Diffstat (limited to 'config/snort/snort.inc')
-rw-r--r--config/snort/snort.inc778
1 files changed, 133 insertions, 645 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 8e3e5f88..0e624c7f 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -37,7 +37,7 @@ require_once("functions.inc");
require_once("filter.inc");
/* package version */
-$snort_package_version = 'Snort 2.8.6.1 pkg v. 2.0';
+$snort_package_version = 'Snort 2.9.1 pkg v. 2.0';
/* Allow additional execution time 0 = no limit. */
ini_set('max_execution_time', '9999');
@@ -56,10 +56,12 @@ else
$snort_pfsense_basever = 'yes';
/* find out what arch where in x86 , x64 */
+global $snort_arch;
+$snort_arch = 'x86';
$snort_arch_ck = php_uname("m");
if ($snort_arch_ck == 'i386')
$snort_arch = 'x86';
-else if ($snort_arch_ck = "amd64")
+else if ($snort_arch_ck == "amd64")
$snort_arch = 'x64';
else
$snort_arch = "Unknown";
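Review bot: The new default `$snort_arch = 'x86';` is dead code, because the `else` branch at the end of the chain overwrites it with `"Unknown"` for every `php_uname("m")` value other than `i386` and `amd64`. Either drop the initialiser or drop the `else` branch and its `$snort_arch = "Unknown";` line so unrecognised architectures fall through to the x86 default the initialiser suggests. The added `global $snort_arch;` is a no-op at file scope: the variable is already a global there, and functions that read it (snort_postinstall uses `$snort_arch` in a later hunk) still need their own `global $snort_arch;` declaration. The `=` to `==` repair on the `amd64` comparison is correct and was the real bug here.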
@@ -238,25 +240,10 @@ function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $v
function Running_Ck($snort_uuid, $if_real, $id) {
global $config;
- $snort_up_ck = exec("/bin/ps -U snort | /usr/bin/grep snort | /usr/bin/awk '{print \$1;}'");
-
- if(snort_up_ck == '') {
- $snort_up = 'no';
- return $snort_up;
- }
-
- if(snort_up_ck != ''){
-
- /* use ob_clean to clear output buffer, this code needs to be watched */
- ob_clean();
- $snort_up_prell = exec("/bin/ps -U snort | /usr/bin/grep \"\-R {$snort_uuid}\" | /usr/bin/awk '{print \$1;}'");
-
- if ($snort_up_prell != '') {
- $snort_uph = 'yes';
- }else{
- $snort_uph = 'no';
- }
- }
+ $snort_uph = 'no';
+ $snort_up_prell = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'");
+ if ($snort_up_prell != '')
+ $snort_uph = 'yes';
return $snort_uph;
}
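Review bot: `$snort_uuid` is interpolated unescaped into the new `exec()` pipeline, so both the shell command and the grep pattern depend on the uuid containing no quote, space or regex metacharacters; build the pattern with `$pat = escapeshellarg("R {$snort_uuid}");` and use `exec("/bin/ps -ax | /usr/bin/grep {$pat} | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'")`. The same unescaped interpolation is in the new Running_Ck_b pipeline (`snort_{$snort_uuid}_{$if_real}.u2`) and in the `$start_up` / `$start_upb` pipelines of Running_Stop. Note also that `exec()` returns only the last line of output, so when more than one process matches the pattern only one pid is observed; pass the `$output` array argument if all matches matter. `$if_real`, `$id` and `global $config` are unused in this function; drop them or add a comment that they are kept for signature compatibility with the callers.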
@@ -265,24 +252,10 @@ function Running_Ck($snort_uuid, $if_real, $id) {
function Running_Ck_b($snort_uuid, $if_real, $id) {
global $config;
- $snort_up_ck_b = exec("/bin/ps -U snort | /usr/bin/grep barnyard2 | /usr/bin/awk '{print \$1;}'");
-
- if($snort_up_ck_b == ''){
- $snort_up_b = 'no';
- return $snort_up_b;
- }
-
- if(snort_up_ck_b != '') {
-
- ob_clean();
- $snort_up_pre_b = exec("/bin/ps -U snort | grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'");
-
- if ($snort_up_pre_b != '') {
- $snort_up_b = 'yes';
- }else{
- $snort_up_b = 'no';
- }
- }
+ $snort_up_b = 'no';
+ $snort_up_pre_b = exec("/bin/ps -ax | /usr/bin/grep barnyard2 | /usr/bin/grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'");
+ if ($snort_up_pre_b != '')
+ $snort_up_b = 'yes';
return $snort_up_b;
}
@@ -291,45 +264,27 @@ function Running_Stop($snort_uuid, $if_real, $id) {
global $config;
/* if snort.sh crashed this will remove the pid */
- exec('/bin/rm /tmp/snort.sh.pid');
-
- $start_up_s = exec("/bin/ps -U snort | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'");
- $start_up_r = exec("/bin/ps -U root | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'");
+ @unlink('/tmp/snort.sh.pid');
- $start2_upb_s = exec("/bin/ps -U snort | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{ print \$1; }'");
- $start2_upb_r = exec("/bin/ps -U root | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{ print \$1; }'");
-
- if ($start_up_s != '' || $start_up_r != '' || $start2_upb_s != '' || $start2_upb_r != '') {
- if ($start_up_s != '')
- {
- exec("/bin/kill {$start_up_s}");
- exec("rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*");
- exec("rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*");
- }
+ $start_up = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'");
+ $start_upb = exec("/bin/ps -ax | /usr/bin/grep \"snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'");
- if ($start2_upb_s != '')
- {
- exec("/bin/kill {$start2_upb_s}");
- exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*");
- }
-
- if ($start_up_r != '')
- {
- exec("/bin/kill {$start_up_r}");
- exec("rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*");
- exec("rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*");
- }
-
- if ($start2_upb_r != '')
- {
- exec("/bin/kill {$start2_upb_r}");
- exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*");
- }
+ if ($start_up != '') {
+ exec("/bin/kill {$start_up}");
+ exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*");
+ exec("/bin/rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*");
+ exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}");
+ }
- /* Log Iface stop */
- exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'");
- sleep(2); // Give time so GUI displays correctly
+ if ($start_upb != '') {
+ exec("/bin/kill {$start_upb}");
+ exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*");
+ exec("/bin/rm /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*");
}
+
+ /* Log Iface stop */
+ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'");
+ sleep(2); // Give time so GUI displays correctly
}
function Running_Start($snort_uuid, $if_real, $id) {
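Review bot: The new `exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}")` deletes the whole per-interface configuration directory on every stop, yet Running_Start (next hunk) starts snort with `-c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf`; unless every stop is followed by a config rebuild that is not visible here, a stop/start cycle from the GUI will fail. If the intent is cleanup when an interface is removed, move that line to the delete path and keep Running_Stop limited to pids and log files. `exec("/bin/kill {$start_up}")` also relies on `exec()` returning a single pid; if several processes match `R {$snort_uuid}` only the last one is killed. `@unlink('/tmp/snort.sh.pid')` is fine as a best-effort, but a short comment saying why the failure is ignored (file normally absent) would help, e.g. `/* stale lock from a crashed snort.sh; absent on a clean stop */`.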
@@ -340,13 +295,16 @@ function Running_Start($snort_uuid, $if_real, $id) {
$snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
if ($snort_info_chk == 'on')
- exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ else
+ return;
+
/* define snortbarnyardlog_chk */
/* top will have trouble if the uuid is to far back */
$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'];
$snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql'];
- if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '' && $snort_info_chk == 'on') {
- exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q");
+ if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') {
+ exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q");
}
/* Log Iface stop */
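Review bot: The new `exec()` lines for snort and barnyard2 drop `-u snort -g snort`, so both daemons now keep the privileges of whatever invokes Running_Start (the PHP GUI process, which on pfSense I believe runs as root); the same drop appears in create_snort_sh on the `$start_barnyard2` line and the snort start line of the `EOE` heredoc, and the user/group creation and `chown snort:snort` blocks in snort_postinstall are commented out in this commit. Snort parses untrusted traffic, and dropping to an unprivileged user after opening the capture interface is its main containment, so if `pw useradd` is unreliable on pfSense the safer change is to keep `-u snort -g snort` and make the account creation robust (e.g. guard it with `pw usershow snort` and log the result) rather than to remove the drop. If running as the invoking user is the deliberate decision, document it on the exec line itself, e.g. `// runs as the invoking user: the snort account is not created on pfSense (see snort_postinstall)`, instead of in the commented-out `XXX:` blocks. The added `else return;` means barnyard2 is never started when `$snort_info_chk != 'on'`, which looks intended but deserves a one-line comment since the old condition tested it explicitly.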
@@ -396,7 +354,7 @@ function snort_file_list($snort_log_dir, $snort_log_file)
$dir = opendir ("$snort_log_dir");
while (false !== ($file = readdir($dir))) {
if (strpos($file, "$snort_log_file",1) )
- $file_list[] = $file;
+ $file_list[] = basename($file);
}
return $file_list;
}
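Review bot: `basename($file)` on the new line is a no-op, because `readdir()` already returns bare entry names with no directory component, so the change does not alter the returned list. The gaps actually worth fixing in this function are that `$file_list` is never initialised, so it returns `null` rather than an empty array when nothing matches, and the handle from `opendir()` is never closed; add `$file_list = array();` before the loop and `closedir($dir);` after it, and check `opendir()` for `false` before looping. The function starts before this hunk.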
@@ -473,7 +431,7 @@ function post_delete_logs()
//create_barnyard2_conf($id, $if_real, $snort_uuid);
if ($value['perform_stat'] == 'on')
- file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", "");
+ @file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", "");
}
}
}
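Review bot: Prefixing `file_put_contents()` with `@` hides a failure to truncate the stats file instead of handling it, and a failure here is usually a permissions or missing-directory problem the admin should see. Prefer `if (@file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", "") === false) log_error("Could not truncate snort_{$snort_uuid}_{$if_real}.stats");` so the GUI action is not silently ineffective. The enclosing function starts before this hunk.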
@@ -490,14 +448,14 @@ function snort_postinstall()
}
/* cleanup default files */
- @unlink('/usr/local/etc/snort/snort.conf-sample');
- @unlink('/usr/local/etc/snort/threshold.conf-sample');
- @unlink('/usr/local/etc/snort/sid-msg.map-sample');
- @unlink('/usr/local/etc/snort/unicode.map-sample');
- @unlink('/usr/local/etc/snort/classification.config-sample');
- @unlink('/usr/local/etc/snort/generators-sample');
- @unlink('/usr/local/etc/snort/reference.config-sample');
- @unlink('/usr/local/etc/snort/gen-msg.map-sample');
+ @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf');
+ @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf');
+ @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map');
+ @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map');
+ @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config');
+ @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators');
+ @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config');
+ @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map');
@unlink('/usr/local/etc/snort/sid');
@unlink('/usr/local/etc/rc.d/snort');
@unlink('/usr/local/etc/rc.d/bardyard2');
@@ -509,9 +467,11 @@ function snort_postinstall()
if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so'))
exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*');
- /* add snort user and group note: 920 keep the numbers < 2000, above this is reserved in pfSense 2.0 */
+ /* XXX: In pfSense this really does not add much!
+ * add snort user and group note: 920 keep the numbers < 2000, above this is reserved in pfSense 2.0
exec('/usr/sbin/pw groupadd snort -g 920');
exec('/usr/sbin/pw useradd snort -u 920 -c "Snort User" -d /nonexistent -g snort -s /sbin/nologin');
+ */
/* create a few directories and ensure the sample files are in place */
@@ -542,15 +502,17 @@ function snort_postinstall()
}
/* rm barnyard2 important */
- if (!file_exists('/usr/local/bin/barnyard2'))
+ if (file_exists('/usr/local/bin/barnyard2'))
@unlink('/usr/local/bin/barnyard2');
- /* important */
+ /* XXX: These are needed if you run snort as snort user
mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
+ */
+ /* important */
mwexec('/bin/chmod 660 /var/log/snort/alert', true);
mwexec('/bin/chmod 660 /var/db/whitelist', true);
mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true);
@@ -588,19 +550,19 @@ function snort_postinstall()
exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png');
/* install barnyard2 for 2.0 x86 x64 and 1.2.3 x86 */
- chdir("/usr/local/bin/");
-
update_status(gettext("Installing Barnyard2 for $snort_arch..."));
update_output_window(gettext("Please wait..."));
if ($snort_pfsense_basever == 'yes')
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2');
- else if ($snort_pfsense_basever == 'no')
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.1{$snort_arch}/barnyard2');
-
+ exec('/usr/bin/fetch -o /usr/local/bin/barnyard2 http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2');
+ else if ($snort_pfsense_basever == 'no') {
+ if ($snort_arch == 'x64')
+ exec("/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2");
+ else
+ exec("/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2");
+ exec('/bin/chmod 0755 /usr/local/bin/barnyard2');
+ }
update_output_window(gettext("Finnished Installing Barnyard2..."));
- exec('/bin/chmod 755 /usr/local/bin/barnyard2');
-
/* XXX: remove compeletely? */
if ($snort_pfsense_basever == 'yes') {
if (!is_dir('/tmp/pkg_s'))
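Review bot: The new `exec('/bin/chmod 0755 /usr/local/bin/barnyard2');` is applied only inside the `$snort_pfsense_basever == 'no'` branch, while the `7.3.x86` fetch in the `'yes'` branch lost the `chmod 755` the commit removed after the status message, so on a 1.2.3 base the downloaded binary is left non-executable; move the chmod below the whole if/else. None of the three `fetch` calls check their exit status, and the binary is pulled over plain HTTP with no checksum or signature check before being installed into `/usr/local/bin` and run with the privileges discussed on the Running_Start hunk; at minimum test the return of `exec()` and `file_exists('/usr/local/bin/barnyard2')` before the chmod, and verify a known digest of the expected binary (value to be supplied by the package maintainer) before trusting it. Because the previous hunk now deletes any existing barnyard2 before this fetch, a failed download leaves no binary at all, which is a regression from the old `!file_exists()` check. The typo `"Finnished"` in the status message is pre-existing but could be fixed while here.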
@@ -632,29 +594,11 @@ function snort_postinstall()
if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
update_status(gettext("Saved settings detected..."));
update_output_window(gettext("Please wait... rebuilding files..."));
- sync_snort_package_empty();
+ sync_snort_package_config();
update_output_window(gettext("Finnished Rebuilding files..."));
}
}
-function sync_package_snort_reinstall()
-{
- global $config;
-
- conf_mount_rw();
-
- if (!$config['installedpackages']['snortglobal'])
- return;
-
- /* create snort configuration file */
- create_snort_conf();
-
- /* start snort service */
- // start_service("snort"); // do not start, may be needed latter.
-
- conf_mount_ro();
-}
-
function snort_Getdirsize($node) {
if(!is_readable($node))
return false;
@@ -885,77 +829,8 @@ function snort_rules_up_install_cron($should_install) {
}
}
-function sync_snort_package_remove_old()
-{
- global $config, $g;
-
- $snort_dir_scan = '/usr/local/etc/snort';
-
- // scan dirm might have to make this into a funtion
- $dh_scan = opendir($snort_dir_scan);
- while (false !== ($dir_filename = readdir($dh_scan))) {
- $list_dir_files[] = $dir_filename;
- }
-
- // find patern in a array, very cool code
- class array_ereg {
- function array_ereg($pattern) { $this->pattern = $pattern; }
- function ereg($string) {
- return ereg($this->pattern, $string);
- }
- }
-
- $rule_array2 = $config['installedpackages']['snortglobal']['rule'];
- foreach ($rule_array2 as $id => $value) {
- $result_lan = $value['interface'];
- $if_real = snort_get_real_interface($result_lan);
-
- $snort_rules_list[] = "snort_{$id}{$if_real}";
- }
-
- $snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg'));
- $snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list);
-
- foreach ($snort_dir_filter_search_result as $value)
- exec("/bin/rm -r /usr/local/etc/snort/$value");
-
-}
-
-/* make sure this func on writes to files and does not start snort */
-function sync_snort_package() {
- global $config, $g;
-
- /* all new files are for the user snort nologin */
- if (!is_dir('/var/log/snort'))
- exec('/bin/mkdir -p /var/log/snort');
-
- if (!is_dir('/var/log/snort/run'))
- exec('/bin/mkdir -p /var/log/snort/run');
-
- if (!is_dir('/var/log/snort/barnyard2'))
- exec('/bin/mkdir -p /var/log/snort/barnyard2');
-
- /* all new files are for the user snort nologin */
- if (!file_exists('/var/log/snort/alert'))
- exec('/usr/bin/touch /var/log/snort/alert');
-
- /* important */
- mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
- mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
- mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
- mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
- mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
-
- mwexec('/bin/chmod 770 /var/db/whitelist', true);
- mwexec('/bin/chmod 770 /var/run/snort*', true);
- mwexec('/bin/chmod 770 /tmp/snort*', true);
- mwexec('/bin/chmod -R 770 /var/log/snort', true);
- mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true);
- mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true);
-}
-
-/* only run when a single iface needs to sync */
-function sync_snort_package_all($id, $if_real, $snort_uuid)
+/* Only run when all ifaces needed to sync. Expects filesystem rw */
+function sync_snort_package_config()
{
global $config, $g;
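Review bot: This hunk deletes `sync_snort_package_remove_old()`, `sync_snort_package()` and the three-argument `sync_snort_package_all($id, $if_real, $snort_uuid)` and reuses the name `sync_snort_package_config` for a zero-argument function; any caller in other files of the package (not visible here) that still calls the removed names, or passes arguments expecting a single-interface sync, will fatal or silently rebuild every interface. Please confirm every call site was updated in the same commit. Removing `sync_snort_package_remove_old()` also drops the only code that pruned stale `/usr/local/etc/snort/snort_*` directories for deleted interfaces; if that is now covered by the `rm -r` added to Running_Stop, a one-line comment at the new header saying so would help, e.g. `/* stale per-interface dirs are removed by Running_Stop */`. The new function's body continues past this hunk.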
@@ -967,62 +842,14 @@ function sync_snort_package_all($id, $if_real, $snort_uuid)
//exec("/sbin/sysctl net.bpf.maxinsns=512");
//exec("/sbin/sysctl net.inet.tcp.rfc1323=1");
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
- return;
- if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]))
- return;
-
conf_mount_rw();
- $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid'];
- $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface'];
- $if_real = snort_get_real_interface($result_lan);
-
- /* only build whitelist when needed */
- if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on')
- create_snort_whitelist($id, $if_real);
-
- /* only build threshold when needed */
- if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default')
- create_snort_suppress($id, $if_real);
-
- /* create snort configuration file */
- create_snort_conf($id, $if_real, $snort_uuid);
-
- /* if rules exist cp rules to each iface */
- create_rules_iface($id, $if_real, $snort_uuid);
-
- /* create snort bootup file snort.sh only create once */
- create_snort_sh();
-
- /* create barnyard2 configuration file */
- if ($config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'] == 'on')
- create_barnyard2_conf($id, $if_real, $snort_uuid);
-
- sync_snort_package();
-
- conf_mount_ro();
-}
-
-/* Only run when all ifaces needed to sync. Expects filesystem rw */
-function sync_snort_package_empty()
-{
- global $config, $g;
-
- /* RedDevil suggested code */
- /* TODO: more testing needs to be done */
- /* may cause voip to fail */
- //exec("/sbin/sysctl net.bpf.bufsize=8388608");
- //exec("/sbin/sysctl net.bpf.maxbufsize=4194304");
- //exec("/sbin/sysctl net.bpf.maxinsns=512");
- //exec("/sbin/sysctl net.inet.tcp.rfc1323=1");
-
/* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
+ conf_mount_ro();
return;
-
- conf_mount_rw();
+ }
foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {
$if_real = snort_get_real_interface($value['interface']);
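Review bot: The new early-return path uses `exec('/bin/rm /usr/local/etc/rc.d/snort.sh');` although the same commit switched Running_Stop to `@unlink()` for the same job; use `@unlink('/usr/local/etc/rc.d/snort.sh');` here too so the file is consistent and no shell is spawned for a single file removal. `conf_mount_rw()` now runs before the `is_array()` check, which is why the early return has to call `conf_mount_ro()` itself; moving the check above `conf_mount_rw()` removes that extra call and the risk of leaving the filesystem read-write if a later edit adds another early return. The function continues past this hunk.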
@@ -1045,8 +872,7 @@ function sync_snort_package_empty()
create_rules_iface($id, $if_real, $snort_uuid);
/* create barnyard2 configuration file */
- $snortbarnyardlog_info_chk = $value['barnyard_enable'];
- if ($snortbarnyardlog_info_chk == 'on')
+ if ($value['barnyard_enable'] == 'on')
create_barnyard2_conf($id, $if_real, $snort_uuid);
}
}
@@ -1054,61 +880,39 @@ function sync_snort_package_empty()
/* create snort bootup file snort.sh only create once */
create_snort_sh();
- sync_snort_package();
-
- conf_mount_ro();
-}
-
-/* only bootup and ip refresh */
-function sync_snort_package_config()
-{
- global $config, $g;
-
- /* RedDevil suggested code */
- /* TODO: more testing needs to be done */
- /* may cause voip to fail */
- //exec("/sbin/sysctl net.bpf.bufsize=8388608");
- //exec("/sbin/sysctl net.bpf.maxbufsize=4194304");
- //exec("/sbin/sysctl net.bpf.maxinsns=512");
- //exec("/sbin/sysctl net.inet.tcp.rfc1323=1");
-
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
- return;
-
- conf_mount_rw();
-
- foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {
-
- $result_lan = $value['interface'];
- $if_real = snort_get_real_interface($result_lan);
- $snort_uuid = $value['uuid'];
-
- if (!empty($if_real) && !empty($snort_uuid)) {
+ /* all new files are for the user snort nologin */
+ if (!is_dir('/var/log/snort'))
+ exec('/bin/mkdir -p /var/log/snort');
- /* only build whitelist when needed */
- if ($value['blockoffenders7'] == 'on')
- create_snort_whitelist($id, $if_real);
+ if (!is_dir('/var/log/snort/run'))
+ exec('/bin/mkdir -p /var/log/snort/run');
- /* only build threshold when needed */
- if ($value['suppresslistname'] != 'default')
- create_snort_suppress($id, $if_real);
+ if (!is_dir('/var/log/snort/barnyard2'))
+ exec('/bin/mkdir -p /var/log/snort/barnyard2');
- /* create snort configuration file */
- create_snort_conf($id, $if_real, $snort_uuid);
+ /* all new files are for the user snort nologin */
+ if (!file_exists('/var/log/snort/alert'))
+ exec('/usr/bin/touch /var/log/snort/alert');
- /* create barnyard2 configuration file */
- if ($value['barnyard_enable'] == 'on')
- create_barnyard2_conf($id, $if_real, $snort_uuid);
- }
- }
+ /* XXX: These are needed if snort is run as snort user
+ mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
+ mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
+ mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
+ */
- sync_snort_package();
+ /* important */
+ mwexec('/bin/chmod 770 /var/db/whitelist', true);
+ mwexec('/bin/chmod 770 /var/run/snort*', true);
+ mwexec('/bin/chmod 770 /tmp/snort*', true);
+ mwexec('/bin/chmod -R 770 /var/log/snort', true);
+ mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true);
+ mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true);
conf_mount_ro();
}
-
/* Start of main config files */
/* create threshold file */
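Review bot: The `mwexec('/bin/chmod -R 770 ...')` lines added here recursively make every file under `/var/log/snort`, `/usr/local/lib/snort` and `/usr/local/etc/snort/` group-writable and executable, while the `chown snort:snort` block that gave those modes a purpose is now commented out, so the files stay owned by whoever ran the sync (root, inferred) and the group bit only widens write access to that group. snort_postinstall in an earlier hunk applies `chmod -R 660 /usr/local/etc/snort/*` to the same tree, so each function undoes the other's policy on every run. Pick one policy and keep it narrow: directories `750`, config and rule files `640`, and only the files the daemons actually write (`alert`, the `.u2` spool, the waldo files) `660`, e.g. `find /usr/local/etc/snort -type d -exec chmod 750 {} +` and `-type f -exec chmod 640 {} +`. The `exec('/bin/mkdir -p ...')` and `exec('/usr/bin/touch ...')` lines can use PHP's `mkdir($dir, 0750, true)` and `touch()` and report failure through `log_error()` instead of discarding it.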
@@ -1220,7 +1024,6 @@ function create_snort_sh()
$snortconf =& $config['installedpackages']['snortglobal']['rule'];
- $snort_sh_text2 = array();
$snort_sh_text3 = array();
$snort_sh_text4 = array();
@@ -1236,29 +1039,7 @@ function create_snort_sh()
$snortbarnyardlog_mysql_info_chk = $value['barnyard_mysql'];
if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '')
- $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q";
-
- /* Get all interface startup commands ready */
- $snort_sh_text2[] = <<<EOD
-###### For Each Iface
-
-# If Snort proc is NOT running
-if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" = "" ]; then
-
- /bin/echo "snort.sh run" > /tmp/snort.sh.pid
-
- # Start snort and barnyard2
- /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid
- /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck
-
- /usr/local/bin/snort -u snort -g snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
- $start_barnyard2
-
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..."
-
-fi
-
-EOD;
+ $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q";
$snort_sh_text3[] = <<<EOE
@@ -1266,25 +1047,31 @@ EOD;
#### Fake start only used on bootup and Pfsense IP changes
#### Only try to restart if snort is running on Iface
-if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then
-
- snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`"
+if [ "`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`" != "" ]; then
+ snort_pid=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"
#### Restart Iface
/bin/kill -HUP \${snort_pid}
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..."
+else
+ # Start snort and barnyard2
+ /bin/echo "snort.sh run" > /tmp/snort.sh.pid
+ /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid
+
+ /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
+ $start_barnyard2
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD START For {$snort_uuid}_{$if_real}..."
fi
EOE;
$snort_sh_text4[] = <<<EOF
-pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print \$2;}'`
+pid_s=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'`
sleep 3
-pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/awk '{print \$2;}'`
-
+pid_b=`/bin/ps -ax | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'`
if [ \${pid_s} ] ; then
/bin/echo "snort.sh run" > /tmp/snort.sh.pid
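Review bot: The `else` branch added to the `EOE` heredoc removes `/var/run/snort_{$snort_uuid}_{$if_real}.pid` before starting snort, but the start line on the same branch passes `--pid-path /var/log/snort/run`, and Running_Stop in this commit cleans `/var/log/snort/run/snort_{$if_real}{$snort_uuid}*`; at least one of these paths is presumably wrong, so please confirm where snort 2.9.1 writes its pid file when started with `-G {$snort_uuid}` and use that one path everywhere. That `/bin/rm` (and the one in the `EOF` stop block) prints an error on every clean boot when the file is absent; use `/bin/rm -f`. The `snort_pid` assignment and the new `pid_s` / `pid_b` lines can yield several whitespace-separated pids when more than one process matches; `kill -HUP ${snort_pid}` copes, but the pre-existing `if [ \${pid_s} ]` test in the stop block will fail with a syntax error in that case and should become `if [ -n "\${pid_s}" ]`. The heredocs belong to create_snort_sh, which starts before this hunk.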
@@ -1294,9 +1081,7 @@ if [ \${pid_s} ] ; then
sleep 3
/bin/kill \${pid_b}
- /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck
/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid
-
fi
EOF;
@@ -1304,8 +1089,7 @@ EOF;
}
- $start_snort_iface_start = implode("\n\n", $snort_sh_text2);
- $start_snort_iface_restart = implode("\n\n", $snort_sh_text3);
+ $start_snort_iface_start = implode("\n\n", $snort_sh_text3);
$start_snort_iface_stop = implode("\n\n", $snort_sh_text4);
$snort_sh_text = <<<EOD
@@ -1318,56 +1102,14 @@ EOF;
rc_start() {
- #### Check for double starts, Pfsense has problems with that
- if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
-
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
- exit 0
-
- fi
-
/bin/echo "snort.sh run" > /tmp/snort.sh.pid
-
- #### Remake the configs on boot Important!
- /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php &
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..."
-
- $start_snort_iface_restart
-
- /bin/rm /tmp/snort.sh.pid
-
- #### If on Fake start snort is NOT running DO a real start.
- if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then
-
- rc_start_real
-
- fi
-}
-
-rc_start_real() {
-
- #### Check for double starts, Pfsense has problems with that
- if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
- exit 0
- fi
-
$start_snort_iface_start
-
/bin/rm /tmp/snort.sh.pid
-
}
rc_stop() {
- #### Check for double starts, Pfsense has problems with that
- if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
- exit 0
- fi
-
$start_snort_iface_stop
-
/bin/rm /tmp/snort.sh.pid
/bin/rm /var/run/snort*
@@ -1377,15 +1119,11 @@ case $1 in
start)
rc_start
;;
- start_real)
- rc_start_real
- ;;
stop)
rc_stop
;;
restart)
- rc_stop
- rc_start_real
+ rc_start
;;
esac
@@ -1402,9 +1140,6 @@ EOD;
@chmod("/usr/local/etc/rc.d/snort.sh", 0755);
}
-
-///////////////////////// >>>>>>>>>>>>
-
/* if rules exist copy to new interfaces */
function create_rules_iface($id, $if_real, $snort_uuid)
{
@@ -1414,7 +1149,9 @@ function create_rules_iface($id, $if_real, $snort_uuid)
$folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 'empty' : 'full';
if ($folder_chk == "empty") {
- exec("/bin/cp -R /usr/local/etc/snort/rules {$if_rule_dir}/rules");
+ if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"))
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules");
+ exec("/bin/cp /usr/local/etc/snort/rules/* {$if_rule_dir}/rules");
if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules"))
exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules");
}
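Review bot: The new `mkdir -p` lines hard-code `/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules` while the surrounding code addresses the same tree through `$if_rule_dir` (defined before this hunk); if the two ever differ the directory is created in one place and the copy goes to another. Use `if (!is_dir("{$if_rule_dir}/rules")) mkdir("{$if_rule_dir}/rules", 0750, true);` so there is a single source of truth and the failure is reportable. `cp /usr/local/etc/snort/rules/*` produces a shell error and copies nothing when the source directory is empty (the glob does not expand), which is the case an empty-rules install hits first; iterating `glob('/usr/local/etc/snort/rules/*')` with `copy()` in PHP would let you log which file failed. The function continues past this hunk.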
@@ -1422,14 +1159,15 @@ function create_rules_iface($id, $if_real, $snort_uuid)
/* open barnyard2.conf for writing */
function create_barnyard2_conf($id, $if_real, $snort_uuid) {
- global $bconfig, $g;
+ global $config, $g;
if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"))
exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");
if (!file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo")) {
mwexec("/usr/bin/touch /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true);
- mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true);
+ /* XXX: This is needed if snort is run as snort user */
+ //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true);
mwexec("/bin/chmod 770 /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true);
}
@@ -1439,7 +1177,7 @@ function create_barnyard2_conf($id, $if_real, $snort_uuid) {
$bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");
if(!$bconf) {
log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing.");
- exit;
+ return;
}
fwrite($bconf, $barnyard2_conf_text);
fclose($bconf);
@@ -1462,29 +1200,6 @@ function generate_barnyard2_conf($id, $if_real, $snort_uuid) {
# barnyard2.conf
# barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php
#
-# Copyright (C) 2006 Robert Zelaya
-# part of pfSense
-# All rights reserved.
-#
-# 1. Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
-#
-
# set the appropriate paths to the file(s) your Snort process is using
config reference_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config
@@ -1929,8 +1644,8 @@ function generate_snort_conf($id, $if_real, $snort_uuid)
/* generate rule sections to load */
$enabled_rulesets = $snortcfg['rulesets'];
+ $selected_rules_sections = "";
if (!empty($enabled_rulesets)) {
- $selected_rules_sections = "";
$enabled_rulesets_array = split("\|\|", $enabled_rulesets);
foreach($enabled_rulesets_array as $enabled_item)
$selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
@@ -1973,7 +1688,7 @@ EOD;
#
#################
-preprocessor http_inspect: global iis_unicode_map unicode.map 1252
+preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
ports { 80 8080 } \
@@ -1984,6 +1699,10 @@ preprocessor http_inspect_server: server default \
directory no \
iis_backslash no \
u_encode yes \
+ extended_response_inspection \
+ inspect_gzip \
+ normalize_utf \
+ unlimited_decompress \
ascii no \
chunk_length 500000 \
bare_byte yes \
@@ -2200,9 +1919,13 @@ EOD;
else
$def_max_queued_segs_type = ' max_queued_segs ' . $snortcfg['max_queued_segs'] . ',';
+ $snort_preprocessor_decoder_rules = "";
+ if (file_exists("/usr/local/etc/snort/preproc_rules/preprocessor.rules"))
+ $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ if (file_exists("/usr/local/etc/snort/preproc_rules/decoder.rules"))
+ $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
/* build snort configuration file */
- /* TODO; feed back from pfsense users to reduce false positives */
$snort_conf_text = <<<EOD
# snort configuration file
@@ -2212,31 +1935,6 @@ EOD;
# for more information
# snort.conf
# Snort can be found at http://www.snort.org/
-#
-# Copyright (C) 2009-2010 Robert Zelaya
-# part of pfSense
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
#########################
#
@@ -2316,7 +2014,7 @@ portvar DCERPC_BRIGHTSTORE [6503,6504]
#####################
var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules
-# var PREPROC_RULE_PATH ./preproc_rules
+var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
################################
#
@@ -2357,9 +2055,9 @@ dynamicdetection directory /usr/local/lib/snort/dynamicrules
preprocessor frag3_global: max_frags 8192
preprocessor frag3_engine: policy bsd detect_anomalies
-preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
-track_udp yes, track_icmp yes
-preprocessor stream5_tcp: policy BSD, ports both all,{$def_max_queued_bytes_type}{$def_max_queued_segs_type} use_static_footprint_sizes
+preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes
+
+preprocessor stream5_tcp: policy BSD, ports both all, {$def_max_queued_bytes_type}{$def_max_queued_segs_type}
preprocessor stream5_udp:
preprocessor stream5_icmp:
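Review bot: The new `stream5_tcp` line now ends with `{$def_max_queued_segs_type}`, which on line 2200/1919 of the earlier hunk is built as `' max_queued_segs ' . $snortcfg['max_queued_segs'] . ','`, so the generated line can end in a trailing comma where ` use_static_footprint_sizes` used to follow it; whether Snort's stream5 parser tolerates an empty trailing option should be confirmed, or the trailing comma dropped from the two builder expressions. Removing `max_tcp 8192` from `stream5_global` falls back to Snort's built-in session limit, which in 2.9 is considerably higher (I believe 262144), so the memory ceiling for tracked TCP sessions grows silently on upgrade — worth either keeping an explicit value or stating the change in the description. The heredoc continues outside the hunk.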
@@ -2375,16 +2073,6 @@ preprocessor stream5_icmp:
{$def_sf_portscan_type}
-############################
- #
-# OLD #
-# preprocessor dcerpc: \ #
-# autodetect \ #
-# max_frag_size 3000 \ #
-# memcap 100000 #
- #
-############################
-
{$def_dce_rpc_2_type}
{$def_dns_preprocessor_type}
@@ -2420,10 +2108,12 @@ preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspec
include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config
include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config
- $threshold_file_name
+{$snort_preprocessor_decoder_rules}
+
+$threshold_file_name
# Snort user pass through configuration
- {$snort_config_pass_thru}
+{$snort_config_pass_thru}
###################
#
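Review bot: `$threshold_file_name` is interpolated without braces while the neighbouring `{$snort_preprocessor_decoder_rules}` and `{$snort_config_pass_thru}` use the braced form; `{$threshold_file_name}` keeps the heredoc consistent and avoids a surprise if a suffix is ever appended to the name. Dropping the leading whitespace before the interpolated lines is a sensible cleanup, since each interpolated value is itself a complete line of snort.conf. The heredoc starts and ends outside this hunk.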
@@ -2438,125 +2128,6 @@ EOD;
return $snort_conf_text;
}
-/* check downloaded text from snort.org to make sure that an error did not occur
- * for example, if you are not a premium subscriber you can only download rules
- * so often, etc. TO BE: Removed unneeded.
- */
-function check_for_common_errors($filename) {
- global $snort_filename, $snort_filename_md5, $console_mode;
-
- // ob_flush();
- $contents = file_get_contents($filename);
- if (!$contents) {
- if(!$console_mode) {
- update_all_status("An error occured while downloading {$filename}.");
- hide_progress_bar_status();
- } else
- log_error("An error occured. Scroll down to inspect it's contents.");
-
- if (!$console_mode)
- update_output_window(strip_tags("$contents"));
- else {
- $contents = strip_tags($contents);
- log_error("Error downloading snort rules: {$contents}");
- echo "Error downloading snort rules: {$contents}";
- }
-
- scroll_down_to_bottom_of_page();
-
- return;
- }
-}
-
-/* force browser to scroll all the way down */
-function scroll_down_to_bottom_of_page() {
- global $snort_filename, $console_mode;
-
- ob_flush();
- if(!$console_mode)
- echo "\n<script type=\"text/javascript\">parent.scrollTo(0,1500);\n</script>";
-}
-
-/* ensure downloaded file looks sane */
-function verify_downloaded_file($filename) {
- global $snort_filename, $snort_filename_md5, $console_mode;
-
- ob_flush();
- if (filesize($filename) < 9500) {
- if(!$console_mode) {
- update_all_status("Checking {$filename}...");
- check_for_common_errors($filename);
- }
- }
- update_all_status("Verifying {$filename}...");
- if(!file_exists($filename)) {
- if(!$console_mode) {
- update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again.");
- hide_progress_bar_status();
- } else {
- log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again.");
- echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again.";
- }
- return;
- }
- update_all_status("Verified {$filename}.");
-}
-
-/* extract rules */
-function extract_snort_rules_md5($tmpfname) {
- global $snort_filename, $snort_filename_md5, $console_mode;
-
- ob_flush();
- if(!$console_mode) {
- $static_output = gettext("Extracting snort rules...");
- update_all_status($static_output);
- }
- if(!is_dir("/usr/local/etc/snort/rules/"))
- @mkdir("/usr/local/etc/snort/rules/");
-
- $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/";
- $handle = popen("{$cmd} 2>&1", 'r');
- while(!feof($handle)) {
- $buffer = fgets($handle);
- update_output_window($buffer);
- }
- pclose($handle);
-
- if(!$console_mode) {
- $static_output = gettext("Snort rules extracted.");
- update_all_status($static_output);
- } else {
- log_error("Snort rules extracted.");
- echo "Snort rules extracted.";
- }
-}
-
-/* verify MD5 against downloaded item */
-function verify_snort_rules_md5($tmpfname) {
- global $snort_filename, $snort_filename_md5, $console_mode;
-
- ob_flush();
- if(!$console_mode) {
- $static_output = gettext("Verifying md5 signature...");
- update_all_status($static_output);
- }
-
- $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
- $md5 = `echo "{$md555}" | /usr/bin/awk '{ print $4 }'`;
- $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`;
- if($md5 == $file_md5_ondisk) {
- if(!$console_mode) {
- $static_output = gettext("snort rules: md5 signature of rules mismatch.");
- update_all_status($static_output);
- hide_progress_bar_status();
- } else {
- log_error("snort rules: md5 signature of rules mismatch.");
- echo "snort rules: md5 signature of rules mismatch.";
- }
- return;
- }
-}
-
/* hide progress bar */
function hide_progress_bar_status() {
global $snort_filename, $snort_filename_md5, $console_mode;
@@ -2586,87 +2157,4 @@ function update_all_status($status) {
}
}
-/* obtain alert description for an ip address */
-function get_snort_alert($ip) {
- global $snort_alert_file_split, $snort_config;
-
- if(!file_exists("/var/log/snort/alert"))
- return;
- if(!$snort_config)
- $snort_config = read_snort_config_cache();
- if($snort_config[$ip])
- return $snort_config[$ip];
- if(!$snort_alert_file_split)
- $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert"));
-
- foreach($snort_alert_file_split as $fileline) {
- if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
- $alert_title = $matches[2];
- if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches))
- $alert_ip = $matches[$id];
- if($alert_ip == $ip) {
- if(!$snort_config[$ip])
- $snort_config[$ip] = $alert_title;
-
- return $alert_title;
- }
- }
- return "n/a";
-}
-
-function make_clickable($buffer) {
- global $config, $g;
-
- /* if clickable urls is disabled, simply return buffer back to caller */
- $clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode'];
- if(!$clickablalerteurls)
- return $buffer;
-
- $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer);
- $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer);
- $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","<a href=\"mailto:\\1\">\\1</a>", $buffer);
- $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $buffer);
- $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"ftp://\\2\" target=\"_blank\">\\2</a>", $buffer);
-
- return $buffer;
-}
-
-function read_snort_config_cache() {
- global $g, $config, $snort_config;
-
- if($snort_config)
- return $snort_config;
-
- if(file_exists($g['tmp_path'] . '/snort_config.cache'))
- $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache'));
-
- return $snort_config;
-}
-
-function write_snort_config_cache($snort_config) {
- global $g, $config;
-
- $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w");
- if(!$configcache) {
- log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing.");
- return false;
- }
- fwrite($configcache, serialize($snort_config));
- fclose($configcache);
-
- return true;
-}
-
-function snort_advanced() {
- global $g, $config;
-
- sync_package_snort();
-}
-
-function snort_define_servers() {
- global $g, $config;
-
- sync_package_snort();
-}
-
?>