aboutsummaryrefslogtreecommitdiffstats
path: root/config/snort/snort_post_install.php
diff options
context:
space:
mode:
Diffstat (limited to 'config/snort/snort_post_install.php')
-rw-r--r--config/snort/snort_post_install.php164
1 files changed, 103 insertions, 61 deletions
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index 003628be..dbac41ef 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -96,13 +96,15 @@ function snort_build_new_conf($snortcfg) {
if (!is_array($config['installedpackages']['snortglobal']['rule']))
return;
+ conf_mount_rw();
+
/* See if we should protect and not modify the preprocessor rules files */
if (!empty($snortcfg['protect_preproc_rules']))
$protect_preproc_rules = $snortcfg['protect_preproc_rules'];
else
$protect_preproc_rules = "off";
- $if_real = snort_get_real_interface($snortcfg['interface']);
+ $if_real = get_real_interface($snortcfg['interface']);
$snort_uuid = $snortcfg['uuid'];
$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
@@ -162,8 +164,18 @@ function snort_build_new_conf($snortcfg) {
/* define snortunifiedlog */
$snortunifiedlog_type = "";
- if ($snortcfg['snortunifiedlog'] == "on")
- $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128";
+ if ($snortcfg['barnyard_enable'] == "on") {
+ if (isset($snortcfg['unified2_log_limit']))
+ $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}";
+ else
+ $u2_log_limit = "limit 128";
+
+ $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}";
+ if ($snortcfg['barnyard_log_vlan_events'] == 'on')
+ $snortunifiedlog_type .= ", vlan_event_types";
+ if ($snortcfg['barnyard_log_mpls_events'] == 'on')
+ $snortunifiedlog_type .= ", mpls_event_types";
+ }
/* define spoink */
$spoink_type = "";
@@ -721,6 +733,49 @@ preprocessor sensitive_data: \
EOD;
+ /* define IP Reputation preprocessor */
+ if (is_array($snortcfg['blist_files']['item'])) {
+ $blist_files = "";
+ $bIsFirst = TRUE;
+ foreach ($snortcfg['blist_files']['item'] as $blist) {
+ if ($bIsFirst) {
+ $blist_files .= "blacklist " . IPREP_PATH . $blist;
+ $bIsFirst = FALSE;
+ }
+ else
+ $blist_files .= ", \\ \n\tblacklist " . IPREP_PATH . $blist;
+ }
+ }
+ if (is_array($snortcfg['wlist_files']['item'])) {
+ $wlist_files = "";
+ $bIsFirst = TRUE;
+ foreach ($snortcfg['wlist_files']['item'] as $wlist) {
+ if ($bIsFirst) {
+ $wlist_files .= "whitelist " . IPREP_PATH . $wlist;
+ $bIsFirst = FALSE;
+ }
+ else
+ $wlist_files .= ", \\ \n\twhitelist " . IPREP_PATH . $wlist;
+ }
+ }
+ if (!empty($blist_files))
+ $ip_lists = $blist_files;
+ if (!empty($wlist_files))
+ $ip_lists .= ", \\ \n" . $wlist_files;
+ if ($snortcfg['iprep_scan_local'] == 'on')
+ $ip_lists .= ", \\ \n\tscan_local";
+
+ $reputation_preproc = <<<EOD
+# IP Reputation preprocessor #
+preprocessor reputation: \
+ memcap {$snortcfg['iprep_memcap']}, \
+ priority {$snortcfg['iprep_priority']}, \
+ nested_ip {$snortcfg['iprep_nested_ip']}, \
+ white {$snortcfg['iprep_white']}, \
+ {$ip_lists}
+
+EOD;
+
/* define servers as IP variables */
$snort_servers = array (
"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
@@ -751,11 +806,11 @@ EOD;
"ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
);
$snort_preproc = array (
- "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc",
- "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc"
+ "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan",
+ "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc"
);
$default_disabled_preprocs = array(
- "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc"
+ "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat"
);
$snort_preprocessors = "";
foreach ($snort_preproc as $preproc) {
@@ -793,43 +848,9 @@ EOD;
$snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n";
if (file_exists("{$snortcfgdir}/classification.config"))
$snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
- if (is_dir("{$snortcfgdir}/preproc_rules")) {
- if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
- $sedcmd = '/^#alert.*classtype:sdf/s/^#//';
- if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
- #enable only selected sensitive data
- if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){
- $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")";
- $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules");
- $sd_tmp_new_file="";
- foreach ($sd_tmp_file as $sd_tmp_line)
- $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : "";
- file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX);
- }
- }
- } else
- $sedcmd = '/^alert.*classtype:sdf/s/^/#/';
- if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
- file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") {
- @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
- mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
- mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
- @unlink("{$g['tmp_path']}/sedcmd");
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
- file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") {
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- }
- else {
- $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
- log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
- }
- } else {
+ if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) {
$snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
- log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
+ log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.");
}
/* generate rule sections to load */
@@ -1247,9 +1268,8 @@ EOD;
ipvar HOME_NET [{$home_net}]
ipvar EXTERNAL_NET [{$external_net}]
-# Define Rule Paths #
+# Define Rule Path #
var RULE_PATH {$snortcfgdir}/rules
-var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules
# Define Servers #
{$ipvardef}
@@ -1340,13 +1360,8 @@ output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,src
EOD;
// Write out snort.conf file
- $conf = fopen("{$snortcfgdir}/snort.conf", "w");
- if(!$conf) {
- log_error("Could not open {$snortcfgdir}/snort.conf for writing.");
- return -1;
- }
- fwrite($conf, $snort_conf_text);
- fclose($conf);
+ file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text);
+ conf_mount_ro();
unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type);
unset($home_net, $external_net, $ipvardef, $portvardef);
}
@@ -1361,14 +1376,14 @@ if(is_process_running("snort")) {
exec("/usr/bin/killall -z snort");
sleep(2);
// Delete any leftover snort PID files in /var/run
- array_map('@unlink', glob("/var/run/snort_*.pid"));
+ unlink_if_exists("/var/run/snort_*.pid");
}
// Hard kill any running Barnyard2 processes
if(is_process_running("barnyard")) {
exec("/usr/bin/killall -z barnyard2");
sleep(2);
// Delete any leftover barnyard2 PID files in /var/run
- array_map('@unlink', glob("/var/run/barnyard2_*.pid"));
+ unlink_if_exists("/var/run/barnyard2_*.pid");
}
/* Set flag for post-install in progress */
@@ -1397,46 +1412,68 @@ foreach ($preproc_rules as $file) {
@unlink("{$rcdir}/snort.sh");
@unlink("{$rcdir}/barnyard2");
+/* Create required log and db directories in /var */
+safe_mkdir(SNORTLOGDIR);
+safe_mkdir(IPREP_PATH);
+
+/* If installed, absorb the Snort Dashboard Widget into this package */
+/* by removing it as a separately installed package. */
+$pkgid = get_pkg_id("Dashboard Widget: Snort");
+if ($pkgid >= 0) {
+ log_error(gettext("[Snort] Removing legacy 'Dashboard Widget: Snort' package because the widget is now part of the Snort package."));
+ unset($config['installedpackages']['package'][$pkgid]);
+ unlink_if_exists("/usr/local/pkg/widget-snort.xml");
+ write_config("Snort pkg: removed legacy Snort Dashboard Widget.");
+}
+
+/* Define a default Dashboard Widget Container for Snort */
+$snort_widget_container = "snort_alerts-container:col2:close";
+
/* remake saved settings */
if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings..."));
update_status(gettext("Saved settings detected..."));
/* Do one-time settings migration for new multi-engine configurations */
- update_output_window(gettext("Please wait... migrating settings to new multi-engine configuration..."));
- include "/usr/local/pkg/snort/snort_migrate_config.php";
+ update_output_window(gettext("Please wait... migrating settings to new configuration..."));
+ include('/usr/local/www/snort/snort_migrate_config.php');
update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
log_error(gettext("[Snort] Downloading and updating configured rule types..."));
update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
if ($pkg_interface <> "console")
$snort_gui_include = true;
- include "/usr/local/pkg/snort/snort_check_for_rule_updates.php";
+ include('/usr/local/www/snort/snort_check_for_rule_updates.php');
update_status(gettext("Generating snort.conf configuration file from saved settings..."));
$rebuild_rules = true;
/* Create the snort.conf files for each enabled interface */
$snortconf = $config['installedpackages']['snortglobal']['rule'];
foreach ($snortconf as $value) {
- $if_real = snort_get_real_interface($value['interface']);
+ $if_real = get_real_interface($value['interface']);
/* create a snort.conf file for interface */
snort_build_new_conf($value);
/* create barnyard2.conf file for interface */
if ($value['barnyard_enable'] == 'on')
- snort_create_barnyard2_conf($value, $if_real);
+ snort_generate_barnyard2_conf($value, $if_real);
}
/* create snort bootup file snort.sh */
snort_create_rc();
/* Set Log Limit, Block Hosts Time and Rules Update Time */
- snort_snortloglimit_install_cron($config['installedpackages']['snortglobal']['snortloglimit'] == 'on' ? true : false);
+ snort_snortloglimit_install_cron(true);
snort_rm_blocked_install_cron($config['installedpackages']['snortglobal']['rm_blocked'] != "never_b" ? true : false);
snort_rules_up_install_cron($config['installedpackages']['snortglobal']['autorulesupdate7'] != "never_up" ? true : false);
/* Add the recurring jobs created above to crontab */
configure_cron();
+ /* Restore the last Snort Dashboard Widget setting if none is set */
+ if (!empty($config['installedpackages']['snortglobal']['dashboard_widget']) &&
+ stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE)
+ $config['widgets']['sequence'] .= "," . $config['installedpackages']['snortglobal']['dashboard_widget'];
+
$rebuild_rules = false;
update_output_window(gettext("Finished rebuilding Snort configuration files..."));
log_error(gettext("[Snort] Finished rebuilding installation from saved settings..."));
@@ -1451,9 +1488,14 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
}
}
+/* If an existing Snort Dashboard Widget container is not found, */
+/* then insert our default Widget Dashboard container. */
+if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE)
+ $config['widgets']['sequence'] .= ",{$snort_widget_container}";
+
/* Update Snort package version in configuration */
-$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.2";
-write_config();
+$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.7";
+write_config("Snort pkg: post-install configuration saved.");
/* Done with post-install, so clear flag */
unset($g['snort_postinstall']);