Diffstat (limited to 'config/snort-dev')
-rw-r--r-- | config/snort-dev/snort.inc | 280 | ||||
-rw-r--r-- | config/snort-dev/snort.xml | 5 |
2 files changed, 155 insertions, 130 deletions
diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc
index 3f8ccc79..25f8beb0 100644
--- a/config/snort-dev/snort.inc
+++ b/config/snort-dev/snort.inc
@@ -1,4 +1,4 @@
-<?php
+<?php
 /* $Id$ */
 /* snort.inc
@@ -53,38 +53,11 @@ function sync_package_snort_reinstall() /* start snort service */ start_service("snort"); } - -function sync_package_snort_install() { - - global $g, $config; - - /* create a few directories and ensure the sample files are in place */ - exec("/bin/mkdir -p /usr/local/etc/snort_bkup"); - exec("/bin/mkdir -p /usr/local/etc/snort"); - exec("/bin/mkdir -p /var/log/snort"); - exec("/bin/mkdir -p /usr/local/etc/snort/rules"); - - if(!file_exists("/usr/local/etc/snort/unicode.map-sample")) - exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); - exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config"); - exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map"); - exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators"); - exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config"); - exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map"); - exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid"); - exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf"); - exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); - exec("/bin/rm -f /usr/local/etc/rc.d/snort"); - exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); - - if(!file_exists("/usr/local/etc/snort/rules/local.rules")) - exec("/bin/cp /usr/local/pkg/local.rules /usr/local/etc/snort/rules/local.rules"); - -} - function sync_package_snort() { - global $config, $g; + global $config, $g; + + mwexec("mkdir -p /var/log/snort/"); if(!file_exists("/var/log/snort/alert")) touch("/var/log/snort/alert"); 
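Review bot: The `mwexec("mkdir -p /var/log/snort/");` added at the top of sync_package_snort() duplicates the `exec("/bin/mkdir -p /var/log/snort");` that the next hunk re-enables a few lines further down the same function, so one of the two can go. The deleted sync_package_snort_install() was also the only place in this diff that seeded `/usr/local/etc/snort/rules/local.rules` from `/usr/local/pkg/local.rules` (guarded by file_exists), and no replacement is visible in the new sync_package_snort(); unless another code path creates it, a fresh install may end up without a local.rules file for the generated configuration to include. The body of sync_package_snort() continues past the end of the hunk.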
@@ -102,20 +75,19 @@ function sync_package_snort() conf_mount_rw(); /* create a few directories and ensure the sample files are in place */ -// exec("/bin/mkdir -p /usr/local/etc/snort"); -// exec("/bin/mkdir -p /var/log/snort"); -// exec("/bin/mkdir -p /usr/local/etc/snort/rules"); -// exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); -// exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config"); -// exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map"); -// exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators"); -// exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config"); -// exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map"); -// exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid"); -// exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf"); -// exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); -// exec("/bin/rm -f /usr/local/etc/rc.d/snort"); - + exec("/bin/mkdir -p /usr/local/etc/snort"); + exec("/bin/mkdir -p /var/log/snort"); + exec("/bin/mkdir -p /usr/local/etc/snort/rules"); + exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); + exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config"); + exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map"); + exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators"); + exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config"); + exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map"); + exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid"); + 
exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf"); + exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); + exec("/bin/rm -f /usr/local/etc/rc.d/snort"); $first = 0; $snortInterfaces = array(); /* -gtm */ @@ -164,7 +136,7 @@ function sync_package_snort() if($bpfmaxinsns) mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); - /* always stop snort2c before starting snort -gtm */ + /* always stop barnyard2 before starting snort -gtm */ $start .= "/usr/bin/killall barnyard2\n"; /* start a snort process for each interface -gtm */ 
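Review bot: The re-enabled `exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");` (and the classification.config, reference.config and sid-msg.map copies above it) now runs unconditionally on every resync, so thresholds or suppressions an administrator has put into threshold.conf are reset to the sample each time the package configuration is saved. The removed installer guarded these copies with file_exists; restoring that per target, e.g. `if(!file_exists("/usr/local/etc/snort/threshold.conf")) exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");`, keeps the seed-on-first-run behaviour without clobbering operator edits. unicode.map is copied twice in the same run (fourth and second-to-last cp lines), so one of them can be dropped, and none of the exec() results are checked, so a missing sample file fails silently. The enclosing sync_package_snort() starts and ends outside the hunk.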
@@ -175,34 +147,27 @@ function sync_package_snort() { $start .= "sleep 8\n"; $start .= "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; - - /* define snortbarnyardlog_chk */ + /* define snortbarnyardlog_chk */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; if ($snortbarnyardlog_info_chk == on) - $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; + $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; } -// /* if block offenders is checked, start snort2c */ -// if($_POST['blockoffenders']) { -// $start .= "\nsleep 8\n"; -// $start .= "snort2c -w /var/db/whitelist -a /var/log/snort/alert\n"; -// } - - $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; - $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; - $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; + $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; + $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; + $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; $sample_before = "\nBEFORE_MEM=`top | grep Free | grep Wired | awk '{print \$10}'`\n"; $sample_after = "\nAFTER_MEM=`top | grep Free | grep Wired | awk '{print \$10}'`\n"; $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nsleep 17"; $total_free_after = "\nTOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; $echo_usage = "\necho \"Ram free BEFORE starting Snort: \${BEFORE_MEM} -- Ram free AFTER starting Snort: \${AFTER_MEM}\" -- Mode 
{$snort_performance} -- Snort memory usage: \$TOTAL_USAGE | logger -p daemon.info -i -t SnortStartup\n"; - $rm_snort_sh_pid = "\nrm /tmp/snort.sh.pid\n"; - + $rm_snort_sh_pid = "\nrm /tmp/snort.sh.pid\n"; + /* write out rc.d start/stop file */ write_rcfile(array( "file" => "snort.sh", "start" => "{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$sample_before}{$start}{$sleep_before_final}{$sample_after}{$echo_usage}{$rm_snort_sh_pid}", - "stop" => "/usr/bin/killall snort; killall snort2c" + "stop" => "/usr/bin/killall snort; killall barnyard2" ) ); @@ -214,10 +179,12 @@ $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['conf if ($snortbarnyardlog_info_chk == on) create_barnyard2_conf(); - + /* snort will not start on install untill setting are set */ +if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { /* start snort service */ conf_mount_ro(); start_service("snort"); + } } /* open barnyard2.conf for writing */ @@ -235,7 +202,6 @@ function create_barnyard2_conf() { fclose($bconf); // conf_mount_ro(); } - /* open barnyard2.conf for writing" */ function generate_barnyard2_conf() { @@ -274,7 +240,6 @@ EOD; } - function create_snort_conf() { global $config, $g; /* write out snort.conf */ @@ -291,10 +256,9 @@ function create_snort_conf() { } function snort_deinstall() { -// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; -// $filenamea = "/etc/crontab"; - /* remove auto rules update helper */ -// remove_text_from_file($filenamea, $text_ww); + + global $config, $g; + /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ 
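Review bot: The changed `"stop" => "/usr/bin/killall snort; killall barnyard2"` still leaves `/tmp/snort.sh.pid` behind, yet the generated start script refuses to run while that file exists (`if ls /tmp/snort.sh.pid`), so a start that is interrupted before its final `rm` leaves the service unable to restart until the file is removed by hand. Appending the cleanup to the stop command, `"stop" => "/usr/bin/killall snort; killall barnyard2; rm -f /tmp/snort.sh.pid"`, closes that gap. A marker file in the shared /tmp directory is also a weak guard for a root-run daemon; a pid file under /var/run would be the conventional location, though that is a larger change than this hunk. The enclosing sync_package_snort() starts and ends outside the hunk.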
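Review bot: Moving `conf_mount_ro();` inside the new `if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "")` block unpairs it from the `conf_mount_rw();` issued earlier in sync_package_snort(): when autorulesupdate7 is empty the function returns with the configuration filesystem still mounted read-write. Keep the guard around the service start only, i.e. `conf_mount_ro();` before the `if` and `if (...) { start_service("snort"); }` after it. snort_deinstall() later unsets this same option under the comment "snort will not start with out this", so this guard appears to be the mechanism behind that remark; a one-line comment here naming that coupling, such as `/* autorulesupdate7 is only set once the package has been configured; do not start snort before then */`, would make it explicit. The new block is indented at column 0 inside the function body, which hides that it is nested.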
@@ -309,6 +273,69 @@ function snort_deinstall() { exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`"); exec("/usr/bin/killall -9 snort"); exec("/usr/bin/killall snort"); + + /* Remove snort cron entries Ugly code needs smoothness*/ + + function snort_rm_blocked_deinstall_cron($should_install) { + global $config, $g; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + } + + function snort_rules_up_deinstall_cron($should_install) { + global $config, $g; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + } + +snort_rm_blocked_deinstall_cron(""); +snort_rules_up_deinstall_cron(""); + + + /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ + /* Keep this as a last step */ + unset($config['installedpackages']['snort']['config'][0]['autorulesupdate7']); + unset($config['installedpackages']['snort']['config'][0]['rm_blocked']); + write_config(); + } function generate_snort_conf() { @@ -352,7 +379,6 @@ if ($snortunifiedlog_info_chk == on) $spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; if ($spoink_info_chk == on) $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; - /* define servers and ports snortdefservers */ /* def DNS_SERVSERS */ 
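Review bot: The two helper functions added to snort_deinstall() are declared inside the function body, so they are only created when snort_deinstall() runs and a second call in the same process fails with a redeclare fatal; they also skip a match that sits at index 0 because of the `if($x > 0)` guard, and `unset($config['cron']['item'][$x])` leaves a gap in the cron list instead of a contiguous array. One file-level helper that filters the cron items by command substring and rebuilds the list, called twice from snort_deinstall(), fixes all three; the unused `$should_install` parameter and `$g` global go away with it. snort_deinstall() begins outside this hunk.
```php
	/* Remove snort cron entries */
	snort_remove_cron_items("snort2c");
	snort_remove_cron_items("snort_check_for_rule_updates.php");
	/* … unchanged: unset of autorulesupdate7 / rm_blocked, write_config() … */
}

/* Drop every cron item whose command contains $needle and store the
   remaining items as a contiguous list. Declared at file level so that
   snort_deinstall() can be invoked more than once per process. */
function snort_remove_cron_items($needle) {
	global $config;
	if (!is_array($config['cron']['item']))
		return;
	$kept = array();
	foreach ($config['cron']['item'] as $item) {
		if (strstr($item['command'], $needle) === false)
			$kept[] = $item;
	}
	if (count($kept) == count($config['cron']['item']))
		return;
	$config['cron']['item'] = $kept;
	write_config();
	configure_cron();
}
```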
@@ -612,13 +638,14 @@ else else $snort_performance = "ac-bnfa"; - /* set the snort block hosts time */ + /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; if ($snort_rm_blocked_info_ck == "never_b") $snort_rm_blocked_false = ""; else $snort_rm_blocked_false = "true"; +if ($snort_rm_blocked_info_ck != "") { function snort_rm_blocked_install_cron($should_install) { global $config, $g; @@ -720,20 +747,21 @@ function snort_rm_blocked_install_cron($should_install) { configure_cron(); } break; - } + } + } + snort_rm_blocked_install_cron(""); + snort_rm_blocked_install_cron($snort_rm_blocked_false); } -snort_rm_blocked_install_cron(""); -snort_rm_blocked_install_cron($snort_rm_blocked_false); - /* set the snort rules update time */ - $snort_up_rules_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_up_rules_info_ck == "never_up") - $snort_up_rules_false = ""; + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "never_up") + $snort_rules_up_false = ""; else - $snort_up_rules_false = "true"; + $snort_rules_up_false = "true"; -function snort_up_rules_install_cron($should_install) { +if ($snort_rules_up_info_ck != "") { +function snort_rules_up_install_cron($should_install) { global $config, $g; if ($g['booting']==true) 
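Review bot: The new `if ($snort_rm_blocked_info_ck != "") {` wraps a function declaration, so snort_rm_blocked_install_cron() only comes into existence when the option is set, and the same pattern is applied to snort_rules_up_install_cron() further down the hunk; keep both declarations unconditional and guard only the calls. The comment on the changed line, `/* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */`, states the opposite of what the guard does (the block runs when the value is non-empty); if the intent is to skip the cron helpers until the package has been configured, `/* set the snort block hosts time; skipped while rm_blocked is unset so the cron helpers are not touched on a fresh install */` would say so. These declarations sit inside generate_snort_conf(), whose start and end lie outside the hunk.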
@@ -752,58 +780,58 @@ function snort_up_rules_install_cron($should_install) { } $x++; } - $snort_up_rules_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_up_rules_info_ck == "6h_up") { - $snort_up_rules_min = "*"; - $snort_up_rules_hr = "*/6"; - $snort_up_rules_mday = "*"; - $snort_up_rules_month = "*"; - $snort_up_rules_wday = "*"; + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; } - if ($snort_up_rules_info_ck == "12h_up") { - $snort_up_rules_min = "*"; - $snort_up_rules_hr = "*/12"; - $snort_up_rules_mday = "*"; - $snort_up_rules_month = "*"; - $snort_up_rules_wday = "*"; + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; } - if ($snort_up_rules_info_ck == "1d_up") { - $snort_up_rules_min = "*"; - $snort_up_rules_hr = "*"; - $snort_up_rules_mday = "*/1"; - $snort_up_rules_month = "*"; - $snort_up_rules_wday = "*"; + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; } - if ($snort_up_rules_info_ck == "4d_up") { - $snort_up_rules_min = "*"; - $snort_up_rules_hr = "*"; - $snort_up_rules_mday = "*/4"; - $snort_up_rules_month = "*"; - $snort_up_rules_wday = "*"; + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; } - if ($snort_up_rules_info_ck == "7d_up") { - $snort_up_rules_min = "*"; - $snort_up_rules_hr = "*"; - $snort_up_rules_mday = "*/7"; - 
$snort_up_rules_month = "*"; - $snort_up_rules_wday = "*"; + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; } - if ($snort_up_rules_info_ck == "28d_up") { - $snort_up_rules_min = "*"; - $snort_up_rules_hr = "*"; - $snort_up_rules_mday = "*/28"; - $snort_up_rules_month = "*"; - $snort_up_rules_wday = "*"; + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; } switch($should_install) { case true: if(!$is_installed) { $cron_item = array(); - $cron_item['minute'] = "$snort_up_rules_min"; - $cron_item['hour'] = "$snort_up_rules_hr"; - $cron_item['mday'] = "$snort_up_rules_mday"; - $cron_item['month'] = "$snort_up_rules_month"; - $cron_item['wday'] = "$snort_up_rules_wday"; + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; $config['cron']['item'][] = $cron_item; @@ -820,13 +848,12 @@ function snort_up_rules_install_cron($should_install) { configure_cron(); } break; - } + } + } + snort_rules_up_install_cron(""); + snort_rules_up_install_cron($snort_rm_blocked_false); } -snort_up_rules_install_cron(""); -snort_up_rules_install_cron($snort_up_rules_false); - - /* open snort2c's whitelist for writing */ $whitelist = fopen("/var/db/whitelist", "w"); if(!$whitelist) { @@ -1283,7 +1310,6 @@ $alertsystemlog_type $tcpdumplog_type $snortmysqllog_info_chk $snortunifiedlog_type -$spoink_type ################# # 
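Review bot: The second call added in the `@@ -820` hunk, `snort_rules_up_install_cron($snort_rm_blocked_false);`, passes the block-hosts flag instead of the rules-update flag: the old code passed `$snort_up_rules_false`, which this commit renamed to `$snort_rules_up_false`, so the rules-update cron job is now installed or removed according to the rm_blocked setting rather than autorulesupdate7. Change it to `snort_rules_up_install_cron($snort_rules_up_false);`. The enclosing generate_snort_conf() continues outside the hunk.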
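Review bot: Removing `$spoink_type` from the generated snort.conf in the last hunk of snort.inc makes the blockoffenders7 option a silent no-op: the `@@ -352` hunk still computes `$spoink_type = "output alert_pf: /var/db/whitelist,snort2c";` when the checkbox is on, and `/var/db/whitelist` is still opened for writing, but nothing emits the output line any more. If dropping the pf output plugin is intentional, remove the `$spoink_info_chk`/`$spoink_type` assignment and the whitelist write as well and note the change for the option's description; otherwise restore the line in the template.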
diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml
index 08746e54..cf798303 100644
--- a/config/snort-dev/snort.xml
+++ b/config/snort-dev/snort.xml
@@ -364,12 +364,11 @@
 <type>checkbox</type>
 </field>
 </fields>
- <custom_add_php_command>
- </custom_add_php_command>
 <custom_php_resync_config_command>
- sync_package_snort_install();
 sync_package_snort();
 </custom_php_resync_config_command>
+ <custom_add_php_command>
+ </custom_add_php_command>
 <custom_php_install_command>
 sync_package_snort_reinstall();
 </custom_php_install_command> |