diff options
Diffstat (limited to 'config/snort-dev')
-rw-r--r-- | config/snort-dev/snort.inc | 3140 | ||||
-rw-r--r-- | config/snort-dev/snort_check_for_rule_updates.php | 1204 |
2 files changed, 2172 insertions, 2172 deletions
diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index 4c120818..456c991a 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -1,1570 +1,1570 @@ -<?php
-/* $Id$ */
-/*
- snort.inc
- Copyright (C) 2006 Scott Ullrich
- part of pfSense
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require_once("pfsense-utils.inc");
-
-// Needed on 2.0 because of get_vpns_list()
-require_once("filter.inc");
-
-/* Allow additional execution time 0 = no limit. */
-ini_set('max_execution_time', '9999');
-ini_set('max_input_time', '9999');
-
-/* define oinkid */
-if($config['installedpackages']['snort'])
- $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode'];
-
-function sync_package_snort_reinstall()
-{
- global $config;
- if(!$config['installedpackages']['snort'])
- return;
-
- /* create snort configuration file */
- create_snort_conf();
-
- /* start snort service */
- start_service("snort");
-}
-function sync_package_snort()
-{
- global $config, $g;
-
- mwexec("mkdir -p /var/log/snort/");
-
- if(!file_exists("/var/log/snort/alert"))
- touch("/var/log/snort/alert");
-
- /* snort -> advanced features */
- $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize'];
- $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize'];
- $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns'];
-
- /* set the snort performance model */
- if($config['installedpackages']['snort']['config'][0]['performance'])
- $snort_performance = $config['installedpackages']['snort']['config'][0]['performance'];
- else
- $snort_performance = "ac-bnfa";
-
- conf_mount_rw();
- /* create a few directories and ensure the sample files are in place */
- exec("/bin/mkdir -p /usr/local/etc/snort");
- exec("/bin/mkdir -p /var/log/snort");
- exec("/bin/mkdir -p /usr/local/etc/snort/rules");
- exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
- exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config");
- exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map");
- exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators");
- exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config");
- exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map");
- exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid");
- exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
- exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
- exec("/bin/rm -f /usr/local/etc/rc.d/snort");
-
- $first = 0;
- $snortInterfaces = array(); /* -gtm */
-
- $if_list = $config['installedpackages']['snort']['config'][0]['iface_array'];
- $if_array = split(',', $if_list);
- //print_r($if_array);
- if($if_array) {
- foreach($if_array as $iface) {
- $if = convert_friendly_interface_to_real_interface_name($iface);
-
- if($config['interfaces'][$iface]['ipaddr'] == "pppoe") {
- $if = "ng0";
- }
-
- /* build a list of user specified interfaces -gtm */
- if($if){
- array_push($snortInterfaces, $if);
- $first = 1;
- }
- }
-
- if (count($snortInterfaces) < 1) {
- log_error("Snort will not start. You must select an interface for it to listen on.");
- return;
- }
- }
- //print_r($snortInterfaces);
-
- /* create log directory */
- $start = "/bin/mkdir -p /var/log/snort\n";
-
- /* snort advanced features - bpf tuning */
- if($bpfbufsize)
- $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n";
- if($bpfmaxbufsize)
- $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n";
- if($bpfmaxinsns)
- $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n";
-
- /* go ahead and issue bpf changes */
- if($bpfbufsize)
- mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}");
- if($bpfmaxbufsize)
- mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}");
- if($bpfmaxinsns)
- mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}");
-
- /* always stop barnyard2 before starting snort -gtm */
- $start .= "/usr/bin/killall barnyard2\n";
-
- /* start a snort process for each interface -gtm */
- /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */
- /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */
- /* TODO; get snort to start under nologin shell */
- foreach($snortInterfaces as $snortIf)
- {
- $start .= "sleep 8\n";
- $start .= "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n";
- /* define snortbarnyardlog_chk */
- $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog'];
- if ($snortbarnyardlog_info_chk == on)
- $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n";
- }
- $check_if_snort_runs = "\nif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\texit 1\nfi\n\n";
- $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n";
- $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n";
- $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n";
- $del_old_pids = "\nrm -f /var/run/snort_*\n";
- $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n";
- $sample_after = "AFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n";
- if ($snort_performance == "ac-bnfa")
- $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n";
- else
- $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n";
- $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n";
- $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n";
- $echo_usage = "\nif [ \$WAITSECURE -eq 0 -a \"\$MYSNORTLOG\" = \"\" ] ; then\n\techo \"Snort has not finished starting, please check log for possible errors.\"\n";
- $echo_usage .= "else\n\t" . $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\nfi\n";
- $rm_snort_sh_pid = "\nrm /tmp/snort.sh.pid\n";
-
- /* write out rc.d start/stop file */
- write_rcfile(array(
- "file" => "snort.sh",
- "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}{$rm_snort_sh_pid}",
- "stop" => "/usr/bin/killall snort; killall barnyard2"
- )
- );
-
- /* create snort configuration file */
- create_snort_conf();
-
-/* create barnyard2 configuration file */
-$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog'];
-if ($snortbarnyardlog_info_chk == on)
- create_barnyard2_conf();
-
- /* snort will not start on install untill setting are set */
-if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") {
- /* start snort service */
- conf_mount_ro();
- start_service("snort");
- }
-}
-
-/* open barnyard2.conf for writing */
-function create_barnyard2_conf() {
- global $bconfig, $bg;
- /* write out barnyard2_conf */
- $barnyard2_conf_text = generate_barnyard2_conf();
-// conf_mount_rw();
- $bconf = fopen("/usr/local/etc/barnyard2.conf", "w");
- if(!$bconf) {
- log_error("Could not open /usr/local/etc/barnyard2.conf for writing.");
- exit;
- }
- fwrite($bconf, $barnyard2_conf_text);
- fclose($bconf);
-// conf_mount_ro();
-}
-/* open barnyard2.conf for writing" */
-function generate_barnyard2_conf() {
-
- global $config, $g;
- conf_mount_rw();
-
-/* define snortbarnyardlog */
-$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database'];
-
-$barnyard2_conf_text = <<<EOD
-
- Copyright (C) 2006 Scott Ullrich
- part of pfSense
- All rights reserved.
-
-# set the appropriate paths to the file(s) your Snort process is using
-config reference-map: /usr/local/etc/snort/reference.config
-config class-map: /usr/local/etc/snort/classification.config
-config gen-msg-map: /usr/local/etc/snort/gen-msg.map
-config sid-msg-map: /usr/local/etc/snort/sid-msg.map
-
-config hostname: pfsense.local
-config interface: vr0
-
-# Step 2: setup the input plugins
-input unified2
-
-# database: log to a variety of databases
-# output database: log, mysql, user=snort password=snort123 dbname=snort host=192.168.1.22
-
-$snortbarnyardlog_database_info_chk
-
-EOD;
-
- return $barnyard2_conf_text;
-
-}
-
-function create_snort_conf() {
- global $config, $g;
- /* write out snort.conf */
- $snort_conf_text = generate_snort_conf();
- conf_mount_rw();
- $conf = fopen("/usr/local/etc/snort/snort.conf", "w");
- if(!$conf) {
- log_error("Could not open /usr/local/etc/snort/snort.conf for writing.");
- exit;
- }
- fwrite($conf, $snort_conf_text);
- fclose($conf);
- conf_mount_ro();
-}
-
-function snort_deinstall() {
-
- global $config, $g;
-
- /* remove custom sysctl */
- remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480");
- /* decrease bpf buffers back to 4096, from 20480 */
- exec("/sbin/sysctl net.bpf.bufsize=4096");
- exec("/usr/bin/killall snort");
- sleep(5);
- exec("/usr/bin/killall -9 snort");
- exec("rm -f /usr/local/etc/rc.d/snort*");
- exec("rm -rf /usr/local/etc/snort*");
- exec("cd /var/db/pkg && pkg_delete `ls | grep snort`");
- exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client`");
- exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`");
- exec("/usr/bin/killall -9 snort");
- exec("/usr/bin/killall snort");
-
- /* Remove snort cron entries Ugly code needs smoothness*/
-
- function snort_rm_blocked_deinstall_cron($should_install) {
- global $config, $g;
-
- $is_installed = false;
-
- if(!$config['cron']['item'])
- return;
-
- $x=0;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "snort2c")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
- if($is_installed == true) {
- if($x > 0) {
- unset($config['cron']['item'][$x]);
- write_config();
- }
- configure_cron();
- }
- }
-
- function snort_rules_up_deinstall_cron($should_install) {
- global $config, $g;
-
- $is_installed = false;
-
- if(!$config['cron']['item'])
- return;
-
- $x=0;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "snort_check_for_rule_updates.php")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
- if($is_installed == true) {
- if($x > 0) {
- unset($config['cron']['item'][$x]);
- write_config();
- }
- configure_cron();
- }
- }
-
-snort_rm_blocked_deinstall_cron("");
-snort_rules_up_deinstall_cron("");
-
-
- /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */
- /* Keep this as a last step */
- unset($config['installedpackages']['snort']['config'][0]['autorulesupdate7']);
- unset($config['installedpackages']['snort']['config'][0]['rm_blocked']);
- write_config();
-
-}
-
-function generate_snort_conf() {
-
- global $config, $g;
- conf_mount_rw();
- /* obtain external interface */
- /* XXX: make multi wan friendly */
- $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0];
-
- $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru'];
-
-/* define snortalertlogtype */
-$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype'];
-if ($snortalertlogtype == fast)
- $snortalertlogtype_type = "output alert_fast: alert";
-else
- $snortalertlogtype_type = "output alert_full: alert";
-
-/* define alertsystemlog */
-$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog'];
-if ($alertsystemlog_info_chk == on)
- $alertsystemlog_type = "output alert_syslog: log_alert";
-
-/* define tcpdumplog */
-$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog'];
-if ($tcpdumplog_info_chk == on)
- $tcpdumplog_type = "output log_tcpdump: snorttcpd.log";
-
-/* define snortbarnyardlog_chk */
-$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog'];
-if ($snortbarnyardlog_info_chk == on)
- $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D";
-
-/* define snortunifiedlog */
-$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog'];
-if ($snortunifiedlog_info_chk == on)
- $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128";
-
-/* define spoink */
-$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7'];
-if ($spoink_info_chk == on)
- $spoink_type = "output alert_pf: /var/db/whitelist,snort2c";
-
- /* define servers and ports snortdefservers */
-
-/* def DNS_SERVSERS */
-$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers'];
-if ($def_dns_servers_info_chk == "")
- $def_dns_servers_type = "\$HOME_NET";
-else
- $def_dns_servers_type = "$def_dns_servers_info_chk";
-
-/* def DNS_PORTS */
-$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports'];
-if ($def_dns_ports_info_chk == "")
- $def_dns_ports_type = "53";
-else
- $def_dns_ports_type = "$def_dns_ports_info_chk";
-
-/* def SMTP_SERVSERS */
-$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers'];
-if ($def_smtp_servers_info_chk == "")
- $def_smtp_servers_type = "\$HOME_NET";
-else
- $def_smtp_servers_type = "$def_smtp_servers_info_chk";
-
-/* def SMTP_PORTS */
-$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports'];
-if ($def_smtp_ports_info_chk == "")
- $def_smtp_ports_type = "25";
-else
- $def_smtp_ports_type = "$def_smtp_ports_info_chk";
-
-/* def MAIL_PORTS */
-$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports'];
-if ($def_mail_ports_info_chk == "")
- $def_mail_ports_type = "25,143,465,691";
-else
- $def_mail_ports_type = "$def_mail_ports_info_chk";
-
-/* def HTTP_SERVSERS */
-$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers'];
-if ($def_http_servers_info_chk == "")
- $def_http_servers_type = "\$HOME_NET";
-else
- $def_http_servers_type = "$def_http_servers_info_chk";
-
-/* def WWW_SERVSERS */
-$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers'];
-if ($def_www_servers_info_chk == "")
- $def_www_servers_type = "\$HOME_NET";
-else
- $def_www_servers_type = "$def_www_servers_info_chk";
-
-/* def HTTP_PORTS */
-$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports'];
-if ($def_http_ports_info_chk == "")
- $def_http_ports_type = "80";
-else
- $def_http_ports_type = "$def_http_ports_info_chk";
-
-/* def SQL_SERVSERS */
-$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers'];
-if ($def_sql_servers_info_chk == "")
- $def_sql_servers_type = "\$HOME_NET";
-else
- $def_sql_servers_type = "$def_sql_servers_info_chk";
-
-/* def ORACLE_PORTS */
-$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports'];
-if ($def_oracle_ports_info_chk == "")
- $def_oracle_ports_type = "1521";
-else
- $def_oracle_ports_type = "$def_oracle_ports_info_chk";
-
-/* def MSSQL_PORTS */
-$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports'];
-if ($def_mssql_ports_info_chk == "")
- $def_mssql_ports_type = "1433";
-else
- $def_mssql_ports_type = "$def_mssql_ports_info_chk";
-
-/* def TELNET_SERVSERS */
-$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers'];
-if ($def_telnet_servers_info_chk == "")
- $def_telnet_servers_type = "\$HOME_NET";
-else
- $def_telnet_servers_type = "$def_telnet_servers_info_chk";
-
-/* def TELNET_PORTS */
-$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports'];
-if ($def_telnet_ports_info_chk == "")
- $def_telnet_ports_type = "23";
-else
- $def_telnet_ports_type = "$def_telnet_ports_info_chk";
-
-/* def SNMP_SERVSERS */
-$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers'];
-if ($def_snmp_servers_info_chk == "")
- $def_snmp_servers_type = "\$HOME_NET";
-else
- $def_snmp_servers_type = "$def_snmp_servers_info_chk";
-
-/* def SNMP_PORTS */
-$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports'];
-if ($def_snmp_ports_info_chk == "")
- $def_snmp_ports_type = "161";
-else
- $def_snmp_ports_type = "$def_snmp_ports_info_chk";
-
-/* def FTP_SERVSERS */
-$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers'];
-if ($def_ftp_servers_info_chk == "")
- $def_ftp_servers_type = "\$HOME_NET";
-else
- $def_ftp_servers_type = "$def_ftp_servers_info_chk";
-
-/* def FTP_PORTS */
-$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports'];
-if ($def_ftp_ports_info_chk == "")
- $def_ftp_ports_type = "21";
-else
- $def_ftp_ports_type = "$def_ftp_ports_info_chk";
-
-/* def SSH_SERVSERS */
-$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers'];
-if ($def_ssh_servers_info_chk == "")
- $def_ssh_servers_type = "\$HOME_NET";
-else
- $def_ssh_servers_type = "$def_ssh_servers_info_chk";
-
-/* if user has defined a custom ssh port, use it */
-if($config['system']['ssh']['port'])
- $ssh_port = $config['system']['ssh']['port'];
-else
- $ssh_port = "22";
-
-/* def SSH_PORTS */
-$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports'];
-if ($def_ssh_ports_info_chk == "")
- $def_ssh_ports_type = "{$ssh_port}";
-else
- $def_ssh_ports_type = "$def_ssh_ports_info_chk";
-
-/* def POP_SERVSERS */
-$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers'];
-if ($def_pop_servers_info_chk == "")
- $def_pop_servers_type = "\$HOME_NET";
-else
- $def_pop_servers_type = "$def_pop_servers_info_chk";
-
-/* def POP2_PORTS */
-$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports'];
-if ($def_pop2_ports_info_chk == "")
- $def_pop2_ports_type = "109";
-else
- $def_pop2_ports_type = "$def_pop2_ports_info_chk";
-
-/* def POP3_PORTS */
-$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports'];
-if ($def_pop3_ports_info_chk == "")
- $def_pop3_ports_type = "110";
-else
- $def_pop3_ports_type = "$def_pop3_ports_info_chk";
-
-/* def IMAP_SERVSERS */
-$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers'];
-if ($def_imap_servers_info_chk == "")
- $def_imap_servers_type = "\$HOME_NET";
-else
- $def_imap_servers_type = "$def_imap_servers_info_chk";
-
-/* def IMAP_PORTS */
-$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports'];
-if ($def_imap_ports_info_chk == "")
- $def_imap_ports_type = "143";
-else
- $def_imap_ports_type = "$def_imap_ports_info_chk";
-
-/* def SIP_PROXY_IP */
-$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip'];
-if ($def_sip_proxy_ip_info_chk == "")
- $def_sip_proxy_ip_type = "\$HOME_NET";
-else
- $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk";
-
-/* def SIP_PROXY_PORTS */
-$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports'];
-if ($def_sip_proxy_ports_info_chk == "")
- $def_sip_proxy_ports_type = "5060:5090,16384:32768";
-else
- $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk";
-
-/* def AUTH_PORTS */
-$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports'];
-if ($def_auth_ports_info_chk == "")
- $def_auth_ports_type = "113";
-else
- $def_auth_ports_type = "$def_auth_ports_info_chk";
-
-/* def FINGER_PORTS */
-$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports'];
-if ($def_finger_ports_info_chk == "")
- $def_finger_ports_type = "79";
-else
- $def_finger_ports_type = "$def_finger_ports_info_chk";
-
-/* def IRC_PORTS */
-$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports'];
-if ($def_irc_ports_info_chk == "")
- $def_irc_ports_type = "6665,6666,6667,6668,6669,7000";
-else
- $def_irc_ports_type = "$def_irc_ports_info_chk";
-
-/* def NNTP_PORTS */
-$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports'];
-if ($def_nntp_ports_info_chk == "")
- $def_nntp_ports_type = "119";
-else
- $def_nntp_ports_type = "$def_nntp_ports_info_chk";
-
-/* def RLOGIN_PORTS */
-$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports'];
-if ($def_rlogin_ports_info_chk == "")
- $def_rlogin_ports_type = "513";
-else
- $def_rlogin_ports_type = "$def_rlogin_ports_info_chk";
-
-/* def RSH_PORTS */
-$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports'];
-if ($def_rsh_ports_info_chk == "")
- $def_rsh_ports_type = "514";
-else
- $def_rsh_ports_type = "$def_rsh_ports_info_chk";
-
-/* def SSL_PORTS */
-$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports'];
-if ($def_ssl_ports_info_chk == "")
- $def_ssl_ports_type = "25,443,465,636,993,995";
-else
- $def_ssl_ports_type = "$def_ssl_ports_info_chk";
-
- /* add auto update scripts to /etc/crontab */
-// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php";
-// $filenamea = "/etc/crontab";
-// remove_text_from_file($filenamea, $text_ww);
-// add_text_to_file($filenamea, $text_ww);
-// exec("killall -HUP cron"); */
-
- /* should we install a automatic update crontab entry? */
- $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate'];
-
- /* if user is on pppoe, we really want to use ng0 interface */
- if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe")
- $snort_ext_int = "ng0";
-
- /* set the snort performance model */
- if($config['installedpackages']['snort']['config'][0]['performance'])
- $snort_performance = $config['installedpackages']['snort']['config'][0]['performance'];
- else
- $snort_performance = "ac-bnfa";
-
- /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */
- $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked'];
- if ($snort_rm_blocked_info_ck == "never_b")
- $snort_rm_blocked_false = "";
- else
- $snort_rm_blocked_false = "true";
-
-if ($snort_rm_blocked_info_ck != "") {
-function snort_rm_blocked_install_cron($should_install) {
- global $config, $g;
-
- if ($g['booting']==true)
- return;
-
- $is_installed = false;
-
- if(!$config['cron']['item'])
- return;
-
- $x=0;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "snort2c")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
- $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked'];
- if ($snort_rm_blocked_info_ck == "1h_b") {
- $snort_rm_blocked_min = "*/5";
- $snort_rm_blocked_hr = "*";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "3600";
- }
- if ($snort_rm_blocked_info_ck == "3h_b") {
- $snort_rm_blocked_min = "*/15";
- $snort_rm_blocked_hr = "*";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "10800";
- }
- if ($snort_rm_blocked_info_ck == "6h_b") {
- $snort_rm_blocked_min = "*/30";
- $snort_rm_blocked_hr = "*";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "21600";
- }
- if ($snort_rm_blocked_info_ck == "12h_b") {
- $snort_rm_blocked_min = "*";
- $snort_rm_blocked_hr = "*/1";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "43200";
- }
- if ($snort_rm_blocked_info_ck == "1d_b") {
- $snort_rm_blocked_min = "*";
- $snort_rm_blocked_hr = "*/2";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "86400";
- }
- if ($snort_rm_blocked_info_ck == "4d_b") {
- $snort_rm_blocked_min = "*";
- $snort_rm_blocked_hr = "*/8";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "345600";
- }
- if ($snort_rm_blocked_info_ck == "7d_b") {
- $snort_rm_blocked_min = "*";
- $snort_rm_blocked_hr = "*/14";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "604800";
- }
- if ($snort_rm_blocked_info_ck == "28d_b") {
- $snort_rm_blocked_min = "*";
- $snort_rm_blocked_hr = "*";
- $snort_rm_blocked_mday = "*/2";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "2419200";
- }
- switch($should_install) {
- case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "$snort_rm_blocked_min";
- $cron_item['hour'] = "$snort_rm_blocked_hr";
- $cron_item['mday'] = "$snort_rm_blocked_mday";
- $cron_item['month'] = "$snort_rm_blocked_month";
- $cron_item['wday'] = "$snort_rm_blocked_wday";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
- $config['cron']['item'][] = $cron_item;
- write_config("Installed 15 minute filter reload for Time Based Rules");
- configure_cron();
- }
- break;
- case false:
- if($is_installed == true) {
- if($x > 0) {
- unset($config['cron']['item'][$x]);
- write_config();
- }
- configure_cron();
- }
- break;
- }
- }
- snort_rm_blocked_install_cron("");
- snort_rm_blocked_install_cron($snort_rm_blocked_false);
-}
-
- /* set the snort rules update time */
- $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7'];
- if ($snort_rules_up_info_ck == "never_up")
- $snort_rules_up_false = "";
- else
- $snort_rules_up_false = "true";
-
-if ($snort_rules_up_info_ck != "") {
-function snort_rules_up_install_cron($should_install) {
- global $config, $g;
-
- if ($g['booting']==true)
- return;
-
- $is_installed = false;
-
- if(!$config['cron']['item'])
- return;
-
- $x=0;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "snort_check_for_rule_updates.php")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
- $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7'];
- if ($snort_rules_up_info_ck == "6h_up") {
- $snort_rules_up_min = "*";
- $snort_rules_up_hr = "*/6";
- $snort_rules_up_mday = "*";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "12h_up") {
- $snort_rules_up_min = "*";
- $snort_rules_up_hr = "*/12";
- $snort_rules_up_mday = "*";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "1d_up") {
- $snort_rules_up_min = "*";
- $snort_rules_up_hr = "*";
- $snort_rules_up_mday = "*/1";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "4d_up") {
- $snort_rules_up_min = "*";
- $snort_rules_up_hr = "*";
- $snort_rules_up_mday = "*/4";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "7d_up") {
- $snort_rules_up_min = "*";
- $snort_rules_up_hr = "*";
- $snort_rules_up_mday = "*/7";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "28d_up") {
- $snort_rules_up_min = "*";
- $snort_rules_up_hr = "*";
- $snort_rules_up_mday = "*/28";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- switch($should_install) {
- case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "$snort_rules_up_min";
- $cron_item['hour'] = "$snort_rules_up_hr";
- $cron_item['mday'] = "$snort_rules_up_mday";
- $cron_item['month'] = "$snort_rules_up_month";
- $cron_item['wday'] = "$snort_rules_up_wday";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log";
- $config['cron']['item'][] = $cron_item;
- write_config("Installed 15 minute filter reload for Time Based Rules");
- configure_cron();
- }
- break;
- case false:
- if($is_installed == true) {
- if($x > 0) {
- unset($config['cron']['item'][$x]);
- write_config();
- }
- configure_cron();
- }
- break;
- }
- }
- snort_rules_up_install_cron("");
- snort_rules_up_install_cron($snort_rules_up_false);
-}
-
- /* open snort2c's whitelist for writing */
- $whitelist = fopen("/var/db/whitelist", "w");
- if(!$whitelist) {
- log_error("Could not open /var/db/whitelist for writing.");
- return;
- }
-
- /* build an interface array list */
- $int_array = array('lan');
- for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++)
- if(isset($config['interfaces']['opt' . $j]['enable']))
- if(!$config['interfaces']['opt' . $j]['gateway'])
- $int_array[] = "opt{$j}";
-
- /* iterate through interface list and write out whitelist items
- * and also compile a home_net list for snort.
- */
- foreach($int_array as $int) {
- /* calculate interface subnet information */
- $ifcfg = &$config['interfaces'][$int];
- $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']);
- $subnetmask = gen_subnet_mask($ifcfg['subnet']);
- if($subnet == "pppoe" or $subnet == "dhcp") {
- $subnet = find_interface_ip("ng0");
- if($subnet)
- $home_net .= "{$subnet} ";
- } else {
- if ($subnet)
- if($ifcfg['subnet'])
- $home_net .= "{$subnet}/{$ifcfg['subnet']} ";
- }
- }
-
- /* add all WAN ips to the whitelist */
- $wan_if = get_real_wan_interface();
- $ip = find_interface_ip($wan_if);
- if($ip)
- $home_net .= "{$ip} ";
-
- /* Add Gateway on WAN interface to whitelist (For RRD graphs) */
- $int = convert_friendly_interface_to_real_interface_name("WAN");
- $gw = get_interface_gateway($int);
- if($gw)
- $home_net .= "{$gw} ";
-
- /* Add DNS server for WAN interface to whitelist */
- $dns_servers = get_dns_servers();
- foreach($dns_servers as $dns) {
- if($dns)
- $home_net .= "{$dns} ";
- }
-
- /* Add loopback to whitelist (ftphelper) */
- $home_net .= "127.0.0.1 ";
-
- /* iterate all vips and add to whitelist */
- if($config['virtualip'])
- foreach($config['virtualip']['vip'] as $vip)
- if($vip['subnet'])
- $home_net .= $vip['subnet'] . " ";
-
- if($config['installedpackages']['snortwhitelist'])
- foreach($config['installedpackages']['snortwhitelist']['config'] as $snort)
- if($snort['ip'])
- $home_net .= $snort['ip'] . " ";
-
- /* write out whitelist, convert spaces to carriage returns */
- $whitelist_home_net = str_replace(" ", " ", $home_net);
- $whitelist_home_net = str_replace(" ", "\n", $home_net);
-
- /* make $home_net presentable to snort */
- $home_net = trim($home_net);
- $home_net = str_replace(" ", ",", $home_net);
- $home_net = "[{$home_net}]";
-
- /* foreach through whitelist, writing out to file */
- $whitelist_split = split("\n", $whitelist_home_net);
- foreach($whitelist_split as $wl)
- if(trim($wl))
- fwrite($whitelist, trim($wl) . "\n");
-
- /* should we whitelist vpns? */
- $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns'];
-
- /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */
- if($whitelistvpns) {
- $vpns_list = get_vpns_list();
- $whitelist_vpns = split(" ", $vpns_list);
- foreach($whitelist_vpns as $wl)
- if(trim($wl))
- fwrite($whitelist, trim($wl) . "\n");
- }
-
- /* close file */
- fclose($whitelist);
-
- /* open snort's threshold.conf for writing */
- $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w");
- if(!$threshlist) {
- log_error("Could not open /usr/local/etc/snort/threshold.conf for writing.");
- return;
- }
-
- /* list all entries to new lines */
- if($config['installedpackages']['snortthreshold'])
- foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist)
- if($snortthreshlist['threshrule'])
- $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n";
-
-
- /* foreach through threshlist, writing out to file */
- $threshlist_split = split("\n", $snortthreshlist_r);
- foreach($threshlist_split as $wl)
- if(trim($wl))
- fwrite($threshlist, trim($wl) . "\n");
-
- /* close snort's threshold.conf file */
- fclose($threshlist);
-
- /* generate rule sections to load */
- $enabled_rulesets = $config['installedpackages']['snort']['rulesets'];
- if($enabled_rulesets) {
- $selected_rules_sections = "";
- $enabled_rulesets_array = split("\|\|", $enabled_rulesets);
- foreach($enabled_rulesets_array as $enabled_item)
- $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
- }
-
- conf_mount_ro();
-
- /* build snort configuration file */
- /* TODO; feed back from pfsense users to reduce false positives */
- $snort_conf_text = <<<EOD
-
-# snort configuration file
-# generated by the pfSense
-# package manager system
-# see /usr/local/pkg/snort.inc
-# for more information
-
-#########################
- #
-# Define Local Network #
- #
-#########################
-
-var HOME_NET {$home_net}
-var EXTERNAL_NET !\$HOME_NET
-
-###################
- #
-# Define Servers #
- #
-###################
-
-var DNS_SERVERS [{$def_dns_servers_type}]
-var SMTP_SERVERS [{$def_smtp_servers_type}]
-var HTTP_SERVERS [{$def_http_servers_type}]
-var SQL_SERVERS [{$def_sql_servers_type}]
-var TELNET_SERVERS [{$def_telnet_servers_type}]
-var SNMP_SERVERS [{$def_snmp_servers_type}]
-var FTP_SERVERS [{$def_ftp_servers_type}]
-var SSH_SERVERS [{$def_ssh_servers_type}]
-var POP_SERVERS [{$def_pop_servers_type}]
-var IMAP_SERVERS [{$def_imap_servers_type}]
-var RPC_SERVERS \$HOME_NET
-var WWW_SERVERS [{$def_www_servers_type}]
-var SIP_PROXY_IP [{$def_sip_proxy_ip_type}]
-var AIM_SERVERS \
-[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
-
-########################
- #
-# Define Server Ports #
- #
-########################
-
-portvar HTTP_PORTS [{$def_http_ports_type}]
-portvar SHELLCODE_PORTS !80
-portvar ORACLE_PORTS [{$def_oracle_ports_type}]
-portvar AUTH_PORTS [{$def_auth_ports_type}]
-portvar DNS_PORTS [{$def_dns_ports_type}]
-portvar FINGER_PORTS [{$def_finger_ports_type}]
-portvar FTP_PORTS [{$def_ftp_ports_type}]
-portvar IMAP_PORTS [{$def_imap_ports_type}]
-portvar IRC_PORTS [{$def_irc_ports_type}]
-portvar MSSQL_PORTS [{$def_mssql_ports_type}]
-portvar NNTP_PORTS [{$def_nntp_ports_type}]
-portvar POP2_PORTS [{$def_pop2_ports_type}]
-portvar POP3_PORTS [{$def_pop3_ports_type}]
-portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
-portvar RLOGIN_PORTS [{$def_rlogin_ports_type}]
-portvar RSH_PORTS [{$def_rsh_ports_type}]
-portvar SMB_PORTS [139,445]
-portvar SMTP_PORTS [{$def_smtp_ports_type}]
-portvar SNMP_PORTS [{$def_snmp_ports_type}]
-portvar SSH_PORTS [{$def_ssh_ports_type}]
-portvar TELNET_PORTS [{$def_telnet_ports_type}]
-portvar MAIL_PORTS [{$def_mail_ports_type}]
-portvar SSL_PORTS [{$def_ssl_ports_type}]
-portvar SIP_PROXY_PORTS [{$def_sip_proxy_ports_type}]
-
-# DCERPC NCACN-IP-TCP
-portvar DCERPC_NCACN_IP_TCP [139,445]
-portvar DCERPC_NCADG_IP_UDP [138,1024:]
-portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
-portvar DCERPC_NCACN_UDP_LONG [135,1024:]
-portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
-portvar DCERPC_NCACN_TCP [2103,2105,2107]
-portvar DCERPC_BRIGHTSTORE [6503,6504]
-
-#####################
- #
-# Define Rule Paths #
- #
-#####################
-
-var RULE_PATH /usr/local/etc/snort/rules
-# var PREPROC_RULE_PATH ./preproc_rules
-
-################################
- #
-# Configure the snort decoder #
- #
-################################
-
-config checksum_mode: all
-config disable_decode_alerts
-config disable_tcpopt_experimental_alerts
-config disable_tcpopt_obsolete_alerts
-config disable_ttcp_alerts
-config disable_tcpopt_alerts
-config disable_ipopt_alerts
-config disable_decode_drops
-
-###################################
- #
-# Configure the detection engine #
-# Use lower memory models #
- #
-###################################
-
-config detection: search-method {$snort_performance}
-config detection: max_queue_events 5
-config event_queue: max_queue 8 log 3 order_events content_length
-
-#Configure dynamic loaded libraries
-dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
-dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
-dynamicdetection directory /usr/local/lib/snort/dynamicrules/
-
-###################
- #
-# Flow and stream #
- #
-###################
-
-preprocessor frag3_global: max_frags 8192
-preprocessor frag3_engine: policy windows
-preprocessor frag3_engine: policy linux
-preprocessor frag3_engine: policy first
-preprocessor frag3_engine: policy bsd detect_anomalies
-
-preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
-track_udp yes
-# track_icmp yes
-preprocessor stream5_tcp: bind_to any, policy windows
-preprocessor stream5_tcp: bind_to any, policy linux
-preprocessor stream5_tcp: bind_to any, policy vista
-preprocessor stream5_tcp: bind_to any, policy macos
-preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes
-preprocessor stream5_udp
-# preprocessor stream5_icmp
-
-##########################
- #
-# NEW #
-# Performance Statistics #
- #
-##########################
-
-preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
-
-#################
- #
-# HTTP Inspect #
- #
-#################
-
-preprocessor http_inspect: global iis_unicode_map unicode.map 1252
-
-preprocessor http_inspect_server: server default \
- ports { 80 8080 } \
- no_alerts \
- non_strict \
- non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
- flow_depth 0 \
- apache_whitespace yes \
- directory no \
- iis_backslash no \
- u_encode yes \
- ascii yes \
- chunk_length 500000 \
- bare_byte yes \
- double_decode yes \
- iis_unicode yes \
- iis_delimiter yes \
- multi_slash no
-
-##################
- #
-# Other preprocs #
- #
-##################
-
-preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
-preprocessor bo
-
-#####################
- #
-# ftp preprocessor #
- #
-#####################
-
-preprocessor ftp_telnet: global \
-inspection_type stateless
-
-preprocessor ftp_telnet_protocol: telnet \
- normalize \
- ayt_attack_thresh 200
-
-preprocessor ftp_telnet_protocol: \
- ftp server default \
- def_max_param_len 100 \
- ports { 21 } \
- ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
- ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
- ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
- ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
- ftp_cmds { FEAT CEL CMD MACB } \
- ftp_cmds { MDTM REST SIZE MLST MLSD } \
- ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
- alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
- alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
- alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
- alt_max_param_len 256 { RNTO CWD } \
- alt_max_param_len 400 { PORT } \
- alt_max_param_len 512 { SIZE } \
- chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
- chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
- chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
- chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
- chk_str_fmt { FEAT CEL CMD } \
- chk_str_fmt { MDTM REST SIZE MLST MLSD } \
- chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
- cmd_validity MODE < char ASBCZ > \
- cmd_validity STRU < char FRP > \
- cmd_validity ALLO < int [ char R int ] > \
- cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
- cmd_validity PORT < host_port >
-
-preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 256 \
- bounce yes \
- telnet_cmds yes
-
-#####################
- #
-# SMTP preprocessor #
- #
-#####################
-
-preprocessor SMTP: \
- ports { 25 465 691 } \
- inspection_type stateful \
- normalize cmds \
- valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
-CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
-PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- max_header_line_len 1000 \
- max_response_line_len 512 \
- alt_max_command_line_len 260 { MAIL } \
- alt_max_command_line_len 300 { RCPT } \
- alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
- alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
- alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
- alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
- alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- xlink2state { enable }
-
-################
- #
-# sf Portscan #
- #
-################
-
-preprocessor sfportscan: scan_type { all } \
- proto { all } \
- memcap { 10000000 } \
- sense_level { medium } \
- ignore_scanners { \$HOME_NET }
-
-############################
- #
-# OLD #
-# preprocessor dcerpc: \ #
-# autodetect \ #
-# max_frag_size 3000 \ #
-# memcap 100000 #
- #
-############################
-
-###############
- #
-# NEW #
-# DCE/RPC 2 #
- #
-###############
-
-preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
-preprocessor dcerpc2_server: default, policy WinXP, \
- detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
- autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
- smb_max_chain 3
-
-####################
- #
-# DNS preprocessor #
- #
-####################
-
-preprocessor dns: \
- ports { 53 } \
- enable_rdata_overflow
-
-##############################
- #
-# NEW #
-# Ignore SSL and Encryption #
- #
-##############################
-
-preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted
-
-#####################
- #
-# Snort Output Logs #
- #
-#####################
-
-$snortalertlogtype_type
-$alertsystemlog_type
-$tcpdumplog_type
-$snortmysqllog_info_chk
-$snortunifiedlog_type
-$spoink_type
-
-#################
- #
-# Misc Includes #
- #
-#################
-
-include /usr/local/etc/snort/reference.config
-include /usr/local/etc/snort/classification.config
-include /usr/local/etc/snort/threshold.conf
-
-# Snort user pass through configuration
-{$snort_config_pass_thru}
-
-###################
- #
-# Rules Selection #
- #
-###################
-
-{$selected_rules_sections}
-
-EOD;
-
- return $snort_conf_text;
-}
-
-/* check downloaded text from snort.org to make sure that an error did not occur
- * for example, if you are not a premium subscriber you can only download rules
- * so often, etc.
- */
-function check_for_common_errors($filename) {
- global $snort_filename, $snort_filename_md5, $console_mode;
- ob_flush();
- $contents = file_get_contents($filename);
- if(stristr($contents, "You don't have permission")) {
- if(!$console_mode) {
- update_all_status("An error occured while downloading {$filename}.");
- hide_progress_bar_status();
- } else {
- log_error("An error occured. Scroll down to inspect it's contents.");
- echo "An error occured. Scroll down to inspect it's contents.";
- }
- if(!$console_mode) {
- update_output_window(strip_tags("$contents"));
- } else {
- $contents = strip_tags($contents);
- log_error("Error downloading snort rules: {$contents}");
- echo "Error downloading snort rules: {$contents}";
- }
- scroll_down_to_bottom_of_page();
- exit;
- }
-}
-
-/* force browser to scroll all the way down */
-function scroll_down_to_bottom_of_page() {
- global $snort_filename, $console_mode;
- ob_flush();
- if(!$console_mode)
- echo "\n<script type=\"text/javascript\">parent.scrollTo(0,1500);\n</script>";
-}
-
-/* ensure downloaded file looks sane */
-function verify_downloaded_file($filename) {
- global $snort_filename, $snort_filename_md5, $console_mode;
- ob_flush();
- if(filesize($filename)<9500) {
- if(!$console_mode) {
- update_all_status("Checking {$filename}...");
- check_for_common_errors($filename);
- }
- }
- update_all_status("Verifying {$filename}...");
- if(!file_exists($filename)) {
- if(!$console_mode) {
- update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again.");
- hide_progress_bar_status();
- } else {
- log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again.");
- echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again.";
- }
- exit;
- }
- update_all_status("Verifyied {$filename}.");
-}
-
-/* extract rules */
-function extract_snort_rules_md5($tmpfname) {
- global $snort_filename, $snort_filename_md5, $console_mode;
- ob_flush();
- if(!$console_mode) {
- $static_output = gettext("Extracting snort rules...");
- update_all_status($static_output);
- }
- if(!is_dir("/usr/local/etc/snort/rules/"))
- mkdir("/usr/local/etc/snort/rules/");
- $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/";
- $handle = popen("{$cmd} 2>&1", 'r');
- while(!feof($handle)) {
- $buffer = fgets($handle);
- update_output_window($buffer);
- }
- pclose($handle);
-
- if(!$console_mode) {
- $static_output = gettext("Snort rules extracted.");
- update_all_status($static_output);
- } else {
- log_error("Snort rules extracted.");
- echo "Snort rules extracted.";
- }
-}
-
-/* verify MD5 against downloaded item */
-function verify_snort_rules_md5($tmpfname) {
- global $snort_filename, $snort_filename_md5, $console_mode;
- ob_flush();
- if(!$console_mode) {
- $static_output = gettext("Verifying md5 signature...");
- update_all_status($static_output);
- }
-
- $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
- $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`;
- $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`;
- if($md5 == $file_md5_ondisk) {
- if(!$console_mode) {
- $static_output = gettext("snort rules: md5 signature of rules mismatch.");
- update_all_status($static_output);
- hide_progress_bar_status();
- } else {
- log_error("snort rules: md5 signature of rules mismatch.");
- echo "snort rules: md5 signature of rules mismatch.";
- }
- exit;
- }
-}
-
-/* hide progress bar */
-function hide_progress_bar_status() {
- global $snort_filename, $snort_filename_md5, $console_mode;
- ob_flush();
- if(!$console_mode)
- echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>";
-}
-
-/* unhide progress bar */
-function unhide_progress_bar_status() {
- global $snort_filename, $snort_filename_md5, $console_mode;
- ob_flush();
- if(!$console_mode)
- echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>";
-}
-
-/* update both top and bottom text box during an operation */
-function update_all_status($status) {
- global $snort_filename, $snort_filename_md5, $console_mode;
- ob_flush();
- if(!$console_mode) {
- update_status($status);
- update_output_window($status);
- }
-}
-
-/* obtain alert description for an ip address */
-function get_snort_alert($ip) {
- global $snort_alert_file_split, $snort_config;
- if(!file_exists("/var/log/snort/alert"))
- return;
- if(!$snort_config)
- $snort_config = read_snort_config_cache();
- if($snort_config[$ip])
- return $snort_config[$ip];
- if(!$snort_alert_file_split)
- $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert"));
- foreach($snort_alert_file_split as $fileline) {
- if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
- $alert_title = $matches[2];
- if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches))
- $alert_ip = $matches[0];
- if($alert_ip == $ip) {
- if(!$snort_config[$ip])
- $snort_config[$ip] = $alert_title;
- return $alert_title;
- }
- }
- return "n/a";
-}
-
-function make_clickable($buffer) {
- global $config, $g;
- /* if clickable urls is disabled, simply return buffer back to caller */
- $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode'];
- if(!$clickablalerteurls)
- return $buffer;
- $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer);
- $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer);
- $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","<a href=\"mailto:\\1\">\\1</a>", $buffer);
- $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $buffer);
- $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"ftp://\\2\" target=\"_blank\">\\2</a>", $buffer);
-
- return $buffer;
-}
-
-function read_snort_config_cache() {
- global $g, $config, $snort_config;
- if($snort_config)
- return $snort_config;
- if(file_exists($g['tmp_path'] . '/snort_config.cache')) {
- $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache'));
- return $snort_config;
- }
- return;
-}
-
-function write_snort_config_cache($snort_config) {
- global $g, $config;
- conf_mount_rw();
- $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w");
- if(!$configcache) {
- log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing.");
- return false;
- }
- fwrite($configcache, serialize($snort_config));
- fclose($configcache);
- conf_mount_ro();
- return true;
-}
-
-function snort_advanced() {
- global $g, $config;
- sync_package_snort();
-}
-
-function snort_define_servers() {
- global $g, $config;
- sync_package_snort();
-}
-
-?>
+<?php +/* $Id$ */ +/* + snort.inc + Copyright (C) 2006 Scott Ullrich + part of pfSense + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("pfsense-utils.inc"); + +// Needed on 2.0 because of get_vpns_list() +require_once("filter.inc"); + +/* Allow additional execution time 0 = no limit. */ +ini_set('max_execution_time', '9999'); +ini_set('max_input_time', '9999'); + +/* define oinkid */ +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + +function sync_package_snort_reinstall() +{ + global $config; + if(!$config['installedpackages']['snort']) + return; + + /* create snort configuration file */ + create_snort_conf(); + + /* start snort service */ + start_service("snort"); +} +function sync_package_snort() +{ + global $config, $g; + + mwexec("mkdir -p /var/log/snort/"); + + if(!file_exists("/var/log/snort/alert")) + touch("/var/log/snort/alert"); + + /* snort -> advanced features */ + $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize']; + $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize']; + $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns']; + + /* set the snort performance model */ + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + else + $snort_performance = "ac-bnfa"; + + conf_mount_rw(); + /* create a few directories and ensure the sample files are in place */ + exec("/bin/mkdir -p /usr/local/etc/snort"); + exec("/bin/mkdir -p /var/log/snort"); + exec("/bin/mkdir -p /usr/local/etc/snort/rules"); + exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); + exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config"); + exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map"); + exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators"); + exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config"); + exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map"); + exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid"); + exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf"); + exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); + exec("/bin/rm -f /usr/local/etc/rc.d/snort"); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; + } + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; + } + } + //print_r($snortInterfaces); + + /* create log directory */ + $start = "/bin/mkdir -p /var/log/snort\n"; + + /* snort advanced features - bpf tuning */ + if($bpfbufsize) + $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n"; + if($bpfmaxbufsize) + $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n"; + if($bpfmaxinsns) + $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n"; + + /* go ahead and issue bpf changes */ + if($bpfbufsize) + mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}"); + if($bpfmaxbufsize) + mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}"); + if($bpfmaxinsns) + mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); + + /* always stop barnyard2 before starting snort -gtm */ + $start .= "/usr/bin/killall barnyard2\n"; + + /* start a snort process for each interface -gtm */ + /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ + /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ + /* TODO; get snort to start under nologin shell */ + foreach($snortInterfaces as $snortIf) + { + $start .= "sleep 8\n"; + $start .= "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; + if ($snortbarnyardlog_info_chk == on) + $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; + } + $check_if_snort_runs = "\nif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\texit 1\nfi\n\n"; + $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; + $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; + $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; + $del_old_pids = "\nrm -f /var/run/snort_*\n"; + $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + $sample_after = "AFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + if ($snort_performance == "ac-bnfa") + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n"; + else + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n"; + $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n"; + $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; + $echo_usage = "\nif [ \$WAITSECURE -eq 0 -a \"\$MYSNORTLOG\" = \"\" ] ; then\n\techo \"Snort has not finished starting, please check log for possible errors.\"\n"; + $echo_usage .= "else\n\t" . $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\nfi\n"; + $rm_snort_sh_pid = "\nrm /tmp/snort.sh.pid\n"; + + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "snort.sh", + "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}{$rm_snort_sh_pid}", + "stop" => "/usr/bin/killall snort; killall barnyard2" + ) + ); + + /* create snort configuration file */ + create_snort_conf(); + +/* create barnyard2 configuration file */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + create_barnyard2_conf(); + + /* snort will not start on install untill setting are set */ +if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { + /* start snort service */ + conf_mount_ro(); + start_service("snort"); + } +} + +/* open barnyard2.conf for writing */ +function create_barnyard2_conf() { + global $bconfig, $bg; + /* write out barnyard2_conf */ + $barnyard2_conf_text = generate_barnyard2_conf(); +// conf_mount_rw(); + $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); + exit; + } + fwrite($bconf, $barnyard2_conf_text); + fclose($bconf); +// conf_mount_ro(); +} +/* open barnyard2.conf for writing" */ +function generate_barnyard2_conf() { + + global $config, $g; + conf_mount_rw(); + +/* define snortbarnyardlog */ +$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; + +$barnyard2_conf_text = <<<EOD + + Copyright (C) 2006 Scott Ullrich + part of pfSense + All rights reserved. + +# set the appropriate paths to the file(s) your Snort process is using +config reference-map: /usr/local/etc/snort/reference.config +config class-map: /usr/local/etc/snort/classification.config +config gen-msg-map: /usr/local/etc/snort/gen-msg.map +config sid-msg-map: /usr/local/etc/snort/sid-msg.map + +config hostname: pfsense.local +config interface: vr0 + +# Step 2: setup the input plugins +input unified2 + +# database: log to a variety of databases +# output database: log, mysql, user=snort password=snort123 dbname=snort host=192.168.1.22 + +$snortbarnyardlog_database_info_chk + +EOD; + + return $barnyard2_conf_text; + +} + +function create_snort_conf() { + global $config, $g; + /* write out snort.conf */ + $snort_conf_text = generate_snort_conf(); + conf_mount_rw(); + $conf = fopen("/usr/local/etc/snort/snort.conf", "w"); + if(!$conf) { + log_error("Could not open /usr/local/etc/snort/snort.conf for writing."); + exit; + } + fwrite($conf, $snort_conf_text); + fclose($conf); + conf_mount_ro(); +} + +function snort_deinstall() { + + global $config, $g; + + /* remove custom sysctl */ + remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); + /* decrease bpf buffers back to 4096, from 20480 */ + exec("/sbin/sysctl net.bpf.bufsize=4096"); + exec("/usr/bin/killall snort"); + sleep(5); + exec("/usr/bin/killall -9 snort"); + exec("rm -f /usr/local/etc/rc.d/snort*"); + exec("rm -rf /usr/local/etc/snort*"); + exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`"); + exec("/usr/bin/killall -9 snort"); + exec("/usr/bin/killall snort"); + + /* Remove snort cron entries Ugly code needs smoothness*/ + + function snort_rm_blocked_deinstall_cron($should_install) { + global $config, $g; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + } + + function snort_rules_up_deinstall_cron($should_install) { + global $config, $g; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + } + +snort_rm_blocked_deinstall_cron(""); +snort_rules_up_deinstall_cron(""); + + + /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ + /* Keep this as a last step */ + unset($config['installedpackages']['snort']['config'][0]['autorulesupdate7']); + unset($config['installedpackages']['snort']['config'][0]['rm_blocked']); + write_config(); + +} + +function generate_snort_conf() { + + global $config, $g; + conf_mount_rw(); + /* obtain external interface */ + /* XXX: make multi wan friendly */ + $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; + + $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; + +/* define snortalertlogtype */ +$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; +if ($snortalertlogtype == fast) + $snortalertlogtype_type = "output alert_fast: alert"; +else + $snortalertlogtype_type = "output alert_full: alert"; + +/* define alertsystemlog */ +$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; +if ($alertsystemlog_info_chk == on) + $alertsystemlog_type = "output alert_syslog: log_alert"; + +/* define tcpdumplog */ +$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; +if ($tcpdumplog_info_chk == on) + $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; + +/* define snortbarnyardlog_chk */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; + +/* define snortunifiedlog */ +$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; +if ($snortunifiedlog_info_chk == on) + $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; + +/* define spoink */ +$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; +if ($spoink_info_chk == on) + $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; + + /* define servers and ports snortdefservers */ + +/* def DNS_SERVSERS */ +$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers']; +if ($def_dns_servers_info_chk == "") + $def_dns_servers_type = "\$HOME_NET"; +else + $def_dns_servers_type = "$def_dns_servers_info_chk"; + +/* def DNS_PORTS */ +$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports']; +if ($def_dns_ports_info_chk == "") + $def_dns_ports_type = "53"; +else + $def_dns_ports_type = "$def_dns_ports_info_chk"; + +/* def SMTP_SERVSERS */ +$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers']; +if ($def_smtp_servers_info_chk == "") + $def_smtp_servers_type = "\$HOME_NET"; +else + $def_smtp_servers_type = "$def_smtp_servers_info_chk"; + +/* def SMTP_PORTS */ +$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports']; +if ($def_smtp_ports_info_chk == "") + $def_smtp_ports_type = "25"; +else + $def_smtp_ports_type = "$def_smtp_ports_info_chk"; + +/* def MAIL_PORTS */ +$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports']; +if ($def_mail_ports_info_chk == "") + $def_mail_ports_type = "25,143,465,691"; +else + $def_mail_ports_type = "$def_mail_ports_info_chk"; + +/* def HTTP_SERVSERS */ +$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers']; +if ($def_http_servers_info_chk == "") + $def_http_servers_type = "\$HOME_NET"; +else + $def_http_servers_type = "$def_http_servers_info_chk"; + +/* def WWW_SERVSERS */ +$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers']; +if ($def_www_servers_info_chk == "") + $def_www_servers_type = "\$HOME_NET"; +else + $def_www_servers_type = "$def_www_servers_info_chk"; + +/* def HTTP_PORTS */ +$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports']; +if ($def_http_ports_info_chk == "") + $def_http_ports_type = "80"; +else + $def_http_ports_type = "$def_http_ports_info_chk"; + +/* def SQL_SERVSERS */ +$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers']; +if ($def_sql_servers_info_chk == "") + $def_sql_servers_type = "\$HOME_NET"; +else + $def_sql_servers_type = "$def_sql_servers_info_chk"; + +/* def ORACLE_PORTS */ +$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports']; +if ($def_oracle_ports_info_chk == "") + $def_oracle_ports_type = "1521"; +else + $def_oracle_ports_type = "$def_oracle_ports_info_chk"; + +/* def MSSQL_PORTS */ +$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports']; +if ($def_mssql_ports_info_chk == "") + $def_mssql_ports_type = "1433"; +else + $def_mssql_ports_type = "$def_mssql_ports_info_chk"; + +/* def TELNET_SERVSERS */ +$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers']; +if ($def_telnet_servers_info_chk == "") + $def_telnet_servers_type = "\$HOME_NET"; +else + $def_telnet_servers_type = "$def_telnet_servers_info_chk"; + +/* def TELNET_PORTS */ +$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports']; +if ($def_telnet_ports_info_chk == "") + $def_telnet_ports_type = "23"; +else + $def_telnet_ports_type = "$def_telnet_ports_info_chk"; + +/* def SNMP_SERVSERS */ +$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers']; +if ($def_snmp_servers_info_chk == "") + $def_snmp_servers_type = "\$HOME_NET"; +else + $def_snmp_servers_type = "$def_snmp_servers_info_chk"; + +/* def SNMP_PORTS */ +$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports']; +if ($def_snmp_ports_info_chk == "") + $def_snmp_ports_type = "161"; +else + $def_snmp_ports_type = "$def_snmp_ports_info_chk"; + +/* def FTP_SERVSERS */ +$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers']; +if ($def_ftp_servers_info_chk == "") + $def_ftp_servers_type = "\$HOME_NET"; +else + $def_ftp_servers_type = "$def_ftp_servers_info_chk"; + +/* def FTP_PORTS */ +$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports']; +if ($def_ftp_ports_info_chk == "") + $def_ftp_ports_type = "21"; +else + $def_ftp_ports_type = "$def_ftp_ports_info_chk"; + +/* def SSH_SERVSERS */ +$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers']; +if ($def_ssh_servers_info_chk == "") + $def_ssh_servers_type = "\$HOME_NET"; +else + $def_ssh_servers_type = "$def_ssh_servers_info_chk"; + +/* if user has defined a custom ssh port, use it */ +if($config['system']['ssh']['port']) + $ssh_port = $config['system']['ssh']['port']; +else + $ssh_port = "22"; + +/* def SSH_PORTS */ +$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports']; +if ($def_ssh_ports_info_chk == "") + $def_ssh_ports_type = "{$ssh_port}"; +else + $def_ssh_ports_type = "$def_ssh_ports_info_chk"; + +/* def POP_SERVSERS */ +$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers']; +if ($def_pop_servers_info_chk == "") + $def_pop_servers_type = "\$HOME_NET"; +else + $def_pop_servers_type = "$def_pop_servers_info_chk"; + +/* def POP2_PORTS */ +$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports']; +if ($def_pop2_ports_info_chk == "") + $def_pop2_ports_type = "109"; +else + $def_pop2_ports_type = "$def_pop2_ports_info_chk"; + +/* def POP3_PORTS */ +$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports']; +if ($def_pop3_ports_info_chk == "") + $def_pop3_ports_type = "110"; +else + $def_pop3_ports_type = "$def_pop3_ports_info_chk"; + +/* def IMAP_SERVSERS */ +$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers']; +if ($def_imap_servers_info_chk == "") + $def_imap_servers_type = "\$HOME_NET"; +else + $def_imap_servers_type = "$def_imap_servers_info_chk"; + +/* def IMAP_PORTS */ +$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports']; +if ($def_imap_ports_info_chk == "") + $def_imap_ports_type = "143"; +else + $def_imap_ports_type = "$def_imap_ports_info_chk"; + +/* def SIP_PROXY_IP */ +$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip']; +if ($def_sip_proxy_ip_info_chk == "") + $def_sip_proxy_ip_type = "\$HOME_NET"; +else + $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; + +/* def SIP_PROXY_PORTS */ +$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports']; +if ($def_sip_proxy_ports_info_chk == "") + $def_sip_proxy_ports_type = "5060:5090,16384:32768"; +else + $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; + +/* def AUTH_PORTS */ +$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports']; +if ($def_auth_ports_info_chk == "") + $def_auth_ports_type = "113"; +else + $def_auth_ports_type = "$def_auth_ports_info_chk"; + +/* def FINGER_PORTS */ +$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports']; +if ($def_finger_ports_info_chk == "") + $def_finger_ports_type = "79"; +else + $def_finger_ports_type = "$def_finger_ports_info_chk"; + +/* def IRC_PORTS */ +$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports']; +if ($def_irc_ports_info_chk == "") + $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; +else + $def_irc_ports_type = "$def_irc_ports_info_chk"; + +/* def NNTP_PORTS */ +$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports']; +if ($def_nntp_ports_info_chk == "") + $def_nntp_ports_type = "119"; +else + $def_nntp_ports_type = "$def_nntp_ports_info_chk"; + +/* def RLOGIN_PORTS */ +$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports']; +if ($def_rlogin_ports_info_chk == "") + $def_rlogin_ports_type = "513"; +else + $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; + +/* def RSH_PORTS */ +$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports']; +if ($def_rsh_ports_info_chk == "") + $def_rsh_ports_type = "514"; +else + $def_rsh_ports_type = "$def_rsh_ports_info_chk"; + +/* def SSL_PORTS */ +$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports']; +if ($def_ssl_ports_info_chk == "") + $def_ssl_ports_type = "25,443,465,636,993,995"; +else + $def_ssl_ports_type = "$def_ssl_ports_info_chk"; + + /* add auto update scripts to /etc/crontab */ +// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; +// $filenamea = "/etc/crontab"; +// remove_text_from_file($filenamea, $text_ww); +// add_text_to_file($filenamea, $text_ww); +// exec("killall -HUP cron"); */ + + /* should we install a automatic update crontab entry? */ + $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; + + /* if user is on pppoe, we really want to use ng0 interface */ + if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") + $snort_ext_int = "ng0"; + + /* set the snort performance model */ + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + else + $snort_performance = "ac-bnfa"; + + /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "never_b") + $snort_rm_blocked_false = ""; + else + $snort_rm_blocked_false = "true"; + +if ($snort_rm_blocked_info_ck != "") { +function snort_rm_blocked_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "1h_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "3600"; + } + if ($snort_rm_blocked_info_ck == "3h_b") { + $snort_rm_blocked_min = "*/15"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "10800"; + } + if ($snort_rm_blocked_info_ck == "6h_b") { + $snort_rm_blocked_min = "*/30"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "21600"; + } + if ($snort_rm_blocked_info_ck == "12h_b") { + $snort_rm_blocked_min = "*"; + $snort_rm_blocked_hr = "*/1"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "43200"; + } + if ($snort_rm_blocked_info_ck == "1d_b") { + $snort_rm_blocked_min = "*"; + $snort_rm_blocked_hr = "*/2"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "86400"; + } + if ($snort_rm_blocked_info_ck == "4d_b") { + $snort_rm_blocked_min = "*"; + $snort_rm_blocked_hr = "*/8"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "345600"; + } + if ($snort_rm_blocked_info_ck == "7d_b") { + $snort_rm_blocked_min = "*"; + $snort_rm_blocked_hr = "*/14"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "604800"; + } + if ($snort_rm_blocked_info_ck == "28d_b") { + $snort_rm_blocked_min = "*"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*/2"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "2419200"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + break; + } + } + snort_rm_blocked_install_cron(""); + snort_rm_blocked_install_cron($snort_rm_blocked_false); +} + + /* set the snort rules update time */ + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "never_up") + $snort_rules_up_false = ""; + else + $snort_rules_up_false = "true"; + +if ($snort_rules_up_info_ck != "") { +function snort_rules_up_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "*"; + $snort_rules_up_hr = "*"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + break; + } + } + snort_rules_up_install_cron(""); + snort_rules_up_install_cron($snort_rules_up_false); +} + + /* open snort2c's whitelist for writing */ + $whitelist = fopen("/var/db/whitelist", "w"); + if(!$whitelist) { + log_error("Could not open /var/db/whitelist for writing."); + return; + } + + /* build an interface array list */ + $int_array = array('lan'); + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + if(isset($config['interfaces']['opt' . $j]['enable'])) + if(!$config['interfaces']['opt' . $j]['gateway']) + $int_array[] = "opt{$j}"; + + /* iterate through interface list and write out whitelist items + * and also compile a home_net list for snort. + */ + foreach($int_array as $int) { + /* calculate interface subnet information */ + $ifcfg = &$config['interfaces'][$int]; + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + $subnetmask = gen_subnet_mask($ifcfg['subnet']); + if($subnet == "pppoe" or $subnet == "dhcp") { + $subnet = find_interface_ip("ng0"); + if($subnet) + $home_net .= "{$subnet} "; + } else { + if ($subnet) + if($ifcfg['subnet']) + $home_net .= "{$subnet}/{$ifcfg['subnet']} "; + } + } + + /* add all WAN ips to the whitelist */ + $wan_if = get_real_wan_interface(); + $ip = find_interface_ip($wan_if); + if($ip) + $home_net .= "{$ip} "; + + /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ + $int = convert_friendly_interface_to_real_interface_name("WAN"); + $gw = get_interface_gateway($int); + if($gw) + $home_net .= "{$gw} "; + + /* Add DNS server for WAN interface to whitelist */ + $dns_servers = get_dns_servers(); + foreach($dns_servers as $dns) { + if($dns) + $home_net .= "{$dns} "; + } + + /* Add loopback to whitelist (ftphelper) */ + $home_net .= "127.0.0.1 "; + + /* iterate all vips and add to whitelist */ + if($config['virtualip']) + foreach($config['virtualip']['vip'] as $vip) + if($vip['subnet']) + $home_net .= $vip['subnet'] . " "; + + if($config['installedpackages']['snortwhitelist']) + foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) + if($snort['ip']) + $home_net .= $snort['ip'] . " "; + + /* write out whitelist, convert spaces to carriage returns */ + $whitelist_home_net = str_replace(" ", " ", $home_net); + $whitelist_home_net = str_replace(" ", "\n", $home_net); + + /* make $home_net presentable to snort */ + $home_net = trim($home_net); + $home_net = str_replace(" ", ",", $home_net); + $home_net = "[{$home_net}]"; + + /* foreach through whitelist, writing out to file */ + $whitelist_split = split("\n", $whitelist_home_net); + foreach($whitelist_split as $wl) + if(trim($wl)) + fwrite($whitelist, trim($wl) . "\n"); + + /* should we whitelist vpns? */ + $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; + + /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ + if($whitelistvpns) { + $vpns_list = get_vpns_list(); + $whitelist_vpns = split(" ", $vpns_list); + foreach($whitelist_vpns as $wl) + if(trim($wl)) + fwrite($whitelist, trim($wl) . "\n"); + } + + /* close file */ + fclose($whitelist); + + /* open snort's threshold.conf for writing */ + $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w"); + if(!$threshlist) { + log_error("Could not open /usr/local/etc/snort/threshold.conf for writing."); + return; + } + + /* list all entries to new lines */ + if($config['installedpackages']['snortthreshold']) + foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist) + if($snortthreshlist['threshrule']) + $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n"; + + + /* foreach through threshlist, writing out to file */ + $threshlist_split = split("\n", $snortthreshlist_r); + foreach($threshlist_split as $wl) + if(trim($wl)) + fwrite($threshlist, trim($wl) . "\n"); + + /* close snort's threshold.conf file */ + fclose($threshlist); + + /* generate rule sections to load */ + $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; + if($enabled_rulesets) { + $selected_rules_sections = ""; + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + foreach($enabled_rulesets_array as $enabled_item) + $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; + } + + conf_mount_ro(); + + /* build snort configuration file */ + /* TODO; feed back from pfsense users to reduce false positives */ + $snort_conf_text = <<<EOD + +# snort configuration file +# generated by the pfSense +# package manager system +# see /usr/local/pkg/snort.inc +# for more information + +######################### + # +# Define Local Network # + # +######################### + +var HOME_NET {$home_net} +var EXTERNAL_NET !\$HOME_NET + +################### + # +# Define Servers # + # +################### + +var DNS_SERVERS [{$def_dns_servers_type}] +var SMTP_SERVERS [{$def_smtp_servers_type}] +var HTTP_SERVERS [{$def_http_servers_type}] +var SQL_SERVERS [{$def_sql_servers_type}] +var TELNET_SERVERS [{$def_telnet_servers_type}] +var SNMP_SERVERS [{$def_snmp_servers_type}] +var FTP_SERVERS [{$def_ftp_servers_type}] +var SSH_SERVERS [{$def_ssh_servers_type}] +var POP_SERVERS [{$def_pop_servers_type}] +var IMAP_SERVERS [{$def_imap_servers_type}] +var RPC_SERVERS \$HOME_NET +var WWW_SERVERS [{$def_www_servers_type}] +var SIP_PROXY_IP [{$def_sip_proxy_ip_type}] +var AIM_SERVERS \ +[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] + +######################## + # +# Define Server Ports # + # +######################## + +portvar HTTP_PORTS [{$def_http_ports_type}] +portvar SHELLCODE_PORTS !80 +portvar ORACLE_PORTS [{$def_oracle_ports_type}] +portvar AUTH_PORTS [{$def_auth_ports_type}] +portvar DNS_PORTS [{$def_dns_ports_type}] +portvar FINGER_PORTS [{$def_finger_ports_type}] +portvar FTP_PORTS [{$def_ftp_ports_type}] +portvar IMAP_PORTS [{$def_imap_ports_type}] +portvar IRC_PORTS [{$def_irc_ports_type}] +portvar MSSQL_PORTS [{$def_mssql_ports_type}] +portvar NNTP_PORTS [{$def_nntp_ports_type}] +portvar POP2_PORTS [{$def_pop2_ports_type}] +portvar POP3_PORTS [{$def_pop3_ports_type}] +portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779] +portvar RLOGIN_PORTS [{$def_rlogin_ports_type}] +portvar RSH_PORTS [{$def_rsh_ports_type}] +portvar SMB_PORTS [139,445] +portvar SMTP_PORTS [{$def_smtp_ports_type}] +portvar SNMP_PORTS [{$def_snmp_ports_type}] +portvar SSH_PORTS [{$def_ssh_ports_type}] +portvar TELNET_PORTS [{$def_telnet_ports_type}] +portvar MAIL_PORTS [{$def_mail_ports_type}] +portvar SSL_PORTS [{$def_ssl_ports_type}] +portvar SIP_PROXY_PORTS [{$def_sip_proxy_ports_type}] + +# DCERPC NCACN-IP-TCP +portvar DCERPC_NCACN_IP_TCP [139,445] +portvar DCERPC_NCADG_IP_UDP [138,1024:] +portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:] +portvar DCERPC_NCACN_UDP_LONG [135,1024:] +portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:] +portvar DCERPC_NCACN_TCP [2103,2105,2107] +portvar DCERPC_BRIGHTSTORE [6503,6504] + +##################### + # +# Define Rule Paths # + # +##################### + +var RULE_PATH /usr/local/etc/snort/rules +# var PREPROC_RULE_PATH ./preproc_rules + +################################ + # +# Configure the snort decoder # + # +################################ + +config checksum_mode: all +config disable_decode_alerts +config disable_tcpopt_experimental_alerts +config disable_tcpopt_obsolete_alerts +config disable_ttcp_alerts +config disable_tcpopt_alerts +config disable_ipopt_alerts +config disable_decode_drops + +################################### + # +# Configure the detection engine # +# Use lower memory models # + # +################################### + +config detection: search-method {$snort_performance} +config detection: max_queue_events 5 +config event_queue: max_queue 8 log 3 order_events content_length + +#Configure dynamic loaded libraries +dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/ +dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so +dynamicdetection directory /usr/local/lib/snort/dynamicrules/ + +################### + # +# Flow and stream # + # +################### + +preprocessor frag3_global: max_frags 8192 +preprocessor frag3_engine: policy windows +preprocessor frag3_engine: policy linux +preprocessor frag3_engine: policy first +preprocessor frag3_engine: policy bsd detect_anomalies + +preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ +track_udp yes +# track_icmp yes +preprocessor stream5_tcp: bind_to any, policy windows +preprocessor stream5_tcp: bind_to any, policy linux +preprocessor stream5_tcp: bind_to any, policy vista +preprocessor stream5_tcp: bind_to any, policy macos +preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes +preprocessor stream5_udp +# preprocessor stream5_icmp + +########################## + # +# NEW # +# Performance Statistics # + # +########################## + +preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000 + +################# + # +# HTTP Inspect # + # +################# + +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 + +preprocessor http_inspect_server: server default \ + ports { 80 8080 } \ + no_alerts \ + non_strict \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + flow_depth 0 \ + apache_whitespace yes \ + directory no \ + iis_backslash no \ + u_encode yes \ + ascii yes \ + chunk_length 500000 \ + bare_byte yes \ + double_decode yes \ + iis_unicode yes \ + iis_delimiter yes \ + multi_slash no + +################## + # +# Other preprocs # + # +################## + +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 +preprocessor bo + +##################### + # +# ftp preprocessor # + # +##################### + +preprocessor ftp_telnet: global \ +inspection_type stateless + +preprocessor ftp_telnet_protocol: telnet \ + normalize \ + ayt_attack_thresh 200 + +preprocessor ftp_telnet_protocol: \ + ftp server default \ + def_max_param_len 100 \ + ports { 21 } \ + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +##################### + # +# SMTP preprocessor # + # +##################### + +preprocessor SMTP: \ + ports { 25 465 691 } \ + inspection_type stateful \ + normalize cmds \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ +CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ +PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } + +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } + +############################ + # +# OLD # +# preprocessor dcerpc: \ # +# autodetect \ # +# max_frag_size 3000 \ # +# memcap 100000 # + # +############################ + +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3 + +#################### + # +# DNS preprocessor # + # +#################### + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +############################## + # +# NEW # +# Ignore SSL and Encryption # + # +############################## + +preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted + +##################### + # +# Snort Output Logs # + # +##################### + +$snortalertlogtype_type +$alertsystemlog_type +$tcpdumplog_type +$snortmysqllog_info_chk +$snortunifiedlog_type +$spoink_type + +################# + # +# Misc Includes # + # +################# + +include /usr/local/etc/snort/reference.config +include /usr/local/etc/snort/classification.config +include /usr/local/etc/snort/threshold.conf + +# Snort user pass through configuration +{$snort_config_pass_thru} + +################### + # +# Rules Selection # + # +################### + +{$selected_rules_sections} + +EOD; + + return $snort_conf_text; +} + +/* check downloaded text from snort.org to make sure that an error did not occur + * for example, if you are not a premium subscriber you can only download rules + * so often, etc. + */ +function check_for_common_errors($filename) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + $contents = file_get_contents($filename); + if(stristr($contents, "You don't have permission")) { + if(!$console_mode) { + update_all_status("An error occured while downloading {$filename}."); + hide_progress_bar_status(); + } else { + log_error("An error occured. Scroll down to inspect it's contents."); + echo "An error occured. Scroll down to inspect it's contents."; + } + if(!$console_mode) { + update_output_window(strip_tags("$contents")); + } else { + $contents = strip_tags($contents); + log_error("Error downloading snort rules: {$contents}"); + echo "Error downloading snort rules: {$contents}"; + } + scroll_down_to_bottom_of_page(); + exit; + } +} + +/* force browser to scroll all the way down */ +function scroll_down_to_bottom_of_page() { + global $snort_filename, $console_mode; + ob_flush(); + if(!$console_mode) + echo "\n<script type=\"text/javascript\">parent.scrollTo(0,1500);\n</script>"; +} + +/* ensure downloaded file looks sane */ +function verify_downloaded_file($filename) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(filesize($filename)<9500) { + if(!$console_mode) { + update_all_status("Checking {$filename}..."); + check_for_common_errors($filename); + } + } + update_all_status("Verifying {$filename}..."); + if(!file_exists($filename)) { + if(!$console_mode) { + update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); + hide_progress_bar_status(); + } else { + log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); + echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."; + } + exit; + } + update_all_status("Verifyied {$filename}."); +} + +/* extract rules */ +function extract_snort_rules_md5($tmpfname) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) { + $static_output = gettext("Extracting snort rules..."); + update_all_status($static_output); + } + if(!is_dir("/usr/local/etc/snort/rules/")) + mkdir("/usr/local/etc/snort/rules/"); + $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/"; + $handle = popen("{$cmd} 2>&1", 'r'); + while(!feof($handle)) { + $buffer = fgets($handle); + update_output_window($buffer); + } + pclose($handle); + + if(!$console_mode) { + $static_output = gettext("Snort rules extracted."); + update_all_status($static_output); + } else { + log_error("Snort rules extracted."); + echo "Snort rules extracted."; + } +} + +/* verify MD5 against downloaded item */ +function verify_snort_rules_md5($tmpfname) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) { + $static_output = gettext("Verifying md5 signature..."); + update_all_status($static_output); + } + + $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); + $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; + $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; + if($md5 == $file_md5_ondisk) { + if(!$console_mode) { + $static_output = gettext("snort rules: md5 signature of rules mismatch."); + update_all_status($static_output); + hide_progress_bar_status(); + } else { + log_error("snort rules: md5 signature of rules mismatch."); + echo "snort rules: md5 signature of rules mismatch."; + } + exit; + } +} + +/* hide progress bar */ +function hide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) + echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>"; +} + +/* unhide progress bar */ +function unhide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) + echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>"; +} + +/* update both top and bottom text box during an operation */ +function update_all_status($status) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) { + update_status($status); + update_output_window($status); + } +} + +/* obtain alert description for an ip address */ +function get_snort_alert($ip) { + global $snort_alert_file_split, $snort_config; + if(!file_exists("/var/log/snort/alert")) + return; + if(!$snort_config) + $snort_config = read_snort_config_cache(); + if($snort_config[$ip]) + return $snort_config[$ip]; + if(!$snort_alert_file_split) + $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); + foreach($snort_alert_file_split as $fileline) { + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + $alert_title = $matches[2]; + if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) + $alert_ip = $matches[0]; + if($alert_ip == $ip) { + if(!$snort_config[$ip]) + $snort_config[$ip] = $alert_title; + return $alert_title; + } + } + return "n/a"; +} + +function make_clickable($buffer) { + global $config, $g; + /* if clickable urls is disabled, simply return buffer back to caller */ + $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + if(!$clickablalerteurls) + return $buffer; + $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); + $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); + $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","<a href=\"mailto:\\1\">\\1</a>", $buffer); + $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $buffer); + $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"ftp://\\2\" target=\"_blank\">\\2</a>", $buffer); + + return $buffer; +} + +function read_snort_config_cache() { + global $g, $config, $snort_config; + if($snort_config) + return $snort_config; + if(file_exists($g['tmp_path'] . '/snort_config.cache')) { + $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache')); + return $snort_config; + } + return; +} + +function write_snort_config_cache($snort_config) { + global $g, $config; + conf_mount_rw(); + $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w"); + if(!$configcache) { + log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing."); + return false; + } + fwrite($configcache, serialize($snort_config)); + fclose($configcache); + conf_mount_ro(); + return true; +} + +function snort_advanced() { + global $g, $config; + sync_package_snort(); +} + +function snort_define_servers() { + global $g, $config; + sync_package_snort(); +} + +?> diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php index e14e1bee..f99ff08d 100644 --- a/config/snort-dev/snort_check_for_rule_updates.php +++ b/config/snort-dev/snort_check_for_rule_updates.php @@ -1,602 +1,602 @@ -<?php
-/* $Id$ */
-/*
- snort_rulesets.php
- Copyright (C) 2006 Scott Ullrich
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-/* Setup enviroment */
-$tmpfname = "/tmp/snort_rules_up";
-$snortdir = "/usr/local/etc/snort_bkup";
-$snortdir_wan = "/usr/local/etc/snort";
-$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5";
-$snort_filename = "snortrules-snapshot-2.8.tar.gz";
-$emergingthreats_filename_md5 = "version.txt";
-$emergingthreats_filename = "emerging.rules.tar.gz";
-$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5";
-$pfsense_rules_filename = "pfsense_rules.tar.gz";
-
-require("/usr/local/pkg/snort.inc");
-require_once("config.inc");
-
-?>
-
-
-<?php
-
-$up_date_time = date('l jS \of F Y h:i:s A');
-echo "";
-echo "#########################";
-echo "$up_date_time";
-echo "#########################";
-echo "";
-
-/* Begin main code */
-/* Set user agent to Mozilla */
-ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
-ini_set("memory_limit","125M");
-
-/* send current buffer */
-ob_flush();
-
-/* define oinkid */
-if($config['installedpackages']['snort'])
- $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode'];
-
-/* if missing oinkid exit */
-if(!$oinkid) {
- echo "Please add you oink code\n";
- exit;
-}
-
-/* premium_subscriber check */
-//unset($config['installedpackages']['snort']['config'][0]['subscriber']);
-//write_config();
-$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber'];
-
-if ($premium_subscriber_chk === on) {
- $premium_subscriber = "_s";
-}else{
- $premium_subscriber = "";
-}
-
-$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber'];
-if ($premium_url_chk === on) {
- $premium_url = "sub-rules";
-}else{
- $premium_url = "reg-rules";
-}
-
-/* send current buffer */
-ob_flush();
-
-/* remove old $tmpfname files */
-if (file_exists("{$tmpfname}")) {
- exec("/bin/rm -r {$tmpfname}");
- apc_clear_cache();
-}
-
-/* send current buffer */
-ob_flush();
-
-/* If tmp dir does not exist create it */
-if (file_exists($tmpfname)) {
- echo "The directory tmp exists...\n";
-} else {
- mkdir("{$tmpfname}", 700);
-}
-
-/* download md5 sig from snort.org */
-if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
- echo "md5 temp file exists...\n";
-} else {
- echo "Downloading md5 file...\n";
- ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
- $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}");
-// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5");
- $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w');
- fwrite($f, $image);
- fclose($f);
- echo "Done. downloading md5\n";
-}
-
-/* download md5 sig from emergingthreats.net */
-$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats'];
-if ($emergingthreats_url_chk == on) {
- echo "Downloading md5 file...\n";
- ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
- $image = @file_get_contents("http://www.emergingthreats.net/version.txt");
-// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt");
- $f = fopen("{$tmpfname}/version.txt", 'w');
- fwrite($f, $image);
- fclose($f);
- echo "Done. downloading md5\n";
-}
-
-/* download md5 sig from pfsense.org */
-if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) {
- echo "md5 temp file exists...\n";
-} else {
- echo "Downloading pfsense md5 file...\n";
- ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
- $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5");
-// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5");
- $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w');
- fwrite($f, $image);
- fclose($f);
- echo "Done. downloading md5\n";
-}
-
-/* Time stamps define */
-$last_md5_download = $config['installedpackages']['snort']['last_md5_download'];
-$last_rules_install = $config['installedpackages']['snort']['last_rules_install'];
-
-/* If md5 file is empty wait 15min exit */
-if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){
- echo "Please wait... You may only check for New Rules every 15 minutes...\n";
- echo "Rules are released every month from snort.org. You may download the Rules at any time.\n";
- exit(0);
-}
-
-/* If emergingthreats md5 file is empty wait 15min exit not needed */
-
-/* If pfsense md5 file is empty wait 15min exit */
-if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){
- echo "Please wait... You may only check for New Pfsense Rules every 15 minutes...\n";
- echo "Rules are released to support Pfsense packages.\n";
- exit(0);
-}
-
-/* Check if were up to date snort.org */
-if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){
-$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
-$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`;
-$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}");
-$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`;
-/* Write out time of last sucsessful md5 to cache */
-$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A");
-write_config();
-if ($md5_check_new == $md5_check_old) {
- echo "Your rules are up to date...\n";
- echo "You may start Snort now, check update.\n";
- $snort_md5_check_ok = on;
- }
-}
-
-/* Check if were up to date emergingthreats.net */
-$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats'];
-if ($emergingthreats_url_chk == on) {
-if (file_exists("{$snortdir}/version.txt")){
-$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt");
-$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`;
-$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt");
-$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`;
-/* Write out time of last sucsessful md5 to cache */
-$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A");
-write_config();
-if ($emerg_md5_check_new == $emerg_md5_check_old) {
- echo "Your emergingthreats rules are up to date...\n";
- echo "You may start Snort now, check update.\n";
- $emerg_md5_check_chk_ok = on;
- }
- }
-}
-
-/* Check if were up to date pfsense.org */
-if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){
-$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
-$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`;
-$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}");
-$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`;
-if ($pfsense_md5_check_new == $pfsense_md5_check_old) {
- $pfsense_md5_check_ok = on;
- }
-}
-
-/* Make Clean Snort Directory emergingthreats not checked */
-if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) {
- echo "Cleaning the snort Directory...\n";
- echo "removing...\n";
- exec("/bin/rm {$snortdir}/rules/emerging*\n");
- exec("/bin/rm {$snortdir}/version.txt");
- echo "Done making cleaning emrg direcory.\n";
-}
-
-/* Check if were up to date exits */
-if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) {
- echo "Your rules are up to date...\n";
- echo "You may start Snort now...\n";
- exit(0);
-}
-
-if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) {
- echo "Your rules are up to date...\n";
- echo "You may start Snort now...\n";
- exit(0);
-}
-
-/* "You are Not Up to date */;
- echo "You are NOT up to date...\n";
- echo "Stopping Snort service...\n";
-stop_service("snort");
-sleep(2);
-// start_service("snort");
-
-/* download snortrules file */
-if ($snort_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/{$snort_filename}")) {
- echo "Snortrule tar file exists...\n";
-} else {
-
- echo "There is a new set of Snort rules posted. Downloading...\n";
- echo "May take 4 to 10 min...\n";
- ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
- $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}");
-// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz");
- $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz", 'w');
- fwrite($f, $image);
- fclose($f);
- echo "Done downloading rules file.\n";
- if (150000 > filesize("{$tmpfname}/$snort_filename")){
- echo "Error with the snort rules download...\n";
- echo "Snort rules file downloaded failed...\n";
- exit(0);
- }
- }
-}
-
-/* download emergingthreats rules file */
-if ($emergingthreats_url_chk == on) {
-if ($emerg_md5_check_chk_ok != on) {
-if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
- echo "Emergingthreats tar file exists...\n";
-} else {
- echo "There is a new set of Emergingthreats rules posted. Downloading...\n";
- echo "May take 4 to 10 min...\n";
- ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
- $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz");
-// $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz");
- $f = fopen("{$tmpfname}/emerging.rules.tar.gz", 'w');
- fwrite($f, $image);
- fclose($f);
- echo "Done downloading Emergingthreats rules file.\n";
- }
- }
- }
-
-/* download pfsense rules file */
-if ($pfsense_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) {
- echo "Snortrule tar file exists...\n";
-} else {
-
- echo "There is a new set of Pfsense rules posted. Downloading...\n";
- echo "May take 4 to 10 min...\n";
- ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
- $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz");
-// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz");
- $f = fopen("{$tmpfname}/pfsense_rules.tar.gz", 'w');
- fwrite($f, $image);
- fclose($f);
- echo "Done downloading rules file.\n";
- }
-}
-
-/* Untar snort rules file individually to help people with low system specs */
-if ($snort_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/{$snort_filename}")) {
- echo "Extracting rules...\n";
- echo "May take a while...\n";
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/");
- exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/bad-traffic.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/chat.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/dos.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/exploit.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/imap.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/misc.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/multimedia.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/netbios.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/nntp.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/p2p.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/smtp.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/sql.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/web-client.rules/");
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/web-misc.rules/");
- echo "Done extracting Rules.\n";
-} else {
- echo "The Download rules file missing...\n";
- echo "Error rules extracting failed...\n";
- exit(0);
- }
-}
-
-/* Untar emergingthreats rules to tmp */
-if ($emergingthreats_url_chk == on) {
-if ($emerg_md5_check_chk_ok != on) {
-if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
- echo "Extracting rules...\n";
- echo "May take a while...\n";
- exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname} rules/");
- }
- }
-}
-
-/* Untar Pfsense rules to tmp */
-if ($pfsense_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) {
- echo "Extracting Pfsense rules...\n";
- echo "May take a while...\n";
- exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$tmpfname} rules/");
- }
-}
-
-/* Untar snort signatures */
-if ($snort_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/{$snort_filename}")) {
-$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo'];
-if ($premium_url_chk == on) {
- echo "Extracting Signatures...\n";
- echo "May take a while...\n";
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} doc/signatures/");
- echo "Done extracting Signatures.\n";
- }
- }
-}
-
-/* Make Clean Snort Directory */
-if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) {
-if (file_exists("{$snortdir}/rules")) {
- echo "Cleaning the snort Directory...\n";
- echo "removing...\n";
- exec("/bin/mkdir -p {$snortdir}");
- exec("/bin/mkdir -p {$snortdir}/rules");
- exec("/bin/mkdir -p {$snortdir}/signatures");
- exec("/bin/rm {$snortdir}/*");
- exec("/bin/rm {$snortdir}/rules/*");
- exec("/bin/rm {$snortdir_wan}/*");
- exec("/bin/rm {$snortdir_wan}/rules/*");
- exec("/bin/rm /usr/local/lib/snort/dynamicrules/*");
-} else {
- echo "Making Snort Directory...\n";
- echo "should be fast...\n";
- exec("/bin/mkdir {$snortdir}");
- exec("/bin/mkdir {$snortdir}/rules");
- exec("/bin/rm {$snortdir_wan}/\*");
- exec("/bin/rm {$snortdir_wan}/rules/*");
- exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*");
- echo "Done making snort direcory.\n";
- }
-}
-
-/* Copy so_rules dir to snort lib dir */
-if ($snort_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) {
- echo "Copying so_rules...\n";
- echo "May take a while...\n";
- sleep(2);
- exec("`/bin/cp -f {$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`");
- exec("/bin/cp {$tmpfname}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules");
- exec("/bin/cp {$tmpfname}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules");
- echo "Done copying so_rules.\n";
-} else {
- echo "Directory so_rules does not exist...\n";
- echo "Error copping so_rules...\n";
- exit(0);
- }
-}
-
-/* enable disable setting will carry over with updates */
-/* TODO carry signature changes with the updates */
-if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
-
-$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on'];
-$enabled_sid_on_array = split("\|\|", $enabled_sid_on);
-foreach($enabled_sid_on_array as $enabled_item_on)
-$selected_sid_on_sections .= "enable $enabled_item_on\n";
-
-$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off'];
-$enabled_sid_off_array = split("\|\|", $enabled_sid_off);
-foreach($enabled_sid_off_array as $enabled_item_off)
-$selected_sid_off_sections .= "disable $enabled_item_off\n";
-
-$snort_sid_text = <<<EOD
-
-###########################################
-# #
-# this is auto generated on snort updates #
-# #
-###########################################
-
-path = /bin:/usr/bin:/usr/local/bin
-
-update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
-
-url = dir:///usr/local/etc/snort_bkup/rules
-
-$selected_sid_on_sections
-
-$selected_sid_off_sections
-
-EOD;
-
- /* open snort's threshold.conf for writing */
- $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w");
-
- fwrite($oinkmasterlist, "$snort_sid_text");
-
- /* close snort's threshold.conf file */
- fclose($oinkmasterlist);
-
-}
-
-/* Copy configs to snort dir */
-if ($snort_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/etc/Makefile.am")) {
- echo "Copying configs to snort directory...\n";
- exec("/bin/cp {$tmpfname}/etc/* {$snortdir}");
-} else {
- echo "The snort configs does not exist...\n";
- echo "Error copping config...\n";
- exit(0);
- }
-}
-
-/* Copy md5 sig to snort dir */
-if ($snort_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/$snort_filename_md5")) {
- echo "Copying md5 sig to snort directory...\n";
- exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5");
-} else {
- echo "The md5 file does not exist...\n";
- echo "Error copping config...\n";
- exit(0);
- }
-}
-
-/* Copy emergingthreats md5 sig to snort dir */
-if ($emergingthreats_url_chk == on) {
-if ($emerg_md5_check_chk_ok != on) {
-if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) {
- echo "Copying md5 sig to snort directory...\n";
- exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5");
-} else {
- echo "The emergingthreats md5 file does not exist...\n";
- echo "Error copping config...\n";
- exit(0);
- }
- }
-}
-
-/* Copy Pfsense md5 sig to snort dir */
-if ($pfsense_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) {
- echo "Copying Pfsense md5 sig to snort directory...\n";
- exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5");
-} else {
- echo "The Pfsense md5 file does not exist...\n";
- echo "Error copping config...\n";
- exit(0);
- }
-}
-
-/* Copy signatures dir to snort dir */
-if ($snort_md5_check_ok != on) {
-$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo'];
-if ($premium_url_chk == on) {
-if (file_exists("{$tmpfname}/doc/signatures")) {
- echo "Copying signatures...\n";
- echo "May take a while...\n";
- exec("/bin/mv -f {$tmpfname}/doc/signatures {$snortdir}/signatures");
- echo "Done copying signatures.\n";
-} else {
- echo "Directory signatures exist...\n";
- echo "Error copping signature...\n";
- exit(0);
- }
- }
-}
-
-/* Copy snort rules and emergingthreats and pfsense dir to snort dir */
-if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/rules")) {
- echo "Copying rules...\n";
- echo "May take a while...\n";
- exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules");
- echo "Done copping rules.\n";
- /* Write out time of last sucsessful rule install catch */
- $config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A");
- write_config();
-} else {
- echo "Directory rules does not exists...\n";
- echo "Error copying rules direcory...\n";
- exit(0);
- }
-}
-
-/* double make shure clean up emerg rules that dont belong */
-if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) {
- apc_clear_cache();
- exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules");
- exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules");
- exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules");
- exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules");
- exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules");
- exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules");
- exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules");
-}
-
-if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) {
- exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so");
- exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*");
-}
-
-echo "Updating Alert Messages...\n";
-echo "Please Wait...\n";
-sleep(2);
-exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/gen-msg.map");
-
-/* Run oinkmaster to snort_wan and cp configs */
-if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
-echo "Your enable and disable changes are being applied to your fresh set of rules...\n";
-echo "May take a while...\n";
-
-exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}");
-exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}");
-exec("/bin/cp {$snortdir}/generators {$snortdir_wan}");
-exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}");
-exec("/bin/cp {$snortdir}/sid {$snortdir_wan}");
-exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}");
-exec("/bin/cp {$snortdir}/snort.conf {$snortdir_wan}");
-exec("/bin/cp {$snortdir}/threshold.conf {$snortdir_wan}");
-exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}");
-
-exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log");
-
-}
-
-/* php code to flush out cache some people are reportting missing files this might help */
-sleep(5);
-apc_clear_cache();
-exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync");
-
-/* php code finish */
-echo "The Rules update finished...\n";
-echo "You may start snort now...\n";
-
-?>
+<?php +/* $Id$ */ +/* + snort_rulesets.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* Setup enviroment */ +$tmpfname = "/tmp/snort_rules_up"; +$snortdir = "/usr/local/etc/snort_bkup"; +$snortdir_wan = "/usr/local/etc/snort"; +$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; +$snort_filename = "snortrules-snapshot-2.8.tar.gz"; +$emergingthreats_filename_md5 = "version.txt"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; +$pfsense_rules_filename = "pfsense_rules.tar.gz"; + +require("/usr/local/pkg/snort.inc"); +require_once("config.inc"); + +?> + + +<?php + +$up_date_time = date('l jS \of F Y h:i:s A'); +echo ""; +echo "#########################"; +echo "$up_date_time"; +echo "#########################"; +echo ""; + +/* Begin main code */ +/* Set user agent to Mozilla */ +ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); +ini_set("memory_limit","125M"); + +/* send current buffer */ +ob_flush(); + +/* define oinkid */ +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + +/* if missing oinkid exit */ +if(!$oinkid) { + echo "Please add you oink code\n"; + exit; +} + +/* premium_subscriber check */ +//unset($config['installedpackages']['snort']['config'][0]['subscriber']); +//write_config(); +$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; + +if ($premium_subscriber_chk === on) { + $premium_subscriber = "_s"; +}else{ + $premium_subscriber = ""; +} + +$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +if ($premium_url_chk === on) { + $premium_url = "sub-rules"; +}else{ + $premium_url = "reg-rules"; +} + +/* send current buffer */ +ob_flush(); + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + exec("/bin/rm -r {$tmpfname}"); + apc_clear_cache(); +} + +/* send current buffer */ +ob_flush(); + +/* If tmp dir does not exist create it */ +if (file_exists($tmpfname)) { + echo "The directory tmp exists...\n"; +} else { + mkdir("{$tmpfname}", 700); +} + +/* download md5 sig from snort.org */ +if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + echo "md5 temp file exists...\n"; +} else { + echo "Downloading md5 file...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); + $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done. downloading md5\n"; +} + +/* download md5 sig from emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { + echo "Downloading md5 file...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $f = fopen("{$tmpfname}/version.txt", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done. downloading md5\n"; +} + +/* download md5 sig from pfsense.org */ +if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { + echo "md5 temp file exists...\n"; +} else { + echo "Downloading pfsense md5 file...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); + $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done. downloading md5\n"; +} + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; + +/* If md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ + echo "Please wait... You may only check for New Rules every 15 minutes...\n"; + echo "Rules are released every month from snort.org. You may download the Rules at any time.\n"; + exit(0); +} + +/* If emergingthreats md5 file is empty wait 15min exit not needed */ + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + echo "Please wait... You may only check for New Pfsense Rules every 15 minutes...\n"; + echo "Rules are released to support Pfsense packages.\n"; + exit(0); +} + +/* Check if were up to date snort.org */ +if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ +$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); +if ($md5_check_new == $md5_check_old) { + echo "Your rules are up to date...\n"; + echo "You may start Snort now, check update.\n"; + $snort_md5_check_ok = on; + } +} + +/* Check if were up to date emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { +if (file_exists("{$snortdir}/version.txt")){ +$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); +$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); +$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); +if ($emerg_md5_check_new == $emerg_md5_check_old) { + echo "Your emergingthreats rules are up to date...\n"; + echo "You may start Snort now, check update.\n"; + $emerg_md5_check_chk_ok = on; + } + } +} + +/* Check if were up to date pfsense.org */ +if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ +$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +if ($pfsense_md5_check_new == $pfsense_md5_check_old) { + $pfsense_md5_check_ok = on; + } +} + +/* Make Clean Snort Directory emergingthreats not checked */ +if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { + echo "Cleaning the snort Directory...\n"; + echo "removing...\n"; + exec("/bin/rm {$snortdir}/rules/emerging*\n"); + exec("/bin/rm {$snortdir}/version.txt"); + echo "Done making cleaning emrg direcory.\n"; +} + +/* Check if were up to date exits */ +if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { + echo "Your rules are up to date...\n"; + echo "You may start Snort now...\n"; + exit(0); +} + +if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { + echo "Your rules are up to date...\n"; + echo "You may start Snort now...\n"; + exit(0); +} + +/* "You are Not Up to date */; + echo "You are NOT up to date...\n"; + echo "Stopping Snort service...\n"; +stop_service("snort"); +sleep(2); +// start_service("snort"); + +/* download snortrules file */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + echo "Snortrule tar file exists...\n"; +} else { + + echo "There is a new set of Snort rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz"); + $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading rules file.\n"; + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + echo "Error with the snort rules download...\n"; + echo "Snort rules file downloaded failed...\n"; + exit(0); + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + echo "Emergingthreats tar file exists...\n"; +} else { + echo "There is a new set of Emergingthreats rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); +// $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); + $f = fopen("{$tmpfname}/emerging.rules.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading Emergingthreats rules file.\n"; + } + } + } + +/* download pfsense rules file */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + echo "Snortrule tar file exists...\n"; +} else { + + echo "There is a new set of Pfsense rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz"); + $f = fopen("{$tmpfname}/pfsense_rules.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading rules file.\n"; + } +} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + echo "Extracting rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/web-misc.rules/"); + echo "Done extracting Rules.\n"; +} else { + echo "The Download rules file missing...\n"; + echo "Error rules extracting failed...\n"; + exit(0); + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + echo "Extracting rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + echo "Extracting Pfsense rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$tmpfname} rules/"); + } +} + +/* Untar snort signatures */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { +$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { + echo "Extracting Signatures...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} doc/signatures/"); + echo "Done extracting Signatures.\n"; + } + } +} + +/* Make Clean Snort Directory */ +if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { +if (file_exists("{$snortdir}/rules")) { + echo "Cleaning the snort Directory...\n"; + echo "removing...\n"; + exec("/bin/mkdir -p {$snortdir}"); + exec("/bin/mkdir -p {$snortdir}/rules"); + exec("/bin/mkdir -p {$snortdir}/signatures"); + exec("/bin/rm {$snortdir}/*"); + exec("/bin/rm {$snortdir}/rules/*"); + exec("/bin/rm {$snortdir_wan}/*"); + exec("/bin/rm {$snortdir_wan}/rules/*"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); +} else { + echo "Making Snort Directory...\n"; + echo "should be fast...\n"; + exec("/bin/mkdir {$snortdir}"); + exec("/bin/mkdir {$snortdir}/rules"); + exec("/bin/rm {$snortdir_wan}/\*"); + exec("/bin/rm {$snortdir_wan}/rules/*"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); + echo "Done making snort direcory.\n"; + } +} + +/* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { + echo "Copying so_rules...\n"; + echo "May take a while...\n"; + sleep(2); + exec("`/bin/cp -f {$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); + exec("/bin/cp {$tmpfname}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules"); + echo "Done copying so_rules.\n"; +} else { + echo "Directory so_rules does not exist...\n"; + echo "Error copping so_rules...\n"; + exit(0); + } +} + +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; +$enabled_sid_on_array = split("\|\|", $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "enable $enabled_item_on\n"; + +$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; +$enabled_sid_off_array = split("\|\|", $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "disable $enabled_item_off\n"; + +$snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort_bkup/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's threshold.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); + + fwrite($oinkmasterlist, "$snort_sid_text"); + + /* close snort's threshold.conf file */ + fclose($oinkmasterlist); + +} + +/* Copy configs to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/etc/Makefile.am")) { + echo "Copying configs to snort directory...\n"; + exec("/bin/cp {$tmpfname}/etc/* {$snortdir}"); +} else { + echo "The snort configs does not exist...\n"; + echo "Error copping config...\n"; + exit(0); + } +} + +/* Copy md5 sig to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$snort_filename_md5")) { + echo "Copying md5 sig to snort directory...\n"; + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); +} else { + echo "The md5 file does not exist...\n"; + echo "Error copping config...\n"; + exit(0); + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { + echo "Copying md5 sig to snort directory...\n"; + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); +} else { + echo "The emergingthreats md5 file does not exist...\n"; + echo "Error copping config...\n"; + exit(0); + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + echo "Copying Pfsense md5 sig to snort directory...\n"; + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); +} else { + echo "The Pfsense md5 file does not exist...\n"; + echo "Error copping config...\n"; + exit(0); + } +} + +/* Copy signatures dir to snort dir */ +if ($snort_md5_check_ok != on) { +$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { +if (file_exists("{$tmpfname}/doc/signatures")) { + echo "Copying signatures...\n"; + echo "May take a while...\n"; + exec("/bin/mv -f {$tmpfname}/doc/signatures {$snortdir}/signatures"); + echo "Done copying signatures.\n"; +} else { + echo "Directory signatures exist...\n"; + echo "Error copping signature...\n"; + exit(0); + } + } +} + +/* Copy snort rules and emergingthreats and pfsense dir to snort dir */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/rules")) { + echo "Copying rules...\n"; + echo "May take a while...\n"; + exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules"); + echo "Done copping rules.\n"; + /* Write out time of last sucsessful rule install catch */ + $config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A"); + write_config(); +} else { + echo "Directory rules does not exists...\n"; + echo "Error copying rules direcory...\n"; + exit(0); + } +} + +/* double make shure clean up emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +echo "Updating Alert Messages...\n"; +echo "Please Wait...\n"; +sleep(2); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/gen-msg.map"); + +/* Run oinkmaster to snort_wan and cp configs */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { +echo "Your enable and disable changes are being applied to your fresh set of rules...\n"; +echo "May take a while...\n"; + +exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); +exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); +exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); +exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); +exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); +exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); +exec("/bin/cp {$snortdir}/snort.conf {$snortdir_wan}"); +exec("/bin/cp {$snortdir}/threshold.conf {$snortdir_wan}"); +exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + +exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); + +} + +/* php code to flush out cache some people are reportting missing files this might help */ +sleep(5); +apc_clear_cache(); +exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + +/* php code finish */ +echo "The Rules update finished...\n"; +echo "You may start snort now...\n"; + +?> |