diff options
Diffstat (limited to 'config/snort-dev')
-rw-r--r-- | config/snort-dev/NOTES.txt | 2 | ||||
-rw-r--r-- | config/snort-dev/snort.inc | 315 | ||||
-rw-r--r-- | config/snort-dev/snort_dynamic_ip_reload.php | 59 | ||||
-rw-r--r-- | config/snort-dev/snort_interfaces_edit.php | 35 |
4 files changed, 273 insertions, 138 deletions
diff --git a/config/snort-dev/NOTES.txt b/config/snort-dev/NOTES.txt index 584c84a0..9b4d8d0e 100644 --- a/config/snort-dev/NOTES.txt +++ b/config/snort-dev/NOTES.txt @@ -26,8 +26,6 @@ snort.inc Must be recoded so that it reads the [snortglobal] [snortglobal][rule] options in conf.xml and makes the files whitelist, snort.sh, snort.conf, and barnyard.conf. This is easy, just cut and paste from the old snort.inc. I will work on this. -Should be working for only one interface. Add code to wirite files for every snort rule in conf.xml - ================================= Any Devs that would like to help please work on snort_rules_edit.php and snort_rules.php. They work but need cleaning up. diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index 8bd4e880..6422df2c 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -40,7 +40,8 @@ $id = $_GET['id']; if (isset($_POST['id']))
$id = $_POST['id'];
-
+$interface_fake = $config['installedpackages']['snortglobal']['rule'][$id][interface];
+$if_real = convert_friendly_interface_to_real_interface_name($interface_fake);
/* Allow additional execution time 0 = no limit. */
ini_set('max_execution_time', '9999');
@@ -66,8 +67,9 @@ function sync_package_snort_reinstall() /* make sure this func on writes to files and does not start snort */
function sync_package_snort()
{
- global $config, $g;
+ global $config, $g, $id, $if_real;
+ if(!file_exists("/var/log/snort/"))
mwexec("mkdir -p /var/log/snort/");
if(!file_exists("/var/log/snort/alert"))
@@ -79,8 +81,8 @@ function sync_package_snort() $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns'];
/* set the snort performance model */
- if($config['installedpackages']['snortglobal']['rule'][0]['performance'])
- $config['installedpackages']['snortglobal']['rule'][0]['performance'];
+ if($config['installedpackages']['snortglobal']['rule'][$id]['performance'])
+ $config['installedpackages']['snortglobal']['rule'][$id]['performance'];
else
$snort_performance = "lowmem";
@@ -89,6 +91,8 @@ function sync_package_snort() exec("/bin/mkdir -p /usr/local/etc/snort");
exec("/bin/mkdir -p /var/log/snort");
exec("/bin/mkdir -p /usr/local/etc/snort/rules");
+
+ if(file_exists("/usr/local/etc/snort/snort.conf-sample")) {
exec("/bin/rm /usr/local/etc/snort/snort.conf-sample");
exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample");
exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample");
@@ -99,25 +103,41 @@ function sync_package_snort() exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample");
exec("/bin/rm /usr/local/etc/snort/sid");
exec("/bin/rm -f /usr/local/etc/rc.d/snort");
+ }
- /* create log directory */
- $start = "/bin/mkdir -p /var/log/snort\n";
+ /* create basic files */
+ if ($id != "") {
+ if(!file_exists("/usr/local/etc/snort/snort/snort_$id$if_real")) {
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_$id$if_real/");
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_$id$if_real/rules");
+ }
+ if(!file_exists("/usr/local/etc/snort/snort_$id$if_real/gen-msg.map")) {
+ exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_$id$if_real/classification.config");
+ exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_$id$if_real/gen-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_$id$if_real/reference.config");
+ exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_$id$if_real/sid-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_$id$if_real/unicode.map");
+ exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_$id$if_real/threshold.conf");
+ exec("/bin/cp /usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_$id$if_real/snort.conf");
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_$id$if_real/rules");
+ }
+ }
/* snort advanced features - bpf tuning */
- if($bpfbufsize)
- $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n";
- if($bpfmaxbufsize)
- $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n";
- if($bpfmaxinsns)
- $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n";
+// if($bpfbufsize)
+// $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n";
+// if($bpfmaxbufsize)
+// $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n";
+// if($bpfmaxinsns)
+// $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n";
/* go ahead and issue bpf changes */
- if($bpfbufsize)
- mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}");
- if($bpfmaxbufsize)
- mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}");
- if($bpfmaxinsns)
- mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}");
+// if($bpfbufsize)
+// mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}");
+// if($bpfmaxbufsize)
+// mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}");
+// if($bpfmaxinsns)
+// mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}");
/* let there be snort.sh for each rule */
/* start snort.sh for writing */
@@ -131,6 +151,15 @@ $counter_rule += 1; $result_lan = $config['installedpackages']['snortglobal']['rule'][$counter_rule][interface];
$if_real_c = convert_friendly_interface_to_real_interface_name($result_lan);
+$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$counter_rule]['barnyard_enable'];
+/* define snortbarnyardlog_chk */
+if ($snortbarnyardlog_info_chk == on) {
+
+$start_barnyard2 = "\nsleep 4\n/usr/local/bin/barnyard2 -c /usr/local/etc/snort/snort_$counter_rule$if_real_c/barnyard2.conf -d /var/log/snort -f snort.u2_$counter_rule$if_real_c -w /usr/local/etc/snort/snort_$counter_rule$if_real_c/barnyard2.waldo -D -q\n\n";
+
+}
+
+
/* open snort.sh for writing" */
conf_mount_rw();
@@ -163,68 +192,114 @@ $snort_sh_text = <<<EOD #!/bin/sh
# This file was automatically generated
# by the pfSense service handler.
+# Code added to protect from double starts on pfSense bootup
rc_start() {
+
+ if [ "`ps -auwx | grep -v grep | grep "$if_real_c -c" | awk '{print $2;}'`" != "" ] ; then
+ snort_pid="`ps -auwx | grep -v grep | grep "$if_real_c -c" | awk '{print $2;}'`"
+ cp /var/log/system.log /var/log/system.log.bk
+ logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"
+ /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php $counter $if_real_c
+ kill -HUP \${snort_pid}
+ sleep 3
+ AFTER_MEM=`top | grep Wired | awk '{print $12}'`
+ cp /var/log/system.log /var/log/snort/snort_sys_$if_real_c.log
+ /usr/sbin/clog -i -s 262144 /var/log/system.log
+ cp /var/log/system.log.bk /var/log/system.log
+ logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For $counter_rule$if_real_c..."
+ logger -p daemon.info -i -t SnortStartup "MEM after $counter_rule$if_real_c START \${AFTER_MEM}"
+ exit 1
+ fi
+
+ rc_start_real
+}
+
+rc_start_real() {
- if [ "ls -A /usr/local/etc/snort/snort_$counter_rule$if_real_c/rules" ] ; then
- echo "rules exist"
- else
- echo "rules DONT exist"
- exit 2
- fi
-
- if [ "`pgrep -x snort`" = "" ] ; then
- /bin/rm /tmp/snort_$counter_rule$if_real_c.sh.pid
- fi
-
- if [ "`pgrep -x snort`" != "" ] ; then
- logger -p daemon.info -i -t SnortStartup "Snort already running..."
- /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php
- exit 1
- fi
-
-if ls /tmp/snort_$counter_rule$if_real_c.sh.pid > /dev/null
-then
- echo "snort_$counter_rule$if_real_c.sh is running"
- exit 0
-else
- echo "snort_$counter_rule$if_real_c.sh is not running"
-fi
+ # If no rules dir exit
+
+ if [ "ls -A /usr/local/etc/snort/snort_$counter_rule$if_real_c/rules" ] ; then
+ echo "rules DO exist"
+ else
+ exit 2
+ fi
+
+ # If Snort.sh is running exit
+
+ if ls /tmp/snort_$counter_rule$if_real_c.sh.pid > /dev/null ; then
+ echo "snort.sh is running"
+ exit 3
+ else
+ echo "snort.sh is not running"
+ fi
-echo "snort_$counter_rule$if_real_c.sh run" > /tmp/snort_$counter_rule$if_real_c.sh.pid
+ # If Snort proc is running exit
-echo "snort_$counter_rule$if_real_c.sh run" >> /tmp/snort_$counter_rule$if_real_c.sh_startup.log
+ if [ "`ps -auwx | grep -v grep | grep "$counter_rule$if_real_c -c" | awk '{print $2;}'`" != "" ] ; then
+ echo "Snort is running"
+ exit 4
+ fi
-rm -f /var/run/snort_$counter_rule$if_real_c.sh
-BEFORE_MEM=`top | grep Wired | awk '{print $12}'`
-/bin/mkdir -p /var/log/snort
-/usr/bin/killall barnyard2
+ cp /var/log/system.log /var/log/system.log.bk
+ logger -p daemon.info -i -t SnortStartup "Snort is NOT running, hard restart"
-sleep 4
-/usr/local/bin/snort -G $counter_rule$if_real_c -R $counter_rule$if_real_c -c /usr/local/etc/snort/snort_$counter_rule$if_real_c/snort.conf -l /var/log/snort -D -i $if_real_c -q
+ if [ "`ps -auwx | grep -v grep | grep "$counter_rule$if_real_c -c" | awk '{print $2;}'`" = "" ] ; then
+ /bin/rm /tmp/snort_$counter_rule$if_real_c.sh.pid
+ fi
-# sleep 4
-# /usr/local/bin/barnyard2 -c /usr/local/etc/snort/snort_$counter_rule$if_real_c/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/snort_$counter_rule$if_real_c/barnyard2.waldo -D -q
+ echo "snort_$counter_rule$if_real_c.sh run" > /tmp/snort_$counter_rule$if_real_c.sh.pid
- sleep 2
- MYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`
+ echo "snort_$counter_rule$if_real_c.sh run" >> /tmp/snort_$counter_rule$if_real_c.sh_startup.log
+
+ # Start the interfaces
+
+ /usr/local/bin/snort -G $counter_rule$if_real_c -R $counter_rule$if_real_c -c /usr/local/etc/snort/snort_$counter_rule$if_real_c/snort.conf -l /var/log/snort -D -i $if_real_c -q
+
+ sleep 3
+ AFTER_MEM=`top | grep Wired | awk '{print $12}'`
+ cp /var/log/system.log /var/log/snort/snort_sys_$counter_rule$if_real_c.log
+ /usr/sbin/clog -i -s 262144 /var/log/system.log
+ cp /var/log/system.log.bk /var/log/system.log
+ logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For $counter_rule$if_real_c..."
+ logger -p daemon.info -i -t SnortStartup "MEM after $counter_rule$if_real_c START \${AFTER_MEM}"
+ echo "snort is running, but snort.sh finished removed pid"
+ /bin/rm /tmp/snort_$counter_rule$if_real_c.sh.pid
}
rc_stop() {
- /usr/bin/killall snort; killall barnyard2
+
+ pid_s=`ps -auwx | grep -v grep | grep "$counter_rule$if_real_c -c" | awk '{print \$2;}'`
+ pid_b=`ps -auwx | grep -v grep | grep "snort.u2_$counter_rule$if_real_c" | awk '{print \$2;}'`
+
+ if [ \${pid_s} ] ; then
+ cp /var/log/system.log /var/log/system.log.bk
+ logger -p daemon.info -i -t SnortStartup "Snort IS running, hard STOP"
+ /bin/kill \${pid_s}; /bin/kill \${pid_b};
+ sleep 3
+ AFTER_MEM=`top | grep Wired | awk '{print $12}'`
+ cp /var/log/system.log /var/log/snort/snort_sys_$counter_rule$if_real_c.log
+ /usr/sbin/clog -i -s 262144 /var/log/system.log
+ cp /var/log/system.log.bk /var/log/system.log
+ logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For $counter_rule$if_real_c..."
+ logger -p daemon.info -i -t SnortStartup "MEM after $counter_rule$if_real_c STOP \${AFTER_MEM}"
+ fi
}
case $1 in
start)
rc_start
;;
+ start_real)
+ rc_start_real
+ ;;
stop)
rc_stop
;;
restart)
rc_stop
- rc_start
+ rc_start_real
;;
esac
@@ -246,17 +321,12 @@ EOD; create_snort_conf();
/* create barnyard2 configuration file */
-$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['barnyard_enable'];
+$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'];
if ($snortbarnyardlog_info_chk == on)
create_barnyard2_conf();
- /* snort will not start on install untill setting are set */
- /* do start snort create a funtion to start snort */
-if ($config['installedpackages']['snortglobal']['autorulesupdate7'] != "") {
- /* start snort service */
- conf_mount_ro();
- start_service("snort");
- }
+conf_mount_ro();
+
}
@@ -265,9 +335,9 @@ function create_barnyard2_conf() { global $bconfig, $bg;
/* write out barnyard2_conf */
$barnyard2_conf_text = generate_barnyard2_conf();
- $bconf = fopen("/usr/local/etc/snort/snort_0vr1/barnyard2.conf", "w");
+ $bconf = fopen("/usr/local/etc/snort/$id$if_real/barnyard2.conf", "w");
if(!$bconf) {
- log_error("Could not open /usr/local/etc/snort/snort_0vr1/barnyard2.conf for writing.");
+ log_error("Could not open /usr/local/etc/snort/$id$if_real/barnyard2.conf for writing.");
exit;
}
fwrite($bconf, $barnyard2_conf_text);
@@ -277,18 +347,15 @@ function create_barnyard2_conf() { /* open barnyard2.conf for writing" */
function generate_barnyard2_conf() {
- global $config, $g, $id;
+ global $config, $g, $id, $if_real;
conf_mount_rw();
/* define snortbarnyardlog */
/* TODO add support for the other 5 output plugins */
-$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['barnyard_mysql'];
+$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql'];
$snortbarnyardlog_hostname_info_chk = exec("/bin/hostname");
-/* convert fake interfaces to real */
-$if_real = convert_friendly_interface_to_real_interface_name($config['installedpackages']['snortglobal']['rule'][0]['interface']);
-
$snortbarnyardlog_interface_info_chk = $if_real;
$barnyard2_conf_text = <<<EOD
@@ -343,13 +410,13 @@ EOD; }
function create_snort_conf() {
- global $config, $g;
+ global $config, $g, $id, $if_real;
/* write out snort.conf */
$snort_conf_text = generate_snort_conf();
conf_mount_rw();
- $conf = fopen("/usr/local/etc/snort/snort_0vr1/snort.conf", "w");
+ $conf = fopen("/usr/local/etc/snort/snort_$id$if_real/snort.conf", "w");
if(!$conf) {
- log_error("Could not open /usr/local/etc/snort/snort_0vr1/snort.conf for writing.");
+ log_error("Could not open /usr/local/etc/snort/$id$if_real/snort.conf for writing.");
exit;
}
fwrite($conf, $snort_conf_text);
@@ -359,7 +426,7 @@ function create_snort_conf() { function snort_deinstall() {
- global $config, $g;
+ global $config, $g, $id, $if_real;
/* remove custom sysctl */
remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480");
@@ -434,7 +501,7 @@ snort_rules_up_deinstall_cron(""); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */
/* Keep this as a last step */
- unset($config['installedpackages']['snortglobal']['rule'][0]['autorulesupdate7']);
+ unset($config['installedpackages']['snortglobal']['rule'][$id]['autorulesupdate7']);
unset($config['installedpackages']['snortglobal']['rm_blocked']);
write_config();
@@ -442,169 +509,169 @@ snort_rules_up_deinstall_cron(""); function generate_snort_conf() {
- global $config, $g;
+ global $config, $g, $if_real, $id;
conf_mount_rw();
/* obtain external interface */
/* XXX: make multi wan friendly */
- $snort_ext_int = $config['installedpackages']['snortglobal']['rule'][0]['interface'];
+ $snort_ext_int = $config['installedpackages']['snortglobal']['rule'][$id]['interface'];
-// $snort_config_pass_thru = $config['installedpackages']['snortglobal']['rule'][0]['configpassthru'];
+// $snort_config_pass_thru = $config['installedpackages']['snortglobal']['rule'][$id]['configpassthru'];
/* define snortalertlogtype */
-$snortalertlogtype = $config['installedpackages']['snortglobal']['rule'][0]['snortalertlogtype'];
+$snortalertlogtype = $config['installedpackages']['snortglobal']['rule'][$id]['snortalertlogtype'];
if ($snortalertlogtype == fast)
$snortalertlogtype_type = "output alert_fast: alert";
else
$snortalertlogtype_type = "output alert_full: alert";
/* define alertsystemlog */
-$alertsystemlog_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['alertsystemlog'];
+$alertsystemlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['alertsystemlog'];
if ($alertsystemlog_info_chk == on)
$alertsystemlog_type = "output alert_syslog: log_alert";
/* define tcpdumplog */
-$tcpdumplog_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['tcpdumplog'];
+$tcpdumplog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['tcpdumplog'];
if ($tcpdumplog_info_chk == on)
$tcpdumplog_type = "output log_tcpdump: snorttcpd.log";
/* define snortbarnyardlog_chk */
-$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['snortbarnyardlog'];
+$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['snortbarnyardlog'];
if ($snortbarnyardlog_info_chk == on)
$snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D";
/* define snortunifiedlog */
-$snortunifiedlog_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['snortunifiedlog'];
+$snortunifiedlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog'];
if ($snortunifiedlog_info_chk == on)
- $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128";
+ $snortunifiedlog_type = "output unified2: filename snort.u2_$id$if_real, limit 128";
/* define spoink */
-$spoink_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['blockoffenders7'];
+$spoink_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'];
if ($spoink_info_chk == on)
$spoink_type = "output alert_pf: /var/db/whitelist,snort2c";
/* define servers and ports snortdefservers */
/* def DNS_SERVSERS */
-$def_dns_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_dns_servers'];
+$def_dns_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_servers'];
if ($def_dns_servers_info_chk == "")
$def_dns_servers_type = "\$HOME_NET";
else
$def_dns_servers_type = "$def_dns_servers_info_chk";
/* def DNS_PORTS */
-$def_dns_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_dns_ports'];
+$def_dns_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_ports'];
if ($def_dns_ports_info_chk == "")
$def_dns_ports_type = "53";
else
$def_dns_ports_type = "$def_dns_ports_info_chk";
/* def SMTP_SERVSERS */
-$def_smtp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_smtp_servers'];
+$def_smtp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_servers'];
if ($def_smtp_servers_info_chk == "")
$def_smtp_servers_type = "\$HOME_NET";
else
$def_smtp_servers_type = "$def_smtp_servers_info_chk";
/* def SMTP_PORTS */
-$def_smtp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_smtp_ports'];
+$def_smtp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_ports'];
if ($def_smtp_ports_info_chk == "")
$def_smtp_ports_type = "25";
else
$def_smtp_ports_type = "$def_smtp_ports_info_chk";
/* def MAIL_PORTS */
-$def_mail_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_mail_ports'];
+$def_mail_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mail_ports'];
if ($def_mail_ports_info_chk == "")
$def_mail_ports_type = "25,143,465,691";
else
$def_mail_ports_type = "$def_mail_ports_info_chk";
/* def HTTP_SERVSERS */
-$def_http_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_http_servers'];
+$def_http_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_servers'];
if ($def_http_servers_info_chk == "")
$def_http_servers_type = "\$HOME_NET";
else
$def_http_servers_type = "$def_http_servers_info_chk";
/* def WWW_SERVSERS */
-$def_www_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_www_servers'];
+$def_www_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_www_servers'];
if ($def_www_servers_info_chk == "")
$def_www_servers_type = "\$HOME_NET";
else
$def_www_servers_type = "$def_www_servers_info_chk";
/* def HTTP_PORTS */
-$def_http_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_http_ports'];
+$def_http_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_ports'];
if ($def_http_ports_info_chk == "")
$def_http_ports_type = "80";
else
$def_http_ports_type = "$def_http_ports_info_chk";
/* def SQL_SERVSERS */
-$def_sql_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_sql_servers'];
+$def_sql_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sql_servers'];
if ($def_sql_servers_info_chk == "")
$def_sql_servers_type = "\$HOME_NET";
else
$def_sql_servers_type = "$def_sql_servers_info_chk";
/* def ORACLE_PORTS */
-$def_oracle_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_oracle_ports'];
+$def_oracle_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_oracle_ports'];
if ($def_oracle_ports_info_chk == "")
$def_oracle_ports_type = "1521";
else
$def_oracle_ports_type = "$def_oracle_ports_info_chk";
/* def MSSQL_PORTS */
-$def_mssql_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_mssql_ports'];
+$def_mssql_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mssql_ports'];
if ($def_mssql_ports_info_chk == "")
$def_mssql_ports_type = "1433";
else
$def_mssql_ports_type = "$def_mssql_ports_info_chk";
/* def TELNET_SERVSERS */
-$def_telnet_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_telnet_servers'];
+$def_telnet_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_servers'];
if ($def_telnet_servers_info_chk == "")
$def_telnet_servers_type = "\$HOME_NET";
else
$def_telnet_servers_type = "$def_telnet_servers_info_chk";
/* def TELNET_PORTS */
-$def_telnet_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_telnet_ports'];
+$def_telnet_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_ports'];
if ($def_telnet_ports_info_chk == "")
$def_telnet_ports_type = "23";
else
$def_telnet_ports_type = "$def_telnet_ports_info_chk";
/* def SNMP_SERVSERS */
-$def_snmp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_snmp_servers'];
+$def_snmp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_servers'];
if ($def_snmp_servers_info_chk == "")
$def_snmp_servers_type = "\$HOME_NET";
else
$def_snmp_servers_type = "$def_snmp_servers_info_chk";
/* def SNMP_PORTS */
-$def_snmp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_snmp_ports'];
+$def_snmp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_ports'];
if ($def_snmp_ports_info_chk == "")
$def_snmp_ports_type = "161";
else
$def_snmp_ports_type = "$def_snmp_ports_info_chk";
/* def FTP_SERVSERS */
-$def_ftp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_ftp_servers'];
+$def_ftp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_servers'];
if ($def_ftp_servers_info_chk == "")
$def_ftp_servers_type = "\$HOME_NET";
else
$def_ftp_servers_type = "$def_ftp_servers_info_chk";
/* def FTP_PORTS */
-$def_ftp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_ftp_ports'];
+$def_ftp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_ports'];
if ($def_ftp_ports_info_chk == "")
$def_ftp_ports_type = "21";
else
$def_ftp_ports_type = "$def_ftp_ports_info_chk";
/* def SSH_SERVSERS */
-$def_ssh_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_ssh_servers'];
+$def_ssh_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_servers'];
if ($def_ssh_servers_info_chk == "")
$def_ssh_servers_type = "\$HOME_NET";
else
@@ -617,105 +684,105 @@ else $ssh_port = "22";
/* def SSH_PORTS */
-$def_ssh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_ssh_ports'];
+$def_ssh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_ports'];
if ($def_ssh_ports_info_chk == "")
$def_ssh_ports_type = "{$ssh_port}";
else
$def_ssh_ports_type = "$def_ssh_ports_info_chk";
/* def POP_SERVSERS */
-$def_pop_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_pop_servers'];
+$def_pop_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop_servers'];
if ($def_pop_servers_info_chk == "")
$def_pop_servers_type = "\$HOME_NET";
else
$def_pop_servers_type = "$def_pop_servers_info_chk";
/* def POP2_PORTS */
-$def_pop2_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_pop2_ports'];
+$def_pop2_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop2_ports'];
if ($def_pop2_ports_info_chk == "")
$def_pop2_ports_type = "109";
else
$def_pop2_ports_type = "$def_pop2_ports_info_chk";
/* def POP3_PORTS */
-$def_pop3_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_pop3_ports'];
+$def_pop3_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop3_ports'];
if ($def_pop3_ports_info_chk == "")
$def_pop3_ports_type = "110";
else
$def_pop3_ports_type = "$def_pop3_ports_info_chk";
/* def IMAP_SERVSERS */
-$def_imap_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_imap_servers'];
+$def_imap_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_servers'];
if ($def_imap_servers_info_chk == "")
$def_imap_servers_type = "\$HOME_NET";
else
$def_imap_servers_type = "$def_imap_servers_info_chk";
/* def IMAP_PORTS */
-$def_imap_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_imap_ports'];
+$def_imap_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_ports'];
if ($def_imap_ports_info_chk == "")
$def_imap_ports_type = "143";
else
$def_imap_ports_type = "$def_imap_ports_info_chk";
/* def SIP_PROXY_IP */
-$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_sip_proxy_ip'];
+$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ip'];
if ($def_sip_proxy_ip_info_chk == "")
$def_sip_proxy_ip_type = "\$HOME_NET";
else
$def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk";
/* def SIP_PROXY_PORTS */
-$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_sip_proxy_ports'];
+$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ports'];
if ($def_sip_proxy_ports_info_chk == "")
$def_sip_proxy_ports_type = "5060:5090,16384:32768";
else
$def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk";
/* def AUTH_PORTS */
-$def_auth_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_auth_ports'];
+$def_auth_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_auth_ports'];
if ($def_auth_ports_info_chk == "")
$def_auth_ports_type = "113";
else
$def_auth_ports_type = "$def_auth_ports_info_chk";
/* def FINGER_PORTS */
-$def_finger_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_finger_ports'];
+$def_finger_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_finger_ports'];
if ($def_finger_ports_info_chk == "")
$def_finger_ports_type = "79";
else
$def_finger_ports_type = "$def_finger_ports_info_chk";
/* def IRC_PORTS */
-$def_irc_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_irc_ports'];
+$def_irc_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_irc_ports'];
if ($def_irc_ports_info_chk == "")
$def_irc_ports_type = "6665,6666,6667,6668,6669,7000";
else
$def_irc_ports_type = "$def_irc_ports_info_chk";
/* def NNTP_PORTS */
-$def_nntp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_nntp_ports'];
+$def_nntp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_nntp_ports'];
if ($def_nntp_ports_info_chk == "")
$def_nntp_ports_type = "119";
else
$def_nntp_ports_type = "$def_nntp_ports_info_chk";
/* def RLOGIN_PORTS */
-$def_rlogin_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_rlogin_ports'];
+$def_rlogin_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rlogin_ports'];
if ($def_rlogin_ports_info_chk == "")
$def_rlogin_ports_type = "513";
else
$def_rlogin_ports_type = "$def_rlogin_ports_info_chk";
/* def RSH_PORTS */
-$def_rsh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_rsh_ports'];
+$def_rsh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rsh_ports'];
if ($def_rsh_ports_info_chk == "")
$def_rsh_ports_type = "514";
else
$def_rsh_ports_type = "$def_rsh_ports_info_chk";
/* def SSL_PORTS */
-$def_ssl_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][0]['def_ssl_ports'];
+$def_ssl_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports'];
if ($def_ssl_ports_info_chk == "")
$def_ssl_ports_type = "25,443,465,636,993,995";
else
@@ -729,8 +796,8 @@ else $snort_ext_int = "ng0";
/* set the snort performance model */
- if($config['installedpackages']['snortglobal']['rule'][0]['performance'])
- $snort_performance = $config['installedpackages']['snortglobal']['rule'][0]['performance'];
+ if($config['installedpackages']['snortglobal']['rule'][$id]['performance'])
+ $snort_performance = $config['installedpackages']['snortglobal']['rule'][$id]['performance'];
else
$snort_performance = "lowmem";
@@ -1055,7 +1122,7 @@ function snort_rules_up_install_cron($should_install) { fclose($whitelist);
/* generate rule sections to load */
- $enabled_rulesets = $config['installedpackages']['snortglobal']['rule'][0]['rulesets'];
+ $enabled_rulesets = $config['installedpackages']['snortglobal']['rule'][$id]['rulesets'];
if($enabled_rulesets) {
$selected_rules_sections = "";
$enabled_rulesets_array = split("\|\|", $enabled_rulesets);
@@ -1599,7 +1666,7 @@ function get_snort_alert($ip) { if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
$alert_title = $matches[2];
if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches))
- $alert_ip = $matches[0];
+ $alert_ip = $matches[$id];
if($alert_ip == $ip) {
if(!$snort_config[$ip])
$snort_config[$ip] = $alert_title;
@@ -1612,7 +1679,7 @@ function get_snort_alert($ip) { function make_clickable($buffer) {
global $config, $g;
/* if clickable urls is disabled, simply return buffer back to caller */
- $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode'];
+ $clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode'];
if(!$clickablalerteurls)
return $buffer;
$buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer);
diff --git a/config/snort-dev/snort_dynamic_ip_reload.php b/config/snort-dev/snort_dynamic_ip_reload.php new file mode 100644 index 00000000..7c42c85f --- /dev/null +++ b/config/snort-dev/snort_dynamic_ip_reload.php @@ -0,0 +1,59 @@ +<?php + +/* $Id$ */ +/* + snort_dynamic_ip_reload.php + Copyright (C) 2006 Scott Ullrich and Robert Zeleya + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* NOTE: this file gets included from the pfSense filter.inc plugin process */ +/* NOTE: file location /usr/local/pkg/pf, all files in pf dir get exec on filter reloads */ + +require_once("/usr/local/pkg/snort/snort.inc"); + +require_once("/usr/local/pkg/snort/snort.inc"); + +/* get the varibles from the command line */ +/* Note: snort.sh sould only be using this */ +$id = $_SERVER["argv"][1]; +$if_real = $_SERVER["argv"][2]; + +$test_iface = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + +if ($id == "" || $if_real == "" || $test_iface == "") { + exec("/usr/bin/logger -p daemon.info -i -t SnortDynIP \"ERORR starting snort_dynamic_ip_reload.php\""); + exit; + } + +if ($id != "" && $if_real != "") { + create_snort_conf(); + +/* create barnyard2 configuration file */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; +if ($snortbarnyardlog_info_chk == on) + create_barnyard2_conf(); +} + +?>
\ No newline at end of file diff --git a/config/snort-dev/snort_interfaces_edit.php b/config/snort-dev/snort_interfaces_edit.php index f6fc2143..8d9def44 100644 --- a/config/snort-dev/snort_interfaces_edit.php +++ b/config/snort-dev/snort_interfaces_edit.php @@ -75,7 +75,7 @@ if (isset($_GET['dup'])) /* convert fake interfaces to real */ $if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); -if ($_POST) { +if ($_POST["Submit"]) { /* input validation */ // if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { @@ -160,21 +160,35 @@ if ($_POST) { $a_nat[] = $natent; } - touch($d_natconfdirty_path); - write_config(); // stop_service("snort"); //create_snort_conf(); //create_barnyard2_conf(); - sync_package_snort(); - // sleep(2); - // start_service("snort"); - header("Location: snort_interfaces.php"); + if ($pconfig['performance'] != "") { + sync_package_snort(); + } + + if ($pconfig['performance'] != "") { + header("Location: /snort/snort_interfaces_edit.php?id=$id"); + }else{ + touch($d_natconfdirty_path); + header("Location: /snort_interfaces.php"); + } exit; } } + if ($_POST["Submit2"]) { + if ($pconfig['performance'] != "") { + sync_package_snort(); + sleep(1); + exec("/bin/sh /usr/local/etc/rc.d/snort_{$id}{$if_real}.sh restart"); + header("Location: /snort/snort_interfaces_edit.php?id=$id"); + exit; + } + } + $pgtitle = "Snort: Interface: $id$if_real Settings Edit"; include("head.inc"); @@ -269,11 +283,8 @@ if($id != "") { /* if base directories dont exist create them */ - if(!file_exists("/usr/local/pkg/snort/snort_{$snortIf}_{$id}/")) - { - exec("/bin/mkdir -p /usr/local/pkg/snort/snort_{$snortIf}_{$id}/"); - if(!file_exists("/usr/local/www/snort/snort_{$snortIf}_{$id}/")) - exec("/bin/mkdir -p /usr/local/www/snort/snort_{$snortIf}_{$id}/"); + if(!file_exists("/usr/local/etc/snort/snort_{$id}{$if_real}/")) { + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$id}{$if_real}/"); } $tab_array = array(); |