Diffstat (limited to 'config/snort/snort.inc')
-rw-r--r--config/snort/snort.inc111
1 files changed, 40 insertions, 71 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 8e3e5f88..f27bb383 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -37,7 +37,7 @@ require_once("functions.inc");
require_once("filter.inc");
/* package version */
-$snort_package_version = 'Snort 2.8.6.1 pkg v. 2.0';
+$snort_package_version = 'Snort 2.9.0.5 pkg v. 2.0';
/* Allow additional execution time 0 = no limit. */
ini_set('max_execution_time', '9999');
@@ -59,7 +59,7 @@ else
$snort_arch_ck = php_uname("m");
if ($snort_arch_ck == 'i386')
$snort_arch = 'x86';
-else if ($snort_arch_ck = "amd64")
+else if ($snort_arch_ck == "amd64")
$snort_arch = 'x64';
else
$snort_arch = "Unknown";
@@ -291,7 +291,7 @@ function Running_Stop($snort_uuid, $if_real, $id) {
global $config;
/* if snort.sh crashed this will remove the pid */
- exec('/bin/rm /tmp/snort.sh.pid');
+ @unlink('/tmp/snort.sh.pid');
$start_up_s = exec("/bin/ps -U snort | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'");
$start_up_r = exec("/bin/ps -U root | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'");
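Review bot: The `$start_up_r` pipeline on the last context line will typically match the grep process itself when PHP runs as root (as it does on pfSense), because `ps -U root` lists the shell pipeline and the grep's own argv contains `-R {$snort_uuid}`; the generated snort.sh guards the same check with `grep -v grep`, this one does not, so Running_Stop likely concludes a root-owned snort is running even when none is. Adding `| /usr/bin/grep -v grep` to both pipelines (or passing the pattern through `pgrep -f`) fixes that. `$snort_uuid` is also interpolated into a shell command unescaped; wrapping it with `escapeshellarg()` or validating it against the expected token format keeps an unexpected value from breaking the pipeline. The new `@unlink('/tmp/snort.sh.pid')` targets a fixed name in world-writable /tmp that the generated snort.sh writes as root (`/bin/echo "snort.sh run" > /tmp/snort.sh.pid` in the hunk ending at L95); a state file under /var/run would avoid relying on /tmp. Running_Stop continues outside this hunk.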
@@ -490,14 +490,14 @@ function snort_postinstall()
}
/* cleanup default files */
- @unlink('/usr/local/etc/snort/snort.conf-sample');
- @unlink('/usr/local/etc/snort/threshold.conf-sample');
- @unlink('/usr/local/etc/snort/sid-msg.map-sample');
- @unlink('/usr/local/etc/snort/unicode.map-sample');
- @unlink('/usr/local/etc/snort/classification.config-sample');
- @unlink('/usr/local/etc/snort/generators-sample');
- @unlink('/usr/local/etc/snort/reference.config-sample');
- @unlink('/usr/local/etc/snort/gen-msg.map-sample');
+ @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf');
+ @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf');
+ @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map');
+ @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map');
+ @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config');
+ @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators');
+ @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config');
+ @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map');
@unlink('/usr/local/etc/snort/sid');
@unlink('/usr/local/etc/rc.d/snort');
@unlink('/usr/local/etc/rc.d/bardyard2');
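Review bot: The eight `@rename` calls silently overwrite whatever is already at the destination and swallow any failure, so a missing or unreadable `*-sample` file leaves no trace in the logs and an existing `snort.conf` is replaced without notice; on a reinstall that is presumably intended, but it should at least be logged. The list is also eight copies of the same statement with only the basename varying, which is easier to keep in sync as a loop. The sketch below keeps the rename semantics, skips a sample that is not present, and reports a failed rename via `log_error()`, which the file already uses. snort_postinstall starts and ends outside this hunk.
```php
/* install the shipped *-sample files under their live names */
$snort_sample_files = array('snort.conf', 'threshold.conf', 'sid-msg.map', 'unicode.map',
    'classification.config', 'generators', 'reference.config', 'gen-msg.map');
foreach ($snort_sample_files as $snort_sample) {
    $sample_src = "/usr/local/etc/snort/{$snort_sample}-sample";
    $sample_dst = "/usr/local/etc/snort/{$snort_sample}";
    if (!file_exists($sample_src))
        continue;
    /* rename() replaces an existing destination; report a failure instead of hiding it */
    if (!@rename($sample_src, $sample_dst))
        log_error("Could not install {$sample_src} as {$sample_dst}");
}
/* … unchanged: @unlink of /usr/local/etc/snort/sid and the rc.d scripts … */
```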
@@ -588,19 +588,19 @@ function snort_postinstall()
exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png');
/* install barnyard2 for 2.0 x86 x64 and 1.2.3 x86 */
- chdir("/usr/local/bin/");
-
update_status(gettext("Installing Barnyard2 for $snort_arch..."));
update_output_window(gettext("Please wait..."));
if ($snort_pfsense_basever == 'yes')
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2');
- else if ($snort_pfsense_basever == 'no')
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.1{$snort_arch}/barnyard2');
-
+ exec('/usr/bin/fetch -o /usr/local/bin/barnyard2 http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2');
+ else if ($snort_pfsense_basever == 'no') {
+ if ($snort_arch == 'x64')
+ exec("/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2");
+ else
+ exec("/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2");
+ exec('/bin/chmod 0755 /usr/local/bin/barnyard2');
+ }
update_output_window(gettext("Finnished Installing Barnyard2..."));
- exec('/bin/chmod 755 /usr/local/bin/barnyard2');
-
/* XXX: remove compeletely? */
if ($snort_pfsense_basever == 'yes') {
if (!is_dir('/tmp/pkg_s'))
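Review bot: The `chmod 0755` now runs only inside the `$snort_pfsense_basever == 'no'` block, so the 1.2.3 branch on the first added line downloads `/usr/local/bin/barnyard2` but no longer marks it executable, whereas the removed `exec('/bin/chmod 755 ...')` applied to both branches. The exit status of `fetch` is also ignored in every branch, so a failed download still reports "Finnished Installing Barnyard2" and, in the 8.x branch, chmods whatever partial or stale file is on disk. Since this is an executable fetched over plain http and later run as root, the download should at minimum be checked for success before the chmod, and ideally compared against a published hash before it is trusted. The sketch below selects the URL once, fetches, and only chmods on a zero exit status; snort_postinstall starts and ends outside this hunk.
```php
$barnyard2_bin = '/usr/local/bin/barnyard2';
$barnyard2_url = '';
if ($snort_pfsense_basever == 'yes')
    $barnyard2_url = 'http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2';
else if ($snort_pfsense_basever == 'no')
    $barnyard2_url = ($snort_arch == 'x64')
        ? 'http://files.pfsense.org/packages/amd64/8/All/barnyard2'
        : 'http://files.pfsense.org/packages/8/All/barnyard2';
if ($barnyard2_url != '') {
    exec("/usr/bin/fetch -o {$barnyard2_bin} {$barnyard2_url}", $fetch_out, $fetch_rc);
    /* only mark the file executable once the download is known to have completed */
    if ($fetch_rc == 0)
        chmod($barnyard2_bin, 0755);
    else
        log_error("Could not download barnyard2 from {$barnyard2_url}");
}
/* … unchanged: update_output_window(gettext("Finnished Installing Barnyard2...")); … */
```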
@@ -1243,13 +1243,12 @@ function create_snort_sh()
###### For Each Iface
# If Snort proc is NOT running
-if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" = "" ]; then
+if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print $2;}'`" = "" ]; then
/bin/echo "snort.sh run" > /tmp/snort.sh.pid
# Start snort and barnyard2
/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid
- /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck
/usr/local/bin/snort -u snort -g snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
$start_barnyard2
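Review bot: Dropping `{$if_real}` from the grep pattern on the added line makes the process check match any command line containing `R {$snort_uuid}` as a substring, so if one interface's uuid is a prefix of another's (or the uuid turns up in some unrelated argument) the "not running" test is fooled and the start is skipped; whether that can happen depends on the uuid format, which is not visible here. Anchoring on the token boundary that the snort command line below guarantees, `grep "R {$snort_uuid} -D"`, keeps the looser per-uuid match the commit wants without the prefix problem. The same pattern is repeated in the hunks ending at L104, L110 and L122 and should be changed together. The heredoc belongs to create_snort_sh, which starts and ends outside this hunk.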
@@ -1266,9 +1265,9 @@ EOD;
#### Fake start only used on bootup and Pfsense IP changes
#### Only try to restart if snort is running on Iface
-if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then
+if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print $2;}'`" != "" ]; then
- snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`"
+ snort_pid=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print $2;}'`
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"
#### Restart Iface
@@ -1281,7 +1280,7 @@ EOE;
$snort_sh_text4[] = <<<EOF
-pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print \$2;}'`
+pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print \$2;}'`
sleep 3
pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/awk '{print \$2;}'`
@@ -1294,7 +1293,6 @@ if [ \${pid_s} ] ; then
sleep 3
/bin/kill \${pid_b}
- /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck
/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid
fi
@@ -1337,7 +1335,7 @@ rc_start() {
/bin/rm /tmp/snort.sh.pid
#### If on Fake start snort is NOT running DO a real start.
- if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then
+ if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}" | awk '{print $2;}'`" = "" ]; then
rc_start_real
@@ -1422,7 +1420,7 @@ function create_rules_iface($id, $if_real, $snort_uuid)
/* open barnyard2.conf for writing */
function create_barnyard2_conf($id, $if_real, $snort_uuid) {
- global $bconfig, $g;
+ global $config, $g;
if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"))
exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");
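Review bot: `exec("/usr/bin/touch ...")` on the last line builds a shell command from `$snort_uuid` and `$if_real`, where PHP's own `touch()` does the same job with no shell involved, `@touch("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");`, matching the `exec('/bin/rm')` to `@unlink()` replacement this commit makes in Running_Stop. Given that the function later opens the same file with `fopen(..., "w")`, which creates it, the touch is presumably redundant altogether. The function also has no docblock; a short one stating that it (re)writes barnyard2.conf for the interface identified by `$id`/`$if_real`/`$snort_uuid` and reports an unwritable file via `log_error()` would help. create_barnyard2_conf continues outside this hunk.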
@@ -1439,7 +1437,7 @@ function create_barnyard2_conf($id, $if_real, $snort_uuid) {
$bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");
if(!$bconf) {
log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing.");
- exit;
+ return;
}
fwrite($bconf, $barnyard2_conf_text);
fclose($bconf);
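Review bot: The new `return` on the failure path hands control back with no value, so a caller cannot tell that barnyard2.conf was not written and presumably goes on to start barnyard2 against a stale or empty file; `return false;` here and an explicit `return true;` after `fclose($bconf)` would let callers check the outcome. The `fwrite`/`fclose` results are also unchecked, so a write error is silent in the same way. create_barnyard2_conf starts and ends outside this hunk.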
@@ -1929,8 +1927,8 @@ function generate_snort_conf($id, $if_real, $snort_uuid)
/* generate rule sections to load */
$enabled_rulesets = $snortcfg['rulesets'];
+ $selected_rules_sections = "";
if (!empty($enabled_rulesets)) {
- $selected_rules_sections = "";
$enabled_rulesets_array = split("\|\|", $enabled_rulesets);
foreach($enabled_rulesets_array as $enabled_item)
$selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
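Review bot: `split()` on the line after the moved initialisation is deprecated since PHP 5.3 and takes a regex, which is why the separator is written `"\|\|"`; `explode("||", $enabled_rulesets)` performs the same split on a literal separator and is not deprecated. A ruleset string with a trailing or doubled `||` also yields an empty element and thus an `include $RULE_PATH/` line pointing at a directory, so each item should be skipped when empty, e.g. `if ($enabled_item == '') continue;` before the `.=`. generate_snort_conf starts and ends outside this hunk.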
@@ -2200,9 +2198,13 @@ EOD;
else
$def_max_queued_segs_type = ' max_queued_segs ' . $snortcfg['max_queued_segs'] . ',';
+ $snort_preprocessor_decoder_rules = "";
+ if (file_exists("/usr/local/etc/snort/preproc_rules/preprocessor.rules"))
+ $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ if (file_exists("/usr/local/etc/snort/preproc_rules/decoder.rules"))
+ $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
/* build snort configuration file */
- /* TODO; feed back from pfsense users to reduce false positives */
$snort_conf_text = <<<EOD
# snort configuration file
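Review bot: The preproc_rules directory is spelled out twice as a literal, in the two `file_exists()` checks added here and again as `var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules` in the hunk ending at L197, so the two can drift apart silently. Assigning it once, `$preproc_rule_path = '/usr/local/etc/snort/preproc_rules';`, and using `"{$preproc_rule_path}/preprocessor.rules"` in the checks and `var PREPROC_RULE_PATH {$preproc_rule_path}` in the heredoc keeps the include lines and the Snort variable in lockstep. A one-line comment above the new block saying that the two includes are emitted only when the files are present would also help, since an absent include line otherwise reads like a generation bug. generate_snort_conf starts and ends outside this hunk.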
@@ -2212,31 +2214,6 @@ EOD;
# for more information
# snort.conf
# Snort can be found at http://www.snort.org/
-#
-# Copyright (C) 2009-2010 Robert Zelaya
-# part of pfSense
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
#########################
#
@@ -2316,7 +2293,7 @@ portvar DCERPC_BRIGHTSTORE [6503,6504]
#####################
var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules
-# var PREPROC_RULE_PATH ./preproc_rules
+var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
################################
#
@@ -2357,9 +2334,9 @@ dynamicdetection directory /usr/local/lib/snort/dynamicrules
preprocessor frag3_global: max_frags 8192
preprocessor frag3_engine: policy bsd detect_anomalies
-preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
-track_udp yes, track_icmp yes
-preprocessor stream5_tcp: policy BSD, ports both all,{$def_max_queued_bytes_type}{$def_max_queued_segs_type} use_static_footprint_sizes
+preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
+
+preprocessor stream5_tcp: policy BSD, ports both all, {$def_max_queued_bytes_type}{$def_max_queued_segs_type}
preprocessor stream5_udp:
preprocessor stream5_icmp:
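Review bot: The new `stream5_tcp` line ends in whatever `{$def_max_queued_segs_type}` expands to, and the `else` branch visible in the hunk ending at L159 shows that value ending in a comma, so the generated line can now end in a dangling comma where `use_static_footprint_sizes` used to follow; whether Snort's stream5 option parser tolerates a trailing comma is not visible here and should be verified against a generated snort.conf. Dropping `max_tcp 8192` from `stream5_global` hands the session limit to Snort's built-in default, which as far as I recall is considerably higher and may matter for memory on small pfSense boxes; if that is intended it deserves a comment, otherwise keep the explicit value. generate_snort_conf starts and ends outside this hunk.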
@@ -2375,16 +2352,6 @@ preprocessor stream5_icmp:
{$def_sf_portscan_type}
-############################
- #
-# OLD #
-# preprocessor dcerpc: \ #
-# autodetect \ #
-# max_frag_size 3000 \ #
-# memcap 100000 #
- #
-############################
-
{$def_dce_rpc_2_type}
{$def_dns_preprocessor_type}
@@ -2420,10 +2387,12 @@ preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspec
include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config
include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config
- $threshold_file_name
+{$snort_preprocessor_decoder_rules}
+
+$threshold_file_name
# Snort user pass through configuration
- {$snort_config_pass_thru}
+{$snort_config_pass_thru}
###################
#