Diffstat (limited to 'config/snort')
43 files changed, 4522 insertions, 2492 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 52aaed2a..f4fd93b9 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -5,7 +5,7 @@
  * Copyright (C) 2006 Scott Ullrich
  * Copyright (C) 2009-2010 Robert Zelaya
  * Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2013 Bill Meeks
+ * Copyright (C) 2013,2014 Bill Meeks
  * part of pfSense
  * All rights reserved.
  *
@@ -51,11 +51,13 @@ $snortver = array();
 exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
 $snort_version = $snortver[0];
 if (empty($snort_version))
- $snort_version = "2.9.5.5";
+ $snort_version = "2.9.6.0";
 
-/* package version */
-$pfSense_snort_version = "3.0.2";
-$snort_package_version = "Snort {$snort_version} pkg v{$pfSense_snort_version}";
+/* Used to indicate latest version of this include file has been loaded */
+$pfSense_snort_version = "3.0.7";
+
+/* get installed package version for display */
+$snort_package_version = "Snort {$config['installedpackages']['package'][get_pkg_id("snort")]['version']}";
 
 // Define SNORTDIR and SNORTLIBDIR constants according to pfSense version
 $pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
@@ -81,6 +83,7 @@ define("VRT_FILE_PREFIX", "snort_");
 define("GPL_FILE_PREFIX", "GPLv2_");
 define("ET_OPEN_FILE_PREFIX", "emerging-");
 define("ET_PRO_FILE_PREFIX", "etpro-");
+define("IPREP_PATH", "/var/db/snort/iprep/");
 
 /* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
 $rebuild_rules = false;
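Review bot: The new `$snort_package_version` line indexes `$config['installedpackages']['package']` with whatever `get_pkg_id("snort")` returns, and the old fallback for an empty version string is gone; if that helper signals "not found" with a sentinel (pfSense's returns -1, if I recall correctly), the lookup emits an undefined-index notice on every include and the display string degrades to `Snort ` with nothing after it. Guard the lookup: `$pkg_id = get_pkg_id("snort");` then `$snort_package_version = "Snort " . ($pkg_id >= 0 ? $config['installedpackages']['package'][$pkg_id]['version'] : "unknown");`. The comment on `$pfSense_snort_version` is a welcome clarification of what that variable is now for.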
@@ -498,21 +501,18 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { return $valresult; } -/* checks to see if service is running yes/no and stop/start */ +/* checks to see if service is running */ function snort_is_running($snort_uuid, $if_real, $type = 'snort') { global $config, $g; - if (file_exists("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid")) - return 'yes'; - - return 'no'; + return isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid"); } function snort_barnyard_stop($snortcfg, $if_real) { global $config, $g; $snort_uuid = $snortcfg['uuid']; - if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { + if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { log_error("[Snort] Barnyard2 STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); } @@ -522,7 +522,7 @@ function snort_stop($snortcfg, $if_real) { global $config, $g; $snort_uuid = $snortcfg['uuid']; - if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + if (isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { log_error("[Snort] Snort STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); } 
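Review bot: `snort_is_running` now returns the bool from `isvalidpid()` where it used to return the strings 'yes'/'no', and its callers are not in this hunk; any caller still testing `== 'no'` will never match a `false` return (loose comparison converts 'no' to `true`), so such a check silently inverts. Grep the callers for `'yes'`/`'no'` before merging, or keep the string contract with `return isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid") ? 'yes' : 'no';`. The header comment should also state the new contract: `/* checks to see if service is running; returns true or false */`.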
@@ -534,12 +534,13 @@ function snort_barnyard_start($snortcfg, $if_real) { global $config, $g; $snortdir = SNORTDIR; + $snortlogdir = SNORTLOGDIR; $snort_uuid = $snortcfg['uuid']; /* define snortbarnyardlog_chk */ - if ($snortcfg['barnyard_enable'] == 'on' && !empty($snortcfg['barnyard_mysql'])) { + if ($snortcfg['barnyard_enable'] == 'on') { log_error("[Snort] Barnyard2 START for {$snortcfg['descr']}({$if_real})..."); - exec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q"); + mwexec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q"); } } @@ -547,11 +548,12 @@ function snort_start($snortcfg, $if_real) { global $config, $g; $snortdir = SNORTDIR; + $snortlogdir = SNORTLOGDIR; $snort_uuid = $snortcfg['uuid']; if ($snortcfg['enable'] == 'on') { log_error("[Snort] Snort START for {$snortcfg['descr']}({$if_real})..."); - exec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + mwexec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); } else return; 
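Review bot: Both `mwexec()` calls splice `$snort_uuid`, `$if_real` and `$g['varrun_path']` into a shell command line with no quoting; these values come from config.xml rather than request input, so the exposure is limited to what an administrator can already do, but the interface name is an operator-typed value and `escapeshellarg()` costs nothing here, e.g. `"-i " . escapeshellarg($if_real)` and `"-R " . escapeshellarg($snort_uuid)`. Dropping the `!empty($snortcfg['barnyard_mysql'])` condition in `snort_barnyard_start` is consistent with the multi-output config generator later in this diff, but the stale `/* define snortbarnyardlog_chk */` comment above the condition no longer describes anything and should go.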
@@ -575,64 +577,44 @@ function snort_reload_config($snortcfg, $signal="SIGHUP") { $snortdir = SNORTDIR; $snort_uuid = $snortcfg['uuid']; - $if_real = snort_get_real_interface($snortcfg['interface']); + $if_real = get_real_interface($snortcfg['interface']); /******************************************************/ /* Only send the SIGHUP if Snort is running and we */ /* can find a valid PID for the process. */ /******************************************************/ - if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + if (isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']} ({$if_real})..."); - exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); + mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); } } -function snort_get_friendly_interface($interface) { - - if (function_exists('convert_friendly_interface_to_friendly_descr')) - $iface = convert_friendly_interface_to_friendly_descr($interface); - else { - if (!$interface || ($interface == "wan")) - $iface = "WAN"; - else if(strtolower($interface) == "lan") - $iface = "LAN"; - else if(strtolower($interface) == "pppoe") - $iface = "PPPoE"; - else if(strtolower($interface) == "pptp") - $iface = "PPTP"; - else - $iface = strtoupper($interface); - } - - return $iface; -} +function snort_barnyard_reload_config($snortcfg, $signal="HUP") { -/* get the real iface name of wan */ -function snort_get_real_interface($interface) { - global $config; + /**************************************************************/ + /* This function sends the passed SIGNAL to the Barnyard2 */ + /* instance on the passed interface to cause Barnyard to */ + /* reload and parse the running configuration without */ + /* impacting packet processing. 
It also executes the reload */ + /* as a background process and returns control immediately */ + /* to the caller. */ + /* */ + /* $signal = HUP (default) parses and reloads config. */ + /**************************************************************/ + global $g; - $lc_interface = strtolower($interface); - if (function_exists('get_real_interface')) - return get_real_interface($lc_interface); - else { - if ($lc_interface == "lan") { - if ($config['inerfaces']['lan']) - return $config['interfaces']['lan']['if']; - return $interface; - } - if ($lc_interface == "wan") - return $config['interfaces']['wan']['if']; - $ifdescrs = array(); - for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { - $ifname = "opt{$j}"; - if(strtolower($ifname) == $lc_interface) - return $config['interfaces'][$ifname]['if']; - if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface)) - return $config['interfaces'][$ifname]['if']; - } - } + $snortdir = SNORTDIR; + $snort_uuid = $snortcfg['uuid']; + $if_real = get_real_interface($snortcfg['interface']); - return $interface; + /******************************************************/ + /* Only send the SIGHUP if Barnyard2 is running and */ + /* we can find a valid PID for the process. */ + /******************************************************/ + if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Barnyard2 CONFIG RELOAD initiated for {$snortcfg['descr']} ({$if_real})..."); + mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); + } } /* 
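Review bot: `snort_barnyard_reload_config` defaults `$signal` to "HUP" while the sibling `snort_reload_config` just above defaults to "SIGHUP"; both are valid `pkill -SIG` spellings, but the two functions should agree and the box comment should match whichever is chosen. `$snortdir = SNORTDIR;` is assigned and never used in the new function. Since `$signal` is interpolated straight into the `pkill` command line, an explicit whitelist at the top, `if (!in_array($signal, array('HUP', 'SIGHUP'), true)) return;`, would document that only a reload is intended and keep a future caller from passing anything else.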
@@ -650,7 +632,7 @@ function snort_post_delete_logs($snort_uuid = 0) { foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { if ($value['uuid'] != $snort_uuid) continue; - $if_real = snort_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}"; if ($if_real != '') { @@ -661,18 +643,14 @@ function snort_post_delete_logs($snort_uuid = 0) { @unlink($file); /* Clean-up packet capture files if any exist */ - $filelist = glob("{$snort_log_dir}/snort.log.*"); - foreach ($filelist as $file) - @unlink($file); + unlink_if_exists("{$snort_log_dir}/snort.log.*"); - /* Clean-up stats files if they are enabled */ - if ($value['perform_stat'] == 'on') { - $fd = fopen("{$snort_log_dir}/{$if_real}.stats", "w"); - if ($fd) { - ftruncate($fd, 0); - fclose($fd); - } - } + /* Clean-up Barnyard2 archived files if any exist */ + unlink_if_exists("{$snort_log_dir}/barnyard2/archive/*"); + + /* Clean-up stats file if enabled */ + if ($value['perform_stat'] == 'on') + @file_put_contents("{$snort_log_dir}/{$if_real}.stats", ""); } } } 
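Review bot: The packet-capture and archive cleanup now depends on `unlink_if_exists()` expanding the `*` wildcard in `"{$snort_log_dir}/snort.log.*"` and `"{$snort_log_dir}/barnyard2/archive/*"`; pfSense's helper does run `glob()` on its argument as far as I know, but if it ever falls back to a literal `unlink()` both calls become silent no-ops because of the `@`. A one-line comment at the first call, `// unlink_if_exists() globs its argument, so the wildcard is intentional`, records the assumption for the next reader.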
@@ -686,62 +664,16 @@ function snort_Getdirsize($node) { return substr( $blah, 0, strpos($blah, 9) ); } -/* func for log dir size limit cron */ -function snort_snortloglimit_install_cron($should_install) { - global $config, $g; - - if (!is_array($config['cron']['item'])) - $config['cron']['item'] = array(); +function snort_snortloglimit_install_cron($should_install=TRUE) { - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], 'snort_check_cron_misc.inc')) { - $is_installed = true; - break; - } - $x++; - } - - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "*/5"; - $cron_item['hour'] = "*"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc"; - $config['cron']['item'][] = $cron_item; - } - break; - case false: - if($is_installed == true) - unset($config['cron']['item'][$x]); - break; - } + install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc", $should_install, "*/5"); } -/* func for updating cron */ function snort_rm_blocked_install_cron($should_install) { global $config, $g; - if (!is_array($config['cron']['item'])) - $config['cron']['item'] = array(); - - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "15m_b") { $snort_rm_blocked_min = "*/2"; $snort_rm_blocked_hr = "*"; 
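Review bot: `snort_snortloglimit_install_cron($should_install=TRUE)` loses the `/* func for log dir size limit cron */` header comment and introduces an uppercase `TRUE` that the rest of this file does not use; restore a one-line comment and write `true`. The old body located an existing cron entry by the substring `snort_check_cron_misc.inc`, whereas the new call hands the full command string to `install_cron_job()`, so finding a pre-existing entry now depends on that helper's matching rule (a substring match, as in pfSense's own implementation, would still work). Note that at the call: `// install_cron_job() matches on the command string; keep it in sync with snort_deinstall()`.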
@@ -822,46 +754,15 @@ function snort_rm_blocked_install_cron($should_install) { $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "2419200"; } - switch($should_install) { - case true: - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - - /* Add cron job if not already installed, else just update the existing one */ - if (!$is_installed) - $config['cron']['item'][] = $cron_item; - elseif ($is_installed) - $config['cron']['item'][$x] = $cron_item; - break; - case false: - if ($is_installed == true) - unset($config['cron']['item'][$x]); - break; - } + + $command = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + install_cron_job($command, $should_install, $snort_rm_blocked_min, $snort_rm_blocked_hr, $snort_rm_blocked_mday, $snort_rm_blocked_month, $snort_rm_blocked_wday, "root"); } /* func to install snort update */ function snort_rules_up_install_cron($should_install) { global $config, $g; - if(!$config['cron']['item']) - $config['cron']['item'] = array(); - - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; /* See if a customized start time has been set for rule file updates */ 
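Review bot: The argument order passed to `install_cron_job()` here, and again in `snort_rules_up_install_cron` in the next hunk, is `min, hr, mday, month, wday, who`; if the helper's signature is `($command, $active, $minute, $hour, $monthday, $weekday, $month, $who)` as in pfSense's pfsense-utils.inc, the month and weekday arguments are swapped. Every branch visible here sets both fields to "*", so nothing breaks today, but the first non-"*" schedule added later lands in the wrong cron column. Once the signature is confirmed, pass `..., $snort_rm_blocked_mday, $snort_rm_blocked_wday, $snort_rm_blocked_month, "root"` in both functions.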
@@ -924,28 +825,9 @@ function snort_rules_up_install_cron($should_install) { $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } - switch($should_install) { - case true: - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php"; - - /* Add cron job if not already installed, else just update the existing one */ - if (!$is_installed) - $config['cron']['item'][] = $cron_item; - elseif ($is_installed) - $config['cron']['item'][$x] = $cron_item; - break; - case false: - if($is_installed == true) - unset($config['cron']['item'][$x]); - break; - } + + $command = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/snort/snort_check_for_rule_updates.php"; + install_cron_job($command, $should_install, $snort_rules_up_min, $snort_rules_up_hr, $snort_rules_up_mday, $snort_rules_up_month, $snort_rules_up_wday, "root"); } /* Only run when all ifaces needed to sync. Expects filesystem rw */ @@ -967,14 +849,14 @@ function sync_snort_package_config() { $snortconf = $config['installedpackages']['snortglobal']['rule']; foreach ($snortconf as $value) { - $if_real = snort_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); /* create a snort.conf file for interface */ snort_generate_conf($value); /* create barnyard2.conf file for interface */ if ($value['barnyard_enable'] == 'on') - snort_create_barnyard2_conf($value, $if_real); + snort_generate_barnyard2_conf($value, $if_real); } /* create snort bootup file snort.sh only create once */ 
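Review bot: The rule-update cron command silently moves from `/usr/local/pkg/snort/snort_check_for_rule_updates.php` to `/usr/local/www/snort/snort_check_for_rule_updates.php` inside what otherwise reads as a refactor; if `install_cron_job()` matches on the whole command string, an upgraded system keeps its old entry (now pointing at a path that may no longer exist) and gains a second one, and only the deinstall path in this diff removes by the bare filename. Either remove the old entry first, `install_cron_job("/usr/local/pkg/snort/snort_check_for_rule_updates.php", false);`, or call the path change out in the commit message so the upgrade step can migrate it.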
@@ -982,7 +864,7 @@ function sync_snort_package_config() { $snortglob = $config['installedpackages']['snortglobal']; - snort_snortloglimit_install_cron($snortglob['snortloglimit'] == 'on' ? true : false); + snort_snortloglimit_install_cron(true); /* set the snort block hosts time IMPORTANT */ snort_rm_blocked_install_cron($snortglob['rm_blocked'] != "never_b" ? true : false); @@ -1004,7 +886,19 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /*************************************************************/ /* This function reads all the rules file in the passed */ /* $rules_path variable and produces a properly formatted */ - /* sid-msg.map file for use by Snort and/or barnyard2. */ + /* sid-msg.map v2 file for use by Snort and/or barnyard2. */ + /* */ + /* This function produces the new v2 format sid-msg.map */ + /* with the field layout as follows: */ + /* */ + /* GID || SID || REV || CLASSTYPE || PRI || MSG || REF ... */ + /* */ + /* On Entry: $rules_path --> array or directory of files */ + /* or a single file containing */ + /* the rules to read. */ + /* $sid_file --> the complete destination path */ + /* and filename for the output */ + /* sid-msg.map file. */ /*************************************************************/ $sidMap = array(); @@ -1013,7 +907,7 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /* First check if we were passed a directory, a single file */ /* or an array of filenames to read. Set our $rule_files */ /* variable accordingly. If we can't figure it out, return */ - /* and don't write a sid_msg_map file. */ + /* and don't write a sid-msg.map file. */ if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); 
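Review bot: `snort_snortloglimit_install_cron(true)` now installs the log-size cron job unconditionally, where the old call honoured `$snortglob['snortloglimit']`; that is only correct if snort_check_cron_misc.inc itself checks the setting before acting, which this hunk cannot show. If it does, record that at the call site: `// always installed; snort_check_cron_misc.inc checks the snortloglimit setting itself`. If it does not, disabled installations will start pruning logs after this upgrade.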
@@ -1066,7 +960,11 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { $record = ""; /* Parse the rule to find sid and any references. */ + $gid = '1'; // default to 1 for regular rules $sid = ''; + $rev = ''; + $classtype = 'NOCLASS'; // required default for v2 format + $priority = '0'; // required default for v2 format $msg = ''; $matches = ''; $sidEntry = ''; @@ -1074,23 +972,32 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { $msg = trim($matches[1]); if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) $sid = trim($matches[1]); - if (!empty($sid) && !empty($msg)) { - $sidEntry = $sid . ' || ' . $msg; + if (preg_match('/\bgid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + $gid = trim($matches[1]); + if (preg_match('/\brev\s*:\s*([^\;]+)/i', $rule, $matches)) + $rev = trim($matches[1]); + if (preg_match('/\bclasstype\s*:\s*([^\;]+)/i', $rule, $matches)) + $classtype = trim($matches[1]); + if (preg_match('/\bpriority\s*:\s*([^\;]+)/i', $rule, $matches)) + $priority = trim($matches[1]); + + if (!empty($gid) && !empty($sid) && !empty($msg)) { + $sidEntry = $gid . ' || ' . $sid . ' || ' . $rev . ' || ' . $classtype . ' || '; + $sidEntry .= $priority . ' || ' . $msg; preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); foreach ($matches[1] as $ref) $sidEntry .= " || " . trim($ref); $sidEntry .= "\n"; - if (!is_array($sidMap[$sid])) - $sidMap[$sid] = array(); - $sidMap[$sid] = $sidEntry; + $sidMap[] = $sidEntry; } } } - /* Sort the generated sid-msg map by sid */ - ksort($sidMap); + /* Sort the generated sid-msg map */ + natcasesort($sidMap); /* Now print the result to the supplied file */ - @file_put_contents($sid_file, array_values($sidMap)); + @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Snort.\n\n"); + @file_put_contents($sid_file, array_values($sidMap), FILE_APPEND); } function snort_merge_reference_configs($cfg_in, $cfg_out) { 
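Review bot: `$sidMap[] = $sidEntry;` replaces the old SID-keyed array, so a rule that appears in more than one file, or the same GID:SID at two revisions, now produces duplicate sid-msg.map lines where the old code collapsed them to one, and `natcasesort()` does not dedupe. Key the entry instead, `$sidMap["{$gid}:{$sid}"] = $sidEntry;` — `natcasesort()` preserves keys and the existing `array_values()` still flattens it for output. The two `@file_put_contents()` calls also hide a failed write; test the first call's return value and `log_error()` on failure rather than leaving Barnyard2 a truncated or missing map.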
@@ -1211,7 +1118,7 @@ function snort_load_rules_map($rules_path) { * Read all the rules into the map array. * The structure of the map array is: * - * map[gid][sid]['rule']['category']['disabled']['flowbits'] + * map[gid][sid]['rule']['category']['disabled']['action']['flowbits'] * * where: * gid = Generator ID from rule, or 1 if general text @@ -1221,6 +1128,7 @@ function snort_load_rules_map($rules_path) { * category = File name of file containing the rule * disabled = 1 if rule is disabled (commented out), 0 if * rule is enabled + * action = alert|log|pass|drop|reject|sdrop * flowbits = Array of applicable flowbits if rule contains * flowbits options ***************************************************************/ @@ -1267,7 +1175,7 @@ function snort_load_rules_map($rules_path) { /* Skip any non-rule lines unless we're in */ /* multiline mode. */ - if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) + if (!preg_match('/^\s*#*\s*(alert|log|pass|drop|reject|sdrop)/i', $rule) && !$b_Multiline) continue; /* Test for a multi-line rule; loop and reassemble */ @@ -1312,6 +1220,13 @@ function snort_load_rules_map($rules_path) { else $map_ref[$gid][$sid]['disabled'] = 0; + /* Grab the rule action (this is for a future option) */ + $matches = array(); + if (preg_match('/^\s*#*\s*(alert|log|pass|drop|reject|sdrop)/i', $rule, $matches)) + $map_ref[$gid][$sid]['action'] = $matches[1]; + else + $map_ref[$gid][$sid]['action'] = ""; + /* Grab any associated flowbits from the rule. */ $map_ref[$gid][$sid]['flowbits'] = snort_get_flowbits($rule); @@ -1715,7 +1630,7 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { /* If the $rule_map array is empty, then exit. */ if (empty($rule_map)) { - file_put_contents($rule_file, ""); + @file_put_contents($rule_file, ""); return; } 
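Review bot: The action pattern `/^\s*#*\s*(alert|log|pass|drop|reject|sdrop)/i` is now written out twice in `snort_load_rules_map` (the skip test and the new action capture); hoist it into one local, `$action_re = '/^\s*#*\s*(alert|log|pass|drop|reject|sdrop)/i';`, so the two cannot drift apart when another action keyword is added. The `#*` prefix deliberately matches commented-out rules so a disabled rule still records its action, which deserves a comment since `disabled` is computed separately just above. `snort_load_rules_map` begins and ends outside these hunks.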
@@ -1739,34 +1654,32 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { } } -function snort_load_sid_mods($sids, $value) { +function snort_load_sid_mods($sids) { /*****************************************/ /* This function parses the string of */ - /* SID values in $sids and returns an */ - /* array with the SID as the key and */ - /* value. The SID values in $sids are */ + /* GID:SID values in $sids and returns */ + /* an array with the GID and SID as the */ + /* keys. The values in $sids are */ /* assumed to be delimited by "||". */ /* */ - /* $sids ==> string of SID values from */ - /* saved config file. */ + /* $sids ==> string of GID:SID values */ + /* from the config file. */ /* */ - /* $value ==> type of mod (enable or */ - /* disable). Not currently */ - /* utilized, but maintained */ - /* so as not to break legacy */ - /* code elsewhere. */ + /* Returns ==> a multidimensional array */ + /* with GID and SID as the */ + /* keys ($result[GID][SID]) */ /*****************************************/ $result = array(); - if (empty($sids) || empty($value)) + if (empty($sids)) return $result; $tmp = explode("||", $sids); foreach ($tmp as $v) { - if (preg_match('/\s\d+/', $v, $match)) { - if (!is_array($result[trim($match[0])])) - $result[trim($match[0])] = array(); - $result[trim($match[0])] = trim($match[0]); + if (preg_match('/(\d+)\s*:\s*(\d+)/', $v, $match)) { + if (!is_array($result[$match[1]])) + $result[$match[1]] = array(); + $result[$match[1]][$match[2]] = "{$match[1]}:{$match[2]}"; } } unset($tmp); 
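Review bot: `snort_load_sid_mods` now accepts only `GID:SID` tokens, so a saved `rule_sid_on`/`rule_sid_off` string written by an earlier package version as bare SIDs (the old pattern matched `\s\d+`) is silently dropped and every user enable/disable override disappears after upgrade, unless a migration elsewhere in this diff rewrites those values. Either document that migration in the box comment or accept a bare SID as GID 1: `if (preg_match('/^\s*(\d+)\s*$/', $v, $m)) $match = array($v, '1', $m[1]);` before the existing test. Also `!is_array($result[$match[1]])` reads an undefined index on first use and raises a notice; `!isset($result[$match[1]])` is the usual form.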
@@ -1791,15 +1704,15 @@ function snort_modify_sids(&$rule_map, $snortcfg) { /* Load up our enablesid and disablesid */ /* arrays with lists of modified SIDs */ - $enablesid = snort_load_sid_mods($snortcfg['rule_sid_on'], "enablesid"); - $disablesid = snort_load_sid_mods($snortcfg['rule_sid_off'], "disablesid"); + $enablesid = snort_load_sid_mods($snortcfg['rule_sid_on']); + $disablesid = snort_load_sid_mods($snortcfg['rule_sid_off']); /* Turn on any rules that need to be */ /* forced "on" with enablesid mods. */ if (!empty($enablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $enablesid) && $v['disabled'] == 1) { + if (isset($enablesid[$k1][$k2]) && $v['disabled'] == 1) { $rule_map[$k1][$k2]['rule'] = ltrim($v['rule'], " \t#"); $rule_map[$k1][$k2]['disabled'] = 0; } @@ -1812,7 +1725,7 @@ function snort_modify_sids(&$rule_map, $snortcfg) { if (!empty($disablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $disablesid) && $v['disabled'] == 0) { + if (isset($disablesid[$k1][$k2]) && $v['disabled'] == 0) { $rule_map[$k1][$k2]['rule'] = "# " . $v['rule']; $rule_map[$k1][$k2]['disabled'] = 1; } @@ -1831,9 +1744,10 @@ function snort_create_rc() { /* after any changes to snort.conf saved in the GUI. */ /*********************************************************/ - global $config, $g; + global $config, $g, $pfs_version; $snortdir = SNORTDIR; + $snortlogdir = SNORTLOGDIR; $rcdir = RCFILEPREFIX; // If no interfaces are configured for Snort, exit 
@@ -1847,36 +1761,37 @@ function snort_create_rc() { $start_snort_iface_start = array(); $start_snort_iface_stop = array(); + // If not using PBI package, then make sure Barnyard2 can + // find the latest MySQL shared libs in /usr/local/lib/mysql + if ($pfs_version < 2.1) { + $sql_lib_path = "\n# Ensure MySQL shared libs are in ldconfig search path\n"; + $sql_lib_path .= "/sbin/ldconfig -m /usr/local/lib/mysql"; + $start_snort_iface_start[] = $sql_lib_path; + } + // Loop thru each configured interface and build // the shell script. foreach ($snortconf as $value) { + // Skip disabled Snort interfaces + if ($value['enable'] <> 'on') + continue; $snort_uuid = $value['uuid']; - $if_real = snort_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); $start_barnyard = <<<EOE if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then - pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "` + pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "` else pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` fi if [ ! -z \$pid ]; then - /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." - /bin/pkill \$pid -a - time=0 timeout=30 - while kill -0 \$pid 2>/dev/null; do - sleep 1 - time=\$((time+1)) - if [ \$time -gt \$timeout ]; then - break - fi - done - if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then - /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid - fi + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill -HUP \$pid + else + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..." 
+ /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q fi - /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..." - /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q EOE; $stop_barnyard2 = <<<EOE @@ -1897,7 +1812,7 @@ EOE; /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid fi else - pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "` + pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "` if [ ! -z \$pid ]; then /bin/pkill -f "barnyard2 -r {$snort_uuid} " time=0 timeout=30 @@ -1912,7 +1827,7 @@ EOE; fi EOE; - if ($value['barnyard_enable'] == 'on' && !empty($value['barnyard_mysql'])) + if ($value['barnyard_enable'] == 'on') $start_barnyard2 = $start_barnyard; else $start_barnyard2 = $stop_barnyard2; @@ -1922,7 +1837,7 @@ EOE; ###### For Each Iface # Start snort and barnyard2 if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then - pid=`/bin/pgrep -f "snort -R {$snort_uuid} "` + pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "` else pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` fi 
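Review bot: The new Barnyard2 soft-restart branch in the generated rc script runs `/bin/pkill -HUP \$pid`, but `pkill` treats its argument as a process-name pattern rather than a PID, so with `$pid` holding a number from `pgrep` this signals nothing and the running Barnyard2 never reloads; the Snort block in the following hunk already carries the same construct. Use `kill -HUP \$pid`, or `/bin/pkill -HUP -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` when the pidfile branch was taken. The `$pfs_version < 2.1` test compares the three-character string read from /etc/version numerically; it holds for "2.0"/"2.1" but a comment that `$pfs_version` is a string would spare the next reader a double-take. `snort_create_rc` continues past the end of this hunk.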
@@ -1932,7 +1847,7 @@ EOE; /bin/pkill -HUP \$pid else /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..." - /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + /usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} fi sleep 2 @@ -1958,10 +1873,10 @@ EOE; /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid fi else - pid=`/bin/pgrep -f "snort -R {$snort_uuid} "` + pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "` if [ ! -z \$pid ]; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." - /bin/pkill -f "snort -R {$snort_uuid} " + /bin/pkill -fn "snort -R {$snort_uuid} " time=0 timeout=30 while kill -0 \$pid 2>/dev/null; do sleep 1 
@@ -2021,79 +1936,122 @@ EOD; @chmod("{$rcdir}/snort.sh", 0755); } -/* open barnyard2.conf for writing */ -function snort_create_barnyard2_conf($snortcfg, $if_real) { - global $config, $g; - - $snortdir = SNORTDIR; - $snort_uuid = $snortcfg['uuid']; - - if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) - exec("/usr/bin/touch {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); - - if (!file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { - @touch("/var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo"); - mwexec("/bin/chmod 770 /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); - } - - $barnyard2_conf_text = snort_generate_barnyard2_conf($snortcfg, $if_real); +function snort_generate_barnyard2_conf($snortcfg, $if_real) { - /* write out barnyard2_conf */ - @file_put_contents("{$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", $barnyard2_conf_text); -} + /****************************************************/ + /* This function creates the barnyard2.conf config */ + /* file for the passed interface when Barnyard2 is */ + /* enabled. */ + /****************************************************/ -/* open barnyard2.conf for writing" */ -function snort_generate_barnyard2_conf($snortcfg, $if_real) { global $config, $g; - $snortdir = SNORTDIR; $snort_uuid = $snortcfg['uuid']; + $snortdir = SNORTDIR; + $snortcfgdir = SNORTDIR . "/snort_{$snort_uuid}_{$if_real}"; + $snortlogdir = SNORTLOGDIR . 
"/snort_{$if_real}{$snort_uuid}"; + + // Create required directories for barnyard2 if missing + if (!is_dir("{$snortlogdir}/barnyard2")) + safe_mkdir("{$snortlogdir}/barnyard2"); + if (!is_dir("{$snortlogdir}/barnyard2/archive")) + safe_mkdir("{$snortlogdir}/barnyard2/archive"); + + // Create the barnyard2 waldo file if missing + if (!file_exists("{$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { + @touch("{$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo"); + mwexec("/bin/chmod 770 {$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); + } + + // If there is no gen-msg.map file present, create an + // empty one so Barnyard2 will at least start. + if (!file_exists("{$snortcfgdir}/gen-msg.map")) + @file_put_contents("{$snortcfgdir}/gen-msg.map", ""); + + $snortbarnyard_hostname_info = php_uname("n"); + + // Set general config parameters + $gen_configs = "config quiet\nconfig daemon\nconfig decode_data_link\nconfig alert_with_interface_name\nconfig event_cache_size: 8192"; + if ($snortcfg['barnyard_show_year'] == 'on') + $gen_configs .= "\nconfig show_year"; + if ($snortcfg['barnyard_obfuscate_ip'] == 'on') + $gen_configs .= "\nconfig obfuscate"; + if ($snortcfg['barnyard_dump_payload'] == 'on') + $gen_configs .= "\nconfig dump_payload"; + if ($snortcfg['barnyard_archive_enable'] == 'on') + $gen_configs .= "\nconfig archivedir: {$snortlogdir}/barnyard2/archive"; + + // Set output plugins + $snortbarnyardlog_output_plugins = ""; + if ($snortcfg['barnyard_mysql_enable'] == 'on') { + $by2_dbpwd = base64_decode($snortcfg['barnyard_dbpwd']); + $snortbarnyardlog_output_plugins .= "# database: log to a MySQL DB\noutput database: log, mysql, "; + $snortbarnyardlog_output_plugins .= "user={$snortcfg['barnyard_dbuser']} password={$by2_dbpwd} "; + $snortbarnyardlog_output_plugins .= "dbname={$snortcfg['barnyard_dbname']} host={$snortcfg['barnyard_dbhost']}"; + if (isset($snortcfg['barnyard_sensor_name']) && strlen($snortcfg['barnyard_sensor_name']) > 
0) + $snortbarnyardlog_output_plugins .= " sensor_name={$snortcfg['barnyard_sensor_name']}"; + if ($snortcfg['barnyard_disable_sig_ref_tbl'] == 'on') + $snortbarnyardlog_output_plugins .= " disable_signature_reference_table"; + $snortbarnyardlog_output_plugins .= "\n\n"; + } + if ($snortcfg['barnyard_syslog_enable'] == 'on') { + $snortbarnyardlog_output_plugins .= "# syslog_full: log to a syslog receiver\noutput alert_syslog_full: "; + if (isset($snortcfg['barnyard_sensor_name']) && strlen($snortcfg['barnyard_sensor_name']) > 0) + $snortbarnyardlog_output_plugins .= "sensor_name {$snortcfg['barnyard_sensor_name']}, "; + else + $snortbarnyardlog_output_plugins .= "sensor_name {$snortbarnyard_hostname_info}, "; + if ($snortcfg['barnyard_syslog_local'] == 'on') + $snortbarnyardlog_output_plugins .= "local, log_facility LOG_AUTH, log_priority LOG_INFO\n\n"; + else { + $snortbarnyardlog_output_plugins .= "server {$snortcfg['barnyard_syslog_rhost']}, protocol {$snortcfg['barnyard_syslog_proto']}, "; + $snortbarnyardlog_output_plugins .= "port {$snortcfg['barnyard_syslog_dport']}, operation_mode {$snortcfg['barnyard_syslog_opmode']}, "; + $snortbarnyardlog_output_plugins .= "log_facility {$snortcfg['barnyard_syslog_facility']}, log_priority {$snortcfg['barnyard_syslog_priority']}\n\n"; + } + } + if ($snortcfg['barnyard_bro_ids_enable'] == 'on') { + $snortbarnyardlog_output_plugins .= "# alert_bro: log to a Bro-IDS receiver\n"; + $snortbarnyardlog_output_plugins .= "output alert_bro: {$snortcfg['barnyard_bro_ids_rhost']}:{$snortcfg['barnyard_bro_ids_dport']}\n"; + } + + // Trim leading and trailing newlines and spaces + $snortbarnyardlog_output_plugins = rtrim($snortbarnyardlog_output_plugins, "\n"); - /* TODO: add support for the other 5 output plugins */ - $snortbarnyardlog_database_info_chk = $snortcfg['barnyard_mysql']; - $snortbarnyardlog_hostname_info_chk = php_uname("n"); - /* user add arguments */ + // User pass-through arguments $snortbarnyardlog_config_pass_thru 
= str_replace("\r", "", base64_decode($snortcfg['barnconfigpassthru'])); + // Create the conf file as a text string $barnyard2_conf_text = <<<EOD -# barnyard2.conf +# barnyard2.conf # barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php # -# set the appropriate paths to the file(s) your Snort process is using -config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config -config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config -config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map -config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map - -config hostname: $snortbarnyardlog_hostname_info_chk -config interface: {$if_real} -config decode_data_link -config waldo_file: /var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo - -# Show year in timestamps -config show_year +## General Barnyard2 settings ## +{$gen_configs} +config reference_file: {$snortcfgdir}/reference.config +config classification_file: {$snortcfgdir}/classification.config +config sid_file: {$snortcfgdir}/sid-msg.map +config gen_file: {$snortcfgdir}/gen-msg.map +config hostname: {$snortbarnyard_hostname_info} +config interface: {$if_real} +config waldo_file: {$snortlogdir}/barnyard2/{$snort_uuid}_{$if_real}.waldo +config logdir: {$snortlogdir} ## START user pass through ## - - {$snortbarnyardlog_config_pass_thru} - +{$snortbarnyardlog_config_pass_thru} ## END user pass through ## -# Step 2: setup the input plugins +## Setup input plugins ## input unified2 -config logdir: /var/log/snort/snort_{$if_real}{$snort_uuid} - -# database: log to a variety of databases -# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx - - $snortbarnyardlog_database_info_chk +## Setup output plugins ## +{$snortbarnyardlog_output_plugins} EOD; - return $barnyard2_conf_text; + /* Write out barnyard2_conf text string to disk */ + 
@file_put_contents("{$snortcfgdir}/barnyard2.conf", $barnyard2_conf_text); + unset($barnyard2_conf_text); } function snort_deinstall() { @@ -2105,6 +2063,7 @@ function snort_deinstall() { $snortlogdir = SNORTLOGDIR; $rcdir = RCFILEPREFIX; $snort_rules_upd_log = RULES_UPD_LOGFILE; + $iprep_path = IPREP_PATH; log_error(gettext("[Snort] Snort package uninstall in progress...")); @@ -2117,7 +2076,7 @@ function snort_deinstall() { mwexec('/usr/bin/killall -9 snort', true); sleep(2); // Delete any leftover snort PID files in /var/run - array_map('@unlink', glob("/var/run/snort_*.pid")); + unlink_if_exists("/var/run/snort_*.pid"); /* Make sure all active Barnyard2 processes are terminated */ /* Log a message only if a running process is detected */ 
@@ -2128,38 +2087,48 @@ function snort_deinstall() { mwexec('/usr/bin/killall -9 barnyard2', true); sleep(2); // Delete any leftover barnyard2 PID files in /var/run - array_map('@unlink', glob("/var/run/barnyard2_*.pid")); + unlink_if_exists("/var/run/barnyard2_*.pid"); /* Remove the snort user and group */ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); - /* Remove snort cron entries Ugly code needs smoothness */ - if (!function_exists('snort_deinstall_cron')) { - function snort_deinstall_cron($crontask) { - global $config, $g; - - if(!is_array($config['cron']['item'])) - return; + /* Remove all the Snort cron jobs. */ + install_cron_job("snort2c", false); + install_cron_job("snort_check_for_rule_updates.php", false); + install_cron_job("snort_check_cron_misc.inc", false); + configure_cron(); - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], $crontask)) { - $is_installed = true; - break; + /* Remove our associated Dashboard widget config. If */ + /* "save settings" is enabled, then save old widget */ + /* container settings so we can restore them later. */ + $widgets = $config['widgets']['sequence']; + if (!empty($widgets)) { + $widgetlist = explode(",", $widgets); + foreach ($widgetlist as $key => $widget) { + if (strstr($widget, "snort_alerts-container")) { + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { + $config['installedpackages']['snortglobal']['dashboard_widget'] = $widget; } - $x++; + unset($widgetlist[$key]); + break; } - if ($is_installed == true) - unset($config['cron']['item'][$x]); } + $config['widgets']['sequence'] = implode(",", $widgetlist); + write_config("Snort pkg: remove Snort Dashboard Widget on package deinstall."); } - /* Remove all the Snort cron jobs. 
*/ - snort_deinstall_cron("snort2c"); - snort_deinstall_cron("snort_check_for_rule_updates.php"); - snort_deinstall_cron("snort_check_cron_misc.inc"); - configure_cron(); + /* See if we are to clear blocked hosts on uninstall */ + if ($config['installedpackages']['snortglobal']['clearblocks'] == 'on') { + log_error(gettext("[Snort] Removing all blocked hosts from <snort2c> table...")); + mwexec("/sbin/pfctl -t snort2c -T flush"); + } + + /* See if we are to clear Snort log files on uninstall */ + if ($config['installedpackages']['snortglobal']['clearlogs'] == 'on') { + log_error(gettext("[Snort] Clearing all Snort-related log files...")); + unlink_if_exists("{$snort_rules_upd_log}"); + mwexec("/bin/rm -rf {$snortlogdir}"); + } /**********************************************************/ /* Test for existence of library backup tarballs in /tmp. */ @@ -2188,8 +2157,11 @@ function snort_deinstall() { log_error(gettext("Not saving settings... all Snort configuration info and logs deleted...")); unset($config['installedpackages']['snortglobal']); unset($config['installedpackages']['snortsync']); - @unlink("{$snort_rules_upd_log}"); + unlink_if_exists("{$snort_rules_upd_log}"); + log_error(gettext("[Snort] Flushing <snort2c> firewall table to remove addresses blocked by Snort...")); + mwexec("/sbin/pfctl -t snort2c -T flush"); mwexec("/bin/rm -rf {$snortlogdir}"); + mwexec("/bin/rm -rf {$iprep_path}"); log_error(gettext("[Snort] The package has been removed from this system...")); } } 
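Review bot: The Dashboard-widget cleanup rewrites `$config['widgets']['sequence']` and calls `write_config(...)` whenever `$widgets` is non-empty, even when no `snort_alerts-container` entry was found and `$widgetlist` is unchanged, so every deinstall on a system without the widget still triggers a config write and backup. A found flag set inside the `strstr` branch would scope both lines: `if ($found) { $config['widgets']['sequence'] = implode(",", $widgetlist); write_config("Snort pkg: remove Snort Dashboard Widget on package deinstall."); }`. The `forcekeepsettings` check also only preserves the widget name when the entry is present, which looks intended but is worth a comment. snort_deinstall() starts outside this hunk.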
@@ -2209,28 +2181,52 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* to be written. */ /***********************************************************/ - global $rebuild_rules; + global $g, $rebuild_rules; $snortdir = SNORTDIR; $flowbit_rules_file = FLOWBITS_FILENAME; $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; $no_rules_defined = true; + $enabled_rules = array(); /* If there is no reason to rebuild the rules, exit to save time. */ if (!$rebuild_rules) return; /* Log a message for rules rebuild in progress */ - log_error(gettext("[Snort] Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + log_error(gettext("[Snort] Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . " ...")); + + /* Enable all, some or none of the SDF rules depending on setting. */ + if ($snortcfg['sensitive_data'] == 'on' && $snortcfg['protect_preproc_rules'] != 'on') { + if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")) { + $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; + $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); + $sd_tmp_new_file=""; + foreach ($sd_tmp_file as $sd_tmp_line) + $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; + @file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); + } + } + elseif ($snortcfg['sensitive_data'] != 'on' && $snortcfg['protect_preproc_rules'] != 'on') { + /* Setting is "off", so disable all SDF rules. 
*/ + $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; + @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/sensitive-data.rules"); + @unlink("{$g['tmp_path']}/sedcmd"); + } + + /* Load the decoder, preprocessor and sensitive-data */ + /* rules from the interface's preproc_rule directory */ + /* into the $enabled_rules array. */ + $enabled_rules = snort_load_rules_map("{$snortcfgdir}/preproc_rules/"); /* Only rebuild rules if some are selected or an IPS Policy is enabled */ if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') { - $enabled_rules = array(); $enabled_files = array(); $all_rules = array(); $no_rules_defined = false; - /* Load up all the rules into a Rules Map array. */ + /* Load up all the text rules into a Rules Map array. */ $all_rules = snort_load_rules_map("{$snortdir}/rules/"); /* Create an array with the filenames of the enabled */ @@ -2258,6 +2254,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_rules[$k1][$k2]['rule'] = $v['rule']; $enabled_rules[$k1][$k2]['category'] = $v['category']; $enabled_rules[$k1][$k2]['disabled'] = $v['disabled']; + $enabled_rules[$k1][$k2]['action'] = $v['action']; $enabled_rules[$k1][$k2]['flowbits'] = $v['flowbits']; } } @@ -2280,6 +2277,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_rules[$k1][$k2]['rule'] = $p['rule']; $enabled_rules[$k1][$k2]['category'] = $p['category']; $enabled_rules[$k1][$k2]['disabled'] = $p['disabled']; + $enabled_rules[$k1][$k2]['action'] = $p['action']; $enabled_rules[$k1][$k2]['flowbits'] = $p['flowbits']; } } 
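Review bot: `$sdf_alert_pattern` is built by interpolating `$snortcfg['sdf_alert_data_type']` into a `/.../i` regex without `preg_quote`, so a value containing `/`, `(` or other PCRE metacharacters makes `preg_match` return false with a warning, and the ternary then drops every line, silently writing an empty per-interface sensitive-data.rules. Quote each comma-separated token before joining: `$types = array_map(function ($t) { return preg_quote(trim($t), '/'); }, explode(',', $snortcfg['sdf_alert_data_type']));` and `$sdf_alert_pattern = '(' . implode('|', $types) . ')';`. The `elseif` branch also runs sed against `{$snortcfgdir}/preproc_rules/sensitive-data.rules` without the `file_exists` guard the `on` branch has, so a missing file produces a sed error in the log rather than a no-op. snort_prepare_rule_files() starts and ends outside this hunk.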
@@ -2292,7 +2290,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Check for and disable any rules dependent upon disabled preprocessors if */ /* this option is enabled for the interface. */ if ($snortcfg['preproc_auto_rule_disable'] == "on") { - log_error('[Snort] Checking for rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + log_error('[Snort] Checking for rules dependent on disabled preprocessors for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...'); snort_filter_preproc_rules($snortcfg, $enabled_rules); } @@ -2301,7 +2299,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */ if ($snortcfg['autoflowbitrules'] == 'on') { - log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + log_error('[Snort] Enabling any flowbit-required rules for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...'); $fbits = snort_resolve_flowbits($all_rules, $enabled_rules); /* Check for and disable any flowbit-required rules the user has */ @@ -2311,7 +2309,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Check for and disable any flowbit-required rules dependent upon */ /* disabled preprocessors if this option is enabled for the interface. */ if ($snortcfg['preproc_auto_rule_disable'] == "on") { - log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...'); snort_filter_preproc_rules($snortcfg, $fbits, true); } snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}"); 
@@ -2320,7 +2318,8 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); } else { - snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); + /* No regular rules or policy were selected, so just use the decoder and preproc rules */ + snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); } @@ -2333,11 +2332,11 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Log a warning if the interface has no rules defined or enabled */ if ($no_rules_defined) - log_error(gettext("[Snort] Warning - no text rules selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + log_error(gettext("[Snort] Warning - no text rules or IPS-Policy selected for: " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . " ...")); /* Build a new sid-msg.map file from the enabled */ /* rules and copy it to the interface directory. */ - log_error(gettext("[Snort] Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "...")); + log_error(gettext("[Snort] Building new sig-msg.map file for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "...")); snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map"); } 
@@ -2462,7 +2461,7 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa /* when flowbit-required rules are being assessed after the */ /* primary enforcing rules have been evaluated. */ /***************************************************************/ - $iface = snort_get_friendly_interface($snortcfg['interface']); + $iface = convert_friendly_interface_to_friendly_descr($snortcfg['interface']); $file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; if ($persist_log) $fp = fopen($file, 'a'); @@ -2528,7 +2527,7 @@ function snort_generate_conf($snortcfg) { else $protect_preproc_rules = "off"; - $if_real = snort_get_real_interface($snortcfg['interface']); + $if_real = get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; @@ -2588,8 +2587,18 @@ function snort_generate_conf($snortcfg) { /* define snortunifiedlog */ $snortunifiedlog_type = ""; - if ($snortcfg['snortunifiedlog'] == "on") - $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; + if ($snortcfg['barnyard_enable'] == "on") { + if (isset($snortcfg['unified2_log_limit'])) + $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; + else + $u2_log_limit = "limit 128"; + + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; + if ($snortcfg['barnyard_log_vlan_events'] == 'on') + $snortunifiedlog_type .= ", vlan_event_types"; + if ($snortcfg['barnyard_log_mpls_events'] == 'on') + $snortunifiedlog_type .= ", mpls_event_types"; + } /* define spoink */ $spoink_type = ""; 
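Review bot: In the unified2 block, `isset($snortcfg['unified2_log_limit'])` is true for an empty string, so a blank setting emits `limit ` with no value into the `output unified2:` line and snort will reject the conf at start. The intent is clearly "use the configured value, else 128", which needs a value check rather than a presence check: `if (!empty($snortcfg['unified2_log_limit']) && is_numeric($snortcfg['unified2_log_limit']))`. Whether the UI already validates this field is not visible here. snort_generate_conf() starts and ends outside this hunk.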
@@ -2598,7 +2607,7 @@ function snort_generate_conf($snortcfg) { if ($snortcfg['blockoffenderskill'] == "on") $pfkill = "kill"; $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); - /* write whitelist */ + /* write Pass List */ @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; } @@ -3147,6 +3156,49 @@ preprocessor sensitive_data: \ EOD; + /* define IP Reputation preprocessor */ + if (is_array($snortcfg['blist_files']['item'])) { + $blist_files = ""; + $bIsFirst = TRUE; + foreach ($snortcfg['blist_files']['item'] as $blist) { + if ($bIsFirst) { + $blist_files .= "blacklist " . IPREP_PATH . $blist; + $bIsFirst = FALSE; + } + else + $blist_files .= ", \\ \n\tblacklist " . IPREP_PATH . $blist; + } + } + if (is_array($snortcfg['wlist_files']['item'])) { + $wlist_files = ""; + $bIsFirst = TRUE; + foreach ($snortcfg['wlist_files']['item'] as $wlist) { + if ($bIsFirst) { + $wlist_files .= "whitelist " . IPREP_PATH . $wlist; + $bIsFirst = FALSE; + } + else + $wlist_files .= ", \\ \n\twhitelist " . IPREP_PATH . $wlist; + } + } + if (!empty($blist_files)) + $ip_lists = $blist_files; + if (!empty($wlist_files)) + $ip_lists .= ", \\ \n" . $wlist_files; + if ($snortcfg['iprep_scan_local'] == 'on') + $ip_lists .= ", \\ \n\tscan_local"; + + $reputation_preproc = <<<EOD +# IP Reputation preprocessor # +preprocessor reputation: \ + memcap {$snortcfg['iprep_memcap']}, \ + priority {$snortcfg['iprep_priority']}, \ + nested_ip {$snortcfg['iprep_nested_ip']}, \ + white {$snortcfg['iprep_white']}, \ + {$ip_lists} + +EOD; + /* define servers as IP variables */ $snort_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", 
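Review bot: `$ip_lists` is never initialised, and the heredoc always ends the `white ...` line with `, \`, so when no blacklist is configured but a whitelist or `scan_local` is, the result begins with a stray `, \` continuation, and when nothing is configured the preprocessor line ends on a dangling comma and backslash; either way the generated reputation stanza is malformed. Collecting the pieces in an array and imploding them once, with the leading separator only when the array is non-empty, removes both the `$bIsFirst` bookkeeping and the edge cases. Applying `basename()` to each configured list name also keeps the referenced file inside IPREP_PATH regardless of what was stored in the config (the list names appear to come from the package's own list-management page, so this is defence in depth). snort_generate_conf() starts and ends outside this hunk.
```php
/* define IP Reputation preprocessor */
$ip_lists = array();
if (is_array($snortcfg['blist_files']['item'])) {
    foreach ($snortcfg['blist_files']['item'] as $blist)
        $ip_lists[] = "blacklist " . IPREP_PATH . basename($blist);
}
if (is_array($snortcfg['wlist_files']['item'])) {
    foreach ($snortcfg['wlist_files']['item'] as $wlist)
        $ip_lists[] = "whitelist " . IPREP_PATH . basename($wlist);
}
if ($snortcfg['iprep_scan_local'] == 'on')
    $ip_lists[] = "scan_local";
/* Empty when nothing is configured; otherwise carries its own leading
 * continuation so the "white" line below needs no trailing comma. */
$ip_lists = empty($ip_lists) ? "" : ", \\ \n\t" . implode(", \\ \n\t", $ip_lists);

$reputation_preproc = <<<EOD
# IP Reputation preprocessor #
preprocessor reputation: \
	memcap {$snortcfg['iprep_memcap']}, \
	priority {$snortcfg['iprep_priority']}, \
	nested_ip {$snortcfg['iprep_nested_ip']}, \
	white {$snortcfg['iprep_white']}{$ip_lists}

EOD;
// … unchanged: $snort_servers definition …
```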
@@ -3177,11 +3229,11 @@ EOD; "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", - "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", + "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc" ); $default_disabled_preprocs = array( - "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc" + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat" ); $snort_preprocessors = ""; foreach ($snort_preproc as $preproc) { 
@@ -3219,43 +3271,9 @@ EOD; $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (is_dir("{$snortcfgdir}/preproc_rules")) { - if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { - $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; - if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){ - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; - #enable only selected sensitive data - if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){ - $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; - $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); - $sd_tmp_new_file=""; - foreach ($sd_tmp_file as $sd_tmp_line) - $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; - file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); - } - } - } else - $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; - if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { - @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); - @unlink("{$g['tmp_path']}/sedcmd"); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { - $snort_misc_include_rules .= "include 
\$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } - else { - $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); - } - } else { + if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); } /* generate rule sections to load */ @@ -3528,7 +3546,7 @@ EOD; // Check for and configure Host Attribute Table if enabled $host_attrib_config = ""; if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { - file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); + @file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); $host_attrib_config = "# Host Attribute Table #\n"; $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; if (!empty($snortcfg['max_attribute_hosts'])) @@ -3673,9 +3691,8 @@ EOD; ipvar HOME_NET [{$home_net}] ipvar EXTERNAL_NET [{$external_net}] -# Define Rule Paths # +# Define Rule Path # var RULE_PATH {$snortcfgdir}/rules -var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules # Define Servers # {$ipvardef} 
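Review bot: Adding `@` to the `host_attributes` write hides a failed `file_put_contents`, yet the code then unconditionally emits `attribute_table filename {$snortcfgdir}/host_attributes`, so a write failure (full disk, read-only mount) leaves snort pointing at a missing or stale table with nothing in the log to explain it. Keep the suppression if the warning noise is the concern, but branch on the return value: `if (@file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])) === false) log_error("[Snort] Could not write {$snortcfgdir}/host_attributes; Host Attribute Table disabled.");` and only build `$host_attrib_config` otherwise. snort_generate_conf() starts and ends outside this hunk.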
@@ -3766,14 +3783,7 @@ output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,src EOD; // Write out snort.conf file - $conf = fopen("{$snortcfgdir}/snort.conf", "w"); - if(!$conf) { - log_error("Could not open {$snortcfgdir}/snort.conf for writing."); - conf_mount_ro(); - return -1; - } - fwrite($conf, $snort_conf_text); - fclose($conf); + @file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text); conf_mount_ro(); unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); unset($home_net, $external_net, $ipvardef, $portvardef); diff --git a/config/snort/snort.priv.inc b/config/snort/snort.priv.inc index 5e159747..8db5408d 100644 --- a/config/snort/snort.priv.inc +++ b/config/snort/snort.priv.inc @@ -24,10 +24,9 @@ $priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_edit.php* $priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_global.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_suppress.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_suppress_edit.php*"; -$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_whitelist.php*"; -$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_whitelist_edit.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_passlist.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_passlist_edit.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_list_view.php*"; -$priv_list['page-services-snort']['match'][] = "snort/snort_log_view.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_migrate_config.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_post_install.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_preprocessors.php*"; 
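Review bot: The removed `fopen` branch logged the failure and returned -1 when snort.conf could not be opened for writing; the replacement `@file_put_contents` discards the return value, so a failed write now falls through to `conf_mount_ro()` and the caller proceeds as if a fresh snort.conf exists. Preserve the old contract in one line: `if (@file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text) === false) { log_error("Could not open {$snortcfgdir}/snort.conf for writing."); conf_mount_ro(); return -1; }`. Whether any caller still inspects the -1 is not visible here, but the log line alone is worth keeping. snort_generate_conf() starts outside this hunk.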
@@ -37,9 +36,14 @@ $priv_list['page-services-snort']['match'][] = "snort/snort_rules_flowbits.php*" $priv_list['page-services-snort']['match'][] = "snort/snort_rulesets.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_select_alias.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_stream5_engine.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_ip_list_mgmt.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_ip_reputation.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_iprep_list_browser.php*"; +$priv_list['page-services-snort']['match'][] = "widgets/javascript/snort_alerts.js*"; +$priv_list['page-services-snort']['match'][] = "widgets/include/widget-snort.inc*"; +$priv_list['page-services-snort']['match'][] = "widgets/widgets/snort_alerts.widget.php*"; $priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=snort_sync.xml*"; -$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=sort/snort.xml*"; +$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=snort/snort.xml*"; $priv_list['page-services-snort']['match'][] = "snort/snort_check_cron_misc.inc*"; $priv_list['page-services-snort']['match'][] = "snort/snort.inc*"; - ?>
\ No newline at end of file diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 9d4f1d61..9d52aa6c 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -8,7 +8,7 @@ /* ========================================================================== */ /* authng.xml - part of pfSense (http://www.pfsense.com) + part of pfSense (https://www.pfsense.org) Copyright (C) 2007 to whom it may belong All rights reserved. @@ -46,12 +46,12 @@ <requirements>None</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.9.5.5</version> - <title>Services:2.9.5.5 pkg v3.0.2</title> + <version>2.9.6.0</version> + <title>Services:2.9.6.0 pkg v3.0.7</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> - <tooltiptext>Setup snort specific settings</tooltiptext> + <tooltiptext>Set up snort specific settings</tooltiptext> <section>Services</section> <url>/snort/snort_interfaces.php</url> </menu> 
@@ -66,177 +66,202 @@ <additional_files_needed> <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort.inc</item> + <item>https://packages.pfsense.org/packages/config/snort/snort.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_check_cron_misc.inc</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_check_cron_misc.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_migrate_config.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_migrate_config.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_post_install.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_post_install.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_sync.xml</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_sync.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_alerts.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_barnyard.php</item> + 
<item>https://packages.pfsense.org/packages/config/snort/snort_barnyard.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_blocked.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_blocked.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_define_servers.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_define_servers.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_download_rules.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_download_rules.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_download_updates.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_download_updates.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_check_for_rule_updates.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_check_for_rule_updates.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_interfaces.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_interfaces.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - 
<item>http://www.pfsense.com/packages/config/snort/snort_interfaces_edit.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_interfaces_edit.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_global.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_interfaces_global.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rules.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_rules.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rules_edit.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_rules_edit.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rulesets.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_rulesets.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_preprocessors.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_preprocessors.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_passlist.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - 
<item>http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist_edit.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_passlist_edit.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_interfaces_suppress.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress_edit.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_interfaces_suppress_edit.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_log_view.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_list_view.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_list_view.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_rules_flowbits.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rules_flowbits.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_edit_hat_data.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_edit_hat_data.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_frag3_engine.php</item> </additional_files_needed> <additional_files_needed> 
<prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_frag3_engine.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_stream5_engine.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_stream5_engine.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_httpinspect_engine.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_httpinspect_engine.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_ftp_client_engine.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_ftp_client_engine.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_ftp_server_engine.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_ftp_server_engine.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_import_aliases.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_import_aliases.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_select_alias.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <chmod>077</chmod> + <item>https://packages.pfsense.org/packages/config/snort/snort.priv.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - 
<item>http://www.pfsense.com/packages/config/snort/snort_select_alias.php</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_ip_reputation.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/etc/inc/priv/</prefix> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>https://packages.pfsense.org/packages/config/snort/snort_ip_list_mgmt.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort.priv.inc</item> + <item>https://packages.pfsense.org/packages/config/snort/snort_iprep_list_browser.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/widgets/javascript/</prefix> + <chmod>0644</chmod> + <item>https://packages.pfsense.org/packages/config/snort/snort_alerts.js</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/widgets/widgets/</prefix> + <chmod>0644</chmod> + <item>https://packages.pfsense.org/packages/config/snort/snort_alerts.widget.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/widgets/include/</prefix> + <chmod>0644</chmod> + <item>https://packages.pfsense.org/packages/config/snort/widget-snort.inc</item> </additional_files_needed> <fields> </fields> @@ -244,13 +269,13 @@ </custom_add_php_command> <custom_php_resync_config_command> <![CDATA[ - if ($GLOBALS['pfSense_snort_version'] == "3.0.2") + if ($GLOBALS['pfSense_snort_version'] == "3.0.7") sync_snort_package_config(); ]]> </custom_php_resync_config_command> <custom_php_install_command> <![CDATA[ - include_once("/usr/local/pkg/snort/snort_post_install.php"); + include_once("/usr/local/www/snort/snort_post_install.php"); ]]> </custom_php_install_command> <custom_php_deinstall_command> 
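Review bot: `snort_post_install.php`, `snort_migrate_config.php` and `snort_check_for_rule_updates.php` are moved from `/usr/local/pkg/snort/` to `/usr/local/www/snort/`, which places install-time and cron-driven scripts under the web root where an HTTP request can reach them; the `custom_php_install_command` change later in this file follows the move. The snort.priv.inc hunk above shows these paths are matched by the page-services-snort privilege, so access is gated, but any user holding that privilege can now re-run post-install or migration logic from a browser, which was not possible from `/usr/local/pkg/`. If the relocation is needed for the include path, consider guarding each script with a check that it is being included rather than requested directly, or leaving the three files under `/usr/local/pkg/snort/` with the include path updated instead. The widget files added at the end use `0644` while every other entry uses `077`; a comment explaining the different mode would help the next maintainer.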
diff --git a/config/snort/snort_alerts.js b/config/snort/snort_alerts.js
new file mode 100644
index 00000000..647eb1b1
--- /dev/null
+++ b/config/snort/snort_alerts.js
@@ -0,0 +1,115 @@ + +var snorttimer; +var snortisBusy = false; +var snortisPaused = false; + +if (typeof getURL == 'undefined') { + getURL = function(url, callback) { + if (!url) + throw 'No URL for getURL'; + try { + if (typeof callback.operationComplete == 'function') + callback = callback.operationComplete; + } catch (e) {} + if (typeof callback != 'function') + throw 'No callback function for getURL'; + var http_request = null; + if (typeof XMLHttpRequest != 'undefined') { + http_request = new XMLHttpRequest(); + } + else if (typeof ActiveXObject != 'undefined') { + try { + http_request = new ActiveXObject('Msxml2.XMLHTTP'); + } catch (e) { + try { + http_request = new ActiveXObject('Microsoft.XMLHTTP'); + } catch (e) {} + } + } + if (!http_request) + throw 'Both getURL and XMLHttpRequest are undefined'; + http_request.onreadystatechange = function() { + if (http_request.readyState == 4) { + callback( { success : true, + content : http_request.responseText, + contentType : http_request.getResponseHeader("Content-Type") } ); + } + } + http_request.open('GET', url, true); + http_request.send(null); + } +} + +function snort_alerts_fetch_new_events_callback(callback_data) { + var data_split; + var new_data_to_add = Array(); + var data = callback_data.content; + data_split = data.split("\n"); + + // Loop through rows and generate replacement HTML + for(var x=0; x<data_split.length-1; x++) { + row_split = data_split[x].split("||"); + var line = ''; + line = '<td class="' + snortWidgetColClass + '">' + row_split[0] + '<br/>' + row_split[1] + '</td>'; + line += '<td class="' + snortWidgetColClass + '" style="overflow: hidden; text-overflow: ellipsis;" nowrap>'; + line += '<div style="display:inline;" title="' + row_split[2] + '">' + row_split[2] + '</div><br/>'; + line += '<div style="display:inline;" title="' + row_split[3] + '">' + row_split[3] + '</div></td>'; + line += '<td class="' + snortWidgetColClass + '">' + 'Priority: ' + row_split[4] + ' ' + row_split[5] + 
'</td>'; + new_data_to_add[new_data_to_add.length] = line; + } + snort_alerts_update_div_rows(new_data_to_add); + snortisBusy = false; +} + +function snort_alerts_update_div_rows(data) { + if(snortisPaused) + return; + + var rows = $$('#snort-alert-entries>tr'); + + // Number of rows to move by + var move = rows.length + data.length - snort_nentries; + if (move < 0) + move = 0; + + for (var i = rows.length - 1; i >= move; i--) { + rows[i].innerHTML = rows[i - move].innerHTML; + } + + var tbody = $$('#snort-alert-entries'); + for (var i = data.length - 1; i >= 0; i--) { + if (i < rows.length) { + rows[i].innerHTML = data[i]; + } else { + var newRow = document.getElementById('snort-alert-entries').insertRow(0); + newRow.innerHTML = data[i]; + } + } + + // Add the even/odd class to each of the rows now + // they have all been added. + rows = $$('#snort-alert-entries>tr'); + for (var i = 0; i < rows.length; i++) { + rows[i].className = i % 2 == 0 ? snortWidgetRowOddClass : snortWidgetRowEvenClass; + } +} + +function fetch_new_snortalerts() { + if(snortisPaused) + return; + if(snortisBusy) + return; + snortisBusy = true; + getURL('/widgets/widgets/snort_alerts.widget.php?getNewAlerts=' + new Date().getTime(), snort_alerts_fetch_new_events_callback); +} + +function snort_alerts_toggle_pause() { + if(snortisPaused) { + snortisPaused = false; + fetch_new_snortalerts(); + } else { + snortisPaused = true; + } +} +/* start local AJAX engine */ +snorttimer = setInterval('fetch_new_snortalerts()', snortupdateDelay); diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index f232f897..45443ec2 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -7,6 +7,7 @@ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2012 Ermal Luci + * Copyright (C) 2013,2014 Bill Meeks * All rights reserved. * * Modified for the Pfsense snort package v. 1.8+ 
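Review bot: The table cells built in snort_alerts_fetch_new_events_callback are later assigned to innerHTML (in snort_alerts_update_div_rows) with each `||`-separated field inserted verbatim, so any markup in an alert field — the description column originates in rule text — is rendered rather than displayed; unless the widget endpoint already HTML-encodes every field server-side (its code is not in this hunk), each `row_split[n]` should be escaped before concatenation, in both the text and the `title="…"` attribute positions. `row_split` is also assigned without `var`, making it an implicit global that leaks out of the function. Escaping the split fields once at the top of the loop fixes both with no change to the line-building code.
```javascript
// Escape one field for use in HTML text and attribute context.
function snort_html_escape(s) {
    return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
                    .replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

function snort_alerts_fetch_new_events_callback(callback_data) {
    // … unchanged: split callback_data.content into data_split …
    for (var x = 0; x < data_split.length - 1; x++) {
        var raw = data_split[x].split("||");
        var row_split = [];
        for (var i = 0; i < raw.length; i++)
            row_split[i] = snort_html_escape(raw[i]);
        // … unchanged: build `line` from row_split[0..5] and append to new_data_to_add …
    }
    // … unchanged: snort_alerts_update_div_rows(new_data_to_add); snortisBusy = false; …
}
```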
@@ -39,6 +40,7 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; $supplist = array(); +$snortlogdir = SNORTLOGDIR; function snort_is_alert_globally_suppressed($list, $gid, $sid) { @@ -97,11 +99,13 @@ function snort_add_supplist_entry($suppress) { $a_suppress[] = $s_list; $a_instance[$instanceid]['suppresslistname'] = $s_list['name']; $found_list = true; + $list_name = $s_list['name']; } else { /* If we get here, a Suppress List is defined for the interface so see if we can find it */ foreach ($a_suppress as $a_id => $alist) { if ($alist['name'] == $a_instance[$instanceid]['suppresslistname']) { $found_list = true; + $list_name = $alist['name']; if (!empty($alist['suppresspassthru'])) { $tmplist = base64_decode($alist['suppresspassthru']); $tmplist .= "\n{$suppress}"; @@ -119,7 +123,7 @@ function snort_add_supplist_entry($suppress) { /* If we created a new list or updated an existing one, save the change, */ /* tell Snort to load it, and return true; otherwise return false. */ if ($found_list) { - write_config(); + write_config("Snort pkg: modified Suppress List {$list_name}."); sync_snort_package_config(); snort_reload_config($a_instance[$instanceid]); return true; 
@@ -128,19 +132,27 @@ function snort_add_supplist_entry($suppress) { return false; } -if ($_GET['instance']) - $instanceid = $_GET['instance']; -if ($_POST['instance']) +if (isset($_POST['instance']) && is_numericint($_POST['instance'])) $instanceid = $_POST['instance']; -if (empty($instanceid)) +elseif (isset($_GET['instance']) && is_numericint($_GET['instance'])) + $instanceid = htmlspecialchars($_GET['instance']); +if (empty($instanceid) || !is_numericint($instanceid)) $instanceid = 0; if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); $a_instance = &$config['installedpackages']['snortglobal']['rule']; $snort_uuid = $a_instance[$instanceid]['uuid']; -$if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); +$if_real = get_real_interface($a_instance[$instanceid]['interface']); +// Load up the arrays of force-enabled and force-disabled SIDs +$enablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_on']); +$disablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_off']); + +// Grab pfSense version so we can refer to it later on this page +$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); + +$pconfig = array(); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; 
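Review bot: `$instanceid` is now checked to be a non-negative integer, but it is never checked against the instances that actually exist, so a request naming an id outside `$a_instance` leaves `$snort_uuid` and `$if_real` empty and passes a non-existent entry to `snort_load_sid_mods()` and, later, `snort_reload_config()`. After the `$a_instance = &$config[...]['rule'];` line add `if (!isset($a_instance[$instanceid])) $instanceid = 0;`. The `htmlspecialchars()` applied to the GET value is redundant once `is_numericint()` has passed, and the `$pfs_version` line appears to duplicate the computation done at the top of snort.inc, which this page requires; reusing that value avoids a second read of /etc/version on every page load.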
@@ -158,70 +170,136 @@ if ($_POST['save']) { $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; - write_config(); + write_config("Snort pkg: updated ALERTS tab settings."); header("Location: /snort/snort_alerts.php?instance={$instanceid}"); exit; } -if ($_POST['todelete'] || $_GET['todelete']) { +if ($_POST['todelete']) { $ip = ""; - if($_POST['todelete']) - $ip = $_POST['todelete']; - else if($_GET['todelete']) - $ip = $_GET['todelete']; - if (is_ipaddr($ip)) { - exec("/sbin/pfctl -t snort2c -T delete {$ip}"); - $savemsg = gettext("Host IP address {$ip} has been removed from the Blocked Table."); + if($_POST['ip']) { + $ip = $_POST['ip']; + if (is_ipaddr($_POST['ip'])) { + exec("/sbin/pfctl -t snort2c -T delete {$ip}"); + $savemsg = gettext("Host IP address {$ip} has been removed from the Blocked Hosts Table."); + } } } -if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { - if (empty($_GET['descr'])) - $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; +if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsuppress']) && is_numeric($_POST['sidid']) && is_numeric($_POST['gen_id'])) { + if ($_POST['addsuppress_srcip']) + $method = "by_src"; + elseif ($_POST['addsuppress_dstip']) + $method = "by_dst"; else - $suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}"; + $method ="all"; + + // See which kind of Suppress Entry to create + switch ($method) { + case "all": + if (empty($_POST['descr'])) + $suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n"; + else + $suppress = "#{$_POST['descr']}\nsuppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n"; + $success = gettext("An entry for 'suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}' has been 
added to the Suppress List."); + break; + case "by_src": + case "by_dst": + // Check for valid IP addresses, exit if not valid + if (is_ipaddr($_POST['ip'])) { + if (empty($_POST['descr'])) + $suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}, track {$method}, ip {$_POST['ip']}\n"; + else + $suppress = "#{$_POST['descr']}\nsuppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}, track {$method}, ip {$_POST['ip']}\n"; + $success = gettext("An entry for 'suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}, track {$method}, ip {$_POST['ip']}' has been added to the Suppress List."); + } + else { + $input_errors[] = gettext("An invalid IP address was passed as a Suppress List parameter."); + } + break; + default: + header("Location: /snort/snort_alerts.php?instance={$instanceid}"); + exit; + } - /* Add the new entry to the Suppress List */ - if (snort_add_supplist_entry($suppress)) - $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); - else - $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); + if (!$input_errors) { + /* Add the new entry to the Suppress List and signal Snort to reload config */ + if (snort_add_supplist_entry($suppress)) { + snort_reload_config($a_instance[$instanceid]); + $savemsg = $success; + /* Give Snort a couple seconds to reload the configuration */ + sleep(2); + } + else + $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); + } } -if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { - if ($_GET['act'] == "addsuppress_srcip") - $method = "by_src"; - else - $method = "by_dst"; - - /* Check for valid IP addresses, exit if not valid */ - if 
(is_ipaddr($_GET['ip']) || is_ipaddrv6($_GET['ip'])) { - if (empty($_GET['descr'])) - $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n"; - else - $suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n"; +if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen_id'])) { + // Get the GID and SID tags embedded in the clicked rule icon. + $gid = $_POST['gen_id']; + $sid= $_POST['sidid']; + + // See if the target SID is in our list of modified SIDs, + // and toggle it if present. + if (isset($enablesid[$gid][$sid])) + unset($enablesid[$gid][$sid]); + if (isset($disablesid[$gid][$sid])) + unset($disablesid[$gid][$sid]); + elseif (!isset($disablesid[$gid][$sid])) + $disablesid[$gid][$sid] = "disablesid"; + + // Write the updated enablesid and disablesid values to the config file. + $tmp = ""; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } - else { - header("Location: /snort/snort_alerts.php?instance={$instanceid}"); - exit; + $tmp = rtrim($tmp, "||"); + + if (!empty($tmp)) + $a_instance[$instanceid]['rule_sid_on'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_on']); + + $tmp = ""; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); - /* Add the new entry to the Suppress List */ - if (snort_add_supplist_entry($suppress)) - $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."); - else - /* We did not find the defined list, so notify the user with an error */ - $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); + if (!empty($tmp)) 
+ $a_instance[$instanceid]['rule_sid_off'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_off']); + + /* Update the config.xml file. */ + write_config("Snort pkg: modified state for rule {$gid}:{$sid}"); + + /*************************************************/ + /* Update the snort.conf file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + $rebuild_rules = true; + snort_generate_conf($a_instance[$instanceid]); + $rebuild_rules = false; + + /* Soft-restart Snort to live-load the new rules */ + snort_reload_config($a_instance[$instanceid]); + + /* Give Snort a couple seconds to reload the configuration */ + sleep(2); + + $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Snort is 'live-reloading' the new rules list. Please wait at least 15 secs for the process to complete before toggling additional rules."); } -if ($_GET['action'] == "clear" || $_POST['delete']) { +if ($_POST['delete']) { snort_post_delete_logs($snort_uuid); - $fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+"); - if ($fd) - fclose($fd); + file_put_contents("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert", ""); /* XXX: This is needed if snort is run as snort user */ - mwexec('/bin/chmod 660 /var/log/snort/*', true); + mwexec("/bin/chmod 660 {$snortlogdir}/*", true); if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); header("Location: /snort/snort_alerts.php?instance={$instanceid}"); 
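Review bot: `$_POST['descr']` is written into the Suppress List as a `#` comment line, but nothing removes line breaks from it, so a value containing a newline adds text after the comment that Snort will parse as a directive of its own; normalise it once, `$descr = str_replace(array("\r", "\n"), " ", $_POST['descr']);`, and interpolate `$descr` in the four `$suppress` assignments. The sidid/gen_id guards on the addsuppress and togglesid branches use `is_numeric()`, which also accepts floats and exponent notation, whereas the instance check earlier in this file uses `is_numericint()`; the values end up as array keys and in the `rule_sid_on`/`rule_sid_off` config strings, so the integer test is the right one in both conditions. In the togglesid branch the `elseif (!isset($disablesid[$gid][$sid]))` is always true when reached, so a plain `else` says the same thing more clearly.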
@@ -231,7 +309,7 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { if ($_POST['download']) { $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz"; - exec("cd /var/log/snort/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *"); + exec("cd {$snortlogdir}/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *"); if (file_exists("/tmp/{$file_name}")) { ob_start(); //important or other posts will fail @@ -264,25 +342,28 @@ include_once("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - +<script src="/javascript/filter_log.js" type="text/javascript"></script> <?php include_once("fbegin.inc"); /* refresh every 60 secs */ if ($pconfig['arefresh'] == 'on') echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php?instance={$instanceid}\" />\n"; -?> -<?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} - /* Display Alert message */ - if ($input_errors) { - print_input_errors($input_errors); // TODO: add checks - } - if ($savemsg) { - print_info_box($savemsg); - } +/* Display Alert message */ +if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks +} +if ($savemsg) { + print_info_box($savemsg); +} ?> <form action="/snort/snort_alerts.php" method="post" id="formalert"> +<input type="hidden" name="instance" id="instance" value="<?=$instanceid;?>"/> +<input type="hidden" name="sidid" id="sidid" value=""/> +<input type="hidden" name="gen_id" id="gen_id" value=""/> +<input type="hidden" name="ip" id="ip" value=""/> +<input type="hidden" name="descr" id="descr" value=""/> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php 
@@ -292,10 +373,11 @@ if ($pconfig['arefresh'] == 'on') $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); $tab_array[3] = array(gettext("Alerts"), true, "/snort/snort_alerts.php?instance={$instanceid}"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr> @@ -307,13 +389,13 @@ if ($pconfig['arefresh'] == 'on') <tr> <td width="22%" class="vncell"><?php echo gettext('Instance to inspect'); ?></td> <td width="78%" class="vtable"> - <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').method='get';document.getElementById('formalert').submit()"> + <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').method='post';document.getElementById('formalert').submit()"> <?php foreach ($a_instance as $id => $instance) { $selected = ""; if ($id == $instanceid) $selected = "selected"; - echo "<option value='{$id}' {$selected}> (" . snort_get_friendly_interface($instance['interface']) . "){$instance['descr']}</option>\n"; + echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . ") {$instance['descr']}</option>\n"; } ?> </select> <?php echo gettext('Choose which instance alerts you want to inspect.'); ?> 
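Review bot: The `<select name="instance" id="instance">` shares both its name and its id with the hidden `<input name="instance" id="instance">` added to the form in an earlier hunk of this file; PHP keeps the last `instance` value in the POST body (the select's), so the page works, but duplicate ids are invalid HTML and any `getElementById('instance')` resolves to whichever element the browser picks. Give the hidden field a distinct id (or drop it, since the select always posts `instance`). The `{$instance['descr']}` in the option text is emitted without `htmlspecialchars()`; it is admin-supplied config, so this is a hardening point rather than a defect.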
@@ -321,22 +403,23 @@ if ($pconfig['arefresh'] == 'on') <tr> <td width="22%" class="vncell"><?php echo gettext('Save or Remove Logs'); ?></td> <td width="78%" class="vtable"> - <input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext('All ' . - 'log files will be saved.'); ?> <a href="/snort/snort_alerts.php?action=clear&instance=<?=$instanceid;?>"> + <input name="download" type="submit" class="formbtns" value="Download" + title="<?=gettext("Download interface log files as a gzip archive");?>"/> + <?php echo gettext('All log files will be saved.');?> <input name="delete" type="submit" class="formbtns" value="Clear" - onclick="return confirm('Do you really want to remove all instance logs?')"></a> - <span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo ' ' . gettext('all log files will be deleted.'); ?> + onclick="return confirm('Do you really want to remove all instance logs?')" title="<?=gettext("Clear all interface log files");?>"/> + <span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo ' ' . gettext('all log files will be deleted.'); ?> </td> </tr> <tr> <td width="22%" class="vncell"><?php echo gettext('Auto Refresh and Log View'); ?></td> <td width="78%" class="vtable"> - <input name="save" type="submit" class="formbtns" value="Save"> - <?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on" - <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> - <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> - <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> - <?php printf(gettext('Enter number of log entries to view. 
%sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <input name="save" type="submit" class="formbtns" value=" Save " title="<?=gettext("Save auto-refresh and view settings");?>"/> + <?php echo gettext('Refresh');?> <input name="arefresh" type="checkbox" value="on" + <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>/> + <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"/> + <?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> <tr> 
@@ -345,39 +428,39 @@ if ($pconfig['arefresh'] == 'on') </tr> <tr> <td width="100%" colspan="2"> - <table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> + <table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="0" cellpadding="0" cellspacing="0"> <colgroup> - <col width="9%" align="center" axis="date"> - <col width="45" align="center" axis="number"> - <col width="65" align="center" axis="string"> + <col width="10%" align="center" axis="date"> + <col width="40" align="center" axis="number"> + <col width="52" align="center" axis="string"> <col width="10%" axis="string"> <col width="13%" align="center" axis="string"> - <col width="8%" align="center" axis="string"> + <col width="7%" align="center" axis="string"> <col width="13%" align="center" axis="string"> - <col width="8%" align="center" axis="string"> - <col width="9%" align="center" axis="number"> + <col width="7%" align="center" axis="string"> + <col width="10%" align="center" axis="number"> <col axis="string"> </colgroup> <thead> <tr> - <th class="listhdrr" axis="date"><?php echo gettext("DATE"); ?></th> - <th class="listhdrr" axis="number"><?php echo gettext("PRI"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("PROTO"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("CLASS"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("SRC"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("SPORT"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("DST"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("DPORT"); ?></th> + <th class="listhdrr" axis="date"><?php echo gettext("Date"); ?></th> + <th class="listhdrr" axis="number"><?php echo gettext("Pri"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Proto"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Class"); ?></th> + <th class="listhdrr" 
axis="string"><?php echo gettext("Source"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("SPort"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Destination"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("DPort"); ?></th> <th class="listhdrr" axis="number"><?php echo gettext("SID"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("DESCRIPTION"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Description"); ?></th> </tr> </thead> <tbody> <?php /* make sure alert file exists */ -if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { - exec("tail -{$anentries} -r /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}"); +if (file_exists("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert")) { + exec("tail -{$anentries} -r {$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}"); if (file_exists("/tmp/alert_{$snort_uuid}")) { $tmpblocked = array_flip(snort_get_blocked_ips()); $counter = 0; @@ -385,7 +468,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */ $fd = fopen("/tmp/alert_{$snort_uuid}", "r"); while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { - if(count($fields) < 11) + if(count($fields) < 13) continue; /* Time */ 
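Review bot: The rewritten `tail` line interpolates `$anentries` straight into the shell command; `$anentries` derives from the saved `alertnumber` setting, which the save handler earlier in this file stores from `$_POST['alertnumber']` without validation (the line that assigns `$anentries` itself is outside this hunk). Cast at the point of use, `exec("tail -" . intval($anentries) . " -r {$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}");`, and reject non-integer values in the save handler with `is_numericint($_POST['alertnumber'])` so the stored setting can only ever reach the shell as a number.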
@@ -403,16 +486,23 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_src = $fields[6]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); - /* Add Reverse DNS lookup icon */ - $alert_ip_src .= "<br/><a href='/diag_dns.php?host={$fields[6]}&instance={$instanceid}'>"; + /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */ + $alert_ip_src .= "<br/>"; + if ($pfs_version > 2.0) { + $alert_ip_src .= "<a onclick=\"javascript:getURL('/diag_dns.php?host={$fields[6]}&dialog_output=true', outputrule);\">"; + $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' "; + $alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a> "; + } + $alert_ip_src .= "<a href='/diag_dns.php?host={$fields[6]}&instance={$instanceid}'>"; $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; $alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; + /* Add icons for auto-adding to Suppress List if appropriate */ if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) && !isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) { - $alert_ip_src .= " <a href='?instance={$instanceid}&act=addsuppress_srcip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[6])) . "'>"; - $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; - $alert_ip_src .= "title='" . gettext("Add this alert to the Suppress List and track by_src IP") . 
"'></a>"; + $alert_ip_src .= " <input type='image' name='addsuppress_srcip[]' onClick=\"encRuleSig('{$fields[1]}','{$fields[2]}','{$fields[6]}','{$alert_descr}');\" "; + $alert_ip_src .= "src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; + $alert_ip_src .= "title='" . gettext("Add this alert to the Suppress List and track by_src IP") . "'>"; } elseif (isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) { $alert_ip_src .= " <img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; @@ -420,9 +510,8 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { } /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[6]])) { - $alert_ip_src .= " "; - $alert_ip_src .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'> - <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; + $alert_ip_src .= " <input type='image' name='todelete[]' onClick=\"document.getElementById('ip').value='{$fields[6]}';\" "; + $alert_ip_src .= "src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12'>"; } /* IP SRC Port */ $alert_src_p = $fields[7]; 
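Review bot: `$alert_descr` and the IP field are placed inside a single-quoted JavaScript string within a double-quoted HTML attribute (`onClick=\"encRuleSig('…','{$fields[6]}','{$alert_descr}');\"`) with no JavaScript or attribute escaping at this site; `$alert_descr` is built outside the hunk, and unless it is already escaped there, a rule message containing a quote, backslash or `<` breaks out of the string or the attribute. The same pattern appears in the dst-side `encRuleSig` calls in the next hunk and in the SID-column calls after that. Encode once where the row is assembled, e.g. `$js_descr = htmlspecialchars(addslashes($alert_descr), ENT_QUOTES);`, and use `$js_descr` in every onClick string.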
@@ -430,16 +519,22 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_dst = $fields[8]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); - /* Add Reverse DNS lookup icon */ - $alert_ip_dst .= "<br/><a href='/diag_dns.php?host={$fields[8]}&instance={$instanceid}'>"; + /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */ + $alert_ip_dst .= "<br/>"; + if ($pfs_version > 2.0) { + $alert_ip_dst .= "<a onclick=\"javascript:getURL('/diag_dns.php?host={$fields[8]}&dialog_output=true', outputrule);\">"; + $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' "; + $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a> "; + } + $alert_ip_dst .= "<a href='/diag_dns.php?host={$fields[8]}&instance={$instanceid}'>"; $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; /* Add icons for auto-adding to Suppress List if appropriate */ if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) && !isset($supplist[$fields[1]][$fields[2]]['by_dst'][$fields[8]])) { - $alert_ip_dst .= " <a href='?instance={$instanceid}&act=addsuppress_dstip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[8])) . "'>"; - $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; - $alert_ip_dst .= "title='" . gettext("Add this alert to the Suppress List and track by_dst IP") . 
"'></a>"; + $alert_ip_dst .= " <input type='image' name='addsuppress_dstip[]' onClick=\"encRuleSig('{$fields[1]}','{$fields[2]}','{$fields[8]}','{$alert_descr}');\" "; + $alert_ip_dst .= "src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; + $alert_ip_dst .= "title='" . gettext("Add this alert to the Suppress List and track by_dst IP") . "'/>"; } elseif (isset($supplist[$fields[1]][$fields[2]]['by_dst'][$fields[8]])) { $alert_ip_dst .= " <img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; 
@@ -447,38 +542,49 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { } /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[8]])) { - $alert_ip_dst .= " "; - $alert_ip_dst .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'> - <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; + $alert_ip_dst .= " <input type='image' name='todelete[]' onClick=\"document.getElementById('ip').value='{$fields[8]}';\" "; + $alert_ip_dst .= "src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12'>"; } /* IP DST Port */ $alert_dst_p = $fields[9]; /* SID */ $alert_sid_str = "{$fields[1]}:{$fields[2]}"; if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2])) { - $sidsupplink = "<a href='?instance={$instanceid}&act=addsuppress&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}'>"; - $sidsupplink .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; - $sidsupplink .= "title='" . gettext("Add this alert to the Suppress List") . "'></a>"; + $sidsupplink = "<input type='image' name='addsuppress[]' onClick=\"encRuleSig('{$fields[1]}','{$fields[2]}','','{$alert_descr}');\" "; + $sidsupplink .= "src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; + $sidsupplink .= "title='" . gettext("Add this alert to the Suppress List") . "'/>"; } else { $sidsupplink = "<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; $sidsupplink .= "title='" . gettext("This alert is already in the Suppress List") . 
"'/>"; } + /* Add icon for toggling rule state */ + if (isset($disablesid[$fields[1]][$fields[2]])) { + $sid_dsbl_link = "<input type='image' name='togglesid[]' onClick=\"encRuleSig('{$fields[1]}','{$fields[2]}','','');\" "; + $sid_dsbl_link .= "src='../themes/{$g['theme']}/images/icons/icon_reject.gif' width='11' height='11' border='0' "; + $sid_dsbl_link .= "title='" . gettext("Rule is forced to a disabled state. Click to remove the force-disable action from this rule.") . "'/>"; + } + else { + $sid_dsbl_link = "<input type='image' name='togglesid[]' onClick=\"encRuleSig('{$fields[1]}','{$fields[2]}','','');\" "; + $sid_dsbl_link .= "src='../themes/{$g['theme']}/images/icons/icon_block.gif' width='11' height='11' border='0' "; + $sid_dsbl_link .= "title='" . gettext("Force-disable this rule and remove it from current rules set.") . "'/>"; + } + /* DESCRIPTION */ $alert_class = $fields[11]; + /* Write out a table row */ echo "<tr> <td class='listr' align='center'>{$alert_date}<br/>{$alert_time}</td> <td class='listr' align='center'>{$alert_priority}</td> <td class='listr' align='center'>{$alert_proto}</td> <td class='listr' style=\"word-wrap:break-word;\">{$alert_class}</td> - <td class='listr' align='center'>{$alert_ip_src}</td> + <td class='listr' align='center' sorttable_customkey='{$fields[6]}'>{$alert_ip_src}</td> <td class='listr' align='center'>{$alert_src_p}</td> - <td class='listr' align='center'>{$alert_ip_dst}</td> + <td class='listr' align='center' sorttable_customkey='{$fields[8]}'>{$alert_ip_dst}</td> <td class='listr' align='center'>{$alert_dst_p}</td> - <td class='listr' align='center'>{$alert_sid_str}<br/>{$sidsupplink}</td> - <td class='listr' style=\"word-wrap:break-word;\">{$alert_descr}</td> + <td class='listr' align='center' sorttable_customkey='{$fields[2]}'>{$alert_sid_str}<br/>{$sidsupplink} {$sid_dsbl_link}</td> + <td class='listbg' style=\"word-wrap:break-word;\">{$alert_descr}</td> </tr>\n"; - $counter++; } fclose($fd); 
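Review bot: `$counter++` is removed in this hunk while `$counter = 0;` remains as a context line in the hunk above, so unless `$counter` is read below the visible range it is now a dead variable and its initialisation should go too. The new image inputs are also closed inconsistently: the src-side ones end with `'>` and the dst-side and SID ones with `'/>`; pick one form for all of them.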
@@ -498,6 +604,21 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
 <?php include("fend.inc"); ?>
-
+<script type="text/javascript">
+function encRuleSig(rulegid,rulesid,srcip,ruledescr) {
+
+ // This function stuffs the passed GID, SID
+ // and other values into hidden Form Fields
+ // for postback.
+ if (typeof srcipip == "undefined")
+ var srcipip = "";
+ if (typeof ruledescr == "undefined")
+ var ruledescr = "";
+ document.getElementById("sidid").value = rulesid;
+ document.getElementById("gen_id").value = rulegid;
+ document.getElementById("ip").value = srcip;
+ document.getElementById("descr").value = ruledescr;
+}
+</script>
 </body>
 </html>
diff --git a/config/snort/snort_alerts.widget.php b/config/snort/snort_alerts.widget.php
new file mode 100644
index 00000000..0700ef2a
--- /dev/null
+++ b/config/snort/snort_alerts.widget.php
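Review bot: The fallback guard in `encRuleSig` tests the wrong name — the parameter is `srcip`, but the check reads `typeof srcipip` and declares an unrelated `var srcipip`, so a call that omits the source IP still assigns the string "undefined" to the hidden `ip` field. Replace the two lines with `if (typeof srcip == "undefined") srcip = "";`, and likewise drop the `var` from the `ruledescr` fallback (`ruledescr = "";`), since re-declaring a parameter with `var` is a no-op that obscures the intent.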
@@ -0,0 +1,246 @@ +<?php +/* + snort_alerts.widget.php + Copyright (C) 2009 Jim Pingle + mod 24-07-2012 + mod 28-02-2014 by Bill Meeks + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INClUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$nocsrf = true; + +require_once("guiconfig.inc"); +require_once("/usr/local/www/widgets/include/widget-snort.inc"); + +global $config, $g; + +/* retrieve snort variables */ +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_instance = &$config['installedpackages']['snortglobal']['rule']; + +// Test pfSense version and set different CSS class variables +// depending on version. 2.1 offers enhanced CSS styles. 
+$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pfs_version > '2.0') { + $alertRowEvenClass = "listMReven"; + $alertRowOddClass = "listMRodd"; + $alertColClass = "listMRr"; +} +else { + $alertRowEvenClass = "listr"; + $alertRowOddClass = "listr"; + $alertColClass = "listr"; +} + +/* check if Snort widget alert display lines value is set */ +$snort_nentries = $config['widgets']['widget_snort_display_lines']; +if (!isset($snort_nentries) || $snort_nentries < 0) + $snort_nentries = 5; + +/* array sorting of the alerts */ +function sksort(&$array, $subkey="id", $sort_ascending=false) { + /* an empty array causes sksort to fail - this test alleviates the error */ + if(empty($array)) + return false; + if (count($array)) { + $temp_array[key($array)] = array_shift($array); + }; + foreach ($array as $key => $val){ + $offset = 0; + $found = false; + foreach ($temp_array as $tmp_key => $tmp_val) { + if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) { + $temp_array = array_merge((array)array_slice($temp_array,0,$offset), array($key => $val), array_slice($temp_array,$offset)); + $found = true; + }; + $offset++; + }; + if (!$found) $temp_array = array_merge($temp_array, array($key => $val)); + }; + + if ($sort_ascending) { + $array = array_reverse($temp_array); + } else $array = $temp_array; + /* below is the complement for empty array test */ + return true; +}; + +// Called by Ajax to update the "snort-alert-entries" <tbody> table element's contents +if (isset($_GET['getNewAlerts'])) { + $response = ""; + $s_alerts = snort_widget_get_alerts(); + $counter = 0; + foreach ($s_alerts as $a) { + $response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . "||"; + $response .= $a['dst'] . "||" . $a['priority'] . "||" . $a['category'] . 
"\n"; + $counter++; + if($counter >= $snort_nentries) + break; + } + echo $response; + return; +} + +// See if saving new display line count value +if(isset($_POST['widget_snort_display_lines'])) { + $config['widgets']['widget_snort_display_lines'] = $_POST['widget_snort_display_lines']; + write_config("Saved Snort Alerts Widget Displayed Lines Parameter via Dashboard"); + header("Location: ../../index.php"); +} + +// Read "$snort_nentries" worth of alerts from the top of the alert.log file +// of each configured interface, and then return the most recent '$snort_entries' +// alerts in a sorted array (most recent alert first). +function snort_widget_get_alerts() { + + global $config, $a_instance, $snort_nentries; + $snort_alerts = array(); + /* read log file(s) */ + $counter=0; + foreach ($a_instance as $instanceid => $instance) { + $snort_uuid = $a_instance[$instanceid]['uuid']; + $if_real = get_real_interface($a_instance[$instanceid]['interface']); + + /* make sure alert file exists, then "tail" the last '$snort_nentries' from it */ + if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { + exec("tail -{$snort_nentries} -r /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_snort{$snort_uuid}"); + + if (file_exists("/tmp/alert_snort{$snort_uuid}")) { + + /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ + /* File format: timestamp,generator_id,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */ + $fd = fopen("/tmp/alert_snort{$snort_uuid}", "r"); + while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { + if(count($fields) < 13) + continue; + + // Get the Snort interface this alert was received from + $snort_alerts[$counter]['instanceid'] = strtoupper($a_instance[$instanceid]['interface']); + + // "fields[0]" is the complete timestamp in ASCII form. Convert + // to a UNIX timestamp so we can use it for various date and + // time formatting. 
Also extract the MM/DD/YY component and + // reverse its order to YY/MM/DD for proper sorting. + $fields[0] = trim($fields[0]); // remove trailing space before comma delimiter + $tstamp = strtotime(str_replace("-", " ", $fields[0])); // remove "-" between date and time components + $tmp = substr($fields[0],6,2) . '/' . substr($fields[0],0,2) . '/' . substr($fields[0],3,2); + $snort_alerts[$counter]['timestamp'] = str_replace(substr($fields[0],0,8),$tmp,$fields[0]); + + $snort_alerts[$counter]['timeonly'] = date("H:i:s", $tstamp); + $snort_alerts[$counter]['dateonly'] = date("M d", $tstamp); + // Add square brackets around any any IPv6 address + if (strpos($fields[6], ":") === FALSE) + $snort_alerts[$counter]['src'] = trim($fields[6]); + else + $snort_alerts[$counter]['src'] = "[" . trim($fields[6]) . "]"; + // Add the SRC PORT if not null + if (!empty($fields[7])) + $snort_alerts[$counter]['src'] .= ":" . trim($fields[7]); + // Add square brackets around any any IPv6 address + if (strpos($fields[8], ":") === FALSE) + $snort_alerts[$counter]['dst'] = trim($fields[8]); + else + $snort_alerts[$counter]['dst'] = "[" . trim($fields[8]) . "]"; + // Add the DST PORT if not null + if (!empty($fields[9])) + $snort_alerts[$counter]['dst'] .= ":" . 
trim($fields[9]); + $snort_alerts[$counter]['priority'] = trim($fields[12]); + $snort_alerts[$counter]['category'] = trim($fields[11]); + $counter++; + }; + fclose($fd); + @unlink("/tmp/alert_snort{$snort_uuid}"); + }; + }; + }; + + /* sort the alerts array */ + if (isset($config['syslog']['reverse'])) { + sksort($snort_alerts, 'timestamp', false); + } else { + sksort($snort_alerts, 'timestamp', true); + }; + + return $snort_alerts; +} +?> + +<input type="hidden" id="snort_alerts-config" name="snort_alerts-config" value="" /> +<div id="snort_alerts-settings" class="widgetconfigdiv" style="display:none;"> + <form action="/widgets/widgets/snort_alerts.widget.php" method="post" name="iformd"> + Enter number of recent alerts to display (default is 5)<br/> + <input type="text" size="5" name="widget_snort_display_lines" class="formfld unknown" id="widget_snort_display_lines" value="<?= $config['widgets']['widget_snort_display_lines'] ?>" /> + <input id="submitd" name="submitd" type="submit" class="formbtn" value="Save" /> + </form> +</div> + +<table id="snort-alert-tbl" width="100%" border="0" cellspacing="0" cellpadding="0" style="table-layout: fixed;"> + <colgroup> + <col style="width: 24%;" /> + <col style="width: 38%;" /> + <col style="width: 38%;" /> + </colgroup> + <thead> + <tr> + <th class="widgetsubheader"><?=gettext("IF/Date");?></th> + <th class="widgetsubheader"><?=gettext("Src/Dst Address");?></th> + <th class="widgetsubheader"><?=gettext("Classification");?></th> + </tr> + </thead> + <tbody id="snort-alert-entries"> + <?php + $snort_alerts = snort_widget_get_alerts(); + $counter=0; + if (is_array($snort_alerts)) { + foreach ($snort_alerts as $alert) { + $alertRowClass = $counter % 2 ? $alertRowEvenClass : $alertRowOddClass; + echo(" <tr class='" . $alertRowClass . "'> + <td class='" . $alertColClass . "'>" . $alert['instanceid'] . " " . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td> + <td class='" . $alertColClass . 
"' style='overflow: hidden; text-overflow: ellipsis;' nowrap><div style='display:inline;' title='" . $alert['src'] . "'>" . $alert['src'] . "</div><br/><div style='display:inline;' title='" . $alert['dst'] . "'>" . $alert['dst'] . "</div></td> + <td class='" . $alertColClass . "'>Priority: " . $alert['priority'] . " " . $alert['category'] . "</td></tr>"); + $counter++; + if($counter >= $snort_nentries) + break; + } + } + ?> + </tbody> +</table> + +<script type="text/javascript"> +//<![CDATA[ +<!-- needed in the snort_alerts.js file code --> + var snortupdateDelay = 10000; // update every 10 seconds + var snort_nentries = <?=$snort_nentries;?>; // number of alerts to display (5 is default) + var snortWidgetRowEvenClass = "<?=$alertRowEvenClass;?>"; // allows alternating background on 2.1 and higher + var snortWidgetRowOddClass = "<?=$alertRowOddClass;?>"; // allows alternating background on 2.1 and higher + var snortWidgetColClass = "<?=$alertColClass;?>"; // sets column CSS style (different on 2.1 and higher) + +<!-- needed to display the widget settings menu --> + selectIntLink = "snort_alerts-configure"; + textlink = document.getElementById(selectIntLink); + textlink.style.display = "inline"; +//]]> +</script> + diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index 2457b573..902c1637 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -5,6 +5,7 @@ * * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. * Copyright (C) 2008-2009 Robert Zelaya. + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
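Review bot: `$_POST['widget_snort_display_lines']` is written to the config unvalidated, and the same value is later spliced into a shell command as `$snort_nentries` in `exec("tail -{$snort_nentries} -r ...")`; because the file also sets `$nocsrf = true`, that config write is reachable without a CSRF token, so a non-numeric value can end up on the tail command line. Accept only integers on both the write and the read path — `if (isset($_POST['widget_snort_display_lines']) && is_numericint($_POST['widget_snort_display_lines'])) {` and `if (!is_numericint($snort_nentries) || $snort_nentries < 0)` — and add `exit;` after the `header("Location: ../../index.php");` so the rest of the page is not rendered after the redirect. The `getNewAlerts` response and the `<tbody>` rows echo `$alert['src']`, `$alert['dst']` and `$alert['category']` from the alert CSV raw; pass them through `htmlspecialchars()` since the classification field is free text. The predictable `/tmp/alert_snort{$snort_uuid}` scratch file could be dropped entirely by reading `tail` output through `exec()`'s `$output` argument, as snort.inc already does for the version string.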
@@ -34,9 +35,11 @@ require_once("/usr/local/pkg/snort/snort.inc");
 global $g, $rebuild_rules;
-$id = $_GET['id'];
-if (isset($_POST['id']))
+if (isset($_POST['id']) && is_numericint($_POST['id']))
 $id = $_POST['id'];
+elseif (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
+
 if (is_null($id)) {
 header("Location: /snort/snort_interfaces.php");
 exit;
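Review bot: `$id` is never initialized, so when neither the POST nor the GET branch matches, `is_null($id)` reads an undefined variable and only works through the notice-level fallback to null; add `$id = null;` ahead of the `if`. The `htmlspecialchars()` on the GET path is a no-op once `is_numericint()` has passed and is not applied on the POST path, so the two branches can be made symmetric with `$id = $_GET['id'];`.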
@@ -47,63 +50,151 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) $a_nat = &$config['installedpackages']['snortglobal']['rule']; $pconfig = array(); + +// The keys in the $retentions array are the retention period +// converted to hours. +$retentions = array( '0' => gettext('KEEP ALL'), '24' => gettext('1 DAY'), '168' => gettext('7 DAYS'), '336' => gettext('14 DAYS'), + '720' => gettext('30 DAYS'), '1080' => gettext("45 DAYS"), '2160' => gettext('90 DAYS'), '4320' => gettext('180 DAYS'), + '8766' => gettext('1 YEAR'), '26298' => gettext("3 YEARS") ); + +$log_sizes = array( '0' => gettext('NO LIMIT'), '8' => gettext('8 MB'), '16' => gettext('16 MB'), '32' => gettext('32 MB'), + '64' => gettext('64 MB'), '128' => gettext('128 MB'), '256' => gettext('256 MB') ); + if (isset($id) && $a_nat[$id]) { - /* old options */ $pconfig = $a_nat[$id]; if (!empty($a_nat[$id]['barnconfigpassthru'])) $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); + if (!empty($a_nat[$id]['barnyard_dbpwd'])) + $pconfig['barnyard_dbpwd'] = base64_decode($a_nat[$id]['barnyard_dbpwd']); + if (empty($a_nat[$id]['barnyard_show_year'])) + $pconfig['barnyard_show_year'] = "on"; + if (empty($a_nat[$id]['unified2_log_limit'])) + $pconfig['unified2_log_limit'] = "32"; + if (empty($a_nat[$id]['barnyard_archive_enable'])) + $pconfig['barnyard_archive_enable'] = "on"; + if (empty($a_nat[$id]['u2_archived_log_retention'])) + $pconfig['u2_archived_log_retention'] = "168"; + if (empty($a_nat[$id]['barnyard_obfuscate_ip'])) + $pconfig['barnyard_obfuscate_ip'] = "off"; + if (empty($a_nat[$id]['barnyard_syslog_dport'])) + $pconfig['barnyard_syslog_dport'] = "514"; + if (empty($a_nat[$id]['barnyard_syslog_proto'])) + $pconfig['barnyard_syslog_proto'] = "udp"; + if (empty($a_nat[$id]['barnyard_syslog_opmode'])) + $pconfig['barnyard_syslog_opmode'] = "default"; + if (empty($a_nat[$id]['barnyard_syslog_facility'])) + $pconfig['barnyard_syslog_facility'] = 
"LOG_USER"; + if (empty($a_nat[$id]['barnyard_syslog_priority'])) + $pconfig['barnyard_syslog_priority'] = "LOG_INFO"; + if (empty($a_nat[$id]['barnyard_bro_ids_dport'])) + $pconfig['barnyard_bro_ids_dport'] = "47760"; } -if (isset($_GET['dup'])) - unset($id); +if ($_POST['save']) { + // Check that at least one output plugin is enabled + if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on' && + $_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on") + $input_errors[] = gettext("You must enable at least one output option when using Barnyard2."); -if ($_POST) { + // Validate inputs if MySQL database loggging enabled + if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { + if (empty($_POST['barnyard_dbhost'])) + $input_errors[] = gettext("Please provide a valid hostname or IP address for the MySQL database host."); + if (empty($_POST['barnyard_dbname'])) + $input_errors[] = gettext("You must provide a DB instance name when logging to a MySQL database."); + if (empty($_POST['barnyard_dbuser'])) + $input_errors[] = gettext("You must provide a DB user login name when logging to a MySQL database."); + } + + // Validate inputs if syslog output enabled + if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { + if ($_POST['barnyard_log_vlan_events'] == 'on' || $_POST['barnyard_log_mpls_events'] == 'on') + $input_errors[] = gettext("Logging of VLAN or MPLS events is not compatible with syslog output. 
You must disable VLAN and MPLS event type logging when using the syslog output option."); + } + if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_syslog_local'] <> 'on' && + $_POST['barnyard_enable'] == "on") { + if (empty($_POST['barnyard_syslog_dport']) || !is_numeric($_POST['barnyard_syslog_dport'])) + $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Syslog Remote Port."); + if (empty($_POST['barnyard_syslog_rhost'])) + $input_errors[] = gettext("Please provide a valid hostname or IP address for the Syslog Remote Host."); + } - foreach ($a_nat as $natent) { - if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) - continue; - if ($natent['interface'] != $_POST['interface']) - $input_error[] = "This interface has already an instance defined"; + // Validate inputs if Bro-IDS output enabled + if ($_POST['barnyard_bro_ids_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { + if (empty($_POST['barnyard_bro_ids_dport']) || !is_numeric($_POST['barnyard_bro_ids_dport'])) + $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Bro-IDS Remote Port."); + if (empty($_POST['barnyard_bro_ids_rhost'])) + $input_errors[] = gettext("Please provide a valid hostname or IP address for the Bro-IDS Remote Host."); } - /* if no errors write to conf */ + // if no errors write to conf if (!$input_errors) { $natent = array(); /* repost the options already in conf */ $natent = $pconfig; $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? 'on' : 'off'; - if ($_POST['barnyard_mysql']) $natent['barnyard_mysql'] = $_POST['barnyard_mysql']; else unset($natent['barnyard_mysql']); + $natent['barnyard_show_year'] = $_POST['barnyard_show_year'] ? 'on' : 'off'; + $natent['barnyard_archive_enable'] = $_POST['barnyard_archive_enable'] ? 'on' : 'off'; + $natent['barnyard_dump_payload'] = $_POST['barnyard_dump_payload'] ? 
'on' : 'off'; + $natent['barnyard_obfuscate_ip'] = $_POST['barnyard_obfuscate_ip'] ? 'on' : 'off'; + $natent['barnyard_log_vlan_events'] = $_POST['barnyard_log_vlan_events'] ? 'on' : 'off'; + $natent['barnyard_log_mpls_events'] = $_POST['barnyard_log_mpls_events'] ? 'on' : 'off'; + $natent['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable'] ? 'on' : 'off'; + $natent['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable'] ? 'on' : 'off'; + $natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off'; + $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off'; + $natent['barnyard_disable_sig_ref_tbl'] = $_POST['barnyard_disable_sig_ref_tbl'] ? 'on' : 'off'; + $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; + $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; + + if ($_POST['unified2_log_limit']) $natent['unified2_log_limit'] = $_POST['unified2_log_limit']; else unset($natent['unified2_log_limit']); + if ($_POST['u2_archived_log_retention']) $natent['u2_archived_log_retention'] = $_POST['u2_archived_log_retention']; else unset($natent['u2_archived_log_retention']); + if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']); + if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']); + if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']); + if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']); + if ($_POST['barnyard_dbpwd']) $natent['barnyard_dbpwd'] = base64_encode($_POST['barnyard_dbpwd']); else unset($natent['barnyard_dbpwd']); + if ($_POST['barnyard_syslog_rhost']) $natent['barnyard_syslog_rhost'] = $_POST['barnyard_syslog_rhost']; else 
unset($natent['barnyard_syslog_rhost']); + if ($_POST['barnyard_syslog_dport']) $natent['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport']; else $natent['barnyard_syslog_dport'] = '514'; + if ($_POST['barnyard_syslog_facility']) $natent['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility']; else $natent['barnyard_syslog_facility'] = 'LOG_USER'; + if ($_POST['barnyard_syslog_priority']) $natent['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; else $natent['barnyard_syslog_priority'] = 'LOG_INFO'; + if ($_POST['barnyard_bro_ids_rhost']) $natent['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; else unset($natent['barnyard_bro_ids_rhost']); + if ($_POST['barnyard_bro_ids_dport']) $natent['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; else $natent['barnyard_bro_ids_dport'] = '47760'; if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']); else unset($natent['barnconfigpassthru']); - if ($_POST['barnyard_enable'] == "on") - $natent['snortunifiedlog'] = 'on'; - else - $natent['snortunifiedlog'] = 'off'; - - if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; - else { - $a_nat[] = $natent; - } - write_config(); + $a_nat[$id] = $natent; + write_config("Snort pkg: modified Barnyard2 settings."); - /* No need to rebuild rules if just toggling Barnyard2 on or off */ + // No need to rebuild rules for Barnyard2 changes $rebuild_rules = false; sync_snort_package_config(); - /* after click go to this page */ - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: snort_barnyard.php?id=$id"); - exit; + // If disabling Barnyard2 on the interface, stop any + // currently running instance. 
If an instance is + // running, signal it to reload the configuration. + // If Barnyard2 is enabled but not running, notify the + // user to restart Snort to enable Unified2 output. + if ($a_nat[$id]['barnyard_enable'] == "off") { + snort_barnyard_stop($a_nat[$id], get_real_interface($a_nat[$id]['interface'])); + } + elseif ($a_nat[$id]['barnyard_enable'] == "on") { + if (snort_is_running($a_nat[$id]['uuid'], get_real_interface($a_nat[$id]['interface']), "barnyard2")) + snort_barnyard_reload_config($a_nat[$id], "HUP"); + else { + // Notify user a Snort restart is required if enabling Barnyard2 for the first time + $savemsg = gettext("NOTE: you must restart Snort on this interface to activate unified2 logging for Barnyard2."); + } + } + $pconfig = $natent; + } + else { + // We had errors, so save previous field data to prevent retyping + $pconfig = $_POST; } } -$if_friendly = snort_get_friendly_interface($pconfig['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - Barnyard2 Settings"); include_once("head.inc"); @@ -111,21 +202,6 @@ include_once("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> -<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> - -<script language="JavaScript"> -<!-- - -function enable_change(enable_change) { - endis = !(document.iform.barnyard_enable.checked || enable_change); - // make shure a default answer is called if this is envoked. - endis2 = (document.iform.barnyard_enable); - - document.iform.barnyard_mysql.disabled = endis; - document.iform.barnconfigpassthru.disabled = endis; -} -//--> -</script> <?php 
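Review bot: The port checks for `barnyard_syslog_dport` and `barnyard_bro_ids_dport` use `is_numeric()`, which accepts `65536`, `-1`, `1.5` and `1e3`, so the error text promising 1–65535 is not what is enforced; use `if (empty($_POST['barnyard_syslog_dport']) || !is_numericint($_POST['barnyard_syslog_dport']) || $_POST['barnyard_syslog_dport'] < 1 || $_POST['barnyard_syslog_dport'] > 65535)` and the same for the Bro-IDS port. The old `if (isset($id) && $a_nat[$id])` guard before the assignment was dropped in favour of a bare `$a_nat[$id] = $natent;`, so a numeric `id` with no matching instance now creates a stub entry built from an empty `$pconfig` and then calls `snort_barnyard_stop()` on it; re-checking `$a_nat[$id]` (or redirecting when it is unset, as the top of the file does for a missing id) keeps the save path confined to real instances. `$_POST['save']` and the many `$_POST['...'] == 'on'` comparisons read keys that are absent when a box is unchecked, so wrapping them in `isset()`/`!empty()` would keep the page notice-free. The stored `barnyard_dbpwd` is only base64-encoded, which is obfuscation rather than protection; a comment such as `// base64 is only obfuscation, not encryption` next to the `base64_encode` call would stop the next maintainer from mistaking it for a secure store.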
@@ -138,10 +214,10 @@ function enable_change(enable_change) {
 print_info_box($savemsg);
 }
- ?>
+?>
 
-<form action="snort_barnyard.php" method="post"
- enctype="multipart/form-data" name="iform" id="iform">
+<form action="snort_barnyard.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id;?>" />
 </td>
 <table width="100%" border="0" cellpadding="0" cellspacing="0">
 <tr><td>
 <?php
@@ -149,23 +225,25 @@ function enable_change(enable_change) { $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); echo '</td></tr>'; echo '<tr><td>'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); - $tab_array = array(); - $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array($menu_iface . 
gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr> 
@@ -178,46 +256,282 @@ function enable_change(enable_change) { <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Enable"); ?></td> <td width="78%" class="vtable"> - <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)"> + <input name="barnyard_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_enable'] == "on") echo "checked"; ?> onClick="enable_change(false)"/> <strong><?php echo gettext("Enable Barnyard2"); ?></strong><br/> - <?php echo gettext("This will enable barnyard2 for this interface. You will also have to set the database credentials."); ?></td> + <?php echo gettext("This will enable barnyard2 for this interface. You will also to enable at least one logging destination below."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Show Year"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_show_year" type="checkbox" value="on" <?php if ($pconfig['barnyard_show_year'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable the year being shown in timestamps. Default value is ") . "<strong>" . gettext("Checked") . "</strong>"; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Unified2 Log Limit"); ?></td> + <td width="78%" class="vtable"><select name="unified2_log_limit" class="formselect" id="unified2_log_limit"> + <?php foreach ($log_sizes as $k => $p): ?> + <option value="<?=$k;?>" + <?php if ($k == $pconfig['unified2_log_limit']) echo "selected"; ?>> + <?=htmlspecialchars($p);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose a Unified2 Log file size limit in megabytes (MB). 
Default is "); ?><strong><?=gettext("32 MB.");?></strong><br/><br/> + <?php echo gettext("This sets the maximum size for a Unified2 Log file before it is rotated and a new one created."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Archive Unified2 Logs"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_archive_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_archive_enable'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable the archiving of processed unified2 log files. Default value is ") . "<strong>" . gettext("Checked") . "</strong>"; ?><br/> + <?php echo gettext("Unified2 log files will be moved to an archive folder for subsequent cleanup when processed."); ?> + </td> + </tr> + <tr> + <td class="vncell" width="22%" valign="top"><?=gettext("Unified2 Archived Log Retention Period");?></td> + <td width="78%" class="vtable"><select name="u2_archived_log_retention" class="formselect" id="u2_archived_log_retention"> + <?php foreach ($retentions as $k => $p): ?> + <option value="<?=$k;?>" + <?php if ($k == $pconfig['u2_archived_log_retention']) echo "selected"; ?>> + <?=htmlspecialchars($p);?></option> + <?php endforeach; ?> + </select> <?=gettext("Choose retention period for archived Barnyard2 binary log files. Default is ") . "<strong>" . gettext("7 days."). "</strong>";?><br/><br/> + <?=gettext("When Barnyard2 output is enabled, Snort writes event data to a binary format file that Barnyard2 reads and processes. ") . + gettext("When finished processing a file, Barnyard2 moves it to an archive folder. This setting determines how long files ") . 
+ gettext("remain in the archive folder before they are automatically deleted.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Dump Payload"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_dump_payload" type="checkbox" value="on" <?php if ($pconfig['barnyard_dump_payload'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable dumping of application data from unified2 files. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Obfuscate IP Addresses"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_obfuscate_ip" type="checkbox" value="on" <?php if ($pconfig['barnyard_obfuscate_ip'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable obfuscation of logged IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?> + </td> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log VLAN Events"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_log_vlan_events" type="checkbox" value="on" <?php if ($pconfig['barnyard_log_vlan_events'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable logging of VLAN event types in unified2 files. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log MPLS Events"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_log_mpls_events" type="checkbox" value="on" <?php if ($pconfig['barnyard_log_mpls_events'] == "on") echo "checked"; ?>/> + <?php echo gettext("Enable logging of MPLS event types in unified2 files. Default value is ") . "<strong>" . gettext("Not Checked") . 
"</strong>"; ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensor Name"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_sensor_name" type="text" class="formfld unknown" + id="barnyard_sensor_name" size="25" value="<?=htmlspecialchars($pconfig['barnyard_sensor_name']);?>"/> + <?php echo gettext("Unique name for this sensor. Leave blank to use internal default."); ?> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable MySQL Database"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_mysql_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_mysql_enable'] == "on") echo "checked"; ?> + onClick="toggle_mySQL()"/><?php echo gettext("Enable logging of alerts to a MySQL database instance"); ?><br/> + <?php echo gettext("You will also have to provide the database credentials in the fields below."); ?></td> + </tr> + <tbody id="mysql_config_rows"> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Database Host"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_dbhost" type="text" class="formfld host" + id="barnyard_dbhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbhost']);?>"/> + <?php echo gettext("Hostname or IP address of the MySQL database server"); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Database Name"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_dbname" type="text" class="formfld unknown" + id="barnyard_dbname" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbname']);?>"/> + <?php echo gettext("Instance or DB name of the MySQL database"); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Database User Name"); ?></td> + <td 
width="78%" class="vtable"> + <input name="barnyard_dbuser" type="text" class="formfld user" + id="barnyard_dbuser" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbuser']);?>"/> + <?php echo gettext("Username for the MySQL database"); ?> + </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Settings"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Database User Password"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_dbpwd" type="password" class="formfld pwd" + id="barnyard_dbpwd" size="25" value="<?=htmlspecialchars($pconfig['barnyard_dbpwd']);?>"/> + <?php echo gettext("Password for the MySQL database user"); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Disable Signature Reference Table"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_disable_sig_ref_tbl" type="checkbox" value="on" <?php if ($pconfig['barnyard_disable_sig_ref_tbl'] == "on") echo "checked"; ?>/> + <?php echo gettext("Disable synchronization of sig_reference table in schema. Default value is ") . "<strong>" . gettext("Not Checked") . 
"</strong>"; ?><br/> + <br/><?php echo gettext("This option will speedup the process when checked, plus it can help work around a 'duplicate entry' error when running multiple Snort instances."); ?> + </td> + </tr> + </tbody> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Syslog Output Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Syslog"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_syslog_enable'] == "on") echo "checked"; ?> + onClick="toggle_syslog()"/> + <?php echo gettext("Enable logging of alerts to a syslog receiver"); ?><br/> + <?php echo gettext("This will send alert data to either a local or remote syslog receiver."); ?></td> + </tr> + <tbody id="syslog_config_rows"> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Operation Mode"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_opmode" type="radio" id="barnyard_syslog_opmode_default" + value="default" <?php if ($pconfig['barnyard_syslog_opmode'] == 'default') echo "checked";?>/> + <?php echo gettext("DEFAULT"); ?> <input name="barnyard_syslog_opmode" type="radio" id="barnyard_syslog_opmode_complete" + value="complete" <?php if ($pconfig['barnyard_syslog_opmode'] == 'complete') echo "checked";?>/> + <?php echo gettext("COMPLETE"); ?> + <?php echo gettext("Select the level of detail to include when reporting"); ?><br/><br/> + <?php echo gettext("DEFAULT mode is compatible with the standard Snort syslog format. 
COMPLETE mode includes additional information such as the raw packet data (displayed in hex format)."); ?> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td> - <td width="78%" class="vtable"><input name="barnyard_mysql" - type="text" class="formfld unknown" id="barnyard_mysql" style="width:95%;" size="85" - value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br/> - <span class="vexpl"><?php echo gettext("Example: output database: alert, mysql, " . - "dbname=snort user=snort host=localhost password=xyz"); ?><br/> - <?php echo gettext("Example: output database: log, mysql, dbname=snort user=snort " . - "host=localhost password=xyz"); ?></span></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Local Only"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_local" type="checkbox" value="on" <?php if ($pconfig['barnyard_syslog_local'] == "on") echo "checked"; ?> + onClick="toggle_local_syslog()"/> + <?php echo gettext("Enable logging of alerts to the local system only"); ?><br/> + <?php echo gettext("This will send alert data to the local system only and overrides the host, port, protocol, facility and priority values below."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Host"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_rhost" type="text" class="formfld host" + id="barnyard_syslog_rhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_syslog_rhost']);?>"/> + <?php echo gettext("Hostname or IP address of remote syslog host"); ?> + </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Port"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_dport" type="text" class="formfld unknown" + id="barnyard_syslog_dport" size="25" value="<?=htmlspecialchars($pconfig['barnyard_syslog_dport']);?>"/> + <?php echo 
gettext("Port number for syslog on remote host. Default is ") . "<strong>" . gettext("514") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_syslog_proto" type="radio" id="barnyard_syslog_proto_udp" + value="udp" <?php if ($pconfig['barnyard_syslog_proto'] == 'udp') echo "checked";?>/> + <?php echo gettext("UDP"); ?> <input name="barnyard_syslog_proto" type="radio" id="barnyard_syslog_proto_tcp" + value="tcp" <?php if ($pconfig['barnyard_syslog_proto'] == 'tcp') echo "checked";?>/> + <?php echo gettext("TCP"); ?> + <?php echo gettext("Select IP protocol to use for remote reporting. Default is ") . "<strong>" . gettext("UDP") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Facility"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_syslog_facility" id="barnyard_syslog_facility" class="formselect"> + <?php + $log_facility = array( "LOG_AUTH", "LOG_AUTHPRIV", "LOG_DAEMON", "LOG_KERN", "LOG_SYSLOG", "LOG_USER", "LOG_LOCAL1", + "LOG_LOCAL2", "LOG_LOCAL3", "LOG_LOCAL4", "LOG_LOCAL5", "LOG_LOCAL6", "LOG_LOCAL7" ); + foreach ($log_facility as $facility) { + $selected = ""; + if ($facility == $pconfig['barnyard_syslog_facility']) + $selected = " selected"; + echo "<option value='{$facility}'{$selected}>" . $facility . "</option>\n"; + } + ?></select> + <?php echo gettext("Select Syslog Facility to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_USER") . 
"</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Priority"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_syslog_priority" id="barnyard_syslog_priority" class="formselect"> + <?php + $log_priority = array( "LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR", "LOG_WARNING", "LOG_NOTICE", "LOG_INFO" ); + foreach ($log_priority as $priority) { + $selected = ""; + if ($priority == $pconfig['barnyard_syslog_priority']) + $selected = " selected"; + echo "<option value='{$priority}'{$selected}>" . $priority . "</option>\n"; + } + ?></select> + <?php echo gettext("Select Syslog Priority (Level) to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_INFO") . "</strong>."; ?> + </td> + </tr> + </tbody> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Bro-IDS Output Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Bro-IDS"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_bro_ids_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_bro_ids_enable'] == "on") echo "checked"; ?> + onClick="toggle_bro_ids()"/> + <?php echo gettext("Enable logging of alerts to a Bro-IDS receiver"); ?><br/> + <?php echo gettext("This will send alert data to either a local or remote Bro-IDS receiver."); ?></td> + </tr> + <tbody id="bro_ids_config_rows"> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Host"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_bro_ids_rhost" type="text" class="formfld host" + id="barnyard_bro_ids_rhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_rhost']);?>"/> + <?php echo gettext("Hostname or IP address of remote Bro-IDS host"); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Port"); ?></td> + <td width="78%" class="vtable"> + <input 
name="barnyard_bro_ids_dport" type="text" class="formfld unknown" + id="barnyard_bro_ids_dport" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_dport']);?>"/> + <?php echo gettext("Port number for Bro-IDS instance on remote host. Default is ") . "<strong>" . gettext("47760") . "</strong>."; ?> + </td> + </tr> + </tbody> + <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Advanced Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Advanced configuration " . - "pass through"); ?></td> + "pass-through"); ?></td> <td width="78%" class="vtable"><textarea name="barnconfigpassthru" style="width:95%;" cols="65" rows="7" id="barnconfigpassthru" ><?=htmlspecialchars($pconfig['barnconfigpassthru']);?></textarea> <br/> - <?php echo gettext("Arguments here will be automatically inserted into the running " . + <?php echo gettext("Arguments entered here will be automatically inserted into the running " . "barnyard2 configuration."); ?></td> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input name="id" type="hidden" value="<?=$id;?>"> </td> + <input name="save" type="submit" class="formbtn" value="Save" title="<?=gettext("Save Barnyard2 configuration");?>" /> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span></span> <br/> - <?php echo gettext("Please save your settings before you click start."); ?> </td> + <?php echo gettext("Remember to save your settings before you leave this tab."); ?> </td> </tr> </table> </div> 
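Review bot: The "Obfuscate IP Addresses" row closes its `</td>` but never emits `</tr>` before the "Log VLAN Events" `<tr>` opens, leaving the browser to auto-close the row; add `</tr>` after that `</td>`. The Enable row's help text reads "You will also to enable at least one logging destination below." and is missing a word (`You will also need to enable …`). Separately, the stored MySQL password is round-tripped into the page via `value="<?=htmlspecialchars($pconfig['barnyard_dbpwd']);?>"`, which exposes it in page source and browser caches; consider leaving the password field blank and keeping the stored value when an empty password is posted (the POST handler is outside this hunk, so this part is a suggestion to confirm there).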
@@ -225,10 +539,107 @@ function enable_change(enable_change) {
 </tr>
 </table>
 </form>
+
 <script language="JavaScript">
-<!--
+function toggle_mySQL() {
+ var endis = !document.iform.barnyard_mysql_enable.checked;
+
+ document.iform.barnyard_dbhost.disabled = endis;
+ document.iform.barnyard_dbname.disabled = endis;
+ document.iform.barnyard_dbuser.disabled = endis;
+ document.iform.barnyard_dbpwd.disabled = endis;
+ document.iform.barnyard_disable_sig_ref_tbl.disabled = endis;
+
+ if (endis)
+ document.getElementById("mysql_config_rows").style.display = "none";
+ else
+ document.getElementById("mysql_config_rows").style.display = "";
+}
+
+function toggle_syslog() {
+ var endis = !document.iform.barnyard_syslog_enable.checked;
+
+ document.iform.barnyard_syslog_opmode_default.disabled = endis;
+ document.iform.barnyard_syslog_opmode_complete.disabled = endis;
+ document.iform.barnyard_syslog_local.disabled = endis;
+ document.iform.barnyard_syslog_rhost.disabled = endis;
+ document.iform.barnyard_syslog_dport.disabled = endis;
+ document.iform.barnyard_syslog_proto_udp.disabled = endis;
+ document.iform.barnyard_syslog_proto_tcp.disabled = endis;
+ document.iform.barnyard_syslog_facility.disabled = endis;
+ document.iform.barnyard_syslog_priority.disabled = endis;
+
+ if (endis)
+ document.getElementById("syslog_config_rows").style.display = "none";
+ else
+ document.getElementById("syslog_config_rows").style.display = "";
+}
+
+function toggle_local_syslog() {
+ var endis = document.iform.barnyard_syslog_local.checked;
+
+ if (document.iform.barnyard_syslog_enable.checked) {
+ document.iform.barnyard_syslog_rhost.disabled = endis;
+ document.iform.barnyard_syslog_dport.disabled = endis;
+ document.iform.barnyard_syslog_proto_udp.disabled = endis;
+ document.iform.barnyard_syslog_proto_tcp.disabled = endis;
+ document.iform.barnyard_syslog_facility.disabled = endis;
+ document.iform.barnyard_syslog_priority.disabled = endis;
+ }
+}
+
+function toggle_bro_ids() {
+ var endis = !document.iform.barnyard_bro_ids_enable.checked;
+
+ document.iform.barnyard_bro_ids_rhost.disabled = endis;
+ document.iform.barnyard_bro_ids_dport.disabled = endis;
+
+ if (endis)
+ document.getElementById("bro_ids_config_rows").style.display = "none";
+ else
+ document.getElementById("bro_ids_config_rows").style.display = "";
+}
+
+function enable_change(enable_change) {
+ endis = !(document.iform.barnyard_enable.checked || enable_change);
+ // make sure a default answer is called if this is invoked.
+ endis2 = (document.iform.barnyard_enable);
+ document.iform.unified2_log_limit.disabled = endis;
+ document.iform.barnyard_archive_enable.disabled = endis;
+ document.iform.u2_archived_log_retention.disabled = endis;
+ document.iform.barnyard_show_year.disabled = endis;
+ document.iform.barnyard_dump_payload.disabled = endis;
+ document.iform.barnyard_obfuscate_ip.disabled = endis;
+ document.iform.barnyard_log_vlan_events.disabled = endis;
+ document.iform.barnyard_log_mpls_events.disabled = endis;
+ document.iform.barnyard_sensor_name.disabled = endis;
+ document.iform.barnyard_mysql_enable.disabled = endis;
+ document.iform.barnyard_dbhost.disabled = endis;
+ document.iform.barnyard_dbname.disabled = endis;
+ document.iform.barnyard_dbuser.disabled = endis;
+ document.iform.barnyard_dbpwd.disabled = endis;
+ document.iform.barnyard_disable_sig_ref_tbl.disabled = endis;
+ document.iform.barnyard_syslog_enable.disabled = endis;
+ document.iform.barnyard_syslog_local.disabled = endis;
+ document.iform.barnyard_syslog_opmode_default.disabled = endis;
+ document.iform.barnyard_syslog_opmode_complete.disabled = endis;
+ document.iform.barnyard_syslog_rhost.disabled = endis;
+ document.iform.barnyard_syslog_dport.disabled = endis;
+ document.iform.barnyard_syslog_proto_udp.disabled = endis;
+ document.iform.barnyard_syslog_proto_tcp.disabled = endis;
+ document.iform.barnyard_syslog_facility.disabled = endis;
+ document.iform.barnyard_syslog_priority.disabled = endis;
+ document.iform.barnyard_bro_ids_enable.disabled = endis;
+ document.iform.barnyard_bro_ids_rhost.disabled = endis;
+ document.iform.barnyard_bro_ids_dport.disabled = endis;
+ document.iform.barnconfigpassthru.disabled = endis;
+}
+
 enable_change(false);
-//-->
+toggle_mySQL();
+toggle_syslog();
+toggle_local_syslog();
+toggle_bro_ids();
 </script>
 <?php include("fend.inc"); ?>
 </body>
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index 8d106a90..76d5a9df 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -7,6 +7,7 @@ * * Modified for the Pfsense snort package v. 1.8+ * Copyright (C) 2009 Robert Zelaya Sr. Developer + * Copyright (C) 2014 Bill Meeks * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met:
@@ -33,6 +34,11 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +$snortlogdir = SNORTLOGDIR; + +// Grab pfSense version so we can refer to it later on this page +$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); + if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $config['installedpackages']['snortglobal']['alertsblocks'] = array();
@@ -44,14 +50,14 @@ if (empty($pconfig['blertnumber'])) else $bnentries = $pconfig['blertnumber']; -if ($_POST['todelete'] || $_GET['todelete']) { +if ($_POST['todelete']) { $ip = ""; - if($_POST['todelete']) - $ip = $_POST['todelete']; - else if($_GET['todelete']) - $ip = $_GET['todelete']; + if ($_POST['ip']) + $ip = $_POST['ip']; if (is_ipaddr($ip)) exec("/sbin/pfctl -t snort2c -T delete {$ip}"); + else + $input_errors[] = gettext("An invalid IP address was provided as a parameter."); } if ($_POST['remove']) {
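Review bot: `enable_change` assigns `endis` and `endis2` without `var`, so both leak into the global scope, and `endis2` is never read; change the first line to `var endis = !(document.iform.barnyard_enable.checked || enable_change);` and drop the `endis2` line together with its comment. The page-load sequence also runs `enable_change(false)` and then the four `toggle_*()` helpers, and each helper sets `disabled` purely from its own checkbox, so with Barnyard2 disabled but `barnyard_mysql_enable` checked the MySQL fields appear to be re-enabled (inferred from the visible functions; worth confirming in a browser). If that is unintended, the helpers should also consult `document.iform.barnyard_enable.checked`.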
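Review bot: The delete path now validates `$ip` with `is_ipaddr()` before the `pfctl` call, which is the right gate, but the value is still interpolated into the command string; quote it as defense in depth, `exec("/sbin/pfctl -t snort2c -T delete " . escapeshellarg($ip));`, and capture the return code (third argument of `exec`) so a failed delete is surfaced instead of the host silently staying in the table. The hidden `ip` field is filled client-side from the clicked row (on a later hunk of this file), so an empty or malformed value correctly ends up in `$input_errors`.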
@@ -113,7 +119,7 @@ if ($_POST['save']) $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; - write_config(); + write_config("Snort pkg: updated BLOCKED tab settings."); header("Location: /snort/snort_blocked.php"); exit; @@ -127,6 +133,7 @@ include_once("head.inc"); ?> <body link="#000000" vlink="#000000" alink="#000000"> +<script src="/javascript/filter_log.js" type="text/javascript"></script> <?php @@ -135,12 +142,19 @@ include_once("fbegin.inc"); /* refresh every 60 secs */ if ($pconfig['brefresh'] == 'on') echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n"; -?> -<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> +/* Display Alert message */ +if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks +} +if ($savemsg) { + print_info_box($savemsg); +} +?> -<?php if ($savemsg) print_info_box($savemsg); ?> <form action="/snort/snort_blocked.php" method="post"> +<input type="hidden" name="ip" id="ip" value=""/> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> 
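Review bot: `print_input_errors($input_errors); // TODO: add checks` leaves a TODO that names no missing check; either state what is still unvalidated or drop the comment so the line is just `print_input_errors($input_errors);`. This hunk also removes the `<p class="pgtitle">` line that printed `$pgtitle` on stable builds; if the title is not emitted elsewhere on the page (not visible here), the heading is lost.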
@@ -151,10 +165,11 @@ if ($pconfig['brefresh'] == 'on') $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); $tab_array[4] = array(gettext("Blocked"), true, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); ?> </td> </tr> 
@@ -167,22 +182,23 @@ if ($pconfig['brefresh'] == 'on') <tr> <td width="22%" class="vncell"><?php echo gettext("Save or Remove Hosts"); ?></td> <td width="78%" class="vtable"> - <input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext("All " . - "blocked hosts will be saved."); ?> <input name="remove" type="submit" - class="formbtns" value="Clear"> <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> - <?php echo gettext("all hosts will be removed."); ?> + <input name="download" type="submit" class="formbtns" value="Download" title="<?=gettext("Download list of blocked hosts as a gzip archive");?>"/> + <?php echo gettext("All blocked hosts will be saved."); ?> + <input name="remove" type="submit" class="formbtns" value="Clear" title="<?=gettext("Remove blocks for all listed hosts");?>" + onClick="return confirm('<?=gettext("Are you sure you want to remove all blocked hosts? Click OK to continue or CANCLE to quit.");?>');"/> + <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("all hosts will be removed."); ?> </td> </tr> <tr> <td width="22%" class="vncell"><?php echo gettext("Auto Refresh and Log View"); ?></td> <td width="78%" class="vtable"> - <input name="save" type="submit" class="formbtns" value="Save"> <?php echo gettext("Refresh"); ?> <input - name="brefresh" type="checkbox" value="on" - <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> - <?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> <input - name="blertnumber" type="text" class="formfld unknown" id="blertnumber" - size="5" value="<?=htmlspecialchars($bnentries);?>"> <?php printf(gettext("Enter the " . - "number of blocked entries to view. 
%sDefault%s is %s500%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <input name="save" type="submit" class="formbtns" value=" Save " title="<?=gettext("Save auto-refresh and view settings");?>"/> + <?php echo gettext("Refresh"); ?> <input name="brefresh" type="checkbox" value="on" + <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>/> + <?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <input name="blertnumber" type="text" class="formfld unknown" id="blertnumber" + size="5" value="<?=htmlspecialchars($bnentries);?>"/> <?php printf(gettext("Enter number of " . + "blocked entries to view. %sDefault%s is %s500%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> <tr> @@ -220,13 +236,13 @@ if ($pconfig['brefresh'] == 'on') if (!empty($blocked_ips_array)) { $tmpblocked = array_flip($blocked_ips_array); $src_ip_list = array(); - foreach (glob("/var/log/snort/*/alert") as $alertfile) { + foreach (glob("{$snortlogdir}/*/alert") as $alertfile) { $fd = fopen($alertfile, "r"); if ($fd) { /* 0 1 2 3 4 5 6 7 8 9 10 11 12 /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */ while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { - if(count($fields) < 11) + if(count($fields) < 13) continue; if (isset($tmpblocked[$fields[6]])) { 
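Review bot: The confirm prompt text contains a typo, `CANCLE` should be `CANCEL`, and the `gettext()` result is emitted inside a single-quoted JavaScript string that itself sits in a double-quoted HTML attribute with no escaping, so any translation containing an apostrophe or a double quote breaks the `onClick` handler. Escape for that context, e.g. `onClick="return confirm('<?=htmlspecialchars(addslashes(gettext("…")));?>');"`. The `$_POST['remove']` handler this button triggers is outside the hunk.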
@@ -260,19 +276,26 @@ if ($pconfig['brefresh'] == 'on') /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $tmp_ip = str_replace(":", ":​", $blocked_ip); - + /* Add reverse DNS lookup icons (two different links if pfSense version supports them) */ + $rdns_link = ""; + if ($pfs_version > 2.0) { + $rdns_link .= "<a onclick=\"javascript:getURL('/diag_dns.php?host={$blocked_ip}&dialog_output=true', outputrule);\">"; + $rdns_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' "; + $rdns_link .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a> "; + } + $rdns_link .= "<a href='/diag_dns.php?host={$blocked_ip}'>"; + $rdns_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; + $rdns_link .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; /* use one echo to do the magic*/ echo "<tr> <td align=\"center\" valign=\"middle\" class=\"listr\">{$counter}</td> - <td valign=\"middle\" class=\"listr\">{$tmp_ip} <a href='/diag_dns.php?host={$blocked_ip}'> - <img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' - title='" . gettext("Resolve host via reverse DNS lookup") . "'></a></td> + <td align=\"center\" valign=\"middle\" class=\"listr\">{$tmp_ip}<br/>{$rdns_link}</td> <td valign=\"middle\" class=\"listr\">{$blocked_desc}</td> - <td align=\"center\" valign=\"middle\" class=\"listr\"><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> - <img title=\"" . gettext("Delete host from Blocked Table") . 
"\" border=\"0\" name='todelete' id='todelete' alt=\"Delete host from Blocked Table\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + <td align=\"center\" valign=\"middle\" class=\"listr\" sorttable_customkey=\"\"> + <input type=\"image\" name=\"todelete[]\" onClick=\"document.getElementById('ip').value='{$blocked_ip}';\" + src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" title=\"" . gettext("Delete host from Blocked Table") . "\" border=\"0\" /></td> </tr>\n"; } - } ?> </tbody> diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc index 038a11cd..a5b9e65e 100644 --- a/config/snort/snort_check_cron_misc.inc +++ b/config/snort/snort_check_cron_misc.inc @@ -1,10 +1,11 @@ <?php /* - * snort_chk_log_dir_size.php + * snort_check_cron_misc.inc * part of pfSense * - * Modified for the Pfsense snort package v. 1.8+ + * Modified for the pfSense snort package v. 1.8+ * Copyright (C) 2009-2010 Robert Zelaya Developer + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -31,68 +32,98 @@ require_once("/usr/local/pkg/snort/snort.inc"); -// 'B' => 1, -// 'KB' => 1024, -// 'MB' => 1024 * 1024, -// 'GB' => 1024 * 1024 * 1024, -// 'TB' => 1024 * 1024 * 1024 * 1024, -// 'PB' => 1024 * 1024 * 1024 * 1024 * 1024, +$snortlogdir = SNORTLOGDIR; +function snort_check_dir_size_limit($snortloglimitsize) { -/* chk if snort log dir is full if so clear it */ -$snortloglimit = $config['installedpackages']['snortglobal']['snortloglimit']; -$snortloglimitsize = $config['installedpackages']['snortglobal']['snortloglimitsize']; + /******************************************************** + * This function checks the total size of the Snort * + * logging sub-directory structure and prunes the files * + * for all Snort interfaces if the size exceeds the * + * passed limit. * + * * + * On Entry: $snortloglimitsize = dir size limit in * + * in megabytes * + ********************************************************/ -if ($g['booting']==true) - return; + global $g, $config; -if ($snortloglimit == 'off') - return; + // Convert Log Limit Size setting from MB to KB + $snortloglimitsizeKB = round($snortloglimitsize * 1024); + $snortlogdirsizeKB = snort_Getdirsize(SNORTLOGDIR); + if ($snortlogdirsizeKB > 0 && $snortlogdirsizeKB > $snortloglimitsizeKB) { + log_error(gettext("[Snort] Log directory size exceeds configured limit of " . number_format($snortloglimitsize) . " MB set on Global Settings tab. 
All Snort log files will be truncated.")); + conf_mount_rw(); -if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; + // Truncate the Rules Update Log file if it exists + if (file_exists(RULES_UPD_LOGFILE)) { + log_error(gettext("[Snort] Truncating the Rules Update Log file...")); + @file_put_contents(RULES_UPD_LOGFILE, ""); + } -/* Convert Log Limit Size setting from MB to KB */ -$snortloglimitsizeKB = round($snortloglimitsize * 1024); -$snortlogdirsizeKB = snort_Getdirsize(SNORTLOGDIR); -if ($snortlogdirsizeKB > 0 && $snortlogdirsizeKB > $snortloglimitsizeKB) { - log_error(gettext("[Snort] Log directory size exceeds configured limit of " . number_format($snortloglimitsize) . " MB set on Global Settings tab. All Snort log files will be truncated.")); - conf_mount_rw(); - - /* Truncate the Rules Update Log file if it exists */ - if (file_exists(RULES_UPD_LOGFILE)) { - log_error(gettext("[Snort] Truncating the Rules Update Log file...")); - $fd = @fopen(RULES_UPD_LOGFILE, "w+"); - if ($fd) - fclose($fd); - } + // Clean-up the logs for each configured Snort instance + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $if_real = get_real_interface($value['interface']); + $snort_uuid = $value['uuid']; + $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}"; + log_error(gettext("[Snort] Truncating logs for {$value['descr']} ({$if_real})...")); + snort_post_delete_logs($snort_uuid); + + // Truncate the alert log file if it exists + if (file_exists("{$snort_log_dir}/alert")) { + @file_put_contents("{$snort_log_dir}/alert", ""); + } - /* Clean-up the logs for each configured Snort instance */ - foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { - $if_real = snort_get_real_interface($value['interface']); - $snort_uuid = $value['uuid']; - $snort_log_dir = SNORTLOGDIR . 
"/snort_{$if_real}{$snort_uuid}"; - log_error(gettext("[Snort] Truncating logs for {$value['descr']} ({$if_real})...")); - snort_post_delete_logs($snort_uuid); - - /* Truncate the alert log file if it exists */ - if (file_exists("{$snort_log_dir}/alert")) { - $fd = @fopen("{$snort_log_dir}/alert", "w+"); - if ($fd) - fclose($fd); + // This is needed if snort is run as snort user + mwexec('/bin/chmod 660 {$snort_log_dir}/*', true); + + // Soft-restart Snort process to resync logging + if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error(gettext("[Snort] Restarting logging on {$value['descr']} ({$if_real})...")); + mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); + } } + conf_mount_ro(); + log_error(gettext("[Snort] Automatic clean-up of Snort logs completed.")); + } +} + +/************************* + * Start of main code * + *************************/ + +// If firewall is booting, do nothing +if ($g['booting'] == true) + return; - /* This is needed if snort is run as snort user */ - mwexec('/bin/chmod 660 /var/log/snort/*', true); +// If no interfaces defined, there is nothing to clean up +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; - /* Soft-restart Snort process to resync logging */ - if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { - log_error(gettext("[Snort] Restarting logging on {$value['descr']} ({$if_real})...")); - mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); +// Check unified2 archived log retention in the interface logging directories if enabled +foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $if_real = get_real_interface($value['interface']); + $snort_log_dir = SNORTLOGDIR . 
"/snort_{$if_real}{$value['uuid']}"; + if (is_dir("{$snort_log_dir}/barnyard2/archive") && $value['u2_archived_log_retention'] > 0) { + $now = time(); + $files = glob("{$snort_log_dir}/barnyard2/archive/snort_{$value['uuid']}_{$if_real}.u2.*"); + $prune_count = 0; + foreach ($files as $f) { + if (($now - filemtime($f)) > ($value['u2_archived_log_retention'] * 3600)) { + $prune_count++; + unlink_if_exists($f); + } } + unset($files); + if ($prune_count > 0) + log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s)...")); } - conf_mount_ro(); - log_error(gettext("[Snort] Automatic clean-up of Snort logs completed.")); } +// Check the overall log directory limit (if enabled) and prune if necessary +if ($config['installedpackages']['snortglobal']['snortloglimit'] == 'on') + snort_check_dir_size_limit($config['installedpackages']['snortglobal']['snortloglimitsize']); + +return; + ?> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 807b7844..667f4044 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -5,7 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013-2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -34,7 +34,7 @@ require_once("functions.inc"); require_once("service-utils.inc"); require_once "/usr/local/pkg/snort/snort.inc"; -global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; +global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules; if (!defined("VRT_DNLD_URL")) define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); 
@@ -62,10 +62,13 @@ if (!defined("ET_OPEN_FILE_PREFIX")) define("ET_OPEN_FILE_PREFIX", "emerging-"); if (!defined("ET_PRO_FILE_PREFIX")) define("ET_PRO_FILE_PREFIX", "etpro-"); +if (!defined("IPREP_PATH")) + define("IPREP_PATH", "/var/db/snort/iprep/"); $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; +$snortiprepdir = IPREP_PATH; $snort_rules_upd_log = RULES_UPD_LOGFILE; /* Save the state of $pkg_interface so we can restore it */ 
@@ -78,15 +81,14 @@ else /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; $etproid = $config['installedpackages']['snortglobal']['etpro_code']; -$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; -$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; -$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; -$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; -$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; -$et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off'; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'] == 'on' ? 'on' : 'off'; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'on' ? 'on' : 'off'; +$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'] == 'on' ? 'on' : 'off'; +$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off'; -/* Working directory for downloaded rules tarballs */ -$tmpfname = "{$snortdir}/tmp/snort_rules_up"; +/* Working directory for downloaded rules tarballs and extraction */ +$tmpfname = "/tmp/snort_rules_up"; /* Grab the Snort binary version programmatically and use it to construct */ /* the proper Snort VRT rules tarball and md5 filenames. Fallback to a */ @@ -96,7 +98,7 @@ exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26 // Save the version with decimal delimiters for use in extracting the rules $snort_version = $snortver[0]; if (empty($snort_version)) - $snort_version = "2.9.5.5"; + $snort_version = "2.9.6.0"; // Create a collapsed version string for use in the tarball filename $snortver[0] = str_replace(".", "", $snortver[0]); 
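Review bot: `$tmpfname = "/tmp/snort_rules_up";` moves the rules work area from the package's own tree to a fixed, predictable name under the world-writable `/tmp`; the `@@ -371` hunk then runs `exec("/bin/rm -rf {$tmpfname}")` and `safe_mkdir("{$tmpfname}")` on it, and the `@@ -429` hunk extracts the downloaded tarballs there and copies the `*.rules` files from it into `{$snortdir}/rules`. On pfSense, shell access is normally limited to administrators, so the practical exposure is small, but a pre-existing entry at that name (a directory or symlink left by another process) would be used as-is. A cheap hardening is to keep the work area under a root-only path such as the previous `{$snortdir}/tmp`, or to create it with mode 0700 and confirm it is a real directory owned by the running user before extracting into it. The on/off normalisation of the flags above is fine, though `$vrt_enabled` is now an exact duplicate of `$snortdownload`.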
@@ -114,7 +116,6 @@ if ($etpro == "on") {
 $emergingthreats_url = ETPRO_BASE_DNLD_URL;
 $emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/";
 $emergingthreats = "on";
- $et_enabled= "on";
 $et_name = "Emerging Threats Pro";
 $et_md5_remove = ET_DNLD_FILENAME . ".md5";
 @unlink("{$snortdir}/{$et_md5_remove}");
@@ -152,22 +153,54 @@ function snort_download_file_url($url, $file_out) { global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; + $rfc2616 = array( + 100 => "100 Continue", + 101 => "101 Switching Protocols", + 200 => "200 OK", + 201 => "201 Created", + 202 => "202 Accepted", + 203 => "203 Non-Authoritative Information", + 204 => "204 No Content", + 205 => "205 Reset Content", + 206 => "206 Partial Content", + 300 => "300 Multiple Choices", + 301 => "301 Moved Permanently", + 302 => "302 Found", + 303 => "303 See Other", + 304 => "304 Not Modified", + 305 => "305 Use Proxy", + 306 => "306 (Unused)", + 307 => "307 Temporary Redirect", + 400 => "400 Bad Request", + 401 => "401 Unauthorized", + 402 => "402 Payment Required", + 403 => "403 Forbidden", + 404 => "404 Not Found", + 405 => "405 Method Not Allowed", + 406 => "406 Not Acceptable", + 407 => "407 Proxy Authentication Required", + 408 => "408 Request Timeout", + 409 => "409 Conflict", + 410 => "410 Gone", + 411 => "411 Length Required", + 412 => "412 Precondition Failed", + 413 => "413 Request Entity Too Large", + 414 => "414 Request-URI Too Long", + 415 => "415 Unsupported Media Type", + 416 => "416 Requested Range Not Satisfiable", + 417 => "417 Expectation Failed", + 500 => "500 Internal Server Error", + 501 => "501 Not Implemented", + 502 => "502 Bad Gateway", + 503 => "503 Service Unavailable", + 504 => "504 Gateway Timeout", + 505 => "505 HTTP Version Not Supported" + ); + // Initialize required variables for the pfSense "read_body()" function $file_size = 1; $downloaded = 1; $first_progress_update = TRUE; - - - // Array of message strings for HTTP Response Codes - $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", - 206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found", - 305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request", - 401 => "Unauthorized", 402 => 
"Payment Required", 403 => "Forbidden", - 404 => "Not Found", 405 => "Method Not Allowed", 407 => "Proxy Authentication Required", - 408 => "Request Timeout", 410 => "Gone", 500 => "Internal Server Error", - 501 => "Not Implemented", 502 => "Bad Gateway", 503 => "Service Unavailable", - 504 => "Gateway Timeout", 505 => "HTTP Version Not Supported" ); - $last_curl_error = ""; $fout = fopen($file_out, "wb"); @@ -217,8 +250,8 @@ function snort_download_file_url($url, $file_out) { if ($rc === false) $last_curl_error = curl_error($ch); $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); - if (isset($http_resp_msg[$http_code])) - $last_curl_error = $http_resp_msg[$http_code]; + if (isset($rfc2616[$http_code])) + $last_curl_error = $rfc2616[$http_code]; curl_close($ch); fclose($fout); @@ -252,7 +285,7 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") { /* error occurred. */ /**********************************************************/ - global $pkg_interface, $snort_rules_upd_log, $last_curl_error; + global $pkg_interface, $snort_rules_upd_log, $last_curl_error, $update_errors; $snortdir = SNORTDIR; $filename_md5 = basename($file_dst); @@ -294,9 +327,9 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") { log_error(gettext("[Snort] {$desc} md5 download failed...")); log_error(gettext("[Snort] Server returned error code {$rc}...")); error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + $update_errors = true; return false; } } 
@@ -320,7 +353,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* FALSE if download was not successful. */ /**********************************************************/ - global $pkg_interface, $snort_rules_upd_log, $last_curl_error; + global $pkg_interface, $snort_rules_upd_log, $last_curl_error, $update_errors; $snortdir = SNORTDIR; $filename = basename($file_dst); @@ -350,6 +383,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $snort_rules_upd_log); error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $snort_rules_upd_log); error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + $update_errors = true; return false; } return true; @@ -359,9 +393,9 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { update_output_window(gettext("{$desc} file download failed...")); log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'...")); error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + $update_errors = true; return false; } 
@@ -371,27 +405,29 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* Start of main code */ /**********************/ -/* remove old $tmpfname files */ +/* remove any old $tmpfname files */ if (is_dir("{$tmpfname}")) - exec("/bin/rm -r {$tmpfname}"); + exec("/bin/rm -rf {$tmpfname}"); /* Make sure required snortdirs exsist */ -exec("/bin/mkdir -p {$snortdir}/rules"); -exec("/bin/mkdir -p {$snortdir}/signatures"); -exec("/bin/mkdir -p {$snortdir}/preproc_rules"); -exec("/bin/mkdir -p {$tmpfname}"); -exec("/bin/mkdir -p {$snortlibdir}/dynamicrules"); -exec("/bin/mkdir -p {$snortlogdir}"); +safe_mkdir("{$snortdir}/rules"); +safe_mkdir("{$snortdir}/signatures"); +safe_mkdir("{$snortdir}/preproc_rules"); +safe_mkdir("{$tmpfname}"); +safe_mkdir("{$snortlibdir}/dynamicrules"); +safe_mkdir("{$snortlogdir}"); +safe_mkdir("{$snortiprepdir}"); /* See if we need to automatically clear the Update Log based on 1024K size limit */ if (file_exists($snort_rules_upd_log)) { if (1048576 < filesize($snort_rules_upd_log)) - exec("/bin/rm -r {$snort_rules_upd_log}"); + @unlink("{$snort_rules_upd_log}"); } /* Log start time for this rules update */ error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log); $last_curl_error = ""; +$update_errors = false; /* Check for and download any new Snort VRT sigs */ if ($snortdownload == 'on') { 
@@ -429,26 +465,125 @@ if ($emergingthreats == 'on') { $emergingthreats = 'off'; } -/* Untar Snort GPLv2 Community rules file to tmp */ +/* Untar Snort rules file to tmp and install the rules */ +if ($snortdownload == 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + /* Currently, only FreeBSD-8-1, FreeBSD-9-0 and FreeBSD-10-0 precompiled SO rules exist from Snort.org */ + /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x or FreeBSD 10.x */ + $freebsd_version_so = 'FreeBSD-8-1'; + if (substr(php_uname("r"), 0, 1) == '9') + $freebsd_version_so = 'FreeBSD-9-0'; + elseif (substr(php_uname("r"), 0, 2) == '10') + $freebsd_version_so = 'FreeBSD-10-0'; + + /* Remove the old Snort rules files */ + $vrt_prefix = VRT_FILE_PREFIX; + unlink_if_exists("{$snortdir}/rules/{$vrt_prefix}*.rules"); + + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort VRT rules...")); + update_output_window(gettext("Installing Sourcefire VRT rules...")); + } + error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log); + /* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */ + safe_mkdir("{$tmpfname}/snortrules"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname}/snortrules rules/"); + $files = glob("{$tmpfname}/snortrules/rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . 
"{$newfile}"); + } + /* Extract any IP lists */ + $files = glob("{$tmpfname}/snortrules/rules/*.txt"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/rules/{$newfile}"); + } + exec("rm -r {$tmpfname}/snortrules"); + /* Extract the Snort preprocessor rules */ + if ($pkg_interface <> "console") + update_output_window(gettext("Extracting preprocessor rules files...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/"); + $files = glob("{$tmpfname}/preproc_rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/preproc_rules/{$newfile}"); + } + exec("rm -r {$tmpfname}/preproc_rules"); + /* extract so rules */ + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort VRT Shared Objects rules...")); + update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}...")); + } + exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/"); + error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log); + $snort_arch = php_uname("m"); + $nosorules = false; + if ($snort_arch == 'i386'){ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/"); + exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); + } elseif ($snort_arch == 'amd64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/"); + exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); + } else + $nosorules = true; + exec("rm -rf {$tmpfname}/so_rules"); + if ($nosorules == false) { + /* extract Shared Object stub rules, rename and copy to the rules folder. 
*/ + if ($pkg_interface <> "console") + update_status(gettext("Copying Snort VRT Shared Objects rules...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} --exclude precompiled/ --exclude src/ so_rules/"); + $files = glob("{$tmpfname}/so_rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file, ".rules"); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules"); + } + exec("rm -rf {$tmpfname}/so_rules"); + } + /* extract base etc files */ + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort VRT config and map files...")); + update_output_window(gettext("Copying config and map files...")); + } + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$tmpfname}/etc/{$file}")) + @copy("{$tmpfname}/etc/{$file}", "{$tmpfname}/VRT_{$file}"); + } + exec("rm -r {$tmpfname}/etc"); + if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + if ($pkg_interface <> "console") + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); + } + if ($pkg_interface <> "console") { + update_status(gettext("Extraction of Snort VRT rules completed...")); + update_output_window(gettext("Installation of Sourcefire VRT rules completed...")); + } + error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log); + } +} + +/* Untar Snort GPLv2 Community rules file to tmp and install the rules */ if ($snortcommunityrules == 'on') { - safe_mkdir("{$snortdir}/tmp/community"); + safe_mkdir("{$tmpfname}/community"); if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort GPLv2 Community Rules...")); update_output_window(gettext("Installing Snort GPLv2 
Community Rules...")); } error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$snortdir}/tmp/community/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/"); - $files = glob("{$snortdir}/tmp/community/community-rules/*.rules"); + $files = glob("{$tmpfname}/community/community-rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); @copy($file, "{$snortdir}/rules/" . GPL_FILE_PREFIX . "{$newfile}"); } /* base etc files for Snort GPLv2 Community rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}")) - @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/" . GPL_FILE_PREFIX . "{$file}"); + if (file_exists("{$tmpfname}/community/community-rules/{$file}")) + @copy("{$tmpfname}/community/community-rules/{$file}", "{$tmpfname}/" . GPL_FILE_PREFIX . "{$file}"); } /* Copy snort community md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { 
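Review bot: The new VRT block invokes `rm` without a path in five places (`exec("rm -r {$tmpfname}/snortrules")`, `rm -r {$tmpfname}/preproc_rules`, two `rm -rf {$tmpfname}/so_rules`, `rm -r {$tmpfname}/etc`) and uses `exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/")` next to `safe_mkdir()`, while the same file writes `/bin/rm -rf {$tmpfname}` and `safe_mkdir()` a few lines earlier; if this script also runs unattended from a scheduler where `PATH` may be minimal, the unqualified form is fragile, so use `/bin/rm` (or the pfSense `rmdir_recursive()` helper, if available in the target release) consistently. The same unqualified `rm -rf` appears in the community-rules hunk at `@@ -461` and the Emerging Threats hunk at `@@ -518`. Minor: `if ($nosorules == false)` reads better as `if (!$nosorules)`, and the i386/amd64 branches differ only in the `i386`/`x86-64` path segment, so a small array mapping `$snort_arch` to that segment would remove the duplicated tar/cp pair.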
@@ -461,30 +596,30 @@ if ($snortcommunityrules == 'on') { update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed...")); } error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log); - exec("rm -r {$snortdir}/tmp/community"); + exec("rm -rf {$tmpfname}/community"); } } -/* Untar Emerging Threats rules file to tmp */ +/* Untar Emerging Threats rules file to tmp and install the rules */ if ($emergingthreats == 'on') { - safe_mkdir("{$snortdir}/tmp/emerging"); + safe_mkdir("{$tmpfname}/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if ($pkg_interface <> "console") { update_status(gettext("Extracting {$et_name} rules...")); update_output_window(gettext("Installing {$et_name} rules...")); } error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/"); /* Remove the old Emerging Threats rules files */ $eto_prefix = ET_OPEN_FILE_PREFIX; $etpro_prefix = ET_PRO_FILE_PREFIX; - array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*.rules")); - array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*.rules")); - array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*ips.txt")); - array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*ips.txt")); + unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*.rules"); + unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*.rules"); + unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*ips.txt"); + unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*ips.txt"); - $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); + $files = glob("{$tmpfname}/emerging/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") 
@@ -493,18 +628,22 @@ if ($emergingthreats == 'on') { @copy($file, "{$snortdir}/rules/{$newfile}"); } /* IP lists for Emerging Threats rules */ - $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); + $files = glob("{$tmpfname}/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); - if ($etpro == "on") + if ($etpro == "on") { + @copy($file, IPREP_PATH . ET_PRO_FILE_PREFIX . "{$newfile}"); @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}"); - else + } + else { + @copy($file, IPREP_PATH . ET_OPEN_FILE_PREFIX . "{$newfile}"); @copy($file, "{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "{$newfile}"); + } } /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}")) - @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/tmp/ET_{$file}"); + if (file_exists("{$tmpfname}/emerging/rules/{$file}")) + @copy("{$tmpfname}/emerging/rules/{$file}", "{$tmpfname}/ET_{$file}"); } /* Copy emergingthreats md5 sig to snort dir */ 
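Review bot: The two new `@copy($file, IPREP_PATH . ET_PRO_FILE_PREFIX . "{$newfile}")` / `ET_OPEN_FILE_PREFIX` lines write the IP lists that are presumably consumed from `IPREP_PATH` by the reputation preprocessor, and they suppress every error, so a failed copy (missing directory, read-only filesystem) leaves the previously installed list in place with nothing in the update log and `$update_errors` untouched. Check the return value and record it, e.g. `if (!@copy($file, IPREP_PATH . ET_PRO_FILE_PREFIX . "{$newfile}")) log_error(gettext("[Snort] Failed to copy {$newfile} to " . IPREP_PATH));`, and consider setting `$update_errors = true` there so the run is reported as incomplete. Style: the new `if ($etpro == "on") {` / `else {` blocks put `else` on its own line after `}`, unlike the rest of the file.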
@@ -518,146 +657,32 @@ if ($emergingthreats == 'on') { update_output_window(gettext("Installation of {$et_name} rules completed...")); } error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log); - exec("rm -r {$snortdir}/tmp/emerging"); - } -} - -/* Untar Snort rules file to tmp */ -if ($snortdownload == 'on') { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */ - /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x */ - $freebsd_version_so = 'FreeBSD-8-1'; - if (substr(php_uname("r"), 0, 1) == '9') - $freebsd_version_so = 'FreeBSD-9-0'; - - /* Remove the old Snort rules files */ - $vrt_prefix = VRT_FILE_PREFIX; - array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules")); - - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT rules...")); - update_output_window(gettext("Installing Sourcefire VRT rules...")); - } - error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log); - /* extract snort.org rules and add prefix to all snort.org files */ - safe_mkdir("{$snortdir}/tmp/snortrules"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp/snortrules rules/"); - $files = glob("{$snortdir}/tmp/snortrules/rules/*.rules"); - foreach ($files as $file) { - $newfile = basename($file); - @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . 
"{$newfile}"); - } - /* IP lists */ - $files = glob("{$snortdir}/tmp/snortrules/rules/*.txt"); - foreach ($files as $file) { - $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); - } - exec("rm -r {$snortdir}/tmp/snortrules"); - /* extract so rules */ - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT Shared Objects rules...")); - update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}...")); - } - exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/"); - error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log); - $snort_arch = php_uname("m"); - $nosorules = false; - if ($snort_arch == 'i386'){ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); - } elseif ($snort_arch == 'amd64') { - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); - } else - $nosorules = true; - exec("rm -r {$snortdir}/tmp/so_rules"); - if ($nosorules == false) { - /* extract so stub rules, rename and copy to the rules folder. */ - if ($pkg_interface <> "console") - update_status(gettext("Copying Snort VRT Shared Objects rules...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp --exclude precompiled/ --exclude src/ so_rules/"); - $files = glob("{$snortdir}/tmp/so_rules/*.rules"); - foreach ($files as $file) { - $newfile = basename($file, ".rules"); - @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . 
"{$newfile}.so.rules"); - } - exec("rm -r {$snortdir}/tmp/so_rules"); - } - /* extract base etc files */ - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT config and map files...")); - update_output_window(gettext("Copying config and map files...")); - } - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/"); - foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/etc/{$file}")) - @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/tmp/VRT_{$file}"); - } - exec("rm -r {$snortdir}/tmp/etc"); - /* Untar snort signatures */ - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Extracting Snort VRT Signatures...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - if ($pkg_interface <> "console") - update_status(gettext("Done extracting Signatures.")); - - if (is_dir("{$snortdir}/doc/signatures")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying Snort VRT signatures...")); - exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures"); - if ($pkg_interface <> "console") - update_status(gettext("Done copying signatures.")); - } - } - /* Extract the Snort preprocessor rules */ - if ($pkg_interface <> "console") - update_output_window(gettext("Extracting preprocessor rules files...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp preproc_rules/"); - - if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); - @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); - } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of Snort VRT rules completed...")); - 
update_output_window(gettext("Installation of Sourcefire VRT rules completed...")); - } - error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log); + exec("rm -rf {$tmpfname}/emerging"); } } function snort_apply_customizations($snortcfg, $if_real) { - global $vrt_enabled; + global $vrt_enabled, $rebuild_rules; $snortdir = SNORTDIR; - /* Update the Preprocessor rules for the master configuration and for the interface if Snort VRT rules are in use. */ - if ($vrt_enabled == 'on') { - exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); - $preproc_files = glob("{$snortdir}/tmp/preproc_rules/*.rules"); + /* Update the Preprocessor rules from the master configuration for the interface if Snort */ + /* VRT rules are in use and the interface's preprocessor rules are not protected. */ + if ($vrt_enabled == 'on' && $snortcfg['protect_preproc_rules'] != 'on') { + $preproc_files = glob("{$snortdir}/preproc_rules/*.rules"); foreach ($preproc_files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/preproc_rules/{$newfile}"); - /* Check if customized preprocessor rule protection is enabled for interface before overwriting them. 
*/ - if ($snortcfg['protect_preproc_rules'] <> 'on') - @copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}"); + @copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}"); } } - else { - exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); - } - snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}"); + if ($rebuild_rules == true) + snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}"); /* Copy the master config and map files to the interface directory */ @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); - @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config"); + @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map"); } 
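Review bot: `snort_apply_customizations()` no longer creates `{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules` — both `exec("/bin/mkdir -p ...")` calls are removed — yet the loop still does `@copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}")`, which fails silently when that directory does not exist yet (a newly added interface, or one whose directory was cleaned). Unless `snort_prepare_rule_files()` or an earlier step is known to create it, add `safe_mkdir("{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules");` before the `foreach`. The `snort_prepare_rule_files()` call now depends on the caller having set the global `$rebuild_rules`; a comment on that `if` naming who sets the flag and when would help the next reader.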
@@ -667,45 +692,37 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = update_status(gettext('Copying new config and map files...')); error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log); - /* Determine which config and map file set to use for the master copy. */ - /* If the Snort VRT rules are not enabled, then use Emerging Threats. */ - if (($vrt_enabled == 'off') && ($et_enabled == 'on')) { - $cfgs = glob("{$snortdir}/tmp/*reference.config"); - $cfgs[] = "{$snortdir}/reference.config"; - snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); - $cfgs = glob("{$snortdir}/tmp/*classification.config"); - $cfgs[] = "{$snortdir}/classification.config"; - snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); - /* Use the unicode.map and gen-msg.map files from ET rules. */ - if (file_exists("{$snortdir}/tmp/ET_unicode.map")) - @copy("{$snortdir}/tmp/ET_unicode.map", "{$snortdir}/unicode.map"); - if (file_exists("{$snortdir}/tmp/ET_gen-msg.map")) - @copy("{$snortdir}/tmp/ET_gen-msg.map", "{$snortdir}/gen-msg.map"); - } - elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) { - foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/VRT_{$file}")) - @copy("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/{$file}"); - } - } - elseif (($vrt_enabled == 'on') && ($et_enabled == 'on')) { - /* Both VRT and ET rules are enabled, so build combined */ - /* reference.config and classification.config files. 
*/ - $cfgs = glob("{$snortdir}/tmp/*reference.config"); - $cfgs[] = "{$snortdir}/reference.config"; - snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); - $cfgs = glob("{$snortdir}/tmp/*classification.config"); - $cfgs[] = "{$snortdir}/classification.config"; - snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); - /* Use the unicode.map and gen-msg.map files from VRT rules. */ - if (file_exists("{$snortdir}/tmp/VRT_unicode.map")) - @copy("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/unicode.map"); - if (file_exists("{$snortdir}/tmp/VRT_gen-msg.map")) - @copy("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/gen-msg.map"); - } + /******************************************************************/ + /* Build the classification.config and reference.config files */ + /* using the ones from all the downloaded rules plus the default */ + /* files installed with Snort. */ + /******************************************************************/ + $cfgs = glob("{$tmpfname}/*reference.config"); + $cfgs[] = "{$snortdir}/reference.config"; + snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); + $cfgs = glob("{$tmpfname}/*classification.config"); + $cfgs[] = "{$snortdir}/classification.config"; + snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); + + /*******************************************************************/ + /* Determine which map files set to use for the master copy. If */ + /* the Snort VRT rules are not enabled, then use Emerging Threats */ + /* or Snort Community Rules, in that order, if either is enabled. 
*/ + /*******************************************************************/ + if ($snortdownload == 'on' || $vrt_enabled == 'on') + $prefix = "VRT_"; + elseif ($emergingthreats == 'on') + $prefix = "ET_"; + elseif ($snortcommunityrules == 'on') + $prefix = GPL_FILE_PREFIX; + if (file_exists("{$tmpfname}/{$prefix}unicode.map")) + @copy("{$tmpfname}/{$prefix}unicode.map", "{$snortdir}/unicode.map"); + if (file_exists("{$tmpfname}/{$prefix}gen-msg.map")) + @copy("{$tmpfname}/{$prefix}gen-msg.map", "{$snortdir}/gen-msg.map"); /* Start the rules rebuild proccess for each configured interface */ - if (is_array($config['installedpackages']['snortglobal']['rule'])) { + if (is_array($config['installedpackages']['snortglobal']['rule']) && + !empty($config['installedpackages']['snortglobal']['rule'])) { /* Set the flag to force rule rebuilds since we downloaded new rules, */ /* except when in post-install mode. Post-install does its own rebuild. */ 
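Review bot: `$prefix` is never assigned when none of the three branches matches, and the ET branch tests only `$emergingthreats`, so an ET Pro-only configuration falls through unless `$emergingthreats` is also 'on' in that case (the removed code keyed on `$et_enabled` instead); the two `file_exists()` calls then read an undefined variable and look for a bare `unicode.map`/`gen-msg.map` in the temp directory. Initialise it before the chain, `$prefix = "";`, and fold ET Pro into the ET test, `elseif ($emergingthreats == 'on' || $etpro == 'on')`, if `$etpro` is in scope in this script as it is in snort_download_updates.php. When nothing matches, the previously installed map files are silently kept, which is probably intended but deserves a one-line comment on the chain. The enclosing `if ($snortdownload == 'on' || ...)` block starts before this hunk and continues past it.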
@@ -716,19 +733,32 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = /* Create configuration for each active Snort interface */ foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { - $if_real = snort_get_real_interface($value['interface']); - $tmp = "Updating rules configuration for: " . snort_get_friendly_interface($value['interface']) . " ..."; + $if_real = get_real_interface($value['interface']); + $tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ..."; if ($pkg_interface <> "console"){ update_status(gettext($tmp)); - update_output_window(gettext("Please wait while Snort interface files are being updated...")); + update_output_window(gettext("Please wait while Snort interface files are updated...")); } + + // Make sure the interface subdirectory and required sub-directories exists. + // We need to re-create them during a pkg reinstall for the intial rules set + // download and configuration done as part of restoring saved settings. + if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}")) + safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}"); + if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/rules")) + safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/rules"); + if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules")) + safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules"); + if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor")) + safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor"); + snort_apply_customizations($value, $if_real); /* Log a message in Update Log if protecting customized preprocessor rules. */ $tmp = "\t" . $tmp . 
"\n"; if ($value['protect_preproc_rules'] == 'on') { $tmp .= gettext("\tPreprocessor text rules flagged as protected and not updated for "); - $tmp .= snort_get_friendly_interface($value['interface']) . "...\n"; + $tmp .= convert_friendly_interface_to_friendly_descr($value['interface']) . "...\n"; } error_log($tmp, 3, $snort_rules_upd_log); } @@ -744,13 +774,6 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = /* Clear the rebuild rules flag. */ $rebuild_rules = false; - /* remove old $tmpfname files */ - if (is_dir("{$snortdir}/tmp")) { - if ($pkg_interface <> "console") - update_status(gettext("Cleaning up after rules extraction...")); - exec("/bin/rm -r {$snortdir}/tmp"); - } - /* Restart snort if already running and we are not rebooting to pick up the new rules. */ if (is_process_running("snort") && !$g['booting']) { if ($pkg_interface <> "console") { @@ -770,6 +793,11 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = } } +/* remove $tmpfname files */ +if (is_dir("{$tmpfname}")) { + exec("/bin/rm -rf {$tmpfname}"); +} + if ($pkg_interface <> "console") update_status(gettext("The Rules update has finished...")); log_error(gettext("[Snort] The Rules update has finished.")); @@ -779,4 +807,11 @@ conf_mount_ro(); /* Restore the state of $pkg_interface */ $pkg_interface = $pkg_interface_orig; +/* Save this update status to the configuration file */ +if ($update_errors) + $config['installedpackages']['snortglobal']['last_rule_upd_status'] = gettext("failed"); +else + $config['installedpackages']['snortglobal']['last_rule_upd_status'] = gettext("success"); +$config['installedpackages']['snortglobal']['last_rule_upd_time'] = time(); +write_config("Snort pkg: updated status for updated rules package(s) check."); ?> diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 7c057b19..4d1b3c2e 100755 --- a/config/snort/snort_define_servers.php 
+++ b/config/snort/snort_define_servers.php @@ -5,6 +5,7 @@ * * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. * Copyright (C) 2008-2009 Robert Zelaya. + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -35,12 +36,14 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g, $rebuild_rules; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + if (is_null($id)) { - header("Location: /snort/snort_interfaces.php"); - exit; + header("Location: /snort/snort_interfaces.php"); + exit; } if (!is_array($config['installedpackages']['snortglobal']['rule'])) { @@ -87,20 +90,20 @@ $snort_ports = array( ); // Sort our SERVERS and PORTS arrays to make values -// easier to locate by the the user. +// easier to locate for the user. ksort($snort_servers); ksort($snort_ports); $pconfig = $a_nat[$id]; /* convert fake interfaces to real */ -$if_real = snort_get_real_interface($pconfig['interface']); +$if_real = get_real_interface($pconfig['interface']); $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; /* alert file */ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; -if ($_POST) { +if ($_POST['save']) { $natent = array(); $natent = $pconfig; @@ -131,7 +134,7 @@ if ($_POST) { $a_nat[$id] = $natent; - write_config(); + write_config("Snort pkg: modified settings for VARIABLES tab."); /* Update the snort conf file for this interface. */ $rebuild_rules = false; 
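Review bot: `htmlspecialchars()` on a `$_GET['id']` that has just passed `is_numericint()` is redundant, and the value is then used as an array index (`$a_nat[$id]`) and in `Location:` URLs, where an integer cast is the right normalisation: `$id = (int)$_GET['id'];` and likewise `(int)$_POST['id']`. When neither branch matches, `$id` is never assigned, so `is_null($id)` tests an undefined variable; declare `$id = null;` before the chain to make the redirect path explicit. The same pattern appears in the `@@ -47,9 +48,11 @@` hunk of snort_edit_hat_data.php further down this page.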
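Review bot: `$pconfig = $a_nat[$id];` accepts any integer id, so an out-of-range value leaves `$pconfig` null, the page still derives `$if_real` and `$snort_uuid` from it, and a POST then writes a new `$a_nat[$id]` slot; add `if (!isset($a_nat[$id])) { header("Location: /snort/snort_interfaces.php"); exit; }` right after the id is resolved. `if ($_POST['save'])` raises an undefined-index notice on GET; `isset($_POST['save'])` is the form used elsewhere in the package. The POST handler continues past the end of this hunk.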
@@ -149,9 +152,11 @@ if ($_POST) { header("Location: snort_define_servers.php?id=$id"); exit; } + else + $pconfig = $_POST; } -$if_friendly = snort_get_friendly_interface($pconfig['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} Variables - Servers and Ports"); include_once("head.inc"); @@ -160,7 +165,6 @@ include_once("head.inc"); <?php include("fbegin.inc"); -if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} /* Display Alert message */ if ($input_errors) print_input_errors($input_errors); // TODO: add checks 
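Review bot: `$pconfig = $_POST;` on the validation-failure path redraws the form from raw request input, so every field echoed from `$pconfig` (the input rows are outside this hunk) must pass through `htmlspecialchars()`, otherwise a crafted POST is reflected into the page. The hidden `id` field in the `@@ -256,7 +262,7 @@` hunk is safe only because `$id` was validated as an integer above. A comment on the assignment would make the contract visible: `// redisplay submitted values on error; every field is escaped on output`.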
@@ -180,23 +184,25 @@ if ($savemsg) $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); echo '</td></tr>'; echo '<tr><td class="tabnavtbl">'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); - $tab_array = array(); - $tab_array[] = array($menu_iface . gettext(" Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Variables"), true, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array($menu_iface . 
gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext(" Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), true, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr> @@ -256,7 +262,7 @@ if ($savemsg) <tr> <td width="30%" valign="top"> </td> <td width="70%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> + <input name="save" type="submit" class="formbtn" value="Save"> <input name="id" type="hidden" value="<?=$id;?>"> </td> </tr> @@ -276,9 +282,6 @@ if ($savemsg) if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { - // Skip any Aliases that resolve to an empty string - if (trim(filter_expand_alias($alias_name['name'])) == "") - continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index 562a6b36..f35341f1 100755 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php 
@@ -91,7 +91,7 @@ include("head.inc"); <?php $snort_gui_include = true; -include("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); +include("/usr/local/www/snort/snort_check_for_rule_updates.php"); /* hide progress bar and lets end this party */ echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>"; diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 5c9b8210..ecc1e5b5 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -39,7 +39,6 @@ require_once("/usr/local/pkg/snort/snort.inc"); /* Define some locally required variables from Snort constants */ $snortdir = SNORTDIR; $snort_rules_upd_log = RULES_UPD_LOGFILE; -$log = $snort_rules_upd_log; /* Grab the Snort binary version programmatically and */ /* use it to construct the proper Snort VRT rules */ 
@@ -52,38 +51,71 @@ if (empty($snortver[0])) $snortver[0] = str_replace(".", "", $snortver[0]); $snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz"; -//$snort_rules_file = VRT_DNLD_FILENAME; $snort_community_rules_filename = GPLV2_DNLD_FILENAME; -/* load only javascript that is needed */ -$snort_load_jquery = 'yes'; -$snort_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; $etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; +/* Get last update information if available */ +if (!empty($config['installedpackages']['snortglobal']['last_rule_upd_time'])) + $last_rule_upd_time = date('M-d Y H:i', $config['installedpackages']['snortglobal']['last_rule_upd_time']); +else + $last_rule_upd_time = gettext("Unknown"); +if (!empty($config['installedpackages']['snortglobal']['last_rule_upd_status'])) + $last_rule_upd_status = htmlspecialchars($config['installedpackages']['snortglobal']['last_rule_upd_status']); +else + $last_rule_upd_status = gettext("Unknown"); + if ($etpro == "on") { $emergingthreats_filename = ETPRO_DNLD_FILENAME; - $et_name = "EMERGING THREATS PRO RULES"; + $et_name = "Emerging Threats Pro Rules"; } else { $emergingthreats_filename = ET_DNLD_FILENAME; - $et_name = "EMERGING THREATS RULES"; + $et_name = "Emerging Threats Open Rules"; } -/* quick md5s chk */ -$snort_org_sig_chk_local = 'N/A'; -if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) +/* quick md5 chk of downloaded rules */ +if ($snortdownload == 'on') { + $snort_org_sig_chk_local = 'Not Downloaded'; + $snort_org_sig_date = 'Not Downloaded'; +} +else { + $snort_org_sig_chk_local = 'Not Enabled'; + $snort_org_sig_date = 'Not Enabled'; +} +if (file_exists("{$snortdir}/{$snort_rules_file}.md5") && $snortdownload == 'on') { 
$snort_org_sig_chk_local = file_get_contents("{$snortdir}/{$snort_rules_file}.md5"); + $snort_org_sig_date = date(DATE_RFC850, filemtime("{$snortdir}/{$snort_rules_file}.md5")); +} -$emergingt_net_sig_chk_local = 'N/A'; -if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5")) +if ($etpro == "on" || $emergingthreats == "on") { + $emergingt_net_sig_chk_local = 'Not Downloaded'; + $emergingt_net_sig_date = 'Not Downloaded'; +} +else { + $emergingt_net_sig_chk_local = 'Not Enabled'; + $emergingt_net_sig_date = 'Not Enabled'; +} +if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5") && ($etpro == "on" || $emergingthreats == "on")) { $emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/{$emergingthreats_filename}.md5"); + $emergingt_net_sig_date = date(DATE_RFC850, filemtime("{$snortdir}/{$emergingthreats_filename}.md5")); +} -$snort_community_sig_chk_local = 'N/A'; -if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5")) +if ($snortcommunityrules == 'on') { + $snort_community_sig_chk_local = 'Not Downloaded'; + $snort_community_sig_sig_date = 'Not Downloaded'; +} +else { + $snort_community_sig_chk_local = 'Not Enabled'; + $snort_community_sig_sig_date = 'Not Enabled'; +} +if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5") && $snortcommunityrules == 'on') { $snort_community_sig_chk_local = file_get_contents("{$snortdir}/{$snort_community_rules_filename}.md5"); + $snort_community_sig_sig_date = date(DATE_RFC850, filemtime("{$snortdir}/{$snort_community_rules_filename}.md5")); +} /* Check for postback to see if we should clear the update log file. */ if (isset($_POST['clear'])) { 
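Review bot: The three `file_get_contents()` reads of the `.md5` sidecar files store the content as-is, and the `@@ -139,111 +181,134 @@` hunk below echoes it into table cells without `htmlspecialchars()`; those files hold what the rules server returned, so they are not locally controlled input. Validate the shape once at read time, e.g. `$md5 = trim(file_get_contents(...)); $snort_org_sig_chk_local = preg_match('/^[0-9a-fA-F]{32}$/', $md5) ? $md5 : 'Invalid';`, and still escape on output. `$snort_community_sig_sig_date` (doubled `sig`) is inconsistent with the other two `_sig_date` variables and is carried into the HTML below; `$snort_community_sig_date` would match.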
@@ -91,7 +123,27 @@ if (isset($_POST['clear'])) { mwexec("/bin/rm -f {$snort_rules_upd_log}"); } -if (isset($_POST['update'])) { +if (isset($_POST['check'])) { + header("Location: /snort/snort_download_rules.php"); + exit; +} + +if ($_POST['force']) { + // Mount file system R/W since we need to remove files + conf_mount_rw(); + + // Remove the existing MD5 signature files to force a download + if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5")) + @unlink("{$snortdir}/{$emergingthreats_filename}.md5"); + if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5")) + @unlink("{$snortdir}/{$snort_community_rules_filename}.md5"); + if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) + @unlink("{$snortdir}/{$snort_rules_file}.md5"); + + // Revert file system to R/O. + conf_mount_ro(); + + // Go download the updates header("Location: /snort/snort_download_rules.php"); exit; } @@ -101,6 +153,15 @@ $snort_rules_upd_logfile_chk = 'no'; if (file_exists("{$snort_rules_upd_log}")) $snort_rules_upd_logfile_chk = 'yes'; +if ($_POST['view']&& $snort_rules_upd_logfile_chk == 'yes') { + $contents = @file_get_contents($snort_rules_upd_log); + if (empty($contents)) + $input_errors[] = gettext("Unable to read log file: {$snort_rules_upd_log}"); +} + +if ($_POST['hide']) + $contents = ""; + $pgtitle = gettext("Snort: Updates"); include_once("head.inc"); ?> 
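Review bot: `if ($_POST['force'])`, `if ($_POST['view']&& ...)` and `if ($_POST['hide'])` raise undefined-index notices on a plain GET and are inconsistent with the `isset($_POST['check'])` test two lines above; use `isset()` for all of them (and a space before `&&`). In the view handler, `empty($contents)` does not distinguish a read failure from a genuinely empty log, so an empty file produces the "Unable to read" error; test `$contents === false` for the failure case. `gettext("Unable to read log file: {$snort_rules_upd_log}")` interpolates before translation, so the string can never match a catalogue entry — `sprintf(gettext("Unable to read log file: %s"), $snort_rules_upd_log)` keeps it translatable.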
@@ -108,25 +169,6 @@ include_once("head.inc"); <body link="#000000" vlink="#000000" alink="#000000"> <?php include("fbegin.inc"); ?> -<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> - -<script language="javascript" type="text/javascript"> -function wopen(url, name, w, h) -{ -// Fudge factors for window decoration space. -// In my tests these work well on all platforms & browsers. -w += 32; -h += 96; - var win = window.open(url, - name, - 'width=' + w + ', height=' + h + ', ' + - 'location=no, menubar=no, ' + - 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); - win.resizeTo(w, h); - win.focus(); -} - -</script> <form action="snort_download_updates.php" method="post" name="iform" id="iform"> 
@@ -139,111 +181,134 @@ h += 96; $tab_array[2] = array(gettext("Updates"), true, "/snort/snort_download_updates.php"); $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr> <td> <div id="mainarea"> <table id="maintable4" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr align="center"> - <td> - <br/> - <table id="download_rules" height="32px" width="725px" border="0" cellpadding="5px" cellspacing="0"> + <tr> + <td valign="top" class="listtopic" align="center"><?php echo gettext("INSTALLED RULE SET MD5 SIGNATURE");?></td> + </tr> + <tr> + <td align="center"><br/> + <table width="95%" border="0" cellpadding="2" cellspacing="2"> + <thead> + <tr> + <th class="listhdrr"><?=gettext("Rule Set Name/Publisher");?></th> + <th class="listhdrr"><?=gettext("MD5 Signature Hash");?></th> + <th class="listhdrr"><?=gettext("MD5 Signature Date");?></th> + </tr> + </thead> <tr> - <td id="download_rules_td" style="background-color: #eeeeee"> - <div height="32" width="725px" style="background-color: #eeeeee"> - <p style="text-align: left; margin-left: 225px;"> - <font color="#777777" size="2.5px"> - <b><?php echo gettext("INSTALLED RULESET SIGNATURES"); ?></b></font><br/><br/> - <font color="#FF850A" size="1px"><b>SNORT VRT RULES 
--></b></font> - <font size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br/> - <font color="#FF850A" size="1px"><b><?=$et_name;?> --></b></font> - <font size="1px" color="#000000"> <? echo $emergingt_net_sig_chk_local; ?></font><br/> - <font color="#FF850A" size="1px"><b>SNORT GPLv2 COMMUNITY RULES --></b></font> - <font size="1px" color="#000000"> <? echo $snort_community_sig_chk_local; ?></font><br/> - </p> - </div> - </td> + <td align="center" class="vncell vexpl"><b>Snort VRT Rules</b></td> + <td align="center" class="vncell vexpl"><? echo trim($snort_org_sig_chk_local);?></td> + <td align="center" class="vncell vexpl"><?php echo gettext($snort_org_sig_date);?></td> </tr> - </table> - <br/> - <table id="download_rules" height="32px" width="725px" border="0" cellpadding="5px" cellspacing="0"> <tr> - <td id="download_rules_td" style='background-color: #eeeeee'> - <div height="32" width="725px" style='background-color: #eeeeee'> - <p style="text-align: left; margin-left: 225px;"> - <font color='#777777' size='2.5px'><b><?php echo gettext("UPDATE YOUR RULESET"); ?></b></font><br/> - <br/> - - <?php - - if ($snortdownload != 'on' && $emergingthreats != 'on' && $etpro != 'on') { - echo ' - <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '</span></button><br/> - <p style="text-align:left; margin-left:150px;"> - <font color="#fc3608" size="2px"><b>' . gettext("WARNING:") . '</b></font><font size="1px" color="#000000"> ' . gettext('No rule types have been selected for download. ') . - gettext('Visit the ') . '<a href="snort_interfaces_global.php">Global Settings Tab</a>' . gettext(' to select rule types.') . '</font><br/>'; - - echo '</p>' . "\n"; - } else { - - echo ' - <input type="submit" value="' . gettext("Update Rules") . '" name="update" id="Submit" class="formbtn" /><br/>' . 
"\n"; - - } - - ?> <br/> - </p> - </div> - </td> + <td align="center" class="vncell vexpl"><b>Snort GPLv2 Community Rules</b></td> + <td align="center" class="vncell vexpl"><? echo trim($snort_community_sig_chk_local);?></td> + <td align="center" class="vncell vexpl"><?php echo gettext($snort_community_sig_sig_date);?></td> </tr> - </table> - <br/> - <table id="download_rules" height="32px" width="725px" border="0" cellpadding="5px" cellspacing="0"> <tr> - <td id="download_rules_td" style='background-color: #eeeeee'> - <div height="32" width="725px" style='background-color: #eeeeee'> - <p style="text-align: left; margin-left: 225px;"> - <font color='#777777' size='2.5px'><b><?php echo gettext("VIEW UPDATE LOG"); ?></b></font><br/> - <br> - <?php - - if ($snort_rules_upd_logfile_chk == 'yes') { - echo " - <button class=\"formbtn\" onclick=\"wopen('snort_log_view.php?logfile={$log}', 'LogViewer', 800, 600)\"><span class='pwhitetxt'>" . gettext("View Log") . "</span></button>"; - echo " <input type=\"submit\" value=\"Clear Log\" name=\"clear\" id=\"Submit\" class=\"formbtn\" />\n"; - }else{ - echo " - <button disabled='disabled'><span class='pwhitetxt'>" . gettext("View Log") . "</span></button> " . gettext("Log is empty.") . "\n"; - } - echo '<br><br>' . gettext("The log file is limited to 1024K in size and automatically clears when the limit is exceeded."); - ?> - <br/> - </p> - </div> - </td> + <td align="center" class="vncell vexpl"><b><?=$et_name;?></b></td> + <td align="center" class="vncell vexpl"><? 
echo trim($emergingt_net_sig_chk_local);?></td> + <td align="center" class="vncell vexpl"><?php echo gettext($emergingt_net_sig_date);?></td> </tr> - </table> - - <br/> + </table><br/> + </td> + </tr> + <tr> + <td valign="top" class="listtopic" align="center"><?php echo gettext("UPDATE YOUR RULE SET");?></td> + </tr> + <tr> + <td align="center"> + <table width="45%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td class="list" align="right"><strong><?php echo gettext("Last Update:");?></strong></td> + <td class="list" align="left"><?php echo $last_rule_upd_time;?></td> + </tr> + <tr> + <td class="list" align="right"><strong><?php echo gettext("Result:");?></strong></td> + <td class="list" align="left"><?php echo $last_rule_upd_status;?></td> + </tr> + </tbody> + </table> + </td> + </tr> + <tr> + <td align="center"> + <?php if ($snortdownload != 'on' && $emergingthreats != 'on' && $etpro != 'on'): ?> + <br/><button disabled="disabled"><?=gettext("Check");?></button> + <button disabled="disabled"><?=gettext("Force");?></button> + <br/> + <p style="text-align:center;" class="vexpl"> + <font class="red"><b><?php echo gettext("WARNING:");?></b></font> + <?php echo gettext('No rule types have been selected for download. ') . + gettext('Visit the ') . '<a href="/snort/snort_global.php">Global Settings Tab</a>' . gettext(' to select rule types.'); ?> + <br/></p> + <?php else: ?> + <br/> + <input type="submit" value="<?=gettext("Check");?>" name="check" id="check" class="formbtn" + title="<?php echo gettext("Check for new updates to enabled rule sets"); ?>"/> + <input type="submit" value="<?=gettext("Force");?>" name="force" id="force" class="formbtn" + title="<?=gettext("Force an update of all enabled rule sets");?>" + onclick="return confirm('<?=gettext("This will zero-out the MD5 hashes to force a fresh download of enabled rule sets. 
Click OK to continue or CANCEL to quit");?>');"/> + <br/><br/> + <?php endif; ?> + </td> + </tr> - <table id="download_rules" height="32px" width="725px" border="0" cellpadding="5px" cellspacing="0"> - <tr> - <td id="download_rules_td" style='background-color: #eeeeee'> - <div height="32" width="725px" style='background-color: #eeeeee'><span class="vexpl"> - <span class="red"><b><?php echo gettext("NOTE:"); ?></b></span> - <a href="http://www.snort.org/" target="_blank"><?php echo gettext("Snort.org") . "</a>" . - gettext(" and ") . "<a href=\"http://www.emergingthreats.net/\" target=\"_blank\">" . gettext("EmergingThreats.net") . "</a>" . - gettext(" will go down from time to time. Please be patient."); ?></span> + <tr> + <td valign="top" class="listtopic" align="center"><?php echo gettext("MANAGE RULE SET LOG");?></td> + </tr> + <tr> + <td align="center" valign="middle" class="vexpl"> + <?php if ($snort_rules_upd_logfile_chk == 'yes'): ?> + <br/> + <?php if (!empty($contents)): ?> + <input type="submit" value="<?php echo gettext("Hide"); ?>" name="hide" id="hide" class="formbtn" + title="<?php echo gettext("Hide rules update log"); ?>"/> + <?php else: ?> + <input type="submit" value="<?php echo gettext("View"); ?>" name="view" id="view" class="formbtn" + title="<?php echo gettext("View rules update log"); ?>"/> + <?php endif; ?> + + <input type="submit" value="<?php echo gettext("Clear"); ?>" name="clear" id="clear" class="formbtn" + title="<?php echo gettext("Clear rules update log"); ?>" onClick="return confirm('Are you sure you want to delete the log contents?\nOK to confirm, or CANCEL to quit');"/> + <br/> + <?php else: ?> + <br/> + <button disabled='disabled'><?php echo gettext("View Log"); ?></button><br/><?php echo gettext("Log is empty."); ?><br/> + <?php endif; ?> + <br/><?php echo gettext("The log file is limited to 1024K in size and automatically clears when the limit is exceeded."); ?><br/><br/> + </td> + </tr> + <?php if (!empty($contents)): ?> + 
<tr> + <td valign="top" class="listtopic" align="center"><?php echo gettext("RULE SET UPDATE LOG");?></td> + </tr> + <tr> + <td align="center"> + <div style="background: #eeeeee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea style="width:100%; height:100%;" readonly wrap="off" rows="24" cols="80" name="logtext"><?=$contents;?></textarea> </div> - </td> - </tr> - </table> - + </td> + </tr> + <?php endif; ?> + <tr> + <td align="center"> + <span class="vexpl"><br/> + <span class="red"><b><?php echo gettext("NOTE:"); ?></b></span> + <a href="http://www.snort.org/" target="_blank"><?php echo gettext("Snort.org") . "</a>" . + gettext(" and ") . "<a href=\"http://www.emergingthreats.net/\" target=\"_blank\">" . gettext("EmergingThreats.net") . "</a>" . + gettext(" will go down from time to time. Please be patient."); ?></span><br/> </td> </tr> </table> @@ -252,7 +317,6 @@ h += 96; </td> </tr> </table> -<!-- end of final table --> </form> <?php include("fend.inc"); ?> </body> diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php index f6d00b0b..a5ec0aad 100644 --- a/config/snort/snort_edit_hat_data.php +++ b/config/snort/snort_edit_hat_data.php @@ -3,6 +3,7 @@ * snort_edit_hat_data.php * Copyright (C) 2004 Scott Ullrich * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2013-2014 Bill Meeks * All rights reserved. * * originially part of m0n0wall (http://m0n0.ch/wall) @@ -47,9 +48,11 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) { } $a_nat = &$config['installedpackages']['snortglobal']['rule']; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + if (is_null($id)) { header("Location: /snort/snort_interfaces.php"); exit; 
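Review bot: `<?=$contents;?>` places the raw update-log text inside a `<textarea>`; the log carries interface descriptions and messages built from downloaded files, and a `</textarea>` sequence in it ends the element and turns the rest into live HTML — use `<?=htmlspecialchars($contents);?>`. The three hash cells print `trim($snort_org_sig_chk_local)` and friends unescaped, and those values come from downloaded `.md5` files; wrap them in `htmlspecialchars()` too. Those cells also use `<? echo ...?>` short open tags, which depend on `short_open_tag`, while the rest of the file uses `<?php`/`<?=`; `<?=htmlspecialchars(trim($snort_org_sig_chk_local));?>` fixes both. The warning text links to `/snort/snort_global.php` while the Global Settings tab at the top of this hunk points to `/snort/snort_interfaces_global.php`; one of the two is wrong.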
@@ -62,24 +65,27 @@ else if ($_POST['clear']) { unset($a_nat[$id]['host_attribute_data']); - write_config(); + $a_nat[$id]['host_attribute_table'] = 'off'; + write_config("Snort pkg: cleared Host Attribute Table data for {$a_nat[$id]['interface']}."); $rebuild_rules = false; snort_generate_conf($a_nat[$id]); - header("Location: /snort/snort_edit_hat_data.php?id={$id}"); - exit; + $pconfig['host_attribute_data'] = ""; } -if ($_POST['host_attribute_data']) { +if ($_POST['save']) { $a_nat[$id]['host_attribute_data'] = base64_encode($_POST['host_attribute_data']); - write_config(); + if (strlen($_POST['host_attribute_data']) > 0) + $a_nat[$id]['host_attribute_table'] = 'on'; + else + $a_nat[$id]['host_attribute_table'] = 'off'; + write_config("Snort pkg: modified Host Attribute Table data for {$a_nat[$id]['interface']}."); $rebuild_rules = false; snort_generate_conf($a_nat[$id]); - header("Location: /snort/snort_preprocessors.php?id={$id}"); - exit; + $pconfig['host_attribute_data'] = $_POST['host_attribute_data']; } -$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - Host Attribute Table Data"); include_once("head.inc"); @@ -89,8 +95,8 @@ include_once("head.inc"); <?php include("fbegin.inc"); -if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} -if ($input_errors) print_input_errors($input_errors); +if ($input_errors) + print_input_errors($input_errors); if ($savemsg) print_info_box($savemsg); ?> 
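Review bot: `$_POST['host_attribute_data']` is base64-encoded and written straight into the config on save without any check of its contents, and `snort_generate_conf()` is called immediately afterwards to regenerate the interface's configuration from it, so a malformed table presumably breaks Snort on that interface rather than being refused here. Snort's host attribute table is an XML document, so parse it before accepting it: `libxml_use_internal_errors(true); if (strlen($_POST['host_attribute_data']) > 0 && simplexml_load_string($_POST['host_attribute_data']) === false) $input_errors[] = gettext("Host Attribute Table data is not well-formed XML.");`, and only store and regenerate when `$input_errors` is empty (the page already prints `$input_errors`). How snort_generate_conf() consumes the data is not visible in this hunk, so confirm the format it expects before adding the check.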
@@ -106,11 +112,11 @@ if ($savemsg) <tr> <td> <input type='hidden' name='id' value='<?=$id;?>'> - <textarea wrap="off" cols="80" rows="35" name="host_attribute_data" id="host_attribute_data" style="width:99%; height:100%;"><?=$pconfig['host_attribute_data'];?></textarea></td> + <textarea wrap="off" cols="80" rows="35" name="host_attribute_data" id="host_attribute_data" style="width:99%; height:100%;"><?=htmlspecialchars($pconfig['host_attribute_data']);?></textarea></td> </tr> <tr> <td> - <input name="Submit" type="submit" class="formbtn" value="<?php echo gettext(" Save "); ?>" title=" <?php echo gettext("Save Host Attribute data"); ?>"/> + <input name="save" type="submit" class="formbtn" value="<?php echo gettext(" Save "); ?>" title=" <?php echo gettext("Save Host Attribute data"); ?>"/> <input type="button" class="formbtn" value=" <?php echo gettext("Return"); ?>" onclick="parent.location='snort_preprocessors.php?id=<?=$id;?>'" title="<?php echo gettext("Return to Preprocessors tab"); ?>"/> <input name="clear" type="submit" class="formbtn" id="clear" value="<?php echo gettext("Clear"); ?>" onclick="return confirm('<?php echo gettext("This will erase all Host Attribute data for the interface. Are you sure?"); ?>')" title="<?php echo gettext("Deletes all Host Attribute data"); ?>"/> </td> diff --git a/config/snort/snort_frag3_engine.php b/config/snort/snort_frag3_engine.php index 89a21dc8..9489bf16 100644 --- a/config/snort/snort_frag3_engine.php +++ b/config/snort/snort_frag3_engine.php @@ -1,7 +1,7 @@ <?php /* * snort_frag3_engine.php - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013-2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -34,12 +34,15 @@ global $g; $snortdir = SNORTDIR; // Grab the incoming QUERY STRING or POST variables -$id = $_GET['id']; -$eng_id = $_GET['eng_id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; -if (isset($_POST['eng_id'])) +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + +if (isset($_POST['eng_id']) && isset($_POST['eng_id'])) $eng_id = $_POST['eng_id']; +elseif (isset($_GET['eng_id']) && is_numericint($_GET['eng_id'])) + $eng_id = htmlspecialchars($_GET['eng_id']); if (is_null($id)) { header("Location: /snort/snort_interfaces.php"); @@ -90,10 +93,10 @@ if ($_POST['Cancel']) { // Check for returned "selected alias" if action is import if ($_GET['act'] == "import") { if ($_GET['varname'] == "bind_to" && !empty($_GET['varvalue'])) - $pconfig[$_GET['varname']] = $_GET['varvalue']; + $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); } -if ($_POST['Submit']) { +if ($_POST['save']) { /* Grab all the POST values and save in new temp array */ $engine = array(); @@ -182,14 +185,14 @@ if ($_POST['Submit']) { } /* Now write the new engine array to conf */ - write_config(); + write_config("Snort pkg: modified frag3 engine settings."); header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row"); exit; } } -$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($config['installedpackages']['snortglobal']['rule'][$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} Frag3 Preprocessor Engine"); include_once("head.inc"); 
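Review bot: The POST branch for `eng_id` tests `isset($_POST['eng_id'])` twice and never validates the value, while the GET branch directly below requires `is_numericint()`; the repeated isset is clearly a copy-paste slip and the line should read `if (isset($_POST['eng_id']) && is_numericint($_POST['eng_id']))`. As written, an arbitrary POSTed `eng_id` reaches whatever indexes the engine array in the save handler further down the file. The same slip is repeated in the other preprocessor-engine pages touched by this commit.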
@@ -324,7 +327,7 @@ if ($savemsg) <tr> <td width="22%" valign="bottom"> </td> <td width="78%" valign="bottom"> - <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + <input name="save" id="save" type="submit" class="formbtn" value=" Save " title="<?php echo gettext("Save Frag3 engine settings and return to Preprocessors tab"); ?>"> <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo diff --git a/config/snort/snort_ftp_client_engine.php b/config/snort/snort_ftp_client_engine.php index b039df5b..f462efa8 100644 --- a/config/snort/snort_ftp_client_engine.php +++ b/config/snort/snort_ftp_client_engine.php @@ -1,7 +1,7 @@ <?php /* * snort_ftp_client_engine.php - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013-2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -33,12 +33,15 @@ global $g; $snortdir = SNORTDIR; -$id = $_GET['id']; -$eng_id = $_GET['eng_id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; -if (isset($_POST['eng_id'])) +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + +if (isset($_POST['eng_id']) && isset($_POST['eng_id'])) $eng_id = $_POST['eng_id']; +elseif (isset($_GET['eng_id']) && is_numericint($_GET['eng_id'])) + $eng_id = htmlspecialchars($_GET['eng_id']); if (is_null($id)) { // Clear and close out any session variable we created @@ -84,7 +87,7 @@ if ($_GET['act'] == "import") { session_start(); if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "bounce_to_net" || $_GET['varname'] == "bounce_to_port") && !empty($_GET['varvalue'])) { - $pconfig[$_GET['varname']] = $_GET['varvalue']; + $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); if(!isset($_SESSION['ftp_client_import'])) $_SESSION['ftp_client_import'] = array(); 
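Review bot: Same slip as in snort_frag3_engine.php: `isset($_POST['eng_id']) && isset($_POST['eng_id'])` repeats the isset and skips the integer check that the GET path gets, so the second operand should be `is_numericint($_POST['eng_id'])`. Without it a POSTed `eng_id` is used unvalidated as an array index by the save handler, which lies outside this hunk.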
@@ -112,7 +115,7 @@ if ($_GET['act'] == "import") { } } -if ($_POST['Submit']) { +if ($_POST['save']) { // Clear and close out any session variable we created session_start(); @@ -213,14 +216,14 @@ if ($_POST['Submit']) { } /* Now write the new engine array to conf */ - write_config(); + write_config("Snort pkg: modified ftp_telnet_client engine settings."); header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); exit; } } -$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($config['installedpackages']['snortglobal']['rule'][$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Client Engine"); include_once("head.inc"); @@ -353,7 +356,7 @@ if ($savemsg) <tr> <td width="22%" valign="bottom"> </td> <td width="78%" valign="bottom"> - <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + <input name="save" id="save" type="submit" class="formbtn" value=" Save " title="<?php echo gettext("Save ftp engine settings and return to Preprocessors tab"); ?>"> <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo diff --git a/config/snort/snort_ftp_server_engine.php b/config/snort/snort_ftp_server_engine.php index e70033e7..cb9abc9c 100644 --- a/config/snort/snort_ftp_server_engine.php +++ b/config/snort/snort_ftp_server_engine.php @@ -1,7 +1,7 @@ <?php /* * snort_ftp_server_engine.php - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013-2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -34,12 +34,15 @@ global $g; $snortdir = SNORTDIR; // Grab any QUERY STRING or POST variables -$id = $_GET['id']; -$eng_id = $_GET['eng_id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; -if (isset($_POST['eng_id'])) +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + +if (isset($_POST['eng_id']) && isset($_POST['eng_id'])) $eng_id = $_POST['eng_id']; +elseif (isset($_GET['eng_id']) && is_numericint($_GET['eng_id'])) + $eng_id = htmlspecialchars($_GET['eng_id']); if (is_null($id)) { // Clear and close out any session variable we created @@ -85,7 +88,7 @@ if ($_GET['act'] == "import") { session_start(); if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports") && !empty($_GET['varvalue'])) { - $pconfig[$_GET['varname']] = $_GET['varvalue']; + $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); if(!isset($_SESSION['ftp_server_import'])) $_SESSION['ftp_server_import'] = array(); @@ -109,7 +112,7 @@ if ($_GET['act'] == "import") { } } -if ($_POST['Submit']) { +if ($_POST['save']) { // Clear and close out any session variable we created session_start(); @@ -184,14 +187,14 @@ if ($_POST['Submit']) { } /* Now write the new engine array to conf */ - write_config(); + write_config("Snort pkg: modified ftp_telnet_server engine settings."); header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); exit; } } -$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($config['installedpackages']['snortglobal']['rule'][$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Server Engine"); include_once("head.inc"); 
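Review bot: The `eng_id` POST guard here has the same duplicated `isset($_POST['eng_id'])` as the other engine pages in this commit, so POSTed values bypass the `is_numericint()` check that GET values receive; change the second operand to `is_numericint($_POST['eng_id'])`. Since `$eng_id` selects which engine entry the save handler (outside this hunk) overwrites, the two sources should be validated identically.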
@@ -316,7 +319,7 @@ if ($savemsg) <tr> <td width="22%" valign="bottom"> </td> <td width="78%" valign="bottom"> - <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + <input name="save" id="save" type="submit" class="formbtn" value=" Save " title="<?php echo gettext("Save ftp engine settings and return to Preprocessors tab"); ?>"> <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php index 94d3364f..c7680892 100644 --- a/config/snort/snort_httpinspect_engine.php +++ b/config/snort/snort_httpinspect_engine.php @@ -1,7 +1,7 @@ <?php /* * snort_httpinspect_engine.php - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013-2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -33,12 +33,15 @@ global $g; $snortdir = SNORTDIR; -$id = $_GET['id']; -$eng_id = $_GET['eng_id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; -if (isset($_POST['eng_id'])) +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + +if (isset($_POST['eng_id']) && isset($_POST['eng_id'])) $eng_id = $_POST['eng_id']; +elseif (isset($_GET['eng_id']) && is_numericint($_GET['eng_id'])) + $eng_id = htmlspecialchars($_GET['eng_id']); if (is_null($id)) { // Clear and close out any session variable we created @@ -137,7 +140,7 @@ if ($_GET['act'] == "import") { session_start(); if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports") && !empty($_GET['varvalue'])) { - $pconfig[$_GET['varname']] = $_GET['varvalue']; + $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); $_SESSION['http_inspect_import'] = array(); $_SESSION['http_inspect_import'][$_GET['varname']] = $_GET['varvalue']; 
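Review bot: The `eng_id` POST branch in this file also repeats `isset($_POST['eng_id'])` instead of validating the value, unlike the GET branch right after it; make it `if (isset($_POST['eng_id']) && is_numericint($_POST['eng_id']))` so both sources are checked the same way before `$eng_id` is used as an engine-array index later in the file.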
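Review bot: The imported alias value is HTML-escaped when copied into `$pconfig` but stored raw in `$_SESSION['http_inspect_import']` two lines later, so the two copies of the same value now differ whenever it contains `&`, `<`, `>` or a quote. Escaping belongs at the point of output: keep `$pconfig[$_GET['varname']] = $_GET['varvalue'];` and wrap the value with `htmlspecialchars()` where the form prints it; if that output is already escaped, the change here double-encodes the value shown in the field. Alias names are probably restricted to safe characters by the alias editor, so this is mostly a consistency issue, but it is cheap to get right.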
@@ -160,7 +163,7 @@ if ($_GET['act'] == "import") { } } -if ($_POST['Submit']) { +if ($_POST['save']) { // Clear and close out any session variable we created session_start(); @@ -293,14 +296,14 @@ if ($_POST['Submit']) { } // Now write the new engine array to conf - write_config(); + write_config("Snort pkg: modified http_inspect engine settings."); header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); exit; } } -$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($config['installedpackages']['snortglobal']['rule'][$id]['interface']); $pgtitle = gettext("Snort: {$if_friendly} - HTTP_Inspect Preprocessor Engine"); include_once("head.inc"); @@ -637,7 +640,7 @@ if ($savemsg) <tr> <td width="22%" valign="bottom"> </td> <td width="78%" valign="bottom"> - <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + <input name="save" id="save" type="submit" class="formbtn" value=" Save " title="<?php echo gettext("Save httpinspect engine settings and return to Preprocessors tab"); ?>"> <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo diff --git a/config/snort/snort_import_aliases.php b/config/snort/snort_import_aliases.php index 77cd5490..80b3bb1d 100644 --- a/config/snort/snort_import_aliases.php +++ b/config/snort/snort_import_aliases.php @@ -2,7 +2,7 @@ /* $Id$ */ /* snort_import_aliases.php - Copyright (C) 2013 Bill Meeks + Copyright (C) 2013, 2014 Bill Meeks All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -32,12 +32,15 @@ require_once("functions.inc"); require_once("/usr/local/pkg/snort/snort.inc"); // Retrieve any passed QUERY STRING or POST variables -$id = $_GET['id']; -$eng = $_GET['eng']; if (isset($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + if (isset($_POST['eng'])) $eng = $_POST['eng']; +elseif (isset($_GET['eng'])) + $eng = htmlspecialchars($_GET['eng']); // Make sure we have a valid rule ID and ENGINE name, or // else bail out to top-level menu. @@ -46,7 +49,10 @@ if (is_null($id) || is_null($eng)) { exit; } -// Used to track if any selectable Aliases are found +// Used to track if any selectable Aliases are found. Selectable +// means aliases matching the requirements of the configuration +// engine we are importing into (e.g., single IP only or +// multiple IP alias). $selectablealias = false; // Initialize required array variables as necessary @@ -89,7 +95,7 @@ switch ($eng) { break; case "stream5_tcp_engine": $anchor = "#stream5_row"; - $multi_ip = true; + $multi_ip = false; $title = "Stream5 TCP Engine"; break; case "ftp_server_engine": @@ -200,7 +206,7 @@ if ($_POST['save']) { } // Now write the new engine array to conf and return - write_config(); + write_config("Snort pkg: imported new host or network alias."); header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}"); exit; @@ -269,7 +275,7 @@ include("head.inc"); ?> <?php if ($disable): ?> <tr title="<?=$tooltip;?>"> - <td class="listlr" align="center"><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height"11" border="0"/> + <td class="listlr" align="center" sorttable_customkey=""><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height="11" border="0"/> <?php else: ?> <tr> <td class="listlr" align="center"><input type="checkbox" name="toimport[]" value="<?=htmlspecialchars($alias['name']);?>" title="<?=$tooltip;?>"/></td> 
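Review bot: The POST branch takes `$_POST['id']` as-is while the GET branch requires `is_numericint()`, and `eng` likewise is escaped only when it arrives via GET; every other page in this commit validates both sources the same way. Make it `if (isset($_POST['id']) && is_numericint($_POST['id']))`. `$id` is later used to index the rule array on the save path and `$eng` drives the `switch` below, so an unvalidated POST value ends up selecting what `write_config()` modifies; whether the switch has a rejecting default is not visible here.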
diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index 15d9addc..c82ec57e 100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -4,6 +4,7 @@ * * Copyright (C) 2008-2009 Robert Zelaya. * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -28,60 +29,43 @@ * POSSIBILITY OF SUCH DAMAGE. */ -$nocsrf = true; require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); global $g, $rebuild_rules; $snortdir = SNORTDIR; +$snortlogdir = SNORTLOGDIR; $rcdir = RCFILEPREFIX; -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; + +// Calculate the index of the next added Snort interface $id_gen = count($config['installedpackages']['snortglobal']['rule']); if (isset($_POST['del_x'])) { - /* delete selected rules */ + /* Delete selected Snort interfaces */ if (is_array($_POST['rule'])) { conf_mount_rw(); foreach ($_POST['rule'] as $rulei) { - /* convert fake interfaces to real */ - $if_real = snort_get_real_interface($a_nat[$rulei]['interface']); + $if_real = get_real_interface($a_nat[$rulei]['interface']); $snort_uuid = $a_nat[$rulei]['uuid']; snort_stop($a_nat[$rulei], $if_real); - exec("/bin/rm -r /var/log/snort/snort_{$if_real}{$snort_uuid}"); + exec("/bin/rm -r {$snortlogdir}/snort_{$if_real}{$snort_uuid}"); exec("/bin/rm -r {$snortdir}/snort_{$snort_uuid}_{$if_real}"); - // If interface had auto-generated Suppress List, then - // delete that along with the interface - $autolist = "{$a_nat[$rulei]['interface']}" . 
"suppress"; - if (is_array($config['installedpackages']['snortglobal']['suppress']) && - is_array($config['installedpackages']['snortglobal']['suppress']['item'])) { - $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; - foreach ($a_suppress as $k => $i) { - if ($i['name'] == $autolist) { - unset($config['installedpackages']['snortglobal']['suppress']['item'][$k]); - break; - } - } - } - // Finally delete the interface's config entry entirely unset($a_nat[$rulei]); } conf_mount_ro(); - /* If all the Snort interfaces are removed, then unset the config array. */ + /* If all the Snort interfaces are removed, then unset the interfaces config array. */ if (empty($a_nat)) unset($a_nat); - write_config(); + write_config("Snort pkg: deleted one or more Snort interfaces."); sleep(2); /* if there are no ifaces remaining do not create snort.sh */ @@ -106,13 +90,13 @@ if (isset($_POST['del_x'])) { } -/* start/stop snort */ -if ($_GET['act'] == 'bartoggle' && is_numeric($id)) { - $snortcfg = $config['installedpackages']['snortglobal']['rule'][$id]; - $if_real = snort_get_real_interface($snortcfg['interface']); - $if_friendly = snort_get_friendly_interface($snortcfg['interface']); +/* start/stop barnyard2 */ +if ($_POST['bartoggle'] && is_numericint($_POST['id'])) { + $snortcfg = $config['installedpackages']['snortglobal']['rule'][$_POST['id']]; + $if_real = get_real_interface($snortcfg['interface']); + $if_friendly = convert_friendly_interface_to_friendly_descr($snortcfg['interface']); - if (snort_is_running($snortcfg['uuid'], $if_real, 'barnyard2') == 'no') { + if (!snort_is_running($snortcfg['uuid'], $if_real, 'barnyard2')) { log_error("Toggle (barnyard starting) for {$if_friendly}({$snortcfg['descr']})..."); sync_snort_package_config(); snort_barnyard_start($snortcfg, $if_real); 
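Review bot: Each `$rulei` from `$_POST['rule']` is used unvalidated as an index into `$a_nat` and then to build the `exec("/bin/rm -r …")` paths, so a non-existent index presumably yields an empty `$if_real`/`$snort_uuid` and the commands run against `{$snortlogdir}/snort_` and `{$snortdir}/snort__` rather than a specific instance. Add `if (!is_numericint($rulei) || !isset($a_nat[$rulei])) continue;` at the top of the loop, and pass the two paths through `escapeshellarg()` since they are interpolated into a shell line. Removing the `$nocsrf = true` exemption so this delete is CSRF-protected is a welcome change.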
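Review bot: `is_numericint($_POST['id'])` accepts any non-negative integer, but nothing checks that `$config['installedpackages']['snortglobal']['rule'][$_POST['id']]` exists before `$snortcfg` is dereferenced and passed to `snort_barnyard_start()`, so an unknown index logs a toggle for an empty interface and runs the start path with a null config. Tighten the guard to `if ($_POST['bartoggle'] && is_numericint($_POST['id']) && isset($config['installedpackages']['snortglobal']['rule'][$_POST['id']]))`. The `toggle` handler that follows needs the same check.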
@@ -120,27 +104,18 @@ if ($_GET['act'] == 'bartoggle' && is_numeric($id)) { log_error("Toggle (barnyard stopping) for {$if_friendly}({$snortcfg['descr']})..."); snort_barnyard_stop($snortcfg, $if_real); } - sleep(3); // So the GUI reports correctly - header("Location: /snort/snort_interfaces.php"); - exit; } /* start/stop snort */ -if ($_GET['act'] == 'toggle' && is_numeric($id)) { - $snortcfg = $config['installedpackages']['snortglobal']['rule'][$id]; - $if_real = snort_get_real_interface($snortcfg['interface']); - $if_friendly = snort_get_friendly_interface($snortcfg['interface']); +if ($_POST['toggle'] && is_numericint($_POST['id'])) { + $snortcfg = $config['installedpackages']['snortglobal']['rule'][$_POST['id']]; + $if_real = get_real_interface($snortcfg['interface']); + $if_friendly = convert_friendly_interface_to_friendly_descr($snortcfg['interface']); - if (snort_is_running($snortcfg['uuid'], $if_real) == 'yes') { + if (snort_is_running($snortcfg['uuid'], $if_real)) { log_error("Toggle (snort stopping) for {$if_friendly}({$snortcfg['descr']})..."); snort_stop($snortcfg, $if_real); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); } else { log_error("Toggle (snort starting) for {$if_friendly}({$snortcfg['descr']})..."); 
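Review bot: Dropping the `header("Location: /snort/snort_interfaces.php"); exit;` after the Barnyard2 toggle (and, in the next hunk, after the Snort toggle) means the toggle is now a POST whose response is rendered in place, so a browser reload of the interfaces page (after the usual resubmit prompt) re-submits the form and flips the service again; the old redirect-after-POST avoided that. Keep the handler as is but finish it with `sleep(3); header("Location: /snort/snort_interfaces.php"); exit;` so the page the user lands on is a GET. The start branch of this handler continues past the end of the hunk.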
@@ -149,16 +124,8 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { sync_snort_package_config(); $rebuild_rules = false; snort_start($snortcfg, $if_real); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); } sleep(3); // So the GUI reports correctly - header("Location: /snort/snort_interfaces.php"); - exit; } $pgtitle = "Services: $snort_package_version"; @@ -169,34 +136,18 @@ include_once("head.inc"); <?php include_once("fbegin.inc"); -if ($pfsense_stable == 'yes') - echo '<p class="pgtitle">' . $pgtitle . '</p>'; -?> -<form action="snort_interfaces.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> -<?php /* Display Alert message */ if ($input_errors) - print_input_errors($input_errors); // TODO: add checks + print_input_errors($input_errors); if ($savemsg) print_info_box($savemsg); - - //if (file_exists($d_snortconfdirty_path)) { - if ($d_snortconfdirty_path_ls != '') { - echo '<p>'; - - if($savemsg) - print_info_box_np("{$savemsg}"); - else { - print_info_box_np(gettext( - 'The Snort configuration has changed for one or more interfaces.<br>' . - 'You must apply the changes in order for them to take effect.<br>' - )); - } - } ?> +<form action="snort_interfaces.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<input type="hidden" name="id" id="id" value=""> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> 
@@ -207,10 +158,11 @@ if ($pfsense_stable == 'yes') $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); ?> </td> </tr> @@ -257,11 +209,10 @@ if ($pfsense_stable == 'yes') <?php /* convert fake interfaces to real and check if iface is up */ - /* There has to be a smarter way to do this */ - $if_real = snort_get_real_interface($natent['interface']); - $natend_friendly= snort_get_friendly_interface($natent['interface']); + $if_real = get_real_interface($natent['interface']); + $natend_friendly = convert_friendly_interface_to_friendly_descr($natent['interface']); $snort_uuid = $natent['uuid']; - if (snort_is_running($snort_uuid, $if_real) == 'no'){ + if (!snort_is_running($snort_uuid, $if_real)){ $iconfn = 'block'; $iconfn_msg1 = 'Snort is not running on '; $iconfn_msg2 = '. Click to start.'; @@ -271,7 +222,7 @@ if ($pfsense_stable == 'yes') $iconfn_msg1 = 'Snort is running on '; $iconfn_msg2 = '. Click to stop.'; } - if (snort_is_running($snort_uuid, $if_real, 'barnyard2') == 'no'){ + if (!snort_is_running($snort_uuid, $if_real, 'barnyard2')){ $biconfn = 'block'; $biconfn_msg1 = 'Barnyard2 is not running on '; $biconfn_msg2 = '. Click to start.'; 
@@ -312,14 +263,13 @@ if ($pfsense_stable == 'yes') <?php $check_snort_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['enable']; if ($check_snort_info == "on") { - echo strtoupper("enabled"); - echo "<a href='?act=toggle&id={$i}'> - <img src='../themes/{$g['theme']}/images/icons/icon_{$iconfn}.gif' - width='13' height='13' border='0' - title='" . gettext($iconfn_msg1.$natend_friendly.$iconfn_msg2) . "'></a>"; + echo gettext("ENABLED") . " "; + echo "<input type='image' src='../themes/{$g['theme']}/images/icons/icon_{$iconfn}.gif' width='13' height='13' border='0' "; + echo "onClick='document.getElementById(\"id\").value=\"{$nnats}\";' name=\"toggle[]\" "; + echo "title='" . gettext($iconfn_msg1.$natend_friendly.$iconfn_msg2) . "'/>"; echo ($no_rules) ? " <img src=\"../themes/{$g['theme']}/images/icons/icon_frmfld_imp.png\" width=\"15\" height=\"15\" border=\"0\">" : ""; } else - echo strtoupper("disabled"); + echo gettext("DISABLED"); ?> </td> <td class="listr" @@ -353,13 +303,11 @@ if ($pfsense_stable == 'yes') <?php $check_snortbarnyardlog_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['barnyard_enable']; if ($check_snortbarnyardlog_info == "on") { - echo strtoupper("enabled"); - echo "<a href='?act=bartoggle&id={$i}'> - <img src='../themes/{$g['theme']}/images/icons/icon_{$biconfn}.gif' - width='13' height='13' border='0' - title='" . gettext($biconfn_msg1.$natend_friendly.$biconfn_msg2) . "'></a>"; + echo gettext("ENABLED") . " "; + echo "<input type='image' name='bartoggle[]' src='../themes/{$g['theme']}/images/icons/icon_{$biconfn}.gif' width='13' height='13' border='0' "; + echo "onClick='document.getElementById(\"id\").value=\"{$nnats}\"'; title='" . gettext($biconfn_msg1.$natend_friendly.$biconfn_msg2) . "'/>"; } else - echo strtoupper("disabled"); + echo gettext("DISABLED"); ?> </td> <td class="listbg" 
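Review bot: In the Barnyard2 toggle the `onClick` attribute's closing quote comes before the semicolon, `\"{$nnats}\"'; title='…'`, so the emitted HTML is `onClick='…' ; title='…'` with a stray `;` between attributes; it should match the Snort toggle above and read `\"{$nnats}\";' title='…'`. In both toggles the `title` text embeds `$natend_friendly`, an interface description taken from the config, inside a single-quoted attribute with no escaping, so a description containing `'` breaks the tag; use `title='" . htmlspecialchars($iconfn_msg1.$natend_friendly.$iconfn_msg2, ENT_QUOTES) . "'`. Passing the concatenated string through `gettext()` also defeats translation, since the interface name becomes part of the lookup key.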
@@ -393,8 +341,7 @@ if ($pfsense_stable == 'yes') src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" " border="0"> <?php else: ?> - <input name="del" type="image" - src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + <input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="<?php echo gettext("Delete selected Snort interface mapping(s)"); ?>" onclick="return intf_del()"> <?php endif; ?></td> @@ -420,12 +367,8 @@ if ($pfsense_stable == 'yes') </td> </tr> <tr> - <td colspan="3" class="vexpl"><br> - </td> - </tr> - <tr> - <td colspan="3" class="vexpl"><span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span><br> - <strong><?php echo gettext("New settings will not take effect until interface restart."); ?></strong> + <td colspan="3" class="vexpl"> + <?php echo gettext("New settings will not take effect until interface restart."); ?> </td> </tr> <tr> @@ -484,9 +427,9 @@ function intf_del() { } } if (isSelected) - return confirm('Do you really want to delete the selected Snort mapping?'); + return confirm('Do you really want to delete the selected Snort interface mapping(s)?'); else - alert("There is no Snort mapping selected for deletion. Click the checkbox beside the Snort mapping(s) you wish to delete."); + alert("There is no Snort interface mapping selected for deletion. Click the checkbox beside the Snort mapping(s) you wish to delete."); } </script> diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 72aa82e2..4c868844 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -4,6 +4,7 @@ * * Copyright (C) 2008-2009 Robert Zelaya. * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -33,6 +34,9 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g, $rebuild_rules; +$snortdir = SNORTDIR; +$snortlogdir = SNORTLOGDIR; + if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); $snortglob = $config['installedpackages']['snortglobal']; @@ -41,9 +45,11 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); $a_rule = &$config['installedpackages']['snortglobal']['rule']; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + if (is_null($id)) { header("Location: /snort/snort_interfaces.php"); exit; @@ -63,13 +69,7 @@ else { $snort_uuid = $pconfig['uuid']; // Get the physical configured interfaces on the firewall -if (function_exists('get_configured_interface_with_descr')) - $interfaces = get_configured_interface_with_descr(); -else { - $interfaces = array('wan' => 'WAN', 'lan' => 'LAN'); - for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) - $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; -} +$interfaces = get_configured_interface_with_descr(); // See if interface is already configured, and use its values if (isset($id) && $a_rule[$id]) { @@ -89,6 +89,8 @@ elseif (isset($id) && !isset($a_rule[$id])) { foreach ($ifaces as $i) { if (!in_array($i, $ifrules)) { $pconfig['interface'] = $i; + $pconfig['descr'] = strtoupper($i); + $pconfig['enable'] = 'on'; break; } } 
@@ -99,19 +101,26 @@ elseif (isset($id) && !isset($a_rule[$id])) { } } -if (isset($_GET['dup'])) - unset($id); - // Set defaults for empty key parameters if (empty($pconfig['blockoffendersip'])) $pconfig['blockoffendersip'] = "both"; if (empty($pconfig['performance'])) $pconfig['performance'] = "ac-bnfa"; -if ($_POST["Submit"]) { - if (!$_POST['interface']) +if ($_POST["save"]) { + if (!isset($_POST['interface'])) $input_errors[] = "Interface is mandatory"; + /* See if assigned interface is already in use */ + if (isset($_POST['interface'])) { + foreach ($a_rule as $k => $v) { + if (($v['interface'] == $_POST['interface']) && ($id <> $k)) { + $input_errors[] = gettext("The '{$_POST['interface']}' interface is already assigned to another Snort instance."); + break; + } + } + } + /* if no errors write to conf */ if (!$input_errors) { $natent = $a_rule[$id]; @@ -136,6 +145,8 @@ if ($_POST["Submit"]) { if ($_POST['blockoffendersip']) $natent['blockoffendersip'] = $_POST['blockoffendersip']; else unset($natent['blockoffendersip']); if ($_POST['whitelistname']) $natent['whitelistname'] = $_POST['whitelistname']; else unset($natent['whitelistname']); if ($_POST['homelistname']) $natent['homelistname'] = $_POST['homelistname']; else unset($natent['homelistname']); + if ($_POST['alert_log_limit']) $natent['alert_log_limit'] = $_POST['alert_log_limit']; else unset($natent['alert_log_limit']); + if ($_POST['alert_log_retention']) $natent['alert_log_retention'] = $_POST['alert_log_retention']; else unset($natent['alert_log_retention']); if ($_POST['externallistname']) $natent['externallistname'] = $_POST['externallistname']; else unset($natent['externallistname']); if ($_POST['suppresslistname']) $natent['suppresslistname'] = $_POST['suppresslistname']; else unset($natent['suppresslistname']); if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = 'on'; }else{ $natent['alertsystemlog'] = 'off'; } 
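Review bot: The save path now checks that `$_POST['interface']` is set and not already assigned, but never that it names one of the firewall's configured interfaces, even though `$interfaces = get_configured_interface_with_descr()` from the hunk above is what populates the select. Add `elseif (!array_key_exists($_POST['interface'], $interfaces)) $input_errors[] = gettext("Invalid interface.");` before the duplicate check; downstream the value goes through `get_real_interface()` into the `exec("mv -f …")` paths in a later hunk, and it is echoed back inside the duplicate-assignment message. Whether `print_input_errors()` escapes its messages is not visible here; if it does not, `'{$_POST['interface']}'` is reflected into the page unescaped, and building the message inside `gettext()` also prevents it from being translated.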
@@ -145,14 +156,20 @@ if ($_POST["Submit"]) { if ($_POST['fpm_search_optimize'] == "on") { $natent['fpm_search_optimize'] = 'on'; }else{ $natent['fpm_search_optimize'] = 'off'; } if ($_POST['fpm_no_stream_inserts'] == "on") { $natent['fpm_no_stream_inserts'] = 'on'; }else{ $natent['fpm_no_stream_inserts'] = 'off'; } - $if_real = snort_get_real_interface($natent['interface']); + $if_real = get_real_interface($natent['interface']); if (isset($id) && $a_rule[$id]) { + // See if moving an existing Snort instance to another physical interface if ($natent['interface'] != $a_rule[$id]['interface']) { - $oif_real = snort_get_real_interface($a_rule[$id]['interface']); - snort_stop($a_rule[$id], $oif_real); - exec("rm -r /var/log/snort_{$oif_real}" . $a_rule[$id]['uuid']); + $oif_real = get_real_interface($a_rule[$id]['interface']); + if (snort_is_running($a_rule[$id]['uuid'], $oif_real)) { + snort_stop($a_rule[$id], $oif_real); + $snort_start = true; + } + else + $snort_start = false; + exec("mv -f {$snortlogdir}/snort_{$oif_real}{$a_rule[$id]['uuid']} {$snortlogdir}/snort_{$if_real}{$a_rule[$id]['uuid']}"); conf_mount_rw(); - exec("mv -f {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$if_real}"); + exec("mv -f {$snortdir}/snort_{$a_rule[$id]['uuid']}_{$oif_real} {$snortdir}/snort_{$a_rule[$id]['uuid']}_{$if_real}"); conf_mount_ro(); } $a_rule[$id] = $natent; @@ -256,7 +273,7 @@ if ($_POST["Submit"]) { snort_stop($natent, $if_real); /* Save configuration changes */ - write_config(); + write_config("Snort pkg: modified interface configuration for {$natent['interface']}."); /* Most changes don't require a rules rebuild, so default to "off" */ $rebuild_rules = false; 
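Review bot: `$snort_start` is only assigned inside the interface-changed branch, and the two `exec("mv -f …")` calls discard the exit status, so a failed rename leaves the log and configuration directories under the old interface name while `$a_rule[$id]` is still rewritten to the new one. Initialise the flag before the `if (isset($id) && $a_rule[$id])` test and do the moves with PHP's `rename()` so the result can be checked and no shell is involved; the paths are built from config-derived values rather than raw POST input, so this is about robustness rather than injection. If Barnyard2 is running against the old interface it is not stopped here either, but I cannot see from this hunk whether that is handled by `snort_stop()`.
```php
$snort_start = false;
if (isset($id) && $a_rule[$id]) {
    // See if moving an existing Snort instance to another physical interface
    if ($natent['interface'] != $a_rule[$id]['interface']) {
        $oif_real = get_real_interface($a_rule[$id]['interface']);
        if (snort_is_running($a_rule[$id]['uuid'], $oif_real)) {
            snort_stop($a_rule[$id], $oif_real);
            $snort_start = true;
        }
        $old_log = "{$snortlogdir}/snort_{$oif_real}{$a_rule[$id]['uuid']}";
        $new_log = "{$snortlogdir}/snort_{$if_real}{$a_rule[$id]['uuid']}";
        if (is_dir($old_log) && !rename($old_log, $new_log))
            log_error("[Snort] Failed to move log directory {$old_log} to {$new_log}");
        conf_mount_rw();
        $old_cfg = "{$snortdir}/snort_{$a_rule[$id]['uuid']}_{$oif_real}";
        $new_cfg = "{$snortdir}/snort_{$a_rule[$id]['uuid']}_{$if_real}";
        if (is_dir($old_cfg) && !rename($old_cfg, $new_cfg))
            log_error("[Snort] Failed to move configuration directory {$old_cfg} to {$new_cfg}");
        conf_mount_ro();
    }
    // … unchanged: $a_rule[$id] = $natent; …
```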
@@ -264,6 +281,10 @@ if ($_POST["Submit"]) { /* Update snort.conf and snort.sh files for this interface */ sync_snort_package_config(); + /* See if we need to restart Snort after an interface re-assignment */ + if ($snort_start == true) + snort_start($natent, $if_real); + /*******************************************************/ /* Signal Snort to reload configuration if we changed */ /* HOME_NET, EXTERNAL_NET or Suppress list values. */ @@ -284,21 +305,18 @@ if ($_POST["Submit"]) { $pconfig = $_POST; } -$if_friendly = snort_get_friendly_interface($pconfig['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_rule[$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - Edit Settings"); include_once("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> - -<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> +<?php include("fbegin.inc"); -<?php /* Display Alert message */ if ($input_errors) { - print_input_errors($input_errors); // TODO: add checks + print_input_errors($input_errors); } if ($savemsg) { @@ -306,7 +324,8 @@ include_once("head.inc"); } ?> -<form action="snort_interfaces_edit.php<?php echo "?id=$id";?>" method="post" name="iform" id="iform"> +<form action="snort_interfaces_edit.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id;?>"/> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php 
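Review bot: `convert_friendly_interface_to_friendly_descr($a_rule[$id]['interface'])` reads the saved rule, but for a brand-new instance `$a_rule[$id]` does not exist yet (the page seeds `$pconfig['interface']` for exactly that case earlier in the file), so the page title renders with an empty interface name; the removed line took the value from `$pconfig`. Use `$pconfig['interface']`, which holds the saved value, the seeded default, and on a failed save the submitted one: `$if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']);`.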
@@ -314,12 +333,13 @@ include_once("head.inc"); $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); echo '</td></tr>'; echo '<tr><td class="tabnavtbl">'; $tab_array = array(); 
@@ -328,9 +348,10 @@ include_once("head.inc"); $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr><td><div id="mainarea"> @@ -345,7 +366,7 @@ include_once("head.inc"); if ($pconfig['enable'] == "on") $checked = "checked"; echo " - <input name=\"enable\" type=\"checkbox\" value=\"on\" $checked onClick=\"enable_change(false)\"> + <input name=\"enable\" type=\"checkbox\" value=\"on\" $checked onClick=\"enable_change(false)\"/> " . gettext("Enable or Disable") . "\n"; ?> <br/> 
@@ -368,15 +389,15 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Description"); ?></td> <td width="78%" class="vtable"><input name="descr" type="text" - class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/> + class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"/><br/> <span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference."); ?></span><br/></td> </tr> -<tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Alert Settings"); ?></td> -</tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Alert Settings"); ?></td> + </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Send Alerts to System Logs"); ?></td> - <td width="78%" class="vtable"><input name="alertsystemlog" type="checkbox" value="on" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?>> + <td width="78%" class="vtable"><input name="alertsystemlog" type="checkbox" value="on" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?>/> <?php echo gettext("Snort will send Alerts to the firewall's system logs."); ?></td> </tr> <tr> 
@@ -384,14 +405,14 @@ include_once("head.inc"); <td width="78%" class="vtable"> <input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on" <?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?> - onClick="enable_blockoffenders()"> + onClick="enable_blockoffenders();" /> <?php echo gettext("Checking this option will automatically block hosts that generate a " . "Snort alert."); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill States"); ?></td> <td width="78%" class="vtable"> - <input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>> + <input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>/> <?php echo gettext("Checking this option will kill firewall states for the blocked IP"); ?> </td> </tr> @@ -410,12 +431,12 @@ include_once("head.inc"); ?> </select> <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?><br/> - <span class="red"><?php echo gettext("Hint:") . "</span> " . gettext("Choosing BOTH is suggested, and it is the default value."); ?></span><br/></td> + <span class="red"><?php echo gettext("Hint:") . "</span> " . gettext("Choosing BOTH is suggested, and it is the default value."); ?><br/> </td> </tr> -<tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Detection Performance Settings"); ?></td> -</tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Detection Performance Settings"); ?></td> + </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Search Method"); ?></td> <td width="78%" class="vtable"> 
@@ -442,7 +463,7 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Split ANY-ANY"); ?></td> <td width="78%" class="vtable"> - <input name="fpm_split_any_any" id="fpm_split_any_any" type="checkbox" value="on" <?php if ($pconfig['fpm_split_any_any'] == "on") echo "checked"; ?>> + <input name="fpm_split_any_any" id="fpm_split_any_any" type="checkbox" value="on" <?php if ($pconfig['fpm_split_any_any'] == "on") echo "checked"; ?>/> <?php echo gettext("Enable splitting of ANY-ANY port group.") . " <strong>" . gettext("Default") . "</strong>" . gettext(" is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> <br/><?php echo gettext("This setting is a memory/performance trade-off. It reduces memory footprint by not " . @@ -454,7 +475,7 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Search Optimize"); ?></td> <td width="78%" class="vtable"> - <input name="fpm_search_optimize" id="fpm_search_optimize" type="checkbox" value="on" <?php if ($pconfig['fpm_search_optimize'] == "on" || empty($pconfig['fpm_search_optimize'])) echo "checked"; ?>> + <input name="fpm_search_optimize" id="fpm_search_optimize" type="checkbox" value="on" <?php if ($pconfig['fpm_search_optimize'] == "on" || empty($pconfig['fpm_search_optimize'])) echo "checked"; ?>/> <?php echo gettext("Enable search optimization.") . " <strong>" . gettext("Default") . "</strong>" . gettext(" is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/> <br/><?php echo gettext("This setting optimizes fast pattern memory when used with search-methods AC or AC-SPLIT " . 
@@ -465,7 +486,7 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Stream Inserts"); ?></td> <td width="78%" class="vtable"> - <input name="fpm_no_stream_inserts" id="fpm_no_stream_inserts" type="checkbox" value="on" <? if ($pconfig['fpm_no_stream_inserts'] == "on") echo "checked"; ?>> + <input name="fpm_no_stream_inserts" id="fpm_no_stream_inserts" type="checkbox" value="on" <? if ($pconfig['fpm_no_stream_inserts'] == "on") echo "checked"; ?>/> <?php echo gettext("Do not evaluate stream inserted packets against the detection engine.") . " <strong>" . gettext("Default") . "</strong>" . gettext(" is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> <br/><?php echo gettext("This is a potential performance improvement based on the idea the stream rebuilt packet " . @@ -475,15 +496,14 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Checksum Check Disable"); ?></td> <td width="78%" class="vtable"> - <input name="cksumcheck" id="cksumcheck" type="checkbox" value="on" <?php if ($pconfig['cksumcheck'] == "on") echo "checked"; ?>> + <input name="cksumcheck" id="cksumcheck" type="checkbox" value="on" <?php if ($pconfig['cksumcheck'] == "on") echo "checked"; ?>/> <?php echo gettext("Disable checksum checking within Snort to improve performance."); ?> <br><span class="red"><?php echo gettext("Hint: ") . "</span>" . gettext("Most of this is already done at the firewall/filter level, so it is usually safe to check this box."); ?> </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose the networks " . - "Snort should inspect and whitelist."); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose the networks Snort should inspect and whitelist"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Home Net"); ?></td> 
@@ -545,11 +565,11 @@ include_once("head.inc"); </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Whitelist"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Pass List"); ?></td> <td width="78%" class="vtable"> <select name="whitelistname" class="formselect" id="whitelistname"> <?php - /* find whitelist names and filter by type, make sure to track by uuid */ + /* find whitelist (Pass List) names and filter by type, make sure to track by uuid */ echo "<option value='default' >default</option>\n"; if (is_array($snortglob['whitelist']['item'])) { foreach ($snortglob['whitelist']['item'] as $value) { 
@@ -562,19 +582,19 @@ include_once("head.inc"); } ?> </select> - <input type="button" class="formbtns" value="View List" onclick="viewList('<?=$id;?>','whitelistname','whitelist')" - id="btnWhitelist" title="<?php echo gettext("Click to view currently selected Whitelist contents"); ?>"/> + <input type="button" class="formbtns" value="View List" onclick="viewList('<?=$id;?>','whitelistname','passlist')" + id="btnWhitelist" title="<?php echo gettext("Click to view currently selected Pass List contents"); ?>"/> <br/> - <span class="vexpl"><?php echo gettext("Choose the whitelist you want this interface to " . + <span class="vexpl"><?php echo gettext("Choose the Pass List you want this interface to " . "use."); ?> </span><br/><br/> <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("This option will only be used when block offenders is on."); ?><br/> - <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Default " . - "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?> + <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("The default " . + "Pass List adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?> </td> </tr> -<tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering file if desired."); ?></td> -</tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering file if desired"); ?></td> + </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Suppression and Filtering"); ?></td> <td width="78%" class="vtable"> 
@@ -602,29 +622,28 @@ include_once("head.inc"); gettext("Default option disables suppression and filtering."); ?> </td> </tr> -<tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Arguments here will " . - "be automatically inserted into the Snort configuration."); ?></td> -</tr> -<tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Advanced configuration pass-through"); ?></td> - <td width="78%" class="vtable"> - <textarea style="width:98%; height:100%;" wrap="off" name="configpassthru" cols="60" rows="8" id="configpassthru"><?=htmlspecialchars($pconfig['configpassthru']);?></textarea> - </td> -</tr> -<tr> - <td width="22%" valign="top"></td> - <td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" title="<?php echo + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Arguments here will " . + "be automatically inserted into the Snort configuration."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Advanced configuration pass-through"); ?></td> + <td width="78%" class="vtable"> + <textarea style="width:98%; height:100%;" wrap="off" name="configpassthru" cols="60" rows="8" id="configpassthru"><?=htmlspecialchars($pconfig['configpassthru']);?></textarea> + </td> + </tr> + <tr> + <td width="22%" valign="top"></td> + <td width="78%"><input name="save" type="submit" class="formbtn" value="Save" title="<?php echo gettext("Click to save settings and exit"); ?>"/> - <input name="id" type="hidden" value="<?=$id;?>"/> - </td> -</tr> -<tr> - <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span></span>" . - gettext("Please save your settings before you attempt to start Snort."); ?> - </td> -</tr> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . 
"</strong></span></span>" . + gettext("Please save your settings before you attempt to start Snort."); ?> + </td> + </tr> </table> </div> </td></tr> @@ -684,11 +703,12 @@ function getSelectedValue(elemID) { function viewList(id, elemID, elemType) { if (typeof elemType == "undefined") { - elemType = "whitelist"; + elemType = "passlist"; } var url = "snort_list_view.php?id=" + id + "&wlist="; url = url + getSelectedValue(elemID) + "&type=" + elemType; - wopen(url, 'WhitelistViewer', 640, 480); + url = url + "&time=" + new Date().getTime(); + wopen(url, 'PassListViewer', 640, 480); } enable_change(false); diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index b22a6934..69a182bd 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -5,6 +5,7 @@ * * Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Copyright (C) 2008-2009 Robert Zelaya 
@@ -42,23 +43,26 @@ global $g; $snortdir = SNORTDIR; /* make things short */ -$pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; +$pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload'] == "on" ? 'on' : 'off'; $pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; $pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code']; -$pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; -$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro']; +$pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats'] == "on" ? 'on' : 'off'; +$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == "on" ? 'on' : 'off'; $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; $pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; $pconfig['rule_update_starttime'] = $config['installedpackages']['snortglobal']['rule_update_starttime']; -$pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings']; -$pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules']; +$pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings'] == "on" ? 'on' : 'off'; +$pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules'] == "on" ? 'on' : 'off'; +$pconfig['clearlogs'] = $config['installedpackages']['snortglobal']['clearlogs'] == "on" ? 
'on' : 'off'; +$pconfig['clearblocks'] = $config['installedpackages']['snortglobal']['clearblocks'] == "on" ? 'on' : 'off'; +/* Set sensible values for any empty default params */ if (empty($pconfig['snortloglimit'])) $pconfig['snortloglimit'] = 'on'; -if (empty($pconfig['rule_update_starttime'])) - $pconfig['rule_update_starttime'] = '00:30'; +if (!isset($pconfig['rule_update_starttime'])) + $pconfig['rule_update_starttime'] = '00:05'; if ($_POST['rule_update_starttime']) { if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime'])) @@ -73,12 +77,14 @@ if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code'])) /* if no errors move foward with save */ if (!$input_errors) { - if ($_POST["Submit"]) { + if ($_POST["save"]) { $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['clearlogs'] = $_POST['clearlogs'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['clearblocks'] = $_POST['clearblocks'] ? 'on' : 'off'; // If any rule sets are being turned off, then remove them // from the active rules section of each interface. Start @@ -145,7 +151,7 @@ if (!$input_errors) { /* create whitelist and homenet file then sync files */ sync_snort_package_config(); - write_config(); + write_config("Snort pkg: modified global settings."); /* forces page to reload new settings */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); 
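Review bot: Changing the default guard from `empty()` to `!isset()` means an empty string stored in `rule_update_starttime` no longer receives the `00:05` default; only a missing key does. Whether an empty value can be stored is not visible here, but the text input is disabled (and therefore not submitted) when `autorulesupdate7` is `never_up`, so the save path may well write one. Keep `if (empty($pconfig['rule_update_starttime']))`, or validate the stored value against the same `HH:MM` regex used for `$_POST` and fall back to the default when it does not match.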
@@ -187,10 +193,11 @@ if ($input_errors) $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr> @@ -268,7 +275,7 @@ if ($input_errors) <tr> <td> </td> <td class="vexpl"><?php echo "<span class='red'><strong>" . gettext("Note:") . "</strong></span>" . " " . - gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?></td> + gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are automatically disabled when the ETPro rules are selected."); ?></td> </tr> </table> <table id="etpro_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0"> 
@@ -310,11 +317,11 @@ if ($input_errors) <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Update Start Time"); ?></td> <td width="78%" class="vtable"><input type="text" class="formfld time" name="rule_update_starttime" id="rule_update_starttime" size="4" - maxlength="5" value="<?=$pconfig['rule_update_starttime'];?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?>><span class="vexpl"> + maxlength="5" value="<?=htmlspecialchars($pconfig['rule_update_starttime']);?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?>><span class="vexpl"> <?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" . - gettext("Default") . " </strong>" . gettext("is ") . "<strong>" . gettext("00:03") . "</strong></span>"; ?>.<br/><br/> + gettext("Default") . " </strong>" . gettext("is ") . "<strong>" . gettext("00:05") . "</strong></span>"; ?>.<br/><br/> <?php echo gettext("Rules will update at the interval chosen above starting at the time specified here. For example, using the default " . - "start time of 00:03 and choosing 12 Hours for the interval, the rules will update at 00:03 and 12:03 each day."); ?></td> + "start time of 00:03 and choosing 12 Hours for the interval, the rules will update at 00:05 and 12:05 each day."); ?></td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td> @@ -322,7 +329,7 @@ if ($input_errors) <tr> <?php $snortlogCurrentDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') / 1024); ?> <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Directory Size " . - "Limit"); ?><br/> + "Limit"); ?><br/><br/> <br/> <br/> <span class="red"><strong><?php echo gettext("Note:"); ?></strong></span><br/> 
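Review bot: The help text on the new line still reads "using the default start time of 00:03" while the default shown a line earlier, and the result it describes, were changed to 00:05. Change the example to `"start time of 00:05 and choosing 12 Hours for the interval, the rules will update at 00:05 and 12:05 each day."`.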
@@ -368,6 +375,18 @@ if ($input_errors) <?php echo "<span class=\"red\"><strong>" . gettext("Hint:") . "</strong></span>" . gettext(" in most cases, 1 hour is a good choice.");?></td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Blocked Hosts After Deinstall"); ?></td> + <td width="78%" class="vtable"><input name="clearblocks" id="clearblocks" type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['clearblocks']=="on") echo " checked"; ?>/> + <?php echo gettext("All blocked hosts added by Snort will be removed during package deinstallation."); ?></td> +</tr> +<tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Snort Log Files After Deinstall"); ?></td> + <td width="78%" class="vtable"><input name="clearlogs" id="clearlogs" type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['clearlogs']=="on") echo " checked"; ?>/> + <?php echo gettext("All Snort log files will be removed during package deinstallation."); ?></td> +</tr> +<tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Snort Settings After Deinstall"); ?></td> <td width="78%" class="vtable"><input name="forcekeepsettings" id="forcekeepsettings" type="checkbox" value="yes" @@ -377,7 +396,7 @@ if ($input_errors) <tr> <td width="22%" valign="top"> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save" > + <input name="save" type="submit" class="formbtn" value="Save" > </td> </tr> <tr> diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index e42b7f8c..ecbd04a7 100644 --- a/config/snort/snort_interfaces_suppress.php +++ b/config/snort/snort_interfaces_suppress.php 
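Review bot: The two new checkboxes decide `checked` from `$config['installedpackages']['snortglobal']['clearblocks']=="on"` (and `clearlogs`) instead of the `$pconfig['clearblocks']` / `$pconfig['clearlogs']` values the same commit normalises at the top of the file, so they would not reflect a submitted value if `$pconfig` is refreshed from `$_POST` on a validation error (that part of the file is not visible here). Use `<?php if ($pconfig['clearblocks'] == "on") echo " checked"; ?>` and the same for `clearlogs`, matching the other checkboxes on the page.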
@@ -46,7 +46,6 @@ if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; $id_gen = count($config['installedpackages']['snortglobal']['suppress']['item']); - function snort_suppresslist_used($supplist) { /****************************************************************/ @@ -69,15 +68,15 @@ function snort_suppresslist_used($supplist) { return false; } -if ($_GET['act'] == "del") { - if ($a_suppress[$_GET['id']]) { - /* make sure rule is not being referenced by any nat or filter rules */ - if (snort_suppresslist_used($a_suppress[$_GET['id']]['name'])) { - $input_errors[] = gettext("ERROR -- Suppress List is currently assigned to an interface and cannot be removed!"); +if ($_POST['del']) { + if ($a_suppress[$_POST['list_id']] && is_numericint($_POST['list_id'])) { + /* make sure list is not being referenced by any Snort interfaces */ + if (snort_suppresslist_used($a_suppress[$_POST['list_id']]['name'])) { + $input_errors[] = gettext("ERROR -- Suppress List is currently assigned to a Snort interface and cannot be removed! Unassign it from all Snort interfaces first."); } else { - unset($a_suppress[$_GET['id']]); - write_config(); + unset($a_suppress[$_POST['list_id']]); + write_config("Snort pkg: deleted a Suppress List."); header("Location: /snort/snort_interfaces_suppress.php"); exit; } @@ -93,14 +92,16 @@ include_once("head.inc"); <?php include_once("fbegin.inc"); -if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} if ($input_errors) { print_input_errors($input_errors); } +if ($savemsg) + print_info_box($savemsg); ?> -<form action="/snort/snort_interfaces_suppress.php" method="post"><?php if ($savemsg) print_info_box($savemsg); ?> +<form action="/snort/snort_interfaces_suppress.php" method="post"> +<input type="hidden" name="list_id" id="list_id" value=""/> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php 
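Review bot: In the delete handler the array is indexed before the index is validated: `if ($a_suppress[$_POST['list_id']] && is_numericint($_POST['list_id']))` evaluates `$a_suppress[...]` with an arbitrary POST string first. Reverse the order and test existence explicitly: `if (is_numericint($_POST['list_id']) && isset($a_suppress[$_POST['list_id']])) {`. Moving the delete from a GET link to a POST is the right direction; it only gives CSRF protection if the page goes through the framework's POST token check, which I cannot see from here.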
@@ -110,10 +111,11 @@ if ($input_errors) { $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), true, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); ?> </td> </tr> 
@@ -137,15 +139,13 @@ if ($input_errors) { <td valign="middle" nowrap class="list"> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td valign="middle"><a - href="snort_interfaces_suppress_edit.php?id=<?=$i;?>"><img - src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" - width="17" height="17" border="0" title="<?php echo gettext("edit Suppress List"); ?>"></a></td> - <td><a - href="/snort/snort_interfaces_suppress.php?act=del&id=<?=$i;?>" - onclick="return confirm('<?php echo gettext("Do you really want to delete this Suppress List?"); ?>')"><img - src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" - width="17" height="17" border="0" title="<?php echo gettext("delete Suppress List"); ?>"></a></td> + <td valign="middle"><a href="snort_interfaces_suppress_edit.php?id=<?=$i;?>"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?php echo gettext("Edit Suppress List"); ?>"></a></td> + <td><input type="image" name="del[]" + onclick="document.getElementById('list_id').value='<?=$i;?>';return confirm('<?=gettext("Do you really want to delete this Suppress List?");?>');" + src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete Suppress List");?>"/></td> </tr> </table> </td> @@ -160,7 +160,7 @@ if ($input_errors) { <td valign="middle"><a href="snort_interfaces_suppress_edit.php?id=<?php echo $id_gen;?> "><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" - width="17" height="17" border="0" title="<?php echo gettext("add a new list"); ?>"></a></td> + width="17" height="17" border="0" title="<?php echo gettext("Add a new list"); ?>"></a></td> </tr> </table> </td> diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 3d703987..986bfc38 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php 
@@ -10,6 +10,7 @@ * * modified for the pfsense snort package * Copyright (C) 2009-2010 Robert Zelaya. + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -37,7 +38,6 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); - if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); $snortglob = $config['installedpackages']['snortglobal']; @@ -48,9 +48,16 @@ if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) $config['installedpackages']['snortglobal']['suppress']['item'] = array(); $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + +/* Should never be called without identifying list index, so bail */ +if (is_null($id)) { + header("Location: /snort/snort_interfaces_suppress.php"); + exit; +} /* returns true if $name is a valid name for a whitelist file name or ip */ function is_validwhitelistname($name) { @@ -77,7 +84,7 @@ if (isset($id) && $a_suppress[$id]) { $pconfig['uuid'] = uniqid(); } -if ($_POST['submit']) { +if ($_POST['save']) { unset($input_errors); $pconfig = $_POST; @@ -102,7 +109,6 @@ if ($_POST['submit']) { } } - if (!$input_errors) { $s_list = array(); $s_list['name'] = $_POST['name']; @@ -118,7 +124,7 @@ if ($_POST['submit']) { else $a_suppress[] = $s_list; - write_config(); + write_config("Snort pkg: modified Suppress List {$s_list['name']}."); sync_snort_package_config(); header("Location: /snort/snort_interfaces_suppress.php"); 
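Review bot: `$id` is only assigned inside the two `is_numericint()` branches, so the new `is_null($id)` bail-out reads an undefined variable when neither matched; add `$id = null;` before the `if` so the intent is explicit. The `htmlspecialchars()` call on a value that already passed `is_numericint()` changes nothing and can be dropped in favour of `$id = $_GET['id'];`. The redirect itself is a good addition since the later `isset($id) && $a_suppress[$id]` test (context) would otherwise run with no list index at all.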
@@ -135,14 +141,14 @@ include_once("head.inc"); <?php include("fbegin.inc"); -if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} - -if ($input_errors) print_input_errors($input_errors); +if ($input_errors) + print_input_errors($input_errors); if ($savemsg) print_info_box($savemsg); ?> <form action="/snort/snort_interfaces_suppress_edit.php" name="iform" id="iform" method="post"> +<input name="id" type="hidden" value="<?=$id;?>"/> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php @@ -152,10 +158,11 @@ if ($savemsg) $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), true, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=/snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr><td><div id="mainarea"> @@ -204,11 +211,10 @@ if ($savemsg) </td> </tr> <tr> - <td colspan="2"><input id="submit" name="submit" type="submit" + <td colspan="2"><input id="save" name="save" type="submit" class="formbtn" value="Save" /> <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" value="Cancel" - onclick="history.back();"/> <?php if (isset($id) && $a_suppress[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"/> <?php endif; ?> + onclick="history.back();"/> </td> </tr> </table> 
diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php deleted file mode 100644 index 9391eb85..00000000 --- a/config/snort/snort_interfaces_whitelist.php +++ /dev/null 
@@ -1,177 +0,0 @@ -<?php -/* - * snort_interfaces_whitelist.php - * - * Copyright (C) 2004 Scott Ullrich - * Copyright (C) 2011-2012 Ermal Luci - * All rights reserved. - * - * originially part of m0n0wall (http://m0n0.ch/wall) - * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. - * All rights reserved. - * - * modified for the pfsense snort package - * Copyright (C) 2009-2010 Robert Zelaya. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) - $config['installedpackages']['snortglobal']['whitelist'] = array(); -if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) - $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); -$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; - -if (isset($config['installedpackages']['snortglobal']['whitelist']['item'])) - $id_gen = count($config['installedpackages']['snortglobal']['whitelist']['item']); -else - $id_gen = '0'; - -if ($_GET['act'] == "del") { - if ($a_whitelist[$_GET['id']]) { - /* make sure rule is not being referenced by any nat or filter rules */ - unset($a_whitelist[$_GET['id']]); - write_config(); - sync_snort_package_config(); - header("Location: /snort/snort_interfaces_whitelist.php"); - exit; - } -} - -$pgtitle = gettext("Snort: Whitelists"); -include_once("head.inc"); -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - -<?php -include_once("fbegin.inc"); -if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . 
'</p>';} -if ($savemsg) print_info_box($savemsg); -?> - -<form action="/snort/snort_interfaces_whitelist.php" method="post"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr><td> -<?php - $tab_array = array(); - $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); - $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); - $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), true, "/snort/snort_interfaces_whitelist.php"); - $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); -?> - </td> -</tr> -<tr> - <td><div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td width="20%" class="listhdrr">File Name</td> - <td width="40%" class="listhdrr">Values</td> - <td width="40%" class="listhdr">Description</td> - <td width="10%" class="list"></td> - </tr> - <?php foreach ($a_whitelist as $i => $list): ?> - <tr> - <td class="listlr" - ondblclick="document.location='snort_interfaces_whitelist_edit.php?id=<?=$i;?>';"> - <?=htmlspecialchars($list['name']);?></td> - <td class="listr" - ondblclick="document.location='snort_interfaces_whitelist_edit.php?id=<?=$i;?>';"> - <?php - $addresses = implode(", ", array_slice(explode(" ", $list['address']), 0, 10)); - echo $addresses; - if(count($addresses) < 10) { - echo " "; - } else { - echo "..."; - } - ?></td> - <td class="listbg" - ondblclick="document.location='snort_interfaces_whitelist_edit.php?id=<?=$i;?>';"> - <font color="#FFFFFF"> 
<?=htmlspecialchars($list['descr']);?> - </td> - <td valign="middle" nowrap class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td valign="middle"><a - href="snort_interfaces_whitelist_edit.php?id=<?=$i;?>"><img - src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" - width="17" height="17" border="0" title="<?php echo gettext("edit whitelist"); ?>"></a></td> - <td><a - href="/snort/snort_interfaces_whitelist.php?act=del&id=<?=$i;?>" - onclick="return confirm('<?php echo gettext("Do you really want to delete this whitelist? All elements that still use it will become invalid (e.g. snort rules will fall back to the default whitelist)!"); ?>')"><img - src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" - width="17" height="17" border="0" title="<?php echo gettext("delete whitelist"); ?>"></a></td> - </tr> - </table> - </td> - </tr> - <?php endforeach; ?> - <tr> - <td class="list" colspan="3"></td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td valign="middle" width="17"> </td> - <td valign="middle"><a - href="snort_interfaces_whitelist_edit.php?id=<?php echo $id_gen;?> "><img - src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" - width="17" height="17" border="0" title="<?php echo gettext("add a new list"); ?>"></a></td> - </tr> - </table> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -<br> -<table width="100%" border="0" cellpadding="1" - cellspacing="1"> - <tr> - <td width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> - <p><?php echo gettext("Here you can create whitelist files for your " . - "snort package rules."); ?><br> - <?php echo gettext("Please add all the ips or networks you want to protect against snort " . 
- "block decisions."); ?><br> - <?php echo gettext("Remember that the default whitelist only includes local networks."); ?><br> - <?php echo gettext("Be careful, it is very easy to get locked out of your system."); ?></p></span></td> - </tr> - <tr> - <td width="100%"><span class="vexpl"><?php echo gettext("Remember you must restart Snort on the interface for changes to take effect!"); ?></span></td> - </tr> -</table> -</form> -<?php include("fend.inc"); ?> -</body> -</html> diff --git a/config/snort/snort_ip_list_mgmt.php b/config/snort/snort_ip_list_mgmt.php new file mode 100644 index 00000000..ae4a1032 --- /dev/null +++ b/config/snort/snort_ip_list_mgmt.php 
@@ -0,0 +1,275 @@ +<?php +/* + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * Copyright (C) 2014 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +// Hard-code the path where IP Lists are stored +// and disregard any user-supplied path element. 
+$iprep_path = IPREP_PATH; + +// Set default to not show IP List editor controls +$iplist_edit_style = "display: none;"; + +function snort_is_iplist_active($iplist) { + + /*************************************************** + * This function checks all the configured Snort * + * interfaces to see if the passed IP List is used * + * as a whitelist or blacklist by an interface. * + * * + * Returns: TRUE if IP List is in use * + * FALSE if IP List is not in use * + ***************************************************/ + + global $g, $config; + + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return FALSE; + + foreach ($config['installedpackages']['snortglobal']['rule'] as $rule) { + if (is_array($rule['wlist_files']['item'])) { + foreach ($rule['wlist_files']['item'] as $file) { + if ($file == $iplist) + return TRUE; + } + } + if (is_array($rule['blist_files']['item'])) { + foreach ($rule['blist_files']['item'] as $file) { + if ($file == $iplist) + return TRUE; + } + } + } + return FALSE; +} + + +if (isset($_POST['upload'])) { + if ($_FILES["iprep_fileup"]["error"] == UPLOAD_ERR_OK) { + $tmp_name = $_FILES["iprep_fileup"]["tmp_name"]; + $name = $_FILES["iprep_fileup"]["name"]; + move_uploaded_file($tmp_name, "{$iprep_path}{$name}"); + } + else + $input_errors[] = gettext("Failed to upload file {$_FILES["iprep_fileup"]["name"]}"); +} + +if (isset($_POST['iplist_delete']) && isset($_POST['iplist_fname'])) { + if (!snort_is_iplist_active($_POST['iplist_fname'])) + unlink_if_exists("{$iprep_path}{$_POST['iplist_fname']}"); + else + $input_errors[] = gettext("This IP List is currently assigned as a Whitelist or Blackist for an interface and cannot be deleted."); +} + +if (isset($_POST['iplist_edit']) && isset($_POST['iplist_fname'])) { + $file = $iprep_path . 
basename($_POST['iplist_fname']); + $data = file_get_contents($file); + if ($data !== FALSE) { + $iplist_data = htmlspecialchars($data); + $iplist_edit_style = "display: table-row-group;"; + $iplist_name = basename($_POST['iplist_fname']); + unset($data); + } + else { + $input_errors[] = gettext("An error occurred reading the file."); + } +} + +if (isset($_POST['save']) && isset($_POST['iplist_data'])) { + if (strlen(basename($_POST['iplist_name'])) > 0) { + $file = $iprep_path . basename($_POST['iplist_name']); + $data = str_replace("\r\n", "\n", $_POST['iplist_data']); + file_put_contents($file, $data); + unset($data); + } + else { + $input_errors[] = gettext("You must provide a valid filename for the IP List."); + $iplist_edit_style = "display: table-row-group;"; + } +} + +// Get all files in the IP Lists sub-directory as an array +// Leave this as the last thing before spewing the page HTML +// so we can pick up any changes made to files in code above. +$ipfiles = return_dir_as_array($iprep_path); + +$pgtitle = gettext("Snort: IP Reputation Lists"); +include_once("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> + +<?php +include_once("fbegin.inc"); +if ($input_errors) { + print_input_errors($input_errors); +} + +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="/snort/snort_ip_list_mgmt.php" enctype="multipart/form-data" method="post"> +<input type="hidden" name="MAX_FILE_SIZE" value="100000000" /> +<input type="hidden" name="iplist_fname" id="iplist_fname" value=""/> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); 
+ $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("IP Lists"), true, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); +?> +</td> +</tr> +<tbody id="uploader" style="display: none;" class="tabcont"> + <tr> + <td colspan="4" class="list"><br/><?php echo gettext("Click BROWSE to select a file to import, and then click UPLOAD. Click CLOSE to quit."); ?></td> + </tr> + <tr> + <td colspan="4" class="list"><input type="file" name="iprep_fileup" id="iprep_fileup" class="formfld file" size="50" /> + <input type="submit" name="upload" id="upload" value="<?=gettext("Upload");?>" + title="<?=gettext("Upload selected IP list to firewall");?>"/> <input type="button" + value="<?=gettext("Close");?>" onClick="document.getElementById('uploader').style.display='none';" /><br/></td> + <td class="list"></td> + </tr> +</tbody> +<tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <colgroup> + <col style="width: 50%;"> + <col style="width: 25%;"> + <col style="width: 15%;"> + <col style="width: 10%;"> + </colgroup> + <thead> + <tr> + <th class="listhdrr"><?php echo gettext("IP List File Name"); ?></th> + <th class="listhdrr"><?php echo gettext("Last Modified Time"); ?></th> + <th class="listhdrr"><?php echo gettext("File Size"); ?></th> + <th class="list" align="left"><img style="cursor:pointer;" name="iplist_new" id="iplist_new" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext('Create a new IP List');?>" + onClick="document.getElementById('iplist_data').value=''; 
document.getElementById('iplist_name').value=''; document.getElementById('iplist_editor').style.display='table-row-group'; document.getElementById('iplist_name').focus();" /> + <img style="cursor:pointer;" name="iplist_import" id="iplist_import" + onClick="document.getElementById('uploader').style.display='table-row-group';" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext('Import/Upload an IP List');?>"/></th> + </tr> + </thead> + <?php foreach ($ipfiles as $file): ?> + <tr> + <td class="listr"><?php echo gettext($file); ?></td> + <td class="listr"><?=date('M-d Y g:i a', filemtime("{$iprep_path}{$file}")); ?></td> + <td class="listr"><?=format_bytes(filesize("{$iprep_path}{$file}")); ?> </td> + <td class="list"><input type="image" name="iplist_edit[]" id="iplist_edit[]" + onClick="document.getElementById('iplist_fname').value='<?=$file;?>';" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" + height="17" border="0" title="<?php echo gettext('Edit this IP List');?>"/> + <input type="image" name="iplist_delete[]" id="iplist_delete[]" + onClick="document.getElementById('iplist_fname').value='<?=$file;?>'; + return confirm('<?=gettext("Are you sure you want to permanently delete this IP List file? 
Click OK to continue or CANCEL to quit.");?>');" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" + height="17" border="0" title="<?php echo gettext('Delete this IP List');?>"/></td> + </tr> + <?php endforeach; ?> + <tbody id="iplist_editor" style="<?=$iplist_edit_style;?>"> + <tr> + <td colspan="4"> </td> + </tr> + <tr> + <td colspan="4"><strong><?=gettext("File Name: ");?></strong><input type="text" size="45" class="formfld file" id="iplist_name" name="iplist_name" value="<?=$iplist_name;?>" /> + <input type="submit" id="save" name="save" value="<?=gettext(" Save ");?>" title="<?=gettext("Save changes and close editor");?>" /> + <input type="button" id="cancel" name="cancel" value="<?=gettext("Cancel");?>" onClick="document.getElementById('iplist_editor').style.display='none';" + title="<?=gettext("Abandon changes and quit editor");?>" /></td> + </tr> + <tr> + <td colspan="4"> </td> + </tr> + <tr> + <td colspan="4"><textarea wrap="off" cols="80" rows="20" name="iplist_data" id="iplist_data" + style="width:95%; height:100%;"><?=$iplist_data;?></textarea> + </td> + </tr> + </tbody> + + <tr> + <td colspan="3" class="vexpl"><br/><span class="red"><strong><?php echo gettext("Notes:"); ?></strong></span> + <br/><?php echo gettext("1. IP Lists are used by the IP Reputation Preprocessor and are text files formatted " . + "with one IP address (or CIDR network) per line."); ?></td> + <td class="list"></td> + </tr> + <tr> + <td colspan="3" class="vexpl" style="height: 20px; vertical-align: middle;"><?php echo gettext("2. IP Lists are stored as local files on the firewall and their contents are " . 
+ "not saved as part of the firewall configuration file."); ?></td> + <td class="list"></td> + </tr> + <tr> + <td colspan="3" class="vexpl"><br/><strong><?php echo gettext("IP List Controls:"); ?></strong><br/><br/> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" /> + <?=gettext("Opens the editor window to create a new IP List. You must provide a valid filename before saving.");?><br/> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_import_alias.gif" width="17" height="17" border="0" /> + <?=gettext("Opens the file upload control for uploading a new IP List from your local machine.");?><br/> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" /> + <?=gettext("Opens the IP List in a text edit control for viewing or editing its contents.");?><br/> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" /> + <?=gettext("Deletes the IP List from the file system after confirmation.");?></td> + <td class="list"></td> + </tr> + </table> + </div> + </td> +</tr> +</table> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_ip_reputation.php b/config/snort/snort_ip_reputation.php new file mode 100644 index 00000000..3de8c661 --- /dev/null +++ b/config/snort/snort_ip_reputation.php 
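Review bot: The upload handler writes to `"{$iprep_path}{$name}"` with `$name` taken straight from `$_FILES["iprep_fileup"]["name"]`, which is client-supplied; unlike the edit and save handlers it never passes through `basename()`, so the comment "disregard any user-supplied path element" does not hold for uploads, and the delete handler has the same gap with `$_POST['iplist_fname']`. Change them to `$name = basename($_FILES["iprep_fileup"]["name"]);` and `unlink_if_exists($iprep_path . basename($_POST['iplist_fname']));`, and treat an empty basename as an input error rather than writing or unlinking. The listing also echoes each file name unescaped, as `gettext($file)` in the cell and `value='<?=$file;?>'` inside the onClick attribute, so a name containing quotes or angle brackets, which an upload can now introduce, breaks out of the attribute; wrap those with `htmlspecialchars()`. The `MAX_FILE_SIZE` hidden field is advisory only and is not a server-side limit.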
@@ -0,0 +1,506 @@ +<?php +/* + * snort_ip_reputation.php + * part of pfSense + * + * Copyright (C) 2014 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g, $rebuild_rules; + +if (isset($_POST['id']) && is_numericint($_POST['id'])) + $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['wlist_files']['item'])) { + $config['installedpackages']['snortglobal']['rule'][$id]['wlist_files']['item'] = array(); +} +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['blist_files']['item'])) { + $config['installedpackages']['snortglobal']['rule'][$id]['blist_files']['item'] = array(); +} + +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$pconfig = $a_nat[$id]; +$iprep_path = IPREP_PATH; +$if_real = get_real_interface($a_nat[$id]['interface']); +$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + +// Set sensible defaults for any empty parameters +if (empty($pconfig['iprep_memcap'])) + $pconfig['iprep_memcap'] = '500'; +if (empty($pconfig['iprep_priority'])) + $pconfig['iprep_priority'] = 'whitelist'; +if (empty($pconfig['iprep_nested_ip'])) + $pconfig['iprep_nested_ip'] = 'inner'; +if (empty($pconfig['iprep_white'])) + $pconfig['iprep_white'] = 'unblack'; + +if ($_POST['mode'] == 'blist_add' && isset($_POST['iplist'])) { + $pconfig = $_POST; + + // Test the supplied IP List file to see if it exists + if (file_exists($_POST['iplist'])) { + // See if the file is already assigned to the interface + foreach ($a_nat[$id]['blist_files']['item'] as $f) { + if ($f == basename($_POST['iplist'])) { + $input_errors[] = gettext("The file {$f} is already assigned as a blacklist file."); + break; + } + } + if 
(!$input_errors) { + $a_nat[$id]['blist_files']['item'][] = basename($_POST['iplist']); + write_config("Snort pkg: added new blacklist file for IP REPUTATION preprocessor."); + mark_subsystem_dirty('snort_iprep'); + } + } + else + $input_errors[] = gettext("The file '{$_POST['iplist']}' could not be found."); + + $pconfig['blist_files'] = $a_nat[$id]['blist_files']; + $pconfig['wlist_files'] = $a_nat[$id]['wlist_files']; +} + +if ($_POST['mode'] == 'wlist_add' && isset($_POST['iplist'])) { + $pconfig = $_POST; + + // Test the supplied IP List file to see if it exists + if (file_exists($_POST['iplist'])) { + // See if the file is already assigned to the interface + foreach ($a_nat[$id]['wlist_files']['item'] as $f) { + if ($f == basename($_POST['iplist'])) { + $input_errors[] = gettext("The file {$f} is already assigned as a whitelist file."); + break; + } + } + if (!$input_errors) { + $a_nat[$id]['wlist_files']['item'][] = basename($_POST['iplist']); + write_config("Snort pkg: added new whitelist file for IP REPUTATION preprocessor."); + mark_subsystem_dirty('snort_iprep'); + } + } + else + $input_errors[] = gettext("The file '{$_POST['iplist']}' could not be found."); + + $pconfig['blist_files'] = $a_nat[$id]['blist_files']; + $pconfig['wlist_files'] = $a_nat[$id]['wlist_files']; +} + +if ($_POST['blist_del'] && is_numericint($_POST['list_id'])) { + $pconfig = $_POST; + unset($a_nat[$id]['blist_files']['item'][$_POST['list_id']]); + write_config("Snort pkg: deleted blacklist file for IP REPUTATION preprocessor."); + mark_subsystem_dirty('snort_iprep'); + $pconfig['blist_files'] = $a_nat[$id]['blist_files']; + $pconfig['wlist_files'] = $a_nat[$id]['wlist_files']; +} + +if ($_POST['wlist_del'] && is_numericint($_POST['list_id'])) { + $pconfig = $_POST; + unset($a_nat[$id]['wlist_files']['item'][$_POST['list_id']]); + write_config("Snort pkg: deleted whitelist file for IP REPUTATION preprocessor."); + mark_subsystem_dirty('snort_iprep'); + $pconfig['wlist_files'] = 
$a_nat[$id]['wlist_files']; + $pconfig['blist_files'] = $a_nat[$id]['blist_files']; +} + +if ($_POST['save'] || $_POST['apply']) { + + $natent = array(); + $natent = $pconfig; + + if (!is_numericint($_POST['iprep_memcap']) || strval($_POST['iprep_memcap']) < 1 || strval($_POST['iprep_memcap']) > 4095) + $input_errors[] = gettext("The value for Memory Cap must be an integer between 1 and 4095."); + + // if no errors write to conf + if (!$input_errors) { + + $natent['reputation_preproc'] = $_POST['reputation_preproc'] ? 'on' : 'off'; + $natent['iprep_scan_local'] = $_POST['iprep_scan_local'] ? 'on' : 'off'; + $natent['iprep_memcap'] = $_POST['iprep_memcap']; + $natent['iprep_priority'] = $_POST['iprep_priority']; + $natent['iprep_nested_ip'] = $_POST['iprep_nested_ip']; + $natent['iprep_white'] = $_POST['iprep_white']; + + $a_nat[$id] = $natent; + + write_config("Snort pkg: modified IP REPUTATION preprocessor settings for {$a_nat[$id]['interface']}."); + + // Update the snort conf file for this interface + $rebuild_rules = false; + snort_generate_conf($a_nat[$id]); + + // Soft-restart Snort to live-load new variables + snort_reload_config($a_nat[$id]); + $pconfig = $natent; + + // We have saved changes and done a soft restart, so clear "dirty" flag + clear_subsystem_dirty('snort_iprep'); + } + else + $pconfig = $_POST; +} + +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} IP Reputation Preprocessor"); +include_once("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php +include("fbegin.inc"); +/* Display Alert message */ +if ($input_errors) + print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_ip_reputation.php" method="post" name="iform" id="iform" > +<input name="id" type="hidden" value="<?=$id;?>" /> +<input type="hidden" id="mode" name="mode" value="" /> +<input name="iplist" id="iplist" 
type="hidden" value="" /> +<input name="list_id" id="list_id" type="hidden" value="" /> + +<?php if (is_subsystem_dirty('snort_iprep')): ?><p> +<?php print_info_box_np(gettext("A change has been made to blacklist or whitelist file assignments.") . "<br/>" . gettext("You must apply the changes in order for them to take effect."));?> +<?php endif; ?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); + echo '</td></tr>'; + echo '<tr><td class="tabnavtbl">'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext(" Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . 
gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("IP Rep"), true, "/snort/snort_ip_reputation.php?id={$id}"); + display_top_tabs($tab_array, true); + ?> + </td> + </tr> + <tr> + <td><div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("IP Reputation Preprocessor Configuration"); ?></td> + </tr> + <tr> + <td width="22%" valign='top' class='vncell'><?php echo gettext("Enable"); ?> + </td> + <td width="78%" class="vtable"><input name="reputation_preproc" type="checkbox" value="on" <?php if ($pconfig['reputation_preproc'] == "on") echo "checked"; ?>/> + <?php echo gettext("Use IP Reputation Lists on this interface. Default is ") . "<strong>" . gettext("Not Checked.") . "</strong>"; ?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <td class="vtable"><input name="iprep_memcap" type="text" class="formfld unknown" + id="http_inspect_memcap" size="9" + value="<?=htmlspecialchars($pconfig['iprep_memcap']);?>"> + <?php echo gettext("Maximum memory in megabytes (MB) supported for IP Reputation Lists. Default is ") . "<strong>" . + gettext("500.") . "</strong><br/>" . gettext("The Minimum value is ") . + "<strong>" . gettext("1 MB") . "</strong>" . gettext(" and the Maximum is ") . "<strong>" . + gettext("4095 MB.") . "</strong> " . 
gettext("Enter an integer value between 1 and 4095."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign='top' class='vncell'><?php echo gettext("Scan Local"); ?> + </td> + <td width="78%" class="vtable"><input name="iprep_scan_local" type="checkbox" value="on" <?php if ($pconfig['iprep_scan_local'] == "on") echo "checked"; ?>/> + <?php echo gettext("Scan RFC 1918 addresses on this interface. Default is ") . "<strong>" . gettext("Not Checked.") . "</strong>"; ?><br/> + <?php echo gettext("When checked, Snort will inspect addresses in the 10/8, 172.16/12 and 192.168/16 ranges defined in RFC 1918.");?><br/><br/> + <span class="red"><strong><?=gettext("Hint: ");?></strong></span><?=gettext("if these address ranges are used in your internal network, and this instance ") . + gettext("is on an internal interface, this option should usually be enabled (checked).");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Nested IP"); ?></td> + <td width="78%" class="vtable"> + <input name="iprep_nested_ip" type="radio" id="iprep_nested_ip_inner" + value="inner" <?php if ($pconfig['iprep_nested_ip'] == 'inner') echo "checked";?>/> + <?php echo gettext("Inner"); ?> <input name="iprep_nested_ip" type="radio" id="iprep_nested_ip_outer" + value="outer" <?php if ($pconfig['iprep_nested_ip'] == 'outer') echo "checked";?>/> + <?php echo gettext("Outer"); ?> <input name="iprep_nested_ip" type="radio" id="iprep_nested_ip_both" + value="both" <?php if ($pconfig['iprep_nested_ip'] == 'both') echo "checked";?>/> + <?php echo gettext("Both"); ?><br/> + <?php echo gettext("Specify which IP address to use for whitelist/blacklist matching when there is IP encapsulation. Default is ") . "<strong>" . gettext("Inner") . 
"</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Priority"); ?></td> + <td width="78%" class="vtable"> + <input name="iprep_priority" type="radio" id="iprep_priority_blacklist" + value="blacklist" <?php if ($pconfig['iprep_priority'] == 'blacklist') echo "checked";?>/> + <?php echo gettext("Blacklist"); ?> <input name="iprep_priority" type="radio" id="iprep_priority" + value="whitelist" <?php if ($pconfig['iprep_priority'] == 'whitelist') echo "checked";?>/> + <?php echo gettext("Whitelist"); ?><br/> + <?php echo gettext("Specify which list has priority when source/destination is on blacklist while destination/source is on whitelist.") . + "<br/>" . gettext("Default is ") . "<strong>" . gettext("Whitelist") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Whitelist Meaning"); ?></td> + <td width="78%" class="vtable"> + <input name="iprep_white" type="radio" id="iprep_white_unblack" + value="unblack" <?php if ($pconfig['iprep_white'] == 'unblack') echo "checked";?>/> + <?php echo gettext("Unblack"); ?> <input name="iprep_white" type="radio" id="iprep_white_trust" + value="trust" <?php if ($pconfig['iprep_white'] == 'trust') echo "checked";?>/> + <?php echo gettext("Trust"); ?><br/> + <?php echo gettext("Specify the meaning of whitelist. \"Unblack\" unblacks blacklisted IP addresses and routes them for further inspection. \"Trust\" means the packet bypasses all further Snort detection. ") . + gettext("Default is ") . "<strong>" . gettext("Unblack") . 
"</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"> </td> + <td width="78%" class="vtable"> + <input name="save" type="submit" class="formbtn" value="Save" title="<?=gettext("Save IP Reputation configuration");?>" /> + <?=gettext("Click to save configuration settings and live-reload the running Snort configuration.");?> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Assign Blacklists/Whitelists to IP Reputation Preprocessor"); ?></td> + </tr> + <tr> + <td width="22%" valign='top' class='vncell'><?php echo gettext("Blacklist Files"); ?> + </td> + <td width="78%" class="vtable"> + <!-- blist_chooser --> + <div id="blistChooser" name="blistChooser" style="display:none; border:1px dashed gray; width:98%;"></div> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <colgroup> + <col style="text-align:left;"> + <col style="width: 30%; text-align:left;"> + <col style="width: 17px;"> + </colgroup> + <thead> + <tr> + <th class="listhdrr"><?php echo gettext("Blacklist Filename"); ?></th> + <th class="listhdrr"><?php echo gettext("Modification Time"); ?></th> + <th class="list" align="left" valign="middle"><img style="cursor:pointer;" name="blist_add" id="blist_add" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext('Assign a blacklist file');?>"/></th> + </tr> + </thead> + <tbody> + <?php foreach($pconfig['blist_files']['item'] as $k => $f): + $class = "listr"; + if (!file_exists("{$iprep_path}{$f}")) { + $filedate = gettext("Unknown -- file missing"); + $class .= " red"; + } + else + $filedate = date('M-d Y g:i a', filemtime("{$iprep_path}{$f}")); + ?> + <tr> + <td class="<?=$class;?>"><?=htmlspecialchars($f);?></td> + <td class="<?=$class;?>" align="center"><?=$filedate;?></td> + <td class="list"><input type="image" name="blist_del[]" id="blist_del[]" 
onClick="document.getElementById('list_id').value='<?=$k;?>';" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" + border="0" title="<?php echo gettext('Remove this blacklist file');?>"/></td> + </tr> + <?php endforeach; ?> + <tr> + <td colspan="2" class="vexpl"><span class="red"><strong><?=gettext("Note: ");?></strong></span> + <?=gettext("changes to blacklist assignments are immediately saved.");?></td> + </tr> + </tbody> + </table> + </td> + </tr> + <tr> + <td width="22%" valign='top' class='vncell'><?php echo gettext("Whitelist Files"); ?> + </td> + <td width="78%" class="vtable"> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <!-- wlist_chooser --> + <div id="wlistChooser" name="wlistChooser" style="display:none; border:1px dashed gray; width:98%;"></div> + <colgroup> + <col style="text-align:left;"> + <col style="width: 30%; text-align:left;"> + <col style="width: 17px;"> + </colgroup> + <thead> + <tr> + <th class="listhdrr"><?php echo gettext("Whitelist Filename"); ?></th> + <th class="listhdrr"><?php echo gettext("Modification Time"); ?></th> + <th class="list" align="left" valign="middle"><img style="cursor:pointer;" name="wlist_add" id="wlist_add" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" + border="0" title="<?php echo gettext('Assign a whitelist file');?>"/></th> + </tr> + </thead> + <tbody> + <?php foreach($pconfig['wlist_files']['item'] as $k => $f): + $class = "listr"; + if (!file_exists("{$iprep_path}{$f}")) { + $filedate = gettext("Unknown -- file missing"); + $class .= " red"; + } + else + $filedate = date('M-d Y g:i a', filemtime("{$iprep_path}{$f}")); + ?> + <tr> + <td class="<?=$class;?>"><?=htmlspecialchars($f);?></td> + <td class="<?=$class;?>" align="center"><?=$filedate;?></td> + <td class="list"><input type="image" name="wlist_del[]" id="wlist_del[]" onClick="document.getElementById('list_id').value='<?=$k;?>';" + src="../themes/<?= 
$g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" + border="0" title="<?php echo gettext('Remove this whitelist file');?>"/></td> + </tr> + <?php endforeach; ?> + <tr> + <td colspan="2" class="vexpl"><span class="red"><strong><?=gettext("Note: ");?></strong></span> + <?=gettext("changes to whitelist assignments are immediately saved.");?></td> + </tr> + </tbody> + </table> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> + +<script type="text/javascript"> +Event.observe( + window, "load", + function() { + Event.observe( + "blist_add", "click", + function() { + Effect.Appear("blistChooser", { duration: 0.25 }); + blistChoose(); + } + ); + + Event.observe( + "wlist_add", "click", + function() { + Effect.Appear("wlistChooser", { duration: 0.25 }); + wlistChoose(); + } + ); + } +); + +function blistChoose() { + Effect.Appear("blistChooser", { duration: 0.25 }); + if($("fbCurrentDir")) + $("fbCurrentDir").innerHTML = "Loading ..."; + + new Ajax.Request( + "/snort/snort_iprep_list_browser.php?container=blistChooser&target=iplist&val=" + new Date().getTime(), + { method: "get", onComplete: blistComplete } + ); +} + +function wlistChoose() { + Effect.Appear("wlistChooser", { duration: 0.25 }); + if($("fbCurrentDir")) + $("fbCurrentDir").innerHTML = "Loading ..."; + + new Ajax.Request( + "/snort/snort_iprep_list_browser.php?container=wlistChooser&target=iplist&val=" + new Date().getTime(), + { method: "get", onComplete: wlistComplete } + ); +} + +function blistComplete(req) { + $("blistChooser").innerHTML = req.responseText; + + var actions = { + fbClose: function() { $("blistChooser").hide(); }, + fbFile: function() { $("iplist").value = this.id; + $("mode").value = 'blist_add'; + document.getElementById('iform').submit(); + } + } + + for(var type in actions) { + var elem = $("blistChooser"); + var list = elem.getElementsByClassName(type); + for (var i=0; i<list.length; i++) { + Event.observe(list[i], "click", actions[type]); + 
list[i].style.cursor = "pointer"; + } + } +} + +function wlistComplete(req) { + $("wlistChooser").innerHTML = req.responseText; + + var actions = { + fbClose: function() { $("wlistChooser").hide(); }, + fbFile: function() { $("iplist").value = this.id; + $("mode").value = 'wlist_add'; + document.getElementById('iform').submit(); + } + } + + for(var type in actions) { + var elem = $("wlistChooser"); + var list = elem.getElementsByClassName(type); + for (var i=0; i<list.length; i++) { + Event.observe(list[i], "click", actions[type]); + list[i].style.cursor = "pointer"; + } + } +} + +</script> + +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_iprep_list_browser.php b/config/snort/snort_iprep_list_browser.php new file mode 100644 index 00000000..3e4d6b6a --- /dev/null +++ b/config/snort/snort_iprep_list_browser.php 
@@ -0,0 +1,99 @@
+<?php
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+// Fetch a list of files inside a given directory
+function get_content($dir) {
+ $files = array();
+
+ clearstatcache();
+ $fd = @opendir($dir);
+ while($entry = @readdir($fd)) {
+ if($entry == ".") continue;
+ if($entry == "..") continue;
+
+ if(is_dir("{$dir}/{$entry}"))
+ continue;
+ else
+ array_push($files, $entry);
+ }
+ @closedir($fd);
+ natsort($files);
+ return $files;
+}
+
+$path = IPREP_PATH;
+$container = htmlspecialchars($_GET['container']);
+$target = htmlspecialchars($_GET['target']);
+
+// ----- header -----
+?>
+<table width="100%">
+ <tr>
+ <td width="25px" align="left">
+ <img src="/filebrowser/images/icon_home.gif" alt="Home" title="Home" />
+ </td>
+ <td><b><?=$path;?></b></td>
+ <td class="fbClose" align="right">
+ <img onClick="$('<?=$container;?>').hide();" border="0" src="/filebrowser/images/icon_cancel.gif" alt="Close" title="Close" />
+ </td>
+ </tr>
+ <tr>
+ <td id="fbCurrentDir" colspan="3" class="vexpl" align="left">
+ </td>
+ </tr>
+<?php
+$files = get_content($path);
+
+// ----- files -----
+foreach($files as $file):
+ $ext = strrchr($file, ".");
+
+ if($ext == ".css" ) $type = "code";
+ elseif($ext == ".html") $type = "code";
+ elseif($ext == ".xml" ) $type = "code";
+ elseif($ext == ".rrd" ) $type = "database";
+ elseif($ext == ".gif" ) $type = "image";
+ elseif($ext == ".jpg" ) $type = "image";
+ elseif($ext == ".png" ) $type = "image";
+ elseif($ext == ".js" ) $type = "js";
+ elseif($ext == ".pdf" ) $type = "pdf";
+ elseif($ext == ".inc" ) $type = "php";
+ elseif($ext == ".php" ) $type = "php";
+ elseif($ext == ".conf") $type = "system";
+ elseif($ext == ".pid" ) $type = "system";
+ elseif($ext == ".sh" ) $type = "system";
+ elseif($ext == ".bz2" ) $type = "zip";
+ elseif($ext == ".gz" ) $type = "zip";
+ elseif($ext == ".tgz" ) $type = "zip";
+ elseif($ext == ".zip" ) $type = "zip";
+ else $type = "generic";
+
+ $fqpn = "{$path}/{$file}";
+
+ if(is_file($fqpn)) {
+ $fqpn = realpath($fqpn);
+ $size = sprintf("%.2f KiB", filesize($fqpn) / 1024);
+ }
+ else
+ $size = "";
+?>
+ <tr>
+ <td></td>
+ <td class="fbFile vexpl" id="<?=$fqpn;?>" align="left">
+ <?php $filename = str_replace("//","/", "{$path}/{$file}"); ?>
+ <div onClick="$('<?=$target;?>').value='<?=$filename?>'; $('<?=$container;?>').hide();">
+ <img src="/filebrowser/images/file_<?=$type;?>.gif" alt="" title="">
+ <?=$file;?>
+ </div>
+ </td>
+ <td align="right" class="vexpl">
+ <?=$size;?>
+ </td>
+ </tr>
+<?php
+endforeach;
+?>
+</table>
+
diff --git a/config/snort/snort_list_view.php b/config/snort/snort_list_view.php
index 856367ef..8c3d0134 100644
--- a/config/snort/snort_list_view.php
+++ b/config/snort/snort_list_view.php
@@ -4,6 +4,7 @@
  *
  * Copyright (C) 2004, 2005 Scott Ullrich
  * Copyright (C) 2011 Ermal Luci
+ * Copyright (C) 2014 Bill Meeks
  * All rights reserved.
  *
  * Adapted for FreeNAS by Volker Theile (votdev@gmx.de)
@@ -41,23 +42,29 @@ global $g, $config;
 $contents = '';
-$id = $_GET['id'];
-$wlist = $_GET['wlist'];
-$type = $_GET['type'];
+if (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
+
+$wlist = htmlspecialchars($_GET['wlist']);
+$type = htmlspecialchars($_GET['type']);
+$title = "List";
 if (isset($id) && isset($wlist)) {
  $a_rule = $config['installedpackages']['snortglobal']['rule'][$id];
  if ($type == "homenet") {
  $list = snort_build_list($a_rule, $wlist);
  $contents = implode("\n", $list);
+ $title = "HOME_NET";
  }
- elseif ($type == "whitelist") {
+ elseif ($type == "passlist") {
  $list = snort_build_list($a_rule, $wlist, true);
  $contents = implode("\n", $list);
+ $title = "Pass List";
  }
  elseif ($type == "suppress") {
  $list = snort_find_list($wlist, $type);
  $contents = str_replace("\r", "", base64_decode($list['suppresspassthru']));
+ $title = "Suppress List";
  }
  else
  $contents = gettext("\n\nERROR -- Requested List Type entity is not valid!");
@@ -65,35 +72,32 @@ if (isset($id) && isset($wlist)) {
 else
  $contents = gettext("\n\nERROR -- Supplied interface or List entity is not valid!");
-$pgtitle = array(gettext("Snort"), gettext(ucfirst($type) . " Viewer"));
+$pgtitle = array(gettext("Snort"), gettext($title . " Viewer"));
 ?>
 <?php include("head.inc");?>
 <body link="#000000" vlink="#000000" alink="#000000">
-<?php if ($savemsg) print_info_box($savemsg); ?>
-<?php // include("fbegin.inc");?>
-<form action="snort_whitelist_view.php" method="post">
 <table width="100%" border="0" cellpadding="0" cellspacing="0">
 <tr>
 <td class="tabcont">
 <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee">
 <tr>
- <td class="pgtitle" colspan="2">Snort: <?php echo gettext(ucfirst($type) . " Viewer"); ?></td>
+ <td class="pgtitle" colspan="2">Snort: <?php echo gettext($title . " Viewer"); ?></td>
 </tr>
 <tr>
 <td align="left" width="20%">
 <input type="button" class="formbtn" value="Return" onclick="window.close()">
 </td>
 <td align="right">
- <b><?php echo gettext(ucfirst($type) . ": ") . '</b> ' . $_GET['wlist']; ?>
+ <b><?php echo gettext($title . ": ") . '</b> ' . htmlspecialchars($_GET['wlist']); ?>
 </td>
 </tr>
 <tr>
 <td colspan="2" valign="top" class="label">
 <div style="background: #eeeeee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. -->
- <textarea style="width:100%; height:100%;" readonly wrap="off" rows="25" cols="80" name="code2"><?=$contents;?></textarea>
+ <textarea style="width:100%; height:100%;" readonly wrap="off" rows="25" cols="80" name="code2"><?=htmlspecialchars($contents);?></textarea>
 </div>
 </td>
 </tr>
@@ -101,7 +105,5 @@ $pgtitle = array(gettext("Snort"), gettext(ucfirst($type) . " Viewer"));
 </td>
 </tr>
 </table>
-</form>
-<?php // include("fend.inc");?>
 </body>
 </html>
diff --git a/config/snort/snort_log_view.php b/config/snort/snort_log_view.php
deleted file mode 100644
index 4fc8d990..00000000
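Review bot: `$wlist = htmlspecialchars($_GET['wlist'])` escapes for HTML at input time, but `$wlist` is then used as a data key in `snort_build_list($a_rule, $wlist)` and `snort_find_list($wlist, $type)`, so a list name containing `&`, `<` or `"` no longer matches its config entry, while the display side already escapes `$_GET['wlist']` separately. Because `htmlspecialchars(null)` returns `""`, `isset($wlist)` is now always true, and the "Supplied interface or List entity is not valid" fallback only fires for a missing or non-numeric id, no longer for a missing list name as before this change. Keep raw values for the lookups and escape only at output: `$wlist = isset($_GET['wlist']) ? $_GET['wlist'] : null;` and `$type = isset($_GET['type']) ? $_GET['type'] : null;`. The `if (isset($id) && isset($wlist))` block continues past the end of this hunk.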
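Review bot: `gettext($title . " Viewer")` and `gettext($title . ": ")` look up a message id assembled at run time, so string extraction never sees it and the call can only return its input; the `$title` literals set in the previous hunk are not passed through `gettext()` either, so none of these page titles are translatable. Translate the fixed part and format in the variable: `$pgtitle = array(gettext("Snort"), sprintf(gettext("%s Viewer"), $title));`, with `sprintf(gettext("%s Viewer"), $title)` and `sprintf(gettext("%s: "), $title)` in the two echo lines, and `$title = gettext("Pass List");` style assignments where the values are set.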
--- a/config/snort/snort_log_view.php +++ /dev/null 
@@ -1,89 +0,0 @@ -<?php -/* - * snort_log_view.php - * - * Copyright (C) 2004, 2005 Scott Ullrich - * Copyright (C) 2011 Ermal Luci - * All rights reserved. - * - * Adapted for FreeNAS by Volker Theile (votdev@gmx.de) - * Copyright (C) 2006-2009 Volker Theile - * - * Adapted for Pfsense Snort package by Robert Zelaya - * Copyright (C) 2008-2009 Robert Zelaya - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -$contents = ''; - -// Read the contents of the argument passed to us. -// Is it a fully qualified path and file? -if (file_exists($_GET['logfile'])) - $contents = file_get_contents($_GET['logfile']); -// It is not something we can display, so print an error. 
-else - $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!"); - -$pgtitle = array(gettext("Snort"), gettext("Log File Viewer")); -?> - -<?php include("head.inc");?> - -<body link="#000000" vlink="#000000" alink="#000000"> -<?php if ($savemsg) print_info_box($savemsg); ?> -<?php // include("fbegin.inc");?> - -<form action="snort_log_view.php" method="post"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr> - <td class="tabcont"> - <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee"> - <tr> - <td class="pgtitle" colspan="2">Snort: Log File Viewer</td> - </tr> - <tr> - <td align="left" width="20%"> - <input type="button" class="formbtn" value="Return" onclick="window.close()"> - </td> - <td align="right"> - <b><?php echo gettext("Log File: ") . '</b> ' . $_GET['logfile']; ?> - </td> - </tr> - <tr> - <td colspan="2" valign="top" class="label"> - <div style="background: #eeeeee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" cols="80" name="code2"><?=$contents;?></textarea> - </div> - </td> - </tr> - </table> - </td> -</tr> -</table> -</form> -<?php // include("fend.inc");?> -</body> -</html> diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index 61989e99..b3152d5d 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -1,8 +1,8 @@ <?php /* - * snort_migrate_config.inc + * snort_migrate_config.php * - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013, 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -288,6 +288,75 @@ foreach ($rule as &$r) {
 }
 }
+ // Change any ENABLE_SID settings to new format of GID:SID
+ if (!empty($pconfig['rule_sid_on'])) {
+ $tmp = explode("||", $pconfig['rule_sid_on']);
+ $new_tmp = "";
+ foreach ($tmp as $v) {
+ if (strpos($v, ":") === false) {
+ if (preg_match('/(\d+)/', $v, $match))
+ $new_tmp .= "1:{$match[1]}||";
+ }
+ }
+ $new_tmp = rtrim($new_tmp, " ||");
+ if (!empty($new_tmp)) {
+ $pconfig['rule_sid_on'] = $new_tmp;
+ $updated_cfg = true;
+ }
+ }
+
+ // Change any DISABLE_SID settings to new format of GID:SID
+ if (!empty($pconfig['rule_sid_off'])) {
+ $tmp = explode("||", $pconfig['rule_sid_off']);
+ $new_tmp = "";
+ foreach ($tmp as $v) {
+ if (strpos($v, ":") === false) {
+ if (preg_match('/(\d+)/', $v, $match))
+ $new_tmp .= "1:{$match[1]}||";
+ }
+ }
+ $new_tmp = rtrim($new_tmp, " ||");
+ if (!empty($new_tmp)) {
+ $pconfig['rule_sid_off'] = $new_tmp;
+ $updated_cfg = true;
+ }
+ }
+
+ // Migrate any Barnyard2 settings to the new advanced fields.
+ // Parse the old DB connect string and find the "host", "user",
+ // "dbname" and "password" values and save them in the new
+ // MySQL field names in the config file.
+ if (!empty($pconfig['barnyard_mysql'])) {
+ if (preg_match_all('/(dbname|host|user|password)\s*\=\s*([^\s]*)/i', $pconfig['barnyard_mysql'], $matches)) {
+ foreach ($matches[1] as $k => $p) {
+ if (strcasecmp($p, 'dbname') == 0)
+ $pconfig['barnyard_dbname'] = $matches[2][$k];
+ elseif (strcasecmp($p, 'host') == 0)
+ $pconfig['barnyard_dbhost'] = $matches[2][$k];
+ elseif (strcasecmp($p, 'user') == 0)
+ $pconfig['barnyard_dbuser'] = $matches[2][$k];
+ elseif (strcasecmp($p, 'password') == 0)
+ $pconfig['barnyard_dbpwd'] = base64_encode($matches[2][$k]);
+ }
+ $pconfig['barnyard_mysql_enable'] = 'on';
+ unset($pconfig['barnyard_mysql']);
+ }
+ // Since Barnyard2 was enabled, configure the new archived log settings
+ $pconfig['u2_archived_log_retention'] = '168';
+ $pconfig['barnyard_archive_enable'] = 'on';
+ $pconfig['unified2_log_limit'] = '32';
+ $updated_cfg = true;
+ }
+
+ // This setting is deprecated and replaced
+ // by 'barnyard_enable' since any Barnyard2
+ // chaining requires unified2 logging.
+ if (isset($pconfig['snortunifiedlog'])) {
+ unset($pconfig['snortunifiedlog']);
+ $pconfig['barnyard_enable'] = 'on';
+ $updated_cfg = true;
+ }
+
 // Save the new configuration data into the $config array pointer
 $r = $pconfig;
 }
@@ -296,9 +365,9 @@ unset($r);
 // Write out the new configuration to disk if we changed anything
 if ($updated_cfg) {
- $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.2";
+ $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.7";
 log_error("[Snort] Saving configuration settings in new format...");
- write_config();
+ write_config("Snort pkg: migrate existing settings to new format as part of package upgrade.");
 log_error("[Snort] Settings successfully migrated to new configuration format...");
 }
 else
diff --git a/config/snort/snort_passlist.php b/config/snort/snort_passlist.php
new file mode 100644
index 00000000..2cac9cd4
--- /dev/null
+++ b/config/snort/snort_passlist.php
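Review bot: The SID migration loops drop every entry that is already in `GID:SID` form: the `foreach` appends to `$new_tmp` only when `strpos($v, ":") === false`, so a `rule_sid_on` value that mixes legacy `123` and already-converted `1:123` entries loses the converted ones when `$new_tmp` replaces it, and the identical `rule_sid_off` loop has the same problem. Carry such entries through with an `else` on the inner test, `else $new_tmp .= "{$v}||";`, and consider setting `$updated_cfg` only when `$new_tmp` differs from the original string. In the Barnyard2 block, `[^\s]*` stops at the first whitespace, so a password containing a space is stored truncated, and `base64_encode()` on `barnyard_dbpwd` is an encoding for the config format rather than a protection — presumably it matches what the new Barnyard2 settings page writes, which is worth confirming. The enclosing `foreach ($rule as &$r)` starts outside the hunk.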
@@ -0,0 +1,205 @@ +<?php +/* + * snort_passlist.php + * + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2014 Bill Meeks + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) + $config['installedpackages']['snortglobal']['whitelist'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); +$a_passlist = &$config['installedpackages']['snortglobal']['whitelist']['item']; + +// Calculate the next Pass List index ID +if (isset($config['installedpackages']['snortglobal']['whitelist']['item'])) + $id_gen = count($config['installedpackages']['snortglobal']['whitelist']['item']); +else + $id_gen = '0'; + +function snort_is_passlist_used($list) { + + /********************************************** + * This function tests the provided Pass List * + * to determine if it is assigned to an * + * interface. * + * * + * On Entry: $list -> Pass List name to test * + * * + * Returns: TRUE if Pass List is in use or * + * FALSE if not in use * + **********************************************/ + + global $config; + + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return FALSE; + + foreach($config['installedpackages']['snortglobal']['rule'] as $v) { + if (isset($v['whitelistname']) && $v['whitelistname'] == $list) + return TRUE; + } + return FALSE; +} + +if ($_POST['del'] && is_numericint($_POST['list_id'])) { + if ($a_passlist[$_POST['list_id']]) { + /* make sure list is not being referenced by any interface */ + if (snort_is_passlist_used($a_passlist[$_POST['list_id']]['name'])) { + $input_errors[] = gettext("This Pass List is currently assigned to a Snort interface and cannot be deleted. 
Unassign it from all Snort interfaces first."); + } + if (!$input_errors) { + unset($a_passlist[$_POST['list_id']]); + write_config("Snort pkg: deleted PASS LIST."); + sync_snort_package_config(); + header("Location: /snort/snort_passlist.php"); + exit; + } + } +} + +$pgtitle = gettext("Snort: Pass Lists"); +include_once("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php +include_once("fbegin.inc"); + +/* Display Alert message */ +if ($input_errors) { + print_input_errors($input_errors); +} +if ($savemsg) { + print_info_box($savemsg); +} +?> + +<form action="/snort/snort_passlist.php" method="post"> +<input type="hidden" name="list_id" id="list_id" value=""/> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Pass Lists"), true, "/snort/snort_passlist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); +?> + </td> +</tr> +<tr> + <td><div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="25%" class="listhdrr">List Name</td> + <td width="30%" class="listhdrr">Assigned Alias</td> + <td class="listhdr">Description</td> + <td width="40px" class="list"></td> + </tr> + <?php foreach 
($a_passlist as $i => $list): ?> + <tr> + <td class="listlr" + ondblclick="document.location='snort_passlist_edit.php?id=<?=$i;?>';"> + <?=htmlspecialchars($list['name']);?></td> + <td class="listr" + ondblclick="document.location='snort_passlist_edit.php?id=<?=$i;?>';" + title="<?=filter_expand_alias($list['address']);?>"> + <?php echo gettext($list['address']);?></td> + <td class="listbg" + ondblclick="document.location='snort_passlist_edit.php?id=<?=$i;?>';"> + <font color="#FFFFFF"> <?=htmlspecialchars($list['descr']);?> + </td> + <td valign="middle" nowrap class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a href="snort_passlist_edit.php?id=<?=$i;?>"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?php echo gettext("Edit pass list"); ?>"></a> + </td> + <td><input type="image" name="del[]" onclick="document.getElementById('list_id').value='<?=$i;?>';return confirm('<?=gettext("Do you really want to delete this pass list? 
Click OK to continue or CANCEL to quit.)!");?>');" + src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?php echo gettext("Delete pass list"); ?>"/> + </td> + </tr> + </table> + </td> + </tr> + <?php endforeach; ?> + <tr> + <td class="list" colspan="3"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle" width="17"> </td> + <td valign="middle"><a href="snort_passlist_edit.php?id=<?php echo $id_gen;?> "> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="<?php echo gettext("add a new pass list"); ?>"/></a> + </td> + </tr> + </table> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> +<br> +<table width="100%" border="0" cellpadding="1" + cellspacing="1"> + <tr> + <td width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Notes:"); ?></strong></span> + <p><?php echo gettext("1. Here you can create Pass List files for your Snort package rules. Hosts on a Pass List are never blocked by Snort."); ?><br/> + <?php echo gettext("2. Add all the IP addresses or networks (in CIDR notation) you want to protect against Snort block decisions."); ?><br/> + <?php echo gettext("3. The default Pass List includes the WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks."); ?><br/> + <?php echo gettext("4. Be careful, it is very easy to get locked out of your system by altering the default settings."); ?></p></span></td> + </tr> + <tr> + <td width="100%"><span class="vexpl"><?php echo gettext("Remember you must restart Snort on the interface for changes to take effect!"); ?></span></td> + </tr> +</table> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_passlist_edit.php index 882c2b6f..3be776f4 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php 
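Review bot: `unset($a_passlist[$_POST['list_id']])` leaves the remaining keys untouched, and on the next request `$id_gen = count(...)` can then equal a surviving index (delete entry 0 of two lists and `count()` is 1, the key of the remaining list), so the add link `snort_passlist_edit.php?id=<?php echo $id_gen;?>` opens that list for editing instead of creating a new one — unless something outside this page reindexes the array after a delete, which is not visible here. Derive the next id from the keys actually in use, `$id_gen = empty($a_passlist) ? 0 : max(array_keys($a_passlist)) + 1;`, which also retires the dead `else $id_gen = '0';` branch, since the `isset()` above it is always true once the array has been initialised a few lines earlier. In the table rows, `filter_expand_alias($list['address'])` in the `title` attribute and `gettext($list['address'])` are printed without `htmlspecialchars()`, unlike `name` and `descr` on the same row; escape them the same way. The confirm text ending in `CANCEL to quit.)!` has a stray `)`.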
+++ b/config/snort/snort_passlist_edit.php @@ -1,8 +1,9 @@ <?php /* - * snort_interfaces_whitelist_edit.php + * snort_passlist_edit.php * Copyright (C) 2004 Scott Ullrich * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * originially part of m0n0wall (http://m0n0.ch/wall) @@ -39,7 +40,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); if ($_POST['cancel']) { - header("Location: /snort/snort_interfaces_whitelist.php"); + header("Location: /snort/snort_passlist.php"); exit; } 
@@ -47,27 +48,32 @@ if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) $config['installedpackages']['snortglobal']['whitelist'] = array(); if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); -$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; +$a_passlist = &$config['installedpackages']['snortglobal']['whitelist']['item']; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + +/* Should never be called without identifying list index, so bail */ if (is_null($id)) { header("Location: /snort/snort_interfaces_whitelist.php"); exit; } -if (empty($config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid'])) { - $whitelist_uuid = 0; - while ($whitelist_uuid > 65535 || $whitelist_uuid == 0) { - $whitelist_uuid = mt_rand(1, 65535); - $pconfig['uuid'] = $whitelist_uuid; +/* If no entry for this passlist, then create a UUID and treat it like a new list */ +if (!isset($a_passlist[$id]['uuid'])) { + $passlist_uuid = 0; + while ($passlist_uuid > 65535 || $passlist_uuid == 0) { + $passlist_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $passlist_uuid; + $pconfig['name'] = "passlist_{$passlist_uuid}"; } } else - $whitelist_uuid = $config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid']; + $passlist_uuid = $a_passlist[$id]['uuid']; -/* returns true if $name is a valid name for a whitelist file name or ip */ -function is_validwhitelistname($name) { +/* returns true if $name is a valid name for a pass list file name or ip */ +function is_validpasslistname($name) { if (!is_string($name)) return false; 
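Review bot: The bail-out redirect in this hunk still points at the old page, `header("Location: /snort/snort_interfaces_whitelist.php");`, while the cancel and save redirects in the other hunks of this file were moved to `/snort/snort_passlist.php`; the line should read `header("Location: /snort/snort_passlist.php");`. Separately, `$id` is only assigned inside the two branches, so the `is_null($id)` test reads an undefined variable when neither branch matches; initialising `$id = null;` before the `if` makes the bail-out explicit, and `htmlspecialchars()` on a value `is_numericint()` has already accepted is redundant. The same `$id` pattern appears in the `@@ -38,9 +38,11 @@` hunk of snort_preprocessors.php.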
@@ -77,29 +83,29 @@ function is_validwhitelistname($name) { return false; } -if (isset($id) && $a_whitelist[$id]) { +if (isset($id) && $a_passlist[$id]) { /* old settings */ $pconfig = array(); - $pconfig['name'] = $a_whitelist[$id]['name']; - $pconfig['uuid'] = $a_whitelist[$id]['uuid']; - $pconfig['detail'] = $a_whitelist[$id]['detail']; - $pconfig['address'] = $a_whitelist[$id]['address']; - $pconfig['descr'] = html_entity_decode($a_whitelist[$id]['descr']); - $pconfig['localnets'] = $a_whitelist[$id]['localnets']; - $pconfig['wanips'] = $a_whitelist[$id]['wanips']; - $pconfig['wangateips'] = $a_whitelist[$id]['wangateips']; - $pconfig['wandnsips'] = $a_whitelist[$id]['wandnsips']; - $pconfig['vips'] = $a_whitelist[$id]['vips']; - $pconfig['vpnips'] = $a_whitelist[$id]['vpnips']; + $pconfig['name'] = $a_passlist[$id]['name']; + $pconfig['uuid'] = $a_passlist[$id]['uuid']; + $pconfig['detail'] = $a_passlist[$id]['detail']; + $pconfig['address'] = $a_passlist[$id]['address']; + $pconfig['descr'] = html_entity_decode($a_passlist[$id]['descr']); + $pconfig['localnets'] = $a_passlist[$id]['localnets']; + $pconfig['wanips'] = $a_passlist[$id]['wanips']; + $pconfig['wangateips'] = $a_passlist[$id]['wangateips']; + $pconfig['wandnsips'] = $a_passlist[$id]['wandnsips']; + $pconfig['vips'] = $a_passlist[$id]['vips']; + $pconfig['vpnips'] = $a_passlist[$id]['vpnips']; } // Check for returned "selected alias" if action is import if ($_GET['act'] == "import") { - if ($_GET['varname'] == "address" && !empty($_GET['varvalue'])) - $pconfig[$_GET['varname']] = $_GET['varvalue']; + if ($_GET['varname'] == "address" && isset($_GET['varvalue'])) + $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); } -if ($_POST['submit']) { +if ($_POST['save']) { unset($input_errors); $pconfig = $_POST; 
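Review bot: The import branch stores `htmlspecialchars($_GET['varvalue'])` in `$pconfig['address']`, but the form later emits that field through `htmlspecialchars($pconfig['address'])` again and also passes it to `filter_expand_alias()`, so an alias name containing `&` or a quote would be double-encoded on display and would not resolve. Escaping belongs at the output side only; keep the raw value here, `$pconfig[$_GET['varname']] = $_GET['varvalue'];`, and let the existing output escaping do its job. Whether alias names can contain such characters depends on the alias validator, which is not visible here.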
@@ -108,19 +114,19 @@ if ($_POST['submit']) { $reqdfieldsn = explode(",", "Name"); do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - if(strtolower($_POST['name']) == "defaultwhitelist") - $input_errors[] = gettext("Whitelist file names may not be named defaultwhitelist."); + if(strtolower($_POST['name']) == "defaultpasslist") + $input_errors[] = gettext("Pass List file names may not be named defaultpasslist."); - if (is_validwhitelistname($_POST['name']) == false) - $input_errors[] = gettext("Whitelist file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."); + if (is_validpasslistname($_POST['name']) == false) + $input_errors[] = gettext("Pass List file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."); /* check for name conflicts */ - foreach ($a_whitelist as $w_list) { - if (isset($id) && ($a_whitelist[$id]) && ($a_whitelist[$id] === $w_list)) + foreach ($a_passlist as $w_list) { + if (isset($id) && ($a_passlist[$id]) && ($a_passlist[$id] === $w_list)) continue; if ($w_list['name'] == $_POST['name']) { - $input_errors[] = gettext("A whitelist file name with this name already exists."); + $input_errors[] = gettext("A Pass List file name with this name already exists."); break; } } @@ -133,7 +139,7 @@ if ($_POST['submit']) { $w_list = array(); /* post user input */ $w_list['name'] = $_POST['name']; - $w_list['uuid'] = $whitelist_uuid; + $w_list['uuid'] = $passlist_uuid; $w_list['localnets'] = $_POST['localnets']? 'yes' : 'no'; $w_list['wanips'] = $_POST['wanips']? 'yes' : 'no'; $w_list['wangateips'] = $_POST['wangateips']? 'yes' : 'no'; 
@@ -145,22 +151,22 @@ if ($_POST['submit']) { $w_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); $w_list['detail'] = $final_address_details; - if (isset($id) && $a_whitelist[$id]) - $a_whitelist[$id] = $w_list; + if (isset($id) && $a_passlist[$id]) + $a_passlist[$id] = $w_list; else - $a_whitelist[] = $w_list; + $a_passlist[] = $w_list; - write_config(); + write_config("Snort pkg: modified PASS LIST {$w_list['name']}."); - /* create whitelist and homenet file then sync files */ + /* create pass list and homenet file, then sync files */ sync_snort_package_config(); - header("Location: /snort/snort_interfaces_whitelist.php"); + header("Location: /snort/snort_passlist.php"); exit; } } -$pgtitle = gettext("Snort: Whitelist Edit - {$a_whitelist[$id]['name']}"); +$pgtitle = gettext("Snort: Pass List Edit - {$pconfig['name']}"); include_once("head.inc"); ?> @@ -168,8 +174,8 @@ include_once("head.inc"); <?php include("fbegin.inc"); -if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} -if ($input_errors) print_input_errors($input_errors); +if ($input_errors) + print_input_errors($input_errors); if ($savemsg) print_info_box($savemsg); ?> @@ -177,7 +183,8 @@ if ($savemsg) </script> <script type="text/javascript" src="/javascript/suggestions.js"> </script> -<form action="snort_interfaces_whitelist_edit.php" method="post" name="iform" id="iform"> +<form action="snort_passlist_edit.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id;?>" /> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php 
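Review bot: `$pgtitle = gettext("Snort: Pass List Edit - {$pconfig['name']}");` interpolates a runtime value into the gettext key, so the string can never match a catalog entry, and after a failed validation `$pconfig` is the raw `$_POST`, so the unvalidated name reaches the title. Build the title from a fixed translatable string and escape the variable part: `$pgtitle = gettext("Snort: Pass List Edit") . " - " . htmlspecialchars($pconfig['name']);`. Whether head.inc escapes `$pgtitle` itself is not visible here; if it does, the escaping can stay on that side and only the gettext split is needed.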
@@ -187,10 +194,11 @@ if ($savemsg) $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), true, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), true, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array,true); ?> </td> </tr> @@ -266,12 +274,12 @@ if ($savemsg) <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add custom IP Addresses from configured Aliases."); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncellreq"> - <div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div> + <td width="22%" valign="top" class="vncell"> + <?php echo gettext("Assigned Aliases:"); ?> </td> <td width="78%" class="vtable"> <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" - title="<?=trim(filter_expand_alias($pconfig['address']));?>" /> + title="<?=trim(filter_expand_alias($pconfig['address']));?>"/> <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=0&type=host|network&varname=address&act=import&multi_ip=yes&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" title="<?php echo gettext("Select an existing IP alias");?>"/> </td> 
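Review bot: In the `@@ -266,12 +274,12 @@` hunk the rewritten line `title="<?=trim(filter_expand_alias($pconfig['address']));?>"/>` still prints the expanded alias into an attribute without escaping, unlike the `value` attribute on the line above it. `title="<?=htmlspecialchars(trim(filter_expand_alias($pconfig['address'])));?>"/>` keeps the two attributes consistent. The expansion is expected to be addresses, so this is about consistency more than a demonstrated problem.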
@@ -279,9 +287,8 @@ if ($savemsg) <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input id="submit" name="submit" type="submit" class="formbtn" value="Save" /> + <input id="save" name="save" type="submit" class="formbtn" value="Save" /> <input id="cancel" name="cancel" type="submit" class="formbtn" value="Cancel" /> - <input name="id" type="hidden" value="<?=$id;?>" /> </td> </tr> </table> @@ -299,15 +306,11 @@ if ($savemsg) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] != "host" && $alias_name['type'] != "network") continue; - // Skip any Aliases that resolve to an empty string - if (trim(filter_expand_alias($alias_name['name'])) == "") - continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; } ?> - var addressarray=new Array(<?php echo $aliasesaddr; ?>); function createAutoSuggest() { diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index 003628be..dbac41ef 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php @@ -96,13 +96,15 @@ function snort_build_new_conf($snortcfg) { if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; + conf_mount_rw(); + /* See if we should protect and not modify the preprocessor rules files */ if (!empty($snortcfg['protect_preproc_rules'])) $protect_preproc_rules = $snortcfg['protect_preproc_rules']; else $protect_preproc_rules = "off"; - $if_real = snort_get_real_interface($snortcfg['interface']); + $if_real = get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; 
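Review bot: In the `@@ -96,13 +98,15 @@` hunk of snort_post_install.php, `$protect_preproc_rules` is still derived from `$snortcfg['protect_preproc_rules']`, but its only consumer, the preprocessor-rules block in the `@@ -793,43 +848,9 @@` hunk, is deleted by this commit, so the assignment looks dead as far as the visible hunks show. If nothing else in snort_build_new_conf reads it, drop the four lines; if it is still read, a comment naming the reader would help. The new `conf_mount_rw()` is paired with `conf_mount_ro()` at the end of the function, but any `return` between them that lies outside these hunks would leave the filesystem writable; the function body is not fully visible here.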
@@ -162,8 +164,18 @@ function snort_build_new_conf($snortcfg) { /* define snortunifiedlog */ $snortunifiedlog_type = ""; - if ($snortcfg['snortunifiedlog'] == "on") - $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; + if ($snortcfg['barnyard_enable'] == "on") { + if (isset($snortcfg['unified2_log_limit'])) + $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; + else + $u2_log_limit = "limit 128"; + + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; + if ($snortcfg['barnyard_log_vlan_events'] == 'on') + $snortunifiedlog_type .= ", vlan_event_types"; + if ($snortcfg['barnyard_log_mpls_events'] == 'on') + $snortunifiedlog_type .= ", mpls_event_types"; + } /* define spoink */ $spoink_type = ""; 
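Review bot: `isset($snortcfg['unified2_log_limit'])` is true for an empty string, so a blank form field yields `limit ` with no value in the unified2 output line, which Snort is unlikely to accept. Test for a usable value instead, `if (!empty($snortcfg['unified2_log_limit']) && is_numeric($snortcfg['unified2_log_limit']))`, so the `limit 128` default also covers the blank case. snort_build_new_conf starts before this hunk.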
@@ -721,6 +733,49 @@ preprocessor sensitive_data: \ EOD; + /* define IP Reputation preprocessor */ + if (is_array($snortcfg['blist_files']['item'])) { + $blist_files = ""; + $bIsFirst = TRUE; + foreach ($snortcfg['blist_files']['item'] as $blist) { + if ($bIsFirst) { + $blist_files .= "blacklist " . IPREP_PATH . $blist; + $bIsFirst = FALSE; + } + else + $blist_files .= ", \\ \n\tblacklist " . IPREP_PATH . $blist; + } + } + if (is_array($snortcfg['wlist_files']['item'])) { + $wlist_files = ""; + $bIsFirst = TRUE; + foreach ($snortcfg['wlist_files']['item'] as $wlist) { + if ($bIsFirst) { + $wlist_files .= "whitelist " . IPREP_PATH . $wlist; + $bIsFirst = FALSE; + } + else + $wlist_files .= ", \\ \n\twhitelist " . IPREP_PATH . $wlist; + } + } + if (!empty($blist_files)) + $ip_lists = $blist_files; + if (!empty($wlist_files)) + $ip_lists .= ", \\ \n" . $wlist_files; + if ($snortcfg['iprep_scan_local'] == 'on') + $ip_lists .= ", \\ \n\tscan_local"; + + $reputation_preproc = <<<EOD +# IP Reputation preprocessor # +preprocessor reputation: \ + memcap {$snortcfg['iprep_memcap']}, \ + priority {$snortcfg['iprep_priority']}, \ + nested_ip {$snortcfg['iprep_nested_ip']}, \ + white {$snortcfg['iprep_white']}, \ + {$ip_lists} + +EOD; + /* define servers as IP variables */ $snort_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", 
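Review bot: The list assembly breaks whenever the blacklist is empty: `$ip_lists` is never initialised, so with only whitelist files the `.=` produces a value starting with `, \`, with `scan_local` alone it produces `, \ \n\tscan_local`, and with no lists at all the heredoc ends on `white ..., \` followed by a blank line, each leaving a dangling comma or continuation in the generated preprocessor line. Collecting the fragments in an array and joining them once removes all of these cases along with the `$bIsFirst` bookkeeping, and moving the leading separator into `$ip_lists` lets the heredoc stay valid when the list is empty. `basename()` on the stored file names also keeps the generated paths inside IPREP_PATH, assuming the names are not already validated where they are saved.
```php
	/* define IP Reputation preprocessor */
	$ip_lists_parts = array();
	if (is_array($snortcfg['blist_files']['item'])) {
		foreach ($snortcfg['blist_files']['item'] as $blist)
			$ip_lists_parts[] = "blacklist " . IPREP_PATH . basename($blist);
	}
	if (is_array($snortcfg['wlist_files']['item'])) {
		foreach ($snortcfg['wlist_files']['item'] as $wlist)
			$ip_lists_parts[] = "whitelist " . IPREP_PATH . basename($wlist);
	}
	if ($snortcfg['iprep_scan_local'] == 'on')
		$ip_lists_parts[] = "scan_local";
	/* empty when no lists are configured, otherwise one entry per continued line */
	$ip_lists = empty($ip_lists_parts) ? "" : ", \\ \n\t" . implode(", \\ \n\t", $ip_lists_parts);

	// … unchanged: $reputation_preproc heredoc, except its last option line becomes:
	//     white {$snortcfg['iprep_white']}{$ip_lists}
```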
@@ -751,11 +806,11 @@ EOD; "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", - "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", + "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc" ); $default_disabled_preprocs = array( - "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc" + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat" ); $snort_preprocessors = ""; foreach ($snort_preproc as $preproc) { 
@@ -793,43 +848,9 @@ EOD; $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (is_dir("{$snortcfgdir}/preproc_rules")) { - if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { - $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; - if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){ - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; - #enable only selected sensitive data - if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){ - $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; - $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); - $sd_tmp_new_file=""; - foreach ($sd_tmp_file as $sd_tmp_line) - $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; - file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); - } - } - } else - $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; - if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { - @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); - @unlink("{$g['tmp_path']}/sedcmd"); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { - $snort_misc_include_rules .= "include 
\$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } - else { - $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); - } - } else { + if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); } /* generate rule sections to load */ @@ -1247,9 +1268,8 @@ EOD; ipvar HOME_NET [{$home_net}] ipvar EXTERNAL_NET [{$external_net}] -# Define Rule Paths # +# Define Rule Path # var RULE_PATH {$snortcfgdir}/rules -var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules # Define Servers # {$ipvardef} @@ -1340,13 +1360,8 @@ output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,src EOD; // Write out snort.conf file - $conf = fopen("{$snortcfgdir}/snort.conf", "w"); - if(!$conf) { - log_error("Could not open {$snortcfgdir}/snort.conf for writing."); - return -1; - } - fwrite($conf, $snort_conf_text); - fclose($conf); + file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text); + conf_mount_ro(); unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); unset($home_net, $external_net, $ipvardef, $portvardef); } 
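Review bot: After this hunk, when `decoder.rules` and `preprocessor.rules` both exist nothing is emitted for them: the branches that added `include $PREPROC_RULE_PATH/...` lines are removed, the `@@ -1247,9 +1268,8 @@` hunk drops the `PREPROC_RULE_PATH` variable, and the new code writes `config autogenerate_preprocessor_decoder_rules` only when one of the files is missing. Unless those includes are now produced elsewhere in snort_build_new_conf (not visible here), an interface with both files present ends up with no decoder or preprocessor rules loaded at all. A comment stating where those rules are now included, or an unconditional `config autogenerate_preprocessor_decoder_rules`, would make the intent clear.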
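Review bot: In the `@@ -1340,13 +1360,8 @@` hunk, `file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text);` replaces an open that logged its failure and returned -1, but its result is not checked, so a write failure (read-only mount, missing directory) now passes silently and the caller continues with a stale or absent snort.conf. Keep the diagnostic: `if (file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text) === false) log_error("Could not write {$snortcfgdir}/snort.conf.");`, placed before `conf_mount_ro()` so the mount is still restored.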
@@ -1361,14 +1376,14 @@ if(is_process_running("snort")) { exec("/usr/bin/killall -z snort"); sleep(2); // Delete any leftover snort PID files in /var/run - array_map('@unlink', glob("/var/run/snort_*.pid")); + unlink_if_exists("/var/run/snort_*.pid"); } // Hard kill any running Barnyard2 processes if(is_process_running("barnyard")) { exec("/usr/bin/killall -z barnyard2"); sleep(2); // Delete any leftover barnyard2 PID files in /var/run - array_map('@unlink', glob("/var/run/barnyard2_*.pid")); + unlink_if_exists("/var/run/barnyard2_*.pid"); } /* Set flag for post-install in progress */ 
@@ -1397,46 +1412,68 @@ foreach ($preproc_rules as $file) { @unlink("{$rcdir}/snort.sh"); @unlink("{$rcdir}/barnyard2"); +/* Create required log and db directories in /var */ +safe_mkdir(SNORTLOGDIR); +safe_mkdir(IPREP_PATH); + +/* If installed, absorb the Snort Dashboard Widget into this package */ +/* by removing it as a separately installed package. */ +$pkgid = get_pkg_id("Dashboard Widget: Snort"); +if ($pkgid >= 0) { + log_error(gettext("[Snort] Removing legacy 'Dashboard Widget: Snort' package because the widget is now part of the Snort package.")); + unset($config['installedpackages']['package'][$pkgid]); + unlink_if_exists("/usr/local/pkg/widget-snort.xml"); + write_config("Snort pkg: removed legacy Snort Dashboard Widget."); +} + +/* Define a default Dashboard Widget Container for Snort */ +$snort_widget_container = "snort_alerts-container:col2:close"; + /* remake saved settings */ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings...")); update_status(gettext("Saved settings detected...")); /* Do one-time settings migration for new multi-engine configurations */ - update_output_window(gettext("Please wait... migrating settings to new multi-engine configuration...")); - include "/usr/local/pkg/snort/snort_migrate_config.php"; + update_output_window(gettext("Please wait... migrating settings to new configuration...")); + include('/usr/local/www/snort/snort_migrate_config.php'); update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); log_error(gettext("[Snort] Downloading and updating configured rule types...")); update_output_window(gettext("Please wait... 
downloading and updating configured rule types...")); if ($pkg_interface <> "console") $snort_gui_include = true; - include "/usr/local/pkg/snort/snort_check_for_rule_updates.php"; + include('/usr/local/www/snort/snort_check_for_rule_updates.php'); update_status(gettext("Generating snort.conf configuration file from saved settings...")); $rebuild_rules = true; /* Create the snort.conf files for each enabled interface */ $snortconf = $config['installedpackages']['snortglobal']['rule']; foreach ($snortconf as $value) { - $if_real = snort_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); /* create a snort.conf file for interface */ snort_build_new_conf($value); /* create barnyard2.conf file for interface */ if ($value['barnyard_enable'] == 'on') - snort_create_barnyard2_conf($value, $if_real); + snort_generate_barnyard2_conf($value, $if_real); } /* create snort bootup file snort.sh */ snort_create_rc(); /* Set Log Limit, Block Hosts Time and Rules Update Time */ - snort_snortloglimit_install_cron($config['installedpackages']['snortglobal']['snortloglimit'] == 'on' ? true : false); + snort_snortloglimit_install_cron(true); snort_rm_blocked_install_cron($config['installedpackages']['snortglobal']['rm_blocked'] != "never_b" ? true : false); snort_rules_up_install_cron($config['installedpackages']['snortglobal']['autorulesupdate7'] != "never_up" ? true : false); /* Add the recurring jobs created above to crontab */ configure_cron(); + /* Restore the last Snort Dashboard Widget setting if none is set */ + if (!empty($config['installedpackages']['snortglobal']['dashboard_widget']) && + stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE) + $config['widgets']['sequence'] .= "," . 
$config['installedpackages']['snortglobal']['dashboard_widget']; + $rebuild_rules = false; update_output_window(gettext("Finished rebuilding Snort configuration files...")); log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); @@ -1451,9 +1488,14 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { } } +/* If an existing Snort Dashboard Widget container is not found, */ +/* then insert our default Widget Dashboard container. */ +if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE) + $config['widgets']['sequence'] .= ",{$snort_widget_container}"; + /* Update Snort package version in configuration */ -$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.2"; -write_config(); +$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.7"; +write_config("Snort pkg: post-install configuration saved."); /* Done with post-install, so clear flag */ unset($g['snort_postinstall']); diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 26b37e81..5cee95df 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -6,7 +6,7 @@ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. * Copyright (C) 2008-2009 Robert Zelaya. * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013, 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -38,9 +38,11 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g, $rebuild_rules; $snortlogdir = SNORTLOGDIR; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + if (is_null($id)) { header("Location: /snort/snort_interfaces.php"); exit; 
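Review bot: `snort_snortloglimit_install_cron(true);` now installs the log-limit cron job unconditionally, where the replaced line honoured the `snortloglimit` global setting; if that option was removed from the configuration this is fine, but a comment such as `/* log-limit cron is always installed; the per-install on/off setting no longer exists */` would tell the next reader it is deliberate. The widget restore in the same hunk appends `"," . $config['installedpackages']['snortglobal']['dashboard_widget']` to `$config['widgets']['sequence']` without checking that the sequence is non-empty, which may leave a leading comma on a fresh install; the `@@ -1451,9 +1488,14 @@` hunk does the same with `",{$snort_widget_container}"`. Guarding with an empty-sequence check, or `ltrim($config['widgets']['sequence'], ",")` after the append, avoids it in both places.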
@@ -66,6 +68,8 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_clie $a_nat = &$config['installedpackages']['snortglobal']['rule']; $vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; + +// Calculate the "next engine ID" to use for the multi-config engine arrays $frag3_engine_next_id = count($a_nat[$id]['frag3_engine']['item']); $stream5_tcp_engine_next_id = count($a_nat[$id]['stream5_tcp_engine']['item']); $http_inspect_engine_next_id = count($a_nat[$id]['http_inspect_engine']['item']); 
@@ -73,170 +77,9 @@ $ftp_server_engine_next_id = count($a_nat[$id]['ftp_server_engine']['item']); $ftp_client_engine_next_id = count($a_nat[$id]['ftp_client_engine']['item']); $pconfig = array(); -if (isset($id) && $a_nat[$id]) { +if (isset($id) && isset($a_nat[$id])) { $pconfig = $a_nat[$id]; - /* Get current values from config for page form fields */ - $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; - $pconfig['host_attribute_table'] = $a_nat[$id]['host_attribute_table']; - $pconfig['host_attribute_data'] = $a_nat[$id]['host_attribute_data']; - $pconfig['max_attribute_hosts'] = $a_nat[$id]['max_attribute_hosts']; - $pconfig['max_attribute_services_per_host'] = $a_nat[$id]['max_attribute_services_per_host']; - $pconfig['max_paf'] = $a_nat[$id]['max_paf']; - $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; - $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; - $pconfig['ftp_telnet_inspection_type'] = $a_nat[$id]['ftp_telnet_inspection_type']; - $pconfig['ftp_telnet_alert_encrypted'] = $a_nat[$id]['ftp_telnet_alert_encrypted']; - $pconfig['ftp_telnet_check_encrypted'] = $a_nat[$id]['ftp_telnet_check_encrypted']; - $pconfig['ftp_telnet_normalize'] = $a_nat[$id]['ftp_telnet_normalize']; - $pconfig['ftp_telnet_detect_anomalies'] = $a_nat[$id]['ftp_telnet_detect_anomalies']; - $pconfig['ftp_telnet_ayt_attack_threshold'] = $a_nat[$id]['ftp_telnet_ayt_attack_threshold']; - $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; - $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; - $pconfig['pscan_protocol'] = $a_nat[$id]['pscan_protocol']; - $pconfig['pscan_type'] = $a_nat[$id]['pscan_type']; - $pconfig['pscan_sense_level'] = $a_nat[$id]['pscan_sense_level']; - $pconfig['pscan_memcap'] = $a_nat[$id]['pscan_memcap']; - $pconfig['pscan_ignore_scanners'] = $a_nat[$id]['pscan_ignore_scanners']; - $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; - $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; - 
$pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; - $pconfig['sdf_alert_data_type'] = $a_nat[$id]['sdf_alert_data_type']; - $pconfig['sdf_alert_threshold'] = $a_nat[$id]['sdf_alert_threshold']; - $pconfig['sdf_mask_output'] = $a_nat[$id]['sdf_mask_output']; - $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc']; - $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc']; - $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc']; - $pconfig['sip_preproc'] = $a_nat[$id]['sip_preproc']; - $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc']; - $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc']; - $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc']; - $pconfig['ssh_preproc'] = $a_nat[$id]['ssh_preproc']; - $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable']; - $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules']; - - // Frag3 global settings - $pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection']; - $pconfig['frag3_max_frags'] = $a_nat[$id]['frag3_max_frags']; - $pconfig['frag3_memcap'] = $a_nat[$id]['frag3_memcap']; - - // See if new Frag3 engine array is configured and use it; - // otherwise create a default engine configuration. 
- if (empty($pconfig['frag3_engine']['item'])) { - $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", - "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", - "overlap_limit" => 0, "min_frag_len" => 0 ); - $pconfig['frag3_engine']['item'] = array(); - $pconfig['frag3_engine']['item'][] = $default; - if (!is_array($a_nat[$id]['frag3_engine']['item'])) - $a_nat[$id]['frag3_engine']['item'] = array(); - $a_nat[$id]['frag3_engine']['item'][] = $default; - write_config(); - $frag3_engine_next_id++; - } - else - $pconfig['frag3_engine'] = $a_nat[$id]['frag3_engine']; - - // Stream5 global settings - $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly']; - $pconfig['stream5_flush_on_alert'] = $a_nat[$id]['stream5_flush_on_alert']; - $pconfig['stream5_prune_log_max'] = $a_nat[$id]['stream5_prune_log_max']; - $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap']; - $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp']; - $pconfig['stream5_max_tcp'] = $a_nat[$id]['stream5_max_tcp']; - $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp']; - $pconfig['stream5_max_udp'] = $a_nat[$id]['stream5_max_udp']; - $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout']; - $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp']; - $pconfig['stream5_max_icmp'] = $a_nat[$id]['stream5_max_icmp']; - $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout']; - - // See if new Stream5 engine array is configured and use it; - // otherwise create a default engine configuration. 
- if (empty($pconfig['stream5_tcp_engine']['item'])) { - $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, - "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, - "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, - "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", - "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", - "ports_both" => "default", "ports_server" => "none" ); - $pconfig['stream5_tcp_engine']['item'] = array(); - $pconfig['stream5_tcp_engine']['item'][] = $default; - if (!is_array($a_nat[$id]['stream5_tcp_engine']['item'])) - $a_nat[$id]['stream5_tcp_engine']['item'] = array(); - $a_nat[$id]['stream5_tcp_engine']['item'][] = $default; - write_config(); - $stream5_tcp_engine_next_id++; - } - else - $pconfig['stream5_tcp_engine'] = $a_nat[$id]['stream5_tcp_engine']; - - // HTTP_INSPECT global settings - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap']; - $pconfig['http_inspect_proxy_alert'] = $a_nat[$id]['http_inspect_proxy_alert']; - $pconfig['http_inspect_max_gzip_mem'] = $a_nat[$id]['http_inspect_max_gzip_mem']; - - // See if new HTTP_INSPECT engine array is configured and use it; - // otherwise create a default engine configuration. 
- if (empty($pconfig['http_inspect_engine']['item'])) { - $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", - "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", - "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", - "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", - "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", - "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, - "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); - $pconfig['http_inspect_engine']['item'] = array(); - $pconfig['http_inspect_engine']['item'][] = $default; - if (!is_array($a_nat[$id]['http_inspect_engine']['item'])) - $a_nat[$id]['http_inspect_engine']['item'] = array(); - $a_nat[$id]['http_inspect_engine']['item'][] = $default; - write_config(); - $http_inspect_engine_next_id++; - } - else - $pconfig['http_inspect_engine'] = $a_nat[$id]['http_inspect_engine']; - - // See if new FTP client engine array is configured and use it; - // otherwise create a default engine configuration.. 
- if (empty($pconfig['ftp_client_engine']['item'])) { - $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); - $pconfig['ftp_client_engine']['item'] = array(); - $pconfig['ftp_client_engine']['item'][] = $default; - if (!is_array($a_nat[$id]['ftp_client_engine']['item'])) - $a_nat[$id]['ftp_client_engine']['item'] = array(); - $a_nat[$id]['ftp_client_engine']['item'][] = $default; - write_config(); - $ftp_client_engine_next_id++; - } - else - $pconfig['ftp_client_engine'] = $a_nat[$id]['ftp_client_engine']; - - // See if new FTP server engine array is configured and use it; - // otherwise create a default engine configuration.. - if (empty($pconfig['ftp_server_engine']['item'])) { - $default = array( "name" => "default", "bind_to" => "all", "ports" => "default", - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "ignore_data_chan" => "no", "def_max_param_len" => 100 ); - $pconfig['ftp_server_engine']['item'] = array(); - $pconfig['ftp_server_engine']['item'][] = $default; - if (!is_array($a_nat[$id]['ftp_server_engine']['item'])) - $a_nat[$id]['ftp_server_engine']['item'] = array(); - $a_nat[$id]['ftp_server_engine']['item'][] = $default; - write_config(); - $ftp_server_engine_next_id++; - } - else - $pconfig['ftp_server_engine'] = $a_nat[$id]['ftp_server_engine']; - - /* If not using the Snort VRT rules, then disable */ - /* the Sensitive Data (sdf) preprocessor. */ - if ($vrt_enabled == "off") - $pconfig['sensitive_data'] = "off"; - /************************************************************/ /* To keep new users from shooting themselves in the foot */ /* enable the most common required preprocessors by default */ 
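Review bot: With the defaults block removed, `$vrt_enabled` (assigned from `snortdownload` just above this hunk) no longer has a consumer in the visible code, since its only use was the `sensitive_data` override this hunk deletes, and the `*_engine_next_id` counters are no longer incremented because default engine seeding is gone. If engine seeding and the VRT check moved into snort_migrate_config.php, a one-line comment above `$pconfig = $a_nat[$id];` such as `// engine defaults are seeded by snort_migrate_config.php at install time` would spare the next reader the search; otherwise the unused assignment should go. The enclosing `if (isset($id) && isset($a_nat[$id]))` block continues past this hunk.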
@@ -264,12 +107,14 @@ if (isset($id) && $a_nat[$id]) {
 $pconfig['ftp_telnet_detect_anomalies'] = 'on';
 if (empty($pconfig['ftp_telnet_ayt_attack_threshold']) && $pconfig['ftp_telnet_ayt_attack_threshold'] <> 0)
 $pconfig['ftp_telnet_ayt_attack_threshold'] = '20'; 
+
 if (empty($pconfig['sdf_alert_data_type']))
 $pconfig['sdf_alert_data_type'] = "Credit Card,Email Addresses,U.S. Phone Numbers,U.S. Social Security Numbers";
 if (empty($pconfig['sdf_alert_threshold']))
 $pconfig['sdf_alert_threshold'] = '25';
 if (empty($pconfig['sdf_mask_output']))
 $pconfig['sdf_mask_output'] = 'off'; 
+
 if (empty($pconfig['smtp_preprocessor']))
 $pconfig['smtp_preprocessor'] = 'on';
 if (empty($pconfig['dce_rpc_2'])) 
@@ -340,36 +185,56 @@ if (isset($id) && $a_nat[$id]) { $pconfig['pscan_sense_level'] = 'medium'; } -/* Define the "disabled_preproc_rules.log" file for this interface */ -$iface = snort_get_friendly_interface($pconfig['interface']); -$disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); -if ($_GET['act'] && isset($_GET['eng_id'])) { +/* Define the "disabled_preproc_rules.log" file for this interface */ +$disabled_rules_log = "{$if_friendly}_disabled_preproc_rules.log"; - $natent = array(); - $natent = $pconfig; +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); +} - if ($_GET['act'] == "del_frag3") - unset($natent['frag3_engine']['item'][$_GET['eng_id']]); - elseif ($_GET['act'] == "del_stream5_tcp") - unset($natent['stream5_tcp_engine']['item'][$_GET['eng_id']]); - elseif ($_GET['act'] == "del_http_inspect") - unset($natent['http_inspect_engine']['item'][$_GET['eng_id']]); - elseif ($_GET['act'] == "del_ftp_server") - unset($natent['ftp_server_engine']['item'][$_GET['eng_id']]); - - if (isset($id) && $a_nat[$id]) { - $a_nat[$id] = $natent; - write_config(); +// Handle deleting of any of the multiple configuration engines +if ($_POST['del_http_inspect']) { + if (isset($_POST['eng_id']) && isset($id) && issset($a_nat[$id])) { + unset($a_nat[$id]['http_inspect_engine']['item'][$_POST['eng_id']]); + write_config("Snort pkg: deleted http_inspect engine for {$a_nat[$id]['interface']}."); + header("Location: snort_preprocessors.php?id=$id#httpinspect_row"); + exit; } - - header("Location: snort_preprocessors.php?id=$id"); - exit; } - -// Check for returned "selected alias" if action is import -if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) { - 
$pconfig[$_GET['varname']] = $_GET['varvalue']; +elseif ($_POST['del_frag3']) { + if (isset($_POST['eng_id']) && isset($id) && isset($a_nat[$id])) { + unset($a_nat[$id]['frag3_engine']['item'][$_POST['eng_id']]); + write_config("Snort pkg: deleted frag3 engine for {$a_nat[$id]['interface']}."); + header("Location: snort_preprocessors.php?id=$id#frag3_row"); + exit; + } +} +elseif ($_POST['del_stream5_tcp']) { + if (isset($_POST['eng_id']) && isset($id) && isset($a_nat[$id])) { + unset($a_nat[$id]['stream5_tcp_engine']['item'][$_POST['eng_id']]); + write_config("Snort pkg: deleted stream5 engine for {$a_nat[$id]['interface']}."); + header("Location: snort_preprocessors.php?id=$id#stream5_row"); + exit; + } +} +elseif ($_POST['del_ftp_client']) { + if (isset($_POST['eng_id']) && isset($id) && isset($a_nat[$id])) { + unset($a_nat[$id]['ftp_client_engine']['item'][$_POST['eng_id']]); + write_config("Snort pkg: deleted ftp_client engine for {$a_nat[$id]['interface']}."); + header("Location: snort_preprocessors.php?id=$id#ftp_telnet_row"); + exit; + } +} +elseif ($_POST['del_ftp_server']) { + if (isset($_POST['eng_id']) && isset($id) && isset($a_nat[$id])) { + unset($a_nat[$id]['ftp_server_engine']['item'][$_POST['eng_id']]); + write_config("Snort pkg: deleted ftp_server engine for {$a_nat[$id]['interface']}."); + header("Location: snort_preprocessors.php?id=$id#ftp_telnet_row"); + exit; + } } if ($_POST['ResetAll']) { @@ -434,7 +299,8 @@ if ($_POST['ResetAll']) { /* Log a message at the top of the page to inform the user */ $savemsg = gettext("All preprocessor settings have been reset to their defaults."); } -elseif ($_POST['Submit']) { + +if ($_POST['save']) { $natent = array(); $natent = $pconfig; 
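Review bot: `issset($a_nat[$id])` in the `del_http_inspect` branch is a typo for `isset`, so a delete request for an http_inspect engine fails with an undefined-function fatal error instead of removing the entry; the four sibling branches (`del_frag3`, `del_stream5_tcp`, `del_ftp_client`, `del_ftp_server`) spell it correctly. All five handlers also use `$_POST['eng_id']` as an array index as-is and never check server-side that the engine being removed is not the default one, which the page only hides in the markup; guard each branch before the `unset`, e.g. for the first one `if (isset($_POST['eng_id']) && is_numericint($_POST['eng_id']) && isset($id) && isset($a_nat[$id]) && $a_nat[$id]['http_inspect_engine']['item'][$_POST['eng_id']]['bind_to'] != "all") {`. The `import` block writes `$_GET['varvalue']` into whichever `$pconfig` key `$_GET['varname']` names; restricting `varname` to the known alias field names of this form would keep that from overwriting unrelated settings.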
@@ -509,9 +375,9 @@ elseif ($_POST['Submit']) { $natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off'; $natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off'; - if (isset($id) && $a_nat[$id]) { + if (isset($id) && isset($a_nat[$id])) { $a_nat[$id] = $natent; - write_config(); + write_config("Snort pkg: saved modified preprocessor settings for {$a_nat[$id]['interface']}."); } /*************************************************/ @@ -524,7 +390,7 @@ elseif ($_POST['Submit']) { /* If 'preproc_auto_rule_disable' is off, then clear log file */ if ($natent['preproc_auto_rule_disable'] == 'off') - @unlink("{$disabled_rules_log}"); + unlink_if_exists("{$snortlogdir}/{$disabled_rules_log}"); /*******************************************************/ /* Signal Snort to reload Host Attribute Table if one */ 
@@ -543,20 +409,25 @@ elseif ($_POST['Submit']) { header("Location: snort_preprocessors.php?id=$id"); exit; } + else + $pconfig = $_POST; } -elseif ($_POST['btn_import']) { + +if ($_POST['btn_import']) { if (is_uploaded_file($_FILES['host_attribute_file']['tmp_name'])) { $data = file_get_contents($_FILES['host_attribute_file']['tmp_name']); - if ($data === false) + if ($data === false) { $input_errors[] = gettext("Error uploading file {$_FILES['host_attribute_file']}!"); + $pconfig = $_POST; + } else { - if (isset($id) && $a_nat[$id]) { + if (isset($id) && isset($a_nat[$id])) { $a_nat[$id]['host_attribute_table'] = "on"; $a_nat[$id]['host_attribute_data'] = base64_encode($data); $pconfig['host_attribute_data'] = $a_nat[$id]['host_attribute_data']; $a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts']; $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host']; - write_config(); + write_config("Snort pkg: imported Host Attribute Table data for {$a_nat[$id]['interface']}."); } header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -567,15 +438,18 @@ elseif ($_POST['btn_import']) { exit; } } - else + else { $input_errors[] = gettext("No filename specified for import!"); + $pconfig = $_POST; + } } -elseif ($_POST['btn_edit_hat']) { - if (isset($id) && $a_nat[$id]) { + +if ($_POST['btn_edit_hat']) { + if (isset($id) && isset($a_nat[$id])) { $a_nat[$id]['host_attribute_table'] = "on"; $a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts']; $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host']; - write_config(); + write_config("Snort pkg: modified Host Attribute Table data for {$a_nat[$id]['interface']}."); header("Location: snort_edit_hat_data.php?id=$id"); exit; } 
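Review bot: The error path in the `btn_import` hunk interpolates `$_FILES['host_attribute_file']`, which is an array, into the message, so the user sees `Error uploading file Array!`; the `name` element is what is meant, and keeping the value outside the `gettext()` string makes the message translatable: `$input_errors[] = sprintf(gettext("Error uploading file %s!"), htmlspecialchars($_FILES['host_attribute_file']['name']));`. The same branch copies `$pconfig['max_attribute_hosts']` and `$pconfig['max_attribute_services_per_host']` straight into the saved config; the form text further down states minimum and maximum bounds for both, and if `$pconfig` carries posted values at this point those bounds are not enforced before `write_config`.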
@@ -586,26 +460,21 @@ elseif ($_POST['btn_edit_hat']) { if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_data'])) $input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. Data may be entered manually or imported from a suitable file."); -$if_friendly = snort_get_friendly_interface($pconfig['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - Preprocessors and Flow"); include_once("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="enable_change_all()"> -<?php include("fbegin.inc"); ?> -<?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} - - - /* Display Alert message */ +<?php include("fbegin.inc"); - if ($input_errors) { - print_input_errors($input_errors); // TODO: add checks - } - - if ($savemsg) { - print_info_box($savemsg); - } +/* Display Alert message */ +if ($input_errors) { + print_input_errors($input_errors); +} +if ($savemsg) { + print_info_box($savemsg); +} ?> <script type="text/javascript" src="/javascript/autosuggest.js"> @@ -613,8 +482,9 @@ include_once("head.inc"); <script type="text/javascript" src="/javascript/suggestions.js"> </script> -<form action="snort_preprocessors.php" method="post" - enctype="multipart/form-data" name="iform" id="iform"> +<form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id;?>"/> +<input name="eng_id" id="eng_id" type="hidden" value=""/> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php 
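Review bot: The new hidden field `<input name="id" type="hidden" value="<?=$id;?>"/>` echoes `$id` into the markup unescaped; whether `$id` was validated as an integer earlier in this file is outside the hunk (the `snort_rules.php` hunk further down does check `is_numericint`), so emit it as `value="<?=htmlspecialchars($id);?>"` the way the other form fields in this file already do. The `$pgtitle` line builds the title with `{$if_friendly}` interpolated inside the `gettext()` call, which makes the string untranslatable; `sprintf(gettext("Snort: Interface %s - Preprocessors and Flow"), $if_friendly)` produces the same output.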
@@ -622,23 +492,25 @@ include_once("head.inc"); $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); echo '</td></tr>'; echo '<tr><td>'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); - $tab_array = array(); - $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), true, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array($menu_iface . 
gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocs"), true, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr><td><div id="mainarea"> @@ -694,7 +566,7 @@ include_once("head.inc"); "disabled preprocessors, but can substantially compromise the level of protection by " . "automatically disabling detection rules."); ?></td> </tr> - <?php if (file_exists($disabled_rules_log) && filesize($disabled_rules_log) > 0): ?> + <?php if (file_exists("{$snortlogdir}/{$disabled_rules_log}") && filesize("{$snortlogdir}/{$disabled_rules_log}") > 0): ?> <tr> <td width="3%"> </td> <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600);"> 
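Review bot: The View button in the second hunk builds `snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>`, and `$disabled_rules_log` is now derived from the interface's friendly description rather than a fixed name, so it may contain spaces or other characters that are significant in a URL or inside the single-quoted JavaScript string; wrap it as `openruleset=<?=urlencode($disabled_rules_log);?>`. The link hands a filename to the rule editor, so whatever check `snort_rules_edit.php` applies to `openruleset` is what confines it to the log directory — that script is not visible here.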
@@ -718,8 +590,8 @@ include_once("head.inc"); <tr id="host_attrib_table_data_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Host Attribute Data"); ?></td> <td width="78%" class="vtable"><strong><?php echo gettext("Import From File"); ?></strong><br/> - <input name="host_attribute_file" type="file" class="formfld file" value="on" id="host_attribute_file" size="40"> - <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn"><br/> + <input name="host_attribute_file" type="file" class="formfld file" value="on" id="host_attribute_file" size="40"/> + <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn"/><br/> <?php echo gettext("Choose the Host Attributes file to use for auto-configuration."); ?><br/><br/> <span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span> <?php echo gettext("The Host Attributes file has a required format. See the "); ?><a href="http://manual.snort.org/" target="_blank"> @@ -744,7 +616,7 @@ include_once("head.inc"); <table cellpadding="0" cellspacing="0"> <tr> <td><input name="max_attribute_hosts" type="text" class="formfld unknown" id="max_attribute_hosts" size="9" - value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>"> + value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>"/> <?php echo gettext("Max number of hosts to read from the Attribute Table. Min is ") . "<strong>" . gettext("32") . "</strong>" . gettext(" and Max is ") . "<strong>" . gettext("524288") . "</strong>"; ?>.</td> 
@@ -761,7 +633,7 @@ include_once("head.inc"); <table cellpadding="0" cellspacing="0"> <tr> <td><input name="max_attribute_services_per_host" type="text" class="formfld unknown" id="max_attribute_services_per_host" size="9" - value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>"> + value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>"/> <?php echo gettext("Max number of per host services to read from the Attribute Table. Min is ") . "<strong>" . gettext("1") . "</strong>" . gettext(" and Max is ") . "<strong>" . gettext("65535") . "</strong>"; ?>.</td> @@ -868,10 +740,10 @@ include_once("head.inc"); <td class="listt" align="right"><a href="snort_httpinspect_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?=gettext("Edit this server configuration");?>"></a> - <?php if ($v['bind_to'] <> "all") : ?> - <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_http_inspect" onclick="return confirm('Are you sure you want to delete this entry?');"> - <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" - title="<?=gettext("Delete this server configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <input type="image" name="del_http_inspect[]" onclick="document.getElementById('eng_id').value='<?=$f;?>'; return confirm('Are you sure you want to delete this entry?');" + src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this server configuration");?>"/> <?php else : ?> <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" title="<?=gettext("Default server configuration cannot be deleted");?>"> 
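Review bot: The edit link in the second hunk still writes a bare `&` between the `id` and `eng_id` query parameters inside an HTML attribute; it should be `&amp;`, and the same applies to the frag3, stream5 TCP, FTP client and FTP server hunks that follow. The new `<input type="image">` submits the whole form, and the delete handler at the top of the page redirects right after its `unset`, so edits to other fields posted along with the click are dropped without being saved; a short comment next to the button, e.g. `<!-- delete submits the form; unsaved edits to other fields are discarded -->`, would make that explicit for the next maintainer.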
@@ -937,9 +809,9 @@ include_once("head.inc"); <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?=gettext("Edit this engine configuration");?>"></a> <?php if ($v['bind_to'] <> "all") : ?> - <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_frag3" onclick="return confirm('Are you sure you want to delete this entry?');"> - <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" - title="<?=gettext("Delete this engine configuration");?>"></a> + <input type="image" name="del_frag3[]" onclick="document.getElementById('eng_id').value='<?=$f;?>'; return confirm('Are you sure you want to delete this entry?');" + src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this engine configuration");?>"/> <?php else : ?> <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" title="<?=gettext("Default engine configuration cannot be deleted");?>"> 
@@ -1094,9 +966,9 @@ include_once("head.inc"); <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?=gettext("Edit this TCP engine configuration");?>"></a> <?php if ($v['bind_to'] <> "all") : ?> - <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_stream5_tcp" onclick="return confirm('Are you sure you want to delete this entry?');"> - <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" - title="<?=gettext("Delete this TCP engine configuration");?>"></a> + <input type="image" name="del_stream5_tcp[]" onclick="document.getElementById('eng_id').value='<?=$f;?>'; return confirm('Are you sure you want to delete this entry?');" + src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this TCP engine configuration");?>"/> <?php else : ?> <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" title="<?=gettext("Default engine configuration cannot be deleted");?>"> 
@@ -1329,9 +1201,9 @@ include_once("head.inc"); <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?=gettext("Edit this FTP client configuration");?>"></a> <?php if ($v['bind_to'] <> "all") : ?> - <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');"> - <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" - title="<?=gettext("Delete this FTP client configuration");?>"></a> + <input type="image" name="del_ftp_client[]" onclick="document.getElementById('eng_id').value='<?=$f;?>'; return confirm('Are you sure you want to delete this entry?');" + src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this FTP client configuration");?>"/> <?php else : ?> <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" title="<?=gettext("Default client configuration cannot be deleted");?>"> 
@@ -1371,9 +1243,9 @@ include_once("head.inc"); <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?=gettext("Edit this FTP server configuration");?>"></a> <?php if ($v['bind_to'] <> "all") : ?> - <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');"> - <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" - title="<?=gettext("Delete this FTP server configuration");?>"></a> + <input type="image" name="del_ftp_server[]" onclick="document.getElementById('eng_id').value='<?=$f;?>'; return confirm('Are you sure you want to delete this entry?');" + src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this FTP server configuration");?>"/> <?php else : ?> <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" title="<?=gettext("Default server configuration cannot be deleted");?>"> @@ -1399,7 +1271,7 @@ include_once("head.inc"); <?php echo gettext("Sensitive data searches for credit card numbers, Social Security numbers and e-mail addresses in data."); ?> <br/> <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the ") . - "<a href=\"/snort/snort_interfaces_global.php\" title=\"" . gettext("Modify Snort global settings") . "\"/>" . gettext("Global Settings") . "</a>" . gettext(" tab."); ?> + "<a href=\"/snort/snort_interfaces_global.php\" title=\"" . gettext("Modify Snort global settings") . "\">" . gettext("Global Settings") . "</a>" . gettext(" tab."); ?> </td> </tr> <tr id="sdf_alert_data_row"> 
@@ -1533,9 +1405,9 @@ include_once("head.inc"); <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save" title="<?php echo + <input name="save" type="submit" class="formbtn" value="Save" title="<?php echo gettext("Save preprocessor settings"); ?>"> - <input name="id" type="hidden" value="<?=$id;?>"> + <input name="ResetAll" type="submit" class="formbtn" value="Reset" title="<?php echo gettext("Reset all settings to defaults") . "\" onclick=\"return confirm('" . gettext("WARNING: This will reset ALL preprocessor settings to their defaults. Click OK to continue or CANCEL to quit.") . @@ -1582,8 +1454,6 @@ include_once("head.inc"); function createAutoSuggest() { <?php echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n"; - echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_net'), new StateSuggestions(addressarray));\n"; - echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_port'), new StateSuggestions(portsarray));\n"; ?> } diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index a82d81d2..e69152c3 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -5,6 +5,7 @@ * Copyright (C) 2004, 2005 Scott Ullrich * Copyright (C) 2008, 2009 Robert Zelaya * Copyright (C) 2011 Ermal Luci + * Copyright (C) 2013, 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -29,7 +30,6 @@ * POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); 
@@ -37,38 +37,26 @@ global $g, $rebuild_rules; $snortdir = SNORTDIR; $rules_map = array(); +$categories = array(); +$pconfig = array(); if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); $a_rule = &$config['installedpackages']['snortglobal']['rule']; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + if (is_null($id)) { - header("Location: /snort/snort_interfaces.php"); - exit; + header("Location: /snort/snort_interfaces.php"); + exit; } -if (isset($id) && $a_rule[$id]) { - $pconfig['enable'] = $a_rule[$id]['enable']; +if (isset($id) && isset($a_rule[$id])) { $pconfig['interface'] = $a_rule[$id]['interface']; $pconfig['rulesets'] = $a_rule[$id]['rulesets']; - if (!empty($a_rule[$id]['customrules'])) - $pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']); -} - -function truncate($string, $length) { - - /******************************** - * This function truncates the * - * passed string to the length * - * specified adding ellipsis if * - * truncation was necessary. * - ********************************/ - if (strlen($string) > $length) - $string = substr($string, 0, ($length - 2)) . "..."; - return $string; } function add_title_attribute($tag, $title) { 
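Review bot: `$id` is never initialized before the `is_null($id)` test, so a request that carries a valid `id` in neither `$_POST` nor `$_GET` reaches `is_null` on an undefined variable; add `$id = null;` ahead of the first `if`. The GET branch also wraps a value already validated by `is_numericint` in `htmlspecialchars` while the POST branch stores it raw; once the value is known to be an integer string the escaping is redundant, and the two branches should agree, so `$id = $_GET['id'];` is sufficient.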
@@ -104,233 +92,255 @@ function add_title_attribute($tag, $title) { } /* convert fake interfaces to real */ -$if_real = snort_get_real_interface($pconfig['interface']); +$if_real = get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules'] == 'on' ? 'on' : 'off'; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; -$categories = explode("||", $pconfig['rulesets']); - -if ($_GET['openruleset']) - $currentruleset = $_GET['openruleset']; -else if ($_POST['openruleset']) +$etprodownload = $config['installedpackages']['snortglobal']['emergingthreats_pro']; + +// Add any previously saved rules files to the categories array +if (!empty($pconfig['rulesets'])) + $categories = explode("||", $pconfig['rulesets']); + +// add the standard rules files to the categories array +$categories[] = "custom.rules"; +$categories[] = "decoder.rules"; +$categories[] = "preprocessor.rules"; +$categories[] = "sensitive-data.rules"; +if (!empty($a_rule[$id]['ips_policy'])) + $categories[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); +if ($a_rule[$id]['autoflowbitrules'] == 'on') + $categories[] = "Auto-Flowbit Rules"; +natcasesort($categories); + +if (isset($_POST['openruleset'])) $currentruleset = $_POST['openruleset']; +elseif (isset($_GET['openruleset'])) + $currentruleset = htmlspecialchars($_GET['openruleset']); else - $currentruleset = $categories[0]; - -if (empty($categories[0]) && ($currentruleset != "custom.rules") && ($currentruleset != "Auto-Flowbit Rules")) { - if (!empty($a_rule[$id]['ips_policy'])) - $currentruleset = "IPS Policy - " . 
ucfirst($a_rule[$id]['ips_policy']); - else - $currentruleset = "custom.rules"; -} + $currentruleset = $categories[key($categories)]; /* One last sanity check -- if the rules directory is empty, default to loading custom rules */ $tmp = glob("{$snortdir}/rules/*.rules"); if (empty($tmp)) $currentruleset = "custom.rules"; -$ruledir = "{$snortdir}/rules"; -$rulefile = "{$ruledir}/{$currentruleset}"; +$rulefile = "{$snortdir}/rules/{$currentruleset}"; if ($currentruleset != 'custom.rules') { // Read the current rules file into our rules map array. // If it is the auto-flowbits file, set the full path. if ($currentruleset == "Auto-Flowbit Rules") - $rulefile = "{$snortcfgdir}/rules/" . FLOWBITS_FILENAME; + $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME); // Test for the special case of an IPS Policy file. - if (substr($currentruleset, 0, 10) == "IPS Policy") + elseif (substr($currentruleset, 0, 10) == "IPS Policy") $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); - elseif (!file_exists($rulefile)) - $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again."); - else + // Test for preproc_rules file and set the full path. + elseif (file_exists("{$snortdir}/preproc_rules/{$currentruleset}")) + $rules_map = snort_load_rules_map("{$snortdir}/preproc_rules/{$currentruleset}"); + // Test for existence of regular text rules file and load it. + elseif (file_exists($rulefile)) $rules_map = snort_load_rules_map($rulefile); + else + $input_errors[] = gettext("{$currentruleset} seems to be missing!!! 
Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again."); } /* Load up our enablesid and disablesid arrays with enabled or disabled SIDs */ -$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on'], "enablesid"); -$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off'], "disablesid"); +$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on']); +$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off']); -if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { +if ($_POST['toggle'] && is_numeric($_POST['sid']) && is_numeric($_POST['gid']) && !empty($rules_map)) { - // Get the SID tag embedded in the clicked rule icon. - $sid= $_GET['ids']; + // Get the GID:SID tags embedded in the clicked rule icon. + $gid = $_POST['gid']; + $sid = $_POST['sid']; // See if the target SID is in our list of modified SIDs, - // and toggle it if present; otherwise, add it to the - // appropriate list. - if (isset($enablesid[$sid])) { - unset($enablesid[$sid]); - if (!isset($disablesid[$sid])) - $disablesid[$sid] = "disablesid"; - } - elseif (isset($disablesid[$sid])) { - unset($disablesid[$sid]); - if (!isset($enablesid[$sid])) - $enablesid[$sid] = "enablesid"; - } + // and toggle it back to default if present; otherwise, + // add it to the appropriate modified SID list. + if (isset($enablesid[$gid][$sid])) + unset($enablesid[$gid][$sid]); + elseif (isset($disablesid[$gid][$sid])) + unset($disablesid[$gid][$sid]); else { - if ($rules_map[1][$sid]['disabled'] == 1) - $enablesid[$sid] = "enablesid"; + if ($rules_map[$gid][$sid]['disabled'] == 1) + $enablesid[$gid][$sid] = "enablesid"; else - $disablesid[$sid] = "disablesid"; + $disablesid[$gid][$sid] = "disablesid"; } // Write the updated enablesid and disablesid values to the config file. 
$tmp = ""; - foreach ($enablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_on'] = $tmp; else unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; - foreach ($disablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_off'] = $tmp; else unset($a_rule[$id]['rule_sid_off']); /* Update the config.xml file. */ - write_config(); + write_config("Snort pkg: modified state for rule {$gid}:{$sid} on {$a_rule[$id]['interface']}."); - $_GET['openruleset'] = $currentruleset; - $anchor = "rule_{$sid}"; + $anchor = "rule_{$gid}_{$sid}"; } - -if ($_GET['act'] == "disable_all" && !empty($rules_map)) { +elseif ($_POST['disable_all'] && !empty($rules_map)) { // Mark all rules in the currently selected category "disabled". foreach (array_keys($rules_map) as $k1) { foreach (array_keys($rules_map[$k1]) as $k2) { - if (isset($enablesid[$k2])) - unset($enablesid[$k2]); - $disablesid[$k2] = "disablesid"; + if (isset($enablesid[$k1][$k2])) + unset($enablesid[$k1][$k2]); + $disablesid[$k1][$k2] = "disablesid"; } } + // Write the updated enablesid and disablesid values to the config file. 
$tmp = ""; - foreach ($enablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_on'] = $tmp; else unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; - foreach ($disablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_off'] = $tmp; else unset($a_rule[$id]['rule_sid_off']); - write_config(); - $_GET['openruleset'] = $currentruleset; - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; + write_config("Snort pkg: disabled all rules in category {$currentruleset} for {$a_rule[$id]['interface']}."); } - -if ($_GET['act'] == "enable_all" && !empty($rules_map)) { +elseif ($_POST['enable_all'] && !empty($rules_map)) { // Mark all rules in the currently selected category "enabled". foreach (array_keys($rules_map) as $k1) { foreach (array_keys($rules_map[$k1]) as $k2) { - if (isset($disablesid[$k2])) - unset($disablesid[$k2]); - $enablesid[$k2] = "enablesid"; + if (isset($disablesid[$k1][$k2])) + unset($disablesid[$k1][$k2]); + $enablesid[$k1][$k2] = "enablesid"; } } // Write the updated enablesid and disablesid values to the config file. 
$tmp = ""; - foreach ($enablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_on'] = $tmp; else unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; - foreach ($disablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_off'] = $tmp; else unset($a_rule[$id]['rule_sid_off']); - write_config(); - $_GET['openruleset'] = $currentruleset; - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; + write_config("Snort pkg: enable all rules in category {$currentruleset} for {$a_rule[$id]['interface']}."); } - -if ($_GET['act'] == "resetcategory" && !empty($rules_map)) { +elseif ($_POST['resetcategory'] && !empty($rules_map)) { // Reset any modified SIDs in the current rule category to their defaults. foreach (array_keys($rules_map) as $k1) { foreach (array_keys($rules_map[$k1]) as $k2) { - if (isset($enablesid[$k2])) - unset($enablesid[$k2]); - if (isset($disablesid[$k2])) - unset($disablesid[$k2]); + if (isset($enablesid[$k1][$k2])) + unset($enablesid[$k1][$k2]); + if (isset($disablesid[$k1][$k2])) + unset($disablesid[$k1][$k2]); } } // Write the updated enablesid and disablesid values to the config file. 
$tmp = ""; - foreach ($enablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_on'] = $tmp; else unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; - foreach ($disablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_off'] = $tmp; else unset($a_rule[$id]['rule_sid_off']); - write_config(); - $_GET['openruleset'] = $currentruleset; - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; + write_config("Snort pkg: remove enablesid/disablesid changes for category {$currentruleset} on {$a_rule[$id]['interface']}."); } - -if ($_GET['act'] == "resetall" && !empty($rules_map)) { +elseif ($_POST['resetall'] && !empty($rules_map)) { // Remove all modified SIDs from config.xml and save the changes. unset($a_rule[$id]['rule_sid_on']); unset($a_rule[$id]['rule_sid_off']); /* Update the config.xml file. 
*/ - write_config(); - - $_GET['openruleset'] = $currentruleset; - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; + write_config("Snort pkg: remove all enablesid/disablesid changes for {$a_rule[$id]['interface']}."); } - -if ($_POST['clear']) { +else if ($_POST['cancel']) { + $pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']); +} +elseif ($_POST['clear']) { unset($a_rule[$id]['customrules']); - write_config(); + write_config("Snort pkg: clear all custom rules for {$a_rule[$id]['interface']}."); $rebuild_rules = true; snort_generate_conf($a_rule[$id]); $rebuild_rules = false; - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; + $pconfig['customrules'] = ''; } - -if ($_POST['customrules']) { - $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); - write_config(); +elseif ($_POST['save']) { + $pconfig['customrules'] = $_POST['customrules']; + if ($_POST['customrules']) + $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); + else + unset($a_rule[$id]['customrules']); + write_config("Snort pkg: save modified custom rules for {$a_rule[$id]['interface']}."); $rebuild_rules = true; snort_generate_conf($a_rule[$id]); $rebuild_rules = false; 
@@ -346,14 +356,15 @@ if ($_POST['customrules']) { $input_errors[] = "Custom rules have errors:\n {$error}"; } else { - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; + /* Soft-restart Snort to live-load new rules */ + snort_reload_config($a_rule[$id]); + $savemsg = gettext("Custom rules validated successfully and have been saved to the Snort configuration files. "); + $savemsg .= gettext("Any active Snort process on this interface has been signalled to live-load the new rules."); } } - else if ($_POST['apply']) { /* Save new configuration */ - write_config(); + write_config("Snort pkg: save new rules configuration for {$a_rule[$id]['interface']}."); /*************************************************/ /* Update the snort conf file and rebuild the */ @@ -365,29 +376,18 @@ else if ($_POST['apply']) { /* Soft-restart Snort to live-load new rules */ snort_reload_config($a_rule[$id]); - - /* Return to this same page */ - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; -} -else if ($_POST['cancel']) { - - /* Return to this same page */ - header("Location: /snort/snort_rules.php?id={$id}"); - exit; } require_once("guiconfig.inc"); include_once("head.inc"); -$if_friendly = snort_get_friendly_interface($pconfig['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_rule[$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - Rules: {$currentruleset}"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); -if ($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} /* Display message */ if ($input_errors) { 
@@ -401,6 +401,10 @@ if ($savemsg) {
 ?>
 <form action="/snort/snort_rules.php" method="post" name="iform" id="iform">
+<input type='hidden' name='id' id='id' value='<?=$id;?>'/>
+<input type='hidden' name='openruleset' id='openruleset' value='<?=$currentruleset;?>'/>
+<input type='hidden' name='sid' id='sid' value=''/>
+<input type='hidden' name='gid' id='gid' value=''/>
 <table width="100%" border="0" cellpadding="0" cellspacing="0">
 <tr><td>
 <?php
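Review bot: The new hidden fields write `$id` and `$currentruleset` into single-quoted attribute values with no output encoding, so a value containing `'` terminates the attribute. Since the rewritten go() handler in the last hunk of this file posts the selected category back through `openruleset`, `$currentruleset` is presumably request-derived and should be encoded where it is echoed: `value='<?=htmlspecialchars($currentruleset, ENT_QUOTES);?>'`, and the same for `$id`. Where `$currentruleset` is assigned is outside this chunk, so whether it is already checked against the known category list cannot be confirmed here.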
@@ -408,23 +412,25 @@ if ($savemsg) { $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array,true); echo '</td></tr>'; echo '<tr><td class="tabnavtbl">'; - $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");; - $tab_array = array(); - $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array($menu_iface . 
gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr><td><div id="mainarea"> 
@@ -432,25 +438,21 @@ if ($savemsg) { <tr> <td class="listtopic"><?php echo gettext("Available Rule Categories"); ?></td> </tr> - <tr> <td class="vncell" height="30px"><strong><?php echo gettext("Category:"); ?></strong> <select id="selectbox" name="selectbox" class="formselect" onChange="go()"> - <option value='?id=<?=$id;?>&openruleset=custom.rules'>custom.rules</option> <?php - $files = explode("||", $pconfig['rulesets']); - if ($a_rule[$id]['ips_policy_enable'] == 'on') - $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); - if ($a_rule[$id]['autoflowbitrules'] == 'on') - $files[] = "Auto-Flowbit Rules"; - natcasesort($files); - foreach ($files as $value) { - if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_") + foreach ($categories as $value) { + if ($snortdownload != 'on' && substr($value, 0, mb_strlen(VRT_FILE_PREFIX)) == VRT_FILE_PREFIX) + continue; + if ($emergingdownload != 'on' && substr($value, 0, mb_strlen(ET_OPEN_FILE_PREFIX)) == ET_OPEN_FILE_PREFIX) + continue; + if ($etprodownload != 'on' && substr($value, 0, mb_strlen(ET_PRO_FILE_PREFIX)) == ET_PRO_FILE_PREFIX) continue; - if ($emergingdownload != 'on' && substr($value, 0, 8) == "emerging") + if ($snortcommunitydownload != 'on' && substr($value, 0, mb_strlen(GPL_FILE_PREFIX)) == GPL_FILE_PREFIX) continue; if (empty($value)) continue; - echo "<option value='?id={$id}&openruleset={$value}' "; + echo "<option value='{$value}' "; if ($value == $currentruleset) echo "selected"; echo ">{$value}</option>\n"; 
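Review bot: The four new prefix guards pair the byte-based `substr()` with the character-based `mb_strlen()`, which only agree while the prefix constants stay ASCII; a single byte-wise comparison says what is meant, e.g. `if ($snortdownload != 'on' && strncmp($value, VRT_FILE_PREFIX, strlen(VRT_FILE_PREFIX)) == 0)`, repeated for the other three prefixes or driven from a small prefix-to-flag map. The `empty($value)` test is cheaper than the prefix tests and could come first. The option is still emitted as `value='{$value}'` without `htmlspecialchars()`; `$categories` is built outside this hunk, so its origin cannot be checked here.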
@@ -459,21 +461,18 @@ if ($savemsg) { </select> <?php echo gettext("Select the rule category to view"); ?> </td> </tr> - <?php if ($currentruleset == 'custom.rules'): ?> <tr> <td class="listtopic"><?php echo gettext("Defined Custom Rules"); ?></td> </tr> <tr> <td valign="top" class="vtable"> - <input type='hidden' name='openruleset' value='custom.rules'> - <input type='hidden' name='id' value='<?=$id;?>'> - <textarea wrap="soft" cols="90" rows="40" name="customrules"><?=$pconfig['customrules'];?></textarea> + <textarea wrap="soft" cols="90" rows="40" name="customrules"><?=base64_decode($a_rule[$id]['customrules']);?></textarea> </td> </tr> <tr> <td> - <input name="Submit" type="submit" class="formbtn" id="submit" value="<?php echo gettext(" Save "); ?>" title=" <?php echo gettext("Save custom rules"); ?>"/> + <input name="save" type="submit" class="formbtn" id="save" value="<?php echo gettext(" Save "); ?>" title=" <?php echo gettext("Save custom rules"); ?>"/> <input name="cancel" type="submit" class="formbtn" id="cancel" value="<?php echo gettext("Cancel"); ?>" title="<?php echo gettext("Cancel changes and return to last page"); ?>"/> <input name="clear" type="submit" class="formbtn" id="clear" value="<?php echo gettext("Clear"); ?>" onclick="return confirm('<?php echo gettext("This will erase all custom rules for the interface. Are you sure?"); ?>')" title="<?php echo gettext("Deletes all custom rules"); ?>"/> </td> 
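Review bot: The textarea now echoes `base64_decode($a_rule[$id]['customrules'])` raw; textarea content ends at the first `</textarea>` and the browser decodes character references in it on submit, so stored rule text containing either does not round-trip: `<textarea wrap="soft" cols="90" rows="40" name="customrules"><?=htmlspecialchars(base64_decode($a_rule[$id]['customrules']));?></textarea>`. Rendering the stored value directly also leaves the `$pconfig['customrules']` assignments added in the cancel, clear and save branches of the first hunk unused as far as the visible hunks show; either render `$pconfig['customrules']` here or drop those assignments.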
@@ -486,43 +485,50 @@ if ($savemsg) { <td class="vncell"> <table width="100%" align="center" border="0" cellpadding="0" cellspacing="0"> <tr> - <td rowspan="4" width="48%" valign="middle"><input type="submit" name="apply" id="apply" value="<?php echo gettext("Apply"); ?>" class="formbtn" - title="<?php echo gettext("Click to rebuild the rules with your changes"); ?>"/> - <input type='hidden' name='id' value='<?=$id;?>'/> - <input type='hidden' name='openruleset' value='<?=$currentruleset;?>'/><br/><br/> + <td rowspan="5" width="48%" valign="middle"><input type="submit" name="apply" id="apply" value="<?php echo gettext("Apply"); ?>" class="formbtn" + title="<?php echo gettext("Click to rebuild the rules with your changes"); ?>"/><br/><br/> <span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . - gettext("Snort must be restarted to activate any SID enable/disable changes made on this tab."); ?></span></td> - <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetcategory'> - <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" + gettext("When finished, click APPLY to save and send any SID enable/disable changes made on this tab to Snort."); ?></span></td> + <td class="vexpl" valign="middle"><?php echo "<input type='image' name='resetcategory[]' + src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' - title='" . gettext("Click to remove enable/disable changes for rules in the selected category only") . "'></a>"?> + title='" . gettext("Click to remove enable/disable changes for rules in the selected category only") . 
"'/>"?> <?php echo gettext("Remove Enable/Disable changes in the current Category"); ?></td> </tr> <tr> - <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetall'> - <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" + <td class="vexpl" valign="middle"><?php echo "<input type='image' name='resetall[]' + src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' - title='" . gettext("Click to remove all enable/disable changes for rules in all categories") . "'></a>"?> + title='" . gettext("Click to remove all enable/disable changes for rules in all categories") . "'/>"?> <?php echo gettext("Remove all Enable/Disable changes in all Categories"); ?></td> </tr> <tr> - <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=disable_all'> - <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" + <td class="vexpl" valign="middle"><?php echo "<input type='image' name='disable_all[]' + src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' - title='" . gettext("Click to disable all rules in the selected category") . "'></a>"?> + title='" . gettext("Click to disable all rules in the selected category") . 
"'/>"?> <?php echo gettext("Disable all rules in the current Category"); ?></td> </tr> <tr> - <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=enable_all'> - <img src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" width=\"15\" height=\"15\" + <td class="vexpl" valign="middle"><?php echo "<input type='image' name='enable_all[]' + src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" width=\"15\" height=\"15\" onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\"' onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_plus_mo.gif\"' border='0' - title='" . gettext("Click to enable all rules in the selected category") . "'></a>"?> + title='" . gettext("Click to enable all rules in the selected category") . "'/>"?> <?php echo gettext("Enable all rules in the current Category"); ?></td> </tr> + <tr> + <td class="vexpl" valign="middle"><a href="javascript: void(0)" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>','FileViewer',800,600)"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" width="15" height="15" <?php + echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"' + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_service_restart.gif\"' ";?> + title="<?php echo gettext("Click to view full text of all the category rules"); ?>" width="17" height="17" border="0"></a> + <?php echo gettext("View full file contents for the current Category"); ?></td> + </tr> <?php if ($currentruleset == 'Auto-Flowbit Rules'): ?> <tr> <td colspan="3"> </td> 
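Review bot: The new "view full file" link builds `snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>` inside a JavaScript string inside an HTML attribute with no encoding, yet category names such as `Auto-Flowbit Rules` (tested a few lines below) contain spaces and a `'` in the value would end the JS string; use `openruleset=<?=urlencode($currentruleset);?>`. The same unencoded `openruleset={$currentruleset}` appears in every `ondblclick`/`onclick` `wopen()` call of the two row-rendering hunks that follow, so the fix applies there too. Moving the reset/disable/enable actions from `act=` links to POST image buttons is the right direction for state-changing requests.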
@@ -530,77 +536,73 @@ if ($savemsg) { <tr> <td colspan="3" class="vexpl" align="center"><?php echo "<span class=\"red\"><b>" . gettext("WARNING: ") . "</b></span>" . gettext("You should not disable flowbit rules! Add Suppress List entries for them instead by ") . - "<a href='snort_rules_flowbits.php?id={$id}&openruleset={$currentruleset}&returl=" . urlencode($_SERVER['PHP_SELF']) . "' title=\"" . gettext("Add Suppress List entry for Flowbit Rule") . "\">" . + "<a href='snort_rules_flowbits.php?id={$id}' title=\"" . gettext("Add Suppress List entry for Flowbit Rule") . "\">" . gettext("clicking here") . ".</a>";?></td> </tr> <?php endif;?> </table> </td> </tr> - <tr> <td class="listtopic"><?php echo gettext("Selected Category's Rules"); ?></td> </tr> <tr> <td> + + <?php if ($currentruleset != 'decoder.rules' && $currentruleset != 'preprocessor.rules'): ?> + <table id="myTable" class="sortable" style="table-layout: fixed;" width="100%" border="0" cellpadding="0" cellspacing="0"> <colgroup> - <col width="15" align="left" valign="middle"> + <col width="14" align="left" valign="middle"> + <col width="6%" align="center" axis="number"> <col width="9%" align="center" axis="number"> - <col width="60" align="center" axis="string"> + <col width="52" align="center" axis="string"> <col width="14%" align="center" axis="string"> - <col width="11%" align="center" axis="string"> + <col width="10%" align="center" axis="string"> <col width="14%" align="center" axis="string"> - <col width="11%" align="center" axis="string"> + <col width="10%" align="center" axis="string"> <col axis="string"> - <col width="22" align="right" valign="middle"> </colgroup> <thead> <tr> <th class="list"> </th> + <th class="listhdrr"><?php echo gettext("GID"); ?></th> <th class="listhdrr"><?php echo gettext("SID"); ?></th> <th class="listhdrr"><?php echo gettext("Proto"); ?></th> <th class="listhdrr"><?php echo gettext("Source"); ?></th> - <th class="listhdrr"><?php echo gettext("Port"); ?></th> + <th 
class="listhdrr"><?php echo gettext("SPort"); ?></th> <th class="listhdrr"><?php echo gettext("Destination"); ?></th> - <th class="listhdrr"><?php echo gettext("Port"); ?></th> + <th class="listhdrr"><?php echo gettext("DPort"); ?></th> <th class="listhdrr"><?php echo gettext("Message"); ?></th> - <th class="list"><a href="javascript: void(0)" - onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>','FileViewer',800,600)"> - <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php - echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"' - onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_service_restart.gif\"' ";?> - title="<?php echo gettext("Click to view full text of all the category rules"); ?>" width="17" height="17" border="0"></a></th> </tr> </thead> <tbody> - <?php $counter = $enable_cnt = $disable_cnt = 0; foreach ($rules_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - $sid = snort_get_sid($v['rule']); - $gid = snort_get_gid($v['rule']); + $sid = $k2; + $gid = $k1; - if (isset($disablesid[$sid])) { + if (isset($disablesid[$gid][$sid])) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_reject_d.gif"; $disable_cnt++; - $title = gettext("Disabled by user. Click to toggle to enabled state"); + $title = gettext("Disabled by user. Click to toggle to default state"); } - elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { + elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_block_d.gif"; $disable_cnt++; $title = gettext("Disabled by default. Click to toggle to enabled state"); } - elseif (isset($enablesid[$sid])) { + elseif (isset($enablesid[$gid][$sid])) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; - $title = gettext("Enabled by user. 
Click to toggle to disabled state"); + $title = gettext("Enabled by user. Click to toggle to default state"); } else { $textss = $textse = ""; 
@@ -622,48 +624,47 @@ if ($savemsg) { $dstspan = add_title_attribute($textss, $rule_content[5]); $dstprtspan = add_title_attribute($textss, $rule_content[6]); - $protocol = $rule_content[1]; //protocol field - $source = truncate($rule_content[2], 14); //source field - $source_port = truncate($rule_content[3], 10); //source port field - $destination = truncate($rule_content[5], 14); //destination field - $destination_port = truncate($rule_content[6], 10); //destination port field - $message = snort_get_msg($v['rule']); - - echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\"> $textss - <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'> - <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" - width=\"11\" height=\"11\" border=\"0\" - title='{$title}'></a> - $textse + $protocol = $rule_content[1]; //protocol field + $source = $rule_content[2]; //source field + $source_port = $rule_content[3]; //source port field + $destination = $rule_content[5]; //destination field + $destination_port = $rule_content[6]; //destination port field + $message = snort_get_msg($v['rule']); // description field + $sid_tooltip = gettext("View the raw text for this rule"); + + echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\" sorttable_customkey=\"\">{$textss} + <a id=\"rule_{$gid}_{$sid}\" href=''><input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}'; + document.getElementById('gid').value='{$gid}';\" + src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\" + title='{$title}' name=\"toggle[]\"/></a>{$textse} </td> - <td class=\"listlr\" align=\"center\"> - {$textss}{$sid}{$textse} + <td class=\"listr\" align=\"center\" ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + {$textss}{$gid}{$textse} </td> - <td class=\"listlr\" align=\"center\"> + <td class=\"listr\" align=\"center\" 
ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <a href=\"javascript: void(0)\" + onclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\" + title='{$sid_tooltip}'>{$textss}{$sid}{$textse}</a> + </td> + <td class=\"listr\" style=\"text-align:center;\" ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$textss}{$protocol}{$textse} </td> - <td class=\"listlr\" align=\"center\"> + <td class=\"listr\" style=\"overflow: hidden; text-overflow: ellipsis; text-align:center;\" nowrap ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$srcspan}{$source}</span> </td> - <td class=\"listlr\" align=\"center\"> + <td class=\"listr\" style=\"overflow: hidden; text-overflow: ellipsis; text-align:center;\" nowrap ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$srcprtspan}{$source_port}</span> </td> - <td class=\"listlr\" align=\"center\"> + <td class=\"listr\" style=\"overflow: hidden; text-overflow: ellipsis; text-align:center;\" nowrap ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$dstspan}{$destination}</span> </td> - <td class=\"listlr\" align=\"center\"> + <td class=\"listr\" style=\"overflow: hidden; text-overflow: ellipsis; text-align:center;\" nowrap ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$dstprtspan}{$destination_port}</span> </td> - <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line;\"><font color=\"white\"> - {$textss}{$message}{$textse}</font> + <td class=\"listbg\" style=\"word-wrap:break-word; 
whitespace:pre-line;\" ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + {$textss}{$message}{$textse} </td>"; ?> - <td align="right" valign="middle" nowrap class="listt"> - <a href="javascript: void(0)" - onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"> - <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" - title="<?php echo gettext("Click to view the entire rule text"); ?>" width="17" height="17" border="0"></a> - </td> </tr> <?php $counter++; 
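Review bot: The toggle control nests `<input type="image" name="toggle[]">` inside `<a id="rule_{$gid}_{$sid}" href=''>`; an anchor wrapping a submit control is invalid HTML, and the empty `href` is a GET navigation to the current URL that competes with the POST the image button triggers. The anchor only serves as the scroll target for `$anchor = "rule_{$gid}_{$sid}"` set in the first hunk, so put the id on the input and drop the anchor: `<input type="image" id="rule_{$gid}_{$sid}" onClick="document.getElementById('sid').value='{$sid}'; document.getElementById('gid').value='{$gid}';" ... name="toggle[]"/>`. The enclosing loop starts in the previous hunk.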
@@ -673,6 +674,109 @@ if ($savemsg) { ?> </tbody> </table> + + <?php else: ?> + + <table id="myTable" class="sortable" style="table-layout: fixed;" width="100%" border="0" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="15" align="left" valign="middle"> + <col width="6%" align="center" axis="number"> + <col width="6%" align="center" axis="number"> + <col width="22%" align="center" axis="string"> + <col width="15%" align="center" axis="string"> + <col align="left" axis="string"> + </colgroup> + <thead> + <tr> + <th class="list"> </th> + <th class="listhdrr"><?php echo gettext("GID"); ?></th> + <th class="listhdrr"><?php echo gettext("SID"); ?></th> + <th class="listhdrr"><?php echo gettext("Classification"); ?></th> + <th class="listhdrr"><?php echo gettext("IPS Policy"); ?></th> + <th class="listhdrr"><?php echo gettext("Message"); ?></th> + </tr> + </thead> + <tbody> + <?php + $counter = $enable_cnt = $disable_cnt = 0; + foreach ($rules_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + $sid = snort_get_sid($v['rule']); + $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$gid][$sid])) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_reject_d.gif"; + $disable_cnt++; + $title = gettext("Disabled by user. Click to toggle to default state"); + } + elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_block_d.gif"; + $disable_cnt++; + $title = gettext("Disabled by default. Click to toggle to enabled state"); + } + elseif (isset($enablesid[$gid][$sid])) { + $textss = $textse = ""; + $iconb = "icon_reject.gif"; + $enable_cnt++; + $title = gettext("Enabled by user. Click to toggle to default state"); + } + else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + $enable_cnt++; + $title = gettext("Enabled by default. 
Click to toggle to disabled state"); + } + $message = snort_get_msg($v['rule']); + $matches = array(); + if (preg_match('/(?:classtype\b\s*:)\s*(\S*\s*;)/iU', $v['rule'], $matches)) + $classtype = trim($matches[1], " ;"); + else + $classtype = "No Classtype Defined"; + $matches = array(); + if (preg_match_all('/(\S*-ips)(?:\s*drop|alert)(?:,|\s*|;)/i', $v['rule'], $matches)) + $policy = implode("<br/>", $matches[1]); + else + $policy = "none"; + + echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\" sorttable_customkey=\"\">{$textss} + <input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}'; + document.getElementById('gid').value='{$gid}';\" + src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\" + title='{$title}' name=\"toggle[]\"/>{$textse} + </td> + <td class=\"listr\" align=\"center\" ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + {$textss}{$gid}{$textse} + </td> + <td class=\"listr\" align=\"center\" ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <a href=\"javascript: void(0)\" + onclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\" + title='{$sid_tooltip}'>{$textss}{$sid}{$textse}</a> + </td> + <td class=\"listr\" align=\"center\" ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + {$textss}{$classtype}</span> + </td> + <td class=\"listr\" align=\"center\" ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + {$textss}{$policy}</span> + </td> + <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line;\" 
ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + {$textss}{$message}{$textse} + </td>"; + ?> + </tr> + <?php + $counter++; + } + } + unset($rulem, $v); + ?> + </tbody> + </table> + + <?php endif;?> + </td> </tr> <tr> @@ -721,10 +825,11 @@ if ($savemsg) { <script language="javascript" type="text/javascript"> function go() { - var box = document.iform.selectbox; - destination = box.options[box.selectedIndex].value; - if (destination) - location.href = destination; + var box = document.getElementById("selectbox"); + var ruleset = box.options[box.selectedIndex].value; + if (ruleset) + document.getElementById("openruleset").value = ruleset; + document.getElementById("iform").submit(); } function wopen(url, name, w, h) diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index c0087464..49423440 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -4,6 +4,7 @@ * * Copyright (C) 2004, 2005 Scott Ullrich * Copyright (C) 2011 Ermal Luci + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Adapted for FreeNAS by Volker Theile (votdev@gmx.de) 
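Review bot: `$sid_tooltip` is used in the SID link's `title` of this second table but is only assigned inside the first table's loop (`$sid_tooltip = gettext("View the raw text for this rule");`), and the two tables are the `if`/`else` arms of the same `$currentruleset` condition, so in the decoder/preprocessor view it is undefined and the tooltip renders empty; assign it before the `if`. This loop also recomputes `$sid = snort_get_sid($v['rule']); $gid = snort_get_gid($v['rule']);` where the first table now uses the map keys `$k2`/`$k1`; use the keys here as well so both tables index `$disablesid`/`$enablesid` the same way. The enabled/disabled classification block is duplicated verbatim between the two tables and would fit a small helper returning `$textss`, `$textse`, `$iconb` and `$title`.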
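Review bot: In the rewritten `go()`, `if (ruleset)` guards only the assignment to the hidden field; `document.getElementById("iform").submit();` runs unconditionally, whereas the old code only navigated when a value was selected. If the guard is meant to survive, brace both statements: `if (ruleset) { document.getElementById("openruleset").value = ruleset; document.getElementById("iform").submit(); }`; if an unconditional submit is intended, a one-line comment saying so would stop the next reader from "fixing" it.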
@@ -40,28 +41,30 @@ require_once("/usr/local/pkg/snort/snort.inc");
 $flowbit_rules_file = FLOWBITS_FILENAME;
 $snortdir = SNORTDIR;
-if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
- $config['installedpackages']['snortglobal']['rule'] = array();
-}
-$a_rule = &$config['installedpackages']['snortglobal']['rule'];
+if (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
-$id = $_GET['id'];
+// If we were not passed a valid index ID, close the pop-up and exit
 if (is_null($id)) {
- header("Location: /snort/snort_interfaces.php");
+ echo '<html><body link="#000000" vlink="#000000" alink="#000000">';
+ echo '<script language="javascript" type="text/javascript">';
+ echo 'window.close();</script>';
+ echo '</body></html>';
 exit;
 }
-if (isset($id) && $a_rule[$id]) {
- $pconfig['enable'] = $a_rule[$id]['enable'];
- $pconfig['interface'] = $a_rule[$id]['interface'];
- $pconfig['rulesets'] = $a_rule[$id]['rulesets'];
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ $config['installedpackages']['snortglobal']['rule'] = array();
 }
-/* convert fake interfaces to real */
-$if_real = snort_get_real_interface($pconfig['interface']);
+$a_rule = &$config['installedpackages']['snortglobal']['rule'];
+
+$if_real = get_real_interface($a_rule[$id]['interface']);
 $snort_uuid = $a_rule[$id]['uuid'];
-$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
-$file = $_GET['openruleset'];
+$snortlogdir = SNORTLOGDIR;
+$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}/";
+
+$file = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401);
 $contents = '';
 $wrap_flag = "off";
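Review bot: `htmlspecialchars()` is an HTML output encoder, not a file-name validator: `$file` comes straight from `$_GET['openruleset']` and the two hunks that follow use it to build `file_exists()`/`file_get_contents()` paths under `$snortdir/rules`, `$snortdir/preproc_rules` and `$snortlogdir`, while the encoder passes `/` and `..` through unchanged and mangles a legitimate `&` in a name. Reduce it to a bare file name before any path is built, e.g. `$file = basename($_GET['openruleset']);` with `.`/`..` rejected (the `IPS Policy - …` and `Auto-Flowbit Rules` pseudo-names survive basename unchanged), or better, accept only names present in the interface's configured category list, and apply `htmlspecialchars()` only where the name is displayed. The old `if (isset($id) && $a_rule[$id])` existence check was dropped, so an out-of-range numeric `id` now reaches `$a_rule[$id]['interface']` and `['uuid']` as nulls; a `!isset($a_rule[$id])` test next to the `is_null($id)` exit would restore it. `htmlspecialchars()` on an `$id` already validated by `is_numericint()` is redundant, and `!isset($id)` states the "never assigned" case more plainly than `is_null($id)`.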
@@ -76,13 +79,13 @@ else // a standard rules file, or a complete file name.
 // Test for the special case of an IPS Policy file.
 if (substr($file, 0, 10) == "IPS Policy") {
- $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']);
- if (isset($_GET['ids'])) {
- $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule'];
+ $rules_map = snort_load_vrt_policy(strtolower(trim(substr($file, strpos($file, "-")+1))));
+ if (isset($_GET['sid']) && is_numericint($_GET['sid']) && isset($_GET['gid']) && is_numericint($_GET['gid'])) {
+ $contents = $rules_map[$_GET['gid']][trim($_GET['sid'])]['rule'];
 $wrap_flag = "soft";
 }
 else {
- $contents = "# Snort IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']) . "\n\n";
+ $contents = "# Snort IPS Policy - " . ucfirst(trim(substr($file, strpos($file, "-")+1))) . "\n\n";
 foreach (array_keys($rules_map) as $k1) {
 foreach (array_keys($rules_map[$k1]) as $k2) {
 $contents .= "# Category: " . $rules_map[$k1][$k2]['category'] . " SID: {$k2}\n";
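Review bot: The policy name handed to `snort_load_vrt_policy()` now comes from the request (`$file`) rather than from the stored `$a_rule[$id]['ips_policy']`, so whatever that helper does with the name (not visible here) is driven by client input; validate it against the set of policy names the package knows before the call, and fall back to `$a_rule[$id]['ips_policy']` when it is not one of them. The derivation itself is also fragile: when `$file` holds no `-`, `strpos()` returns false, `false+1` is 1, and `substr($file, 1)` yields the label minus its first character. Computing the name once, `$policy = strtolower(trim(substr($file, strpos($file, "-")+1)));`, and reusing it on the `ucfirst(...)` line a few lines down avoids repeating the expression.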
@@ -93,28 +96,32 @@ if (substr($file, 0, 10) == "IPS Policy") {
 unset($rules_map);
 }
 // Is it a SID to load the rule text from?
-elseif (isset($_GET['ids'])) {
+elseif (isset($_GET['sid']) && is_numericint($_GET['sid']) && isset($_GET['gid']) && is_numericint($_GET['gid'])) {
 // If flowbit rule, point to interface-specific file
 if ($file == "Auto-Flowbit Rules")
 $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME);
+ elseif (file_exists("{$snortdir}/preproc_rules/{$file}"))
+ $rules_map = snort_load_rules_map("{$snortdir}/preproc_rules/{$file}");
 else
 $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}");
- $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule'];
+ $contents = $rules_map[$_GET['gid']][trim($_GET['sid'])]['rule'];
 $wrap_flag = "soft";
 }
-
 // Is it our special flowbit rules file?
 elseif ($file == "Auto-Flowbit Rules")
 $contents = file_get_contents("{$snortcfgdir}/rules/{$flowbit_rules_file}");
 // Is it a rules file in the ../rules/ directory?
 elseif (file_exists("{$snortdir}/rules/{$file}"))
 $contents = file_get_contents("{$snortdir}/rules/{$file}");
-// Is it a fully qualified path and file?
-elseif (file_exists($file))
- $contents = file_get_contents($file);
+// Is it a rules file in the ../preproc_rules/ directory?
+elseif (file_exists("{$snortdir}/preproc_rules/{$file}"))
+ $contents = file_get_contents("{$snortdir}/preproc_rules/{$file}");
+// Is it a disabled preprocessor auto-rules-disable file?
+elseif (file_exists("{$snortlogdir}/{$file}"))
+ $contents = file_get_contents("{$snortlogdir}/{$file}");
 // It is not something we can display, so exit.
 else
- $input_errors[] = gettext("Unable to open file: {$displayfile}");
+ $contents = gettext("Unable to open file: {$displayfile}");
 $pgtitle = array(gettext("Snort"), gettext("File Viewer"));
 ?>
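Review bot: `$displayfile`, interpolated into the new fallback `$contents = gettext("Unable to open file: {$displayfile}");`, is not assigned anywhere in this hunk; if it is only set on some of the branches above the hunk (not visible here), the viewer prints an empty file name. `$file` is already the HTML-escaped request value, so `$contents = sprintf(gettext("Unable to open file: %s"), $file);` removes that dependency and, by taking the variable out of the gettext() argument, also lets the string be translated. The `elseif` chain this hunk belongs to starts above it, in the previous hunk.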
@@ -122,10 +129,8 @@ $pgtitle = array(gettext("Snort"), gettext("File Viewer")); <?php include("head.inc");?> <body link="#000000" vlink="#000000" alink="#000000"> -<?php if ($savemsg) print_info_box($savemsg); ?> <?php // include("fbegin.inc");?> -<form action="snort_rules_edit.php" method="post"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td class="tabcont"> @@ -152,7 +157,6 @@ $pgtitle = array(gettext("Snort"), gettext("File Viewer")); </td> </tr> </table> -</form> <?php // include("fend.inc");?> </body> </html> diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php index 325276ee..daf1c4ef 100644 --- a/config/snort/snort_rules_flowbits.php +++ b/config/snort/snort_rules_flowbits.php @@ -1,7 +1,7 @@ <?php /* * snort_rules_flowbits.php - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013, 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -41,40 +41,34 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
 }
 $a_nat = &$config['installedpackages']['snortglobal']['rule'];
-// Set who called us so we can return to the correct page with
-// the RETURN button. Save the original referrer and the query
-// string in session variables.
-session_start();
-if (!isset($_SESSION['org_referrer']) || isset($_GET['returl'])) {
- $_SESSION['org_referrer'] = urldecode($_GET['returl']);
- $_SESSION['org_querystr'] = $_SERVER['QUERY_STRING'];
-}
-$referrer = $_SESSION['org_referrer'];
-$querystr = $_SESSION['org_querystr'];
-session_write_close();
+if (isset($_POST['id']) && is_numericint($_POST['id']))
+ $id = $_POST['id'];
+elseif (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
-if ($_POST['cancel']) {
- session_start();
- unset($_SESSION['org_referrer']);
- unset($_SESSION['org_querystr']);
- session_write_close();
- header("Location: {$referrer}?{$querystr}");
+if (is_null($id)) {
+ header("Location: /snort/snort_interfaces.php");
 exit;
 }
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-if (is_null($id)) {
- session_start();
- unset($_SESSION['org_referrer']);
- unset($_SESSION['org_querystr']);
- session_write_close();
- header("Location: /snort/snort_interfaces.php");
+// Set who called us so we can return to the correct page with
+// the RETURN ('cancel') button.
+if ($_POST['referrer'])
+ $referrer = $_POST['referrer'];
+else
+ $referrer = $_SERVER['HTTP_REFERER'];
+
+// Make sure a rule index ID is appended to the return URL
+if (strpos($referrer, "?id={$id}") === FALSE)
+ $referrer .= "?id={$id}";
+
+// If RETURN button clicked, exit to original calling page
+if ($_POST['cancel']) {
+ header("Location: {$referrer}");
 exit;
 }
-$if_real = snort_get_real_interface($a_nat[$id]['interface']);
+$if_real = get_real_interface($a_nat[$id]['interface']);
 $snort_uuid = $a_nat[$id]['uuid'];
 /* We should normally never get to this page if Auto-Flowbits are disabled, but just in case... */
@@ -89,12 +83,13 @@ if ($a_nat[$id]['autoflowbitrules'] == 'on') {
 else
 $input_errors[] = gettext("Auto-Flowbit rule generation is disabled for this interface!");
-if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) {
- $descr = snort_get_msg($rules_map[$_GET['gen_id']][$_GET['sidid']]['rule']);
+if ($_POST['addsuppress'] && is_numeric($_POST['sid']) && is_numeric($_POST['gid'])) {
+ $descr = snort_get_msg($rules_map[$_POST['gid']][$_POST['sid']]['rule']);
+ $suppress = gettext("## -- This rule manually suppressed from the Auto-Flowbits list. -- ##\n");
 if (empty($descr))
- $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n";
+ $suppress .= "suppress gen_id {$_POST['gid']}, sig_id {$_POST['sid']}\n";
 else
- $suppress = "# {$descr}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}";
+ $suppress .= "# {$descr}\nsuppress gen_id {$_POST['gid']}, sig_id {$_POST['sid']}\n";
 if (!is_array($config['installedpackages']['snortglobal']['suppress']))
 $config['installedpackages']['snortglobal']['suppress'] = array();
 if (!is_array($config['installedpackages']['snortglobal']['suppress']['item']))
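Review bot: `$referrer` is taken from `$_POST['referrer']` or `$_SERVER['HTTP_REFERER']`, both client-controlled, and then used verbatim in `header("Location: {$referrer}")` and, in the hunk at L296, written into a hidden input as `value="<?=$referrer;?>"` without escaping; an absolute URL there sends the user off the firewall on Return, and a double quote breaks out of the attribute. Restrict it to a local page before use, e.g. `if (!preg_match('#^/snort/[\w.]+\.php#', $referrer)) $referrer = "/snort/snort_interfaces.php";`, and emit it with `htmlspecialchars()`. The `strpos($referrer, "?id={$id}") === FALSE` check also appends a second `?` when the referrer already carries a query string; use `(strpos($referrer, '?') === false ? '?' : '&') . "id={$id}"`. On a plain GET, `if ($_POST['referrer'])` raises an undefined-index notice; `!empty($_POST['referrer'])` is the usual form. This hunk starts in the previous line.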
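Review bot: The addsuppress branch still guards `sid` and `gid` with `is_numeric()`, which also accepts forms such as `1e3` or ` 7`, while the id handling added elsewhere in this commit uses `is_numericint()`; the two values are interpolated into the suppress list line `suppress gen_id {$_POST['gid']}, sig_id {$_POST['sid']}` that is written to the saved configuration, so the stricter check belongs here too: `if ($_POST['addsuppress'] && is_numericint($_POST['sid']) && is_numericint($_POST['gid'])) {`. The block continues past the end of the hunk.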
@@ -130,11 +125,11 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ } } if ($found_list) { - write_config(); + write_config("Snort pkg: modified Suppress List for {$a_nat[$id]['interface']}."); $rebuild_rules = false; sync_snort_package_config(); snort_reload_config($a_nat[$id]); - $savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'."); + $savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_POST['gid']}, sig_id {$_POST['sid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'."); } else { /* We did not find the defined list, so notify the user with an error */ @@ -142,23 +137,10 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ } } -function truncate($string, $length) { - - /******************************** - * This function truncates the * - * passed string to the length * - * specified adding ellipsis if * - * truncation was necessary. * - ********************************/ - if (strlen($string) > $length) - $string = substr($string, 0, ($length - 3)) . "..."; - return $string; -} - /* Load up an array with the current Suppression List GID,SID values */ $supplist = snort_load_suppress_sigs($a_nat[$id]); -$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - Flowbit Rules"); include_once("head.inc"); 
@@ -168,12 +150,16 @@ include_once("head.inc"); <?php include("fbegin.inc"); -if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} -if ($input_errors) print_input_errors($input_errors); +if ($input_errors) + print_input_errors($input_errors); if ($savemsg) print_info_box($savemsg); ?> <form action="snort_rules_flowbits.php" method="post" name="iform" id="iform"> +<input type="hidden" name="id" value="<?=$id;?>"/> +<input type="hidden" name="referrer" value="<?=$referrer;?>"/> +<input type="hidden" name="sid" id="sid" value=""/> +<input type="hidden" name="gid" id="gid" value=""/> <div id="boxarea"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> @@ -203,7 +189,7 @@ if ($savemsg) <td><span class="vexpl"><?php echo gettext("Alert is Not Suppressed"); ?></span></td> <td rowspan="3" align="right"><input id="cancel" name="cancel" type="submit" class="formbtn" <?php echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> - <input name="id" type="hidden" value="<?=$id;?>" /></td> + </td> </tr> <tr> <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus_d.gif" width='12' height='12' border='0'/></td> @@ -220,13 +206,13 @@ if ($savemsg) </tr> <tr> <td> - <table id="myTable" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> + <table id="myTable" width="100%" class="sortable" style="table-layout: fixed;" border="0" cellpadding="0" cellspacing="0"> <colgroup> <col width="11%" axis="number"> - <col width="10%" axis="string"> + <col width="54" axis="string"> <col width="14%" axis="string"> <col width="14%" axis="string"> - <col width="20%" axis="string"> + <col width="24%" axis="string"> <col axis="string"> </colgroup> <thead> 
@@ -253,19 +239,20 @@ if ($savemsg) $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); $rule_content = preg_split('/[\s]+/', $tmp); - $protocol = $rule_content[1]; //protocol - $source = truncate($rule_content[2], 14); //source - $destination = truncate($rule_content[5], 14); //destination - $message = snort_get_msg($v['rule']); + $protocol = $rule_content[1]; //protocol + $source = $rule_content[2]; //source + $destination = $rule_content[5]; //destination + $message = snort_get_msg($v['rule']); // description $flowbits = implode("; ", snort_get_flowbits($v['rule'])); if (strstr($flowbits, "noalert")) $supplink = ""; else { if (!isset($supplist[$gid][$sid])) { - $supplink = "<a href=\"?id={$id}&act=addsuppress&sidid={$sid}&gen_id={$gid}\">"; - $supplink .= "<img src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" "; + $supplink = "<input type=\"image\" name=\"addsuppress[]\" onClick=\"document.getElementById('sid').value='{$sid}';"; + $supplink .= "document.getElementById('gid').value='{$gid}';\" "; + $supplink .= "src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" "; $supplink .= "width='12' height='12' border='0' title='"; - $supplink .= gettext("Click to add to Suppress List") . "'/></a>"; + $supplink .= gettext("Click to add to Suppress List") . "'/>"; } else { $supplink = "<img src=\"../themes/{$g['theme']}/images/icons/icon_plus_d.gif\" "; 
@@ -276,12 +263,12 @@ if ($savemsg) // Use "echo" to write the table HTML row-by-row. echo "<tr>" . - "<td class=\"listr\">{$sid} {$supplink}</td>" . - "<td class=\"listr\">{$protocol}</td>" . - "<td class=\"listr\"><span title=\"{$rule_content[2]}\">{$source}</span></td>" . - "<td class=\"listr\"><span title=\"{$rule_content[5]}\">{$destination}</span></td>" . + "<td class=\"listr\" sorttable_customkey=\"{$sid}\">{$sid} {$supplink}</td>" . + "<td class=\"listr\" style=\"text-align:center;\">{$protocol}</td>" . + "<td class=\"listr\" style=\"overflow: hidden; text-overflow: ellipsis; text-align:center;\" nowrap><span title=\"{$rule_content[2]}\">{$source}</span></td>" . + "<td class=\"listr\" style=\"overflow: hidden; text-overflow: ellipsis; text-align:center;\" nowrap><span title=\"{$rule_content[5]}\">{$destination}</span></td>" . "<td class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$flowbits}</td>" . - "<td class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$message}</td>" . + "<td class=\"listbg\" style=\"word-wrap:break-word; word-break:normal;\">{$message}</td>" . "</tr>"; $count++; } @@ -297,7 +284,6 @@ if ($savemsg) <td align="center" valign="middle"> <input id="cancel" name="cancel" type="submit" class="formbtn" <?php echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> - <input name="id" type="hidden" value="<?=$id;?>" /> </td> </tr> <?php endif; ?> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 9c14392d..79365f5f 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -5,6 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya * Copyright (C) 2011 Ermal Luci + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -42,12 +43,14 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
 }
 $a_nat = &$config['installedpackages']['snortglobal']['rule'];
-$id = $_GET['id'];
-if (isset($_POST['id']))
+if (isset($_POST['id']) && is_numericint($_POST['id']))
 $id = $_POST['id'];
+elseif (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
+
 if (is_null($id)) {
- header("Location: /snort/snort_interfaces.php");
- exit;
+ header("Location: /snort/snort_interfaces.php");
+ exit;
 }
 if (isset($id) && $a_nat[$id]) {
@@ -59,12 +62,12 @@ if (isset($id) && $a_nat[$id]) {
 $pconfig['ips_policy'] = $a_nat[$id]['ips_policy'];
 }
-$if_real = snort_get_real_interface($pconfig['interface']);
+$if_real = get_real_interface($pconfig['interface']);
 $snort_uuid = $a_nat[$id]['uuid'];
-$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
-$emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats'];
-$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'];
-$snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules'];
+$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off';
+$emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats'] == 'on' ? 'on' : 'off';
+$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'on' ? 'on' : 'off';
+$snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules'] == 'on' ? 'on' : 'off';
 $no_emerging_files = false;
 $no_snort_files = false;
@@ -118,7 +121,12 @@ if ($a_nat[$id]['ips_policy_enable'] == 'on') {
 else
 $disable_vrt_rules = "";
-if ($_POST["Submit"]) {
+if (!empty($a_nat[$id]['rulesets']))
+ $enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']);
+else
+ $enabled_rulesets_array = array();
+
+if ($_POST["save"]) {
 if ($_POST['ips_policy_enable'] == "on") {
 $a_nat[$id]['ips_policy_enable'] = 'on';
@@ -145,7 +153,7 @@ if ($_POST["Submit"]) {
 @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}");
 }
- write_config();
+ write_config("Snort pkg: save enabled rule categories for {$a_nat[$id]['interface']}.");
 /*************************************************/
 /* Update the snort conf file and rebuild the */
@@ -158,8 +166,10 @@ if ($_POST["Submit"]) {
 /* Soft-restart Snort to live-load new rules */
 snort_reload_config($a_nat[$id]);
- header("Location: /snort/snort_rulesets.php?id=$id");
- exit;
+ $pconfig = $_POST;
+ $enabled_rulesets_array = explode("||", $enabled_items);
+ if (snort_is_running($snort_uuid, $if_real))
+ $savemsg = gettext("Snort is 'live-reloading' the new rule set.");
 }
 if ($_POST['unselectall']) {
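Review bot: Dropping `header("Location: /snort/snort_rulesets.php?id=$id"); exit;` at the end of the save branch (third hunk) removes the post-redirect-get step, so a browser refresh of the rendered page re-submits the POST and re-runs the rule rebuild and `snort_reload_config()`; `$pconfig = $_POST;` on the same lines also feeds raw request values into whatever the form below echoes, which is outside this hunk. `$enabled_rulesets_array = explode("||", $enabled_items);` further relies on `$enabled_items` being assigned earlier in the save block, which is not visible here; if it is not, `explode()` on null yields a single empty entry. Keeping the redirect and carrying the status message through the query string or a session flag preserves the old behaviour while still showing the message. The save block starts inside the first hunk and ends in the third.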
@@ -174,61 +184,47 @@ if ($_POST['unselectall']) {
 unset($a_nat[$id]['ips_policy']);
 }
- write_config();
- sync_snort_package_config();
+ $pconfig['autoflowbits'] = $_POST['autoflowbits'];
+ $pconfig['ips_policy_enable'] = $_POST['ips_policy_enable'];
+ $pconfig['ips_policy'] = $_POST['ips_policy'];
+ $enabled_rulesets_array = array();
- header("Location: /snort/snort_rulesets.php?id=$id");
- exit;
+ $savemsg = gettext("All rule categories have been de-selected. ");
+ if ($a_nat[$id]['ips_policy_enable'] = 'on')
+ $savemsg .= gettext("Only the rules included in the selected IPS Policy will be used.");
+ else
+ $savemsg .= gettext("There currently are no inspection rules enabled for this Snort instance!");
 }
 if ($_POST['selectall']) {
- $rulesets = array();
-
- if ($_POST['ips_policy_enable'] == "on") {
- $a_nat[$id]['ips_policy_enable'] = 'on';
- $a_nat[$id]['ips_policy'] = $_POST['ips_policy'];
- }
- else {
- $a_nat[$id]['ips_policy_enable'] = 'off';
- unset($a_nat[$id]['ips_policy']);
- }
+ $enabled_rulesets_array = array();
 if ($emergingdownload == 'on') {
 $files = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules");
 foreach ($files as $file)
- $rulesets[] = basename($file);
+ $enabled_rulesets_array[] = basename($file);
 }
 elseif ($etpro == 'on') {
 $files = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules");
 foreach ($files as $file)
- $rulesets[] = basename($file);
+ $enabled_rulesets_array[] = basename($file);
 }
 if ($snortcommunitydownload == 'on') {
 $files = glob("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules");
 foreach ($files as $file)
- $rulesets[] = basename($file);
+ $enabled_rulesets_array[] = basename($file);
 }
 /* Include the Snort VRT rules only if enabled and no IPS policy is set */
 if ($snortdownload == 'on' && $a_nat[$id]['ips_policy_enable'] == 'off') {
 $files = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . 
"*.rules");
 foreach ($files as $file)
- $rulesets[] = basename($file);
+ $enabled_rulesets_array[] = basename($file);
 }
-
- $a_nat[$id]['rulesets'] = implode("||", $rulesets);
-
- write_config();
- sync_snort_package_config();
-
- header("Location: /snort/snort_rulesets.php?id=$id");
- exit;
 }
-$enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']);
-
-$if_friendly = snort_get_friendly_interface($pconfig['interface']);
+$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']);
 $pgtitle = gettext("Snort: Interface {$if_friendly} - Categories");
 include_once("head.inc");
 ?>
@@ -237,11 +233,10 @@ include_once("head.inc");
 <?php include("fbegin.inc");
-if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}
 /* Display message */
 if ($input_errors) {
- print_input_errors($input_errors); // TODO: add checks
+ print_input_errors($input_errors);
 }
 if ($savemsg) {
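Review bot: `if ($a_nat[$id]['ips_policy_enable'] = 'on')` in the unselectall branch (first hunk, starting on the previous line) is an assignment, not a comparison: it always selects the "IPS Policy will be used" message and, because `$a_nat` is a reference into `$config`, it also flips the stored `ips_policy_enable` to 'on' in memory, which any later write_config() in the same request would persist. It should read `if ($a_nat[$id]['ips_policy_enable'] == 'on')`. The enclosing `if ($_POST['unselectall'])` block begins above the hunk.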
@@ -259,12 +254,13 @@ if ($savemsg) { $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php"); $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}"); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); - display_top_tabs($tab_array); + $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php"); + $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); + display_top_tabs($tab_array, true); echo '</td></tr>'; echo '<tr><td class="tabnavtbl">'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); 
@@ -273,9 +269,10 @@ if ($savemsg) { $tab_array[] = array($menu_iface . gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}"); + display_top_tabs($tab_array, true); ?> </td></tr> <tr> 
@@ -392,9 +389,9 @@ if ($savemsg) { <td colspan="6"> <table width=90% align="center" border="0" cellpadding="2" cellspacing="0"> <tr height="45px"> - <td valign="middle"><input value="Select All" class="formbtns" type="submit" name="selectall" id="selectall" title="<?php echo gettext("Add all to enforcing rules"); ?>"/></td> - <td valign="middle"><input value="Unselect All" class="formbtns" type="submit" name="unselectall" id="unselectall" title="<?php echo gettext("Remove all from enforcing rules"); ?>"/></td> - <td valign="middle"><input value=" Save " class="formbtns" type="submit" name="Submit" id="Submit" title="<?php echo gettext("Save changes to enforcing rules and rebuild"); ?>"/></td> + <td valign="middle"><input value="Select All" class="formbtns" type="submit" name="selectall" id="selectall" title="<?php echo gettext("Add all categories to enforcing rules"); ?>"/></td> + <td valign="middle"><input value="Unselect All" class="formbtns" type="submit" name="unselectall" id="unselectall" title="<?php echo gettext("Remove categories all from enforcing rules"); ?>"/></td> + <td valign="middle"><input value=" Save " class="formbtns" type="submit" name="save" id="save" title="<?php echo gettext("Save changes to enforcing rules and rebuild"); ?>"/></td> <td valign="middle"><span class="vexpl"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?></span></td> </tr> </table> 
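Review bot: The new title on the Unselect All button reads `Remove categories all from enforcing rules`, which is a word-order slip; to mirror the Select All button it should be `title="<?php echo gettext("Remove all categories from enforcing rules"); ?>"`. This is a user-visible translatable string, so it is worth fixing before it lands in the message catalog.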
@@ -426,14 +423,14 @@ if ($savemsg) { <?php endif; ?> <?php endif; ?> - <?php if ($no_emerging_files) - $msg_emerging = "downloaded."; + <?php if ($no_emerging_files && ($emergingdownload == 'on' || $etpro == 'on')) + $msg_emerging = "have not been downloaded."; else - $msg_emerging = "enabled."; - if ($no_snort_files) - $msg_snort = "downloaded."; + $msg_emerging = "are not enabled."; + if ($no_snort_files && $snortdownload == 'on') + $msg_snort = "have not been downloaded."; else - $msg_snort = "enabled."; + $msg_snort = "are not enabled."; ?> <tr id="frheader"> <?php if ($emergingdownload == 'on' && !$no_emerging_files): ?> @@ -443,7 +440,7 @@ if ($savemsg) { <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Pro Rules');?></td> <?php else: ?> - <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("{$et_type} rules not {$msg_emerging}"); ?></td> + <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("{$et_type} rules {$msg_emerging}"); ?></td> <?php endif; ?> <?php if ($snortdownload == 'on' && !$no_snort_files): ?> <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> @@ -451,7 +448,7 @@ if ($savemsg) { <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort SO Rules');?></td> <?php else: ?> - <td colspan="4" align="center" width="60%" class="listhdrr"><?php echo gettext("Snort VRT rules have not been {$msg_snort}"); ?></td> + <td colspan="4" align="center" width="60%" class="listhdrr"><?php echo gettext("Snort VRT rules {$msg_snort}"); ?></td> <?php endif; ?> </tr> <?php 
@@ -561,7 +558,7 @@ if ($savemsg) { </tr> <tr> <td colspan="6" align="center" valign="middle"> - <input value="Save" type="submit" name="Submit" id="Submit" class="formbtn" title=" <?php echo gettext("Click to Save changes and rebuild rules"); ?>"/></td> + <input value="Save" type="submit" name="save" id="save" class="formbtn" title="<?php echo gettext("Click to Save changes and rebuild rules");?>"/></td> </tr> <?php endif; ?> </table> diff --git a/config/snort/snort_select_alias.php b/config/snort/snort_select_alias.php index c5c6347e..c632b388 100644 --- a/config/snort/snort_select_alias.php +++ b/config/snort/snort_select_alias.php @@ -2,7 +2,7 @@ /* $Id$ */ /* snort_select_alias.php - Copyright (C) 2013 Bill Meeks + Copyright (C) 2013, 2014 Bill Meeks All rights reserved. Redistribution and use in source and binary forms, with or without @@ -42,22 +42,29 @@ require_once("/usr/local/pkg/snort/snort.inc"); // overwrite it on subsequent POST-BACKs to this page. if (!isset($_POST['org_querystr'])) $querystr = $_SERVER['QUERY_STRING']; +else + $querystr = $_POST['org_querystr']; // Retrieve any passed QUERY STRING or POST variables -$type = $_GET['type']; -$varname = $_GET['varname']; -$multi_ip = $_GET['multi_ip']; -$referrer = urldecode($_GET['returl']); if (isset($_POST['type'])) $type = $_POST['type']; +elseif (isset($_GET['type'])) + $type = htmlspecialchars($_GET['type']); + if (isset($_POST['varname'])) $varname = $_POST['varname']; +elseif (isset($_GET['varname'])) + $varname = htmlspecialchars($_GET['varname']); + if (isset($_POST['multi_ip'])) $multi_ip = $_POST['multi_ip']; +elseif (isset($_GET['multi_ip'])) + $multi_ip = htmlspecialchars($_GET['multi_ip']); + if (isset($_POST['returl'])) $referrer = urldecode($_POST['returl']); -if (isset($_POST['org_querystr'])) - $querystr = $_POST['org_querystr']; +elseif (isset($_GET['returl'])) + $referrer = urldecode($_GET['returl']); // Make sure we have a valid VARIABLE name // and ALIAS TYPE, or else bail out. 
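Review bot: In the snort_select_alias.php hunk, `$referrer` (from `returl`) is the one request value that is not escaped, and the hunk at L308 writes it straight into `<input type="hidden" name="returl" value="<?=$referrer;?>"/>`; a `returl` containing a double quote therefore breaks out of the attribute on the GET response, and the `$_POST` branches for type, varname and multi_ip are echoed into their hidden inputs the same way. Escaping where the values are emitted, e.g. `value="<?=htmlspecialchars($referrer);?>"`, covers all of them, whereas escaping the GET values at input (as the hunk does) stores entity-encoded text in the variables the page goes on to use. Since `returl` is by name the page's return target (its redirect use is outside the hunk), it should also be restricted to a local path before any redirect, e.g. rejecting anything that does not start with `/snort/`.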
@@ -122,11 +129,11 @@ include("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> <form action="snort_select_alias.php" method="post"> -<input type="hidden" name="varname" value="<?=$varname;?>"> -<input type="hidden" name="type" value="<?=$type;?>"> -<input type="hidden" name="multi_ip" value="<?=$multi_ip;?>"> -<input type="hidden" name="returl" value="<?=$referrer;?>"> -<input type="hidden" name="org_querystr" value="<?=$querystr;?>"> +<input type="hidden" name="varname" value="<?=$varname;?>"/> +<input type="hidden" name="type" value="<?=$type;?>"/> +<input type="hidden" name="multi_ip" value="<?=$multi_ip;?>"/> +<input type="hidden" name="returl" value="<?=$referrer;?>"/> +<input type="hidden" name="org_querystr" value="<?=$querystr;?>"/> <?php if ($input_errors) print_input_errors($input_errors); ?> <div id="boxarea"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> diff --git a/config/snort/snort_stream5_engine.php b/config/snort/snort_stream5_engine.php index b3d81f37..89b0bc02 100644 --- a/config/snort/snort_stream5_engine.php +++ b/config/snort/snort_stream5_engine.php @@ -1,7 +1,7 @@ <?php /* * snort_stream5_engine.php - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013, 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -36,14 +36,16 @@ $snortdir = SNORTDIR;
 /* Retrieve required array index values from QUERY string if available. */
 /* 'id' is the [rule] array index, and 'eng_id' is the index for the */
 /* stream5_tcp_engine's [item] array. */
-$id = $_GET['id'];
-$eng_id = $_GET['eng_id'];
-
 /* See if values are in our form's POST content */
-if (isset($_POST['id']))
+if (isset($_POST['id']) && is_numericint($_POST['id']))
 $id = $_POST['id'];
-if (isset($_POST['eng_id']))
+elseif (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
+
+if (isset($_POST['eng_id']) && isset($_POST['eng_id']))
 $eng_id = $_POST['eng_id'];
+elseif (isset($_GET['eng_id']) && is_numericint($_GET['eng_id']))
+ $eng_id = htmlspecialchars($_GET['eng_id']);
 /* If we don't have a [rule] index specified, exit */
 if (is_null($id)) {
@@ -131,7 +133,7 @@ if ($_GET['act'] == "import") {
 session_start();
 if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports_client" || $_GET['varname'] == "ports_both" || $_GET['varname'] == "ports_server") && !empty($_GET['varvalue'])) {
- $pconfig[$_GET['varname']] = $_GET['varvalue'];
+ $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']);
 if(!isset($_SESSION['stream5_client_import'])) $_SESSION['stream5_client_import'] = array();
@@ -165,7 +167,7 @@ if ($_GET['act'] == "import") {
 }
 }
-if ($_POST['Submit']) {
+if ($_POST['save']) {
 // Clear and close out any session variable we created
 session_start();
 unset($_SESSION['org_referer']);
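Review bot: `if (isset($_POST['eng_id']) && isset($_POST['eng_id']))` tests the same thing twice, so the POST value of `eng_id` is accepted without validation while the GET branch directly below requires `is_numericint()`; this looks like a copy-paste slip for `if (isset($_POST['eng_id']) && is_numericint($_POST['eng_id']))`. As written, a non-integer POST `eng_id` reaches whatever array lookups follow after the hunk.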
@@ -326,14 +328,14 @@ if ($_POST['Submit']) { } /* Now write the new engine array to conf */ - write_config(); + write_config("Snort pkg: save modified stream5 engine."); header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row"); exit; } } -$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($config['installedpackages']['snortglobal']['rule'][$id]['interface']); $pgtitle = gettext("Snort: Interface {$if_friendly} - Stream5 Preprocessor TCP Engine"); include_once("head.inc"); @@ -586,7 +588,7 @@ if ($savemsg) <tr> <td width="22%" valign="bottom"> </td> <td width="78%" valign="bottom"> - <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + <input name="save" id="save" type="submit" class="formbtn" value=" Save " title="<?php echo gettext("Save Stream5 engine settings and return to Preprocessors tab"); ?>"> <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml index 14a13321..2b9594ea 100755 --- a/config/snort/snort_sync.xml +++ b/config/snort/snort_sync.xml @@ -47,7 +47,7 @@ POSSIBILITY OF SUCH DAMAGE. <faq>Currently there are no FAQ items provided.</faq> <name>snortsync</name> <version>1.0</version> - <title>Snort: XMLRPC Sync (EXPERIMENTAL)</title> + <title>Snort: XMLRPC Sync</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <tabs> <tab> 
@@ -71,14 +71,18 @@ POSSIBILITY OF SUCH DAMAGE. <url>/snort/snort_blocked.php</url> </tab> <tab> - <text>Whitelists</text> - <url>/snort/snort_interfaces_whitelist.php</url> + <text>Pass Lists</text> + <url>/snort/snort_passlist.php</url> </tab> <tab> <text>Suppress</text> <url>/snort/snort_interfaces_suppress.php</url> </tab> <tab> + <text>IP Lists</text> + <url>/snort/snort_ip_list_mgmt.php</url> + </tab> + <tab> <text>Sync</text> <url>/pkg_edit.php?xml=snort/snort_sync.xml</url> <active/> @@ -180,10 +184,6 @@ POSSIBILITY OF SUCH DAMAGE. </rowhelperfield> </rowhelper> </field> - <field> - <name>WARNING: This feature is considered experimental and not recommended for production use</name> - <type>listtopic</type> - </field> </fields> <custom_delete_php_command> </custom_delete_php_command> diff --git a/config/snort/widget-snort.inc b/config/snort/widget-snort.inc new file mode 100644 index 00000000..3c4d9718 --- /dev/null +++ b/config/snort/widget-snort.inc @@ -0,0 +1,24 @@ +<?php +require_once("config.inc"); + +//set variables for custom title and link +$snort_alerts_title = "Snort Alerts"; +$snort_alerts_title_link = "snort/snort_alerts.php"; + +function widget_snort_uninstall() { + + global $config; + + /* Remove the Snort widget from the Dashboard display list */ + $widgets = $config['widgets']['sequence']; + if (!empty($widgets)) { + $widgetlist = explode(",", $widgets); + foreach ($widgetlist as $key => $widget) { + if (strstr($widget, "snort_alerts-container")) + unset($widgetlist[$key]); + } + $config['widgets']['sequence'] = implode(",", $widgetlist); + write_config(); + } +} +?> |
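Review bot: `write_config();` in the new `widget_snort_uninstall()` carries no description, while every other write_config() touched by this commit passes one (e.g. `write_config("Snort pkg: save modified stream5 engine.");`); `write_config("Snort pkg: removed Snort Alerts widget from Dashboard.");` keeps the config-history entries consistent. The file also ends with a closing `?>`, which for an include file is best omitted since any whitespace after it is sent as output. A one-line comment above the function, `/* Called at package removal; drops the snort_alerts-container entry from the Dashboard widget sequence. */`, would state its purpose.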