Diffstat (limited to 'config/snort')
-rw-r--r--config/snort/snort.inc225
-rw-r--r--config/snort/snort.xml7
-rw-r--r--config/snort/snort_barnyard.php2
-rw-r--r--config/snort/snort_define_servers.php2
-rw-r--r--config/snort/snort_dynamic_ip_reload.php45
-rw-r--r--config/snort/snort_interfaces.php4
-rw-r--r--config/snort/snort_interfaces_edit.php4
-rw-r--r--config/snort/snort_interfaces_global.php2
-rw-r--r--config/snort/snort_interfaces_whitelist_edit.php2
-rw-r--r--config/snort/snort_preprocessors.php2
-rw-r--r--config/snort/snort_rulesets.php2
11 files changed, 42 insertions, 255 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 5b5e3dae..5fdc7a8b 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -592,7 +592,7 @@ function snort_postinstall()
if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
update_status(gettext("Saved settings detected..."));
update_output_window(gettext("Please wait... rebuilding files..."));
- sync_snort_package_empty();
+ sync_snort_package_config();
update_output_window(gettext("Finnished Rebuilding files..."));
}
}
@@ -845,135 +845,8 @@ function snort_rules_up_install_cron($should_install) {
}
}
-function sync_snort_package_remove_old()
-{
- global $config, $g;
-
- $snort_dir_scan = '/usr/local/etc/snort';
-
- // scan dirm might have to make this into a funtion
- $dh_scan = opendir($snort_dir_scan);
- while (false !== ($dir_filename = readdir($dh_scan))) {
- $list_dir_files[] = $dir_filename;
- }
-
- // find patern in a array, very cool code
- class array_ereg {
- function array_ereg($pattern) { $this->pattern = $pattern; }
- function ereg($string) {
- return ereg($this->pattern, $string);
- }
- }
-
- $rule_array2 = $config['installedpackages']['snortglobal']['rule'];
- foreach ($rule_array2 as $id => $value) {
- $result_lan = $value['interface'];
- $if_real = snort_get_real_interface($result_lan);
-
- $snort_rules_list[] = "snort_{$id}{$if_real}";
- }
-
- $snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg'));
- $snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list);
-
- foreach ($snort_dir_filter_search_result as $value)
- exec("/bin/rm -r /usr/local/etc/snort/$value");
-
-}
-
-/* make sure this func on writes to files and does not start snort */
-function sync_snort_package() {
- global $config, $g;
-
- /* all new files are for the user snort nologin */
- if (!is_dir('/var/log/snort'))
- exec('/bin/mkdir -p /var/log/snort');
-
- if (!is_dir('/var/log/snort/run'))
- exec('/bin/mkdir -p /var/log/snort/run');
-
- if (!is_dir('/var/log/snort/barnyard2'))
- exec('/bin/mkdir -p /var/log/snort/barnyard2');
-
- /* all new files are for the user snort nologin */
- if (!file_exists('/var/log/snort/alert'))
- exec('/usr/bin/touch /var/log/snort/alert');
-
- /* XXX: These are needed if snort is run as snort user
- mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
- mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
- mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
- mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
- mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
- */
-
- /* important */
- mwexec('/bin/chmod 770 /var/db/whitelist', true);
- mwexec('/bin/chmod 770 /var/run/snort*', true);
- mwexec('/bin/chmod 770 /tmp/snort*', true);
- mwexec('/bin/chmod -R 770 /var/log/snort', true);
- mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true);
- mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true);
-}
-
-/* only run when a single iface needs to sync */
-function sync_snort_package_all($id, $if_real, $snort_uuid)
-{
- global $config, $g;
-
- /* RedDevil suggested code */
- /* TODO: more testing needs to be done */
- /* may cause voip to fail */
- //exec("/sbin/sysctl net.bpf.bufsize=8388608");
- //exec("/sbin/sysctl net.bpf.maxbufsize=4194304");
- //exec("/sbin/sysctl net.bpf.maxinsns=512");
- //exec("/sbin/sysctl net.inet.tcp.rfc1323=1");
-
- conf_mount_rw();
-
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
- exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
- conf_mount_ro();
- return;
- }
- if (!is_array($config['installedpackages']['snortglobal']['rule'][$id])) {
- conf_mount_ro();
- return;
- }
-
- $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid'];
- $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface'];
- $if_real = snort_get_real_interface($result_lan);
-
- /* only build whitelist when needed */
- if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on')
- create_snort_whitelist($id, $if_real);
-
- /* only build threshold when needed */
- if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default')
- create_snort_suppress($id, $if_real);
-
- /* create snort configuration file */
- create_snort_conf($id, $if_real, $snort_uuid);
-
- /* if rules exist cp rules to each iface */
- create_rules_iface($id, $if_real, $snort_uuid);
-
- /* create snort bootup file snort.sh only create once */
- create_snort_sh();
-
- /* create barnyard2 configuration file */
- if ($config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'] == 'on')
- create_barnyard2_conf($id, $if_real, $snort_uuid);
-
- sync_snort_package();
-
- conf_mount_ro();
-}
-
/* Only run when all ifaces needed to sync. Expects filesystem rw */
-function sync_snort_package_empty()
+function sync_snort_package_config()
{
global $config, $g;
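Review bot: The renamed sync_snort_package_config() keeps the old header comment `Only run when all ifaces needed to sync. Expects filesystem rw`, but after this commit every per-interface page (barnyard, preprocessors, rulesets, interface edit) calls it in place of sync_snort_package_all(), which mounted rw on its own and also removed /usr/local/etc/rc.d/snort.sh when the rule list was empty. The comment should state the new contract, for example `/* Rebuild whitelist, suppress, snort.conf, rules and barnyard2.conf for every configured interface, then reset directory permissions. Caller must hold the filesystem rw; this function ends with conf_mount_ro(). */`. Whether the snort.sh removal on an empty rule list survives depends on the body, which continues outside this hunk.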
@@ -1015,8 +888,7 @@ function sync_snort_package_empty()
create_rules_iface($id, $if_real, $snort_uuid);
/* create barnyard2 configuration file */
- $snortbarnyardlog_info_chk = $value['barnyard_enable'];
- if ($snortbarnyardlog_info_chk == 'on')
+ if ($value['barnyard_enable'] == 'on')
create_barnyard2_conf($id, $if_real, $snort_uuid);
}
}
@@ -1024,61 +896,39 @@ function sync_snort_package_empty()
/* create snort bootup file snort.sh only create once */
create_snort_sh();
- sync_snort_package();
-
- conf_mount_ro();
-}
-
-/* only bootup and ip refresh */
-function sync_snort_package_config()
-{
- global $config, $g;
-
- /* RedDevil suggested code */
- /* TODO: more testing needs to be done */
- /* may cause voip to fail */
- //exec("/sbin/sysctl net.bpf.bufsize=8388608");
- //exec("/sbin/sysctl net.bpf.maxbufsize=4194304");
- //exec("/sbin/sysctl net.bpf.maxinsns=512");
- //exec("/sbin/sysctl net.inet.tcp.rfc1323=1");
-
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
- return;
-
- conf_mount_rw();
-
- foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {
-
- $result_lan = $value['interface'];
- $if_real = snort_get_real_interface($result_lan);
- $snort_uuid = $value['uuid'];
-
- if (!empty($if_real) && !empty($snort_uuid)) {
+ /* all new files are for the user snort nologin */
+ if (!is_dir('/var/log/snort'))
+ exec('/bin/mkdir -p /var/log/snort');
- /* only build whitelist when needed */
- if ($value['blockoffenders7'] == 'on')
- create_snort_whitelist($id, $if_real);
+ if (!is_dir('/var/log/snort/run'))
+ exec('/bin/mkdir -p /var/log/snort/run');
- /* only build threshold when needed */
- if ($value['suppresslistname'] != 'default')
- create_snort_suppress($id, $if_real);
+ if (!is_dir('/var/log/snort/barnyard2'))
+ exec('/bin/mkdir -p /var/log/snort/barnyard2');
- /* create snort configuration file */
- create_snort_conf($id, $if_real, $snort_uuid);
+ /* all new files are for the user snort nologin */
+ if (!file_exists('/var/log/snort/alert'))
+ exec('/usr/bin/touch /var/log/snort/alert');
- /* create barnyard2 configuration file */
- if ($value['barnyard_enable'] == 'on')
- create_barnyard2_conf($id, $if_real, $snort_uuid);
- }
- }
+ /* XXX: These are needed if snort is run as snort user
+ mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
+ mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
+ mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
+ */
- sync_snort_package();
+ /* important */
+ mwexec('/bin/chmod 770 /var/db/whitelist', true);
+ mwexec('/bin/chmod 770 /var/run/snort*', true);
+ mwexec('/bin/chmod 770 /tmp/snort*', true);
+ mwexec('/bin/chmod -R 770 /var/log/snort', true);
+ mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true);
+ mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true);
conf_mount_ro();
}
-
/* Start of main config files */
/* create threshold file */
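Review bot: The `chmod -R 770` lines that now close the function give group write and execute to every file under /usr/local/etc/snort, /usr/local/lib/snort and /var/log/snort while the chown to snort:snort just above them stays commented out, so rules and config end up writable by whatever group already owns them and every data file gains the execute bit. `/bin/chmod 770 /tmp/snort*` additionally expands an unquoted glob in a world-writable directory, and chmod without `-h` follows any symlink a local user has pre-created under that name. If snort runs as root, as the commented chown suggests, `chmod -R u=rwX,g=rX,o= /usr/local/etc/snort` (and the same for the lib and log trees) is the safer form, and the /tmp line should use `-h` or be dropped. The function's opening lines are outside this hunk.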
@@ -1214,8 +1064,8 @@ function create_snort_sh()
#### Fake start only used on bootup and Pfsense IP changes
#### Only try to restart if snort is running on Iface
-if [ "`/bin/ps -auwx | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $2;}'`" != "" ]; then
- snort_pid=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print $2;}'`
+if [ "`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`" != "" ]; then
+ snort_pid=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"
#### Restart Iface
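Review bot: The rewritten `ps -ax | grep "R {$snort_uuid}"` pipeline on the if line and in the snort_pid assignment still matches any process whose argument list contains that string, including a second snort on the same uuid or an unrelated command, and awk then prints several PIDs into snort_pid. `snort_pid=\`/usr/bin/pgrep -f "R {$snort_uuid}"\`` replaces both pipelines and removes the `grep -v grep` step, if pgrep is available on the target (it is in the FreeBSD base system). The heredoc this shell text lives in starts before the hunk.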
@@ -1236,9 +1086,9 @@ EOE;
$snort_sh_text4[] = <<<EOF
-pid_s=`/bin/ps -auwx | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$2;}'`
+pid_s=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'`
sleep 3
-pid_b=`/bin/ps -auwx | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$2;}'`
+pid_b=`/bin/ps -ax | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'`
if [ \${pid_s} ] ; then
/bin/echo "snort.sh run" > /tmp/snort.sh.pid
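Review bot: `if [ \${pid_s} ] ; then` on the last line is an unquoted test: when the grep above matches more than one process, pid_s holds several space-separated PIDs and the test fails with a syntax error instead of branching, and an empty pid_s degrades to a bare `[ ]`. `if [ -n "\${pid_s}" ] ; then`, escaped the same way as the `\$1` already in this heredoc, is the robust spelling; wherever pid_b is tested further down it should get the same change. The shell snippet continues past the hunk.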
@@ -1270,26 +1120,13 @@ EOF;
rc_start() {
/bin/echo "snort.sh run" > /tmp/snort.sh.pid
-
- #### Remake the configs on boot Important!
- /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php &
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..."
-
$start_snort_iface_start
-
/bin/rm /tmp/snort.sh.pid
}
rc_stop() {
- #### Check for double starts, Pfsense has problems with that
- if /bin/ls /tmp/snort.sh.pid > /dev/null ; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running"
- exit 0
- fi
-
$start_snort_iface_stop
-
/bin/rm /tmp/snort.sh.pid
/bin/rm /var/run/snort*
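Review bot: rc_start still runs `/bin/echo "snort.sh run" > /tmp/snort.sh.pid` as root in the world-writable /tmp, and the shell redirect follows an existing symlink, so a local user who pre-creates /tmp/snort.sh.pid pointing at another file gets that file truncated at every boot; rc_stop's `/bin/rm /tmp/snort.sh.pid` likewise removes whatever is at that name. With the double-start check removed, nothing in this script appears to read the marker any more, so either drop it or move it to `/var/run/snort.sh.pid`; the PHP pages that clean up the pid after a crash (snort_interfaces_edit.php in this commit) presumably reference the same path and would need the matching change. rc_stop's closing brace is outside this hunk.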
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index c80bf672..2365bbea 100644
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -95,11 +95,6 @@
<item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/snort_rename.pl</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/pkg/pf/</prefix>
- <chmod>077</chmod>
- <item>http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php</item>
- </additional_files_needed>
- <additional_files_needed>
<prefix>/usr/local/www/snort/</prefix>
<chmod>077</chmod>
<item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item>
@@ -199,7 +194,7 @@
<custom_add_php_command>
</custom_add_php_command>
<custom_php_resync_config_command>
- sync_snort_package();
+ sync_snort_package_config();
</custom_php_resync_config_command>
<custom_php_install_command>
snort_postinstall();
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php
index c4ac1292..b647c007 100644
--- a/config/snort/snort_barnyard.php
+++ b/config/snort/snort_barnyard.php
@@ -115,7 +115,7 @@ if ($_POST) {
}
write_config();
- sync_snort_package_all($id, $if_real, $snort_uuid);
+ sync_snort_package_config();
/* after click go to this page */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index ddb1e378..e3238ef7 100644
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -159,7 +159,7 @@ if ($_POST) {
write_config();
- sync_snort_package_all($id, $if_real, $snort_uuid);
+ sync_snort_package_config();
/* after click go to this page */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
diff --git a/config/snort/snort_dynamic_ip_reload.php b/config/snort/snort_dynamic_ip_reload.php
deleted file mode 100644
index 66bc505c..00000000
--- a/config/snort/snort_dynamic_ip_reload.php
+++ /dev/null
@@ -1,45 +0,0 @@
-<?php
-
-/* $Id$ */
-/*
- snort_dynamic_ip_reload.php
- Copyright (C) 2009 Robert Zeleya
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* NOTE: this file gets included from the pfSense filter.inc plugin process */
-/* NOTE: file location /usr/local/pkg/pf, all files in pf dir get exec on filter reloads */
-
-require_once("/usr/local/pkg/snort/snort.inc");
-
-if (file_exists('/var/run/snort_dynamic_ip_reload.dirty')) {
- exit();
-}
-
-exec('/usr/bin/touch /var/run/snort_dynamic_ip_reload.dirty');
-
-sync_snort_package_config();
-@unlink("/var/run/snort_dynamic_ip_reload.dirty");
-
-?>
diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php
index b00b107e..9174c24f 100644
--- a/config/snort/snort_interfaces.php
+++ b/config/snort/snort_interfaces.php
@@ -75,7 +75,7 @@ if (isset($_POST['del_x'])) {
conf_mount_ro();
}
- sync_snort_package_empty();
+ sync_snort_package_config();
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
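Review bot: sync_snort_package_config() is now called immediately after the `conf_mount_ro();` visible at the top of this hunk, yet the function it replaces is documented in snort.inc as `Expects filesystem rw` and ends with its own conf_mount_ro(), while the old sync_snort_package_all() mounted rw itself. Unless the body outside the shown hunks calls conf_mount_rw(), the config and rule writes here happen with the filesystem read-only on installs where conf_mount_rw() matters. Move `conf_mount_ro();` after the sync call, or have sync_snort_package_config() mount rw at its start; the other pages switched in this commit call it straight after write_config() and have the same question.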
@@ -98,7 +98,7 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) {
/* Log Iface stop */
exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Toggle for {$snort_uuid}_{$if_real}...'");
- sync_snort_package_all($id, $if_real, $snort_uuid);
+ sync_snort_package_config();
$tester2 = Running_Ck($snort_uuid, $if_real, $id);
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index 77f6cea7..b1a091e7 100644
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -284,7 +284,7 @@ if (isset($_GET['dup']))
write_config();
- sync_snort_package_all($id, $if_real, $snort_uuid);
+ sync_snort_package_config();
sleep(1);
/* if snort.sh crashed this will remove the pid */
@@ -303,7 +303,7 @@ if (isset($_GET['dup']))
if ($_POST["Submit2"]) {
- sync_snort_package_all($id, $if_real, $snort_uuid);
+ sync_snort_package_config();
sleep(1);
Running_Start($snort_uuid, $if_real, $id);
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index 9a47bb24..57fec1f1 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -103,7 +103,7 @@ if (!$input_errors) {
write_config();
/* create whitelist and homenet file then sync files */
- sync_snort_package_empty();
+ sync_snort_package_config();
/* forces page to reload new settings */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php
index 03ba1df8..fe3c54a5 100644
--- a/config/snort/snort_interfaces_whitelist_edit.php
+++ b/config/snort/snort_interfaces_whitelist_edit.php
@@ -184,7 +184,7 @@ if ($_POST['submit']) {
write_config();
/* create whitelist and homenet file then sync files */
- sync_snort_package_empty();
+ sync_snort_package_config();
header("Location: /snort/snort_interfaces_whitelist.php");
exit;
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index c5c7a4a8..7f89d433 100644
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -113,7 +113,7 @@ if ($_POST) {
write_config();
$if_real = snort_get_real_interface($pconfig['interface']);
- sync_snort_package_all($id, $if_real, $snort_uuid);
+ sync_snort_package_config();
/* after click go to this page */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php
index e0bdd882..9e3853f5 100644
--- a/config/snort/snort_rulesets.php
+++ b/config/snort/snort_rulesets.php
@@ -149,7 +149,7 @@ if ($_POST["Submit"]) {
$a_nat[$id]['rulesets'] = $enabled_items;
write_config();
- sync_snort_package_all($id, $if_real, $iface_uuid);
+ sync_snort_package_config();
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );