Diffstat (limited to 'config/snort-dev')
-rw-r--r-- | config/snort-dev/NOTES.txt | 58 | ||||
-rw-r--r-- | config/snort-dev/snort.inc | 391 | ||||
-rw-r--r-- | config/snort-dev/snort_barnyard.php | 2 | ||||
-rw-r--r-- | config/snort-dev/snort_define_servers.php | 2 | ||||
-rw-r--r-- | config/snort-dev/snort_gui.inc | 59 | ||||
-rw-r--r-- | config/snort-dev/snort_interfaces.php | 140 | ||||
-rw-r--r-- | config/snort-dev/snort_interfaces_edit.php | 160 | ||||
-rw-r--r-- | config/snort-dev/snort_preprocessors.php | 2 |
8 files changed, 422 insertions, 392 deletions
diff --git a/config/snort-dev/NOTES.txt b/config/snort-dev/NOTES.txt
index b6c49926..88c80cb2 100644
--- a/config/snort-dev/NOTES.txt
+++ b/config/snort-dev/NOTES.txt
@@ -1,59 +1,19 @@ -November 18 2009 +March 16 2019 +Snort-dev 2.8.5.3 pk v. 12 Beta -Snort_inline due date is by Dec 1st. (Why ? Scott said so.) +Snort is Stoping/Starting with new UUID. Files are independent of rule order now. Ya me....... -Gui is almost done. just odds and ends left. +TODO: +The snort.sh code needs to be looked at and made sure there is a new file at every enabe/disbale save, +reboot, rule delete. -If you work on this package just comment on every-thing you change or add. +The snort_interfaces.php needs speed inprovments. !inportant. -==================== -Goals -==================== +Make sure I ad a reset button someware the removes all of snort-devs addd to config.xml -Release the New snort GUI as a package for 1.2.3 so that we can work out bugs. +Pierre POMES code needs to be added. -Move the Snort GUI to base of Pfsense. The divert options should be added to firewall_nat.php or firewall_rules.php. -Ask Ermal to add divert out to Pfsense again though, he has kept divert in. - -================================= -Any Devs that would like to help please work on snort_rules_edit.php and snort_rules.php. They work but need cleaning up. -================================= - -To get snort_rules_edit.php and snort_rules.php working - - * Update the rules. - * Add at least on rule to snort_interfaces.php. - -snort_rules_edit.php -Make sure all snort sig options that are in the GUI are written to file. - -snort_rules.php -Change the way the rules get disabled, by removing the x icon image and replacing it with check boxes. -This should improve the users experience. Moreover, check boxes could be added to blocked.php tab to improve performance. -Users always complain that the way were deleting options is slow. - -=========================================== -Misc. -=========================================== - -All further development will be in Freebsd 8. - -ALL further snort and barnyard builds will be mmx sse. 
- -All further snort builds will have snort_inline code. - -All further builds will have "did I start on a pfsense system" code, if not, exit. - -Adding extra options to the new snort gui for snort_inline should be easy. - -Snort_inline binaries with custom c++ code ready to go. - -Snort_inline works with only one Wan and Lan. Add a Opt onterface and the TCP flow goes into a loop. -This should be easy to fix by the firewall guru by modifying the divert rule I am using. - - - Done.
\ No newline at end of file diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index 513fc626..b773b231 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -44,14 +44,40 @@ if ($pfsense_ver_chk == '1.2.3-RELEASE') $pfsense_stable = 'no'; } -/* Get id and realinterfaces */ +/* check if uniq snort proc is running */ +function uniq_snort_proc($id, $if_real) +{ + global $config, $g, $id, $if_real; + +$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; +$snort_up_ck = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep snort | /usr/bin/awk '{print \$2;}' | sed 1q"); + + if ($snort_up_ck == '') + { + $snort_up == 'false'; + } + + if ($snort_up_ck == '') + { + $snort_up = 'false'; + } + + if ($snort_up_ck != '') + { + $snort_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; + $snort_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$snort_up_pre} | /usr/bin/awk '{print \$1;}'"); + $snort_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$snort_up_pre} | /usr/bin/awk '{print \$1;}'"); -$interface_fake = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; -$if_real = convert_friendly_interface_to_real_interface_name($interface_fake); + if ($snort_up_s != '' || $snort_up_r != '') + { + $snort_up = 'true'; + }else{ + $snort_up = 'false'; + } + return $snort_up; + } +} /* get the real iface name of wan */ function convert_friendly_interface_to_real_interface_name2($interface) 
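Review bot: `global $config, $g, $id, $if_real;` directly under the `function uniq_snort_proc($id, $if_real)` signature rebinds both parameters to the globals, so the arguments a caller passes are discarded; the same pattern is introduced for `create_snort_conf($id, $if_real, $snort_uuid)` and `generate_snort_conf($id, $if_real, $snort_uuid)` in later hunks of this file. In all three the fix is to list only the real globals, `global $config, $g;`. The two identical `if ($snort_up_ck == '')` blocks that follow are a no-op comparison (`$snort_up == 'false';`) and an assignment with no `return`, so the function returns null rather than 'false' when no snort process is listed; fold them into `if ($snort_up_ck == '') return 'false';`. When `$snort_up_pre` comes back empty, the two later `grep {$snort_up_pre}` pipelines are invoked without a pattern, so that case should be checked before the second round of exec() calls.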
@@ -420,6 +446,55 @@ function snort_rules_up_install_cron($should_install) { } } +function sync_snort_package_remove_old() +{ + + global $config, $g; + +$snort_dir_scan = '/usr/local/etc/snort'; + +// scan dirm might have to make this into a funtion +$dh_scan = opendir($snort_dir_scan); +while (false !== ($dir_filename = readdir($dh_scan))) { + $list_dir_files[] = $dir_filename; +} + +// find patern in a array, very cool code +class array_ereg { + function array_ereg($pattern) { $this->pattern = $pattern; } + function ereg($string) { + return ereg($this->pattern, $string); + } +} + + $rule_array2 = $config['installedpackages']['snortglobal']['rule']; + $id2 = -1; + foreach ($rule_array2 as $value) + { + + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name($result_lan); + + $snort_rules_list[] = "snort_$id$if_real"; + + } + + +$snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg')); +$snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list); + + foreach ($snort_dir_filter_search_result as $value) + { + exec("rm -r /usr/local/etc/snort/$value"); + exec("echo \"rm -r /usr/local/etc/snort/$value\" >> /root/test.log"); + } + + exec("echo \"Function remove ....\" >> /root/test.log"); + +} + /* make sure this func on writes to files and does not start snort */ function sync_snort_package() { @@ -439,7 +514,9 @@ function sync_snort_package() exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); exec("/bin/chmod -R 755 /var/log/snort"); exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); + exec("/bin/chmod -R 755 /usr/local/lib/snort"); + + exec("echo \"Funtion sync package....\" >> /root/test.log"); conf_mount_ro(); } 
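Review bot: `sync_snort_package_remove_old` builds its keep-list with the old `snort_$id$if_real` naming while every other hunk in this commit creates instance directories as `snort_{$snort_uuid}_{$if_real}`, so once the new naming is in use no live directory is in `$snort_rules_list` and the `exec("rm -r /usr/local/etc/snort/$value")` loop would delete all of them. The counter is also off: `$id2 = -1` is set but the loop increments an undeclared `$id`, so rule index 0 is skipped, and the unanchored `ereg("snort_", ...)` matches any entry containing that substring. Using the rule's own uuid, anchoring the filter and quoting the path before the shell sees it addresses all three, as below; `class array_ereg` should also move out of the function, since redeclaring it on a second call is a fatal error. The `exec("echo ... >> /root/test.log")` debug lines introduced here and in most later hunks of snort.inc and snort_gui.inc interpolate runtime values into unquoted shell strings and should go through log_error() or be dropped before release.
```php
    $snort_rules_list = array();
    foreach ($config['installedpackages']['snortglobal']['rule'] as $value)
    {
        $if_real = convert_friendly_interface_to_real_interface_name($value['interface']);
        /* must agree with the directory names written by generate_snort_conf() */
        $snort_rules_list[] = "snort_{$value['uuid']}_{$if_real}";
    }

    /* anchored match so only instance directories are candidates */
    $snort_dir_filter = preg_grep('/^snort_/', $list_dir_files);
    $snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list);

    foreach ($snort_dir_filter_search_result as $value)
    {
        exec("rm -r " . escapeshellarg("/usr/local/etc/snort/{$value}"));
    }
```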
@@ -447,10 +524,7 @@ function sync_snort_package() /* make sure this func on writes to files and does not start snort */ function sync_snort_package_all() { - global $config, $g, $id, $if_real, $interface_fake; - conf_mount_rw(); - - + global $config, $g, $id, $if_real, $snort_uuid, $interface_fake; /* RedDevil suggested code */ /* TODO: more testing needs to be done */ 
@@ -459,112 +533,37 @@ exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); exec("/sbin/sysctl net.bpf.maxinsns=512"); exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); -if ($id != '' && $if_real != '') +# Error checking +if ($id != '' && $if_real != '') //new { - /* do not start config build if rules is empty */ if (!empty($config['installedpackages']['snortglobal']['rule'])) { - if ($id == "") - { - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) - { - - $id += 1; + conf_mount_rw(); + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_real = convert_friendly_interface_to_real_interface_name($result_lan); /* create snort configuration file */ - create_snort_conf(); - - /* create snort bootup file snort.sh */ - create_snort_sh(); + create_snort_conf($id, $if_real, $snort_uuid); /* if rules exist cp rules to each iface */ - create_rules_iface(); + create_rules_iface($id, $if_real, $snort_uuid); /* create barnyard2 configuration file */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; if ($snortbarnyardlog_info_chk == 'on') - create_barnyard2_conf(); - - } - - }else{ + create_barnyard2_conf($id, $if_real, $snort_uuid); - /* create snort configuration file */ - create_snort_conf(); - - /* create snort bootup file snort.sh */ - create_snort_sh(); - - /* if rules exist cp rules to each iface */ - create_rules_iface(); - - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == on) - { - create_barnyard2_conf(); - } + exec("echo \"Funtion sync all $id $if_real $snort_uuid....\" >> /root/test.log"); + conf_mount_ro(); } } - - /* all new files are for the user snort nologin */ - if(!file_exists("/var/log/snort")) - { - 
exec("/bin/mkdir -p /var/log/snort"); - } - - exec("/usr/sbin/chown -R snort:snort /var/log/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); - exec("/bin/chmod -R 755 /var/log/snort"); - exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); - - /* Generate the snort instance list */ - $rc_snort = ""; - $i = 0; - $rules = &$config['installedpackages']['snortglobal']['rule']; - foreach($rules as $snort) { - $name = "${i}${if_real}"; - $if_real = convert_friendly_interface_to_real_interface_name($snort['interface']); - $rc_snort .= "snort_list=\"\${snort_list} ${name}\"\n"; - $rc_snort .= "snort_${name}_conf=\"/usr/local/etc/snort/snort_${name}/snort.conf\"\n"; - $rc_snort .= "snort_${name}_name=\"${name}\"\n"; - $rc_snort .= "snort_${name}_id=\"${i}\"\n"; - $rc_snort .= "snort_${name}_interface=\"${if_real}\"\n"; - - $snortenable_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; - if ($snortenable_info_chk == 'on') - $rc_snort .= "snort_${name}_enable=\"YES\"\n"; - else - $rc_snort .= "snort_${name}_enable=\"NO\"\n"; - - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') - $rc_snort .= "snort_${name}_barnyard=\"YES\"\n"; - $i++; - } - $rcconf = fopen("/var/etc/rc.snort", "w"); - if(!$rcconf) { - log_error("Could not open /var/etc/rc.snort for writing."); - exit; - } - fwrite($rcconf, $rc_snort); - fclose($rcconf); - - - conf_mount_ro(); - -} } + /* Start of main config files */ /* Start of main config files */ 
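Review bot: The rewritten body of `sync_snort_package_all` no longer calls `create_snort_sh()`, so a save for one interface regenerates snort.conf, the rules directory and barnyard2.conf but leaves the startup script with the previous instance list; the NOTES.txt TODO in this commit seems to acknowledge this, but until it is handled an enable/disable save is not reflected in snort.sh. The `# Error checking` guard `if ($id != '' && $if_real != '') //new` tests `$if_real` before the block assigns it, so it depends on a global being set elsewhere now that the top-level `$id`/`$if_real` assignments were removed in the first hunk, and I cannot see where that happens in this file. Reading the uuid from the rule before the guard and testing it instead, `if ($id != '' && $snort_uuid != '')`, would make the check self-contained. The function's header is in the preceding hunk.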
@@ -576,15 +575,17 @@ function create_snort_sh() { # Don not add $id or this will break - global $config, $g, $if_real, $if_real_wan; + global $config, $g; conf_mount_rw(); +exec("echo \"Craete snort.sh $snort_uuid $if_real $id....\" >> /root/test.log"); + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; /* define snortbarnyardlog_chk */ if ($snortbarnyardlog_info_chk == on) { - $start_barnyard2 = "sleep 4/n/usr/local/bin/barnyard2 -u snort -g snort -c /usr/local/etc/snort/snort_$id$if_real/barnyard2.conf -d /var/log/snort -f snort.u2_$id$if_real -w /usr/local/etc/snort/snort_$id$if_real/barnyard2.waldo -D -q"; + $start_barnyard2 = "sleep 4/n/usr/local/bin/barnyard2 -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -f snort.u2_{$snort_uuid}_{$if_real} -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"; } @@ -600,7 +601,8 @@ function create_snort_sh() { $id += 1; - + + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_real = convert_friendly_interface_to_real_interface_name($result_lan); 
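Review bot: In `create_snort_sh` the globals are narrowed to `global $config, $g;`, but the next lines still read `$config[...]['rule'][$id]['barnyard_enable']` and build `$start_barnyard2` from `{$snort_uuid}` and `{$if_real}` before the foreach at -600 assigns any of them, so the barnyard2 command line is rendered with an empty uuid and interface (`snort__/barnyard2.conf`) for every instance. Since the loop already sets `$snort_uuid` and `$if_real` per rule, move the `barnyard_enable` lookup and the `$start_barnyard2` assignment inside it, after `$if_real = convert_friendly_interface_to_real_interface_name($result_lan);`. The comparison `if ($snortbarnyardlog_info_chk == on)` uses the bare constant `on`, which older PHP silently treats as the string 'on' and PHP 8 rejects; write it as `'on'` like the other hunks. The rest of create_snort_sh continues past this hunk.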
@@ -610,18 +612,18 @@ $snort_sh_text2[] = <<<EOD ###### For Each Iface # If Snort proc is NOT running - if [ "`/bin/ps -auwx | grep -v grep | grep "R $id$if_real" | awk '{print $2;}'`" = "" ]; then + if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $2;}'`" = "" ]; then /bin/echo "snort.sh run" > /tmp/snort.sh.pid # Start snort and barnyard2 - /bin/rm /var/run/snort_$if_real$id$if_real.pid - /bin/rm /var/run/snort_$if_real$id$if_real.pid.lck + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck - /usr/local/bin/snort -u snort -g snort -R $id$if_real -D -q -l /var/log/snort -G $id -c /usr/local/etc/snort/snort_$id$if_real/snort.conf -i $if_real + /usr/local/bin/snort -u snort -g snort -R {$snort_uuid}_{$if_real} -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} $start_barnyard2 - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For $id$if_real..." + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..." fi EOD; @@ -632,9 +634,9 @@ $snort_sh_text3[] = <<<EOE #### Fake start only used on bootup and Pfsense IP changes #### Only try to restart if snort is running on Iface - if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R $id$if_real" | /usr/bin/awk '{print $2;}'`" != "" ]; then + if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}_{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then - snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R $id$if_real" | /usr/bin/awk '{print $2;}'`" + snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}_{$if_real}" | /usr/bin/awk '{print $2;}'`" /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" #### Remake the configs on boot Important! 
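Review bot: At -610 the snort command line now passes `-G {$snort_uuid}` where the previous code passed the integer `-G $id`; snort's `-G` option is its numeric log identifier, so unless the stored uuid is a plain integer this is likely to make snort refuse to start — worth verifying against the binary before relying on it. If a distinct numeric id is still wanted, keep `-G $id` (the loop index is still maintained at -600) and use the uuid only for `-R` and the paths.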
@@ -642,7 +644,7 @@ $snort_sh_text3[] = <<<EOE #### Restart Iface /bin/kill -HUP \${snort_pid} - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For $id$if_real..." + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..." fi @@ -650,21 +652,21 @@ EOE; $snort_sh_text4[] = <<<EOF - pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R $id$if_real" | /usr/bin/awk '{print \$2;}'` + pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}_{$if_real}" | /usr/bin/awk '{print \$2;}'` sleep 3 - pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort.u2_$id$if_real" | /usr/bin/awk '{print \$2;}'` + pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort.u2_{$snort_uuid}_{$if_real}" | /usr/bin/awk '{print \$2;}'` if [ \${pid_s} ] ; then /bin/echo "snort.sh run" > /tmp/snort.sh.pid - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For $id$if_real..." + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." /bin/kill \${pid_s} sleep 3 /bin/kill \${pid_b} - /bin/rm /var/run/snort_$if_real$id$if_real.pid.lck - /bin/rm /var/run/snort_$if_real$id$if_real.pid + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid fi @@ -674,6 +676,7 @@ EOF; } } + $start_snort_iface_start = implode("\n\n", $snort_sh_text2); $start_snort_iface_restart = implode("\n\n", $snort_sh_text3); @@ -707,7 +710,7 @@ $start_snort_iface_restart /bin/rm /tmp/snort.sh.pid #### If on Fake start snort is NOT running DO a real start. - if [ "`/bin/ps -auwx | grep -v grep | grep "R $id$if_real" | awk '{print $2;}'`" = "" ]; then + if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $2;}'`" = "" ]; then rc_start_real 
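Review bot: The `#### If on Fake start snort is NOT running DO a real start.` test at -707 appears to sit after the `implode()` of the per-interface blocks, so the `{$snort_uuid}_{$if_real}` it interpolates are whatever values the last loop iteration left behind and the check only ever looks at the final interface; on a multi-instance box that decides a real start from one instance. Either emit this test inside the loop alongside the other per-interface blocks or have the script check each instance name in turn. The `/bin/kill \${pid_b}` at -650 runs even when `pid_b` is empty, which is the case for any instance without barnyard2; guard it with `if [ \${pid_b} ]` as is already done for `pid_s`.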
@@ -777,26 +780,27 @@ EOD; ///////////////////////// >>>>>>>>>>>> /* if rules exist copy to new interfaces */ -function create_rules_iface() +function create_rules_iface($id, $if_real, $snort_uuid) { - global $config, $g, $id, $if_real; + global $config, $g; conf_mount_rw(); + +exec("echo \"Create rules $snort_uuid $if_real $id ....\" >> /root/test.log"); - if ($id != '' || $if_real != '') - { - $if_rule_dir = "/usr/local/etc/snort/snort_$id$if_real/rules"; + + $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"; $folder_chk = (count(glob("$if_rule_dir/*")) === 0) ? 'empty' : 'full'; if ($folder_chk == "empty") { - exec("/bin/cp -R /usr/local/etc/snort/rules /usr/local/etc/snort/snort_$id$if_real"); - if (file_exists("/usr/local/etc/snort/custom_rules/local_$id$if_real.rules")) + exec("/bin/cp -R /usr/local/etc/snort/rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) { - exec("/bin/cp /usr/local/etc/snort/custom_rules/local_$id$if_real.rules /usr/local/etc/snort/snort_$id$if_real/rules/local_$id$if_real.rules"); + exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules/local_{$snort_uuid}_{$if_real}.rules"); } } - } + } /* open barnyard2.conf for writing */ 
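Review bot: Dropping the `if ($id != '' || $if_real != '')` guard means `create_rules_iface` now acts on whatever it is given: an empty `$snort_uuid` or `$if_real` yields a directory such as `/usr/local/etc/snort/snort__/rules`, which `/bin/cp -R` would happily populate. Re-add a guard on the new inputs as an early return, `if ($snort_uuid == '' || $if_real == '') return;`, before `$if_rule_dir` is built. `count(glob("$if_rule_dir/*"))` also treats a missing directory the same as an empty one, so checking `is_dir($if_rule_dir)` first would make the intent explicit.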
@@ -804,15 +808,17 @@ function create_barnyard2_conf() { global $bconfig, $bg, $id, $if_real; /* write out barnyard2_conf */ - if(!file_exists("/usr/local/etc/snort/snort_$id$if_real/barnyard2.conf")) +exec("echo \"Create barnyard.conf $if_real $id....\" >> /root/test.log"); + + if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) { - exec("/bin//usr/bin/touch /usr/local/etc/snort/snort_$id$if_real/barnyard2.conf"); + exec("/bin//usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); } $barnyard2_conf_text = generate_barnyard2_conf(); - $bconf = fopen("/usr/local/etc/snort/snort_$id$if_real/barnyard2.conf", "w"); + $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); if(!$bconf) { - log_error("Could not open /usr/local/etc/snort/snort_$id$if_real/barnyard2.conf for writing."); + log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); exit; } fwrite($bconf, $barnyard2_conf_text); @@ -831,8 +837,6 @@ function generate_barnyard2_conf() { $snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; $snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); -$snortbarnyardlog_interface_info_chk = $if_real; - $barnyard2_conf_text = <<<EOD # barnyard2.conf @@ -868,7 +872,7 @@ config gen-msg-map: /usr/local/etc/snort/gen-msg.map config sid-msg-map: /usr/local/etc/snort/sid-msg.map config hostname: $snortbarnyardlog_hostname_info_chk -config interface: $id$snortbarnyardlog_interface_info_chk +config interface: {$snort_uuid}_{$if_real} # Step 2: setup the input plugins input unified2 
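Review bot: `create_barnyard2_conf` is called as `create_barnyard2_conf($id, $if_real, $snort_uuid)` from sync_snort_package_all, but its definition here still reads `function create_barnyard2_conf() {` with `global $bconfig, $bg, $id, $if_real;`, so `$snort_uuid` is undefined inside it and every path in this hunk becomes `/usr/local/etc/snort/snort__{$if_real}/barnyard2.conf`. Change the signature to `function create_barnyard2_conf($id, $if_real, $snort_uuid)` and the globals to `global $config, $g;` (the `$bconfig`/`$bg` names look like typos for `$config`/`$g`; worth confirming). `generate_barnyard2_conf()` has the same gap at -868: `config interface: {$snort_uuid}_{$if_real}` is rendered in a function whose parameter and global lines are outside this hunk, so the uuid needs to be passed through to it as well. The unchanged `/bin//usr/bin/touch` prefix resolves to a path that does not exist, so the create step silently does nothing; `/usr/bin/touch` is what is meant.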
@@ -884,19 +888,25 @@ EOD; } -function create_snort_conf() { - global $config, $g, $id, $if_real; +function create_snort_conf($id, $if_real, $snort_uuid) +{ + global $config, $g, $id, $if_real, $snort_uuid; /* write out snort.conf */ - $snort_conf_text = generate_snort_conf(); + +exec("echo \"Create sonrt.conf $snort_uuid $if_real $id....\" >> /root/test.log"); + + $snort_conf_text = generate_snort_conf($id, $if_real, $snort_uuid); conf_mount_rw(); - $conf = fopen("/usr/local/etc/snort/snort_$id$if_real/snort.conf", "w"); + $conf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf", "w"); if(!$conf) { - log_error("Could not open /usr/local/etc/snort/$id$if_real/snort.conf for writing."); + log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf for writing."); exit; } fwrite($conf, $snort_conf_text); fclose($conf); conf_mount_ro(); + + } function snort_deinstall() @@ -905,6 +915,8 @@ function snort_deinstall() global $config, $g, $id, $if_real; conf_mount_rw(); +exec("echo \"Snort Deinstall $if_real $id....\" >> /root/test.log"); + /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ @@ -924,12 +936,15 @@ function snort_deinstall() exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); /* Remove snort cron entries Ugly code needs smoothness*/ - +} + function snort_rm_blocked_deinstall_cron($should_install) { global $config, $g; conf_mount_rw(); +exec("echo \"Deinstall cron block....\" >> /root/test.log"); + $is_installed = false; if(!$config['cron']['item']) @@ -963,10 +978,13 @@ function snort_rm_blocked_deinstall_cron($should_install) } - function snort_rules_up_deinstall_cron($should_install) { + function snort_rules_up_deinstall_cron($should_install) +{ global $config, $g; conf_mount_rw(); +exec("echo \"Deinstall rules up ....\" >> /root/test.log"); + $is_installed = false; if(!$config['cron']['item']) 
@@ -988,7 +1006,6 @@ function snort_rm_blocked_deinstall_cron($should_install) } configure_cron(); } - } snort_rm_blocked_deinstall_cron(""); snort_rules_up_deinstall_cron(""); @@ -1008,14 +1025,13 @@ snort_rules_up_deinstall_cron(""); } -function generate_snort_conf() +function generate_snort_conf($id, $if_real, $snort_uuid) { - global $config, $g, $if_real, $id; + global $config, $g, $id, $if_real, $snort_uuid; conf_mount_rw(); -if ($id != '' && $if_real != '') -{ +exec("echo \"Generate snort.conf $snort_uuid $if_real $id....\" >> /root/test.log"); /* obtain external interface */ /* XXX: make multi wan friendly */ 
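Review bot: With the `+}` added after `pkg_delete` at -924 closing `snort_deinstall`, and the `-}` removed here after `configure_cron();`, the calls `snort_rm_blocked_deinstall_cron("");` and `snort_rules_up_deinstall_cron("");` appear, from the braces visible in these hunks, to end up inside the body of `snort_rules_up_deinstall_cron` itself, which would recurse without end on the first call; please confirm against the full file. If the intent is that deinstall removes both cron entries, the two calls belong at the end of `snort_deinstall` before its new closing brace, and the `}` removed here should be restored so the cron function closes before them. In the -1008 hunk, `generate_snort_conf` drops its `if ($id != '' && $if_real != '')` guard while its parameters are still overridden by `global $id, $if_real, $snort_uuid`, so it can proceed with an empty uuid and create `/usr/local/etc/snort/snort__{$if_real}/`.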
@@ -1024,25 +1040,24 @@ if ($id != '' && $if_real != '') // $snort_config_pass_thru = $config['installedpackages']['snortglobal']['rule'][$id]['configpassthru']; /* create basic files */ - if(!file_exists("/usr/local/etc/snort/snort/snort_$id$if_real")) + if(!file_exists("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")) { - exec("/bin/mkdir -p /usr/local/etc/snort/snort_$id$if_real/"); - exec("/bin/mkdir -p /usr/local/etc/snort/snort_$id$if_real/rules"); + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/"); + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); - if(!file_exists("/usr/local/etc/snort/snort_$id$if_real/gen-msg.map")) + if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map")) { - exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_$id$if_real/classification.config"); - exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_$id$if_real/gen-msg.map"); - exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_$id$if_real/reference.config"); - exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_$id$if_real/sid-msg.map"); - exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_$id$if_real/unicode.map"); - exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_$id$if_real/threshold.conf"); - exec("/bin/cp /usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_$id$if_real/snort.conf"); - exec("/bin//usr/bin/touch /usr/local/etc/snort/snort_$id$if_real/barnyard2.conf"); - exec("/bin/mkdir -p /usr/local/etc/snort/snort_$id$if_real/rules"); + exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); + exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); + exec("/bin/cp 
/usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); + exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); + exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); + exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); + exec("/bin/cp /usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); + exec("/bin/cp/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); } } -} /* define snortalertlogtype */ $snortalertlogtype = $config['installedpackages']['snortglobal']['snortalertlogtype']; @@ -1064,7 +1079,7 @@ if ($tcpdumplog_info_chk == on) /* define snortunifiedlog */ $snortunifiedlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog']; if ($snortunifiedlog_info_chk == on) - $snortunifiedlog_type = "output unified2: filename snort.u2_$id$if_real, limit 128"; + $snortunifiedlog_type = "output unified2: filename snort.u2_{$snort_uuid}_{$if_real}, limit 128"; /* define spoink (DISABLED)*/ $spoink_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7']; @@ -1321,7 +1336,7 @@ else if($config['installedpackages']['snortglobal']['rule'][$id]['performance']) $snort_performance = $config['installedpackages']['snortglobal']['rule'][$id]['performance']; else - $snort_performance = "lowmem"; + $snort_performance = "ac-bnfa"; /* open snort's whitelist for writing */ $whitelist = fopen("/var/db/whitelist", "w"); 
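Review bot: `exec("/bin/cp/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")` in the -1024 hunk invokes a path that does not exist (the old `/bin//usr/bin/touch` was equally broken), so the barnyard2.conf placeholder is never created here; write `exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");`. The guard above it, `file_exists("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")`, tests a doubled `snort/snort/` path that the `mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/` below never creates, so the block runs unconditionally on every call; drop the extra `snort/` segment. The default change from `lowmem` to `ac-bnfa` at -1321 changes the pattern matcher, and with it memory use, for existing installs that never set `performance`; a line in NOTES.txt would help operators. The enclosing function continues beyond this hunk.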
@@ -1452,7 +1467,7 @@ $snort_perform_stat = <<<EOD # ########################## -preprocessor perfmonitor: time 300 file /var/log/snort/snort_$id$if_real.stats pktcnt 10000 +preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$snort_uuid}_{$if_real}.stats pktcnt 10000 EOD; @@ -1797,7 +1812,7 @@ portvar DCERPC_BRIGHTSTORE [6503,6504] # ##################### -var RULE_PATH /usr/local/etc/snort/snort_$id$if_real/rules +var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules # var PREPROC_RULE_PATH ./preproc_rules ################################ @@ -1899,9 +1914,9 @@ $spoink_type # ################# -include /usr/local/etc/snort/snort_$id$if_real/reference.config -include /usr/local/etc/snort/snort_$id$if_real/classification.config -include /usr/local/etc/snort/snort_$id$if_real/threshold.conf +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf # Snort user pass through configuration {$snort_config_pass_thru} 
@@ -1919,13 +1934,63 @@ EOD; return $snort_conf_text; } +/* only be run on new iface create, bootup and ip refresh */ +function sync_snort_package_empty() +//function sync_snort_package_all() +{ + global $config, $g; + conf_mount_rw(); + + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + { + if ($id == "") + { + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) + { + + if ($id == '') { + $id = 0; + } + + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name($result_lan); + + /* create snort configuration file */ + create_snort_conf($id, $if_real); + + /* create snort bootup file snort.sh */ + create_snort_sh($if_real); + + /* if rules exist cp rules to each iface */ + create_rules_iface($id, $if_real); + + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == 'on') + create_barnyard2_conf($id, $if_real); + + exec("echo \"Funtion sync empty create files foreach $if_real $id....\" >> /root/test.log"); + + } + } + } +} + /* check downloaded text from snort.org to make sure that an error did not occur * for example, if you are not a premium subscriber you can only download rules * so often, etc. TO BE: Removed unneeded. */ + function check_for_common_errors($filename) { global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); + +// ob_flush(); $contents = file_get_contents($filename); if(stristr($contents, "You don't have permission")) { if(!$console_mode) { diff --git a/config/snort-dev/snort_barnyard.php b/config/snort-dev/snort_barnyard.php index 10afa183..667de21a 100644 --- a/config/snort-dev/snort_barnyard.php +++ b/config/snort-dev/snort_barnyard.php 
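Review bot: `sync_snort_package_empty` calls `create_snort_conf($id, $if_real)`, `create_rules_iface($id, $if_real)` and `create_barnyard2_conf($id, $if_real)` with two arguments, while this commit changes `create_snort_conf` and `create_rules_iface` to take `($id, $if_real, $snort_uuid)`, so the uuid is missing and the per-instance paths are built as `snort__{$if_real}` (on PHP 7.1 and later the short call is a fatal ArgumentCountError). Read the rule's uuid next to its interface and pass it through, as below. The `if ($id == "")` test and the `if ($id == '') { $id = 0; }` inside the loop operate on a `$id` that is neither a parameter nor declared global, so the first is always true and the second never; iterate with `foreach ($rule_array as $id => $value)` instead of the manual counter. `create_snort_sh($if_real)` is also invoked once per rule although it rebuilds the whole script from `$config` each time (see the loop at -600); call it once after the loop.
```php
            $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid'];
            $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface'];
            $if_real = convert_friendly_interface_to_real_interface_name($result_lan);

            /* create snort configuration file */
            create_snort_conf($id, $if_real, $snort_uuid);

            /* if rules exist cp rules to each iface */
            create_rules_iface($id, $if_real, $snort_uuid);

            /* create barnyard2 configuration file */
            $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'];
            if ($snortbarnyardlog_info_chk == 'on')
                create_barnyard2_conf($id, $if_real, $snort_uuid);
```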
@@ -105,6 +105,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; @@ -144,6 +145,7 @@ if ($_POST) { if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } + if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } diff --git a/config/snort-dev/snort_define_servers.php b/config/snort-dev/snort_define_servers.php index a2cafc05..550cf153 100644 --- a/config/snort-dev/snort_define_servers.php +++ b/config/snort-dev/snort_define_servers.php @@ -105,6 +105,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; 
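Review bot: In `snort_barnyard.php` the new `if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; }` writes the instance uuid back into config from `$pconfig` inside the `if ($_POST)` branch; whether `$pconfig` is rebuilt from `$_POST` on submit is outside this hunk, but if it is, the uuid becomes a form-controlled value. Throughout snort.inc in this commit that value is interpolated unquoted into exec() strings (`rm -r`, `cp`, `grep`) and into filesystem paths, so it should be treated as server-assigned: copy it from the stored entry, `$natent['uuid'] = $a_nat[$id]['uuid'];`, and reject anything that is not the expected uuid format before it is used. The same applies to the identical lines in the `snort_define_servers.php` hunks at -105 and -133.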
@@ -133,6 +134,7 @@ if ($_POST) { /* repost the options already in conf */ if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } + if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } diff --git a/config/snort-dev/snort_gui.inc b/config/snort-dev/snort_gui.inc index 1746ab54..c485d1ac 100644 --- a/config/snort-dev/snort_gui.inc +++ b/config/snort-dev/snort_gui.inc 
@@ -29,37 +29,40 @@ POSSIBILITY OF SUCH DAMAGE. */ -function print_info_box_np2($msg) { - global $g; - echo "<table height=\"32\" width=\"100%\">\n"; - echo " <tr>\n"; - echo " <td>\n"; - echo " <div style='background-color:#990000' id='redbox'>\n"; - echo " <table width='100%'><tr><td width='8%'>\n"; - echo " <img style='vertical-align:middle' src=\"/snort/images/alert.jpg\" width=\"32\" height=\"28\">\n"; - echo " </td>\n"; - echo " <td width='70%'><font color='white'><b>{$msg}</b></font>\n"; - echo " </td>"; - echo " </tr></table>\n"; - echo " </div>\n"; - echo " </td>\n"; - echo "</table>\n"; - echo "<script type=\"text/javascript\">\n"; - echo "NiftyCheck();\n"; - echo "Rounded(\"div#redbox\",\"all\",\"#FFF\",\"#990000\",\"smooth\");\n"; - echo "Rounded(\"td#blackbox\",\"all\",\"#FFF\",\"#000000\",\"smooth\");\n"; - echo "</script>\n"; - echo "\n<br>\n"; -} - - - - - - +include_once("/usr/local/pkg/snort/snort.inc"); +function print_info_box_np2($msg) { + global $config, $g; + + echo "<table height=\"32\" width=\"100%\">\n"; + echo " <tr>\n"; + echo " <td>\n"; + echo " <div style='background-color:#990000' id='redbox'>\n"; + echo " <table width='100%'><tr><td width='8%'>\n"; + echo " <img style='vertical-align:middle' src=\"/snort/images/alert.jpg\" width=\"32\" height=\"28\">\n"; + echo " </td>\n"; + echo " <td width='70%'><font color='white'><b>{$msg}</b></font>\n"; + echo " </td>"; + if(stristr($msg, "apply") == true) { + echo " <td>"; + echo " <input name=\"apply\" type=\"submit\" class=\"formbtn\" id=\"apply\" value=\"Apply changes\">\n"; + echo " </td>"; + } + echo " </tr></table>\n"; + echo " </div>\n"; + echo " </td>\n"; + echo "</table>\n"; + echo "<script type=\"text/javascript\">\n"; + echo "NiftyCheck();\n"; + echo "Rounded(\"div#redbox\",\"all\",\"#FFF\",\"#990000\",\"smooth\");\n"; + echo "Rounded(\"td#blackbox\",\"all\",\"#FFF\",\"#000000\",\"smooth\");\n"; + echo "</script>\n"; + echo "\n<br>\n"; + + exec("echo \"Funtion print info ....\" >> 
/root/test.log"); +} ?>
\ No newline at end of file diff --git a/config/snort-dev/snort_interfaces.php b/config/snort-dev/snort_interfaces.php index 996ff83b..e2cf9fdb 100644 --- a/config/snort-dev/snort_interfaces.php +++ b/config/snort-dev/snort_interfaces.php @@ -42,6 +42,16 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) $a_nat = &$config['installedpackages']['snortglobal']['rule']; +/////////// + +if (isset($config['installedpackages']['snortglobal']['rule'])) { +$id_gen = count($config['installedpackages']['snortglobal']['rule']); +}else{ +$id_gen = '0'; +} + +/////////// + /* if a custom message has been passed along, lets process it */ if ($_GET['savemsg']) $savemsg = $_GET['savemsg']; @@ -71,6 +81,8 @@ if ($_POST) { unlink($d_filterconfdirty_path); } + exec("echo \"Sync Empty on POST on interfaces.php....\" >> /root/test.log"); + } } 
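Review bot: The new `exec("echo \"Funtion print info ....\" >> /root/test.log")` at the end of print_info_box_np2 spawns a shell and appends to a file under /root on every info-box render; this is leftover debug tracing and should not ship in the package. The same tracing was added in the snort_interfaces.php hunks at `@@ -71` (`Sync Empty on POST…`) and `@@ -100` (`Removing old files ....`). If a trace is genuinely wanted, `syslog()` or the `/usr/bin/logger` invocation the older code used goes through the system log and avoids a shell per call. Separately, `stristr($msg, "apply") == true` relies on loose comparison of the returned substring; `if (stristr($msg, "apply") !== false) {` states the intent directly.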
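Review bot: `$id_gen = count($config['installedpackages']['snortglobal']['rule'])` in the `@@ -42` hunk is used as the id of the next new rule (`snort_interfaces_edit.php?id=<?php echo $id_gen;?>` in the `@@ -398` hunk), but the delete handler in this same file removes entries with `unset($a_nat[$rulei])`, which leaves a gap in the keys; after deleting a middle rule, count() can equal a surviving key and the add link would open that existing rule for editing instead of a blank one. Unless write_config() or the config reload re-indexes the list (not visible here), derive the id from the keys instead: `$id_gen = empty($a_nat) ? 0 : max(array_keys($a_nat)) + 1;`. The `$a_nat` reference is established in this hunk's context line, so it is available at that point, and the `'0'` fallback should be the integer `0` for consistency.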
@@ -81,17 +93,19 @@ if (isset($_POST['del_x'])) { /* convert fake interfaces to real */ $if_real = convert_friendly_interface_to_real_interface_name($a_nat[$rulei]['interface']); + $snort_uuid = $a_nat[$rulei]['uuid']; + + /* cool code to check if any snort is up */ + $snort_up_ck = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep snort | /usr/bin/awk '{print \$2;}' | sed 1q"); - $snort_pid = exec("/bin/ps -auwx | grep -v grep | grep \"$if_real -c\" | awk '{print $2;}'"); - - if ($snort_pid != "") + if ($snort_up_ck != "") { - $start_up_pre = exec("/bin/cat /var/run/snort_{$if_real}{$rulei}{$if_real}.pid"); + $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); - $start2_upb_pre = exec("/bin/cat /var/run/barnyard2_{$rulei}{$if_real}.pid"); + $start2_upb_pre = exec("/bin/cat /var/run/barnyard2_{$snort_uuid}_{$if_real}.pid"); $start2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); $start2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); 
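Review bot: `$snort_uuid = $a_nat[$rulei]['uuid'];` is read without a fallback, yet rules saved before this commit have no uuid key, so for those entries the grep pattern becomes `"R _{$if_real}"` and the pid path `/var/run/barnyard2__{$if_real}.pid`; the running instance is then neither found nor killed while the rule is still dropped from the config. The value also goes straight into the command string, so normalise it when read, `$snort_uuid = (int)$a_nat[$rulei]['uuid'];`, and either skip the stop/cleanup logic or fall back to the pre-uuid naming when it is 0. The same unchecked read appears in the `@@ -215` toggle hunk and the `@@ -410` listing hunk. The enclosing `if (isset($_POST['del_x']))` block continues outside the hunk.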
@@ -100,113 +114,68 @@ if (isset($_POST['del_x'])) { { /* dont flood the syslog code */ - exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); - sleep(3); + //exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); + //sleep(3); /* remove only running instances */ if ($start_up_s != "") { exec("/bin/kill {$start_up_s}"); - exec("/bin/rm /var/run/snort_$if_real$rulei$if_real*"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); } if ($start2_upb_s != "") { exec("/bin/kill {$start2_upb_s}"); - exec("/bin/rm /var/run/barnyard2_$rulei$if_real*"); + exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); } if ($start_up_r != "") { exec("/bin/kill {$start_up_r}"); - exec("/bin/rm /var/run/snort_$if_real$rulei$if_real*"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); } if ($start2_upb_r != "") { exec("/bin/kill {$start2_upb_r}"); - exec("/bin/rm /var/run/barnyard2_$rulei$if_real*"); + exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); } /* stop syslog flood code */ - $if_real_wan_rulei = $a_nat[$rulei]['interface']; - $if_real_wan_rulei2 = convert_friendly_interface_to_real_interface_name2($if_real_wan_rulei); - exec("/sbin/ifconfig $if_real_wan_rulei2 -promisc"); - exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_$rulei$if_real.log"); - exec("/usr/bin/killall syslogd"); - exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); - exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); - sleep(2); - exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); - $after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after {$rulei}{$if_real} STOP {$after_mem}'"); - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule removed for {$rulei}{$if_real}...'"); + //$if_real_wan_rulei = $a_nat[$rulei]['interface']; + //$if_real_wan_rulei2 = 
convert_friendly_interface_to_real_interface_name2($if_real_wan_rulei); + //exec("/sbin/ifconfig $if_real_wan_rulei2 -promisc"); + //exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_$rulei$if_real.log"); + //exec("/usr/bin/killall syslogd"); + //exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); + //exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); + //sleep(2); + //exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); + //$after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); + //exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after {$rulei}{$if_real} STOP {$after_mem}'"); + //exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule removed for {$rulei}{$if_real}...'"); } } unset($a_nat[$rulei]); - } + exec("echo \"Removing old files ....\" >> /root/test.log"); conf_mount_rw(); - exec("/bin/rm -r /usr/local/etc/snort/snort_$rulei$if_real"); - exec("/bin/rm /usr/local/etc/rc.d/snort_$rulei$if_real.sh"); - exec("/bin/rm /var/log/snort/snort.u2_$rulei$if_real*"); + exec("/bin/rm /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*"); + exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); conf_mount_ro(); write_config(); - // touch($d_natconfdirty_path); + touch($d_natconfdirty_path); header("Location: /snort/snort_interfaces.php"); exit; } -} else { - - /* yuck - IE won't send value attributes for image buttons, while Mozilla does - so we use .x/.y to find move button clicks instead... 
*/ - unset($movebtn); - foreach ($_POST as $pn => $pd) { - if (preg_match("/move_(\d+)_x/", $pn, $matches)) { - $movebtn = $matches[1]; - break; - } - } - /* move selected rules before this rule */ - if (isset($movebtn) && is_array($_POST['rule']) && count($_POST['rule'])) { - $a_nat_new = array(); - - /* copy all rules < $movebtn and not selected */ - for ($i = 0; $i < $movebtn; $i++) { - if (!in_array($i, $_POST['rule'])) - $a_nat_new[] = $a_nat[$i]; - } - - /* copy all selected rules */ - for ($i = 0; $i < count($a_nat); $i++) { - if ($i == $movebtn) - continue; - if (in_array($i, $_POST['rule'])) - $a_nat_new[] = $a_nat[$i]; - } - - /* copy $movebtn rule */ - if ($movebtn < count($a_nat)) - $a_nat_new[] = $a_nat[$movebtn]; - - /* copy all rules > $movebtn and not selected */ - for ($i = $movebtn+1; $i < count($a_nat); $i++) { - if (!in_array($i, $_POST['rule'])) - $a_nat_new[] = $a_nat[$i]; - } - $a_nat = $a_nat_new; - write_config(); - touch($d_natconfdirty_path); - header("Location: snort_interfaces.php"); - - exit; - } } @@ -215,8 +184,10 @@ if ($_GET['act'] == "toggle" && $_GET['id'] != "") { $if_real2 = convert_friendly_interface_to_real_interface_name($a_nat[$id]['interface']); + + $snort_uuid = $a_nat[$id]['uuid']; - $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$id}{$if_real2}\" | awk '{print \$1;}'"); + $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real2}\" | awk '{print \$1;}'"); $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); @@ -235,7 +206,7 @@ if ($_GET['act'] == "toggle" && $_GET['id'] != "") if ($start_up_s != "") { exec("/bin/kill {$start_up_s}"); - exec("/bin/rm /var/run/snort_$if_real2$id$if_real2*"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real2}*"); } //if ($start2_upb_s != "") 
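Review bot: The delete path in the `@@ -100` hunk no longer removes the per-interface startup script: `exec("/bin/rm /usr/local/etc/rc.d/snort_$rulei$if_real.sh")` was dropped without a uuid-based replacement, while the conf directory and unified2 logs still are removed, so a deleted rule leaves an rc.d script behind that will try to start snort for a config directory that no longer exists on the next boot. If the script is now named by uuid, add `exec("/bin/rm /usr/local/etc/rc.d/snort_{$snort_uuid}_{$if_real}.sh");` next to the other two rm calls; if snort.sh is now a single shared script, say so in a comment here so the omission reads as intentional. The block of `//`-prefixed syslog-rotation code should be deleted rather than kept, since it still reads as part of the flow and will drift. The enclosing delete handler starts outside the hunk.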
@@ -247,7 +218,7 @@ if ($_GET['act'] == "toggle" && $_GET['id'] != "") if ($start_up_r != "") { exec("/bin/kill {$start_up_r}"); - exec("/bin/rm /var/run/snort_$if_real2$id$if_real2*"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real2}*"); } //if ($start2_upb_r != "") @@ -280,9 +251,9 @@ if ($_GET['act'] == "toggle" && $_GET['id'] != "") header("Location: /snort/snort_interfaces.php"); }else{ - sync_snort_package_all(); + //sync_snort_package_all(); - exec("/usr/local/bin/snort -u snort -g snort -R \"$id$if_real2\" -D -q -l /var/log/snort -G $id -c /usr/local/etc/snort/snort_$id$if_real2/snort.conf -i $if_real2"); + exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}_{$if_real2}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real2}/snort.conf -i {$if_real2}"); //print_r("$id $if_real2"); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -296,7 +267,7 @@ if ($_GET['act'] == "toggle" && $_GET['id'] != "") } -$pgtitle = "Services: Snort 2.8.5.3 pkg v. 1.10 alpha"; +$pgtitle = "Services: Snort 2.8.5.3 pkg v. 1.12 Beta"; include("head.inc"); ?> @@ -353,12 +324,12 @@ padding: 15px 10px 50% 50px; padding-left: 0px; } -</style> -<noscript><div class="alert" ALIGN=CENTER><img src="../themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> +</style> + + +<noscript><div class="alert" ALIGN=CENTER><img src="../themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> <form action="snort_interfaces.php" method="post" name="iform"> -<script type="text/javascript" language="javascript" src="row_toggle.js"> -</script> <?php if (file_exists($d_natconfdirty_path)): ?><p> <?php if($savemsg) 
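Review bot: In the `@@ -280` hunk the `else` branch now launches snort with `-c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real2}/snort.conf`, but `sync_snort_package_all()` was commented out directly above it, so nothing visible here guarantees that the conf directory exists or reflects the saved settings before the daemon starts; exec() returns silently when snort fails, so the toggle would appear to succeed. Either keep the sync call for this `$id`, or check `file_exists()` on the conf path and report via `$savemsg` before the exec. `$snort_uuid` and `$if_real2` are interpolated unquoted into the command line; cast `$snort_uuid` with `(int)` where it is read in the `@@ -215` hunk and wrap `$if_real2` in `escapeshellarg()`. The enclosing toggle handler starts and ends outside the hunk.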
@@ -398,7 +369,7 @@ padding: 15px 10px 50% 50px; <table border="0" cellspacing="0" cellpadding="1"> <tr> <td width="17"></td> - <td><a href="snort_interfaces_edit.php"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + <td><a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> </tr> </table> </td> @@ -410,6 +381,7 @@ padding: 15px 10px 50% 50px; /* convert fake interfaces to real and check if iface is up */ /* There has to be a smarter way to do this */ $if_real = convert_friendly_interface_to_real_interface_name($natent['interface']); + $snort_uuid = $natent['uuid']; $color_up_ck = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep snort | /usr/bin/awk '{print \$2;}' | sed 1q"); @@ -422,7 +394,7 @@ padding: 15px 10px 50% 50px; if ($color_up_ck != "") { //$color_up_pre = exec("/bin/cat /var/run/snort_{$if_real}{$nnats}{$if_real}.pid"); - $color_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R $nnats$if_real\" | awk '{print \$1;}'"); + $color_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); // /bin/ps -auwx | grep -v grep | grep "$id$if_real -c" | awk '{print $2;}' $color_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$color_up_pre} | /usr/bin/awk '{print \$1;}'"); diff --git a/config/snort-dev/snort_interfaces_edit.php b/config/snort-dev/snort_interfaces_edit.php index 6bdb0dc7..f67cb828 100644 --- a/config/snort-dev/snort_interfaces_edit.php +++ b/config/snort-dev/snort_interfaces_edit.php 
@@ -48,6 +48,25 @@ if (isset($_GET['dup'])) { $after = $_GET['dup']; } +/* always have a limit of (65535) numbers only or snort will not start do to id limits */ +/* TODO: When inline gets added make the uuid the port number lisstening */ +//function gen_snort_uuid($fileline) +//{ + /* return the first 5 */ + //if (preg_match("/...../", $fileline, $matches1)) + //{ + //$uuid_final = "$matches1[0]"; + //} +//return $uuid_final; +//} + +/* gen uuid for each iface !inportant */ +if ($a_nat[$id]['interface'] == '') { + //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); + $snort_uuid = mt_rand(0, 65534); + $pconfig['uuid'] = $snort_uuid; +} + if (isset($id) && $a_nat[$id]) { /* old options */ @@ -97,10 +116,12 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; + $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; @@ -121,7 +142,7 @@ if (isset($_GET['dup'])) /* convert fake interfaces to real */ $if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); -if ($_POST['Submit']) { +if ($_POST["Submit"]) { /* input validation */ // if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { 
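Review bot: The generated id in the `@@ -48` hunk, `$snort_uuid = mt_rand(0, 65534);`, is never checked against the uuids already stored in `$a_nat`, so two rules can receive the same value, which this commit uses as the snort `-G` instance id and in every pid/conf path; the interface name disambiguates the paths but not `-G`. The lower bound should also be 1, because a uuid of 0 fails the loose `!= ""` / `!= ''` checks used elsewhere in this diff on older PHP and would be silently dropped on re-post. Loop until the value is unused, e.g. `do { $snort_uuid = mt_rand(1, 65534); } while (in_array($snort_uuid, array_column($a_nat, 'uuid')));`, assuming `$a_nat` is initialised as an array as it is in snort_interfaces.php. The commented-out `gen_snort_uuid()` skeleton should be removed rather than kept as `//` lines; if the port-number idea is still planned, keep only the `TODO:` sentence.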
@@ -167,26 +188,26 @@ if ($_POST['Submit']) { // if ($config['installedpackages']['snortglobal']['rule']) { -// if ($_POST['descr'] == "") { -// $input_errors[] = "Please enter a description for your reference."; -// } + if ($_POST['descr'] == "") { + $input_errors[] = "Please enter a description for your reference."; + } -// if ($id == "" && $config['installedpackages']['snortglobal']['rule'][0]['interface'] != "") { + if ($id == "" && $config['installedpackages']['snortglobal']['rule'][0]['interface'] != "") { -// $rule_array = $config['installedpackages']['snortglobal']['rule']; -// $id_c = -1; -// foreach ($rule_array as $value) { + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id_c = -1; + foreach ($rule_array as $value) { -// $id_c += 1; + $id_c += 1; -// $result_lan = $config['installedpackages']['snortglobal']['rule'][$id_c]['interface']; -// $if_real = convert_friendly_interface_to_real_interface_name($result_lan); + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id_c]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name($result_lan); -// if ($_POST['interface'] == $result_lan) { -// $input_errors[] = "Interface $result_lan is in use. Please select another interface."; -// } -// } -// } + if ($_POST['interface'] == $result_lan) { + $input_errors[] = "Interface $result_lan is in use. Please select another interface."; + } + } + } /* check for overlaps */ foreach ($a_nat as $natent) { 
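Review bot: The re-enabled interface-in-use check only runs when `$id == ""`, so editing an existing rule and switching it to an interface another rule already uses passes validation; drop the `$id == ""` condition and instead skip the rule being edited inside the loop with `if ($id_c == $id) continue;`. Inside the same loop `$if_real = convert_friendly_interface_to_real_interface_name($result_lan);` overwrites the `$if_real` computed from `$pconfig['interface']` earlier in the file and is not used by the check, so after validation `$if_real` refers to whichever rule came last; delete that line. The enclosing `if ($_POST["Submit"])` block starts and ends outside the hunk.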
@@ -204,10 +225,12 @@ if ($_POST['Submit']) { $natent['interface'] = $_POST['interface'] ? $_POST['interface'] : $pconfig['interface']; /* if post write to conf or rewite the answer */ $natent['enable'] = $_POST['enable'] ? on : off; + $natent['uuid'] = $pconfig['uuid']; $natent['descr'] = $_POST['descr'] ? $_POST['descr'] : $pconfig['descr']; $natent['performance'] = $_POST['performance'] ? $_POST['performance'] : $pconfig['performance']; /* if post = on use on off or rewrite the conf */ if ($_POST['blockoffenders7'] == "on") { $natent['blockoffenders7'] = on; }else{ $natent['blockoffenders7'] = off; } if ($_POST['enable'] == "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } + $natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? $_POST['snortalertlogtype'] : $pconfig['snortalertlogtype']; if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = on; }else{ $natent['alertsystemlog'] = off; } if ($_POST['enable'] == "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = on; }else{ $natent['tcpdumplog'] = off; } if ($_POST['enable'] == "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } if ($_POST['snortunifiedlog'] == "on") { $natent['snortunifiedlog'] = on; }else{ $natent['snortunifiedlog'] = off; } if ($_POST['enable'] == "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } 
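Review bot: `$natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? $_POST['snortalertlogtype'] : $pconfig['snortalertlogtype'];` stores the posted value as-is; the neighbouring options are reduced to `on`/`off`, but this one is free text and, going by its name, presumably ends up in the generated snort.conf (the generator is not in this diff). Validate it in the input-validation section against the values the form actually offers, e.g. `if (!in_array($_POST['snortalertlogtype'], array(/* form option values */), true)) $input_errors[] = "Invalid alert log type.";`. The enclosing save block starts and ends outside the hunk.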
@@ -277,35 +300,61 @@ if ($_POST['Submit']) { write_config(); // stop_service("snort"); - if ($pconfig['interface'] != '' && $id != '') { + if ($pconfig['interface'] != "") { sync_snort_package_all(); - } - if ($pconfig['interface'] != '' && $id != '') { + //touch($d_natconfdirty_path); header("Location: /snort/snort_interfaces_edit.php?id=$id"); - }else{ - touch($d_natconfdirty_path); - header("Location: /snort/snort_interfaces.php"); - - } + exit; } } + if (isset($config['installedpackages']['snortglobal']['rule'][$id]['interface'])) + { + if (uniq_snort_proc($id, $if_real) == 'false') + { + $snort_up_ck = '<input name="Submit2" type="submit" class="formbtn" value="Start" onClick="enable_change(true)">'; + }else{ + $snort_up_ck = '<input name="Submit3" type="submit" class="formbtn" value="Stop" onClick="enable_change(true)">'; + } + }else{ + $snort_up_ck = ''; + } + if ($_POST["Submit2"]) { - if ($id != '') - { - sync_snort_package_all(); - } + sync_snort_package_all($id, $if_real); sleep(1); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start {$id}{$if_real}"); + exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}_{$if_real}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); header("Location: /snort/snort_interfaces_edit.php?id=$id"); exit; } -$ifname = strtoupper($pconfig['interface']); -$pgtitle = "Snort: Interface: $id$if_real Settings Edit"; + if ($_POST["Submit3"]) + { + sync_snort_package_all($id, $if_real); + sleep(1); + + $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); + $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + + if ($start_up_s != '') + { + exec("/bin/kill {$start_up_s}"); + exec("/bin/rm 
/var/run/snort_{$snort_uuid}_{$if_real}*"); + } + + if ($start_up_r != '') + { + exec("/bin/kill {$start_up_r}"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); + } + } + +$iface_uuid = $a_nat[$id]['uuid']; +$pgtitle = "Snort: Interface Edit: $id $iface_uuid $if_real"; include("head.inc"); ?> @@ -313,7 +362,6 @@ include("head.inc"); <?php include("fbegin.inc"); ?> -<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> <style type="text/css"> .alert { position:absolute; @@ -339,7 +387,7 @@ function enable_change(enable_change) { <?php /* make shure all the settings exist or function hide will not work */ /* if $id is emty allow if and discr to be open */ -if($id != "") +if($iface_uuid != '') { echo " document.iform.interface.disabled = endis2; @@ -348,22 +396,22 @@ echo " ?> document.iform.performance.disabled = endis; document.iform.blockoffenders7.disabled = endis; + document.iform.snortalertlogtype.disabled = endis; document.iform.alertsystemlog.disabled = endis; document.iform.tcpdumplog.disabled = endis; document.iform.snortunifiedlog.disabled = endis; } //--> </script> +<p class="pgtitle"><?=$pgtitle?></p> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php if ($input_errors) print_input_errors($input_errors); ?> <?php if ($savemsg) print_info_box($savemsg); ?> -<form action="snort_interfaces_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<form action="snort_interfaces_edit.php<?php echo "?id=$id";?>" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> <?php -if($id != "") -{ - +if ($a_nat[$id]['interface'] != '') { /* get the interface name */ $first = 0; $snortInterfaces = array(); /* -gtm */ 
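Review bot: In the Submit2 and Submit3 handlers of the `@@ -277` hunk `$snort_uuid` is interpolated into the snort start command, the grep pattern and the `rm /var/run/snort_{$snort_uuid}_{$if_real}*` calls, but within this file it is only assigned in the `@@ -48` hunk when `$a_nat[$id]['interface'] == ''`, i.e. for a rule that has not been saved yet; for a saved rule it is undefined here (unless sync_snort_package_all() sets it as a global, which is not visible), so Start would run with an empty `-R`/`-G` value and a `snort__{$if_real}` conf path and Stop would match nothing. Read it from the config at the top of both handlers, `$snort_uuid = (int)$a_nat[$id]['uuid'];`, mirroring the `$iface_uuid = $a_nat[$id]['uuid'];` line added further down. `uniq_snort_proc($id, $if_real) == 'false'` compares against the string 'false'; if that helper returns a bool the Start button is never shown, so its return type should be confirmed (it is defined outside this diff).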
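Review bot: `<form action="snort_interfaces_edit.php<?php echo "?id=$id";?>" …>` in the `@@ -348` hunk echoes `$id` into an HTML attribute unescaped, and the new `<p class="pgtitle"><?=$pgtitle?></p>` echoes `$pgtitle`, which is built from `$id`, `$iface_uuid` and `$if_real`; if `$id` comes from `$_GET['id']` without an integer cast (its assignment is outside this diff) both are reflected-output sinks, whereas the old hidden `id` input was guarded by `isset($id) && $a_nat[$id]`. Emit the escaped value in both places, `action="snort_interfaces_edit.php?id=<?=htmlspecialchars($id)?>"` and `<?=htmlspecialchars($pgtitle)?>`, or cast `$id` with `(int)` where it is read so every later use is numeric. The `@@ -391` hunk's `$tab_array` hrefs interpolate `{$id}` the same way, although display_top_tabs() may escape them (not visible).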
@@ -391,48 +439,25 @@ if($id != "") return; } } - - /* do for the selected interface */ - foreach($snortInterfaces as $snortIf) - { - - /* if base directories dont exist create them */ - if(!file_exists("/usr/local/etc/snort/snort_{$id}{$if_real}/")) { - exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$id}{$if_real}/"); - } +} $tab_array = array(); $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); $tab_array[] = array("If Settings", true, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Conf upload", false, "/snort/snort_conf_upload.php?id={$id}"); $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); - } -} + ?> </td> </tr> <tr> <td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <?php - if($id == "") - { - echo " - <tr> - <td width=\"22%\" valign=\"top\"> </td> - <td width=\"78%\"><span class=\"vexpl\"><span class=\"red\"><strong>Note:</strong></span><br> - You will be redirected to the Snort Interfaces Menu to approve changes.<br> - After approval, interface options will be made available. - <br><br> - Please select an interface and a description. - </td> - </tr>\n"; - } - ?> <tr> <td width="22%" valign="top" class="vtable"> </td> <td width="78%" class="vtable"> @@ -441,10 +466,9 @@ if($id != "") // care with spaces if ($pconfig['enable'] == "on") $checked = checked; - if($id != "") - { + $onclick_enable = "onClick=\"enable_change(false)\">"; - } + echo " <input name=\"enable\" type=\"checkbox\" value=\"on\" $checked $onclick_enable <strong>Enable Interface</strong></td>\n\n"; 
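Review bot: The `@@ -391` hunk drops the `if(!file_exists("/usr/local/etc/snort/snort_{$id}{$if_real}/")) { exec("/bin/mkdir -p …"); }` that created the per-interface conf directory when the edit page was opened, and nothing in this diff creates the uuid-named replacement `/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/`; if that now happens in sync_snort_package_all() (snort.inc is not in this diff), a one-line comment next to the `$tab_array` block saying so would stop the next reader from re-adding it. With the closing `}` moved above `$tab_array = array();`, the tabs are now rendered even when `$a_nat[$id]['interface']` is empty, so the Categories/Rules/Servers tabs link to an `id` with no saved interface; consider rendering only the "If Settings" tab for an unsaved rule.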
@@ -516,7 +540,7 @@ if($id != "") <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> <input name="Submit2" type="submit" class="formbtn" value="Start" onClick="enable_change(true)"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <input name="Submit" type="submit" class="formbtn" value="Save"> <?php echo $snort_up_ck; ?> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> <?php if (isset($id) && $a_nat[$id]): ?> <input name="id" type="hidden" value="<?=$id;?>"> <?php endif; ?> @@ -526,7 +550,7 @@ if($id != "") <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> <br> - Please save your settings before you click start. </td> + Please save your settings befor you click start. </td> </tr> </table> </table> diff --git a/config/snort-dev/snort_preprocessors.php b/config/snort-dev/snort_preprocessors.php index 0227735c..8072484d 100644 --- a/config/snort-dev/snort_preprocessors.php +++ b/config/snort-dev/snort_preprocessors.php @@ -107,6 +107,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; 
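Review bot: The `@@ -526` hunk changes the user-visible note from "Please save your settings before you click start." to "Please save your settings befor you click start.", introducing a typo into a string that was correct; restore `before`. The `@@ -516` hunk's `<?php echo $snort_up_ck; ?>` is safe only as long as `$snort_up_ck` stays the literal HTML assigned in the `@@ -277` hunk, so keep its assignment free of request-derived values.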
@@ -136,6 +137,7 @@ if ($_POST) { /* repost the options already in conf */ if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } + if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } |