aboutsummaryrefslogtreecommitdiffstats
path: root/config/snort
diff options
context:
space:
mode:
Diffstat (limited to 'config/snort')
-rwxr-xr-xconfig/snort/snort.inc85
-rw-r--r--config/snort/snort.priv.inc1
-rwxr-xr-xconfig/snort/snort.xml9
-rw-r--r--config/snort/snort_check_cron_misc.inc27
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php198
-rw-r--r--config/snort/snort_conf_template.inc3
-rw-r--r--config/snort/snort_defs.inc101
-rwxr-xr-xconfig/snort/snort_download_updates.php77
-rw-r--r--config/snort/snort_generate_conf.php39
-rw-r--r--config/snort/snort_interface_logs.php18
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php6
-rw-r--r--config/snort/snort_interfaces_global.php132
-rw-r--r--config/snort/snort_ip_list_mgmt.php37
-rw-r--r--config/snort/snort_ip_reputation.php14
-rw-r--r--config/snort/snort_log_mgmt.php32
-rw-r--r--config/snort/snort_migrate_config.php76
-rw-r--r--config/snort/snort_post_install.php31
-rwxr-xr-xconfig/snort/snort_preprocessors.php150
-rwxr-xr-xconfig/snort/snort_rules.php9
-rw-r--r--config/snort/snort_sid_mgmt.php11
20 files changed, 743 insertions, 313 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 5c113d27..ed1e64be 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -36,9 +36,8 @@ require_once("config.inc");
require_once("functions.inc");
require_once("service-utils.inc");
require_once("pkg-utils.inc");
-
-// Needed on 2.0 because of filter_get_vpns_list()
require_once("filter.inc");
+require("/usr/local/pkg/snort/snort_defs.inc");
// Snort GUI needs some extra PHP memory space to manipulate large rules arrays
ini_set("memory_limit", "256M");
@@ -48,47 +47,12 @@ global $g, $config, $rebuild_rules, $pfSense_snort_version;
// Grab the Snort binary version programmatically, but if that fails use a safe default
$snortver = array();
-exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
-
-/* Used to indicate latest version of this include file has been loaded */
-$pfSense_snort_version = "3.1.5";
+$snortbindir = SNORT_PBI_BINDIR;
+exec("{$snortbindir}snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
/* get installed package version for display */
$snort_package_version = "Snort {$config['installedpackages']['package'][get_pkg_id("snort")]['version']}";
-// Define SNORTDIR and SNORTLIBDIR constants according to pfSense version
-$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pfs_version >= 2.2) {
- define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/local/etc/snort");
- define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/local/lib/snort");
-}
-else {
- define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/etc/snort");
- define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/lib/snort");
-}
-
-/* Define some useful constants for Snort */
-/* Be sure to include trailing slash on the URL defines */
-define("SNORTLOGDIR", "{$g['varlog_path']}/snort");
-define("SNORT_BIN_VERSION", "2.9.6.2");
-define("SNORT_ET_DNLD_FILENAME", "emerging.rules.tar.gz");
-define("SNORT_ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
-define("SNORT_GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
-define("SNORT_ENFORCING_RULES_FILENAME", "snort.rules");
-define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
-define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/");
-define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
-if (!defined("FLOWBITS_FILENAME"))
- define("FLOWBITS_FILENAME", "flowbit-required.rules");
-if (!defined("VRT_FILE_PREFIX"))
- define("VRT_FILE_PREFIX", "snort_");
-if (!defined("GPL_FILE_PREFIX"))
- define("GPL_FILE_PREFIX", "GPLv2_");
-if (!defined("ET_OPEN_FILE_PREFIX"))
- define("ET_OPEN_FILE_PREFIX", "emerging-");
-if (!defined("ET_PRO_FILE_PREFIX"))
- define("ET_PRO_FILE_PREFIX", "etpro-");
-
/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;
@@ -599,13 +563,14 @@ function snort_barnyard_start($snortcfg, $if_real, $background=FALSE) {
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
$snort_uuid = $snortcfg['uuid'];
+ $snortbindir = SNORT_PBI_BINDIR;
if ($snortcfg['barnyard_enable'] == 'on' && !isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) {
log_error("[Snort] Barnyard2 START for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
if ($background)
- mwexec_bg("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
+ mwexec_bg("{$snortbindir}barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
else
- mwexec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
+ mwexec("{$snortbindir}barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
}
}
@@ -615,13 +580,19 @@ function snort_start($snortcfg, $if_real, $background=FALSE) {
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
$snort_uuid = $snortcfg['uuid'];
+ $snortbindir = SNORT_PBI_BINDIR;
+
+ if ($config['installedpackages']['snortglobal']['verbose_logging'] == "on")
+ $quiet = "";
+ else
+ $quiet = "-q --suppress-config-log";
if ($snortcfg['enable'] == 'on' && !isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
log_error("[Snort] Snort START for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
if ($background)
- mwexec_bg("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ mwexec_bg("{$snortbindir}snort -R {$snort_uuid} -D {$quiet} -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
else
- mwexec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ mwexec("{$snortbindir}snort -R {$snort_uuid} -D {$quiet} -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
snort_barnyard_start($snortcfg, $if_real, $background);
}
}
@@ -2735,11 +2706,12 @@ function snort_load_sid_mods($sids) {
if (preg_match('/(\d+)\s*:\s*(\d+)/', $v, $match)) {
if (!is_array($result[$match[1]]))
$result[$match[1]] = array();
+ if (!is_array($result[$match[1]][$match[2]]))
+ $result[$match[1]][$match[2]] = array();
$result[$match[1]][$match[2]] = "{$match[1]}:{$match[2]}";
}
}
unset($tmp);
-
return $result;
}
@@ -2804,6 +2776,7 @@ function snort_create_rc() {
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
+ $snortbindir = SNORT_PBI_BINDIR;
$rcdir = RCFILEPREFIX;
$snortconf = $config['installedpackages']['snortglobal']['rule'];
@@ -2814,6 +2787,12 @@ function snort_create_rc() {
return;
}
+ // See whether or not to enable detailed startup logging
+ if ($config['installedpackages']['snortglobal']['verbose_logging'] == "on")
+ $quiet = "";
+ else
+ $quiet = "-q --suppress-config-log";
+
// At least one interface is configured, so OK
$start_snort_iface_start = array();
$start_snort_iface_stop = array();
@@ -2837,7 +2816,7 @@ function snort_create_rc() {
fi
if [ -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q > /dev/null 2>&1
+ {$snortbindir}barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q > /dev/null 2>&1
fi
EOE;
$stop_barnyard2 = <<<EOE
@@ -2888,7 +2867,7 @@ EOE;
if [ -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} > /dev/null 2>&1
+ {$snortbindir}snort -R {$snort_uuid} -D {$quiet} -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} > /dev/null 2>&1
fi
{$start_barnyard2}
@@ -3106,7 +3085,7 @@ function snort_deinstall() {
global $config, $g;
$snortdir = SNORTDIR;
- $snortlibdir = SNORTLIBDIR;
+ $snortlibdir = "/usr/pbi/snort-" . php_uname("m") . "/lib";
$snortlogdir = SNORTLOGDIR;
$rcdir = RCFILEPREFIX;
$snort_rules_upd_log = SNORT_RULES_UPD_LOGFILE;
@@ -3205,6 +3184,8 @@ function snort_deinstall() {
rmdir_recursive("/usr/local/www/snort");
rmdir_recursive("/usr/local/etc/snort");
rmdir_recursive("/usr/local/lib/snort");
+ rmdir_recursive("/usr/local/lib/snort_dynamicengine");
+ rmdir_recursive("/usr/local/lib/snort_dynamicpreprocessor");
}
/* Keep this as a last step */
@@ -3518,10 +3499,9 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa
* Format of array is: *
* "rule_option" => "dependent_preprocessor" *
* *
- * Last Update: 04/05/2013 *
+ * Last Update: 10/30/2014 *
* *
- * Added: http_inspect content modifiers and *
- * various "service" metadata values. *
+ * Added: appid: detection option *
* *
***************************************************/
$rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc",
@@ -3544,7 +3524,8 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa
"uricontent:" => "http_inspect", "urilen:" => "http_inspect",
"http_encode;" => "http_inspect", "service http" => "http_inspect",
"service imap" => "imap_preproc", "service pop2" => "pop_preproc",
- "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor");
+ "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor",
+ "appid:" => "appid_preproc" );
/***************************************************
* Iterate the enabled rules, and check for rule *
@@ -3650,7 +3631,7 @@ function snort_generate_conf($snortcfg) {
return;
$snortdir = SNORTDIR;
- $snortlibdir = SNORTLIBDIR;
+ $snortlibdir = SNORT_PBI_BASEDIR . "lib";
$snortlogdir = SNORTLOGDIR;
$flowbit_rules_file = FLOWBITS_FILENAME;
$snort_enforcing_rules_file = SNORT_ENFORCING_RULES_FILENAME;
diff --git a/config/snort/snort.priv.inc b/config/snort/snort.priv.inc
index 1af0e783..928ecb52 100644
--- a/config/snort/snort.priv.inc
+++ b/config/snort/snort.priv.inc
@@ -11,6 +11,7 @@ $priv_list['page-services-snort']['match'][] = "snort/snort_barnyard.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_blocked.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_check_for_rule_updates.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_define_servers.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_defs.inc*";
$priv_list['page-services-snort']['match'][] = "snort/snort_download_rules.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_download_updates.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_edit_hat_data.php*";
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 91d42532..e8f8b5f2 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -46,8 +46,8 @@
<requirements>None</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
- <version>2.9.6.2</version>
- <title>Services:2.9.6.2 pkg v3.1.5</title>
+ <version>2.9.7.0</version>
+ <title>Services:2.9.7.0 pkg v3.2</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
<name>Snort</name>
@@ -129,6 +129,11 @@
<item>https://packages.pfsense.org/packages/config/snort/snort_check_for_rule_updates.php</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>077</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/snort_defs.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/www/snort/</prefix>
<chmod>077</chmod>
<item>https://packages.pfsense.org/packages/config/snort/snort_interfaces.php</item>
diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc
index b39d8d1c..a2688b58 100644
--- a/config/snort/snort_check_cron_misc.inc
+++ b/config/snort/snort_check_cron_misc.inc
@@ -75,16 +75,21 @@ function snort_check_dir_size_limit($snortloglimitsize) {
@file_put_contents("{$snort_log_dir}/alert", "");
}
- // Cleanup any rotated perfmon stats logs
+ // Cleanup any perfmon stats logs
$files = array();
$list = glob("{$snort_log_dir}/*");
foreach ($list as $file) {
- if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.]?[\d+]?)/', basename($file), $matches))
+ if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.\d+]*)/', basename($file), $matches))
$files[] = $snort_log_dir . "/" . $matches[1];
}
foreach ($files as $file)
unlink_if_exists($file);
+ // Cleanup any AppID stats logs
+ $files = glob("{$snort_log_dir}/appid-stats.log.*");
+ foreach ($files as $file)
+ unlink_if_exists($file);
+
// This is needed if snort is run as snort user
mwexec('/bin/chmod 660 {$snort_log_dir}/*', true);
@@ -214,7 +219,7 @@ if ($config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on') {
$files = array();
$list = glob("{$snort_log_dir}/*");
foreach ($list as $file) {
- if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.]?[\d+]?)/', basename($file), $matches))
+ if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.\d+]*)/', basename($file), $matches))
$files[] = $snort_log_dir . "/" . $matches[1];
}
$prune_count = 0;
@@ -228,6 +233,22 @@ if ($config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on') {
if ($prune_count > 0)
log_error(gettext("[Snort] perfmon stats logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/..."));
}
+
+ // Prune any aged-out AppID stats logs if any exist
+ if ($value['appid_stats_log_retention'] > 0) {
+ $now = time();
+ $files = glob("{$snort_log_dir}/app-stats.log.*");
+ $prune_count = 0;
+ foreach ($files as $f) {
+ if (($now - filemtime($f)) > ($value['appid_stats_log_retention'] * 3600)) {
+ $prune_count++;
+ unlink_if_exists($f);
+ }
+ }
+ unset($files);
+ if ($prune_count > 0)
+ log_error(gettext("[Snort] AppID stats logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/..."));
+ }
}
}
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index edf99dc8..3106cb7b 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -32,46 +32,16 @@
require_once("functions.inc");
require_once("service-utils.inc");
-require_once "/usr/local/pkg/snort/snort.inc";
+require_once("/usr/local/pkg/snort/snort.inc");
+require("/usr/local/pkg/snort/snort_defs.inc");
global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules;
-if (!defined("VRT_DNLD_URL"))
- define("VRT_DNLD_URL", "https://www.snort.org/rules/");
-if (!defined("SNORT_BIN_VERSION"))
- define("SNORT_BIN_VERSION", "2.9.6.2");
-if (!defined("ET_VERSION"))
- define("ET_VERSION", "2.9.0");
-if (!defined("ET_BASE_DNLD_URL"))
- define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/");
-if (!defined("ETPRO_BASE_DNLD_URL"))
- define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/");
-if (!defined("SNORT_ET_DNLD_FILENAME"))
- define("SNORT_ET_DNLD_FILENAME", "emerging.rules.tar.gz");
-if (!defined("SNORT_ETPRO_DNLD_FILENAME"))
- define("SNORT_ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
-if (!defined("SNORT_GPLV2_DNLD_FILENAME"))
- define("SNORT_GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
-if (!defined("GPLV2_DNLD_URL"))
- define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/");
-if (!defined("SNORT_RULES_UPD_LOGFILE"))
- define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
-if (!defined("VRT_FILE_PREFIX"))
- define("VRT_FILE_PREFIX", "snort_");
-if (!defined("GPL_FILE_PREFIX"))
- define("GPL_FILE_PREFIX", "GPLv2_");
-if (!defined("ET_OPEN_FILE_PREFIX"))
- define("ET_OPEN_FILE_PREFIX", "emerging-");
-if (!defined("ET_PRO_FILE_PREFIX"))
- define("ET_PRO_FILE_PREFIX", "etpro-");
-if (!defined("SNORT_IPREP_PATH"))
- define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/");
-
$snortdir = SNORTDIR;
-$snortlibdir = SNORTLIBDIR;
+$snortlibdir = "/usr/pbi/snort-" . php_uname("m") . "/lib";
$snortlogdir = SNORTLOGDIR;
$snortiprepdir = SNORT_IPREP_PATH;
-$snort_rules_upd_log = SNORT_RULES_UPD_LOGFILE;
+$snortbindir = SNORT_PBI_BINDIR;
$mounted_rw = FALSE;
/* Save the state of $pkg_interface so we can restore it */
@@ -89,6 +59,7 @@ $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'
$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'on' ? 'on' : 'off';
$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'] == 'on' ? 'on' : 'off';
$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off';
+$openappid_detectors = $config['installedpackages']['snortglobal']['openappid_detectors'] == 'on' ? 'on' : 'off';
/* Working directory for downloaded rules tarballs and extraction */
$tmpfname = "{$g['tmp_path']}/snort_rules_up";
@@ -97,7 +68,7 @@ $tmpfname = "{$g['tmp_path']}/snort_rules_up";
/* the proper Snort VRT rules tarball and md5 filenames. Fallback to a */
/* default in the event we fail. */
$snortver = array();
-exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
+exec("{$snortbindir}snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
// Save the version with decimal delimiters for use in extracting the rules
$snort_version = $snortver[0];
if (empty($snort_version))
@@ -143,6 +114,11 @@ $snort_community_rules_filename = SNORT_GPLV2_DNLD_FILENAME;
$snort_community_rules_filename_md5 = SNORT_GPLV2_DNLD_FILENAME . ".md5";
$snort_community_rules_url = GPLV2_DNLD_URL;
+/* Snort OpenAppID detectors filename and URL */
+$snort_openappid_filename = SNORT_OPENAPPID_DNLD_FILENAME;
+$snort_openappid_filename_md5 = SNORT_OPENAPPID_DNLD_FILENAME . ".md5";
+$snort_openappid_url = SNORT_OPENAPPID_DNLD_URL;
+
function snort_download_file_url($url, $file_out) {
/************************************************/
@@ -293,21 +269,21 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
/* error occurred. */
/**********************************************************/
- global $pkg_interface, $snort_rules_upd_log, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors;
$snortdir = SNORTDIR;
$filename_md5 = basename($file_dst);
if ($pkg_interface <> "console")
update_status(gettext("Downloading {$desc} md5 file..."));
- error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$rc = snort_download_file_url($file_url, $file_dst);
// See if download from URL was successful
if ($rc === true) {
if ($pkg_interface <> "console")
update_status(gettext("Done downloading {$filename_md5}."));
- error_log("\tChecking {$desc} md5 file...\n", 3, $snort_rules_upd_log);
+ error_log("\tChecking {$desc} md5 file...\n", 3, SNORT_RULES_UPD_LOGFILE);
// check md5 hash in new file against current file to see if new download is posted
if (file_exists("{$snortdir}/{$filename_md5}")) {
@@ -317,7 +293,7 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
if ($pkg_interface <> "console")
update_status(gettext("{$desc} are up to date..."));
log_error(gettext("[Snort] {$desc} are up to date..."));
- error_log(gettext("\t{$desc} are up to date.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} are up to date.\n"), 3, SNORT_RULES_UPD_LOGFILE);
return false;
}
else
@@ -326,7 +302,7 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
return true;
}
else {
- error_log(gettext("\t{$desc} md5 download failed.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} md5 download failed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$snort_err_msg = gettext("Server returned error code {$rc}.");
if ($pkg_interface <> "console") {
update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
@@ -334,9 +310,9 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
}
log_error(gettext("[Snort] {$desc} md5 download failed..."));
log_error(gettext("[Snort] Server returned error code {$rc}..."));
- error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$snort_err_msg}\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$update_errors = true;
return false;
}
@@ -361,7 +337,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* FALSE if download was not successful. */
/**********************************************************/
- global $pkg_interface, $snort_rules_upd_log, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors;
$snortdir = SNORTDIR;
$filename = basename($file_dst);
@@ -369,8 +345,8 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface <> "console")
update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}..."));
- error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$rc = snort_download_file_url($file_url, $file_dst);
// See if the download from the URL was successful
@@ -378,7 +354,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface <> "console")
update_status(gettext("Done downloading {$desc} file."));
log_error("[Snort] {$desc} file update downloaded successfully");
- error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log);
+ error_log(gettext("\tDone downloading rules file.\n"),3, SNORT_RULES_UPD_LOGFILE);
// Test integrity of the rules file. Turn off update if file has wrong md5 hash
if ($file_md5 != trim(md5_file($file_dst))){
@@ -387,10 +363,10 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum..."));
log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst)));
log_error(gettext("[Snort] Expected File MD5: {$file_md5}"));
- error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$update_errors = true;
return false;
}
@@ -400,9 +376,9 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface <> "console")
update_output_window(gettext("{$desc} file download failed..."));
log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'..."));
- error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$update_errors = true;
return false;
}
@@ -422,18 +398,18 @@ safe_mkdir("{$snortdir}/rules");
safe_mkdir("{$snortdir}/signatures");
safe_mkdir("{$snortdir}/preproc_rules");
safe_mkdir("{$tmpfname}");
-safe_mkdir("{$snortlibdir}/dynamicrules");
+safe_mkdir("{$snortlibdir}/snort_dynamicrules");
safe_mkdir("{$snortlogdir}");
safe_mkdir("{$snortiprepdir}");
/* See if we need to automatically clear the Update Log based on 1024K size limit */
-if (file_exists($snort_rules_upd_log)) {
- if (1048576 < filesize($snort_rules_upd_log))
- unlink_if_exists("{$snort_rules_upd_log}");
+if (file_exists(SNORT_RULES_UPD_LOGFILE)) {
+ if (1048576 < filesize(SNORT_RULES_UPD_LOGFILE))
+ unlink_if_exists("{SNORT_RULES_UPD_LOGFILE}");
}
/* Log start time for this rules update */
-error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log);
+error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, SNORT_RULES_UPD_LOGFILE);
$last_curl_error = "";
$update_errors = false;
@@ -449,9 +425,22 @@ if ($snortdownload == 'on') {
$snortdownload = 'off';
}
+/* Check for and download any new Snort OpenAppID detectors */
+if ($openappid_detectors == 'on') {
+ if (snort_check_rule_md5("{$snort_openappid_url}{$snort_openappid_filename}/md5", "{$tmpfname}/{$snort_openappid_filename_md5}", "Snort OpenAppID detectors")) {
+ $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_openappid_filename_md5}"));
+ file_put_contents("{$tmpfname}/{$snort_openappid_filename_md5}", $file_md5);
+ /* download snort-openappid file */
+ if (!snort_fetch_new_rules("{$snort_openappid_url}{$snort_openappid_filename}", "{$tmpfname}/{$snort_openappid_filename}", $file_md5, "Snort OpenAppID detectors"))
+ $openappid_detectors = 'off';
+ }
+ else
+ $openappid_detectors = 'off';
+}
+
/* Check for and download any new Snort GPLv2 Community Rules sigs */
if ($snortcommunityrules == 'on') {
- if (snort_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) {
+ if (snort_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename}/md5", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) {
/* download Snort GPLv2 Community Rules file */
$file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"));
if (!snort_fetch_new_rules("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}", $file_md5, "Snort GPLv2 Community Rules"))
@@ -492,7 +481,7 @@ if ($snortdownload == 'on') {
update_status(gettext("Extracting Snort VRT rules..."));
update_output_window(gettext("Installing Sourcefire VRT rules..."));
}
- error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
/* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */
safe_mkdir("{$tmpfname}/snortrules");
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname}/snortrules rules/");
@@ -507,7 +496,7 @@ if ($snortdownload == 'on') {
$newfile = basename($file);
@copy($file, "{$snortdir}/rules/{$newfile}");
}
- exec("rm -r {$tmpfname}/snortrules");
+ rmdir_recursive("{$tmpfname}/snortrules");
/* Extract the Snort preprocessor rules */
if ($pkg_interface <> "console")
update_output_window(gettext("Extracting preprocessor rules files..."));
@@ -517,22 +506,21 @@ if ($snortdownload == 'on') {
$newfile = basename($file);
@copy($file, "{$snortdir}/preproc_rules/{$newfile}");
}
- exec("rm -r {$tmpfname}/preproc_rules");
+ rmdir_recursive("{$tmpfname}/preproc_rules");
/* extract so rules */
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT Shared Objects rules..."));
update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}..."));
}
- exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/");
- error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$snort_arch = php_uname("m");
$nosorules = false;
if ($snort_arch == 'i386'){
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/");
- exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
+ exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/snort_dynamicrules/");
} elseif ($snort_arch == 'amd64') {
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/");
- exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
+ exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/snort_dynamicrules/");
} else
$nosorules = true;
rmdir_recursive("{$tmpfname}/so_rules/");
@@ -558,7 +546,7 @@ if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/etc/{$file}"))
@copy("{$tmpfname}/etc/{$file}", "{$tmpfname}/VRT_{$file}");
}
- exec("rm -r {$tmpfname}/etc");
+ rmdir_recursive("{$tmpfname}/etc");
if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
if ($pkg_interface <> "console")
update_status(gettext("Copying md5 signature to snort directory..."));
@@ -568,7 +556,30 @@ if ($snortdownload == 'on') {
update_status(gettext("Extraction of Snort VRT rules completed..."));
update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
}
- error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ }
+}
+
+/* Untar Snort OpenAppID detectors file to SNORT_APPID_ODP_PATH */
+if ($openappid_detectors == 'on') {
+ // If we have a valid downloaded file, then first cleanup the old directory
+ if (file_exists("{$tmpfname}/{$snort_openappid_filename}")) {
+ $snort_openappid_path = SNORT_APPID_ODP_PATH;
+ rmdir_recursive("{$snort_openappid_path}odp");
+ error_log(gettext("\tExtracting and installing Snort OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ safe_mkdir(SNORT_APPID_ODP_PATH);
+ exec("/usr/bin/tar oxzf {$tmpfname}/{$snort_openappid_filename} -C {$snort_openappid_path}");
+ if (file_exists("{$tmpfname}/{$snort_openappid_filename_md5}")) {
+ if ($pkg_interface <> "console")
+ update_status(gettext("Copying md5 signature to snort directory..."));
+ @copy("{$tmpfname}/{$snort_openappid_filename_md5}", "{$snortdir}/{$snort_openappid_filename_md5}");
+ }
+ if ($pkg_interface <> "console") {
+ update_status(gettext("Extraction of Snort OpenAppID detectors completed..."));
+ update_output_window(gettext("Installation of Snort OpenAppID detectors completed..."));
+ }
+ unlink_if_exists("{$tmpfname}/{$snort_openappid_filename}");
+ error_log(gettext("\tInstallation of Snort OpenAppID detectors completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
}
@@ -580,7 +591,7 @@ if ($snortcommunityrules == 'on') {
update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
update_output_window(gettext("Installing Snort GPLv2 Community Rules..."));
}
- error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
$files = glob("{$tmpfname}/community/community-rules/*.rules");
@@ -603,7 +614,7 @@ if ($snortcommunityrules == 'on') {
update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
}
- error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/community/");
}
}
@@ -616,7 +627,7 @@ if ($emergingthreats == 'on') {
update_status(gettext("Extracting {$et_name} rules..."));
update_output_window(gettext("Installing {$et_name} rules..."));
}
- error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
/* Remove the old Emerging Threats rules files */
@@ -664,7 +675,7 @@ if ($emergingthreats == 'on') {
update_status(gettext("Extraction of {$et_name} rules completed..."));
update_output_window(gettext("Installation of {$et_name} rules completed..."));
}
- error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/emerging/");
}
}
@@ -698,7 +709,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
if ($pkg_interface <> "console")
update_status(gettext('Copying new config and map files...'));
- error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tCopying new config and map files...\n"), 3, SNORT_RULES_UPD_LOGFILE);
/******************************************************************/
/* Build the classification.config and reference.config files */
@@ -757,8 +768,8 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/rules");
if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules"))
safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules");
- if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor"))
- safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor");
+ if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/snort_dynamicpreprocessor"))
+ safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/snort_dynamicpreprocessor");
snort_apply_customizations($value, $if_real);
@@ -768,7 +779,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
$tmp .= gettext("\tPreprocessor text rules flagged as protected and not updated for ");
$tmp .= convert_friendly_interface_to_friendly_descr($value['interface']) . "...\n";
}
- error_log($tmp, 3, $snort_rules_upd_log);
+ error_log($tmp, 3, SNORT_RULES_UPD_LOGFILE);
}
}
else {
@@ -776,7 +787,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
update_output_window(gettext("Warning: No interfaces configured for Snort were found..."));
update_output_window(gettext("No interfaces currently have Snort configured and enabled on them..."));
}
- error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
/* Clear the rebuild rules flag. */
@@ -788,7 +799,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
update_status(gettext('Restarting Snort to activate the new set of rules...'));
update_output_window(gettext("Please wait ... restarting Snort will take some time..."));
}
- error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
touch("{$g['varrun_path']}/snort_pkg_starting.lck");
snort_restart_all_interfaces(TRUE);
sleep(3);
@@ -796,7 +807,32 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
if ($pkg_interface <> "console")
update_output_window(gettext("Snort has restarted with your new set of rules..."));
log_error(gettext("[Snort] Snort has restarted with your new set of rules..."));
- error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ }
+ else {
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("The rules update task is complete..."));
+ }
+}
+elseif ($openappid_detectors == 'on') {
+ /**************************************************************************************/
+ /* Only updated OpenAppID detectors, so do not need to rebuild all interface rules. */
+ /* Restart snort if running, and not in post-install, so as to pick up the detectors. */
+ /**************************************************************************************/
+ if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) {
+ if ($pkg_interface <> "console") {
+ update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...'));
+ update_output_window(gettext("Please wait ... restarting Snort will take some time..."));
+ }
+ error_log(gettext("\tRestarting Snort to activate the new OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ touch("{$g['varrun_path']}/snort_pkg_starting.lck");
+ snort_restart_all_interfaces(TRUE);
+ sleep(2);
+ unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("Snort has restarted with your new set of OpenAppID detectors..."));
+ log_error(gettext("[Snort] Snort has restarted with your new set of OpenAppID detectors..."));
+ error_log(gettext("\tSnort has restarted with your new set of OpenAppID detectors.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
else {
if ($pkg_interface <> "console")
@@ -812,7 +848,7 @@ if (is_dir("{$tmpfname}")) {
if ($pkg_interface <> "console")
update_status(gettext("The Rules update has finished..."));
log_error(gettext("[Snort] The Rules update has finished."));
-error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log);
+error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SNORT_RULES_UPD_LOGFILE);
/* Remount filesystem read-only if we changed it in this module */
if ($mounted_rw == TRUE)
diff --git a/config/snort/snort_conf_template.inc b/config/snort/snort_conf_template.inc
index e1b11acc..6b362ce5 100644
--- a/config/snort/snort_conf_template.inc
+++ b/config/snort/snort_conf_template.inc
@@ -24,9 +24,6 @@ var RULE_PATH {$snortcfgdir}/rules
# Define Server Ports #
{$portvardef}
-# Configure quiet startup mode #
-config quiet
-
# Configure the snort decoder #
config checksum_mode: {$cksumcheck}
config disable_decode_alerts
diff --git a/config/snort/snort_defs.inc b/config/snort/snort_defs.inc
new file mode 100644
index 00000000..aa4b2dc9
--- /dev/null
+++ b/config/snort/snort_defs.inc
@@ -0,0 +1,101 @@
+<?php
+/*
+ * snort_defs.inc
+ *
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009-2010 Robert Zelaya
+ * Copyright (C) 2011-2012 Ermal Luci
+ * Copyright (C) 2013,2014 Bill Meeks
+ * part of pfSense
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+global $g, $config;
+
+/* Define some useful constants for Snort */
+if (!defined("SNORT_PBI_BASEDIR"))
+ define("SNORT_PBI_BASEDIR", "/usr/pbi/snort-" . php_uname("m") . "/");
+if (!defined("SNORT_PBI_BINDIR"))
+ define("SNORT_PBI_BINDIR", SNORT_PBI_BASEDIR . "bin/");
+if (!defined("SNORTDIR"))
+ define("SNORTDIR", SNORT_PBI_BASEDIR . "etc/snort");
+if (!defined("SNORTLOGDIR"))
+ define("SNORTLOGDIR", "{$g['varlog_path']}/snort");
+if (!defined("SNORT_BIN_VERSION")) {
+ // Grab the Snort binary version programmatically
+ $snortver = array();
+ $snortbindir = SNORT_PBI_BINDIR;
+ mwexec("{$snortbindir}/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
+ if (!empty($snortver[0]))
+ define("SNORT_BIN_VERSION", $snortver[0]);
+ else
+ define("SNORT_BIN_VERSION", "2.9.7.0");
+}
+if (!defined("SNORT_SID_MODS_PATH"))
+ define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
+if (!defined("SNORT_IPREP_PATH"))
+ define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/");
+if (!defined('SNORT_APPID_ODP_PATH'))
+ define('SNORT_APPID_ODP_PATH', "{$g['vardb_path']}/snort/app/");
+
+// Rules filenames, download URLs and prefixes.
+// Be sure to include the trailing backslash on URLs.
+if (!defined("SNORT_ENFORCING_RULES_FILENAME"))
+ define("SNORT_ENFORCING_RULES_FILENAME", "snort.rules");
+if (!defined("FLOWBITS_FILENAME"))
+ define("FLOWBITS_FILENAME", "flowbit-required.rules");
+if (!defined("SNORT_RULES_UPD_LOGFILE"))
+ define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+if (!defined("VRT_DNLD_URL"))
+ define("VRT_DNLD_URL", "https://www.snort.org/rules/");
+if (!defined("ET_VERSION"))
+ define("ET_VERSION", "2.9.0");
+if (!defined("ET_BASE_DNLD_URL"))
+ define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/");
+if (!defined("ETPRO_BASE_DNLD_URL"))
+ define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/");
+if (!defined("SNORT_ET_DNLD_FILENAME"))
+ define("SNORT_ET_DNLD_FILENAME", "emerging.rules.tar.gz");
+if (!defined("SNORT_ETPRO_DNLD_FILENAME"))
+ define("SNORT_ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
+if (!defined("SNORT_GPLV2_DNLD_FILENAME"))
+ define("SNORT_GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
+if (!defined("GPLV2_DNLD_URL"))
+ define("GPLV2_DNLD_URL", "https://www.snort.org/downloads/community/");
+if (!defined("SNORT_OPENAPPID_DNLD_URL"))
+ define("SNORT_OPENAPPID_DNLD_URL", "https://www.snort.org/downloads/openappid/");
+if (!defined("SNORT_OPENAPPID_DNLD_FILENAME"))
+ define("SNORT_OPENAPPID_DNLD_FILENAME", "snort-openappid.tar.gz");
+if (!defined("SNORT_RULES_UPD_LOGFILE"))
+ define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+if (!defined("VRT_FILE_PREFIX"))
+ define("VRT_FILE_PREFIX", "snort_");
+if (!defined("GPL_FILE_PREFIX"))
+ define("GPL_FILE_PREFIX", "GPLv2_");
+if (!defined("ET_OPEN_FILE_PREFIX"))
+ define("ET_OPEN_FILE_PREFIX", "emerging-");
+if (!defined("ET_PRO_FILE_PREFIX"))
+ define("ET_PRO_FILE_PREFIX", "etpro-");
+
+?>
diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php
index e74a9ce6..3f34cb7e 100755
--- a/config/snort/snort_download_updates.php
+++ b/config/snort/snort_download_updates.php
@@ -39,24 +39,18 @@ require_once("/usr/local/pkg/snort/snort.inc");
/* Define some locally required variables from Snort constants */
$snortdir = SNORTDIR;
$snort_rules_upd_log = SNORT_RULES_UPD_LOGFILE;
+$snortbinver = SNORT_BIN_VERSION;
+$snortbinver = str_replace(".", "", $snortbinver);
-/* Grab the Snort binary version programmatically and */
-/* use it to construct the proper Snort VRT rules */
-/* tarball filename. Fallback to a safe default if */
-/* we fail. */
-$snortver = array();
-exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
-if (empty($snortver[0]))
- $snortver[0] = SNORT_BIN_VERSION;
-$snortver[0] = str_replace(".", "", $snortver[0]);
-
-$snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz";
+$snort_rules_file = "snortrules-snapshot-{$snortbinver}.tar.gz";
$snort_community_rules_filename = SNORT_GPLV2_DNLD_FILENAME;
+$snort_openappid_filename = SNORT_OPENAPPID_DNLD_FILENAME;
$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'];
$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'];
$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'];
+$openappid_detectors = $config['installedpackages']['snortglobal']['openappid_detectors'];
/* Get last update information if available */
if (!empty($config['installedpackages']['snortglobal']['last_rule_upd_time']))
@@ -70,21 +64,21 @@ else
if ($etpro == "on") {
$emergingthreats_filename = SNORT_ETPRO_DNLD_FILENAME;
- $et_name = "Emerging Threats Pro Rules";
+ $et_name = gettext("Emerging Threats Pro Rules");
}
else {
$emergingthreats_filename = SNORT_ET_DNLD_FILENAME;
- $et_name = "Emerging Threats Open Rules";
+ $et_name = gettext("Emerging Threats Open Rules");
}
/* quick md5 chk of downloaded rules */
if ($snortdownload == 'on') {
- $snort_org_sig_chk_local = 'Not Downloaded';
- $snort_org_sig_date = 'Not Downloaded';
+ $snort_org_sig_chk_local = gettext("Not Downloaded");
+ $snort_org_sig_date = gettext("Not Downloaded");
}
else {
- $snort_org_sig_chk_local = 'Not Enabled';
- $snort_org_sig_date = 'Not Enabled';
+ $snort_org_sig_chk_local = gettext("Not Enabled");
+ $snort_org_sig_date = gettext("Not Enabled");
}
if (file_exists("{$snortdir}/{$snort_rules_file}.md5") && $snortdownload == 'on') {
$snort_org_sig_chk_local = file_get_contents("{$snortdir}/{$snort_rules_file}.md5");
@@ -92,12 +86,12 @@ if (file_exists("{$snortdir}/{$snort_rules_file}.md5") && $snortdownload == 'on'
}
if ($etpro == "on" || $emergingthreats == "on") {
- $emergingt_net_sig_chk_local = 'Not Downloaded';
- $emergingt_net_sig_date = 'Not Downloaded';
+ $emergingt_net_sig_chk_local = gettext("Not Downloaded");
+ $emergingt_net_sig_date = gettext("Not Downloaded");
}
else {
- $emergingt_net_sig_chk_local = 'Not Enabled';
- $emergingt_net_sig_date = 'Not Enabled';
+ $emergingt_net_sig_chk_local = gettext("Not Enabled");
+ $emergingt_net_sig_date = gettext("Not Enabled");
}
if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5") && ($etpro == "on" || $emergingthreats == "on")) {
$emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/{$emergingthreats_filename}.md5");
@@ -105,16 +99,29 @@ if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5") && ($etpro == "on
}
if ($snortcommunityrules == 'on') {
- $snort_community_sig_chk_local = 'Not Downloaded';
- $snort_community_sig_sig_date = 'Not Downloaded';
+ $snort_community_sig_chk_local = gettext("Not Downloaded");
+ $snort_community_sig_date = gettext("Not Downloaded");
}
else {
- $snort_community_sig_chk_local = 'Not Enabled';
- $snort_community_sig_sig_date = 'Not Enabled';
+ $snort_community_sig_chk_local = gettext("Not Enabled");
+ $snort_community_sig_date = gettext("Not Enabled");
}
if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5") && $snortcommunityrules == 'on') {
$snort_community_sig_chk_local = file_get_contents("{$snortdir}/{$snort_community_rules_filename}.md5");
- $snort_community_sig_sig_date = date(DATE_RFC850, filemtime("{$snortdir}/{$snort_community_rules_filename}.md5"));
+ $snort_community_sig_date = date(DATE_RFC850, filemtime("{$snortdir}/{$snort_community_rules_filename}.md5"));
+}
+
+if ($openappid_detectors == 'on') {
+ $openappid_detectors_sig_chk_local = gettext("Not Downloaded");
+ $openappid_detectors_sig_date = gettext("Not Downloaded");
+}
+else {
+ $openappid_detectors_sig_chk_local = gettext("Not Enabled");
+ $openappid_detectors_sig_date = gettext("Not Enabled");
+}
+if (file_exists("{$snortdir}/{$snort_openappid_filename}.md5") && $openappid_detectors == 'on') {
+ $openappid_detectors_sig_chk_local = file_get_contents("{$snortdir}/{$snort_openappid_filename}.md5");
+ $openappid_detectors_sig_date = date(DATE_RFC850, filemtime("{$snortdir}/{$snort_openappid_filename}.md5"));
}
/* Check for postback to see if we should clear the update log file. */
@@ -122,7 +129,7 @@ if (isset($_POST['clear'])) {
unlink_if_exists($snort_rules_upd_log);
}
-if (isset($_POST['check'])) {
+if (isset($_POST['update'])) {
header("Location: /snort/snort_download_rules.php");
exit;
}
@@ -135,6 +142,7 @@ if ($_POST['force']) {
unlink_if_exists("{$snortdir}/{$emergingthreats_filename}.md5");
unlink_if_exists("{$snortdir}/{$snort_community_rules_filename}.md5");
unlink_if_exists("{$snortdir}/{$snort_rules_file}.md5");
+ unlink_if_exists("{$snortdir}/{$snort_openappid_filename}.md5");
// Revert file system to R/O.
conf_mount_ro();
@@ -204,20 +212,25 @@ include_once("head.inc");
</tr>
</thead>
<tr>
- <td align="center" class="vncell vexpl"><b>Snort VRT Rules</b></td>
+ <td align="center" class="vncell vexpl"><b><?=gettext("Snort VRT Rules");?></b></td>
<td align="center" class="vncell vexpl"><? echo trim($snort_org_sig_chk_local);?></td>
<td align="center" class="vncell vexpl"><?php echo gettext($snort_org_sig_date);?></td>
</tr>
<tr>
- <td align="center" class="vncell vexpl"><b>Snort GPLv2 Community Rules</b></td>
+ <td align="center" class="vncell vexpl"><b><?=gettext("Snort GPLv2 Community Rules");?></b></td>
<td align="center" class="vncell vexpl"><? echo trim($snort_community_sig_chk_local);?></td>
- <td align="center" class="vncell vexpl"><?php echo gettext($snort_community_sig_sig_date);?></td>
+ <td align="center" class="vncell vexpl"><?php echo gettext($snort_community_sig_date);?></td>
</tr>
<tr>
<td align="center" class="vncell vexpl"><b><?=$et_name;?></b></td>
<td align="center" class="vncell vexpl"><? echo trim($emergingt_net_sig_chk_local);?></td>
<td align="center" class="vncell vexpl"><?php echo gettext($emergingt_net_sig_date);?></td>
</tr>
+ <tr>
+ <td align="center" class="vncell vexpl"><b><?=gettext("Snort OpenAppID Detectors");?></b></td>
+ <td align="center" class="vncell vexpl"><? echo trim($openappid_detectors_sig_chk_local);?></td>
+ <td align="center" class="vncell vexpl"><?php echo gettext($openappid_detectors_sig_date);?></td>
+ </tr>
</table><br/>
</td>
</tr>
@@ -253,8 +266,8 @@ include_once("head.inc");
<br/></p>
<?php else: ?>
<br/>
- <input type="submit" value="<?=gettext("Check");?>" name="check" id="check" class="formbtn"
- title="<?php echo gettext("Check for new updates to enabled rule sets"); ?>"/>&nbsp;&nbsp;&nbsp;&nbsp;
+ <input type="submit" value="<?=gettext("Update");?>" name="update" id="update" class="formbtn"
+ title="<?php echo gettext("Check for and apply new update to enabled rule sets"); ?>"/>&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" value="<?=gettext("Force");?>" name="force" id="force" class="formbtn"
title="<?=gettext("Force an update of all enabled rule sets");?>"
onclick="return confirm('<?=gettext("This will zero-out the MD5 hashes to force a fresh download of enabled rule sets. Click OK to continue or CANCEL to quit");?>');"/>
diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php
index fb5c750f..1d56fc13 100644
--- a/config/snort/snort_generate_conf.php
+++ b/config/snort/snort_generate_conf.php
@@ -64,9 +64,9 @@ $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules",
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
"{$snortcfgdir}/preproc_rules",
- "dynamicrules" => "{$snortlibdir}/dynamicrules",
- "dynamicengine" => "{$snortlibdir}/dynamicengine",
- "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
+ "dynamicrules" => "{$snortlibdir}/snort_dynamicrules",
+ "dynamicengine" => "{$snortlibdir}/snort_dynamicengine",
+ "dynamicpreprocessor" => "{$snortcfgdir}/snort_dynamicpreprocessor"
);
foreach ($snort_dirs as $dir) {
if (!is_dir($dir))
@@ -82,7 +82,7 @@ foreach ($snort_dirs as $dir) {
/* put in place by the rules update process. */
/********************************************************************/
$snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd",
- "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules",
+ "sid-msg.map", "unicode.map", "file_magic.conf", "threshold.conf", "preproc_rules/preprocessor.rules",
"preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules"
);
foreach ($snort_files as $file) {
@@ -126,6 +126,10 @@ if ($snortcfg['barnyard_enable'] == "on") {
$snortunifiedlog_type .= ", vlan_event_types";
if ($snortcfg['barnyard_log_mpls_events'] == 'on')
$snortunifiedlog_type .= ", mpls_event_types";
+
+ // If AppID detector is enabled, add it to unified2 logging
+ if ($snortcfg['appid_preproc'] == 'on' )
+ $snortunifiedlog_type .= ", appid_event_types";
}
/* define spoink */
@@ -889,6 +893,23 @@ preprocessor reputation: \
EOD;
+/* def AppID preprocessor */
+$appid_memcap = $snortcfg['sf_appid_mem_cap'] * 1024 * 1024;
+$appid_params = "app_detector_dir " . SNORT_APPID_ODP_PATH . ", \\\n\tmemcap {$appid_memcap}";
+if ($snortcfg['sf_appid_statslog'] == "on") {
+ $appid_params .= ", \\\n\tapp_stats_filename app-stats.log";
+ $appid_params .= ", \\\n\tapp_stats_period {$snortcfg['sf_appid_stats_period']}";
+ $appid_params .= ", \\\n\tapp_stats_rollover_size " . strval($config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] * 1024);
+ $appid_params .= ", \\\n\tapp_stats_rollover_time 86400";
+}
+
+$appid_preproc = <<<EOD
+# AppID preprocessor #
+preprocessor appid: \
+ {$appid_params}
+
+EOD;
+
/***************************************/
/* end of preprocessor string var code */
/***************************************/
@@ -920,14 +941,14 @@ $snort_preproc_libs = array(
"dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc",
"pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc",
"sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
- "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
+ "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc", "appid_preproc" => "appid_preproc"
);
$snort_preproc = array (
"perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan",
- "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc"
+ "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "appid_preproc"
);
$default_disabled_preprocs = array(
- "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat"
+ "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat", "appid_preproc"
);
$snort_preprocessors = "";
foreach ($snort_preproc as $preproc) {
@@ -941,8 +962,8 @@ foreach ($snort_preproc as $preproc) {
if (!empty($snort_preproc_libs[$preproc])) {
$preproclib = "libsf_" . $snort_preproc_libs[$preproc];
if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
- if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) {
- @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
+ if (file_exists("{$snortlibdir}/snort_dynamicpreprocessor/{$preproclib}.so")) {
+ @copy("{$snortlibdir}/snort_dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
$snort_preprocessors .= $$preproc;
$snort_preprocessors .= "\n";
} else
diff --git a/config/snort/snort_interface_logs.php b/config/snort/snort_interface_logs.php
index ba8215ca..c8c4c24c 100644
--- a/config/snort/snort_interface_logs.php
+++ b/config/snort/snort_interface_logs.php
@@ -54,15 +54,29 @@ $if_real = get_real_interface($a_instance[$id]['interface']);
// Construct a pointer to the instance's logging subdirectory
$snortlogdir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}/";
+// Construct a pointer to the PBI_BIN directory
+$snortbindir = SNORT_PBI_BINDIR;
+
// Limit all file access to just the currently selected interface's logging subdirectory
$logfile = htmlspecialchars($snortlogdir . basename($_POST['file']));
if ($_POST['action'] == 'load') {
+ // If viewing the app-stats log, then grab only the most recent one
+ if (strpos(basename($logfile), "app-stats.log") !== FALSE) {
+ $appid_statlogs = glob("{$snortlogdir}app-stats.log.*");
+ $logfile = array_pop($appid_statlogs);
+ }
+
if(!is_file($logfile)) {
echo "|3|" . gettext("Log file does not exist or that logging feature is not enabled") . ".|";
}
else {
- $data = file_get_contents($logfile);
+ // Test for special unified2 format app-stats file because
+ // we have to use a Snort binary tool to display its contents.
+ if (strpos(basename($_POST['file']), "app-stats.log") !== FALSE)
+ $data = shell_exec("{$snortbindir}u2openappid {$logfile} 2>&1");
+ else
+ $data = file_get_contents($logfile);
if($data === false) {
echo "|1|" . gettext("Failed to read log file") . ".|";
} else {
@@ -178,7 +192,7 @@ if ($input_errors) {
<td width="78%" class="vtable">
<select name="logFile" id="logFile" class="formselect" onChange="loadFile();">
<?php
- $logs = array( "alert", "{$if_real}.stats" , "sid_changes.log" );
+ $logs = array( "alert", "app-stats.log", "{$if_real}.stats" , "sid_changes.log" );
foreach ($logs as $log) {
$selected = "";
if ($log == basename($logfile))
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index 14b54b34..0d41c7db 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -365,9 +365,15 @@ if ($_POST["save"] && !$input_errors) {
if (!is_array($natent['stream5_tcp_engine']['item']))
$natent['stream5_tcp_engine']['item'] = array();
$natent['stream5_tcp_engine']['item'][] = $stream5_eng;
+
$natent['alertsystemlog_facility'] = "log_auth";
$natent['alertsystemlog_priority'] = "log_alert";
+ $natent['appid_preproc'] = "off";
+ $natent['sf_appid_mem_cap'] = "256";
+ $natent['sf_appid_statslog'] = "on";
+ $natent['sf_appid_stats_period'] = "300";
+
$a_rule[] = $natent;
}
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index fb36d192..d816284a 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -41,19 +41,26 @@ require_once("/usr/local/pkg/snort/snort.inc");
global $g;
$snortdir = SNORTDIR;
-
-/* make things short */
-$pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload'] == "on" ? 'on' : 'off';
-$pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode'];
-$pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code'];
-$pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats'] == "on" ? 'on' : 'off';
-$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == "on" ? 'on' : 'off';
-$pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
-$pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7'];
-$pconfig['rule_update_starttime'] = $config['installedpackages']['snortglobal']['rule_update_starttime'];
-$pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings'] == "on" ? 'on' : 'off';
-$pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules'] == "on" ? 'on' : 'off';
-$pconfig['clearblocks'] = $config['installedpackages']['snortglobal']['clearblocks'] == "on" ? 'on' : 'off';
+$snort_openappdir = SNORT_APPID_ODP_PATH;
+
+// Grab any previous input values if doing a SAVE operation
+if ($_POST['save'])
+ $pconfig = $_POST;
+else {
+ $pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload'] == "on" ? 'on' : 'off';
+ $pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode'];
+ $pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code'];
+ $pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats'] == "on" ? 'on' : 'off';
+ $pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == "on" ? 'on' : 'off';
+ $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
+ $pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7'];
+ $pconfig['rule_update_starttime'] = $config['installedpackages']['snortglobal']['rule_update_starttime'];
+ $pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings'] == "on" ? 'on' : 'off';
+ $pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules'] == "on" ? 'on' : 'off';
+ $pconfig['clearblocks'] = $config['installedpackages']['snortglobal']['clearblocks'] == "on" ? 'on' : 'off';
+ $pconfig['verbose_logging'] = $config['installedpackages']['snortglobal']['verbose_logging'] == "on" ? 'on' : 'off';
+ $pconfig['openappid_detectors'] = $config['installedpackages']['snortglobal']['openappid_detectors'] == "on" ? 'on' : 'off';
+}
/* Set sensible values for any empty default params */
if (!isset($pconfig['rule_update_starttime']))
@@ -61,6 +68,16 @@ if (!isset($pconfig['rule_update_starttime']))
if (!isset($config['installedpackages']['snortglobal']['forcekeepsettings']))
$pconfig['forcekeepsettings'] = 'on';
+/* Grab OpenAppID version info if enabled and downloaded */
+if ($pconfig['openappid_detectors'] == "on") {
+ if (file_exists("{$snort_openappdir}odp/version.conf")) {
+ $openappid_ver = gettext("Installed Detection Package ");
+ $openappid_ver .= gettext(ucfirst(strtolower(file_get_contents("{$snort_openappdir}odp/version.conf"))));
+ }
+ else
+ $openappid_ver = gettext("N/A (Not Downloaded)");
+}
+
if ($_POST['rule_update_starttime']) {
if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime']))
$input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'.";
@@ -72,6 +89,9 @@ if ($_POST['snortdownload'] == "on" && empty($_POST['oinkmastercode']))
if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code']))
$input_errors[] = "You must supply a subscription code in the box provided in order to enable Emerging Threats Pro rules!";
+if ($_POST['openappid_detectors'] == "on" && empty($_POST['openappid_dnload_url']))
+ $input_errors[] = "You must supply a download URL in the box provided in order to enable OpenAppID detectors!";
+
/* if no errors move foward with save */
if (!$input_errors) {
if ($_POST["save"]) {
@@ -81,6 +101,8 @@ if (!$input_errors) {
$config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['clearblocks'] = $_POST['clearblocks'] ? 'on' : 'off';
+ $config['installedpackages']['snortglobal']['verbose_logging'] = $_POST['verbose_logging'] ? 'on' : 'off';
+ $config['installedpackages']['snortglobal']['openappid_detectors'] = $_POST['openappid_detectors'] ? 'on' : 'off';
// If any rule sets are being turned off, then remove them
// from the active rules section of each interface. Start
@@ -137,13 +159,13 @@ if (!$input_errors) {
$retval = 0;
+ write_config("Snort pkg: modified global settings.");
+
/* create whitelist and homenet file, then sync files */
conf_mount_rw();
sync_snort_package_config();
conf_mount_ro();
- write_config("Snort pkg: modified global settings.");
-
/* forces page to reload new settings */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
@@ -206,7 +228,7 @@ if ($input_errors)
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td><input name="snortdownload" type="checkbox" id="snortdownload" value="on" onclick="enable_snort_vrt();"
- <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td>
+ <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?> /></td>
<td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td>
<tr>
<td>&nbsp;</td>
@@ -224,9 +246,9 @@ if ($input_errors)
</tr>
<tr>
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
- <td><input name="oinkmastercode" type="text"
- class="formfld unknown" id="oinkmastercode" size="52"
- value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br/>
+ <td><input name="oinkmastercode" type="text"
+ class="formfld unknown" id="oinkmastercode" size="52"
+ value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" /><br/>
<?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td>
</tr>
</table>
@@ -236,8 +258,8 @@ if ($input_errors)
<td width="78%" class="vtable">
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
- <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on"
- <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked";?> ></td>
+ <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on"
+ <?php if ($pconfig['snortcommunityrules']=="on") echo "checked";?> /></td>
<td class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " .
"without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset.");?>
<br/><br/><?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
@@ -252,13 +274,13 @@ if ($input_errors)
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="on" onclick="enable_et_rules();"
- <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>></td>
+ <?php if ($pconfig['emergingthreats']=="on") echo "checked"; ?> /></td>
<td><span class="vexpl"><?php echo gettext("ETOpen is an open source set of Snort rules whose coverage " .
"is more limited than ETPro."); ?></span></td>
</tr>
<tr>
<td valign="top" width="8%"><input name="emergingthreats_pro" type="checkbox" value="on" onclick="enable_etpro_rules();"
- <?php if ($config['installedpackages']['snortglobal']['emergingthreats_pro']=="on") echo "checked"; ?>></td>
+ <?php if ($pconfig['emergingthreats_pro']=="on") echo "checked"; ?>/></td>
<td><span class="vexpl"><?php echo gettext("ETPro for Snort offers daily updates and extensive coverage of current malware threats."); ?></span></td>
</tr>
<tr>
@@ -282,13 +304,38 @@ if ($input_errors)
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
<td><input name="etpro_code" type="text"
class="formfld unknown" id="etpro_code" size="52"
- value="<?=htmlspecialchars($pconfig['etpro_code']);?>"><br/>
+ value="<?=htmlspecialchars($pconfig['etpro_code']);?>"/><br/>
<?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td>
</tr>
</table>
</td>
</tr>
-
+<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("OpenAppID") . "</strong>" . gettext(" detectors");?></td>
+ <td width="78%" class="vtable">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td valign="top" width="8%"><input name="openappid_detectors" type="checkbox" value="on" onclick="enable_openappid_dnload();"
+ <?php if ($pconfig['openappid_detectors']=="on") echo "checked";?> /></td>
+ <td class="vexpl"><?php echo gettext("The OpenAppID package contains the application signatures required by " .
+ "the AppID preprocessor.");?>
+ <br/><br/><?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
+ gettext("You must enable download of the OpenAppID detectors package in order to utilize the Application ID ") .
+ gettext("preprocessor and any user-provided application detection rules. Once enabled, go to the ") .
+ "<a href='/snort/snort_download_updates.php'>" . gettext("UPDATES") . "</a>" . gettext(" tab and click to download updates.");?></td>
+ </tr>
+ <tbody id="openappid_rows">
+ <tr>
+ <td class="vexpl" colspan="2"><br/><strong><?=gettext("OpenAppID Detection Package");?></strong></td>
+ </tr>
+ <tr>
+ <td class="vexpl" valign="top"><strong><?=gettext("VER:");?></strong></td>
+ <td class="vexpl"><?=htmlspecialchars($openappid_ver);?></td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+</tr>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Rules Update Settings"); ?></td>
</tr>
@@ -300,7 +347,7 @@ if ($input_errors)
$interfaces3 = array('never_up' => gettext('NEVER'), '6h_up' => gettext('6 HOURS'), '12h_up' => gettext('12 HOURS'), '1d_up' => gettext('1 DAY'), '4d_up' => gettext('4 DAYS'), '7d_up' => gettext('7 DAYS'), '28d_up' => gettext('28 DAYS'));
foreach ($interfaces3 as $iface3 => $ifacename3): ?>
<option value="<?=$iface3;?>"
- <?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?>>
+ <?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?> />
<?=htmlspecialchars($ifacename3);?></option>
<?php endforeach; ?>
</select><span class="vexpl">&nbsp;&nbsp;<?php echo gettext("Please select the interval for rule updates. Choosing ") .
@@ -310,7 +357,7 @@ if ($input_errors)
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Update Start Time"); ?></td>
<td width="78%" class="vtable"><input type="text" class="formfld time" name="rule_update_starttime" id="rule_update_starttime" size="4"
- maxlength="5" value="<?=htmlspecialchars($pconfig['rule_update_starttime']);?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?>><span class="vexpl">&nbsp;&nbsp;
+ maxlength="5" value="<?=htmlspecialchars($pconfig['rule_update_starttime']);?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?> /><span class="vexpl">&nbsp;&nbsp;
<?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" .
gettext("Default") . "&nbsp;</strong>" . gettext("is ") . "<strong>" . gettext("00:05") . "</strong></span>"; ?>.<br/><br/>
<?php echo gettext("Rules will update at the interval chosen above starting at the time specified here. For example, using the default " .
@@ -327,7 +374,7 @@ if ($input_errors)
$interfaces3 = array('never_b' => gettext('NEVER'), '15m_b' => gettext('15 MINS'), '30m_b' => gettext('30 MINS'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS'));
foreach ($interfaces3 as $iface3 => $ifacename3): ?>
<option value="<?=$iface3;?>"
- <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>>
+ <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?> />
<?=htmlspecialchars($ifacename3);?></option>
<?php endforeach; ?>
</select>&nbsp;
@@ -336,21 +383,29 @@ if ($input_errors)
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Blocked Hosts After Deinstall"); ?></td>
- <td width="78%" class="vtable"><input name="clearblocks" id="clearblocks" type="checkbox" value="yes"
- <?php if ($config['installedpackages']['snortglobal']['clearblocks']=="on") echo " checked"; ?>/>&nbsp;
+ <td width="78%" class="vtable"><input name="clearblocks" id="clearblocks" type="checkbox" value="yes"
+ <?php if ($pconfig['clearblocks']=="on") echo " checked"; ?> />&nbsp;
<?php echo gettext("All blocked hosts added by Snort will be removed during package deinstallation."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Snort Settings After Deinstall"); ?></td>
<td width="78%" class="vtable"><input name="forcekeepsettings"
- id="forcekeepsettings" type="checkbox" value="yes"
- <?php if ($pconfig['forcekeepsettings']=="on") echo "checked"; ?>
- >&nbsp;&nbsp;<?php echo gettext("Settings will not be removed during package deinstallation."); ?></td>
+ id="forcekeepsettings" type="checkbox" value="yes"
+ <?php if ($pconfig['forcekeepsettings']=="on") echo "checked"; ?> />
+ &nbsp;&nbsp;<?php echo gettext("Settings will not be removed during package deinstallation."); ?></td>
+</tr>
+<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Startup/Shutdown Logging"); ?></td>
+ <td width="78%" class="vtable"><input name="verbose_logging"
+ id="verbose_logging" type="checkbox" value="yes"
+ <?php if ($pconfig['verbose_logging']=="on") echo "checked"; ?> />
+ &nbsp;&nbsp;<?php echo gettext("Output detailed messages to the system log when Snort is starting and stopping. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>" . gettext("."); ?></td>
</tr>
<tr>
<td width="22%" valign="top">
<td width="78%">
- <input name="save" type="submit" class="formbtn" value="Save" >
+ <input name="save" type="submit" class="formbtn" value="Save" />
</td>
</tr>
<tr>
@@ -403,11 +458,20 @@ function enable_change_rules_upd() {
document.iform.rule_update_starttime.disabled="";
}
+function enable_openappid_dnload() {
+ var endis = document.iform.openappid_detectors.checked;
+ if (endis)
+ document.getElementById("openappid_rows").style.display = "";
+ else
+ document.getElementById("openappid_rows").style.display = "none";
+}
+
// Initialize the form controls state based on saved settings
enable_snort_vrt();
enable_et_rules();
enable_etpro_rules();
enable_change_rules_upd();
+enable_openappid_dnload();
//-->
</script>
diff --git a/config/snort/snort_ip_list_mgmt.php b/config/snort/snort_ip_list_mgmt.php
index 8311ea1c..20d486c6 100644
--- a/config/snort/snort_ip_list_mgmt.php
+++ b/config/snort/snort_ip_list_mgmt.php
@@ -152,6 +152,7 @@ if ($savemsg)
<input type="hidden" name="MAX_FILE_SIZE" value="100000000" />
<input type="hidden" name="iplist_fname" id="iplist_fname" value=""/>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tbody>
<tr><td>
<?php
$tab_array = array();
@@ -170,21 +171,19 @@ if ($savemsg)
?>
</td>
</tr>
-<tbody id="uploader" style="display: none;" class="tabcont">
- <tr>
- <td colspan="4" class="list"><br/><?php echo gettext("Click BROWSE to select a file to import, and then click UPLOAD. Click CLOSE to quit."); ?></td>
- </tr>
- <tr>
- <td colspan="4" class="list"><input type="file" name="iprep_fileup" id="iprep_fileup" class="formfld file" size="50" />
- &nbsp;&nbsp;<input type="submit" name="upload" id="upload" value="<?=gettext("Upload");?>"
- title="<?=gettext("Upload selected IP list to firewall");?>"/>&nbsp;&nbsp;<input type="button"
- value="<?=gettext("Close");?>" onClick="document.getElementById('uploader').style.display='none';" /><br/></td>
- <td class="list"></td>
- </tr>
-</tbody>
<tr>
<td>
<div id="mainarea">
+
+ <?php if ($g['platform'] == "nanobsd") : ?>
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tbody>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("IP Reputation is not supported on NanoBSD installs"); ?></td>
+ </tr>
+ </tbody>
+ </table>
+ <?php else: ?>
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
<colgroup>
<col style="width: 50%;">
@@ -223,6 +222,18 @@ if ($savemsg)
height="17" border="0" title="<?php echo gettext('Delete this IP List');?>"/></td>
</tr>
<?php endforeach; ?>
+ <tbody id="uploader" style="display: none;">
+ <tr>
+ <td colspan="4" class="list"><br/><?php echo gettext("Click BROWSE to select a file to import, and then click UPLOAD. Click CLOSE to quit."); ?></td>
+ </tr>
+ <tr>
+ <td colspan="4" class="list"><input type="file" name="iprep_fileup" id="iprep_fileup" class="formfld file" size="50" />
+ &nbsp;&nbsp;<input type="submit" name="upload" id="upload" value="<?=gettext("Upload");?>"
+ title="<?=gettext("Upload selected IP list to firewall");?>"/>&nbsp;&nbsp;<input type="button"
+ value="<?=gettext("Close");?>" onClick="document.getElementById('uploader').style.display='none';" /><br/></td>
+ <td colspan="4" class="list"></td>
+ </tr>
+ </tbody>
<tbody id="iplist_editor" style="<?=$iplist_edit_style;?>">
<tr>
<td colspan="4">&nbsp;</td>
@@ -267,9 +278,11 @@ if ($savemsg)
<td class="list"></td>
</tr>
</table>
+ <?php endif; ?>
</div>
</td>
</tr>
+</tbody>
</table>
</form>
<?php include("fend.inc"); ?>
diff --git a/config/snort/snort_ip_reputation.php b/config/snort/snort_ip_reputation.php
index 891f3773..4c3065a0 100644
--- a/config/snort/snort_ip_reputation.php
+++ b/config/snort/snort_ip_reputation.php
@@ -204,6 +204,7 @@ if ($savemsg)
<?php endif; ?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tbody>
<tr>
<td>
<?php
@@ -239,6 +240,12 @@ if ($savemsg)
<tr>
<td><div id="mainarea">
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tbody>
+ <?php if ($g['platform'] == "nanobsd") : ?>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("IP Reputation is not supported on NanoBSD installs"); ?></td>
+ </tr>
+ <?php else: ?>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("IP Reputation Preprocessor Configuration"); ?></td>
</tr>
@@ -368,9 +375,9 @@ if ($savemsg)
<td width="22%" valign='top' class='vncell'><?php echo gettext("Whitelist Files"); ?>
</td>
<td width="78%" class="vtable">
- <table width="95%" border="0" cellpadding="2" cellspacing="0">
<!-- wlist_chooser -->
<div id="wlistChooser" name="wlistChooser" style="display:none; border:1px dashed gray; width:98%;"></div>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
<colgroup>
<col style="text-align:left;">
<col style="width: 30%; text-align:left;">
@@ -411,12 +418,16 @@ if ($savemsg)
</table>
</td>
</tr>
+ <?php endif; ?>
+ </tbody>
</table>
</div>
</td>
</tr>
+ </tbody>
</table>
+<?php if ($g['platform'] != "nanobsd") : ?>
<script type="text/javascript">
Event.observe(
window, "load",
@@ -504,6 +515,7 @@ function wlistComplete(req) {
}
</script>
+<?php endif; ?>
</form>
<?php include("fend.inc"); ?>
diff --git a/config/snort/snort_log_mgmt.php b/config/snort/snort_log_mgmt.php
index 0e38afc2..33d94a04 100644
--- a/config/snort/snort_log_mgmt.php
+++ b/config/snort/snort_log_mgmt.php
@@ -57,6 +57,8 @@ $pconfig['sid_changes_log_limit_size'] = $config['installedpackages']['snortglob
$pconfig['sid_changes_log_retention'] = $config['installedpackages']['snortglobal']['sid_changes_log_retention'];
$pconfig['event_pkts_log_limit_size'] = '0';
$pconfig['event_pkts_log_retention'] = $config['installedpackages']['snortglobal']['event_pkts_log_retention'];
+$pconfig['appid_stats_log_limit_size'] = $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'];
+$pconfig['appid_stats_log_retention'] = $config['installedpackages']['snortglobal']['appid_stats_log_retention'];
// Load up some arrays with selection values (we use these later).
// The keys in the $retentions array are the retention period
@@ -86,6 +88,8 @@ if (!isset($pconfig['sid_changes_log_retention']))
$pconfig['sid_changes_log_retention'] = "336";
if (!isset($pconfig['event_pkts_log_retention']))
$pconfig['event_pkts_log_retention'] = "336";
+if (!isset($pconfig['appid_stats_log_retention']))
+ $pconfig['appid_stats_log_retention'] = "168";
// Set default log file size limits
if (!isset($pconfig['alert_log_limit_size']))
@@ -94,6 +98,8 @@ if (!isset($pconfig['stats_log_limit_size']))
$pconfig['stats_log_limit_size'] = "500";
if (!isset($pconfig['sid_changes_log_limit_size']))
$pconfig['sid_changes_log_limit_size'] = "250";
+if (!isset($pconfig['appid_stats_log_limit_size']))
+ $pconfig['appid_stats_log_limit_size'] = "1000";
if ($_POST['ResetAll']) {
@@ -102,11 +108,13 @@ if ($_POST['ResetAll']) {
$pconfig['stats_log_retention'] = "168";
$pconfig['sid_changes_log_retention'] = "336";
$pconfig['event_pkts_log_retention'] = "336";
+ $pconfig['appid_stats_log_retention'] = "168";
$pconfig['alert_log_limit_size'] = "500";
$pconfig['stats_log_limit_size'] = "500";
$pconfig['sid_changes_log_limit_size'] = "250";
$pconfig['event_pkts_log_limit_size'] = "0";
+ $pconfig['appid_stats_log_limit_size'] = "1000";
/* Log a message at the top of the page to inform the user */
$savemsg = gettext("All log management settings on this page have been reset to their defaults. Click APPLY if you wish to keep these new settings.");
@@ -148,6 +156,8 @@ if ($_POST["save"] || $_POST['apply']) {
$config['installedpackages']['snortglobal']['sid_changes_log_retention'] = $_POST['sid_changes_log_retention'];
$config['installedpackages']['snortglobal']['event_pkts_log_limit_size'] = $_POST['event_pkts_log_limit_size'];
$config['installedpackages']['snortglobal']['event_pkts_log_retention'] = $_POST['event_pkts_log_retention'];
+ $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] = $_POST['appid_stats_log_limit_size'];
+ $config['installedpackages']['snortglobal']['appid_stats_log_retention'] = $_POST['appid_stats_log_retention'];
write_config("Snort pkg: saved updated configuration for LOGS MGMT.");
conf_mount_rw();
@@ -307,7 +317,26 @@ if ($savemsg) {
</td>
<td class="listbg"><?=gettext("Snort alerts and event details");?></td>
</tr>
-
+ <tr>
+ <td class="listbg">appid-stats</td>
+ <td class="listr" align="center"><select name="appid_stats_log_limit_size" class="formselect" id="appid_stats_log_limit_size">
+ <?php foreach ($log_sizes as $k => $l): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['appid_stats_log_limit_size']) echo " selected"; ?>>
+ <?=htmlspecialchars($l);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listr" align="center"><select name="appid_stats_log_retention" class="formselect" id="appid_stats_log_retention">
+ <?php foreach ($retentions as $k => $p): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['appid_stats_log_retention']) echo " selected"; ?>>
+ <?=htmlspecialchars($p);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listbg"><?=gettext("Application ID statistics");?></td>
+ </tr>
<tr>
<td class="listbg">event pcaps</td>
<td class="listr" align="center"><select name="event_pkts_log_limit_size" class="formselect" id="event_pkts_log_limit_size">
@@ -324,7 +353,6 @@ if ($savemsg) {
</td>
<td class="listbg"><?=gettext("Snort alert related packet captures");?></td>
</tr>
-
<tr>
<td class="listbg">sid_changes</td>
<td class="listr" align="center"><select name="sid_changes_log_limit_size" class="formselect" id="sid_changes_log_limit_size">
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
index a722d52b..12ae5d19 100644
--- a/config/snort/snort_migrate_config.php
+++ b/config/snort/snort_migrate_config.php
@@ -73,27 +73,52 @@ if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) &&
/**********************************************************/
/* Create new Auto SID Mgmt settings if not set */
/**********************************************************/
- if (empty($config['installedpackages']['snortglobal']['auto_manage_sids'])) {
- $config['installedpackages']['snortglobal']['auto_manage_sids'] = "off";
- $updated_cfg = true;
- }
+if (empty($config['installedpackages']['snortglobal']['auto_manage_sids'])) {
+ $config['installedpackages']['snortglobal']['auto_manage_sids'] = "off";
+ $updated_cfg = true;
+}
/**********************************************************/
/* Create new LOG MGMT settings if not set */
/**********************************************************/
- if (empty($config['installedpackages']['snortglobal']['enable_log_mgmt'])) {
- $config['installedpackages']['snortglobal']['enable_log_mgmt'] = "on";
- $config['installedpackages']['snortglobal']['alert_log_limit_size'] = "500";
- $config['installedpackages']['snortglobal']['alert_log_retention'] = "336";
- $config['installedpackages']['snortglobal']['event_pkts_log_limit_size'] = "0";
- $config['installedpackages']['snortglobal']['event_pkts_log_retention'] = "336";
- $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'] = "250";
- $config['installedpackages']['snortglobal']['sid_changes_log_retention'] = "336";
- $config['installedpackages']['snortglobal']['stats_log_limit_size'] = "500";
- $config['installedpackages']['snortglobal']['stats_log_retention'] = "168";
- $updated_cfg = true;
+if (empty($config['installedpackages']['snortglobal']['enable_log_mgmt'])) {
+ $config['installedpackages']['snortglobal']['enable_log_mgmt'] = "on";
+ $config['installedpackages']['snortglobal']['alert_log_limit_size'] = "500";
+ $config['installedpackages']['snortglobal']['alert_log_retention'] = "336";
+ $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] = "1000";
+ $config['installedpackages']['snortglobal']['appid_stats_log_retention'] = "168";
+ $config['installedpackages']['snortglobal']['event_pkts_log_limit_size'] = "0";
+ $config['installedpackages']['snortglobal']['event_pkts_log_retention'] = "336";
+ $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'] = "250";
+ $config['installedpackages']['snortglobal']['sid_changes_log_retention'] = "336";
+ $config['installedpackages']['snortglobal']['stats_log_limit_size'] = "500";
+ $config['installedpackages']['snortglobal']['stats_log_retention'] = "168";
+ $updated_cfg = true;
+}
+if (empty($config['installedpackages']['snortglobal']['appid_stats_log_limit_size']))
+ $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] = "1000";
+if (empty($config['installedpackages']['snortglobal']['appid_stats_log_retention']))
+ $config['installedpackages']['snortglobal']['appid_stats_log_retention'] = "168";
+
+/**********************************************************/
+/* Create new VERBOSE_LOGGING setting if not set */
+/**********************************************************/
+if (empty($config['installedpackages']['snortglobal']['verbose_logging'])) {
+ $config['installedpackages']['snortglobal']['verbose_logging'] = "off";
+ $updated_cfg = true;
}
+/**********************************************************/
+/* Create new OpenAppID settings if not set */
+/**********************************************************/
+if (empty($config['installedpackages']['snortglobal']['openappid_detectors'])) {
+ $config['installedpackages']['snortglobal']['openappid_detectors'] = "off";
+ $updated_cfg = true;
+}
+
+/**********************************************************/
+/* Migrate per interface settings if required. */
+/**********************************************************/
foreach ($rule as &$r) {
// Initialize arrays for supported preprocessors if necessary
if (!is_array($r['frag3_engine']['item']))
@@ -482,6 +507,24 @@ foreach ($rule as &$r) {
$updated_cfg = true;
}
+ // Default any unconfigured AppID preprocessor settings
+ if (empty($pconfig['appid_preproc'])) {
+ $pconfig['appid_preproc'] = 'off';
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['sf_appid_mem_cap'])) {
+ $pconfig['sf_appid_mem_cap'] = '256';
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['sf_appid_statslog'])) {
+ $pconfig['sf_appid_statslog'] = 'on';
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['sf_appid_stats_period'])) {
+ $pconfig['sf_appid_stats_period'] = '300';
+ $updated_cfg = true;
+ }
+
// Save the new configuration data into the $config array pointer
$r = $pconfig;
}
@@ -490,8 +533,7 @@ unset($r);
// Log a message if we changed anything
if ($updated_cfg) {
- $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1.5";
- log_error("[Snort] Saving configuration settings in new format...");
+ $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2";
log_error("[Snort] Settings successfully migrated to new configuration format...");
}
else
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index 5009a8b3..57e92ce5 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -41,35 +41,12 @@
require_once("config.inc");
require_once("functions.inc");
require_once("/usr/local/pkg/snort/snort.inc");
+require("/usr/local/pkg/snort/snort_defs.inc");
global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include;
-/****************************************
- * Define any new constants here that *
- * may not be yet defined in the old *
- * "snort.inc" include file that might *
- * be cached and used by the package *
- * manager installation code. *
- * *
- * This is a hack to work around the *
- * fact the old version of suricata.inc *
- * is cached and used instead of the *
- * updated version icluded with the *
- * updated GUI package. *
- ****************************************/
-if (!defined('SNORT_SID_MODS_PATH'))
- define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
-
-if (!defined('SNORT_ENFORCING_RULES_FILENAME'))
- define("SNORT_ENFORCING_RULES_FILENAME", "snort.rules");
-
-/****************************************
- * End of PHP caching workaround *
- ****************************************/
-
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
-$snortlibdir = SNORTLIBDIR;
$rcdir = RCFILEPREFIX;
$flowbit_rules_file = FLOWBITS_FILENAME;
$snort_enforcing_rules_file = SNORT_ENFORCING_RULES_FILENAME;
@@ -101,6 +78,7 @@ conf_mount_rw();
@rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf");
@rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map");
@rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map");
+@rename("{$snortdir}/file_magic.conf-sample", "{$snortdir}/file_magic.conf");
@rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config");
@rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
@rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
@@ -123,6 +101,7 @@ unlink_if_exists("{$rcdir}barnyard2");
safe_mkdir(SNORTLOGDIR);
safe_mkdir(SNORT_IPREP_PATH);
safe_mkdir(SNORT_SID_MODS_PATH);
+safe_mkdir(SNORT_APPID_ODP_PATH);
/* If installed, absorb the Snort Dashboard Widget into this package */
/* by removing it as a separately installed package. */
@@ -263,8 +242,8 @@ if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE)
$config['widgets']['sequence'] .= ",{$snort_widget_container}";
/* Update Snort package version in configuration */
-$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1.5";
-write_config("Snort pkg v3.1.5: post-install configuration saved.");
+$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2";
+write_config("Snort pkg v3.2: post-install configuration saved.");
/* Done with post-install, so clear flag */
unset($g['snort_postinstall']);
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 75e4902d..9f6879ef 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -341,6 +341,10 @@ if ($_POST['ResetAll']) {
$pconfig['smtp_log_rcpt_to'] = 'on';
$pconfig['smtp_log_filename'] = 'on';
$pconfig['smtp_log_email_hdrs'] = 'on';
+ $pconfig['appid_preproc'] = "off";
+ $pconfig['sf_appid_mem_cap'] = "256";
+ $pconfig['sf_appid_statslog'] = "on";
+ $pconfig['sf_appid_stats_period'] = "300";
$pconfig['sf_portscan'] = "off";
$pconfig['pscan_protocol'] = "all";
$pconfig['pscan_type'] = "all";
@@ -439,6 +443,14 @@ if ($_POST['save']) {
$input_errors[] = gettext("The value for SMTP Decoder E-Mail Headers Log Depth must be between 0 and 20,480.");
}
+ // Validate AppID parameter values if AppID Detector is enabled
+ if ($_POST['appid_preproc'] == 'on') {
+ if ($_POST['sf_appid_mem_cap'] < 32 || $_POST['sf_appid_mem_cap'] > 3000)
+ $input_errors[] = gettext("The value for Application ID Memory Cap must be between 32 and 3000.");
+ if ($_POST['sf_appid_stats_period'] < 60 || $_POST['sf_appid_stats_period'] > 3600)
+ $input_errors[] = gettext("The value for Application ID Stats Period must be between 60 and 3600.");
+ }
+
/* if no errors write to conf */
if (!$input_errors) {
/* post new options */
@@ -481,6 +493,8 @@ if ($_POST['save']) {
if ($_POST['smtp_bitenc_decode_depth'] != "") { $natent['smtp_bitenc_decode_depth'] = $_POST['smtp_bitenc_decode_depth']; }else{ $natent['smtp_bitenc_decode_depth'] = "0"; }
if ($_POST['smtp_uu_decode_depth'] != "") { $natent['smtp_uu_decode_depth'] = $_POST['smtp_uu_decode_depth']; }else{ $natent['smtp_uu_decode_depth'] = "0"; }
if ($_POST['smtp_email_hdrs_log_depth'] != "") { $natent['smtp_email_hdrs_log_depth'] = $_POST['smtp_email_hdrs_log_depth']; }else{ $natent['smtp_email_hdrs_log_depth'] = "1464"; }
+ if ($_POST['sf_appid_mem_cap'] != "") { $natent['sf_appid_mem_cap'] = $_POST['sf_appid_mem_cap']; }else{ $natent['sf_appid_mem_cap'] = "256"; }
+ if ($_POST['sf_appid_stats_period'] != "") { $natent['sf_appid_stats_period'] = $_POST['sf_appid_stats_period']; }else{ $natent['sf_appid_stats_period'] = "300"; }
// Set SDF inspection types
$natent['sdf_alert_data_type'] = implode(",",$_POST['sdf_alert_data_type']);
@@ -525,6 +539,8 @@ if ($_POST['save']) {
$natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off';
$natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off';
$natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off';
+ $natent['appid_preproc'] = $_POST['appid_preproc'] ? 'on' : 'off';
+ $natent['sf_appid_statslog'] = $_POST['sf_appid_statslog'] ? 'on' : 'off';
if (isset($id) && isset($a_nat[$id])) {
$a_nat[$id] = $natent;
@@ -685,14 +701,14 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Performance Stats"); ?></td>
<td width="78%" class="vtable"><input name="perform_stat" type="checkbox" value="on"
- <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?>/>
<?php echo gettext("Collect Performance Statistics for this interface."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Protect Customized Preprocessor Rules"); ?></td>
<td width="78%" class="vtable"><input name="protect_preproc_rules" type="checkbox" value="on"
<?php if ($pconfig['protect_preproc_rules']=="on") echo "checked ";
- if ($vrt_enabled <> 'on') echo "disabled"; ?>>
+ if ($vrt_enabled <> 'on') echo "disabled"; ?>/>
<?php echo gettext("Check this box if you maintain customized preprocessor text rules files for this interface."); ?>
<table width="100%" border="0" cellpadding="2" cellpadding="2">
<tr>
@@ -709,7 +725,7 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Auto Rule Disable"); ?></td>
<td width="78%" class="vtable"><input name="preproc_auto_rule_disable" type="checkbox" value="on"
- <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?>/>
<?php echo gettext("Auto-disable text rules dependent on disabled preprocessors for this interface. ");
echo gettext("Default is ") . '<strong>' . gettext("Not Checked"); ?></strong>.<br/>
<table width="100%" border="0" cellpadding="2" cellpadding="2">
@@ -739,7 +755,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="host_attribute_table"
type="checkbox" value="on" id="host_attribute_table" onclick="host_attribute_table_enable_change();"
- <?php if ($pconfig['host_attribute_table']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['host_attribute_table']=="on") echo "checked"; ?>/>
<?php echo gettext("Use a Host Attribute Table file to auto-configure applicable preprocessors. " .
"Default is "); ?><strong><?php echo gettext("Not Checked"); ?></strong>.</td>
</tr>
@@ -823,7 +839,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="http_inspect"
type="checkbox" value="on" id="http_inspect" onclick="http_inspect_enable_change();"
- <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked";?>>
+ <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked";?>/>
<?php echo gettext("Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is ");?>
<strong><?php echo gettext("Checked"); ?></strong>.</td>
</tr>
@@ -831,7 +847,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Proxy Alert"); ?></td>
<td width="78%" class="vtable"><input name="http_inspect_proxy_alert"
type="checkbox" value="on" id="http_inspect_proxy_alert"
- <?php if ($pconfig['http_inspect_proxy_alert']=="on") echo "checked";?>>
+ <?php if ($pconfig['http_inspect_proxy_alert']=="on") echo "checked";?>/>
<?php echo gettext("Enable global alerting on HTTP server proxy usage. Default is ");?>
<strong><?php echo gettext("Not Checked"); ?></strong>.<br/><br/><span class="red"><strong>
<?php echo gettext("Note: ") . "</strong></span>" . gettext("By adding Server Configurations below and enabling " .
@@ -916,7 +932,7 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable");?></td>
<td width="78%" class="vtable"><input name="frag3_detection" type="checkbox" value="on" onclick="frag3_enable_change();"
- <?php if ($pconfig['frag3_detection']=="on") echo "checked";?>>
+ <?php if ($pconfig['frag3_detection']=="on") echo "checked";?>/>
<?php echo gettext("Use Frag3 Engine to detect IDS evasion attempts via target-based IP packet fragmentation. Default is ") .
"<strong>" . gettext("Checked") . "</strong>.";?></td>
</tr>
@@ -984,14 +1000,14 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="stream5_reassembly" type="checkbox" value="on" onclick="stream5_enable_change();"
- <?php if ($pconfig['stream5_reassembly']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_reassembly']=="on") echo "checked"; ?>/>
<?php echo gettext("Use Stream5 session reassembly for TCP, UDP and/or ICMP traffic. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr id="stream5_flushonalert_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Flush On Alert"); ?></td>
<td width="78%" class="vtable"><input name="stream5_flush_on_alert" type="checkbox" value="on"
- <?php if ($pconfig['stream5_flush_on_alert']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_flush_on_alert']=="on") echo "checked"; ?>/>
<?php echo gettext("Flush a TCP stream when an alert is generated on that stream. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong><br/><span class=\"red\"><strong>" .
gettext("Note: ") . "</strong></span>" . gettext("This parameter is for backwards compatibility.");?></td>
@@ -1135,6 +1151,53 @@ if ($savemsg) {
</table>
</td>
</tr>
+
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Application ID Detection"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
+ <td width="78%" class="vtable"><input name="appid_preproc" onclick="appid_preproc_enable_change();"
+ type="checkbox" value="on" id="appid_preproc"
+ <?php if ($pconfig['appid_preproc']=="on") echo "checked"; ?>/>
+ <?php echo gettext("Use OpenAppID to detect various applications. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tbody id="appid_rows">
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
+ <td class="vtable">
+ <input name="sf_appid_mem_cap" type="text" class="formfld unknown" id="sf_appid_mem_cap" size="9"
+ value="<?=htmlspecialchars($pconfig['sf_appid_mem_cap']);?>">
+ <?php echo gettext("Memory for App ID structures. Min is ") . "<strong>" . gettext("32") . "</strong>" .
+ gettext(" (32 MB) and Max is ") . "<strong>" . gettext("3000") . "</strong>" .
+ gettext(" (3 GB) bytes.");?><br/>
+ <?php echo gettext("The memory cap in megabytes used by AppID internal structures " .
+ "in RAM. Default value is ") . "<strong>" . gettext("256") . "</strong>" . gettext(" (256 MB)."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("AppID Stats Logging"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="sf_appid_statslog" type="checkbox" value="on" id="sf_appid_statslog"
+ <?php if ($pconfig['sf_appid_statslog']=="on") echo "checked"; ?>/>
+ <?php echo gettext("Enable OpenAppID statistics logging. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>" . gettext("."); ?><br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("log size and retention limits for AppID Stats Logging") .
+ gettext(" can be set on the ") . "<a href='/snort/snort_log_mgmt.php'>" . gettext("LOG MGMT") . "</a>" . gettext(" tab.");?> </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("AppID Stats Period"); ?></td>
+ <td class="vtable">
+ <input name="sf_appid_stats_period" type="text" class="formfld unknown" id="sf_appid_stats_period" size="9"
+ value="<?=htmlspecialchars($pconfig['sf_appid_stats_period']);?>">
+ <?php echo gettext("Bucket size in seconds for AppID stats. Min is ") . "<strong>" . gettext("60") . "</strong>" .
+ gettext(" (1 minute) and Max is ") . "<strong>" . gettext("3600") . "</strong>" . gettext(" (1 hour).");?><br/>
+ <?php echo gettext("The bucket size in seconds used to collecxt AppID statistics. " .
+ "Default value is ") . "<strong>" . gettext("300") . "</strong>" . gettext(" (5 minutes)."); ?><br/>
+ </td>
+ </tr>
+ </tbody>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Detection"); ?></td>
</tr>
@@ -1142,7 +1205,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="sf_portscan" onclick="sf_portscan_enable_change();"
type="checkbox" value="on" id="sf_portscan"
- <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>/>
<?php echo gettext("Use Portscan Detection to detect various types of port scans and sweeps. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1287,14 +1350,14 @@ if ($savemsg) {
<tr id="ftp_telnet_row_encrypted_check">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Check Encrypted Traffic"); ?></td>
<td width="78%" class="vtable"><input name="ftp_telnet_check_encrypted" type="checkbox" value="on"
- <?php if ($pconfig['ftp_telnet_check_encrypted']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ftp_telnet_check_encrypted']=="on") echo "checked"; ?>/>
<?php echo gettext("Continue to check an encrypted session for subsequent command to cease encryption. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr id="ftp_telnet_row_encrypted_alert">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Alert on Encrypted Commands"); ?></td>
<td width="78%" class="vtable"><input name="ftp_telnet_alert_encrypted" type="checkbox" value="on"
- <?php if ($pconfig['ftp_telnet_alert_encrypted']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ftp_telnet_alert_encrypted']=="on") echo "checked"; ?>/>
<?php echo gettext("Alert on encrypted FTP and Telnet command channels. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1304,14 +1367,14 @@ if ($savemsg) {
<tr id="ftp_telnet_row_normalize">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Normalization"); ?></td>
<td width="78%" class="vtable"><input name="ftp_telnet_normalize" type="checkbox" value="on"
- <?php if ($pconfig['ftp_telnet_normalize']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ftp_telnet_normalize']=="on") echo "checked"; ?>/>
<?php echo gettext("Normalize Telnet traffic by eliminating Telnet escape sequences. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr id="ftp_telnet_row_detect_anomalies">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td>
<td width="78%" class="vtable"><input name="ftp_telnet_detect_anomalies" type="checkbox" value="on"
- <?php if ($pconfig['ftp_telnet_detect_anomalies']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ftp_telnet_detect_anomalies']=="on") echo "checked"; ?>/>
<?php echo gettext("Alert on Telnet subnegotiation begin without corresponding subnegotiation end. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1423,7 +1486,7 @@ if ($savemsg) {
echo "checked";
elseif ($vrt_enabled == "off")
echo "disabled";
- ?>>
+ ?>/>
<?php echo gettext("Sensitive data searches for credit card numbers, Social Security numbers and e-mail addresses in data."); ?>
<br/>
<span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the ") .
@@ -1458,7 +1521,7 @@ if ($savemsg) {
<input name="sdf_mask_output" type="checkbox" value="on"
<?php if ($pconfig['sdf_mask_output'] == "on")
echo "checked";
- ?>>
+ ?>/>
<?php echo gettext("Replace all but last 4 digits of PII with \"X\"s on credit card and Social Security Numbers. ") .
gettext("Default is ") . "<strong>" . gettext("Not Checked") . "</strong>."; ?>
</td>
@@ -1756,40 +1819,40 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable RPC Decode and Back Orifice detector"); ?></td>
<td width="78%" class="vtable"><input name="other_preprocs" type="checkbox" value="on"
- <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?>/>
<?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DCE/RPC2 Detection"); ?></td>
<td width="78%" class="vtable"><input name="dce_rpc_2" type="checkbox" value="on"
- <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?>/>
<?php echo gettext("The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SIP Detection"); ?></td>
<td width="78%" class="vtable"><input name="sip_preproc" type="checkbox" value="on"
- <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable GTP Detection"); ?></td>
<td width="78%" class="vtable"><input name="gtp_preproc" type="checkbox" value="on"
- <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SSH Detection"); ?></td>
<td width="78%" class="vtable"><input name="ssh_preproc" type="checkbox" value="on"
- <?php if ($pconfig['ssh_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ssh_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("The SSH preprocessor detects various Secure Shell exploit attempts."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNS Detection"); ?></td>
<td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on"
- <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>/>
<?php echo gettext("The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1797,7 +1860,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SSL Data"); ?></td>
<td width="78%" class="vtable">
<input name="ssl_preproc" type="checkbox" value="on"
- <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("SSL data searches for irregularities during SSL protocol exchange. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1808,7 +1871,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Modbus Detection"); ?></td>
<td width="78%" class="vtable">
<input name="modbus_preproc" type="checkbox" value="on"
- <?php if ($pconfig['modbus_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['modbus_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("Modbus is a protocol used in SCADA networks. The default port is TCP 502.") . "<br/>" .
"<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
gettext("If your network does not contain Modbus-enabled devices, you can leave this preprocessor disabled."); ?>
@@ -1818,7 +1881,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNP3 Detection"); ?></td>
<td width="78%" class="vtable">
<input name="dnp3_preproc" type="checkbox" value="on"
- <?php if ($pconfig['dnp3_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['dnp3_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("DNP3 is a protocol used in SCADA networks. The default port is TCP 20000.") . "<br/>" .
"<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
gettext("If your network does not contain DNP3-enabled devices, you can leave this preprocessor disabled."); ?>
@@ -1833,7 +1896,7 @@ if ($savemsg) {
<input name="ResetAll" type="submit" class="formbtn" value="Reset" title="<?php echo
gettext("Reset all settings to defaults") . "\" onclick=\"return confirm('" .
gettext("WARNING: This will reset ALL preprocessor settings to their defaults. Click OK to continue or CANCEL to quit.") .
- "');\""; ?>></td>
+ "');\""; ?>/></td>
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
@@ -1978,12 +2041,20 @@ function http_inspect_enable_change() {
var endis = !(document.iform.http_inspect.checked);
document.iform.http_inspect_memcap.disabled=endis;
- // Hide the "icmp session timeout " row if stream5_track_icmp disabled
- if (endis) {
- document.getElementById("httpinspect_memcap_row").style.display="none";
- document.getElementById("httpinspect_maxgzipmem_row").style.display="none";
- document.getElementById("httpinspect_proxyalert_row").style.display="none";
- document.getElementById("httpinspect_engconf_row").style.display="none";
+ if (!document.iform.http_inspect.checked) {
+ var msg = "WARNING: Disabling the http_inspect preprocessor is not recommended!\n\n";
+ msg = msg + "Snort may fail to start because of other dependent preprocessors or ";
+ msg = msg + "rule options. Are you sure you want to disable it?\n\n";
+ msg = msg + "Click OK to disable http_inspect, or CANCEL to quit.";
+ if (!confirm(msg)) {
+ document.iform.http_inspect.checked=true;
+ }
+ else {
+ document.getElementById("httpinspect_memcap_row").style.display="none";
+ document.getElementById("httpinspect_maxgzipmem_row").style.display="none";
+ document.getElementById("httpinspect_proxyalert_row").style.display="none";
+ document.getElementById("httpinspect_engconf_row").style.display="none";
+ }
}
else {
document.getElementById("httpinspect_memcap_row").style.display="table-row";
@@ -2013,6 +2084,16 @@ function sf_portscan_enable_change() {
}
}
+function appid_preproc_enable_change() {
+ var endis = !(document.iform.appid_preproc.checked);
+
+ // Hide the AppID configuration rows if appid_preproc disabled
+ if (endis)
+ document.getElementById("appid_rows").style.display="none";
+ else
+ document.getElementById("appid_rows").style.display="";
+}
+
function stream5_enable_change() {
if (!document.iform.stream5_reassembly.checked) {
var msg = "WARNING: Stream5 is a critical preprocessor, and disabling it is not recommended! ";
@@ -2020,7 +2101,8 @@ function stream5_enable_change() {
msg = msg + " SMTP\t\tPOP\t\tSIP\n";
msg = msg + " SENSITIVE_DATA\tSF_PORTSCAN\tDCE/RPC 2\n";
msg = msg + " IMAP\t\tDNS\t\tSSL\n";
- msg = msg + " GTP\t\tDNP3\t\tMODBUS\n\n";
+ msg = msg + " GTP\t\tDNP3\t\tMODBUS\n";
+ msg = msg + " APP_ID\n\n";
msg = msg + "Snort may fail to start because of other preprocessors or rule options dependent on Stream5. ";
msg = msg + "Are you sure you want to disable it?\n\n";
msg = msg + "Click OK to disable Stream5, or CANCEL to quit.";
@@ -2039,6 +2121,7 @@ function stream5_enable_change() {
document.iform.dns_preprocessor.checked=false;
document.iform.modbus_preproc.checked=false;
document.iform.dnp3_preproc.checked=false;
+ document.iform.appid_preproc.checked=false;
document.iform.sf_portscan.checked=false;
sf_portscan_enable_change();
}
@@ -2147,6 +2230,7 @@ function smtp_enable_change() {
function enable_change_all() {
http_inspect_enable_change();
sf_portscan_enable_change();
+ appid_preproc_enable_change();
// -- Enable/Disable Host Attribute Table settings --
host_attribute_table_enable_change();
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index 681c691f..b9050b35 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -36,6 +36,7 @@ require_once("/usr/local/pkg/snort/snort.inc");
global $g, $rebuild_rules;
$snortdir = SNORTDIR;
+$snortbindir = SNORT_PBI_BINDIR;
$rules_map = array();
$categories = array();
$pconfig = array();
@@ -400,7 +401,7 @@ elseif ($_POST['save']) {
$rebuild_rules = false;
$output = "";
$retcode = "";
- exec("/usr/local/bin/snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode);
+ exec("{$snortbindir}snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode);
if (intval($retcode) != 0) {
$error = "";
$start = count($output);
@@ -412,8 +413,7 @@ elseif ($_POST['save']) {
else {
/* Soft-restart Snort to live-load new rules */
snort_reload_config($a_rule[$id]);
- $savemsg = gettext("Custom rules validated successfully and have been saved to the Snort configuration files. ");
- $savemsg .= gettext("Any active Snort process on this interface has been signalled to live-load the new rules.");
+ $savemsg = gettext("Custom rules validated successfully and any active Snort process on this interface has been signalled to live-load the new rules.");
}
clear_subsystem_dirty('snort_rules');
@@ -443,6 +443,9 @@ else if ($_POST['apply']) {
// Sync to configured CARP slaves if any are enabled
snort_sync_on_changes();
+
+ if (snort_is_running($snort_uuid, $if_real))
+ $savemsg = gettext("Snort is 'live-reloading' the new rule set.");
}
include_once("head.inc");
diff --git a/config/snort/snort_sid_mgmt.php b/config/snort/snort_sid_mgmt.php
index ea1a5b99..016cc96d 100644
--- a/config/snort/snort_sid_mgmt.php
+++ b/config/snort/snort_sid_mgmt.php
@@ -294,6 +294,11 @@ if ($savemsg) {
<div id="mainarea">
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tbody>
+ <?php if ($g['platform'] == "nanobsd") : ?>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("SID auto-management is not supported on NanoBSD installs"); ?></td>
+ </tr>
+ <?php else: ?>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
</tr>
@@ -568,6 +573,7 @@ if ($savemsg) {
&nbsp;&nbsp;<?=gettext("Remember to save changes before exiting this page"); ?>
</td>
</tr>
+ <?php endif; ?>
</tbody>
</table>
</div>
@@ -576,8 +582,9 @@ if ($savemsg) {
</table>
</form>
-
<?php include("fend.inc"); ?>
+
+<?php if ($g['platform'] != "nanobsd") : ?>
<script type="text/javascript">
function enable_sid_conf() {
@@ -593,5 +600,7 @@ function enable_sid_conf() {
enable_sid_conf();
</script>
+<?php endif; ?>
+
</body>
</html>