Diffstat (limited to 'config/snort')
-rwxr-xr-xconfig/snort/bin/snort2cbin0 -> 13508 bytes
-rw-r--r--config/snort/snort.inc751
-rw-r--r--config/snort/snort.xml274
-rw-r--r--config/snort/snort_advanced.xml118
-rw-r--r--config/snort/snort_alerts.php117
-rw-r--r--config/snort/snort_blocked.php138
-rw-r--r--config/snort/snort_check_for_rule_updates.php111
-rw-r--r--config/snort/snort_download_rules.php240
-rw-r--r--config/snort/snort_dynamic_ip_reload.php46
-rw-r--r--config/snort/snort_rules.php506
-rw-r--r--config/snort/snort_rules_edit.php202
-rw-r--r--config/snort/snort_rulesets.php162
-rw-r--r--config/snort/snort_whitelist.xml121
-rw-r--r--config/snort/snort_xmlrpc_sync.php114
14 files changed, 2900 insertions, 0 deletions
diff --git a/config/snort/bin/snort2c b/config/snort/bin/snort2c
new file mode 100755
index 00000000..fdc91ac8
--- /dev/null
+++ b/config/snort/bin/snort2c
Binary files differ
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
new file mode 100644
index 00000000..a8b16681
--- /dev/null
+++ b/config/snort/snort.inc
@@ -0,0 +1,751 @@
+<?php
+/* $Id$ */
+/*
+ snort.inc
+ Copyright (C) 2006 Scott Ullrich
+ part of pfSense
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+require_once("pfsense-utils.inc");
+
+/* define oinkid */
+if($config['installedpackages']['snort'])
+ $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode'];
+
+function sync_package_snort_reinstall()
+{
+ global $config;
+ if(!$config['installedpackages']['snort'])
+ return;
+
+ /* create snort configuration file */
+ create_snort_conf();
+
+ /* start snort service */
+ start_service("snort");
+}
+
+function sync_package_snort()
+{
+ global $config, $g;
+
+ mwexec("mkdir -p /var/log/snort/");
+
+ if(!file_exists("/var/log/snort/alert"))
+ touch("/var/log/snort/alert");
+
+ /* snort -> advanced features */
+ $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize'];
+ $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize'];
+ $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns'];
+
+ /* set the snort performance model */
+ if($config['installedpackages']['snort']['config'][0]['performance'])
+ $snort_performance = $config['installedpackages']['snort']['config'][0]['performance'];
+ else
+ $snort_performance = "ac-bnfa";
+
+ conf_mount_rw();
+ /* create a few directories and ensure the sample files are in place */
+ exec("/bin/mkdir -p /usr/local/etc/snort");
+ exec("/bin/mkdir -p /var/log/snort");
+ exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config");
+ exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators");
+ exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config");
+ exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid");
+ exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
+ exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("/bin/rm -f /usr/local/etc/rc.d/snort");
+
+ $first = 0;
+ $snortInterfaces = array(); /* -gtm */
+
+ $if_list = $config['installedpackages']['snort']['config'][0]['iface_array'];
+ $if_array = split(',', $if_list);
+ //print_r($if_array);
+ if($if_array) {
+ foreach($if_array as $iface) {
+ $if = convert_friendly_interface_to_real_interface_name($iface);
+
+ if($config['interfaces'][$iface]['ipaddr'] == "pppoe") {
+ $if = "ng0";
+ }
+
+ /* build a list of user specified interfaces -gtm */
+ if($if){
+ array_push($snortInterfaces, $if);
+ $first = 1;
+ }
+ }
+
+ if (count($snortInterfaces) < 1) {
+ //log_error("Snort will not start. You must select an interface for it to listen on.");
+ echo "Snort will not start. You must select an interface for it to listen on.";
+ return;
+ }
+ }
+ //print_r($snortInterfaces);
+
+ /* create log directory */
+ $start = "/bin/mkdir -p /var/log/snort";
+
+ /* snort advanced features - bpf tuning */
+ if($bpfbufsize)
+ $start .= ";sysctl net.bpf.bufsize={$bpfbufsize}";
+ if($bpfmaxbufsize)
+ $start .= ";sysctl net.bpf.maxbufsize={$bpfmaxbufsize}";
+ if($bpfmaxinsns)
+ $start .= ";sysctl net.bpf.maxinsns={$bpfmaxinsns}";
+
+ /* go ahead and issue bpf changes */
+ if($bpfbufsize)
+ mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}");
+ if($bpfmaxbufsize)
+ mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}");
+ if($bpfmaxinsns)
+ mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}");
+
+ /* always stop snort2c before starting snort -gtm */
+ $start .= ";/usr/bin/killall snort2c";
+
+ /* start a snort process for each interface -gtm */
+ /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */
+ foreach($snortInterfaces as $snortIf)
+ {
+ $start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -i {$snortIf} -A fast -D";
+ }
+
+ /* if block offenders is checked, start snort2c */
+ if($_POST['blockoffenders'])
+ $start .= ";sleep 8;snort2c -w /var/db/whitelist -a /var/log/snort/alert";
+
+ $sample_before = "\nBEFORE_MEM=`top | grep Free | grep Wired | awk '{print \$10}'`\n";
+ $sample_after = "\nAFTER_MEM=`top | grep Free | grep Wired | awk '{print \$10}'`\n";
+ $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nsleep 17";
+ $total_free_after = "\nTOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n";
+ $echo_usage = "\necho \"Ram free BEFORE starting Snort: \${BEFORE_MEM} -- Ram free AFTER starting Snort: \${AFTER_MEM}\" -- Mode {$snort_performance} -- Snort memory usage: \$TOTAL_USAGE | logger -p daemon.info -i -t SnortStartup\n";
+
+ /* write out rc.d start/stop file */
+ write_rcfile(array(
+ "file" => "snort.sh",
+ "start" => "{$sample_before}{$start}{$sleep_before_final}{$sample_after}{$echo_usage}",
+ "stop" => "/usr/bin/killall snort; killall snort2c"
+ )
+ );
+
+ /* create snort configuration file */
+ create_snort_conf();
+
+ /* start snort service */
+ conf_mount_ro();
+ start_service("snort");
+}
+
+function create_snort_conf() {
+ global $config, $g;
+ /* write out snort.conf */
+ $snort_conf_text = generate_snort_conf();
+ conf_mount_rw();
+ $conf = fopen("/usr/local/etc/snort/snort.conf", "w");
+ if(!$conf) {
+ log_error("Could not open /usr/local/etc/snort/snort.conf for writing.");
+ exit;
+ }
+ fwrite($conf, $snort_conf_text);
+ fclose($conf);
+ conf_mount_ro();
+}
+
+function snort_deinstall() {
+ $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php";
+ $filenamea = "/etc/crontab";
+ /* remove auto rules update helper */
+ remove_text_from_file($filenamea, $text_ww);
+ /* remove custom sysctl */
+ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480");
+ /* decrease bpf buffers back to 4096, from 20480 */
+ exec("/sbin/sysctl net.bpf.bufsize=4096");
+ exec("/usr/bin/killall snort");
+ sleep(5);
+ exec("/usr/bin/killall -9 snort");
+ exec("rm -f /usr/local/etc/rc.d/snort*");
+ exec("rm -rf /usr/local/etc/snort*");
+ exec("cd /var/db/pkg && pkg_delete `ls | grep snort`");
+}
+
+function generate_snort_conf() {
+ global $config, $g;
+ conf_mount_rw();
+ /* obtain external interface */
+ /* XXX: make multi wan friendly */
+ $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0];
+
+ $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru'];
+
+ /* add auto update scripts to /etc/crontab */
+ $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php";
+ $filenamea = "/etc/crontab";
+ remove_text_from_file($filenamea, $text_ww);
+ add_text_to_file($filenamea, $text_ww);
+ exec("killall -HUP cron");
+
+ /* should we install a automatic update crontab entry? */
+ $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate'];
+
+ /* if user is on pppoe, we really want to use ng0 interface */
+ if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe")
+ $snort_ext_int = "ng0";
+
+ /* set the snort performance model */
+ if($config['installedpackages']['snort']['config'][0]['performance'])
+ $snort_performance = $config['installedpackages']['snort']['config'][0]['performance'];
+ else
+ $snort_performance = "ac-bnfa";
+
+ /* open snort2c's whitelist for writing */
+ $whitelist = fopen("/var/db/whitelist", "w");
+ if(!$whitelist) {
+ log_error("Could not open /var/db/whitelist for writing.");
+ return;
+ }
+
+ /* build an interface array list */
+ $int_array = array('lan');
+ for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++)
+ if(isset($config['interfaces']['opt' . $j]['enable']))
+ if(!$config['interfaces']['opt' . $j]['gateway'])
+ $int_array[] = "opt{$j}";
+
+ /* if user has defined a custom ssh port, use it */
+ if($config['system']['ssh']['port'])
+ $ssh_port = $config['system']['ssh']['port'];
+ else
+ $ssh_port = "22";
+
+ /* iterate through interface list and write out whitelist items
+ * and also compile a home_net list for snort.
+ */
+ foreach($int_array as $int) {
+ /* calculate interface subnet information */
+ $ifcfg = &$config['interfaces'][$int];
+ $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']);
+ $subnetmask = gen_subnet_mask($ifcfg['subnet']);
+ if($subnet == "pppoe" or $subnet == "dhcp") {
+ $subnet = find_interface_ip("ng0");
+ if($subnet)
+ $home_net .= "{$subnet} ";
+ } else {
+ if ($subnet)
+ if($ifcfg['subnet'])
+ $home_net .= "{$subnet}/{$ifcfg['subnet']} ";
+ }
+ }
+
+ /* add all WAN ips to the whitelist */
+ $wan_if = get_real_wan_interface();
+ $ip = find_interface_ip($wan_if);
+ if($ip)
+ $home_net .= "{$ip} ";
+
+ /* Add Gateway on WAN interface to whitelist (For RRD graphs) */
+ $int = convert_friendly_interface_to_real_interface_name("WAN");
+ $gw = get_interface_gateway($int);
+ if($gw)
+ $home_net .= "{$gw} ";
+
+ /* Add DNS server for WAN interface to whitelist */
+ $dns_servers = get_dns_servers();
+ foreach($dns_servers as $dns) {
+ if($dns)
+ $home_net .= "{$dns} ";
+ }
+
+ /* Add loopback to whitelist (ftphelper) */
+ $home_net .= "127.0.0.1 ";
+
+ /* iterate all vips and add to whitelist */
+ if($config['virtualip'])
+ foreach($config['virtualip']['vip'] as $vip)
+ if($vip['subnet'])
+ $home_net .= $vip['subnet'] . " ";
+
+ if($config['installedpackages']['snortwhitelist'])
+ foreach($config['installedpackages']['snortwhitelist']['config'] as $snort)
+ if($snort['ip'])
+ $home_net .= $snort['ip'] . " ";
+
+ /* write out whitelist, convert spaces to carriage returns */
+ $whitelist_home_net = str_replace(" ", " ", $home_net);
+ $whitelist_home_net = str_replace(" ", "\n", $home_net);
+
+ /* make $home_net presentable to snort */
+ $home_net = trim($home_net);
+ $home_net = str_replace(" ", ",", $home_net);
+ $home_net = "[{$home_net}]";
+
+ /* foreach through whitelist, writing out to file */
+ $whitelist_split = split("\n", $whitelist_home_net);
+ foreach($whitelist_split as $wl)
+ if(trim($wl))
+ fwrite($whitelist, trim($wl) . "\n");
+
+ /* should we whitelist vpns? */
+ $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns'];
+
+ /* grab a list of vpns and whitelist if user desires */
+ if($whitelistvpns) {
+ $vpns_list = get_vpns_list();
+ $whitelist_vpns = split(" ", $vpns_list);
+ foreach($whitelist_split as $wl)
+ if(trim($wl))
+ fwrite($whitelist, trim($wl) . "\n");
+ }
+
+ /* close file */
+ fclose($whitelist);
+
+ /* generate rule sections to load */
+ $enabled_rulesets = $config['installedpackages']['snort']['rulesets'];
+ if($enabled_rulesets) {
+ $selected_rules_sections = "";
+ $enabled_rulesets_array = split("\|\|", $enabled_rulesets);
+ foreach($enabled_rulesets_array as $enabled_item)
+ $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
+ }
+
+ conf_mount_ro();
+
+ /* build snort configuration file */
+ $snort_conf_text = <<<EOD
+
+# snort configuration file
+# generated by the pfSense
+# package manager system
+# see /usr/local/pkg/snort.inc
+# for more information
+
+var HOME_NET {$home_net}
+var EXTERNAL_NET !\$HOME_NET
+
+var DNS_SERVERS \$HOME_NET
+var SMTP_SERVERS \$HOME_NET
+var HTTP_SERVERS \$HOME_NET
+var SQL_SERVERS \$HOME_NET
+var TELNET_SERVERS \$HOME_NET
+var SNMP_SERVERS \$HOME_NET
+var FTP_SERVERS \$HOME_NET
+var SSH_SERVERS \$HOME_NET
+var POP_SERVERS \$HOME_NET
+var IMAP_SERVERS \$HOME_NET
+var RPC_SERVERS \$HOME_NET
+var WWW_SERVERS \$HOME_NET
+var AIM_SERVERS \
+[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
+
+portvar HTTP_PORTS 80
+portvar SHELLCODE_PORTS !80
+portvar ORACLE_PORTS 1521
+portvar AUTH_PORTS 113
+portvar DNS_PORTS 53
+portvar FINGER_PORTS 79
+portvar FTP_PORTS 21
+portvar IMAP_PORTS 143
+portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
+portvar MSSQL_PORTS 1433
+portvar NNTP_PORTS 119
+portvar POP2_PORTS 109
+portvar POP3_PORTS 110
+portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
+portvar RLOGIN_PORTS 513
+portvar RSH_PORTS 514
+portvar SMB_PORTS [139,445]
+portvar SMTP_PORTS 25
+portvar SNMP_PORTS 161
+portvar SSH_PORTS {$ssh_port}
+portvar TELNET_PORTS 23
+portvar MAIL_PORTS [25,143,465,691]
+portvar SSL_PORTS [25,443,465,636,993,995]
+
+var RULE_PATH /usr/local/etc/snort/rules
+
+# Configure the snort decoder
+config checksum_mode: all
+config disable_decode_alerts
+config disable_tcpopt_experimental_alerts
+config disable_tcpopt_obsolete_alerts
+config disable_ttcp_alerts
+config disable_tcpopt_alerts
+config disable_ipopt_alerts
+config disable_decode_drops
+
+#Configure the detection engine
+#Use lower memory models
+config detection: search-method {$snort_performance}
+config detection: max_queue_events 5
+config event_queue: max_queue 8 log 3 order_events content_length
+
+#Configure dynamic loaded libraries
+dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_dcerpc_preproc.so
+dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_dns_preproc.so
+dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so
+dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_smtp_preproc.so
+dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ssh_preproc.so
+
+dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
+
+#Flow and stream
+
+preprocessor frag3_global: max_frags 8192
+preprocessor frag3_engine: policy last detect_anomalies
+preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
+track_udp yes, track_icmp yes
+preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes
+preprocessor stream5_udp
+preprocessor stream5_icmp
+
+#HTTP Inspect
+preprocessor http_inspect: global iis_unicode_map unicode.map 1252
+
+preprocessor http_inspect_server: server default \
+ ports { 80 8080 3128 } \
+ no_alerts \
+ non_strict \
+ non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
+ flow_depth 0 \
+ apache_whitespace yes \
+ directory no \
+ iis_backslash no \
+ u_encode yes \
+ ascii no \
+ chunk_length 500000 \
+ bare_byte yes \
+ double_decode yes \
+ iis_unicode yes \
+ iis_delimiter yes \
+ multi_slash no
+
+#Other preprocs
+preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
+preprocessor bo
+
+preprocessor ftp_telnet: global \
+inspection_type stateless
+preprocessor ftp_telnet_protocol: \
+ ftp server default \
+ def_max_param_len 100 \
+ ports { 21 } \
+ ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
+ ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
+ ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
+ ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
+ ftp_cmds { FEAT OPTS CEL CMD MACB } \
+ ftp_cmds { MDTM REST SIZE MLST MLSD } \
+ ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
+ alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
+ alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
+ alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
+ alt_max_param_len 256 { RNTO CWD } \
+ alt_max_param_len 400 { PORT } \
+ alt_max_param_len 512 { SIZE } \
+ chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
+ chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
+ chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
+ chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
+ chk_str_fmt { FEAT CEL CMD } \
+ chk_str_fmt { MDTM REST SIZE MLST MLSD } \
+ chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
+ cmd_validity MODE < char ASBCZ > \
+ cmd_validity STRU < char FRP > \
+ cmd_validity ALLO < int [ char R int ] > \
+ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
+ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+ cmd_validity PORT < host_port >
+preprocessor ftp_telnet_protocol: ftp client default \
+ max_resp_len 100
+
+preprocessor SMTP: \
+ ports { 25 465 691 } \
+ inspection_type stateful \
+ normalize cmds \
+ valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
+CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
+PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ max_header_line_len 1000 \
+ max_response_line_len 512 \
+ alt_max_command_line_len 260 { MAIL } \
+ alt_max_command_line_len 300 { RCPT } \
+ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
+ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
+ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
+ alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
+ alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ xlink2state { enable }
+
+
+
+
+#sf Portscan
+preprocessor sfportscan: proto { all } \
+ scan_type { all } \
+ sense_level { low } \
+ ignore_scanners { \$HOME_NET }
+
+preprocessor dcerpc: \
+ autodetect \
+ max_frag_size 3000 \
+ memcap 100000
+
+preprocessor dns: ports { 53 } enable_rdata_overflow
+
+#Output plugins
+#output database: alert
+output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
+
+output alert_unified: filename alert
+
+#Required files
+include /usr/local/etc/snort/classification.config
+include /usr/local/etc/snort/reference.config
+
+# Include any thresholding or suppression commands. See threshold.conf in the
+# include threshold.conf
+
+# Snort user pass through configuration
+{$snort_config_pass_thru}
+
+#Rulesets, all optional
+{$selected_rules_sections}
+
+EOD;
+
+ return $snort_conf_text;
+}
+
+/* check downloaded text from snort.org to make sure that an error did not occur
+ * for example, if you are not a premium subscriber you can only download rules
+ * so often, etc.
+ */
+function check_for_common_errors($filename) {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+ ob_flush();
+ $contents = file_get_contents($filename);
+ if(stristr($contents, "You don't have permission")) {
+ if(!$console_mode) {
+ update_all_status("An error occured. Scroll down to inspect it's contents.");
+ hide_progress_bar_status();
+ } else {
+ log_error("An error occured. Scroll down to inspect it's contents.");
+ echo "An error occured. Scroll down to inspect it's contents.";
+ }
+ if(!$console_mode) {
+ echo "
+ <center>
+ <div id='error' style='background:white;width:90%'>
+ <!-- TODO: The below paragraphs are kind of stupid. Use CSS instead -->
+ <p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p>
+ <p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p>
+ <p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p>
+ <p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p>
+ <p>The following error occured while downloading the snort rules file from snort.org:</p>
+ {$contents}
+ <p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p><p>&nbsp;</p>
+ </div>
+ </center>
+ ";
+ } else {
+ $contents = strip_tags($contents);
+ log_error("Error downloading snort rules: {$contents}");
+ echo "Error downloading snort rules: {$contents}";
+ }
+ scroll_down_to_bottom_of_page();
+ exit;
+ }
+}
+
+/* force browser to scroll all the way down */
+function scroll_down_to_bottom_of_page() {
+ global $snort_filename, $console_mode;
+ ob_flush();
+ if(!$console_mode)
+ echo "\n<script type=\"text/javascript\">parent.scrollTo(0,1500);\n</script>";
+}
+
+/* ensure downloaded file looks sane */
+function verify_downloaded_file($filename) {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+ ob_flush();
+ if(filesize($filename)<9500) {
+ if(!$console_mode) {
+ update_all_status("Checking {$filename}...");
+ check_for_common_errors($filename);
+ }
+ }
+ update_all_status("Verifying {$filename}...");
+ if(!file_exists($filename)) {
+ if(!$console_mode) {
+ update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again.");
+ hide_progress_bar_status();
+ } else {
+ log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again.");
+ echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again.";
+ }
+ exit;
+ }
+ update_all_status("Verifyied {$filename}.");
+}
+
+/* extract rules */
+function extract_snort_rules_md5($tmpfname) {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+ ob_flush();
+ if(!$console_mode) {
+ $static_output = gettext("Extracting snort rules...");
+ update_all_status($static_output);
+ }
+ exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/");
+ if(!$console_mode) {
+ $static_output = gettext("Snort rules extracted.");
+ update_all_status($static_output);
+ } else {
+ log_error("Snort rules extracted.");
+ echo "Snort rules extracted.";
+ }
+}
+
+/* verify MD5 against downloaded item */
+function verify_snort_rules_md5($tmpfname) {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+ ob_flush();
+ if(!$console_mode) {
+ $static_output = gettext("Verifying md5 signature...");
+ update_all_status($static_output);
+ }
+ $md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
+ $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`;
+ if($md5 <> $file_md5_ondisk) {
+ if(!$console_mode) {
+ $static_output = gettext("snort rules: md5 signature of rules mismatch.");
+ update_all_status($static_output);
+ hide_progress_bar_status();
+ } else {
+ log_error("snort rules: md5 signature of rules mismatch.");
+ echo "snort rules: md5 signature of rules mismatch.";
+ }
+ exit;
+ }
+}
+
+/* hide progress bar */
+function hide_progress_bar_status() {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+ ob_flush();
+ if(!$console_mode)
+ echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>";
+}
+
+/* update both top and bottom text box during an operation */
+function update_all_status($status) {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+ ob_flush();
+ if(!$console_mode) {
+ update_status($status);
+ update_output_window($status);
+ }
+}
+
+/* obtain alert description for an ip address */
+function get_snort_alert($ip) {
+ global $snort_alert_file_split, $snort_config;
+ if(!file_exists("/var/log/snort/alert"))
+ return;
+ if(!$snort_config)
+ $snort_config = read_snort_config_cache();
+ if($snort_config[$ip])
+ return $snort_config[$ip];
+ if(!$snort_alert_file_split)
+ $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert"));
+ foreach($snort_alert_file_split as $fileline) {
+ if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
+ $alert_title = $matches[2];
+ if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches))
+ $alert_ip = $matches[0];
+ if($alert_ip == $ip) {
+ if(!$snort_config[$ip])
+ $snort_config[$ip] = $alert_title;
+ return $alert_title;
+ }
+ }
+ return "n/a";
+}
+
+function make_clickable($buffer) {
+ global $config, $g;
+ /* if clickable urls is disabled, simply return buffer back to caller */
+ $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode'];
+ if(!$clickablalerteurls)
+ return $buffer;
+ $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer);
+ $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer);
+ $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","<a href=\"mailto:\\1\">\\1</a>", $buffer);
+ $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $buffer);
+ $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"ftp://\\2\" target=\"_blank\">\\2</a>", $buffer);
+
+ return $buffer;
+}
+
+function read_snort_config_cache() {
+ global $g, $config, $snort_config;
+ if($snort_config)
+ return $snort_config;
+ if(file_exists($g['tmp_path'] . '/snort_config.cache')) {
+ $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache'));
+ return $snort_config;
+ }
+ return;
+}
+
+function write_snort_config_cache($snort_config) {
+ global $g, $config;
+ conf_mount_rw();
+ $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w");
+ if(!$configcache) {
+ log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing.");
+ return false;
+ }
+ fwrite($configcache, serialize($snort_config));
+ fclose($configcache);
+ conf_mount_ro();
+ return true;
+}
+
+function snort_advanced() {
+ global $g, $config;
+ sync_package_snort();
+}
+
+?>
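Review bot: `sync_package_snort()` decides whether to launch snort2c from `$_POST['blockoffenders']` (the line `if($_POST['blockoffenders'])`), so the generated snort.sh only starts the blocker when the function runs inside a form submission; `sync_package_snort_reinstall()` and `snort_advanced()` call it with no POST data and silently write a start script without blocking. It should read the persisted setting instead, e.g. `if($config['installedpackages']['snort']['config'][0]['blockoffenders'])` — the snort.xml field name is not visible in this hunk, so confirm it matches. In `generate_snort_conf()` the VPN branch iterates `$whitelist_split` again rather than the freshly built `$whitelist_vpns`, so VPN addresses are never written to /var/db/whitelist and the home_net entries are duplicated; change that loop header to `foreach($whitelist_vpns as $wl)`. `make_clickable()` gates on `oinkmastercode` rather than a clickable-URL setting and places regex-matched text straight into `href` attributes without `htmlspecialchars()`, while `check_for_common_errors()` echoes the raw `{$contents}` fetched from snort.org into the page, so both reflect unescaped external text into admin HTML. `read_snort_config_cache()` also calls `unserialize()` on a file under `$g['tmp_path']`; since the cache only holds ip-to-title strings, `json_encode`/`json_decode` would be a safer format.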
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
new file mode 100644
index 00000000..6ba362c0
--- /dev/null
+++ b/config/snort/snort.xml
@@ -0,0 +1,274 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfsense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>Snort</name>
+ <version>2.8.2.2</version>
+ <title>Services: Snort</title>
+ <include_file>/usr/local/pkg/snort.inc</include_file>
+ <menu>
+ <name>Snort</name>
+ <tooltiptext>Setup snort specific settings</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=snort.xml&amp;id=0</url>
+ </menu>
+ <service>
+ <name>snort</name>
+ <rcfile>snort.sh</rcfile>
+ <executable>snort</executable>
+ </service>
+ <tabs>
+ <tab>
+ <text>Settings</text>
+ <url>/pkg_edit.php?xml=snort.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Update Rules</text>
+ <url>/snort_download_rules.php</url>
+ </tab>
+ <tab>
+ <text>Categories</text>
+ <url>/snort_rulesets.php</url>
+ </tab>
+ <tab>
+ <text>Rules</text>
+ <url>/snort_rules.php</url>
+ </tab>
+ <tab>
+ <text>Blocked</text>
+ <url>/snort_blocked.php</url>
+ </tab>
+ <tab>
+ <text>Whitelist</text>
+ <url>/pkg.php?xml=snort_whitelist.xml</url>
+ </tab>
+ <tab>
+ <text>Alerts</text>
+ <url>/snort_alerts.php</url>
+ </tab>
+ <tab>
+ <text>Advanced</text>
+ <url>/pkg_edit.php?xml=snort_advanced.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/bin/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/bin/snort2c</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/bin/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/bin/mons2c</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_download_rules.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_rules.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_rules_edit.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_rulesets.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_whitelist.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_blocked.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_check_for_rule_updates.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_advanced.xml</item>
+ </additional_files_needed>
+ <fields>
+ <field>
+ <fielddescr>Interface</fielddescr>
+ <fieldname>iface_array</fieldname>
+ <description>Select the interface(s) Snort will listen on.</description>
+ <type>interfaces_selection</type>
+ <size>3</size>
+ <value>lan</value>
+ <multiple>true</multiple>
+ </field>
+ <field>
+ <fielddescr>Performance</fielddescr>
+ <fieldname>performance</fieldname>
+ <description>ac method is the fastest startup but consumes a lot more memory. acs/ac-banded and ac-sparsebands/mwm/lowmem methods use quite a bit less. ac-sparsebands is recommended.</description>
+ <type>select</type>
+ <options>
+ <option>
+ <name>ac-bnfa</name>
+ <value>ac-bnfa</value>
+ </option>
+ <option>
+ <name>lowmem</name>
+ <value>lowmem</value>
+ </option>
+ <option>
+ <name>ac-std</name>
+ <value>ac-std</value>
+ </option>
+ <option>
+ <name>ac</name>
+ <value>ac</value>
+ </option>
+ <option>
+ <name>ac-banded</name>
+ <value>ac-banded</value>
+ </option>
+ <option>
+ <name>ac-sparsebands</name>
+ <value>ac-sparsebands</value>
+ </option>
+ <option>
+ <name>acs</name>
+ <value>acs</value>
+ </option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Oinkmaster code</fielddescr>
+ <fieldname>oinkmastercode</fieldname>
+ <description>Obtain a snort.org Oinkmaster code and paste here.</description>
+ <type>input</type>
+ <size>60</size>
+ <value></value>
+ </field>
+ <field>
+ <fielddescr>Snort.org subscriber</fielddescr>
+ <fieldname>subscriber</fieldname>
+ <description>Check this box if you are a Snort.org subscriber (premium rules).</description>
+ <type>checkbox</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Block offenders</fielddescr>
+ <fieldname>blockoffenders</fieldname>
+ <description>Checking this option will automatically block hosts that generate a snort alert.</description>
+ <type>checkbox</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Update rules automatically</fielddescr>
+ <fieldname>automaticrulesupdate</fieldname>
+ <description>Checking this option will automatically check for and update rules once a week from snort.org.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Whitelist VPNs automatically</fielddescr>
+ <fieldname>whitelistvpns</fieldname>
+ <description>Checking this option will install whitelists for all VPNs.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Convert Snort alerts urls to clickable links</fielddescr>
+ <fieldname>clickablalerteurls</fieldname>
+ <description>Checking this option will automatically convert URLs in the Snort alerts tab to clickable links.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Associate events on Blocked tab</fielddescr>
+ <fieldname>associatealertip</fieldname>
+ <description>Checking this option will automatically associate the blocked reason from the snort alerts file.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Sync Snort configuration to secondary cluster members</fielddescr>
+ <fieldname>syncxmlrpc</fieldname>
+ <description>Checking this option will automatically sync the snort configuration via XMLRPC to CARP cluster members.</description>
+ <type>checkbox</type>
+ </field>
+ </fields>
+ <custom_add_php_command>
+ sync_package_snort();
+ </custom_add_php_command>
+ <custom_php_resync_config_command>
+ sync_package_snort();
+ </custom_php_resync_config_command>
+ <custom_php_install_command>
+ sync_package_snort_reinstall();
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ snort_deinstall();
+ </custom_php_deinstall_command>
+</packagegui>
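Review bot: Every `<additional_files_needed>` entry installs its file with `<chmod>077</chmod>`, which, if the package installer applies it as an octal mode, leaves the owner with no permissions and gives group/other full read/write/execute on files under /usr/local/www and /usr/local/pkg; the conventional value for these entries is `<chmod>0755</chmod>` (the snort2c binary is the only one that needs the execute bit at all). Separately, the checkbox is declared here as `clickablalerteurls`, but make_clickable() in snort.inc reads `$config['installedpackages']['snort']['config'][0]['oinkmastercode']` instead, so this checkbox has no effect and link conversion is actually gated on whether an Oinkmaster code is set. One of the two names has to be corrected, and the fieldname itself looks like a typo for `clickablealerturls`. The `<description>` and `<requirements>` elements still carry the template placeholder text.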
diff --git a/config/snort/snort_advanced.xml b/config/snort/snort_advanced.xml
new file mode 100644
index 00000000..35db6945
--- /dev/null
+++ b/config/snort/snort_advanced.xml
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>SnortAdvanced</name>
+ <version>none</version>
+ <title>Services: Snort Advanced</title>
+ <include_file>/usr/local/pkg/snort.inc</include_file>
+ <tabs>
+ <tab>
+ <text>Settings</text>
+ <url>/pkg_edit.php?xml=snort.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Update Rules</text>
+ <url>/snort_download_rules.php</url>
+ </tab>
+ <tab>
+ <text>Categories</text>
+ <url>/snort_rulesets.php</url>
+ </tab>
+ <tab>
+ <text>Rules</text>
+ <url>/snort_rules.php</url>
+ </tab>
+ <tab>
+ <text>Blocked</text>
+ <url>/snort_blocked.php</url>
+ </tab>
+ <tab>
+ <text>Whitelist</text>
+ <url>/pkg.php?xml=snort_whitelist.xml</url>
+ </tab>
+ <tab>
+ <text>Alerts</text>
+ <url>/snort_alerts.php</url>
+ </tab>
+ <tab>
+ <text>Advanced</text>
+ <url>/pkg_edit.php?xml=snort_advanced.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <fielddescr>BPF Buffer size</fielddescr>
+ <fieldname>bpfbufsize</fieldname>
+ <description>Changing this option adjusts the system BPF buffer size. Leave blank if you do not know what this does. Default is 1024.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Maximum BPF buffer size</fielddescr>
+ <fieldname>bpfmaxbufsize</fieldname>
+ <description>Changing this option adjusts the system maximum BPF buffer size. Leave blank if you do not know what this does. Default is 524288. This value should never be set above hardware cache size. The best (optimal size) is 50% - 80% of the hardware cache size.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Maximum BPF inserts</fielddescr>
+ <fieldname>bpfmaxinsns</fieldname>
+ <description>Changing this option adjusts the system maximum BPF insert size. Leave blank if you do not know what this does. Default is 512.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Advanced configuration pass through</fielddescr>
+ <fieldname>configpassthru</fieldname>
+ <description>Add items to here will be automatically inserted into the running snort configuration</description>
+ <type>textarea</type>
+ <cols>40</cols>
+ <rows>5</rows>
+ </field>
+ </fields>
+ <custom_php_deinstall_command>
+ snort_advanced();
+ </custom_php_deinstall_command>
+</packagegui>
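Review bot: `snort_advanced()` is wired only to `<custom_php_deinstall_command>`, so saving the BPF or pass-through fields on this page never regenerates the Snort configuration; snort_advanced() in snort.inc just calls sync_package_snort(), which is what a save should trigger, and snort.xml hooks the same call to the resync command. Change the element to `<custom_php_resync_config_command>snort_advanced();</custom_php_resync_config_command>` (adding `<custom_add_php_command>` as snort.xml does if pkg_edit needs it), and decide whether deinstall of this sub-page should really resync the main package. The `configpassthru` textarea is inserted unmodified into the generated Snort configuration, and its description should say so plainly, e.g. `Lines entered here are inserted unmodified into the generated snort.conf; a malformed directive will likely stop Snort from starting.`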
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php
new file mode 100644
index 00000000..70b53656
--- /dev/null
+++ b/config/snort/snort_alerts.php
@@ -0,0 +1,117 @@
+<?php
+/* $Id$ */
+/*
+ snort_alerts.php
+ part of pfSense
+
+ Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("globals.inc");
+require("guiconfig.inc");
+require("/usr/local/pkg/snort.inc");
+
+$snort_logfile = "{$g['varlog_path']}/snort/alert";
+
+$nentries = $config['syslog']['nentries'];
+if (!$nentries)
+ $nentries = 50;
+
+if ($_POST['clear']) {
+ exec("killall syslogd");
+ exec("rm {$snort_logfile}; touch {$snort_logfile}");
+ system_syslogd_start();
+ exec("/usr/bin/killall -HUP snort");
+ exec("/usr/bin/killall snort2c");
+ if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on')
+ exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert");
+}
+
+$pgtitle = "Services: Snort: Snort Alerts";
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<p class="pgtitle"><?=$pgtitle?></p>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr><td>
+<?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0");
+ $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php");
+ $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php");
+ $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php");
+ $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php");
+ $tab_array[] = array(gettext("Whitelist"),false, "/pkg.php?xml=snort_whitelist.xml");
+ $tab_array[] = array(gettext("Alerts"), true, "/snort_alerts.php");
+ $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0");
+ display_top_tabs($tab_array);
+?>
+ </td></tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td colspan="2" class="listtopic">
+ Last <?=$nentries;?> Snort Alert entries</td>
+ </tr>
+ <?php dump_log_file($snort_logfile, $nentries); ?>
+ <tr><td><br><form action="snort_alerts.php" method="post">
+ <input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr>
+ </table>
+ </div>
+ </form>
+ </td>
+ </tr>
+</table>
+<?php include("fend.inc"); ?>
+<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>">
+</body>
+</html>
+<!-- <?php echo $snort_logfile; ?> -->
+
+<?php
+
+function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") {
+ global $g, $config;
+ $logarr = "";
+ exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr);
+ foreach ($logarr as $logent) {
+ if(!logent)
+ continue;
+ $ww_logent = $logent;
+ $ww_logent = str_replace("[", " [ ", $ww_logent);
+ $ww_logent = str_replace("]", " ] ", $ww_logent);
+ echo "<tr valign=\"top\">\n";
+ echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . "&nbsp;</td>\n";
+ echo "</tr>\n";
+ }
+}
+
+?> \ No newline at end of file
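Review bot: In dump_log_file() the guard `if(!logent)` is missing the `$`, so it tests a bare constant (an always-truthy string on older PHP, a fatal Error on PHP 8) and never skips an empty line; it should read `if(!$logent)`. The log lines are also written into the table through make_clickable() with no htmlspecialchars() pass, and because make_clickable() itself emits anchor tags, the escaping has to come first, e.g. `make_clickable(htmlspecialchars($ww_logent))`; whether Snort alert text can carry markup depends on the rule set in use, but the alert file is not a trusted source and should be escaped like any other log. `$tail` is interpolated into the exec() string straight from `$config['syslog']['nentries']`; casting it with `(int)` costs nothing and pins down the assumption that it is numeric. The `<form>` is opened inside one `<tr>` and closed outside the table (`</form>` after `</div>`), which browsers tolerate but validators will not.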
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
new file mode 100644
index 00000000..29ecf38c
--- /dev/null
+++ b/config/snort/snort_blocked.php
@@ -0,0 +1,138 @@
+<?php
+/* $Id$ */
+/*
+ snort_blocked.php
+ Copyright (C) 2006 Scott Ullrich
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+require("/usr/local/pkg/snort.inc");
+
+if($_POST['todelete'] or $_GET['todelete']) {
+ if($_POST['todelete'])
+ $ip = $_POST['todelete'];
+ if($_GET['todelete'])
+ $ip = $_GET['todelete'];
+ exec("/sbin/pfctl -t snort2c -T delete {$ip}");
+}
+
+$pgtitle = "Snort: Snort Blocked";
+include("head.inc");
+
+?>
+
+<body link="#000000" vlink="#000000" alink="#000000">
+<?php include("fbegin.inc"); ?>
+
+<p class="pgtitle"><?=$pgtitle?></font></p>
+
+<form action="snort_rulesets.php" method="post" name="iform" id="iform">
+<script src="/row_toggle.js" type="text/javascript"></script>
+<script src="/javascript/sorttable.js" type="text/javascript"></script>
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<table width="99%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+<?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0");
+ $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php");
+ $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php");
+ $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php");
+ $tab_array[] = array(gettext("Blocked"), true, "/snort_blocked.php");
+ $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml");
+ $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php");
+ $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0");
+ display_top_tabs($tab_array);
+?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr id="frheader">
+ <td width="5%" class="listhdrr">Remove</td>
+ <td class="listhdrr">IP</td>
+ <td class="listhdrr">Alert Description</td>
+ </tr>
+<?php
+
+ $associatealertip = $config['installedpackages']['snort']['config'][0]['associatealertip'];
+ $ips = `/sbin/pfctl -t snort2c -T show`;
+ $ips_array = split("\n", $ips);
+ $counter = 0;
+ foreach($ips_array as $ip) {
+ if(!$ip)
+ continue;
+ $ww_ip = str_replace(" ", "", $ip);
+ $counter++;
+ if($associatealertip)
+ $alert_description = get_snort_alert($ww_ip);
+ else
+ $alert_description = "";
+ echo "\n<tr>";
+ echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>";
+ echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"./themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>";
+ echo "\n<td>&nbsp;{$ww_ip}</td>";
+ echo "\n<td>&nbsp;{$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>";
+ echo "\n</tr>";
+ }
+ echo "\n<tr><td colspan='3'>&nbsp;</td></tr>";
+ if($counter < 1)
+ echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>";
+ else
+ echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>";
+
+?>
+
+ </table>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ </tr>
+</table>
+
+</form>
+
+<p>
+
+This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every 60 minutes.
+<?php include("fend.inc"); ?>
+
+</body>
+</html>
+
+<?php
+
+/* write out snort cache */
+write_snort_config_cache($snort_config);
+
+?> \ No newline at end of file
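Review bot: The `todelete` value is taken from `$_POST`/`$_GET` and interpolated unvalidated into `exec("/sbin/pfctl -t snort2c -T delete {$ip}")`, so whatever is placed in that parameter reaches the shell as part of the command, and because GET is accepted a crafted link is enough to trigger it; validate and quote it, e.g. `if (!is_ipaddr($ip)) { $input_errors[] = "Invalid address."; } else { exec("/sbin/pfctl -t snort2c -T delete " . escapeshellarg($ip)); }` (is_ipaddr() is the pfSense helper). The `<form>` posts to snort_rulesets.php rather than this page, which looks like a copy-paste leftover since the delete icons are plain GET links and nothing here reads a POSTed form. The closing `write_snort_config_cache($snort_config)` serialises `$snort_config`, which nothing on this page assigns or loads via read_snort_config_cache(), so each view overwrites the cache file with an empty value; either drop the call or load the cache first. The alert-description column is built from get_snort_alert() output echoed without htmlspecialchars(), which needs the same escaping treatment as the alerts page.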
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
new file mode 100644
index 00000000..92f32900
--- /dev/null
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -0,0 +1,111 @@
+#!/usr/local/bin/php -f
+<?php
+
+/* $Id$ */
+/*
+ snort_check_for_rule_updates.php
+ Copyright (C) 2006 Scott Ullrich
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+$console_mode = true;
+
+require_once("config.inc");
+require_once("functions.inc");
+require_once("/usr/local/pkg/snort.inc");
+require_once("service-utils.inc");
+
+/* check to see if carp settings exist, and get a handle */
+if($config['installedpackages']['carpsettings']) {
+ $carp = &$config['installedpackages']['carpsettings']['config'][0];
+ $password = $carp['password'];
+}
+
+/* if we are not a CARP cluster master, sleep for a random
+ * amount of time allowing for other members to download the configuration
+ */
+if(!$password) {
+ $sleepietime = rand(5,700);
+ sleep($sleepietime);
+}
+
+$last_ruleset_download = $config['installedpackages']['snort']['last_ruleset_download'];
+ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
+$text = file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");
+if (preg_match_all("/.*RELEASED\: (.*)\</", $text, $matches))
+ $last_update_date = trim($matches[1][0]);
+$date1ts = strtotime($last_update_date);
+$date2ts = strtotime($last_ruleset_download);
+/* is there a newer ruleset available? */
+if($date1ts > $date2ts or !$last_ruleset_download) {
+ log_error("There is a new set of Snort rules posted. Downloading...");
+ if(!$oinkid) {
+ log_error("Oinkid is not defined. We cannot automatically update the ruleset.");
+ echo "Oinkid is not defined. We cannot automatically update the ruleset.";
+ exit;
+ }
+ echo "Downloading snort rule updates...";
+ /* setup some variables */
+ $snort_filename = "snortrules-snapshot-CURRENT.tar.gz";
+ $snort_filename_md5 = "snortrules-snapshot-CURRENT.tar.gz.md5";
+ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
+ $dl = "http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}";
+ $dl_md5 = "http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}";
+
+ /* multi user system, request new filename and create directory */
+ $tmpfname = tempnam("/tmp", "snortRules");
+ exec("/bin/rm -rf {$tmpfname};/bin/mkdir -p {$tmpfname}");
+
+ /* download snort rules */
+ exec("fetch -q -o {$tmpfname}/{$snort_filename} $dl");
+ verify_downloaded_file($tmpfname . "/{$snort_filename}");
+
+ /* download snort rules md5 file */
+ $static_output = gettext("Downloading current snort rules md5... ");
+ exec("fetch -q -o {$tmpfname}/{$snort_filename_md5} $dl_md5");
+ verify_downloaded_file($tmpfname . "/{$snort_filename_md5}");
+
+ /* verify downloaded rules signature */
+ verify_snort_rules_md5($tmpfname);
+
+ /* extract rules */
+ extract_snort_rules_md5($tmpfname);
+
+ $config['installedpackages']['snort']['last_ruleset_download'] = date("Y-m-d");
+ write_config();
+
+ stop_service("snort");
+ sleep(2);
+ start_service("snort");
+
+ /* cleanup temporary directory */
+ exec("/bin/rm -rf {$tmpfname};");
+ echo "Rules are now up to date.\n";
+ log_error("Snort rules updated. New version: {$last_update_date}.");
+} else {
+ echo "Rules are up to date.\n";
+ log_error("Snort rules are up to date. Not updating.");
+}
+
+?> \ No newline at end of file
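Review bot: `$oinkid` is never assigned in this script, so the `if(!$oinkid)` check at the top of the update branch always fires and the scheduled job logs "Oinkid is not defined" and exits without ever updating; add `$oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode'];` after the require_once lines, which is how snort_download_rules.php derives it. `$last_update_date` is only set when preg_match_all() matches, so a changed or unreachable snort.org page leaves it undefined and the date comparison runs on strtotime() of an empty value; guard with `if (empty($last_update_date)) { log_error("Could not determine the latest Snort ruleset date."); exit; }` before computing `$date1ts`. The tarball and its .md5 are both fetched over plain HTTP from the same host, so verify_snort_rules_md5() can only detect transfer corruption, not substitution of the ruleset; a comment above that call should state the limitation so nobody mistakes it for an authenticity check. The comment above the random sleep says non-masters wait so other members can fetch the configuration, but the condition is `!$password`, i.e. "no CARP password configured", which should be documented as the actual criterion.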
diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php
new file mode 100644
index 00000000..6326a5fe
--- /dev/null
+++ b/config/snort/snort_download_rules.php
@@ -0,0 +1,240 @@
+<?php
+/* $Id$ */
+/*
+ snort_download_rules.php
+ part of pfSense (http://www.pfsense.com)
+ Copyright (C) 2005 Scott Ullrich
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+/* do not require all of this if we already have. */
+if(!$start_me_up) {
+ require_once("guiconfig.inc");
+ require_once("functions.inc");
+ require_once("service-utils.inc");
+ require("/usr/local/pkg/snort.inc");
+}
+
+$pgtitle = "Services: Snort: Update Rules";
+
+/* define oinkid */
+if($config['installedpackages']['snort'])
+ $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode'];
+
+if($_GET['start'] or $_POST['start'])
+ $start_me_up = true;
+else
+ $start_me_up = false;
+
+if(!is_dir("/usr/local/etc/snort/rules"))
+ $start_me_up = true;
+
+include("head.inc");
+
+?>
+<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+
+<p class="pgtitle"><?=$pgtitle?></font></p>
+
+<form action="snort_download_rules.php" method="post">
+<div id="inputerrors"></div>
+
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+<?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0");
+ $tab_array[] = array(gettext("Update Rules"), true, "/snort_download_rules.php");
+ $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php");
+ $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php");
+ $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php");
+ $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml");
+ $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php");
+ $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0");
+ display_top_tabs($tab_array);
+?>
+ </td>
+ </tr>
+<?php
+ if($start_me_up == false) {
+ echo "<tr>\n";
+ echo "<td>\n";
+ echo "<div id=\"mainarea\">\n";
+ echo "<table class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"6\" cellspacing=\"0\">\n";
+ echo "<tr>\n";
+ echo "<td>\n";
+ $last_ruleset_download = $config['installedpackages']['snort']['last_ruleset_download'];
+ echo "<div id='loading' name='loading'>\n";
+ echo "<img src=\"/themes/metallic/images/misc/loader_tab.gif\"> Getting release information from snort.org...\n";
+ echo "</div>\n";
+ ob_flush();
+ sleep(1);
+ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
+ $text = file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");
+ echo "<script type=\"text/javascript\">\n";
+ echo "$('loading').style.visibility = 'hidden';\n";
+ echo "</script>\n";
+ if (preg_match_all("/.*RELEASED\: (.*)\</", $text, $matches))
+ $last_update_date = trim($matches[1][0]);
+ echo "<table>\n";
+ if($last_update_date)
+ echo "<tr><td><b>Last snort.org rule update:</b></td><td>{$last_update_date}</td></tr>\n";
+ if($last_ruleset_download)
+ echo "<tr><td><b>You last updated the ruleset:</b></td><td>{$last_ruleset_download}</td></tr>\n";
+ else
+ echo "<tr><td><b>You last updated the ruleset:</b></td><td>NEVER</td></tr>\n";
+ echo "</td></tr></table>";
+ if(!$oinkid) {
+ echo "<tr><td colspan='2'>You must obtain an oinkid from snort.org and set its value in the Snort settings tab in order to start the download process.</td></tr>\n";
+ } else {
+ /* get time stamps for comparison operations */
+ $date1ts = strtotime($last_update_date);
+ $date2ts = strtotime($last_ruleset_download);
+ /* is there a newer ruleset available? */
+ if($date1ts > $date2ts or !$last_ruleset_download)
+ echo "<tr><td colspan='2'>Press <a href='snort_download_rules.php?start=yes'>here</a> to start download.</td></tr>\n";
+ else
+ echo "<tr><td colspan='2'>Your snort rulesets are <b>up to date</b>.</td></tr>\n";
+ }
+ echo "</td>\n";
+ echo " </tr>\n";
+ echo " </table>\n";
+ echo " </div>\n";
+ echo "</td>\n";
+ echo "</tr>\n";
+ echo "</table>\n";
+ include("fend.inc");
+ exit;
+ }
+?>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td align="center" valign="top">
+ <!-- progress bar -->
+ <table id="progholder" width='420' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'>
+ <tr>
+ <td>
+ <img border='0' src='./themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' />
+ </td>
+ </tr>
+ </table>
+ <br />
+ <!-- status box -->
+ <textarea cols="60" rows="1" name="status" id="status" wrap="hard">
+ <?=gettext("Initializing...");?>
+ </textarea>
+ <!-- command output box -->
+ <textarea cols="60" rows="25" name="output" id="output" wrap="hard">
+ </textarea>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ </tr>
+</table>
+</form>
+<?php include("fend.inc"); ?>
+<?php
+
+if(!$oinkid) {
+ $static_output = gettext("You must obtain an oinkid from snort.org and set its value in the Snort settings tab.");
+ update_all_status($static_output);
+ hide_progress_bar_status();
+ exit;
+}
+
+/* send current buffer */
+ob_flush();
+
+/* setup some variables */
+$premium_subscriber = "";
+if($config['installedpackages']['snortadvanced']['config'][0]['subscriber'])
+ $premium_subscriber = "_s";
+$snort_filename = "snortrules-snapshot-CURRENT{$premium_subscriber}.tar.gz";
+$snort_filename_md5 = "snortrules-snapshot-CURRENT.tar.gz.md5";
+ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
+$dl = "http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}";
+$dl_md5 = "http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}";
+
+/* multi user system, request new filename and create directory */
+$tmpfname = tempnam("/tmp", "snortRules");
+exec("/bin/rm -rf {$tmpfname};/bin/mkdir -p {$tmpfname}");
+
+/* download snort rules */
+$static_output = gettext("Downloading current snort rules... ");
+update_all_status($static_output);
+download_file_with_progress_bar($dl, $tmpfname . "/{$snort_filename}");
+verify_downloaded_file($tmpfname . "/{$snort_filename}");
+
+/* download snort rules md5 file */
+$static_output = gettext("Downloading current snort rules md5... ");
+update_all_status($static_output);
+download_file_with_progress_bar($dl_md5, $tmpfname . "/{$snort_filename_md5}");
+verify_downloaded_file($tmpfname . "/{$snort_filename_md5}");
+
+/* verify downloaded rules signature */
+verify_snort_rules_md5($tmpfname);
+
+/* extract rules */
+extract_snort_rules_md5($tmpfname);
+
+$static_output = gettext("Your snort rules are now up to date.");
+update_all_status($static_output);
+
+$config['installedpackages']['snort']['last_ruleset_download'] = date("Y-m-d");
+write_config();
+
+stop_service("snort");
+sleep(2);
+start_service("snort");
+
+/* cleanup temporary directory */
+exec("/bin/rm -rf {$tmpfname};");
+
+/* hide progress bar and lets end this party */
+hide_progress_bar_status();
+
+?>
+
+</body>
+</html>
+
+<script type="text/javascript">
+ document.location.href='snort_download_rules.php?ran=1';
+</script>
+
+<?php
+
+
+
+?> \ No newline at end of file
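Review bot: The md5 file name on L1763 does not carry the `{$premium_subscriber}` suffix that L1762 appends to the tarball name, so for a subscriber the digest fetched is the one published for the non-subscriber archive and `verify_snort_rules_md5($tmpfname)` (defined outside this hunk) would presumably compare against the wrong file; the line should presumably read `$snort_filename_md5 = "snortrules-snapshot-CURRENT{$premium_subscriber}.tar.gz.md5";`, to be confirmed against what snort.org actually publishes. Both the archive and its digest are fetched over plain HTTP from the same endpoint, so the md5 check can only catch a corrupted transfer, not a substituted ruleset; a comment beside the verify call such as `/* digest comes over the same unauthenticated channel: detects corruption, not substitution */` would stop a later maintainer from reading it as a signature check. The `?start=` GET parameter on L1625 triggers the download, a `write_config()` and a Snort restart with no confirmation token, so any link the administrator's browser follows can kick the whole sequence off; requiring a POST for the trigger would be safer.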
diff --git a/config/snort/snort_dynamic_ip_reload.php b/config/snort/snort_dynamic_ip_reload.php
new file mode 100644
index 00000000..dbd6d015
--- /dev/null
+++ b/config/snort/snort_dynamic_ip_reload.php
@@ -0,0 +1,46 @@
+<?php
+
+/* $Id$ */
+/*
+ snort_dynamic_ip_reload.php
+ Copyright (C) 2006 Scott Ullrich
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* NOTE: this file gets included from the pfSense filter.inc plugin process */
+
+require_once("/usr/local/pkg/snort.inc");
+require_once("service-utils.inc");
+require_once("config.inc");
+
+
+if($config['interfaces']['wan']['ipaddr'] == "pppoe" or
+ $config['interfaces']['wan']['ipaddr'] == "dhcp") {
+ create_snort_conf();
+ mwexec("/sbin/pfctl -t snort2c -T flush");
+ exec("killall -HUP snort");
+ exec("/usr/bin/killall snort2c; snort2c -w /var/db/whitelist -a /var/log/snort/alert");
+}
+
+?> \ No newline at end of file
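Review bot: `killall -HUP snort` on L1867 and the `snort2c` invocation on L1868 are run through `exec()` with bare command names while the neighbouring calls use `/sbin/pfctl` and `/usr/bin/killall`, so whichever `killall` and `snort2c` are first on the invoking process's PATH get executed; since the file is included from the filter.inc plugin hook rather than an interactive shell, the paths should be fixed, e.g. `exec("/usr/bin/killall -HUP snort");` and `exec("/usr/bin/killall snort2c; <SNORT2C_INSTALL_PATH> -w /var/db/whitelist -a /var/log/snort/alert");` (the install location of the shipped `config/snort/bin/snort2c` is not visible in this diff). The `pfctl -t snort2c -T flush` on L1866 also drops every host currently blocked whenever the WAN address changes; that looks intentional, but a one-line comment such as `/* WAN address changed: drop existing blocks and restart snort2c against the new address */` would keep it from being mistaken for a bug later. The file mixes `mwexec` and `exec` for the same kind of call; using one consistently gives uniform logging of what was run.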
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
new file mode 100644
index 00000000..f1b29f83
--- /dev/null
+++ b/config/snort/snort_rules.php
@@ -0,0 +1,506 @@
+<?php
+/* $Id$ */
+/*
+ edit_snortrule.php
+ Copyright (C) 2004, 2005 Scott Ullrich
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+require("guiconfig.inc");
+
+if(!is_dir("/usr/local/etc/snort/rules"))
+ Header("Location: snort_download_rules.php");
+
+function get_middle($source, $beginning, $ending, $init_pos) {
+ $beginning_pos = strpos($source, $beginning, $init_pos);
+ $middle_pos = $beginning_pos + strlen($beginning);
+ $ending_pos = strpos($source, $ending, $beginning_pos);
+ $middle = substr($source, $middle_pos, $ending_pos - $middle_pos);
+ return $middle;
+}
+
+function write_rule_file($content_changed, $received_file)
+{
+ //read snort file with writing enabled
+ $filehandle = fopen($received_file, "w");
+
+ //delimiter for each new rule is a new line
+ $delimiter = "\n";
+
+ //implode the array back into a string for writing purposes
+ $fullfile = implode($delimiter, $content_changed);
+
+ //write data to file
+ fwrite($filehandle, $fullfile);
+
+ //close file handle
+ fclose($filehandle);
+
+}
+
+function load_rule_file($incoming_file)
+{
+
+ //read snort file
+ $filehandle = fopen($incoming_file, "r");
+
+ //read file into string, and get filesize
+ $contents = fread($filehandle, filesize($incoming_file));
+
+ //close handler
+ fclose ($filehandle);
+
+ //string for populating category select
+ $currentruleset = substr($file, 27);
+
+ //delimiter for each new rule is a new line
+ $delimiter = "\n";
+
+ //split the contents of the string file into an array using the delimiter
+ $splitcontents = explode($delimiter, $contents);
+
+ return $splitcontents;
+
+}
+
+$ruledir = "/usr/local/etc/snort/rules/";
+$dh = opendir($ruledir);
+
+$message_reload = "The Snort rule configuration has been changed.<br>You must apply the changes in order for them to take effect.";
+
+while (false !== ($filename = readdir($dh)))
+{
+ //only populate this array if its a rule file
+ $isrulefile = strstr($filename, ".rules");
+ if ($isrulefile !== false)
+ {
+ $files[] = $filename;
+ }
+}
+
+sort($files);
+
+if ($_GET['openruleset'])
+{
+ $file = $_GET['openruleset'];
+}
+else
+{
+ $file = $ruledir.$files[0];
+
+}
+
+//Load the rule file
+$splitcontents = load_rule_file($file);
+
+if ($_POST)
+{
+ if (!$_POST['apply']) {
+ //retrieve POST data
+ $post_lineid = $_POST['lineid'];
+ $post_enabled = $_POST['enabled'];
+ $post_src = $_POST['src'];
+ $post_srcport = $_POST['srcport'];
+ $post_dest = $_POST['dest'];
+ $post_destport = $_POST['destport'];
+
+ //clean up any white spaces insert by accident
+ $post_src = str_replace(" ", "", $post_src);
+ $post_srcport = str_replace(" ", "", $post_srcport);
+ $post_dest = str_replace(" ", "", $post_dest);
+ $post_destport = str_replace(" ", "", $post_destport);
+
+ //copy rule contents from array into string
+ $tempstring = $splitcontents[$post_lineid];
+
+ //search string
+ $findme = "# alert"; //find string for disabled alerts
+
+ //find if alert is disabled
+ $disabled = strstr($tempstring, $findme);
+
+ //if find alert is false, then rule is disabled
+ if ($disabled !== false)
+ {
+ //has rule been enabled
+ if ($post_enabled == "yes")
+ {
+ //move counter up 1, so we do not retrieve the # in the rule_content array
+ $tempstring = str_replace("# alert", "alert", $tempstring);
+ $counter2 = 1;
+ }
+ else
+ {
+ //rule is staying disabled
+ $counter2 = 2;
+ }
+ }
+ else
+ {
+ //has rule been disabled
+ if ($post_enabled != "yes")
+ {
+ //move counter up 1, so we do not retrieve the # in the rule_content array
+ $tempstring = str_replace("alert", "# alert", $tempstring);
+ $counter2 = 2;
+ }
+ else
+ {
+ //rule is staying enabled
+ $counter2 = 1;
+ }
+ }
+
+ //explode rule contents into an array, (delimiter is space)
+ $rule_content = explode(' ', $tempstring);
+
+ //insert new values
+ $counter2++;
+ $rule_content[$counter2] = $post_src;//source location
+ $counter2++;
+ $rule_content[$counter2] = $post_srcport;//source port location
+ $counter2 = $counter2+2;
+ $rule_content[$counter2] = $post_dest;//destination location
+ $counter2++;
+ $rule_content[$counter2] = $post_destport;//destination port location
+
+ //implode the array back into string
+ $tempstring = implode(' ', $rule_content);
+
+ //copy string into file array for writing
+ $splitcontents[$post_lineid] = $tempstring;
+
+ //write the new .rules file
+ write_rule_file($splitcontents, $file);
+
+ //once file has been written, reload file
+ $splitcontents = load_rule_file($file);
+
+ $stopMsg = true;
+ }
+
+ if ($_POST['apply']) {
+ stop_service("snort");
+ sleep(2);
+ start_service("snort");
+ $savemsg = "The snort rules selections have been saved. Restarting Snort.";
+ $stopMsg = false;
+ }
+
+}
+else if ($_GET['act'] == "toggle")
+{
+ $toggleid = $_GET['id'];
+
+ //copy rule contents from array into string
+ $tempstring = $splitcontents[$toggleid];
+
+ //explode rule contents into an array, (delimiter is space)
+ $rule_content = explode(' ', $tempstring);
+
+ //search string
+ $findme = "# alert"; //find string for disabled alerts
+
+ //find if alert is disabled
+ $disabled = strstr($tempstring, $findme);
+
+ //if find alert is false, then rule is disabled
+ if ($disabled !== false)
+ {
+ //rule has been enabled
+ //move counter up 1, so we do not retrieve the # in the rule_content array
+ $tempstring = str_replace("# alert", "alert", $tempstring);
+
+ }
+ else
+ {
+ //has rule been disabled
+ //move counter up 1, so we do not retrieve the # in the rule_content array
+ $tempstring = str_replace("alert", "# alert", $tempstring);
+
+ }
+
+ //copy string into array for writing
+ $splitcontents[$toggleid] = $tempstring;
+
+ //write the new .rules file
+ write_rule_file($splitcontents, $file);
+
+ //once file has been written, reload file
+ $splitcontents = load_rule_file($file);
+
+ $stopMsg = true;
+}
+
+
+$pgtitle = "Snort: Rules";
+require("guiconfig.inc");
+include("head.inc");
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<p class="pgtitle"><?=$pgtitle?></p>
+<form action="snort_rules.php" method="post" name="iform" id="iform">
+<?php if ($savemsg){print_info_box($savemsg);} else if ($stopMsg){print_info_box_np($message_reload);}?>
+<br>
+</form>
+<script type="text/javascript" language="javascript" src="row_toggle.js">
+ <script src="/javascript/sorttable.js" type="text/javascript">
+</script>
+
+<script language="javascript" type="text/javascript">
+<!--
+function go()
+{
+ var agt=navigator.userAgent.toLowerCase();
+ if (agt.indexOf("msie") != -1) {
+ box = document.forms.selectbox;
+ } else {
+ box = document.forms[1].selectbox;
+ }
+ destination = box.options[box.selectedIndex].value;
+ if (destination)
+ location.href = destination;
+}
+// -->
+</script>
+
+<table width="99%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+<?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0");
+ $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php");
+ $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php");
+ $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php");
+ $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php");
+ $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml");
+ $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php");
+ $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0");
+ display_top_tabs($tab_array);
+?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <table id="ruletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr id="frheader">
+ <td width="3%" class="list">&nbsp;</td>
+ <td width="5%" class="listhdr">SID</td>
+ <td width="6%" class="listhdrr">Proto</td>
+ <td width="15%" class="listhdrr">Source</td>
+ <td width="10%" class="listhdrr">Port</td>
+ <td width="15%" class="listhdrr">Destination</td>
+ <td width="10%" class="listhdrr">Port</td>
+ <td width="32%" class="listhdrr">Message</td>
+
+ </tr>
+ <tr>
+ <?php
+
+ echo "<br>Category: ";
+
+ //string for populating category select
+ $currentruleset = substr($file, 27);
+ ?>
+ <form name="forms">
+ <select name="selectbox" class="formfld" onChange="go()">
+ <?php
+ $i=0;
+ foreach ($files as $value)
+ {
+ $selectedruleset = "";
+ if ($files[$i] === $currentruleset)
+ $selectedruleset = "selected";
+ ?>
+ <option value="?&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>"
+ <?php
+ $i++;
+
+ }
+ ?>
+ </select>
+ </form>
+ </tr>
+ <?php
+
+ $counter = 0;
+ $printcounter = 0;
+
+ foreach ( $splitcontents as $value )
+ {
+
+ $counter++;
+ $disabled = "False";
+ $comments = "False";
+
+ $tempstring = $splitcontents[$counter];
+ $findme = "# alert"; //find string for disabled alerts
+
+ //find alert
+ $disabled_pos = strstr($tempstring, $findme);
+
+
+ //do soemthing, this rule is enabled
+ $counter2 = 1;
+
+ //retrieve sid value
+ $sid = get_middle($tempstring, 'sid:', ';', 0);
+
+ //check to see if the sid is numberical
+ $is_sid_num = is_numeric($sid);
+
+ //if SID is numerical, proceed
+ if ($is_sid_num)
+ {
+
+ //if find alert is false, then rule is disabled
+ if ($disabled_pos !== false){
+ $counter2 = $counter2+1;
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $iconb = "icon_block_d.gif";
+ }
+ else
+ {
+ $textss = $textse = "";
+ $iconb = "icon_block.gif";
+ }
+
+ $rule_content = explode(' ', $tempstring);
+
+ $protocol = $rule_content[$counter2];//protocol location
+ $counter2++;
+ $source = $rule_content[$counter2];//source location
+ $counter2++;
+ $source_port = $rule_content[$counter2];//source port location
+ $counter2 = $counter2+2;
+ $destination = $rule_content[$counter2];//destination location
+ $counter2++;
+ $destination_port = $rule_content[$counter2];//destination port location
+
+ $message = get_middle($tempstring, 'msg:"', '";', 0);
+
+ echo "<tr>";
+ echo "<td class=\"listt\">";
+ echo $textss;
+ ?>
+ <a href="?&openruleset=<?=$file;?>&act=toggle&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="11" height="11" border="0" title="click to toggle enabled/disabled status"></a>
+ <?php
+ echo $textse;
+ echo "</td>";
+
+
+ echo "<td class=\"listlr\">";
+ echo $textss;
+ echo $sid;
+ echo $textse;
+ echo "</td>";
+
+ echo "<td class=\"listlr\">";
+ echo $textss;
+ echo $protocol;
+ $printcounter++;
+ echo $textse;
+ echo "</td>";
+ echo "<td class=\"listlr\">";
+ echo $textss;
+ echo $source;
+ echo $textse;
+ echo "</td>";
+ echo "<td class=\"listlr\">";
+ echo $textss;
+ echo $source_port;
+ echo $textse;
+ echo "</td>";
+ echo "<td class=\"listlr\">";
+ echo $textss;
+ echo $destination;
+ echo $textse;
+ echo "</td>";
+ echo "<td class=\"listlr\">";
+ echo $textss;
+ echo $destination_port;
+ echo $textse;
+ echo "</td>";
+ ?>
+ <td class="listbg"><font color="white">
+ <?php
+ echo $textss;
+ echo $message;
+ echo $textse;
+ echo "</td>";
+ ?>
+ <td valign="middle" nowrap class="list">
+ <table border="0" cellspacing="0" cellpadding="1">
+ <tr>
+ <td><a href="snort_rules_edit.php?openruleset=<?=$file;?>&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td>
+ </tr>
+ </table>
+ </td>
+ <?php
+ }
+ }
+ echo " ";
+ echo "There are ";
+ echo $printcounter;
+ echo " rules in this category. <br><br>";
+ ?>
+ </table>
+ </td>
+ </tr>
+ <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td>
+ <td>Rule Enabled</td>
+ </tr>
+ <tr>
+ <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td>
+ <td nowrap>Rule Disabled</td>
+
+
+ </tr>
+ <tr>
+ <td colspan="10">
+ <p>
+ <!--<strong><span class="red">Warning:<br>
+ </span></strong>Editing these r</p>-->
+ </td>
+ </tr>
+ </table>
+ </table>
+
+ </td>
+ </tr>
+</table>
+
+
+<?php include("fend.inc"); ?>
+</div></body>
+</html> \ No newline at end of file
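Review bot: `$file = $_GET['openruleset']` on L1982 is passed unchanged to `fopen()` in `load_rule_file` (L1942) and, on any POST without `apply` or on `act=toggle`, to `fopen($received_file, "w")` in `write_rule_file` (L1922), so the request parameter selects an arbitrary path to read and then overwrite; snort_rules_edit.php (L2428) reads `$_GET['openruleset']` in the same unconstrained way. The directory listing built on L1968–L1978 already defines the allowed set, so the selection should be reduced to it: `$file = $ruledir . basename($_GET['openruleset']);` followed by `if (!in_array(basename($file), $files, true)) $file = $ruledir . $files[0];`. `Header("Location: ...")` on L1909 is not followed by `exit`, so when the rules directory is missing the script keeps running against a failed `opendir()` and an empty `$files` instead of stopping at the redirect. `$file`, `$sid`, `$source` and the other rule fields are echoed into hrefs and cells (L2291, L2299–L2333, L2340) without `htmlspecialchars()`, so both the request parameter and rule-file content land in the page unescaped.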
diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php
new file mode 100644
index 00000000..d393a309
--- /dev/null
+++ b/config/snort/snort_rules_edit.php
@@ -0,0 +1,202 @@
+<?php
+/* $Id$ */
+/*
+ snort_rules_edit.php
+ Copyright (C) 2004, 2005 Scott Ullrich
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+function get_middle($source, $beginning, $ending, $init_pos) {
+ $beginning_pos = strpos($source, $beginning, $init_pos);
+ $middle_pos = $beginning_pos + strlen($beginning);
+ $ending_pos = strpos($source, $ending, $beginning_pos);
+ $middle = substr($source, $middle_pos, $ending_pos - $middle_pos);
+ return $middle;
+}
+
+
+$file = $_GET['openruleset'];
+
+//read snort file
+$filehandle = fopen($file, "r");
+
+//get rule id
+$lineid = $_GET['id'];
+
+//read file into string, and get filesize
+$contents = fread($filehandle, filesize($file));
+
+//close handler
+fclose ($filehandle);
+
+//delimiter for each new rule is a new line
+$delimiter = "\n";
+
+//split the contents of the string file into an array using the delimiter
+$splitcontents = explode($delimiter, $contents);
+
+//copy rule contents from array into string
+$tempstring = $splitcontents[$lineid];
+
+//explode rule contents into an array, (delimiter is space)
+$rule_content = explode(' ', $tempstring);
+
+//search string
+$findme = "# alert"; //find string for disabled alerts
+
+//find if alert is disabled
+$disabled = strstr($tempstring, $findme);
+
+//get sid
+$sid = get_middle($tempstring, 'sid:', ';', 0);
+
+
+//if find alert is false, then rule is disabled
+if ($disabled !== false)
+{
+ //move counter up 1, so we do not retrieve the # in the rule_content array
+ $counter2 = 2;
+}
+else
+{
+ $counter2 = 1;
+}
+
+
+$protocol = $rule_content[$counter2];//protocol location
+$counter2++;
+$source = $rule_content[$counter2];//source location
+$counter2++;
+$source_port = $rule_content[$counter2];//source port location
+$counter2++;
+$direction = $rule_content[$counter2];
+$counter2++;
+$destination = $rule_content[$counter2];//destination location
+$counter2++;
+$destination_port = $rule_content[$counter2];//destination port location
+$message = get_middle($tempstring, 'msg:"', '";', 0);
+
+$content = get_middle($tempstring, 'content:"', '";', 0);
+$classtype = get_middle($tempstring, 'classtype:', ';', 0);
+$revision = get_middle($tempstring, 'rev:', ';',0);
+
+$pgtitle = "Snort: Edit Rule";
+require("guiconfig.inc");
+include("head.inc");
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+
+<?php include("fbegin.inc"); ?>
+<p class="pgtitle"><?=$pgtitle?></p>
+<table width="99%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+<?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0");
+ $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php");
+ $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php");
+ $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php?openruleset=/usr/local/etc/snort/rules/attack-responses.rules");
+ $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php");
+ $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml");
+ $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php");
+ $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0");
+ display_top_tabs($tab_array);
+?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <form action="snort_rules.php?openruleset=<?=$file;?>&id=<?=$lineid;?>" target="" method="post" name="editform" id="editform">
+ <table id="edittable" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td class="listhdr" width="10%">Enabled: </td>
+ <td class="listlr" width="30%"><input name="enabled" type="checkbox" id="enabled" value="yes" <?php if ($disabled === false) echo "checked";?>></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">SID: </td>
+ <td class="listlr" width="30%"><?php echo $sid; ?></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Protocol: </td>
+ <td class="listlr" width="30%"><?php echo $protocol; ?></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Source: </td>
+ <td class="listlr" width="30%"><input name="src" type="text" id="src" size="20" value="<?php echo $source;?>"></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Source Port: </td>
+ <td class="listlr" width="30%"><input name="srcport" type="text" id="srcport" size="20" value="<?php echo $source_port;?>"></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Direction:</td>
+ <td class="listlr" width="30%"><?php echo $direction;?></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Destination:</td>
+ <td class="listlr" width="30%"><input name="dest" type="text" id="dest" size="20" value="<?php echo $destination;?>"></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Destination Port: </td>
+ <td class="listlr" width="30%"><input name="destport" type="text" id="destport" size="20" value="<?php echo $destination_port;?>"></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Message: </td>
+ <td class="listlr" width="30%"><?php echo $message; ?></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Content: </td>
+ <td class="listlr" width="30%"><?php echo $content; ?></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Classtype: </td>
+ <td class="listlr" width="30%"><?php echo $classtype; ?></td>
+ </tr>
+ <tr>
+ <td class="listhdr" width="10%">Revision: </td>
+ <td class="listlr" width="30%"><?php echo $revision; ?></td>
+ </tr>
+ <tr><td>&nbsp</td></tr>
+ <tr>
+ <td><input name="lineid" type="hidden" value="<?=$lineid;?>"></td>
+ <td><input class="formbtn" value="Save" type="submit" name="editsave" id="editsave">&nbsp&nbsp&nbsp<input type="button" class="formbtn" value="Cancel" onclick="history.back()"></td>
+ </tr>
+ </table>
+ </form>
+ </td>
+ </tr>
+ </table>
+ </td>
+</tr>
+</table>
+
+<?php include("fend.inc"); ?>
+</div></body>
+</html> \ No newline at end of file
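Review bot: `get_middle` (L2419–L2425) returns a substring even when `$beginning` or `$ending` is absent: `strpos()` then yields `false`, `false + strlen($beginning)` evaluates to `strlen($beginning)`, and the function returns a slice from that offset instead of signalling "not found", so a rule line without `content:"` or `classtype:` (L2489–L2490) displays unrelated text. Returning `false` when either lookup fails, e.g. `if ($beginning_pos === false || $ending_pos === false) return false;` placed after the two `strpos()` calls, makes the failure explicit to callers. The same function is declared verbatim in snort_rules.php (L1911); if both files are ever pulled into one request PHP stops with a redeclaration error, so it belongs in snort.inc. `$source`, `$source_port`, `$destination`, `$destination_port`, `$file` and `$lineid` are written into attribute values (L2525, L2541–L2557, L2577) without `htmlspecialchars()`, and `$lineid` from `$_GET['id']` indexes `$splitcontents` on L2449 with no check that the offset exists.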
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php
new file mode 100644
index 00000000..a06ba106
--- /dev/null
+++ b/config/snort/snort_rulesets.php
@@ -0,0 +1,162 @@
+<?php
+/* $Id$ */
+/*
+ snort_rulesets.php
+ Copyright (C) 2006 Scott Ullrich
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+if(!is_dir("/usr/local/etc/snort/rules"))
+ Header("Location: snort_download_rules.php");
+
+require("guiconfig.inc");
+require_once("service-utils.inc");
+require("/usr/local/pkg/snort.inc");
+
+if($_POST) {
+ $enabled_items = "";
+ $isfirst = true;
+ foreach($_POST['toenable'] as $toenable) {
+ if(!$isfirst)
+ $enabled_items .= "||";
+ $enabled_items .= "{$toenable}";
+ $isfirst = false;
+ }
+ $config['installedpackages']['snort']['rulesets'] = $enabled_items;
+ write_config();
+ stop_service("snort");
+ create_snort_conf();
+ sleep(2);
+ start_service("snort");
+ $savemsg = "The snort ruleset selections have been saved.";
+}
+
+$enabled_rulesets = $config['installedpackages']['snort']['rulesets'];
+if($enabled_rulesets)
+ $enabled_rulesets_array = split("\|\|", $enabled_rulesets);
+
+$pgtitle = "Snort: Categories";
+include("head.inc");
+
+?>
+
+<body link="#000000" vlink="#000000" alink="#000000">
+<?php include("fbegin.inc"); ?>
+
+<p class="pgtitle"><?=$pgtitle?></font></p>
+
+<form action="snort_rulesets.php" method="post" name="iform" id="iform">
+<script src="/row_toggle.js" type="text/javascript"></script>
+<script src="/javascript/sorttable.js" type="text/javascript"></script>
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<table width="99%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+<?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0");
+ $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php");
+ $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php");
+ $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php");
+ $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php");
+ $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml");
+ $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php");
+ $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0");
+ display_top_tabs($tab_array);
+?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr id="frheader">
+ <td width="5%" class="listhdrr">Enabled</td>
+ <td class="listhdrr">Ruleset</td>
+ <!-- <td class="listhdrr">Description</td> -->
+ </tr>
+<?php
+ $dir = "/usr/local/etc/snort/rules/";
+ $dh = opendir($dir);
+ while (false !== ($filename = readdir($dh))) {
+ $files[] = $filename;
+ }
+ sort($files);
+ foreach($files as $file) {
+ if(!stristr($file, ".rules"))
+ continue;
+ echo "<tr>";
+ echo "<td align=\"center\" valign=\"top\">";
+ if(is_array($enabled_rulesets_array))
+ if(in_array($file, $enabled_rulesets_array)) {
+ $CHECKED = " checked=\"checked\"";
+ } else {
+ $CHECKED = "";
+ }
+ else
+ $CHECKED = "";
+ echo " <input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />";
+ echo "</td>";
+ echo "<td>";
+ echo "<a href='snort_rules.php?openruleset=/usr/local/etc/snort/rules/" . urlencode($file) . "'>{$file}</a>";
+ echo "</td>";
+ //echo "<td>";
+ //echo "description";
+ //echo "</td>";
+ }
+
+?>
+ </table>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr>
+ <tr><td>Check the rulesets that you would like Snort to load at startup.</td></tr>
+ <tr><td>&nbsp;</td></tr>
+ <tr><td><input value="Save" type="submit" name="save" id="save" /></td></tr>
+ </table>
+ </div>
+ </td>
+ </tr>
+</table>
+
+</form>
+
+<p><b>NOTE:</b> You can click on a ruleset name to edit the ruleset.
+
+<?php include("fend.inc"); ?>
+
+</body>
+</html>
+
+<?php
+
+ function get_snort_rule_file_description($filename) {
+ $filetext = file_get_contents($filename);
+
+ }
+
+?> \ No newline at end of file
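Review bot: The POST handler stores every value of `$_POST['toenable']` verbatim in `$config['installedpackages']['snort']['rulesets']` without checking that it names an existing `.rules` file under `/usr/local/etc/snort/rules/`, and `create_snort_conf()` (defined outside this hunk) then consumes that list, so a hand-crafted POST — nothing here checks a CSRF token — can push arbitrary strings, path components included, into the generated snort configuration. The values should be intersected with the directory listing the page already builds further down, and `foreach` should not run on a missing key (unchecking every box leaves `$_POST['toenable']` unset and the loop emits a warning). Separately, the `Header("Location: snort_download_rules.php")` redirect at the top is not followed by `exit;`, so when the rules directory is missing the rest of the page still runs and can still write config. The sketch below keeps the same `||`-joined storage format so the reader side is unchanged.
```php
if($_POST) {
	$rulesdir = "/usr/local/etc/snort/rules/";
	/* only names that are real rule files in the directory may be stored */
	$available = array();
	foreach(glob($rulesdir . "*.rules") as $path)
		$available[] = basename($path);
	$selected = is_array($_POST['toenable']) ? $_POST['toenable'] : array();
	$enabled = array_values(array_intersect($selected, $available));
	$config['installedpackages']['snort']['rulesets'] = implode("||", $enabled);
	// … unchanged: write_config(), stop/create_snort_conf/start, $savemsg …
}
```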
diff --git a/config/snort/snort_whitelist.xml b/config/snort/snort_whitelist.xml
new file mode 100644
index 00000000..5ac41802
--- /dev/null
+++ b/config/snort/snort_whitelist.xml
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>snort-whitelist</name>
+ <version>0.1.0</version>
+ <title>Snort: Whitelist</title>
+ <include_file>/usr/local/pkg/snort.inc</include_file>
+ <!-- Menu is where this packages menu will appear -->
+ <tabs>
+ <tab>
+ <text>Settings</text>
+ <url>/pkg_edit.php?xml=snort.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Update Rules</text>
+ <url>/snort_download_rules.php</url>
+ </tab>
+ <tab>
+ <text>Categories</text>
+ <url>/snort_rulesets.php</url>
+ </tab>
+ <tab>
+ <text>Rules</text>
+ <url>/snort_rules.php</url>
+ </tab>
+ <tab>
+ <text>Blocked</text>
+ <url>/snort_blocked.php</url>
+ </tab>
+ <tab>
+ <text>Whitelist</text>
+ <url>/pkg.php?xml=snort_whitelist.xml</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Alerts</text>
+ <url>/snort_alerts.php</url>
+ </tab>
+ <tab>
+ <text>Advanced</text>
+ <url>/pkg_edit.php?xml=snort_advanced.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fielddescr>Whitelisted IP</fielddescr>
+ <fieldname>ip</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
+ <fields>
+ <field>
+ <fielddescr>Whitelisted IP</fielddescr>
+ <fieldname>ip</fieldname>
+ <description>Enter the IP or network to whitelist from snort blocking. Network items should be expressed in CIDR notation. Example: 0.0.0.0/24 or 0.0.0.0/32</description>
+ <type>input</type>
+ <size>40</size>
+ </field>
+ <field>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ <description>Enter the description for this item</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ </custom_php_command_before_form>
+ <custom_delete_php_command>
+ </custom_delete_php_command>
+ <custom_php_resync_config_command>
+ create_snort_conf();
+ </custom_php_resync_config_command>
+</packagegui> \ No newline at end of file
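Review bot: The `ip` field is a bare `<type>input</type>` with no validation, yet its value flows straight into `create_snort_conf()` via `custom_php_resync_config_command`, so a typo can break the generated snort configuration and an over-broad entry such as `0.0.0.0/0` would exempt every host from blocking. If the packagegui schema in this tree supports a validation hook (other pfSense packages use `<custom_php_validation_command>`), it should reject anything that is not a single IPv4 address or a CIDR network before the save; the description text should also use a real example rather than `0.0.0.0/24`, e.g. `Example: 192.0.2.0/24 or 192.0.2.10/32`. The header still says `authng.xml` and `Copyright (C) 2007 to whom it may belong`, and `<description>`/`<requirements>` carry the template placeholders; they should name this file and describe the whitelist.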
diff --git a/config/snort/snort_xmlrpc_sync.php b/config/snort/snort_xmlrpc_sync.php
new file mode 100644
index 00000000..db8b3f3e
--- /dev/null
+++ b/config/snort/snort_xmlrpc_sync.php
@@ -0,0 +1,114 @@
+<?php
+
+/* $Id$ */
+/*
+ snort_xmlrpc_sync.php
+ Copyright (C) 2006 Scott Ullrich
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* NOTE: this file gets included from the pfSense filter.inc plugin process */
+
+require_once("/usr/local/pkg/snort.inc");
+require_once("service-utils.inc");
+
+if(!$config) {
+ log_error("\$config is not enabled!!");
+} else {
+ if(!$g['booting'])
+ snort_do_xmlrpc_sync();
+}
+
+function snort_do_xmlrpc_sync() {
+
+ return; /* need to fix the bug which whipes out carp sync settings, etc */
+
+ global $config, $g;
+ $syncxmlrpc = $config['installedpackages']['snort']['config'][0]['syncxmlrpc'];
+ /* option enabled? */
+ if(!$syncxmlrpc)
+ return;
+
+ $carp = &$config['installedpackages']['carpsettings']['config'][0];
+ $password = $carp['password'];
+
+ if(!$carp['synchronizetoip'])
+ return;
+
+ log_error("[SNORT] snort_xmlrpc_sync.php is starting.");
+ $xmlrpc_sync_neighbor = $carp['synchronizetoip'];
+ if($config['system']['webgui']['protocol'] != "") {
+ $synchronizetoip = $config['system']['webgui']['protocol'];
+ $synchronizetoip .= "://";
+ }
+ $port = $config['system']['webgui']['port'];
+ /* if port is empty lets rely on the protocol selection */
+ if($port == "") {
+ if($config['system']['webgui']['protocol'] == "http") {
+ $port = "80";
+ } else {
+ $port = "443";
+ }
+ }
+ $synchronizetoip .= $carp['synchronizetoip'];
+
+ /* xml will hold the sections to sync */
+ $xml = array();
+ $xml['installedpackages']['snort'] = &$config['installedpackages']['snort'];
+ $xml['installedpackages']['snortwhitelist'] = &$config['installedpackages']['snortwhitelist'];
+
+ /* assemble xmlrpc payload */
+ $params = array(
+ XML_RPC_encode($password),
+ XML_RPC_encode($xml)
+ );
+
+ /* set a few variables needed for sync code borrowed from filter.inc */
+ $url = $synchronizetoip;
+ $method = 'pfsense.restore_config_section';
+
+ /* Sync! */
+ log_error("Beginning Snort XMLRPC sync to {$url}:{$port}.");
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials('admin', $password);
+ if($g['debug'])
+ $cli->setDebug(1);
+ /* send our XMLRPC message and timeout after 240 seconds */
+ $resp = $cli->send($msg, "999");
+ if(!$resp) {
+ $error = "A communications error occured while attempting Snort XMLRPC sync with {$url}:{$port}.";
+ log_error($error);
+ file_notice("sync_settings", $error, "Snort Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $error = "An error code was received while attempting Snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "Snort Settings Sync", "");
+ } else {
+ log_error("Snort XMLRPC sync successfully completed with {$url}:{$port}.");
+ }
+ log_error("[SNORT] snort_xmlrpc_sync.php is ending.");
+}
+
+?> \ No newline at end of file
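Review bot: `snort_do_xmlrpc_sync()` returns unconditionally on its first statement, so the `syncxmlrpc` option reads as implemented but silently does nothing; either hide the option until the CARP-settings bug named in the comment is fixed, or at least `log_error("[SNORT] XMLRPC sync is disabled in this version.");` there so an operator does not assume the secondary is in sync. Once the early return goes, note that the target URL is built from `$config['system']['webgui']['protocol']`, which may be `http`, so the CARP sync password would travel in cleartext — presumably as the basic-auth credential set by `setCredentials()` and again inside the XMLRPC payload — and the function should refuse to sync unless the protocol is `https`. The comment `/* send our XMLRPC message and timeout after 240 seconds */` also disagrees with the `"999"` actually passed; make them agree, e.g. `$resp = $cli->send($msg, 240);`.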