aboutsummaryrefslogtreecommitdiffstats
path: root/config/snort
diff options
context:
space:
mode:
Diffstat (limited to 'config/snort')
-rwxr-xr-xconfig/snort/snort.inc639
-rw-r--r--config/snort/snort_barnyard.php562
2 files changed, 809 insertions, 392 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 847a0dba..1c9c5cd6 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -51,10 +51,10 @@ $snortver = array();
exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
$snort_version = $snortver[0];
if (empty($snort_version))
- $snort_version = "2.9.5.6";
+ $snort_version = "2.9.6.0";
/* package version */
-$pfSense_snort_version = "3.0.4";
+$pfSense_snort_version = "3.0.5";
$snort_package_version = "Snort {$snort_version} pkg v{$pfSense_snort_version}";
// Define SNORTDIR and SNORTLIBDIR constants according to pfSense version
@@ -81,6 +81,7 @@ define("VRT_FILE_PREFIX", "snort_");
define("GPL_FILE_PREFIX", "GPLv2_");
define("ET_OPEN_FILE_PREFIX", "emerging-");
define("ET_PRO_FILE_PREFIX", "etpro-");
+define("IPREP_PATH", "/var/db/snort/iprep/");
/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;
@@ -498,21 +499,18 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
return $valresult;
}
-/* checks to see if service is running yes/no and stop/start */
+/* checks to see if service is running */
function snort_is_running($snort_uuid, $if_real, $type = 'snort') {
global $config, $g;
- if (file_exists("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid"))
- return 'yes';
-
- return 'no';
+ return isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid");
}
function snort_barnyard_stop($snortcfg, $if_real) {
global $config, $g;
$snort_uuid = $snortcfg['uuid'];
- if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) {
+ if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) {
log_error("[Snort] Barnyard2 STOP for {$snortcfg['descr']}({$if_real})...");
killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid");
}
@@ -522,7 +520,7 @@ function snort_stop($snortcfg, $if_real) {
global $config, $g;
$snort_uuid = $snortcfg['uuid'];
- if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
+ if (isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
log_error("[Snort] Snort STOP for {$snortcfg['descr']}({$if_real})...");
killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid");
}
@@ -534,12 +532,13 @@ function snort_barnyard_start($snortcfg, $if_real) {
global $config, $g;
$snortdir = SNORTDIR;
+ $snortlogdir = SNORTLOGDIR;
$snort_uuid = $snortcfg['uuid'];
/* define snortbarnyardlog_chk */
- if ($snortcfg['barnyard_enable'] == 'on' && !empty($snortcfg['barnyard_mysql'])) {
+ if ($snortcfg['barnyard_enable'] == 'on') {
log_error("[Snort] Barnyard2 START for {$snortcfg['descr']}({$if_real})...");
- exec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q");
+ mwexec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
}
}
@@ -547,11 +546,12 @@ function snort_start($snortcfg, $if_real) {
global $config, $g;
$snortdir = SNORTDIR;
+ $snortlogdir = SNORTLOGDIR;
$snort_uuid = $snortcfg['uuid'];
if ($snortcfg['enable'] == 'on') {
log_error("[Snort] Snort START for {$snortcfg['descr']}({$if_real})...");
- exec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ mwexec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
}
else
return;
@@ -575,64 +575,44 @@ function snort_reload_config($snortcfg, $signal="SIGHUP") {
$snortdir = SNORTDIR;
$snort_uuid = $snortcfg['uuid'];
- $if_real = snort_get_real_interface($snortcfg['interface']);
+ $if_real = get_real_interface($snortcfg['interface']);
/******************************************************/
/* Only send the SIGHUP if Snort is running and we */
/* can find a valid PID for the process. */
/******************************************************/
- if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
+ if (isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']} ({$if_real})...");
- exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &");
+ mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid");
}
}
-function snort_get_friendly_interface($interface) {
-
- if (function_exists('convert_friendly_interface_to_friendly_descr'))
- $iface = convert_friendly_interface_to_friendly_descr($interface);
- else {
- if (!$interface || ($interface == "wan"))
- $iface = "WAN";
- else if(strtolower($interface) == "lan")
- $iface = "LAN";
- else if(strtolower($interface) == "pppoe")
- $iface = "PPPoE";
- else if(strtolower($interface) == "pptp")
- $iface = "PPTP";
- else
- $iface = strtoupper($interface);
- }
-
- return $iface;
-}
+function snort_barnyard_reload_config($snortcfg, $signal="HUP") {
-/* get the real iface name of wan */
-function snort_get_real_interface($interface) {
- global $config;
+ /**************************************************************/
+ /* This function sends the passed SIGNAL to the Barnyard2 */
+ /* instance on the passed interface to cause Barnyard to */
+ /* reload and parse the running configuration without */
+ /* impacting packet processing. It also executes the reload */
+ /* as a background process and returns control immediately */
+ /* to the caller. */
+ /* */
+ /* $signal = HUP (default) parses and reloads config. */
+ /**************************************************************/
+ global $g;
- $lc_interface = strtolower($interface);
- if (function_exists('get_real_interface'))
- return get_real_interface($lc_interface);
- else {
- if ($lc_interface == "lan") {
- if ($config['inerfaces']['lan'])
- return $config['interfaces']['lan']['if'];
- return $interface;
- }
- if ($lc_interface == "wan")
- return $config['interfaces']['wan']['if'];
- $ifdescrs = array();
- for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) {
- $ifname = "opt{$j}";
- if(strtolower($ifname) == $lc_interface)
- return $config['interfaces'][$ifname]['if'];
- if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface))
- return $config['interfaces'][$ifname]['if'];
- }
- }
+ $snortdir = SNORTDIR;
+ $snort_uuid = $snortcfg['uuid'];
+ $if_real = get_real_interface($snortcfg['interface']);
- return $interface;
+ /******************************************************/
+ /* Only send the SIGHUP if Barnyard2 is running and */
+ /* we can find a valid PID for the process. */
+ /******************************************************/
+ if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) {
+ log_error("[Snort] Barnyard2 CONFIG RELOAD initiated for {$snortcfg['descr']} ({$if_real})...");
+ mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid");
+ }
}
/*
@@ -650,7 +630,7 @@ function snort_post_delete_logs($snort_uuid = 0) {
foreach ($config['installedpackages']['snortglobal']['rule'] as $value) {
if ($value['uuid'] != $snort_uuid)
continue;
- $if_real = snort_get_real_interface($value['interface']);
+ $if_real = get_real_interface($value['interface']);
$snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}";
if ($if_real != '') {
@@ -661,18 +641,14 @@ function snort_post_delete_logs($snort_uuid = 0) {
@unlink($file);
/* Clean-up packet capture files if any exist */
- $filelist = glob("{$snort_log_dir}/snort.log.*");
- foreach ($filelist as $file)
- @unlink($file);
+ unlink_if_exists("{$snort_log_dir}/snort.log.*");
- /* Clean-up stats files if they are enabled */
- if ($value['perform_stat'] == 'on') {
- $fd = fopen("{$snort_log_dir}/{$if_real}.stats", "w");
- if ($fd) {
- ftruncate($fd, 0);
- fclose($fd);
- }
- }
+ /* Clean-up Barnyard2 archived files if any exist */
+ unlink_if_exists("{$snort_log_dir}/barnyard2/archive/*");
+
+ /* Clean-up stats file if enabled */
+ if ($value['perform_stat'] == 'on')
+ file_put_contents("{$snort_log_dir}/{$if_real}.stats", "");
}
}
}
@@ -686,62 +662,16 @@ function snort_Getdirsize($node) {
return substr( $blah, 0, strpos($blah, 9) );
}
-/* func for log dir size limit cron */
-function snort_snortloglimit_install_cron($should_install) {
- global $config, $g;
-
- if (!is_array($config['cron']['item']))
- $config['cron']['item'] = array();
+function snort_snortloglimit_install_cron($should_install=TRUE) {
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], 'snort_check_cron_misc.inc')) {
- $is_installed = true;
- break;
- }
- $x++;
- }
-
- switch($should_install) {
- case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "*/5";
- $cron_item['hour'] = "*";
- $cron_item['mday'] = "*";
- $cron_item['month'] = "*";
- $cron_item['wday'] = "*";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc";
- $config['cron']['item'][] = $cron_item;
- }
- break;
- case false:
- if($is_installed == true)
- unset($config['cron']['item'][$x]);
- break;
- }
+ install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc", $should_install, "*/5");
}
-/* func for updating cron */
function snort_rm_blocked_install_cron($should_install) {
global $config, $g;
- if (!is_array($config['cron']['item']))
- $config['cron']['item'] = array();
-
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "snort2c")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
-
$snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked'];
+
if ($snort_rm_blocked_info_ck == "15m_b") {
$snort_rm_blocked_min = "*/2";
$snort_rm_blocked_hr = "*";
@@ -822,46 +752,15 @@ function snort_rm_blocked_install_cron($should_install) {
$snort_rm_blocked_wday = "*";
$snort_rm_blocked_expire = "2419200";
}
- switch($should_install) {
- case true:
- $cron_item = array();
- $cron_item['minute'] = $snort_rm_blocked_min;
- $cron_item['hour'] = $snort_rm_blocked_hr;
- $cron_item['mday'] = $snort_rm_blocked_mday;
- $cron_item['month'] = $snort_rm_blocked_month;
- $cron_item['wday'] = $snort_rm_blocked_wday;
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
-
- /* Add cron job if not already installed, else just update the existing one */
- if (!$is_installed)
- $config['cron']['item'][] = $cron_item;
- elseif ($is_installed)
- $config['cron']['item'][$x] = $cron_item;
- break;
- case false:
- if ($is_installed == true)
- unset($config['cron']['item'][$x]);
- break;
- }
+
+ $command = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
+ install_cron_job($command, $should_install, $snort_rm_blocked_min, $snort_rm_blocked_hr, $snort_rm_blocked_mday, $snort_rm_blocked_month, $snort_rm_blocked_wday, "root");
}
/* func to install snort update */
function snort_rules_up_install_cron($should_install) {
global $config, $g;
- if(!$config['cron']['item'])
- $config['cron']['item'] = array();
-
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "snort_check_for_rule_updates.php")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
$snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7'];
/* See if a customized start time has been set for rule file updates */
@@ -924,28 +823,9 @@ function snort_rules_up_install_cron($should_install) {
$snort_rules_up_month = "*";
$snort_rules_up_wday = "*";
}
- switch($should_install) {
- case true:
- $cron_item = array();
- $cron_item['minute'] = $snort_rules_up_min;
- $cron_item['hour'] = $snort_rules_up_hr;
- $cron_item['mday'] = $snort_rules_up_mday;
- $cron_item['month'] = $snort_rules_up_month;
- $cron_item['wday'] = $snort_rules_up_wday;
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php";
-
- /* Add cron job if not already installed, else just update the existing one */
- if (!$is_installed)
- $config['cron']['item'][] = $cron_item;
- elseif ($is_installed)
- $config['cron']['item'][$x] = $cron_item;
- break;
- case false:
- if($is_installed == true)
- unset($config['cron']['item'][$x]);
- break;
- }
+
+ $command = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php";
+ install_cron_job($command, $should_install, $snort_rules_up_min, $snort_rules_up_hr, $snort_rules_up_mday, $snort_rules_up_month, $snort_rules_up_wday, "root");
}
/* Only run when all ifaces needed to sync. Expects filesystem rw */
@@ -967,14 +847,14 @@ function sync_snort_package_config() {
$snortconf = $config['installedpackages']['snortglobal']['rule'];
foreach ($snortconf as $value) {
- $if_real = snort_get_real_interface($value['interface']);
+ $if_real = get_real_interface($value['interface']);
/* create a snort.conf file for interface */
snort_generate_conf($value);
/* create barnyard2.conf file for interface */
if ($value['barnyard_enable'] == 'on')
- snort_create_barnyard2_conf($value, $if_real);
+ snort_generate_barnyard2_conf($value, $if_real);
}
/* create snort bootup file snort.sh only create once */
@@ -982,7 +862,7 @@ function sync_snort_package_config() {
$snortglob = $config['installedpackages']['snortglobal'];
- snort_snortloglimit_install_cron($snortglob['snortloglimit'] == 'on' ? true : false);
+ snort_snortloglimit_install_cron(true);
/* set the snort block hosts time IMPORTANT */
snort_rm_blocked_install_cron($snortglob['rm_blocked'] != "never_b" ? true : false);
@@ -1004,7 +884,19 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
/*************************************************************/
/* This function reads all the rules file in the passed */
/* $rules_path variable and produces a properly formatted */
- /* sid-msg.map file for use by Snort and/or barnyard2. */
+ /* sid-msg.map v2 file for use by Snort and/or barnyard2. */
+ /* */
+ /* This function produces the new v2 format sid-msg.map */
+ /* with the field layout as follows: */
+ /* */
+ /* GID || SID || REV || CLASSTYPE || PRI || MSG || REF ... */
+ /* */
+ /* On Entry: $rules_path --> array or directory of files */
+ /* or a single file containing */
+ /* the rules to read. */
+ /* $sid_file --> the complete destination path */
+ /* and filename for the output */
+ /* sid-msg.map file. */
/*************************************************************/
$sidMap = array();
@@ -1013,7 +905,7 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
/* First check if we were passed a directory, a single file */
/* or an array of filenames to read. Set our $rule_files */
/* variable accordingly. If we can't figure it out, return */
- /* and don't write a sid_msg_map file. */
+ /* and don't write a sid-msg.map file. */
if (is_string($rules_path)) {
if (is_dir($rules_path))
$rule_files = glob($rules_path . "*.rules");
@@ -1066,7 +958,11 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
$record = "";
/* Parse the rule to find sid and any references. */
+ $gid = '1'; // default to 1 for regular rules
$sid = '';
+ $rev = '';
+ $classtype = 'NOCLASS'; // required default for v2 format
+ $priority = '0'; // required default for v2 format
$msg = '';
$matches = '';
$sidEntry = '';
@@ -1074,23 +970,32 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
$msg = trim($matches[1]);
if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches))
$sid = trim($matches[1]);
- if (!empty($sid) && !empty($msg)) {
- $sidEntry = $sid . ' || ' . $msg;
+ if (preg_match('/\bgid\s*:\s*(\d+)\s*;/i', $rule, $matches))
+ $gid = trim($matches[1]);
+ if (preg_match('/\brev\s*:\s*([^\;]+)/i', $rule, $matches))
+ $rev = trim($matches[1]);
+ if (preg_match('/\bclasstype\s*:\s*([^\;]+)/i', $rule, $matches))
+ $classtype = trim($matches[1]);
+ if (preg_match('/\bpriority\s*:\s*([^\;]+)/i', $rule, $matches))
+ $priority = trim($matches[1]);
+
+ if (!empty($gid) && !empty($sid) && !empty($msg)) {
+ $sidEntry = $gid . ' || ' . $sid . ' || ' . $rev . ' || ' . $classtype . ' || ';
+ $sidEntry .= $priority . ' || ' . $msg;
preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches);
foreach ($matches[1] as $ref)
$sidEntry .= " || " . trim($ref);
$sidEntry .= "\n";
- if (!is_array($sidMap[$sid]))
- $sidMap[$sid] = array();
- $sidMap[$sid] = $sidEntry;
+ $sidMap[] = $sidEntry;
}
}
}
- /* Sort the generated sid-msg map by sid */
- ksort($sidMap);
+ /* Sort the generated sid-msg map */
+ natcasesort($sidMap);
/* Now print the result to the supplied file */
- @file_put_contents($sid_file, array_values($sidMap));
+ @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Snort.\n\n");
+ @file_put_contents($sid_file, array_values($sidMap), FILE_APPEND);
}
function snort_merge_reference_configs($cfg_in, $cfg_out) {
@@ -1211,7 +1116,7 @@ function snort_load_rules_map($rules_path) {
* Read all the rules into the map array.
* The structure of the map array is:
*
- * map[gid][sid]['rule']['category']['disabled']['flowbits']
+ * map[gid][sid]['rule']['category']['disabled']['action']['flowbits']
*
* where:
* gid = Generator ID from rule, or 1 if general text
@@ -1221,6 +1126,7 @@ function snort_load_rules_map($rules_path) {
* category = File name of file containing the rule
* disabled = 1 if rule is disabled (commented out), 0 if
* rule is enabled
+ * action = alert|log|pass|drop|reject|sdrop
* flowbits = Array of applicable flowbits if rule contains
* flowbits options
***************************************************************/
@@ -1267,7 +1173,7 @@ function snort_load_rules_map($rules_path) {
/* Skip any non-rule lines unless we're in */
/* multiline mode. */
- if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline)
+ if (!preg_match('/^\s*#*\s*(alert|log|pass|drop|reject|sdrop)/i', $rule) && !$b_Multiline)
continue;
/* Test for a multi-line rule; loop and reassemble */
@@ -1312,6 +1218,13 @@ function snort_load_rules_map($rules_path) {
else
$map_ref[$gid][$sid]['disabled'] = 0;
+ /* Grab the rule action (this is for a future option) */
+ $matches = array();
+ if (preg_match('/^\s*#*\s*(alert|log|pass|drop|reject|sdrop)/i', $rule, $matches))
+ $map_ref[$gid][$sid]['action'] = $matches[1];
+ else
+ $map_ref[$gid][$sid]['action'] = "";
+
/* Grab any associated flowbits from the rule. */
$map_ref[$gid][$sid]['flowbits'] = snort_get_flowbits($rule);
@@ -1829,9 +1742,10 @@ function snort_create_rc() {
/* after any changes to snort.conf saved in the GUI. */
/*********************************************************/
- global $config, $g;
+ global $config, $g, $pfs_version;
$snortdir = SNORTDIR;
+ $snortlogdir = SNORTLOGDIR;
$rcdir = RCFILEPREFIX;
// If no interfaces are configured for Snort, exit
@@ -1845,36 +1759,37 @@ function snort_create_rc() {
$start_snort_iface_start = array();
$start_snort_iface_stop = array();
+ // If not using PBI package, then make sure Barnyard2 can
+ // find the latest MySQL shared libs in /usr/local/lib/mysql
+ if ($pfs_version < 2.1) {
+ $sql_lib_path = "\n# Ensure MySQL shared libs are in ldconfig search path\n";
+ $sql_lib_path .= "/sbin/ldconfig -m /usr/local/lib/mysql";
+ $start_snort_iface_start[] = $sql_lib_path;
+ }
+
// Loop thru each configured interface and build
// the shell script.
foreach ($snortconf as $value) {
+ // Skip disabled Snort interfaces
+ if ($value['enable'] <> 'on')
+ continue;
$snort_uuid = $value['uuid'];
- $if_real = snort_get_real_interface($value['interface']);
+ $if_real = get_real_interface($value['interface']);
$start_barnyard = <<<EOE
if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
- pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "`
+ pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "`
else
pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid`
fi
if [ ! -z \$pid ]; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill \$pid -a
- time=0 timeout=30
- while kill -0 \$pid 2>/dev/null; do
- sleep 1
- time=\$((time+1))
- if [ \$time -gt \$timeout ]; then
- break
- fi
- done
- if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
- /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid
- fi
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..."
+ /bin/pkill -HUP \$pid
+ else
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..."
+ /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q
fi
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q
EOE;
$stop_barnyard2 = <<<EOE
@@ -1895,7 +1810,7 @@ EOE;
/bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid
fi
else
- pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "`
+ pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "`
if [ ! -z \$pid ]; then
/bin/pkill -f "barnyard2 -r {$snort_uuid} "
time=0 timeout=30
@@ -1910,7 +1825,7 @@ EOE;
fi
EOE;
- if ($value['barnyard_enable'] == 'on' && !empty($value['barnyard_mysql']))
+ if ($value['barnyard_enable'] == 'on')
$start_barnyard2 = $start_barnyard;
else
$start_barnyard2 = $stop_barnyard2;
@@ -1920,7 +1835,7 @@ EOE;
###### For Each Iface
# Start snort and barnyard2
if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then
- pid=`/bin/pgrep -f "snort -R {$snort_uuid} "`
+ pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "`
else
pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid`
fi
@@ -1930,7 +1845,7 @@ EOE;
/bin/pkill -HUP \$pid
else
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
+ /usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
fi
sleep 2
@@ -1956,10 +1871,10 @@ EOE;
/bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid
fi
else
- pid=`/bin/pgrep -f "snort -R {$snort_uuid} "`
+ pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "`
if [ ! -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill -f "snort -R {$snort_uuid} "
+ /bin/pkill -fn "snort -R {$snort_uuid} "
time=0 timeout=30
while kill -0 \$pid 2>/dev/null; do
sleep 1
@@ -2019,79 +1934,119 @@ EOD;
@chmod("{$rcdir}/snort.sh", 0755);
}
-/* open barnyard2.conf for writing */
-function snort_create_barnyard2_conf($snortcfg, $if_real) {
- global $config, $g;
-
- $snortdir = SNORTDIR;
- $snort_uuid = $snortcfg['uuid'];
-
- if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"))
- exec("/usr/bin/touch {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");
-
- if (!file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo")) {
- @touch("/var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo");
- mwexec("/bin/chmod 770 /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true);
- }
-
- $barnyard2_conf_text = snort_generate_barnyard2_conf($snortcfg, $if_real);
+function snort_generate_barnyard2_conf($snortcfg, $if_real) {
- /* write out barnyard2_conf */
- @file_put_contents("{$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", $barnyard2_conf_text);
-}
+ /****************************************************/
+ /* This function creates the barnyard2.conf config */
+ /* file for the passed interface when Barnyard2 is */
+ /* enabled. */
+ /****************************************************/
-/* open barnyard2.conf for writing" */
-function snort_generate_barnyard2_conf($snortcfg, $if_real) {
global $config, $g;
- $snortdir = SNORTDIR;
$snort_uuid = $snortcfg['uuid'];
+ $snortdir = SNORTDIR;
+ $snortcfgdir = SNORTDIR . "/snort_{$snort_uuid}_{$if_real}";
+ $snortlogdir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}";
+
+ // Create required directories for barnyard2 if missing
+ if (!is_dir("{$snortlogdir}/barnyard2"))
+ safe_mkdir("{$snortlogdir}/barnyard2");
+ if (!is_dir("{$snortlogdir}/barnyard2/archive"))
+ safe_mkdir("{$snortlogdir}/barnyard2/archive");
+
+ // Create the barnyard2 waldo file if missing
+ if (!file_exists("{$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo")) {
+ @touch("{$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo");
+ mwexec("/bin/chmod 770 {$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo", true);
+ }
+
+ // If there is no gen-msg.map file present, create an
+ // empty one so Barnyard2 will at least start.
+ if (!file_exists("{$snortcfgdir}/gen-msg.map"))
+ @file_put_contents("{$snortcfgdir}/gen-msg.map", "");
+
+ $snortbarnyard_hostname_info = php_uname("n");
+
+ // Set general config parameters
+ $gen_configs = "config quiet\nconfig daemon\nconfig decode_data_link\nconfig alert_with_interface_name\nconfig event_cache_size: 8192";
+ if ($snortcfg['barnyard_show_year'] == 'on')
+ $gen_configs .= "\nconfig show_year";
+ if ($snortcfg['barnyard_obfuscate_ip'] == 'on')
+ $gen_configs .= "\nconfig obfuscate";
+ if ($snortcfg['barnyard_dump_payload'] == 'on')
+ $gen_configs .= "\nconfig dump_payload";
+ if ($snortcfg['barnyard_archive_enable'] == 'on')
+ $gen_configs .= "\nconfig archivedir: {$snortlogdir}/barnyard2/archive";
+
+ // Set output plugins
+ $snortbarnyardlog_output_plugins = "";
+ if ($snortcfg['barnyard_mysql_enable'] == 'on') {
+ $by2_dbpwd = base64_decode($snortcfg['barnyard_dbpwd']);
+ $snortbarnyardlog_output_plugins .= "# database: log to a MySQL DB\noutput database: log, mysql, ";
+ if (isset($snortcfg['barnyard_sensor_name']) && strlen($snortcfg['barnyard_sensor_name']) > 0)
+ $snortbarnyardlog_output_plugins .= "sensor_name={$snortcfg['barnyard_sensor_name']}, ";
+ $snortbarnyardlog_output_plugins .= "user={$snortcfg['barnyard_dbuser']} password={$by2_dbpwd} ";
+ $snortbarnyardlog_output_plugins .= "dbname={$snortcfg['barnyard_dbname']} host={$snortcfg['barnyard_dbhost']}\n\n";
+ }
+ if ($snortcfg['barnyard_syslog_enable'] == 'on') {
+ $snortbarnyardlog_output_plugins .= "# syslog_full: log to a syslog receiver\noutput alert_syslog_full: ";
+ if (isset($snortcfg['barnyard_sensor_name']) && strlen($snortcfg['barnyard_sensor_name']) > 0)
+ $snortbarnyardlog_output_plugins .= "sensor_name {$snortcfg['barnyard_sensor_name']}, ";
+ else
+ $snortbarnyardlog_output_plugins .= "sensor_name {$snortbarnyard_hostname_info}, ";
+ if ($snortcfg['barnyard_syslog_local'] == 'on')
+ $snortbarnyardlog_output_plugins .= "local, log_facility LOG_AUTH, log_priority LOG_INFO\n\n";
+ else {
+ $snortbarnyardlog_output_plugins .= "server {$snortcfg['barnyard_syslog_rhost']}, protocol {$snortcfg['barnyard_syslog_proto']}, ";
+ $snortbarnyardlog_output_plugins .= "port {$snortcfg['barnyard_syslog_dport']}, operation_mode {$snortcfg['barnyard_syslog_opmode']}, ";
+ $snortbarnyardlog_output_plugins .= "log_facility {$snortcfg['barnyard_syslog_facility']}, log_priority {$snortcfg['barnyard_syslog_priority']}\n\n";
+ }
+ }
+ if ($snortcfg['barnyard_bro_ids_enable'] == 'on') {
+ $snortbarnyardlog_output_plugins .= "# alert_bro: log to a Bro-IDS receiver\n";
+ $snortbarnyardlog_output_plugins .= "output alert_bro: {$snortcfg['barnyard_bro_ids_rhost']}:{$snortcfg['barnyard_bro_ids_dport']}\n";
+ }
- /* TODO: add support for the other 5 output plugins */
- $snortbarnyardlog_database_info_chk = $snortcfg['barnyard_mysql'];
- $snortbarnyardlog_hostname_info_chk = php_uname("n");
- /* user add arguments */
+ // Trim leading and trailing newlines and spaces
+ $snortbarnyardlog_output_plugins = rtrim($snortbarnyardlog_output_plugins, "\n");
+
+ // User pass-through arguments
$snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['barnconfigpassthru']));
+ // Create the conf file as a text string
$barnyard2_conf_text = <<<EOD
-# barnyard2.conf
+# barnyard2.conf
# barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php
#
-# set the appropriate paths to the file(s) your Snort process is using
-
-config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config
-config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config
-config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map
-config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map
-config hostname: $snortbarnyardlog_hostname_info_chk
-config interface: {$if_real}
-config decode_data_link
-config waldo_file: /var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo
-
-# Show year in timestamps
-config show_year
+## General Barnyard2 settings ##
+{$gen_configs}
+config reference_file: {$snortcfgdir}/reference.config
+config classification_file: {$snortcfgdir}/classification.config
+config sid_file: {$snortcfgdir}/sid-msg.map
+config gen_file: {$snortcfgdir}/gen-msg.map
+config hostname: {$snortbarnyard_hostname_info}
+config interface: {$if_real}
+config waldo_file: {$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo
+config logdir: {$snortlogdir}
## START user pass through ##
-
- {$snortbarnyardlog_config_pass_thru}
-
+{$snortbarnyardlog_config_pass_thru}
## END user pass through ##
-# Step 2: setup the input plugins
+## Setup input plugins ##
input unified2
-config logdir: /var/log/snort/snort_{$if_real}{$snort_uuid}
-
-# database: log to a variety of databases
-# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx
-
- $snortbarnyardlog_database_info_chk
+## Setup output plugins ##
+{$snortbarnyardlog_output_plugins}
EOD;
- return $barnyard2_conf_text;
+ /* Write out barnyard2_conf text string to disk */
+ @file_put_contents("{$snortcfgdir}/barnyard2.conf", $barnyard2_conf_text);
+ unset($barnyard2_conf_text);
}
function snort_deinstall() {
@@ -2103,6 +2058,7 @@ function snort_deinstall() {
$snortlogdir = SNORTLOGDIR;
$rcdir = RCFILEPREFIX;
$snort_rules_upd_log = RULES_UPD_LOGFILE;
+ $iprep_path = IPREP_PATH;
log_error(gettext("[Snort] Snort package uninstall in progress..."));
@@ -2115,7 +2071,7 @@ function snort_deinstall() {
mwexec('/usr/bin/killall -9 snort', true);
sleep(2);
// Delete any leftover snort PID files in /var/run
- array_map('@unlink', glob("/var/run/snort_*.pid"));
+ unlink_if_exists("/var/run/snort_*.pid");
/* Make sure all active Barnyard2 processes are terminated */
/* Log a message only if a running process is detected */
@@ -2126,38 +2082,48 @@ function snort_deinstall() {
mwexec('/usr/bin/killall -9 barnyard2', true);
sleep(2);
// Delete any leftover barnyard2 PID files in /var/run
- array_map('@unlink', glob("/var/run/barnyard2_*.pid"));
+ unlink_if_exists("/var/run/barnyard2_*.pid");
/* Remove the snort user and group */
mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
- /* Remove snort cron entries Ugly code needs smoothness */
- if (!function_exists('snort_deinstall_cron')) {
- function snort_deinstall_cron($crontask) {
- global $config, $g;
-
- if(!is_array($config['cron']['item']))
- return;
+ /* Remove all the Snort cron jobs. */
+ install_cron_job("snort2c", false);
+ install_cron_job("snort_check_for_rule_updates.php", false);
+ install_cron_job("snort_check_cron_misc.inc", false);
+ configure_cron();
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], $crontask)) {
- $is_installed = true;
- break;
+ /* Remove our associated Dashboard widget config. If */
+ /* "save settings" is enabled, then save old widget */
+ /* container settings so we can restore them later. */
+ $widgets = $config['widgets']['sequence'];
+ if (!empty($widgets)) {
+ $widgetlist = explode(",", $widgets);
+ foreach ($widgetlist as $key => $widget) {
+ if (strstr($widget, "snort_alerts-container")) {
+ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
+ $config['installedpackages']['snortglobal']['dashboard_widget'] = $widget;
}
- $x++;
+ unset($widgetlist[$key]);
+ break;
}
- if ($is_installed == true)
- unset($config['cron']['item'][$x]);
}
+ $config['widgets']['sequence'] = implode(",", $widgetlist);
+ write_config();
}
- /* Remove all the Snort cron jobs. */
- snort_deinstall_cron("snort2c");
- snort_deinstall_cron("snort_check_for_rule_updates.php");
- snort_deinstall_cron("snort_check_cron_misc.inc");
- configure_cron();
+ /* See if we are to clear blocked hosts on uninstall */
+ if ($config['installedpackages']['snortglobal']['clearblocks'] == 'on') {
+ log_error(gettext("[Snort] Removing all blocked hosts from <snort2c> table..."));
+ mwexec("/sbin/pfctl -t snort2c -T flush");
+ }
+
+ /* See if we are to clear Snort log files on uninstall */
+ if ($config['installedpackages']['snortglobal']['clearlogs'] == 'on') {
+ log_error(gettext("[Snort] Clearing all Snort-related log files..."));
+ unlink_if_exists("{$snort_rules_upd_log}");
+ mwexec("/bin/rm -rf {$snortlogdir}");
+ }
/**********************************************************/
/* Test for existence of library backup tarballs in /tmp. */
@@ -2186,8 +2152,11 @@ function snort_deinstall() {
log_error(gettext("Not saving settings... all Snort configuration info and logs deleted..."));
unset($config['installedpackages']['snortglobal']);
unset($config['installedpackages']['snortsync']);
- @unlink("{$snort_rules_upd_log}");
+ unlink_if_exists("{$snort_rules_upd_log}");
+ log_error(gettext("[Snort] Flushing <snort2c> firewall table to remove addresses blocked by Snort..."));
+ mwexec("/sbin/pfctl -t snort2c -T flush");
mwexec("/bin/rm -rf {$snortlogdir}");
+ mwexec("/bin/rm -rf {$iprep_path}");
log_error(gettext("[Snort] The package has been removed from this system..."));
}
}
@@ -2220,7 +2189,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
return;
/* Log a message for rules rebuild in progress */
- log_error(gettext("[Snort] Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ..."));
+ log_error(gettext("[Snort] Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . " ..."));
/* Enable all, some or none of the SDF rules depending on setting. */
if ($snortcfg['sensitive_data'] == 'on' && $snortcfg['protect_preproc_rules'] != 'on') {
@@ -2280,6 +2249,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
$enabled_rules[$k1][$k2]['rule'] = $v['rule'];
$enabled_rules[$k1][$k2]['category'] = $v['category'];
$enabled_rules[$k1][$k2]['disabled'] = $v['disabled'];
+ $enabled_rules[$k1][$k2]['action'] = $v['action'];
$enabled_rules[$k1][$k2]['flowbits'] = $v['flowbits'];
}
}
@@ -2302,6 +2272,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
$enabled_rules[$k1][$k2]['rule'] = $p['rule'];
$enabled_rules[$k1][$k2]['category'] = $p['category'];
$enabled_rules[$k1][$k2]['disabled'] = $p['disabled'];
+ $enabled_rules[$k1][$k2]['action'] = $p['action'];
$enabled_rules[$k1][$k2]['flowbits'] = $p['flowbits'];
}
}
@@ -2314,7 +2285,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Check for and disable any rules dependent upon disabled preprocessors if */
/* this option is enabled for the interface. */
if ($snortcfg['preproc_auto_rule_disable'] == "on") {
- log_error('[Snort] Checking for rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ log_error('[Snort] Checking for rules dependent on disabled preprocessors for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...');
snort_filter_preproc_rules($snortcfg, $enabled_rules);
}
@@ -2323,7 +2294,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */
if ($snortcfg['autoflowbitrules'] == 'on') {
- log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ log_error('[Snort] Enabling any flowbit-required rules for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...');
$fbits = snort_resolve_flowbits($all_rules, $enabled_rules);
/* Check for and disable any flowbit-required rules the user has */
@@ -2333,7 +2304,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Check for and disable any flowbit-required rules dependent upon */
/* disabled preprocessors if this option is enabled for the interface. */
if ($snortcfg['preproc_auto_rule_disable'] == "on") {
- log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...');
snort_filter_preproc_rules($snortcfg, $fbits, true);
}
snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}");
@@ -2356,11 +2327,11 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Log a warning if the interface has no rules defined or enabled */
if ($no_rules_defined)
- log_error(gettext("[Snort] Warning - no text rules or IPS-Policy selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ..."));
+ log_error(gettext("[Snort] Warning - no text rules or IPS-Policy selected for: " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . " ..."));
/* Build a new sid-msg.map file from the enabled */
/* rules and copy it to the interface directory. */
- log_error(gettext("[Snort] Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "..."));
+ log_error(gettext("[Snort] Building new sig-msg.map file for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "..."));
snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map");
}
@@ -2485,7 +2456,7 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa
/* when flowbit-required rules are being assessed after the */
/* primary enforcing rules have been evaluated. */
/***************************************************************/
- $iface = snort_get_friendly_interface($snortcfg['interface']);
+ $iface = convert_friendly_interface_to_friendly_descr($snortcfg['interface']);
$file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log";
if ($persist_log)
$fp = fopen($file, 'a');
@@ -2551,7 +2522,7 @@ function snort_generate_conf($snortcfg) {
else
$protect_preproc_rules = "off";
- $if_real = snort_get_real_interface($snortcfg['interface']);
+ $if_real = get_real_interface($snortcfg['interface']);
$snort_uuid = $snortcfg['uuid'];
$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
@@ -2611,8 +2582,18 @@ function snort_generate_conf($snortcfg) {
/* define snortunifiedlog */
$snortunifiedlog_type = "";
- if ($snortcfg['snortunifiedlog'] == "on")
- $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128";
+ if ($snortcfg['barnyard_enable'] == "on") {
+ if (isset($snortcfg['unified2_log_limit']))
+ $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}";
+ else
+ $u2_log_limit = "limit 128";
+
+ $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}";
+ if ($snortcfg['barnyard_log_vlan_events'] == 'on')
+ $snortunifiedlog_type .= ", vlan_event_types";
+ if ($snortcfg['barnyard_log_mpls_events'] == 'on')
+ $snortunifiedlog_type .= ", mpls_event_types";
+ }
/* define spoink */
$spoink_type = "";
@@ -2621,7 +2602,7 @@ function snort_generate_conf($snortcfg) {
if ($snortcfg['blockoffenderskill'] == "on")
$pfkill = "kill";
$spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true);
- /* write whitelist */
+ /* write Pass List */
@file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist));
$spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}";
}
@@ -3170,6 +3151,49 @@ preprocessor sensitive_data: \
EOD;
+ /* define IP Reputation preprocessor */
+ if (is_array($snortcfg['blist_files']['item'])) {
+ $blist_files = "";
+ $bIsFirst = TRUE;
+ foreach ($snortcfg['blist_files']['item'] as $blist) {
+ if ($bIsFirst) {
+ $blist_files .= "blacklist " . IPREP_PATH . $blist;
+ $bIsFirst = FALSE;
+ }
+ else
+ $blist_files .= ", \\ \n\tblacklist " . IPREP_PATH . $blist;
+ }
+ }
+ if (is_array($snortcfg['wlist_files']['item'])) {
+ $wlist_files = "";
+ $bIsFirst = TRUE;
+ foreach ($snortcfg['wlist_files']['item'] as $wlist) {
+ if ($bIsFirst) {
+ $wlist_files .= "whitelist " . IPREP_PATH . $wlist;
+ $bIsFirst = FALSE;
+ }
+ else
+ $wlist_files .= ", \\ \n\twhitelist " . IPREP_PATH . $wlist;
+ }
+ }
+ if (!empty($blist_files))
+ $ip_lists = $blist_files;
+ if (!empty($wlist_files))
+ $ip_lists .= ", \\ \n" . $wlist_files;
+ if ($snortcfg['iprep_scan_local'] == 'on')
+ $ip_lists .= ", \\ \n\tscan_local";
+
+ $reputation_preproc = <<<EOD
+# IP Reputation preprocessor #
+preprocessor reputation: \
+ memcap {$snortcfg['iprep_memcap']}, \
+ priority {$snortcfg['iprep_priority']}, \
+ nested_ip {$snortcfg['iprep_nested_ip']}, \
+ white {$snortcfg['iprep_white']}, \
+ {$ip_lists}
+
+EOD;
+
/* define servers as IP variables */
$snort_servers = array (
"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
@@ -3200,11 +3224,11 @@ EOD;
"ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
);
$snort_preproc = array (
- "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc",
- "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc"
+ "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan",
+ "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc"
);
$default_disabled_preprocs = array(
- "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc"
+ "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat"
);
$snort_preprocessors = "";
foreach ($snort_preproc as $preproc) {
@@ -3754,14 +3778,7 @@ output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,src
EOD;
// Write out snort.conf file
- $conf = fopen("{$snortcfgdir}/snort.conf", "w");
- if(!$conf) {
- log_error("Could not open {$snortcfgdir}/snort.conf for writing.");
- conf_mount_ro();
- return -1;
- }
- fwrite($conf, $snort_conf_text);
- fclose($conf);
+ file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text);
conf_mount_ro();
unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type);
unset($home_net, $external_net, $ipvardef, $portvardef);
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php
index 2457b573..7acf95c3 100644
--- a/config/snort/snort_barnyard.php
+++ b/config/snort/snort_barnyard.php
@@ -5,6 +5,7 @@
*
* Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
* Copyright (C) 2008-2009 Robert Zelaya.
+ * Copyright (C) 2014 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -34,9 +35,11 @@ require_once("/usr/local/pkg/snort/snort.inc");
global $g, $rebuild_rules;
-$id = $_GET['id'];
-if (isset($_POST['id']))
+if (isset($_POST['id']) && is_numericint($_POST['id']))
$id = $_POST['id'];
+elseif (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
+
if (is_null($id)) {
header("Location: /snort/snort_interfaces.php");
exit;
@@ -47,63 +50,150 @@ if (!is_array($config['installedpackages']['snortglobal']['rule']))
$a_nat = &$config['installedpackages']['snortglobal']['rule'];
$pconfig = array();
+
+// The keys in the $retentions array are the retention period
+// converted to hours.
+$retentions = array( '0' => gettext('KEEP ALL'), '24' => gettext('1 DAY'), '168' => gettext('7 DAYS'), '336' => gettext('14 DAYS'),
+ '720' => gettext('30 DAYS'), '1080' => gettext("45 DAYS"), '2160' => gettext('90 DAYS'), '4320' => gettext('180 DAYS'),
+ '8766' => gettext('1 YEAR'), '26298' => gettext("3 YEARS") );
+
+$log_sizes = array( '0' => gettext('NO LIMIT'), '8' => gettext('8 MB'), '16' => gettext('16 MB'), '32' => gettext('32 MB'),
+ '64' => gettext('64 MB'), '128' => gettext('128 MB'), '256' => gettext('256 MB') );
+
if (isset($id) && $a_nat[$id]) {
- /* old options */
$pconfig = $a_nat[$id];
if (!empty($a_nat[$id]['barnconfigpassthru']))
$pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']);
+ if (!empty($a_nat[$id]['barnyard_dbpwd']))
+ $pconfig['barnyard_dbpwd'] = base64_decode($a_nat[$id]['barnyard_dbpwd']);
+ if (empty($a_nat[$id]['barnyard_show_year']))
+ $pconfig['barnyard_show_year'] = "on";
+ if (empty($a_nat[$id]['unified2_log_limit']))
+ $pconfig['unified2_log_limit'] = "32";
+ if (empty($a_nat[$id]['barnyard_archive_enable']))
+ $pconfig['barnyard_archive_enable'] = "on";
+ if (empty($a_nat[$id]['u2_archived_log_retention']))
+ $pconfig['u2_archived_log_retention'] = "168";
+ if (empty($a_nat[$id]['barnyard_obfuscate_ip']))
+ $pconfig['barnyard_obfuscate_ip'] = "off";
+ if (empty($a_nat[$id]['barnyard_syslog_dport']))
+ $pconfig['barnyard_syslog_dport'] = "514";
+ if (empty($a_nat[$id]['barnyard_syslog_proto']))
+ $pconfig['barnyard_syslog_proto'] = "udp";
+ if (empty($a_nat[$id]['barnyard_syslog_opmode']))
+ $pconfig['barnyard_syslog_opmode'] = "default";
+ if (empty($a_nat[$id]['barnyard_syslog_facility']))
+ $pconfig['barnyard_syslog_facility'] = "LOG_USER";
+ if (empty($a_nat[$id]['barnyard_syslog_priority']))
+ $pconfig['barnyard_syslog_priority'] = "LOG_INFO";
+ if (empty($a_nat[$id]['barnyard_bro_ids_dport']))
+ $pconfig['barnyard_bro_ids_dport'] = "47760";
}
-if (isset($_GET['dup']))
- unset($id);
+if ($_POST['save']) {
+ // Check that at least one output plugin is enabled
+ if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on' &&
+ $_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on")
+ $input_errors[] = gettext("You must enable at least one output option when using Barnyard2.");
-if ($_POST) {
+ // Validate inputs if MySQL database loggging enabled
+ if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
+ if (empty($_POST['barnyard_dbhost']))
+ $input_errors[] = gettext("Please provide a valid hostname or IP address for the MySQL database host.");
+ if (empty($_POST['barnyard_dbname']))
+ $input_errors[] = gettext("You must provide a DB instance name when logging to a MySQL database.");
+ if (empty($_POST['barnyard_dbuser']))
+ $input_errors[] = gettext("You must provide a DB user login name when logging to a MySQL database.");
+ }
+
+ // Validate inputs if syslog output enabled
+ if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
+ if ($_POST['barnyard_log_vlan_events'] == 'on' || $_POST['barnyard_log_mpls_events'] == 'on')
+ $input_errors[] = gettext("Logging of VLAN or MPLS events is not compatible with syslog output. You must disable VLAN and MPLS event type logging when using the syslog output option.");
+ }
+ if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_syslog_local'] <> 'on' &&
+ $_POST['barnyard_enable'] == "on") {
+ if (empty($_POST['barnyard_syslog_dport']) || !is_numeric($_POST['barnyard_syslog_dport']))
+ $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Syslog Remote Port.");
+ if (empty($_POST['barnyard_syslog_rhost']))
+ $input_errors[] = gettext("Please provide a valid hostname or IP address for the Syslog Remote Host.");
+ }
- foreach ($a_nat as $natent) {
- if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent))
- continue;
- if ($natent['interface'] != $_POST['interface'])
- $input_error[] = "This interface has already an instance defined";
+ // Validate inputs if Bro-IDS output enabled
+ if ($_POST['barnyard_bro_ids_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
+ if (empty($_POST['barnyard_bro_ids_dport']) || !is_numeric($_POST['barnyard_bro_ids_dport']))
+ $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Bro-IDS Remote Port.");
+ if (empty($_POST['barnyard_bro_ids_rhost']))
+ $input_errors[] = gettext("Please provide a valid hostname or IP address for the Bro-IDS Remote Host.");
}
- /* if no errors write to conf */
+ // if no errors write to conf
if (!$input_errors) {
$natent = array();
/* repost the options already in conf */
$natent = $pconfig;
$natent['barnyard_enable'] = $_POST['barnyard_enable'] ? 'on' : 'off';
- if ($_POST['barnyard_mysql']) $natent['barnyard_mysql'] = $_POST['barnyard_mysql']; else unset($natent['barnyard_mysql']);
+ $natent['barnyard_show_year'] = $_POST['barnyard_show_year'] ? 'on' : 'off';
+ $natent['barnyard_archive_enable'] = $_POST['barnyard_archive_enable'] ? 'on' : 'off';
+ $natent['barnyard_dump_payload'] = $_POST['barnyard_dump_payload'] ? 'on' : 'off';
+ $natent['barnyard_obfuscate_ip'] = $_POST['barnyard_obfuscate_ip'] ? 'on' : 'off';
+ $natent['barnyard_log_vlan_events'] = $_POST['barnyard_log_vlan_events'] ? 'on' : 'off';
+ $natent['barnyard_log_mpls_events'] = $_POST['barnyard_log_mpls_events'] ? 'on' : 'off';
+ $natent['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable'] ? 'on' : 'off';
+ $natent['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable'] ? 'on' : 'off';
+ $natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off';
+ $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off';
+ $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode'];
+ $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto'];
+
+ if ($_POST['unified2_log_limit']) $natent['unified2_log_limit'] = $_POST['unified2_log_limit']; else unset($natent['unified2_log_limit']);
+ if ($_POST['u2_archived_log_retention']) $natent['u2_archived_log_retention'] = $_POST['u2_archived_log_retention']; else unset($natent['u2_archived_log_retention']);
+ if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']);
+ if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']);
+ if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']);
+ if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']);
+ if ($_POST['barnyard_dbpwd']) $natent['barnyard_dbpwd'] = base64_encode($_POST['barnyard_dbpwd']); else unset($natent['barnyard_dbpwd']);
+ if ($_POST['barnyard_syslog_rhost']) $natent['barnyard_syslog_rhost'] = $_POST['barnyard_syslog_rhost']; else unset($natent['barnyard_syslog_rhost']);
+ if ($_POST['barnyard_syslog_dport']) $natent['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport']; else $natent['barnyard_syslog_dport'] = '514';
+ if ($_POST['barnyard_syslog_facility']) $natent['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility']; else $natent['barnyard_syslog_facility'] = 'LOG_USER';
+ if ($_POST['barnyard_syslog_priority']) $natent['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; else $natent['barnyard_syslog_priority'] = 'LOG_INFO';
+ if ($_POST['barnyard_bro_ids_rhost']) $natent['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; else unset($natent['barnyard_bro_ids_rhost']);
+ if ($_POST['barnyard_bro_ids_dport']) $natent['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; else $natent['barnyard_bro_ids_dport'] = '47760';
if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']); else unset($natent['barnconfigpassthru']);
- if ($_POST['barnyard_enable'] == "on")
- $natent['snortunifiedlog'] = 'on';
- else
- $natent['snortunifiedlog'] = 'off';
-
- if (isset($id) && $a_nat[$id])
- $a_nat[$id] = $natent;
- else {
- $a_nat[] = $natent;
- }
+ $a_nat[$id] = $natent;
write_config();
- /* No need to rebuild rules if just toggling Barnyard2 on or off */
+ // No need to rebuild rules for Barnyard2 changes
$rebuild_rules = false;
sync_snort_package_config();
- /* after click go to this page */
- header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
- header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
- header( 'Cache-Control: no-store, no-cache, must-revalidate' );
- header( 'Cache-Control: post-check=0, pre-check=0', false );
- header( 'Pragma: no-cache' );
- header("Location: snort_barnyard.php?id=$id");
- exit;
+ // If disabling Barnyard2 on the interface, stop any
+ // currently running instance. If an instance is
+ // running, signal it to reload the configuration.
+ // If Barnyard2 is enabled but not running, notify the
+ // user to restart Snort to enable Unified2 output.
+ if ($a_nat[$id]['barnyard_enable'] == "off") {
+ snort_barnyard_stop($a_nat[$id], get_real_interface($a_nat[$id]['interface']));
+ }
+ elseif ($a_nat[$id]['barnyard_enable'] == "on") {
+ if (snort_is_running($a_nat[$id]['uuid'], get_real_interface($a_nat[$id]['interface']), "barnyard2"))
+ snort_barnyard_reload_config($a_nat[$id], "HUP");
+ else {
+ // Notify user a Snort restart is required if enabling Barnyard2 for the first time
+ $savemsg = gettext("NOTE: you must restart Snort on this interface to activate unified2 logging for Barnyard2.");
+ }
+ }
+ $pconfig = $natent;
+ }
+ else {
+ // We had errors, so save previous field data to prevent retyping
+ $pconfig = $_POST;
}
}
-$if_friendly = snort_get_friendly_interface($pconfig['interface']);
+$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']);
$pgtitle = gettext("Snort: Interface {$if_friendly} - Barnyard2 Settings");
include_once("head.inc");
@@ -111,21 +201,6 @@ include_once("head.inc");
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
-<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?>
-
-<script language="JavaScript">
-<!--
-
-function enable_change(enable_change) {
- endis = !(document.iform.barnyard_enable.checked || enable_change);
- // make shure a default answer is called if this is envoked.
- endis2 = (document.iform.barnyard_enable);
-
- document.iform.barnyard_mysql.disabled = endis;
- document.iform.barnconfigpassthru.disabled = endis;
-}
-//-->
-</script>
<?php
@@ -138,10 +213,10 @@ function enable_change(enable_change) {
print_info_box($savemsg);
}
- ?>
+?>
-<form action="snort_barnyard.php" method="post"
- enctype="multipart/form-data" name="iform" id="iform">
+<form action="snort_barnyard.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id;?>" /> </td>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
<?php
@@ -149,23 +224,25 @@ function enable_change(enable_change) {
$tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php");
$tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php");
$tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php");
- $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php");
+ $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}");
$tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php");
- $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php");
+ $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
- $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
- display_top_tabs($tab_array);
+ $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
+ $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td>';
$menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");
- $tab_array = array();
- $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}");
- display_top_tabs($tab_array);
+ $tab_array = array();
+ $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}");
+ display_top_tabs($tab_array, true);
?>
</td></tr>
<tr>
@@ -178,46 +255,274 @@ function enable_change(enable_change) {
<tr>
<td width="22%" valign="top" class="vncellreq"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable">
- <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)">
+ <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)"/>
<strong><?php echo gettext("Enable Barnyard2"); ?></strong><br/>
- <?php echo gettext("This will enable barnyard2 for this interface. You will also have to set the database credentials."); ?></td>
+ <?php echo gettext("This will enable barnyard2 for this interface. You will also to enable at least one logging destination below."); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Show Year"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_show_year" type="checkbox" value="on" <?php if ($pconfig['barnyard_show_year'] == "on") echo "checked"; ?>/>
+ <?php echo gettext("Enable the year being shown in timestamps. Default value is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Unified2 Log Limit"); ?></td>
+ <td width="78%" class="vtable"><select name="unified2_log_limit" class="formselect" id="unified2_log_limit">
+ <?php foreach ($log_sizes as $k => $p): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['unified2_log_limit']) echo "selected"; ?>>
+ <?=htmlspecialchars($p);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;<?php echo gettext("Choose a Unified2 Log file size limit in megabytes (MB). Default is "); ?><strong><?=gettext("32 MB.");?></strong><br/><br/>
+ <?php echo gettext("This sets the maximum size for a Unified2 Log file before it is rotated and a new one created."); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Archive Unified2 Logs"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_archive_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_archive_enable'] == "on") echo "checked"; ?>/>
+ <?php echo gettext("Enable the archiving of processed unified2 log files. Default value is ") . "<strong>" . gettext("Checked") . "</strong>"; ?><br/>
+ <?php echo gettext("Unified2 log files will be moved to an archive folder for subsequent cleanup when processed."); ?>
+ </td>
+ </tr>
+ <tr>
+ <td class="vncell" width="22%" valign="top"><?=gettext("Unified2 Archived Log Retention Period");?></td>
+ <td width="78%" class="vtable"><select name="u2_archived_log_retention" class="formselect" id="u2_archived_log_retention">
+ <?php foreach ($retentions as $k => $p): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['u2_archived_log_retention']) echo "selected"; ?>>
+ <?=htmlspecialchars($p);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;<?=gettext("Choose retention period for archived Barnyard2 binary log files. Default is ") . "<strong>" . gettext("7 days."). "</strong>";?><br/><br/>
+ <?=gettext("When Barnyard2 output is enabled, Snort writes event data to a binary format file that Barnyard2 reads and processes. ") .
+ gettext("When finished processing a file, Barnyard2 moves it to an archive folder. This setting determines how long files ") .
+ gettext("remain in the archive folder before they are automatically deleted.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Dump Payload"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_dump_payload" type="checkbox" value="on" <?php if ($pconfig['barnyard_dump_payload'] == "on") echo "checked"; ?>/>
+ <?php echo gettext("Enable dumping of application data from unified2 files. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Obfuscate IP Addresses"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_obfuscate_ip" type="checkbox" value="on" <?php if ($pconfig['barnyard_obfuscate_ip'] == "on") echo "checked"; ?>/>
+ <?php echo gettext("Enable obfuscation of logged IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?>
+ </td>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Log VLAN Events"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_log_vlan_events" type="checkbox" value="on" <?php if ($pconfig['barnyard_log_vlan_events'] == "on") echo "checked"; ?>/>
+ <?php echo gettext("Enable logging of VLAN event types in unified2 files. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Log MPLS Events"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_log_mpls_events" type="checkbox" value="on" <?php if ($pconfig['barnyard_log_mpls_events'] == "on") echo "checked"; ?>/>
+ <?php echo gettext("Enable logging of MPLS event types in unified2 files. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensor Name"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_sensor_name" type="text" class="formfld unknown"
+ id="barnyard_sensor_name" size="25" value="<?=htmlspecialchars($pconfig['barnyard_sensor_name']);?>"/>
+ &nbsp;<?php echo gettext("Unique name for this sensor. Leave blank to use internal default."); ?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Settings"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable MySQL Database"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_mysql_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_mysql_enable'] == "on") echo "checked"; ?>
+ onClick="toggle_mySQL()"/><?php echo gettext("Enable logging of alerts to a MySQL database instance"); ?><br/>
+ <?php echo gettext("You will also have to provide the database credentials in the fields below."); ?></td>
+ </tr>
+ <tbody id="mysql_config_rows">
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Database Host"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_dbhost" type="text" class="formfld host"
+ id="barnyard_dbhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbhost']);?>"/>
+ &nbsp;<?php echo gettext("Hostname or IP address of the MySQL database server"); ?>
+ </td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td>
- <td width="78%" class="vtable"><input name="barnyard_mysql"
- type="text" class="formfld unknown" id="barnyard_mysql" style="width:95%;" size="85"
- value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br/>
- <span class="vexpl"><?php echo gettext("Example: output database: alert, mysql, " .
- "dbname=snort user=snort host=localhost password=xyz"); ?><br/>
- <?php echo gettext("Example: output database: log, mysql, dbname=snort user=snort " .
- "host=localhost password=xyz"); ?></span></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Database Name"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_dbname" type="text" class="formfld unknown"
+ id="barnyard_dbname" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbname']);?>"/>
+ &nbsp;<?php echo gettext("Instance or DB name of the MySQL database"); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Database User Name"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_dbuser" type="text" class="formfld user"
+ id="barnyard_dbuser" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbuser']);?>"/>
+ &nbsp;<?php echo gettext("Username for the MySQL database"); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Database User Password"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_dbpwd" type="password" class="formfld pwd"
+ id="barnyard_dbpwd" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbpwd']);?>"/>
+ &nbsp;<?php echo gettext("Password for the MySQL database user"); ?>
+ </td>
</tr>
+ </tbody>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Syslog Output Settings"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Syslog"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_syslog_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_syslog_enable'] == "on") echo "checked"; ?>
+ onClick="toggle_syslog()"/>
+ <?php echo gettext("Enable logging of alerts to a syslog receiver"); ?><br/>
+ <?php echo gettext("This will send alert data to either a local or remote syslog receiver."); ?></td>
+ </tr>
+ <tbody id="syslog_config_rows">
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Operation Mode"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_syslog_opmode" type="radio" id="barnyard_syslog_opmode_default"
+ value="default" <?php if ($pconfig['barnyard_syslog_opmode'] == 'default') echo "checked";?>/>
+ <?php echo gettext("DEFAULT"); ?>&nbsp;<input name="barnyard_syslog_opmode" type="radio" id="barnyard_syslog_opmode_complete"
+ value="complete" <?php if ($pconfig['barnyard_syslog_opmode'] == 'complete') echo "checked";?>/>
+ <?php echo gettext("COMPLETE"); ?>&nbsp;&nbsp;
+ <?php echo gettext("Select the level of detail to include when reporting"); ?><br/><br/>
+ <?php echo gettext("DEFAULT mode is compatible with the standard Snort syslog format. COMPLETE mode includes additional information such as the raw packet data (displayed in hex format)."); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Local Only"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_syslog_local" type="checkbox" value="on" <?php if ($pconfig['barnyard_syslog_local'] == "on") echo "checked"; ?>
+ onClick="toggle_local_syslog()"/>
+ <?php echo gettext("Enable logging of alerts to the local system only"); ?><br/>
+ <?php echo gettext("This will send alert data to the local system only and overrides the host, port, protocol, facility and priority values below."); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Host"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_syslog_rhost" type="text" class="formfld host"
+ id="barnyard_syslog_rhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_syslog_rhost']);?>"/>
+ &nbsp;<?php echo gettext("Hostname or IP address of remote syslog host"); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Port"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_syslog_dport" type="text" class="formfld unknown"
+ id="barnyard_syslog_dport" size="25" value="<?=htmlspecialchars($pconfig['barnyard_syslog_dport']);?>"/>
+ &nbsp;<?php echo gettext("Port number for syslog on remote host. Default is ") . "<strong>" . gettext("514") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_syslog_proto" type="radio" id="barnyard_syslog_proto_udp"
+ value="udp" <?php if ($pconfig['barnyard_syslog_proto'] == 'udp') echo "checked";?>/>
+ <?php echo gettext("UDP"); ?>&nbsp;<input name="barnyard_syslog_proto" type="radio" id="barnyard_syslog_proto_tcp"
+ value="tcp" <?php if ($pconfig['barnyard_syslog_proto'] == 'tcp') echo "checked";?>/>
+ <?php echo gettext("TCP"); ?>&nbsp;&nbsp;
+ <?php echo gettext("Select IP protocol to use for remote reporting. Default is ") . "<strong>" . gettext("UDP") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Facility"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="barnyard_syslog_facility" id="barnyard_syslog_facility" class="formselect">
+ <?php
+ $log_facility = array( "LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_KERN", "LOG_SYSLOG", "LOG_USER", "LOG_LOCAL1",
+ "LOG_LOCAL2", "LOG_LOCAL3", "LOG_LOCAL4", "LOG_LOCAL5", "LOG_LOCAL6", "LOG_LOCAL7" );
+ foreach ($log_facility as $facility) {
+ $selected = "";
+ if ($facility == $pconfig['barnyard_syslog_facility'])
+ $selected = " selected";
+ echo "<option value='{$facility}'{$selected}>" . $facility . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select Syslog Facility to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_USER") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Priority"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="barnyard_syslog_priority" id="barnyard_syslog_priority" class="formselect">
+ <?php
+ $log_priority = array( "LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR", "LOG_WARNING", "LOG_NOTICE", "LOG_INFO" );
+ foreach ($log_priority as $priority) {
+ $selected = "";
+ if ($priority == $pconfig['barnyard_syslog_priority'])
+ $selected = " selected";
+ echo "<option value='{$priority}'{$selected}>" . $priority . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select Syslog Priority (Level) to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_INFO") . "</strong>."; ?>
+ </td>
+ </tr>
+ </tbody>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Bro-IDS Output Settings"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Bro-IDS"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_bro_ids_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_bro_ids_enable'] == "on") echo "checked"; ?>
+ onClick="toggle_bro_ids()"/>
+ <?php echo gettext("Enable logging of alerts to a Bro-IDS receiver"); ?><br/>
+ <?php echo gettext("This will send alert data to either a local or remote Bro-IDS receiver."); ?></td>
+ </tr>
+ <tbody id="bro_ids_config_rows">
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Host"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_bro_ids_rhost" type="text" class="formfld host"
+ id="barnyard_bro_ids_rhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_rhost']);?>"/>
+ &nbsp;<?php echo gettext("Hostname or IP address of remote Bro-IDS host"); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Port"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_bro_ids_dport" type="text" class="formfld unknown"
+ id="barnyard_bro_ids_dport" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_dport']);?>"/>
+ &nbsp;<?php echo gettext("Port number for Bro-IDS instance on remote host. Default is ") . "<strong>" . gettext("47760") . "</strong>."; ?>
+ </td>
+ </tr>
+ </tbody>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Advanced Settings"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Advanced configuration " .
- "pass through"); ?></td>
+ "pass-through"); ?></td>
<td width="78%" class="vtable"><textarea name="barnconfigpassthru" style="width:95%;"
cols="65" rows="7" id="barnconfigpassthru" ><?=htmlspecialchars($pconfig['barnconfigpassthru']);?></textarea>
<br/>
- <?php echo gettext("Arguments here will be automatically inserted into the running " .
+ <?php echo gettext("Arguments entered here will be automatically inserted into the running " .
"barnyard2 configuration."); ?></td>
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save">
- <input name="id" type="hidden" value="<?=$id;?>"> </td>
+ <input name="save" type="submit" class="formbtn" value="Save" title="<?=gettext("Save Barnyard2 configuration");?>" />
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span></span>
<br/>
- <?php echo gettext("Please save your settings before you click start."); ?> </td>
+ <?php echo gettext("Remember to save your settings before you leave this tab."); ?> </td>
</tr>
</table>
</div>
@@ -225,10 +530,105 @@ function enable_change(enable_change) {
</tr>
</table>
</form>
+
<script language="JavaScript">
-<!--
+function toggle_mySQL() {
+ var endis = !document.iform.barnyard_mysql_enable.checked;
+
+ document.iform.barnyard_dbhost.disabled = endis;
+ document.iform.barnyard_dbname.disabled = endis;
+ document.iform.barnyard_dbuser.disabled = endis;
+ document.iform.barnyard_dbpwd.disabled = endis;
+
+ if (endis)
+ document.getElementById("mysql_config_rows").style.display = "none";
+ else
+ document.getElementById("mysql_config_rows").style.display = "";
+}
+
+function toggle_syslog() {
+ var endis = !document.iform.barnyard_syslog_enable.checked;
+
+ document.iform.barnyard_syslog_opmode_default.disabled = endis;
+ document.iform.barnyard_syslog_opmode_complete.disabled = endis;
+ document.iform.barnyard_syslog_local.disabled = endis;
+ document.iform.barnyard_syslog_rhost.disabled = endis;
+ document.iform.barnyard_syslog_dport.disabled = endis;
+ document.iform.barnyard_syslog_proto_udp.disabled = endis;
+ document.iform.barnyard_syslog_proto_tcp.disabled = endis;
+ document.iform.barnyard_syslog_facility.disabled = endis;
+ document.iform.barnyard_syslog_priority.disabled = endis;
+
+ if (endis)
+ document.getElementById("syslog_config_rows").style.display = "none";
+ else
+ document.getElementById("syslog_config_rows").style.display = "";
+}
+
+function toggle_local_syslog() {
+ var endis = document.iform.barnyard_syslog_local.checked;
+
+ if (document.iform.barnyard_syslog_enable.checked) {
+ document.iform.barnyard_syslog_rhost.disabled = endis;
+ document.iform.barnyard_syslog_dport.disabled = endis;
+ document.iform.barnyard_syslog_proto_udp.disabled = endis;
+ document.iform.barnyard_syslog_proto_tcp.disabled = endis;
+ document.iform.barnyard_syslog_facility.disabled = endis;
+ document.iform.barnyard_syslog_priority.disabled = endis;
+ }
+}
+
+function toggle_bro_ids() {
+ var endis = !document.iform.barnyard_bro_ids_enable.checked;
+
+ document.iform.barnyard_bro_ids_rhost.disabled = endis;
+ document.iform.barnyard_bro_ids_dport.disabled = endis;
+
+ if (endis)
+ document.getElementById("bro_ids_config_rows").style.display = "none";
+ else
+ document.getElementById("bro_ids_config_rows").style.display = "";
+}
+
+function enable_change(enable_change) {
+ endis = !(document.iform.barnyard_enable.checked || enable_change);
+ // make sure a default answer is called if this is invoked.
+ endis2 = (document.iform.barnyard_enable);
+ document.iform.unified2_log_limit.disabled = endis;
+ document.iform.barnyard_archive_enable.disabled = endis;
+ document.iform.u2_archived_log_retention.disabled = endis;
+ document.iform.barnyard_show_year.disabled = endis;
+ document.iform.barnyard_dump_payload.disabled = endis;
+ document.iform.barnyard_obfuscate_ip.disabled = endis;
+ document.iform.barnyard_log_vlan_events.disabled = endis;
+ document.iform.barnyard_log_mpls_events.disabled = endis;
+ document.iform.barnyard_sensor_name.disabled = endis;
+ document.iform.barnyard_mysql_enable.disabled = endis;
+ document.iform.barnyard_dbhost.disabled = endis;
+ document.iform.barnyard_dbname.disabled = endis;
+ document.iform.barnyard_dbuser.disabled = endis;
+ document.iform.barnyard_dbpwd.disabled = endis;
+ document.iform.barnyard_syslog_enable.disabled = endis;
+ document.iform.barnyard_syslog_local.disabled = endis;
+ document.iform.barnyard_syslog_opmode_default.disabled = endis;
+ document.iform.barnyard_syslog_opmode_complete.disabled = endis;
+ document.iform.barnyard_syslog_rhost.disabled = endis;
+ document.iform.barnyard_syslog_dport.disabled = endis;
+ document.iform.barnyard_syslog_proto_udp.disabled = endis;
+ document.iform.barnyard_syslog_proto_tcp.disabled = endis;
+ document.iform.barnyard_syslog_facility.disabled = endis;
+ document.iform.barnyard_syslog_priority.disabled = endis;
+ document.iform.barnyard_bro_ids_enable.disabled = endis;
+ document.iform.barnyard_bro_ids_rhost.disabled = endis;
+ document.iform.barnyard_bro_ids_dport.disabled = endis;
+ document.iform.barnconfigpassthru.disabled = endis;
+}
+
enable_change(false);
-//-->
+toggle_mySQL();
+toggle_syslog();
+toggle_local_syslog();
+toggle_bro_ids();
</script>
<?php include("fend.inc"); ?>
</body>