diff options
Diffstat (limited to 'config/snort')
-rwxr-xr-x | config/snort/snort.inc | 639 | ||||
-rw-r--r-- | config/snort/snort_barnyard.php | 562 |
2 files changed, 809 insertions, 392 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 847a0dba..1c9c5cd6 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -51,10 +51,10 @@ $snortver = array(); exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); $snort_version = $snortver[0]; if (empty($snort_version)) - $snort_version = "2.9.5.6"; + $snort_version = "2.9.6.0"; /* package version */ -$pfSense_snort_version = "3.0.4"; +$pfSense_snort_version = "3.0.5"; $snort_package_version = "Snort {$snort_version} pkg v{$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to pfSense version @@ -81,6 +81,7 @@ define("VRT_FILE_PREFIX", "snort_"); define("GPL_FILE_PREFIX", "GPLv2_"); define("ET_OPEN_FILE_PREFIX", "emerging-"); define("ET_PRO_FILE_PREFIX", "etpro-"); +define("IPREP_PATH", "/var/db/snort/iprep/"); /* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */ $rebuild_rules = false; @@ -498,21 +499,18 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { return $valresult; } -/* checks to see if service is running yes/no and stop/start */ +/* checks to see if service is running */ function snort_is_running($snort_uuid, $if_real, $type = 'snort') { global $config, $g; - if (file_exists("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid")) - return 'yes'; - - return 'no'; + return isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid"); } function snort_barnyard_stop($snortcfg, $if_real) { global $config, $g; $snort_uuid = $snortcfg['uuid']; - if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { + if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { log_error("[Snort] Barnyard2 STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); } @@ -522,7 +520,7 @@ function snort_stop($snortcfg, $if_real) { global $config, $g; $snort_uuid = $snortcfg['uuid']; - if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + if (isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { log_error("[Snort] Snort STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); } @@ -534,12 +532,13 @@ function snort_barnyard_start($snortcfg, $if_real) { global $config, $g; $snortdir = SNORTDIR; + $snortlogdir = SNORTLOGDIR; $snort_uuid = $snortcfg['uuid']; /* define snortbarnyardlog_chk */ - if ($snortcfg['barnyard_enable'] == 'on' && !empty($snortcfg['barnyard_mysql'])) { + if ($snortcfg['barnyard_enable'] == 'on') { log_error("[Snort] Barnyard2 START for {$snortcfg['descr']}({$if_real})..."); - exec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q"); + mwexec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q"); } } @@ -547,11 +546,12 @@ function snort_start($snortcfg, $if_real) { global $config, $g; $snortdir = SNORTDIR; + $snortlogdir = SNORTLOGDIR; $snort_uuid = $snortcfg['uuid']; if ($snortcfg['enable'] == 'on') { log_error("[Snort] Snort START for {$snortcfg['descr']}({$if_real})..."); - exec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + mwexec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); } else return; @@ -575,64 +575,44 @@ function snort_reload_config($snortcfg, $signal="SIGHUP") { $snortdir = SNORTDIR; $snort_uuid = $snortcfg['uuid']; - $if_real = snort_get_real_interface($snortcfg['interface']); + $if_real = get_real_interface($snortcfg['interface']); /******************************************************/ /* Only send the SIGHUP if Snort is running and we */ /* can find a valid PID for the process. */ /******************************************************/ - if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + if (isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']} ({$if_real})..."); - exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); + mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); } } -function snort_get_friendly_interface($interface) { - - if (function_exists('convert_friendly_interface_to_friendly_descr')) - $iface = convert_friendly_interface_to_friendly_descr($interface); - else { - if (!$interface || ($interface == "wan")) - $iface = "WAN"; - else if(strtolower($interface) == "lan") - $iface = "LAN"; - else if(strtolower($interface) == "pppoe") - $iface = "PPPoE"; - else if(strtolower($interface) == "pptp") - $iface = "PPTP"; - else - $iface = strtoupper($interface); - } - - return $iface; -} +function snort_barnyard_reload_config($snortcfg, $signal="HUP") { -/* get the real iface name of wan */ -function snort_get_real_interface($interface) { - global $config; + /**************************************************************/ + /* This function sends the passed SIGNAL to the Barnyard2 */ + /* instance on the passed interface to cause Barnyard to */ + /* reload and parse the running configuration without */ + /* impacting packet processing. It also executes the reload */ + /* as a background process and returns control immediately */ + /* to the caller. */ + /* */ + /* $signal = HUP (default) parses and reloads config. */ + /**************************************************************/ + global $g; - $lc_interface = strtolower($interface); - if (function_exists('get_real_interface')) - return get_real_interface($lc_interface); - else { - if ($lc_interface == "lan") { - if ($config['inerfaces']['lan']) - return $config['interfaces']['lan']['if']; - return $interface; - } - if ($lc_interface == "wan") - return $config['interfaces']['wan']['if']; - $ifdescrs = array(); - for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { - $ifname = "opt{$j}"; - if(strtolower($ifname) == $lc_interface) - return $config['interfaces'][$ifname]['if']; - if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface)) - return $config['interfaces'][$ifname]['if']; - } - } + $snortdir = SNORTDIR; + $snort_uuid = $snortcfg['uuid']; + $if_real = get_real_interface($snortcfg['interface']); - return $interface; + /******************************************************/ + /* Only send the SIGHUP if Barnyard2 is running and */ + /* we can find a valid PID for the process. */ + /******************************************************/ + if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Barnyard2 CONFIG RELOAD initiated for {$snortcfg['descr']} ({$if_real})..."); + mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); + } } /* @@ -650,7 +630,7 @@ function snort_post_delete_logs($snort_uuid = 0) { foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { if ($value['uuid'] != $snort_uuid) continue; - $if_real = snort_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}"; if ($if_real != '') { @@ -661,18 +641,14 @@ function snort_post_delete_logs($snort_uuid = 0) { @unlink($file); /* Clean-up packet capture files if any exist */ - $filelist = glob("{$snort_log_dir}/snort.log.*"); - foreach ($filelist as $file) - @unlink($file); + unlink_if_exists("{$snort_log_dir}/snort.log.*"); - /* Clean-up stats files if they are enabled */ - if ($value['perform_stat'] == 'on') { - $fd = fopen("{$snort_log_dir}/{$if_real}.stats", "w"); - if ($fd) { - ftruncate($fd, 0); - fclose($fd); - } - } + /* Clean-up Barnyard2 archived files if any exist */ + unlink_if_exists("{$snort_log_dir}/barnyard2/archive/*"); + + /* Clean-up stats file if enabled */ + if ($value['perform_stat'] == 'on') + file_put_contents("{$snort_log_dir}/{$if_real}.stats", ""); } } } @@ -686,62 +662,16 @@ function snort_Getdirsize($node) { return substr( $blah, 0, strpos($blah, 9) ); } -/* func for log dir size limit cron */ -function snort_snortloglimit_install_cron($should_install) { - global $config, $g; - - if (!is_array($config['cron']['item'])) - $config['cron']['item'] = array(); +function snort_snortloglimit_install_cron($should_install=TRUE) { - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], 'snort_check_cron_misc.inc')) { - $is_installed = true; - break; - } - $x++; - } - - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "*/5"; - $cron_item['hour'] = "*"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc"; - $config['cron']['item'][] = $cron_item; - } - break; - case false: - if($is_installed == true) - unset($config['cron']['item'][$x]); - break; - } + install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc", $should_install, "*/5"); } -/* func for updating cron */ function snort_rm_blocked_install_cron($should_install) { global $config, $g; - if (!is_array($config['cron']['item'])) - $config['cron']['item'] = array(); - - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "15m_b") { $snort_rm_blocked_min = "*/2"; $snort_rm_blocked_hr = "*"; @@ -822,46 +752,15 @@ function snort_rm_blocked_install_cron($should_install) { $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "2419200"; } - switch($should_install) { - case true: - $cron_item = array(); - $cron_item['minute'] = $snort_rm_blocked_min; - $cron_item['hour'] = $snort_rm_blocked_hr; - $cron_item['mday'] = $snort_rm_blocked_mday; - $cron_item['month'] = $snort_rm_blocked_month; - $cron_item['wday'] = $snort_rm_blocked_wday; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - - /* Add cron job if not already installed, else just update the existing one */ - if (!$is_installed) - $config['cron']['item'][] = $cron_item; - elseif ($is_installed) - $config['cron']['item'][$x] = $cron_item; - break; - case false: - if ($is_installed == true) - unset($config['cron']['item'][$x]); - break; - } + + $command = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + install_cron_job($command, $should_install, $snort_rm_blocked_min, $snort_rm_blocked_hr, $snort_rm_blocked_mday, $snort_rm_blocked_month, $snort_rm_blocked_wday, "root"); } /* func to install snort update */ function snort_rules_up_install_cron($should_install) { global $config, $g; - if(!$config['cron']['item']) - $config['cron']['item'] = array(); - - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; /* See if a customized start time has been set for rule file updates */ @@ -924,28 +823,9 @@ function snort_rules_up_install_cron($should_install) { $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } - switch($should_install) { - case true: - $cron_item = array(); - $cron_item['minute'] = $snort_rules_up_min; - $cron_item['hour'] = $snort_rules_up_hr; - $cron_item['mday'] = $snort_rules_up_mday; - $cron_item['month'] = $snort_rules_up_month; - $cron_item['wday'] = $snort_rules_up_wday; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php"; - - /* Add cron job if not already installed, else just update the existing one */ - if (!$is_installed) - $config['cron']['item'][] = $cron_item; - elseif ($is_installed) - $config['cron']['item'][$x] = $cron_item; - break; - case false: - if($is_installed == true) - unset($config['cron']['item'][$x]); - break; - } + + $command = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php"; + install_cron_job($command, $should_install, $snort_rules_up_min, $snort_rules_up_hr, $snort_rules_up_mday, $snort_rules_up_month, $snort_rules_up_wday, "root"); } /* Only run when all ifaces needed to sync. Expects filesystem rw */ @@ -967,14 +847,14 @@ function sync_snort_package_config() { $snortconf = $config['installedpackages']['snortglobal']['rule']; foreach ($snortconf as $value) { - $if_real = snort_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); /* create a snort.conf file for interface */ snort_generate_conf($value); /* create barnyard2.conf file for interface */ if ($value['barnyard_enable'] == 'on') - snort_create_barnyard2_conf($value, $if_real); + snort_generate_barnyard2_conf($value, $if_real); } /* create snort bootup file snort.sh only create once */ @@ -982,7 +862,7 @@ function sync_snort_package_config() { $snortglob = $config['installedpackages']['snortglobal']; - snort_snortloglimit_install_cron($snortglob['snortloglimit'] == 'on' ? true : false); + snort_snortloglimit_install_cron(true); /* set the snort block hosts time IMPORTANT */ snort_rm_blocked_install_cron($snortglob['rm_blocked'] != "never_b" ? true : false); @@ -1004,7 +884,19 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /*************************************************************/ /* This function reads all the rules file in the passed */ /* $rules_path variable and produces a properly formatted */ - /* sid-msg.map file for use by Snort and/or barnyard2. */ + /* sid-msg.map v2 file for use by Snort and/or barnyard2. */ + /* */ + /* This function produces the new v2 format sid-msg.map */ + /* with the field layout as follows: */ + /* */ + /* GID || SID || REV || CLASSTYPE || PRI || MSG || REF ... */ + /* */ + /* On Entry: $rules_path --> array or directory of files */ + /* or a single file containing */ + /* the rules to read. */ + /* $sid_file --> the complete destination path */ + /* and filename for the output */ + /* sid-msg.map file. */ /*************************************************************/ $sidMap = array(); @@ -1013,7 +905,7 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /* First check if we were passed a directory, a single file */ /* or an array of filenames to read. Set our $rule_files */ /* variable accordingly. If we can't figure it out, return */ - /* and don't write a sid_msg_map file. */ + /* and don't write a sid-msg.map file. */ if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); @@ -1066,7 +958,11 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { $record = ""; /* Parse the rule to find sid and any references. */ + $gid = '1'; // default to 1 for regular rules $sid = ''; + $rev = ''; + $classtype = 'NOCLASS'; // required default for v2 format + $priority = '0'; // required default for v2 format $msg = ''; $matches = ''; $sidEntry = ''; @@ -1074,23 +970,32 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { $msg = trim($matches[1]); if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) $sid = trim($matches[1]); - if (!empty($sid) && !empty($msg)) { - $sidEntry = $sid . ' || ' . $msg; + if (preg_match('/\bgid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + $gid = trim($matches[1]); + if (preg_match('/\brev\s*:\s*([^\;]+)/i', $rule, $matches)) + $rev = trim($matches[1]); + if (preg_match('/\bclasstype\s*:\s*([^\;]+)/i', $rule, $matches)) + $classtype = trim($matches[1]); + if (preg_match('/\bpriority\s*:\s*([^\;]+)/i', $rule, $matches)) + $priority = trim($matches[1]); + + if (!empty($gid) && !empty($sid) && !empty($msg)) { + $sidEntry = $gid . ' || ' . $sid . ' || ' . $rev . ' || ' . $classtype . ' || '; + $sidEntry .= $priority . ' || ' . $msg; preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); foreach ($matches[1] as $ref) $sidEntry .= " || " . trim($ref); $sidEntry .= "\n"; - if (!is_array($sidMap[$sid])) - $sidMap[$sid] = array(); - $sidMap[$sid] = $sidEntry; + $sidMap[] = $sidEntry; } } } - /* Sort the generated sid-msg map by sid */ - ksort($sidMap); + /* Sort the generated sid-msg map */ + natcasesort($sidMap); /* Now print the result to the supplied file */ - @file_put_contents($sid_file, array_values($sidMap)); + @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Snort.\n\n"); + @file_put_contents($sid_file, array_values($sidMap), FILE_APPEND); } function snort_merge_reference_configs($cfg_in, $cfg_out) { @@ -1211,7 +1116,7 @@ function snort_load_rules_map($rules_path) { * Read all the rules into the map array. * The structure of the map array is: * - * map[gid][sid]['rule']['category']['disabled']['flowbits'] + * map[gid][sid]['rule']['category']['disabled']['action']['flowbits'] * * where: * gid = Generator ID from rule, or 1 if general text @@ -1221,6 +1126,7 @@ function snort_load_rules_map($rules_path) { * category = File name of file containing the rule * disabled = 1 if rule is disabled (commented out), 0 if * rule is enabled + * action = alert|log|pass|drop|reject|sdrop * flowbits = Array of applicable flowbits if rule contains * flowbits options ***************************************************************/ @@ -1267,7 +1173,7 @@ function snort_load_rules_map($rules_path) { /* Skip any non-rule lines unless we're in */ /* multiline mode. */ - if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) + if (!preg_match('/^\s*#*\s*(alert|log|pass|drop|reject|sdrop)/i', $rule) && !$b_Multiline) continue; /* Test for a multi-line rule; loop and reassemble */ @@ -1312,6 +1218,13 @@ function snort_load_rules_map($rules_path) { else $map_ref[$gid][$sid]['disabled'] = 0; + /* Grab the rule action (this is for a future option) */ + $matches = array(); + if (preg_match('/^\s*#*\s*(alert|log|pass|drop|reject|sdrop)/i', $rule, $matches)) + $map_ref[$gid][$sid]['action'] = $matches[1]; + else + $map_ref[$gid][$sid]['action'] = ""; + /* Grab any associated flowbits from the rule. */ $map_ref[$gid][$sid]['flowbits'] = snort_get_flowbits($rule); @@ -1829,9 +1742,10 @@ function snort_create_rc() { /* after any changes to snort.conf saved in the GUI. */ /*********************************************************/ - global $config, $g; + global $config, $g, $pfs_version; $snortdir = SNORTDIR; + $snortlogdir = SNORTLOGDIR; $rcdir = RCFILEPREFIX; // If no interfaces are configured for Snort, exit @@ -1845,36 +1759,37 @@ function snort_create_rc() { $start_snort_iface_start = array(); $start_snort_iface_stop = array(); + // If not using PBI package, then make sure Barnyard2 can + // find the latest MySQL shared libs in /usr/local/lib/mysql + if ($pfs_version < 2.1) { + $sql_lib_path = "\n# Ensure MySQL shared libs are in ldconfig search path\n"; + $sql_lib_path .= "/sbin/ldconfig -m /usr/local/lib/mysql"; + $start_snort_iface_start[] = $sql_lib_path; + } + // Loop thru each configured interface and build // the shell script. foreach ($snortconf as $value) { + // Skip disabled Snort interfaces + if ($value['enable'] <> 'on') + continue; $snort_uuid = $value['uuid']; - $if_real = snort_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); $start_barnyard = <<<EOE if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then - pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "` + pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "` else pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` fi if [ ! -z \$pid ]; then - /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." - /bin/pkill \$pid -a - time=0 timeout=30 - while kill -0 \$pid 2>/dev/null; do - sleep 1 - time=\$((time+1)) - if [ \$time -gt \$timeout ]; then - break - fi - done - if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then - /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid - fi + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill -HUP \$pid + else + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..." + /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q fi - /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..." - /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q EOE; $stop_barnyard2 = <<<EOE @@ -1895,7 +1810,7 @@ EOE; /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid fi else - pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "` + pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "` if [ ! -z \$pid ]; then /bin/pkill -f "barnyard2 -r {$snort_uuid} " time=0 timeout=30 @@ -1910,7 +1825,7 @@ EOE; fi EOE; - if ($value['barnyard_enable'] == 'on' && !empty($value['barnyard_mysql'])) + if ($value['barnyard_enable'] == 'on') $start_barnyard2 = $start_barnyard; else $start_barnyard2 = $stop_barnyard2; @@ -1920,7 +1835,7 @@ EOE; ###### For Each Iface # Start snort and barnyard2 if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then - pid=`/bin/pgrep -f "snort -R {$snort_uuid} "` + pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "` else pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` fi @@ -1930,7 +1845,7 @@ EOE; /bin/pkill -HUP \$pid else /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..." - /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + /usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} fi sleep 2 @@ -1956,10 +1871,10 @@ EOE; /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid fi else - pid=`/bin/pgrep -f "snort -R {$snort_uuid} "` + pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "` if [ ! -z \$pid ]; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." - /bin/pkill -f "snort -R {$snort_uuid} " + /bin/pkill -fn "snort -R {$snort_uuid} " time=0 timeout=30 while kill -0 \$pid 2>/dev/null; do sleep 1 @@ -2019,79 +1934,119 @@ EOD; @chmod("{$rcdir}/snort.sh", 0755); } -/* open barnyard2.conf for writing */ -function snort_create_barnyard2_conf($snortcfg, $if_real) { - global $config, $g; - - $snortdir = SNORTDIR; - $snort_uuid = $snortcfg['uuid']; - - if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) - exec("/usr/bin/touch {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); - - if (!file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { - @touch("/var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo"); - mwexec("/bin/chmod 770 /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); - } - - $barnyard2_conf_text = snort_generate_barnyard2_conf($snortcfg, $if_real); +function snort_generate_barnyard2_conf($snortcfg, $if_real) { - /* write out barnyard2_conf */ - @file_put_contents("{$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", $barnyard2_conf_text); -} + /****************************************************/ + /* This function creates the barnyard2.conf config */ + /* file for the passed interface when Barnyard2 is */ + /* enabled. */ + /****************************************************/ -/* open barnyard2.conf for writing" */ -function snort_generate_barnyard2_conf($snortcfg, $if_real) { global $config, $g; - $snortdir = SNORTDIR; $snort_uuid = $snortcfg['uuid']; + $snortdir = SNORTDIR; + $snortcfgdir = SNORTDIR . "/snort_{$snort_uuid}_{$if_real}"; + $snortlogdir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}"; + + // Create required directories for barnyard2 if missing + if (!is_dir("{$snortlogdir}/barnyard2")) + safe_mkdir("{$snortlogdir}/barnyard2"); + if (!is_dir("{$snortlogdir}/barnyard2/archive")) + safe_mkdir("{$snortlogdir}/barnyard2/archive"); + + // Create the barnyard2 waldo file if missing + if (!file_exists("{$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { + @touch("{$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo"); + mwexec("/bin/chmod 770 {$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); + } + + // If there is no gen-msg.map file present, create an + // empty one so Barnyard2 will at least start. + if (!file_exists("{$snortcfgdir}/gen-msg.map")) + @file_put_contents("{$snortcfgdir}/gen-msg.map", ""); + + $snortbarnyard_hostname_info = php_uname("n"); + + // Set general config parameters + $gen_configs = "config quiet\nconfig daemon\nconfig decode_data_link\nconfig alert_with_interface_name\nconfig event_cache_size: 8192"; + if ($snortcfg['barnyard_show_year'] == 'on') + $gen_configs .= "\nconfig show_year"; + if ($snortcfg['barnyard_obfuscate_ip'] == 'on') + $gen_configs .= "\nconfig obfuscate"; + if ($snortcfg['barnyard_dump_payload'] == 'on') + $gen_configs .= "\nconfig dump_payload"; + if ($snortcfg['barnyard_archive_enable'] == 'on') + $gen_configs .= "\nconfig archivedir: {$snortlogdir}/barnyard2/archive"; + + // Set output plugins + $snortbarnyardlog_output_plugins = ""; + if ($snortcfg['barnyard_mysql_enable'] == 'on') { + $by2_dbpwd = base64_decode($snortcfg['barnyard_dbpwd']); + $snortbarnyardlog_output_plugins .= "# database: log to a MySQL DB\noutput database: log, mysql, "; + if (isset($snortcfg['barnyard_sensor_name']) && strlen($snortcfg['barnyard_sensor_name']) > 0) + $snortbarnyardlog_output_plugins .= "sensor_name={$snortcfg['barnyard_sensor_name']}, "; + $snortbarnyardlog_output_plugins .= "user={$snortcfg['barnyard_dbuser']} password={$by2_dbpwd} "; + $snortbarnyardlog_output_plugins .= "dbname={$snortcfg['barnyard_dbname']} host={$snortcfg['barnyard_dbhost']}\n\n"; + } + if ($snortcfg['barnyard_syslog_enable'] == 'on') { + $snortbarnyardlog_output_plugins .= "# syslog_full: log to a syslog receiver\noutput alert_syslog_full: "; + if (isset($snortcfg['barnyard_sensor_name']) && strlen($snortcfg['barnyard_sensor_name']) > 0) + $snortbarnyardlog_output_plugins .= "sensor_name {$snortcfg['barnyard_sensor_name']}, "; + else + $snortbarnyardlog_output_plugins .= "sensor_name {$snortbarnyard_hostname_info}, "; + if ($snortcfg['barnyard_syslog_local'] == 'on') + $snortbarnyardlog_output_plugins .= "local, log_facility LOG_AUTH, log_priority LOG_INFO\n\n"; + else { + $snortbarnyardlog_output_plugins .= "server {$snortcfg['barnyard_syslog_rhost']}, protocol {$snortcfg['barnyard_syslog_proto']}, "; + $snortbarnyardlog_output_plugins .= "port {$snortcfg['barnyard_syslog_dport']}, operation_mode {$snortcfg['barnyard_syslog_opmode']}, "; + $snortbarnyardlog_output_plugins .= "log_facility {$snortcfg['barnyard_syslog_facility']}, log_priority {$snortcfg['barnyard_syslog_priority']}\n\n"; + } + } + if ($snortcfg['barnyard_bro_ids_enable'] == 'on') { + $snortbarnyardlog_output_plugins .= "# alert_bro: log to a Bro-IDS receiver\n"; + $snortbarnyardlog_output_plugins .= "output alert_bro: {$snortcfg['barnyard_bro_ids_rhost']}:{$snortcfg['barnyard_bro_ids_dport']}\n"; + } - /* TODO: add support for the other 5 output plugins */ - $snortbarnyardlog_database_info_chk = $snortcfg['barnyard_mysql']; - $snortbarnyardlog_hostname_info_chk = php_uname("n"); - /* user add arguments */ + // Trim leading and trailing newlines and spaces + $snortbarnyardlog_output_plugins = rtrim($snortbarnyardlog_output_plugins, "\n"); + + // User pass-through arguments $snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['barnconfigpassthru'])); + // Create the conf file as a text string $barnyard2_conf_text = <<<EOD -# barnyard2.conf +# barnyard2.conf # barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php # -# set the appropriate paths to the file(s) your Snort process is using - -config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config -config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config -config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map -config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map -config hostname: $snortbarnyardlog_hostname_info_chk -config interface: {$if_real} -config decode_data_link -config waldo_file: /var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo - -# Show year in timestamps -config show_year +## General Barnyard2 settings ## +{$gen_configs} +config reference_file: {$snortcfgdir}/reference.config +config classification_file: {$snortcfgdir}/classification.config +config sid_file: {$snortcfgdir}/sid-msg.map +config gen_file: {$snortcfgdir}/gen-msg.map +config hostname: {$snortbarnyard_hostname_info} +config interface: {$if_real} +config waldo_file: {$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo +config logdir: {$snortlogdir} ## START user pass through ## - - {$snortbarnyardlog_config_pass_thru} - +{$snortbarnyardlog_config_pass_thru} ## END user pass through ## -# Step 2: setup the input plugins +## Setup input plugins ## input unified2 -config logdir: /var/log/snort/snort_{$if_real}{$snort_uuid} - -# database: log to a variety of databases -# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx - - $snortbarnyardlog_database_info_chk +## Setup output plugins ## +{$snortbarnyardlog_output_plugins} EOD; - return $barnyard2_conf_text; + /* Write out barnyard2_conf text string to disk */ + @file_put_contents("{$snortcfgdir}/barnyard2.conf", $barnyard2_conf_text); + unset($barnyard2_conf_text); } function snort_deinstall() { @@ -2103,6 +2058,7 @@ function snort_deinstall() { $snortlogdir = SNORTLOGDIR; $rcdir = RCFILEPREFIX; $snort_rules_upd_log = RULES_UPD_LOGFILE; + $iprep_path = IPREP_PATH; log_error(gettext("[Snort] Snort package uninstall in progress...")); @@ -2115,7 +2071,7 @@ function snort_deinstall() { mwexec('/usr/bin/killall -9 snort', true); sleep(2); // Delete any leftover snort PID files in /var/run - array_map('@unlink', glob("/var/run/snort_*.pid")); + unlink_if_exists("/var/run/snort_*.pid"); /* Make sure all active Barnyard2 processes are terminated */ /* Log a message only if a running process is detected */ @@ -2126,38 +2082,48 @@ function snort_deinstall() { mwexec('/usr/bin/killall -9 barnyard2', true); sleep(2); // Delete any leftover barnyard2 PID files in /var/run - array_map('@unlink', glob("/var/run/barnyard2_*.pid")); + unlink_if_exists("/var/run/barnyard2_*.pid"); /* Remove the snort user and group */ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); - /* Remove snort cron entries Ugly code needs smoothness */ - if (!function_exists('snort_deinstall_cron')) { - function snort_deinstall_cron($crontask) { - global $config, $g; - - if(!is_array($config['cron']['item'])) - return; + /* Remove all the Snort cron jobs. */ + install_cron_job("snort2c", false); + install_cron_job("snort_check_for_rule_updates.php", false); + install_cron_job("snort_check_cron_misc.inc", false); + configure_cron(); - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], $crontask)) { - $is_installed = true; - break; + /* Remove our associated Dashboard widget config. If */ + /* "save settings" is enabled, then save old widget */ + /* container settings so we can restore them later. */ + $widgets = $config['widgets']['sequence']; + if (!empty($widgets)) { + $widgetlist = explode(",", $widgets); + foreach ($widgetlist as $key => $widget) { + if (strstr($widget, "snort_alerts-container")) { + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { + $config['installedpackages']['snortglobal']['dashboard_widget'] = $widget; } - $x++; + unset($widgetlist[$key]); + break; } - if ($is_installed == true) - unset($config['cron']['item'][$x]); } + $config['widgets']['sequence'] = implode(",", $widgetlist); + write_config(); } - /* Remove all the Snort cron jobs. */ - snort_deinstall_cron("snort2c"); - snort_deinstall_cron("snort_check_for_rule_updates.php"); - snort_deinstall_cron("snort_check_cron_misc.inc"); - configure_cron(); + /* See if we are to clear blocked hosts on uninstall */ + if ($config['installedpackages']['snortglobal']['clearblocks'] == 'on') { + log_error(gettext("[Snort] Removing all blocked hosts from <snort2c> table...")); + mwexec("/sbin/pfctl -t snort2c -T flush"); + } + + /* See if we are to clear Snort log files on uninstall */ + if ($config['installedpackages']['snortglobal']['clearlogs'] == 'on') { + log_error(gettext("[Snort] Clearing all Snort-related log files...")); + unlink_if_exists("{$snort_rules_upd_log}"); + mwexec("/bin/rm -rf {$snortlogdir}"); + } /**********************************************************/ /* Test for existence of library backup tarballs in /tmp. */ @@ -2186,8 +2152,11 @@ function snort_deinstall() { log_error(gettext("Not saving settings... all Snort configuration info and logs deleted...")); unset($config['installedpackages']['snortglobal']); unset($config['installedpackages']['snortsync']); - @unlink("{$snort_rules_upd_log}"); + unlink_if_exists("{$snort_rules_upd_log}"); + log_error(gettext("[Snort] Flushing <snort2c> firewall table to remove addresses blocked by Snort...")); + mwexec("/sbin/pfctl -t snort2c -T flush"); mwexec("/bin/rm -rf {$snortlogdir}"); + mwexec("/bin/rm -rf {$iprep_path}"); log_error(gettext("[Snort] The package has been removed from this system...")); } } @@ -2220,7 +2189,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { return; /* Log a message for rules rebuild in progress */ - log_error(gettext("[Snort] Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + log_error(gettext("[Snort] Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . " ...")); /* Enable all, some or none of the SDF rules depending on setting. */ if ($snortcfg['sensitive_data'] == 'on' && $snortcfg['protect_preproc_rules'] != 'on') { @@ -2280,6 +2249,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_rules[$k1][$k2]['rule'] = $v['rule']; $enabled_rules[$k1][$k2]['category'] = $v['category']; $enabled_rules[$k1][$k2]['disabled'] = $v['disabled']; + $enabled_rules[$k1][$k2]['action'] = $v['action']; $enabled_rules[$k1][$k2]['flowbits'] = $v['flowbits']; } } @@ -2302,6 +2272,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_rules[$k1][$k2]['rule'] = $p['rule']; $enabled_rules[$k1][$k2]['category'] = $p['category']; $enabled_rules[$k1][$k2]['disabled'] = $p['disabled']; + $enabled_rules[$k1][$k2]['action'] = $p['action']; $enabled_rules[$k1][$k2]['flowbits'] = $p['flowbits']; } } @@ -2314,7 +2285,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Check for and disable any rules dependent upon disabled preprocessors if */ /* this option is enabled for the interface. */ if ($snortcfg['preproc_auto_rule_disable'] == "on") { - log_error('[Snort] Checking for rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + log_error('[Snort] Checking for rules dependent on disabled preprocessors for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...'); snort_filter_preproc_rules($snortcfg, $enabled_rules); } @@ -2323,7 +2294,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */ if ($snortcfg['autoflowbitrules'] == 'on') { - log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + log_error('[Snort] Enabling any flowbit-required rules for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...'); $fbits = snort_resolve_flowbits($all_rules, $enabled_rules); /* Check for and disable any flowbit-required rules the user has */ @@ -2333,7 +2304,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Check for and disable any flowbit-required rules dependent upon */ /* disabled preprocessors if this option is enabled for the interface. */ if ($snortcfg['preproc_auto_rule_disable'] == "on") { - log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...'); snort_filter_preproc_rules($snortcfg, $fbits, true); } snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}"); @@ -2356,11 +2327,11 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Log a warning if the interface has no rules defined or enabled */ if ($no_rules_defined) - log_error(gettext("[Snort] Warning - no text rules or IPS-Policy selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + log_error(gettext("[Snort] Warning - no text rules or IPS-Policy selected for: " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . " ...")); /* Build a new sid-msg.map file from the enabled */ /* rules and copy it to the interface directory. */ - log_error(gettext("[Snort] Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "...")); + log_error(gettext("[Snort] Building new sig-msg.map file for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "...")); snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map"); } @@ -2485,7 +2456,7 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa /* when flowbit-required rules are being assessed after the */ /* primary enforcing rules have been evaluated. */ /***************************************************************/ - $iface = snort_get_friendly_interface($snortcfg['interface']); + $iface = convert_friendly_interface_to_friendly_descr($snortcfg['interface']); $file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; if ($persist_log) $fp = fopen($file, 'a'); @@ -2551,7 +2522,7 @@ function snort_generate_conf($snortcfg) { else $protect_preproc_rules = "off"; - $if_real = snort_get_real_interface($snortcfg['interface']); + $if_real = get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; @@ -2611,8 +2582,18 @@ function snort_generate_conf($snortcfg) { /* define snortunifiedlog */ $snortunifiedlog_type = ""; - if ($snortcfg['snortunifiedlog'] == "on") - $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; + if ($snortcfg['barnyard_enable'] == "on") { + if (isset($snortcfg['unified2_log_limit'])) + $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; + else + $u2_log_limit = "limit 128"; + + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; + if ($snortcfg['barnyard_log_vlan_events'] == 'on') + $snortunifiedlog_type .= ", vlan_event_types"; + if ($snortcfg['barnyard_log_mpls_events'] == 'on') + $snortunifiedlog_type .= ", mpls_event_types"; + } /* define spoink */ $spoink_type = ""; @@ -2621,7 +2602,7 @@ function snort_generate_conf($snortcfg) { if ($snortcfg['blockoffenderskill'] == "on") $pfkill = "kill"; $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); - /* write whitelist */ + /* write Pass List */ @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; } @@ -3170,6 +3151,49 @@ preprocessor sensitive_data: \ EOD; + /* define IP Reputation preprocessor */ + if (is_array($snortcfg['blist_files']['item'])) { + $blist_files = ""; + $bIsFirst = TRUE; + foreach ($snortcfg['blist_files']['item'] as $blist) { + if ($bIsFirst) { + $blist_files .= "blacklist " . IPREP_PATH . $blist; + $bIsFirst = FALSE; + } + else + $blist_files .= ", \\ \n\tblacklist " . IPREP_PATH . $blist; + } + } + if (is_array($snortcfg['wlist_files']['item'])) { + $wlist_files = ""; + $bIsFirst = TRUE; + foreach ($snortcfg['wlist_files']['item'] as $wlist) { + if ($bIsFirst) { + $wlist_files .= "whitelist " . IPREP_PATH . $wlist; + $bIsFirst = FALSE; + } + else + $wlist_files .= ", \\ \n\twhitelist " . IPREP_PATH . $wlist; + } + } + if (!empty($blist_files)) + $ip_lists = $blist_files; + if (!empty($wlist_files)) + $ip_lists .= ", \\ \n" . $wlist_files; + if ($snortcfg['iprep_scan_local'] == 'on') + $ip_lists .= ", \\ \n\tscan_local"; + + $reputation_preproc = <<<EOD +# IP Reputation preprocessor # +preprocessor reputation: \ + memcap {$snortcfg['iprep_memcap']}, \ + priority {$snortcfg['iprep_priority']}, \ + nested_ip {$snortcfg['iprep_nested_ip']}, \ + white {$snortcfg['iprep_white']}, \ + {$ip_lists} + +EOD; + /* define servers as IP variables */ $snort_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", @@ -3200,11 +3224,11 @@ EOD; "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", - "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", + "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc" ); $default_disabled_preprocs = array( - "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc" + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat" ); $snort_preprocessors = ""; foreach ($snort_preproc as $preproc) { @@ -3754,14 +3778,7 @@ output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,src EOD; // Write out snort.conf file - $conf = fopen("{$snortcfgdir}/snort.conf", "w"); - if(!$conf) { - log_error("Could not open {$snortcfgdir}/snort.conf for writing."); - conf_mount_ro(); - return -1; - } - fwrite($conf, $snort_conf_text); - fclose($conf); + file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text); conf_mount_ro(); unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); unset($home_net, $external_net, $ipvardef, $portvardef); diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index 2457b573..7acf95c3 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -5,6 +5,7 @@ * * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. * Copyright (C) 2008-2009 Robert Zelaya. + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -34,9 +35,11 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g, $rebuild_rules; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + if (is_null($id)) { header("Location: /snort/snort_interfaces.php"); exit; @@ -47,63 +50,150 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) $a_nat = &$config['installedpackages']['snortglobal']['rule']; $pconfig = array(); + +// The keys in the $retentions array are the retention period +// converted to hours. +$retentions = array( '0' => gettext('KEEP ALL'), '24' => gettext('1 DAY'), '168' => gettext('7 DAYS'), '336' => gettext('14 DAYS'), + '720' => gettext('30 DAYS'), '1080' => gettext("45 DAYS"), '2160' => gettext('90 DAYS'), '4320' => gettext('180 DAYS'), + '8766' => gettext('1 YEAR'), '26298' => gettext("3 YEARS") ); + +$log_sizes = array( '0' => gettext('NO LIMIT'), '8' => gettext('8 MB'), '16' => gettext('16 MB'), '32' => gettext('32 MB'), + '64' => gettext('64 MB'), '128' => gettext('128 MB'), '256' => gettext('256 MB') ); + if (isset($id) && $a_nat[$id]) { - /* old options */ $pconfig = $a_nat[$id]; if (!empty($a_nat[$id]['barnconfigpassthru'])) $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); + if (!empty($a_nat[$id]['barnyard_dbpwd'])) + $pconfig['barnyard_dbpwd'] = base64_decode($a_nat[$id]['barnyard_dbpwd']); + if (empty($a_nat[$id]['barnyard_show_year'])) + $pconfig['barnyard_show_year'] = "on"; + if (empty($a_nat[$id]['unified2_log_limit'])) + $pconfig['unified2_log_limit'] = "32"; + if (empty($a_nat[$id]['barnyard_archive_enable'])) + $pconfig['barnyard_archive_enable'] = "on"; + if (empty($a_nat[$id]['u2_archived_log_retention'])) + $pconfig['u2_archived_log_retention'] = "168"; + if (empty($a_nat[$id]['barnyard_obfuscate_ip'])) + $pconfig['barnyard_obfuscate_ip'] = "off"; + if (empty($a_nat[$id]['barnyard_syslog_dport'])) + $pconfig['barnyard_syslog_dport'] = "514"; + if (empty($a_nat[$id]['barnyard_syslog_proto'])) + $pconfig['barnyard_syslog_proto'] = "udp"; + if (empty($a_nat[$id]['barnyard_syslog_opmode'])) + $pconfig['barnyard_syslog_opmode'] = "default"; + if (empty($a_nat[$id]['barnyard_syslog_facility'])) + $pconfig['barnyard_syslog_facility'] = "LOG_USER"; + if (empty($a_nat[$id]['barnyard_syslog_priority'])) + $pconfig['barnyard_syslog_priority'] = "LOG_INFO"; + if (empty($a_nat[$id]['barnyard_bro_ids_dport'])) + $pconfig['barnyard_bro_ids_dport'] = "47760"; } -if (isset($_GET['dup'])) - unset($id); +if ($_POST['save']) { + // Check that at least one output plugin is enabled + if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on' && + $_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on") + $input_errors[] = gettext("You must enable at least one output option when using Barnyard2."); -if ($_POST) { + // Validate inputs if MySQL database loggging enabled + if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { + if (empty($_POST['barnyard_dbhost'])) + $input_errors[] = gettext("Please provide a valid hostname or IP address for the MySQL database host."); + if (empty($_POST['barnyard_dbname'])) + $input_errors[] = gettext("You must provide a DB instance name when logging to a MySQL database."); + if (empty($_POST['barnyard_dbuser'])) + $input_errors[] = gettext("You must provide a DB user login name when logging to a MySQL database."); + } + + // Validate inputs if syslog output enabled + if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { + if ($_POST['barnyard_log_vlan_events'] == 'on' || $_POST['barnyard_log_mpls_events'] == 'on') + $input_errors[] = gettext("Logging of VLAN or MPLS events is not compatible with syslog output. You must disable VLAN and MPLS event type logging when using the syslog output option."); + } + if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_syslog_local'] <> 'on' && + $_POST['barnyard_enable'] == "on") { + if (empty($_POST['barnyard_syslog_dport']) || !is_numeric($_POST['barnyard_syslog_dport'])) + $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Syslog Remote Port."); + if (empty($_POST['barnyard_syslog_rhost'])) + $input_errors[] = gettext("Please provide a valid hostname or IP address for the Syslog Remote Host."); + } - foreach ($a_nat as $natent) { - if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) - continue; - if ($natent['interface'] != $_POST['interface']) - $input_error[] = "This interface has already an instance defined"; + // Validate inputs if Bro-IDS output enabled + if ($_POST['barnyard_bro_ids_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { + if (empty($_POST['barnyard_bro_ids_dport']) || !is_numeric($_POST['barnyard_bro_ids_dport'])) + $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Bro-IDS Remote Port."); + if (empty($_POST['barnyard_bro_ids_rhost'])) + $input_errors[] = gettext("Please provide a valid hostname or IP address for the Bro-IDS Remote Host."); } - /* if no errors write to conf */ + // if no errors write to conf if (!$input_errors) { $natent = array(); /* repost the options already in conf */ $natent = $pconfig; $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? 'on' : 'off'; - if ($_POST['barnyard_mysql']) $natent['barnyard_mysql'] = $_POST['barnyard_mysql']; else unset($natent['barnyard_mysql']); + $natent['barnyard_show_year'] = $_POST['barnyard_show_year'] ? 'on' : 'off'; + $natent['barnyard_archive_enable'] = $_POST['barnyard_archive_enable'] ? 'on' : 'off'; + $natent['barnyard_dump_payload'] = $_POST['barnyard_dump_payload'] ? 'on' : 'off'; + $natent['barnyard_obfuscate_ip'] = $_POST['barnyard_obfuscate_ip'] ? 'on' : 'off'; + $natent['barnyard_log_vlan_events'] = $_POST['barnyard_log_vlan_events'] ? 'on' : 'off'; + $natent['barnyard_log_mpls_events'] = $_POST['barnyard_log_mpls_events'] ? 'on' : 'off'; + $natent['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable'] ? 'on' : 'off'; + $natent['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable'] ? 'on' : 'off'; + $natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off'; + $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off'; + $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; + $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; + + if ($_POST['unified2_log_limit']) $natent['unified2_log_limit'] = $_POST['unified2_log_limit']; else unset($natent['unified2_log_limit']); + if ($_POST['u2_archived_log_retention']) $natent['u2_archived_log_retention'] = $_POST['u2_archived_log_retention']; else unset($natent['u2_archived_log_retention']); + if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']); + if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']); + if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']); + if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']); + if ($_POST['barnyard_dbpwd']) $natent['barnyard_dbpwd'] = base64_encode($_POST['barnyard_dbpwd']); else unset($natent['barnyard_dbpwd']); + if ($_POST['barnyard_syslog_rhost']) $natent['barnyard_syslog_rhost'] = $_POST['barnyard_syslog_rhost']; else unset($natent['barnyard_syslog_rhost']); + if ($_POST['barnyard_syslog_dport']) $natent['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport']; else $natent['barnyard_syslog_dport'] = '514'; + if ($_POST['barnyard_syslog_facility']) $natent['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility']; else $natent['barnyard_syslog_facility'] = 'LOG_USER'; + if ($_POST['barnyard_syslog_priority']) $natent['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; else $natent['barnyard_syslog_priority'] = 'LOG_INFO'; + if ($_POST['barnyard_bro_ids_rhost']) $natent['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; else unset($natent['barnyard_bro_ids_rhost']); + if ($_POST['barnyard_bro_ids_dport']) $natent['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; else $natent['barnyard_bro_ids_dport'] = '47760'; if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']); else unset($natent['barnconfigpassthru']); - if ($_POST['barnyard_enable'] == "on") - $natent['snortunifiedlog'] = 'on'; - else - $natent['snortunifiedlog'] = 'off'; - - if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; - else { - $a_nat[] = $natent; - } + $a_nat[$id] = $natent; write_config(); - /* No need to rebuild rules if just toggling Barnyard2 on or off */ + // No need to rebuild rules for Barnyard2 changes $rebuild_rules = false; sync_snort_package_config(); - /* after click go to this page */ - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: snort_barnyard.php?id=$id"); - exit; + // If disabling Barnyard2 on the interface, stop any + // currently running instance. If an instance is + // running, signal it to reload the configuration. + // If Barnyard2 is enabled but not running, notify the + // user to restart Snort to enable Unified2 output. + if ($a_nat[$id]['barnyard_enable'] == "off") { + snort_barnyard_stop($a_nat[$id], get_real_interface($a_nat[$id]['interface'])); + } + elseif ($a_nat[$id]['barnyard_enable'] == "on") { + if (snort_is_running($a_nat[$id]['uuid'], get_real_interface($a_nat[$id]['interface']), "barnyard2")) + snort_barnyard_reload_config($a_nat[$id], "HUP"); + else { + // Notify user a Snort restart is required if enabling Barnyard2 for the first time + $savemsg = gettext("NOTE: you must restart Snort on this interface to activate unified2 logging for Barnyard2."); + } + } + $pconfig = $natent; + } + else { + // We had errors, so save previous field data to prevent retyping + $pconfig = $_POST; } } -$if_friendly = snort_get_friendly_interface($pconfig['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - Barnyard2 Settings"); include_once("head.inc"); @@ -111,21 +201,6 @@ include_once("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> -<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> - -<script language="JavaScript"> -<!-- - -function enable_change(enable_change) { - endis = !(document.iform.barnyard_enable.checked || enable_change); - // make shure a default answer is called if this is envoked. - endis2 = (document.iform.barnyard_enable); - - document.iform.barnyard_mysql.disabled = endis; - document.iform.barnconfigpassthru.disabled = endis; -} -//--> -</script> <?php @@ -138,10 +213,10 @@ function enable_change(enable_change) { print_info_box($savemsg); } - ?> +?> -<form action="snort_barnyard.php" method="post" - enctype="multipart/form-data" name="iform" id="iform"> +<form action="snort_barnyard.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id;?>" /> </td> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php @@ -149,23 +224,25 @@ function enable_change(enable_change) { $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); echo '</td></tr>'; echo '<tr><td>'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); - $tab_array = array(); - $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr> @@ -178,46 +255,274 @@ function enable_change(enable_change) { <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Enable"); ?></td> <td width="78%" class="vtable"> - <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)"> + <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)"/> <strong><?php echo gettext("Enable Barnyard2"); ?></strong><br/> - <?php echo gettext("This will enable barnyard2 for this interface. You will also have to set the database credentials."); ?></td> + <?php echo gettext("This will enable barnyard2 for this interface. You will also to enable at least one logging destination below."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Show Year"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_show_year" type="checkbox" value="on" <?php if ($pconfig['barnyard_show_year'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable the year being shown in timestamps. Default value is ") . "<strong>" . gettext("Checked") . "</strong>"; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Unified2 Log Limit"); ?></td> + <td width="78%" class="vtable"><select name="unified2_log_limit" class="formselect" id="unified2_log_limit"> + <?php foreach ($log_sizes as $k => $p): ?> + <option value="<?=$k;?>" + <?php if ($k == $pconfig['unified2_log_limit']) echo "selected"; ?>> + <?=htmlspecialchars($p);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose a Unified2 Log file size limit in megabytes (MB). Default is "); ?><strong><?=gettext("32 MB.");?></strong><br/><br/> + <?php echo gettext("This sets the maximum size for a Unified2 Log file before it is rotated and a new one created."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Archive Unified2 Logs"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_archive_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_archive_enable'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable the archiving of processed unified2 log files. Default value is ") . "<strong>" . gettext("Checked") . "</strong>"; ?><br/> + <?php echo gettext("Unified2 log files will be moved to an archive folder for subsequent cleanup when processed."); ?> + </td> + </tr> + <tr> + <td class="vncell" width="22%" valign="top"><?=gettext("Unified2 Archived Log Retention Period");?></td> + <td width="78%" class="vtable"><select name="u2_archived_log_retention" class="formselect" id="u2_archived_log_retention"> + <?php foreach ($retentions as $k => $p): ?> + <option value="<?=$k;?>" + <?php if ($k == $pconfig['u2_archived_log_retention']) echo "selected"; ?>> + <?=htmlspecialchars($p);?></option> + <?php endforeach; ?> + </select> <?=gettext("Choose retention period for archived Barnyard2 binary log files. Default is ") . "<strong>" . gettext("7 days."). "</strong>";?><br/><br/> + <?=gettext("When Barnyard2 output is enabled, Snort writes event data to a binary format file that Barnyard2 reads and processes. ") . + gettext("When finished processing a file, Barnyard2 moves it to an archive folder. This setting determines how long files ") . + gettext("remain in the archive folder before they are automatically deleted.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Dump Payload"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_dump_payload" type="checkbox" value="on" <?php if ($pconfig['barnyard_dump_payload'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable dumping of application data from unified2 files. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Obfuscate IP Addresses"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_obfuscate_ip" type="checkbox" value="on" <?php if ($pconfig['barnyard_obfuscate_ip'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable obfuscation of logged IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?> + </td> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log VLAN Events"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_log_vlan_events" type="checkbox" value="on" <?php if ($pconfig['barnyard_log_vlan_events'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable logging of VLAN event types in unified2 files. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log MPLS Events"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_log_mpls_events" type="checkbox" value="on" <?php if ($pconfig['barnyard_log_mpls_events'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable logging of MPLS event types in unified2 files. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensor Name"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_sensor_name" type="text" class="formfld unknown" + id="barnyard_sensor_name" size="25" value="<?=htmlspecialchars($pconfig['barnyard_sensor_name']);?>"/> + <?php echo gettext("Unique name for this sensor. Leave blank to use internal default."); ?> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Settings"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable MySQL Database"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_mysql_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_mysql_enable'] == "on") echo "checked"; ?> + onClick="toggle_mySQL()"/><?php echo gettext("Enable logging of alerts to a MySQL database instance"); ?><br/> + <?php echo gettext("You will also have to provide the database credentials in the fields below."); ?></td> + </tr> + <tbody id="mysql_config_rows"> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Database Host"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_dbhost" type="text" class="formfld host" + id="barnyard_dbhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbhost']);?>"/> + <?php echo gettext("Hostname or IP address of the MySQL database server"); ?> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td> - <td width="78%" class="vtable"><input name="barnyard_mysql" - type="text" class="formfld unknown" id="barnyard_mysql" style="width:95%;" size="85" - value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br/> - <span class="vexpl"><?php echo gettext("Example: output database: alert, mysql, " . - "dbname=snort user=snort host=localhost password=xyz"); ?><br/> - <?php echo gettext("Example: output database: log, mysql, dbname=snort user=snort " . - "host=localhost password=xyz"); ?></span></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Database Name"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_dbname" type="text" class="formfld unknown" + id="barnyard_dbname" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbname']);?>"/> + <?php echo gettext("Instance or DB name of the MySQL database"); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Database User Name"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_dbuser" type="text" class="formfld user" + id="barnyard_dbuser" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbuser']);?>"/> + <?php echo gettext("Username for the MySQL database"); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Database User Password"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_dbpwd" type="password" class="formfld pwd" + id="barnyard_dbpwd" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbpwd']);?>"/> + <?php echo gettext("Password for the MySQL database user"); ?> + </td> </tr> + </tbody> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Syslog Output Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Syslog"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_syslog_enable'] == "on") echo "checked"; ?> + onClick="toggle_syslog()"/> + <?php echo gettext("Enable logging of alerts to a syslog receiver"); ?><br/> + <?php echo gettext("This will send alert data to either a local or remote syslog receiver."); ?></td> + </tr> + <tbody id="syslog_config_rows"> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Operation Mode"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_opmode" type="radio" id="barnyard_syslog_opmode_default" + value="default" <?php if ($pconfig['barnyard_syslog_opmode'] == 'default') echo "checked";?>/> + <?php echo gettext("DEFAULT"); ?> <input name="barnyard_syslog_opmode" type="radio" id="barnyard_syslog_opmode_complete" + value="complete" <?php if ($pconfig['barnyard_syslog_opmode'] == 'complete') echo "checked";?>/> + <?php echo gettext("COMPLETE"); ?> + <?php echo gettext("Select the level of detail to include when reporting"); ?><br/><br/> + <?php echo gettext("DEFAULT mode is compatible with the standard Snort syslog format. COMPLETE mode includes additional information such as the raw packet data (displayed in hex format)."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Local Only"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_local" type="checkbox" value="on" <?php if ($pconfig['barnyard_syslog_local'] == "on") echo "checked"; ?> + onClick="toggle_local_syslog()"/> + <?php echo gettext("Enable logging of alerts to the local system only"); ?><br/> + <?php echo gettext("This will send alert data to the local system only and overrides the host, port, protocol, facility and priority values below."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Host"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_rhost" type="text" class="formfld host" + id="barnyard_syslog_rhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_syslog_rhost']);?>"/> + <?php echo gettext("Hostname or IP address of remote syslog host"); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Port"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_dport" type="text" class="formfld unknown" + id="barnyard_syslog_dport" size="25" value="<?=htmlspecialchars($pconfig['barnyard_syslog_dport']);?>"/> + <?php echo gettext("Port number for syslog on remote host. Default is ") . "<strong>" . gettext("514") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_proto" type="radio" id="barnyard_syslog_proto_udp" + value="udp" <?php if ($pconfig['barnyard_syslog_proto'] == 'udp') echo "checked";?>/> + <?php echo gettext("UDP"); ?> <input name="barnyard_syslog_proto" type="radio" id="barnyard_syslog_proto_tcp" + value="tcp" <?php if ($pconfig['barnyard_syslog_proto'] == 'tcp') echo "checked";?>/> + <?php echo gettext("TCP"); ?> + <?php echo gettext("Select IP protocol to use for remote reporting. Default is ") . "<strong>" . gettext("UDP") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Facility"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_syslog_facility" id="barnyard_syslog_facility" class="formselect"> + <?php + $log_facility = array( "LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_KERN", "LOG_SYSLOG", "LOG_USER", "LOG_LOCAL1", + "LOG_LOCAL2", "LOG_LOCAL3", "LOG_LOCAL4", "LOG_LOCAL5", "LOG_LOCAL6", "LOG_LOCAL7" ); + foreach ($log_facility as $facility) { + $selected = ""; + if ($facility == $pconfig['barnyard_syslog_facility']) + $selected = " selected"; + echo "<option value='{$facility}'{$selected}>" . $facility . "</option>\n"; + } + ?></select> + <?php echo gettext("Select Syslog Facility to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_USER") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Priority"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_syslog_priority" id="barnyard_syslog_priority" class="formselect"> + <?php + $log_priority = array( "LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR", "LOG_WARNING", "LOG_NOTICE", "LOG_INFO" ); + foreach ($log_priority as $priority) { + $selected = ""; + if ($priority == $pconfig['barnyard_syslog_priority']) + $selected = " selected"; + echo "<option value='{$priority}'{$selected}>" . $priority . "</option>\n"; + } + ?></select> + <?php echo gettext("Select Syslog Priority (Level) to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_INFO") . "</strong>."; ?> + </td> + </tr> + </tbody> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Bro-IDS Output Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Bro-IDS"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_bro_ids_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_bro_ids_enable'] == "on") echo "checked"; ?> + onClick="toggle_bro_ids()"/> + <?php echo gettext("Enable logging of alerts to a Bro-IDS receiver"); ?><br/> + <?php echo gettext("This will send alert data to either a local or remote Bro-IDS receiver."); ?></td> + </tr> + <tbody id="bro_ids_config_rows"> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Host"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_bro_ids_rhost" type="text" class="formfld host" + id="barnyard_bro_ids_rhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_rhost']);?>"/> + <?php echo gettext("Hostname or IP address of remote Bro-IDS host"); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Port"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_bro_ids_dport" type="text" class="formfld unknown" + id="barnyard_bro_ids_dport" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_dport']);?>"/> + <?php echo gettext("Port number for Bro-IDS instance on remote host. Default is ") . "<strong>" . gettext("47760") . "</strong>."; ?> + </td> + </tr> + </tbody> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Advanced Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Advanced configuration " . - "pass through"); ?></td> + "pass-through"); ?></td> <td width="78%" class="vtable"><textarea name="barnconfigpassthru" style="width:95%;" cols="65" rows="7" id="barnconfigpassthru" ><?=htmlspecialchars($pconfig['barnconfigpassthru']);?></textarea> <br/> - <?php echo gettext("Arguments here will be automatically inserted into the running " . + <?php echo gettext("Arguments entered here will be automatically inserted into the running " . "barnyard2 configuration."); ?></td> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input name="id" type="hidden" value="<?=$id;?>"> </td> + <input name="save" type="submit" class="formbtn" value="Save" title="<?=gettext("Save Barnyard2 configuration");?>" /> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span></span> <br/> - <?php echo gettext("Please save your settings before you click start."); ?> </td> + <?php echo gettext("Remember to save your settings before you leave this tab."); ?> </td> </tr> </table> </div> @@ -225,10 +530,105 @@ function enable_change(enable_change) { </tr> </table> </form> + <script language="JavaScript"> -<!-- +function toggle_mySQL() { + var endis = !document.iform.barnyard_mysql_enable.checked; + + document.iform.barnyard_dbhost.disabled = endis; + document.iform.barnyard_dbname.disabled = endis; + document.iform.barnyard_dbuser.disabled = endis; + document.iform.barnyard_dbpwd.disabled = endis; + + if (endis) + document.getElementById("mysql_config_rows").style.display = "none"; + else + document.getElementById("mysql_config_rows").style.display = ""; +} + +function toggle_syslog() { + var endis = !document.iform.barnyard_syslog_enable.checked; + + document.iform.barnyard_syslog_opmode_default.disabled = endis; + document.iform.barnyard_syslog_opmode_complete.disabled = endis; + document.iform.barnyard_syslog_local.disabled = endis; + document.iform.barnyard_syslog_rhost.disabled = endis; + document.iform.barnyard_syslog_dport.disabled = endis; + document.iform.barnyard_syslog_proto_udp.disabled = endis; + document.iform.barnyard_syslog_proto_tcp.disabled = endis; + document.iform.barnyard_syslog_facility.disabled = endis; + document.iform.barnyard_syslog_priority.disabled = endis; + + if (endis) + document.getElementById("syslog_config_rows").style.display = "none"; + else + document.getElementById("syslog_config_rows").style.display = ""; +} + +function toggle_local_syslog() { + var endis = document.iform.barnyard_syslog_local.checked; + + if (document.iform.barnyard_syslog_enable.checked) { + document.iform.barnyard_syslog_rhost.disabled = endis; + document.iform.barnyard_syslog_dport.disabled = endis; + document.iform.barnyard_syslog_proto_udp.disabled = endis; + document.iform.barnyard_syslog_proto_tcp.disabled = endis; + document.iform.barnyard_syslog_facility.disabled = endis; + document.iform.barnyard_syslog_priority.disabled = endis; + } +} + +function toggle_bro_ids() { + var endis = !document.iform.barnyard_bro_ids_enable.checked; + + document.iform.barnyard_bro_ids_rhost.disabled = endis; + document.iform.barnyard_bro_ids_dport.disabled = endis; + + if (endis) + document.getElementById("bro_ids_config_rows").style.display = "none"; + else + document.getElementById("bro_ids_config_rows").style.display = ""; +} + +function enable_change(enable_change) { + endis = !(document.iform.barnyard_enable.checked || enable_change); + // make sure a default answer is called if this is invoked. + endis2 = (document.iform.barnyard_enable); + document.iform.unified2_log_limit.disabled = endis; + document.iform.barnyard_archive_enable.disabled = endis; + document.iform.u2_archived_log_retention.disabled = endis; + document.iform.barnyard_show_year.disabled = endis; + document.iform.barnyard_dump_payload.disabled = endis; + document.iform.barnyard_obfuscate_ip.disabled = endis; + document.iform.barnyard_log_vlan_events.disabled = endis; + document.iform.barnyard_log_mpls_events.disabled = endis; + document.iform.barnyard_sensor_name.disabled = endis; + document.iform.barnyard_mysql_enable.disabled = endis; + document.iform.barnyard_dbhost.disabled = endis; + document.iform.barnyard_dbname.disabled = endis; + document.iform.barnyard_dbuser.disabled = endis; + document.iform.barnyard_dbpwd.disabled = endis; + document.iform.barnyard_syslog_enable.disabled = endis; + document.iform.barnyard_syslog_local.disabled = endis; + document.iform.barnyard_syslog_opmode_default.disabled = endis; + document.iform.barnyard_syslog_opmode_complete.disabled = endis; + document.iform.barnyard_syslog_rhost.disabled = endis; + document.iform.barnyard_syslog_dport.disabled = endis; + document.iform.barnyard_syslog_proto_udp.disabled = endis; + document.iform.barnyard_syslog_proto_tcp.disabled = endis; + document.iform.barnyard_syslog_facility.disabled = endis; + document.iform.barnyard_syslog_priority.disabled = endis; + document.iform.barnyard_bro_ids_enable.disabled = endis; + document.iform.barnyard_bro_ids_rhost.disabled = endis; + document.iform.barnyard_bro_ids_dport.disabled = endis; + document.iform.barnconfigpassthru.disabled = endis; +} + enable_change(false); -//--> +toggle_mySQL(); +toggle_syslog(); +toggle_local_syslog(); +toggle_bro_ids(); </script> <?php include("fend.inc"); ?> </body> |