diff options
Diffstat (limited to 'config/snort')
-rwxr-xr-x | config/snort/snort.inc | 95 | ||||
-rwxr-xr-x | config/snort/snort_sync.xml | 52 |
2 files changed, 86 insertions, 61 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 3759f7be..46c66128 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -849,7 +849,7 @@ function snort_rules_up_install_cron($should_install) { /* Only run when all ifaces needed to sync. Expects filesystem rw */ function sync_snort_package_config() { global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file; - global $snort_version, $rebuild_rules; + global $snort_version, $rebuild_rules, $is_postinstall; $snortdir = SNORTDIR; @@ -889,7 +889,9 @@ function sync_snort_package_config() { configure_cron(); - snort_sync_on_changes(); + /* Do not attempt package sync if reinstalling package or booting */ + if (!$is_postinstall && !$g['booting']) + snort_sync_on_changes(); conf_mount_ro(); } @@ -2048,6 +2050,7 @@ function snort_deinstall() { if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') { log_error(gettext("Not saving settings... all Snort configuration info and logs deleted...")); unset($config['installedpackages']['snortglobal']); + unset($config['installedpackages']['snortsync']); @unlink("{$snort_rules_upd_log}"); mwexec("/bin/rm -rf {$snortlogdir}"); log_error(gettext("[Snort] The package has been removed from this system...")); @@ -3047,11 +3050,17 @@ EOD; /* Uses XMLRPC to synchronize the changes to a remote node */ function snort_sync_on_changes() { - global $config, $g; + global $config, $g, $is_postinstall; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $is_postinstall == true) + return; + if (is_array($config['installedpackages']['snortsync']['config'])){ $snort_sync=$config['installedpackages']['snortsync']['config'][0]; $synconchanges = $snort_sync['varsynconchanges']; $synctimeout = $snort_sync['varsynctimeout']; + $syncdownloadrules = $snort_sync['vardownloadrules']; switch ($synconchanges){ case "manual": if (is_array($snort_sync[row])){ @@ -3068,6 +3077,7 @@ function snort_sync_on_changes() { $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; $rs[0]['varsyncusername']=$system_carp['username']; $rs[0]['varsyncpassword']=$system_carp['password']; + $rs[0]['varsyncsnortstart']="no"; if ($system_carp['synchronizetoip'] ==""){ log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets."); return; @@ -3085,6 +3095,10 @@ function snort_sync_on_changes() { if (is_array($rs)){ log_error("[snort] Snort pkg xmlrpc sync is starting."); foreach($rs as $sh){ + if ($sh['varsyncsnortstart']) + $syncstartsnort = $sh['varsyncsnortstart']; + else + $syncstartsnort = "OFF"; $sync_to_ip = $sh['varsyncipaddress']; $password = $sh['varsyncpassword']; if($sh['varsyncusername']) @@ -3092,7 +3106,7 @@ function snort_sync_on_changes() { else $username = 'admin'; if($password && $sync_to_ip) - snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout); + snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort); } log_error("[snort] Snort pkg xmlrpc sync completed."); } @@ -3100,17 +3114,22 @@ function snort_sync_on_changes() { } /* Do the actual XMLRPC sync */ -function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { - global $config, $g; +function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort) { + global $config, $g, $is_postinstall; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $is_postinstall == true) + return; if(!$username || !$password || !$sync_to_ip) { log_error("[snort] A required XMLRPC sync parameter (user, host IP or password) is empty ... aborting pkg sync"); return; } + /* Test key variables and set defaults if empty */ if(!$synctimeout) $synctimeout=150; - + $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; @@ -3160,22 +3179,37 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { log_error("[snort] Snort pkg configuration XMLRPC sync successfully completed with {$url}:{$port}."); } - /* Build a series of commands for the secondary host to execute to will reload the new settings. */ + $downloadrulescmd = ""; + if ($syncdownloadrules == "yes") { + $downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested update of downloaded rules files...\"));\n"; + $downloadrulescmd .= "include_once(\"/usr/local/pkg/snort/snort_check_for_rule_updates.php\");\n"; + } + $snortstart = ""; + if ($syncstartsnort == "ON") { + $snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested restart of Snort...\"));\n"; + $snortstart .= "if (!is_process_running(\"snort\")) {\n"; + $snortstart .= "exec(\"/usr/local/etc/rc.d/snort.sh start 2>&1 &\");\n}\n"; + } + + /* Build a series of commands for the secondary host to execute that will load the new settings. */ $execcmd = <<<EOD - include_once("/usr/local/pkg/snort/snort.inc"); + require_once("/usr/local/pkg/snort/snort.inc"); + require_once("service-utils.inc"); global \$g, \$rebuild_rules, \$snort_gui_include, \$is_postinstall, \$pkg_interface; + \$orig_pkg_interface = \$pkg_interface; \$is_postinstall = true; \$snort_gui_include = false; - log_error(gettext("[snort] XMLRPC pkg sync: Downloading and updating configured rule types...")); - ob_start(); - include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); + \$pkg_interface = "console"; + {$downloadrulescmd} \$is_postinstall = false; - ob_end_clean(); log_error(gettext("[snort] XMLRPC pkg sync: Generating snort.conf file using Master Host's settings...")); \$rebuild_rules = "on"; sync_snort_package_config(); \$rebuild_rules = "off"; + {$snortstart} log_error(gettext("[snort] XMLRPC pkg sync process on this host is complete...")); + \$pkg_interface = \$orig_pkg_interface; + return true; EOD; @@ -3199,45 +3233,10 @@ EOD; } elseif($resp->faultCode()) { $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); - $value = $resp->value(); - log_error(print_r($value, true)); file_notice("sync_settings", $error, "snort Settings Sync", ""); } else { log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php)."); } } -function snort_sync_build_slave_conf() { - - /*************************************************/ - /* This function is called by the XMLRPC package */ - /* sync process on the master host and is used */ - /* to build the initial Snort configuration on */ - /* a slave (or secondary) host after the push */ - /* of the config.xml data. */ - /*************************************************/ - - global $g, $rebuild_rules, $snort_gui_include, $is_postinstall; - - // First download fresh rules if necessary - unset($snort_gui_include); - $is_postinstall = true; - log_error(gettext("[snort] XMLRPC pkg sync: Downloading and updating configured rule types...")); - - // Suppress all PHP output by swallowing it in the output buffer and then discarding it - ob_start(); - - // Now start the actual configuration build on the remote slave - @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); - $is_postinstall = false; - log_error(gettext("[snort] XMLRPC pkg sync: Generating snort.conf file using Master Host's settings...")); - $rebuild_rules = "on"; - sync_snort_package_config(); - $rebuild_rules = "off"; - log_error(gettext("[snort] XMLRPC pkg sync process on this host is complete...")); - - // Finally, discard any buffered PHP output and return - ob_end_clean(); -} - ?> diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml index 5bfeba12..274d3fc9 100755 --- a/config/snort/snort_sync.xml +++ b/config/snort/snort_sync.xml @@ -47,7 +47,7 @@ POSSIBILITY OF SUCH DAMAGE. <faq>Currently there are no FAQ items provided.</faq> <name>snortsync</name> <version>1.0</version> - <title>Proxy server snort: XMLRPC Sync</title> + <title>Snort: XMLRPC Sync (EXPERIMENTAL)</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <tabs> <tab> @@ -86,17 +86,17 @@ POSSIBILITY OF SUCH DAMAGE. </tabs> <fields> <field> - <name>Snort XMLRPC Sync</name> + <name>Snort Package XMLRPC Sync Settings</name> <type>listtopic</type> </field> <field> <fielddescr>Enable Sync</fielddescr> <fieldname>varsynconchanges</fieldname> - <description><![CDATA[All changes will be synced with apply config to the IPs listed below if this option is checked.<br> + <description><![CDATA[All changes will be synced with apply config to the IPs listed below if this option is checked.<br/><br/> <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description> <type>select</type> <required/> - <default_value>auto</default_value> + <default_value>disabled</default_value> <options> <option><name>Sync to configured system backup server</name><value>auto</value></option> <option><name>Sync to host(s) defined below</name><value>manual</value></option> @@ -104,26 +104,42 @@ POSSIBILITY OF SUCH DAMAGE. </options> </field> <field> - <fielddescr>XMLRPC timeout</fielddescr> + <fielddescr>XMLRPC Timeout</fielddescr> <fieldname>varsynctimeout</fieldname> <description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description> <type>input</type> - <default_value>150</default_value> + <default_value>150</default_value> <size>5</size> </field> <field> - <fielddescr>Destination Server</fielddescr> + <fielddescr>Refresh Rule Sets</fielddescr> + <fieldname>vardownloadrules</fieldname> + <description><![CDATA[Ask target hosts to refresh rule sets files on each sync operation.<br/><br/> + During each Snort package sync operation, ask the target host to check for + a new set of posted rule sets files and refresh the local copies if necessary. The default is + to refresh the files if newer versions have been posted.]]></description> + <type>select</type> + <default_value>yes</default_value> + <options> + <option><name>Signal target hosts to refresh rules files</name><value>yes</value></option> + <option><name>Do NOT ask target host to refresh rules files</name><value>no</value></option> + </options> + </field> + + <field> + <fielddescr>Replication Targets</fielddescr> <fieldname>none</fieldname> <type>rowhelper</type> <rowhelper> <rowhelperfield> <fielddescr>Enable</fielddescr> <fieldname>varsyncdestinenable</fieldname> + <description><![CDATA[Enable this host as a replication target]]></description> <type>checkbox</type> </rowhelperfield> <rowhelperfield> - <fielddescr>GUI Protocol</fielddescr> + <fielddescr>Protocol</fielddescr> <fieldname>varsyncprotocol</fieldname> <description><![CDATA[Choose the protocol of the destination host. Probably <b>http</b> or <b>https</b>]]></description> <type>select</type> @@ -134,28 +150,38 @@ POSSIBILITY OF SUCH DAMAGE. </options> </rowhelperfield> <rowhelperfield> - <fielddescr>GUI IP-Address</fielddescr> + <fielddescr>IP-Address</fielddescr> <fieldname>varsyncipaddress</fieldname> <description><![CDATA[IP Address of the destination host.]]></description> <type>input</type> <size>15</size> </rowhelperfield> <rowhelperfield> - <fielddescr>GUI Port</fielddescr> + <fielddescr>Port</fielddescr> <fieldname>varsyncport</fieldname> - <description><![CDATA[Choose the port of the destination host.]]></description> + <description><![CDATA[Choose the sync port of the destination host.]]></description> <type>input</type> <size>3</size> </rowhelperfield> - <rowhelperfield> - <fielddescr>GUI Admin Password</fielddescr> + <rowhelperfield> + <fielddescr>Admin Password</fielddescr> <fieldname>varsyncpassword</fieldname> <description><![CDATA[Password of the user "admin" on the destination host.]]></description> <type>password</type> <size>20</size> </rowhelperfield> + <rowhelperfield> + <fielddescr>Start Snort</fielddescr> + <fieldname>varsyncsnortstart</fieldname> + <description><![CDATA[Start Snort on target host if not already running.]]></description> + <type>checkbox</type> + </rowhelperfield> </rowhelper> </field> + <field> + <name>WARNING: This feature is considered experimental and not recommended for production use</name> + <type>listtopic</type> + </field> </fields> <custom_delete_php_command> write_config();snort_sync_on_changes(); |