path: root/config/snort/snort_migrate_config.php
Diffstat (limited to 'config/snort/snort_migrate_config.php')
-rw-r--r--config/snort/snort_migrate_config.php298
1 files changed, 298 insertions, 0 deletions
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
new file mode 100644
index 00000000..35dd3847
--- /dev/null
+++ b/config/snort/snort_migrate_config.php
@@ -0,0 +1,298 @@
+<?php
+/*
+ * snort_migrate_config.inc
+ *
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009-2010 Robert Zelaya
+ * Copyright (C) 2011-2012 Ermal Luci
+ * part of pfSense
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("config.inc");
+require_once("functions.inc");
+
+/****************************************************************************/
+/* The code in this module is called once during the post-install process */
+/* via an "include" line. It is used to perform a one-time migration of */
+/* Snort preprocessor configuration parameters into the new format used */
+/* by the multi-engine config feature. Configuration parameters for the */
+/* multiple configuration engines of some preprocessors are stored as */
+/* array values within the "config.xml" file in the [snortglobals] section. */
+/****************************************************************************/
+
+global $config;
+
+if (!is_array($config['installedpackages']['snortglobal']))
+ $config['installedpackages']['snortglobal'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+
+// Just exit if this is a clean install with no saved settings
+if (empty($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+$rule = &$config['installedpackages']['snortglobal']['rule'];
+
+/****************************************************************************/
+/* Loop through all the <rule> elements in the Snort configuration and */
+/* migrate the relevant preprocessor parameters to the new format. */
+/****************************************************************************/
+
+$updated_cfg = false;
+log_error("[Snort] Checking configuration settings version...");
+
+// Check the configuration version to see if XMLRPC Sync should
+// auto-disabled as part of the upgrade due to config format changes.
+if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) &&
+ ($config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'auto' ||
+ $config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'manual')) {
+ $config['installedpackages']['snortsync']['config']['varsynconchanges'] = "disabled";
+ log_error("[Snort] Turning off Snort Sync on this host due to configuration format changes in this update. Upgrade all Snort Sync targets to this same Snort package version before re-enabling Snort Sync.");
+ $updated_cfg = true;
+}
+
+foreach ($rule as &$r) {
+ // Initialize arrays for supported preprocessors if necessary
+ if (!is_array($r['frag3_engine']['item']))
+ $r['frag3_engine']['item'] = array();
+ if (!is_array($r['stream5_tcp_engine']['item']))
+ $r['stream5_tcp_engine']['item'] = array();
+ if (!is_array($r['http_inspect_engine']['item']))
+ $r['http_inspect_engine']['item'] = array();
+ if (!is_array($r['ftp_client_engine']['item']))
+ $r['ftp_client_engine']['item'] = array();
+ if (!is_array($r['ftp_server_engine']['item']))
+ $r['ftp_server_engine']['item'] = array();
+
+ $pconfig = array();
+ $pconfig = $r;
+
+ // Create a default "frag3_engine" if none are configured
+ if (empty($pconfig['frag3_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating Frag3 Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+
+ // Ensure sensible default values exist for global Frag3 parameters
+ if (empty($pconfig['frag3_max_frags']))
+ $pconfig['frag3_max_frags'] = '8192';
+ if (empty($pconfig['frag3_memcap']))
+ $pconfig['frag3_memcap'] = '4194304';
+ if (empty($pconfig['frag3_detection']))
+ $pconfig['frag3_detection'] = 'on';
+
+ // Put any old values in new default engine and remove old value
+ if (isset($pconfig['frag3_policy']))
+ $default['policy'] = $pconfig['frag3_policy'];
+ unset($pconfig['frag3_policy']);
+ if (isset($pconfig['frag3_timeout']) && is_numeric($pconfig['frag3_timeout']))
+ $default['timeout'] = $pconfig['frag3_timeout'];
+ unset($pconfig['frag3_timeout']);
+ if (isset($pconfig['frag3_overlap_limit']) && is_numeric($pconfig['frag3_overlap_limit']))
+ $default['overlap_limit'] = $pconfig['frag3_overlap_limit'];
+ unset($pconfig['frag3_overlap_limit']);
+ if (isset($pconfig['frag3_min_frag_len']) && is_numeric($pconfig['frag3_min_frag_len']))
+ $default['min_frag_len'] = $pconfig['frag3_min_frag_len'];
+ unset($pconfig['frag3_min_frag_len']);
+
+ $pconfig['frag3_engine']['item'] = array();
+ $pconfig['frag3_engine']['item'][] = $default;
+ }
+
+ // Create a default Stream5 engine array if none are configured
+ if (empty($pconfig['stream5_tcp_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating Stream5 Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off",
+ "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+
+ // Ensure sensible defaults exist for Stream5 global parameters
+ if (empty($pconfig['stream5_reassembly']))
+ $pconfig['stream5_reassembly'] = 'on';
+ if (empty($pconfig['stream5_flush_on_alert']))
+ $pconfig['stream5_flush_on_alert'] = 'off';
+ if (empty($pconfig['stream5_prune_log_max']))
+ $pconfig['stream5_prune_log_max'] = '1048576';
+ if (empty($pconfig['stream5_track_tcp']))
+ $pconfig['stream5_track_tcp'] = 'on';
+ if (empty($pconfig['stream5_max_tcp']))
+ $pconfig['stream5_max_tcp'] = '262144';
+ if (empty($pconfig['stream5_track_udp']))
+ $pconfig['stream5_track_udp'] = 'on';
+ if (empty($pconfig['stream5_max_udp']))
+ $pconfig['stream5_max_udp'] = '131072';
+ if (empty($pconfig['stream5_udp_timeout']))
+ $pconfig['stream5_udp_timeout'] = '30';
+ if (empty($pconfig['stream5_track_icmp']))
+ $pconfig['stream5_track_icmp'] = 'off';
+ if (empty($pconfig['stream5_max_icmp']))
+ $pconfig['stream5_max_icmp'] = '65536';
+ if (empty($pconfig['stream5_icmp_timeout']))
+ $pconfig['stream5_icmp_timeout'] = '30';
+ if (empty($pconfig['stream5_mem_cap']))
+ $pconfig['stream5_mem_cap']= '8388608';
+
+ // Put any old values in new default engine and remove old value
+ if (isset($pconfig['stream5_policy']))
+ $default['policy'] = $pconfig['stream5_policy'];
+ unset($pconfig['stream5_policy']);
+ if (isset($pconfig['stream5_tcp_timeout']) && is_numeric($pconfig['stream5_tcp_timeout']))
+ $default['timeout'] = $pconfig['stream5_tcp_timeout'];
+ unset($pconfig['stream5_tcp_timeout']);
+ if (isset($pconfig['stream5_overlap_limit']) && is_numeric($pconfig['stream5_overlap_limit']))
+ $default['overlap_limit'] = $pconfig['stream5_overlap_limit'];
+ unset($pconfig['stream5_overlap_limit']);
+ if (isset($pconfig['stream5_require_3whs']))
+ $default['require_3whs'] = $pconfig['stream5_require_3whs'];
+ unset($pconfig['stream5_require_3whs']);
+ if (isset($pconfig['stream5_no_reassemble_async']))
+ $default['no_reassemble_async'] = $pconfig['stream5_no_reassemble_async'];
+ unset($pconfig['stream5_no_reassemble_async']);
+ if (isset($pconfig['stream5_dont_store_lg_pkts']))
+ $default['dont_store_lg_pkts'] = $pconfig['stream5_dont_store_lg_pkts'];
+ unset($pconfig['stream5_dont_store_lg_pkts']);
+ if (isset($pconfig['max_queued_bytes']) && is_numeric($pconfig['max_queued_bytes']))
+ $default['max_queued_bytes'] = $pconfig['max_queued_bytes'];
+ unset($pconfig['max_queued_bytes']);
+ if (isset($pconfig['max_queued_segs']) && is_numeric($pconfig['max_queued_segs']))
+ $default['max_queued_segs'] = $pconfig['max_queued_segs'];
+ unset($pconfig['max_queued_segs']);
+
+ $pconfig['stream5_tcp_engine']['item'] = array();
+ $pconfig['stream5_tcp_engine']['item'][] = $default;
+ }
+
+ // Create a default HTTP_INSPECT engine if none are configured
+ if (empty($pconfig['http_inspect_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating HTTP_Inspect Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
+ "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
+ "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+
+ // Ensure sensible default values exist for global HTTP_INSPECT parameters
+ if (empty($pconfig['http_inspect']))
+ $pconfig['http_inspect'] = "on";
+ if (empty($pconfig['http_inspect_proxy_alert']))
+ $pconfig['http_inspect_proxy_alert'] = "off";
+ if (empty($pconfig['http_inspect_memcap']))
+ $pconfig['http_inspect_memcap'] = "150994944";
+ if (empty($pconfig['http_inspect_max_gzip_mem']))
+ $pconfig['http_inspect_max_gzip_mem'] = "838860";
+
+ // Put any old values in new default engine and remove old value
+ if (isset($pconfig['server_flow_depth']) && is_numeric($pconfig['server_flow_depth']))
+ $default['server_flow_depth'] = $pconfig['server_flow_depth'];
+ unset($pconfig['server_flow_depth']);
+ if (isset($pconfig['client_flow_depth']) & is_numeric($pconfig['client_flow_depth']))
+ $default['client_flow_depth'] = $pconfig['client_flow_depth'];
+ unset($pconfig['client_flow_depth']);
+ if (isset($pconfig['http_server_profile']))
+ $default['server_profile'] = $pconfig['http_server_profile'];
+ unset($pconfig['http_server_profile']);
+ if (isset($pconfig['http_inspect_enable_xff']))
+ $default['enable_xff'] = $pconfig['http_inspect_enable_xff'];
+ unset($pconfig['http_inspect_enable_xff']);
+ if (isset($pconfig['http_inspect_log_uri']))
+ $default['log_uri'] = $pconfig['http_inspect_log_uri'];
+ unset($pconfig['http_inspect_log_uri']);
+ if (isset($pconfig['http_inspect_log_hostname']))
+ $default['log_hostname'] = $pconfig['http_inspect_log_hostname'];
+ unset($pconfig['http_inspect_log_hostname']);
+ if (isset($pconfig['noalert_http_inspect']))
+ $default['no_alerts'] = $pconfig['noalert_http_inspect'];
+ unset($pconfig['noalert_http_inspect']);
+
+ $pconfig['http_inspect_engine']['item'] = array();
+ $pconfig['http_inspect_engine']['item'][] = $default;
+ }
+
+ // Create a default FTP_CLIENT engine if none are configured
+ if (empty($pconfig['ftp_client_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating FTP Client Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ // Set defaults for new FTP_Telnet preprocessor configurable parameters
+ if (empty($pconfig['ftp_telnet_inspection_type']))
+ $pconfig['ftp_telnet_inspection_type'] = 'stateful';
+ if (empty($pconfig['ftp_telnet_alert_encrypted']))
+ $pconfig['ftp_telnet_alert_encrypted'] = 'off';
+ if (empty($pconfig['ftp_telnet_check_encrypted']))
+ $pconfig['ftp_telnet_check_encrypted'] = 'on';
+ if (empty($pconfig['ftp_telnet_normalize']))
+ $pconfig['ftp_telnet_normalize'] = 'on';
+ if (empty($pconfig['ftp_telnet_detect_anomalies']))
+ $pconfig['ftp_telnet_detect_anomalies'] = 'on';
+ if (empty($pconfig['ftp_telnet_ayt_attack_threshold']))
+ $pconfig['ftp_telnet_ayt_attack_threshold'] = '20';
+
+ // Add new FTP_Telnet Client default engine
+ $pconfig['ftp_client_engine']['item'] = array();
+ $pconfig['ftp_client_engine']['item'][] = $default;
+ }
+
+ // Create a default FTP_SERVER engine if none are configured
+ if (empty($pconfig['ftp_server_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating FTP Server Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ // Add new FTP_Telnet Server default engine
+ $pconfig['ftp_server_engine']['item'] = array();
+ $pconfig['ftp_server_engine']['item'][] = $default;
+ }
+
+ // Save the new configuration data into the $config array pointer
+ $r = $pconfig;
+}
+// Release reference to final array element
+unset($r);
+
+// Write out the new configuration to disk if we changed anything
+if ($updated_cfg) {
+ $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.0";
+ log_error("[Snort] Saving configuration settings in new format...");
+ write_config();
+ log_error("[Snort] Settings successfully migrated to new configuration format...");
+}
+else
+ log_error("[Snort] Configuration version is current...");
+
+?>