Diffstat (limited to 'config/snort')
28 files changed, 566 insertions, 2071 deletions
diff --git a/config/snort/NOTES.txt b/config/snort/NOTES.txt
deleted file mode 100644
index e566d292..00000000
--- a/config/snort/NOTES.txt
+++ /dev/null
@@ -1,26 +0,0 @@
-
-
-April 27 2010
-Snort-dev 2.8.5.3 pk v. 23 final
-
-TODO:
-
-Auto rule download has to be mirrored to the GUI download code.
-Snort block table should survive reboots. Dont know how Im going to do this.
-Create Upload GUI. Use Pierre POMES code.
-Add log rotation and log dir size display
-Redo code for rule downloads so that changes in snort.org rule gzip file does not break the package.
-Add code suggested by Andrew Thompson.
-
-Long Term Goals:
-
-Use Chroot for snort.
-Isolate functions using classes so we dont have double $vars errors. ! Important
-The whitelist and supress code can be simplified.
-Go through each tab and delete old code.
-Snort Inline needs to be worked on. ! Important
-
-
-Any other Devs that read this.
-Please add your intials and date to any code blocks you add. It helps me keep track.
-
diff --git a/config/snort/bin/7.3.x86/barnyard2 b/config/snort/bin/7.3.x86/barnyard2
Binary files differ
deleted file mode 100644
index df78449d..00000000
--- a/config/snort/bin/7.3.x86/barnyard2
+++ /dev/null
diff --git a/config/snort/bin/8.1x64/barnyard2 b/config/snort/bin/8.1x64/barnyard2
Binary files differ
deleted file mode 100644
index 3416c814..00000000
--- a/config/snort/bin/8.1x64/barnyard2
+++ /dev/null
diff --git a/config/snort/bin/8.1x86/barnyard2 b/config/snort/bin/8.1x86/barnyard2
Binary files differ
deleted file mode 100644
index 07e1069f..00000000
--- a/config/snort/bin/8.1x86/barnyard2
+++ /dev/null
diff --git a/config/snort/bin/barnyard2 b/config/snort/bin/barnyard2
Binary files differ
deleted file mode 100644
index b942e87f..00000000
--- a/config/snort/bin/barnyard2
+++ /dev/null
diff --git a/config/snort/bin/snort2c b/config/snort/bin/snort2c
Binary files differ
deleted file mode 100644
index fdc91ac8..00000000
--- a/config/snort/bin/snort2c
+++ /dev/null
diff --git a/config/snort/pfsense_rules/local.rules b/config/snort/pfsense_rules/local.rules
deleted file mode 100644
index 83a05f1b..00000000
--- a/config/snort/pfsense_rules/local.rules
+++ /dev/null
@@ -1,7 +0,0 @@
-# ----------------
-# LOCAL RULES
-# ----------------
-# This file intentionally does not come with signatures. Put your local
-# additions here. Pfsense first install rule. Rule edit tabe fails with out this file.
-#
-#
\ No newline at end of file
diff --git a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
deleted file mode 100644
index d2e6fa4d..00000000
--- a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5
+++ /dev/null
@@ -1 +0,0 @@
-"e8a95fd5f1b40e878fedeffd585134bb"
\ No newline at end of file
diff --git a/config/snort/pfsense_rules/rules/pfsense-voip.rules b/config/snort/pfsense_rules/rules/pfsense-voip.rules
deleted file mode 100644
index 12f2fdf2..00000000
--- a/config/snort/pfsense_rules/rules/pfsense-voip.rules
+++ /dev/null
@@ -1,10 +0,0 @@
-alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;)
-# Excessive number of SIP 4xx Responses Does not work
-#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;)
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;)
-# Rule for alerting of INVITE flood attack:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;)
-# Rule for alerting of REGISTER flood attack:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;)
-# Threshold rule for unauthorized responses:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;)
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 8e3e5f88..0e624c7f 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -37,7 +37,7 @@ require_once("functions.inc"); require_once("filter.inc"); /* package version */ -$snort_package_version = 'Snort 2.8.6.1 pkg v. 2.0'; +$snort_package_version = 'Snort 2.9.1 pkg v. 2.0'; /* Allow additional execution time 0 = no limit. */ ini_set('max_execution_time', '9999'); @@ -56,10 +56,12 @@ else $snort_pfsense_basever = 'yes'; /* find out what arch where in x86 , x64 */ +global $snort_arch; +$snort_arch = 'x86'; $snort_arch_ck = php_uname("m"); if ($snort_arch_ck == 'i386') $snort_arch = 'x86'; -else if ($snort_arch_ck = "amd64") +else if ($snort_arch_ck == "amd64") $snort_arch = 'x64'; else $snort_arch = "Unknown"; @@ -238,25 +240,10 @@ function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $v function Running_Ck($snort_uuid, $if_real, $id) { global $config; - $snort_up_ck = exec("/bin/ps -U snort | /usr/bin/grep snort | /usr/bin/awk '{print \$1;}'"); - - if(snort_up_ck == '') { - $snort_up = 'no'; - return $snort_up; - } - - if(snort_up_ck != ''){ - - /* use ob_clean to clear output buffer, this code needs to be watched */ - ob_clean(); - $snort_up_prell = exec("/bin/ps -U snort | /usr/bin/grep \"\-R {$snort_uuid}\" | /usr/bin/awk '{print \$1;}'"); - - if ($snort_up_prell != '') { - $snort_uph = 'yes'; - }else{ - $snort_uph = 'no'; - } - } + $snort_uph = 'no'; + $snort_up_prell = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'"); + if ($snort_up_prell != '') + $snort_uph = 'yes'; return $snort_uph; } 
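Review bot: `$snort_uuid` is interpolated unquoted into the shell pipeline of the new `exec()` call in Running_Ck, and the grep pattern `"R {$snort_uuid}"` has lost the `-R` anchor of the old form, so any process whose argument list contains the uuid preceded by an `R` counts as the running snort; in practice only snort's `-R` flag precedes the uuid here, but the value still passes through a shell, so build the pattern with `$pat = escapeshellarg("-R {$snort_uuid}");` and match it with `/usr/bin/grep -e {$pat}` (the `-e` is what lets the leading dash stay in the pattern). `exec()` also returns only the last line of output, so with several matching PIDs the function still reports one; that is harmless for a yes/no check but matters for the kill in Running_Stop. Running_Ck_b and Running_Stop in the following two hunks build the same pipeline and would take the same change.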
@@ -265,24 +252,10 @@ function Running_Ck($snort_uuid, $if_real, $id) { function Running_Ck_b($snort_uuid, $if_real, $id) { global $config; - $snort_up_ck_b = exec("/bin/ps -U snort | /usr/bin/grep barnyard2 | /usr/bin/awk '{print \$1;}'"); - - if($snort_up_ck_b == ''){ - $snort_up_b = 'no'; - return $snort_up_b; - } - - if(snort_up_ck_b != '') { - - ob_clean(); - $snort_up_pre_b = exec("/bin/ps -U snort | grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); - - if ($snort_up_pre_b != '') { - $snort_up_b = 'yes'; - }else{ - $snort_up_b = 'no'; - } - } + $snort_up_b = 'no'; + $snort_up_pre_b = exec("/bin/ps -ax | /usr/bin/grep barnyard2 | /usr/bin/grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'"); + if ($snort_up_pre_b != '') + $snort_up_b = 'yes'; return $snort_up_b; } 
@@ -291,45 +264,27 @@ function Running_Stop($snort_uuid, $if_real, $id) { global $config; /* if snort.sh crashed this will remove the pid */ - exec('/bin/rm /tmp/snort.sh.pid'); - - $start_up_s = exec("/bin/ps -U snort | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'"); - $start_up_r = exec("/bin/ps -U root | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'"); + @unlink('/tmp/snort.sh.pid'); - $start2_upb_s = exec("/bin/ps -U snort | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{ print \$1; }'"); - $start2_upb_r = exec("/bin/ps -U root | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{ print \$1; }'"); - - if ($start_up_s != '' || $start_up_r != '' || $start2_upb_s != '' || $start2_upb_r != '') { - if ($start_up_s != '') - { - exec("/bin/kill {$start_up_s}"); - exec("rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); - exec("rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*"); - } + $start_up = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'"); + $start_upb = exec("/bin/ps -ax | /usr/bin/grep \"snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'"); - if ($start2_upb_s != '') - { - exec("/bin/kill {$start2_upb_s}"); - exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); - } - - if ($start_up_r != '') - { - exec("/bin/kill {$start_up_r}"); - exec("rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); - exec("rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*"); - } - - if ($start2_upb_r != '') - { - exec("/bin/kill {$start2_upb_r}"); - exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); - } + if ($start_up != '') { + exec("/bin/kill {$start_up}"); + exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); + exec("/bin/rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*"); + exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + } - /* Log Iface stop */ - exec("/usr/bin/logger -p daemon.info -i -t 
SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'"); - sleep(2); // Give time so GUI displays correctly + if ($start_upb != '') { + exec("/bin/kill {$start_upb}"); + exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); + exec("/bin/rm /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*"); } + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'"); + sleep(2); // Give time so GUI displays correctly } function Running_Start($snort_uuid, $if_real, $id) { 
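Review bot: The added `exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}")` deletes the interface's entire configuration directory (snort.conf, the per-interface rules copy, barnyard2.conf) on every stop, yet Running_Start in the next hunk launches snort with `-c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf` without regenerating anything, so a stop followed by a start from the GUI will presumably fail until sync_snort_package_config() has run again; unless removing the directory is intended as part of a stop, drop that line and leave directory removal to the code path that handles deleting an interface. The `kill`/`rm` arguments here inherit the same pipeline issue as Running_Ck: `exec()` yields only the last matching PID, so a duplicated snort process for this uuid survives the stop, and the uuid/interface values reach the shell unescaped. A brief comment on why the config directory is removed here, if that is deliberate, would stop the next reader from treating it as a mistake.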
@@ -340,13 +295,16 @@ function Running_Start($snort_uuid, $if_real, $id) { $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; if ($snort_info_chk == 'on') - exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + else + return; + /* define snortbarnyardlog_chk */ /* top will have trouble if the uuid is to far back */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; - if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '' && $snort_info_chk == 'on') { - exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"); + if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { + exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"); } /* Log Iface stop */ @@ -396,7 +354,7 @@ function snort_file_list($snort_log_dir, $snort_log_file) $dir = opendir ("$snort_log_dir"); while (false !== ($file = readdir($dir))) { if (strpos($file, "$snort_log_file",1) ) - $file_list[] = $file; + $file_list[] = basename($file); } return $file_list; } 
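Review bot: Both daemons now run as root for their whole lifetime, because the new snort command line and the barnyard2 line below it drop `-u snort -g snort`, the flags that make snort switch to the unprivileged user after opening the capture interface; the same removal appears in the snort.sh heredocs of the create_snort_sh hunks and matches the commented-out `pw useradd`/`chown` steps in snort_postinstall. That drop was the only privilege boundary between the packet-parsing code and the firewall host, and from the visible code it only depended on the user creation and the ownership fixes this commit comments out; if those chown calls were the problem, keeping the user and relying on the group-writable `chmod 770` directories this commit already applies is the usual fix. If running as root is intended, record the reason next to the exec call, e.g. `/* runs as root: -u/-g dropped because ... */`, so it is not read as an oversight.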
@@ -473,7 +431,7 @@ function post_delete_logs() //create_barnyard2_conf($id, $if_real, $snort_uuid); if ($value['perform_stat'] == 'on') - file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", ""); + @file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", ""); } } } @@ -490,14 +448,14 @@ function snort_postinstall() } /* cleanup default files */ - @unlink('/usr/local/etc/snort/snort.conf-sample'); - @unlink('/usr/local/etc/snort/threshold.conf-sample'); - @unlink('/usr/local/etc/snort/sid-msg.map-sample'); - @unlink('/usr/local/etc/snort/unicode.map-sample'); - @unlink('/usr/local/etc/snort/classification.config-sample'); - @unlink('/usr/local/etc/snort/generators-sample'); - @unlink('/usr/local/etc/snort/reference.config-sample'); - @unlink('/usr/local/etc/snort/gen-msg.map-sample'); + @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf'); + @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf'); + @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map'); + @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map'); + @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config'); + @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators'); + @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config'); + @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map'); @unlink('/usr/local/etc/snort/sid'); @unlink('/usr/local/etc/rc.d/snort'); @unlink('/usr/local/etc/rc.d/bardyard2'); 
@@ -509,9 +467,11 @@ function snort_postinstall() if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); - /* add snort user and group note: 920 keep the numbers < 2000, above this is reserved in pfSense 2.0 */ + /* XXX: In pfSense this really does not add much! + * add snort user and group note: 920 keep the numbers < 2000, above this is reserved in pfSense 2.0 exec('/usr/sbin/pw groupadd snort -g 920'); exec('/usr/sbin/pw useradd snort -u 920 -c "Snort User" -d /nonexistent -g snort -s /sbin/nologin'); + */ /* create a few directories and ensure the sample files are in place */ @@ -542,15 +502,17 @@ function snort_postinstall() } /* rm barnyard2 important */ - if (!file_exists('/usr/local/bin/barnyard2')) + if (file_exists('/usr/local/bin/barnyard2')) @unlink('/usr/local/bin/barnyard2'); - /* important */ + /* XXX: These are needed if you run snort as snort user mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); + */ + /* important */ mwexec('/bin/chmod 660 /var/log/snort/alert', true); mwexec('/bin/chmod 660 /var/db/whitelist', true); mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true); 
@@ -588,19 +550,19 @@ function snort_postinstall() exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png'); /* install barnyard2 for 2.0 x86 x64 and 1.2.3 x86 */ - chdir("/usr/local/bin/"); - update_status(gettext("Installing Barnyard2 for $snort_arch...")); update_output_window(gettext("Please wait...")); if ($snort_pfsense_basever == 'yes') - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2'); - else if ($snort_pfsense_basever == 'no') - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.1{$snort_arch}/barnyard2'); - + exec('/usr/bin/fetch -o /usr/local/bin/barnyard2 http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2'); + else if ($snort_pfsense_basever == 'no') { + if ($snort_arch == 'x64') + exec("/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/amd64/8/All/barnyard2"); + else + exec("/usr/bin/fetch -o /usr/local/bin/barnyard2 http://files.pfsense.org/packages/8/All/barnyard2"); + exec('/bin/chmod 0755 /usr/local/bin/barnyard2'); + } update_output_window(gettext("Finnished Installing Barnyard2...")); - exec('/bin/chmod 755 /usr/local/bin/barnyard2'); - /* XXX: remove compeletely? */ if ($snort_pfsense_basever == 'yes') { if (!is_dir('/tmp/pkg_s')) 
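Review bot: The barnyard2 binary is downloaded with plain-HTTP `fetch` and immediately marked executable, with the exit status of `exec()` ignored and no checksum or signature compared, so a failed or altered download becomes the daemon that the generated snort.sh starts as root at boot. Capture the status and stop on failure, `exec("/usr/bin/fetch -o /usr/local/bin/barnyard2 {$url}", $out, $rc); if ($rc !== 0) { log_error('barnyard2 download failed'); return; }`, and compare the file against a digest published alongside it (the repository previously shipped a `.md5` next to the rules tarball; a stronger digest obtained over a trusted channel is preferable) before the `chmod 0755`. The non-`x64` branch also catches every other `$snort_arch` value, including the `Unknown` set near the top of the file, and fetches the 32-bit build for it; if that fallback is intended a one-line comment should say so. snort_postinstall continues on both sides of this hunk.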
@@ -632,29 +594,11 @@ function snort_postinstall() if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_status(gettext("Saved settings detected...")); update_output_window(gettext("Please wait... rebuilding files...")); - sync_snort_package_empty(); + sync_snort_package_config(); update_output_window(gettext("Finnished Rebuilding files...")); } } -function sync_package_snort_reinstall() -{ - global $config; - - conf_mount_rw(); - - if (!$config['installedpackages']['snortglobal']) - return; - - /* create snort configuration file */ - create_snort_conf(); - - /* start snort service */ - // start_service("snort"); // do not start, may be needed latter. - - conf_mount_ro(); -} - function snort_Getdirsize($node) { if(!is_readable($node)) return false; 
@@ -885,77 +829,8 @@ function snort_rules_up_install_cron($should_install) { } } -function sync_snort_package_remove_old() -{ - global $config, $g; - - $snort_dir_scan = '/usr/local/etc/snort'; - - // scan dirm might have to make this into a funtion - $dh_scan = opendir($snort_dir_scan); - while (false !== ($dir_filename = readdir($dh_scan))) { - $list_dir_files[] = $dir_filename; - } - - // find patern in a array, very cool code - class array_ereg { - function array_ereg($pattern) { $this->pattern = $pattern; } - function ereg($string) { - return ereg($this->pattern, $string); - } - } - - $rule_array2 = $config['installedpackages']['snortglobal']['rule']; - foreach ($rule_array2 as $id => $value) { - $result_lan = $value['interface']; - $if_real = snort_get_real_interface($result_lan); - - $snort_rules_list[] = "snort_{$id}{$if_real}"; - } - - $snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg')); - $snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list); - - foreach ($snort_dir_filter_search_result as $value) - exec("/bin/rm -r /usr/local/etc/snort/$value"); - -} - -/* make sure this func on writes to files and does not start snort */ -function sync_snort_package() { - global $config, $g; - - /* all new files are for the user snort nologin */ - if (!is_dir('/var/log/snort')) - exec('/bin/mkdir -p /var/log/snort'); - - if (!is_dir('/var/log/snort/run')) - exec('/bin/mkdir -p /var/log/snort/run'); - - if (!is_dir('/var/log/snort/barnyard2')) - exec('/bin/mkdir -p /var/log/snort/barnyard2'); - - /* all new files are for the user snort nologin */ - if (!file_exists('/var/log/snort/alert')) - exec('/usr/bin/touch /var/log/snort/alert'); - - /* important */ - mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); - mwexec('/usr/sbin/chown snort:snort 
/tmp/snort*', true); - mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); - - mwexec('/bin/chmod 770 /var/db/whitelist', true); - mwexec('/bin/chmod 770 /var/run/snort*', true); - mwexec('/bin/chmod 770 /tmp/snort*', true); - mwexec('/bin/chmod -R 770 /var/log/snort', true); - mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true); - mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true); -} - -/* only run when a single iface needs to sync */ -function sync_snort_package_all($id, $if_real, $snort_uuid) +/* Only run when all ifaces needed to sync. Expects filesystem rw */ +function sync_snort_package_config() { global $config, $g; 
@@ -967,62 +842,14 @@ function sync_snort_package_all($id, $if_real, $snort_uuid) //exec("/sbin/sysctl net.bpf.maxinsns=512"); //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - if (!is_array($config['installedpackages']['snortglobal']['rule'][$id])) - return; - conf_mount_rw(); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = snort_get_real_interface($result_lan); - - /* only build whitelist when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on') - create_snort_whitelist($id, $if_real); - - /* only build threshold when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') - create_snort_suppress($id, $if_real); - - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); - - /* if rules exist cp rules to each iface */ - create_rules_iface($id, $if_real, $snort_uuid); - - /* create snort bootup file snort.sh only create once */ - create_snort_sh(); - - /* create barnyard2 configuration file */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'] == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); - - sync_snort_package(); - - conf_mount_ro(); -} - -/* Only run when all ifaces needed to sync. 
Expects filesystem rw */ -function sync_snort_package_empty() -{ - global $config, $g; - - /* RedDevil suggested code */ - /* TODO: more testing needs to be done */ - /* may cause voip to fail */ - //exec("/sbin/sysctl net.bpf.bufsize=8388608"); - //exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); - //exec("/sbin/sysctl net.bpf.maxinsns=512"); - //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']['rule'])) + if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); + conf_mount_ro(); return; - - conf_mount_rw(); + } foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { $if_real = snort_get_real_interface($value['interface']); @@ -1045,8 +872,7 @@ function sync_snort_package_empty() create_rules_iface($id, $if_real, $snort_uuid); /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $value['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') + if ($value['barnyard_enable'] == 'on') create_barnyard2_conf($id, $if_real, $snort_uuid); } } 
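Review bot: The header comment added in the previous hunk says the function "Expects filesystem rw", but the body keeps the `conf_mount_rw()` call and now adds `conf_mount_ro()` on the early-return path, so the function manages the mount itself and the comment misleads; change it to `/* Rebuilds the config of every snort interface; mounts rw/ro itself */` or drop that clause. The early-return branch removes the rc script with `exec('/bin/rm /usr/local/etc/rc.d/snort.sh')` while the other cleanup code in this file uses `@unlink()`; `@unlink('/usr/local/etc/rc.d/snort.sh');` keeps the style consistent and avoids spawning a shell for a fixed path. sync_snort_package_config starts in the previous hunk and continues past this one.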
@@ -1054,61 +880,39 @@ function sync_snort_package_empty() /* create snort bootup file snort.sh only create once */ create_snort_sh(); - sync_snort_package(); - - conf_mount_ro(); -} - -/* only bootup and ip refresh */ -function sync_snort_package_config() -{ - global $config, $g; - - /* RedDevil suggested code */ - /* TODO: more testing needs to be done */ - /* may cause voip to fail */ - //exec("/sbin/sysctl net.bpf.bufsize=8388608"); - //exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); - //exec("/sbin/sysctl net.bpf.maxinsns=512"); - //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); - - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - - conf_mount_rw(); - - foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { - - $result_lan = $value['interface']; - $if_real = snort_get_real_interface($result_lan); - $snort_uuid = $value['uuid']; - - if (!empty($if_real) && !empty($snort_uuid)) { + /* all new files are for the user snort nologin */ + if (!is_dir('/var/log/snort')) + exec('/bin/mkdir -p /var/log/snort'); - /* only build whitelist when needed */ - if ($value['blockoffenders7'] == 'on') - create_snort_whitelist($id, $if_real); + if (!is_dir('/var/log/snort/run')) + exec('/bin/mkdir -p /var/log/snort/run'); - /* only build threshold when needed */ - if ($value['suppresslistname'] != 'default') - create_snort_suppress($id, $if_real); + if (!is_dir('/var/log/snort/barnyard2')) + exec('/bin/mkdir -p /var/log/snort/barnyard2'); - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); + /* all new files are for the user snort nologin */ + if (!file_exists('/var/log/snort/alert')) + exec('/usr/bin/touch /var/log/snort/alert'); - /* create barnyard2 configuration file */ - if ($value['barnyard_enable'] == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); - } - } + /* XXX: These are needed if snort is run as snort user + 
mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); + mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); + mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); + */ - sync_snort_package(); + /* important */ + mwexec('/bin/chmod 770 /var/db/whitelist', true); + mwexec('/bin/chmod 770 /var/run/snort*', true); + mwexec('/bin/chmod 770 /tmp/snort*', true); + mwexec('/bin/chmod -R 770 /var/log/snort', true); + mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true); + mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true); conf_mount_ro(); } - /* Start of main config files */ /* create threshold file */ @@ -1220,7 +1024,6 @@ function create_snort_sh() $snortconf =& $config['installedpackages']['snortglobal']['rule']; - $snort_sh_text2 = array(); $snort_sh_text3 = array(); $snort_sh_text4 = array(); 
@@ -1236,29 +1039,7 @@ function create_snort_sh() $snortbarnyardlog_mysql_info_chk = $value['barnyard_mysql']; if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') - $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"; - - /* Get all interface startup commands ready */ - $snort_sh_text2[] = <<<EOD -###### For Each Iface - -# If Snort proc is NOT running -if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" = "" ]; then - - /bin/echo "snort.sh run" > /tmp/snort.sh.pid - - # Start snort and barnyard2 - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck - - /usr/local/bin/snort -u snort -g snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} - $start_barnyard2 - - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..." - -fi - -EOD; + $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"; $snort_sh_text3[] = <<<EOE 
@@ -1266,25 +1047,31 @@ EOD; #### Fake start only used on bootup and Pfsense IP changes #### Only try to restart if snort is running on Iface -if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then - - snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" +if [ "`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`" != "" ]; then + snort_pid=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'` /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" #### Restart Iface /bin/kill -HUP \${snort_pid} /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..." +else + # Start snort and barnyard2 + /bin/echo "snort.sh run" > /tmp/snort.sh.pid + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + + /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + $start_barnyard2 + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD START For {$snort_uuid}_{$if_real}..." fi EOE; $snort_sh_text4[] = <<<EOF -pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print \$2;}'` +pid_s=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'` sleep 3 -pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/awk '{print \$2;}'` - +pid_b=`/bin/ps -ax | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'` if [ \${pid_s} ] ; then /bin/echo "snort.sh run" > /tmp/snort.sh.pid 
@@ -1294,9 +1081,7 @@ if [ \${pid_s} ] ; then sleep 3 /bin/kill \${pid_b} - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid - fi EOF; @@ -1304,8 +1089,7 @@ EOF; } - $start_snort_iface_start = implode("\n\n", $snort_sh_text2); - $start_snort_iface_restart = implode("\n\n", $snort_sh_text3); + $start_snort_iface_start = implode("\n\n", $snort_sh_text3); $start_snort_iface_stop = implode("\n\n", $snort_sh_text4); $snort_sh_text = <<<EOD @@ -1318,56 +1102,14 @@ EOF; rc_start() { - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then - - /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" - exit 0 - - fi - /bin/echo "snort.sh run" > /tmp/snort.sh.pid - - #### Remake the configs on boot Important! - /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php & - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." - - $start_snort_iface_restart - - /bin/rm /tmp/snort.sh.pid - - #### If on Fake start snort is NOT running DO a real start. - if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then - - rc_start_real - - fi -} - -rc_start_real() { - - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then - /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" - exit 0 - fi - $start_snort_iface_start - /bin/rm /tmp/snort.sh.pid - } rc_stop() { - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then - /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" - exit 0 - fi - $start_snort_iface_stop - /bin/rm /tmp/snort.sh.pid /bin/rm /var/run/snort* 
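Review bot: With the double-start guard removed from `rc_start()` and `rc_stop()`, the per-interface blocks from the previous hunks still write `"snort.sh run" > /tmp/snort.sh.pid` but nothing in the generated script removes it any more (the `/bin/rm /tmp/snort.sh.pid` lines are deleted here and in rc_stop), so the marker is written as root to a fixed name in /tmp and left behind, cleared only by Running_Stop's `@unlink()`. Either drop the `echo` lines in the EOE/EOF heredocs or put `/bin/rm /tmp/snort.sh.pid` back at the end of rc_start and rc_stop. Note also that the `ps | grep` test in the EOE block and the hard start after it are no longer serialised by the marker, so two overlapping `rc_start` runs (boot plus an IP-change reload) can each see no process and both start snort on the same interface; if the marker was unreliable, wrapping the start block in `lockf` is the usual replacement on FreeBSD. The script template continues beyond this hunk.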
@@ -1377,15 +1119,11 @@ case $1 in start) rc_start ;; - start_real) - rc_start_real - ;; stop) rc_stop ;; restart) - rc_stop - rc_start_real + rc_start ;; esac @@ -1402,9 +1140,6 @@ EOD; @chmod("/usr/local/etc/rc.d/snort.sh", 0755); } - -///////////////////////// >>>>>>>>>>>> - /* if rules exist copy to new interfaces */ function create_rules_iface($id, $if_real, $snort_uuid) { @@ -1414,7 +1149,9 @@ function create_rules_iface($id, $if_real, $snort_uuid) $folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 'empty' : 'full'; if ($folder_chk == "empty") { - exec("/bin/cp -R /usr/local/etc/snort/rules {$if_rule_dir}/rules"); + if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules")) + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + exec("/bin/cp /usr/local/etc/snort/rules/* {$if_rule_dir}/rules"); if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules"); } 
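Review bot: The new `mkdir -p` spells out `/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules` while the `cp` on the next line targets `{$if_rule_dir}/rules`; `$if_rule_dir` is set above this hunk, and if it is the same path (inferred, not visible) use it in both places, `exec("/bin/mkdir -p {$if_rule_dir}/rules");`, so the two cannot drift apart. `cp /usr/local/etc/snort/rules/*` also leaves the glob unexpanded and cp erroring when the source directory is empty, which the same `count(glob(...))` idiom already used for the destination would catch. create_rules_iface continues outside the hunk.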
@@ -1422,14 +1159,15 @@ function create_rules_iface($id, $if_real, $snort_uuid) /* open barnyard2.conf for writing */ function create_barnyard2_conf($id, $if_real, $snort_uuid) { - global $bconfig, $g; + global $config, $g; if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); if (!file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { mwexec("/usr/bin/touch /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); - mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); + /* XXX: This is needed if snort is run as snort user */ + //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); mwexec("/bin/chmod 770 /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); } @@ -1439,7 +1177,7 @@ function create_barnyard2_conf($id, $if_real, $snort_uuid) { $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); if(!$bconf) { log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); - exit; + return; } fwrite($bconf, $barnyard2_conf_text); fclose($bconf); 
@@ -1462,29 +1200,6 @@ function generate_barnyard2_conf($id, $if_real, $snort_uuid) { # barnyard2.conf # barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php # -# Copyright (C) 2006 Robert Zelaya -# part of pfSense -# All rights reserved. -# -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. -# - # set the appropriate paths to the file(s) your Snort process is using config reference_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config @@ -1929,8 +1644,8 @@ function generate_snort_conf($id, $if_real, $snort_uuid) /* generate rule sections to load */ $enabled_rulesets = $snortcfg['rulesets']; + $selected_rules_sections = ""; if (!empty($enabled_rulesets)) { - $selected_rules_sections = ""; $enabled_rulesets_array = split("\|\|", $enabled_rulesets); foreach($enabled_rulesets_array as $enabled_item) $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; 
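Review bot: `split()` on the line after the hoisted initializer is the deprecated ereg-family function (removed in PHP 7); since the delimiter is the literal `||`, `explode("||", $enabled_rulesets)` is the drop-in replacement. Each `$enabled_item` is then written verbatim into an `include $RULE_PATH/...` line of snort.conf, so a stored ruleset name containing `/` or `..` would make snort read a file outside the rules directory; passing it through `basename()` or checking that `$RULE_PATH/{$enabled_item}` exists before emitting the include keeps the generated config bounded to that directory. generate_snort_conf begins and ends outside the hunk.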
@@ -1973,7 +1688,7 @@ EOD; # ################# -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default \ ports { 80 8080 } \ @@ -1984,6 +1699,10 @@ preprocessor http_inspect_server: server default \ directory no \ iis_backslash no \ u_encode yes \ + extended_response_inspection \ + inspect_gzip \ + normalize_utf \ + unlimited_decompress \ ascii no \ chunk_length 500000 \ bare_byte yes \ @@ -2200,9 +1919,13 @@ EOD; else $def_max_queued_segs_type = ' max_queued_segs ' . $snortcfg['max_queued_segs'] . ','; + $snort_preprocessor_decoder_rules = ""; + if (file_exists("/usr/local/etc/snort/preproc_rules/preprocessor.rules")) + $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + if (file_exists("/usr/local/etc/snort/preproc_rules/decoder.rules")) + $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; /* build snort configuration file */ - /* TODO; feed back from pfsense users to reduce false positives */ $snort_conf_text = <<<EOD # snort configuration file 
@@ -2212,31 +1935,6 @@ EOD; # for more information # snort.conf # Snort can be found at http://www.snort.org/ -# -# Copyright (C) 2009-2010 Robert Zelaya -# part of pfSense -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. ######################### # @@ -2316,7 +2014,7 @@ portvar DCERPC_BRIGHTSTORE [6503,6504] ##################### var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules -# var PREPROC_RULE_PATH ./preproc_rules +var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules ################################ # 
@@ -2357,9 +2055,9 @@ dynamicdetection directory /usr/local/lib/snort/dynamicrules preprocessor frag3_global: max_frags 8192 preprocessor frag3_engine: policy bsd detect_anomalies -preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ -track_udp yes, track_icmp yes -preprocessor stream5_tcp: policy BSD, ports both all,{$def_max_queued_bytes_type}{$def_max_queued_segs_type} use_static_footprint_sizes +preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes + +preprocessor stream5_tcp: policy BSD, ports both all, {$def_max_queued_bytes_type}{$def_max_queued_segs_type} preprocessor stream5_udp: preprocessor stream5_icmp: @@ -2375,16 +2073,6 @@ preprocessor stream5_icmp: {$def_sf_portscan_type} -############################ - # -# OLD # -# preprocessor dcerpc: \ # -# autodetect \ # -# max_frag_size 3000 \ # -# memcap 100000 # - # -############################ - {$def_dce_rpc_2_type} {$def_dns_preprocessor_type} @@ -2420,10 +2108,12 @@ preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspec include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config - $threshold_file_name +{$snort_preprocessor_decoder_rules} + +$threshold_file_name # Snort user pass through configuration - {$snort_config_pass_thru} +{$snort_config_pass_thru} ################### # 
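Review bot: Dropping `max_tcp 8192` from stream5_global lets the session table fall back to Snort's built-in default, which is larger, and `use_static_footprint_sizes` is dropped from stream5_tcp without a note; both change memory behaviour on small boxes and deserve a heredoc comment such as `# stream5: Snort defaults for max_tcp and footprint sizes; tune via GUI if memory is tight`. If the intent is for the GUI-provided `{$def_max_queued_bytes_type}{$def_max_queued_segs_type}` settings to govern sizing, say so in the commit message. The heredoc belongs to generate_snort_conf, which lies outside the hunk.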
@@ -2438,125 +2128,6 @@ EOD; return $snort_conf_text; } -/* check downloaded text from snort.org to make sure that an error did not occur - * for example, if you are not a premium subscriber you can only download rules - * so often, etc. TO BE: Removed unneeded. - */ -function check_for_common_errors($filename) { - global $snort_filename, $snort_filename_md5, $console_mode; - - // ob_flush(); - $contents = file_get_contents($filename); - if (!$contents) { - if(!$console_mode) { - update_all_status("An error occured while downloading {$filename}."); - hide_progress_bar_status(); - } else - log_error("An error occured. Scroll down to inspect it's contents."); - - if (!$console_mode) - update_output_window(strip_tags("$contents")); - else { - $contents = strip_tags($contents); - log_error("Error downloading snort rules: {$contents}"); - echo "Error downloading snort rules: {$contents}"; - } - - scroll_down_to_bottom_of_page(); - - return; - } -} - -/* force browser to scroll all the way down */ -function scroll_down_to_bottom_of_page() { - global $snort_filename, $console_mode; - - ob_flush(); - if(!$console_mode) - echo "\n<script type=\"text/javascript\">parent.scrollTo(0,1500);\n</script>"; -} - -/* ensure downloaded file looks sane */ -function verify_downloaded_file($filename) { - global $snort_filename, $snort_filename_md5, $console_mode; - - ob_flush(); - if (filesize($filename) < 9500) { - if(!$console_mode) { - update_all_status("Checking {$filename}..."); - check_for_common_errors($filename); - } - } - update_all_status("Verifying {$filename}..."); - if(!file_exists($filename)) { - if(!$console_mode) { - update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); - hide_progress_bar_status(); - } else { - log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); - echo "Could not fetch snort rules ({$filename}). 
Check oinkid key and dns and try again."; - } - return; - } - update_all_status("Verified {$filename}."); -} - -/* extract rules */ -function extract_snort_rules_md5($tmpfname) { - global $snort_filename, $snort_filename_md5, $console_mode; - - ob_flush(); - if(!$console_mode) { - $static_output = gettext("Extracting snort rules..."); - update_all_status($static_output); - } - if(!is_dir("/usr/local/etc/snort/rules/")) - @mkdir("/usr/local/etc/snort/rules/"); - - $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/"; - $handle = popen("{$cmd} 2>&1", 'r'); - while(!feof($handle)) { - $buffer = fgets($handle); - update_output_window($buffer); - } - pclose($handle); - - if(!$console_mode) { - $static_output = gettext("Snort rules extracted."); - update_all_status($static_output); - } else { - log_error("Snort rules extracted."); - echo "Snort rules extracted."; - } -} - -/* verify MD5 against downloaded item */ -function verify_snort_rules_md5($tmpfname) { - global $snort_filename, $snort_filename_md5, $console_mode; - - ob_flush(); - if(!$console_mode) { - $static_output = gettext("Verifying md5 signature..."); - update_all_status($static_output); - } - - $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5 = `echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; - $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; - if($md5 == $file_md5_ondisk) { - if(!$console_mode) { - $static_output = gettext("snort rules: md5 signature of rules mismatch."); - update_all_status($static_output); - hide_progress_bar_status(); - } else { - log_error("snort rules: md5 signature of rules mismatch."); - echo "snort rules: md5 signature of rules mismatch."; - } - return; - } -} - /* hide progress bar */ function hide_progress_bar_status() { global $snort_filename, $snort_filename_md5, $console_mode; 
@@ -2586,87 +2157,4 @@ function update_all_status($status) { } } -/* obtain alert description for an ip address */ -function get_snort_alert($ip) { - global $snort_alert_file_split, $snort_config; - - if(!file_exists("/var/log/snort/alert")) - return; - if(!$snort_config) - $snort_config = read_snort_config_cache(); - if($snort_config[$ip]) - return $snort_config[$ip]; - if(!$snort_alert_file_split) - $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); - - foreach($snort_alert_file_split as $fileline) { - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - $alert_title = $matches[2]; - if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) - $alert_ip = $matches[$id]; - if($alert_ip == $ip) { - if(!$snort_config[$ip]) - $snort_config[$ip] = $alert_title; - - return $alert_title; - } - } - return "n/a"; -} - -function make_clickable($buffer) { - global $config, $g; - - /* if clickable urls is disabled, simply return buffer back to caller */ - $clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode']; - if(!$clickablalerteurls) - return $buffer; - - $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); - $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); - $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","<a href=\"mailto:\\1\">\\1</a>", $buffer); - $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $buffer); - $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ 
\n\r]*)*)","\\1<a href=\"ftp://\\2\" target=\"_blank\">\\2</a>", $buffer); - - return $buffer; -} - -function read_snort_config_cache() { - global $g, $config, $snort_config; - - if($snort_config) - return $snort_config; - - if(file_exists($g['tmp_path'] . '/snort_config.cache')) - $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache')); - - return $snort_config; -} - -function write_snort_config_cache($snort_config) { - global $g, $config; - - $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w"); - if(!$configcache) { - log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing."); - return false; - } - fwrite($configcache, serialize($snort_config)); - fclose($configcache); - - return true; -} - -function snort_advanced() { - global $g, $config; - - sync_package_snort(); -} - -function snort_define_servers() { - global $g, $config; - - sync_package_snort(); -} - ?> diff --git a/config/snort/snort.sh b/config/snort/snort.sh deleted file mode 100644 index 5b725cfe..00000000 --- a/config/snort/snort.sh +++ /dev/null 
@@ -1,99 +0,0 @@ -#!/bin/sh -# $FreeBSD: ports/security/snort/files/snort.sh.in,v 1.4 2009/10/29 01:27:53 clsung Exp $ - -# PROVIDE: snort -# REQUIRE: DAEMON -# BEFORE: LOGIN -# KEYWORD: shutdown - -. /etc/rc.subr -. /var/etc/rc.snort - -name="snort" -rcvar=`set_rcvar` -start_cmd="snort_start" -stop_cmd="snort_stop" - -snort_bin="/usr/local/bin/snort" -barnyard_bin="/usr/local/bin/barnyard2" - -[ -z "$snort_enable" ] && snort_enable="YES" -[ -z "$snort_flags" ] && snort_flags="-u snort -g snort -D -q -l /var/log/snort" -[ -z "$barnyard_flags" ] && barnyard_flags="-u snort -g snort -d /var/log/snort" - -snort_start() -{ - echo -n 'Starting snort:' - for _s in ${snort_list} - do - echo -n " ${_s}" - - eval _conf=\"\$snort_${_s}_conf\" - eval _name=\"\$snort_${_s}_name\" - eval _id=\"\$snort_${_s}_id\" - eval _iface=\"\$snort_${_s}_interface\" - eval _enable=\"\$snort_${_s}_enable\" - eval _barnyard=\"\$snort_${_s}_barnyard\" - _confdir=${_conf%/*} - - _enable="${_enable:-YES}" - if ! checkyesno _enable; then - continue; - fi - - if [ -f /var/run/snort_${_iface}${_name}.pid ]; then - if pgrep -F /var/run/snort_${_iface}${_name}.pid snort; then - echo -n " [snort ${_s} already running]" - continue; - fi - fi - ${snort_bin} ${snort_flags} -G ${_id} -R ${_name} -c ${_conf} -i ${_iface} - - _barnyard="${_barnyard:-NO}" - if checkyesno _barnyard; then - ${barnyard_bin} ${snort_flags} -R ${_name} -c ${_confdir}/barnyard2.conf \ - -f snort.u2_${_name} -w ${_confdir}/barnyard2.waldo - fi - done - echo -} - -snort_stop() -{ - echo -n 'Stopping snort:' - _pidlist='' - for _s in ${snort_list} - do - echo -n " ${_s}" - - eval _conf=\"\$snort_${_s}_conf\" - eval _name=\"\$snort_${_s}_name\" - eval _iface=\"\$snort_${_s}_interface\" - - if [ -f /var/run/snort_${_iface}${_name}.pid ]; then - _pid=$(pgrep -F /var/run/snort_${_iface}${_name}.pid snort) - if [ -n "${_pid}" ]; then - kill ${_pid} - _pidlist="${_pidlist} ${_pid}" - fi - fi - if [ -f 
/var/run/barnyard_${_iface}${_name}.pid ]; then - _pid=$(pgrep -F /var/run/barnyard_${_iface}${_name}.pid barnyard2) - if [ -n "${_pid}" ]; then - kill ${_pid} - _pidlist="${_pidlist} ${_pid}" - fi - fi - done - echo - wait_for_pids ${_pidlist} -} - -cmd="$1" -if [ $# -gt 0 ]; then - shift -fi -if [ -n "$*" ]; then - snort_list="$*" -fi -run_rc_command "${cmd}" diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 9d14c9ec..2365bbea 100644 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.8.6</version> - <title>Services:2.8.6 pkg v. 1.30</title> + <version>2.9.0.5</version> + <title>Services:2.9.0.5 pkg v. 2.0</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> @@ -95,11 +95,6 @@ <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/snort_rename.pl</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/pf/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php</item> - </additional_files_needed> - <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> @@ -199,7 +194,7 @@ <custom_add_php_command> </custom_add_php_command> <custom_php_resync_config_command> - sync_snort_package(); + sync_snort_package_config(); </custom_php_resync_config_command> <custom_php_install_command> snort_postinstall(); diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 8e81d16a..53b9e3a2 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php 
@@ -80,34 +80,36 @@ if ($_POST['save']) write_config(); header("Location: /snort/snort_alerts.php"); + exit; } } -if ($_POST['delete']) +if ($_GET['action'] == "clear" || $_POST['clear']) { - conf_mount_rw(); if(file_exists('/var/log/snort/alert')) { - @file_put_content("/var/log/snort/alert", ""); + conf_mount_rw(); + @file_put_contents("/var/log/snort/alert", ""); post_delete_logs(); - mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + /* XXX: This is needed is snort is run as snort user */ + //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); mwexec('/bin/chmod 660 /var/log/snort/*', true); - sleep(2); mwexec('/usr/bin/killall -HUP snort', true); + conf_mount_ro(); } - conf_mount_ro(); + header("Location: /snort/snort_alerts.php"); + exit; } if ($_POST['download']) { - ob_start(); //importanr or other post will fail $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_logs_{$save_date}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/snort_logs_{$save_date}.tar.gz /var/log/snort"); + exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort"); - if (file_exists("/tmp/snort_logs_{$save_date}.tar.gz")) { + if (file_exists("/tmp/{$file_name}")) { $file = "/tmp/snort_logs_{$save_date}.tar.gz"; header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); header("Pragma: private"); // needed for IE @@ -117,10 +119,11 @@ if ($_POST['download']) header("Content-length: ".filesize($file)); header("Content-disposition: attachment; filename = {$file_name}"); readfile("$file"); - exec("/bin/rm /tmp/snort_logs_{$save_date}.tar.gz"); - od_end_clean(); //importanr or other post will fail - } else - echo 'Error no saved file.'; + exec("/bin/rm /tmp/{$file_name}"); + } + + header("Location: /snort/snort_alerts.php"); + exit; } 
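Review bot: The clear branch now fires on `$_GET['action'] == "clear"`, so a destructive action (truncating /var/log/snort/alert and HUP-ing snort) can be triggered by a plain link, a prefetching browser or a cross-site image tag; keep it POST-only and make the form in the hunk at @@ -301 below a real submit button whose name matches the check, instead of a `type="button"` wrapped in an anchor. In the download hunk, `header("Location: ...")` is called after readfile() has already sent the body, so PHP warns that headers are already sent and the redirect never happens; exit right after the unlink and reserve the redirect for the file-missing branch, which now redirects silently instead of reporting the error it used to. `$save_date` can come from `date('Y-m-d-H-i-s')` rather than exec('/bin/date ...'), and the Content-disposition value should be `filename="{$file_name}"` without the surrounding spaces.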
@@ -301,9 +304,9 @@ if ($pconfig['arefresh'] == 'on') <td width="78%" class="vtable"> <form action="/snort/snort_alerts.php" method="post"><input name="download" type="submit" class="formbtn" value="Download"> All - log files will be saved. <input name="delete" type="submit" + log files will be saved. <a href="/snort/snort_alerts.php?action=clear"><input name="delete" type="button" class="formbtn" value="Clear" - onclick="return confirm('Do you really want to remove all your logs ? All snort rule interfces may have to be restarted.')"> + onclick="return confirm('Do you really want to remove all your logs ? All snort rule interfces may have to be restarted.')"></a> <span class="red"><strong>Warning:</strong></span> all log files will be deleted.</form> </td> @@ -558,21 +561,11 @@ if ($pconfig['arefresh'] == 'on') </div> - <?php - - include("fend.inc"); - - echo $snort_custom_rnd_box; - - ?> - +<?php +include("fend.inc"); -<script type="text/javascript"> - var myTable = {}; - window.addEvent('domready', function(){ - myTable = new sortableTable('myTable', {overCls: 'over'}); - }); - </script> +echo $snort_custom_rnd_box; +?> </body> </html> diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index 2e857f22..b647c007 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php 
@@ -44,105 +44,42 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g; -if (!is_array($config['installedpackages']['snortglobal']['rule'])) - $config['installedpackages']['snortglobal']['rule'] = array(); - -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; if (isset($_GET['dup'])) { $id = $_GET['dup']; $after = $_GET['dup']; } +$pconfig = array(); if (isset($id) && $a_nat[$id]) { /* old options */ - $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; - $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; - $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; - $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; - $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; - $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; - $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; - $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; - $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; - $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; - $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; - $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; - $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; - $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; - $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; - $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; - $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; - $pconfig['def_http_ports'] = 
$a_nat[$id]['def_http_ports']; - $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; - $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; - $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; - $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; - $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; - $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; - $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; - $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; - $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; - $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; - $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; - $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; - $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; - $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; - $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; - $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; - $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; - $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; - $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; - $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; - $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; - $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; - $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; - $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; + $pconfig = $a_nat[$id]; $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['uuid'] = $a_nat[$id]['uuid']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['descr'] = $a_nat[$id]['descr']; - $pconfig['whitelistname'] = 
$a_nat[$id]['whitelistname']; - $pconfig['homelistname'] = $a_nat[$id]['homelistname']; - $pconfig['externallistname'] = $a_nat[$id]['externallistname']; - $pconfig['suppresslistname'] = $a_nat[$id]['suppresslistname']; - $pconfig['performance'] = $a_nat[$id]['performance']; - $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; - $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; - $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; - $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; - $pconfig['configpassthru'] = $a_nat[$id]['configpassthru']; $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; - $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; - $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; - - - if (!$pconfig['interface']) - $pconfig['interface'] = "wan"; -} else - $pconfig['interface'] = "wan"; +} if (isset($_GET['dup'])) unset($id); $if_real = snort_get_real_interface($pconfig['interface']); -if (!empty($config['installedpackages']['snortglobal']['rule'][$id])) - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; +$snort_uuid = $pconfig['uuid']; /* alert file */ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; -if ($_POST["Submit"]) { +if ($_POST) { /* XXX: Mising error reporting?! * check for overlaps 
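Review bot: `$id` is taken from `$_GET['id']` and only checked with is_null(), so any non-numeric or out-of-range value passes the guard, `$pconfig` stays empty, and `$snort_uuid` and `$if_real` end up empty in the dirty-file path and in the save path, which with `if ($_POST)` now triggers on any POST rather than on the Submit button. Tighten the guard once `$a_nat` is bound: `if (!is_numeric($id) || !isset($a_nat[$id])) { header("Location: /snort/snort_interfaces.php"); exit; }`, and restore `if ($_POST['Submit'])`. The removed `interface = "wan"` fallback has no visible replacement, and the dup path unsets `$id` after reading it, so `$pconfig['interface']` still needs to be guaranteed before snort_get_real_interface() is called. The POST-handling block continues past the hunk.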
@@ -160,70 +97,6 @@ if ($_POST["Submit"]) { /* repost the options already in conf */ $natent = $pconfig; - /* post new options */ - if ($_POST['interface'] != "") { $natent['interface'] = $_POST['interface']; } else unset($natent['interface']); - if ($_POST['enable'] != "") { $natent['enable'] = $_POST['enable']; } else unset($natent['enable']); - if ($_POST['uuid'] != "") { $natent['uuid'] = $_POST['uuid']; } else unset($natent['uuid']); - if ($_POST['descr'] != "") { $natent['descr'] = $_POST['descr']; } else unset($natent['descr']); - if ($_POST['performance'] != "") { $natent['performance'] = $_POST['performance']; } else unset($natent['descr']); - if ($_POST['blockoffenders7'] != "") { $natent['blockoffenders7'] = $_POST['blockoffenders7']; } else unset($natent['blockoffenders7']); - if ($_POST['alertsystemlog'] != "") { $natent['alertsystemlog'] = $_POST['alertsystemlog']; } else unset($natent['alertsystemlog']); - if ($_POST['tcpdumplog'] != "") { $natent['tcpdumplog'] = $_POST['tcpdumplog']; } else unset($natent['tcpdumplog']); - if ($_POST['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $_POST['snortunifiedlog']; } else unset($natent['snortunifiedlog']); - if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; } else unset($natent['def_ssl_ports_ignore']); - if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; } else unset($natent['flow_depth']); - if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; } else unset($natent['max_queued_bytes']); - if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; } else unset($natent['max_queued_segs']); - if ($_POST['perform_stat'] != "") { $natent['perform_stat'] = $_POST['perform_stat']; } else unset($natent['perform_stat']); - if ($_POST['http_inspect'] != "") { $natent['http_inspect'] = $_POST['http_inspect']; } else 
unset($natent['http_inspect']); - if ($_POST['other_preprocs'] != "") { $natent['other_preprocs'] = $_POST['other_preprocs']; } else unset($natent['other_preprocs']); - if ($_POST['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor']; } else unset($natent['ftp_preprocessor']); - if ($_POST['smtp_preprocessor'] != "") { $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor']; } else unset($natent['smtp_preprocessor']); - if ($_POST['sf_portscan'] != "") { $natent['sf_portscan'] = $_POST['sf_portscan']; } else unset($natent['sf_portscan']); - if ($_POST['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $_POST['dce_rpc_2']; } else unset($natent['dce_rpc_2']); - if ($_POST['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $_POST['dns_preprocessor']; } else unset($natent['dns_preprocessor']); - if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; } else unset($natent['def_dns_servers']); - if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; } else unset($natent['def_dns_ports']); - if ($_POST['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $_POST['def_smtp_servers']; } else unset($natent['def_smtp_servers']); - if ($_POST['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $_POST['def_smtp_ports']; } else unset($natent['def_mail_ports']); - if ($_POST['def_mail_ports'] != "") { $natent['def_mail_ports'] = $_POST['def_mail_ports']; } else unset($natent['def_mail_ports']); - if ($_POST['def_http_servers'] != "") { $natent['def_http_servers'] = $_POST['def_http_servers']; } else unset($natent['def_http_servers']); - if ($_POST['def_www_servers'] != "") { $natent['def_www_servers'] = $_POST['def_www_servers']; } else unset($natent['def_www_servers']); - if ($_POST['def_http_ports'] != "") { $natent['def_http_ports'] = $_POST['def_http_ports']; } else unset($natent['def_http_ports']); - if ($_POST['def_sql_servers'] != "") { 
$natent['def_sql_servers'] = $_POST['def_sql_servers']; } else unset($natent['def_sql_servers']); - if ($_POST['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $_POST['def_oracle_ports']; } else unset($natent['def_oracle_ports']); - if ($_POST['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $_POST['def_mssql_ports']; } else unset($natent['def_mssql_ports']); - if ($_POST['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $_POST['def_telnet_servers']; } else unset($natent['def_telnet_ports']); - if ($_POST['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $_POST['def_telnet_ports']; } else unset($natent['def_telnet_ports']); - if ($_POST['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $_POST['def_snmp_servers']; } else unset($natent['def_snmp_servers']); - if ($_POST['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $_POST['def_snmp_ports']; } else unset($natent['def_snmp_ports']); - if ($_POST['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $_POST['def_ftp_servers']; } else unset($natent['def_ftp_servers']); - if ($_POST['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $_POST['def_ftp_ports']; } else unset($natent['def_ftp_ports']); - if ($_POST['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $_POST['def_ssh_servers']; } else unset($natent['def_ssh_servers']); - if ($_POST['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $_POST['def_ssh_ports']; } else unset($natent['def_ssh_ports']); - if ($_POST['def_pop_servers'] != "") { $natent['def_pop_servers'] = $_POST['def_pop_servers']; } else unset($natent['def_pop_servers']); - if ($_POST['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $_POST['def_pop2_ports']; } else unset($natent['def_pop2_ports']); - if ($_POST['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $_POST['def_pop3_ports']; } else unset($natent['def_pop3_ports']); - if ($_POST['def_imap_servers'] != "") { $natent['def_imap_servers'] = $_POST['def_imap_servers']; 
} else unset($natent['def_imap_servers']); - if ($_POST['def_imap_ports'] != "") { $natent['def_imap_ports'] = $_POST['def_imap_ports']; } else unset($natent['def_imap_ports']); - if ($_POST['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $_POST['def_sip_proxy_ip']; } else unset($natent['def_sip_proxy_ip']); - if ($_POST['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $_POST['def_sip_proxy_ports']; } else unset($natent['def_sip_proxy_ports']); - if ($_POST['def_auth_ports'] != "") { $natent['def_auth_ports'] = $_POST['def_auth_ports']; } else unset($natent['def_auth_ports']); - if ($_POST['def_finger_ports'] != "") { $natent['def_finger_ports'] = $_POST['def_finger_ports']; } else unset($natent['def_finger_ports']); - if ($_POST['def_irc_ports'] != "") { $natent['def_irc_ports'] = $_POST['def_irc_ports']; } else unset($natent['def_irc_ports']); - if ($_POST['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $_POST['def_nntp_ports']; } else unset($natent['def_nntp_ports']); - if ($_POST['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $_POST['def_rlogin_ports']; } else unset($natent['def_rlogin_ports']); - if ($_POST['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $_POST['def_rsh_ports']; } else unset($natent['def_rsh_ports']); - if ($_POST['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $_POST['def_ssl_ports']; } else unset($natent['def_ssl_ports']); - if ($_POST['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $_POST['snortunifiedlog']; } else unset($natent['snortunifiedlog']); - if ($_POST['configpassthru'] != "") { $natent['configpassthru'] = $_POST['configpassthru']; } else unset($natent['configpassthru']); - if ($_POST['rulesets'] != "") { $natent['rulesets'] = $_POST['rulesets']; } else unset($natent['rulesets']); - if ($_POST['rule_sid_off'] != "") { $natent['rule_sid_off'] = $_POST['rule_sid_off']; } else unset($natent['rule_sid_off']); - if ($_POST['rule_sid_on'] != "") { $natent['rule_sid_on'] = 
$_POST['rule_sid_on']; } else unset($natent['rule_sid_on']); - if ($_POST['whitelistname'] != "") { $natent['whitelistname'] = $_POST['whitelistname']; } else unset($natent['whitelistname']); - if ($_POST['homelistname'] != "") { $natent['homelistname'] = $_POST['homelistname']; } else unset($natent['homelistname']); - if ($_POST['externallistname'] != "") { $natent['externallistname'] = $_POST['externallistname']; } else unset($natent['externallistname']); - if ($_POST['suppresslistname'] != "") { $natent['suppresslistname'] = $_POST['suppresslistname']; } else unset($natent['suppresslistname']); $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? 'on' : 'off'; $natent['barnyard_mysql'] = $_POST['barnyard_mysql'] ? $_POST['barnyard_mysql'] : $pconfig['barnyard_mysql']; $natent['barnconfigpassthru'] = $_POST['barnconfigpassthru'] ? base64_encode($_POST['barnconfigpassthru']) : $pconfig['barnconfigpassthru']; @@ -231,8 +104,6 @@ if ($_POST["Submit"]) { $natent['snortunifiedlog'] = 'on'; else $natent['snortunifiedlog'] = 'off'; - if (empty($_POST['barnyard_enable'])) - $natent['snortunifiedlog'] = 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -244,7 +115,7 @@ if ($_POST["Submit"]) { } write_config(); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -252,7 +123,6 @@ if ($_POST["Submit"]) { header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: snort_barnyard.php?id=$id"); exit; } 
@@ -334,73 +204,16 @@ function enable_change(enable_change) { <tr> <td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <?php - /* display error code if there is no id */ - if($id == "") - { - echo " - <style type=\"text/css\"> - .noid { - position:absolute; - top:10px; - left:0px; - width:94%; - background:#FCE9C0; - background-position: 15px; - border-top:2px solid #DBAC48; - border-bottom:2px solid #DBAC48; - padding: 15px 10px 85% 50px; - } - </style> - <div class=\"alert\" ALIGN=CENTER><img src=\"/themes/{$g['theme']}/images/icons/icon_alert.gif\"/><strong>You can not edit options without an interface ID.</CENTER></div>\n"; - - } - ?> <tr> <td colspan="2" valign="top" class="listtopic">General Barnyard2 Settings</td> </tr> <tr> <td width="22%" valign="top" class="vncellreq2">Enable</td> - <td width="78%" class="vtable"><?php - // <input name="enable" type="checkbox" value="yes" checked onClick="enable_change(false)"> - // care with spaces - if ($pconfig['barnyard_enable'] == "on") - $checked = checked; - if($id != "") - { - $onclick_enable = "onClick=\"enable_change(false)\">"; - } - echo " - <input name=\"barnyard_enable\" type=\"checkbox\" value=\"on\" $checked $onclick_enable - <strong>Enable Barnyard2 on this Interface</strong><br> - This will enable barnyard2 for this interface. You will also have to set the database credentials.</td>\n\n"; - ?> - - </tr> - <tr> - <td width="22%" valign="top" class="vncell2">Interface</td> - <td width="78%" class="vtable"><select name="interface" - class="formfld"> - <?php - if (function_exists('get_configured_interface_with_descr')) - $interfaces = get_configured_interface_with_descr(); - else { - $interfaces = array('wan' => 'WAN', 'lan' => 'LAN', 'pptp' => 'PPTP', 'pppoe' => 'PPPOE'); - for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { - $interfaces['opt' . $i] = $config['interfaces']['opt' . 
$i]['descr']; - } - } - foreach ($interfaces as $iface => $ifacename): - if ($iface != $pconfig['interface']) - continue; - ?> - <option value="<?=$iface;?>" selected><?=htmlspecialchars($ifacename);?></option> - - <?php endforeach; ?> - </select><br> - <span class="vexpl">The interface this rule applies to.</span><br/> - </td> + <td width="78%" class="vtable"> + <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)"> + <strong>Enable Barnyard2 </strong><br> + This will enable barnyard2 for this interface. You will also have to set the database credentials.</td> </tr> <tr> <td colspan="2" valign="top" class="listtopic">Mysql Settings</td> @@ -431,8 +244,7 @@ function enable_change(enable_change) { <td width="22%" valign="top"> </td> <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_nat[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> <?php endif; ?></td> + <input name="id" type="hidden" value="<?=$id;?>"> </td> </tr> <tr> <td width="22%" valign="top"> </td> @@ -452,6 +264,6 @@ function enable_change(enable_change) { enable_change(false); //--> </script> - <?php include("fend.inc"); ?> +<?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc index 0529f79b..28d454b0 100644 --- a/config/snort/snort_check_cron_misc.inc +++ b/config/snort/snort_check_cron_misc.inc @@ -65,7 +65,8 @@ if (snort_Getdirsize('/var/log/snort/') >= $snortloglimitsizeKB ) { exec('/bin/echo "" > /var/log/snort/alert'); } post_delete_logs(); - mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + /* XXX: This is needed if snort is run as snort user */ + //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); mwexec('/bin/chmod 660 /var/log/snort/*', true); } conf_mount_ro(); 
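Review bot: The "no interface ID" alert and the interface selector are removed from the barnyard form without a visible replacement, so the page no longer shows which interface is being edited and this view has no guard for a missing `$id`. snort_define_servers.php in the same commit adds `if (is_null($id)) { header("Location: /snort/snort_interfaces.php"); exit; }` where `$id` is read; confirm snort_barnyard.php has the same server-side check (its `$id` assignment is outside this chunk) or add it. The enable checkbox itself is a straight simplification and reads fine.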
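Review bot: The hidden field `<input name="id" type="hidden" value="<?=$id;?>">` is now emitted unconditionally and without escaping, where the removed `isset($id) && $a_nat[$id]` guard previously limited it to ids that exist in the config; a request-supplied `$id` is reflected straight into the attribute. Write it as `value="<?=htmlspecialchars($id);?>"` and reject non-numeric ids at the point `$id` is read (snort_define_servers.php in this commit reads it from `$_GET`/`$_POST`; the barnyard page's read is outside this view). The identical change in snort_define_servers.php at `@@ -624,9 +503,8 @@` needs the same escaping.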
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index cb85e0ef..5043a624 100644
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -1,7 +1,6 @@
 <?php
-/* $Id$ */
 /*
- snort_rulesets.php
+ snort_check_for_rule_updates.php
 Copyright (C) 2006 Scott Ullrich
 Copyright (C) 2009 Robert Zelaya
 Copyright (C) 2011 Ermal Luci
@@ -41,8 +40,8 @@ $pkg_interface = "console";
 $tmpfname = "/usr/local/etc/snort/tmp/snort_rules_up";
 $snortdir = "/usr/local/etc/snort";
 $snortdir_wan = "/usr/local/etc/snort";
-$snort_filename_md5 = "snortrules-snapshot-2861.tar.gz.md5";
-$snort_filename = "snortrules-snapshot-2861.tar.gz";
+$snort_filename_md5 = "snortrules-snapshot-2905.tar.gz.md5";
+$snort_filename = "snortrules-snapshot-2905.tar.gz";
 $emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5";
 $emergingthreats_filename = "emerging.rules.tar.gz";
 $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5";
@@ -150,7 +149,7 @@ if ($emergingthreats == 'on')
 update_status(gettext("Downloading emergingthreats md5 file..."));
 ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
 // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt");
- $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz.md5');
+ $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5');
 @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image);
 update_status(gettext("Done downloading emergingthreats md5"));
 }
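Review bot: `$image` is `false` when the `@file_get_contents` fetch fails, and the next context line writes it to `{$tmpfname}/{$emergingthreats_filename_md5}` regardless, so a network error leaves an empty md5 file that the later comparison presumably treats as a real checksum, with both `@` suppressions hiding the cause. Guard it: `if ($image !== false) @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); else update_status(gettext("Failed to download emergingthreats md5"));`. The same pattern is at `@@ -203,7 +202,7 @@` in snort_download_rules.php. Separately, the 2905 snapshot name and the emergingthreats URL are now hard-coded in snort_check_for_rule_updates.php, snort_download_rules.php and snort_download_updates.php; one definition in the shared snort.inc would keep the three from drifting.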
@@ -286,7 +285,7 @@ if ($emergingthreats == "on") }else{ update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); + download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); update_status(gettext('Done downloading Emergingthreats rules file.')); } } @@ -340,11 +339,9 @@ if ($snortdownload == 'on') if (file_exists("{$tmpfname}/{$snort_filename}")) { if ($pfsense_stable == 'yes') - { $freebsd_version_so = 'FreeBSD-7-2'; - }else{ - $freebsd_version_so = 'FreeBSD-8-0'; - } + else + $freebsd_version_so = 'FreeBSD-8-1'; update_status(gettext("Extracting Snort.org rules...")); update_output_window(gettext("May take a while...")); 
@@ -356,14 +353,17 @@ if ($snortdownload == 'on') sleep(2); exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); - /* extract so rules on for x86 for now */ - /* TODO: ask snort.org to build x64 version of so rules for Freebsd 8.1 Sept 05,2010 */ + /* extract so rules */ + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); if($snort_arch == 'x86'){ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.8.6.1/"); - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); - exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.8.6.1/* /usr/local/lib/snort/dynamicrules/"); - /* extract so rules none bin and rename */ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } else if ($snort_arch == 'x64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } + /* extract so rules none bin and rename */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . " so_rules/chat.rules/" . " so_rules/dos.rules/" . " so_rules/exploit.rules/" . @@ -412,7 +412,6 @@ if ($snortdownload == 'on') update_output_window(gettext("Error Line 755")); $snortdownload = 'off'; } - } } /* Untar emergingthreats rules to tmp */ 
@@ -547,31 +546,36 @@ exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/r ////////////////// - /* open oinkmaster_conf for writing" function */ function oinkmaster_conf($id, $if_real, $iface_uuid) { - global $config, $g, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + global $config, $g, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + + @unlink("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf"); /* enable disable setting will carry over with updates */ /* TODO carry signature changes with the updates */ if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + $selected_sid_on_section = ""; + $selected_sid_off_sections = ""; + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { - $enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; + $enabled_sid_on = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']); $enabled_sid_on_array = split('\|\|', $enabled_sid_on); foreach($enabled_sid_on_array as $enabled_item_on) $selected_sid_on_sections .= "$enabled_item_on\n"; } if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { - $enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; + $enabled_sid_off = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']); $enabled_sid_off_array = split('\|\|', $enabled_sid_off); foreach($enabled_sid_off_array as $enabled_item_off) $selected_sid_off_sections .= "$enabled_item_off\n"; } - $snort_sid_text = <<<EOD + if (!empty($selected_sid_off_sections) || !empty($selected_sid_on_section)) { + $snort_sid_text = <<<EOD ########################################### # # 
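Review bot: The new initialiser `$selected_sid_on_section = "";` and the new guard `!empty($selected_sid_on_section)` use the singular name while the loop above appends to `$selected_sid_on_sections`, so an enable-only change never satisfies the guard, and because the old conf was just `@unlink`ed, no oinkmaster.conf is written at all in that case. Change both to `$selected_sid_on_sections`, as the copy of this function in snort_download_rules.php (`@@ -612,27 +614,33 @@`) already has it. While here, `split('\|\|', ...)` is the deprecated POSIX-regex function; `explode('||', $enabled_sid_on)` does the same without escaping. The heredoc and the function's closing brace continue in the next hunk.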
@@ -591,8 +595,9 @@ $selected_sid_off_sections EOD; - /* open snort's oinkmaster.conf for writing */ - @file_put_contents("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf", $snort_sid_text); + /* open snort's oinkmaster.conf for writing */ + @file_put_contents("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf", $snort_sid_text); + } } } @@ -603,11 +608,8 @@ function oinkmaster_run($id, $if_real, $iface_uuid) { global $config, $g, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') - { - - if ($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'] == '' && $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'] == '') - { + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + if (empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']) && empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { update_status(gettext("Your first set of rules are being copied...")); update_output_window(gettext("May take a while...")); exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); @@ -618,7 +620,7 @@ function oinkmaster_run($id, $if_real, $iface_uuid) exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - }else{ + } else { update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); update_output_window(gettext("May take a while...")); exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); 
@@ -633,11 +635,6 @@ function oinkmaster_run($id, $if_real, $iface_uuid) /* might have to add a sleep for 3sec for flash drives or old drives */ exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf -o /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules > /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); - /* TODO: Remove this code when x64 so rules are ready */ - if($snort_arch == 'x64'){ - exec("/bin/rm -r /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.so.rules"); - } - } } } @@ -672,10 +669,12 @@ if (is_dir('/usr/local/etc/snort/tmp')) { exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); } -/* make all dirs snorts */ +/* XXX: These are needed if snort is run as snort user mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); +*/ +/* make all dirs snorts */ mwexec("/bin/chmod -R 755 /var/log/snort", true); mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); mwexec("/bin/chmod -R 755 /usr/local/lib/snort", true); @@ -687,14 +686,6 @@ else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_ else { /* You are Not Up to date, always stop snort when updating rules for low end machines */; update_status(gettext("You are NOT up to date...")); - $chk_if_snort_up = exec("pgrep -x snort"); - if ($chk_if_snort_up != "") { - update_output_window(gettext("Stopping Snort service...")); - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop"); - sleep(2); - } - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); update_status(gettext("The Rules update finished...")); update_output_window(gettext("Snort has restarted with your new set of rules...")); 
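Review bot: The relocated `/* make all dirs snorts */` comment now heads the `chmod -R 755` lines, which it does not describe — it referred to the chown calls that are now inside the `/* XXX ... */` block. Replace it with something like `/* open read/execute perms on log, config and lib trees */` or drop it. With the chown gone, the recursive chmod still marks every file under /usr/local/etc/snort mode 755; if barnyard2 configs holding the MySQL settings saved earlier in this commit live there, a directory-only chmod or 750/640 would be the safer default, though that line is pre-existing and outside this change. Same edit in snort_download_rules.php at `@@ -733,10 +733,12 @@`.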
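Review bot: The stop and start of snort are removed but the remaining context line still reports `Snort has restarted with your new set of rules...`, which is no longer true unless something outside this hunk restarts it. Either change the message, e.g. `update_output_window(gettext("Rules updated; restart Snort to load them..."));`, or restore a restart. The touch of `/tmp/snort_download_halt.pid` also disappears, so whatever checked that marker (not in view) will never see it — worth confirming that reader was removed as well. Same removal in snort_download_rules.php at `@@ -751,14 +753,6 @@`.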
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 68b5710a..e3238ef7 100644 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -1,7 +1,7 @@ <?php /* $Id$ */ /* - snort_interfaces.php + snort_define_servers.php part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. 
@@ -45,38 +45,24 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g; -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} - -//nat_rules_sort(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; - $after = $_GET['dup']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; } +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; +$pconfig = array(); if (isset($id) && $a_nat[$id]) { + $pconfig = $a_nat[$id]; /* old options */ - $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; - $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; - $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; - $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; - $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; - $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; - $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; - $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; - $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; - $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; 
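Review bot: `$id` comes straight from `$_GET`/`$_POST` and the new check only rejects `null`, so any non-numeric or non-existent id passes, is used as the key in `$a_nat[$id]`, and reaches the form with an empty `$pconfig` (and is later echoed into the page at `@@ -624,9 +503,8 @@`). Move the `is_array` setup above the check and tighten it to `if (is_null($id) || !ctype_digit((string)$id) || !isset($a_nat[$id])) { header("Location: /snort/snort_interfaces.php"); exit; }`. The per-key `$pconfig['def_*'] = $a_nat[$id][...]` copies that remain below are redundant after `$pconfig = $a_nat[$id];`.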
@@ -110,82 +96,22 @@ if (isset($id) && $a_nat[$id]) { $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; - $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; - $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['uuid'] = $a_nat[$id]['uuid']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; - $pconfig['homelistname'] = $a_nat[$id]['homelistname']; - $pconfig['externallistname'] = $a_nat[$id]['externallistname']; - $pconfig['suppresslistname'] = $a_nat[$id]['suppresslistname']; - $pconfig['descr'] = $a_nat[$id]['descr']; - $pconfig['performance'] = $a_nat[$id]['performance']; - $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; - $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; - $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; - $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; - $pconfig['configpassthru'] = $a_nat[$id]['configpassthru']; - $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; - $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; - $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; - - if (isset($_GET['dup'])) - unset($id); } /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; /* alert file */ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; +if ($_POST) { -if ($_POST["Submit"]) { - - /* check for overlaps */ + $natent = array(); + $natent = $pconfig; /* if no errors write to conf */ if (!$input_errors) { - $natent = array(); - /* repost the options already in conf */ - if ($pconfig['interface'] != "") { $natent['interface'] 
= $pconfig['interface']; } - if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } - if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } - if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } - if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } - if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } - if ($pconfig['alertsystemlog'] != "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } - if ($pconfig['tcpdumplog'] != "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } - if ($pconfig['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } - if ($pconfig['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $pconfig['def_ssl_ports_ignore']; } - if ($pconfig['flow_depth'] != "") { $natent['flow_depth'] = $pconfig['flow_depth']; } - if ($pconfig['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $pconfig['max_queued_bytes']; } - if ($pconfig['max_queued_segs'] != "") { $natent['max_queued_segs'] = $pconfig['max_queued_segs']; } - if ($pconfig['perform_stat'] != "") { $natent['perform_stat'] = $pconfig['perform_stat']; } - if ($pconfig['http_inspect'] != "") { $natent['http_inspect'] = $pconfig['http_inspect']; } - if ($pconfig['other_preprocs'] != "") { $natent['other_preprocs'] = $pconfig['other_preprocs']; } - if ($pconfig['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $pconfig['ftp_preprocessor']; } - if ($pconfig['smtp_preprocessor'] != "") { $natent['smtp_preprocessor'] = $pconfig['smtp_preprocessor']; } - if ($pconfig['sf_portscan'] != "") { $natent['sf_portscan'] = $pconfig['sf_portscan']; } - if ($pconfig['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $pconfig['dce_rpc_2']; } - if ($pconfig['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $pconfig['dns_preprocessor']; } - if ($pconfig['barnyard_enable'] != "") { 
$natent['barnyard_enable'] = $pconfig['barnyard_enable']; } - if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } - if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } - if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } - if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } - if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } - if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } - if ($pconfig['whitelistname'] != "") { $natent['whitelistname'] = $pconfig['whitelistname']; } - if ($pconfig['homelistname'] != "") { $natent['homelistname'] = $pconfig['homelistname']; } - if ($pconfig['externallistname'] != "") { $natent['externallistname'] = $pconfig['externallistname']; } - if ($pconfig['suppresslistname'] != "") { $natent['suppresslistname'] = $pconfig['suppresslistname']; } - - /* post new options */ if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; }else{ $natent['def_dns_servers'] = ""; } if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; }else{ $natent['def_dns_ports'] = ""; } @@ -233,7 +159,7 @@ if ($_POST["Submit"]) { write_config(); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -241,9 +167,7 @@ if ($_POST["Submit"]) { header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - header("Location: snort_define_servers.php?id=$id"); - exit; } } 
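Review bot: The `$snort_uuid = ...` assignment is removed but the following context line still builds `$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty";` from it, so the path now interpolates an undefined variable; the only reader of `$d_snortconfdirty_path` visible in this commit is deleted at `@@ -284,20 +199,6 @@`, so the line can probably go too (other readers may exist outside this view). `snort_get_real_interface($pconfig['interface'])` also now runs with an empty `$pconfig` when `$a_nat[$id]` did not exist. `$natent = array();` immediately overwritten by `$natent = $pconfig;` is dead; keep only the second.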
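Review bot: With `header("Location: ...")` and `exit` removed, the `Expires`/`Cache-Control`/`Pragma` headers that remain in this hunk no longer accompany a redirect; the POST now falls through and renders the form, so a browser refresh re-submits it and re-runs `sync_snort_package_config()`. If dropping the post-redirect-get is intended, remove the three dead `header()` calls as well; otherwise restore `header("Location: snort_define_servers.php?id=$id"); exit;`. The enclosing `if ($_POST)` block starts in an earlier hunk.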
@@ -262,15 +186,6 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} echo "{$snort_general_css}\n"; ?> -<div class="body2"> - -<noscript> -<div class="alert" ALIGN=CENTER><img - src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please -enable JavaScript to view this content -</CENTER></div> -</noscript> - <form action="snort_define_servers.php" method="post" enctype="multipart/form-data" name="iform" id="iform"><?php @@ -284,20 +199,6 @@ enable JavaScript to view this content print_info_box2($savemsg); } - //if (file_exists($d_snortconfdirty_path)) { - if (file_exists($d_snortconfdirty_path) || file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { - echo '<p>'; - - if($savemsg) { - print_info_box_np2("{$savemsg}"); - }else{ - print_info_box_np2(' - The Snort configuration has changed and snort needs to be restarted on this interface.<br> - You must apply the changes in order for them to take effect.<br> - '); - } - } - ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -324,28 +225,6 @@ enable JavaScript to view this content <tr> <td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <?php - /* display error code if there is no id */ - if($id == "") - { - echo " - <style type=\"text/css\"> - .noid { - position:absolute; - top:10px; - left:0px; - width:94%; - background:#FCE9C0; - background-position: 15px; - border-top:2px solid #DBAC48; - border-bottom:2px solid #DBAC48; - padding: 15px 10px 85% 50px; - } - </style> - <div class=\"alert\" ALIGN=CENTER><img src=\"/themes/{$g['theme']}/images/icons/icon_alert.gif\"/><strong>You can not edit options without an interface ID.</CENTER></div>\n"; - - } - ?> <tr> <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span><br> 
@@ -624,9 +503,8 @@ enable JavaScript to view this content <td width="22%" valign="top"> </td> <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_nat[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <?php endif; ?></td> + <input name="id" type="hidden" value="<?=$id;?>"> + </td> </tr> <tr> <td width="22%" valign="top"> </td> @@ -638,10 +516,6 @@ enable JavaScript to view this content </table> </form> - -</div> - - - <?php include("fend.inc"); ?> +<?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index 0e4ce635..1056c337 100644 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -1,7 +1,6 @@ <?php -/* $Id$ */ /* - snort_rulesets.php + snort_download_rules.php Copyright (C) 2006 Scott Ullrich Copyright (C) 2009 Robert Zelaya Copyright (C) 2011 Ermal Luci @@ -40,8 +39,8 @@ require_once("/usr/local/pkg/snort/snort.inc"); $tmpfname = "/usr/local/etc/snort/tmp/snort_rules_up"; $snortdir = "/usr/local/etc/snort"; $snortdir_wan = "/usr/local/etc/snort"; -$snort_filename_md5 = "snortrules-snapshot-2861.tar.gz.md5"; -$snort_filename = "snortrules-snapshot-2861.tar.gz"; +$snort_filename_md5 = "snortrules-snapshot-2905.tar.gz.md5"; +$snort_filename = "snortrules-snapshot-2905.tar.gz"; $emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5"; $emergingthreats_filename = "emerging.rules.tar.gz"; $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; 
@@ -203,7 +202,7 @@ if ($emergingthreats == 'on') update_status(gettext("Downloading emergingthreats md5 file...")); ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz.md5'); + $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5'); @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); update_status(gettext("Done downloading emergingthreats md5")); } @@ -346,7 +345,7 @@ if ($emergingthreats == "on") }else{ update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); + download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); update_status(gettext('Done downloading Emergingthreats rules file.')); } } @@ -404,7 +403,7 @@ if ($snortdownload == 'on') { $freebsd_version_so = 'FreeBSD-7-2'; }else{ - $freebsd_version_so = 'FreeBSD-8-0'; + $freebsd_version_so = 'FreeBSD-8-1'; } update_status(gettext("Extracting Snort.org rules...")); 
@@ -417,14 +416,18 @@ if ($snortdownload == 'on') sleep(2); exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); - /* extract so rules on for x86 for now */ - /* TODO: ask snort.org to build x64 version of so rules for Freebsd 8.1 Sept 05,2010 */ - if($snort_arch == 'x86'){ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.8.6.1/"); - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); - exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.8.6.1/* /usr/local/lib/snort/dynamicrules/"); - /* extract so rules none bin and rename */ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . + /* extract so rules */ + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); + if($snort_arch == 'x86') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } else if ($snort_arch == 'x64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } + /* extract so rules none bin and rename */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . " so_rules/chat.rules/" . " so_rules/dos.rules/" . " so_rules/exploit.rules/" . @@ -473,7 +476,6 @@ if ($snortdownload == 'on') update_output_window(gettext("Error Line 755")); $snortdownload = 'off'; } - } } /* Untar emergingthreats rules to tmp */ 
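Review bot: The x86 branch runs the same `exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/");` twice in a row; the parallel hunk in snort_check_for_rule_updates.php (`@@ -356,14 +353,17 @@`) has it once, so drop the duplicate. In both files the exit status of `tar` and `mv -f` is discarded, so a snapshot that lacks the `2.9.0.5` precompiled directory for the arch silently leaves dynamicrules untouched; passing `$out, $rc` to `exec()` and reporting `$rc != 0` via `update_status()` would surface that. `2.9.0.5` is also repeated four times per file — one `$so_version` variable beside `$snort_filename` keeps the next bump to a single edit.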
@@ -612,27 +614,33 @@ exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/r /* open oinkmaster_conf for writing" function */ function oinkmaster_conf($id, $if_real, $iface_uuid) { - global $config, $g, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + global $config, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + + @unlink("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf"); /* enable disable setting will carry over with updates */ /* TODO carry signature changes with the updates */ if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + $selected_sid_on_sections = ""; + $selected_sid_off_sections = ""; + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { - $enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; + $enabled_sid_on = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']); $enabled_sid_on_array = split('\|\|', $enabled_sid_on); foreach($enabled_sid_on_array as $enabled_item_on) $selected_sid_on_sections .= "$enabled_item_on\n"; } if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { - $enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; + $enabled_sid_off = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']); $enabled_sid_off_array = split('\|\|', $enabled_sid_off); foreach($enabled_sid_off_array as $enabled_item_off) $selected_sid_off_sections .= "$enabled_item_off\n"; } - $snort_sid_text = <<<EOD + if (!empty($selected_sid_on_sections) || !empty($selected_sid_off_sections)) { + $snort_sid_text = <<<EOD ########################################### # # 
@@ -652,8 +660,9 @@ $selected_sid_off_sections EOD; - /* open snort's oinkmaster.conf for writing */ - @file_put_contents("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf", $snort_sid_text); + /* open snort's oinkmaster.conf for writing */ + @file_put_contents("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf", $snort_sid_text); + } } } @@ -664,11 +673,8 @@ function oinkmaster_run($id, $if_real, $iface_uuid) { global $config, $g, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') - { - - if ($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'] == '' && $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'] == '') - { + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + if (empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']) && empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { update_status(gettext("Your first set of rules are being copied...")); update_output_window(gettext("May take a while...")); exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); @@ -679,7 +685,7 @@ function oinkmaster_run($id, $if_real, $iface_uuid) exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - }else{ + } else { update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); update_output_window(gettext("May take a while...")); exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); 
@@ -693,12 +699,6 @@ function oinkmaster_run($id, $if_real, $iface_uuid) /* might have to add a sleep for 3sec for flash drives or old drives */ exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf -o /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules > /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); - - /* TODO: Remove this code when x64 so rules are ready */ - if($snort_arch == 'x64'){ - exec("/bin/rm -r /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.so.rules"); - } - } } } @@ -733,10 +733,12 @@ if (is_dir('/usr/local/etc/snort/tmp')) { exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); } -/* make all dirs snorts */ +/* XXX: These are needed if snort is run as snort user mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); +*/ +/* make all dirs snorts */ mwexec("/bin/chmod -R 755 /var/log/snort", true); mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); mwexec("/bin/chmod -R 755 /usr/local/lib/snort", true); @@ -751,14 +753,6 @@ else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_ else { /* You are Not Up to date, always stop snort when updating rules for low end machines */; update_status(gettext("You are NOT up to date...")); - $chk_if_snort_up = exec("pgrep -x snort"); - if ($chk_if_snort_up != "") { - update_output_window(gettext("Stopping Snort service...")); - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop"); - sleep(2); - } - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); update_status(gettext("The Rules update finished...")); update_output_window(gettext("Snort has restarted with your new set of rules...")); 
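Review bot: Commenting out the three `chown -R snort:snort` calls leaves ownership of /var/log/snort and /usr/local/etc/snort to whatever created them, while the `chmod -R 755` lines immediately below still run, so the alert and unified2 logs — which can carry captured packet payload — stay world-readable on the box. If the daemon now runs as root, as the XXX comment suggests, the log directory needs no group or world access at all: `mwexec("/bin/chmod -R 750 /var/log/snort", true);`. The comment should also state which user the daemon runs as now, since that is what decides whether dropping the chowns is safe; that information is not in the hunk.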
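Review bot: Removing the pgrep/stop sequence means that after a rules update only `snort.sh start` runs while the previous instance is still up; unless the script's start target restarts running instances (its body is not visible here), the old process keeps the old rules and the "Snort has restarted with your new set of rules..." message is wrong. Either invoke a restart, `exec("/bin/sh /usr/local/etc/rc.d/snort.sh restart");`, or keep the explicit stop before the start. The `/tmp/snort_download_halt.pid` marker is also no longer created, so anything that still tests for it should be checked.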
diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 92ff0a06..ebde5729 100644 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -1,7 +1,6 @@ <?php -/* $Id$ */ /* - halt.php + snort_download_updates.php part of pfSense Copyright (C) 2004 Scott Ullrich Copyright (C) 2011 Ermal Luci @@ -45,9 +44,9 @@ $snort_load_jquery_colorbox = 'yes'; /* quick md5s chk */ -if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5')) +if(file_exists('/usr/local/etc/snort/snortrules-snapshot-2905.tar.gz.md5')) { - $snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2861.tar.gz.md5'); + $snort_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/snortrules-snapshot-2905.tar.gz.md5'); }else{ $snort_org_sig_chk_local = 'N/A'; } diff --git a/config/snort/snort_dynamic_ip_reload.php b/config/snort/snort_dynamic_ip_reload.php deleted file mode 100644 index 66bc505c..00000000 --- a/config/snort/snort_dynamic_ip_reload.php +++ /dev/null 
@@ -1,45 +0,0 @@ -<?php - -/* $Id$ */ -/* - snort_dynamic_ip_reload.php - Copyright (C) 2009 Robert Zeleya - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -/* NOTE: this file gets included from the pfSense filter.inc plugin process */ -/* NOTE: file location /usr/local/pkg/pf, all files in pf dir get exec on filter reloads */ - -require_once("/usr/local/pkg/snort/snort.inc"); - -if (file_exists('/var/run/snort_dynamic_ip_reload.dirty')) { - exit(); -} - -exec('/usr/bin/touch /var/run/snort_dynamic_ip_reload.dirty'); - -sync_snort_package_config(); -@unlink("/var/run/snort_dynamic_ip_reload.dirty"); - -?> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index 1d91eda8..9174c24f 100644 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php 
@@ -51,56 +51,13 @@ if (isset($_POST['del_x'])) { /* delete selected rules */ if (is_array($_POST['rule'])) { conf_mount_rw(); - foreach ($_POST['rule'] as $rulei) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($a_nat[$rulei]['interface']); $snort_uuid = $a_nat[$rulei]['uuid']; - /* cool code to check if any snort is up */ - $snort_up_ck = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep snort | /usr/bin/awk '{print \$2;}' | sed 1q"); - - if ($snort_up_ck != "") - { - - $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}\" | awk '{print \$1;}'"); - $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); - $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); - - $start2_upb_pre = exec("/bin/cat /var/run/barnyard2_{$snort_uuid}_{$if_real}.pid"); - $start2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); - $start2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); - - - if ($start_up_s != "" || $start_up_r != "" || $start2_upb_s != "" || $start2_upb_r != "") { - /* remove only running instances */ - if ($start_up_s != "") { - exec("/bin/kill {$start_up_s}"); - exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); - } - - if ($start2_upb_s != "") { - exec("/bin/kill {$start2_upb_s}"); - exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); - } - - if ($start_up_r != "") { - exec("/bin/kill {$start_up_r}"); - exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); - } - - if ($start2_upb_r != "") { - exec("/bin/kill {$start2_upb_r}"); - exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); - } - } - - } - - /* for every iface do these steps */ - exec("/bin/rm /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*"); - exec("/bin/rm -r 
/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + Running_Stop($snort_uuid,$if_real, $rulei); unset($a_nat[$rulei]); } @@ -110,15 +67,15 @@ if (isset($_POST['del_x'])) { sleep(2); /* if there are no ifaces do not create snort.sh */ - if (isset($config['installedpackages']['snortglobal']['rule'][0]['enable'])) { + if (!empty($config['installedpackages']['snortglobal']['rule'])) create_snort_sh(); - }else{ + else { conf_mount_rw(); exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); conf_mount_ro(); } - sync_snort_package_empty(); + sync_snort_package_config(); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -141,15 +98,11 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { /* Log Iface stop */ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Toggle for {$snort_uuid}_{$if_real}...'"); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); $tester2 = Running_Ck($snort_uuid, $if_real, $id); if ($tester2 == 'yes') { - - /* Log Iface stop */ - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup '{$tester2} yn for {$snort_uuid}_{$if_real}...'"); - Running_Stop($snort_uuid, $if_real, $id); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -158,8 +111,7 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - }else{ - + } else { Running_Start($snort_uuid, $if_real, $id); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -168,6 +120,7 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); } + sleep(4); // So the GUI reports correctly header("Location: /snort/snort_interfaces.php"); exit; } diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index c843a3f7..b1a091e7 100644 --- a/config/snort/snort_interfaces_edit.php 
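Review bot: After `Running_Stop($snort_uuid,$if_real, $rulei)` the deleted interface's `/usr/local/etc/snort/snort_{uuid}_{if}` directory and its `/var/log/snort/snort.u2_{uuid}_{if}*` files, which the removed lines used to delete, are no longer touched, so unless Running_Stop() performs that cleanup (its body is not visible here) every interface deletion orphans rules, conf and unified2 logs on disk. Re-add the cleanup after the stop, guarded so an empty uuid cannot widen the glob: `if (!empty($snort_uuid)) { exec("/bin/rm -f /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*"); exec("/bin/rm -rf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); }`. The enclosing `if (isset($_POST['del_x']))` block starts before this hunk.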
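Review bot: The reworked toggle branch still starts and stops the sensor from a plain GET (`?act=toggle&id=N`; the `if ($_GET['act'] == 'toggle' && is_numeric($id))` test is context just above the new `sync_snort_package_config()` call), and nothing in the hunk checks a CSRF token or requires a POST, so any page an authenticated admin views can flip an interface with an `<img>` tag pointing at that URL. Since the branch is being rewritten anyway, require the action to arrive by POST and verify it with the platform's CSRF helper (which helper exists on this pfSense release is not visible here), e.g. `if ($_POST['act'] == 'toggle' && is_numeric($id))` together with a hidden token in the form that submits it.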
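Review bot: `sleep(4); // So the GUI reports correctly` papers over a race with a fixed delay: on a slow box the interface list still shows the old state, on a fast one the page stalls for four seconds. Poll `Running_Ck($snort_uuid, $if_real, $id)` in a short bounded loop (for example up to ten `usleep(500000)` iterations) until it reports the opposite of `$tester2`, then redirect. That makes the intent explicit and bounded instead of relying on a magic number.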
+++ b/config/snort/snort_interfaces_edit.php @@ -284,7 +284,7 @@ if (isset($_GET['dup'])) write_config(); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); sleep(1); /* if snort.sh crashed this will remove the pid */ @@ -295,7 +295,7 @@ if (isset($_GET['dup'])) header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - header("Location: /snort/snort_interfaces_edit.php?id=$id"); + header("Location: /snort/snort_interfaces.php"); exit; } @@ -303,7 +303,7 @@ if (isset($_GET['dup'])) if ($_POST["Submit2"]) { - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); sleep(1); Running_Start($snort_uuid, $if_real, $id); @@ -317,35 +317,6 @@ if (isset($_GET['dup'])) exit; } - if ($_POST["Submit3"]) - { - - Running_Stop($snort_uuid, $if_real, $id); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: /snort/snort_interfaces_edit.php?id=$id"); - exit; - - } - - /* This code needs to be below headers */ - if (isset($config['installedpackages']['snortglobal']['rule'][$id]['interface'])) - { - - $snort_up_ck2_info = Running_Ck($snort_uuid, $if_real, $id); - - if ($snort_up_ck2_info == 'no') - $snort_up_ck = '<input name="Submit2" type="submit" class="formbtn" value="Start" onClick="enable_change(true)">'; - else - $snort_up_ck = '<input name="Submit3" type="submit" class="formbtn" value="Stop" onClick="enable_change(true)">'; - } else - $snort_up_ck = ''; - - $pgtitle = "Snort: Interface Edit: $id $snort_uuid $if_real"; include_once("head.inc"); 
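Review bot: Dropping the `Submit3` handler and the `$snort_up_ck` Start/Stop buttons leaves the `if ($_POST["Submit2"])` branch in the hunk just above unreachable from the form — no element posts `Submit2` any more — yet it still calls `Running_Start()` for anyone who crafts that POST. Delete that branch as well, or keep a single explicit Start control; a dead start path in a firewall UI is confusing at best. The request-handling code around these hunks begins before the first of them.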
@@ -694,7 +665,6 @@ function enable_change(enable_change) { <tr> <td width="22%" valign="top"></td> <td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save"> - <?php echo $snort_up_ck; ?> <?php if (isset($id) && $a_nat[$id]): ?> <input name="id" type="hidden" value="<?=$id;?>"> <?php endif; ?></td> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 37d389da..57fec1f1 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -103,7 +103,7 @@ if (!$input_errors) { write_config(); /* create whitelist and homenet file then sync files */ - sync_snort_package_empty(); + sync_snort_package_config(); /* forces page to reload new settings */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -143,7 +143,7 @@ if ($_POST["Reset"]) { $x=0; $is_installed = false; foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { + if (strstr($item['command'], $cronmatch)) { $is_installed = true; break; } diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index 03ba1df8..fe3c54a5 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -184,7 +184,7 @@ if ($_POST['submit']) { write_config(); /* create whitelist and homenet file then sync files */ - sync_snort_package_empty(); + sync_snort_package_config(); header("Location: /snort/snort_interfaces_whitelist.php"); exit; diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index df4e9b6a..7f89d433 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -1,7 +1,7 @@ <?php /* $Id$ */ /* - snort_interfaces.php + snort_preprocessors.php part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. 
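Review bot: The new `strstr($item['command'], $cronmatch)` relies on `$cronmatch`, which is not assigned anywhere in this hunk; if it is not defined earlier in the file (not visible here) the needle is null, `strstr()` warns and returns false for every item, `$is_installed` never becomes true and a fresh cron entry is appended on every Reset. Set `$cronmatch` right before the loop to the same string the cron command is built from, so the two cannot drift, and compare with `strpos($item['command'], $cronmatch) !== false` so the intent is clear. The enclosing `if ($_POST["Reset"])` block starts before this hunk.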
@@ -46,15 +46,17 @@ $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; - $after = $_GET['dup']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; } +$pconfig = array(); if (isset($id) && $a_nat[$id]) { + $pconfig = $a_nat[$id]; /* new options */ + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; 
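Review bot: The new guard only redirects when `$id` is null; any other value — including a non-numeric string from `?id=` — passes, is used as an index into `$a_nat`, and on POST reaches the save path, which starts from an empty `$pconfig` when `$a_nat[$id]` is unset and presumably writes `$natent` back under that key before the visible `write_config()`. Tighten the guard to `if (!is_numeric($id) || !isset($a_nat[$id])) {` (is_numeric(null) is false, so the null case stays covered). The same `$id` is echoed into a hidden input further down this file, so rejecting non-numeric values here also closes a reflected-injection vector.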
@@ -67,138 +69,22 @@ if (isset($id) && $a_nat[$id]) { $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; - - /* old options */ - $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; - $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; - $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; - $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; - $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; - $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; - $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; - $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; - $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; - $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; - $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; - $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; - $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; - $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; - $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; - $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; - $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; - $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; - $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; - $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; - $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; - $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; - $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; - $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; - $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; - $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; - 
$pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; - $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; - $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; - $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; - $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; - $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; - $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; - $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['uuid'] = $a_nat[$id]['uuid']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['descr'] = $a_nat[$id]['descr']; - $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; - $pconfig['homelistname'] = $a_nat[$id]['homelistname']; - $pconfig['externallistname'] = $a_nat[$id]['externallistname']; - $pconfig['suppresslistname'] = $a_nat[$id]['suppresslistname']; - $pconfig['performance'] = $a_nat[$id]['performance']; - $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; - $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; - $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; - $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; - $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; - $pconfig['configpassthru'] = $a_nat[$id]['configpassthru']; - $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; - $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; - $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; - - if (isset($_GET['dup'])) - unset($id); } /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); - $snort_uuid = $pconfig['uuid']; /* alert file */ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; -if ($_POST["Submit"]) { +if ($_POST) { - /* check for overlaps */ + $natent = array(); + $natent = $pconfig; /* if no errors write to conf */ 
if (!$input_errors) { - $natent = array(); - /* repost the options already in conf */ - if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } - if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } - if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } - if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } - if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } - if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } - if ($pconfig['alertsystemlog'] != "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } - if ($pconfig['tcpdumplog'] != "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } - if ($pconfig['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } - if ($pconfig['barnyard_enable'] != "") { $natent['barnyard_enable'] = $pconfig['barnyard_enable']; } - if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } - if ($pconfig['def_dns_servers'] != "") { $natent['def_dns_servers'] = $pconfig['def_dns_servers']; } - if ($pconfig['def_dns_ports'] != "") { $natent['def_dns_ports'] = $pconfig['def_dns_ports']; } - if ($pconfig['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $pconfig['def_smtp_servers']; } - if ($pconfig['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $pconfig['def_smtp_ports']; } - if ($pconfig['def_mail_ports'] != "") { $natent['def_mail_ports'] = $pconfig['def_mail_ports']; } - if ($pconfig['def_http_servers'] != "") { $natent['def_http_servers'] = $pconfig['def_http_servers']; } - if ($pconfig['def_www_servers'] != "") { $natent['def_www_servers'] = $pconfig['def_www_servers']; } - if ($pconfig['def_http_ports'] != "") { $natent['def_http_ports'] = $pconfig['def_http_ports']; } - if ($pconfig['def_sql_servers'] != "") { $natent['def_sql_servers'] = $pconfig['def_sql_servers']; } - 
if ($pconfig['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $pconfig['def_oracle_ports']; } - if ($pconfig['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $pconfig['def_mssql_ports']; } - if ($pconfig['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $pconfig['def_telnet_servers']; } - if ($pconfig['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $pconfig['def_telnet_ports']; } - if ($pconfig['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $pconfig['def_snmp_servers']; } - if ($pconfig['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $pconfig['def_snmp_ports']; } - if ($pconfig['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $pconfig['def_ftp_servers']; } - if ($pconfig['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $pconfig['def_ftp_ports']; } - if ($pconfig['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $pconfig['def_ssh_servers']; } - if ($pconfig['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $pconfig['def_ssh_ports']; } - if ($pconfig['def_pop_servers'] != "") { $natent['def_pop_servers'] = $pconfig['def_pop_servers']; } - if ($pconfig['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $pconfig['def_pop2_ports']; } - if ($pconfig['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $pconfig['def_pop3_ports']; } - if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } - if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } - if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } - if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } - if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } - if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } - if ($pconfig['def_irc_ports'] 
!= "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } - if ($pconfig['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $pconfig['def_nntp_ports']; } - if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; } - if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; } - if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } - if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } - if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } - if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } - if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } - if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } - if ($pconfig['whitelistname'] != "") { $natent['whitelistname'] = $pconfig['whitelistname']; } - if ($pconfig['homelistname'] != "") { $natent['homelistname'] = $pconfig['homelistname']; } - if ($pconfig['externallistname'] != "") { $natent['externallistname'] = $pconfig['externallistname']; } - if ($pconfig['suppresslistname'] != "") { $natent['suppresslistname'] = $pconfig['suppresslistname']; } - - /* post new options */ $natent['perform_stat'] = $_POST['perform_stat']; if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; } @@ -227,7 +113,7 @@ if ($_POST["Submit"]) { write_config(); $if_real = snort_get_real_interface($pconfig['interface']); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); 
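Review bot: The hunk removes `$snort_uuid = $pconfig['uuid'];`, but the context line right after it, `$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty";`, still interpolates `$snort_uuid`, so unless it is assigned somewhere outside this hunk the dirty-flag path collapses to `snort_conf__<if>.dirty` and is shared by every interface on the same NIC. Keep `$snort_uuid = $pconfig['uuid'];` — the value is still available since `$pconfig` now copies the whole entry. Separately, `if ($_POST)` now treats any non-empty POST as a save, where the old `$_POST["Submit"]` required the Save button; an explicit action check is safer.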
@@ -485,8 +371,7 @@ enable JavaScript to view this content <td width="22%" valign="top"> </td> <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="Save"> - <?php if (isset($id) && $a_nat[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> <?php endif; ?></td> + <input name="id" type="hidden" value="<?=$id;?>"></td> </tr> <tr> <td width="22%" valign="top"> </td> diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 3975fd2c..871eb39e 100644 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -1,7 +1,6 @@ <?php -/* $Id$ */ /* - edit_snortrule.php + snort_rules.php Copyright (C) 2004, 2005 Scott Ullrich Copyright (C) 2008, 2009 Robert Zelaya Copyright (C) 2011 Ermal Luci @@ -43,6 +42,10 @@ $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} if (isset($id) && $a_nat[$id]) { $pconfig['enable'] = $a_nat[$id]['enable']; @@ -52,7 +55,6 @@ if (isset($id) && $a_nat[$id]) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); - $iface_uuid = $a_nat[$id]['uuid']; /* Check if the rules dir is empy if so warn the user */ 
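Review bot: `<input name="id" type="hidden" value="<?=$id;?>">` is now emitted unconditionally with `$id` straight from `$_GET['id']`/`$_POST['id']`, which the top of this file only checks for null, so a value like `"><script>…` is reflected into the page for any admin who follows a crafted link. Escape at output: `<input name="id" type="hidden" value="<?=htmlspecialchars($id, ENT_QUOTES);?>">`. The old guard (`isset($id) && $a_nat[$id]`) at least required a real entry; if it is dropped here, numeric validation has to live at the top of the file instead.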
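Review bot: As in snort_preprocessors.php, `is_null($id)` is the only validation of a request-supplied index that is then used for `$a_nat[$id]`, the page title and the toggle handler's config writes in this file. Use `if (!is_numeric($id) || !isset($a_nat[$id])) {` so a bogus id redirects instead of reaching the rule-file and config code with an empty entry.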
@@ -135,65 +137,27 @@ function get_middle($source, $beginning, $ending, $init_pos) { function write_rule_file($content_changed, $received_file) { - //read snort file with writing enabled - $filehandle = fopen($received_file, "w"); - - //delimiter for each new rule is a new line - $delimiter = "\n"; - - //implode the array back into a string for writing purposes - $fullfile = implode($delimiter, $content_changed); - - //write data to file - fwrite($filehandle, $fullfile); - - //close file handle - fclose($filehandle); - + @file_put_contents($received_file, implode("\n", $content_changed)); } function load_rule_file($incoming_file) { - - //read snort file - $filehandle = fopen($incoming_file, "r"); - //read file into string, and get filesize - $contents = fread($filehandle, filesize($incoming_file)); - - //close handler - fclose ($filehandle); - - - //string for populating category select - $currentruleset = basename($rulefile); - - //delimiter for each new rule is a new line - $delimiter = "\n"; + $contents = @file_get_contents($incoming_file); //split the contents of the string file into an array using the delimiter - $splitcontents = explode($delimiter, $contents); - - return $splitcontents; - + return explode("\n", $contents); } -/* -if ($_GET['openruleset'] != '' && $_GET['ids'] != '') { - header("Location: /snort/snort_rules.php?id=$id&openruleset={$_GET['openruleset']}&saved=yes"); - exit; -} -*/ - -//$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; -$ruledir = "/usr/local/etc/snort/rules/"; +$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; +//$ruledir = "/usr/local/etc/snort/rules/"; $dh = opendir($ruledir); while (false !== ($filename = readdir($dh))) { //only populate this array if its a rule file $isrulefile = strstr($filename, ".rules"); if ($isrulefile !== false) - $files[] = $filename; + $files[] = basename($filename); } sort($files); 
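Review bot: The new `$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/";` interpolates `$iface_uuid`, but the previous hunk in this file deletes the only visible assignment `$iface_uuid = $a_nat[$id]['uuid'];`, so unless it is set elsewhere (not in view) the directory becomes `snort__<if>/rules/`, `opendir()` fails and `$files` is never populated (`sort($files)` then warns on null). Restore the assignment before building `$ruledir`, and initialise `$files = array();` ahead of the readdir loop. The rewritten `write_rule_file()`/`load_rule_file()` also swallow I/O errors with `@`; at minimum `write_rule_file()` should return the `file_put_contents()` result so the caller can tell that a toggle was not persisted.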
@@ -205,200 +169,50 @@ else //Load the rule file $splitcontents = load_rule_file($rulefile); -if ($_POST) -{ +if ($_GET['act'] == "toggle" && $_GET['ids']) { - conf_mount_rw(); - - if (!$_POST['apply']) { - //retrieve POST data - $post_lineid = $_POST['lineid']; - $post_enabled = $_POST['enabled']; - $post_src = $_POST['src']; - $post_srcport = $_POST['srcport']; - $post_dest = $_POST['dest']; - $post_destport = $_POST['destport']; - - //clean up any white spaces insert by accident - $post_src = str_replace(" ", "", $post_src); - $post_srcport = str_replace(" ", "", $post_srcport); - $post_dest = str_replace(" ", "", $post_dest); - $post_destport = str_replace(" ", "", $post_destport); - - //copy rule contents from array into string - $tempstring = $splitcontents[$post_lineid]; - - //search string - $findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled - $disabled = strstr($tempstring, $findme); - - //if find alert is false, then rule is disabled - if ($disabled !== false) - { - //has rule been enabled - if ($post_enabled == "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("# alert", "alert", $tempstring); - $counter2 = 1; - } - else - { - //rule is staying disabled - $counter2 = 2; - } - } - else - { - //has rule been disabled - if ($post_enabled != "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("alert", "# alert", $tempstring); - $counter2 = 2; - } - else - { - //rule is staying enabled - $counter2 = 1; - } - } - - //explode rule contents into an array, (delimiter is space) - $rule_content = explode(' ', $tempstring); - - //insert new values - $counter2++; - $rule_content[$counter2] = $post_src;//source location - $counter2++; - $rule_content[$counter2] = $post_srcport;//source port location - $counter2 = $counter2+2; - $rule_content[$counter2] = $post_dest;//destination location - $counter2++; - 
$rule_content[$counter2] = $post_destport;//destination port location - - //implode the array back into string - $tempstring = implode(' ', $rule_content); - - //copy string into file array for writing - $splitcontents[$post_lineid] = $tempstring; - - //write the new .rules file - write_rule_file($splitcontents, $rulefile); - - //once file has been written, reload file - $splitcontents = load_rule_file($rulefile); - - $stopMsg = true; - } - conf_mount_ro(); -} -else if ($_GET['act'] == "toggle") -{ - - conf_mount_rw(); - - $toggleid = $_GET['ids']; + $lineid= $_GET['ids']; //copy rule contents from array into string - $tempstring = $splitcontents[$toggleid]; + $tempstring = $splitcontents[$lineid]; //explode rule contents into an array, (delimiter is space) $rule_content = explode(' ', $tempstring); - //search string $findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled $disabled = strstr($tempstring, $findme); //if find alert is false, then rule is disabled - if ($disabled !== false) - { + if ($disabled !== false) { //rule has been enabled - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("# alert", "alert", $tempstring); - - } - else - { - //has rule been disabled - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("alert", "# alert", $tempstring); - - } + $tempstring = substr($tempstring, 2); + } else + $tempstring = "# ". 
$tempstring; //copy string into array for writing - $splitcontents[$toggleid] = $tempstring; + $splitcontents[$lineid] = $tempstring; //write the new .rules file write_rule_file($splitcontents, $rulefile); - //once file has been written, reload file - $splitcontents = load_rule_file($rulefile); - - $stopMsg = true; - //write disable/enable sid to config.xml - if ($disabled == false) { - $string_sid = strstr($tempstring, 'sid:'); - $sid_pieces = explode(";", $string_sid); - $sid_off_cut = $sid_pieces[0]; - // sid being turned off - $sid_off = str_replace("sid:", "", $sid_off_cut); + $sid = get_middle($tempstring, 'sid:', ';', 0); + if (is_numeric($sid)) { // rule_sid_on registers - $sid_on_pieces = $a_nat[$id]['rule_sid_on']; - // if off sid is the same as on sid remove it - $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); - // write the replace sid back as empty - $a_nat[$id]['rule_sid_on'] = $sid_on_old; - // rule sid off registers - $sid_off_pieces = $a_nat[$id]['rule_sid_off']; - // if off sid is the same as off sid remove it - $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); - // write the replace sid back as empty - $a_nat[$id]['rule_sid_off'] = $sid_off_old; - // add sid off registers to new off sid - $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . 
$a_nat[$id]['rule_sid_off']; - } - else - { - $string_sid = strstr($tempstring, 'sid:'); - $sid_pieces = explode(";", $string_sid); - $sid_on_cut = $sid_pieces[0]; - // sid being turned off - $sid_on = str_replace("sid:", "", $sid_on_cut); - // rule_sid_off registers - $sid_off_pieces = $a_nat[$id]['rule_sid_off']; - // if off sid is the same as on sid remove it - $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); - // write the replace sid back as empty - $a_nat[$id]['rule_sid_off'] = $sid_off_old; - // rule sid on registers - $sid_on_pieces = $a_nat[$id]['rule_sid_on']; - // if on sid is the same as on sid remove it - $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); - // write the replace sid back as empty - $a_nat[$id]['rule_sid_on'] = $sid_on_old; - // add sid on registers to new on sid - $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); + if ($disabled === false) + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; + else + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; } - write_config(); - conf_mount_ro(); - -} -if ($_GET['saved'] == 'yes') -{ - $message = "The Snort rule configuration has been changed.<br>You must restart this snort interface in order for the changes to take effect."; + write_config(); - // stop_service("snort"); - // sleep(2); - // start_service("snort"); - // $savemsg = ""; - // $stopMsg = false; + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$rulefile}"); + exit; } $currentruleset = basename($rulefile); 
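Review bot: The new config-update lines use `$sid_off` and `$sid_on`, which no longer exist in this branch (only `$sid` is extracted via `get_middle()`), so every toggle appends `"||disablesid "` / `"||enablesid "` with an empty sid to config.xml, and the second `if (!empty($a_nat[$id]['rule_sid_on']))` tests the wrong key before editing `rule_sid_off`. The corrected tail is below. The action itself is still driven by GET (`?act=toggle&ids=N`) with `$lineid` unchecked, and the category selector at the bottom of the file passes an absolute path in `openruleset`; if `$rulefile` is taken from that parameter (its assignment is outside this hunk), `write_rule_file($splitcontents, $rulefile)` lets a crafted link rewrite any file the web server can write, so restrict it to `basename()` inside `$ruledir` and move the toggle to POST with a CSRF token.

```php
$sid = get_middle($tempstring, 'sid:', ';', 0);
if (is_numeric($sid)) {
    if (!empty($a_nat[$id]['rule_sid_on']))
        $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']);
    if (!empty($a_nat[$id]['rule_sid_off']))
        $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']);
    if ($disabled === false)
        $a_nat[$id]['rule_sid_off'] = "||disablesid $sid" . $a_nat[$id]['rule_sid_off'];
    else
        $a_nat[$id]['rule_sid_on'] = "||enablesid $sid" . $a_nat[$id]['rule_sid_on'];
}
// … unchanged: write_config() and redirect …
```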
@@ -409,50 +223,25 @@ require_once("guiconfig.inc"); include_once("head.inc"); $pgtitle = "Snort: $id $iface_uuid $if_real Category: $currentruleset"; - ?> -<body - link="#0000CC" vlink="#0000CC" alink="#0000CC"> - -<?php include("fbegin.inc"); ?> -<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> - +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php +include("fbegin.inc"); +if ($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} + echo "{$snort_general_css}\n"; ?> +<form action="snort_rules.php" method="post" name="iform" id="iform"> -<div class="body2"> - -<noscript> -<div class="alert" ALIGN=CENTER><img - src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please -enable JavaScript to view this content -</CENTER></div> -</noscript> - - -<?php -echo "<form action=\"snort_rules.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; -?> <?php if ($_GET['saved'] == 'yes') {print_info_box_np2($message);}?> -</form> -</script> <script language="javascript" type="text/javascript"> -<!-- +<script language="javascript" type="text/javascript"> function go() { - var agt=navigator.userAgent.toLowerCase(); - if (agt.indexOf("msie") != -1) { - box = document.forms.selectbox; - } else { - box = document.forms[1].selectbox; - } + var box = document.iform.selectbox; destination = box.options[box.selectedIndex].value; if (destination) location.href = destination; } -// --> -</script> <script type="text/javascript"> -<!-- function popup(url) { params = 'width='+screen.width; @@ -464,10 +253,9 @@ function popup(url) if (window.focus) {newwin.focus()} return false; } -// --> </script> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> +<table style="table-layout:fixed;" width="99%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php $tab_array = array(); 
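Review bot: The title echoed by `if ($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}` is built from `$currentruleset = basename($rulefile)`, and `$rulefile` appears to come from the `openruleset` request parameter (it is passed back through `?openruleset={$rulefile}` elsewhere on this page), yet nothing escapes it before it reaches HTML; print `htmlspecialchars($pgtitle)` instead. The kept line `<?php if ($_GET['saved'] == 'yes') {print_info_box_np2($message);}?>` still reads `$message`, but the `saved=yes` branch that assigned it is removed in the preceding hunk, so unless it is set somewhere outside this view the box is printed with an undefined variable (and later in the page `$message` is reused for rule text). A short comment on the `saved` line saying where `$message` is expected to come from, or dropping the line with the branch that fed it, would keep the two in step.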
@@ -488,199 +276,154 @@ function popup(url) display_top_tabs($tab_array); ?> </td></tr> - <tr> - <td> - <div id="mainarea2"> - <table id="maintable" class="tabcont" width="100%" border="0" - cellpadding="0" cellspacing="0"> - <tr> - <td> - <table id="ruletable1" class="sortable" width="100%" border="0" - cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="3%" class="list"> </td> - <td width="5%" class="listhdr">SID</td> - <td width="6%" class="listhdrr">Proto</td> - <td width="15%" class="listhdrr">Source</td> - <td width="10%" class="listhdrr">Port</td> - <td width="15%" class="listhdrr">Destination</td> - <td width="10%" class="listhdrr">Port</td> - <td width="32%" class="listhdrr">Message</td> +<tr> + <td> + <div id="mainarea2"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listt" colspan="8"> + <br>Category: + <select id="selectbox" name="selectbox" class="formfld" onChange="go()"> + <?php + foreach ($files as $value) { + echo "<option value='?id={$id}&openruleset={$ruledir}{$value}' "; + if ($value === $currentruleset) + echo "selected"; + echo ">{$value}</option>\n"; + } + ?> + </select> + </td> + </tr> + <tr id="frheader"> + <td width="3%" class="list"> </td> + <td width="5%" class="listhdr">SID</td> + <td width="6%" class="listhdrr">Proto</td> + <td width="15%" class="listhdrr">Source</td> + <td width="10%" class="listhdrr">Port</td> + <td width="15%" class="listhdrr">Destination</td> + <td width="10%" class="listhdrr">Port</td> + <td width="32%" class="listhdrr">Message</td> + </tr> + <?php + foreach ( $splitcontents as $counter => $value ) + { + $disabled = "False"; + $comments = "False"; + $findme = "# alert"; //find string for disabled alerts + $disabled_pos = strstr($value, $findme); - </tr> - <tr> - <?php - - echo "<br>Category: "; - - //string for populating category select - $currentruleset = basename($rulefile); - - ?> - <form name="forms"><select name="selectbox" 
class="formfld" - onChange="go()"> - <?php - $i=0; - foreach ($files as $value) - { - $selectedruleset = ""; - if ($files[$i] === $currentruleset) - $selectedruleset = "selected"; - ?> - <option - value="?id=<?=$id;?>&openruleset=<?=$ruledir;?><?=$files[$i];?>" - <?=$selectedruleset;?>><?=$files[$i];?></option> - <?php - $i++; - - } - ?> - </select></form> - </tr> - <?php - - $counter = 0; - $printcounter = 0; - - foreach ( $splitcontents as $value ) - { - - $counter++; - $disabled = "False"; - $comments = "False"; - - $tempstring = $splitcontents[$counter]; - $findme = "# alert"; //find string for disabled alerts - - //find alert - $disabled_pos = strstr($tempstring, $findme); - - - //do soemthing, this rule is enabled - $counter2 = 1; - - //retrieve sid value - $sid = get_middle($tempstring, 'sid:', ';', 0); - - //check to see if the sid is numberical - $is_sid_num = is_numeric($sid); - - //if SID is numerical, proceed - if ($is_sid_num) - { - - //if find alert is false, then rule is disabled - if ($disabled_pos !== false){ - $counter2 = $counter2+1; - $textss = "<span class=\"gray\">"; - $textse = "</span>"; - $iconb = "icon_block_d.gif"; - } - else - { - $textss = $textse = ""; - $iconb = "icon_block.gif"; - } - - if ($disabled_pos !== false){ - $ischecked = ""; - }else{ - $ischecked = "checked"; - } - - $rule_content = explode(' ', $tempstring); - - $protocol = $rule_content[$counter2];//protocol location - $counter2++; - $source = $rule_content[$counter2];//source location - $counter2++; - $source_port = $rule_content[$counter2];//source port location - $counter2 = $counter2+2; - $destination = $rule_content[$counter2];//destination location - $counter2++; - $destination_port = $rule_content[$counter2];//destination port location - - if (strstr($tempstring, 'msg: "')) - $message = get_middle($tempstring, 'msg: "', '";', 0); - if (strstr($tempstring, 'msg:"')) - $message = get_middle($tempstring, 'msg:"', '";', 0); - - echo "<tr> - <td class=\"listt\"> - 
$textss\n"; - ?> - <a - href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img - src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" - width="10" height="10" border="0" - title="click to toggle enabled/disabled status"></a> - <!-- <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> --> - <!-- TODO: add checkbox and save so that that disabling is nicer --> - <?php - echo "$textse - </td> - <td class=\"listlr\"> - $textss - $sid - $textse - </td> - <td class=\"listlr\"> - $textss - $protocol"; - ?> - <?php - $printcounter++; - echo "$textse - </td> - <td class=\"listlr\"> - $textss - $source - $textse - </td> - <td class=\"listlr\"> - $textss - $source_port - $textse - </td> - <td class=\"listlr\"> - $textss - $destination - $textse - </td> - <td class=\"listlr\"> - $textss - $destination_port - $textse - </td>"; - ?> - <td class="listbg"><font color="white"> <?php - echo "$textss + $counter2 = 1; + $sid = get_middle($value, 'sid:', ';', 0); + //check to see if the sid is numberical + if (!is_numeric($sid)) + continue; + + //if find alert is false, then rule is disabled + if ($disabled_pos !== false){ + $counter2 = $counter2+1; + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_block_d.gif"; + + $ischecked = ""; + } else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + + $ischecked = "checked"; + } + + $rule_content = explode(' ', $value); + + $protocol = $rule_content[$counter2];//protocol location + $counter2++; + $source = substr($rule_content[$counter2], 0, 20) . "...";//source location + $counter2++; + $source_port = $rule_content[$counter2];//source port location + $counter2 = $counter2+2; + $destination = substr($rule_content[$counter2], 0, 20) . 
"...";//destination location + $counter2++; + $destination_port = $rule_content[$counter2];//destination port location + + if (strstr($value, 'msg: "')) + $message = get_middle($value, 'msg: "', '";', 0); + else if (strstr($value, 'msg:"')) + $message = get_middle($value, 'msg:"', '";', 0); + + echo "<tr><td class=\"listt\"> $textss\n"; + ?> + <a href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img + src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" + width="10" height="10" border="0" + title="click to toggle enabled/disabled status"></a> + <!-- <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> --> + <!-- TODO: add checkbox and save so that that disabling is nicer --> + <?php + echo "$textse + </td> + <td width='5%' class=\"listlr\"> + $textss + $sid + $textse + </td> + <td width='6%' class=\"listlr\"> + $textss + $protocol"; + echo "$textse + </td> + <td width='20%' class=\"listlr\"> + $textss + $source + $textse + </td> + <td width='5%' class=\"listlr\"> + $textss + $source_port + $textse + </td> + <td width='20%' class=\"listlr\"> + $textss + $destination + $textse + </td> + <td width='5%' class=\"listlr\"> + $textss + $destination_port + $textse + </td> + <td width='30%' class=\"listbg\"><font color=\"white\"> + $textss $message $textse - </td>"; - ?> - <td valign="middle" nowrap class="list"> + </td>"; + ?> + <td valign="middle" nowrap class="list"> <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="javascript: void(0)" - onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" - title="edit rule" width="17" height="17" border="0"></a></td> + <tr> + <td><a href="javascript: void(0)" + onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img + src="../themes/<?= $g['theme']; 
?>/images/icons/icon_e.gif" + title="edit rule" width="17" height="17" border="0"></a></td> <!-- Codes by Quackit.com --> - </tr> + </tr> </table> - </td> - <?php - } - } - echo " There are $printcounter rules in this category. <br><br>"; - ?> - - </table> </td> - </tr> - <table class="tabcont" width="100%" border="0" cellspacing="0" - cellpadding="0"> + <?php + } + ?> + + </table> + </td> + </tr> + <tr> + <td class="listlr"> + <?php echo " <strong><span class='red'>There are {$counter} rules in this category. <br/><br/></span></strong>"; ?> + </td> + </tr> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" @@ -693,36 +436,23 @@ function popup(url) width="11" height="11"></td> <td nowrap>Rule Disabled</td> </tr> - <table class="tabcont" width="100%" border="0" cellspacing="0" - cellpadding="0"> - <tr> + <tr> <!-- TODO: add save and cancel for checkbox options --> <!-- <td><pre><input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"><pre></td> --> - </tr> - </table> + </tr> <tr> <td colspan="10"> - <p><!--<strong><span class="red">Warning:<br> - </span></strong>Editing these r</p>--> - + <p><!--<strong><span class="red">Warning:<br/> </span></strong>Editing these r</p>--> </td> </tr> </table> - </table> - - </td> - </tr> - + </td> + </tr> + </table> + </td> +</tr> </table> - -</div> - -<?php - -include("fend.inc"); -echo $snort_custom_rnd_box; -?> - -</div> +</form> +<?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index bac04f68..330630f4 100644 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php 
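Review bot: The per-rule toggle `<a href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>">` is a state-changing GET (per the earlier hunk it rewrites the rules file and calls `write_config()`), and `$id`, `$rulefile` and `$ruledir` are interpolated into `href`/`value` attributes, and rule-file fields (`$sid`, `$protocol`, `$source`, `$message`) into cells, with no escaping; wrap each in `htmlspecialchars()`, and since the toggle mutates state it belongs in a POST form with a CSRF token rather than a link. `$message` is only assigned when a `msg:` is found, so a rule without one reprints the previous row's message — add `$message = '';` at the top of the loop body. The footer `There are {$counter} rules in this category.` prints the last array key (a 0-based line index that includes the comment lines skipped by `continue`), not the number of rules rendered, which the removed `$printcounter` tracked correctly.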
@@ -1,6 +1,6 @@ <?php /* - system_edit.php + snort_rules_edit.php Copyright (C) 2004, 2005 Scott Ullrich Copyright (C) 2011 Ermal Luci All rights reserved. @@ -44,8 +44,6 @@ require_once("/usr/local/pkg/snort/snort_gui.inc"); if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); } - -//nat_rules_sort(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; 
@@ -64,55 +62,69 @@ if (isset($id) && $a_nat[$id]) { //get rule id $lineid = $_GET['ids']; +if (isset($_POST['ids'])) + $lineid = $_POST['ids']; $file = $_GET['openruleset']; +if (isset($_POST['openruleset'])) + $file = $_POST['openruleset']; + //read file into string, and get filesize also chk for empty files -if (filesize($file) > 0 ) { - $contents2 = file_get_contents($file); -}else{ - $contents2 = ''; -} +$contents = ''; +if (filesize($file) > 0 ) + $contents = file_get_contents($file); //delimiter for each new rule is a new line $delimiter = "\n"; //split the contents of the string file into an array using the delimiter -$splitcontents = explode($delimiter, $contents2); - -if ($_POST) { - if($_POST['highlight'] <> "") { - if($_POST['highlight'] == "yes" or - $_POST['highlight'] == "enabled") { - $highlight = "yes"; - } else { - $highlight = "no"; - } - } else { - $highlight = "no"; +$splitcontents = explode($delimiter, $contents); +$findme = "# alert"; //find string for disabled alerts +$highlight = "yes"; +if (strstr($splitcontents[$lineid], $findme)) + $highlight = "no"; +if ($highlight == "no") + $splitcontents[$lineid] = substr($splitcontents[$lineid], 2); + +if (!function_exists('get_middle')) { + function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; } +} - if($_POST['rows'] <> "") - $rows = $_POST['rows']; - else - $rows = 1; - - if($_POST['cols'] <> "") - $cols = $_POST['cols']; - else - $cols = 66; - +if ($_POST) { if ($_POST['save']) { - /* get the changes */ - $rule_content2 = $_POST['code']; - //copy string into file array for writing - $splitcontents[$lineid] = $rule_content2; + if ($_POST['highlight'] == "yes") + $splitcontents[$lineid] = $_POST['code']; + else + $splitcontents[$lineid] 
= "# " . $_POST['code']; + + //write disable/enable sid to config.xml + $sid = get_middle($splitcontents[$lineid], 'sid:', ';', 0); + if (is_numeric($sid)) { + // rule_sid_on registers + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); + if ($_POST['highlight'] == "yes") + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid" . $a_nat[$id]['rule_sid_on']; + else + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid" . $a_nat[$id]['rule_sid_off']; + } //write the new .rules file @file_put_contents($file, implode($delimiter, $splitcontents)); - echo "<script> window.close(); </script>"; + write_config(); + + echo "<script> opener.window.location.reload(); window.close(); </script>"; exit; } } @@ -124,18 +136,20 @@ $pgtitle = array(gettext("Advanced"), gettext("File Editor")); <?php include("head.inc");?> <body link="#000000" vlink="#000000" alink="#000000"> +<form action="snort_rules_edit.php" method="post"> + <?php if ($savemsg) print_info_box($savemsg); ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="tabcont"> - <form action="snort_rules_edit.php?id=<?=$id; ?>&openruleset=<?=$file; ?>&ids=<?=$ids; ?>" method="post"> +<tr> + <td class="tabcont"> + - <?php if ($savemsg) print_info_box($savemsg); - if ($file != '/usr/local/etc/snort/snort_update.log'): - ?> <table width="100%" cellpadding="9" cellspacing="9" bgcolor="#eeeeee"> <tr> <td> <input name="save" type="submit" class="formbtn" id="save" value="save" /> + <input type='hidden' name='id' value='<?=$id;?>' /> + <input type='hidden' name='ids' value='<?=$ids;?>' /> + <input type='hidden' name='openruleset' value='<?=$file;?>' /> <input type="button" class="formbtn" value="Cancel" onclick="window.close()"> <hr noshade="noshade" /> Disable original rule :<br/> 
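Review bot: `$file` is taken straight from `$_GET['openruleset']` / `$_POST['openruleset']` and then handed to `filesize()`, `file_get_contents()` and, on save, `file_put_contents($file, ...)`, so any path the GUI user can name is readable and overwritable through this page; resolve it with `realpath()` and reject it unless it lies under the interface's rules directory before any file access (the directory variable is not visible in this hunk). The second bookkeeping guard tests the wrong key — `if (!empty($a_nat[$id]['rule_sid_on'])) $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']);` should check `rule_sid_off`, otherwise a stale `||disablesid` entry is only removed when the on-list happens to be non-empty. `$lineid` is used as an array index without checking it is an integer below `count($splitcontents)`, and `$_POST['code']` is written verbatim, so a value containing a newline inserts extra lines into the rules file. The parallel block in snort_rules.php's toggle handler (earlier hunk) still references `$sid_off`/`$sid_on` after only `$sid` is computed — worth checking alongside this one.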
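Review bot: The hidden fields `<input type='hidden' name='openruleset' value='<?=$file;?>' />` and `name='id' value='<?=$id;?>'` echo request-supplied values into attributes unescaped, so an `openruleset` containing a single quote breaks out of the attribute (reflected XSS); use `htmlspecialchars($file, ENT_QUOTES)` and the same for `$id`. The `ids` field is filled from `$ids`, but the variable this file reads the line number into is `$lineid` (`$lineid = $_GET['ids'];` in the previous hunk); unless `$ids` is assigned somewhere outside this view the POSTed `ids` is empty and the save writes `$splitcontents['']` instead of replacing the edited line, so it should be `value='<?=htmlspecialchars($lineid);?>'`.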
@@ -146,37 +160,29 @@ $pgtitle = array(gettext("Advanced"), gettext("File Editor")); <label for="highlighting_disabled"> <?=gettext("Disabled");?></label> </td> </tr> - </table> - <table width="100%"> + <tr> + <td valign="top" class="label"> + <textarea wrap="off" style="width: 98%; margin: 7px;" + class="<?php echo $language; ?>:showcolumns" rows="3" + cols="66" name="code"><?=$splitcontents[$lineid];?></textarea> + </div> + </td> + </tr> <tr> <td valign="top" class="label"> - <div style="background: #eeeeee;" id="textareaitem"> - <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea wrap="off" style="width: 98%; margin: 7px;" class="<?=$language;?>:showcolumns" rows="<?=$rows;?>" cols="<?=$cols;?>" name="code"> - <?=$tempstring;?> </textarea> - </div> + <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea disabled + wrap="off" style="width: 98%; margin: 7px;" + class="<?php echo $language; ?>:showcolumns" rows="33" + cols="66" name="code2"><?=$contents;?></textarea> + </div> </td> </tr> </table> - <?php endif; ?> - <table width='100%'> - <tr> - <td valign="top" class="label"> - <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea - <? if ($file != '/usr/local/etc/snort/snort_update.log') { echo 'disabled'; } ?> - wrap="off" style="width: 98%; margin: 7px;" - class="<?php echo $language; ?>:showcolumns" rows="33" - cols="<?=$cols;?>" name="code2"><?=$contents2;?></textarea> - </div> - </td> - </tr> - </table> - <? echo "$file\n"; ?></td> - </tr> + </td> +</tr> </table> - +</form> <?php include("fend.inc");?> - </body> </html> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 264603a5..e4577818 100644 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php 
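Review bot: Both textareas print file contents raw — `<?=$splitcontents[$lineid];?>` and `<?=$contents;?>` — so a rule line containing `</textarea>` (and the rules files are editable through this very page) closes the element and injects markup; wrap each in `htmlspecialchars()`. The `</div>` after the first textarea has no matching opening `<div>` in the new markup (only the second cell opens one), leaving the page with unbalanced HTML.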
@@ -38,8 +38,6 @@ global $g; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); } - -//nat_rules_sort(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; @@ -138,20 +136,14 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$iface_uuid}_{$if_real}.dirty"; if ($_POST["Submit"]) { $enabled_items = ""; $isfirst = true; - if (is_array($_POST['toenable'])) { - foreach($_POST['toenable'] as $toenable) { - if(!$isfirst) - $enabled_items .= "||"; - $enabled_items .= "{$toenable}"; - $isfirst = false; - } - }else{ + if (is_array($_POST['toenable'])) + $enabled_items = implode("||", $_POST['toenable']); + else $enabled_items = $_POST['toenable']; - } $a_nat[$id]['rulesets'] = $enabled_items; write_config(); - sync_snort_package_all($id, $if_real, $iface_uuid); + sync_snort_package_config(); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -258,7 +250,7 @@ if (file_exists($d_snortconfdirty_path)) { $dir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; $dh = opendir($dir); while (false !== ($filename = readdir($dh))) { - $files[] = $filename; + $files[] = basename($filename); } sort($files); foreach($files as $file) { |
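Review bot: `$enabled_items = implode("||", $_POST['toenable'])` and the fallback `$enabled_items = $_POST['toenable'];` store request values in config.xml with no validation; the names presumably map to files under the rules directory, so each entry should be checked against the same directory listing the later hunk builds into `$files` (`in_array($item, $files, true)`), and the non-array branch should reject or empty the value rather than accept an arbitrary string (one containing `||` would otherwise forge extra entries). The swap of `sync_snort_package_all($id, $if_real, $iface_uuid)` for the argument-less `sync_snort_package_config()` now regenerates all interfaces on one ruleset save; if that is intended, a one-line comment saying so would stop the next reader from restoring the per-interface call.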
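Review bot: `basename()` on a name returned by `readdir()` is a no-op (readdir yields bare entry names), so `$files[] = basename($filename);` changes nothing; what does need filtering are the `.` and `..` entries readdir also returns, which land in `$files` unless the loop below skips them — `if ($filename === '.' || $filename === '..') continue;` before the append would do it. The `foreach($files as $file)` this hunk ends on continues outside this view.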