diff options
Diffstat (limited to 'config/snort')
-rwxr-xr-x | config/snort/snort_alerts.php | 5 | ||||
-rw-r--r-- | config/snort/snort_blocked.php | 3 | ||||
-rwxr-xr-x | config/snort/snort_define_servers.php | 2 | ||||
-rwxr-xr-x | config/snort/snort_download_updates.php | 2 | ||||
-rw-r--r-- | config/snort/snort_edit_hat_data.php | 4 | ||||
-rwxr-xr-x | config/snort/snort_interfaces_edit.php | 2 | ||||
-rw-r--r-- | config/snort/snort_interfaces_whitelist_edit.php | 2 | ||||
-rw-r--r-- | config/snort/snort_migrate_config.php | 2 | ||||
-rwxr-xr-x | config/snort/snort_preprocessors.php | 14 | ||||
-rwxr-xr-x | config/snort/snort_rules.php | 10 | ||||
-rwxr-xr-x | config/snort/snort_rulesets.php | 6 |
11 files changed, 40 insertions, 12 deletions
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 2b957f61..97174cdd 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -221,16 +221,17 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { $fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+"); if ($fd) fclose($fd); - conf_mount_ro(); /* XXX: This is needed if snort is run as snort user */ mwexec('/bin/chmod 660 /var/log/snort/*', true); if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); + conf_mount_ro(); header("Location: /snort/snort_alerts.php?instance={$instanceid}"); exit; } if ($_POST['download']) { + conf_mount_rw(); $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz"; exec("cd /var/log/snort/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *"); @@ -255,6 +256,8 @@ if ($_POST['download']) { } else $savemsg = gettext("An error occurred while creating archive"); + + conf_mount_ro(); } /* Load up an array with the current Suppression List GID,SID values */ diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 8d106a90..95109660 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -63,6 +63,7 @@ if ($_POST['remove']) { /* TODO: build a file with block ip and disc */ if ($_POST['download']) { + conf_mount_rw(); $blocked_ips_array_save = ""; exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save); /* build the list */ @@ -104,6 +105,8 @@ if ($_POST['download']) $savemsg = gettext("An error occurred while creating archive"); } else $savemsg = gettext("No content on snort block list"); + + conf_mount_ro(); } if ($_POST['save']) diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index e9fcfcab..7b729208 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -131,11 +131,13 @@ if ($_POST) { $a_nat[$id] = $natent; + conf_mount_rw(); write_config(); /* Update the snort conf file for this interface. */ $rebuild_rules = false; snort_generate_conf($a_nat[$id]); + conf_mount_ro(); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 5c9b8210..fc97ab96 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -87,8 +87,10 @@ if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5")) /* Check for postback to see if we should clear the update log file. */ if (isset($_POST['clear'])) { + conf_mount_rw(); if (file_exists("{$snort_rules_upd_log}")) mwexec("/bin/rm -f {$snort_rules_upd_log}"); + conf_mount_ro(); } if (isset($_POST['update'])) { diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php index f6d00b0b..9189c936 100644 --- a/config/snort/snort_edit_hat_data.php +++ b/config/snort/snort_edit_hat_data.php @@ -61,19 +61,23 @@ else $pconfig['host_attribute_data'] = ""; if ($_POST['clear']) { + conf_mount_rw(); unset($a_nat[$id]['host_attribute_data']); write_config(); $rebuild_rules = false; snort_generate_conf($a_nat[$id]); + conf_mount_ro(); header("Location: /snort/snort_edit_hat_data.php?id={$id}"); exit; } if ($_POST['host_attribute_data']) { + conf_mount_rw(); $a_nat[$id]['host_attribute_data'] = base64_encode($_POST['host_attribute_data']); write_config(); $rebuild_rules = false; snort_generate_conf($a_nat[$id]); + conf_mount_ro(); header("Location: /snort/snort_preprocessors.php?id={$id}"); exit; } diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 9d488207..0a99e60a 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -150,8 +150,10 @@ if ($_POST["Submit"]) { if ($natent['interface'] != $a_rule[$id]['interface']) { $oif_real = snort_get_real_interface($a_rule[$id]['interface']); snort_stop($a_rule[$id], $oif_real); + conf_mount_rw(); exec("rm -r /var/log/snort_{$oif_real}" . $a_rule[$id]['uuid']); exec("mv -f {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$if_real}"); + conf_mount_ro(); } $a_rule[$id] = $natent; } else { diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index cbc31378..882c2b6f 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -100,8 +100,6 @@ if ($_GET['act'] == "import") { } if ($_POST['submit']) { - conf_mount_rw(); - unset($input_errors); $pconfig = $_POST; diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index 1a555408..61989e99 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -296,7 +296,7 @@ unset($r); // Write out the new configuration to disk if we changed anything if ($updated_cfg) { - $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.1"; + $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.2"; log_error("[Snort] Saving configuration settings in new format..."); write_config(); log_error("[Snort] Settings successfully migrated to new configuration format..."); diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 289a3941..d1b3e5be 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -509,25 +509,27 @@ elseif ($_POST['Submit']) { $natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off'; $natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off'; - /* If 'preproc_auto_rule_disable' is off, then clear log file */ - if ($natent['preproc_auto_rule_disable'] == 'off') - @unlink("{$disabled_rules_log}"); - if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; write_config(); } - /* Set flag to rebuild rules for this interface */ - $rebuild_rules = true; + conf_mount_rw(); /*************************************************/ /* Update the snort.conf file and rebuild the */ /* rules for this interface. */ /*************************************************/ + $rebuild_rules = true; snort_generate_conf($natent); $rebuild_rules = false; + /* If 'preproc_auto_rule_disable' is off, then clear log file */ + if ($natent['preproc_auto_rule_disable'] == 'off') + @unlink("{$disabled_rules_log}"); + + conf_mount_ro(); + /*******************************************************/ /* Signal Snort to reload Host Attribute Table if one */ /* is configured and saved. */ diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 0434f88f..37b06914 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -319,21 +319,25 @@ if ($_GET['act'] == "resetall" && !empty($rules_map)) { } if ($_POST['clear']) { + conf_mount_rw(); unset($a_rule[$id]['customrules']); write_config(); $rebuild_rules = true; snort_generate_conf($a_rule[$id]); $rebuild_rules = false; + conf_mount_ro(); header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); exit; } if ($_POST['customrules']) { + conf_mount_rw(); $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); write_config(); $rebuild_rules = true; snort_generate_conf($a_rule[$id]); $rebuild_rules = false; + conf_mount_ro(); $output = ""; $retcode = ""; exec("/usr/local/bin/snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode); @@ -352,7 +356,7 @@ if ($_POST['customrules']) { } else if ($_POST['apply']) { - + conf_mount_rw(); /* Save new configuration */ write_config(); @@ -363,6 +367,10 @@ else if ($_POST['apply']) { $rebuild_rules = true; snort_generate_conf($a_rule[$id]); $rebuild_rules = false; + conf_mount_ro(); + + /* Soft-restart Snort to live-load new rules */ + snort_reload_config($a_rule[$id]); /* Return to this same page */ header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 62b68a1b..dc37cb10 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -118,7 +118,6 @@ if ($a_nat[$id]['ips_policy_enable'] == 'on') { else $disable_vrt_rules = ""; -/* alert file */ if ($_POST["Submit"]) { if ($_POST['ips_policy_enable'] == "on") { @@ -146,6 +145,7 @@ if ($_POST["Submit"]) { @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); } + conf_mount_rw(); write_config(); /*************************************************/ @@ -155,6 +155,10 @@ if ($_POST["Submit"]) { $rebuild_rules = true; snort_generate_conf($a_nat[$id]); $rebuild_rules = false; + conf_mount_ro(); + + /* Soft-restart Snort to live-load new rules */ + snort_reload_config($a_nat[$id]); header("Location: /snort/snort_rulesets.php?id=$id"); exit; |