aboutsummaryrefslogtreecommitdiffstats
path: root/config/snort/snort.inc
diff options
context:
space:
mode:
Diffstat (limited to 'config/snort/snort.inc')
-rwxr-xr-xconfig/snort/snort.inc551
1 files changed, 436 insertions, 115 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index c36fc873..8062834f 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -33,21 +33,54 @@
require_once("pfsense-utils.inc");
require_once("config.inc");
require_once("functions.inc");
+require_once("service-utils.inc");
// Needed on 2.0 because of filter_get_vpns_list()
require_once("filter.inc");
+// Explicitly declare these as global so they work through function call includes
+global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log;
+global $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall;
+global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename;
+
/* package version */
-$snort_version = "2.9.2.3";
-$pfSense_snort_version = "2.5.4";
+$snort_version = "2.9.4.1";
+$pfSense_snort_version = "2.5.7";
$snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}";
-$snort_rules_file = "snortrules-snapshot-2923.tar.gz";
-$emerging_threats_version = "2.9.3";
+
+// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI)
+if (floatval(php_uname("r")) >= 8.3) {
+ exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray);
+ $snort_pbidir = "{$pbidirarray[0]}";
+ /* In case this is an initial Snort install and pbi_info() above returned null, set a sane default value */
+ if (empty($snort_pbidir))
+ $snort_pbidir = "/usr/pbi/snort-" . php_uname("m");
+ define("SNORTDIR", "{$snort_pbidir}/etc/snort");
+ define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort");
+}
+else {
+ define("SNORTDIR", "/usr/local/etc/snort");
+ define("SNORTLIBDIR", "/usr/local/lib/snort");
+}
+
+define("SNORTLOGDIR", "/var/log/snort");
+
+/* Important file definitions */
+$snort_rules_file = "snortrules-snapshot-2941.tar.gz";
+$emerging_threats_version = "2.9.0";
+$emergingthreats_filename = "emerging.rules.tar.gz";
+$snort_community_rules_url = "https://s3.amazonaws.com/snort-org/www/rules/community/";
+$snort_community_rules_filename = "community-rules.tar.gz";
$flowbit_rules_file = "flowbit-required.rules";
$snort_enforcing_rules_file = "snort.rules";
+$snort_rules_upd_log = SNORTLOGDIR;
+$snort_rules_upd_log .= "/snort_rules_update.log";
-define("SNORTDIR", "/usr/local/etc/snort");
-define("SNORTLOGDIR", "/var/log/snort");
+/* Rebuild Rules Flag -- if "on", rebuild enforcing rules and flowbit-rules files */
+$rebuild_rules = "off";
+
+/* Post-install Flag -- normally "false" except during post-install of package */
+$is_postinstall = false;
if (!is_array($config['installedpackages']['snortglobal']))
$config['installedpackages']['snortglobal'] = array();
@@ -296,7 +329,6 @@ function snort_barnyard_stop($snortcfg, $if_real) {
$snort_uuid = $snortcfg['uuid'];
if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) {
killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid");
- @unlink("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid");
}
}
@@ -306,12 +338,11 @@ function snort_stop($snortcfg, $if_real) {
$snort_uuid = $snortcfg['uuid'];
if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid");
- exec("/bin/rm {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid");
}
snort_barnyard_stop($snortcfg, $if_real);
- log_error("Interface Rule STOP for {$snortcfg['descr']}({$if_real})...");
+ log_error("Snort STOP for {$snortcfg['descr']}({$if_real})...");
}
function snort_barnyard_start($snortcfg, $if_real) {
@@ -339,7 +370,7 @@ function snort_start($snortcfg, $if_real) {
snort_barnyard_start($snortcfg, $if_real);
- log_error("Interface Rule START for {$snortcfg['descr']}({$if_real})...");
+ log_error("Snort START for {$snortcfg['descr']}({$if_real})...");
}
function snort_get_friendly_interface($interface) {
@@ -427,9 +458,15 @@ function snort_post_delete_logs($snort_uuid = 0) {
}
function snort_postinstall() {
- global $config, $g;
+ global $config, $g, $snort_rules_file, $emerging_threats_version;
+ global $snort_version, $rebuild_rules, $is_postinstall;
$snortdir = SNORTDIR;
+ $snortlibdir = SNORTLIBDIR;
+ $rcdir = RCFILEPREFIX;
+
+ /* Set flag for post-install in progress */
+ $is_postinstall = true;
/* cleanup default files */
@rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf");
@@ -440,25 +477,48 @@ function snort_postinstall() {
@rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
@rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
@rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
- @unlink("{$snortdir}/sid");
- @unlink("/usr/local/etc/rc.d/snort");
- @unlink("/usr/local/etc/rc.d/barnyard2");
- /* remove example files */
- if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0'))
- exec('rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*');
+ /* fix up the preprocessor rules filenames from a PBI package install */
+ $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
+ foreach ($preproc_rules as $file) {
+ if (file_exists("{$snortdir}/preproc_rules/{$file}-sample"))
+ @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}");
+ }
+
+ /* Remove any previously installed scripts since we rebuild them */
+ @unlink("{$snortdir}/sid");
+ @unlink("{$rcdir}/snort.sh");
+ @unlink("{$rcdir}/barnyard2");
- if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so'))
- exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*');
+ /* remove example library files */
+ $files = glob("{$snortlibdir}/dynamicrules/*_example*");
+ foreach ($files as $f)
+ @unlink($f);
+ $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*");
+ foreach ($files as $f)
+ @unlink($f);
/* remake saved settings */
if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
+ log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings..."));
update_status(gettext("Saved settings detected..."));
- update_output_window(gettext("Please wait... rebuilding files..."));
+ update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
+ log_error(gettext("[Snort] Downloading and updating configured rule types..."));
@include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php");
+ update_status(gettext("Generating snort.conf configuration file from saved settings..."));
+ $rebuild_rules = "on";
sync_snort_package_config();
- update_output_window(gettext("Finnished Rebuilding files..."));
+ $rebuild_rules = "off";
+ update_output_window(gettext("Finished rebuilding files..."));
+ log_error(gettext("[Snort] Finished rebuilding installation from saved settings..."));
+ update_status(gettext("Starting Snort using rebuilt configuration..."));
+ log_error(gettext("[Snort] Starting Snort using rebuilt configuration..."));
+ start_service("snort");
}
+
+ /* Done with post-install, so clear flag */
+ $is_postinstall = false;
+ log_error(gettext("[Snort] Package post-installation tasks completed..."));
}
function snort_Getdirsize($node) {
@@ -592,17 +652,20 @@ function snort_rm_blocked_install_cron($should_install) {
}
switch($should_install) {
case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "$snort_rm_blocked_min";
- $cron_item['hour'] = "$snort_rm_blocked_hr";
- $cron_item['mday'] = "$snort_rm_blocked_mday";
- $cron_item['month'] = "$snort_rm_blocked_month";
- $cron_item['wday'] = "$snort_rm_blocked_wday";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_rm_blocked_min";
+ $cron_item['hour'] = "$snort_rm_blocked_hr";
+ $cron_item['mday'] = "$snort_rm_blocked_mday";
+ $cron_item['month'] = "$snort_rm_blocked_month";
+ $cron_item['wday'] = "$snort_rm_blocked_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
+
+ /* Add cron job if not already installed, else just update the existing one */
+ if (!$is_installed)
$config['cron']['item'][] = $cron_item;
- }
+ elseif ($is_installed)
+ $config['cron']['item'][$x] = $cron_item;
break;
case false:
if ($is_installed == true)
@@ -672,17 +735,20 @@ function snort_rules_up_install_cron($should_install) {
}
switch($should_install) {
case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "$snort_rules_up_min";
- $cron_item['hour'] = "$snort_rules_up_hr";
- $cron_item['mday'] = "$snort_rules_up_mday";
- $cron_item['month'] = "$snort_rules_up_month";
- $cron_item['wday'] = "$snort_rules_up_wday";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log";
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_rules_up_min";
+ $cron_item['hour'] = "$snort_rules_up_hr";
+ $cron_item['mday'] = "$snort_rules_up_mday";
+ $cron_item['month'] = "$snort_rules_up_month";
+ $cron_item['wday'] = "$snort_rules_up_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log";
+
+ /* Add cron job if not already installed, else just update the existing one */
+ if (!$is_installed)
$config['cron']['item'][] = $cron_item;
- }
+ elseif ($is_installed)
+ $config['cron']['item'][$x] = $cron_item;
break;
case false:
if($is_installed == true)
@@ -693,12 +759,15 @@ function snort_rules_up_install_cron($should_install) {
/* Only run when all ifaces needed to sync. Expects filesystem rw */
function sync_snort_package_config() {
- global $config, $g;
+ global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file;
+ global $snort_version, $rebuild_rules;
+
+ $snortdir = SNORTDIR;
conf_mount_rw();
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']) && !is_array($config['installedpackages']['snortglobal']['rule'])) {
+ /* do not start config build if rules is empty or there are no Snort settings */
+ if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) {
exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
conf_mount_ro();
return;
@@ -708,10 +777,10 @@ function sync_snort_package_config() {
foreach ($snortconf as $value) {
$if_real = snort_get_real_interface($value['interface']);
- /* create snort configuration file */
+ /* create a snort.conf file for interface */
snort_generate_conf($value);
- /* create barnyard2 configuration file */
+ /* create barnyard2.conf file for interface */
if ($value['barnyard_enable'] == 'on')
snort_create_barnyard2_conf($value, $if_real);
}
@@ -748,7 +817,7 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
/* First check if we were passed a directory, a single file */
/* or an array of filenames to read. Set our $rule_files */
/* variable accordingly. If we can't figure it out, return */
- /* an empty rules map array. */
+ /* and don't write a sid_msg_map file. */
if (is_string($rules_path)) {
if (is_dir($rules_path))
$rule_files = glob($rules_path . "*.rules");
@@ -858,11 +927,19 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) {
/* Sort the new reference map. */
uksort($outMap,'strnatcasecmp');
+ /**********************************************************/
+ /* Do NOT write an empty references.config file, just */
+ /* exit instead. */
+ /**********************************************************/
+ if (empty($outMap))
+ return false;
+
/* Format and write it to the supplied output file. */
$format = "config reference: %-12s %s\n";
foreach ($outMap as $key=>$value)
$outMap[$key] = sprintf($format, $key, $value);
@file_put_contents($cfg_out, array_values($outMap));
+ return true;
}
function snort_merge_classification_configs($cfg_in, $cfg_out) {
@@ -895,11 +972,19 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) {
/* Sort the new classification map. */
uksort($outMap,'strnatcasecmp');
+ /**********************************************************/
+ /* Do NOT write an empty classification.config file, just */
+ /* exit instead. */
+ /**********************************************************/
+ if (empty($outMap))
+ return false;
+
/* Format and write it to the supplied output file. */
$format = "config classification: %s,%s\n";
foreach ($outMap as $key=>$value)
$outMap[$key] = sprintf($format, $key, $value);
@file_put_contents($cfg_out, array_values($outMap));
+ return true;
}
function snort_load_rules_map($rules_path) {
@@ -1272,11 +1357,13 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) {
/* given. */
/************************************************/
+ global $flowbit_rules_file;
+
/* See if we were passed a directory or full */
/* filename to write the rules to, and adjust */
/* the destination argument accordingly. */
if (is_dir($rule_file))
- $rule_file = rtrim($rule_file, '/').'/flowbit-required.rules';
+ $rule_file = rtrim($rule_file, '/')."/{$flowbit_rules_file}";
if (empty($flowbit_rules)) {
@file_put_contents($rule_file, "");
@@ -1363,7 +1450,7 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) {
global $snort_enforcing_rules_file;
- $rule_file = "/snort.rules";
+ $rule_file = "/{$snort_enforcing_rules_file}";
/* See if we were passed a directory or full */
/* filename to write the rules to, and adjust */
@@ -1402,9 +1489,17 @@ function snort_load_sid_mods($sids, $value) {
/* This function parses the string of */
/* SID values in $sids and returns an */
/* array with the SID as the key and */
- /* passed $value as the value. The SID */
- /* values in $sids are assumed to be */
- /* delimited by "||". */
+ /* value. The SID values in $sids are */
+ /* assumed to be delimited by "||". */
+ /* */
+ /* $sids ==> string of SID values from */
+ /* saved config file. */
+ /* */
+ /* $value ==> type of mod (enable or */
+ /* disable). Not currently */
+ /* utilized, but maintained */
+ /* so as not to break legacy */
+ /* code elsewhere. */
/*****************************************/
$result = array();
@@ -1413,7 +1508,7 @@ function snort_load_sid_mods($sids, $value) {
$tmp = explode("||", $sids);
foreach ($tmp as $v) {
if (preg_match('/\s\d+/', $v, $match))
- $result[trim($match[0])] = $value;
+ $result[trim($match[0])] = trim($match[0]);
}
unset($tmp);
@@ -1458,14 +1553,13 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
if (!empty($disablesid)) {
foreach ($rule_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $disablesid) && $v['disabled'] == 0) {
+ if (in_array($k2, $disablesid) && $v['disabled'] == 0) {
$rule_map[$k1][$k2]['rule'] = "# " . $v['rule'];
$rule_map[$k1][$k2]['disabled'] = 1;
}
}
}
}
-
unset($enablesid, $disablesid);
}
@@ -1475,6 +1569,7 @@ function snort_create_rc() {
global $config, $g;
$snortdir = SNORTDIR;
+ $rcdir = RCFILEPREFIX;
if (!is_array($config['installedpackages']['snortglobal']['rule']))
return;
@@ -1494,8 +1589,9 @@ function snort_create_rc() {
if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' > {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid
+ else
+ /bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid
fi
- /bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid
if [ $? = 0 ]; then
/bin/pkill -HUP -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a
else
@@ -1506,10 +1602,30 @@ EOE;
$stop_barnyard2 = <<<EOE
if [ -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
+ pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid`
/bin/pkill -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a
- /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid
+ time=0 timeout=30
+ while kill -0 \$pid 2>/dev/null; do
+ sleep 1
+ time=\$((time+1))
+ if [ \$time -gt \$timeout ]; then
+ break
+ fi
+ done
+ if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
+ /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid
+ fi
else
+ pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q'`
/bin/pkill -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q'
+ time=0 timeout=30
+ while kill -0 \$pid 2>/dev/null; do
+ sleep 1
+ time=\$((time+1))
+ if [ \$time -gt \$timeout ]; then
+ break
+ fi
+ done
fi
EOE;
@@ -1521,19 +1637,18 @@ EOE;
$start_snort_iface_start[] = <<<EOE
###### For Each Iface
-#### Only try to restart if snort is running on Iface
+ # Start snort and barnyard2
if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then
- /bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' > {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid
+ pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'`
+ else
+ pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid`
fi
- /bin/pgrep -nF {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid
if [ $? = 0 ]; then
- /bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT START For {$value['descr']}({$snort_uuid}_{$if_real})..."
+ /bin/pkill -HUP \$pid
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..."
else
- # Start snort and barnyard2
- /bin/rm {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid
/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START For {$value['descr']}({$snort_uuid}_{$if_real})..."
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..."
fi
sleep 2
@@ -1543,12 +1658,32 @@ EOE;
$start_snort_iface_stop[] = <<<EOE
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP For {$value['descr']}({$snort_uuid}_{$if_real})..."
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
if [ -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then
+ pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid`
/bin/pkill -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a
- /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid
- else
+ time=0 timeout=30
+ while kill -0 \$pid 2>/dev/null; do
+ sleep 1
+ time=\$((time+1))
+ if [ \$time -gt \$timeout ]; then
+ break
+ fi
+ done
+ if [ -f /var/run/snort_{$if_real}{$snort_uuid}.pid ]; then
+ /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid
+ fi
+ else
+ pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'`
/bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'
+ time=0 timeout=30
+ while kill -0 \$pid 2>/dev/null; do
+ sleep 1
+ time=\$((time+1))
+ if [ \$time -gt \$timeout ]; then
+ break
+ fi
+ done
fi
sleep 2
@@ -1584,6 +1719,7 @@ case $1 in
rc_stop
;;
restart)
+ rc_stop
rc_start
;;
esac
@@ -1591,11 +1727,11 @@ esac
EOD;
/* write out snort.sh */
- if (!@file_put_contents("/usr/local/etc/rc.d/snort.sh", $snort_sh_text)) {
- log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing.");
+ if (!@file_put_contents("{$rcdir}/snort.sh", $snort_sh_text)) {
+ log_error("Could not open {$rcdir}/snort.sh for writing.");
return;
}
- @chmod("/usr/local/etc/rc.d/snort.sh", 0755);
+ @chmod("{$rcdir}/snort.sh", 0755);
}
/* open barnyard2.conf for writing */
@@ -1642,13 +1778,16 @@ function snort_generate_barnyard2_conf($snortcfg, $if_real) {
config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config
config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config
config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map
-config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map
+config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map
config hostname: $snortbarnyardlog_hostname_info_chk
config interface: {$if_real}
config decode_data_link
config waldo_file: /var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo
+# Show year in timestamps
+config show_year
+
## START user pass through ##
{$snortbarnyardlog_config_pass_thru}
@@ -1671,12 +1810,15 @@ EOD;
}
function snort_deinstall() {
- global $config, $g;
+
+ global $config, $g, $snort_rules_upd_log;
$snortdir = SNORTDIR;
+ $snortlibdir = SNORTLIBDIR;
$snortlogdir = SNORTLOGDIR;
+ $rcdir = RCFILEPREFIX;
- /* decrease bpf buffers back to 4096, from 20480 */
+ /* Make sure all active Snort processes are terminated */
mwexec('/usr/bin/killall snort', true);
sleep(2);
mwexec('/usr/bin/killall -9 snort', true);
@@ -1685,9 +1827,11 @@ function snort_deinstall() {
sleep(2);
mwexec('/usr/bin/killall -9 barnyard2', true);
sleep(2);
+
+ /* Remove the snort user and group */
mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
- /* Remove snort cron entries Ugly code needs smoothness*/
+ /* Remove snort cron entries Ugly code needs smoothness */
if (!function_exists('snort_deinstall_cron')) {
function snort_deinstall_cron($crontask) {
global $config, $g;
@@ -1709,25 +1853,62 @@ function snort_deinstall() {
}
}
- mwexec("/bin/rm {$snortdir}/*.md5; /bin/rm -r {$snortdir}/snort_*");
+ /* Remove all the Snort cron jobs. */
snort_deinstall_cron("snort2c");
snort_deinstall_cron("snort_check_for_rule_updates.php");
snort_deinstall_cron("snort_check_cron_misc.inc");
configure_cron();
+ /**********************************************************/
+ /* Test for existence of library backup tarballs in /tmp. */
+ /* If these are present, then a package "delete" */
+ /* operation is in progress and we need to wipe out the */
+ /* configuration files. Otherwise we leave the binary- */
+ /* side configuration intact since only a GUI files */
+ /* deinstall and reinstall operation is in progress. */
+ /* */
+ /* XXX: hopefully a better method presents itself in */
+ /* future versions of pfSense. */
+ /**********************************************************/
+ if (file_exists("/tmp/pkg_libs.tgz") || file_exists("/tmp/pkg_bins.tgz")) {
+ log_error(gettext("[Snort] Package deletion requested... removing all files..."));
+ mwexec("/bin/rm -rf {$snortdir}");
+ mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules");
+ mwexec("/bin/rm -f {$rcdir}/snort.sh");
+ mwexec("/bin/rm -rf /usr/local/pkg/snort");
+ mwexec("/bin/rm -rf /usr/local/www/snort");
+ mwexec("/bin/rm -rf /usr/local/etc/snort");
+ }
+
/* Keep this as a last step */
- if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on')
+ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') {
+ log_error(gettext("Not saving settings... all Snort configuration info and logs deleted..."));
unset($config['installedpackages']['snortglobal']);
+ @unlink("{$snort_rules_upd_log}");
+ mwexec("/bin/rm -rf {$snortlogdir}");
+ log_error(gettext("[Snort] The package has been removed from this system..."));
+ }
}
function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
- global $snort_enforcing_rules_file, $flowbit_rules_file;
+
+ global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules;
$snortdir = SNORTDIR;
+ $no_rules_defined = true;
+
+ /* If there is no reason to rebuild the rules, exit to save time. */
+ if ($rebuild_rules == "off")
+ return;
+
+ /* Log a message for rules rebuild in progress */
+ log_error(gettext("[Snort] Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ..."));
+ /* Only rebuild rules if some are selected or an IPS Policy is enabled */
if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') {
$enabled_rules = array();
$enabled_files = array();
+ $no_rules_defined = false;
/* Create an array with the full path filenames of the enabled */
/* rule category files if we have any. */
@@ -1741,16 +1922,6 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
$enabled_rules = snort_load_rules_map($enabled_files);
}
- /* Remove any existing rules files (except custom rules) prior to building a new set. */
- foreach (glob("{$snortcfgdir}/rules/*.rules") as $file) {
- $tmpfile = basename($file);
- if (in_array("{$snortdir}/rules/{$tmpfile}", $enabled_files))
- continue;
- if ($tmpfile != "custom.rules" && $tmpfile != $flowbit_rules_file &&
- $tmpfile != $snort_enforcing_rules_file)
- @unlink($file);
- }
-
/* Check if a pre-defined Snort VRT policy is selected. If so, */
/* add all the VRT policy rules to our enforcing rule set. */
if (!empty($snortcfg['ips_policy'])) {
@@ -1773,9 +1944,12 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Process any enablesid or disablesid modifications for the selected rules. */
snort_modify_sids($enabled_rules, $snortcfg);
- /* Check for and disable any rules dependent upon disabled preprocessors. */
- log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
- snort_filter_preproc_rules($snortcfg, $enabled_rules);
+ /* Check for and disable any rules dependent upon disabled preprocessors if */
+ /* this option is enabled for the interface. */
+ if ($snortcfg['preproc_auto_rule_disable'] == "on") {
+ log_error('[Snort] Checking for rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $enabled_rules);
+ }
/* Write the enforcing rules file to the Snort interface's "rules" directory. */
snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
@@ -1783,9 +1957,19 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */
if ($snortcfg['autoflowbitrules'] == 'on') {
- log_error('Resolving and auto-enabling flowbit required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
$enabled_files[] = "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}";
- snort_write_flowbit_rules_file(snort_resolve_flowbits($enabled_files), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
+ $fbits = snort_resolve_flowbits($enabled_files);
+
+ /* Check for and disable any flowbit-required rules dependent upon */
+ /* disabled preprocessors if this option is enabled for the interface. */
+ if ($snortcfg['preproc_auto_rule_disable'] == "on") {
+ log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $fbits, true);
+ }
+ snort_filter_preproc_rules($snortcfg, $fbits, true);
+ snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}");
+ unset($fbits);
} else
/* Just put an empty file to always have the file present */
snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
@@ -1796,17 +1980,24 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
}
- if (!empty($snortcfg['customrules']))
+ if (!empty($snortcfg['customrules'])) {
@file_put_contents("{$snortcfgdir}/rules/custom.rules", base64_decode($snortcfg['customrules']));
+ $no_rules_defined = false;
+ }
else
@file_put_contents("{$snortcfgdir}/rules/custom.rules", "");
+ /* Log a warning if the interface has no rules defined or enabled */
+ if ($no_rules_defined)
+ log_error(gettext("[Snort] Warning - no text rules selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ..."));
+
/* Build a new sid-msg.map file from the enabled */
/* rules and copy it to the interface directory. */
+ log_error(gettext("[Snort] Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "..."));
snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map");
}
-function snort_filter_preproc_rules($snortcfg, &$active_rules) {
+function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = false) {
/**************************************************/
/* This function checks the $active_rules array */
@@ -1819,11 +2010,22 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
/* the interface */
/* $active_rules -> rules_map array of enabled */
/* rules for the interface */
+ /* */
+ /* NOTE: This feature must be enabled in the GUI */
+ /* by the user. Use of this feature can */
+ /* severely degrade Snort's ability to */
+ /* detect threats by disabling potentially */
+ /* crucial detection rules. */
/**************************************************/
global $config;
- if (empty($active_rules))
+ $snortlogdir = SNORTLOGDIR;
+ $disabled_count = 0;
+ $log_msg = array();
+
+ /* Check if no rules or if this option is disabled */
+ if (empty($active_rules) || $snortcfg['preproc_auto_rule_disable'] <> 'on')
return;
/***************************************************
@@ -1833,8 +2035,20 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
* IMPORTANT -- Keep this part of the code current *
* with changes to preprocessor rule options in *
* Snort VRT rules. *
+ * *
+ * *
+ * Format of array is: *
+ * "rule_option" => "dependent_preprocessor" *
+ * *
+ * Last Update: 04/05/2013 *
+ * *
+ * Added: http_inspect content modifiers and *
+ * various "service" metadata values. *
+ * *
***************************************************/
$rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc",
+ "service ssl" => "ssl_preproc", "service ftp" => "ftp_preprocessor",
+ "service telnet" => "ftp_preprocessor", "service dns" => "dns_preprocessor",
"dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2",
"dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data",
"sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc",
@@ -1843,7 +2057,16 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
"gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc",
"modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc",
"dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc",
- "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc");
+ "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc",
+ "http_client_body;" => "http_inspect", "http_cookie;" => "http_inspect",
+ "http_raw_cookie;" => "http_inspect", "http_header;" => "http_inspect",
+ "http_raw_header;" => "http_inspect", "http_method;" => "http_inspect",
+ "http_uri;" => "http_inspect", "http_raw_uri;" => "http_inspect",
+ "http_stat_code;" => "http_inspect", "http_stat_msg;" => "http_inspect",
+ "uricontent:" => "http_inspect", "urilen:" => "http_inspect",
+ "http_encode;" => "http_inspect", "service http" => "http_inspect",
+ "service imap" => "imap_preproc", "service pop2" => "pop_preproc",
+ "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor");
/***************************************************
* Iterate the enabled rules, and check for rule *
@@ -1855,31 +2078,99 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
***************************************************/
foreach ($active_rules as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
- if ($v['disabled'] == 0)
+
+ /* If rule is already disabled, skip it. */
+ if ($v['disabled'] == 1)
continue;
+
foreach ($rule_opts_preprocs as $opt => $preproc) {
- $pcre = "/\s*\b" . $opt . "/i";
+ $pcre = "/\s*\b" . preg_quote($opt) . "/i";
if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) {
$active_rules[$k1][$k2]['rule'] = "# " . $v['rule'];
$active_rules[$k1][$k2]['disabled'] = 1;
+ $disabled_count++;
+
+ /* Accumulate auto-disabled rules for logging */
+ $tmp = $active_rules[$k1][$k2]['category'] . ",";
+ $tmp .= "{$k1}:{$k2},{$preproc},{$opt}";
+ $log_msg[] = $tmp;
break;
}
}
}
}
+
+ /***************************************************************/
+ /* If we are persisting the log from the last pass, then open */
+ /* the log file in append mode. Otherwise open in overwrite */
+ /* to clear the log in case we have zero disabled rules. */
+ /* */
+ /* Typically "persist log" mode is used on the second pass */
+ /* when flowbit-required rules are being assessed after the */
+ /* primary enforcing rules have been evaluated. */
+ /***************************************************************/
+ $iface = snort_get_friendly_interface($snortcfg['interface']);
+ $file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log";
+ if ($persist_log)
+ $fp = fopen($file, 'a');
+ else
+ $fp = fopen($file, 'w');
+
+ /***************************************************/
+ /* Log a warning if we auto-disabled any rules */
+ /* just so the user is aware protection is less */
+ /* than optimal with the preprocessors disabled. */
+ /***************************************************/
+ if ($disabled_count > 0) {
+ log_error(gettext("[Snort] Warning: auto-disabled {$disabled_count} rules due to disabled preprocessor dependencies."));
+ natcasesort($log_msg);
+ if ($fp) {
+ /* Only write the header when not persisting the log */
+ if (!$persist_log) {
+ @fwrite($fp, "#\n# Run Time: " . date("Y-m-d H:i:s") . "\n#\n");
+ @fwrite($fp, "#\n# These rules were auto-disabled because they contain options or operators\n");
+ @fwrite($fp, "# dependent on preprocessors that are currently NOT ENABLED on the Preprocessors\n");
+ @fwrite($fp, "# tab. Without these dependent preprocessors enabled, Snort would fail to start\n");
+ @fwrite($fp, "# if the rules listed below were enabled. Therefore the listed rules have been\n");
+ @fwrite($fp, "# automatically disabled. This behavior is controlled by the Auto-Rule Disable\n");
+ @fwrite($fp, "# feature on the Preprocessors tab.\n#\n");
+ @fwrite($fp, "# WARNING: Using the auto-disable rule feature is not recommended because it can\n");
+ @fwrite($fp, "# significantly reduce the threat detection capabilities of Snort!\n#");
+ @fwrite($fp, "\n# In the list below, the PREPROCESSOR column is the disabled preprocessor that\n");
+ @fwrite($fp, "# triggered the auto-disable of the rule represented by GID:SID. The RULE OPTION\n");
+ @fwrite($fp, "# column shows the specific rule option or content modifier contained within\n");
+ @fwrite($fp, "# the rule text that requires the preprocessor be enabled in order to execute.\n#");
+ @fwrite($fp, "\n# RULE CATEGORY GID:SID PREPROCESSOR RULE OPTION\n");
+ }
+ foreach ($log_msg as $m) {
+ $tmp = explode(",", $m);
+ @fwrite($fp, sprintf("%-30s %-10s %-20s %s", $tmp[0], $tmp[1], $tmp[2], $tmp[3]) . "\n");
+ }
+ }
+ log_error(gettext("[Snort] See '{$file}' for list of auto-disabled rules."));
+ unset($log_msg);
+ }
+ if ($fp)
+ fclose($fp);
}
function snort_generate_conf($snortcfg) {
- global $config, $g;
+
+ global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules;
$snortdir = SNORTDIR;
+ $snortlibdir = SNORTLIBDIR;
$snortlogdir = SNORTLOGDIR;
- $flowbit_rules_file = "flowbit-required.rules";
- $snort_enforcing_rules_file = "snort.rules";
if (!is_array($config['installedpackages']['snortglobal']['rule']))
return;
+ /* See if we should protect and not modify the preprocessor rules files */
+ if (!empty($snortcfg['protect_preproc_rules']))
+ $protect_preproc_rules = $snortcfg['protect_preproc_rules'];
+ else
+ $protect_preproc_rules = "off";
+
$if_real = snort_get_real_interface($snortcfg['interface']);
$snort_uuid = $snortcfg['uuid'];
$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
@@ -1902,8 +2193,8 @@ function snort_generate_conf($snortcfg) {
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
"{$snortcfgdir}/preproc_rules",
- "dynamicrules" => "/usr/local/lib/snort/dynamicrules",
- "dynamicengine" => "/usr/local/lib/snort/dynamicengine",
+ "dynamicrules" => "{$snortlibdir}/dynamicrules",
+ "dynamicengine" => "{$snortlibdir}/dynamicengine",
"dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
);
foreach ($snort_dirs as $dir) {
@@ -1911,13 +2202,24 @@ function snort_generate_conf($snortcfg) {
safe_mkdir($dir);
}
+ /********************************************************************/
+ /* For fail-safe on an initial startup following installation, and */
+ /* before a rules update has occurred, copy the default config */
+ /* files to the interface directory. If files already exist in */
+ /* the interface directory, or they are newer, that means a rule */
+ /* update has been done and we should leave the customized files */
+ /* put in place by the rules update process. */
+ /********************************************************************/
$snort_files = array("gen-msg.map", "classification.config", "reference.config",
"sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules",
"preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules"
);
foreach ($snort_files as $file) {
- if (file_exists("{$snortdir}/{$file}"))
- @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}");
+ if (file_exists("{$snortdir}/{$file}")) {
+ $ftime = filemtime("{$snortdir}/{$file}");
+ if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}")))
+ @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}");
+ }
}
/* define alertsystemlog */
@@ -2011,7 +2313,7 @@ EOD;
if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0'))
$def_client_flow_depth_type = $snortcfg['client_flow_depth'];
- if ($snortcfg['noalert_http_inspect'] == 'on')
+ if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect']))
$noalert_http_inspect = "no_alerts ";
else
$noalert_http_inspect = "";
@@ -2256,6 +2558,16 @@ EOD;
if (!empty($snortcfg['stream5_mem_cap']))
$def_stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}";
+ /* Default the HTTP_INSPECT preprocessor to "on" if not set. */
+ /* The preprocessor is required by hundreds of Snort rules, */
+ /* and without it Snort may not start and/or the number of */
+ /* rules required to be disabled reduces Snort's capability. */
+ /* Alerts from the HTTP_INSPECT preprocessor default to "off" */
+ /* unless a specific value has been set by the user. */
+ /**************************************************************/
+ if (empty($snortcfg['http_inspect']))
+ $snortcfg['http_inspect'] = 'on';
+
/* define servers and ports snortdefservers */
$snort_servers = array (
"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
@@ -2294,8 +2606,8 @@ EOD;
if (!empty($snort_preproc_libs[$preproc])) {
$preproclib = "libsf_" . $snort_preproc_libs[$preproc];
if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
- if (file_exists("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so")) {
- @copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
+ if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) {
+ @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
$snort_preprocessors .= $$preproc;
$snort_preprocessors .= "\n";
} else
@@ -2317,28 +2629,32 @@ EOD;
if (file_exists("{$snortcfgdir}/classification.config"))
$snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
if (is_dir("{$snortcfgdir}/preproc_rules")) {
- if ($snortcfg['sensitive_data'] == 'on') {
+ if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
$sedcmd = '/^#alert.*classtype:sdf/s/^#//';
if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules"))
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
} else
$sedcmd = '/^alert.*classtype:sdf/s/^/#/';
if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
- file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) {
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") {
@file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
@unlink("{$g['tmp_path']}/sedcmd");
-
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- } else {
+ } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") {
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ }
+ else {
$snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
- log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
+ log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
}
} else {
$snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
- log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
+ log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
}
/* generate rule sections to load */
@@ -2346,6 +2662,8 @@ EOD;
$selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n";
$selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n";
$selected_rules_sections .= "include \$RULE_PATH/custom.rules\n";
+
+ /* Create the actual rules file and save in the interface directory */
snort_prepare_rule_files($snortcfg, $snortcfgdir);
$cksumcheck = "all";
@@ -2393,6 +2711,9 @@ config pcre_match_limit_recursion: 1500
config detection: search-method {$snort_performance} search-optimize max-pattern-len 20 max_queue_events 5
config event_queue: max_queue 8 log 5 order_events content_length
+# Configure to show year in timestamps
+config show_year
+
# Configure protocol aware flushing #
# For more information see README.stream5 #
config paf_max: 16000
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-26 03:54:24 +0000