diff options
Diffstat (limited to 'config/snort-dev2')
53 files changed, 16933 insertions, 0 deletions
diff --git a/config/snort-dev2/.buildpath b/config/snort-dev2/.buildpath new file mode 100644 index 00000000..8bcb4b5f --- /dev/null +++ b/config/snort-dev2/.buildpath @@ -0,0 +1,5 @@ +<?xml version="1.0" encoding="UTF-8"?> +<buildpath> + <buildpathentry kind="src" path=""/> + <buildpathentry kind="con" path="org.eclipse.php.core.LANGUAGE"/> +</buildpath> diff --git a/config/snort-dev2/.project b/config/snort-dev2/.project new file mode 100644 index 00000000..210cee14 --- /dev/null +++ b/config/snort-dev2/.project @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+ <name>snort-dev2</name>
+ <comment></comment>
+ <projects>
+ </projects>
+ <buildSpec>
+ <buildCommand>
+ <name>org.eclipse.wst.validation.validationbuilder</name>
+ <arguments>
+ </arguments>
+ </buildCommand>
+ <buildCommand>
+ <name>org.eclipse.dltk.core.scriptbuilder</name>
+ <arguments>
+ </arguments>
+ </buildCommand>
+ </buildSpec>
+ <natures>
+ <nature>org.eclipse.php.core.PHPNature</nature>
+ </natures>
+</projectDescription>
diff --git a/config/snort-dev2/.settings/org.eclipse.php.core.prefs b/config/snort-dev2/.settings/org.eclipse.php.core.prefs new file mode 100644 index 00000000..c21f9750 --- /dev/null +++ b/config/snort-dev2/.settings/org.eclipse.php.core.prefs @@ -0,0 +1,4 @@ +eclipse.preferences.version=1
+include_path=0;/snort-dev2
+phpVersion=php5.3
+use_asp_tags_as_php=false
diff --git a/config/snort-dev2/bin/oinkmaster_contrib/README.contrib b/config/snort-dev2/bin/oinkmaster_contrib/README.contrib new file mode 100644 index 00000000..6923fa26 --- /dev/null +++ b/config/snort-dev2/bin/oinkmaster_contrib/README.contrib @@ -0,0 +1,84 @@ +# $Id: README.contrib,v 1.21 2005/10/18 10:41:20 andreas_o Exp $ # + +------------------------------------------------------------------------------- +* oinkgui.pl by Andreas Östling <andreaso@it.su.se> + + A graphical front-end to Oinkmaster written in Perl/Tk. + See README.gui for complete documentation. +------------------------------------------------------------------------------- + + + +------------------------------------------------------------------------------- +* addsid.pl by Andreas Östling <andreaso@it.su.se> + + A script that parses *.rules in all specified directories and adds a + SID to (active) rules that don't have any. (Actually, rev and classtype + are also added if missing, unless you edit addsid.pl and tune this.) The + script first looks for the current highest SID (even in inactive rules) + and starts at the next one, unless this value is below MIN_SID (defined + inside addsid.pl). By default, this value is set to 1000001 since this + is the lowest SID assigned for local usage. Handles multi-line rules. +------------------------------------------------------------------------------- + + + +------------------------------------------------------------------------------- +* create-sidmap.pl by Andreas Östling <andreaso@it.su.se> + + A script that parses all active rules in *.rules in all specified + directories and creates a SID map. (Like Snort's regen-sidmap, but this + one handles multi-line rules.) Result goes to standard output which can + be redirected to a sid-msg.map file. +------------------------------------------------------------------------------- + + + +------------------------------------------------------------------------------- +* makesidex.pl, originally by Jerry Applebaum but later rewritten by + Andreas Östling <andreaso@it.su.se> to handle multi-line rules and + multiple rules directories. + + It reads *.rules in all specified directories, looks for all disabled + rules and prints a "disablesid <sid> # <msg>" line for each disabled rule. + The output can be appended to oinkmaster.conf. + Useful to new Oinkmaster users. +------------------------------------------------------------------------------- + + + +------------------------------------------------------------------------------- +* addmsg.pl by Andreas Östling <andreaso@it.su.se>: + + A script that will parse your oinkmaster.conf for + localsid/enablesid/disablesid lines and add their rule message as a #comment. + If your oinkmaster.conf looks like this before addmsg.pl has been run: + + disablesid 286 + disablesid 287 + disablesid 288 + + It will look something like this afterward: + + disablesid 286 # POP3 EXPLOIT x86 bsd overflow + disablesid 287 # POP3 EXPLOIT x86 bsd overflow + disablesid 288 # POP3 EXPLOIT x86 linux overflow + + addmsg.pl will not touch lines that already has a comment in them. + It's not able to handle SID lists when written like this: + disablesid 1,2,3, ... + But it should handle them if written like this: + disablesid \ + 1, \ + 2, \ + 3 + + The new config file will be printed to standard output, so you + probably want to redirect the output to a file, for example: + + ./addmsg.pl oinkmaster.conf rules/ > oinkmaster.conf.new + + If oinkmaster.conf.new looks ok, simply rename it to oinkmaster.conf. + Do NOT redirect to the same file you read from, as this will destroy + that file. +------------------------------------------------------------------------------- diff --git a/config/snort-dev2/bin/oinkmaster_contrib/addmsg.pl b/config/snort-dev2/bin/oinkmaster_contrib/addmsg.pl new file mode 100644 index 00000000..e5866d6f --- /dev/null +++ b/config/snort-dev2/bin/oinkmaster_contrib/addmsg.pl @@ -0,0 +1,299 @@ +#!/usr/bin/perl -w + +# $Id: addmsg.pl,v 1.19 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use strict; + +sub get_next_entry($ $ $ $ $ $); +sub parse_singleline_rule($ $ $); + + +my $USAGE = << "RTFM"; + +Parse Oinkmaster configuration file and add the rule's "msg" string as a +#comment for each disablesid/enablesid line. + +Usage: $0 <oinkmaster.conf> <rulesdir> [rulesdir2, ...] + +The new config file will be printed to standard output, so you +probably want to redirect the output to a new file (*NOT* the same +file you used as input, because that will destroy the file!). +For example: + +$0 /etc/oinkmaster.conf /etc/rules/ > oinkmaster.conf.new + +If oinkmaster.conf.new looks ok, simply rename it to /etc/oinkmaster.conf. + +RTFM + + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + + +my $config = shift || die($USAGE); + +my @rulesdirs = @ARGV; +die($USAGE) unless ($#rulesdirs > -1); + +my $verbose = 1; +my (%sidmsgmap, %config); + +$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; + +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + + + +# Read in oinkmaster.conf. +open(CONFIG, "<" , "$config") or die("could not open \"$config\" for reading: $!\n"); +my @config = <CONFIG>; +close(CONFIG); + + +# Read in *.rules in all rulesdirs and create %sidmsgmap ($sidmsgmap{sid} = msg). +foreach my $rulesdir (@rulesdirs) { + opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); + + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + + open(FILE, "<", "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); + my @file = <FILE>; + close(FILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + $sidmsgmap{$sid} = $msg + if (defined($single)); + } + } +} + + +# Print new oinkmaster.conf. +while ($_ = shift(@config)) { + if (/^\s*(?:disable|enable|local)sid\s+(\d+)\s*$/ || /^\s*(\d+)\s*,\s*\\$/ || /^\s*(\d+)\s*$/) { + my $sid = $1; + my $is_multiline = 0; + chomp; + + if (/\\$/) { + $is_multiline = 1; + s/\\$//; + } + + $_ = sprintf("%-25s", $_); + if (exists($sidmsgmap{$sid})) { + print "$_ # $sidmsgmap{$sid}"; + } else { + print "$_"; + } + print " \\" if ($is_multiline); + print "\n"; + } else { + print; + } +} + + + +# From oinkmaster.pl. +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^\s*#/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^\s*#/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^\s*#/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*#*\s*//; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^#+\s*/#/; + + return (1); # return multi + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^\s*#/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^#+\s*/#/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + } else { # non-rule line + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid or msg?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# From oinkmaster.pl. +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; + } else { + return (0); + } + + return (1); + } + + return (0); +} diff --git a/config/snort-dev2/bin/oinkmaster_contrib/addsid.pl b/config/snort-dev2/bin/oinkmaster_contrib/addsid.pl new file mode 100644 index 00000000..64255d22 --- /dev/null +++ b/config/snort-dev2/bin/oinkmaster_contrib/addsid.pl @@ -0,0 +1,382 @@ +#!/usr/bin/perl -w + +# $Id: addsid.pl,v 1.30 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use strict; + + +sub get_next_entry($ $ $ $ $ $); +sub parse_singleline_rule($ $ $); +sub get_next_available_sid(@); + + +# Set this to the default classtype you want to add, if missing. +# Set to 0 or "" if you don't want to add a classtype. +my $CLASSTYPE = "misc-attack"; + +# If ADD_REV is set to 1, "rev: 1;" will be added to rule if it has no rev. +# Set to 0 if you don't want to add it. +my $ADD_REV = 1; + +# Minimum SID to add. Normally, the next available SID will be used, +# unless it's below this value. Only SIDs >= 1000000 are reserved for +# personal use. +my $MIN_SID = 1000001; + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + + +my $USAGE = << "RTFM"; + +Parse *.rules in one or more directories and add "sid:<sid>;" to +active rules that don't have any "sid" entry, starting with the next +available SID after parsing all rules files (but $MIN_SID at minumum). +Also, "rev:1;" is added to rules without a "rev" entry, and +"classtype:misc-attack;" is added to rules without a "classtype" entry +(edit options at the top of $0 if you want to change this). + +Usage: $0 <rulesdir> [rulesdir2, ...] + +RTFM + + +# Start in verbose mode. +my $verbose = 1; + +my (%all_sids, %active_sids, %config); + +my @rulesdirs = @ARGV; + +die($USAGE) unless ($#rulesdirs > -1); + +$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; + +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + + +# Find out the next available SID. +my $next_sid = get_next_available_sid(@rulesdirs); + +# Avoid seeing possible warnings about broken rules twice. +$verbose = 0; + +# Add sid/rev/classtype to active rules that don't have any. +foreach my $dir (@rulesdirs) { + opendir(RULESDIR, "$dir") or die("could not open \"$dir\": $!\n"); + + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + + open(OLDFILE, "$dir/$file") + or die("could not open \"$dir/$file\": $!\n"); + my @file = <OLDFILE>; + close(OLDFILE); + + open(NEWFILE, ">", "$dir/$file") + or die("could not open \"$dir/$file\" for writing: $!\n"); + + my ($single, $multi, $nonrule, $msg, $sid); + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + + if (defined($nonrule)) { + print NEWFILE "$nonrule"; + next; + } + + $multi = $single unless (defined($multi)); + + # Don't care about inactive rules. + if ($single =~ /^\s*#/) { + print NEWFILE "$multi"; + next; + } + + my $added; + + # Add SID. + if ($single !~ /sid\s*:\s*\d+\s*;/) { + $added .= "SID $next_sid,"; + $multi =~ s/\)\s*\n/sid:$next_sid;)\n/; + $next_sid++; + } + + # Add revision. + if ($ADD_REV && $single !~ /rev\s*:\s*\d+\s*;/) { + $added .= "rev,"; + $multi =~ s/\)\s*\n/rev:1;)\n/; + } + + # Add classtype. + if ($CLASSTYPE && $single !~ /classtype\s*:\s*.+\s*;/) { + $added .= "classtype $CLASSTYPE,"; + $multi =~ s/\)\s*\n/classtype:$CLASSTYPE;)\n/; + } + + if (defined($added)) { + $added =~ s/,$//; + print "Adding $added to rule \"$msg\"\n" + if (defined($added)); + } + + print NEWFILE "$multi"; + } + + close(NEWFILE); + } + + closedir(RULESDIR); +} + + + +# Read in *.rules in given directory and return highest SID. +sub get_next_available_sid(@) +{ + my @dirs = @_; + + foreach my $dir (@dirs) { + opendir(RULESDIR, "$dir") or die("could not open \"$dir\": $!\n"); + + # Only care about *.rules. + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + + open(OLDFILE, "<$dir/$file") or die("could not open \"$dir/$file\": $!\n"); + my @file = <OLDFILE>; + close(OLDFILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + if (defined($single) && defined($sid)) { + $all_sids{$sid}++; + + # If this is an active rule add to %active_sids and + # warn if it already exists. + if ($single =~ /^\s*alert/) { + print STDERR "WARNING: duplicate SID: $sid\n" + if (exists($active_sids{$sid})); + $active_sids{$sid}++ + } + } + } + } + } + + # Sort sids and use highest one + 1, unless it's below MIN_SID. + @_ = sort {$a <=> $b} keys(%all_sids); + my $sid = pop(@_); + + if (!defined($sid)) { + $sid = $MIN_SID + } else { + $sid++; + } + + # If it's below MIN_SID, use MIN_SID instead. + $sid = $MIN_SID if ($sid < $MIN_SID); + + return ($sid) +} + + + +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^\s*#/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^\s*#/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^\s*#/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*#*\s*//; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^#+\s*/#/; + + return (1); # return multi + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^\s*#/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^#+\s*/#/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + } else { # non-rule line + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid or msg?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# From oinkmaster.pl except that this version +# has been modified so that the sid is *optional*. +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; +# } else { +# return (0); + } + + return (1); + } + + return (0); +} diff --git a/config/snort-dev2/bin/oinkmaster_contrib/create-sidmap.pl b/config/snort-dev2/bin/oinkmaster_contrib/create-sidmap.pl new file mode 100644 index 00000000..26a9040c --- /dev/null +++ b/config/snort-dev2/bin/oinkmaster_contrib/create-sidmap.pl @@ -0,0 +1,280 @@ +#!/usr/local/bin/perl -w + +# $Id: create-sidmap.pl,v 1.21 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use strict; + +sub get_next_entry($ $ $ $ $ $); +sub parse_singleline_rule($ $ $); + +# Files to ignore. +my %skipfiles = ( + 'deleted.rules' => 1, +); + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + +my $USAGE = << "RTFM"; + +Parse active rules in *.rules in one or more directories and create a SID +map. Result is sent to standard output, which can be redirected to a +sid-msg.map file. + +Usage: $0 <rulesdir> [rulesdir2, ...] + +RTFM + +my $verbose = 1; + +my (%sidmap, %config); + +my @rulesdirs = @ARGV; + +die($USAGE) unless ($#rulesdirs > -1); + +$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; + +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + + +# Read in all rules from each rules file (*.rules) in each rules dir. +# into %sidmap. +foreach my $rulesdir (@rulesdirs) { + opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); + + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + next if ($skipfiles{$file}); + + open(FILE, "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); + my @file = <FILE>; + close(FILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + if (defined($single)) { + + warn("WARNING: duplicate SID: $sid (discarding old)\n") + if (exists($sidmap{$sid})); + + $sidmap{$sid} = "$sid || $msg"; + + # Print all references. Borrowed from Brian Caswell's regen-sidmap script. + my $ref = $single; + while ($ref =~ s/(.*)reference\s*:\s*([^\;]+)(.*)$/$1 $3/) { + $sidmap{$sid} .= " || $2" + } + + $sidmap{$sid} .= "\n"; + } + } + } +} + +# Print results. +foreach my $sid (sort { $a <=> $b } keys(%sidmap)) { + print "$sidmap{$sid}"; +} + + + +# Same as in oinkmaster.pl. +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^\s*#/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^\s*#/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^\s*#/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*#*\s*//; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^#+\s*/#/; + + return (1); # return multi + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^\s*#/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^#+\s*/#/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + } else { # non-rule line + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid or msg?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# Same as in oinkmaster.pl. +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; + } else { + return (0); + } + + return (1); + } + + return (0); +} diff --git a/config/snort-dev2/bin/oinkmaster_contrib/make_snortsam_map.pl b/config/snort-dev2/bin/oinkmaster_contrib/make_snortsam_map.pl new file mode 100644 index 00000000..42ce2b3b --- /dev/null +++ b/config/snort-dev2/bin/oinkmaster_contrib/make_snortsam_map.pl @@ -0,0 +1,265 @@ +#!/usr/bin/perl -w + +# $Id: makesidex.pl,v 1.11 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# Modified by Robert Zelaya for the snort package. +# gets enabled sids and msgs for all rules in a dir + + + +use strict; + +sub get_next_entry($ $ $ $ $ $); +sub parse_singleline_rule($ $ $); + + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + +my $USAGE = << "RTFM"; + +Parse *.rules in one or more directories and look for all rules that are +disabled (i.e. begin with "#") and print "disablesid <sid> # <msg>" to +standard output for all those rules. This output can be redirected to a +file, which will be understood by Oinkmaster. + +Usage: $0 <rulesdir> [rulesdir2, ...] + +RTFM + +my $verbose = 1; + +my (%disabled, %config); + +my @rulesdirs = @ARGV; + +die($USAGE) unless ($#rulesdirs > -1); + +$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; + +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + +foreach my $rulesdir (@rulesdirs) { + opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); + + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + + open(FILE, "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); + my @file = <FILE>; + close(FILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + $single = $multi if (defined($multi)); + $disabled{$sid} = $msg + if (defined($single) && $single =~ /^alert/); + } + } +} + +# Print results. +foreach my $sid (sort { $a <=> $b } keys(%disabled)) { + printf("%-25s # %s\n", "$sid", $disabled{$sid}); +} + + + +# Same as in oinkmaster.pl. +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^alert/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^alert/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^alert/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*alert*\s*/alert/; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^alert+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^alert+\s*/alert/; + + return (1); # return multi + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^alert/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^alert+\s*/alert/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + } else { # non-rule line + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid or msg?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# Same as in oinkmaster.pl. +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; + } else { + return (0); + } + + return (1); + } + + return (0); +} diff --git a/config/snort-dev2/bin/oinkmaster_contrib/makesidex.pl b/config/snort-dev2/bin/oinkmaster_contrib/makesidex.pl new file mode 100644 index 00000000..80354735 --- /dev/null +++ b/config/snort-dev2/bin/oinkmaster_contrib/makesidex.pl @@ -0,0 +1,261 @@ +#!/usr/bin/perl -w + +# $Id: makesidex.pl,v 1.11 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use strict; + +sub get_next_entry($ $ $ $ $ $); +sub parse_singleline_rule($ $ $); + + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + +my $USAGE = << "RTFM"; + +Parse *.rules in one or more directories and look for all rules that are +disabled (i.e. begin with "#") and print "disablesid <sid> # <msg>" to +standard output for all those rules. This output can be redirected to a +file, which will be understood by Oinkmaster. + +Usage: $0 <rulesdir> [rulesdir2, ...] + +RTFM + +my $verbose = 1; + +my (%disabled, %config); + +my @rulesdirs = @ARGV; + +die($USAGE) unless ($#rulesdirs > -1); + +$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; + +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + +foreach my $rulesdir (@rulesdirs) { + opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); + + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + + open(FILE, "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); + my @file = <FILE>; + close(FILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + $single = $multi if (defined($multi)); + $disabled{$sid} = $msg + if (defined($single) && $single =~ /^\s*#/); + } + } +} + +# Print results. +foreach my $sid (sort { $a <=> $b } keys(%disabled)) { + printf("%-25s # %s\n", "disablesid $sid", $disabled{$sid}); +} + + + +# Same as in oinkmaster.pl. +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^\s*#/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^\s*#/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^\s*#/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*#*\s*//; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^#+\s*/#/; + + return (1); # return multi + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^\s*#/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^#+\s*/#/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + } else { # non-rule line + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid or msg?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# Same as in oinkmaster.pl. +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; + } else { + return (0); + } + + return (1); + } + + return (0); +} diff --git a/config/snort-dev2/bin/oinkmaster_contrib/oinkgui.pl b/config/snort-dev2/bin/oinkmaster_contrib/oinkgui.pl new file mode 100644 index 00000000..4e96f7db --- /dev/null +++ b/config/snort-dev2/bin/oinkmaster_contrib/oinkgui.pl @@ -0,0 +1,1046 @@ +#!/usr/bin/perl -w + +# $Id: oinkgui.pl,v 1.52 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use 5.006001; + +use strict; +use File::Spec; +use Tk; +use Tk::Balloon; +use Tk::BrowseEntry; +use Tk::FileSelect; +use Tk::NoteBook; +use Tk::ROText; + +use constant CSIDL_DRIVES => 17; + +sub update_rules(); +sub clear_messages(); +sub create_cmdline($); +sub fileDialog($ $ $ $); +sub load_config(); +sub save_config(); +sub save_messages(); +sub update_file_label_color($ $ $); +sub create_fileSelectFrame($ $ $ $ $ $); +sub create_checkbutton($ $ $); +sub create_radiobutton($ $ $); +sub create_actionbutton($ $ $); +sub execute_oinkmaster(@); +sub logmsg($ $); + + +my $version = 'Oinkmaster GUI v1.1'; + +my @oinkmaster_conf = qw( + /etc/oinkmaster.conf + /usr/local/etc/oinkmaster.conf +); + +# List of URLs that will show up in the URL BrowseEntry. +my @urls = qw( + http://www.bleedingsnort.com/bleeding.rules.tar.gz + http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz + http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz + http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.3.tar.gz +); + +my %color = ( + background => 'Bisque3', + button => 'Bisque2', + label => 'Bisque1', + notebook_bg => 'Bisque2', + notebook_inact => 'Bisque3', + file_label_ok => '#00e000', + file_label_not_ok => 'red', + out_frame_fg => 'white', + out_frame_bg => 'black', + entry_bg => 'white', + button_active => 'white', + button_bg => 'Bisque4', +); + +my %config = ( + animate => 1, + careful => 0, + enable_all => 0, + check_removed => 0, + output_mode => 'normal', + diff_mode => 'detailed', + perl => $^X, + oinkmaster => "", + oinkmaster_conf => "", + outdir => "", + url => "", + varfile => "", + backupdir => "", + editor => "", +); + +my %help = ( + + # File locations. + oinkscript => 'Location of the executable Oinkmaster script (oinkmaster.pl).', + oinkconf => 'The Oinkmaster configuration file to use.', + outdir => 'Where to put the new rules. This should be the directory where you '. + 'store your current rules.', + + url => 'Alternate location of rules archive to download/copy. '. + 'Leave empty to use the location set in oinkmaster.conf.', + varfile => 'Variables that exist in downloaded snort.conf but not in '. + 'this file will be added to it. Leave empty to skip.', + backupdir => 'Directory to put tarball of old rules before overwriting them. '. + 'Leave empty to skip backup.', + editor => 'Full path to editor to execute when pressing the "edit" button '. + '(wordpad is recommended on Windows). ', + + # Checkbuttons. + careful => 'In careful mode, Oinkmaster will just check for changes, '. + 'not update anything.', + enable => 'Some rules may be commented out by default (for a reason!). '. + 'This option will make Oinkmaster enable those.', + removed => 'Check for rules files that exist in the output directory but not '. + 'in the downloaded rules archive.', + + # Action buttons. + clear => 'Clear current output messages.', + save => 'Save current output messages to file.', + exit => 'Exit the GUI.', + update => 'Execute Oinkmaster to update the rules.', + test => 'Test current Oinkmaster configuration. ' . + 'If there are no fatal errors, you are ready to update the rules.', + version => 'Request version information from Oinkmaster.', +); + + +my $gui_config_file = ""; +my $use_fileop = 0; + + +#### MAIN #### + +select STDERR; +$| = 1; +select STDOUT; +$| = 1; + +# Find out if can use Win32::FileOp. +if ($^O eq 'MSWin32') { + BEGIN { $^W = 0 } + $use_fileop = 1 if (eval "require Win32::FileOp"); +} + +# Find out which oinkmaster.pl file to default to. +foreach my $dir (File::Spec->path()) { + my $file = "$dir/oinkmaster"; + if (-f "$file" && (-x "$file" || $^O eq 'MSWin32')) { + $config{oinkmaster} = $file; + last; + } elsif (-f "$file.pl" && (-x "$file" || $^O eq 'MSWin32')) { + $config{oinkmaster} = "$file.pl"; + last; + } +} + +# Find out which oinkmaster config file to default to. +foreach my $file (@oinkmaster_conf) { + if (-e "$file") { + $config{oinkmaster_conf} = $file; + last; + } +} + +# Find out where the GUI config file is (it's not required). +if ($ENV{HOME}) { + $gui_config_file = "$ENV{HOME}/.oinkguirc" +} elsif ($ENV{HOMEDRIVE} && $ENV{HOMEPATH}) { + $gui_config_file = "$ENV{HOMEDRIVE}$ENV{HOMEPATH}\\.oinkguirc"; +} + + +# Create main window. +my $main = MainWindow->new( + -background => "$color{background}", + -title => "$version", +); + + +# Create scrolled frame with output messages. +my $out_frame = $main->Scrolled('ROText', + -setgrid => 'true', + -scrollbars => 'e', + -background => $color{out_frame_bg}, + -foreground => $color{out_frame_fg}, +); + + +my $help_label = $main->Label( + -relief => 'groove', + -background => "$color{label}", +); + +my $balloon = $main->Balloon( + -statusbar => $help_label, +); + + +# Create notebook. +my $notebook = $main->NoteBook( + -ipadx => 6, + -ipady => 6, + -background => $color{notebook_bg}, + -inactivebackground => $color{notebook_inact}, + -backpagecolor => $color{background}, +); + + +# Create tab with required files/dirs. +my $req_tab = $notebook->add("required", + -label => "Required files and directories", + -underline => 0, +); + +$req_tab->configure(-bg => "$color{notebook_inact}"); + + +# Create frame with oinkmaster.pl location. +my $filetypes = [ + ['Oinkmaster script', 'oinkmaster.pl'], + ['All files', '*' ] +]; + +my $oinkscript_frame = + create_fileSelectFrame($req_tab, "oinkmaster.pl", 'EXECFILE', + \$config{oinkmaster}, 'NOEDIT', $filetypes); + +$balloon->attach($oinkscript_frame, -statusmsg => $help{oinkscript}); + + +# Create frame with oinkmaster.conf location. +$filetypes = [ + ['configuration files', '.conf'], + ['All files', '*' ] +]; + +my $oinkconf_frame = + create_fileSelectFrame($req_tab, "oinkmaster.conf", 'ROFILE', + \$config{oinkmaster_conf}, 'EDIT', $filetypes); + +$balloon->attach($oinkconf_frame, -statusmsg => $help{oinkconf}); + + +# Create frame with output directory. +my $outdir_frame = + create_fileSelectFrame($req_tab, "output directory", 'WRDIR', + \$config{outdir}, 'NOEDIT', undef); + +$balloon->attach($outdir_frame, -statusmsg => $help{outdir}); + + + +# Create tab with optional files/dirs. +my $opt_tab = $notebook->add("optional", + -label => "Optional files and directories", + -underline => 0, +); + +$opt_tab->configure(-bg => "$color{notebook_inact}"); + +# Create frame with alternate URL location. +$filetypes = [ + ['compressed tar files', '.tar.gz'] +]; + +my $url_frame = + create_fileSelectFrame($opt_tab, "Alternate URL", 'URL', + \$config{url}, 'NOEDIT', $filetypes); + +$balloon->attach($url_frame, -statusmsg => $help{url}); + + +# Create frame with variable file. +$filetypes = [ + ['Snort configuration files', ['.conf', '.config']], + ['All files', '*' ] +]; + +my $varfile_frame = + create_fileSelectFrame($opt_tab, "Variable file", 'WRFILE', + \$config{varfile}, 'EDIT', $filetypes); + +$balloon->attach($varfile_frame, -statusmsg => $help{varfile}); + + +# Create frame with backup dir location. +my $backupdir_frame = + create_fileSelectFrame($opt_tab, "Backup directory", 'WRDIR', + \$config{backupdir}, 'NOEDIT', undef); + +$balloon->attach($backupdir_frame, -statusmsg => $help{backupdir}); + + +# Create frame with editor location. +$filetypes = [ + ['executable files', ['.exe']], + ['All files', '*' ] +]; + +my $editor_frame = + create_fileSelectFrame($opt_tab, "Editor", 'EXECFILE', + \$config{editor}, 'NOEDIT', $filetypes); + +$balloon->attach($editor_frame, -statusmsg => $help{editor}); + + + +$notebook->pack( + -expand => 'no', + -fill => 'x', + -padx => '5', + -pady => '5', + -side => 'top' +); + + +# Create the frame to the left. +my $left_frame = $main->Frame( + -background => "$color{label}", + -border => '2', +)->pack( + -side => 'left', + -fill => 'y', +); + + +# Create "GUI settings" label. +$left_frame->Label( + -text => "GUI settings:", + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + + +create_actionbutton($left_frame, "Load saved settings", \&load_config); +create_actionbutton($left_frame, "Save current settings", \&save_config); + + +# Create "options" label at the top of the left frame. +$left_frame->Label( + -text => "Options:", + -background => "$color{label}", +)->pack(-side => 'top', + -fill => 'x', +); + + +# Create checkbuttons in the left frame. +$balloon->attach( + create_checkbutton($left_frame, "Careful mode", \$config{careful}), + -statusmsg => $help{careful} +); + +$balloon->attach( + create_checkbutton($left_frame, "Enable all", \$config{enable_all}), + -statusmsg => $help{enable} +); + +$balloon->attach( + create_checkbutton($left_frame, "Check for removed files", \$config{check_removed}), + -statusmsg => $help{removed} +); + + +# Create "mode" label. +$left_frame->Label( + -text => "Output mode:", + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + +# Create mode radiobuttons in the left frame. +create_radiobutton($left_frame, "super-quiet", \$config{output_mode}); +create_radiobutton($left_frame, "quiet", \$config{output_mode}); +create_radiobutton($left_frame, "normal", \$config{output_mode}); +create_radiobutton($left_frame, "verbose", \$config{output_mode}); + +# Create "Diff mode" label. +$left_frame->Label( + -text => "Diff mode:", + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + +create_radiobutton($left_frame, "detailed", \$config{diff_mode}); +create_radiobutton($left_frame, "summarized", \$config{diff_mode}); +create_radiobutton($left_frame, "remove common", \$config{diff_mode}); + + +# Create "activity messages" label. +$main->Label( + -text => "Output messages:", + -width => '130', + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + + + +# Pack output frame. +$out_frame->pack( + -expand => 'yes', + -fill => 'both', +); + + +# Pack help label below output window. +$help_label->pack( + -fill => 'x', +); + + +# Create "actions" label. +$left_frame->Label( + -text => "Actions:", + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + + +# Create action buttons. + +$balloon->attach( + create_actionbutton($left_frame, "Update rules!", \&update_rules), + -statusmsg => $help{update} +); + +$balloon->attach( + create_actionbutton($left_frame, "Clear output messages", \&clear_messages), + -statusmsg => $help{clear} +); + +$balloon->attach( + create_actionbutton($left_frame, "Save output messages", \&save_messages), + -statusmsg => $help{save} +); + +$balloon->attach( + create_actionbutton($left_frame, "Exit", \&exit), + -statusmsg => $help{exit} +); + + + +# Make the mousewheel scroll the output window. Taken from Mastering Perl/Tk. +if ($^O eq 'MSWin32') { + $out_frame->bind('<MouseWheel>' => + [ sub { $_[0]->yview('scroll', -($_[1] / 120) * 3, 'units')}, + Ev('D') ] + ); +} else { + $out_frame->bind('<4>' => sub { + $_[0]->yview('scroll', -3, 'units') unless $Tk::strictMotif; + }); + + $out_frame->bind('<5>' => sub { + $_[0]->yview('scroll', +3, 'units') unless $Tk::strictMotif; + }); +} + + + +# Now the fun begins. +if ($config{animate}) { + foreach (split(//, "Welcome to $version")) { + logmsg("$_", 'MISC'); + $out_frame->after(5); + } +} else { + logmsg("Welcome to $version", 'MISC'); +} + +logmsg("\n\n", 'MISC'); + +# Load gui settings into %config. +load_config(); + + +# Warn if any required file/directory is not set. +logmsg("No oinkmaster.pl set, please select one above!\n\n", 'ERROR') + if ($config{oinkmaster} !~ /\S/); + +logmsg("No oinkmaster configuration file set, please select one above!\n\n", 'ERROR') + if ($config{oinkmaster_conf} !~ /\S/); + +logmsg("Output directory is not set, please select one above!\n\n", 'ERROR') + if ($config{outdir} !~ /\S/); + + +MainLoop; + + + +#### END #### + + + +sub fileDialog($ $ $ $) +{ + my $var_ref = shift; + my $title = shift; + my $type = shift; + my $filetypes = shift; + my $dirname; + + if ($type eq 'WRDIR') { + if ($use_fileop) { + $dirname = Win32::FileOp::BrowseForFolder("title", CSIDL_DRIVES); + } else { + my $fs = $main->FileSelect(); + $fs->configure(-verify => ['-d', '-w'], -title => $title); + $dirname = $fs->Show; + } + $$var_ref = $dirname if ($dirname); + } elsif ($type eq 'EXECFILE' || $type eq 'ROFILE' || $type eq 'WRFILE' || $type eq 'URL') { + my $filename = $main->getOpenFile(-title => $title, -filetypes => $filetypes); + $$var_ref = $filename if ($filename); + } elsif ($type eq 'SAVEFILE') { + my $filename = $main->getSaveFile(-title => $title, -filetypes => $filetypes); + $$var_ref = $filename if ($filename); + } else { + logmsg("Unknown type ($type)\n", 'ERROR'); + } +} + + + +sub update_file_label_color($ $ $) +{ + my $label = shift; + my $filename = shift; + my $type = shift; + + $filename =~ s/^\s+//; + $filename =~ s/\s+$//; + + unless ($filename) { + $label->configure(-background => $color{file_label_not_ok}); + return (1); + } + + if ($type eq "URL") { + if ($filename =~ /^(?:http|ftp|scp):\/\/.+\.tar\.gz$/) { + $label->configure(-background => $color{file_label_ok}); + } elsif ($filename =~ /^(?:file:\/\/)*(.+\.tar\.gz)$/) { + my $file = $1; + if (-f "$file" && -r "$file") { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } elsif ($type eq "ROFILE") { + if (-f "$filename" && -r "$filename") { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } elsif ($type eq "EXECFILE") { + if (-f "$filename" && (-x "$filename" || $^O eq 'MSWin32')) { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } elsif ($type eq "WRFILE") { + if (-f "$filename" && -w "$filename") { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } elsif ($type eq "WRDIR") { + if (-d "$filename" && -w "$filename") { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } else { + print STDERR "incorrect type ($type)\n"; + exit; + } + + return (1); +} + + + +sub create_checkbutton($ $ $) +{ + my $frame = shift; + my $name = shift; + my $var_ref = shift; + + my $button = $frame->Checkbutton( + -text => $name, + -background => $color{button}, + -activebackground => $color{button_active}, + -highlightbackground => $color{button_bg}, + -variable => $var_ref, + -relief => 'raise', + -anchor => 'w', + )->pack( + -fill => 'x', + -side => 'top', + -pady => '1', + ); + + return ($button); +} + + + +sub create_actionbutton($ $ $) +{ + my $frame = shift; + my $name = shift; + my $func_ref = shift; + + my $button = $frame->Button( + -text => $name, + -command => sub { + &$func_ref; + $out_frame->focus; + }, + -background => $color{button}, + -activebackground => $color{button_active}, + -highlightbackground => $color{button_bg}, + )->pack( + -fill => 'x', + ); + + return ($button); +} + + + +sub create_radiobutton($ $ $) +{ + my $frame = shift; + my $name = shift; + my $mode_ref = shift; + + my $button = $frame->Radiobutton( + -text => $name, + -highlightbackground => $color{button_bg}, + -background => $color{button}, + -activebackground => $color{button_active}, + -variable => $mode_ref, + -relief => 'raised', + -anchor => 'w', + -value => $name, + )->pack( + -side => 'top', + -pady => '1', + -fill => 'x', + ); + + return ($button); +} + + + +# Create <label><entry><browsebutton> in given frame. +sub create_fileSelectFrame($ $ $ $ $ $) +{ + my $win = shift; + my $name = shift; + my $type = shift; # FILE|DIR|URL + my $var_ref = shift; + my $edtype = shift; # EDIT|NOEDIT + my $filetypes = shift; + + # Create frame. + my $frame = $win->Frame( + -bg => $color{background}, + )->pack( + -padx => '2', + -pady => '2', + -fill => 'x' + ); + + # Create label. + my $label = $frame->Label( + -text => $name, + -width => '16', + -relief => 'raised', + -background => "$color{file_label_not_ok}", + )->pack( + -side => 'left' + ); + + my $entry; + + if ($type eq 'URL') { + $entry = $frame->BrowseEntry( + -textvariable => $var_ref, + -background => $color{entry_bg}, + -width => '80', + -choices => \@urls, + -validate => 'key', + -validatecommand => sub { update_file_label_color($label, $_[0], $type) }, + )->pack( + -side => 'left', + -expand => 'yes', + -fill => 'x' + ); + } else { + $entry = $frame->Entry( + -textvariable => $var_ref, + -background => $color{entry_bg}, + -width => '80', + -validate => 'key', + -validatecommand => sub { update_file_label_color($label, $_[0], $type) }, + )->pack( + -side => 'left', + -expand => 'yes', + -fill => 'x' + ); + } + + # Create edit-button if file is ediable. + if ($edtype eq 'EDIT') { + my $edit_but = $frame->Button( + -text => "Edit", + -background => "$color{button}", + -command => sub { + unless (-e "$$var_ref") { + logmsg("Select an existing file first!\n\n", 'ERROR'); + return; + } + + if ($config{editor}) { + $main->Busy(-recurse => 1); + logmsg("Launching " . $config{editor} . + ", close it to continue the GUI.\n\n", 'MISC'); + sleep(2); + system($config{editor}, $$var_ref); # MainLoop will be put on hold... + $main->Unbusy; + } else { + logmsg("No editor set\n\n", 'ERROR'); + } + } + )->pack( + -side => 'left', + ); + } + + # Create browse-button. + my $but = $frame->Button( + -text => "browse ...", + -background => $color{button}, + -command => sub { + fileDialog($var_ref, $name, $type, $filetypes); + } + )->pack( + -side => 'left', + ); + + return ($frame); +} + + + +sub logmsg($ $) +{ + my $text = shift; + my $type = shift; + + return unless (defined($text)); + + $out_frame->tag(qw(configure OUTPUT -foreground grey)); + $out_frame->tag(qw(configure ERROR -foreground red)); + $out_frame->tag(qw(configure MISC -foreground white)); + $out_frame->tag(qw(configure EXEC -foreground bisque2)); + + $out_frame->insert('end', "$text", "$type"); + $out_frame->see('end'); + $out_frame->update; +} + + + + +sub execute_oinkmaster(@) +{ + my @cmd = @_; + my @obfuscated_cmd; + + # Obfuscate possible password in url. + foreach my $line (@cmd) { + if ($line =~ /^(\S+:\/\/.+?):.+?@(.+)/) { + push(@obfuscated_cmd, "$1:*password*\@$2"); + } else { + push(@obfuscated_cmd, $line); + } + } + + logmsg("@obfuscated_cmd:\n", 'EXEC'); + + $main->Busy(-recurse => 1); + + if ($^O eq 'MSWin32') { + open(OINK, "@cmd 2>&1|"); + while (<OINK>) { + logmsg($_, 'OUTPUT'); + } + close(OINK); + } else { + if (open(OINK,"-|")) { + while (<OINK>) { + logmsg($_, 'OUTPUT'); + } + } else { + open(STDERR, '>&STDOUT'); + exec(@cmd); + } + close(OINK); + } + + $main->Unbusy; + logmsg("done.\n\n", 'EXEC'); +} + + + +sub clear_messages() +{ + $out_frame->delete('1.0','end'); + $out_frame->update; +} + + + +sub save_messages() +{ + my $text = $out_frame->get('1.0', 'end'); + my $title = 'Save output messages'; + my $filename; + + my $filetypes = [ + ['Log files', ['.log', '.txt']], + ['All files', '*' ] + ]; + + + if (length($text) > 1) { + fileDialog(\$filename, $title, 'SAVEFILE', $filetypes); + if (defined($filename)) { + + unless (open(LOG, ">", "$filename")) { + logmsg("Could not open $filename for writing: $!\n\n", 'ERROR'); + return; + } + + print LOG $text; + close(LOG); + logmsg("Successfully saved output messages to $filename\n\n", 'MISC'); + } + + } else { + logmsg("Nothing to save.\n\n", 'ERROR'); + } +} + + + +sub update_rules() +{ + my @cmd; + + create_cmdline(\@cmd) || return; + clear_messages(); + execute_oinkmaster(@cmd); +} + + + +sub create_cmdline($) +{ + my $cmd_ref = shift; + + my $oinkmaster = $config{oinkmaster}; + my $oinkmaster_conf = $config{oinkmaster_conf}; + my $outdir = $config{outdir}; + my $varfile = $config{varfile}; + my $url = $config{url}; + my $backupdir = $config{backupdir}; + + # Assume file:// if url prefix is missing. + if ($url) { + $url = "file://$url" unless ($url =~ /(?:http|ftp|file|scp):\/\//); + if ($url =~ /.+<oinkcode>.+/) { + logmsg("You must replace <oinkcode> with your real oinkcode, see the FAQ!\n\n", 'ERROR'); + return (0); + } + } + + $oinkmaster = File::Spec->rel2abs($oinkmaster) + if ($oinkmaster); + + $outdir = File::Spec->canonpath("$outdir"); + $backupdir = File::Spec->canonpath("$backupdir"); + + # Clean leading/trailing whitespaces. + foreach my $var_ref (\$oinkmaster, \$oinkmaster_conf, \$outdir, + \$varfile, \$url, \$backupdir) { + $$var_ref =~ s/^\s+//; + $$var_ref =~ s/\s+$//; + } + + unless ($config{oinkmaster} && -f "$config{oinkmaster}" && + (-x "$config{oinkmaster}" || $^O eq 'MSWin32')) { + logmsg("Location of oinkmaster.pl is not set correctly!\n\n", 'ERROR'); + return; + } + + unless ($oinkmaster_conf && -f "$oinkmaster_conf") { + logmsg("Location of configuration file is not set correctlyy!\n\n", 'ERROR'); + return (0); + } + + unless ($outdir && -d "$outdir") { + logmsg("Output directory is not set correctly!\n\n", 'ERROR'); + return (0); + } + + # Add leading/trailing "" if win32. + foreach my $var_ref (\$oinkmaster, \$oinkmaster_conf, \$outdir, + \$varfile, \$url, \$backupdir) { + if ($^O eq 'MSWin32' && $$var_ref) { + $$var_ref = "\"$$var_ref\""; + } + } + + push(@$cmd_ref, + "$config{perl}", "$oinkmaster", + "-C", "$oinkmaster_conf", + "-o", "$outdir"); + + push(@$cmd_ref, "-c") if ($config{careful}); + push(@$cmd_ref, "-e") if ($config{enable_all}); + push(@$cmd_ref, "-r") if ($config{check_removed}); + push(@$cmd_ref, "-q") if ($config{output_mode} eq "quiet"); + push(@$cmd_ref, "-Q") if ($config{output_mode} eq "super-quiet"); + push(@$cmd_ref, "-v") if ($config{output_mode} eq "verbose"); + push(@$cmd_ref, "-m") if ($config{diff_mode} eq "remove common"); + push(@$cmd_ref, "-s") if ($config{diff_mode} eq "summarized"); + push(@$cmd_ref, "-U", "$varfile") if ($varfile); + push(@$cmd_ref, "-b", "$backupdir") if ($backupdir); + + push(@$cmd_ref, "-u", "$url") + if ($url); + + return (1); +} + + + +# Load $config file into %config hash. +sub load_config() +{ + unless (defined($gui_config_file) && $gui_config_file) { + logmsg("Unable to determine config file location, is your \$HOME set?\n\n", 'ERROR'); + return; + } + + unless (-e "$gui_config_file") { + logmsg("$gui_config_file does not exist, keeping current/default settings\n\n", 'MISC'); + return; + } + + unless (open(RC, "<", "$gui_config_file")) { + logmsg("Could not open $gui_config_file for reading: $!\n\n", 'ERROR'); + return; + } + + while (<RC>) { + next unless (/^(\S+)=(.*)/); + $config{$1} = $2; + } + + close(RC); + logmsg("Successfully loaded GUI settings from $gui_config_file\n\n", 'MISC'); +} + + + +# Save %config into file $config. +sub save_config() +{ + unless (defined($gui_config_file) && $gui_config_file) { + logmsg("Unable to determine config file location, is your \$HOME set?\n\n", 'ERROR'); + return; + } + + unless (open(RC, ">", "$gui_config_file")) { + logmsg("Could not open $gui_config_file for writing: $!\n\n", 'ERROR'); + return; + } + + print RC "# Automatically created by Oinkgui. ". + "Do not edit directly unless you have to.\n"; + + foreach my $option (sort(keys(%config))) { + print RC "$option=$config{$option}\n"; + } + + close(RC); + logmsg("Successfully saved current GUI settings to $gui_config_file\n\n", 'MISC'); +} diff --git a/config/snort-dev2/bin/oinkmaster_contrib/oinkmaster.pl b/config/snort-dev2/bin/oinkmaster_contrib/oinkmaster.pl new file mode 100644 index 00000000..f9c4d215 --- /dev/null +++ b/config/snort-dev2/bin/oinkmaster_contrib/oinkmaster.pl @@ -0,0 +1,2754 @@ +#!/usr/bin/perl -w + +# $Id: oinkmaster.pl,v 1.406 2006/02/10 13:02:44 andreas_o Exp $ # + +# Copyright (c) 2001-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use 5.006001; + +use strict; +use File::Basename; +use File::Copy; +use File::Path; +use File::Spec; +use Getopt::Long; +use File::Temp qw(tempdir); + +sub show_usage(); +sub parse_cmdline($); +sub read_config($ $); +sub sanity_check(); +sub download_file($ $); +sub unpack_rules_archive($ $ $); +sub join_tmp_rules_dirs($ $ @); +sub process_rules($ $ $ $ $ $); +sub process_rule($ $ $ $ $ $ $ $); +sub setup_rules_hash($ $); +sub get_first_only($ $ $); +sub print_changes($ $); +sub print_changetype($ $ $ $); +sub print_summary_change($ $); +sub make_backup($ $); +sub get_changes($ $ $); +sub update_rules($ @); +sub copy_rules($ $); +sub is_in_path($); +sub get_next_entry($ $ $ $ $ $); +sub get_new_vars($ $ $ $); +sub add_new_vars($ $); +sub write_new_vars($ $); +sub msdos_to_cygwin_path($); +sub parse_mod_expr($ $ $ $); +sub untaint_path($); +sub approve_changes(); +sub parse_singleline_rule($ $ $); +sub join_multilines($); +sub minimize_diff($ $); +sub catch_sigint(); +sub clean_exit($); + + +my $VERSION = 'Oinkmaster v2.0, Copyright (C) 2001-2006 '. + 'Andreas Östling <andreaso@it.su.se>'; +my $OUTFILE = 'snortrules.tar.gz'; +my $RULES_DIR = 'rules'; + +my $PRINT_NEW = 1; +my $PRINT_OLD = 2; +my $PRINT_BOTH = 3; + +my %config = ( + careful => 0, + check_removed => 0, + config_test_mode => 0, + enable_all => 0, + interactive => 0, + make_backup => 0, + minimize_diff => 0, + min_files => 1, + min_rules => 1, + quiet => 0, + summary_output => 0, + super_quiet => 0, + update_vars => 0, + use_external_bins => 1, + verbose => 0, + use_path_checks => 1, + rule_actions => "alert|drop|log|pass|reject|sdrop|activate|dynamic", + tmp_basedir => $ENV{TMP} || $ENV{TMPDIR} || $ENV{TEMPDIR} || '/tmp', +); + + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +# sid and msg will then be looked for in parse_singleline_rule(). +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +# sid and msg will then be looked for in parse_singleline_rule(). +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + +# Match var line where var name goes into $1. +my $VAR_REGEXP = '^\s*var\s+(\S+)\s+(\S+)'; + +# Allowed characters in misc paths/filenames, including the ones in the tarball. +my $OK_PATH_CHARS = 'a-zA-Z\d\ _\(\)\[\]\.\-+:\\\/~@,='; + +# Default locations for configuration file. +my @DEFAULT_CONFIG_FILES = qw( + /etc/oinkmaster.conf + /usr/local/etc/oinkmaster.conf +); + +my @DEFAULT_DIST_VAR_FILES = qw( + snort.conf +); + +my (%loaded, $tmpdir); + + + +#### MAIN #### + +# No buffering. +select(STDERR); +$| = 1; +select(STDOUT); +$| = 1; + + +my $start_date = scalar(localtime); + +# Assume the required Perl modules are available if we're on Windows. +$config{use_external_bins} = 0 if ($^O eq "MSWin32"); + +# Parse command line arguments and add at least %config{output_dir}. +parse_cmdline(\%config); + +# If no config was specified on command line, look for one in default locations. +if ($#{$config{config_files}} == -1) { + foreach my $config (@DEFAULT_CONFIG_FILES) { + if (-e "$config") { + push(@{${config{config_files}}}, $config); + last; + } + } +} + +# If no dist var file was specified on command line, set to default file(s). +if ($#{$config{dist_var_files}} == -1) { + foreach my $var_file (@DEFAULT_DIST_VAR_FILES) { + push(@{${config{dist_var_files}}}, $var_file); + } +} + +# If config is still not defined, we can't continue. +if ($#{$config{config_files}} == -1) { + clean_exit("configuration file not found in default locations\n". + "(@DEFAULT_CONFIG_FILES)\n". + "Put it there or use the \"-C <file>\" argument."); +} + +read_config($_, \%config) for @{$config{config_files}}; + +# Now substitute "%ACTIONS%" with $config{rule_actions}, which may have +# been modified after reading the config file. +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + +# If we're told not to use external binaries, load the Perl modules now. +unless ($config{use_external_bins}) { + print STDERR "Loading Perl modules.\n" if ($config{verbose}); + + eval { + require IO::Zlib; + require Archive::Tar; + require LWP::UserAgent; + }; + + clean_exit("failed to load required Perl modules:\n\n$@\n". + "Install them or set use_external_bins to 1 ". + "if you want to use external binaries instead.") + if ($@); +} + + +# Do some basic sanity checking and exit if something fails. +# A new PATH will be set. +sanity_check(); + +$SIG{INT} = \&catch_sigint; + +# Create temporary dir. +$tmpdir = tempdir("oinkmaster.XXXXXXXXXX", DIR => File::Spec->rel2abs($config{tmp_basedir})) + or clean_exit("could not create temporary directory in $config{tmp_basedir}: $!"); + +# If we're in config test mode and have come this far, we're done. +if ($config{config_test_mode}) { + print "No fatal errors in configuration.\n"; + clean_exit(""); +} + +umask($config{umask}) if exists($config{umask}); + +# Download and unpack all the rules archives into separate tmp dirs. +my @url_tmpdirs; +foreach my $url (@{$config{url}}) { + my $url_tmpdir = tempdir("url.XXXXXXXXXX", DIR => $tmpdir) + or clean_exit("could not create temporary directory in $tmpdir: $!"); + push(@url_tmpdirs, "$url_tmpdir/$RULES_DIR"); + if ($url =~ /^dir:\/\/(.+)/) { + mkdir("$url_tmpdir/$RULES_DIR") + or clean_exit("Could not create $url_tmpdir/$RULES_DIR"); + copy_rules($1, "$url_tmpdir/$RULES_DIR"); + } else { + download_file($url, "$url_tmpdir/$OUTFILE"); + unpack_rules_archive("$url", "$url_tmpdir/$OUTFILE", $RULES_DIR); + } +} + +# Copy all rules files from the tmp dirs into $RULES_DIR in the tmp directory. +# File matching 'skipfile' a directive will not be copied. +# Filenames (with full path) will be stored as %new_files{filename}. +# Will exit in case of duplicate filenames. +my $num_files = join_tmp_rules_dirs("$tmpdir/$RULES_DIR", \my %new_files, @url_tmpdirs); + +# Make sure we have at least the minimum number of files. +clean_exit("not enough rules files in downloaded rules archive(s).\n". + "Number of rules files is $num_files but minimum is set to $config{min_files}.") + if ($num_files < $config{min_files}); + +# This is to read in possible 'localsid' rules. +my %rh_tmp = setup_rules_hash(\%new_files, $config{output_dir}); + +# Disable/modify/clean downloaded rules. +my $num_rules = process_rules(\@{$config{sid_modify_list}}, + \%{$config{sid_disable_list}}, + \%{$config{sid_enable_list}}, + \%{$config{sid_local_list}}, + \%rh_tmp, + \%new_files); + +# Make sure we have at least the minimum number of rules. +clean_exit("not enough rules in downloaded archive(s).\n". + "Number of rules is $num_rules but minimum is set to $config{min_rules}.") + if ($num_rules < $config{min_rules}); + +# Setup a hash containing the content of all processed rules files. +my %rh = setup_rules_hash(\%new_files, $config{output_dir}); + +# Compare the new rules to the old ones. +my %changes = get_changes(\%rh, \%new_files, $RULES_DIR); + +# Check for variables that exist in dist snort.conf(s) but not in local snort.conf. +get_new_vars(\%changes, \@{$config{dist_var_files}}, $config{varfile}, \@url_tmpdirs) + if ($config{update_vars}); + + +# Find out if something had changed. +my $something_changed = 0; + +$something_changed = 1 + if (keys(%{$changes{modified_files}}) || + keys(%{$changes{added_files}}) || + keys(%{$changes{removed_files}}) || + $#{$changes{new_vars}} > -1); + + +# Update files listed in %changes{modified_files} (copy the new files +# from the temporary directory into our output directory) and add new +# variables to the local snort.conf if requested, unless we're running in +# careful mode. Create backup first if running with -b. +my $printed = 0; +if ($something_changed) { + if ($config{careful}) { + print STDERR "Skipping backup since we are running in careful mode.\n" + if ($config{make_backup} && (!$config{quiet})); + } else { + if ($config{interactive}) { + print_changes(\%changes, \%rh); + $printed = 1; + } + + if (!$config{interactive} || ($config{interactive} && approve_changes)) { + make_backup($config{output_dir}, $config{backup_dir}) + if ($config{make_backup}); + + add_new_vars(\%changes, $config{varfile}) + if ($config{update_vars}); + + update_rules($config{output_dir}, keys(%{$changes{modified_files}})); + } + } +} else { + print STDERR "No files modified - no need to backup old files, skipping.\n" + if ($config{make_backup} && !$config{quiet}); +} + +print "\nOinkmaster is running in careful mode - not updating anything.\n" + if ($something_changed && $config{careful}); + +print_changes(\%changes, \%rh) + if (!$printed && ($something_changed || !$config{quiet})); + + +# Everything worked. Do a clean exit without any error message. +clean_exit(""); + + +# END OF MAIN # + + + +# Show usage information and exit. +sub show_usage() +{ + my $progname = basename($0); + + print STDERR << "RTFM"; + +$VERSION + +Usage: $progname -o <outdir> [options] + +<outdir> is where to put the new files. +This should be the directory where you store your Snort rules. + +Options: +-b <dir> Backup your old rules into <dir> before overwriting them +-c Careful mode (dry run) - check for changes but do not update anything +-C <file> Use this configuration file instead of the default + May be specified multiple times to load multiple files +-e Enable all rules that are disabled by default +-h Show this usage information +-i Interactive mode - you will be asked to approve the changes (if any) +-m Minimize diff when printing result by removing common parts in rules +-q Quiet mode - no output unless changes were found +-Q Super-quiet mode - like -q but even more quiet +-r Check for rules files that exist in the output directory + but not in the downloaded rules archive +-s Leave out details in rules results, just print SID, msg and filename +-S <file> Look for new variables in this file in the downloaded archive instead + of the default (@DEFAULT_DIST_VAR_FILES). Used in conjunction with -U. + May be specified multiple times to search multiple files. +-T Config test - just check configuration file(s) for errors/warnings +-u <url> Download from this URL instead of URL(s) in the configuration file + (http|https|ftp|file|scp:// ... .tar.gz|.gz, or dir://<dir>) + May be specified multiple times to grab multiple rules archives +-U <file> Merge new variables from downloaded snort.conf(s) into <file> +-v Verbose mode (debug) +-V Show version and exit + +RTFM + exit; +} + + + +# Parse the command line arguments and exit if we don't like them. +sub parse_cmdline($) +{ + my $cfg_ref = shift; + + Getopt::Long::Configure("bundling"); + + my $cmdline_ok = GetOptions( + "b=s" => \$$cfg_ref{backup_dir}, + "c" => \$$cfg_ref{careful}, + "C=s" => \@{$$cfg_ref{config_files}}, + "e" => \$$cfg_ref{enable_all}, + "h" => \&show_usage, + "i" => \$$cfg_ref{interactive}, + "m" => \$$cfg_ref{minimize_diff}, + "o=s" => \$$cfg_ref{output_dir}, + "q" => \$$cfg_ref{quiet}, + "Q" => \$$cfg_ref{super_quiet}, + "r" => \$$cfg_ref{check_removed}, + "s" => \$$cfg_ref{summary_output}, + "S=s" => \@{$$cfg_ref{dist_var_files}}, + "T" => \$$cfg_ref{config_test_mode}, + "u=s" => \@{$$cfg_ref{url}}, + "U=s" => \$$cfg_ref{varfile}, + "v" => \$$cfg_ref{verbose}, + "V" => sub { + print "$VERSION\n"; + exit(0); + } + ); + + + show_usage unless ($cmdline_ok && $#ARGV == -1); + + $$cfg_ref{quiet} = 1 if ($$cfg_ref{super_quiet}); + $$cfg_ref{update_vars} = 1 if ($$cfg_ref{varfile}); + + if ($$cfg_ref{backup_dir}) { + $$cfg_ref{backup_dir} = File::Spec->canonpath($$cfg_ref{backup_dir}); + $$cfg_ref{make_backup} = 1; + } + + # Cannot specify dist var files without specifying var target file. + if (@{$$cfg_ref{dist_var_files}} && !$$cfg_ref{update_vars}) { + clean_exit("You can not specify distribution variable file(s) without ". + "also specifying local file to merge into"); + } + + # -o <dir> is the only required option in normal usage. + if ($$cfg_ref{output_dir}) { + $$cfg_ref{output_dir} = File::Spec->canonpath($$cfg_ref{output_dir}); + } else { + warn("Error: no output directory specified.\n"); + show_usage(); + } + + # Mark that url was set on command line (so we don't override it later). + $$cfg_ref{cmdline_url} = 1 if ($#{$config{url}} > -1); +} + + + +# Read in stuff from the configuration file. +sub read_config($ $) +{ + my $config_file = shift; + my $cfg_ref = shift; + my $linenum = 0; + my $multi; + my %templates; + + $config_file = File::Spec->canonpath(File::Spec->rel2abs($config_file)); + + clean_exit("configuration file \"$config_file\" does not exist.\n") + unless (-e "$config_file"); + + clean_exit("\"$config_file\" is not a file.\n") + unless (-f "$config_file"); + + print STDERR "Loading $config_file\n" + unless ($config{quiet}); + + # Avoid loading the same file multiple times to avoid infinite recursion etc. + if ($^O eq "MSWin32") { + clean_exit("attempt to load \"$config_file\" twice.") + if ($loaded{$config_file}++); + } else { + my ($dev, $ino) = (stat($config_file))[0,1] + or clean_exit("unable to stat $config_file: $!"); + clean_exit("attempt to load \"$config_file\" twice.") + if ($loaded{$dev, $ino}++); + } + + open(CONF, "<", "$config_file") + or clean_exit("could not open configuration file \"$config_file\": $!"); + my @conf = <CONF>; + close(CONF); + + LINE:while ($_ = shift(@conf)) { + $linenum++; + + unless ($multi) { + s/^\s*//; + s/^#.*//; + } + + # Multi-line start/continuation. + if (/\\\s*\n$/) { + s/\\\s*\n$//; + s/^\s*#.*//; + + # Be strict about removing #comments in modifysid/define_template statements, as + # they may contain other '#' chars. + if (defined($multi) && ($multi =~ /^modifysid/i || $multi =~ /^define_template/i)) { + s/#.*// if (/^\s*\d+[,\s\d]+#/); + } else { + s/\s*\#.*// unless (/^modifysid/i || /^define_template/i); + } + + $multi .= $_; + next LINE; + } + + # Last line of multi-line directive. + if (defined($multi)) { + $multi .= $_; + $_ = $multi; + undef($multi); + } + + # Remove traling whitespaces (*after* a possible multi-line is rebuilt). + s/\s*$//; + + # Remove comments unless it's a modifysid/define_template line + # (the "#" may be part of the modifysid expression). + s/\s*\#.*// unless (/^modifysid/i || /^define_template/i); + + # Skip blank lines. + next unless (/\S/); + + # Use a template and make $_ a "modifysid" line. + if (/^use_template\s+(\S+)\s+(\S+[^"]*)\s*(".*")*(?:#.*)*/i) { + my ($template_name, $sid, $args) = ($1, $2, $3); + + if (exists($templates{$template_name})) { + my $template = $templates{$template_name}; # so we don't substitute %ARGx% globally + + # Evaluate each "%ARGx%" in the template to the corresponding value. + if (defined($args)) { + my @args = split(/"\s+"/, $args); + foreach my $i (1 .. @args) { + $args[$i - 1] =~ s/^"//; + $args[$i - 1] =~ s/"$//; + $template =~ s/%ARG$i%/$args[$i - 1]/g; + } + } + + # There should be no %ARGx% stuff left now. + if ($template =~ /%ARG\d%/) { + warn("WARNING: too few arguments for template \"$template_name\"\n"); + $_ = "error"; # so it will be reported as an invalid line later + } + + unless ($_ eq "error") { + $_ = "modifysid $sid $template\n"; + print STDERR "Template \"$template_name\" expanded to: $_" + if ($config{verbose}); + } + + } else { + warn("WARNING: template \"$template_name\" has not been defined\n"); + } + } + + # new template definition. + if (/^define_template\s+(\S+)\s+(".+"\s+\|\s+".*")\s*(?:#.*)*$/i) { + my ($template_name, $template) = ($1, $2); + + if (exists($templates{$template_name})) { + warn("WARNING: line $linenum in $config_file: ". + "template \"$template_name\" already defined, keeping old\n"); + } else { + $templates{$template_name} = $template; + } + + # modifysid <SIDORFILE[,SIDORFILE, ...]> "substthis" | "withthis" + } elsif (/^modifysids*\s+(\S+.*)\s+"(.+)"\s+\|\s+"(.*)"\s*(?:#.*)*$/i) { + my ($sid_list, $subst, $repl) = ($1, $2, $3); + warn("WARNING: line $linenum in $config_file is invalid, ignoring\n") + unless(parse_mod_expr(\@{$$cfg_ref{sid_modify_list}}, + $sid_list, $subst, $repl)); + + # disablesid <SID[,SID, ...]> + } elsif (/^disablesids*\s+(\d.*)/i) { + my $sid_list = $1; + foreach my $sid (split(/\s*,\s*/, $sid_list)) { + if ($sid =~ /^\d+$/) { + $$cfg_ref{sid_disable_list}{$sid}++; + } else { + warn("WARNING: line $linenum in $config_file: ". + "\"$sid\" is not a valid SID, ignoring\n"); + } + } + + # localsid <SID[,SID, ...]> + } elsif (/^localsids*\s+(\d.*)/i) { + my $sid_list = $1; + foreach my $sid (split(/\s*,\s*/, $sid_list)) { + if ($sid =~ /^\d+$/) { + $$cfg_ref{sid_local_list}{$sid}++; + } else { + warn("WARNING: line $linenum in $config_file: ". + "\"$sid\" is not a valid SID, ignoring\n"); + } + } + + # enablesid <SID[,SID, ...]> + } elsif (/^enablesids*\s+(\d.*)/i) { + my $sid_list = $1; + foreach my $sid (split(/\s*,\s*/, $sid_list)) { + if ($sid =~ /^\d+$/) { + $$cfg_ref{sid_enable_list}{$sid}++; + } else { + warn("WARNING: line $linenum in $config_file: ". + "\"$sid\" is not a valid SID, ignoring\n"); + } + } + + # skipfile <file[,file, ...]> + } elsif (/^skipfiles*\s+(.*)/i) { + my $args = $1; + foreach my $file (split(/\s*,\s*/, $args)) { + if ($file =~ /^\S+$/) { + $config{verbose} && print STDERR "Adding file to ignore list: $file.\n"; + $$cfg_ref{file_ignore_list}{$file}++; + } else { + warn("WARNING: line $linenum in $config_file is invalid, ignoring\n"); + } + } + + } elsif (/^url\s*=\s*(.*)/i) { + push(@{$$cfg_ref{url}}, $1) + unless ($$cfg_ref{cmdline_url}); + + } elsif (/^path\s*=\s*(.+)/i) { + $$cfg_ref{path} = $1; + + } elsif (/^update_files\s*=\s*(.+)/i) { + $$cfg_ref{update_files} = $1; + + } elsif (/^rule_actions\s*=\s*(.+)/i) { + $$cfg_ref{rule_actions} = $1; + + } elsif (/^umask\s*=\s*([0-7]{4})$/i) { + $$cfg_ref{umask} = oct($1); + + } elsif (/^min_files\s*=\s*(\d+)/i) { + $$cfg_ref{min_files} = $1; + + } elsif (/^min_rules\s*=\s*(\d+)/i) { + $$cfg_ref{min_rules} = $1; + + } elsif (/^tmpdir\s*=\s*(.+)/i) { + $$cfg_ref{tmp_basedir} = $1; + + } elsif (/^use_external_bins\s*=\s*([01])/i) { + $$cfg_ref{use_external_bins} = $1; + + } elsif (/^scp_key\s*=\s*(.+)/i) { + $$cfg_ref{scp_key} = $1; + + } elsif (/^use_path_checks\s*=\s*([01])/i) { + $$cfg_ref{use_path_checks} = $1; + + } elsif (/^user_agent\s*=\s*(.+)/i) { + $$cfg_ref{user_agent} = $1; + + } elsif (/^include\s+(\S+.*)/i) { + my $include = $1; + read_config($include, $cfg_ref); + } else { + warn("WARNING: line $linenum in $config_file is invalid, ignoring\n"); + } + } +} + + + +# Make a few basic tests to make sure things look ok. +# Will also set a new PATH as defined in the config file. +sub sanity_check() +{ + my @req_params = qw(path update_files); # required parameters in conf + my @req_binaries = qw(gzip tar); # required binaries (unless we use modules) + + # Can't use both quiet mode and verbose mode. + clean_exit("quiet mode and verbose mode at the same time doesn't make sense.") + if ($config{quiet} && $config{verbose}); + + # Can't use multiple output modes. + clean_exit("can't use multiple output modes at the same time.") + if ($config{minimize_diff} && $config{summary_output}); + + # Make sure all required variables are defined in the config file. + foreach my $param (@req_params) { + clean_exit("the required parameter \"$param\" is not defined in the configuration file.") + unless (exists($config{$param})); + } + + # We now know a path was defined in the config, so set it. + # If we're under cygwin and path was specified as msdos style, convert + # it to cygwin style to avoid problems. + if ($^O eq "cygwin" && $config{path} =~ /^[a-zA-Z]:[\/\\]/) { + $ENV{PATH} = ""; + foreach my $path (split(/;/, $config{path})) { + $ENV{PATH} .= "$path:" if (msdos_to_cygwin_path(\$path)); + } + chop($ENV{PATH}); + } else { + $ENV{PATH} = $config{path}; + } + + # Reset environment variables that may cause trouble. + delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; + + # Make sure $config{update_files} is a valid regexp. + eval { + "foo" =~ /$config{update_files}/; + }; + + clean_exit("update_files (\"$config{update_files}\") is not a valid regexp: $@") + if ($@); + + # Make sure $config{rule_actions} is a valid regexp. + eval { + "foo" =~ /$config{rule_actions}/; + }; + + clean_exit("rule_actions (\"$config{rule_actions}\") is not a valid regexp: $@") + if ($@); + + # If a variable file (probably local snort.conf) has been specified, + # it must exist. It must also be writable unless we're in careful mode. + if ($config{update_vars}) { + $config{varfile} = untaint_path($config{varfile}); + + clean_exit("variable file \"$config{varfile}\" does not exist.") + unless (-e "$config{varfile}"); + + clean_exit("variable file \"$config{varfile}\" is not a file.") + unless (-f "$config{varfile}"); + + clean_exit("variable file \"$config{varfile}\" is not writable by you.") + if (!$config{careful} && !-w "$config{varfile}"); + + # Make sure dist var files don't contain [back]slashes + # (probably means user confused it with local var file). + my %dist_var_files; + foreach my $dist_var_file (@{${config{dist_var_files}}}) { + clean_exit("variable file \"$dist_var_file\" specified multiple times") + if (exists($dist_var_files{$dist_var_file})); + $dist_var_files{$dist_var_file} = 1; + clean_exit("variable file \"$dist_var_file\" contains slashes or backslashes ". + "but it must be specified as a filename (without path) ". + "that exists in the downloaded rules, e.g. \"snort.conf\"") + if ($dist_var_file =~ /\// || $dist_var_file =~ /\\/); + } + } + + # Make sure all required binaries can be found, unless + # we're used to use Perl modules instead. + # Wget is only required if url is http[s] or ftp. + if ($config{use_external_bins}) { + foreach my $binary (@req_binaries) { + clean_exit("$binary not found in PATH ($ENV{PATH}).") + unless (is_in_path($binary)); + } + } + + # Make sure $url is defined (either by -u <url> or url=... in the conf). + clean_exit("URL not specified. Specify at least one \"url=<url>\" in the \n". + "Oinkmaster configuration file or use the \"-u <url>\" argument") + if ($#{$config{url}} == -1); + + # Make sure all urls look ok, and untaint them. + my @urls = @{$config{url}}; + $#{$config{url}} = -1; + foreach my $url (@urls) { + clean_exit("incorrect URL: \"$url\"") + unless ($url =~ /^((?:https*|ftp|file|scp):\/\/.+\.(?:tar\.gz|tgz))$/ + || $url =~ /^(dir:\/\/.+)/); + my $ok_url = $1; + + if ($ok_url =~ /^dir:\/\/(.+)/) { + my $dir = untaint_path($1); + clean_exit("\"$dir\" does not exist or is not a directory") + unless (-d $dir); + + # Simple check if the output dir is specified as url (probably a mistake). + if (File::Spec->canonpath(File::Spec->rel2abs($dir)) + eq File::Spec->canonpath(File::Spec->rel2abs($config{output_dir}))) { + clean_exit("Download directory can not be same as output directory"); + } + } + push(@{$config{url}}, $ok_url); + } + + # Wget must be found if url is http[s]:// or ftp://. + if ($config{use_external_bins}) { + clean_exit("wget not found in PATH ($ENV{PATH}).") + if ($config{'url'} =~ /^(https*|ftp):/ && !is_in_path("wget")); + } + + # scp must be found if scp://... + clean_exit("scp not found in PATH ($ENV{PATH}).") + if ($config{'url'} =~ /^scp:/ && !is_in_path("scp")); + + # ssh key must exist if specified and url is scp://... + clean_exit("ssh key \"$config{scp_key}\" does not exist.") + if ($config{'url'} =~ /^scp:/ && exists($config{scp_key}) + && !-e $config{scp_key}); + + # Untaint output directory string. + $config{output_dir} = untaint_path($config{output_dir}); + + # Make sure the output directory exists and is readable. + clean_exit("the output directory \"$config{output_dir}\" doesn't exist ". + "or isn't readable by you.") + if (!-d "$config{output_dir}" || !-x "$config{output_dir}"); + + # Make sure the output directory is writable unless running in careful mode. + clean_exit("the output directory \"$config{output_dir}\" isn't writable by you.") + if (!$config{careful} && !-w "$config{output_dir}"); + + # Make sure we have read permission on all rules files in the output dir, + # and also write permission unless we're in careful mode. + # This is to avoid bailing out in the middle of an execution if a copy + # fails because of permission problem. + opendir(OUTDIR, "$config{output_dir}") + or clean_exit("could not open directory $config{output_dir}: $!"); + + while ($_ = readdir(OUTDIR)) { + next if (/^\.\.?$/ || exists($config{file_ignore_list}{$_})); + + if (/$config{update_files}/) { + unless (-r "$config{output_dir}/$_") { + closedir(OUTDIR); + clean_exit("no read permission on \"$config{output_dir}/$_\"\n". + "Read permission is required on all rules files ". + "inside the output directory.\n") + } + + if (!$config{careful} && !-w "$config{output_dir}/$_") { + closedir(OUTDIR); + clean_exit("no write permission on \"$config{output_dir}/$_\"\n". + "Write permission is required on all rules files ". + "inside the output directory.\n") + } + } + } + + closedir(OUTDIR); + + # Make sure the backup directory exists and is writable if running with -b. + if ($config{make_backup}) { + $config{backup_dir} = untaint_path($config{backup_dir}); + clean_exit("the backup directory \"$config{backup_dir}\" doesn't exist or ". + "isn't writable by you.") + if (!-d "$config{backup_dir}" || !-w "$config{backup_dir}"); + } + + # Convert tmp_basedir to cygwin style if running cygwin and msdos style was specified. + if ($^O eq "cygwin" && $config{tmp_basedir} =~ /^[a-zA-Z]:[\/\\]/) { + msdos_to_cygwin_path(\$config{tmp_basedir}) + or clean_exit("could not convert temporary dir to cygwin style"); + } + + # Make sure temporary directory exists. + clean_exit("the temporary directory \"$config{tmp_basedir}\" does not ". + "exist or isn't writable by you.") + if (!-d "$config{tmp_basedir}" || !-w "$config{tmp_basedir}"); + + # Also untaint it. + $config{tmp_basedir} = untaint_path($config{tmp_basedir}); + + # Make sure stdin and stdout are ttys if we're running in interactive mode. + clean_exit("you can not run in interactive mode when STDIN/STDOUT is not a TTY.") + if ($config{interactive} && !(-t STDIN && -t STDOUT)); +} + + + +# Download the rules archive. +sub download_file($ $) +{ + my $url = shift; + my $localfile = shift; + my $log = "$tmpdir/wget.log"; + my $ret; + + # If there seems to be a password in the url, replace it with "*password*" + # and use new string when printing the url to screen. + my $obfuscated_url = $url; + $obfuscated_url = "$1:*password*\@$2" + if ($obfuscated_url =~ /^(\S+:\/\/.+?):.+?@(.+)/); + + # Ofbuscate oinkcode as well. + $obfuscated_url = "$1*oinkcode*$2" + if ($obfuscated_url =~ /^(\S+:\/\/.+\.cgi\/)[0-9a-z]{32,64}(\/.+)/i); + + my @user_agent_opt; + @user_agent_opt = ("-U", $config{user_agent}) if (exists($config{user_agent})); + + # Use wget if URL starts with "http[s]" or "ftp" and we use external binaries. + if ($config{use_external_bins} && $url =~ /^(?:https*|ftp)/) { + print STDERR "Downloading file from $obfuscated_url... " + unless ($config{quiet}); + + if ($config{verbose}) { + print STDERR "\n"; + my @wget_cmd = ("wget", "-v", "-O", $localfile, $url, @user_agent_opt); + clean_exit("could not download from $obfuscated_url") + if (system(@wget_cmd)); + + } else { + my @wget_cmd = ("wget", "-v", "-o", $log, "-O", $localfile, $url, @user_agent_opt); + if (system(@wget_cmd)) { + my $log_output; + open(LOG, "<", "$log") + or clean_exit("could not open $log for reading: $!"); + # Sanitize oinkcode in wget's log (password is automatically sanitized). + while (<LOG>) { + $_ = "$1*oinkcode*$2" + if (/(\S+:\/\/.+\.cgi\/)[0-9a-z]{32,64}(\/.+)/i); + $log_output .= $_; + } + close(LOG); + clean_exit("could not download from $obfuscated_url. ". + "Output from wget follows:\n\n $log_output"); + } + print STDERR "done.\n" unless ($config{quiet}); + } + + # Use LWP if URL starts with "http[s]" or "ftp" and use_external_bins=0. + } elsif (!$config{use_external_bins} && $url =~ /^(?:https*|ftp)/) { + print STDERR "Downloading file from $obfuscated_url... " + unless ($config{quiet}); + + my %lwp_opt; + $lwp_opt{agent} = $config{user_agent} if (exists($config{user_agent})); + + my $ua = LWP::UserAgent->new(%lwp_opt); + $ua->env_proxy; + my $request = HTTP::Request->new(GET => $url); + my $response = $ua->request($request, $localfile); + + clean_exit("could not download from $obfuscated_url: " . $response->status_line) + unless $response->is_success; + + print "done.\n" unless ($config{quiet}); + + # Grab file from local filesystem if file://... + } elsif ($url =~ /^file/) { + $url =~ s/^file:\/\///; + + clean_exit("the file $url does not exist.") + unless (-e "$url"); + + clean_exit("the file $url is empty.") + unless (-s "$url"); + + print STDERR "Copying file from $url... " + unless ($config{quiet}); + + copy("$url", "$localfile") + or clean_exit("unable to copy $url to $localfile: $!"); + + print STDERR "done.\n" + unless ($config{quiet}); + + # Grab file using scp if scp://... + } elsif ($url =~ /^scp/) { + $url =~ s/^scp:\/\///; + + my @cmd; + push(@cmd, "scp"); + push(@cmd, "-i", "$config{scp_key}") if (exists($config{scp_key})); + push(@cmd, "-q") if ($config{quiet}); + push(@cmd, "-v") if ($config{verbose}); + push(@cmd, "$url", "$localfile"); + + print STDERR "Copying file from $url using scp:\n" + unless ($config{quiet}); + + clean_exit("scp returned error when trying to copy $url") + if (system(@cmd)); + + # Unknown download method. + } else { + clean_exit("unknown or unsupported download method\n"); + } + + # Make sure the downloaded file actually exists. + clean_exit("failed to download $url: ". + "local target file $localfile doesn't exist after download.") + unless (-e "$localfile"); + + # Also make sure it's at least non-empty. + clean_exit("failed to download $url: local target file $localfile is empty ". + "after download (perhaps you're out of diskspace or file in url is empty?)") + unless (-s "$localfile"); +} + + + +# Copy all rules files from the tmp dirs (one for each url) +# into a single directory inside the tmp dir, except for files +# matching a 'skipfile' directive'. +# Will exit in case of colliding filenames. +sub join_tmp_rules_dirs($ $ @) +{ + my $rules_dir = shift; + my $new_files_ref = shift; + my @url_tmpdirs = @_; + + my %rules_files; + + clean_exit("failed to create directory \"$rules_dir\": $!") + unless (mkdir($rules_dir)); + + foreach my $url_tmpdir (@url_tmpdirs) { + opendir(URL_TMPDIR, "$url_tmpdir") + or clean_exit("could not open directory \"$url_tmpdir\": $!"); + + while ($_ = readdir(URL_TMPDIR)) { + next if (/^\.\.?$/ || exists($config{file_ignore_list}{$_}) || !/$config{update_files}/); + + if (exists($rules_files{$_})) { + closedir(URL_TMPDIR); + clean_exit("a file called \"$_\" exists in multiple rules archives") + } + + # Make sure it's a regular file. + unless (-f "$url_tmpdir/$_" && !-l "$url_tmpdir/$_") { + closedir(URL_TMPDIR); + clean_exit("downloaded \"$_\" is not a regular file.") + } + + $rules_files{$_} = 1; + $$new_files_ref{"$rules_dir/$_"} = 1; + + my $src_file = untaint_path("$url_tmpdir/$_"); + unless (copy("$src_file", "$rules_dir")) { + closedir(URL_TMPDIR); + clean_exit("could not copy \"$src_file\" to \"$rules_dir\": $!"); + } + } + + closedir(URL_TMPDIR); + } + + return (keys(%$new_files_ref)); +} + + + +# Make a few basic sanity checks on the rules archive and then +# uncompress/untar it if everything looked ok. +sub unpack_rules_archive($ $ $) +{ + my $url = shift; # only used when printing warnings/errors + my $archive = shift; + my $rules_dir = shift; + + my ($tar, @tar_content); + + my $old_dir = untaint_path(File::Spec->rel2abs(File::Spec->curdir())); + + my $dir = dirname($archive); + chdir("$dir") or clean_exit("$url: could not change directory to \"$dir\": $!"); + + if ($config{use_external_bins}) { + + # Run integrity check on the gzip file. + clean_exit("$url: integrity check on gzip file failed (file transfer failed or ". + "file in URL not in gzip format?).") + if (system("gzip", "-t", "$archive")); + + # Decompress it. + system("gzip", "-d", "$archive") + and clean_exit("$url: unable to uncompress $archive."); + + # Suffix has now changed from .tar.gz|.tgz to .tar. + $archive =~ s/\.gz$//; + + # Make sure the .tar file now exists. + # (Gzip may not return an error if it was not a gzipped file...) + clean_exit("$url: failed to unpack gzip file (file transfer failed or ". + "file in URL not in tar'ed gzip format?).") + unless (-e "$archive"); + + my $stdout_file = "$tmpdir/tar_content.out"; + + open(OLDOUT, ">&STDOUT") or clean_exit("could not dup STDOUT: $!"); + open(STDOUT, ">$stdout_file") or clean_exit("could not redirect STDOUT: $!"); + + my $ret = system("tar", "tf", "$archive"); + + close(STDOUT); + open(STDOUT, ">&OLDOUT") or clean_exit("could not dup STDOUT: $!"); + close(OLDOUT); + + clean_exit("$url: could not list files in tar archive (is it broken?)") + if ($ret); + + open(TAR, "$stdout_file") or clean_exit("failed to open $stdout_file: $!"); + @tar_content = <TAR>; + close(TAR); + + # use_external_bins=0 + } else { + $tar = Archive::Tar->new($archive, 1); + clean_exit("$url: failed to read $archive (file transfer failed or ". + "file in URL not in tar'ed gzip format?).") + unless (defined($tar)); + @tar_content = $tar->list_files(); + } + + # Make sure we could grab some content from the tarball. + clean_exit("$url: could not list files in tar archive (is it broken?)") + if ($#tar_content < 0); + + # For each filename in the archive, do some basic sanity checks. + foreach my $filename (@tar_content) { + chomp($filename); + + # We don't want absolute filename. + clean_exit("$url: rules archive contains absolute filename. ". + "Offending file/line:\n$filename") + if ($filename =~ /^\//); + + # We don't want to have any weird characters anywhere in the filename. + clean_exit("$url: illegal character in filename in tar archive. Allowed are ". + "$OK_PATH_CHARS\nOffending file/line:\n$filename") + if ($config{use_path_checks} && $filename =~ /[^$OK_PATH_CHARS]/); + + # We don't want to unpack any "../../" junk (check is useless now though). + clean_exit("$url: filename in tar archive contains \"..\".\n". + "Offending file/line:\n$filename") + if ($filename =~ /\.\./); + } + + # Looks good. Now we can untar it. + print STDERR "Archive successfully downloaded, unpacking... " + unless ($config{quiet}); + + if ($config{use_external_bins}) { + clean_exit("failed to untar $archive.") + if system("tar", "xf", "$archive"); + } else { + mkdir("$rules_dir") or clean_exit("could not create \"$rules_dir\" directory: $!\n"); + foreach my $file ($tar->list_files) { + next unless ($file =~ /^$rules_dir\/[^\/]+$/); # only ^rules/<file>$ + + my $content = $tar->get_content($file); + + # Symlinks in the archive will make get_content return undef. + clean_exit("could not get content from file \"$file\" in downloaded archive, ". + "make sure it is a regular file\n") + unless (defined($content)); + + open(RULEFILE, ">", "$file") + or clean_exit("could not open \"$file\" for writing: $!\n"); + print RULEFILE $content; + close(RULEFILE); + } + } + + # Make sure that non-empty rules directory existed in archive. + # We permit empty rules directory if min_files is set to 0 though. + clean_exit("$url: no \"$rules_dir\" directory found in tar file.") + unless (-d "$dir/$rules_dir"); + + my $num_files = 0; + opendir(RULESDIR, "$dir/$rules_dir") + or clean_exit("could not open directory \"$dir/$rules_dir\": $!"); + + while ($_ = readdir(RULESDIR)) { + next if (/^\.\.?$/); + $num_files++; + } + + closedir(RULESDIR); + + clean_exit("$url: directory \"$rules_dir\" in unpacked archive is empty") + if ($num_files == 0 && $config{min_files} != 0); + + chdir($old_dir) + or clean_exit("could not change directory back to $old_dir: $!"); + + print STDERR "done.\n" + unless ($config{quiet}); +} + + + +# Open all rules files in the temporary directory and disable/modify all +# rules/lines as requested in oinkmaster.conf, and then write back to the +# same files. Also clean unwanted whitespaces and duplicate sids from them. +sub process_rules($ $ $ $ $ $) +{ + my $modify_sid_ref = shift; + my $disable_sid_ref = shift; + my $enable_sid_ref = shift; + my $local_sid_ref = shift; + my $rh_tmp_ref = shift; + my $newfiles_ref = shift; + my %sids; + + my %stats = ( + disabled => 0, + enabled => 0, + modified => 0, + total => 0, + ); + + warn("WARNING: all rules that are disabled by default will be enabled\n") + if ($config{enable_all} && !$config{quiet}); + + print STDERR "Processing downloaded rules... " + unless ($config{quiet}); + + print STDERR "\n" + if ($config{verbose}); + + # Phase #1 - process all active rules and store in temporary hash. + # In case of dups, we use the one with the highest rev. + foreach my $file (sort(keys(%$newfiles_ref))) { + + open(INFILE, "<", "$file") + or clean_exit("could not open $file for reading: $!"); + my @infile = <INFILE>; + close(INFILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + RULELOOP:while (get_next_entry(\@infile, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + + # We don't care about non-rules in this phase. + next RULELOOP if (defined($nonrule)); + + # Even if it was a single-line rule, we want a copy in $multi. + $multi = $single unless (defined($multi)); + + my %rule = ( + single => $single, + multi => $multi, + ); + + # modify/disable/enable this rule as requested unless there is a matching + # localsid statement. Possible verbose messages and warnings will be printed. + unless (exists($$local_sid_ref{$sid})) { + process_rule($modify_sid_ref, $disable_sid_ref, $enable_sid_ref, + \%rule, $sid, \%stats, 1, basename($file)); + } + + $stats{total}++; + + $single = $rule{single}; + $multi = $rule{multi}; + + # Only care about active rules in this phase (the rule may have been + # disabled by a disablesid or a modifysid statement above, so we can't + # do this check earlier). + next RULELOOP if ($multi =~ /^#/); + + # Is it a dup? If so, see if this seems to be more recent (higher rev). + if (exists($sids{$sid})) { + warn("\nWARNING: duplicate SID in downloaded archive, SID=$sid, ". + "only keeping rule with highest 'rev'\n") + unless($config{super_quiet}); + + my ($old_rev) = ($sids{$sid}{single} =~ /\brev\s*:\s*(\d+)\s*;/); + my ($new_rev) = ($single =~ /\brev\s*:\s*(\d+)\s*;/); + + # This is so rules with a rev gets higher prio than + # rules without any rev. + $old_rev = -1 unless (defined($old_rev)); + $new_rev = -1 unless (defined($new_rev)); + + # If this rev is higher than the one in the last stored rule with + # this sid, replace rule with this one. This is also done if the + # revs are equal because we assume the rule appearing last in the + # rules file is the more recent rule. + if ($new_rev >= $old_rev) { + $sids{$sid}{single} = $single; + $sids{$sid}{multi} = $multi; + } + + # No dup. + } else { + $sids{$sid}{single} = $single; + $sids{$sid}{multi} = $multi; + } + } + } + + # Phase #2 - read all rules files again, but when writing active rules + # back to the files, use the one stored in the sid hash (which is free of dups). + foreach my $file (sort(keys(%$newfiles_ref))) { + + open(INFILE, "<", "$file") + or clean_exit("could not open $file for reading: $!"); + my @infile = <INFILE>; + close(INFILE); + + # Write back to the same file. + open(OUTFILE, ">", "$file") + or clean_exit("could not open $file for writing: $!"); + + my ($single, $multi, $nonrule, $msg, $sid); + + RULELOOP:while (get_next_entry(\@infile, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + if (defined($nonrule)) { + print OUTFILE "$nonrule"; + next RULELOOP; + } + + # Even if it was a single-line rule, we want a copy in $multi. + $multi = $single unless (defined($multi)); + + # If this rule is marked as localized and has not yet been written, + # write the old version to the new rules file. + if (exists($$local_sid_ref{$sid}) && !exists($sids{$sid}{printed})) { + + # Just ignore the rule in the downloaded file if it doesn't + # exist in the same local file. + unless(exists($$rh_tmp_ref{old}{rules}{basename($file)}{$sid})) { + warn("WARNING: SID $sid is marked as local and exists in ". + "downloaded " . basename($file) . " but the SID does not ". + "exist in the local file, ignoring rule\n") + if ($config{verbose}); + + next RULELOOP; + } + + print OUTFILE $$rh_tmp_ref{old}{rules}{basename($file)}{$sid}; + $sids{$sid}{printed} = 1; + + warn("SID $sid is marked as local, keeping your version from ". + basename($file) . ".\n". + "Your version: $$rh_tmp_ref{old}{rules}{basename($file)}{$sid}". + "Downloaded version: $multi\n") + if ($config{verbose}); + + next RULELOOP; + } + + my %rule = ( + single => $single, + multi => $multi, + ); + + # modify/disable/enable this rule. Possible verbose messages and warnings + # will not be printed (again) as this was done in the first phase. + # We send the stats to a dummy var as this was collected on the + # first phase as well. + process_rule($modify_sid_ref, $disable_sid_ref, $enable_sid_ref, + \%rule, $sid, \my %unused_stats, 0, basename($file)); + + $single = $rule{single}; + $multi = $rule{multi}; + + # Disabled rules are printed right back to the file, unless + # there also is an active rule with the same sid. Als o make + # sure we only print the sid once, even though it's disabled. + if ($multi =~ /^#/ && !exists($sids{$sid}) && !exists($sids{$sid}{printed})) { + print OUTFILE $multi; + $sids{$sid}{printed} = 1; + next RULELOOP; + } + + # If this sid has not yet been printed and this is the place where + # the sid with the highest rev was, print the rule to the file. + # (There can be multiple totally different rules with the same sid + # and we don't want to put the wrong rule in the wrong place. + if (!exists($sids{$sid}{printed}) && $single eq $sids{$sid}{single}) { + print OUTFILE $multi; + $sids{$sid}{printed} = 1; + } + } + + close(OUTFILE); + } + + print STDERR "disabled $stats{disabled}, enabled $stats{enabled}, ". + "modified $stats{modified}, total=$stats{total}\n" + unless ($config{quiet}); + + # Print warnings on attempt at enablesid/disablesid/localsid on non-existent + # rule if we're in verbose mode. + if ($config{verbose}) { + foreach my $sid (keys(%$enable_sid_ref)) { + warn("WARNING: attempt to use \"enablesid\" on non-existent SID $sid\n") + unless (exists($sids{$sid})); + } + + foreach my $sid (keys(%$disable_sid_ref)) { + warn("WARNING: attempt to use \"disablesid\" on non-existent SID $sid\n") + unless (exists($sids{$sid})); + } + + foreach my $sid (keys(%$local_sid_ref)) { + warn("WARNING: attempt to use \"localsid\" on non-existent SID $sid\n") + unless (exists($sids{$sid})); + } + } + + # Print warnings on attempt at modifysid'ing non-existent stuff, unless quiet mode. + unless ($config{quiet}) { + my %new_files; + foreach my $file (sort(keys(%$newfiles_ref))) { + $new_files{basename($file)} = 1; + } + + my %mod_tmp; + foreach my $mod_expr (@$modify_sid_ref) { + my ($type, $arg) = ($mod_expr->[2], $mod_expr->[3]); + $mod_tmp{$type}{$arg} = 1; + } + + foreach my $sid (keys(%{$mod_tmp{sid}})) { + warn("WARNING: attempt to use \"modifysid\" on non-existent SID $sid\n") + unless (exists($sids{$sid})); + } + + foreach my $file (keys(%{$mod_tmp{file}})) { + warn("WARNING: attempt to use \"modifysid\" on non-existent file $file\n") + unless(exists($new_files{$file})); + } + } + + # Return total number of valid rules. + return ($stats{total}); +} + + + +# Process (modify/enable/disable) a rule as requested. +sub process_rule($ $ $ $ $ $ $ $) +{ + my $modify_sid_ref = shift; + my $disable_sid_ref = shift; + my $enable_sid_ref = shift; + my $rule_ref = shift; + my $sid = shift; + my $stats_ref = shift; + my $print_messages = shift; + my $filename = shift; + + # Just for easier access. + my $single = $$rule_ref{single}; + my $multi = $$rule_ref{multi}; + + # Some rules may be commented out by default. + # Enable them if -e is specified (both single-line and multi-line, + # version, because we don't know which version one we're going to + # use below. + # Enable them if -e is specified. + if ($multi =~ /^#/ && $config{enable_all}) { + $multi =~ s/^#*//; + $multi =~ s/\n#*/\n/g; + $single =~ s/^#*//; + $$stats_ref{enabled}++; + } + + # Modify rule if requested. For disablesid/enablesid we work + # on the multi-line version of the rule (if exists). For + # modifysid that's no good since we don't know where in the + # rule the trailing backslashes and newlines are going to be + # and we don't want them to affect the regexp. + MOD_EXP:foreach my $mod_expr (@$modify_sid_ref) { + my ($subst, $repl, $type, $arg) = + ($mod_expr->[0], $mod_expr->[1], $mod_expr->[2], $mod_expr->[3]); + + my $print_modify_warnings = 0; + $print_modify_warnings = 1 if (!$config{super_quiet} && $print_messages && $type eq "sid"); + + if ($type eq "wildcard" || ($type eq "sid" && $sid eq $arg) || + ($type eq "file" && $filename eq $arg)) { + + if ($single =~ /$subst/si) { + print STDERR "Modifying rule, SID=$sid, filename=$filename, ". + "match type=$type, subst=$subst, ". + "repl=$repl\nBefore: $single" + if ($print_messages && $config{verbose}); + + + # If user specified a backreference but the regexp did not set $1 - don't modify rule. + if (!defined($1) && ($repl =~ /[^\\]\$\d+/ || $repl =~ /[^\\]\$\{\d+\}/ + || $repl =~ /^qq\/\$\d+/ || $repl =~ /^qq\/\$\{\d+\}/)) { + warn("WARNING: SID $sid matches modifysid expression \"$subst\" but ". + "backreference variable \$1 is undefined after match, ". + "keeping original rule\n") + if ($print_modify_warnings); + next MOD_EXP; + } + + # Do the substitution on the single-line version and put it + # back in $multi. + $single =~ s/$subst/$repl/eei; + $multi = $single; + + print STDERR "After: $single\n" + if ($print_messages && $config{verbose}); + + $$stats_ref{modified}++; + } else { + if ($print_modify_warnings) { + warn("WARNING: SID $sid does not match modifysid ". + "expression \"$subst\", keeping original rule\n"); + } + } + } + } + + # Disable rule if requested and it's not already disabled. + if (exists($$disable_sid_ref{$sid}) && $multi !~ /^\s*#/) { + $multi = "#$multi"; + $multi =~ s/\n([^#].+)/\n#$1/g; + $$stats_ref{disabled}++; + } + + # Enable rule if requested and it's not already enabled. + if (exists($$enable_sid_ref{$sid}) && $multi =~ /^\s*#/) { + $multi =~ s/^#+//; + $multi =~ s/\n#+(.+)/\n$1/g; + $$stats_ref{enabled}++; + } + + $$rule_ref{single} = $single; + $$rule_ref{multi} = $multi; +} + + + +# Setup rules hash. +# Format for rules will be: rh{old|new}{rules{filename}{sid} = single-line rule +# Format for non-rules will be: rh{old|new}{other}{filename} = array of lines +# List of added files will be stored as rh{added_files}{filename} +sub setup_rules_hash($ $) +{ + my $new_files_ref = shift; + my $output_dir = shift; + + my (%rh, %old_sids); + + print STDERR "Setting up rules structures... " + unless ($config{quiet}); + + foreach my $file (sort(keys(%$new_files_ref))) { + warn("\nWARNING: downloaded rules file $file is empty\n") + if (!-s "$file" && $config{verbose}); + + open(NEWFILE, "<", "$file") + or clean_exit("could not open $file for reading: $!"); + my @newfile = <NEWFILE>; + close(NEWFILE); + + # From now on we don't care about the path, so remove it. + $file = basename($file); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@newfile, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + if (defined($single)) { + $rh{new}{rules}{"$file"}{"$sid"} = $single; + } else { + push(@{$rh{new}{other}{"$file"}}, $nonrule); + } + } + + # Also read in old (aka local) file if it exists. + # We do a sid dup check in these files. + if (-f "$output_dir/$file") { + open(OLDFILE, "<", "$output_dir/$file") + or clean_exit("could not open $output_dir/$file for reading: $!"); + my @oldfile = <OLDFILE>; + close(OLDFILE); + + while (get_next_entry(\@oldfile, \$single, \$multi, \$nonrule, undef, \$sid)) { + if (defined($single)) { + warn("\nWARNING: duplicate SID in your local rules, SID ". + "$sid exists multiple times, you may need to fix this manually!\n") + if (exists($old_sids{$sid})); + + $rh{old}{rules}{"$file"}{"$sid"} = $single; + $old_sids{$sid}++; + } else { + push(@{$rh{old}{other}{"$file"}}, $nonrule); + } + } + } else { + $rh{added_files}{"$file"}++; + } + } + + print STDERR "done.\n" + unless ($config{quiet}); + + return (%rh); +} + + + +# Return lines that exist only in first array but not in second one. +sub get_first_only($ $ $) +{ + my $first_only_ref = shift; + my $first_arr_ref = shift; + my $second_arr_ref = shift; + my %arr_hash; + + @arr_hash{@$second_arr_ref} = (); + + foreach my $line (@$first_arr_ref) { + + # Skip blank lines and CVS Id tags. + next unless ($line =~ /\S/); + next if ($line =~ /^\s*#+\s*\$I\S:.+Exp\s*\$/); + + push(@$first_only_ref, $line) + unless(exists($arr_hash{$line})); + } +} + + + +# Backup files in output dir matching $config{update_files} into the backup dir. +sub make_backup($ $) +{ + my $src_dir = shift; # dir with the rules to be backed up + my $dest_dir = shift; # where to put the backup tarball + + my ($sec, $min, $hour, $mday, $mon, $year) = (localtime)[0 .. 5]; + + my $date = sprintf("%4d%02d%02d-%02d%02d%02d", + $year + 1900, $mon + 1, $mday, $hour, $min, $sec); + + my $backup_tarball = "rules-backup-$date.tar"; + my $backup_tmp_dir = File::Spec->catdir("$tmpdir", "rules-backup-$date"); + my $dest_file = File::Spec->catfile("$dest_dir", "$backup_tarball.gz"); + + print STDERR "Creating backup of old rules..." + unless ($config{quiet}); + + mkdir("$backup_tmp_dir", 0700) + or clean_exit("could not create temporary backup directory $backup_tmp_dir: $!"); + + # Copy all rules files from the rules dir to the temporary backup dir. + opendir(OLDRULES, "$src_dir") + or clean_exit("could not open directory $src_dir: $!"); + + while ($_ = readdir(OLDRULES)) { + next if (/^\.\.?$/); + if (/$config{update_files}/) { + my $src_file = untaint_path("$src_dir/$_"); + copy("$src_file", "$backup_tmp_dir/") + or warn("WARNING: could not copy $src_file to $backup_tmp_dir/: $!"); + } + } + + closedir(OLDRULES); + + # Also backup the -U <file> (as "variable-file.conf") if specified. + if ($config{update_vars}) { + copy("$config{varfile}", "$backup_tmp_dir/variable-file.conf") + or warn("WARNING: could not copy $config{varfile} to $backup_tmp_dir: $!") + } + + my $old_dir = untaint_path(File::Spec->rel2abs(File::Spec->curdir())); + + # Change directory to $tmpdir (so we'll be right below the directory where + # we have our rules to be backed up). + chdir("$tmpdir") or clean_exit("could not change directory to $tmpdir: $!"); + + if ($config{use_external_bins}) { + clean_exit("tar command returned error when archiving backup files.\n") + if (system("tar","cf","$backup_tarball","rules-backup-$date")); + + clean_exit("gzip command returned error when compressing backup file.\n") + if (system("gzip","$backup_tarball")); + + $backup_tarball .= ".gz"; + + } else { + my $tar = Archive::Tar->new; + opendir(RULES, "rules-backup-$date") + or clean_exit("unable to open directory \"rules-backup-$date\": $!"); + + while ($_ = readdir(RULES)) { + next if (/^\.\.?$/); + $tar->add_files("rules-backup-$date/$_"); + } + + closedir(RULES); + + $backup_tarball .= ".gz"; + + # Write tarball. Print stupid error message if it fails as + # we can't use $tar->error or Tar::error on all platforms. + $tar->write("$backup_tarball", 1); + + clean_exit("could not create backup archive: tarball empty after creation\n") + unless (-s "$backup_tarball"); + } + + # Change back to old directory (so it will work with -b <directory> as either + # an absolute or a relative path. + chdir("$old_dir") + or clean_exit("could not change directory back to $old_dir: $!"); + + copy("$tmpdir/$backup_tarball", "$dest_file") + or clean_exit("unable to copy $tmpdir/$backup_tarball to $dest_file/: $!\n"); + + print STDERR " saved as $dest_file.\n" + unless ($config{quiet}); +} + + + +# Print the results. +sub print_changes($ $) +{ + my $ch_ref = shift; + my $rh_ref = shift; + + my ($sec, $min, $hour, $mday, $mon, $year) = (localtime)[0 .. 5]; + + my $date = sprintf("%4d%02d%02d %02d:%02d:%02d", + $year + 1900, $mon + 1, $mday, $hour, $min, $sec); + + print "\n[***] Results from Oinkmaster started $date [***]\n"; + + # Print new variables. + if ($config{update_vars}) { + if ($#{$$ch_ref{new_vars}} > -1) { + print "\n[*] New variables: [*]\n"; + foreach my $var (@{$$ch_ref{new_vars}}) { + print " $var"; + } + } else { + print "\n[*] New variables: [*]\n None.\n" + unless ($config{super_quiet}); + } + } + + + # Print rules modifications. + print "\n[*] Rules modifications: [*]\n None.\n" + if (!keys(%{$$ch_ref{rules}}) && !$config{super_quiet}); + + # Print added rules. + if (exists($$ch_ref{rules}{added})) { + print "\n[+++] Added rules: [+++]\n"; + if ($config{summary_output}) { + print_summary_change(\%{$$ch_ref{rules}{added}}, $rh_ref); + } else { + print_changetype($PRINT_NEW, "Added to", + \%{$$ch_ref{rules}{added}}, $rh_ref); + } + } + + # Print enabled rules. + if (exists($$ch_ref{rules}{ena})) { + print "\n[+++] Enabled rules: [+++]\n"; + if ($config{summary_output}) { + print_summary_change(\%{$$ch_ref{rules}{ena}}, $rh_ref); + } else { + print_changetype($PRINT_NEW, "Enabled in", + \%{$$ch_ref{rules}{ena}}, $rh_ref); + } + } + + # Print enabled + modified rules. + if (exists($$ch_ref{rules}{ena_mod})) { + print "\n[+++] Enabled and modified rules: [+++]\n"; + if ($config{summary_output}) { + print_summary_change(\%{$$ch_ref{rules}{ena_mod}}, $rh_ref); + } else { + print_changetype($PRINT_BOTH, "Enabled and modified in", + \%{$$ch_ref{rules}{ena_mod}}, $rh_ref); + } + } + + # Print modified active rules. + if (exists($$ch_ref{rules}{mod_act})) { + print "\n[///] Modified active rules: [///]\n"; + + if ($config{summary_output}) { + print_summary_change(\%{$$ch_ref{rules}{mod_act}}, $rh_ref); + } else { + print_changetype($PRINT_BOTH, "Modified active in", + \%{$$ch_ref{rules}{mod_act}}, $rh_ref); + } + } + + # Print modified inactive rules. + if (exists($$ch_ref{rules}{mod_ina})) { + print "\n[///] Modified inactive rules: [///]\n"; + if ($config{summary_output}) { + print_summary_change(\%{$$ch_ref{rules}{mod_ina}}, $rh_ref); + } else { + print_changetype($PRINT_BOTH, "Modified inactive in", + \%{$$ch_ref{rules}{mod_ina}}, $rh_ref); + } + } + + # Print disabled + modified rules. + if (exists($$ch_ref{rules}{dis_mod})) { + print "\n[---] Disabled and modified rules: [---]\n"; + if ($config{summary_output}) { + print_summary_change(\%{$$ch_ref{rules}{dis_mod}}, $rh_ref); + } else { + print_changetype($PRINT_BOTH, "Disabled and modified in", + \%{$$ch_ref{rules}{dis_mod}}, $rh_ref); + } + } + + # Print disabled rules. + if (exists($$ch_ref{rules}{dis})) { + print "\n[---] Disabled rules: [---]\n"; + if ($config{summary_output}) { + print_summary_change(\%{$$ch_ref{rules}{dis}}, $rh_ref); + } else { + print_changetype($PRINT_NEW, "Disabled in", + \%{$$ch_ref{rules}{dis}}, $rh_ref); + } + } + + # Print removed rules. + if (exists($$ch_ref{rules}{removed})) { + print "\n[---] Removed rules: [---]\n"; + if ($config{summary_output}) { + print_summary_change(\%{$$ch_ref{rules}{removed}}, $rh_ref); + } else { + print_changetype($PRINT_OLD, "Removed from", + \%{$$ch_ref{rules}{removed}}, $rh_ref); + } + } + + + # Print non-rule modifications. + print "\n[*] Non-rule line modifications: [*]\n None.\n" + if (!keys(%{$$ch_ref{other}}) && !$config{super_quiet}); + + # Print added non-rule lines. + if (exists($$ch_ref{other}{added})) { + print "\n[+++] Added non-rule lines: [+++]\n"; + foreach my $file (sort({uc($a) cmp uc($b)} keys(%{$$ch_ref{other}{added}}))) { + my $num = $#{$$ch_ref{other}{added}{$file}} + 1; + print "\n -> Added to $file ($num):\n"; + foreach my $line (@{$$ch_ref{other}{added}{$file}}) { + print " $line"; + } + } + } + + # Print removed non-rule lines. + if (keys(%{$$ch_ref{other}{removed}}) > 0) { + print "\n[---] Removed non-rule lines: [---]\n"; + foreach my $file (sort({uc($a) cmp uc($b)} keys(%{$$ch_ref{other}{removed}}))) { + my $num = $#{$$ch_ref{other}{removed}{$file}} + 1; + print "\n -> Removed from $file ($num):\n"; + foreach my $other (@{$$ch_ref{other}{removed}{$file}}) { + print " $other"; + } + } + } + + + # Print list of added files. + if (keys(%{$$ch_ref{added_files}})) { + print "\n[+] Added files (consider updating your snort.conf to include them if needed): [+]\n\n"; + foreach my $added_file (sort({uc($a) cmp uc($b)} keys(%{$$ch_ref{added_files}}))) { + print " -> $added_file\n"; + } + } else { + print "\n[*] Added files: [*]\n None.\n" + unless ($config{super_quiet} || $config{summary_output}); + } + + # Print list of possibly removed files if requested. + if ($config{check_removed}) { + if (keys(%{$$ch_ref{removed_files}})) { + print "\n[-] Files possibly removed from the archive ". + "(consider removing them from your snort.conf if needed): [-]\n\n"; + foreach my $removed_file (sort({uc($a) cmp uc($b)} keys(%{$$ch_ref{removed_files}}))) { + print " -> $removed_file\n"; + } + } else { + print "\n[*] Files possibly removed from the archive: [*]\n None.\n" + unless ($config{super_quiet} || $config{summary_output}); + } + } + + print "\n"; +} + + + +# Helper for print_changes(). +sub print_changetype($ $ $ $) +{ + my $type = shift; # $PRINT_OLD|$PRINT_NEW|$PRINT_BOTH + my $string = shift; # string to print before filename + my $ch_ref = shift; # reference to an entry in the rules changes hash + my $rh_ref = shift; # reference to rules hash + + foreach my $file (sort({uc($a) cmp uc($b)} keys(%$ch_ref))) { + my $num = keys(%{$$ch_ref{$file}}); + print "\n -> $string $file ($num):\n"; + foreach my $sid (keys(%{$$ch_ref{$file}})) { + if ($type == $PRINT_OLD) { + print " $$rh_ref{old}{rules}{$file}{$sid}" + } elsif ($type == $PRINT_NEW) { + print " $$rh_ref{new}{rules}{$file}{$sid}" + } elsif ($type == $PRINT_BOTH) { + + my $old = $$rh_ref{old}{rules}{$file}{$sid}; + my $new = $$rh_ref{new}{rules}{$file}{$sid}; + + if ($config{minimize_diff}) { + my ($old, $new) = minimize_diff($old, $new); + print "\n old SID $sid: $old"; + print " new SID $sid: $new"; + } else { + print "\n old: $old"; + print " new: $new"; + } + } + } + } +} + + + +# Print changes in bmc style, i.e. only sid and msg, no full details. +sub print_summary_change($ $) +{ + my $ch_ref = shift; # reference to an entry in the rules changes hash + my $rh_ref = shift; # reference to rules hash + + my (@sids, %sidmap); + + print "\n"; + + # First get all the sids (may be spread across multiple files. + foreach my $file (keys(%$ch_ref)) { + foreach my $sid (keys(%{$$ch_ref{$file}})) { + push(@sids, $sid); + if (exists($$rh_ref{new}{rules}{$file}{$sid})) { + $sidmap{$sid}{rule} = $$rh_ref{new}{rules}{$file}{$sid}; + } else { + $sidmap{$sid}{rule} = $$rh_ref{old}{rules}{$file}{$sid}; + } + $sidmap{$sid}{file} = $file; + } + } + + # Print rules, sorted by sid. + foreach my $sid (sort {$a <=> $b} (@sids)) { + my @rule = $sidmap{$sid}{rule}; + my $file = $sidmap{$sid}{file}; + get_next_entry(\@rule, undef, undef, undef, \(my $msg), undef); + printf("%8d - %s (%s)\n", $sid, $msg, $file); + } + + print "\n"; +} + + + +# Compare the new rules to the old ones. +sub get_changes($ $ $) +{ + my $rh_ref = shift; + my $new_files_ref = shift; + my $rules_dir = shift; + my %changes; + + print STDERR "Comparing new files to the old ones... " + unless ($config{quiet}); + + # We have the list of added files (without full path) in $rh_ref{added_files} + # but we'd rather want to have it in $changes{added_files} now. + $changes{added_files} = $$rh_ref{added_files}; + + # New files are also regarded as modified since we want to update + # (i.e. add) those as well. Here we want them with full path. + foreach my $file (keys(%{$changes{added_files}})) { + $changes{modified_files}{"$tmpdir/$rules_dir/$file"}++; + } + + # Add list of possibly removed files if requested. + if ($config{check_removed}) { + opendir(OLDRULES, "$config{output_dir}") + or clean_exit("could not open directory $config{output_dir}: $!"); + + while ($_ = readdir(OLDRULES)) { + next if (/^\.\.?$/); + $changes{removed_files}{"$_"} = 1 + if (/$config{update_files}/ && + !exists($config{file_ignore_list}{$_}) && + !-e "$tmpdir/$rules_dir/$_"); + } + + closedir(OLDRULES); + } + + # For each new rules file... + FILELOOP:foreach my $file_w_path (sort(keys(%$new_files_ref))) { + my $file = basename($file_w_path); + + # Skip comparison if it's an added file. + next FILELOOP if (exists($$rh_ref{added_files}{$file})); + + # For each sid in the new file... + foreach my $sid (keys(%{$$rh_ref{new}{rules}{$file}})) { + my $new_rule = $$rh_ref{new}{rules}{$file}{$sid}; + + # Sid also exists in the old file? + if (exists($$rh_ref{old}{rules}{$file}{$sid})) { + my $old_rule = $$rh_ref{old}{rules}{$file}{$sid}; + + # Are they identical? + unless ($new_rule eq $old_rule) { + $changes{modified_files}{$file_w_path}++; + + # Find out in which way the rules are different. + if ("#$old_rule" eq $new_rule) { + $changes{rules}{dis}{$file}{$sid}++; + } elsif ($old_rule eq "#$new_rule") { + $changes{rules}{ena}{$file}{$sid}++; + } elsif ($old_rule =~ /^\s*#/ && $new_rule !~ /^\s*#/) { + $changes{rules}{ena_mod}{$file}{$sid}++; + } elsif ($old_rule !~ /^\s*#/ && $new_rule =~ /^\s*#/) { + $changes{rules}{dis_mod}{$file}{$sid}++; + } elsif ($old_rule =~ /^\s*#/ && $new_rule =~ /^\s*#/) { + $changes{rules}{mod_ina}{$file}{$sid}++; + } else { + $changes{rules}{mod_act}{$file}{$sid}++; + } + + } + } else { # sid not found in old file, i.e. it's added + $changes{modified_files}{$file_w_path}++; + $changes{rules}{added}{$file}{$sid}++; + } + } # foreach sid + + # Check for removed rules, i.e. sids that exist in the old file but + # not in the new one. + foreach my $sid (keys(%{$$rh_ref{old}{rules}{$file}})) { + unless (exists($$rh_ref{new}{rules}{$file}{$sid})) { + $changes{modified_files}{$file_w_path}++; + $changes{rules}{removed}{$file}{$sid}++; + } + } + + # Check for added non-rule lines. + get_first_only(\my @added, + \@{$$rh_ref{new}{other}{$file}}, + \@{$$rh_ref{old}{other}{$file}}); + + if (scalar(@added)) { + @{$changes{other}{added}{$file}} = @added; + $changes{modified_files}{$file_w_path}++; + } + + # Check for removed non-rule lines. + get_first_only(\my @removed, + \@{$$rh_ref{old}{other}{$file}}, + \@{$$rh_ref{new}{other}{$file}}); + + if (scalar(@removed)) { + @{$changes{other}{removed}{$file}} = @removed; + $changes{modified_files}{$file_w_path}++; + } + + } # foreach new file + + print STDERR "done.\n" unless ($config{quiet}); + + return (%changes); +} + + + +# Simply copy the modified rules files to the output directory. +sub update_rules($ @) +{ + my $dst_dir = shift; + my @modified_files = @_; + + print STDERR "Updating local rules files... " + if (!$config{quiet} || $config{interactive}); + + foreach my $file_w_path (@modified_files) { + copy("$file_w_path", "$dst_dir") + or clean_exit("could not copy $file_w_path to $dst_dir: $!"); + } + + print STDERR "done.\n" + if (!$config{quiet} || $config{interactive}); +} + + +# Simply copy rules files from one dir to another. +# Links are not allowed. +sub copy_rules($ $) +{ + my $src_dir = shift; + my $dst_dir = shift; + + print STDERR "Copying rules from $src_dir... " + if (!$config{quiet} || $config{interactive}); + + opendir(SRC_DIR, $src_dir) + or clean_exit("could not open directory $src_dir: $!"); + + my $num_files = 0; + while ($_ = readdir(SRC_DIR)) { + next if (/^\.\.?$/ || exists($config{file_ignore_list}{$_}) + || !/$config{update_files}/); + + my $src_file = untaint_path("$src_dir/$_"); + + # Make sure it's a regular file. + unless (-f "$src_file" && !-l "$src_file") { + closedir(SRC_DIR); + clean_exit("\"$src_file\" is not a regular file.") + } + + unless (copy($src_file, $dst_dir)) { + closedir(SRC_DIR); + clean_exit("could not copy \"$src_file\" to \"$dst_dir\"/: $!"); + } + $num_files++; + } + + closedir(SRC_DIR); + + print STDERR "$num_files files copied.\n" + if (!$config{quiet} || $config{interactive}); +} + + + +# Return true if file is in PATH and is executable. +sub is_in_path($) +{ + my $file = shift; + + foreach my $dir (File::Spec->path()) { + if ((-f "$dir/$file" && -x "$dir/$file") + || (-f "$dir/$file.exe" && -x "$dir/$file.exe")) { + print STDERR "Found $file binary in $dir\n" + if ($config{verbose}); + return (1); + } + } + + return (0); +} + + + +# get_next_entry() will parse the array referenced in the first arg +# and return the next entry. The array should contain a rules file, +# and the returned entry will be removed from the array. +# An entry is one of: +# - single-line rule (put in 2nd ref) +# - multi-line rule (put in 3rd ref) +# - non-rule line (put in 4th ref) +# If the entry is a multi-line rule, its single-line version is also +# returned (put in the 2nd ref). +# If it's a rule, the msg string will be put in 4th ref and sid in 5th. +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + chomp($line); + $line .= "\n"; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^\s*#/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^\s*#/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^\s*#/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*#*\s*//; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^#+\s*/#/; + + return (1); # return multi + + # Invalid multi-line rule. + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^\s*#/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Check if it's a regular single-line rule. + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^#+\s*/#/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + + # Non-rule line. + } else { + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# Look for variables that exist in dist var files but not in local var file. +sub get_new_vars($ $ $ $) +{ + my $ch_ref = shift; + my $dist_var_files_ref = shift; + my $local_var_file = shift; + my $url_tmpdirs_ref = shift; + + my %new_vars; + my (%old_vars, %dist_var_files, %found_dist_var_files); + my $confs_found = 0; + + + # Warn in case we can't find a specified dist file. + foreach my $dir (@$url_tmpdirs_ref) { + foreach my $dist_var_file (@$dist_var_files_ref) { + if (-e "$dir/$dist_var_file") { + $found_dist_var_files{$dist_var_file} = 1; + $confs_found++; + } + } + } + + foreach my $dist_var_file (@$dist_var_files_ref) { + unless (exists($found_dist_var_files{$dist_var_file})) { + warn("WARNING: did not find variable file \"$dist_var_file\" in ". + "downloaded archive(s)\n") + unless($config{quiet}); + } + } + + unless ($confs_found) { + unless ($config{quiet}) { + warn("WARNING: no variable files found in downloaded archive(s), ". + "aborting check for new variables\n"); + return; + } + } + + # Read in variable names from old (target) var file. + open(LOCAL_VAR_FILE, "<", "$local_var_file") + or clean_exit("could not open $local_var_file for reading: $!"); + + my @local_var_conf = <LOCAL_VAR_FILE>; + + foreach $_ (join_multilines(\@local_var_conf)) { + $old_vars{lc($1)}++ if (/$VAR_REGEXP/i); + } + + close(LOCAL_VAR_FILE); + + # Read in variables from new file(s). + foreach my $dir (@$url_tmpdirs_ref) { + foreach my $dist_var_file (@$dist_var_files_ref) { + my $conf = "$dir/$dist_var_file"; + if (-e "$conf") { + my $num_new = 0; + print STDERR "Checking downloaded $dist_var_file for new variables... " + unless ($config{quiet}); + + open(DIST_CONF, "<", "$conf") + or clean_exit("could not open $conf for reading: $!"); + my @dist_var_conf = <DIST_CONF>; + close(DIST_CONF); + + foreach $_ (join_multilines(\@dist_var_conf)) { + if (/$VAR_REGEXP/i && !exists($old_vars{lc($1)})) { + my ($varname, $varval) = (lc($1), $2); + if (exists($new_vars{$varname})) { + warn("\nWARNING: new variable \"$varname\" is defined multiple ". + "times in downloaded files\n"); + } + s/^\s*//; + push(@{$$ch_ref{new_vars}}, "$_\n"); + $new_vars{$varname} = $varval; + $num_new++; + } + } + + close(DIST_CONF); + print STDERR "$num_new new found.\n" + unless ($config{quiet}); + } + } + } +} + + + +# Add new variables to local snort.conf. +sub add_new_vars($ $) +{ + my $ch_ref = shift; + my $varfile = shift; + my $tmp_varfile = "$tmpdir/tmp_varfile.conf"; + my $new_content; + + return unless ($#{$changes{new_vars}} > -1); + + print STDERR "Adding new variables to $varfile... " + unless ($config{quiet}); + + open(OLD_LOCAL_CONF, "<", "$varfile") + or clean_exit("could not open $varfile for reading: $!"); + my @old_content = <OLD_LOCAL_CONF>; + close(OLD_LOCAL_CONF); + + open(NEW_LOCAL_CONF, ">", "$tmp_varfile") + or clean_exit("could not open $tmp_varfile for writing: $!"); + + my @old_vars = grep(/$VAR_REGEXP/i, @old_content); + + + # If any vars exist in old file, put new vars right after them. + if ($#old_vars > -1) { + while ($_ = shift(@old_content)) { + print NEW_LOCAL_CONF $_; + last if ($_ eq $old_vars[$#old_vars]); + } + } + + print NEW_LOCAL_CONF @{$changes{new_vars}}; + print NEW_LOCAL_CONF @old_content; + + close(NEW_LOCAL_CONF); + + clean_exit("could not copy $tmp_varfile to $varfile: $!") + unless (copy("$tmp_varfile", "$varfile")); + + print STDERR "done.\n" + unless ($config{quiet}); +} + + + +# Convert msdos style path to cygwin style, e.g. +# c:\foo => /cygdrive/c/foo +sub msdos_to_cygwin_path($) +{ + my $path_ref = shift; + + if ($$path_ref =~ /^([a-zA-Z]):[\/\\](.*)/) { + my ($drive, $dir) = ($1, $2); + $dir =~ s/\\/\//g; + $$path_ref = "/cygdrive/$drive/$dir"; + return (1); + } + + return (0); +} + + + +# Parse and process a modifysid expression. +# Return 1 if valid, or otherwise 0. +sub parse_mod_expr($ $ $ $) +{ + my $mod_list_ref = shift; # where to store valid entries + my $sid_arg_list = shift; # comma-separated list of SIDs/files or wildcard + my $subst = shift; # regexp to look for + my $repl = shift; # regexp to replace it with + + my @tmp_mod_list; + + $sid_arg_list =~ s/\s+$//; + + foreach my $sid_arg (split(/\s*,\s*/, $sid_arg_list)) { + my $type = ""; + + $type = "sid" if ($sid_arg =~ /^\d+$/); + $type = "file" if ($sid_arg =~ /^\S+.*\.\S+$/); + $type = "wildcard" if ($sid_arg eq "*"); + + return (0) unless ($type); + + # Sanity check to make sure user escaped at least all the "$" in $subst. + if ($subst =~ /[^\\]\$./ || $subst =~ /^\$/) { + warn("WARNING: unescaped \$ in expression \"$subst\", all special ". + "characters must be escaped\n"); + return (0); + } + + # Only allow backreference variables. The check should at least catch some user typos. + if (($repl =~ /[^\\]\$(\D.)/ && $1 !~ /{\d/) || $repl =~ /[^\\]\$$/ + || ($repl =~ /^\$(\D.)/ && $1 !~ /{\d/)) { + warn("WARNING: illegal replacement expression \"$repl\": unescaped \$ ". + "that isn't a backreference\n"); + return (0); + } + + # Don't permit unescaped @. + if ($repl =~ /[^\\]\@/ || $repl =~ /^\@/) { + warn("WARNING: illegal replacement expression \"$repl\": unescaped \@\n"); + return (0); + } + + # Make sure the regexp is valid. + my $repl_qq = "qq/$repl/"; + my $dummy = "foo"; + + eval { + $dummy =~ s/$subst/$repl_qq/ee; + }; + + # We should probably check for warnings as well as errors... + if ($@) { + warn("Invalid regexp: $@"); + return (0); + } + + push(@tmp_mod_list, [$subst, $repl_qq, $type, $sid_arg]); + } + + # If we come this far, all sids and the regexp were parsed successfully, so + # append them to real mod list array. + foreach my $mod_entry (@tmp_mod_list) { + push(@$mod_list_ref, $mod_entry); + } + + return (1); +} + + + +# Untaint a path. Die if it contains illegal chars. +sub untaint_path($) +{ + my $path = shift; + my $orig_path = $path; + + return $path unless ($config{use_path_checks}); + + (($path) = $path =~ /^([$OK_PATH_CHARS]+)$/) + or clean_exit("illegal character in path/filename ". + "\"$orig_path\", allowed are $OK_PATH_CHARS\n". + "Fix this or set use_path_checks=0 in oinkmaster.conf ". + "to disable this check completely if it is too strict.\n"); + + return ($path); +} + + + +# Ask user to approve changes. Return 1 for yes, 0 for no. +sub approve_changes() +{ + my $answer = ""; + + while ($answer !~ /^[yn]/i) { + print "Do you approve these changes? [Yn] "; + $answer = <STDIN>; + $answer = "y" unless ($answer =~ /\S/); + } + + return ($answer =~ /^y/i); +} + + + +# Remove common leading and trailing stuff from two rules. +sub minimize_diff($ $) +{ + my $old_rule = shift; + my $new_rule = shift; + + my $original_old = $old_rule; + my $original_new = $new_rule; + + # Additional chars to print next to the diffing part. + my $additional_chars = 20; + + # Remove the rev keyword from the rules, as it often + # makes the whole diff minimizing useless. + $old_rule =~ s/\s*\b(rev\s*:\s*\d+\s*;)\s*//; + my $old_rev = $1; + + $new_rule =~ s/\s*\b(rev\s*:\s*\d+\s*;)\s*//; + my $new_rev = $1; + + # If rev was the only thing that changed, we want to restore the rev + # before continuing so we don't remove common stuff from rules that + # are identical. + if ($old_rule eq $new_rule) { + $old_rule = $original_old; + $new_rule = $original_new; + } + + # Temporarily remove possible leading # so it works nicely + # with modified rules that are also being either enabled or disabled. + my $old_is_disabled = 0; + my $new_is_disabled = 0; + + $old_is_disabled = 1 if ($old_rule =~ s/^#//); + $new_is_disabled = 1 if ($new_rule =~ s/^#//); + + # Go forward char by char until they aren't equeal. + # $i will bet set to the index where they diff. + my @old = split(//, $old_rule); + my @new = split(//, $new_rule); + + my $i = 0; + while ($i <= $#old && $i <= $#new && $old[$i] eq $new[$i]) { + $i++; + } + + # Now same thing but backwards. + # $j will bet set to the index where they diff. + @old = reverse(split(//, $old_rule)); + @new = reverse(split(//, $new_rule)); + + my $j = 0; + while ($j <= $#old && $j <= $#new && $old[$j] eq $new[$j]) { + $j++; + } + + # Print some additional chars on either side, if there is room for it. + $i -= $additional_chars; + $i = 0 if ($i < 0); + + $j = -$j + $additional_chars; + $j = 0 if ($j > -1); + + my ($old, $new); + + # Print entire rules (i.e. they can not be shortened). + if (!$i && !$j) { + $old = $old_rule; + $new = $new_rule; + + # Leading and trailing stuff can be removed. + } elsif ($i && $j) { + $old = "..." . substr($old_rule, $i, $j) . "..."; + $new = "..." . substr($new_rule, $i, $j) . "..."; + + # Trailing stuff can be removed. + } elsif (!$i && $j) { + $old = substr($old_rule, $i, $j) . "..."; + $new = substr($new_rule, $i, $j) . "..."; + + # Leading stuff can be removed. + } elsif ($i && !$j) { + $old = "..." . substr($old_rule, $i); + $new = "..." . substr($new_rule, $i); + } + + chomp($old, $new); + $old .= "\n"; + $new .= "\n"; + + # Restore possible leading # now. + $old = "#$old" if ($old_is_disabled); + $new = "#$new" if ($new_is_disabled); + + return ($old, $new); +} + + + +# Check a string and return 1 if it's a valid single-line snort rule. +# Msg string is put in second arg, sid in third (those are the only +# required keywords, besides the leading rule actions). +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$msg_ref); + undef($$sid_ref); + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; + } else { + return (0); + } + + return (1); + } + + return (0); +} + + + +# Merge multiline directives in an array by simply removing traling backslashes. +sub join_multilines($) +{ + my $multiline_conf_ref = shift; + my $joined_conf = ""; + + foreach $_ (@$multiline_conf_ref) { + s/\\\s*\n$//; + $joined_conf .= $_; + } + + return (split/\n/, $joined_conf); +} + + + +# Catch SIGINT. +sub catch_sigint() +{ + $SIG{INT} = 'IGNORE'; + print STDERR "\nInterrupted, cleaning up.\n"; + sleep(1); + clean_exit("interrupted by signal"); +} + + + +# Remove temporary directory and exit. +# If a non-empty string is given as argument, it will be regarded +# as an error message and we will use die() with the message instead +# of just exit(0). +sub clean_exit($) +{ + my $err_msg = shift; + + $SIG{INT} = 'DEFAULT'; + + if (defined($tmpdir) && -d "$tmpdir") { + chdir(File::Spec->rootdir()); + rmtree("$tmpdir", 0, 1); + undef($tmpdir); + } + + if (!defined($err_msg) || $err_msg eq "") { + exit(0); + } else { + chomp($err_msg); + die("\n$0: Error: $err_msg\n\nOink, oink. Exiting...\n"); + } +} + + + +#### EOF #### diff --git a/config/snort-dev2/bin/oinkmaster_contrib/snort_rename.pl b/config/snort-dev2/bin/oinkmaster_contrib/snort_rename.pl new file mode 100644 index 00000000..e5f0d39e --- /dev/null +++ b/config/snort-dev2/bin/oinkmaster_contrib/snort_rename.pl @@ -0,0 +1,100 @@ +#!/usr/bin/perl -w + +#usage: rename perl_expression [files] +my $usage = qq{rename [-v] s/pat/repl/ [filenames...]\t (c)2001 hellweg\@snark.de +rename files read from the commandline or stdin + +License to use, modify and redistribute granted to each and every lifeform on +this planet (as long as credit to hellweg\@snark.de remains). No guarantee that +'rename' does or does not perform the way you want... + +} ; +$verbose = 0 ; +$quiet = 0 ; + +$op=shift || 0 ; +if($op eq "-v") { + $verbose++ ; $quiet = 0 ; + $op=shift || 0 ; +} +if($op eq "-q") { + $quiet++ ; $verbose = 0 ; + $op=shift || 0 ; +} +if($op =~ /^-h/) { + print $usage; exit(0) ; +} + +if(! $op) { + print $usage; exit(-1) ; +} + +if (!@ARGV) { + @ARGV = <STDIN>; +} + +$count=0 ; +my($m, $d, $y, $T) ; +for (@ARGV) { + chomp ; + if(-e $_) { + $was = $_; + if($op =~ /\$[Tdym]/) { + my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst)=localtime((stat($_))[9]); + $m = sprintf("%0.2i", $mon+1); + $d = sprintf("%0.2i", $mday); + $y = $year + 1900 ; + $T = "$y$m$d" ; + } + eval $op; + die $@ if $@; + if(-f $_) { print("! exists already: $was -> $_ \n") unless $quiet ; } + else { + if(rename($was, $_)) { + print("$was -> $_\n") if $verbose ; + $count++; + } else { + if(/\//) { + # maybe we need to create dirs? + my $createRes = createDirs($_) ; + if($createRes) { + print("! fauled to create $createRes for $_\n") + unless $quiet ; + } + else { # try again + if(rename($was, $_)) { + print("$was -> $_\n") if $verbose ; + $count++; + } else { + print("! failed to rename $was -> $_ \n") + unless $quiet ; + } + } + } + else { + print("! failed to rename $was -> $_ \n") unless $quiet ; + } + } + } + } + else { print("! not found: $_ \n") ; } +} +print("renamed $count files\n") if $verbose ; + + +sub createDirs { # return the dir we failed to create or 0 + my $file = shift ; + my @dirs = split /\//, $file ; + pop @dirs ; # don't try to mkdir the file itself + my $current = "" ; + $current = "/" if ($file =~ /^\//) ; + foreach (@dirs) { + $current .= $_ ; + if(! -d $current) { + mkdir $current, 0700 || return $current ; + print "mkdir $current\n" if ($verbose) ; + } + $current .= "/" ; + } + return 0 ; # success +} diff --git a/config/snort-dev2/css/sexybuttons.css b/config/snort-dev2/css/sexybuttons.css new file mode 100644 index 00000000..c3834b44 --- /dev/null +++ b/config/snort-dev2/css/sexybuttons.css @@ -0,0 +1,342 @@ +/* + * Sexy Buttons + * + * DESCRIPTION: + * Sexy, skinnable HTML/CSS buttons with icons. + * + * PROJECT URL: + * http://code.google.com/p/sexybuttons/ + * + * AUTHOR: + * Richard Davies + * http://www.richarddavies.us + * Richard@richarddavies.us + * + * VERSION: + * 1.1 + * + * LICENSE: + * Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0) + * Creative Commons 3.0 Attribution (http://creativecommons.org/licenses/by/3.0/) + * + * CREDITS: + * Inspired by, derived from, and thanks to: + * http://www.p51labs.com/simply-buttons-v2/ + * http://www.oscaralexander.com/tutorials/how-to-make-sexy-buttons-with-css.html + * http://www.zurb.com/article/266/super-awesome-buttons-with-css3-and-rgba + * http://www.elctech.com/snippets/make-your-buttons-look-super-awesome + * + * USAGE: + * Simply add class="sexybutton [skin]" to a <button> or <a> element and wrap the label text with double <span>s. + * You can optionally add a "silk" icon to the button text by using a third <span> with class to identify the icon. + * + * EXAMPLE: + * <button id="btn1" class="sexybutton" name="btn1" type="submit" value="Submit"> + * <span><span><span class="ok">Submit</span></span></span> + * </button> + */ + + +/* + * Generic styles for all Sexy Buttons + */ + +.sexybutton { + display: inline-block; + margin: 0; + padding: 0; + font: bold 13px "Helvetica Neue", Helvetica, Arial !important; + text-decoration: none !important; + text-shadow: 1px 1px 2px rgba(0,0,0,0.20); + background: none; + border: none; + white-space: nowrap; + cursor: pointer; + user-select: none; + -moz-user-select: none; + + /* Fix extra width padding in IE */ + _width: 0; + overflow: visible; +} + +.sexybutton span { + display: block; /* Prevents :active from working in IE--oh well! */ + height: 24px; + padding-right: 12px; + background-repeat: no-repeat; + background-position: right top; +} + +.sexybutton span span { + padding-right: 0; + padding-left: 12px; + line-height: 24px; + background-position: left top; +} + +.sexybutton span span span { + padding-left: 21px; + background-image: none; + background-repeat: no-repeat; + background-position: left center; + /* IE6 still requires a PNG transparency fix */ + /* _background-image: none; Or just hide icons from the undeserving IE6 */ + /* _padding-left: 0; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton span span span.after { + padding-left: 0px; + padding-right: 21px; + background-position: right center; + /* IE6 still requires a PNG transparency fix */ + /* _padding-right: 0; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton[disabled], +.sexybutton[disabled]:hover, +.sexybutton[disabled]:focus, +.sexybutton[disabled]:active, +.sexybutton.disabled, +.sexybutton.disabled:hover, +.sexybutton.disabled:focus, +.sexybutton.disabled:active { + color: #333 !important; + cursor: inherit; + text-shadow: none; + opacity: 0.33; +} + +.sexybutton:hover span, +.sexybutton:focus span { + background-position: 100% -24px; +} + +.sexybutton:hover span span, +.sexybutton:focus span span { + background-position: 0% -24px; +} + +.sexybutton:active span { + background-position: 100% -48px; +} + +.sexybutton:active span span { + background-position: 0% -48px; +} + +.sexybutton[disabled] span, +.sexybutton.disabled span { + background-position: 100% -72px; +} + +.sexybutton[disabled] span span, +.sexybutton.disabled span span { + background-position: 0% -72px; +} + +.sexybutton:hover span span span, +.sexybutton:focus span span span, +.sexybutton:active span span span, +.sexybutton[disabled] span span span, +.sexybutton.disabled span span span { + background-position: left center; +} + +.sexybutton:hover span span span.after, +.sexybutton:focus span span span.after, +.sexybutton:active span span span.after, +.sexybutton[disabled] span span span.after, +.sexybutton.disabled span span span.after { + background-position: right center; +} + +.sexybutton img { + margin-right: 5px; + vertical-align: text-top; + /* IE6 Hack */ + _margin-top: 4px; + _vertical-align: text-bottom; + /* IE6 still requires a PNG transparency fix */ + /* _display: none; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton img.after { + margin-right: 0; + margin-left: 5px; + /* IE6 still requires a PNG transparency fix */ + /* _margin-left: 0; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton.sexysmalls { font-size:.8em !important; } +.sexybutton.sexymedium { font-size: 15px !important; } +.sexybutton.sexylarge { font-size: 18px !important; } + + +/* + * Button Skins + * + * .PNG background images with alpha transparency are also supplied if you'd rather use them instead of the + * default .GIF images. (Just beware of IE6's lack of support.) + * + * Additional skins can be added below. The images/skins/ButtonTemplate.psd can be used to create new skins. + * Prefix the skin name with "sexy" to avoid any potential conflicts with other class names. + */ + +/* + * Simple Skin Buttons + */ + +.sexybutton.sexysimple { + position: relative; + padding: 5px 10px 5px; + font: inherit; + font-size: .85em !important; + font-style: normal !important; + font-weight: bold !important; + color: #fff !important; + line-height: 1; + background-image: url(/snort/images//awesome-overlay-sprite.png); + background-repeat: repeat-x; + background-position: 0 0; + + /* Special effects */ + text-shadow: 0 -1px 1px rgba(0,0,0,0.25), -2px 0 1px rgba(0,0,0,0.25); + border-radius: 5px; + -moz-border-radius: 5px; + -webkit-border-radius: 5px; + -moz-box-shadow: 0 1px 2px rgba(0,0,0,0.5); + -webkit-box-shadow: 0 1px 2px rgba(0,0,0,0.5); + + /* IE only stuff */ + border-bottom: 1px solid transparent\9; + _background-image: none; + + /* Cross browser inline block hack - http://blog.mozilla.com/webdev/2009/02/20/cross-browser-inline-block/ */ + display: -moz-inline-stack; + display: inline-block; + vertical-align: middle; + *display: inline !important; + position: relative; + + /* Force hasLayout in IE */ + zoom: 1; + + /* Disable text selection (Firefox only)*/ + -moz-user-select: none; +} + +.sexybutton.sexysimple::selection { + background: transparent; +} + +.sexybutton.sexysimple:hover, +.sexybutton.sexysimple:focus { + background-position: 0 -50px; + color: #fff !important; +} + +.sexybutton.sexysimple:active { + background-position: 0 -100px; + -moz-box-shadow: inset 0 1px 2px rgba(0,0,0,0.7); + /* Unfortunately, Safari doesn't support inset yet */ + -webkit-box-shadow: none; + + /* IE only stuff */ + border-bottom: 0\9; + border-top: 1px solid #666\9; +} + +.sexybutton.sexysimple[disabled], +.sexybutton.sexysimple.disabled { + background-position: 0 -150px; + color: #333 !important; + text-shadow: none; +} + +.sexybutton.sexysimple[disabled]:hover, +.sexybutton.sexysimple[disabled]:focus, +.sexybutton.sexysimple[disabled]:active, +.sexybutton.sexysimple.disabled:hover, +.sexybutton.sexysimple.disabled:focus, +.sexybutton.sexysimple.disabled:active { + -moz-box-shadow: 0 1px 2px rgba(0,0,0,0.5); + -webkit-box-shadow: 0 1px 2px rgba(0,0,0,0.5); +} + +.sexybutton.sexysimple span { + height: auto; + padding-left: 24px; + padding-right: 0; + background-position: left center; + background-repeat: no-repeat; + /* IE6 still requires a PNG transparency fix */ + /* _padding-left: 0; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton.sexysimple span.after { + padding-left: 0; + padding-right: 24px; + background-position: right center; + /* IE6 still requires a PNG transparency fix */ + /* _padding-right: 0; Or just hide icons from the undeserving IE6 */ +} + +/* Simple button colors */ +.sexybutton.sexysimple { background-color: #333; } /* Default */ +.sexybutton.sexysimple.sexyblack { background-color: #333; } +.sexybutton.sexysimple.sexyred { background-color: #a90118; } +.sexybutton.sexysimple.sexyorange { background-color: #ff8a00; } +.sexybutton.sexysimple.sexyyellow { background-color: #ffb515; } +.sexybutton.sexysimple.sexygreen { background-color: #59a901; } +.sexybutton.sexysimple.sexyblue { background-color: #015ea9; } +.sexybutton.sexysimple.sexyteal { background-color: #2daebf; } +.sexybutton.sexysimple.sexymagenta { background-color: #a9014b; } +.sexybutton.sexysimple.sexypurple { background-color: #9d01a9; } + +/* Simple button sizes */ +.sexybutton.sexysimple.sexysmall { padding: 4px 7px 5px; font-size: 10px !important; } +.sexybutton.sexysimple.sexysmall:active { padding: 5px 7px 4px; } +.sexybutton.sexysimple { /* default */ } +.sexybutton.sexysimple:active { padding: 6px 10px 4px; } +.sexybutton.sexysimple.sexymedium { /* default */ } +.sexybutton.sexysimple.sexymedium:active { padding: 6px 10px 4px; } +.sexybutton.sexysimple.sexylarge { padding: 8px 14px 8px; font-size: 14px !important; } +.sexybutton.sexysimple.sexylarge:active { padding: 9px 14px 7px; } +.sexybutton.sexysimple.sexyxl { padding: 8px 14px 8px; font-size: 16px !important; } +.sexybutton.sexysimple.sexyxl:active { padding: 9px 14px 7px; } +.sexybutton.sexysimple.sexyxxl { padding: 8px 14px 8px; font-size: 20px !important; } +.sexybutton.sexysimple.sexyxxl:active { padding: 9px 14px 7px; } +.sexybutton.sexysimple.sexyxxxl { padding: 8px 14px 8px; font-size: 26px !important; } +.sexybutton.sexysimple.sexyxxxl:active { padding: 9px 14px 7px; } + +.sexybutton.sexysimple.sexysmall[disabled]:active, +.sexybutton.sexysimple.sexysmall.disabled:active { padding: 4px 7px 5px; } +.sexybutton.sexysimple[disabled]:active, +.sexybutton.sexysimple.disabled:active { padding: 5px 10px 5px; } +.sexybutton.sexysimple.sexymedium[disabled]:active, +.sexybutton.sexysimple.sexymedium.disabled:active { padding: 6px 10px 4px; } +.sexybutton.sexysimple.sexylarge[disabled]:active, +.sexybutton.sexysimple.sexylarge.disabled:active { padding: 8px 14px 8px; } +.sexybutton.sexysimple.sexyxl[disabled]:active, +.sexybutton.sexysimple.sexyxl.disabled:active { padding: 8px 14px 8px; } +.sexybutton.sexysimple.sexyxxl[disabled]:active, +.sexybutton.sexysimple.sexyxxl.disabled:active { padding: 8px 14px 8px; } +.sexybutton.sexysimple.sexyxxxl[disabled]:active, +.sexybutton.sexysimple.sexyxxxl.disabled:active { padding: 8px 14px 8px; } + + +/* + * Icon Definitions + */ + +/* Silk Icons - http://www.famfamfam.com/lab/icons/silk/ */ +/* (Obviously not all Silk icons are defined here. Feel free to define any other icons that you may need.) */ + +.sexybutton span.ok { background-image: url(/snort/images//tick.png) !important; } +.sexybutton span.cancel { background-image: url(/snort/images//cross.png) !important; } +.sexybutton span.add { background-image: url(/snort/images//add.png) !important; } +.sexybutton span.delete { background-image: url(/snort/images//delete.png) !important; } +.sexybutton span.download { background-image: url(/snort/images//arrow_down.png) !important; } +.sexybutton span.pwhitetxt { background-image: url(/snort/images//page_white_text.png) !important; } + diff --git a/config/snort-dev2/css/style.css b/config/snort-dev2/css/style.css new file mode 100644 index 00000000..b484966c --- /dev/null +++ b/config/snort-dev2/css/style.css @@ -0,0 +1,206 @@ +.alert { + position:absolute; + top:10px; + left:0px; + width:94%; +background:#FCE9C0; +background-position: 15px; +border-top:2px solid #DBAC48; +border-bottom:2px solid #DBAC48; +padding: 15px 10px 85% 50px; +} + +.formpre { +font-family:arial; +font-size: 1.1em; +} + +#download_rules { +font-family: arial; +font-size: 13px; +font-weight: bold; +text-align: center +} + +#download_rules_td { +font-family: arial; +font-size: 13px; +font-weight: bold; +text-align: center +} + +/* hack fix the hard coded fbegin link */ +#header-left2 { +position: absolute; +background-position: center center; +height: 67px; +width: 147px; +top: -77px; +left: 8px; +float: left; +z-index:999; +} +#header-left2 #status-link2 { + position: relative; + top: 3px; + left: 2px; +} +/* end of fbegin hack */ + +.body2 { +font-family:arial; +font-size:12px; +} + + + + +/* Start of main css Pfsense */ +/* Start of main css Pfsense */ + +@charset "utf-8"; +.textstyle { + font-family: Arial, Helvetica, sans-serif; + font-size: 12px; + font-style: normal; + background-color: #666; + color: #CCC; +} +.textstyle p2 a { + font-family: Arial, Helvetica, sans-serif; + font-size: 12px; + font-style: normal; + color: #CCC; +} + +.textstyle p { + font-family: Arial, Helvetica, sans-serif; + font-size: 24px; + font-weight: bold; + color: #FFF; + text-decoration: underline; +} +.textstyle p2 { + font-family: Arial, Helvetica, sans-serif; + font-size: 12px; + color: #CCC; +} + +/* Start of main css for table sort */ +/* Start of main css for table sort */ + +table { + margin: 0; + padding: 0; + border: 0; + font-weight: inherit; + font-style: inherit; + font-size: 9; + font-family: Arial, Helvetica, sans-serif; + vertical-align: baseline; +} + +/* Tables still need 'cellspacing="0"' in the markup. */ +table { border-collapse: separate; border-spacing: 0; } +caption, th, td { text-align: left; font-weight:400; } + +/* Remove possible quote marks (") from <q>, <blockquote>. */ +blockquote:before, blockquote:after, q:before, q:after { content: ""; } +blockquote, q { quotes: "" ""; } + +#container { + width: auto; + margin: 0px; + padding-top: 10px; + padding-bottom: 10px; +} + + + +/************************************************************** + + Sortable Table + v 1.4 + +**************************************************************/ + + + +th { + background-color: #eee; + background: #eee url(/snort/images/icon-table-sort.png) no-repeat 2px 8px; + padding: 4px 4px 4px 14px; +} + +.allRow { + background-color: #eee; + padding: 4px; +} + +tr.altRow { + background-color: #fff; +} + +.leftAlign { + text-align: left; +} + +.centerAlign { + text-align: center; +} + +.rightAlign { + text-align: right; +} + +.sortedASC { + background: url(/snort/images/icon-table-sort-asc.png) no-repeat 2px 4px #eee; +} + +.sortedDESC { + background: url(/snort/images/icon-table-sort-desc.png) no-repeat 2px 10px #eee; +} + +.tableHeaderOver { + cursor: pointer; + color: #354158; +} + + +tr.selected { + background-color: 9999ff; + color: #000000; +} + +tr.over { + background-color: #993333; + color: #fff; + cursor: pointer; +} + +tr.hide { + display: none; +} +/***************************/ + +.mainTableFilter { + position: absolute; + top: 0; + left: -10px; + width: auto; +} + +.tableFilter { + border: 1px solid #ccc; + padding: 2px; + margin: 5px 0 10px 0; +} + +.tableFilter input { + border: 1px solid #ccc; +} + +.tableFilter select { + border: 1px solid #ccc; +} + diff --git a/config/snort-dev2/help_and_info.php b/config/snort-dev2/help_and_info.php new file mode 100644 index 00000000..af8eb4ae --- /dev/null +++ b/config/snort-dev2/help_and_info.php @@ -0,0 +1,247 @@ +<?php + +require_once("guiconfig.inc"); + +echo ' + +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" +"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> +<title>The Snort Package Help Page</title> +<style type="text/css"> +body { + background: #f0f0f0; + margin: 0; + padding: 0; + font: 10px normal Verdana, Arial, Helvetica, sans-serif; + color: #444; +} +h1 {font-size: 3em; margin: 20px 0;} +.container {width: 800px; margin: 10px auto;} +ul.tabs { + margin: 0; + padding: 0; + float: left; + list-style: none; + height: 25px; + border-bottom: 1px solid #999; + border-left: 1px solid #999; + width: 100%; +} +ul.tabs li { + float: left; + margin: 0; + padding: 0; + height: 24px; + line-height: 24px; + border: 1px solid #000000; + border-left: none; + margin-bottom: -1px; + background: #ffffff; + overflow: hidden; + position: relative; +} +ul.tabs li a { + text-decoration: none; + color: #000000; + display: block; + font-size: 1.2em; + padding: 0 20px; + border: 1px solid #fff; + outline: none; +} +ul.tabs li a:hover { + background: #eeeeee; +} + +html ul.tabs li.active, html ul.tabs li.active a:hover { + background: #fff; + border-bottom: 1px solid #fff; + color: #000000; +} +.tab_container { + border: 1px solid #999; + border-top: none; + clear: both; + float: left; + width: 100%; + background: #fff; + -moz-border-radius-bottomright: 5px; + -khtml-border-radius-bottomright: 5px; + -webkit-border-bottom-right-radius: 5px; + -moz-border-radius-bottomleft: 5px; + -khtml-border-radius-bottomleft: 5px; + -webkit-border-bottom-left-radius: 5px; +} +.tab_content { + padding: 20px; + font-size: 1.2em; +} +.tab_content h2 { + font-weight: normal; + padding-bottom: 10px; + border-bottom: 1px dashed #ddd; + font-size: 1.8em; +} +.tab_content h3 a{ + color: #254588; +} +.tab_content img { + float: left; + margin: 0 20px 20px 0; + border: 1px solid #ddd; + padding: 5px; +} +</style> + +<script type="text/javascript" src="./javascript/jquery-1.4.2.min.js"></script> + +<script type="text/javascript"> + +jQuery(document).ready(function() { + + //Default Action + jQuery(".tab_content").hide(); //Hide all content + jQuery("ul.tabs li:first").addClass("active").show(); //Activate first tab + jQuery(".tab_content:first").show(); //Show first tab content + + //On Click Event + jQuery("ul.tabs li").click(function() { + jQuery("ul.tabs li").removeClass("active"); //Remove any "active" class + jQuery(this).addClass("active"); //Add "active" class to selected tab + jQuery(".tab_content").hide(); //Hide all tab content + var activeTab = jQuery(this).find("a").attr("href"); //Find the rel attribute value to identify the active tab + content + jQuery(activeTab).fadeIn(); //Fade in the active content + return false; + }); + +}); + +</script> + +</head> + +<body> + +<div class="container"> + <ul class="tabs"> + <li><a href="#tab1">Home</a></li> + <li><a href="#tab2">Change Log</a></li> + <li><a href="#tab3">Getting Help</a></li> + <li><a href="#tab4">Heros</a></li> + </ul> + <div class="tab_container"> + <div id="tab1" class="tab_content"> + <h2><a href="#"> <img src="./images/logo.jpg" width="750px" height="76" ALT="Snort Package" /></a></h2> + + <p> + <font size="5"><strong>Snort Package</strong></font> is a GUI based front-end for Sourcefire\'s Snort ® IDS/IPS software. The Snort Package goal is to be + the best open-source GUI to manage multiple snort sensors and multiple rule snapshots. The project other goal is to be a highly competitive GUI for + network monitoring for both private and enterprise use. Lastly, this project software development should bring programmers and users together to create + software. + </p> + <p> + <font size="5"><strong>What is Snort ?</strong></font> Used by fortune 500 companies and goverments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and + can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port + scans, CGI attacks, SMB probes, and much more. + </p> + <p> + <font size="5"><strong>Requirements :</strong></font><br> + Minimum requirement 256 mb ram, 500 MHz CPU.<br> + Recommended 500 mb ram, 1 Ghz CPU.<br> + The more rules you run the more memory you need.<br> + The more interfaces you select the more memory you need.<br><br> + Development is done on a Alix 2D3 system (500 MHz AMD Geode LX800 CPU 256MB DDR DRAM). + </p> + + </div> + + <div id="tab2" class="tab_content"> + <h2><a href="#"> <img src="./images/logo.jpg" width="750px" height="76" ALT="Snort Package" /></a></h2> + + <p><font size="5"><strong>Change Log</strong></font><p> + + <p>Changes to this package can be viewed by following <a href="https://github.com/bsdperimeter/pfsense-packages" target="_blank"><font size="2" color="#990000"><strong>packages repository</strong></font></a></p> + </div> + + <div id="tab3" class="tab_content"> + <h2><a href="#"> <img src="./images/logo.jpg" width="750px" height="76" ALT="Snort Package" /></a></h2> + + <p><font size="5"><strong>Getting Help</strong></font></p> + +<p> +<font size="2"><strong>Obtaining Support</strong></font><br> + +We provide several means of obtaining support for pfSense. +</p> + +<p> +<font color="#990000" size="4"><strong>Free Options</strong></font><br> +Our free options include our <a href="http://forum.pfsense.org/" target="_blank"><font color="#990000"><strong>forum</strong></font></a>, <a href="http://www.pfsense.org/index.php?option=com_content&task=view&id=66&Itemid=71" target="_blank"><font color="#990000"><strong>mailing list</strong></font></a> , and <a href="http://www.pfsense.org/index.php?option=com_content&task=view&id=64&Itemid=72" target="_blank"><font color="#990000"><strong>IRC channel</strong></font></a>. Before using any of these resources, please review the Project Rules below. +</p> + +<p> +<font color="#990000" size="4"><strong>Commercial Support</strong></font><br> + +<a href="https://portal.pfsense.org/index.php/support-subscription" target="_blank"><font color="#990000"><strong>Commercial support</strong></font></a> is available from the company founded by the founders of the pfSense project, <a href="http://www.bsdperimeter.com/" target="_blank"><font color="#990000"><strong>BSD Perimeter</strong></font></a>. Phone and email support is available for <a href="https://portal.pfsense.org/index.php/support-subscription" target="_blank"><font color="#990000"><strong>support subscribers</strong></font></a> only. +</p> + +<p> +<font color="#990000" size="4"><strong>Project Rules</strong></font><br> +To keep things orderly, and be fair to everyone, we must enforce these rules. +</p> + +<p> +Please do not post support questions to the blog comments. The comments are for discussion of the post, and letting people ask questions there would make a mess of the purpose of those comments. Any support questions will not be moderator approved. +</p> + +<p> +Please do not cross post questions between the forum and mailing list, unless your inquiry has gone unanswered for at least 24 hours. Do not bump your mailing list or forum posts for at least 24 hours. If you have not received a reply after more than 24 hours, you are welcome to bump your thread. +</p> + +<p> +Please do not email individuals, the coreteam address, or private message people on the forum to ask questions. We provide a wide variety of means for obtaining help in a public forum, where it helps others who have the same questions in the future. We don\'t have enough time to answer all the questions our users post in the public forums, much less via email and private messages. Since we cannot possibly reply to everyone\'s email and private messages, to be fair we will not reply to anyone. Individual attention via phone and email support is available for commercial support customers. +</p> + </div> + + <div id="tab4" class="tab_content"> + <h2><a href="#"> <img src="./images/logo.jpg" width="750px" height="76" ALT="Snort Package" /></a></h2> + + <p><font size="5"><strong>Heros</strong></font></p> + + <p>Pfsense Snort Package users who have cared enough to donate to this project. I can\'t thank you enough for all your help. With-out your support I would have stoped long time ago.</p> + + <p>If your not on this list PM me and I will add you. If you would like to be removed pm me and I will remove you.</p> + + <p><font size="5"><strong>Names</strong></font></p> + + <p>sandro tavella</p> + <p>João Kemp Filho</p> + <p>Julio Fumoso</p> + <p>Rolland Hart</p> + <p>DiMarco Technology Solutions Inc.</p> + <p>Brett Burley</p> + <p>Tomasz Iskra</p> + <p>Bruno Buchschacher</p> + <p>Marco Pannetto</p> + <p>Christopher Weakland</p> + <p>Antonio Riveros</p> + <p>DigitalJer</p> + <p>Serialdie</p> + <p>Dlawley</p> + <p>Onhel</p> + <p>Jerrygoldsmith</p> + + + </div> + </div> +</div> + +</body> +</html> + +'; + +?> diff --git a/config/snort-dev2/images/alert.jpg b/config/snort-dev2/images/alert.jpg Binary files differnew file mode 100644 index 00000000..96c24e35 --- /dev/null +++ b/config/snort-dev2/images/alert.jpg diff --git a/config/snort-dev2/images/arrow_down.png b/config/snort-dev2/images/arrow_down.png Binary files differnew file mode 100644 index 00000000..2c4e2793 --- /dev/null +++ b/config/snort-dev2/images/arrow_down.png diff --git a/config/snort-dev2/images/awesome-overlay-sprite.png b/config/snort-dev2/images/awesome-overlay-sprite.png Binary files differnew file mode 100644 index 00000000..c3af7dd9 --- /dev/null +++ b/config/snort-dev2/images/awesome-overlay-sprite.png diff --git a/config/snort-dev2/images/down.gif b/config/snort-dev2/images/down.gif Binary files differnew file mode 100644 index 00000000..2b3c99fc --- /dev/null +++ b/config/snort-dev2/images/down.gif diff --git a/config/snort-dev2/images/down2.gif b/config/snort-dev2/images/down2.gif Binary files differnew file mode 100644 index 00000000..71bf92eb --- /dev/null +++ b/config/snort-dev2/images/down2.gif diff --git a/config/snort-dev2/images/footer.jpg b/config/snort-dev2/images/footer.jpg Binary files differnew file mode 100644 index 00000000..4af05707 --- /dev/null +++ b/config/snort-dev2/images/footer.jpg diff --git a/config/snort-dev2/images/footer2.jpg b/config/snort-dev2/images/footer2.jpg Binary files differnew file mode 100644 index 00000000..3332e085 --- /dev/null +++ b/config/snort-dev2/images/footer2.jpg diff --git a/config/snort-dev2/images/icon-table-sort-asc.png b/config/snort-dev2/images/icon-table-sort-asc.png Binary files differnew file mode 100644 index 00000000..0c127919 --- /dev/null +++ b/config/snort-dev2/images/icon-table-sort-asc.png diff --git a/config/snort-dev2/images/icon-table-sort-desc.png b/config/snort-dev2/images/icon-table-sort-desc.png Binary files differnew file mode 100644 index 00000000..5c52f2d0 --- /dev/null +++ b/config/snort-dev2/images/icon-table-sort-desc.png diff --git a/config/snort-dev2/images/icon-table-sort.png b/config/snort-dev2/images/icon-table-sort.png Binary files differnew file mode 100644 index 00000000..3cae604b --- /dev/null +++ b/config/snort-dev2/images/icon-table-sort.png diff --git a/config/snort-dev2/images/icon_excli.png b/config/snort-dev2/images/icon_excli.png Binary files differnew file mode 100644 index 00000000..4b54fa31 --- /dev/null +++ b/config/snort-dev2/images/icon_excli.png diff --git a/config/snort-dev2/images/logo.jpg b/config/snort-dev2/images/logo.jpg Binary files differnew file mode 100644 index 00000000..fa01d818 --- /dev/null +++ b/config/snort-dev2/images/logo.jpg diff --git a/config/snort-dev2/images/logo22.png b/config/snort-dev2/images/logo22.png Binary files differnew file mode 100644 index 00000000..64ed9d75 --- /dev/null +++ b/config/snort-dev2/images/logo22.png diff --git a/config/snort-dev2/images/page_white_text.png b/config/snort-dev2/images/page_white_text.png Binary files differnew file mode 100644 index 00000000..813f712f --- /dev/null +++ b/config/snort-dev2/images/page_white_text.png diff --git a/config/snort-dev2/images/up.gif b/config/snort-dev2/images/up.gif Binary files differnew file mode 100644 index 00000000..89596771 --- /dev/null +++ b/config/snort-dev2/images/up.gif diff --git a/config/snort-dev2/images/up2.gif b/config/snort-dev2/images/up2.gif Binary files differnew file mode 100644 index 00000000..21c5a254 --- /dev/null +++ b/config/snort-dev2/images/up2.gif diff --git a/config/snort-dev2/snort.inc b/config/snort-dev2/snort.inc new file mode 100644 index 00000000..49439149 --- /dev/null +++ b/config/snort-dev2/snort.inc @@ -0,0 +1,2510 @@ +<?php
+/*
+ snort.inc
+ Copyright (C) 2006 Scott Ullrich
+ Copyright (C) 2009-2010 Robert Zelaya
+ Copyright (C) 2011 Ermal Luci
+ part of pfSense
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("pfsense-utils.inc");
+require_once("config.inc");
+require_once("functions.inc");
+
+// Needed on 2.0 because of filter_get_vpns_list()
+require_once("filter.inc");
+
+/* package version */
+$snort_package_version = 'Snort 2.9.2.3 pkg v. 2.2';
+$snort_rules_file = "snortrules-snapshot-2922.tar.gz";
+
+/* Allow additional execution time 0 = no limit. */
+ini_set('max_execution_time', '9999');
+ini_set('max_input_time', '9999');
+
+/* define oinkid */
+if ($config['installedpackages']['snortglobal'])
+ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode'];
+else
+ $config['installedpackages']['snortglobal'] = array();
+
+/* find out if were in 1.2.3-RELEASE */
+if (intval($config['version']) > 6)
+ $snort_pfsense_basever = 'no';
+else
+ $snort_pfsense_basever = 'yes';
+
+/* find out what arch where in x86 , x64 */
+global $snort_arch;
+$snort_arch = 'x86';
+$snort_arch_ck = php_uname("m");
+if ($snort_arch_ck == 'i386')
+ $snort_arch = 'x86';
+else if ($snort_arch_ck == "amd64")
+ $snort_arch = 'x64';
+else
+ $snort_arch = "Unknown";
+
+/* tell me my theme */
+$pfsense_theme_is = $config['theme'];
+
+/* func builds custom white lists */
+function find_whitelist_key($find_wlist_number) {
+ global $config, $g;
+
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']))
+ $config['installedpackages']['snortglobal']['whitelist'] = array();
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
+ return 0; /* XXX */
+
+ foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $w_key => $value) {
+ if ($value['name'] == $find_wlist_number)
+ return $w_key;
+ }
+}
+
+/* func builds custom suppress lists */
+function find_suppress_key($find_slist_number) {
+ global $config, $g;
+
+ if (!is_array($config['installedpackages']['snortglobal']['suppress']))
+ $config['installedpackages']['snortglobal']['suppress'] = array();
+ if (!is_array($config['installedpackages']['snortglobal']['suppress']['item']))
+ return 0; /* XXX */
+
+ foreach ($config['installedpackages']['snortglobal']['suppress']['item'] as $s_key => $value) {
+ if ($value['name'] == $find_slist_number)
+ return $s_key;
+ }
+}
+
+/* func builds custom whitelests */
+function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $userwips) {
+ global $config, $g, $snort_pfsense_basever;
+
+ /* build an interface array list */
+ if (function_exists('get_configured_interface_list'))
+ $int_array = get_configured_interface_list();
+ else {
+ $int_array = array('lan');
+ for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++)
+ if(isset($config['interfaces']['opt' . $j]['enable']))
+ if(isset($config['interfaces']['opt' . $j]['gateway']))
+ $int_array[] = "opt{$j}";
+ }
+
+ $home_net = "";
+
+ /* iterate through interface list and write out whitelist items
+ * and also compile a home_net list for snort.
+ */
+ foreach ($int_array as $int) {
+ /* calculate interface subnet information */
+ if (function_exists('get_interface_ip')) {
+ $subnet = get_interface_ip($int);
+ if (is_ipaddr($subnet)) {
+ $sn = get_interface_subnet($int);
+ $home_net .= "{$subnet}/{$sn} ";
+ }
+ } else {
+ $ifcfg = $config['interfaces'][$int];
+ switch ($ifcfg['ipaddr']) {
+ case "pppoe":
+ case "pptp":
+ case "l2tp":
+ if (function_exists('get_interface_ip'))
+ $subnet = get_interface_ip($int);
+ else
+ $subnet = find_interface_ip("ng0");
+
+ if (is_ipaddr($subnet))
+ $home_net .= "{$subnet} ";
+ break;
+ case "dhcp":
+ $subnet = find_interface_ip(snort_get_real_interface($int));
+ if (is_ipaddr($subnet))
+ $home_net .= "{$subnet} ";
+ break;
+ default:
+ if (is_ipaddr($ifcfg['ipaddr'])) {
+ $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']);
+ if ($ifcfg['subnet'])
+ $home_net .= "{$subnet}/{$ifcfg['subnet']} ";
+ }
+ break;
+ }
+ }
+ }
+
+ if ($snort_pfsense_basever == 'yes' && $wanip == 'yes') {
+ /* add all WAN ips to the whitelist */
+ $wan_if = get_real_wan_interface();
+ $ip = find_interface_ip($wan_if);
+ if (is_ipaddr($ip))
+ $home_net .= "{$ip} ";
+ }
+
+ if ($wangw == 'yes') {
+ /* Add Gateway on WAN interface to whitelist (For RRD graphs) */
+ $gw = get_interface_gateway('wan');
+ if($gw)
+ $home_net .= "{$gw} ";
+ }
+
+ if($wandns == 'yes') {
+ /* Add DNS server for WAN interface to whitelist */
+ $dns_servers = get_dns_servers();
+ foreach ($dns_servers as $dns) {
+ if($dns)
+ $home_net .= "{$dns} ";
+ }
+ }
+
+ if($vips == 'yes') {
+ /* iterate all vips and add to whitelist */
+ if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) {
+ foreach($config['virtualip']['vip'] as $vip)
+ if($vip['subnet'])
+ $home_net .= "{$vip['subnet']} ";
+ }
+ }
+
+ /* Add loopback to whitelist (ftphelper) */
+ $home_net .= "127.0.0.1 ";
+
+ /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */
+ if ($vpns == 'yes') {
+ if ($snort_pfsense_basever == 'yes') // chk what pfsense version were on
+ $vpns_list = get_vpns_list();
+ else if ($snort_pfsense_basever == 'no') // chk what pfsense version were on
+ $vpns_list = filter_get_vpns_list();
+
+ if (!empty($vpns_list))
+ $home_net .= "{$vpns_list} ";
+ }
+
+ /* never ever compair numbers to words */
+ if ($userwips > -1) {
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
+ $config['installedpackages']['snortglobal']['whitelist']['item'] = array();
+
+ $home_net .= $config['installedpackages']['snortglobal']['whitelist']['item'][$userwips]['address'];
+ }
+
+ $home_net = trim($home_net);
+
+ /* this foe whitelistfile, convert spaces to carriage returns */
+ if ($build_netlist == 'whitelist') {
+ $whitelist_home_net = str_replace(" ", "\n", $home_net);
+ $whitelist_home_net = str_replace(" ", "\n", $home_net);
+ return $whitelist_home_net;
+ }
+
+ /* this is for snort.conf */
+ $validator = explode(" ", $home_net);
+ $valresult = array();
+ foreach ($validator as $vald) {
+ if (empty($vald))
+ continue;
+ $valresult[] = $vald;
+ }
+ $home_net = implode(",", $valresult);
+ $home_net = "[{$home_net}]";
+
+ return $home_net;
+}
+
+
+/* checks to see if snort is running yes/no and stop/start */
+function Running_Ck($snort_uuid, $if_real, $id) {
+ global $config;
+
+ $snort_uph = 'no';
+ $snort_up_prell = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'");
+ if ($snort_up_prell != '')
+ $snort_uph = 'yes';
+
+ return $snort_uph;
+}
+
+/* checks to see if barnyard2 is running yes/no */
+function Running_Ck_b($snort_uuid, $if_real, $id) {
+ global $config;
+
+ $snort_up_b = 'no';
+ $snort_up_pre_b = exec("/bin/ps -ax | /usr/bin/grep barnyard2 | /usr/bin/grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'");
+ if ($snort_up_pre_b != '')
+ $snort_up_b = 'yes';
+
+ return $snort_up_b;
+}
+
+function Running_Stop($snort_uuid, $if_real, $id) {
+ global $config, $g;
+
+ /* if snort.sh crashed this will remove the pid */
+ @unlink("{$g['tmp_path']}/snort.sh.pid");
+
+ $start_up = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'");
+ $start_upb = exec("/bin/ps -ax | /usr/bin/grep \"snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'");
+
+
+ if ($start_up != '') {
+ exec("/bin/kill {$start_up}");
+ exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*");
+ exec("/bin/rm /var/log/snort/snort_{$if_real}{$snort_uuid}/snort_{$snort_uuid}_{$if_real}*");
+ @unlink("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert_{$snort_uuid}");
+ }
+
+ if ($start_upb != '') {
+ exec("/bin/kill {$start_upb}");
+ exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*");
+ exec("/bin/rm /var/log/snort/snort_{$if_real}{$snort_uuid}/snort.u2_{$snort_uuid}_{$if_real}*");
+ }
+
+ /* Log Iface stop */
+ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'");
+ sleep(2); // Give time so GUI displays correctly
+}
+
+function Running_Start($snort_uuid, $if_real, $id) {
+ global $config;
+
+ /* if snort.sh crashed this will remove the pid */
+ @unlink("{$g['tmp_path']}/snort.sh.pid");
+
+ $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
+ if ($snort_info_chk == 'on')
+ exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ else
+ return;
+
+ /* define snortbarnyardlog_chk */
+ /* top will have trouble if the uuid is to far back */
+ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'];
+ $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql'];
+ if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') {
+ exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$snort_uuid}_{$if_real}/ -D -q");
+ }
+
+ /* Log Iface stop */
+ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'");
+ sleep(2); // Give time so GUI displays correctly
+}
+
+function snort_get_friendly_interface($interface) {
+
+ if (function_exists('convert_friendly_interface_to_friendly_descr'))
+ $iface = convert_friendly_interface_to_friendly_descr($interface);
+ else {
+ if (!$interface || ($interface == "wan"))
+ $iface = "WAN";
+ else if(strtolower($interface) == "lan")
+ $iface = "LAN";
+ else if(strtolower($interface) == "pppoe")
+ $iface = "PPPoE";
+ else if(strtolower($interface) == "pptp")
+ $iface = "PPTP";
+ else
+ $iface = strtoupper($interface);
+ }
+
+ return $iface;
+}
+
+/* get the real iface name of wan */
+function snort_get_real_interface($interface) {
+ global $config;
+
+ $lc_interface = strtolower($interface);
+ if (function_exists('get_real_interface'))
+ return get_real_interface($lc_interface);
+ else {
+ if ($lc_interface == "lan") {
+ if ($config['inerfaces']['lan'])
+ return $config['interfaces']['lan']['if'];
+ return $interface;
+ }
+ if ($lc_interface == "wan")
+ return $config['interfaces']['wan']['if'];
+ $ifdescrs = array();
+ for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) {
+ $ifname = "opt{$j}";
+ if(strtolower($ifname) == $lc_interface)
+ return $config['interfaces'][$ifname]['if'];
+ if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface))
+ return $config['interfaces'][$ifname]['if'];
+ }
+ }
+
+ return $interface;
+}
+
+/*
+ this code block is for deleteing logs while keeping the newest file,
+ snort is linked to these files while running, do not take the easy way out
+ by touch and rm, snort will lose sync and not log.
+
+ this code needs to be watched.
+ */
+
+/* list dir files */
+function snort_file_list($snort_log_dir, $snort_log_file)
+{
+ $dir = opendir ("$snort_log_dir");
+ while (false !== ($file = readdir($dir))) {
+ if (strpos($file, "$snort_log_file",1) )
+ $file_list[] = basename($file);
+ }
+ return $file_list;
+}
+
+/* snort dir files */
+function snort_file_sort($snort_file1, $snort_file2)
+{
+ if ($snort_file1 == $snort_file2)
+ return 0;
+
+ return ($snort_file1 < $snort_file2); // ? -1 : 1; // this flips the array
+}
+
+/* build files newest first array */
+function snort_build_order($snort_list)
+{
+ foreach ($snort_list as $value_list)
+ $list_order[] = $value_list;
+
+ return $list_order;
+}
+
+/* keep the newest remove the rest */
+function snort_remove_files($snort_list_rm, $snort_file_safe)
+{
+ foreach ($snort_list_rm as $value_list) {
+ if ($value_list != $snort_file_safe)
+ @unlink("/var/log/snort/$value_list");
+ else
+ file_put_contents("/var/log/snort/$snort_file_safe", "");
+ }
+}
+
+/*
+ * TODO:
+ * This is called by snort_alerts.php.
+ *
+ * This func needs to be made to only clear one interface rule log
+ * at a time.
+ *
+ */
+function post_delete_logs()
+{
+ global $config, $g;
+
+ /* do not start config build if rules is empty */
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ $snort_log_dir = '/var/log/snort';
+
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $value) {
+ $result_lan = $value['interface'];
+ $if_real = snort_get_real_interface($result_lan);
+ $snort_uuid = $value['uuid'];
+
+ if ($if_real != '' && $snort_uuid != '') {
+ if ($value['snortunifiedlog'] == 'on') {
+ $snort_log_file_u2 = "{$snort_uuid}_{$if_real}.u2.";
+ $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2);
+ if (is_array($snort_list_u2)) {
+ usort($snort_list_u2, "snort_file_sort");
+ $snort_u2_rm_list = snort_build_order($snort_list_u2);
+ snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]);
+ }
+ } else
+ exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.u2*");
+
+ if ($value['tcpdumplog'] == 'on') {
+ $snort_log_file_tcpd = "{$snort_uuid}_{$if_real}.tcpdump.";
+ $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd);
+ if (is_array($snort_list_tcpd)) {
+ usort($snort_list_tcpd, "snort_file_sort");
+ $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd);
+ snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]);
+ }
+ } else
+ exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.tcpdump*");
+
+ /* create barnyard2 configuration file */
+ //if ($value['barnyard_enable'] == 'on')
+ //create_barnyard2_conf($id, $if_real, $snort_uuid);
+
+ if ($value['perform_stat'] == 'on')
+ @file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", "");
+ }
+ }
+}
+
+function snort_postinstall()
+{
+ global $config, $g, $snort_pfsense_basever, $snort_arch;
+
+ /* snort -> advanced features */
+ if (is_array($config['installedpackages']['snortglobal'])) {
+ $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize'];
+ $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize'];
+ $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns'];
+ }
+
+ /* cleanup default files */
+ @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf');
+ @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf');
+ @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map');
+ @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map');
+ @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config');
+ @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators');
+ @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config');
+ @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map');
+ @unlink('/usr/local/etc/snort/sid');
+ @unlink('/usr/local/etc/rc.d/snort');
+ @unlink('/usr/local/etc/rc.d/bardyard2');
+
+ /* remove example files */
+ if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0'))
+ exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*');
+
+ if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so'))
+ exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*');
+
+ /* create a few directories and ensure the sample files are in place */
+ if (!is_dir('/usr/local/etc/snort'))
+ exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules');
+ if (!is_dir('/usr/local/etc/snort/whitelist'))
+ exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/');
+ /* NOTE: the diff between the if check and the exec() extra run is by design */
+ if (!is_dir('/var/log/snort'))
+ exec('/bin/mkdir -p /var/log/snort/run');
+ else
+ exec('/bin/rm -r /var/log/snort/*; /bin/mkdir -p /var/log/snort/run');
+
+ if (!is_dir('/var/log/snort/barnyard2'))
+ exec('/bin/mkdir -p /var/log/snort/barnyard2');
+ if (!is_dir('/usr/local/lib/snort/dynamicrules/'))
+ exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/');
+ if (!file_exists('/var/db/whitelist'))
+ touch('/var/db/whitelist');
+
+ /* XXX: These are needed if you run snort as snort user
+ mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
+ mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
+ mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
+ */
+ /* important */
+ mwexec('/bin/chmod 660 /var/db/whitelist', true);
+ mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true);
+ mwexec('/bin/chmod -R 660 /tmp/snort*', true);
+ mwexec('/bin/chmod -R 660 /var/run/snort*', true);
+ mwexec('/bin/chmod -R 660 /var/snort/run/*', true);
+ mwexec('/bin/chmod 770 /usr/local/lib/snort', true);
+ mwexec('/bin/chmod 770 /usr/local/etc/snort', true);
+ mwexec('/bin/chmod 770 /usr/local/etc/whitelist', true);
+ mwexec('/bin/chmod 770 /var/log/snort', true);
+ mwexec('/bin/chmod 770 /var/log/snort/run', true);
+ mwexec('/bin/chmod 770 /var/log/snort/barnyard2', true);
+
+ /* move files around, make it look clean */
+ mwexec('/bin/mkdir -p /usr/local/www/snort/css');
+ mwexec('/bin/mkdir -p /usr/local/www/snort/images');
+
+ chdir ("/usr/local/www/snort/css/");
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style.css');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/sexybuttons.css');
+ chdir("/usr/local/www/snort/images/");
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/alert.jpg');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down.gif');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down2.gif');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-asc.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-desc.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up.gif');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up2.gif');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo.jpg');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon_excli.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/arrow_down.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/awesome-overlay-sprite.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo22.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png');
+
+ /* remake saved settings */
+ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
+ update_status(gettext("Saved settings detected..."));
+ update_output_window(gettext("Please wait... rebuilding files..."));
+ sync_snort_package_config();
+ update_output_window(gettext("Finnished Rebuilding files..."));
+ }
+}
+
+function snort_Getdirsize($node) {
+ if(!is_readable($node))
+ return false;
+
+ $blah = exec( "/usr/bin/du -kd $node" );
+ return substr( $blah, 0, strpos($blah, 9) );
+}
+
+/* func for log dir size limit cron */
+function snort_snortloglimit_install_cron($should_install) {
+ global $config, $g;
+
+ if (!is_array($config['cron']['item']))
+ $config['cron']['item'] = array();
+
+ $x=0;
+ $is_installed = false;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], '/usr/local/pkg/snort/snort_check_cron_misc.inc')) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+
+ $cron_item = array();
+ $cron_item['minute'] = "*/5";
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc";
+ $config['cron']['item'][] = $cron_item;
+ }
+ break;
+ case false:
+ if($is_installed == true)
+ unset($config['cron']['item'][$x]);
+ break;
+ }
+}
+
+/* func for updating cron */
+function snort_rm_blocked_install_cron($should_install) {
+ global $config, $g;
+
+ if (!is_array($config['cron']['item']))
+ $config['cron']['item'] = array();
+
+ $x=0;
+ $is_installed = false;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], "snort2c")) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+
+ $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked'];
+ if ($snort_rm_blocked_info_ck == "1h_b") {
+ $snort_rm_blocked_min = "*/5";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "3600";
+ }
+ if ($snort_rm_blocked_info_ck == "3h_b") {
+ $snort_rm_blocked_min = "*/15";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "10800";
+ }
+ if ($snort_rm_blocked_info_ck == "6h_b") {
+ $snort_rm_blocked_min = "*/30";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "21600";
+ }
+ if ($snort_rm_blocked_info_ck == "12h_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "*/1";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "43200";
+ }
+ if ($snort_rm_blocked_info_ck == "1d_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "*/2";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "86400";
+ }
+ if ($snort_rm_blocked_info_ck == "4d_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "*/8";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "345600";
+ }
+ if ($snort_rm_blocked_info_ck == "7d_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "*/14";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "604800";
+ }
+ if ($snort_rm_blocked_info_ck == "28d_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "0";
+ $snort_rm_blocked_mday = "*/2";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "2419200";
+ }
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_rm_blocked_min";
+ $cron_item['hour'] = "$snort_rm_blocked_hr";
+ $cron_item['mday'] = "$snort_rm_blocked_mday";
+ $cron_item['month'] = "$snort_rm_blocked_month";
+ $cron_item['wday'] = "$snort_rm_blocked_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
+ $config['cron']['item'][] = $cron_item;
+ }
+ break;
+ case false:
+ if ($is_installed == true)
+ unset($config['cron']['item'][$x]);
+ break;
+ }
+}
+
+/* func to install snort update */
+function snort_rules_up_install_cron($should_install) {
+ global $config, $g;
+
+ if(!$config['cron']['item'])
+ $config['cron']['item'] = array();
+
+ $x=0;
+ $is_installed = false;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], "snort_check_for_rule_updates.php")) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+ $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7'];
+ if ($snort_rules_up_info_ck == "6h_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "*/6";
+ $snort_rules_up_mday = "*";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "12h_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "*/12";
+ $snort_rules_up_mday = "*";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "1d_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "0";
+ $snort_rules_up_mday = "*/1";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "4d_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "0";
+ $snort_rules_up_mday = "*/4";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "7d_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "0";
+ $snort_rules_up_mday = "*/7";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "28d_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "0";
+ $snort_rules_up_mday = "*/28";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_rules_up_min";
+ $cron_item['hour'] = "$snort_rules_up_hr";
+ $cron_item['mday'] = "$snort_rules_up_mday";
+ $cron_item['month'] = "$snort_rules_up_month";
+ $cron_item['wday'] = "$snort_rules_up_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log";
+ $config['cron']['item'][] = $cron_item;
+ }
+ break;
+ case false:
+ if($is_installed == true)
+ unset($config['cron']['item'][$x]);
+ break;
+ }
+}
+
+/* Only run when all ifaces needed to sync. Expects filesystem rw */
+function sync_snort_package_config()
+{
+ global $config, $g;
+
+ /* RedDevil suggested code */
+ /* TODO: more testing needs to be done */
+ /* may cause voip to fail */
+ //exec("/sbin/sysctl net.bpf.bufsize=8388608");
+ //exec("/sbin/sysctl net.bpf.maxbufsize=4194304");
+ //exec("/sbin/sysctl net.bpf.maxinsns=512");
+ //exec("/sbin/sysctl net.inet.tcp.rfc1323=1");
+
+ conf_mount_rw();
+
+ /* do not start config build if rules is empty */
+ if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
+ conf_mount_ro();
+ return;
+ }
+
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {
+ $if_real = snort_get_real_interface($value['interface']);
+ $snort_uuid = $value['uuid'];
+
+ if ($if_real != '' && $snort_uuid != '') {
+
+ /* only build whitelist when needed */
+ if ($value['blockoffenders7'] == 'on')
+ create_snort_whitelist($id, $if_real);
+
+ /* only build threshold when needed */
+ if ($value['suppresslistname'] != 'default')
+ create_snort_suppress($id, $if_real);
+
+ /* create snort configuration file */
+ create_snort_conf($id, $if_real, $snort_uuid);
+
+ /* if rules exist cp rules to each iface */
+ create_rules_iface($id, $if_real, $snort_uuid);
+
+ /* create barnyard2 configuration file */
+ if ($value['barnyard_enable'] == 'on')
+ create_barnyard2_conf($id, $if_real, $snort_uuid);
+ }
+ }
+
+ /* create snort bootup file snort.sh only create once */
+ create_snort_sh();
+
+ /* all new files are for the user snort nologin */
+ if (!is_dir("/var/log/snort/snort_{$if_real}{$snort_uuid}"))
+ exec("/bin/mkdir -p /var/log/snort/snort_{$if_real}{$snort_uuid}");
+
+ if (!is_dir('/var/log/snort/run'))
+ exec('/bin/mkdir -p /var/log/snort/run');
+
+ if (!is_dir("/var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}"))
+ exec("/bin/mkdir -p /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}");
+
+ /* XXX: These are needed if snort is run as snort user
+ mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
+ mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
+ mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
+ */
+
+ /* important */
+ mwexec('/bin/chmod 770 /var/db/whitelist', true);
+ mwexec('/bin/chmod 770 /var/run/snort*', true);
+ mwexec('/bin/chmod 770 /tmp/snort*', true);
+ mwexec('/bin/chmod -R 770 /var/log/snort', true);
+ mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true);
+ mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true);
+
+ conf_mount_ro();
+}
+
+/* Start of main config files */
+
+/* create threshold file */
+function create_snort_suppress($id, $if_real) {
+ global $config, $g;
+
+ /* make sure dir is there */
+ if (!is_dir('/usr/local/etc/snort/suppress'))
+ exec('/bin/mkdir -p /usr/local/etc/snort/suppress');
+
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') {
+ $whitelist_key_s = find_suppress_key($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname']);
+
+ /* file name */
+ $suppress_file_name = $config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['name'];
+
+ /* Message */
+ $s_data = '# This file is auto generated by the snort package. Please do not edit this file by hand.' . "\n\n";
+
+ /* user added arguments */
+ $s_data .= str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['suppresspassthru']));
+
+ /* open snort's whitelist for writing */
+ @file_put_contents("/usr/local/etc/snort/suppress/$suppress_file_name", $s_data);
+ }
+}
+
+function create_snort_whitelist($id, $if_real) {
+ global $config, $g;
+
+ /* make sure dir is there */
+ if (!is_dir('/usr/local/etc/snort/whitelist'))
+ exec('/bin/mkdir -p /usr/local/etc/snort/whitelist');
+
+ if ($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'] == 'default') {
+
+ $w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no');
+
+ /* open snort's whitelist for writing */
+ @file_put_contents("/usr/local/etc/snort/whitelist/defaultwlist", $w_data);
+
+ } else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'])) {
+ $whitelist_key_w = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname']);
+
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
+ return;
+
+ $whitelist = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w];
+ $w_data = build_base_whitelist($whitelist['snortlisttype'], $whitelist['wanips'], $whitelist['wangateips'],
+ $whitelist['wandnsips'], $whitelist['vips'], $whitelist['vpnips'], $whitelist_key_w);
+
+ /* open snort's whitelist for writing */
+ @file_put_contents("/usr/local/etc/snort/whitelist/" . $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $w_data);
+ }
+}
+
+function create_snort_homenet($id, $if_real) {
+ global $config, $g;
+
+ if ($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == 'default' || $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == '')
+ return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no');
+ else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'])) {
+ $whitelist_key_h = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['homelistname']);
+
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
+ return;
+
+ $build_netlist_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['snortlisttype'];
+ $wanip_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wanips'];
+ $wangw_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wangateips'];
+ $wandns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wandnsips'];
+ $vips_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vips'];
+ $vpns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vpnips'];
+
+ return build_base_whitelist($build_netlist_h, $wanip_h, $wangw_h, $wandns_h, $vips_h, $vpns_h, $whitelist_key_h);
+ }
+}
+
+function create_snort_externalnet($id, $if_real) {
+ global $config, $g;
+
+ if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['externallistname'])) {
+ $whitelist_key_ex = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['externallistname']);
+
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
+ return;
+
+ $build_netlist_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype'];
+ $wanip_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips'];
+ $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips'];
+ $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips'];
+ $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips'];
+ $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips'];
+
+ return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex);
+ }
+}
+
+/* open snort.sh for writing" */
+function create_snort_sh()
+{
+ global $config, $g;
+
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ $snortconf =& $config['installedpackages']['snortglobal']['rule'];
+
+ $snort_sh_text3 = array();
+ $snort_sh_text4 = array();
+
+ /* do not start config build if rules is empty */
+ if (!empty($snortconf)) {
+ foreach ($snortconf as $value) {
+ $snort_uuid = $value['uuid'];
+ $result_lan = $value['interface'];
+ $if_real = snort_get_real_interface($result_lan);
+
+ /* define snortbarnyardlog_chk */
+ $snortbarnyardlog_info_chk = $value['barnyard_enable'];
+ $snortbarnyardlog_mysql_info_chk = $value['barnyard_mysql'];
+
+ if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '')
+ $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q";
+
+ $snort_sh_text3[] = <<<EOE
+
+###### For Each Iface
+
+#### Fake start only used on bootup and Pfsense IP changes
+#### Only try to restart if snort is running on Iface
+if [ "`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`" != "" ]; then
+ snort_pid=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"
+
+ #### Restart Iface
+ /bin/kill -HUP \${snort_pid}
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..."
+else
+ # Start snort and barnyard2
+ /bin/echo "snort.sh run" > /tmp/snort.sh.pid
+ /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid
+
+ /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
+ $start_barnyard2
+
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD START For {$snort_uuid}_{$if_real}..."
+fi
+
+EOE;
+
+ $snort_sh_text4[] = <<<EOF
+
+pid_s=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'`
+sleep 3
+pid_b=`/bin/ps -ax | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'`
+if [ \${pid_s} ] ; then
+
+ /bin/echo "snort.sh run" > /tmp/snort.sh.pid
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..."
+
+ /bin/kill \${pid_s}
+ sleep 3
+ /bin/kill \${pid_b}
+
+ /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid
+fi
+
+EOF;
+ }
+ }
+
+
+ $start_snort_iface_start = implode("\n\n", $snort_sh_text3);
+ $start_snort_iface_stop = implode("\n\n", $snort_sh_text4);
+
+ $snort_sh_text = <<<EOD
+#!/bin/sh
+########
+# This file was automatically generated
+# by the pfSense service handler.
+# Code added to protect from double starts on pfSense bootup
+######## Begining of Main snort.sh
+
+rc_start() {
+
+ /bin/echo "snort.sh run" > /tmp/snort.sh.pid
+ $start_snort_iface_start
+ /bin/rm /tmp/snort.sh.pid
+}
+
+rc_stop() {
+
+ $start_snort_iface_stop
+ /bin/rm /tmp/snort.sh.pid
+ /bin/rm /var/run/snort*
+
+}
+
+case $1 in
+ start)
+ rc_start
+ ;;
+ stop)
+ rc_stop
+ ;;
+ restart)
+ rc_start
+ ;;
+esac
+
+EOD;
+
+ /* write out snort.sh */
+ $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w");
+ if(!$bconf) {
+ log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing.");
+ return;
+ }
+ fwrite($bconf, $snort_sh_text);
+ fclose($bconf);
+ @chmod("/usr/local/etc/rc.d/snort.sh", 0755);
+}
+
+/* if rules exist copy to new interfaces */
+function create_rules_iface($id, $if_real, $snort_uuid)
+{
+ global $config, $g;
+
+ $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}";
+ $folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 'empty' : 'full';
+
+ if ($folder_chk == "empty") {
+ if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"))
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules");
+ exec("/bin/cp /usr/local/etc/snort/rules/* {$if_rule_dir}/rules");
+ if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules"))
+ exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules");
+ }
+}
+
+/* open barnyard2.conf for writing */
+function create_barnyard2_conf($id, $if_real, $snort_uuid) {
+ global $config, $g;
+
+ if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"))
+ exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");
+
+ if (!file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo")) {
+ mwexec("/usr/bin/touch /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo", true);
+ /* XXX: This is needed if snort is run as snort user */
+ //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true);
+ mwexec("/bin/chmod 770 /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo", true);
+ }
+
+ $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid);
+
+ /* write out barnyard2_conf */
+ $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");
+ if(!$bconf) {
+ log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing.");
+ return;
+ }
+ fwrite($bconf, $barnyard2_conf_text);
+ fclose($bconf);
+}
+
+/* open barnyard2.conf for writing" */
+function generate_barnyard2_conf($id, $if_real, $snort_uuid) {
+ global $config, $g;
+
+ /* define snortbarnyardlog */
+ /* TODO: add support for the other 5 output plugins */
+
+ $snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql'];
+ $snortbarnyardlog_hostname_info_chk = exec("/bin/hostname");
+ /* user add arguments */
+ $snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['barnconfigpassthru']));
+
+ $barnyard2_conf_text = <<<EOD
+
+# barnyard2.conf
+# barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php
+#
+# set the appropriate paths to the file(s) your Snort process is using
+
+config reference_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config
+config classification_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config
+config gen_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map
+config sid_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map
+
+config hostname: $snortbarnyardlog_hostname_info_chk
+config interface: {$snort_uuid}_{$if_real}
+config decode_data_link
+config waldo_file: /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo
+
+## START user pass through ##
+
+ {$snortbarnyardlog_config_pass_thru}
+
+## END user pass through ##
+
+# Step 2: setup the input plugins
+input unified2
+
+config logdir: /var/log/snort/snort_{$if_real}{$snort_uuid}
+
+# database: log to a variety of databases
+# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx
+
+ $snortbarnyardlog_database_info_chk
+
+EOD;
+
+ return $barnyard2_conf_text;
+}
+
+function create_snort_conf($id, $if_real, $snort_uuid)
+{
+ global $config, $g;
+
+ if (!empty($if_real)&& !empty($snort_uuid)) {
+ if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}")) {
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}");
+ @touch("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf");
+ }
+
+ $snort_conf_text = generate_snort_conf($id, $if_real, $snort_uuid);
+ if (empty($snort_conf_text))
+ return;
+
+ /* write out snort.conf */
+ $conf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf", "w");
+ if(!$conf) {
+ log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf for writing.");
+ return -1;
+ }
+ fwrite($conf, $snort_conf_text);
+ fclose($conf);
+ }
+}
+
+function snort_deinstall() {
+ global $config, $g;
+
+ /* remove custom sysctl */
+ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480");
+
+ /* decrease bpf buffers back to 4096, from 20480 */
+ exec('/sbin/sysctl net.bpf.bufsize=4096');
+ mwexec('/usr/bin/killall snort', true);
+ sleep(2);
+ mwexec('/usr/bin/killall -9 snort', true);
+ sleep(2);
+ mwexec('/usr/bin/killall barnyard2', true);
+ sleep(2);
+ mwexec('/usr/bin/killall -9 barnyard2', true);
+ sleep(2);
+ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
+ mwexec('/bin/rm -rf /usr/local/etc/snort*; /bin/rm -rf /usr/local/pkg/snort*', true);
+ mwexec('/bin/rm -r /usr/local/bin/barnyard2', true);
+ mwexec('/bin/rm -rf /usr/local/www/snort; /bin/rm -rf /var/log/snort; /bin/rm -rf /usr/local/lib/snort', true);
+
+ /* Remove snort cron entries Ugly code needs smoothness*/
+ if (!function_exists('snort_deinstall_cron')) {
+ function snort_deinstall_cron($crontask) {
+ global $config, $g;
+
+ if(!is_array($config['cron']['item']))
+ return;
+
+ $x=0;
+ $is_installed = false;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], $crontask)) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+ if ($is_installed == true)
+ unset($config['cron']['item'][$x]);
+ }
+ }
+
+ snort_deinstall_cron("snort2c");
+ snort_deinstall_cron("snort_check_for_rule_updates.php");
+ snort_deinstall_cron("/usr/local/pkg/snort/snort_check_cron_misc.inc");
+ configure_cron();
+
+ /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */
+ /* Keep this as a last step */
+ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on')
+ unset($config['installedpackages']['snortglobal']);
+}
+
+function generate_snort_conf($id, $if_real, $snort_uuid)
+{
+ global $config, $g, $snort_pfsense_basever;
+
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ $snortcfg =& $config['installedpackages']['snortglobal']['rule'][$id];
+
+ /* custom home nets */
+ $home_net = create_snort_homenet($id, $if_real);
+
+ if ($snortcfg['externallistname'] == 'default')
+ $external_net = '!$HOME_NET';
+ else
+ $external_net = create_snort_externalnet($id, $if_real);
+
+ /* obtain external interface */
+ /* XXX: make multi wan friendly */
+ $snort_ext_int = $snortcfg['interface'];
+
+ /* user added arguments */
+ $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru']));
+
+ /* create basic files */
+ if (!is_dir("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}"))
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}");
+
+ exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config");
+ exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config");
+ exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map");
+ exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf");
+ exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");
+
+ if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"))
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules");
+
+ /* define basic log filename */
+ $snortunifiedlogbasic_type = "output unified: filename snort_{$snort_uuid}_{$if_real}.log, limit 128";
+
+ /* define snortalertlogtype */
+ if ($config['installedpackages']['snortglobal']['snortalertlogtype'] == "fast")
+ $snortalertlogtype_type = "output alert_fast: alert_{$snort_uuid}";
+ else
+ $snortalertlogtype_type = "output alert_full: alert_{$snort_uuid}";
+
+ /* define alertsystemlog */
+ $alertsystemlog_type = "";
+ if ($snortcfg['alertsystemlog'] == "on")
+ $alertsystemlog_type = "output alert_syslog: log_alert";
+
+ /* define tcpdumplog */
+ $tcpdumplog_type = "";
+ if ($snortcfg['tcpdumplog'] == "on")
+ $tcpdumplog_type = "output log_tcpdump: snort_{$snort_uuid}_{$if_real}.tcpdump";
+
+ /* define snortunifiedlog */
+ $snortunifiedlog_type = "";
+ if ($snortcfg['snortunifiedlog'] == "on")
+ $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128";
+
+ /* define spoink */
+ $spoink_type = "";
+ if ($snortcfg['blockoffenders7'] == "on") {
+ if ($snortcfg['whitelistname'] == "default")
+ $spoink_whitelist_name = 'defaultwlist';
+ else if (file_exists("/usr/local/etc/snort/whitelist/{$snortcfg['whitelistname']}"))
+ $spoink_whitelist_name = $snortcfg['whitelistname'];
+
+ $pfkill = "";
+ if ($snortcfg['blockoffenderskill'] == "on")
+ $pfkill = "kill";
+
+ $spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/{$spoink_whitelist_name},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}";
+ }
+
+ /* define threshold file */
+ $threshold_file_name = "";
+ if ($snortcfg['suppresslistname'] != 'default') {
+ if (file_exists("/usr/local/etc/snort/suppress/{$snortcfg['suppresslistname']}"))
+ $threshold_file_name = "include /usr/local/etc/snort/suppress/{$snortcfg['suppresslistname']}";
+ }
+
+ /* define servers and ports snortdefservers */
+ /* def DNS_SERVSERS */
+ $def_dns_servers_info_chk = $snortcfg['def_dns_servers'];
+ if ($def_dns_servers_info_chk == "")
+ $def_dns_servers_type = "\$HOME_NET";
+ else
+ $def_dns_servers_type = "$def_dns_servers_info_chk";
+
+ /* def DNS_PORTS */
+ $def_dns_ports_info_chk = $snortcfg['def_dns_ports'];
+ if ($def_dns_ports_info_chk == "")
+ $def_dns_ports_type = "53";
+ else
+ $def_dns_ports_type = "$def_dns_ports_info_chk";
+
+ /* def SMTP_SERVSERS */
+ $def_smtp_servers_info_chk = $snortcfg['def_smtp_servers'];
+ if ($def_smtp_servers_info_chk == "")
+ $def_smtp_servers_type = "\$HOME_NET";
+ else
+ $def_smtp_servers_type = "$def_smtp_servers_info_chk";
+
+ /* def SMTP_PORTS */
+ $def_smtp_ports_info_chk = $snortcfg['def_smtp_ports'];
+ if ($def_smtp_ports_info_chk == "")
+ $def_smtp_ports_type = "25";
+ else
+ $def_smtp_ports_type = "$def_smtp_ports_info_chk";
+
+ /* def MAIL_PORTS */
+ $def_mail_ports_info_chk = $snortcfg['def_mail_ports'];
+ if ($def_mail_ports_info_chk == "")
+ $def_mail_ports_type = "25,143,465,691";
+ else
+ $def_mail_ports_type = "$def_mail_ports_info_chk";
+
+ /* def HTTP_SERVSERS */
+ $def_http_servers_info_chk = $snortcfg['def_http_servers'];
+ if ($def_http_servers_info_chk == "")
+ $def_http_servers_type = "\$HOME_NET";
+ else
+ $def_http_servers_type = "$def_http_servers_info_chk";
+
+ /* def WWW_SERVSERS */
+ $def_www_servers_info_chk = $snortcfg['def_www_servers'];
+ if ($def_www_servers_info_chk == "")
+ $def_www_servers_type = "\$HOME_NET";
+ else
+ $def_www_servers_type = "$def_www_servers_info_chk";
+
+ /* def HTTP_PORTS */
+ $def_http_ports_info_chk = $snortcfg['def_http_ports'];
+ if ($def_http_ports_info_chk == "")
+ $def_http_ports_type = "80";
+ else
+ $def_http_ports_type = "$def_http_ports_info_chk";
+
+ /* def SQL_SERVSERS */
+ $def_sql_servers_info_chk = $snortcfg['def_sql_servers'];
+ if ($def_sql_servers_info_chk == "")
+ $def_sql_servers_type = "\$HOME_NET";
+ else
+ $def_sql_servers_type = "$def_sql_servers_info_chk";
+
+ /* def ORACLE_PORTS */
+ $def_oracle_ports_info_chk = $snortcfg['def_oracle_ports'];
+ if ($def_oracle_ports_info_chk == "")
+ $def_oracle_ports_type = "1521";
+ else
+ $def_oracle_ports_type = "$def_oracle_ports_info_chk";
+
+ /* def MSSQL_PORTS */
+ $def_mssql_ports_info_chk = $snortcfg['def_mssql_ports'];
+ if ($def_mssql_ports_info_chk == "")
+ $def_mssql_ports_type = "1433";
+ else
+ $def_mssql_ports_type = "$def_mssql_ports_info_chk";
+
+ /* def TELNET_SERVSERS */
+ $def_telnet_servers_info_chk = $snortcfg['def_telnet_servers'];
+ if ($def_telnet_servers_info_chk == "")
+ $def_telnet_servers_type = "\$HOME_NET";
+ else
+ $def_telnet_servers_type = "$def_telnet_servers_info_chk";
+
+ /* def TELNET_PORTS */
+ $def_telnet_ports_info_chk = $snortcfg['def_telnet_ports'];
+ if ($def_telnet_ports_info_chk == "")
+ $def_telnet_ports_type = "23";
+ else
+ $def_telnet_ports_type = "$def_telnet_ports_info_chk";
+
+ /* def SNMP_SERVSERS */
+ $def_snmp_servers_info_chk = $snortcfg['def_snmp_servers'];
+ if ($def_snmp_servers_info_chk == "")
+ $def_snmp_servers_type = "\$HOME_NET";
+ else
+ $def_snmp_servers_type = "$def_snmp_servers_info_chk";
+
+ /* def SNMP_PORTS */
+ $def_snmp_ports_info_chk = $snortcfg['def_snmp_ports'];
+ if ($def_snmp_ports_info_chk == "")
+ $def_snmp_ports_type = "161";
+ else
+ $def_snmp_ports_type = "$def_snmp_ports_info_chk";
+
+ /* def FTP_SERVSERS */
+ $def_ftp_servers_info_chk = $snortcfg['def_ftp_servers'];
+ if ($def_ftp_servers_info_chk == "")
+ $def_ftp_servers_type = "\$HOME_NET";
+ else
+ $def_ftp_servers_type = "$def_ftp_servers_info_chk";
+
+ /* def FTP_PORTS */
+ $def_ftp_ports_info_chk = $snortcfg['def_ftp_ports'];
+ if ($def_ftp_ports_info_chk == "")
+ $def_ftp_ports_type = "21";
+ else
+ $def_ftp_ports_type = "$def_ftp_ports_info_chk";
+
+ /* def SSH_SERVSERS */
+ $def_ssh_servers_info_chk = $snortcfg['def_ssh_servers'];
+ if ($def_ssh_servers_info_chk == "")
+ $def_ssh_servers_type = "\$HOME_NET";
+ else
+ $def_ssh_servers_type = "$def_ssh_servers_info_chk";
+
+ /* if user has defined a custom ssh port, use it */
+ if(isset($config['system']['ssh']['port']))
+ $ssh_port = $config['system']['ssh']['port'];
+ else
+ $ssh_port = "22";
+
+ /* def SSH_PORTS */
+ $def_ssh_ports_info_chk = $snortcfg['def_ssh_ports'];
+ if ($def_ssh_ports_info_chk == "")
+ $def_ssh_ports_type = "{$ssh_port}";
+ else
+ $def_ssh_ports_type = "$def_ssh_ports_info_chk";
+
+ /* def POP_SERVSERS */
+ $def_pop_servers_info_chk = $snortcfg['def_pop_servers'];
+ if ($def_pop_servers_info_chk == "")
+ $def_pop_servers_type = "\$HOME_NET";
+ else
+ $def_pop_servers_type = "$def_pop_servers_info_chk";
+
+ /* def POP2_PORTS */
+ $def_pop2_ports_info_chk = $snortcfg['def_pop2_ports'];
+ if ($def_pop2_ports_info_chk == "")
+ $def_pop2_ports_type = "109";
+ else
+ $def_pop2_ports_type = "$def_pop2_ports_info_chk";
+
+ /* def POP3_PORTS */
+ $def_pop3_ports_info_chk = $snortcfg['def_pop3_ports'];
+ if ($def_pop3_ports_info_chk == "")
+ $def_pop3_ports_type = "110";
+ else
+ $def_pop3_ports_type = "$def_pop3_ports_info_chk";
+
+ /* def IMAP_SERVSERS */
+ $def_imap_servers_info_chk = $snortcfg['def_imap_servers'];
+ if ($def_imap_servers_info_chk == "")
+ $def_imap_servers_type = "\$HOME_NET";
+ else
+ $def_imap_servers_type = "$def_imap_servers_info_chk";
+
+ /* def IMAP_PORTS */
+ $def_imap_ports_info_chk = $snortcfg['def_imap_ports'];
+ if ($def_imap_ports_info_chk == "")
+ $def_imap_ports_type = "143";
+ else
+ $def_imap_ports_type = "$def_imap_ports_info_chk";
+
+ /* def SIP_PROXY_IP */
+ $def_sip_proxy_ip_info_chk = $snortcfg['def_sip_proxy_ip'];
+ if ($def_sip_proxy_ip_info_chk == "")
+ $def_sip_proxy_ip_type = "\$HOME_NET";
+ else
+ $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk";
+
+ /* def SIP_PROXY_PORTS */
+ $def_sip_proxy_ports_info_chk = $snortcfg['def_sip_proxy_ports'];
+ if ($def_sip_proxy_ports_info_chk == "")
+ $def_sip_proxy_ports_type = "5060:5090,16384:32768";
+ else
+ $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk";
+
+ /* def SIP_SERVERS */
+ $def_sip_servers_info_chk = $snortcfg['def_sip_servers'];
+ if ($def_sip_servers_info_chk == "")
+ $def_sip_servers_type = "\$HOME_NET";
+ else
+ $def_sip_servers_type = "$def_sip_servers_info_chk";
+
+ /* def SIP_PORTS */
+ $def_sip_ports_info_chk = $snortcfg['def_sip_ports'];
+ if ($def_sip_ports_info_chk == "")
+ $def_sip_ports_type = "5060:5090,16384:32768";
+ else
+ $def_sip_ports_type = "$def_sip_ports_info_chk";
+
+ /* def AUTH_PORTS */
+ $def_auth_ports_info_chk = $snortcfg['def_auth_ports'];
+ if ($def_auth_ports_info_chk == "")
+ $def_auth_ports_type = "113";
+ else
+ $def_auth_ports_type = "$def_auth_ports_info_chk";
+
+ /* def FINGER_PORTS */
+ $def_finger_ports_info_chk = $snortcfg['def_finger_ports'];
+ if ($def_finger_ports_info_chk == "")
+ $def_finger_ports_type = "79";
+ else
+ $def_finger_ports_type = "$def_finger_ports_info_chk";
+
+ /* def IRC_PORTS */
+ $def_irc_ports_info_chk = $snortcfg['def_irc_ports'];
+ if ($def_irc_ports_info_chk == "")
+ $def_irc_ports_type = "6665,6666,6667,6668,6669,7000";
+ else
+ $def_irc_ports_type = "$def_irc_ports_info_chk";
+
+ /* def NNTP_PORTS */
+ $def_nntp_ports_info_chk = $snortcfg['def_nntp_ports'];
+ if ($def_nntp_ports_info_chk == "")
+ $def_nntp_ports_type = "119";
+ else
+ $def_nntp_ports_type = "$def_nntp_ports_info_chk";
+
+ /* def RLOGIN_PORTS */
+ $def_rlogin_ports_info_chk = $snortcfg['def_rlogin_ports'];
+ if ($def_rlogin_ports_info_chk == "")
+ $def_rlogin_ports_type = "513";
+ else
+ $def_rlogin_ports_type = "$def_rlogin_ports_info_chk";
+
+ /* def RSH_PORTS */
+ $def_rsh_ports_info_chk = $snortcfg['def_rsh_ports'];
+ if ($def_rsh_ports_info_chk == "")
+ $def_rsh_ports_type = "514";
+ else
+ $def_rsh_ports_type = "$def_rsh_ports_info_chk";
+
+ /* def SSL_PORTS */
+ $def_ssl_ports_info_chk = $snortcfg['def_ssl_ports'];
+ if ($def_ssl_ports_info_chk == "")
+ $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995";
+ else
+ $def_ssl_ports_type = "$def_ssl_ports_info_chk";
+
+ /* if user is on pppoe, we really want to use ng0 interface */
+ if ($snort_pfsense_basever == 'yes' && $snort_ext_int == "wan")
+ $snort_ext_int = get_real_wan_interface();
+
+ /* set the snort performance model */
+ if($snortcfg['performance'])
+ $snort_performance = $snortcfg['performance'];
+ else
+ $snort_performance = "ac-bnfa";
+
+
+ /* generate rule sections to load */
+ $enabled_rulesets = $snortcfg['rulesets'];
+ $selected_rules_sections = "";
+ if (!empty($enabled_rulesets)) {
+ $enabled_rulesets_array = split("\|\|", $enabled_rulesets);
+ foreach($enabled_rulesets_array as $enabled_item)
+ $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
+ }
+
+ /////////////////////////////
+
+ /* preprocessor code */
+
+ /* def perform_stat */
+ $snort_perform_stat = <<<EOD
+
+##########################
+ #
+# NEW #
+# Performance Statistics #
+ #
+##########################
+
+preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$if_real}{$snort_uuid}/snort_{$snort_uuid}_{$if_real}.stats pktcnt 10000
+
+EOD;
+
+ $def_perform_stat_info_chk = $snortcfg['perform_stat'];
+ if ($def_perform_stat_info_chk == "on")
+ $def_perform_stat_type = "$snort_perform_stat";
+ else
+ $def_perform_stat_type = "";
+
+ $def_flow_depth_info_chk = $snortcfg['flow_depth'];
+ if (empty($def_flow_depth_info_chk))
+ $def_flow_depth_type = '0';
+ else
+ $def_flow_depth_type = $snortcfg['flow_depth'];
+
+ /* def http_inspect */
+ $snort_http_inspect = <<<EOD
+
+#################
+ #
+# HTTP Inspect #
+ #
+#################
+
+preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
+
+# TODO: pfsense GUI needed for ports
+preprocessor http_inspect_server: server default \
+ http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
+ ports { 80 8080 } \
+ non_strict \
+ non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
+ flow_depth {$def_flow_depth_type} \
+ apache_whitespace no \
+ directory no \
+ iis_backslash no \
+ u_encode yes \
+ extended_response_inspection \
+ inspect_gzip \
+ normalize_utf \
+ unlimited_decompress \
+ ascii no \
+ chunk_length 500000 \
+ bare_byte yes \
+ double_decode yes \
+ iis_unicode no \
+ iis_delimiter no \
+ multi_slash no \
+ server_flow_depth 0 \
+ client_flow_depth 0 \
+ post_depth 65495 \
+ oversize_dir_length 500 \
+ max_header_length 750 \
+ max_headers 100 \
+ max_spaces 0 \
+ small_chunk_length { 10 5 } \
+ enable_cookie \
+ normalize_javascript \
+ utf_8 no \
+ webroot no
+
+EOD;
+
+ $def_http_inspect_info_chk = $snortcfg['http_inspect'];
+ if ($def_http_inspect_info_chk == "on")
+ $def_http_inspect_type = "$snort_http_inspect";
+ else
+ $def_http_inspect_type = "";
+
+ /* def other_preprocs */
+ $snort_other_preprocs = <<<EOD
+
+##################
+ #
+# Other preprocs #
+ #
+##################
+
+preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
+preprocessor bo
+
+EOD;
+
+ $def_other_preprocs_info_chk = $snortcfg['other_preprocs'];
+ if ($def_other_preprocs_info_chk == "on")
+ $def_other_preprocs_type = "$snort_other_preprocs";
+ else
+ $def_other_preprocs_type = "";
+
+ /* def ftp_preprocessor */
+ $snort_ftp_preprocessor = <<<EOD
+
+#####################
+ #
+# ftp preprocessor #
+ #
+#####################
+
+preprocessor ftp_telnet: global \
+ inspection_type stateful \
+ encrypted_traffic no
+
+preprocessor ftp_telnet_protocol: telnet \
+ normalize \
+ ayt_attack_thresh 200 \
+ detect_anomalies
+
+preprocessor ftp_telnet_protocol: \
+ ftp server default \
+ def_max_param_len 100 \
+ # TODO add pfsense GUI
+ ports { 21 } \
+ telnet_cmds yes \
+ ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
+ ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
+ ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
+ ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
+ ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
+ ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
+ ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
+ ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
+ ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
+ ftp_cmds { XSEN XSHA1 XSHA256 } \
+ alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
+ alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
+ alt_max_param_len 256 { CWD RNTO } \
+ alt_max_param_len 400 { PORT } \
+ alt_max_param_len 512 { SIZE } \
+ chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
+ chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
+ chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
+ chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
+ chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
+ chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
+ chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
+ chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
+ cmd_validity ALLO < int [ char R int ] > \
+ cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
+ cmd_validity MACB < string > \
+ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+ cmd_validity MODE < char ASBCZ > \
+ cmd_validity PORT < host_port > \
+ cmd_validity PROT < char CSEP > \
+ cmd_validity STRU < char FRPO [ string ] > \
+ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
+
+preprocessor ftp_telnet_protocol: ftp client default \
+ max_resp_len 256 \
+ bounce yes \
+ telnet_cmds yes
+
+EOD;
+
+ $def_ftp_preprocessor_info_chk = $snortcfg['ftp_preprocessor'];
+ if ($def_ftp_preprocessor_info_chk == "on")
+ $def_ftp_preprocessor_type = "$snort_ftp_preprocessor";
+ else
+ $def_ftp_preprocessor_type = "";
+
+ /* def smtp_preprocessor */
+ $snort_smtp_preprocessor = <<<EOD
+
+#####################
+ #
+# SMTP preprocessor #
+ #
+#####################
+
+# TODO add pfsense GUI
+preprocessor SMTP: ports { 25 465 691 } \
+ inspection_type stateful \
+ b64_decode_depth 0 \
+ qp_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0 \
+ log_mailfrom \
+ log_rcptto \
+ log_filename \
+ log_email_hdrs \
+ normalize cmds \
+ normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
+ normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
+ normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
+ normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+ max_command_line_len 512 \
+ max_header_line_len 1000 \
+ max_response_line_len 512 \
+ alt_max_command_line_len 260 { MAIL } \
+ alt_max_command_line_len 300 { RCPT } \
+ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
+ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
+ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+ valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
+ valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
+ valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
+ valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+ xlink2state { enabled }
+
+EOD;
+
+ $def_smtp_preprocessor_info_chk = $snortcfg['smtp_preprocessor'];
+ if ($def_smtp_preprocessor_info_chk == "on")
+ $def_smtp_preprocessor_type = "$snort_smtp_preprocessor";
+ else
+ $def_smtp_preprocessor_type = "";
+
+ /* def sf_portscan */
+ $snort_sf_portscan = <<<EOD
+
+################
+ #
+# sf Portscan #
+ #
+################
+
+preprocessor sfportscan: scan_type { all } \
+ proto { all } \
+ memcap { 10000000 } \
+ sense_level { medium } \
+ ignore_scanners { \$HOME_NET }
+
+EOD;
+
+ $def_sf_portscan_info_chk = $snortcfg['sf_portscan'];
+ if ($def_sf_portscan_info_chk == "on")
+ $def_sf_portscan_type = "$snort_sf_portscan";
+ else
+ $def_sf_portscan_type = "";
+
+ /* def dce_rpc_2 */
+ $snort_dce_rpc_2 = <<<EOD
+
+###############
+ #
+# NEW #
+# DCE/RPC 2 #
+ #
+###############
+
+preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
+preprocessor dcerpc2_server: default, policy WinXP, \
+ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
+ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
+ smb_max_chain 3, \
+ smb_invalid_shares ["C$", "D$", "ADMIN$"]
+
+EOD;
+
+ $def_dce_rpc_2_info_chk = $snortcfg['dce_rpc_2'];
+ if ($def_dce_rpc_2_info_chk == "on")
+ $def_dce_rpc_2_type = "$snort_dce_rpc_2";
+ else
+ $def_dce_rpc_2_type = "";
+
+ /* def dns_preprocessor */
+ $snort_dns_preprocessor = <<<EOD
+
+####################
+ #
+# DNS preprocessor #
+ #
+####################
+
+# TODO add pfsense GUI
+preprocessor dns: \
+ ports { 53 } \
+ enable_rdata_overflow
+
+EOD;
+
+ $def_dns_preprocessor_info_chk = $snortcfg['dns_preprocessor'];
+ if ($def_dns_preprocessor_info_chk == "on")
+ $def_dns_preprocessor_type = "$snort_dns_preprocessor";
+ else
+ $def_dns_preprocessor_type = "";
+
+ /* def SSL_PORTS IGNORE */
+ $def_ssl_ports_ignore_info_chk = $snortcfg['def_ssl_ports_ignore'];
+ if ($def_ssl_ports_ignore_info_chk == "")
+ $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995";
+ else
+ $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk";
+
+ /* stream5 queued settings */
+
+
+ $def_max_queued_bytes_info_chk = $snortcfg['max_queued_bytes'];
+ if ($def_max_queued_bytes_info_chk == '')
+ $def_max_queued_bytes_type = '';
+ else
+ $def_max_queued_bytes_type = ' max_queued_bytes ' . $snortcfg['max_queued_bytes'] . ',';
+
+ $def_max_queued_segs_info_chk = $snortcfg['max_queued_segs'];
+ if ($def_max_queued_segs_info_chk == '')
+ $def_max_queued_segs_type = '';
+ else
+ $def_max_queued_segs_type = ' max_queued_segs ' . $snortcfg['max_queued_segs'] . ',';
+
+ $snort_preprocessor_decoder_rules = "";
+ if (file_exists("/usr/local/etc/snort/preproc_rules/preprocessor.rules"))
+ $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ if (file_exists("/usr/local/etc/snort/preproc_rules/decoder.rules"))
+ $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+
+ /* build snort configuration file */
+ $snort_conf_text = <<<EOD
+
+##############################################################################
+# #
+# snort configuration file generated by the pfSense package manager system #
+# see /usr/local/pkg/snort.inc # #
+# for snort ver. 2.9.2.3 #
+# more information Snort can be found at http://www.snort.org/ #
+# #
+##############################################################################
+
+#########################
+ #
+# Define Local Network #
+ #
+#########################
+
+# TODO: bug, auto gen is adding extra 127.0.0.1
+ipvar HOME_NET {$home_net}
+ipvar EXTERNAL_NET {$external_net}
+
+###################
+ #
+# Define Servers #
+ #
+###################
+
+ipvar DNS_SERVERS [{$def_dns_servers_type}]
+ipvar SMTP_SERVERS [{$def_smtp_servers_type}]
+ipvar HTTP_SERVERS [{$def_http_servers_type}]
+ipvar SQL_SERVERS [{$def_sql_servers_type}]
+ipvar TELNET_SERVERS [{$def_telnet_servers_type}]
+ipvar FTP_SERVERS [{$def_ftp_servers_type}]
+ipvar SSH_SERVERS [{$def_ssh_servers_type}]
+ipvar SIP_PROXY_IP [{$def_sip_proxy_ip_type}]
+ipvar SIP_SERVERS [{$def_sip_servers_type}]
+ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
+# def below may have been removed
+ipvar POP_SERVERS [{$def_pop_servers_type}]
+ipvar IMAP_SERVERS [{$def_imap_servers_type}]
+ipvar RPC_SERVERS [\$HOME_NET]
+ipvar WWW_SERVERS [{$def_www_servers_type}]
+ipvar SNMP_SERVERS [{$def_snmp_servers_type}]
+
+
+########################
+ #
+# Define Server Ports #
+ #
+########################
+
+portvar HTTP_PORTS [{$def_http_ports_type}]
+portvar SHELLCODE_PORTS !80
+portvar ORACLE_PORTS [{$def_oracle_ports_type}]
+portvar FTP_PORTS [{$def_ftp_ports_type}]
+portvar SSH_PORTS [{$def_ssh_ports_type}]
+portvar SIP_PORTS [{$def_sip_ports_type}]
+### Below ports need new gui ###
+portvar FILE_DATA_PORTS [\$HTTP_PORTS,110,143]
+portvar GTP_PORTS [2123,2152,3386]
+portvar MODBUS_PORTS [502]
+portvar DNP3_PORTS [20000]
+# These ports may have been removed left here so no custom rules break
+portvar AUTH_PORTS [{$def_auth_ports_type}]
+portvar DNS_PORTS [{$def_dns_ports_type}]
+portvar FINGER_PORTS [{$def_finger_ports_type}]
+portvar IMAP_PORTS [{$def_imap_ports_type}]
+portvar IRC_PORTS [{$def_irc_ports_type}]
+portvar MSSQL_PORTS [{$def_mssql_ports_type}]
+portvar NNTP_PORTS [{$def_nntp_ports_type}]
+portvar POP2_PORTS [{$def_pop2_ports_type}]
+portvar POP3_PORTS [{$def_pop3_ports_type}]
+portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
+portvar RLOGIN_PORTS [{$def_rlogin_ports_type}]
+portvar RSH_PORTS [{$def_rsh_ports_type}]
+portvar SMB_PORTS [139,445]
+portvar SMTP_PORTS [{$def_smtp_ports_type}]
+portvar SNMP_PORTS [{$def_snmp_ports_type}]
+portvar TELNET_PORTS [{$def_telnet_ports_type}]
+portvar MAIL_PORTS [{$def_mail_ports_type}]
+portvar SSL_PORTS [{$def_sip_proxy_ports_type}]
+portvar SIP_PROXY_PORTS [{$def_sip_ports_type}]
+
+# These ports may have been removed left here so no custom rules break
+# DCERPC NCACN-IP-TCP
+portvar DCERPC_NCACN_IP_TCP [139,445]
+portvar DCERPC_NCADG_IP_UDP [138,1024:]
+portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
+portvar DCERPC_NCACN_UDP_LONG [135,1024:]
+portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
+portvar DCERPC_NCACN_TCP [2103,2105,2107]
+portvar DCERPC_BRIGHTSTORE [6503,6504]
+
+
+#####################
+ #
+# Define Rule Paths #
+ #
+#####################
+
+var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules
+var PREPROC_RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/preproc_rules
+var SO_RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/so_rules
+
+#############################################################
+# #
+# reputation preprocessor, ALWAYS USE FULL PATHS, BUG 89986 #
+# #
+#############################################################
+
+#var WHITE_LIST_PATH ../rules
+#var BLACK_LIST_PATH ../rules
+
+################################
+ #
+# Configure the snort decoder #
+ #
+################################
+
+config checksum_mode: all
+config disable_decode_alerts
+config disable_tcpopt_experimental_alerts
+config disable_tcpopt_obsolete_alerts
+config disable_ttcp_alerts
+config disable_tcpopt_alerts
+config disable_tcpopt_ttcp_alerts
+config disable_ipopt_alerts
+config disable_decode_drops
+
+################ The following is for inline mode tunning ################
+
+# config enable_decode_oversized_alerts
+# config enable_decode_oversized_drops
+# config flowbits_size: 64
+
+#### make sure I enable gui for this ##########
+# config ignore_ports: tcp 21 6667:6671 1356 #
+# config ignore_ports: udp 1:17 53 #
+###############################################
+
+# Configure active response for non inline
+# config response: eth0 attempts 2
+
+# Configure DAQ related options for inline mode
+#
+# config daq: <type>
+# config daq_dir: <dir>
+# config daq_mode: <mode>
+# config daq_var: <var>
+#
+# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
+# <mode> ::= read-file | passive | inline
+# <var> ::= arbitrary <name>=<value passed to DAQ
+# <dir> ::= path as to where to look for DAQ module so's
+
+## gui needed for pfsense ##
+# config daq: afpacket
+
+#############################################################
+
+########################################
+# Configure specific UID and GID
+# to run snort as after dropping privs
+#
+# config set_gid:
+# config set_uid:
+########################################
+
+########################################
+#
+# Configure default snaplen. Snort
+# defaults to MTU of in use interface
+#
+# config snaplen:
+#
+# TODO: gui needed for pfsense
+#
+########################################
+
+################################################################
+#
+# Configure default bpf_file to use for filtering what traffic
+# reaches snort. options (-F)
+#
+# config bpf_file:
+#
+# TODO: gui needed for pfsense
+#
+###############################################################
+
+#####################################################################
+#
+# Configure default log directory for snort to log to. options (-l)
+#
+# config logdir:
+#
+#####################################################################
+
+###################################
+ #
+# Configure the detection engine #
+# Use lower memory models #
+ #
+###################################
+
+# TODO: gui needed for pfsense
+# Configure PCRE match limitations
+config pcre_match_limit: 3500
+config pcre_match_limit_recursion: 1500
+
+#############################################################################
+# #
+# Configure the detection engine #
+# Use lower memory models for pfsense #
+# #
+# #
+# Notes #
+# #
+# ac, ac-q, ac-bnfa, ac-bnfa-q, lowmem, lowmem-q #
+# ac-split shorthand for search-method ac, split-any-any, intel-cpm,ac-nq, #
+# ac-bnfa-nq This is the default search method if none is specified. #
+# lowmem-nq, ac-std, acs, ac-banded, ac-sparsebands #
+# #
+#############################################################################
+
+config detection: search-method {$snort_performance} search-optimize max-pattern-len 20
+config event_queue: max_queue 8 log 3 order_events content_length
+
+###################################################
+# Configure GTP if it is to be used
+####################################################
+
+# TODO: gui needed for pfsense
+# config enable_gtp
+
+###################################################
+# Per packet and rule latency enforcement, README.ppm
+###################################################
+
+# Per Packet latency configuration
+#config ppm: max-pkt-time 250, \
+# fastpath-expensive-packets, \
+# pkt-log
+
+# Per Rule latency configuration
+#config ppm: max-rule-time 200, \
+# threshold 3, \
+# suspend-expensive-rules, \
+# suspend-timeout 20, \
+# rule-log alert
+
+###################################################
+# Configure Perf Profiling for debugging, README.PerfProfiling
+###################################################
+
+#config profile_rules: print all, sort avg_ticks
+#config profile_preprocs: print all, sort avg_ticks
+
+###################################################
+# Configure protocol aware flushing. README.stream5
+###################################################
+config paf_max: 16000
+
+##################################################
+# Configure dynamic loaded libraries
+##################################################
+
+dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
+dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
+dynamicdetection directory /usr/local/lib/snort/dynamicrules
+
+###################
+ #
+# Flow and stream #
+ #
+###################
+
+# TODO: gui needed for pfsense
+# GTP Control Channle Preprocessor, README.GTP
+preprocessor gtp: ports { 2123 3386 2152 }
+
+####################################################
+# Inline packet normalization, README.normalize
+# Does nothing in IDS mode
+#
+# preprocessor normalize_ip4
+# preprocessor normalize_tcp: ips ecn stream
+# preprocessor normalize_icmp4
+# preprocessor normalize_ip6
+# preprocessor normalize_icmp6
+####################################################
+
+# this tuning ,may need testing
+preprocessor frag3_global: max_frags 65536
+preprocessor frag3_engine: policy bsd detect_anomalies
+
+preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5
+
+preprocessor stream5_tcp: policy BSD, ports both all, timeout 180, {$def_max_queued_bytes_type}{$def_max_queued_segs_type}
+preprocessor stream5_udp: timeout 180
+preprocessor stream5_icmp:
+
+ {$def_perform_stat_type}
+
+ {$def_http_inspect_type}
+
+ {$def_other_preprocs_type}
+
+ {$def_ftp_preprocessor_type}
+
+ {$def_smtp_preprocessor_type}
+
+ {$def_sf_portscan_type}
+
+########################
+ #
+# ARP spoof detection. #
+ #
+########################
+
+# preprocessor arpspoof
+# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
+
+##########################
+ #
+# SSH anomaly detection #
+ #
+##########################
+
+preprocessor ssh: server_ports { 22 } \
+ autodetect \
+ max_client_bytes 19600 \
+ max_encrypted_packets 20 \
+ max_server_version_len 100 \
+ enable_respoverflow enable_ssh1crc32 \
+ enable_srvoverflow enable_protomismatch
+
+
+ {$def_dce_rpc_2_type}
+
+ {$def_dns_preprocessor_type}
+
+##############################
+ #
+# NEW #
+# Ignore SSL and Encryption #
+ #
+##############################
+
+preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted
+
+
+###########################################################
+ #
+# SDF sensitive data preprocessor, README.sensitive_data #
+ #
+###########################################################
+
+# TODO: add pfsense GUI
+preprocessor sensitive_data: alert_threshold 20
+
+#############################################################
+ #
+# SIP Session Initiation Protocol preprocessor, README.sip #
+ #
+#############################################################
+
+# TODO: add pfsense GUI
+preprocessor sip: max_sessions 40000, \
+ ports { 5060 5061 5600 }, \
+ methods { invite \
+ cancel \
+ ack \
+ bye \
+ register \
+ options \
+ refer \
+ subscribe \
+ update \
+ join \
+ info \
+ message \
+ notify \
+ benotify \
+ do \
+ qauth \
+ sprack \
+ publish \
+ service \
+ unsubscribe \
+ prack }, \
+ max_uri_len 512, \
+ max_call_id_len 80, \
+ max_requestName_len 20, \
+ max_from_len 256, \
+ max_to_len 256, \
+ max_via_len 1024, \
+ max_contact_len 512, \
+ max_content_len 2048
+
+##################################
+ #
+# IMAP preprocessor, README.imap #
+ #
+##################################
+
+# TODO: add pfsense GUI
+preprocessor imap: \
+ ports { 143 } \
+ b64_decode_depth 0 \
+ qp_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
+
+##################################
+ #
+# POP preprocessor, README.pop #
+ #
+##################################
+
+# TODO: add pfsense GUI
+preprocessor pop: \
+ ports { 110 } \
+ b64_decode_depth 0 \
+ qp_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
+
+#######################################
+ #
+# Modbus preprocessor, README.modbus #
+# Used for SCADA #
+ #
+#######################################
+
+# TODO: add pfsense GUI
+preprocessor modbus: ports { 502 }
+
+
+###############################################
+ #
+# DNP3 preprocessor, EADME.dnp3 #
+ #
+###############################################
+
+# TODO: add pfsense GUI
+preprocessor dnp3: ports { 20000 } \
+ memcap 262144 \
+ check_crc
+
+###############################################
+ #
+# Reputation preprocessor, README.reputation #
+ #
+###############################################
+
+#preprocessor reputation: \
+# memcap 500, \
+# priority whitelist, \
+# nested_ip inner, \
+# whitelist $WHITE_LIST_PATH/white_list.rules, \
+# blacklist $BLACK_LIST_PATH/black_list.rules
+
+
+#####################
+ #
+# Snort Output Logs #
+ #
+#####################
+
+$snortunifiedlogbasic_type
+$snortalertlogtype_type
+$alertsystemlog_type
+$tcpdumplog_type
+$snortmysqllog_info_chk
+$snortunifiedlog_type
+$spoink_type
+
+#################
+ #
+# Misc Includes #
+ #
+#################
+
+include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config
+include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config
+{$snort_preprocessor_decoder_rules}
+
+$threshold_file_name
+
+# Snort user pass through configuration
+{$snort_config_pass_thru}
+
+###################
+ #
+# Rules Selection #
+ #
+###################
+
+ {$selected_rules_sections}
+
+EOD;
+
+ return $snort_conf_text;
+}
+
+/* hide progress bar */
+function hide_progress_bar_status() {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+
+ ob_flush();
+ if(!$console_mode)
+ echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>";
+}
+
+/* unhide progress bar */
+function unhide_progress_bar_status() {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+
+ ob_flush();
+ if(!$console_mode)
+ echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>";
+}
+
+/* update both top and bottom text box during an operation */
+function update_all_status($status) {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+
+ ob_flush();
+ if(!$console_mode) {
+ update_status($status);
+ update_output_window($status);
+ }
+}
+
+######## new
+
+// returns array that matches pattern, option to replace objects in matches
+function snortScanDirFilter($arrayList, $pattmatch, $pattreplace, $pattreplacewith)
+{
+ foreach ( $arrayList as $val )
+ {
+ if (preg_match($pattmatch, $val, $matches)) {
+ if ($pattreplace != '') {
+ $matches2 = preg_replace($pattreplace, $pattreplacewith, $matches[0]);
+ $filterDirList[] = $matches2;
+ }else{
+ $filterDirList[] = $matches[0];
+ }
+ }
+ }
+ return $filterDirList;
+}
+
+?>
diff --git a/config/snort-dev2/snort.xml b/config/snort-dev2/snort.xml new file mode 100644 index 00000000..2365bbea --- /dev/null +++ b/config/snort-dev2/snort.xml @@ -0,0 +1,205 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfsense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>Snort</name> + <version>2.9.0.5</version> + <title>Services:2.9.0.5 pkg v. 2.0</title> + <include_file>/usr/local/pkg/snort/snort.inc</include_file> + <menu> + <name>Snort</name> + <tooltiptext>Setup snort specific settings</tooltiptext> + <section>Services</section> + <url>/snort/snort_interfaces.php</url> + </menu> + <service> + <name>snort</name> + <rcfile>snort.sh</rcfile> + <executable>snort</executable> + <description>Snort is the most widely deployed IDS/IPS technology + worldwide.</description> + </service> + <tabs> + </tabs> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_gui.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_check_cron_misc.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/create-sidmap.pl</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/oinkmaster.pl</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/snort_rename.pl</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_barnyard.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_blocked.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_define_servers.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_download_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_download_updates.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_check_for_rule_updates.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/help_and_info.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_global.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_rules_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_rulesets.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_preprocessors.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress_edit.php</item> + </additional_files_needed> + <fields> + </fields> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_resync_config_command> + sync_snort_package_config(); + </custom_php_resync_config_command> + <custom_php_install_command> + snort_postinstall(); + </custom_php_install_command> + <custom_php_deinstall_command> + snort_deinstall(); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/snort-dev2/snort_alerts.php b/config/snort-dev2/snort_alerts.php new file mode 100644 index 00000000..3094d1a7 --- /dev/null +++ b/config/snort-dev2/snort_alerts.php @@ -0,0 +1,582 @@ +<?php +/* $Id$ */ +/* + snort_alerts.php + part of pfSense + + Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Modified for the Pfsense snort package v. 1.8+ + Copyright (C) 2009 Robert Zelaya Sr. Developer + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +/* load only javascript that is needed */ +$snort_load_sortabletable = 'yes'; +$snort_load_mootools = 'yes'; + +$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_instance = &$config['installedpackages']['snortglobal']['rule']; +$snort_uuid = $a_instance[0]['uuid']; +if ($_POST['instance']) + $snort_uuid = $a_instance[$_POST['instance']]['uuid']; + +if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { + $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; + $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; + $anentries = $pconfig['alertnumber']; +} else { + $anentries = '250'; + $pconfig['alertnumber'] = '250'; + $pconfig['arefresh'] = 'off'; +} + +if ($_POST['save']) +{ + //unset($input_errors); + //$pconfig = $_POST; + + /* input validation */ + if ($_POST['save']) + { + + // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { + // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; + // } + + } + + /* no errors */ + if (!$input_errors) { + if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) + $config['installedpackages']['snortglobal']['alertsblocks'] = array(); + $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; + + write_config(); + + header("Location: /snort/snort_alerts.php"); + exit; + } + +} + +if ($_GET['action'] == "clear" || $_POST['clear']) +{ + if (file_exists("/var/log/snort/alert_{$snort_uuid}")) + { + conf_mount_rw(); + @file_put_contents("/var/log/snort/alert_{$snort_uuid}", ""); + post_delete_logs(); + /* XXX: This is needed is snort is run as snort user */ + //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + mwexec('/bin/chmod 660 /var/log/snort/*', true); + mwexec('/usr/bin/killall -HUP snort', true); + conf_mount_ro(); + } + header("Location: /snort/snort_alerts.php"); + exit; +} + +if ($_POST['download']) +{ + + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_logs_{$save_date}.tar.gz"; + exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort"); + + if (file_exists("/tmp/{$file_name}")) { + $file = "/tmp/snort_logs_{$save_date}.tar.gz"; + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: ".filesize($file)); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("$file"); + exec("/bin/rm /tmp/{$file_name}"); + } + + header("Location: /snort/snort_alerts.php"); + exit; +} + + +/* WARNING: took me forever to figure reg expression, dont lose */ +// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; +function get_snort_alert_date($fileline) +{ + /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ + if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1)) + $alert_date = "$matches1[0]"; + + return $alert_date; +} + +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + $alert_disc = "$matches[2]"; + + return $alert_disc; +} + +function get_snort_alert_class($fileline) +{ + /* class */ + if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2)) + $alert_class = "$matches2[0]"; + + return $alert_class; +} + +function get_snort_alert_priority($fileline) +{ + /* Priority */ + if (preg_match('/Priority:\s\d/', $fileline, $matches3)) + $alert_priority = "$matches3[0]"; + + return $alert_priority; +} + +function get_snort_alert_proto($fileline) +{ + /* Priority */ + if (preg_match('/\{.+\}/', $fileline, $matches3)) + $alert_proto = "$matches3[0]"; + + return $alert_proto; +} + +function get_snort_alert_proto_full($fileline) +{ + /* Protocal full */ + if (preg_match('/.+\sTTL/', $fileline, $matches2)) + $alert_proto_full = "$matches2[0]"; + + return $alert_proto_full; +} + +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + $alert_ip_src = $matches4[1][0]; + + return $alert_ip_src; +} + +function get_snort_alert_src_p($fileline) +{ + /* source port */ + if (preg_match('/:\d+\s-/', $fileline, $matches5)) + $alert_src_p = "$matches5[0]"; + + return $alert_src_p; +} + +function get_snort_alert_flow($fileline) +{ + /* source port */ + if (preg_match('/(->|<-)/', $fileline, $matches5)) + $alert_flow = "$matches5[0]"; + + return $alert_flow; +} + +function get_snort_alert_ip_dst($fileline) +{ + /* DST IP */ + $re1dp='.*?'; # Non-greedy match on filler + $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress + $re3dp='.*?'; # Non-greedy match on filler + $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6)) + $alert_ip_dst = $matches6[1][0]; + + return $alert_ip_dst; +} + +function get_snort_alert_dst_p($fileline) +{ + /* dst port */ + if (preg_match('/:\d+$/', $fileline, $matches7)) + $alert_dst_p = "$matches7[0]"; + + return $alert_dst_p; +} + +function get_snort_alert_dst_p_full($fileline) +{ + /* dst port full */ + if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7)) + $alert_dst_p = "$matches7[0]"; + + return $alert_dst_p; +} + +function get_snort_alert_sid($fileline) +{ + /* SID */ + if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8)) + $alert_sid = "$matches8[0]"; + + return $alert_sid; +} + +$pgtitle = "Services: Snort: Snort Alerts"; +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php + +include_once("fbegin.inc"); +echo $snort_general_css; + +/* refresh every 60 secs */ +if ($pconfig['arefresh'] == 'on') + echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n"; +?> + +<div class="body2"><?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), true, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Help"), false, "/snort/help_and_info.php"); + display_top_tabs($tab_array); +?> +</td></tr> +<tr> + <td> + <div id="mainarea2"> + <table class="tabcont" width="100%" border="1" cellspacing="0" cellpadding="0"> + <form action="/snort/snort_alerts.php" method="post" id="formalert"> + <tr> + <td width="22%" colspan="0" class="listtopic">Last <?=$anentries;?> Alert Entries.</td> + <td width="78%" class="listtopic">Latest Alert Entries Are Listed First.</td> + </tr> + <tr> + <td width="22%" class="vncell">Instance to inspect</td> + <td width="78%" class="vtable"> + <br/> <select name="instance" id="instance" class="formfld unkown" onChange="document.getElementById('formalert').submit()"> + <?php + foreach ($a_instance as $id => $instance) { + echo "<option value='{$id}'> (" . snort_get_friendly_interface($instance['interface']) . "){$instance['descr']}</option>\n"; + } + ?> + </select><br/> Choose which instance alerts you want to inspect. + </td> + <tr> + <td width="22%" class="vncell">Save or Remove Logs</td> + <td width="78%" class="vtable"> + <input name="download" type="submit" class="formbtn" value="Download"> All + log files will be saved. <a href="/snort/snort_alerts.php?action=clear"> + <input name="delete" type="button" class="formbtn" value="Clear" + onclick="return confirm('Do you really want to remove all instance logs?')"></a> + <span class="red"><strong>Warning:</strong></span> all log files will be deleted. + </td> + </tr> + <tr> + <td width="22%" class="vncell">Auto Refresh and Log View</td> + <td width="78%" class="vtable"> + <input name="save" type="submit" class="formbtn" value="Save"> + Refresh <input name="arefresh" type="checkbox" value="on" + <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> + <strong>Default</strong> is <strong>ON</strong>. + <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> + Enter the number of log entries to view. <strong>Default</strong> is <strong>250</strong>. + </td> + </tr> + </form> + </table> + </div> + </td> + </tr> +</table> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <td width="100%"><br> + <div class="tableFilter"> + <form id="tableFilter" + onsubmit="myTable.filter(this.id); return false;">Filter: <select + id="column"> + <option value="1">PRIORITY</option> + <option value="2">PROTO</option> + <option value="3">DESCRIPTION</option> + <option value="4">CLASS</option> + <option value="5">SRC</option> + <option value="6">SRC PORT</option> + <option value="7">FLOW</option> + <option value="8">DST</option> + <option value="9">DST PORT</option> + <option value="10">SID</option> + <option value="11">Date</option> + </select> <input type="text" id="keyword" /> <input type="submit" + value="Submit" /> <input type="reset" value="Clear" /></form> + </div> + <table class="allRow" id="myTable" width="100%" border="2" + cellpadding="1" cellspacing="1"> + <thead> + <th axis="number">#</th> + <th axis="string">PRI</th> + <th axis="string">PROTO</th> + <th axis="string">DESCRIPTION</th> + <th axis="string">CLASS</th> + <th axis="string">SRC</th> + <th axis="string">SPORT</th> + <th axis="string">FLOW</th> + <th axis="string">DST</th> + <th axis="string">DPORT</th> + <th axis="string">SID</th> + <th axis="date">Date</th> + </thead> + <tbody> + <?php + + /* make sure alert file exists */ + if (!file_exists("/var/log/snort/alert_{$snort_uuid}")) + exec("/usr/bin/touch /var/log/snort/alert_{$snort_uuid}"); + + $logent = $anentries; + + /* detect the alert file type */ + if ($snortalertlogt == 'full') + $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents("/var/log/snort/alert_{$snort_uuid}")))); + else + $alerts_array = array_reverse(array_filter(split("\n", file_get_contents("/var/log/snort/alert_{$snort_uuid}")))); + + + + if (is_array($alerts_array)) { + + $counter = 0; + foreach($alerts_array as $fileline) + { + + if($logent <= $counter) + continue; + + $counter++; + + /* Date */ + $alert_date_str = get_snort_alert_date($fileline); + + if($alert_date_str != '') + { + $alert_date = $alert_date_str; + }else{ + $alert_date = 'empty'; + } + + /* Discription */ + $alert_disc_str = get_snort_alert_disc($fileline); + + if($alert_disc_str != '') + { + $alert_disc = $alert_disc_str; + }else{ + $alert_disc = 'empty'; + } + + /* Classification */ + $alert_class_str = get_snort_alert_class($fileline); + + if($alert_class_str != '') + { + + $alert_class_match = array('[Classification:',']'); + $alert_class = str_replace($alert_class_match, '', "$alert_class_str"); + }else{ + $alert_class = 'Prep'; + } + + /* Priority */ + $alert_priority_str = get_snort_alert_priority($fileline); + + if($alert_priority_str != '') + { + $alert_priority_match = array('Priority: ',']'); + $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str"); + }else{ + $alert_priority = 'empty'; + } + + /* Protocol */ + /* Detect alert file type */ + if ($snortalertlogt == 'full') + { + $alert_proto_str = get_snort_alert_proto_full($fileline); + }else{ + $alert_proto_str = get_snort_alert_proto($fileline); + } + + if($alert_proto_str != '') + { + $alert_proto_match = array(" TTL",'{','}'); + $alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str"); + }else{ + $alert_proto = 'empty'; + } + + /* IP SRC */ + $alert_ip_src_str = get_snort_alert_ip_src($fileline); + + if($alert_ip_src_str != '') + { + $alert_ip_src = $alert_ip_src_str; + }else{ + $alert_ip_src = 'empty'; + } + + /* IP SRC Port */ + $alert_src_p_str = get_snort_alert_src_p($fileline); + + if($alert_src_p_str != '') + { + $alert_src_p_match = array(' -',':'); + $alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str"); + }else{ + $alert_src_p = 'empty'; + } + + /* Flow */ + $alert_flow_str = get_snort_alert_flow($fileline); + + if($alert_flow_str != '') + { + $alert_flow = $alert_flow_str; + }else{ + $alert_flow = 'empty'; + } + + /* IP Destination */ + $alert_ip_dst_str = get_snort_alert_ip_dst($fileline); + + if($alert_ip_dst_str != '') + { + $alert_ip_dst = $alert_ip_dst_str; + }else{ + $alert_ip_dst = 'empty'; + } + + /* IP DST Port */ + if ($snortalertlogt == 'full') + { + $alert_dst_p_str = get_snort_alert_dst_p_full($fileline); + }else{ + $alert_dst_p_str = get_snort_alert_dst_p($fileline); + } + + if($alert_dst_p_str != '') + { + $alert_dst_p_match = array(':',"\n"," TTL"); + $alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str"); + $alert_dst_p_match2 = array('/[A-Z]/'); + $alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2"); + }else{ + $alert_dst_p = 'empty'; + } + + /* SID */ + $alert_sid_str = get_snort_alert_sid($fileline); + + if($alert_sid_str != '') + { + $alert_sid_match = array('[',']'); + $alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str"); + }else{ + $alert_sid_str = 'empty'; + } + + /* NOTE: using one echo improves performance by 2x */ + if ($alert_disc != 'empty') + { + echo "<tr id=\"{$counter}\"> + <td class=\"centerAlign\">{$counter}</td> + <td class=\"centerAlign\">{$alert_priority}</td> + <td class=\"centerAlign\">{$alert_proto}</td> + <td>{$alert_disc}</td> + <td class=\"centerAlign\">{$alert_class}</td> + <td>{$alert_ip_src}</td> + <td class=\"centerAlign\">{$alert_src_p}</td> + <td class=\"centerAlign\">{$alert_flow}</td> + <td>{$alert_ip_dst}</td> + <td class=\"centerAlign\">{$alert_dst_p}</td> + <td class=\"centerAlign\">{$alert_sid}</td> + <td>{$alert_date}</td> + </tr>\n"; + } + + // <script type="text/javascript"> + // var myTable = {}; + // window.addEvent('domready', function(){ + // myTable = new sortableTable('myTable', {overCls: 'over', onClick: function(){alert(this.id)}}); + // }); + // </script> + + } + } + + ?> + </tbody> + </table> + </td> +</table> + +</div> + +<?php +include("fend.inc"); + +echo $snort_custom_rnd_box; + +?> +</body> +</html> diff --git a/config/snort-dev2/snort_barnyard.php b/config/snort-dev2/snort_barnyard.php new file mode 100644 index 00000000..b647c007 --- /dev/null +++ b/config/snort-dev2/snort_barnyard.php @@ -0,0 +1,269 @@ +<?php +/* $Id$ */ +/* + snort_interfaces.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008-2009 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +/* + +TODO: Nov 12 09 +Clean this code up its ugly +Important add error checking + +*/ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +$pconfig = array(); +if (isset($id) && $a_nat[$id]) { + /* old options */ + $pconfig = $a_nat[$id]; + $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; + $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; + $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); +} + +if (isset($_GET['dup'])) + unset($id); + +$if_real = snort_get_real_interface($pconfig['interface']); +$snort_uuid = $pconfig['uuid']; + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + +if ($_POST) { + + /* XXX: Mising error reporting?! + * check for overlaps + foreach ($a_nat as $natent) { + if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) + continue; + if ($natent['interface'] != $_POST['interface']) + continue; + } + */ + + /* if no errors write to conf */ + if (!$input_errors) { + $natent = array(); + /* repost the options already in conf */ + $natent = $pconfig; + + $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? 'on' : 'off'; + $natent['barnyard_mysql'] = $_POST['barnyard_mysql'] ? $_POST['barnyard_mysql'] : $pconfig['barnyard_mysql']; + $natent['barnconfigpassthru'] = $_POST['barnconfigpassthru'] ? base64_encode($_POST['barnconfigpassthru']) : $pconfig['barnconfigpassthru']; + if ($_POST['barnyard_enable'] == "on") + $natent['snortunifiedlog'] = 'on'; + else + $natent['snortunifiedlog'] = 'off'; + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + sync_snort_package_config(); + + /* after click go to this page */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: snort_barnyard.php?id=$id"); + exit; + } +} + +$pgtitle = "Snort: Interface: $id$if_real Barnyard2 Edit"; +include_once("head.inc"); + +?> +<body + link="#0000CC" vlink="#0000CC" alink="#0000CC"> + + +<?php include("fbegin.inc"); ?> +<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<?php +echo "{$snort_general_css}\n"; +?> + +<div class="body2"> + +<noscript> +<div class="alert" ALIGN=CENTER><img + src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please +enable JavaScript to view this content +</CENTER></div> +</noscript> + +<script language="JavaScript"> +<!-- + +function enable_change(enable_change) { + endis = !(document.iform.barnyard_enable.checked || enable_change); + // make shure a default answer is called if this is envoked. + endis2 = (document.iform.barnyard_enable); + + document.iform.barnyard_mysql.disabled = endis; + document.iform.barnconfigpassthru.disabled = endis; +} +//--> +</script> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<form action="snort_barnyard.php" method="post" + enctype="multipart/form-data" name="iform" id="iform"><?php + + /* Display Alert message */ + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + ?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); +?> +</td></tr> + <tr> + <td class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">General Barnyard2 + Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq2">Enable</td> + <td width="78%" class="vtable"> + <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)"> + <strong>Enable Barnyard2 </strong><br> + This will enable barnyard2 for this interface. You will also have to set the database credentials.</td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Mysql Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Log to a Mysql Database</td> + <td width="78%" class="vtable"><input name="barnyard_mysql" + type="text" class="formfld" id="barnyard_mysql" size="100" + value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br> + <span class="vexpl">Example: output database: alert, mysql, + dbname=snort user=snort host=localhost password=xyz<br> + Example: output database: log, mysql, dbname=snort user=snort + host=localhost password=xyz</span></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Advanced Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Advanced configuration + pass through</td> + <td width="78%" class="vtable"><textarea name="barnconfigpassthru" + cols="100" rows="7" id="barnconfigpassthru" class="formpre"><?=htmlspecialchars($pconfig['barnconfigpassthru']);?></textarea> + <br> + Arguments here will be automatically inserted into the running + barnyard2 configuration.</td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input name="id" type="hidden" value="<?=$id;?>"> </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <br> + Please save your settings befor you click start. </td> + </tr> + </table> + +</table> +</form> + +</div> + +<script language="JavaScript"> +<!-- +enable_change(false); +//--> +</script> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort-dev2/snort_blocked.php b/config/snort-dev2/snort_blocked.php new file mode 100644 index 00000000..932e0983 --- /dev/null +++ b/config/snort-dev2/snort_blocked.php @@ -0,0 +1,426 @@ +<?php +/* $Id$ */ +/* + snort_blocked.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Modified for the Pfsense snort package v. 1.8+ + Copyright (C) 2009 Robert Zelaya Sr. Developer + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) + $config['installedpackages']['snortglobal']['alertsblocks'] = array(); + +$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; +$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; + +if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') +{ + $bnentries = '500'; +}else{ + $bnentries = $pconfig['blertnumber']; +} + +if($_POST['todelete'] or $_GET['todelete']) { + if($_POST['todelete']) + $ip = $_POST['todelete']; + if($_GET['todelete']) + $ip = $_GET['todelete']; + exec("/sbin/pfctl -t snort2c -T delete {$ip}"); +} + +if ($_POST['remove']) { + exec("/sbin/pfctl -t snort2c -T flush"); + sleep(1); + header("Location: /snort/snort_blocked.php"); + exit; + +} + +/* TODO: build a file with block ip and disc */ +if ($_POST['download']) +{ + + ob_start(); //important or other posts will fail + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_blocked_{$save_date}.tar.gz"; + exec('/bin/mkdir /tmp/snort_blocked'); + exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); + + $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); + + if ($blocked_ips_array_save[0] != '') { + /* build the list */ + file_put_contents("/tmp/snort_blocked/snort_block.pf", ""); + foreach($blocked_ips_array_save as $counter => $fileline3) + file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline3}\n", FILE_APPEND); + } + + exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); + + if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) { + $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: ".filesize($file)); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("$file"); + exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); + exec("/bin/rm /tmp/snort_block.pf"); + exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); + od_end_clean(); //importanr or other post will fail + } else + echo 'Error no saved file.'; + +} + +if ($_POST['save']) +{ + + /* input validation */ + if ($_POST['save']) + { + + + } + + /* no errors */ + if (!$input_errors) + { + $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; + + write_config(); + + header("Location: /snort/snort_blocked.php"); + + } + +} + +/* build filter funcs */ +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + $alert_ip_src = $matches4[1][0]; + + return $alert_ip_src; +} + +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + $alert_disc = "$matches[2]"; + + return $alert_disc; +} + +/* build sec filters */ +function get_snort_block_ip($fileline) +{ + /* ip */ + if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) + $alert_block_ip = "$matches[0]"; + + return $alert_block_ip; +} + +function get_snort_block_disc($fileline) +{ + /* disc */ + if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) + $alert_block_disc = "$matches[0]"; + + return $alert_block_disc; +} + +/* tell the user what settings they have */ +$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; +if ($blockedtab_msg_chk == "1h_b") { + $blocked_msg = "hour"; +} +if ($blockedtab_msg_chk == "3h_b") { + $blocked_msg = "3 hours"; +} +if ($blockedtab_msg_chk == "6h_b") { + $blocked_msg = "6 hours"; +} +if ($blockedtab_msg_chk == "12h_b") { + $blocked_msg = "12 hours"; +} +if ($blockedtab_msg_chk == "1d_b") { + $blocked_msg = "day"; +} +if ($blockedtab_msg_chk == "4d_b") { + $blocked_msg = "4 days"; +} +if ($blockedtab_msg_chk == "7d_b") { + $blocked_msg = "7 days"; +} +if ($blockedtab_msg_chk == "28d_b") { + $blocked_msg = "28 days"; +} + +if ($blockedtab_msg_chk != "never_b") +{ + $blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>."; +}else{ + $blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts."; +} + +$pgtitle = "Services: Snort Blocked Hosts"; +include_once("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> + +<?php + +include_once("fbegin.inc"); +echo $snort_general_css; + +/* refresh every 60 secs */ +if ($pconfig['brefresh'] == 'on') + echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n"; +?> + +<div class="body2"><?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), true, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Help"), false, "/snort/help_and_info.php"); + display_top_tabs($tab_array); +?> +</td></tr> + <tr> + <td> + <div id="mainarea2"> + + <table id="maintable" class="tabcont" width="100%" border="0" + cellpadding="0" cellspacing="0"> + <tr> + <td width="22%" colspan="0" class="listtopic">Last <?=$bnentries;?> + Blocked.</td> + <td width="78%" class="listtopic">This page lists hosts that have + been blocked by Snort. <?=$blocked_msg_txt;?></td> + </tr> + <tr> + <td width="22%" class="vncell">Save or Remove Hosts</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_blocked.php" method="post"><input + name="download" type="submit" class="formbtn" value="Download"> All + blocked hosts will be saved. <input name="remove" type="submit" + class="formbtn" value="Clear"> <span class="red"><strong>Warning:</strong></span> + all hosts will be removed.</form> + </td> + </tr> + <tr> + <td width="22%" class="vncell">Auto Refresh and Log View</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_blocked.php" method="post"><input + name="save" type="submit" class="formbtn" value="Save"> Refresh <input + name="brefresh" type="checkbox" value="on" + <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> + <strong>Default</strong> is <strong>ON</strong>. <input + name="blertnumber" type="text" class="formfld" id="blertnumber" + size="5" value="<?=htmlspecialchars($bnentries);?>"> Enter the + number of blocked entries to view. <strong>Default</strong> is <strong>500</strong>. + </form> + </td> + </tr> + </table> + </div> + <br> + </td> + </tr> + + <table class="tabcont" width="100%" border="0" cellspacing="0" + cellpadding="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" + cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Remove</td> + <td class="listhdrr">#</td> + <td class="listhdrr">IP</td> + <td class="listhdrr">Alert Description</td> + </tr> + <?php + + /* set the arrays */ + exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); + $blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); + foreach (glob("/var/log/snort/alert_*") as $alert) { + $alerts_array = array_reverse(explode("\n\n", file_get_contents("{$alert}"))); + + $logent = $bnentries; + + if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') + { + + /* build the list and compare blocks to alerts */ + $counter = 0; + foreach($alerts_array as $fileline) + { + + $counter++; + + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); + + if (in_array("$alert_ip_src", $blocked_ips_array)) + $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + } + + foreach($blocked_ips_array as $alert_block_ip) + { + + if (!in_array($alert_block_ip, $alert_ip_src_array)) + { + $input[] = "[$alert_block_ip] " . "[N\A]\n"; + } + } + + /* reduce double occurrences */ + $result = array_unique($input); + + /* buil final list, preg_match, buld html */ + $counter2 = 0; + + foreach($result as $fileline2) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_ip_str = get_snort_block_ip($fileline2); + + if($alert_block_ip_str != '') + { + $alert_block_ip_match = array('[',']'); + $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); + }else{ + $alert_block_ip = 'empty'; + } + + $alert_block_disc_str = get_snort_block_disc($fileline2); + + if($alert_block_disc_str != '') + { + $alert_block_disc_match = array('] [',']'); + $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); + }else{ + $alert_block_disc = 'empty'; + } + + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> + <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + <td> {$counter2}</td> + <td> {$alert_block_ip}</td> + <td> {$alert_block_disc}</td> + </tr>\n"; + + } + + }else{ + + /* if alerts file is empty and blocked table is not empty */ + $counter2 = 0; + + foreach($blocked_ips_array as $alert_block_ip) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_disc = 'N/A'; + + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> + <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + <td> {$counter2}</td> + <td> {$alert_block_ip}</td> + <td> {$alert_block_disc}</td> + </tr>\n"; + } + } + } + + echo '</table>' . "\n"; + + if (empty($blocked_ips_array[0])) + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; + else + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; + + ?> + </td> + </tr> + </table> + </td> + </tr> + </table> + </div> + + <?php + + include("fend.inc"); + +echo $snort_custom_rnd_box; + +?> + +</body> +</html> diff --git a/config/snort-dev2/snort_check_cron_misc.inc b/config/snort-dev2/snort_check_cron_misc.inc new file mode 100644 index 00000000..28d454b0 --- /dev/null +++ b/config/snort-dev2/snort_check_cron_misc.inc @@ -0,0 +1,76 @@ +<?php +/* $Id$ */ +/* + snort_chk_log_dir_size.php + part of pfSense + + Modified for the Pfsense snort package v. 1.8+ + Copyright (C) 2009-2010 Robert Zelaya Developer + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("/usr/local/pkg/snort/snort.inc"); + +// 'B' => 1, +// 'KB' => 1024, +// 'MB' => 1024 * 1024, +// 'GB' => 1024 * 1024 * 1024, +// 'TB' => 1024 * 1024 * 1024 * 1024, +// 'PB' => 1024 * 1024 * 1024 * 1024 * 1024, + + +/* chk if snort log dir is full if so clear it */ +$snortloglimit = $config['installedpackages']['snortglobal']['snortloglimit']; +$snortloglimitsize = $config['installedpackages']['snortglobal']['snortloglimitsize']; + +if ($g['booting']==true) + return; + +if ($snortloglimit == 'off') + return; + +$snortloglimitDSKsize = exec('/bin/df -k /var | grep -v "Filesystem" | awk \'{print $4}\''); + +$snortlogAlertsizeKB = snort_Getdirsize('/var/log/snort/alert'); +$snortloglimitAlertsizeKB = round($snortlogAlertsizeKB * .70); +$snortloglimitsizeKB = round($snortloglimitsize * 1024); + +/* do I need HUP kill ? */ +if (snort_Getdirsize('/var/log/snort/') >= $snortloglimitsizeKB ) { + + conf_mount_rw(); + if(file_exists('/var/log/snort/alert')) { + if ($snortlogAlertsizeKB >= $snortloglimitAlertsizeKB) { + exec('/bin/echo "" > /var/log/snort/alert'); + } + post_delete_logs(); + /* XXX: This is needed if snort is run as snort user */ + //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + mwexec('/bin/chmod 660 /var/log/snort/*', true); + } + conf_mount_ro(); + +} + +?> diff --git a/config/snort-dev2/snort_check_for_rule_updates.php b/config/snort-dev2/snort_check_for_rule_updates.php new file mode 100644 index 00000000..41995e9d --- /dev/null +++ b/config/snort-dev2/snort_check_for_rule_updates.php @@ -0,0 +1,690 @@ +<?php +/* + snort_check_for_rule_updates.php + Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +/* Setup enviroment */ + +/* TODO: review if include files are needed */ +require_once("functions.inc"); +require_once("service-utils.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +$pkg_interface = "console"; + +$tmpfname = "/usr/local/etc/snort/tmp/snort_rules_up"; +$snortdir = "/usr/local/etc/snort"; +$snortdir_wan = "/usr/local/etc/snort"; +$snort_filename_md5 = "{$snort_rules_file}.md5"; +$snort_filename = "{$snort_rules_file}"; +$emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; +$pfsense_rules_filename = "pfsense_rules.tar.gz"; + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; + +$up_date_time = date('l jS \of F Y h:i:s A'); +echo "\n"; +echo "#########################\n"; +echo "$up_date_time\n"; +echo "#########################\n"; +echo "\n\n"; + +/* define checks */ +$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; + +if ($snortdownload == 'off' && $emergingthreats != 'on') + $snort_emrging_info = 'stop'; + +if ($oinkid == "" && $snortdownload != 'off') + $snort_oinkid_info = 'stop'; + +/* check if main rule directory is empty */ +$if_mrule_dir = "/usr/local/etc/snort/rules"; +$mfolder_chk = (count(glob("$if_mrule_dir/*")) === 0) ? 'empty' : 'full'; + +if (file_exists('/var/run/snort.conf.dirty')) + $snort_dirty_d = 'stop'; + +/* Start of code */ +conf_mount_rw(); + +if (!is_dir('/usr/local/etc/snort/tmp')) + exec('/bin/mkdir -p /usr/local/etc/snort/tmp'); + +$snort_md5_check_ok = 'off'; +$emerg_md5_check_ok = 'off'; +$pfsense_md5_check_ok = 'off'; + +/* Set user agent to Mozilla */ +ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); +ini_set("memory_limit","150M"); + +/* mark the time update started */ +$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); + +/* send current buffer */ +ob_flush(); + +/* send current buffer */ +ob_flush(); + +/* remove old $tmpfname files */ +if (is_dir("{$tmpfname}")) { + update_status(gettext("Removing old tmp files...")); + exec("/bin/rm -r {$tmpfname}"); + apc_clear_cache(); +} + +/* Make shure snortdir exits */ +exec("/bin/mkdir -p {$snortdir}"); +exec("/bin/mkdir -p {$snortdir}/rules"); +exec("/bin/mkdir -p {$snortdir}/signatures"); +exec("/bin/mkdir -p {$tmpfname}"); +exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules/"); + +/* send current buffer */ +ob_flush(); + +$pfsensedownload = 'on'; + +/* download md5 sig from snort.org */ +if ($snortdownload == 'on') +{ + if (file_exists("{$tmpfname}/{$snort_filename_md5}") && + filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { + update_status(gettext("snort.org md5 temp file exists...")); + } else { + update_status(gettext("Downloading snort.org md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + + //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); + update_status(gettext("Done downloading snort.org md5")); + } +} + +/* download md5 sig from emergingthreats.net */ +if ($emergingthreats == 'on') +{ + update_status(gettext("Downloading emergingthreats md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5'); + @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); + update_status(gettext("Done downloading emergingthreats md5")); +} + +/* download md5 sig from pfsense.org */ +if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { + update_status(gettext("pfsense md5 temp file exists...")); +} else { + update_status(gettext("Downloading pfsense md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); + @file_put_contents("{$tmpfname}/pfsense_rules.tar.gz.md5", $image); + update_status(gettext("Done downloading pfsense md5.")); +} + +/* If md5 file is empty wait 15min exit */ +if ($snortdownload == 'on') +{ + if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) + { + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + $snortdownload = 'off'; + } +} + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); + update_output_window(gettext("Rules are released to support Pfsense packages.")); + $pfsensedownload = 'off'; +} + +/* Check if were up to date snort.org */ +if ($snortdownload == 'on') +{ + if (file_exists("{$snortdir}/{$snort_filename_md5}")) + { + $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); + $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); + $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($md5_check_new == $md5_check_old) + { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + $snort_md5_check_ok = 'on'; + } else { + update_status(gettext("Your rules are not up to date...")); + $snort_md5_check_ok = 'off'; + } + } +} + +/* Check if were up to date emergingthreats.net */ +if ($emergingthreats == 'on') +{ + if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) + { + $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($emerg_md5_check_new == $emerg_md5_check_old) + { + $emerg_md5_check_ok = 'on'; + } else + $emerg_md5_check_ok = 'off'; + } +} + +/* Check if were up to date pfsense.org */ +if ($pfsensedownload == 'on' && file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) +{ + $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($pfsense_md5_check_new == $pfsense_md5_check_old) + { + $pfsense_md5_check_ok = 'on'; + } else + $pfsense_md5_check_ok = 'off'; +} + +if ($snortdownload == 'on') { + if ($snort_md5_check_ok == 'on') + { + update_status(gettext("Your snort.org rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + $snortdownload = 'off'; + } +} +if ($emergingthreats == 'on') { + if ($emerg_md5_check_ok == 'on') + { + update_status(gettext("Your Emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + $emergingthreats = 'off'; + } +} + +/* download snortrules file */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + update_status(gettext("There is a new set of Snort.org rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (300000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + update_output_window(gettext("Snort rules file downloaded failed...")); + $snortdownload = 'off'; + } + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext('Emergingthreats tar file exists...')); + }else{ + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); + update_status(gettext('Done downloading Emergingthreats rules file.')); + } + } +} + +/* download pfsense rules file */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + } +} + +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// return; +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// return; +// } +//} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + + if ($pfsense_stable == 'yes') + $freebsd_version_so = 'FreeBSD-7-2'; + else + $freebsd_version_so = 'FreeBSD-8-1'; + + update_status(gettext("Extracting Snort.org rules...")); + update_output_window(gettext("May take a while...")); + /* extract snort.org rules and add prefix to all snort.org files*/ + exec("/bin/rm -r {$snortdir}/rules"); + sleep(2); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + chdir ("/usr/local/etc/snort/rules"); + sleep(2); + exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); + + /* extract so rules */ + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); + if($snort_arch == 'x86'){ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } else if ($snort_arch == 'x64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } + /* extract so rules none bin and rename */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . + " so_rules/chat.rules/" . + " so_rules/dos.rules/" . + " so_rules/exploit.rules/" . + " so_rules/icmp.rules/" . + " so_rules/imap.rules/" . + " so_rules/misc.rules/" . + " so_rules/multimedia.rules/" . + " so_rules/netbios.rules/" . + " so_rules/nntp.rules/" . + " so_rules/p2p.rules/" . + " so_rules/smtp.rules/" . + " so_rules/sql.rules/" . + " so_rules/web-activex.rules/" . + " so_rules/web-client.rules/" . + " so_rules/web-iis.rules/" . + " so_rules/web-misc.rules/"); + + exec("/bin/mv -f {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/snort_bad-traffic.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/chat.rules {$snortdir}/rules/snort_chat.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/dos.rules {$snortdir}/rules/snort_dos.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/snort_exploit.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/icmp.rules {$snortdir}/rules/snort_icmp.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/imap.rules {$snortdir}/rules/snort_imap.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/misc.rules {$snortdir}/rules/snort_misc.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/snort_multimedia.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/snort_netbios.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/snort_nntp.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/snort_p2p.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/snort_smtp.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/sql.rules {$snortdir}/rules/snort_sql.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-activex.rules {$snortdir}/rules/snort_web-activex.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/snort_web-client.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-iis.rules {$snortdir}/rules/snort_web-iis.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/snort_web-misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + } + + /* extract base etc files */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("/bin/mv -f {$snortdir}/etc/* {$snortdir}"); + exec("/bin/rm -r {$snortdir}/etc"); + + update_status(gettext("Done extracting Snort.org Rules.")); + }else{ + update_status(gettext("Error extracting Snort.org Rules...")); + update_output_window(gettext("Error Line 755")); + $snortdownload = 'off'; + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats == 'on') +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Extracting Pfsense rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); + } +} + +/* Untar snort signatures */ +if ($snortdownload == 'on' && $snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') { + update_status(gettext("Extracting Signatures...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + } + } +} + +/* Copy md5 sig to snort dir */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/$snort_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); + }else{ + update_status(gettext("The md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $snortdownload = 'off'; + } + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) + { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); + }else{ + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $emergingthreats = 'off'; + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + update_status(gettext("Copying Pfsense md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); + } else { + update_status(gettext("The Pfsense md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $pfsensedownload = 'off'; + } +} + +/* Copy signatures dir to snort dir */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') + { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') + { + if (file_exists("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying signatures...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); + exec("/bin/rm -r {$snortdir}/doc/signatures"); + update_status(gettext("Done copying signatures.")); + }else{ + update_status(gettext("Directory signatures exist...")); + update_output_window(gettext("Error copying signature...")); + $snortdownload = 'off'; + } + } + } +} + +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + @unlink("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-botcc.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +/* make shure default rules are in the right format */ +exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + +/* create a msg-map for snort */ +update_status(gettext("Updating Alert Messages...")); +update_output_window(gettext("Please Wait...")); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); + + +////////////////// +/* open oinkmaster_conf for writing" function */ +function oinkmaster_conf($id, $if_real, $iface_uuid) +{ + global $config, $g, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + + @unlink("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf"); + + /* enable disable setting will carry over with updates */ + /* TODO carry signature changes with the updates */ + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + + $selected_sid_on_section = ""; + $selected_sid_off_sections = ""; + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { + $enabled_sid_on = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']); + $enabled_sid_on_array = split('\|\|', $enabled_sid_on); + foreach($enabled_sid_on_array as $enabled_item_on) + $selected_sid_on_sections .= "$enabled_item_on\n"; + } + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { + $enabled_sid_off = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']); + $enabled_sid_off_array = split('\|\|', $enabled_sid_off); + foreach($enabled_sid_off_array as $enabled_item_off) + $selected_sid_off_sections .= "$enabled_item_off\n"; + } + + if (!empty($selected_sid_off_sections) || !empty($selected_sid_on_section)) { + $snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's oinkmaster.conf for writing */ + @file_put_contents("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf", $snort_sid_text); + } + } +} + +/* Run oinkmaster to snort_wan and cp configs */ +/* If oinkmaster is not needed cp rules normally */ +/* TODO add per interface settings here */ +function oinkmaster_run($id, $if_real, $iface_uuid) +{ + global $config, $g, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + if (empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']) && empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { + update_status(gettext("Your first set of rules are being copied...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + } else { + update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + + /* might have to add a sleep for 3sec for flash drives or old drives */ + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf -o /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules > /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); + + } + } +} + +/* Start the proccess for every interface rule */ +/* TODO: try to make the code smother */ +if (is_array($config['installedpackages']['snortglobal']['rule'])) +{ + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + $iface_uuid = $value['uuid']; + + /* make oinkmaster.conf for each interface rule */ + oinkmaster_conf($id, $if_real, $iface_uuid); + + /* run oinkmaster for each interface rule */ + oinkmaster_run($id, $if_real, $iface_uuid); + } +} + +////////////// + +/* mark the time update finnished */ +$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); + +/* remove old $tmpfname files */ +if (is_dir('/usr/local/etc/snort/tmp')) { + update_status(gettext("Cleaning up...")); + exec("/bin/rm -r /usr/local/etc/snort/tmp/snort_rules_up"); + sleep(2); + exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); +} + +/* XXX: These are needed if snort is run as snort user +mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); +mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); +mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); +*/ +/* make all dirs snorts */ +mwexec("/bin/chmod -R 755 /var/log/snort", true); +mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); +mwexec("/bin/chmod -R 755 /usr/local/lib/snort", true); + +if ($snortdownload == 'off' && $emergingthreats == 'off' && $pfsensedownload == 'off') + update_output_window(gettext("Finished...")); +else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_md5_check_ok == 'on') + update_output_window(gettext("Finished...")); +else { + /* You are Not Up to date, always stop snort when updating rules for low end machines */; + update_status(gettext("You are NOT up to date...")); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("Snort has restarted with your new set of rules...")); + exec("/bin/rm /tmp/snort_download_halt.pid"); +} + +update_status(gettext("The Rules update finished...")); +conf_mount_ro(); + +?> diff --git a/config/snort-dev2/snort_define_servers.php b/config/snort-dev2/snort_define_servers.php new file mode 100644 index 00000000..497f0a79 --- /dev/null +++ b/config/snort-dev2/snort_define_servers.php @@ -0,0 +1,541 @@ +<?php +/* $Id$ */ +/* + snort_define_servers.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008-2009 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +/* + +TODO: Nov 12 09 +Clean this code up its ugly +Important add error checking + +*/ + +//require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$pconfig = array(); +if (isset($id) && $a_nat[$id]) { + $pconfig = $a_nat[$id]; + + /* old options */ + $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; + $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; + $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; + $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; + $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; + $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; + $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; + $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; + $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; + $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; + $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; + $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; + $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; + $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; + $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; + $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; + $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; + $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; + $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; + $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; + $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; + $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; + $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; + $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; + $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; + $pconfig['def_sip_servers'] = $a_nat[$id]['def_sip_servers']; + $pconfig['def_sip_ports'] = $a_nat[$id]['def_sip_ports']; + $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; + $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; + $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; + $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; + $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; + $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; + $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; + $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; +} + +/* convert fake interfaces to real */ +$if_real = snort_get_real_interface($pconfig['interface']); +$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + +if ($_POST) { + + $natent = array(); + $natent = $pconfig; + + /* if no errors write to conf */ + if (!$input_errors) { + /* post new options */ + if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; }else{ $natent['def_dns_servers'] = ""; } + if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; }else{ $natent['def_dns_ports'] = ""; } + if ($_POST['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $_POST['def_smtp_servers']; }else{ $natent['def_smtp_servers'] = ""; } + if ($_POST['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $_POST['def_smtp_ports']; }else{ $natent['def_smtp_ports'] = ""; } + if ($_POST['def_mail_ports'] != "") { $natent['def_mail_ports'] = $_POST['def_mail_ports']; }else{ $natent['def_mail_ports'] = ""; } + if ($_POST['def_http_servers'] != "") { $natent['def_http_servers'] = $_POST['def_http_servers']; }else{ $natent['def_http_servers'] = ""; } + if ($_POST['def_www_servers'] != "") { $natent['def_www_servers'] = $_POST['def_www_servers']; }else{ $natent['def_www_servers'] = ""; } + if ($_POST['def_http_ports'] != "") { $natent['def_http_ports'] = $_POST['def_http_ports']; }else{ $natent['def_http_ports'] = ""; } + if ($_POST['def_sql_servers'] != "") { $natent['def_sql_servers'] = $_POST['def_sql_servers']; }else{ $natent['def_sql_servers'] = ""; } + if ($_POST['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $_POST['def_oracle_ports']; }else{ $natent['def_oracle_ports'] = ""; } + if ($_POST['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $_POST['def_mssql_ports']; }else{ $natent['def_mssql_ports'] = ""; } + if ($_POST['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $_POST['def_telnet_servers']; }else{ $natent['def_telnet_servers'] = ""; } + if ($_POST['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $_POST['def_telnet_ports']; }else{ $natent['def_telnet_ports'] = ""; } + if ($_POST['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $_POST['def_snmp_servers']; }else{ $natent['def_snmp_servers'] = ""; } + if ($_POST['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $_POST['def_snmp_ports']; }else{ $natent['def_snmp_ports'] = ""; } + if ($_POST['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $_POST['def_ftp_servers']; }else{ $natent['def_ftp_servers'] = ""; } + if ($_POST['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $_POST['def_ftp_ports']; }else{ $natent['def_ftp_ports'] = ""; } + if ($_POST['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $_POST['def_ssh_servers']; }else{ $natent['def_ssh_servers'] = ""; } + if ($_POST['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $_POST['def_ssh_ports']; }else{ $natent['def_ssh_ports'] = ""; } + if ($_POST['def_pop_servers'] != "") { $natent['def_pop_servers'] = $_POST['def_pop_servers']; }else{ $natent['def_pop_servers'] = ""; } + if ($_POST['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $_POST['def_pop2_ports']; }else{ $natent['def_pop2_ports'] = ""; } + if ($_POST['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $_POST['def_pop3_ports']; }else{ $natent['def_pop3_ports'] = ""; } + if ($_POST['def_imap_servers'] != "") { $natent['def_imap_servers'] = $_POST['def_imap_servers']; }else{ $natent['def_imap_servers'] = ""; } + if ($_POST['def_imap_ports'] != "") { $natent['def_imap_ports'] = $_POST['def_imap_ports']; }else{ $natent['def_imap_ports'] = ""; } + if ($_POST['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $_POST['def_sip_proxy_ip']; }else{ $natent['def_sip_proxy_ip'] = ""; } + if ($_POST['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $_POST['def_sip_proxy_ports']; }else{ $natent['def_sip_proxy_ports'] = ""; } + if ($_POST['def_sip_servers'] != "") { $natent['def_sip_servers'] = $_POST['def_sip_servers']; }else{ $natent['def_sip_servers'] = ""; } + if ($_POST['def_sip_ports'] != "") { $natent['def_sip_ports'] = $_POST['def_sip_ports']; }else{ $natent['def_sip_ports'] = ""; } + if ($_POST['def_auth_ports'] != "") { $natent['def_auth_ports'] = $_POST['def_auth_ports']; }else{ $natent['def_auth_ports'] = ""; } + if ($_POST['def_finger_ports'] != "") { $natent['def_finger_ports'] = $_POST['def_finger_ports']; }else{ $natent['def_finger_ports'] = ""; } + if ($_POST['def_irc_ports'] != "") { $natent['def_irc_ports'] = $_POST['def_irc_ports']; }else{ $natent['def_irc_ports'] = ""; } + if ($_POST['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $_POST['def_nntp_ports']; }else{ $natent['def_nntp_ports'] = ""; } + if ($_POST['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $_POST['def_rlogin_ports']; }else{ $natent['def_rlogin_ports'] = ""; } + if ($_POST['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $_POST['def_rsh_ports']; }else{ $natent['def_rsh_ports'] = ""; } + if ($_POST['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $_POST['def_ssl_ports']; }else{ $natent['def_ssl_ports'] = ""; } + + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + + sync_snort_package_config(); + + /* after click go to this page */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: snort_define_servers.php?id=$id"); + exit; + } +} + +$pgtitle = "Snort: Interface $id$if_real Define Servers"; +include_once("head.inc"); + +?> +<body + link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php +include("fbegin.inc"); +if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} + +echo "{$snort_general_css}\n"; +?> + +<form action="snort_define_servers.php" method="post" + enctype="multipart/form-data" name="iform" id="iform"><?php + + /* Display Alert message */ + + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + ?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), true, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); +?> +</td></tr> +<tr> + <td class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span><br> + Please save your settings before you click start.<br> + Please make sure there are <strong>no spaces</strong> in your + definitions. </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Define Servers</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define DNS_SERVERS</td> + <td width="78%" class="vtable"><input name="def_dns_servers" + type="text" class="formfld" id="def_dns_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_dns_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define DNS_PORTS</td> + <td width="78%" class="vtable"><input name="def_dns_ports" + type="text" class="formfld" id="def_dns_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_dns_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 53.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SMTP_SERVERS</td> + <td width="78%" class="vtable"><input name="def_smtp_servers" + type="text" class="formfld" id="def_smtp_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_smtp_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SMTP_PORTS</td> + <td width="78%" class="vtable"><input name="def_smtp_ports" + type="text" class="formfld" id="def_smtp_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_smtp_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 25.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define Mail_Ports</td> + <td width="78%" class="vtable"><input name="def_mail_ports" + type="text" class="formfld" id="def_mail_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_mail_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 25,143,465,691.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define HTTP_SERVERS</td> + <td width="78%" class="vtable"><input name="def_http_servers" + type="text" class="formfld" id="def_http_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_http_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define WWW_SERVERS</td> + <td width="78%" class="vtable"><input name="def_www_servers" + type="text" class="formfld" id="def_www_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_www_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define HTTP_PORTS</td> + <td width="78%" class="vtable"><input name="def_http_ports" + type="text" class="formfld" id="def_http_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_http_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 80.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SQL_SERVERS</td> + <td width="78%" class="vtable"><input name="def_sql_servers" + type="text" class="formfld" id="def_sql_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_sql_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define ORACLE_PORTS</td> + <td width="78%" class="vtable"><input name="def_oracle_ports" + type="text" class="formfld" id="def_oracle_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_oracle_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 1521.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define MSSQL_PORTS</td> + <td width="78%" class="vtable"><input name="def_mssql_ports" + type="text" class="formfld" id="def_mssql_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_mssql_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 1433.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define TELNET_SERVERS</td> + <td width="78%" class="vtable"><input name="def_telnet_servers" + type="text" class="formfld" id="def_telnet_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_telnet_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define TELNET_PORTS</td> + <td width="78%" class="vtable"><input name="def_telnet_ports" + type="text" class="formfld" id="def_telnet_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_telnet_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 23.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SNMP_SERVERS</td> + <td width="78%" class="vtable"><input name="def_snmp_servers" + type="text" class="formfld" id="def_snmp_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_snmp_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SNMP_PORTS</td> + <td width="78%" class="vtable"><input name="def_snmp_ports" + type="text" class="formfld" id="def_snmp_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_snmp_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 161.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define FTP_SERVERS</td> + <td width="78%" class="vtable"><input name="def_ftp_servers" + type="text" class="formfld" id="def_ftp_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_ftp_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define FTP_PORTS</td> + <td width="78%" class="vtable"><input name="def_ftp_ports" + type="text" class="formfld" id="def_ftp_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_ftp_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 21.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SSH_SERVERS</td> + <td width="78%" class="vtable"><input name="def_ssh_servers" + type="text" class="formfld" id="def_ssh_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_ssh_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SSH_PORTS</td> + <td width="78%" class="vtable"><input name="def_ssh_ports" + type="text" class="formfld" id="def_ssh_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_ssh_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is the firewall's SSH port.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define POP_SERVERS</td> + <td width="78%" class="vtable"><input name="def_pop_servers" + type="text" class="formfld" id="def_pop_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_pop_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define POP2_PORTS</td> + <td width="78%" class="vtable"><input name="def_pop2_ports" + type="text" class="formfld" id="def_pop2_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_pop2_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 109.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define POP3_PORTS</td> + <td width="78%" class="vtable"><input name="def_pop3_ports" + type="text" class="formfld" id="def_pop3_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_pop3_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 110.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define IMAP_SERVERS</td> + <td width="78%" class="vtable"><input name="def_imap_servers" + type="text" class="formfld" id="def_imap_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_imap_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define IMAP_PORTS</td> + <td width="78%" class="vtable"><input name="def_imap_ports" + type="text" class="formfld" id="def_imap_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_imap_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 143.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SIP_PROXY_IP</td> + <td width="78%" class="vtable"><input name="def_sip_proxy_ip" + type="text" class="formfld" id="def_sip_proxy_ip" size="40" + value="<?=htmlspecialchars($pconfig['def_sip_proxy_ip']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SIP_PROXY_PORTS</td> + <td width="78%" class="vtable"><input name="def_sip_proxy_ports" + type="text" class="formfld" id="def_sip_proxy_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_sip_proxy_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 5060:5090,16384:32768.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SIP_SERVERS</td> + <td width="78%" class="vtable"><input name="def_sip_servers" + type="text" class="formfld" id="def_sip_servers" size="40" + value="<?=htmlspecialchars($pconfig['def_sip_servers']);?>"> <br> + <span class="vexpl">Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SIP_PORTS</td> + <td width="78%" class="vtable"><input name="def_sip_ports" + type="text" class="formfld" id="def_sip_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_sip_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 5060:5090,16384:32768.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define AUTH_PORTS</td> + <td width="78%" class="vtable"><input name="def_auth_ports" + type="text" class="formfld" id="def_auth_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_auth_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 113.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define FINGER_PORTS</td> + <td width="78%" class="vtable"><input name="def_finger_ports" + type="text" class="formfld" id="def_finger_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_finger_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 79.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define IRC_PORTS</td> + <td width="78%" class="vtable"><input name="def_irc_ports" + type="text" class="formfld" id="def_irc_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_irc_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 6665,6666,6667,6668,6669,7000.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define NNTP_PORTS</td> + <td width="78%" class="vtable"><input name="def_nntp_ports" + type="text" class="formfld" id="def_nntp_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_nntp_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 119.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define RLOGIN_PORTS</td> + <td width="78%" class="vtable"><input name="def_rlogin_ports" + type="text" class="formfld" id="def_rlogin_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_rlogin_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 513.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define RSH_PORTS</td> + <td width="78%" class="vtable"><input name="def_rsh_ports" + type="text" class="formfld" id="def_rsh_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_rsh_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 514.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SSL_PORTS</td> + <td width="78%" class="vtable"><input name="def_ssl_ports" + type="text" class="formfld" id="def_ssl_ports" size="40" + value="<?=htmlspecialchars($pconfig['def_ssl_ports']);?>"> <br> + <span class="vexpl">Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 25,443,465,636,993,995.</span></td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input name="id" type="hidden" value="<?=$id;?>"> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <br> + Please save your settings before you click start. </td> + </tr> + </table> + +</table> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort-dev2/snort_download_rules.php b/config/snort-dev2/snort_download_rules.php new file mode 100644 index 00000000..7d61240e --- /dev/null +++ b/config/snort-dev2/snort_download_rules.php @@ -0,0 +1,786 @@ +<?php +/* + snort_download_rules.php + Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +/* Setup enviroment */ +require_once("guiconfig.inc"); +require_once("functions.inc"); +require_once("service-utils.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if ($_GET['return']) { + header("Location: /snort/snort_download_updates.php"); + exit; +} + +$tmpfname = "/usr/local/etc/snort/tmp/snort_rules_up"; +$snortdir = "/usr/local/etc/snort"; +$snortdir_wan = "/usr/local/etc/snort"; +$snort_filename_md5 = "{$snort_rules_file}.md5"; +$snort_filename = "{$snort_rules_file}"; +$emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; +$pfsense_rules_filename = "pfsense_rules.tar.gz"; + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; + +/* define checks */ +$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; + +if ($snortdownload == 'off' && $emergingthreats != 'on') + $snort_emrging_info = 'stop'; + +if ($oinkid == "" && $snortdownload != 'off') + $snort_oinkid_info = 'stop'; + +/* check if main rule directory is empty */ +$if_mrule_dir = "/usr/local/etc/snort/rules"; +$mfolder_chk = (count(glob("$if_mrule_dir/*")) === 0) ? 'empty' : 'full'; + +if (file_exists('/var/run/snort.conf.dirty')) + $snort_dirty_d = 'stop'; + +$pgtitle = "Services: Snort: Update Rules"; + +include("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> +<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<form action="/snort/snort_download_updates.php" method="GET"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td ><!-- progress bar --> + <table id="progholder" width='320' + style='border-collapse: collapse; border: 1px solid #000000;' + cellpadding='2' cellspacing='2'> + <tr> + <td><img border='0' + src='../themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' + width='280' height='23' name='progressbar' id='progressbar' + alt='' /> + </td> + </tr> + </table> + <br /> + <!-- status box --> <textarea cols="60" rows="2" name="status" id="status" wrap="hard"> + <?=gettext("Initializing...");?> + </textarea> + <!-- command output box --> <textarea cols="60" rows="2" name="output" id="output" wrap="hard"> + </textarea> + </td> + </tr> + </table> + </div> + </td> +</tr> +<tr><td><input type="submit" Value="Return"></td></tr> +</table> +</form> +<?php include("fend.inc");?> +</body> +</html> + +<?php +/* Start of code */ +conf_mount_rw(); + +if (!is_dir('/usr/local/etc/snort/tmp')) + exec('/bin/mkdir -p /usr/local/etc/snort/tmp'); + +$snort_md5_check_ok = 'off'; +$emerg_md5_check_ok = 'off'; +$pfsense_md5_check_ok = 'off'; + +/* Set user agent to Mozilla */ +ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); +ini_set("memory_limit","150M"); + +/* mark the time update started */ +$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); + +/* send current buffer */ +ob_flush(); + +/* hide progress bar */ +hide_progress_bar_status(); + +/* send current buffer */ +ob_flush(); + +/* remove old $tmpfname files */ +if (is_dir("{$tmpfname}")) { + update_status(gettext("Removing old tmp files...")); + exec("/bin/rm -r {$tmpfname}"); + apc_clear_cache(); +} + +/* Make shure snortdir exits */ +exec("/bin/mkdir -p {$snortdir}"); +exec("/bin/mkdir -p {$snortdir}/rules"); +exec("/bin/mkdir -p {$snortdir}/signatures"); +exec("/bin/mkdir -p {$tmpfname}"); +exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules/"); + +/* send current buffer */ +ob_flush(); + +/* unhide progress bar and lets end this party */ +unhide_progress_bar_status(); + +$pfsensedownload = 'on'; + +/* download md5 sig from snort.org */ +if ($snortdownload == 'on') +{ + if (file_exists("{$tmpfname}/{$snort_filename_md5}") && + filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { + update_status(gettext("snort.org md5 temp file exists...")); + } else { + update_status(gettext("Downloading snort.org md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + + //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); + update_status(gettext("Done downloading snort.org md5")); + } +} + +/* download md5 sig from emergingthreats.net */ +if ($emergingthreats == 'on') +{ + update_status(gettext("Downloading emergingthreats md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5'); + @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); + update_status(gettext("Done downloading emergingthreats md5")); +} + +/* download md5 sig from pfsense.org */ +if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { + update_status(gettext("pfsense md5 temp file exists...")); +} else { + update_status(gettext("Downloading pfsense md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); + @file_put_contents("{$tmpfname}/pfsense_rules.tar.gz.md5", $image); + update_status(gettext("Done downloading pfsense md5.")); +} + +/* If md5 file is empty wait 15min exit */ +if ($snortdownload == 'on') +{ + if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) + { + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + hide_progress_bar_status(); + $snortdownload = 'off'; + } +} + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); + update_output_window(gettext("Rules are released to support Pfsense packages.")); + hide_progress_bar_status(); + $pfsensedownload = 'off'; +} + +/* Check if were up to date snort.org */ +if ($snortdownload == 'on') +{ + if (file_exists("{$snortdir}/{$snort_filename_md5}")) + { + $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); + $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); + $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($md5_check_new == $md5_check_old) + { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + $snort_md5_check_ok = 'on'; + } else { + update_status(gettext("Your rules are not up to date...")); + $snort_md5_check_ok = 'off'; + } + } +} + +/* Check if were up to date emergingthreats.net */ +if ($emergingthreats == 'on') +{ + if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) + { + $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($emerg_md5_check_new == $emerg_md5_check_old) + { + hide_progress_bar_status(); + $emerg_md5_check_ok = 'on'; + } else + $emerg_md5_check_ok = 'off'; + } +} + +/* Check if were up to date pfsense.org */ +if ($pfsensedownload == 'on' && file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) +{ + $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($pfsense_md5_check_new == $pfsense_md5_check_old) + { + hide_progress_bar_status(); + $pfsense_md5_check_ok = 'on'; + } else + $pfsense_md5_check_ok = 'off'; +} + +if ($snortdownload == 'on') { + if ($snort_md5_check_ok == 'on') + { + update_status(gettext("Your snort.org rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + $snortdownload = 'off'; + } +} +if ($emergingthreats == 'on') { + if ($emerg_md5_check_ok == 'on') + { + update_status(gettext("Your Emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + $emergingthreats = 'off'; + } +} + +/* download snortrules file */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Snort.org rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + + update_output_window(gettext("Snort rules file downloaded failed...")); + $snortdownload = 'off'; + } + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext('Emergingthreats tar file exists...')); + }else{ + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); + update_status(gettext('Done downloading Emergingthreats rules file.')); + } + } +} + +/* download pfsense rules file */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + } +} + +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// return; +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// return; +// } +//} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + + // find out if were in 1.2.3-RELEASE
+ $pfsense_ver_chk = exec('/bin/cat /etc/version');
+ if ($pfsense_ver_chk === '1.2.3-RELEASE') {
+ $pfsense_stable = 'yes';
+ }else{
+ $pfsense_stable = 'no';
+ } + + // get the system arch
+ $snort_arch_ck = exec('/usr/bin/uname -m');
+ if ($snort_arch_ck === 'i386') {
+ $snort_arch = 'i386';
+ }else{
+ $snort_arch = 'x86-64'; // amd64
+ } + + if ($pfsense_stable === 'yes') { + $freebsd_version_so = 'FreeBSD-7-3'; + }else{ + $freebsd_version_so = 'FreeBSD-8-1'; + } + + update_status(gettext("Extracting Snort.org rules...")); + update_output_window(gettext("May take a while...")); + /* extract snort.org rules and add prefix to all snort.org files*/ + exec("/bin/rm -r {$snortdir}/rules"); + sleep(2); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + chdir ("/usr/local/etc/snort/rules"); + sleep(2); + + $snort_dirList = scandir("{$snortdir_rules}/rules"); // Waning: only in php 5
+ $snortrules_filterList = snortscandirfilter($snort_dirList, '/.*\.rules/', '/\.rules/', ''); + + if (!empty($snortrules_filterList)) {
+ foreach ($snortrules_filterList as $snort_rule_move)
+ {
+ exec("/bin/mv -f {$snortdir}/rules/{$snort_rule_move}.rules {$snortdir}/rules/snort_{$snort_rule_move}.rules");
+ }
+ } + + /* extract so rules */
+ exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/');
+ exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/{$snort_arch}/2.9.2.2/");
+ exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/{$snort_arch}/2.9.2.2/* /usr/local/lib/snort/dynamicrules/"); + + /* extract so rules none bin and rename */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . + " so_rules/chat.rules/" . + " so_rules/dos.rules/" . + " so_rules/exploit.rules/" . + " so_rules/icmp.rules/" . + " so_rules/imap.rules/" . + " so_rules/misc.rules/" . + " so_rules/multimedia.rules/" . + " so_rules/netbios.rules/" . + " so_rules/nntp.rules/" . + " so_rules/p2p.rules/" . + " so_rules/smtp.rules/" . + " so_rules/sql.rules/" . + " so_rules/web-activex.rules/" . + " so_rules/web-client.rules/" . + " so_rules/web-iis.rules/" . + " so_rules/web-misc.rules/"); + + exec("/bin/mv -f {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/snort_bad-traffic.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/chat.rules {$snortdir}/rules/snort_chat.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/dos.rules {$snortdir}/rules/snort_dos.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/snort_exploit.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/icmp.rules {$snortdir}/rules/snort_icmp.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/imap.rules {$snortdir}/rules/snort_imap.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/misc.rules {$snortdir}/rules/snort_misc.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/snort_multimedia.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/snort_netbios.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/snort_nntp.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/snort_p2p.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/snort_smtp.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/sql.rules {$snortdir}/rules/snort_sql.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-activex.rules {$snortdir}/rules/snort_web-activex.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/snort_web-client.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-iis.rules {$snortdir}/rules/snort_web-iis.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/snort_web-misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + } + + //// rob + + // list so_rules and exclude dir
+ exec("/usr/bin/tar --exclude='precompiled' --exclude='src' -tf {$tmpfname}/{$snort_filename} so_rules", $so_rules_list); + + $so_rulesPattr = array('/\//', '/\.rules/');
+ $so_rulesPattw = array('', '');
+
+ // build list of so rules
+ $so_rules_filterList = snortscandirfilter($so_rules_list, '/\/.*\.rules/', $so_rulesPattr, $so_rulesPattw); + + //// end + + /* extract base etc files */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("/bin/mv -f {$snortdir}/etc/* {$snortdir}"); + exec("/bin/rm -r {$snortdir}/etc"); + + update_status(gettext("Done extracting Snort.org Rules.")); + }else{ + update_status(gettext("Error extracting Snort.org Rules...")); + update_output_window(gettext("Error Line 755")); + $snortdownload = 'off'; + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats == 'on') +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Extracting Pfsense rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); + } +} + +/* Untar snort signatures */ +if ($snortdownload == 'on' && $snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') { + update_status(gettext("Extracting Signatures...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + } + } +} + +/* Copy md5 sig to snort dir */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/$snort_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); + }else{ + update_status(gettext("The md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $snortdownload = 'off'; + } + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) + { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); + }else{ + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $emergingthreats = 'off'; + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + update_status(gettext("Copying Pfsense md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); + } else { + update_status(gettext("The Pfsense md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $pfsensedownload = 'off'; + } +} + +/* Copy signatures dir to snort dir */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') + { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') + { + if (file_exists("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying signatures...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); + exec("/bin/rm -r {$snortdir}/doc/signatures"); + update_status(gettext("Done copying signatures.")); + }else{ + update_status(gettext("Directory signatures exist...")); + update_output_window(gettext("Error copying signature...")); + $snortdownload = 'off'; + } + } + } +} + +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + @unlink("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-botcc.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +/* make shure default rules are in the right format */ +exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + +/* create a msg-map for snort */ +update_status(gettext("Updating Alert Messages...")); +update_output_window(gettext("Please Wait...")); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); + + +////////////////// + +/* open oinkmaster_conf for writing" function */ +function oinkmaster_conf($id, $if_real, $iface_uuid) +{ + global $config, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + + @unlink("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf"); + + /* enable disable setting will carry over with updates */ + /* TODO carry signature changes with the updates */ + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + + $selected_sid_on_sections = ""; + $selected_sid_off_sections = ""; + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { + $enabled_sid_on = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']); + $enabled_sid_on_array = split('\|\|', $enabled_sid_on); + foreach($enabled_sid_on_array as $enabled_item_on) + $selected_sid_on_sections .= "$enabled_item_on\n"; + } + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { + $enabled_sid_off = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']); + $enabled_sid_off_array = split('\|\|', $enabled_sid_off); + foreach($enabled_sid_off_array as $enabled_item_off) + $selected_sid_off_sections .= "$enabled_item_off\n"; + } + + if (!empty($selected_sid_on_sections) || !empty($selected_sid_off_sections)) { + $snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's oinkmaster.conf for writing */ + @file_put_contents("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf", $snort_sid_text); + } + } +} + +/* Run oinkmaster to snort_wan and cp configs */ +/* If oinkmaster is not needed cp rules normally */ +/* TODO add per interface settings here */ +function oinkmaster_run($id, $if_real, $iface_uuid) +{ + global $config, $g, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + if (empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']) && empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { + update_status(gettext("Your first set of rules are being copied...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + } else { + update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + + /* might have to add a sleep for 3sec for flash drives or old drives */ + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf -o /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules > /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); + } + } +} + +/* Start the proccess for every interface rule */ +/* TODO: try to make the code smother */ +if (is_array($config['installedpackages']['snortglobal']['rule'])) +{ + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + $iface_uuid = $value['uuid']; + + /* make oinkmaster.conf for each interface rule */ + oinkmaster_conf($id, $if_real, $iface_uuid); + + /* run oinkmaster for each interface rule */ + oinkmaster_run($id, $if_real, $iface_uuid); + } +} + +////////////// + +/* mark the time update finnished */ +$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); + +/* remove old $tmpfname files */ +if (is_dir('/usr/local/etc/snort/tmp')) { + update_status(gettext("Cleaning up...")); + exec("/bin/rm -r /usr/local/etc/snort/tmp/snort_rules_up"); + sleep(2); + exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); +} + +/* XXX: These are needed if snort is run as snort user +mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); +mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); +mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); +*/ +/* make all dirs snorts */ +mwexec("/bin/chmod -R 755 /var/log/snort", true); +mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); +mwexec("/bin/chmod -R 755 /usr/local/lib/snort", true); + +/* hide progress bar and lets end this party */ +hide_progress_bar_status(); + +if ($snortdownload == 'off' && $emergingthreats == 'off' && $pfsensedownload == 'off') + update_output_window(gettext("Finished...")); +else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_md5_check_ok == 'on') + update_output_window(gettext("Finished...")); +else { + /* You are Not Up to date, always stop snort when updating rules for low end machines */; + update_status(gettext("You are NOT up to date...")); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("Snort has restarted with your new set of rules...")); + exec("/bin/rm /tmp/snort_download_halt.pid"); +} + +update_status(gettext("The Rules update finished...")); +conf_mount_ro(); + +?> diff --git a/config/snort-dev2/snort_download_updates.php b/config/snort-dev2/snort_download_updates.php new file mode 100644 index 00000000..e902cd64 --- /dev/null +++ b/config/snort-dev2/snort_download_updates.php @@ -0,0 +1,322 @@ +<?php +/* + snort_download_updates.php + part of pfSense + Copyright (C) 2004 Scott Ullrich + Copyright (C) 2011 Ermal Luci + All rights reserved. + + part of m0n0wall as reboot.php (http://m0n0.ch/wall) + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +/* load only javascript that is needed */ +$snort_load_jquery = 'yes'; +$snort_load_jquery_colorbox = 'yes'; + + +/* quick md5s chk */ +$snort_org_sig_chk_local = 'N/A'; +if (file_exists("/usr/local/etc/snort/{$snort_rules_file}.md5")) + $snort_org_sig_chk_local = exec("/bin/cat /usr/local/etc/snort/{$snort_rules_file}.md5"); + +$emergingt_net_sig_chk_local = 'N/A'; +if(file_exists('/usr/local/etc/snort/emerging.rules.tar.gz.md5')) + $emergingt_net_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/emerging.rules.tar.gz.md5'); + +$pfsense_org_sig_chk_local = 'N/A'; +if(file_exists('/usr/local/etc/snort/pfsense_rules.tar.gz.md5')) + $pfsense_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/pfsense_rules.tar.gz.md5'); + +/* define checks */ +$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; + +if ($snortdownload != 'on' && $emergingthreats != 'on') + $snort_emrging_info = 'stop'; + +if ($oinkid == '' && $snortdownload != 'off') + $snort_oinkid_info = 'stop'; + +if ($snort_emrging_info == 'stop' || $snort_oinkid_info == 'stop') + $error_stop = 'true'; + +/* check if main rule directory is empty */ +$if_mrule_dir = "/usr/local/etc/snort/rules"; +$mfolder_chk = (count(glob("$if_mrule_dir/*")) === 0) ? 'empty' : 'full'; + +/* check for logfile */ +$update_logfile_chk = 'no'; +if (file_exists('/usr/local/etc/snort/snort_update.log')) + $update_logfile_chk = 'yes'; + +header("snort_help_info.php"); +header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" ); +header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" ); +header( "Cache-Control: no-cache, must-revalidate" ); +header( "Pragma: no-cache" ); + + +$pgtitle = "Services: Snort: Updates"; +include_once("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> + +<?php +echo "{$snort_general_css}\n"; +echo "$snort_interfaces_css\n"; +?> + +<?php include("fbegin.inc"); ?> + +<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<noscript> +<div class="alert" ALIGN=CENTER><img + src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please +enable JavaScript to view this content +</CENTER></div> +</noscript> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), true, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Help"), false, "/snort/help_and_info.php"); + display_top_tabs($tab_array); +?> +</td></tr> +<tr> + <td> + <div id="mainarea3"> + <table id="maintable4" class="tabcont" width="100%" border="0" + cellpadding="0" cellspacing="0"> + <tr> + <td><!-- grey line --> + <table height="12px" width="725px" border="0" cellpadding="5px" + cellspacing="0"> + <tr> + <td style='background-color: #eeeeee'> + <div height="12px" width="725px" style='background-color: #dddddd'> + </div> + </td> + </tr> + </table> + + <br> + + <table id="download_rules" height="32px" width="725px" border="0" + cellpadding="5px" cellspacing="0"> + <tr> + <td id="download_rules_td" style="background-color: #eeeeee"> + <div height="32" width="725px" style="background-color: #eeeeee"> + + <font color="#777777" size="1.5px"><b>INSTALLED SIGNATURE RULESET</b></font><br> + <br> + <p style="text-align: left; margin-left: 225px;"><font + color="#FF850A" size="1px"><b>SNORT.ORG >>></b></font><font + size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br> + <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET >>></b></font><font + size="1px" color="#000000"> <? echo $emergingt_net_sig_chk_local; ?></font><br> + <font color="#FF850A" size="1px"><b>PFSENSE.ORG >>></b></font><font + size="1px" color="#000000"> <? echo $pfsense_org_sig_chk_local; ?></font><br> + </p> + + </div> + </td> + </tr> + </table> + + <br> + + <!-- grey line --> + <table height="12px" width="725px" border="0" cellpadding="5px" + cellspacing="0"> + <tr> + <td style='background-color: #eeeeee'> + <div height="12px" width="725px" style='background-color: #eeeeee'> + </div> + </td> + </tr> + </table> + + <br> + + <table id="download_rules" height="32px" width="725px" border="0" + cellpadding="5px" cellspacing="0"> + <tr> + <td id="download_rules_td" style='background-color: #eeeeee'> + <div height="32" width="725px" style='background-color: #eeeeee'> + + <font color='#777777' size='1.5px'><b>UPDATE YOUR RULES</b></font><br> + <br> + + <?php + + if ($error_stop == 'true') { + echo ' + + <button class="sexybutton disabled" disabled="disabled"><span class="download">Update Rules </span></button><br/> + <p style="text-align:left; margin-left:150px;"> + <font color="#fc3608" size="2px"><b>WARNING:</b></font><font size="1px" color="#000000"> No rule types have been selected for download. "Global Settings Tab"</font><br>'; + + if ($mfolder_chk == 'empty') { + + echo ' + <font color="#fc3608" size="2px"><b>WARNING:</b></font><font size="1px" color="#000000"> The main rules directory is empty. /usr/local/etc/snort/rules</font>' ."\n"; + } + + echo '</p>' . "\n"; + + }else{ + + echo ' + + <a href="/snort/snort_download_rules.php"><button class="sexybutton disabled"><span class="download">Update Rules </span></button></a><br/>' . "\n"; + + if ($mfolder_chk == 'empty') { + + echo ' + <p style="text-align:left; margin-left:150px;"> + <font color="#fc3608" size="2px"><b>WARNING:</b></font><font size="1px" color="#000000"> The main rules directory is empty. /usr/local/etc/snort/rules</font> + </p>'; + } + + } + + ?> <br> + + </div> + </td> + </tr> + </table> + + <br> + + <table id="download_rules" height="32px" width="725px" border="0" + cellpadding="5px" cellspacing="0"> + <tr> + <td id="download_rules_td" style='background-color: #eeeeee'> + <div height="32" width="725px" style='background-color: #eeeeee'> + + <font color='#777777' size='1.5px'><b>VIEW UPDATE LOG</b></font><br> + <br> + + <?php + + if ($update_logfile_chk == 'yes') { + echo ' + <button class="sexybutton sexysimple example9" href="/snort/snort_rules_edit.php?openruleset=/usr/local/etc/snort/snort_update.log"><span class="pwhitetxt">Update Log </span></button>' . "\n"; + }else{ + echo ' + <button class="sexybutton disabled" disabled="disabled" href="/snort/snort_rules_edit.php?openruleset=/usr/local/etc/snort/snort_update.log"><span class="pwhitetxt">Update Log </span></button>' . "\n"; + } + + ?> <br> + <br> + + </div> + </td> + </tr> + </table> + + <br> + + <table height="12px" width="725px" border="0" cellpadding="5px" + cellspacing="0"> + <tr> + <td style='background-color: #eeeeee'> + <div height="12px" width="725px" style='background-color: #eeeeee'> + </div> + </td> + </tr> + </table> + + <br> + + <table id="download_rules" height="32px" width="725px" border="0" + cellpadding="5px" cellspacing="0"> + <tr> + <td id="download_rules_td" style='background-color: #eeeeee'> + <div height="32" width="725px" style='background-color: #eeeeee'> + + <img style='vertical-align: middle' + src="/snort/images/icon_excli.png" width="40" height="32"> <font + color='#FF850A' size='1px'><b>NOTE:</b></font><font size='1px' + color='#000000'> Snort.org and Emergingthreats.net + will go down from time to time. Please be patient.</font></div> + </td> + </tr> + </table> + + <br> + + <table height="12px" width="725px" border="0" cellpadding="5px" + cellspacing="0"> + <tr> + <td style='background-color: #eeeeee'> + <div height="12px" width="725px" style='background-color: #eeeeee'> + </div> + </td> + </tr> + </table> + + </td> + </tr> + </table> + </div> + + + + + + <br> + </td> + </tr> +</table> +<!-- end of final table --></div> + +<?php include("fend.inc"); ?> + +<?php echo "$snort_custom_rnd_box\n"; ?> + +</body> +</html> diff --git a/config/snort-dev2/snort_gui.inc b/config/snort-dev2/snort_gui.inc new file mode 100644 index 00000000..d2fd4e30 --- /dev/null +++ b/config/snort-dev2/snort_gui.inc @@ -0,0 +1,203 @@ +<?php +/* $Id$ */ +/* + snort.inc + Copyright (C) 2006 Scott Ullrich + Copyright (C) 2006 Robert Zelaya + part of pfSense + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +include_once("/usr/local/pkg/snort/snort.inc"); + +function print_info_box_np2($msg) { + global $config, $g; + + echo "<table height=\"32\" width=\"100%\">\n"; + echo " <tr>\n"; + echo " <td>\n"; + echo " <div style='background-color:#990000' id='redbox'>\n"; + echo " <table width='100%'><tr><td width='8%'>\n"; + echo " <img style='vertical-align:middle' src=\"/snort/images/alert.jpg\" width=\"32\" height=\"28\">\n"; + echo " </td>\n"; + echo " <td width='70%'><font color='white'><b>{$msg}</b></font>\n"; + echo " </td>"; + if(stristr($msg, "apply") == true) { + echo " <td>"; + echo " <input name=\"apply\" type=\"submit\" class=\"formbtn\" id=\"apply\" value=\"Apply changes\">\n"; + echo " </td>"; + } + echo " </tr></table>\n"; + echo " </div>\n"; + echo " </td>\n"; + echo "</table>\n"; + echo "<script type=\"text/javascript\">\n"; + echo "NiftyCheck();\n"; + echo "Rounded(\"div#redbox\",\"all\",\"#FFF\",\"#990000\",\"smooth\");\n"; + echo "Rounded(\"td#blackbox\",\"all\",\"#FFF\",\"#000000\",\"smooth\");\n"; + echo "</script>\n"; + echo "\n<br>\n"; + + +} + + +/* makes boxes round */ +/* load at bottom */ + +$snort_custom_rnd_box = ' +<script type="text/javascript"> +<!-- + + NiftyCheck(); + Rounded("div#mainarea2","bl br tr","#FFF","#dddddd","smooth"); + Rounded("div#mainarea3","bl br tr","#FFF","#dddddd","smooth"); + Rounded("div#mainarea4","all","#FFF","#dddddd","smooth"); + Rounded("div#mainarea5","all","#eeeeee","#dddddd","smooth"); + +//--> +</script>' . "\n"; + +/* general css code */ +$snort_general_css = ' + +<style type="text/css"> + +.alert { + position:absolute; + top:10px; + left:0px; + width:94%; + height:90%; + +background:#FCE9C0; +background-position: 15px; +border-top:2px solid #DBAC48; +border-bottom:2px solid #DBAC48; +padding: 15px 10px 85% 50px; +} + +.formpre { +font-family:arial; +font-size: 1.1em; +} + +#download_rules { +font-family: arial; +font-size: 13px; +font-weight: bold; +text-align: center +} + +#download_rules_td { +font-family: arial; +font-size: 13px; +font-weight: bold; +text-align: center +} + +body2 { +font-family:arial; +font-size:12px; +} + +.tabcont { +background-color: #dddddd; +padding-right: 12px; +padding-left: 12px; +padding-top: 12px; +padding-bottom: 12px; +} + +.tabcont2 { +background-color: #eeeeee; +padding-right: 12px; +padding-left: 12px; +padding-top: 12px; +padding-bottom: 12px; +} + +.vncell2 { + background-color: #eeeeee; + padding-right: 20px; + padding-left: 8px; + border-bottom: 1px solid #999999; +} + +/* global tab, white lil box */ +.vncell3 { + width: 50px; + background-color: #eeeeee; + padding-right: 2px; + padding-left: 2px; + border-bottom-width: 1px; + border-bottom-style: solid; + border-bottom-color: #999999; +} + +.vncellreq2 { +background-color: #eeeeee; +padding-right: 20px; +padding-left: 8px; +font-weight: bold; +border-bottom-width: 1px; +border-bottom-style: solid; +border-bottom-color: #999999; +} + +</style> ' . "\n"; + + +/* general css code for snort_interface.php */ +$snort_interfaces_css = ' + +<style type="text/css"> + +.listbg2 { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + background-color: #090; + color: #000; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} + +.listbg3 { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + background-color: #777777; + color: #000; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} + +</style>' . "\n"; + +?> diff --git a/config/snort-dev2/snort_interfaces.php b/config/snort-dev2/snort_interfaces.php new file mode 100644 index 00000000..86a9aff6 --- /dev/null +++ b/config/snort-dev2/snort_interfaces.php @@ -0,0 +1,437 @@ +<?php +/* $Id$ */ +/* + +originally part of m0n0wall (http://m0n0.ch/wall) +Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. +Copyright (C) 2008-2009 Robert Zelaya. +Copyright (C) 2011 Ermal Luci +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, +this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. +*/ + +$nocsrf = true; +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; +$id_gen = count($config['installedpackages']['snortglobal']['rule']); + +if (isset($_POST['del_x'])) { + /* delete selected rules */ + if (is_array($_POST['rule'])) { + conf_mount_rw(); + foreach ($_POST['rule'] as $rulei) { + + /* convert fake interfaces to real */ + $if_real = snort_get_real_interface($a_nat[$rulei]['interface']); + $snort_uuid = $a_nat[$rulei]['uuid']; + + Running_Stop($snort_uuid,$if_real, $rulei); + + unset($a_nat[$rulei]); + } + conf_mount_ro(); + + write_config(); + sleep(2); + + /* if there are no ifaces do not create snort.sh */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + create_snort_sh(); + else { + conf_mount_rw(); + exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); + conf_mount_ro(); + } + + sync_snort_package_config(); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces.php"); + exit; + } + +} + + +/* start/stop snort */ +if ($_GET['act'] == 'toggle' && is_numeric($id)) { + + $if_real = snort_get_real_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Toggle for {$snort_uuid}_{$if_real}...'"); + + sync_snort_package_config(); + + $tester2 = Running_Ck($snort_uuid, $if_real, $id); + + if ($tester2 == 'yes') { + Running_Stop($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + + } else { + Running_Start($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + } + sleep(4); // So the GUI reports correctly + header("Location: /snort/snort_interfaces.php"); + exit; +} + + +$pgtitle = "Services: $snort_package_version"; +include_once("head.inc"); + +?> +<body link="#000000" vlink="#000000" alink="#000000"> + +<?php +echo "{$snort_general_css}\n"; +echo "$snort_interfaces_css\n"; + +include_once("fbegin.inc"); +if ($pfsense_stable == 'yes') + echo '<p class="pgtitle">' . $pgtitle . '</p>'; +?> + +<noscript> +<div class="alert" ALIGN=CENTER><img + src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please +enable JavaScript to view this content +</CENTER></div> +</noscript> + +<form action="snort_interfaces.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<?php + /* Display Alert message */ + if ($input_errors) + print_input_errors($input_errors); // TODO: add checks + + if ($savemsg) + print_info_box2($savemsg); + + //if (file_exists($d_snortconfdirty_path)) { + if ($d_snortconfdirty_path_ls != '') { + echo '<p>'; + + if($savemsg) + print_info_box_np2("{$savemsg}"); + else { + print_info_box_np2(' + The Snort configuration has changed for one or more interfaces.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } +?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Help"), false, "/snort/help_and_info.php"); + display_top_tabs($tab_array); +?> +</td></tr> +<tr> + <td> + <div id="mainarea2"> + <table class="tabcont" width="100%" border="0" cellpadding="0" + cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="list"> </td> + <td width="1%" class="list"> </td> + <td width="10%" class="listhdrr">If</td> + <td width="10%" class="listhdrr">Snort</td> + <td width="10%" class="listhdrr">Performance</td> + <td width="10%" class="listhdrr">Block</td> + <td width="10%" class="listhdrr">Barnyard2</td> + <td width="50%" class="listhdr">Description</td> + <td width="3%" class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td width="17"></td> + <td><a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + <?php $nnats = $i = 0; foreach ($a_nat as $natent): ?> + <tr valign="top" id="fr<?=$nnats;?>"> + <?php + + /* convert fake interfaces to real and check if iface is up */ + /* There has to be a smarter way to do this */ + $if_real = snort_get_real_interface($natent['interface']); + $snort_uuid = $natent['uuid']; + + $tester2 = Running_Ck($snort_uuid, $if_real, $id); + + if ($tester2 == 'no') { + $iconfn = 'pass'; + $class_color_up = 'listbg'; + }else{ + $class_color_up = 'listbg2'; + $iconfn = 'block'; + } + + ?> + <td class="listt"> + <a href="?act=toggle&id=<?=$i;?>"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_<?=$iconfn;?>.gif" + width="13" height="13" border="0" + title="click to toggle start/stop snort"></a> + <input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0;"></td> + <td class="listt" align="center"></td> + <td class="<?=$class_color_up;?>" onClick="fr_toggle(<?=$nnats;?>)" + id="frd<?=$nnats;?>" + ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + echo snort_get_friendly_interface($natent['interface']); + ?></td> + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" + id="frd<?=$nnats;?>" + ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + $check_snort_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['enable']; + if ($check_snort_info == "on") + { + $check_snort = enabled; + } else { + $check_snort = disabled; + } + ?> <?=strtoupper($check_snort);?></td> + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" + id="frd<?=$nnats;?>" + ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + $check_performance_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['performance']; + if ($check_performance_info != "") { + $check_performance = $check_performance_info; + }else{ + $check_performance = "lowmem"; + } + ?> <?=strtoupper($check_performance);?></td> + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" + id="frd<?=$nnats;?>" + ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + $check_blockoffenders_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['blockoffenders7']; + if ($check_blockoffenders_info == "on") + { + $check_blockoffenders = enabled; + } else { + $check_blockoffenders = disabled; + } + ?> <?=strtoupper($check_blockoffenders);?></td> + <?php + + $color2_upb = Running_Ck_b($snort_uuid, $if_real, $id); + + if ($color2_upb == 'yes') { + $class_color_upb = 'listbg2'; + }else{ + $class_color_upb = 'listbg'; + } + + ?> + <td class="<?=$class_color_upb;?>" onClick="fr_toggle(<?=$nnats;?>)" + id="frd<?=$nnats;?>" + ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + $check_snortbarnyardlog_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['barnyard_enable']; + if ($check_snortbarnyardlog_info == "on") + { + $check_snortbarnyardlog = strtoupper(enabled); + }else{ + $check_snortbarnyardlog = strtoupper(disabled); + } + ?> <?php echo "$check_snortbarnyardlog";?></td> + <td class="listbg3" onClick="fr_toggle(<?=$nnats;?>)" + ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <font color="#ffffff"> <?=htmlspecialchars($natent['descr']);?> + </td> + <td valign="middle" class="list" nowrap> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img + src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="edit rule"></a></td> + </tr> + </table> + + </tr> + <?php $i++; $nnats++; endforeach; ?> + <tr> + <td class="list" colspan="8"></td> + <td class="list" valign="middle" nowrap> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td><?php if ($nnats == 0): ?><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" + width="17" height="17" title="delete selected rules" border="0"><?php else: ?><input + name="del" type="image" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" title="delete selected mappings" + onclick="return confirm('Do you really want to delete the selected Snort Rule?')"><?php endif; ?></td> + </tr> + </table> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> + +<br> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <div id="mainarea4"> + <table class="tabcont" width="100%" border="0" cellpadding="0" + cellspacing="0"> + <tr id="frheader"> + <td width="100%"><span class="red"><strong>Note:</strong></span> <br> + This is the <strong>Snort Menu</strong> where you can see an over + view of all your interface settings. <br> + Please edit the <strong>Global Settings</strong> tab before adding + an interface. <br> + <br> + <span class="red"><strong>Warning:</strong></span> <br> + <strong>New settings will not take effect until interface restart.</strong> + <br> + <br> + <strong>Click</strong> on the <img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="Add Icon"> icon to add a + interface.<strong> Click</strong> + on the <img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" + width="13" height="13" border="0" title="Start Icon"> icon to <strong>start</strong> + snort and barnyard2. <br> + <strong>Click</strong> on the <img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="Edit Icon"> icon to edit a + interface and settings.<strong> Click</strong> + on the <img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" + width="13" height="13" border="0" title="Stop Icon"> icon to <strong>stop</strong> + snort and barnyard2. <br> + <strong> Click</strong> on the <img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" border="0" title="Delete Icon"> icon to + delete a interface and settings.</td> + </tr> + </table> + </div> + + </tr> + </td> +</table> + + <?php + if ($pkg['tabs'] <> "") { + echo "</td></tr></table>"; + } + ?></form> +</div> + +<br> +<br> +<br> + +<style type="text/css"> +#footer2 { + position: relative; + background-color: transparent; + background-image: url("./images/logo22.png"); + background-repeat: no-repeat; + background-attachment: scroll; + background-position: 0% 0%; + top: 10px; + left: 0px; + width: 770px; + height: 60px; + color: #000000; + text-align: center; + font-size: 0.8em; + padding-top: 40px; + margin-bottom: -35px; + clear: both; +} +</style> + +<div id="footer2">SNORT registered � by Sourcefire, Inc, Barnyard2 +registered � by securixlive.com, Orion registered � by Robert Zelaya, +Emergingthreats registered � by emergingthreats.net, Mysql registered � +by Mysql.com</div> +<!-- Footer DIV --> + + <?php + + include("fend.inc"); + + echo $snort_custom_rnd_box; + + ?> + + + +</body> +</html> diff --git a/config/snort-dev2/snort_interfaces_edit.php b/config/snort-dev2/snort_interfaces_edit.php new file mode 100644 index 00000000..f3d96848 --- /dev/null +++ b/config/snort-dev2/snort_interfaces_edit.php @@ -0,0 +1,733 @@ +<?php +/* + snort_interfaces_edit.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008-2009 Robert Zelaya. + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + + +/* always have a limit of (65535) numbers only or snort will not start do to id limits */ +/* TODO: When inline gets added make the uuid the port number lisstening */ +$pconfig = array(); + +/* gen uuid for each iface !inportant */ +if (empty($config['installedpackages']['snortglobal']['rule'][$id]['uuid'])) { + //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); + $snort_uuid = 0; + while ($snort_uuid > 65535 || $snort_uuid == 0) { + $snort_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $snort_uuid; + } +} else { + $snort_uuid = $a_nat[$id]['uuid']; + $pconfig['uuid'] = $snort_uuid; +} + +if (isset($id) && $a_nat[$id]) { + + /* old options */ + $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; + $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; + $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; + $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; + $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; + $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; + $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; + $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; + $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; + $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; + $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; + $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; + $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; + $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; + $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; + $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; + $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; + $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; + $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; + $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; + $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; + $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; + $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; + $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; + $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; + $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; + $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; + $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; + $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; + $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; + $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; + $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; + $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; + $pconfig['def_sip_servers'] = $a_nat[$id]['def_sip_servers']; + $pconfig['def_sip_ports'] = $a_nat[$id]['def_sip_ports']; + $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; + $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; + $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; + $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; + $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; + $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; + $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; + $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; + $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; + $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['performance'] = $a_nat[$id]['performance']; + $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; + $pconfig['blockoffenderskill'] = $a_nat[$id]['blockoffenderskill']; + $pconfig['blockoffendersip'] = $a_nat[$id]['blockoffendersip']; + $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; + $pconfig['homelistname'] = $a_nat[$id]['homelistname']; + $pconfig['externallistname'] = $a_nat[$id]['externallistname']; + $pconfig['suppresslistname'] = $a_nat[$id]['suppresslistname']; + $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; + $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; + $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; + $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; + $pconfig['configpassthru'] = base64_decode($a_nat[$id]['configpassthru']); + $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; + $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; + $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; + + + if (!$pconfig['interface']) + $pconfig['interface'] = "wan"; + } else + $pconfig['interface'] = "wan"; + +/* convert fake interfaces to real */ +$if_real = snort_get_real_interface($pconfig['interface']); + +if (isset($_GET['dup'])) + unset($id); + + /* alert file */ + $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + + if ($_POST["Submit"]) { + + if ($_POST['descr'] == '' && $pconfig['descr'] == '') { + $input_errors[] = "Please enter a description for your reference."; + } + + if ($id == "" && $config['installedpackages']['snortglobal']['rule'][0]['interface'] != "") { + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + + if ($_POST['interface'] == $result_lan) + $input_errors[] = "Interface $result_lan is in use. Please select another interface."; + } + } + + /* XXX: Void code + * check for overlaps + foreach ($a_nat as $natent) { + if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) + continue; + if ($natent['interface'] != $_POST['interface']) + continue; + } + */ + + /* if no errors write to conf */ + if (!$input_errors) { + $natent = array(); + + /* write to conf for 1st time or rewrite the answer */ + if ($_POST['interface']) + $natent['interface'] = $_POST['interface']; + + /* if post write to conf or rewite the answer */ + $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; + $natent['uuid'] = $pconfig['uuid']; + $natent['descr'] = $_POST['descr'] ? $_POST['descr'] : $pconfig['descr']; + $natent['performance'] = $_POST['performance'] ? $_POST['performance'] : $pconfig['performance']; + /* if post = on use on off or rewrite the conf */ + if ($_POST['blockoffenders7'] == "on") + $natent['blockoffenders7'] = 'on'; + else + $natent['blockoffenders7'] = 'off'; + if ($_POST['blockoffenderskill'] == "on") + $natent['blockoffenderskill'] = 'on'; + if ($_POST['blockoffendersip']) + $natent['blockoffendersip'] = $_POST['blockoffendersip']; + + $natent['whitelistname'] = $_POST['whitelistname'] ? $_POST['whitelistname'] : $pconfig['whitelistname']; + $natent['homelistname'] = $_POST['homelistname'] ? $_POST['homelistname'] : $pconfig['homelistname']; + $natent['externallistname'] = $_POST['externallistname'] ? $_POST['externallistname'] : $pconfig['externallistname']; + $natent['suppresslistname'] = $_POST['suppresslistname'] ? $_POST['suppresslistname'] : $pconfig['suppresslistname']; + $natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? $_POST['snortalertlogtype'] : $pconfig['snortalertlogtype']; + if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = 'on'; }else{ $natent['alertsystemlog'] = 'off'; } + if ($_POST['enable']) { $natent['enable'] = 'on'; } else unset($natent['enable']); + if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = 'on'; }else{ $natent['tcpdumplog'] = 'off'; } + if ($_POST['snortunifiedlog'] == "on") { $natent['snortunifiedlog'] = 'on'; }else{ $natent['snortunifiedlog'] = 'off'; } + $natent['configpassthru'] = $_POST['configpassthru'] ? base64_encode($_POST['configpassthru']) : $pconfig['configpassthru']; + /* if optiion = 0 then the old descr way will not work */ + + /* rewrite the options that are not in post */ + /* make shure values are set befor repost or conf.xml will be broken */ + if ($pconfig['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $pconfig['def_ssl_ports_ignore']; } + if ($pconfig['flow_depth'] != "") { $natent['flow_depth'] = $pconfig['flow_depth']; } + if ($pconfig['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $pconfig['max_queued_bytes']; } + if ($pconfig['max_queued_segs'] != "") { $natent['max_queued_segs'] = $pconfig['max_queued_segs']; } + if ($pconfig['perform_stat'] != "") { $natent['perform_stat'] = $pconfig['perform_stat']; } + if ($pconfig['http_inspect'] != "") { $natent['http_inspect'] = $pconfig['http_inspect']; } + if ($pconfig['other_preprocs'] != "") { $natent['other_preprocs'] = $pconfig['other_preprocs']; } + if ($pconfig['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $pconfig['ftp_preprocessor']; } + if ($pconfig['smtp_preprocessor'] != "") { $natent['smtp_preprocessor'] = $pconfig['smtp_preprocessor']; } + if ($pconfig['sf_portscan'] != "") { $natent['sf_portscan'] = $pconfig['sf_portscan']; } + if ($pconfig['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $pconfig['dce_rpc_2']; } + if ($pconfig['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $pconfig['dns_preprocessor']; } + if ($pconfig['def_dns_servers'] != "") { $natent['def_dns_servers'] = $pconfig['def_dns_servers']; } + if ($pconfig['def_dns_ports'] != "") { $natent['def_dns_ports'] = $pconfig['def_dns_ports']; } + if ($pconfig['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $pconfig['def_smtp_servers']; } + if ($pconfig['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $pconfig['def_smtp_ports']; } + if ($pconfig['def_mail_ports'] != "") { $natent['def_mail_ports'] = $pconfig['def_mail_ports']; } + if ($pconfig['def_http_servers'] != "") { $natent['def_http_servers'] = $pconfig['def_http_servers']; } + if ($pconfig['def_www_servers'] != "") { $natent['def_www_servers'] = $pconfig['def_www_servers']; } + if ($pconfig['def_http_ports'] != "") { $natent['def_http_ports'] = $pconfig['def_http_ports']; } + if ($pconfig['def_sql_servers'] != "") { $natent['def_sql_servers'] = $pconfig['def_sql_servers']; } + if ($pconfig['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $pconfig['def_oracle_ports']; } + if ($pconfig['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $pconfig['def_mssql_ports']; } + if ($pconfig['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $pconfig['def_telnet_servers']; } + if ($pconfig['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $pconfig['def_telnet_ports']; } + if ($pconfig['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $pconfig['def_snmp_servers']; } + if ($pconfig['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $pconfig['def_snmp_ports']; } + if ($pconfig['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $pconfig['def_ftp_servers']; } + if ($pconfig['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $pconfig['def_ftp_ports']; } + if ($pconfig['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $pconfig['def_ssh_servers']; } + if ($pconfig['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $pconfig['def_ssh_ports']; } + if ($pconfig['def_pop_servers'] != "") { $natent['def_pop_servers'] = $pconfig['def_pop_servers']; } + if ($pconfig['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $pconfig['def_pop2_ports']; } + if ($pconfig['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $pconfig['def_pop3_ports']; } + if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } + if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } + if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } + if ($pconfig['def_sip_servers'] != "") { $natent['def_sip_servers'] = $pconfig['def_sip_servers']; }else{ $natent['def_sip_servers'] = ""; } + if ($pconfig['def_sip_ports'] != "") { $natent['def_sip_ports'] = $pconfig['def_sip_ports']; }else{ $natent['def_sip_ports'] = ""; } + if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } + if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } + if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } + if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } + if ($pconfig['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $pconfig['def_nntp_ports']; } + if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; } + if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; } + if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } + if ($pconfig['barnyard_enable'] != "") { $natent['barnyard_enable'] = $pconfig['barnyard_enable']; } + if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } + if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } + if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } + if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } + if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } + + + $if_real = snort_get_real_interface($natent['interface']); + + if (isset($id) && $a_nat[$id]) { + if ($natent['interface'] != $a_nat[$id]['interface']) + Running_Stop($snort_uuid, $if_real, $id); + $a_nat[$id] = $natent; + } else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + + sync_snort_package_config(); + sleep(1); + + /* if snort.sh crashed this will remove the pid */ + exec('/bin/rm /tmp/snort.sh.pid'); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces.php"); + + exit; + } + } + + if ($_POST["Submit2"]) { + + sync_snort_package_config(); + sleep(1); + + Running_Start($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces_edit.php?id=$id"); + exit; + } + +$pgtitle = "Snort: Interface Edit: $id $snort_uuid $if_real"; +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php + include("fbegin.inc"); + echo "{$snort_general_css}\n"; +?> + +<noscript> +<div class="alert" ALIGN=CENTER><img + src="/themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please +enable JavaScript to view this content</strong></div> +</noscript> +<script language="JavaScript"> +<!-- + +function enable_blockoffenders() { + var endis = !(document.iform.blockoffenders7.checked); + document.iform.blockoffenderskill.disabled=endis; + document.iform.blockoffendersip.disabled=endis; +} + +function enable_change(enable_change) { + endis = !(document.iform.enable.checked || enable_change); + // make shure a default answer is called if this is envoked. + endis2 = (document.iform.enable); + document.iform.performance.disabled = endis; + document.iform.blockoffenders7.disabled = endis; + document.iform.alertsystemlog.disabled = endis; + document.iform.externallistname.disabled = endis; + document.iform.homelistname.disabled = endis; + document.iform.suppresslistname.disabled = endis; + document.iform.tcpdumplog.disabled = endis; + document.iform.snortunifiedlog.disabled = endis; + document.iform.configpassthru.disabled = endis; +} +//--> +</script> +<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<form action="snort_interfaces_edit.php<?php echo "?id=$id";?>" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<?php + /* Display Alert message */ + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + //if (file_exists($d_snortconfdirty_path)) { + if (file_exists($d_snortconfdirty_path) || file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + echo '<p>'; + + if($savemsg) + print_info_box_np2("{$savemsg}"); + else { + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } +?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), true, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); +?> +</td></tr> + <tr> + <td class="tabnavtbl"> + <?php + if ($a_nat[$id]['interface'] != '') { + /* get the interface name */ + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_array = split(',', $if_list); + if($if_array) { + foreach($if_array as $iface2) { + /* build a list of user specified interfaces -gtm */ + $if2 = snort_get_real_interface($iface2); + if ($if2) + array_push($snortInterfaces, $if2); + } + + if (count($snortInterfaces) < 1) + log_error("Snort will not start. You must select an interface for it to listen on."); + } + + } + ?> + </td> + </tr> + <tr> + <td class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">General Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq2">Enable</td> + <td width="22%" valign="top" class="vtable"> <?php + // <input name="enable" type="checkbox" value="yes" checked onClick="enable_change(false)"> + // care with spaces + if ($pconfig['enable'] == "on") + $checked = checked; + + $onclick_enable = "onClick=\"enable_change(false)\">"; + + echo " + <input name=\"enable\" type=\"checkbox\" value=\"on\" $checked $onclick_enable + Enable or Disable</td>\n\n"; + ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq2">Interface</td> + <td width="78%" class="vtable"> + <select name="interface" class="formfld"> + <?php + if (function_exists('get_configured_interface_with_descr')) + $interfaces = get_configured_interface_with_descr(); + else { + $interfaces = array('wan' => 'WAN', 'lan' => 'LAN'); + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; + } + } + foreach ($interfaces as $iface => $ifacename): ?> + <option value="<?=$iface;?>" + <?php if ($iface == $pconfig['interface']) echo "selected"; ?>><?=htmlspecialchars($ifacename);?> + </option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Choose which interface this rule applies to.<br> + Hint: in most cases, you'll want to use WAN here.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq2">Description</td> + <td width="78%" class="vtable"><input name="descr" type="text" + class="formfld" id="descr" size="40" + value="<?=htmlspecialchars($pconfig['descr']);?>"> <br> + <span class="vexpl">You may enter a description here for your + reference (not parsed).</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Memory Performance</td> + <td width="78%" class="vtable"><select name="performance" + class="formfld" id="performance"> + <?php + $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', 'ac-banded' => 'AC-BANDED', 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS'); + foreach ($interfaces2 as $iface2 => $ifacename2): ?> + <option value="<?=$iface2;?>" + <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename2);?></option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Lowmem and ac-bnfa are recommended for low end + systems, Ac: high memory, best performance, ac-std: moderate + memory,high performance, acs: small memory, moderateperformance, + ac-banded: small memory,moderate performance, ac-sparsebands: small + memory, high performance.<br> + </span></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Choose the networks + snort should inspect and whitelist.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Home net</td> + <td width="78%" class="vtable"><select name="homelistname" + class="formfld" id="homelistname"> + <?php + echo "<option value='default' >default</option>"; + /* find whitelist names and filter by type */ + if (is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) { + foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $value) { + if ($value['snortlisttype'] == 'netlist') { + $ilistname = $value['name']; + if ($ilistname == $pconfig['homelistname']) + echo "<option value='$ilistname' selected>"; + else + echo "<option value='$ilistname'>"; + echo htmlspecialchars($ilistname) . '</option>'; + } + } + } + ?> + </select><br> + <span class="vexpl">Choose the home net you will like this rule to + use. </span> <br/><span class="red">Note:</span> Default home + net adds only local networks.<br> + <span class="red">Hint:</span> Most users add a list of + friendly ips that the firewall cant see.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">External net</td> + <td width="78%" class="vtable"><select name="externallistname" + class="formfld" id="externallistname"> + <?php + echo "<option value='default' >default</option>"; + /* find whitelist names and filter by type */ + if (is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) { + foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $value) { + if ($value['snortlisttype'] == 'netlist') { + $ilistname = $value['name']; + if ($ilistname == $pconfig['externallistname']) + echo "<option value='$ilistname' selected>"; + else + echo "<option value='$ilistname'>"; + echo htmlspecialchars($ilistname) . '</option>'; + } + } + } + ?> + </select><br/> + <span class="vexpl">Choose the external net you will like this rule + to use. </span> <br/><span class="red">Note:</span> Default + external net, networks that are not home net.<br> + <span class="red">Hint:</span> Most users should leave this + setting at default.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Block offenders</td> + <td width="78%" class="vtable"> + <input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on" + <?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?> + onClick="enable_blockoffenders()"><br> + Checking this option will automatically block hosts that generate a + Snort alert.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Kill states</td> + <td width="78%" class="vtable"> + <input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>> + <br/>Should firewall states be killed for the blocked ip + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Which ip to block</td> + <td width="78%" class="vtable"> + <select name="blockoffendersip" class="formfld" id="blockoffendersip"> + <?php + foreach (array("src", "dst", "both") as $btype) { + if ($btype == $pconfig['blockoffendersip']) + echo "<option value='{$btype}' selected>"; + else + echo "<option value='{$btype}'>"; + echo htmlspecialchars($btype) . '</option>'; + } + ?> + </select> + <br/> Which ip extracted from the packet you want to block + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Whitelist</td> + <td width="78%" class="vtable"> + <select name="whitelistname" class="formfld" id="whitelistname"> + <?php + /* find whitelist names and filter by type, make sure to track by uuid */ + echo "<option value='default' >default</option>\n"; + if (is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) { + foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $value) { + if ($value['snortlisttype'] == 'whitelist') { + if ($value['name'] == $pconfig['whitelistname']) + echo "<option value='{$value['name']}' selected>"; + else + echo "<option value='{$value['name']}'>"; + echo htmlspecialchars($value['name']) . '</option>'; + } + } + } + ?> + </select><br> + <span class="vexpl">Choose the whitelist you will like this rule to + use. </span> <br/><span class="red">Note:</span> Default + whitelist adds only local networks.<br/> + <span class="red">Note:</span> This option will only be used when block offenders is on. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Suppression and + filtering</td> + <td width="78%" class="vtable"> + <select name="suppresslistname" class="formfld" id="suppresslistname"> + <?php + echo "<option value='default' >default</option>\n"; + if (is_array($config['installedpackages']['snortglobal']['suppress']['item'])) { + $slist_select = $config['installedpackages']['snortglobal']['suppress']['item']; + foreach ($slist_select as $value) { + $ilistname = $value['name']; + if ($ilistname == $pconfig['suppresslistname']) + echo "<option value='$ilistname' selected>"; + else + echo "<option value='$ilistname'>"; + echo htmlspecialchars($ilistname) . '</option>'; + } + } + ?> + </select><br> + <span class="vexpl">Choose the suppression or filtering file you + will like this rule to use. </span> <br/><span class="red">Note:</span> Default + option disables suppression and filtering.</td> + </tr> + + <tr> + <td colspan="2" valign="top" class="listtopic">Choose the types of + logs snort should create.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Send alerts to main + System logs</td> + <td width="78%" class="vtable"><input name="alertsystemlog" + type="checkbox" value="on" + <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Snort will send Alerts to the firewall's system logs.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Log to a Tcpdump file</td> + <td width="78%" class="vtable"><input name="tcpdumplog" + type="checkbox" value="on" + <?php if ($pconfig['tcpdumplog'] == "on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Snort will log packets to a tcpdump-formatted file. The file then + can be analyzed by an application such as Wireshark which + understands pcap file formats. <span class="red"><strong>WARNING:</strong></span> + File may become large.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Log Alerts to a snort + unified2 file</td> + <td width="78%" class="vtable"><input name="snortunifiedlog" + type="checkbox" value="on" + <?php if ($pconfig['snortunifiedlog'] == "on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Snort will log Alerts to a file in the UNIFIED2 format. This is a + requirement for barnyard2.</td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Arguments here will + be automatically inserted into the snort configuration.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Advanced configuration + pass through</td> + <td width="78%" class="vtable"><textarea wrap="off" + name="configpassthru" cols="75" rows="12" id="configpassthru" + class="formpre2"><?=htmlspecialchars($pconfig['configpassthru']);?></textarea> + </td> + </tr> + <tr> + <td width="22%" valign="top"></td> + <td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save"> + <?php if (isset($id) && $a_nat[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>"> + <?php endif; ?></td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <br> + Please save your settings before you click start. </td> + </tr> + </table> + +</table> +</form> + +<script language="JavaScript"> +<!-- +enable_change(false); +enable_blockoffenders(); +//--> +</script> + +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort-dev2/snort_interfaces_global.php b/config/snort-dev2/snort_interfaces_global.php new file mode 100644 index 00000000..a267f561 --- /dev/null +++ b/config/snort-dev2/snort_interfaces_global.php @@ -0,0 +1,437 @@ +<?php +/* + snort_interfaces_global.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Copyright (C) 2008-2009 Robert Zelaya + Modified for the Pfsense snort package. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$d_snort_global_dirty_path = '/var/run/snort_global.dirty'; + +/* make things short */ +$pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; +$pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; +$pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; +$pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; +$pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; +$pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; +$pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype']; +$pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings']; + +/* if no errors move foward */ +if (!$input_errors) { + + if ($_POST["Submit"]) { + + $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; + $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; + $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; + if ($_POST['snortloglimitsize']) { + $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit']; + $config['installedpackages']['snortglobal']['snortloglimitsize'] = $_POST['snortloglimitsize']; + } else { + $config['installedpackages']['snortglobal']['snortloglimit'] = 'on'; + + /* code will set limit to 21% of slice that is unused */ + $snortloglimitDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') * .22 / 1024); + $config['installedpackages']['snortglobal']['snortloglimitsize'] = $snortloglimitDSKsize; + } + $config['installedpackages']['snortglobal']['autorulesupdate7'] = $_POST['autorulesupdate7']; + $config['installedpackages']['snortglobal']['snortalertlogtype'] = $_POST['snortalertlogtype']; + $config['installedpackages']['snortglobal']['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off'; + + $retval = 0; + + $snort_snortloglimit_info_ck = $config['installedpackages']['snortglobal']['snortloglimit']; + snort_snortloglimit_install_cron($snort_snortloglimit_info_ck == 'ok' ? true : false); + + /* set the snort block hosts time IMPORTANT */ + $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "never_b") + $snort_rm_blocked_false = false; + else + $snort_rm_blocked_false = true; + + snort_rm_blocked_install_cron($snort_rm_blocked_false); + + /* set the snort rules update time */ + $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; + if ($snort_rules_up_info_ck == "never_up") + $snort_rules_up_false = false; + else + $snort_rules_up_false = true; + + snort_rules_up_install_cron($snort_rules_up_false); + + configure_cron(); + write_config(); + + /* create whitelist and homenet file then sync files */ + sync_snort_package_config(); + + /* forces page to reload new settings */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces_global.php"); + exit; + } +} + + +if ($_POST["Reset"]) { + + function snort_deinstall_settings() { + global $config, $g, $id, $if_real; + + exec("/usr/usr/bin/killall snort"); + sleep(2); + exec("/usr/usr/bin/killall -9 snort"); + sleep(2); + exec("/usr/usr/bin/killall barnyard2"); + sleep(2); + exec("/usr/usr/bin/killall -9 barnyard2"); + sleep(2); + + /* Remove snort cron entries Ugly code needs smoothness*/ + if (!function_exists('snort_deinstall_cron')) { + function snort_deinstall_cron($cronmatch) { + global $config, $g; + + + if(!$config['cron']['item']) + return; + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], $cronmatch)) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) + unset($config['cron']['item'][$x]); + + configure_cron(); + } + } + + snort_deinstall_cron("snort2c"); + snort_deinstall_cron("snort_check_for_rule_updates.php"); + + + /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ + /* Keep this as a last step */ + unset($config['installedpackages']['snortglobal']); + + /* remove all snort iface dir */ + exec('rm -r /usr/local/etc/snort/snort_*'); + exec('rm /var/log/snort/*'); + } + + snort_deinstall_settings(); + write_config(); /* XXX */ + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces_global.php"); + exit; +} + +$pgtitle = 'Services: Snort: Global Settings'; +include_once("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> + +<?php +echo "{$snort_general_css}\n"; +echo "$snort_interfaces_css\n"; + +include_once("fbegin.inc"); + +if($pfsense_stable == 'yes') + echo '<p class="pgtitle">' . $pgtitle . '</p>'; +?> + +<noscript> +<div class="alert" ALIGN=CENTER><img + src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please +enable JavaScript to view this content +</CENTER></div> +</noscript> + +<form action="snort_interfaces_global.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<?php + /* Display Alert message, under form tag or no refresh */ + if ($input_errors) + print_input_errors($input_errors); // TODO: add checks + + if (!$input_errors) { + if (file_exists($d_snort_global_dirty_path)) { + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } +?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), true, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Help"), false, "/snort/help_and_info.php"); + display_top_tabs($tab_array); +?> +</td></tr> +<tr> + <td class="tabcont"> + <table id="maintable2" width="100%" border="0" cellpadding="6" + cellspacing="0"> + <tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Please Choose The + Type Of Rules You Wish To Download</td> + </tr> + <td width="22%" valign="top" class="vncell2">Install Snort.org rules</td> + <td width="78%" class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td colspan="2"><input name="snortdownload" type="radio" + id="snortdownload" value="off" onClick="enable_change(false)" + <?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?>> + Do <strong>NOT</strong> Install</td> + </tr> + <tr> + <td colspan="2"><input name="snortdownload" type="radio" + id="snortdownload" value="on" onClick="enable_change(false)" + <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>> Install + Basic Rules or Premium rules <br> + <a + href="https://www.snort.org/signup" target="_blank">Sign Up for a + Basic Rule Account</a><br> + <a + href="http://www.snort.org/vrt/buy-a-subscription" + target="_blank">Sign Up for Sourcefire VRT Certified Premium + Rules. This Is Highly Recommended</a></td> + </tr> + <tr> + <td> </td> + </tr> + </table> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="optsect_t2">Oinkmaster code</td> + </tr> + <tr> + <td class="vncell2" valign="top">Code</td> + <td class="vtable"><input name="oinkmastercode" type="text" + class="formfld" id="oinkmastercode" size="52" + value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br> + Obtain a snort.org Oinkmaster code and paste here.</td> + + </table> + + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Install <strong>Emergingthreats</strong> + rules</td> + <td width="78%" class="vtable"><input name="emergingthreats" + type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Emerging Threats is an open source community that produces fastest + moving and diverse Snort Rules.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Update rules + automatically</td> + <td width="78%" class="vtable"><select name="autorulesupdate7" + class="formfld" id="autorulesupdate7"> + <?php + $interfaces3 = array('never_up' => 'NEVER', '6h_up' => '6 HOURS', '12h_up' => '12 HOURS', '1d_up' => '1 DAY', '4d_up' => '4 DAYS', '7d_up' => '7 DAYS', '28d_up' => '28 DAYS'); + foreach ($interfaces3 as $iface3 => $ifacename3): ?> + <option value="<?=$iface3;?>" + <?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename3);?></option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Please select the update times for rules.<br> + Hint: in most cases, every 12 hours is a good choice.</span></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">General Settings</td> + </tr> + + <tr> + <?php $snortlogCurrentDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') / 1024); ?> + <td width="22%" valign="top" class="vncell2">Log Directory Size + Limit<br> + <br> + <br> + <br> + <br> + <br> + <span class="red"><strong>Note</span>:</strong><br> + Available space is <strong><?php echo $snortlogCurrentDSKsize; ?>MB</strong></td> + <td width="78%" class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td colspan="2"><input name="snortloglimit" type="radio" + id="snortloglimit" value="on" onClick="enable_change(false)" + <?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>> + <strong>Enable</strong> directory size limit (<strong>Default</strong>)</td> + </tr> + <tr> + <td colspan="2"><input name="snortloglimit" type="radio" + id="snortloglimit" value="off" onClick="enable_change(false)" + <?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <strong>Disable</strong> + directory size limit<br> + <br> + <span class="red"><strong>Warning</span>:</strong> Nanobsd + should use no more than 10MB of space.</td> + </tr> + <tr> + <td> </td> + </tr> + </table> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td class="vncell3">Size in <strong>MB</strong></td> + <td class="vtable"><input name="snortloglimitsize" type="text" + class="formfld" id="snortloglimitsize" size="7" + value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> + Default is <strong>20%</strong> of available space.</td> + + </table> + + </tr> + + <tr> + <td width="22%" valign="top" class="vncell2">Remove blocked hosts + every</td> + <td width="78%" class="vtable"><select name="rm_blocked" + class="formfld" id="rm_blocked"> + <?php + $interfaces3 = array('never_b' => 'NEVER', '1h_b' => '1 HOUR', '3h_b' => '3 HOURS', '6h_b' => '6 HOURS', '12h_b' => '12 HOURS', '1d_b' => '1 DAY', '4d_b' => '4 DAYS', '7d_b' => '7 DAYS', '28d_b' => '28 DAYS'); + foreach ($interfaces3 as $iface3 => $ifacename3): ?> + <option value="<?=$iface3;?>" + <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename3);?></option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Please select the amount of time you would like + hosts to be blocked for.<br> + Hint: in most cases, 1 hour is a good choice.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Alerts file description + type</td> + <td width="78%" class="vtable"><select name="snortalertlogtype" + class="formfld" id="snortalertlogtype"> + <?php + $interfaces4 = array('full' => 'FULL', 'fast' => 'SHORT'); + foreach ($interfaces4 as $iface4 => $ifacename4): ?> + <option value="<?=$iface4;?>" + <?php if ($iface4 == $pconfig['snortalertlogtype']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename4);?></option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Please choose the type of Alert logging you will + like see in your alert file.<br> + Hint: Best pratice is to chose full logging.</span> <span + class="red"><strong>WARNING:</strong></span> <strong>On + change, alert file will be cleared.</strong></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Keep snort settings + after deinstall</td> + <td width="78%" class="vtable"><input name="forcekeepsettings" + id="forcekeepsettings" type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Settings will not be removed during deinstall.</td> + </tr> + <tr> + <td width="22%" valign="top"><input name="Reset" type="submit" + class="formbtn" value="Reset" + onclick="return confirm('Do you really want to delete all global and interface settings?')"><span + class="red"><strong> WARNING:</strong><br> + This will reset all global and interface settings.</span></td> + <td width="78%"><input name="Submit" type="submit" class="formbtn" + value="Save" onClick="enable_change(true)"> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:<br> + </strong></span> Changing any settings on this page will affect all + interfaces. Please, double check if your oink code is correct and + the type of snort.org account you hold.</span></td> + </tr> + </table> + </td> + </tr> +</table> +</form> + +</div> + + <?php include("fend.inc"); ?> + + <?php echo "$snort_custom_rnd_box\n"; ?> + +</body> +</html> diff --git a/config/snort-dev2/snort_interfaces_suppress.php b/config/snort-dev2/snort_interfaces_suppress.php new file mode 100644 index 00000000..4eeed42d --- /dev/null +++ b/config/snort-dev2/snort_interfaces_suppress.php @@ -0,0 +1,171 @@ +<?php +/* $Id$ */ +/* + Copyright (C) 2004 Scott Ullrich + Copyright (C) 2011 Ermal Luci + All rights reserved. + + originially part of m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + + +if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); +$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; +$id_gen = count($config['installedpackages']['snortglobal']['suppress']['item']); + +$d_suppresslistdirty_path = '/var/run/snort_suppress.dirty'; + +if ($_GET['act'] == "del") { + if ($a_suppress[$_GET['id']]) { + /* make sure rule is not being referenced by any nat or filter rules */ + + unset($a_suppress[$_GET['id']]); + write_config(); + filter_configure(); + header("Location: /snort/snort_interfaces_suppress.php"); + exit; + } +} + +$pgtitle = "Services: Snort: Suppression"; +include_once("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> + +<?php +include_once("fbegin.inc"); +echo $snort_general_css; +?> + +<div class="body2"><?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<form action="/snort/snort_interfaces_suppress.php" method="post"><?php if ($savemsg) print_info_box($savemsg); ?> +<?php if (file_exists($d_suppresslistdirty_path)): ?> +<p><?php print_info_box_np("The white list has been changed.<br>You must apply the changes in order for them to take effect.");?> +<?php endif; ?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), true, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Help"), false, "/snort/help_and_info.php"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td class="tabcont"> + + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + + <tr> + <td width="30%" class="listhdrr">File Name</td> + <td width="70%" class="listhdr">Description</td> + + <td width="10%" class="list"></td> + </tr> + <?php $i = 0; foreach ($a_suppress as $list): ?> + <tr> + <td class="listlr" + ondblclick="document.location='snort_interfaces_suppress_edit.php?id=<?=$i;?>';"> + <?=htmlspecialchars($list['name']);?></td> + <td class="listbg" + ondblclick="document.location='snort_interfaces_suppress_edit.php?id=<?=$i;?>';"> + <font color="#FFFFFF"> <?=htmlspecialchars($list['descr']);?> + </td> + + <td valign="middle" nowrap class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a + href="snort_interfaces_suppress_edit.php?id=<?=$i;?>"><img + src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="edit whitelist"></a></td> + <td><a + href="/snort/snort_interfaces_suppress.php?act=del&id=<?=$i;?>" + onclick="return confirm('Do you really want to delete this whitelist? All elements that still use it will become invalid (e.g. snort rules will fall back to the default whitelist)!')"><img + src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" border="0" title="delete whitelist"></a></td> + </tr> + </table> + </td> + </tr> + <?php $i++; endforeach; ?> + <tr> + <td class="list" colspan="2"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle" width="17"> </td> + <td valign="middle"><a + href="snort_interfaces_suppress_edit.php?id=<?php echo $id_gen;?> "><img + src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="add a new list"></a></td> + </tr> + </table> + </td> + </tr> + </table> + </td> + </tr> +</table> +<br> +<table class="tabcont" width="100%" border="0" cellpadding="0" + cellspacing="0"> + <td width="100%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <p><span class="vexpl">Here you can create event filtering and + suppression for your snort package rules.<br> + Please note that you must restart a running rule so that changes can + take effect.</span></p></td> +</table> + +</form> + +</div> + +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort-dev2/snort_interfaces_suppress_edit.php b/config/snort-dev2/snort_interfaces_suppress_edit.php new file mode 100644 index 00000000..7303349f --- /dev/null +++ b/config/snort-dev2/snort_interfaces_suppress_edit.php @@ -0,0 +1,295 @@ +<?php +/* $Id$ */ +/* + firewall_aliases_edit.php + Copyright (C) 2004 Scott Ullrich + All rights reserved. + + originially part of m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); +$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (!is_numeric($id)) + $id = 0; // XXX: safety belt + + +/* gen uuid for each iface */ +if (is_array($config['installedpackages']['snortglobal']['suppress']['item'][$id])) { + if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] == '') { + //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); + $suppress_uuid = 0; + while ($suppress_uuid > 65535 || $suppress_uuid == 0) { + $suppress_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $suppress_uuid; + } + } else if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] != '') { + $suppress_uuid = $config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid']; + } +} + +$d_snort_suppress_dirty_path = '/var/run/snort_suppress.dirty'; + +/* returns true if $name is a valid name for a whitelist file name or ip */ +function is_validwhitelistname($name) { + if (!is_string($name)) + return false; + + if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + return true; + + return false; +} + +if (isset($id) && $a_suppress[$id]) { + + /* old settings */ + $pconfig['name'] = $a_suppress[$id]['name']; + $pconfig['uuid'] = $a_suppress[$id]['uuid']; + $pconfig['descr'] = $a_suppress[$id]['descr']; + $pconfig['suppresspassthru'] = base64_decode($a_suppress[$id]['suppresspassthru']); +} + +if ($_POST['submit']) { + + unset($input_errors); + $pconfig = $_POST; + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if(strtolower($_POST['name']) == "defaultwhitelist") + $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; + + $x = is_validwhitelistname($_POST['name']); + if (!isset($x)) { + $input_errors[] = "Reserved word used for whitelist file name."; + } else { + if (is_validwhitelistname($_POST['name']) == false) + $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; + } + + + /* check for name conflicts */ + foreach ($a_suppress as $s_list) { + if (isset($id) && ($a_suppress[$id]) && ($a_suppress[$id] === $s_list)) + continue; + + if ($s_list['name'] == $_POST['name']) { + $input_errors[] = "A whitelist file name with this name already exists."; + break; + } + } + + + if (!$input_errors) { + $s_list = array(); + $s_list['name'] = $_POST['name']; + $s_list['uuid'] = $suppress_uuid; + $s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']); + + if (isset($id) && $a_suppress[$id]) + $a_suppress[$id] = $s_list; + else + $a_suppress[] = $s_list; + + write_config(); + + sync_snort_package_config(); + + header("Location: /snort/snort_interfaces_suppress.php"); + exit; + } + +} + +$pgtitle = "Services: Snort: Suppression: Edit $suppress_uuid"; +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php +include("fbegin.inc"); +echo $snort_general_css; +?> + +<div class="body2"><?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<?php if ($input_errors) print_input_errors($input_errors); ?> +<div id="inputerrors"></div> + +<form action="/snort/snort_interfaces_suppress_edit.php?id=<?=$id?>" + method="post" name="iform" id="iform"><?php + /* Display Alert message */ + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + //if (file_exists($d_snortconfdirty_path)) { + if (file_exists($d_snort_suppress_dirty_path)) { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } + ?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabnavtbl"> + + <div class="newtabmenu" style="margin: 1px 0px; width: 775px;"><!-- Tabbed bar code--> + <ul class="newtabmenu"> + <li><a href="/snort/snort_interfaces.php"><span>Snort Interfaces</span></a></li> + <li><a href="/snort/snort_interfaces_global.php"><span>Global + Settings</span></a></li> + <li><a href="/snort/snort_download_updates.php"><span>Updates</span></a></li> + <li><a href="/snort/snort_alerts.php"><span>Alerts</span></a></li> + <li><a href="/snort/snort_blocked.php"><span>Blocked</span></a></li> + <li><a href="/snort/snort_interfaces_whitelist.php"><span>Whitelists</span></a></li> + <li class="newtabmenu_active"><a + href="/snort/snort_interfaces_suppress.php"><span>Suppress</span></a></li> + <li><a class="example8" href="/snort/help_and_info.php"><span>Help</span></a></li> + </ul> + </div> + + </td> + </tr> + + <tr> + <td class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">Add the name and + description of the file.</td> + </tr> + <tr> + <td valign="top" class="vncellreq2">Name</td> + <td class="vtable"><input name="name" type="text" id="name" + size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> + <span class="vexpl"> The list name may only consist of the + characters a-z, A-Z and 0-9. <span class="red">Note: </span> No + Spaces. </span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Description</td> + <td width="78%" class="vtable"><input name="descr" type="text" + id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br /> + <span class="vexpl"> You may enter a description here for your + reference (not parsed). </span></td> + </tr> + </table> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <table height="32" width="100%"> + <tr> + <td> + <div style='background-color: #E0E0E0' id='redbox'> + <table width='100%'> + <tr> + <td width='8%'> <img + style='vertical-align: middle' + src="/snort/images/icon_excli.png" width="40" height="32"></td> + <td width='70%'><font size="2" color='#FF850A'><b>NOTE:</b></font> + <font size="2" color='#000000'> The threshold keyword + is deprecated as of version 2.8.5. Use the event_filter keyword + instead.</font></td> + </tr> + </table> + </div> + </td> + </tr> + <script type="text/javascript"> + NiftyCheck(); + Rounded("div#redbox","all","#FFF","#E0E0E0","smooth"); + Rounded("td#blackbox","all","#FFF","#000000","smooth"); + </script> + <tr> + <td colspan="2" valign="top" class="listtopic">Apply suppression or + filters to rules. Valid keywords are 'suppress', 'event_filter' and + 'rate_filter'.</td> + </tr> + <tr> + <td colspan="2" valign="top" class="vncell"><b>Example 1;</b> + suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54<br> + <b>Example 2;</b> event_filter gen_id 1, sig_id 1851, type limit, + track by_src, count 1, seconds 60<br> + <b>Example 3;</b> rate_filter gen_id 135, sig_id 1, track by_src, + count 100, seconds 1, new_action log, timeout 10</td> + </tr> + <tr> + <td width="100%" class="vtable"><textarea wrap="off" + name="suppresspassthru" cols="142" rows="28" id="suppresspassthru" + class="formpre"><?=htmlspecialchars($pconfig['suppresspassthru']);?></textarea> + </td> + </tr> + <tr> + <td width="78%"><input id="submit" name="submit" type="submit" + class="formbtn" value="Save" /> <input id="cancelbutton" + name="cancelbutton" type="button" class="formbtn" value="Cancel" + onclick="history.back()" /> <?php if (isset($id) && $a_suppress[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>" /> <?php endif; ?> + </td> + </tr> + </table> + </table> + </td> + </tr> +</table> +</form> + +</div> + + <?php include("fend.inc"); ?> + +</body> +</html> diff --git a/config/snort-dev2/snort_interfaces_whitelist.php b/config/snort-dev2/snort_interfaces_whitelist.php new file mode 100644 index 00000000..2dc2d491 --- /dev/null +++ b/config/snort-dev2/snort_interfaces_whitelist.php @@ -0,0 +1,189 @@ +<?php +/* $Id$ */ +/* + firewall_aliases.php + Copyright (C) 2004 Scott Ullrich + Copyright (C) 2011 Ermal Luci + All rights reserved. + + originially part of m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + + +if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) +$config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + +//aliases_sort(); << what ? +$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; + +if (isset($config['installedpackages']['snortglobal']['whitelist']['item'])) { + $id_gen = count($config['installedpackages']['snortglobal']['whitelist']['item']); +}else{ + $id_gen = '0'; +} + +$d_whitelistdirty_path = '/var/run/snort_whitelist.dirty'; + +if ($_GET['act'] == "del") { + if ($a_whitelist[$_GET['id']]) { + /* make sure rule is not being referenced by any nat or filter rules */ + + unset($a_whitelist[$_GET['id']]); + write_config(); + filter_configure(); + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; + } +} + +$pgtitle = "Services: Snort: Whitelist"; +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php +include_once("fbegin.inc"); +echo $snort_general_css; +?> + +<div class="body2"><?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<form action="/snort/snort_interfaces_whitelist.php" method="post"><?php if ($savemsg) print_info_box($savemsg); ?> +<?php if (file_exists($d_whitelistdirty_path)): ?> +<p><?php print_info_box_np("The white list has been changed.<br>You must apply the changes in order for them to take effect.");?> +<?php endif; ?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), true, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Help"), false, "/snort/help_and_info.php"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td class="tabcont"> + + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + + <tr> + <td width="20%" class="listhdrr">File Name</td> + <td width="40%" class="listhdrr">Values</td> + <td width="40%" class="listhdr">Description</td> + <td width="10%" class="list"></td> + </tr> + <?php $i = 0; foreach ($a_whitelist as $list): ?> + <tr> + <td class="listlr" + ondblclick="document.location='snort_interfaces_whitelist_edit.php?id=<?=$i;?>';"> + <?=htmlspecialchars($list['name']);?></td> + <td class="listr" + ondblclick="document.location='snort_interfaces_whitelist_edit.php?id=<?=$i;?>';"> + <?php + $addresses = implode(", ", array_slice(explode(" ", $list['address']), 0, 10)); + echo $addresses; + if(count($addresses) < 10) { + echo " "; + } else { + echo "..."; + } + ?></td> + <td class="listbg" + ondblclick="document.location='snort_interfaces_whitelist_edit.php?id=<?=$i;?>';"> + <font color="#FFFFFF"> <?=htmlspecialchars($list['descr']);?> + </td> + <td valign="middle" nowrap class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a + href="snort_interfaces_whitelist_edit.php?id=<?=$i;?>"><img + src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="edit whitelist"></a></td> + <td><a + href="/snort/snort_interfaces_whitelist.php?act=del&id=<?=$i;?>" + onclick="return confirm('Do you really want to delete this whitelist? All elements that still use it will become invalid (e.g. snort rules will fall back to the default whitelist)!')"><img + src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" border="0" title="delete whitelist"></a></td> + </tr> + </table> + </td> + </tr> + <?php $i++; endforeach; ?> + <tr> + <td class="list" colspan="3"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle" width="17"> </td> + <td valign="middle"><a + href="snort_interfaces_whitelist_edit.php?id=<?php echo $id_gen;?> "><img + src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="add a new list"></a></td> + </tr> + </table> + </td> + </tr> + </table> + </td> + </tr> +</table> +<br> +<table class="tabcont" width="100%" border="0" cellpadding="0" + cellspacing="0"> + <td width="100%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <p><span class="vexpl">Here you can create whitelist files for your + snort package rules.<br> + Please add all the ips or networks you want to protect against snort + block decisions.<br> + Remember that the default whitelist only includes local networks.<br> + Be careful, it is very easy to get locked out of you system.</span></p></td> +</table> + +</form> + +</div> + +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort-dev2/snort_interfaces_whitelist_edit.php b/config/snort-dev2/snort_interfaces_whitelist_edit.php new file mode 100644 index 00000000..fe3c54a5 --- /dev/null +++ b/config/snort-dev2/snort_interfaces_whitelist_edit.php @@ -0,0 +1,414 @@ +<?php +/* $Id$ */ +/* + firewall_aliases_edit.php + Copyright (C) 2004 Scott Ullrich + Copyright (C) 2011 Ermal Luci + All rights reserved. + + originially part of m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + +$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; +} + +/* gen uuid for each iface !inportant */ +if ($config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid'] == '') { + $whitelist_uuid = 0; + while ($whitelist_uuid > 65535 || $whitelist_uuid == 0) { + $whitelist_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $whitelist_uuid; + } +} else if ($config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid'] != '') { + $whitelist_uuid = $config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid']; +} + +$d_snort_whitelist_dirty_path = '/var/run/snort_whitelist.dirty'; + +/* returns true if $name is a valid name for a whitelist file name or ip */ +function is_validwhitelistname($name) { + if (!is_string($name)) + return false; + + if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + return true; + + return false; +} + + +if (isset($id) && $a_whitelist[$id]) { + + /* old settings */ + $pconfig = array(); + $pconfig['name'] = $a_whitelist[$id]['name']; + $pconfig['uuid'] = $a_whitelist[$id]['uuid']; + $pconfig['detail'] = $a_whitelist[$id]['detail']; + $pconfig['snortlisttype'] = $a_whitelist[$id]['snortlisttype']; + $pconfig['address'] = $a_whitelist[$id]['address']; + $pconfig['descr'] = html_entity_decode($a_whitelist[$id]['descr']); + $pconfig['wanips'] = $a_whitelist[$id]['wanips']; + $pconfig['wangateips'] = $a_whitelist[$id]['wangateips']; + $pconfig['wandnsips'] = $a_whitelist[$id]['wandnsips']; + $pconfig['vips'] = $a_whitelist[$id]['vips']; + $pconfig['vpnips'] = $a_whitelist[$id]['vpnips']; + $addresses = explode(' ', $pconfig['address']); + $address = explode(" ", $addresses[0]); +} + +if ($_POST['submit']) { + + conf_mount_rw(); + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "name"); + $reqdfieldsn = explode(",", "Name"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if(strtolower($_POST['name']) == "defaultwhitelist") + $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; + + $x = is_validwhitelistname($_POST['name']); + if (!isset($x)) { + $input_errors[] = "Reserved word used for whitelist file name."; + } else { + if (is_validwhitelistname($_POST['name']) == false) + $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; + } + + /* check for name conflicts */ + foreach ($a_whitelist as $w_list) { + if (isset($id) && ($a_whitelist[$id]) && ($a_whitelist[$id] === $w_list)) + continue; + + if ($w_list['name'] == $_POST['name']) { + $input_errors[] = "A whitelist file name with this name already exists."; + break; + } + } + + $isfirst = 0; + $address = ""; + $final_address_details .= ""; + /* add another entry code */ + for($x=0; $x<499; $x++) { + if (!empty($_POST["address{$x}"])) { + if ($is_first > 0) + $address .= " "; + $address .= $_POST["address{$x}"]; + if ($_POST["address_subnet{$x}"] <> "") + $address .= "" . $_POST["address_subnet{$x}"]; + + /* Compress in details to a single key, data separated by pipes. + Pulling details here lets us only pull in details for valid + address entries, saving us from having to track which ones to + process later. */ + $final_address_detail = mb_convert_encoding($_POST["detail{$x}"],'HTML-ENTITIES','auto'); + if ($final_address_detail <> "") + $final_address_details .= $final_address_detail; + else { + $final_address_details .= "Entry added" . " "; + $final_address_details .= date('r'); + } + $final_address_details .= "||"; + $is_first++; + } + } + + if (!$input_errors) { + $w_list = array(); + /* post user input */ + $w_list['name'] = $_POST['name']; + $w_list['uuid'] = $whitelist_uuid; + $w_list['snortlisttype'] = $_POST['snortlisttype']; + $w_list['wanips'] = $_POST['wanips']? 'yes' : 'no'; + $w_list['wangateips'] = $_POST['wangateips']? 'yes' : 'no'; + $w_list['wandnsips'] = $_POST['wandnsips']? 'yes' : 'no'; + $w_list['vips'] = $_POST['vips']? 'yes' : 'no'; + $w_list['vpnips'] = $_POST['vpnips']? 'yes' : 'no'; + + $w_list['address'] = $address; + $w_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $w_list['detail'] = $final_address_details; + + if (isset($id) && $a_whitelist[$id]) + $a_whitelist[$id] = $w_list; + else + $a_whitelist[] = $w_list; + + write_config(); + + /* create whitelist and homenet file then sync files */ + sync_snort_package_config(); + + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; + } else { + $pconfig['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $pconfig['address'] = $address; + $pconfig['detail'] = $final_address_details; + } + +} + +$pgtitle = "Services: Snort: Whitelist: Edit $whitelist_uuid"; +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +echo $snort_general_css; +?> +<script type="text/javascript" src="/javascript/row_helper.js"></script> + <input type='hidden' name='address_type' value='textbox' /> + <script type="text/javascript"> + + rowname[0] = "address"; + rowtype[0] = "textbox"; + rowsize[0] = "20"; + + rowname[1] = "detail"; + rowtype[1] = "textbox"; + rowsize[1] = "30"; +</script> + +<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<?php if ($input_errors) print_input_errors($input_errors); ?> +<div id="inputerrors"></div> + +<form action="snort_interfaces_whitelist_edit.php" method="post" name="iform" id="iform"> +<?php + /* Display Alert message */ + if ($input_errors) + print_input_errors($input_errors); // TODO: add checks + + if ($savemsg) + print_info_box2($savemsg); + +?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabcont"> + + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">Add the name and + description of the file.</td> + </tr> + <tr> + <td valign="top" class="vncellreq2">Name</td> + <td class="vtable"><input name="name" type="text" id="name" + size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> + <span class="vexpl"> The list name may only consist of the + characters a-z, A-Z and 0-9. <span class="red">Note: </span> No + Spaces. </span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Description</td> + <td width="78%" class="vtable"><input name="descr" type="text" + id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br /> + <span class="vexpl"> You may enter a description here for your + reference (not parsed). </span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">List Type</td> + <td width="78%" class="vtable"> + + <div + style="padding: 5px; margin-top: 16px; margin-bottom: 16px; border: 1px dashed #ff3333; background-color: #eee; color: #000; font-size: 8pt;" + id="itemhelp"><strong>WHITELIST:</strong> This + list specifies addresses that Snort Package should not block.<br> + <br> + <strong>NETLIST:</strong> This list is for defining + addresses as $HOME_NET or $EXTERNAL_NET in the snort.conf file.</div> + + <select name="snortlisttype" class="formfld" id="snortlisttype"> + <?php + $interfaces4 = array('whitelist' => 'WHITELIST', 'netlist' => 'NETLIST'); + foreach ($interfaces4 as $iface4 => $ifacename4): ?> + <option value="<?=$iface4;?>" + <?php if ($iface4 == $pconfig['snortlisttype']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename4);?></option> + <?php endforeach; ?> + </select> <span class="vexpl"> Choose the type of + list you will like see in your <span class="red">Interface Edit Tab</span>. + </span></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Add auto generated + ips.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">WAN IPs</td> + <td width="78%" class="vtable"><input name="wanips" type="checkbox" + id="wanips" size="40" value="yes" + <?php if($pconfig['wanips'] == 'yes'){ echo "checked";} if($pconfig['wanips'] == ''){ echo "checked";} ?> /> + <span class="vexpl"> Add WAN IPs to the list. </span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Wan Gateways</td> + <td width="78%" class="vtable"><input name="wangateips" + type="checkbox" id="wangateips" size="40" value="yes" + <?php if($pconfig['wangateips'] == 'yes'){ echo "checked";} if($pconfig['wangateips'] == ''){ echo "checked";} ?> /> + <span class="vexpl"> Add WAN Gateways to the list. </span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Wan DNS servers</td> + <td width="78%" class="vtable"><input name="wandnsips" + type="checkbox" id="wandnsips" size="40" value="yes" + <?php if($pconfig['wandnsips'] == 'yes'){ echo "checked";} if($pconfig['wandnsips'] == ''){ echo "checked";} ?> /> + <span class="vexpl"> Add WAN DNS servers to the list. </span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Virtual IP Addresses</td> + <td width="78%" class="vtable"><input name="vips" type="checkbox" + id="vips" size="40" value="yes" + <?php if($pconfig['vips'] == 'yes'){ echo "checked";} if($pconfig['vips'] == ''){ echo "checked";} ?> /> + <span class="vexpl"> Add Virtual IP Addresses to the list. </span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">VPNs</td> + <td width="78%" class="vtable"><input name="vpnips" type="checkbox" + id="vpnips" size="40" value="yes" + <?php if($pconfig['vpnips'] == 'yes'){ echo "checked";} if($pconfig['vpnips'] == ''){ echo "checked";} ?> /> + <span class="vexpl"> Add VPN Addresses to the list. </span></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Add your own custom + ips.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq2"> + <div id="addressnetworkport">IP or CIDR items</div> + </td> + <td width="78%" class="vtable"> + <table id="maintable"> + <tbody> + <tr> + <td colspan="4"> + <div + style="padding: 5px; margin-top: 16px; margin-bottom: 16px; border: 1px dashed #ff3333; background-color: #eee; color: #000; font-size: 8pt;" + id="itemhelp">For <strong>WHITELIST's</strong> enter <strong>ONLY + IPs not CIDRs</strong>. Example: 192.168.4.1<br> + <br> + For <strong>NETLIST's</strong> you may enter <strong>IPs and + CIDRs</strong>. Example: 192.168.4.1 or 192.168.4.0/24</div> + </td> + </tr> + <tr> + <td> + <div id="onecolumn">IP or CIDR</div> + </td> + <td> + <div id="threecolumn">Add a Description or leave blank and a date + will be added.</div> + </td> + </tr> + + <?php + /* cleanup code */ + $counter = 0; + $address = $pconfig['address']; + if ($address <> ""): + $item = explode(" ", $address); + $item3 = explode("||", $pconfig['detail']); + foreach($item as $ww): + $address = $item[$counter]; + $item4 = $item3[$counter]; + ?> + <tr> + <td><input name="address<?php echo $counter; ?>" class="formfld unknown" type="text" id="address<?php echo $counter; ?>" size="30" value="<?=htmlspecialchars($address);?>" /></td> + <td><input name="detail<?php echo $counter; ?>" class="formfld unknown" type="text" id="address<?php echo $counter; ?>" size="50" value="<?=$item4;?>" /></td> + <td> + <?php echo "<input type=\"image\" src=\"/themes/".$g['theme']."/images/icons/icon_x.gif\" onclick=\"removeRow(this); return false;\" value=\"Delete\" />"; ?> + </td> + </tr> + <?php + $counter++; + + endforeach; endif; + ?> + </tbody> + </table> + <a onclick="javascript:addRowTo('maintable'); return false;" + href="#"><img border="0" + src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" alt="" + title="add another entry" /> </a></td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input id="submit" name="submit" type="submit" class="formbtn" value="Save" /> + <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" value="Cancel" onclick="history.back()" /> + <input name="id" type="hidden" value="<?=$id;?>" /> + </td> + </tr> + </table> + </td> + </tr> +</table> +</form> + +<script type="text/javascript"> + /* row and col adjust when you add extra entries */ + + field_counter_js = 3; + rows = 1; + totalrows = <?php echo $counter; ?>; + loaded = <?php echo $counter; ?>; + +</script> + +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort-dev2/snort_preprocessors.php b/config/snort-dev2/snort_preprocessors.php new file mode 100644 index 00000000..7f89d433 --- /dev/null +++ b/config/snort-dev2/snort_preprocessors.php @@ -0,0 +1,391 @@ +<?php +/* $Id$ */ +/* + snort_preprocessors.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008-2009 Robert Zelaya. + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +$pconfig = array(); +if (isset($id) && $a_nat[$id]) { + $pconfig = $a_nat[$id]; + + /* new options */ + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; + $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; + $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; + $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; + $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; + $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; + $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; + $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; +} + +/* convert fake interfaces to real */ +$if_real = snort_get_real_interface($pconfig['interface']); +$snort_uuid = $pconfig['uuid']; + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + +if ($_POST) { + + $natent = array(); + $natent = $pconfig; + + /* if no errors write to conf */ + if (!$input_errors) { + /* post new options */ + $natent['perform_stat'] = $_POST['perform_stat']; + if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; } + if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; } + if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } + if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } + + $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; + $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; + $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off'; + $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off'; + $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off'; + $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; + $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; + $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + + $if_real = snort_get_real_interface($pconfig['interface']); + sync_snort_package_config(); + + /* after click go to this page */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: snort_preprocessors.php?id=$id"); + exit; + } +} + +$pgtitle = "Snort: Interface $id$if_real Preprocessors and Flow"; +include_once("head.inc"); + +?> +<body + link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> +<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<?php +echo "{$snort_general_css}\n"; +?> + +<div class="body2"> + +<noscript> +<div class="alert" ALIGN=CENTER><img + src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please +enable JavaScript to view this content +</CENTER></div> +</noscript> + + +<form action="snort_preprocessors.php" method="post" + enctype="multipart/form-data" name="iform" id="iform"><?php + + /* Display Alert message */ + + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + ?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), true, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); +?> +</td></tr> + <tr> + <td class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php + /* display error code if there is no id */ + if($id == "") + { + echo " + <style type=\"text/css\"> + .noid { + position:absolute; + top:10px; + left:0px; + width:94%; + background:#FCE9C0; + background-position: 15px; + border-top:2px solid #DBAC48; + border-bottom:2px solid #DBAC48; + padding: 15px 10px 85% 50px; + } + </style> + <div class=\"alert\" ALIGN=CENTER><img src=\"../themes/{$g['theme']}/images/icons/icon_alert.gif\"/><strong>You can not edit options without an interface ID.</CENTER></div>\n"; + + } + ?> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note: + </strong></span><br> + Rules may be dependent on preprocessors!<br> + Defaults will be used when there is no user input.<br></td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Performance + Statistics</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Enable</td> + <td width="78%" class="vtable"><input name="perform_stat" + type="checkbox" value="on" + <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?> + onClick="enable_change(false)"> Performance Statistics for this + interface.</td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">HTTP Inspect Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Enable</td> + <td width="78%" class="vtable"><input name="http_inspect" + type="checkbox" value="on" + <?php if ($pconfig['http_inspect']=="on") echo "checked"; ?> + onClick="enable_change(false)"> Use HTTP Inspect to + Normalize/Decode and detect HTTP traffic and protocol anomalies.</td> + </tr> + <tr> + <td valign="top" class="vncell2">HTTP server flow depth</td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="flow_depth" type="text" class="formfld" + id="flow_depth" size="5" + value="<?=htmlspecialchars($pconfig['flow_depth']);?>"> <strong>-1</strong> + to <strong>1460</strong> (<strong>-1</strong> disables HTTP + inspect, <strong>0</strong> enables all HTTP inspect)</td> + </tr> + </table> + Amount of HTTP server response payload to inspect. Snort's + performance may increase by adjusting this value.<br> + Setting this value too low may cause false negatives. Values above 0 + are specified in bytes. Default value is <strong>0</strong><br> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Stream5 Settings</td> + </tr> + <tr> + <td valign="top" class="vncell2">Max Queued Bytes</td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="max_queued_bytes" type="text" class="formfld" + id="max_queued_bytes" size="5" + value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>"> + Minimum is <strong>1024</strong>, Maximum is <strong>1073741824</strong> + ( default value is <strong>1048576</strong>, <strong>0</strong> + means Maximum )</td> + </tr> + </table> + The number of bytes to be queued for reassembly for TCP sessions in + memory. Default value is <strong>1048576</strong><br> + </td> + </tr> + <tr> + <td valign="top" class="vncell2">Max Queued Segs</td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="max_queued_segs" type="text" class="formfld" + id="max_queued_segs" size="5" + value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>"> + Minimum is <strong>2</strong>, Maximum is <strong>1073741824</strong> + ( default value is <strong>2621</strong>, <strong>0</strong> means + Maximum )</td> + </tr> + </table> + The number of segments to be queued for reassembly for TCP sessions + in memory. Default value is <strong>2621</strong><br> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">General Preprocessor + Settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Enable <br> + RPC Decode and Back Orifice detector</td> + <td width="78%" class="vtable"><input name="other_preprocs" + type="checkbox" value="on" + <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Normalize/Decode RPC traffic and detects Back Orifice traffic on the + network.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Enable <br> + FTP and Telnet Normalizer</td> + <td width="78%" class="vtable"><input name="ftp_preprocessor" + type="checkbox" value="on" + <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Normalize/Decode FTP and Telnet traffic and protocol anomalies.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Enable <br> + SMTP Normalizer</td> + <td width="78%" class="vtable"><input name="smtp_preprocessor" + type="checkbox" value="on" + <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Normalize/Decode SMTP protocol for enforcement and buffer overflows.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Enable <br> + Portscan Detection</td> + <td width="78%" class="vtable"><input name="sf_portscan" + type="checkbox" value="on" + <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Detects various types of portscans and portsweeps.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Enable <br> + DCE/RPC2 Detection</td> + <td width="78%" class="vtable"><input name="dce_rpc_2" + type="checkbox" value="on" + <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC + traffic.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Enable <br> + DNS Detection</td> + <td width="78%" class="vtable"><input name="dns_preprocessor" + type="checkbox" value="on" + <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + The DNS preprocessor decodes DNS Response traffic and detects some + vulnerabilities.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Define SSL_IGNORE</td> + <td width="78%" class="vtable"><input name="def_ssl_ports_ignore" + type="text" class="formfld" id="def_ssl_ports_ignore" size="40" + value="<?=htmlspecialchars($pconfig['def_ssl_ports_ignore']);?>"> <br> + <span class="vexpl"> Encrypted traffic should be ignored by Snort + for both performance reasons and to reduce false positives.<br> + Default: "443 465 563 636 989 990 992 993 994 995".</span> <strong>Please + use spaces and not commas.</strong></td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input name="id" type="hidden" value="<?=$id;?>"></td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <br> + Please save your settings before you click Start. </td> + </tr> + </table> + +</table> +</form> + +</div> + + <?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort-dev2/snort_rules.php b/config/snort-dev2/snort_rules.php new file mode 100644 index 00000000..871eb39e --- /dev/null +++ b/config/snort-dev2/snort_rules.php @@ -0,0 +1,458 @@ +<?php +/* + snort_rules.php + Copyright (C) 2004, 2005 Scott Ullrich + Copyright (C) 2008, 2009 Robert Zelaya + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (isset($id) && $a_nat[$id]) { + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; +} + +/* convert fake interfaces to real */ +$if_real = snort_get_real_interface($pconfig['interface']); +$iface_uuid = $a_nat[$id]['uuid']; + +/* Check if the rules dir is empy if so warn the user */ +/* TODO give the user the option to delete the installed rules rules */ +if (!is_dir("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules")) + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules"); + +$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); +if ($isrulesfolderempty == "") { + $isrulesfolderempty = exec("ls -A /usr/local/etc/snort/rules/*.rules"); + if ($isrulesfolderempty == "") { + include_once("head.inc"); + include_once("fbegin.inc"); + + echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; + + if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} + + echo "<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr>\n + <td>\n"; + + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); + echo "</td>\n + </tr>\n + <tr>\n + <td>\n + <div id=\"mainarea\">\n + <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr>\n + <td>\n + # The rules directory is empty.\n + </td>\n + </tr>\n + </table>\n + </div>\n + </td>\n + </tr>\n + </table>\n + \n + </form>\n + \n + <p>\n\n"; + + echo "Please click on the Update Rules tab to install your selected rule sets."; + include("fend.inc"); + + echo "</body>"; + echo "</html>"; + + exit(0); + } else { + /* Make sure that we have the rules */ + mwexec("/bin/cp /usr/local/etc/snort/rules/*.rules /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules", true); + } +} + +function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; +} + +function write_rule_file($content_changed, $received_file) +{ + @file_put_contents($received_file, implode("\n", $content_changed)); +} + +function load_rule_file($incoming_file) +{ + //read file into string, and get filesize + $contents = @file_get_contents($incoming_file); + + //split the contents of the string file into an array using the delimiter + return explode("\n", $contents); +} + +$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; +//$ruledir = "/usr/local/etc/snort/rules/"; +$dh = opendir($ruledir); +while (false !== ($filename = readdir($dh))) +{ + //only populate this array if its a rule file + $isrulefile = strstr($filename, ".rules"); + if ($isrulefile !== false) + $files[] = basename($filename); +} +sort($files); + +if ($_GET['openruleset']) + $rulefile = $_GET['openruleset']; +else + $rulefile = $ruledir.$files[0]; + +//Load the rule file +$splitcontents = load_rule_file($rulefile); + +if ($_GET['act'] == "toggle" && $_GET['ids']) { + + $lineid= $_GET['ids']; + + //copy rule contents from array into string + $tempstring = $splitcontents[$lineid]; + + //explode rule contents into an array, (delimiter is space) + $rule_content = explode(' ', $tempstring); + + $findme = "# alert"; //find string for disabled alerts + $disabled = strstr($tempstring, $findme); + + //if find alert is false, then rule is disabled + if ($disabled !== false) { + //rule has been enabled + $tempstring = substr($tempstring, 2); + } else + $tempstring = "# ". $tempstring; + + //copy string into array for writing + $splitcontents[$lineid] = $tempstring; + + //write the new .rules file + write_rule_file($splitcontents, $rulefile); + + //write disable/enable sid to config.xml + $sid = get_middle($tempstring, 'sid:', ';', 0); + if (is_numeric($sid)) { + // rule_sid_on registers + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); + if ($disabled === false) + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; + else + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; + } + + write_config(); + + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$rulefile}"); + exit; +} + +$currentruleset = basename($rulefile); + +$ifname = strtoupper($pconfig['interface']); + +require_once("guiconfig.inc"); +include_once("head.inc"); + +$pgtitle = "Snort: $id $iface_uuid $if_real Category: $currentruleset"; +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php +include("fbegin.inc"); +if ($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} + +echo "{$snort_general_css}\n"; +?> +<form action="snort_rules.php" method="post" name="iform" id="iform"> + +<script language="javascript" type="text/javascript"> +function go() +{ + var box = document.iform.selectbox; + destination = box.options[box.selectedIndex].value; + if (destination) + location.href = destination; +} +function popup(url) +{ + params = 'width='+screen.width; + params += ', height='+screen.height; + params += ', top=0, left=0' + params += ', fullscreen=yes'; + + newwin=window.open(url,'windowname4', params); + if (window.focus) {newwin.focus()} + return false; +} +</script> + +<table style="table-layout:fixed;" width="99%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); +?> +</td></tr> +<tr> + <td> + <div id="mainarea2"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listt" colspan="8"> + <br>Category: + <select id="selectbox" name="selectbox" class="formfld" onChange="go()"> + <?php + foreach ($files as $value) { + echo "<option value='?id={$id}&openruleset={$ruledir}{$value}' "; + if ($value === $currentruleset) + echo "selected"; + echo ">{$value}</option>\n"; + } + ?> + </select> + </td> + </tr> + <tr id="frheader"> + <td width="3%" class="list"> </td> + <td width="5%" class="listhdr">SID</td> + <td width="6%" class="listhdrr">Proto</td> + <td width="15%" class="listhdrr">Source</td> + <td width="10%" class="listhdrr">Port</td> + <td width="15%" class="listhdrr">Destination</td> + <td width="10%" class="listhdrr">Port</td> + <td width="32%" class="listhdrr">Message</td> + </tr> + <?php + foreach ( $splitcontents as $counter => $value ) + { + $disabled = "False"; + $comments = "False"; + $findme = "# alert"; //find string for disabled alerts + $disabled_pos = strstr($value, $findme); + + $counter2 = 1; + $sid = get_middle($value, 'sid:', ';', 0); + //check to see if the sid is numberical + if (!is_numeric($sid)) + continue; + + //if find alert is false, then rule is disabled + if ($disabled_pos !== false){ + $counter2 = $counter2+1; + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_block_d.gif"; + + $ischecked = ""; + } else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + + $ischecked = "checked"; + } + + $rule_content = explode(' ', $value); + + $protocol = $rule_content[$counter2];//protocol location + $counter2++; + $source = substr($rule_content[$counter2], 0, 20) . "...";//source location + $counter2++; + $source_port = $rule_content[$counter2];//source port location + $counter2 = $counter2+2; + $destination = substr($rule_content[$counter2], 0, 20) . "...";//destination location + $counter2++; + $destination_port = $rule_content[$counter2];//destination port location + + if (strstr($value, 'msg: "')) + $message = get_middle($value, 'msg: "', '";', 0); + else if (strstr($value, 'msg:"')) + $message = get_middle($value, 'msg:"', '";', 0); + + echo "<tr><td class=\"listt\"> $textss\n"; + ?> + <a href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img + src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" + width="10" height="10" border="0" + title="click to toggle enabled/disabled status"></a> + <!-- <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> --> + <!-- TODO: add checkbox and save so that that disabling is nicer --> + <?php + echo "$textse + </td> + <td width='5%' class=\"listlr\"> + $textss + $sid + $textse + </td> + <td width='6%' class=\"listlr\"> + $textss + $protocol"; + echo "$textse + </td> + <td width='20%' class=\"listlr\"> + $textss + $source + $textse + </td> + <td width='5%' class=\"listlr\"> + $textss + $source_port + $textse + </td> + <td width='20%' class=\"listlr\"> + $textss + $destination + $textse + </td> + <td width='5%' class=\"listlr\"> + $textss + $destination_port + $textse + </td> + <td width='30%' class=\"listbg\"><font color=\"white\"> + $textss + $message + $textse + </td>"; + ?> + <td valign="middle" nowrap class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td><a href="javascript: void(0)" + onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + title="edit rule" width="17" height="17" border="0"></a></td> + <!-- Codes by Quackit.com --> + </tr> + </table> + </td> + <?php + } + ?> + + </table> + </td> + </tr> + <tr> + <td class="listlr"> + <?php echo " <strong><span class='red'>There are {$counter} rules in this category. <br/><br/></span></strong>"; ?> + </td> + </tr> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td width="16"><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" + width="11" height="11"></td> + <td>Rule Enabled</td> + </tr> + <tr> + <td><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" + width="11" height="11"></td> + <td nowrap>Rule Disabled</td> + </tr> + <tr> + <!-- TODO: add save and cancel for checkbox options --> + <!-- <td><pre><input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"><pre></td> --> + </tr> + <tr> + <td colspan="10"> + <p><!--<strong><span class="red">Warning:<br/> </span></strong>Editing these r</p>--> + </td> + </tr> + </table> + </td> + </tr> + </table> + </td> +</tr> +</table> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort-dev2/snort_rules_edit.php b/config/snort-dev2/snort_rules_edit.php new file mode 100644 index 00000000..330630f4 --- /dev/null +++ b/config/snort-dev2/snort_rules_edit.php @@ -0,0 +1,188 @@ +<?php +/* + snort_rules_edit.php + Copyright (C) 2004, 2005 Scott Ullrich + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Adapted for FreeNAS by Volker Theile (votdev@gmx.de) + Copyright (C) 2006-2009 Volker Theile + + Adapted for Pfsense Snort package by Robert Zelaya + Copyright (C) 2008-2009 Robert Zelaya + + Using dp.SyntaxHighlighter for syntax highlighting + http://www.dreamprojections.com/SyntaxHighlighter + Copyright (C) 2004-2006 Alex Gorbatchev. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$ids = $_GET['ids']; +if (isset($_POST['ids'])) + $ids = $_POST['ids']; + +if (isset($id) && $a_nat[$id]) { + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; +} + +//get rule id +$lineid = $_GET['ids']; +if (isset($_POST['ids'])) + $lineid = $_POST['ids']; + +$file = $_GET['openruleset']; +if (isset($_POST['openruleset'])) + $file = $_POST['openruleset']; + +//read file into string, and get filesize also chk for empty files +$contents = ''; +if (filesize($file) > 0 ) + $contents = file_get_contents($file); + +//delimiter for each new rule is a new line +$delimiter = "\n"; + +//split the contents of the string file into an array using the delimiter +$splitcontents = explode($delimiter, $contents); +$findme = "# alert"; //find string for disabled alerts +$highlight = "yes"; +if (strstr($splitcontents[$lineid], $findme)) + $highlight = "no"; +if ($highlight == "no") + $splitcontents[$lineid] = substr($splitcontents[$lineid], 2); + +if (!function_exists('get_middle')) { + function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; + } +} + +if ($_POST) { + if ($_POST['save']) { + + //copy string into file array for writing + if ($_POST['highlight'] == "yes") + $splitcontents[$lineid] = $_POST['code']; + else + $splitcontents[$lineid] = "# " . $_POST['code']; + + //write disable/enable sid to config.xml + $sid = get_middle($splitcontents[$lineid], 'sid:', ';', 0); + if (is_numeric($sid)) { + // rule_sid_on registers + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); + if ($_POST['highlight'] == "yes") + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid" . $a_nat[$id]['rule_sid_on']; + else + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid" . $a_nat[$id]['rule_sid_off']; + } + + //write the new .rules file + @file_put_contents($file, implode($delimiter, $splitcontents)); + + write_config(); + + echo "<script> opener.window.location.reload(); window.close(); </script>"; + exit; + } +} + +$pgtitle = array(gettext("Advanced"), gettext("File Editor")); + +?> + +<?php include("head.inc");?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<form action="snort_rules_edit.php" method="post"> + <?php if ($savemsg) print_info_box($savemsg); ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td class="tabcont"> + + + <table width="100%" cellpadding="9" cellspacing="9" bgcolor="#eeeeee"> + <tr> + <td> + <input name="save" type="submit" class="formbtn" id="save" value="save" /> + <input type='hidden' name='id' value='<?=$id;?>' /> + <input type='hidden' name='ids' value='<?=$ids;?>' /> + <input type='hidden' name='openruleset' value='<?=$file;?>' /> + <input type="button" class="formbtn" value="Cancel" onclick="window.close()"> + <hr noshade="noshade" /> + Disable original rule :<br/> + + <input id="highlighting_enabled" name="highlight2" type="radio" value="yes" <?php if($highlight == "yes") echo " checked=\"checked\""; ?> /> + <label for="highlighting_enabled"><?=gettext("Enabled");?> </label> + <input id="highlighting_disabled" name="highlight2" type="radio" value="no" <?php if($highlight == "no") echo " checked=\"checked\""; ?> /> + <label for="highlighting_disabled"> <?=gettext("Disabled");?></label> + </td> + </tr> + <tr> + <td valign="top" class="label"> + <textarea wrap="off" style="width: 98%; margin: 7px;" + class="<?php echo $language; ?>:showcolumns" rows="3" + cols="66" name="code"><?=$splitcontents[$lineid];?></textarea> + </div> + </td> + </tr> + <tr> + <td valign="top" class="label"> + <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea disabled + wrap="off" style="width: 98%; margin: 7px;" + class="<?php echo $language; ?>:showcolumns" rows="33" + cols="66" name="code2"><?=$contents;?></textarea> + </div> + </td> + </tr> + </table> + </td> +</tr> +</table> +</form> +<?php include("fend.inc");?> +</body> +</html> diff --git a/config/snort-dev2/snort_rulesets.php b/config/snort-dev2/snort_rulesets.php new file mode 100644 index 00000000..313daea2 --- /dev/null +++ b/config/snort-dev2/snort_rulesets.php @@ -0,0 +1,313 @@ +<?php +/* $Id$ */ +/* + snort_rulesets.php + Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (isset($id) && $a_nat[$id]) { + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; + + /* convert fake interfaces to real */ + $if_real = snort_get_real_interface($pconfig['interface']); + + $iface_uuid = $a_nat[$id]['uuid']; +} + +$pgtitle = "Snort: Interface $id $iface_uuid $if_real Categories"; + + +/* Check if the rules dir is empy if so warn the user */ +/* TODO give the user the option to delete the installed rules rules */ +$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); +if ($isrulesfolderempty == "") { + $isrulesfolderempty = exec("ls -A /usr/local/etc/snort/rules/*.rules"); + if ($isrulesfolderempty == "") { + include_once("head.inc"); + include("fbegin.inc"); + + echo "<p class=\"pgtitle\">"; + if($pfsense_stable == 'yes'){echo $pgtitle;} + echo "</p>\n"; + + echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; + + echo " + <table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr><td>\n"; + + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); + echo " + </td></tr> + <tr>\n + <td>\n + <div id=\"mainarea\">\n + <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr>\n + <td>\n + # The rules directory is empty. /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules \n + </td>\n + </tr>\n + </table>\n + </div>\n + </td>\n + </tr>\n + </table>\n + \n + </form>\n + \n + <p>\n\n"; + + echo "Please click on the Update Rules tab to install your selected rule sets. $isrulesfolderempty"; + include("fend.inc"); + + echo "</body>"; + echo "</html>"; + + exit(0); + } else { + /* Make sure that we have the rules */ + mwexec("/bin/cp /usr/local/etc/snort/rules/*.rules /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules", true); + } +} + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$iface_uuid}_{$if_real}.dirty"; +if ($_POST["Submit"]) { + $enabled_items = ""; + $isfirst = true; + if (is_array($_POST['toenable'])) + $enabled_items = implode("||", $_POST['toenable']); + else + $enabled_items = $_POST['toenable']; + $a_nat[$id]['rulesets'] = $enabled_items; + + write_config(); + sync_snort_package_config(); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_rulesets.php?id=$id"); + exit; +} + +$enabled_rulesets = $a_nat[$id]['rulesets']; +if($enabled_rulesets) + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + +include_once("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> + +<?php include("fbegin.inc"); ?> +<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> + +<?php +echo "{$snort_general_css}\n"; +?> + +<div class="body2"> + +<noscript> +<div class="alert" ALIGN=CENTER><img + src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please +enable JavaScript to view this content +</CENTER></div> +</noscript> + +<?php + +echo "<form action=\"snort_rulesets.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; + +?> <?php + +/* Display message */ + +if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks +} + +if ($savemsg) { + print_info_box2($savemsg); +} + +if (file_exists($d_snortconfdirty_path)) { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } +} + +?> + +<table width="99%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); +?> +</td></tr> + <tr> + <td> + <div id="mainarea2"> + <table id="maintable" class="tabcont" width="100%" border="0" + cellpadding="0" cellspacing="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" + cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Enabled</td> + <td class="listhdrr"><?php if($snort_arch == 'x86'){echo 'Ruleset: Rules that end with "so.rules" are shared object rules.';}else{echo 'Shared object rules are "so.rules" and not available on 64 bit architectures.';}?></td> + <!-- <td class="listhdrr">Description</td> --> + </tr> + <?php + $dir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; + $dh = opendir($dir); + while (false !== ($filename = readdir($dh))) { + $files[] = basename($filename); + } + sort($files); + foreach($files as $file) { + if(!stristr($file, ".rules")) + continue; + echo "<tr>\n"; + echo "<td align=\"center\" valign=\"top\">"; + if(is_array($enabled_rulesets_array)) + if(in_array($file, $enabled_rulesets_array)) { + $CHECKED = " checked=\"checked\""; + } else { + $CHECKED = ""; + } + else + $CHECKED = ""; + echo " \n<input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />\n"; + echo "</td>\n"; + echo "<td>\n"; + echo "<a href='snort_rules.php?id={$id}&openruleset=/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/" . urlencode($file) . "'>{$file}</a>\n"; + echo "</td>\n</tr>\n\n"; + //echo "<td>"; + //echo "description"; + //echo "</td>"; + } + + ?> + </table> + </td> + </tr> + <tr> + <td> </td> + </tr> + <tr> + <td>Check the rulesets that you would like Snort to load at startup.</td> + </tr> + <tr> + <td> </td> + </tr> + <tr> + <td><input value="Save" type="submit" name="Submit" id="Submit" /></td> + </tr> + </table> + </div> + </td> + </tr> +</table> + +</form> + +<p><b>NOTE:</b> You can click on a ruleset name to edit the ruleset.</p> + +</div> + +<?php +include("fend.inc"); +echo $snort_custom_rnd_box; +?> + +</body> +</html> |