Diffstat (limited to 'config/snort')
-rwxr-xr-x | config/snort/snort.inc | 551 | ||||
-rwxr-xr-x | config/snort/snort.xml | 10 | ||||
-rwxr-xr-x | config/snort/snort_alerts.php | 2 | ||||
-rw-r--r-- | config/snort/snort_barnyard.php | 11 | ||||
-rw-r--r-- | config/snort/snort_blocked.php | 89 | ||||
-rwxr-xr-x | config/snort/snort_check_for_rule_updates.php | 496 | ||||
-rwxr-xr-x | config/snort/snort_define_servers.php | 6 | ||||
-rwxr-xr-x | config/snort/snort_download_updates.php | 96 | ||||
-rwxr-xr-x | config/snort/snort_interfaces.php | 216 | ||||
-rwxr-xr-x | config/snort/snort_interfaces_edit.php | 27 | ||||
-rw-r--r-- | config/snort/snort_interfaces_global.php | 181 | ||||
-rw-r--r-- | config/snort/snort_interfaces_suppress.php | 6 | ||||
-rw-r--r-- | config/snort/snort_interfaces_whitelist.php | 11 | ||||
-rw-r--r-- | config/snort/snort_log_view.php | 89 | ||||
-rwxr-xr-x | config/snort/snort_preprocessors.php | 189 | ||||
-rwxr-xr-x | config/snort/snort_rules.php | 85 | ||||
-rwxr-xr-x | config/snort/snort_rules_edit.php | 26 | ||||
-rwxr-xr-x | config/snort/snort_rulesets.php | 178 |
18 files changed, 1647 insertions, 622 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index c36fc873..8062834f 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc 
@@ -33,21 +33,54 @@ require_once("pfsense-utils.inc"); require_once("config.inc"); require_once("functions.inc"); +require_once("service-utils.inc"); // Needed on 2.0 because of filter_get_vpns_list() require_once("filter.inc"); +// Explicitly declare these as global so they work through function call includes +global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log; +global $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall; +global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename; + /* package version */ -$snort_version = "2.9.2.3"; -$pfSense_snort_version = "2.5.4"; +$snort_version = "2.9.4.1"; +$pfSense_snort_version = "2.5.7"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; -$snort_rules_file = "snortrules-snapshot-2923.tar.gz"; -$emerging_threats_version = "2.9.3"; + +// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) +if (floatval(php_uname("r")) >= 8.3) { + exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray); + $snort_pbidir = "{$pbidirarray[0]}"; + /* In case this is an initial Snort install and pbi_info() above returned null, set a sane default value */ + if (empty($snort_pbidir)) + $snort_pbidir = "/usr/pbi/snort-" . 
php_uname("m"); + define("SNORTDIR", "{$snort_pbidir}/etc/snort"); + define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort"); +} +else { + define("SNORTDIR", "/usr/local/etc/snort"); + define("SNORTLIBDIR", "/usr/local/lib/snort"); +} + +define("SNORTLOGDIR", "/var/log/snort"); + +/* Important file definitions */ +$snort_rules_file = "snortrules-snapshot-2941.tar.gz"; +$emerging_threats_version = "2.9.0"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$snort_community_rules_url = "https://s3.amazonaws.com/snort-org/www/rules/community/"; +$snort_community_rules_filename = "community-rules.tar.gz"; $flowbit_rules_file = "flowbit-required.rules"; $snort_enforcing_rules_file = "snort.rules"; +$snort_rules_upd_log = SNORTLOGDIR; +$snort_rules_upd_log .= "/snort_rules_update.log"; -define("SNORTDIR", "/usr/local/etc/snort"); -define("SNORTLOGDIR", "/var/log/snort"); +/* Rebuild Rules Flag -- if "on", rebuild enforcing rules and flowbit-rules files */ +$rebuild_rules = "off"; + +/* Post-install Flag -- normally "false" except during post-install of package */ +$is_postinstall = false; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); @@ -296,7 +329,6 @@ function snort_barnyard_stop($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); - @unlink("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); } } 
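Review bot: `$snort_pbidir = "{$pbidirarray[0]}"` reads index 0 before the `empty()` fallback, so when the `pbi_info` pipeline prints nothing `$pbidirarray` is empty and PHP raises an undefined-offset notice on every request that includes snort.inc; `$snort_pbidir = isset($pbidirarray[0]) ? $pbidirarray[0] : "";` avoids that. The `global $snort_rules_file, ...` lines at file scope do not do what the comment says: at top level `global` is a no-op, and each function still needs its own `global` statement (which the later hunks add), so either drop the lines or reword the comment to `// Documented here for reference; every function that uses these must declare them global`. A comment noting that the `exec()` pipeline runs on every include of this file would also help whoever later wonders about page-load cost.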
@@ -306,12 +338,11 @@ function snort_stop($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); - exec("/bin/rm {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); } snort_barnyard_stop($snortcfg, $if_real); - log_error("Interface Rule STOP for {$snortcfg['descr']}({$if_real})..."); + log_error("Snort STOP for {$snortcfg['descr']}({$if_real})..."); } function snort_barnyard_start($snortcfg, $if_real) { @@ -339,7 +370,7 @@ function snort_start($snortcfg, $if_real) { snort_barnyard_start($snortcfg, $if_real); - log_error("Interface Rule START for {$snortcfg['descr']}({$if_real})..."); + log_error("Snort START for {$snortcfg['descr']}({$if_real})..."); } function snort_get_friendly_interface($interface) { @@ -427,9 +458,15 @@ function snort_post_delete_logs($snort_uuid = 0) { } function snort_postinstall() { - global $config, $g; + global $config, $g, $snort_rules_file, $emerging_threats_version; + global $snort_version, $rebuild_rules, $is_postinstall; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; + $rcdir = RCFILEPREFIX; + + /* Set flag for post-install in progress */ + $is_postinstall = true; /* cleanup default files */ @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); 
@@ -440,25 +477,48 @@ function snort_postinstall() { @rename("{$snortdir}/generators-sample", "{$snortdir}/generators"); @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config"); @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); - @unlink("{$snortdir}/sid"); - @unlink("/usr/local/etc/rc.d/snort"); - @unlink("/usr/local/etc/rc.d/barnyard2"); - /* remove example files */ - if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) - exec('rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); + /* fix up the preprocessor rules filenames from a PBI package install */ + $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); + foreach ($preproc_rules as $file) { + if (file_exists("{$snortdir}/preproc_rules/{$file}-sample")) + @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}"); + } + + /* Remove any previously installed scripts since we rebuild them */ + @unlink("{$snortdir}/sid"); + @unlink("{$rcdir}/snort.sh"); + @unlink("{$rcdir}/barnyard2"); - if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) - exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + /* remove example library files */ + $files = glob("{$snortlibdir}/dynamicrules/*_example*"); + foreach ($files as $f) + @unlink($f); + $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*"); + foreach ($files as $f) + @unlink($f); /* remake saved settings */ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { + log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings...")); update_status(gettext("Saved settings detected...")); - update_output_window(gettext("Please wait... rebuilding files...")); + update_output_window(gettext("Please wait... 
rebuilding installation with saved settings...")); + log_error(gettext("[Snort] Downloading and updating configured rule types...")); @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); + update_status(gettext("Generating snort.conf configuration file from saved settings...")); + $rebuild_rules = "on"; sync_snort_package_config(); - update_output_window(gettext("Finnished Rebuilding files...")); + $rebuild_rules = "off"; + update_output_window(gettext("Finished rebuilding files...")); + log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); + update_status(gettext("Starting Snort using rebuilt configuration...")); + log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); + start_service("snort"); } + + /* Done with post-install, so clear flag */ + $is_postinstall = false; + log_error(gettext("[Snort] Package post-installation tasks completed...")); } function snort_Getdirsize($node) { 
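Review bot: `glob()` returns false on error, and the new `foreach ($files as $f)` loops would then emit a warning rather than skip; `foreach (glob("{$snortlibdir}/dynamicrules/*_example*") ?: array() as $f)` (and the same for `dynamicpreprocessor`) keeps the best-effort cleanup quiet. `$rebuild_rules = "on"` / `"off"` is a file-level string flag that every caller of `sync_snort_package_config()` must pair; a comment at the assignment such as `/* Must be reset to "off" after the sync call or every later sync rebuilds rules */` would make that contract explicit.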
@@ -592,17 +652,20 @@ function snort_rm_blocked_install_cron($should_install) { } switch($should_install) { case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + + /* Add cron job if not already installed, else just update the existing one */ + if (!$is_installed) $config['cron']['item'][] = $cron_item; - } + elseif ($is_installed) + $config['cron']['item'][$x] = $cron_item; break; case false: if ($is_installed == true) 
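Review bot: `elseif ($is_installed)` directly after `if (!$is_installed)` can only be true, so it is a plain `else`; the same pattern appears in the `snort_rules_up_install_cron()` hunk at `@@ -672,17 +735,20 @@`. `$config['cron']['item'][$x] = $cron_item` depends on `$x` being the index found by the search loop that starts before this hunk; a comment like `/* $x is the index of the existing snort2c cron entry located above */` would make that visible. `$snort_rm_blocked_expire` is interpolated into the cron command line and the `*_min/hr/mday/month/wday` values into cron fields; if they come from saved settings without validation (not visible in this hunk), constrain them to digits and `*` before they reach `$cron_item`.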
@@ -672,17 +735,20 @@ function snort_rules_up_install_cron($should_install) { } switch($should_install) { case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; + + /* Add cron job if not already installed, else just update the existing one */ + if (!$is_installed) $config['cron']['item'][] = $cron_item; - } + elseif ($is_installed) + $config['cron']['item'][$x] = $cron_item; break; case false: if($is_installed == true) 
@@ -693,12 +759,15 @@ function snort_rules_up_install_cron($should_install) { /* Only run when all ifaces needed to sync. Expects filesystem rw */ function sync_snort_package_config() { - global $config, $g; + global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file; + global $snort_version, $rebuild_rules; + + $snortdir = SNORTDIR; conf_mount_rw(); - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']) && !is_array($config['installedpackages']['snortglobal']['rule'])) { + /* do not start config build if rules is empty or there are no Snort settings */ + if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) { exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); conf_mount_ro(); return; @@ -708,10 +777,10 @@ function sync_snort_package_config() { foreach ($snortconf as $value) { $if_real = snort_get_real_interface($value['interface']); - /* create snort configuration file */ + /* create a snort.conf file for interface */ snort_generate_conf($value); - /* create barnyard2 configuration file */ + /* create barnyard2.conf file for interface */ if ($value['barnyard_enable'] == 'on') snort_create_barnyard2_conf($value, $if_real); } @@ -748,7 +817,7 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /* First check if we were passed a directory, a single file */ /* or an array of filenames to read. Set our $rule_files */ /* variable accordingly. If we can't figure it out, return */ - /* an empty rules map array. */ + /* and don't write a sid_msg_map file. */ if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); 
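Review bot: `exec('/bin/rm /usr/local/etc/rc.d/snort.sh')` in the early-return branch still hard-codes the rc.d path while the rest of this commit switched to `RCFILEPREFIX`; if the two ever differ the script is not removed. `@unlink(RCFILEPREFIX . "/snort.sh");` keeps it consistent and avoids a shell round-trip. `$snortdir = SNORTDIR;` is added but unused in the visible part of the hunk; if the rest of the function (outside this hunk) does not use it either, drop it.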
@@ -858,11 +927,19 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) { /* Sort the new reference map. */ uksort($outMap,'strnatcasecmp'); + /**********************************************************/ + /* Do NOT write an empty references.config file, just */ + /* exit instead. */ + /**********************************************************/ + if (empty($outMap)) + return false; + /* Format and write it to the supplied output file. */ $format = "config reference: %-12s %s\n"; foreach ($outMap as $key=>$value) $outMap[$key] = sprintf($format, $key, $value); @file_put_contents($cfg_out, array_values($outMap)); + return true; } function snort_merge_classification_configs($cfg_in, $cfg_out) { @@ -895,11 +972,19 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) { /* Sort the new classification map. */ uksort($outMap,'strnatcasecmp'); + /**********************************************************/ + /* Do NOT write an empty classification.config file, just */ + /* exit instead. */ + /**********************************************************/ + if (empty($outMap)) + return false; + /* Format and write it to the supplied output file. */ $format = "config classification: %s,%s\n"; foreach ($outMap as $key=>$value) $outMap[$key] = sprintf($format, $key, $value); @file_put_contents($cfg_out, array_values($outMap)); + return true; } function snort_load_rules_map($rules_path) { @@ -1272,11 +1357,13 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { /* given. */ /************************************************/ + global $flowbit_rules_file; + /* See if we were passed a directory or full */ /* filename to write the rules to, and adjust */ /* the destination argument accordingly. */ if (is_dir($rule_file)) - $rule_file = rtrim($rule_file, '/').'/flowbit-required.rules'; + $rule_file = rtrim($rule_file, '/')."/{$flowbit_rules_file}"; if (empty($flowbit_rules)) { @file_put_contents($rule_file, ""); 
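Review bot: `snort_merge_reference_configs()` now returns `true` unconditionally after `@file_put_contents()`, so a suppressed write failure (read-only filesystem, missing directory) is reported as success; `return @file_put_contents($cfg_out, array_values($outMap)) !== false;` makes the new return value honest. The same applies to `snort_merge_classification_configs()` in the `@@ -895,11 +972,19 @@` hunk. Callers that test the result should be able to tell "nothing to write" from "write failed", so the header comment should state that `false` covers both unless distinct return values are chosen.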
@@ -1363,7 +1450,7 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { global $snort_enforcing_rules_file; - $rule_file = "/snort.rules"; + $rule_file = "/{$snort_enforcing_rules_file}"; /* See if we were passed a directory or full */ /* filename to write the rules to, and adjust */ @@ -1402,9 +1489,17 @@ function snort_load_sid_mods($sids, $value) { /* This function parses the string of */ /* SID values in $sids and returns an */ /* array with the SID as the key and */ - /* passed $value as the value. The SID */ - /* values in $sids are assumed to be */ - /* delimited by "||". */ + /* value. The SID values in $sids are */ + /* assumed to be delimited by "||". */ + /* */ + /* $sids ==> string of SID values from */ + /* saved config file. */ + /* */ + /* $value ==> type of mod (enable or */ + /* disable). Not currently */ + /* utilized, but maintained */ + /* so as not to break legacy */ + /* code elsewhere. */ /*****************************************/ $result = array(); @@ -1413,7 +1508,7 @@ function snort_load_sid_mods($sids, $value) { $tmp = explode("||", $sids); foreach ($tmp as $v) { if (preg_match('/\s\d+/', $v, $match)) - $result[trim($match[0])] = $value; + $result[trim($match[0])] = trim($match[0]); } unset($tmp); @@ -1458,14 +1553,13 @@ function snort_modify_sids(&$rule_map, $snortcfg) { if (!empty($disablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $disablesid) && $v['disabled'] == 0) { + if (in_array($k2, $disablesid) && $v['disabled'] == 0) { $rule_map[$k1][$k2]['rule'] = "# " . $v['rule']; $rule_map[$k1][$k2]['disabled'] = 1; } } } } - unset($enablesid, $disablesid); } @@ -1475,6 +1569,7 @@ function snort_create_rc() { global $config, $g; $snortdir = SNORTDIR; + $rcdir = RCFILEPREFIX; if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; 
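Review bot: With `snort_load_sid_mods()` now storing the SID as both key and value, `in_array($k2, $disablesid)` in `snort_modify_sids()` scans the values with loose comparison for every rule; since the map is keyed by SID, `isset($disablesid[$k2])` performs the same membership test in O(1) and reads as intended (the `$enablesid` branch outside this hunk appears to have the same shape). The `$value` parameter of `snort_load_sid_mods()` is now unused; the docblock says so, but a `/* $value intentionally unused, kept for legacy callers */` beside the assignment would stop the next reader from "fixing" it back.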
@@ -1494,8 +1589,9 @@ function snort_create_rc() { if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then /bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' > {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid + else + /bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid fi - /bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid if [ $? = 0 ]; then /bin/pkill -HUP -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a else 
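Review bot: In the `$start_barnyard2` script the `pgrep -xf '...' > pidfile` line in the first branch creates the pid file even when pgrep finds no process, leaving an empty file; on the next run the `[ ! -f ... ]` test is then false and the new `else` branch runs `pgrep -F` against an empty file. Capturing the pgrep output into a variable first, as the stop script in the next hunk does, and writing the file only when `$? = 0` avoids the stale empty pid file. The following `if [ $? = 0 ]` now tests whichever pgrep ran in the branch above; a one-line comment saying so would help.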
@@ -1506,10 +1602,30 @@ EOE; $stop_barnyard2 = <<<EOE if [ -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then + pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` /bin/pkill -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a - /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then + /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid + fi else + pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q'` /bin/pkill -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done fi EOE; 
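Review bot: The new pid-file check uses a literal `/var/run/barnyard2_...pid` while the file is created and tested under `{$g['varrun_path']}` everywhere else in this script; if the two ever differ the stale pid file is never removed, so both new lines should use `{$g['varrun_path']}`. The same literal path and the same 7-line `while kill -0 \$pid` wait loop are repeated in this hunk's `else` branch and twice more in the `$start_snort_iface_stop` hunk at `@@ -1543,12 +1658,32 @@`; defining one `wait_for_exit()` shell function near the top of the generated script (outside this hunk) and calling it with the pid would remove three copies. `pid` may be empty when the pid file is stale; `kill -0` then fails immediately and the loop exits, which is acceptable but worth a comment.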
@@ -1521,19 +1637,18 @@ EOE; $start_snort_iface_start[] = <<<EOE ###### For Each Iface -#### Only try to restart if snort is running on Iface + # Start snort and barnyard2 if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then - /bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' > {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid + pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'` + else + pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` fi - /bin/pgrep -nF {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid if [ $? = 0 ]; then - /bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT START For {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill -HUP \$pid + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..." else - # Start snort and barnyard2 - /bin/rm {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START For {$value['descr']}({$snort_uuid}_{$if_real})..." + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..." fi sleep 2 
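Review bot: `if [ $? = 0 ]` after the `if/else` now tests the exit status of whichever pgrep command substitution ran in the branch above; that is correct for a shell assignment from a command substitution but subtle enough for a comment, `# $? is the status of the pgrep in the branch above`. When the pid file exists but `pgrep -F` fails (stale file), the start branch runs with the stale file left in place for snort to overwrite; as far as I can tell `--nolock-pidfile` permits that, but the dropped `/bin/rm` of the pid file was the explicit cleanup, so the comment should say the overwrite is relied upon.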
@@ -1543,12 +1658,32 @@ EOE; $start_snort_iface_stop[] = <<<EOE - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP For {$value['descr']}({$snort_uuid}_{$if_real})..." + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." if [ -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then + pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` /bin/pkill -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a - /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid - else + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + if [ -f /var/run/snort_{$if_real}{$snort_uuid}.pid ]; then + /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid + fi + else + pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'` /bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done fi sleep 2 @@ -1584,6 +1719,7 @@ case $1 in rc_stop ;; restart) + rc_stop rc_start ;; esac 
@@ -1591,11 +1727,11 @@ esac EOD; /* write out snort.sh */ - if (!@file_put_contents("/usr/local/etc/rc.d/snort.sh", $snort_sh_text)) { - log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); + if (!@file_put_contents("{$rcdir}/snort.sh", $snort_sh_text)) { + log_error("Could not open {$rcdir}/snort.sh for writing."); return; } - @chmod("/usr/local/etc/rc.d/snort.sh", 0755); + @chmod("{$rcdir}/snort.sh", 0755); } /* open barnyard2.conf for writing */ @@ -1642,13 +1778,16 @@ function snort_generate_barnyard2_conf($snortcfg, $if_real) { config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map -config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map +config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map config hostname: $snortbarnyardlog_hostname_info_chk config interface: {$if_real} config decode_data_link config waldo_file: /var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo +# Show year in timestamps +config show_year + ## START user pass through ## {$snortbarnyardlog_config_pass_thru} @@ -1671,12 +1810,15 @@ EOD; } function snort_deinstall() { - global $config, $g; + + global $config, $g, $snort_rules_upd_log; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; + $rcdir = RCFILEPREFIX; - /* decrease bpf buffers back to 4096, from 20480 */ + /* Make sure all active Snort processes are terminated */ mwexec('/usr/bin/killall snort', true); sleep(2); mwexec('/usr/bin/killall -9 snort', true); 
@@ -1685,9 +1827,11 @@ function snort_deinstall() { sleep(2); mwexec('/usr/bin/killall -9 barnyard2', true); sleep(2); + + /* Remove the snort user and group */ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); - /* Remove snort cron entries Ugly code needs smoothness*/ + /* Remove snort cron entries Ugly code needs smoothness */ if (!function_exists('snort_deinstall_cron')) { function snort_deinstall_cron($crontask) { global $config, $g; 
@@ -1709,25 +1853,62 @@ function snort_deinstall() { } } - mwexec("/bin/rm {$snortdir}/*.md5; /bin/rm -r {$snortdir}/snort_*"); + /* Remove all the Snort cron jobs. */ snort_deinstall_cron("snort2c"); snort_deinstall_cron("snort_check_for_rule_updates.php"); snort_deinstall_cron("snort_check_cron_misc.inc"); configure_cron(); + /**********************************************************/ + /* Test for existence of library backup tarballs in /tmp. */ + /* If these are present, then a package "delete" */ + /* operation is in progress and we need to wipe out the */ + /* configuration files. Otherwise we leave the binary- */ + /* side configuration intact since only a GUI files */ + /* deinstall and reinstall operation is in progress. */ + /* */ + /* XXX: hopefully a better method presents itself in */ + /* future versions of pfSense. */ + /**********************************************************/ + if (file_exists("/tmp/pkg_libs.tgz") || file_exists("/tmp/pkg_bins.tgz")) { + log_error(gettext("[Snort] Package deletion requested... removing all files...")); + mwexec("/bin/rm -rf {$snortdir}"); + mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules"); + mwexec("/bin/rm -f {$rcdir}/snort.sh"); + mwexec("/bin/rm -rf /usr/local/pkg/snort"); + mwexec("/bin/rm -rf /usr/local/www/snort"); + mwexec("/bin/rm -rf /usr/local/etc/snort"); + } + /* Keep this as a last step */ - if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') { + log_error(gettext("Not saving settings... 
all Snort configuration info and logs deleted...")); unset($config['installedpackages']['snortglobal']); + @unlink("{$snort_rules_upd_log}"); + mwexec("/bin/rm -rf {$snortlogdir}"); + log_error(gettext("[Snort] The package has been removed from this system...")); + } } function snort_prepare_rule_files($snortcfg, $snortcfgdir) { - global $snort_enforcing_rules_file, $flowbit_rules_file; + + global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules; $snortdir = SNORTDIR; + $no_rules_defined = true; + + /* If there is no reason to rebuild the rules, exit to save time. */ + if ($rebuild_rules == "off") + return; + + /* Log a message for rules rebuild in progress */ + log_error(gettext("[Snort] Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + /* Only rebuild rules if some are selected or an IPS Policy is enabled */ if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') { $enabled_rules = array(); $enabled_files = array(); + $no_rules_defined = false; /* Create an array with the full path filenames of the enabled */ /* rule category files if we have any. */ @@ -1741,16 +1922,6 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_rules = snort_load_rules_map($enabled_files); } - /* Remove any existing rules files (except custom rules) prior to building a new set. */ - foreach (glob("{$snortcfgdir}/rules/*.rules") as $file) { - $tmpfile = basename($file); - if (in_array("{$snortdir}/rules/{$tmpfile}", $enabled_files)) - continue; - if ($tmpfile != "custom.rules" && $tmpfile != $flowbit_rules_file && - $tmpfile != $snort_enforcing_rules_file) - @unlink($file); - } - /* Check if a pre-defined Snort VRT policy is selected. If so, */ /* add all the VRT policy rules to our enforcing rule set. */ if (!empty($snortcfg['ips_policy'])) { 
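Review bot: The deinstall path runs `mwexec("/bin/rm -rf {$snortdir}")` and `rm -rf {$snortlibdir}/dynamicrules` with paths that, on FreeBSD >= 8.3, are derived from `pbi_info` output in the file header; they should be guarded before being handed to a shell, e.g. `if (!empty($snortdir) && $snortdir !== '/') mwexec('/bin/rm -rf ' . escapeshellarg($snortdir));`. The tarball-in-/tmp heuristic for "package delete vs. reinstall" is already marked XXX; the delete case is logged, and the keep case should be logged too so an unexpected wipe can be traced in the system log. `snort_prepare_rule_files()` now returns immediately when `$rebuild_rules == "off"`, which also skips writing `custom.rules` and the flowbit file; if any caller relied on those being refreshed without a full rules rebuild, that is a behaviour change worth a comment at the early return. The function continues past the end of this hunk.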
@@ -1773,9 +1944,12 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Process any enablesid or disablesid modifications for the selected rules. */ snort_modify_sids($enabled_rules, $snortcfg); - /* Check for and disable any rules dependent upon disabled preprocessors. */ - log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); - snort_filter_preproc_rules($snortcfg, $enabled_rules); + /* Check for and disable any rules dependent upon disabled preprocessors if */ + /* this option is enabled for the interface. */ + if ($snortcfg['preproc_auto_rule_disable'] == "on") { + log_error('[Snort] Checking for rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + snort_filter_preproc_rules($snortcfg, $enabled_rules); + } /* Write the enforcing rules file to the Snort interface's "rules" directory. */ snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); 
@@ -1783,9 +1957,19 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */ if ($snortcfg['autoflowbitrules'] == 'on') { - log_error('Resolving and auto-enabling flowbit required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); $enabled_files[] = "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"; - snort_write_flowbit_rules_file(snort_resolve_flowbits($enabled_files), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); + $fbits = snort_resolve_flowbits($enabled_files); + + /* Check for and disable any flowbit-required rules dependent upon */ + /* disabled preprocessors if this option is enabled for the interface. */ + if ($snortcfg['preproc_auto_rule_disable'] == "on") { + log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + snort_filter_preproc_rules($snortcfg, $fbits, true); + } + snort_filter_preproc_rules($snortcfg, $fbits, true); + snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}"); + unset($fbits); } else /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); 
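Review bot: `snort_filter_preproc_rules($snortcfg, $fbits, true);` is called twice — once inside the `preproc_auto_rule_disable == "on"` block and again unconditionally on the next line. The function returns early when the option is off, so the second call is a no-op today, but with the option on it reopens the disabled-rules log in append mode and may write a second entry; it is clearly a leftover and the unconditional call should be deleted. The enclosing function continues beyond this hunk.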
@@ -1796,17 +1980,24 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); } - if (!empty($snortcfg['customrules'])) + if (!empty($snortcfg['customrules'])) { @file_put_contents("{$snortcfgdir}/rules/custom.rules", base64_decode($snortcfg['customrules'])); + $no_rules_defined = false; + } else @file_put_contents("{$snortcfgdir}/rules/custom.rules", ""); + /* Log a warning if the interface has no rules defined or enabled */ + if ($no_rules_defined) + log_error(gettext("[Snort] Warning - no text rules selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + /* Build a new sid-msg.map file from the enabled */ /* rules and copy it to the interface directory. */ + log_error(gettext("[Snort] Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "...")); snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map"); } -function snort_filter_preproc_rules($snortcfg, &$active_rules) { +function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = false) { /**************************************************/ /* This function checks the $active_rules array */ 
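Review bot: The new log line says `sig-msg.map` while the file built on the next line is `sid-msg.map`; change the message to `"[Snort] Building new sid-msg.map file for "`. Wrapping a concatenated string in `gettext()` (here and in the "no text rules" warning) defeats translation, because the runtime string containing the interface name never matches a catalog entry; use `gettext("[Snort] Building new sid-msg.map file for ") . snort_get_friendly_interface($snortcfg['interface']) . "..."`. `custom.rules` is written from `base64_decode($snortcfg['customrules'])` with no check that the decode succeeded; `base64_decode($snortcfg['customrules'], true)` returns false on malformed input, which can be logged instead of silently writing an empty or garbled rules file.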
@@ -1819,11 +2010,22 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { /* the interface */ /* $active_rules -> rules_map array of enabled */ /* rules for the interface */ + /* */ + /* NOTE: This feature must be enabled in the GUI */ + /* by the user. Use of this feature can */ + /* severely degrade Snort's ability to */ + /* detect threats by disabling potentially */ + /* crucial detection rules. */ /**************************************************/ global $config; - if (empty($active_rules)) + $snortlogdir = SNORTLOGDIR; + $disabled_count = 0; + $log_msg = array(); + + /* Check if no rules or if this option is disabled */ + if (empty($active_rules) || $snortcfg['preproc_auto_rule_disable'] <> 'on') return; /*************************************************** @@ -1833,8 +2035,20 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { * IMPORTANT -- Keep this part of the code current * * with changes to preprocessor rule options in * * Snort VRT rules. * + * * + * * + * Format of array is: * + * "rule_option" => "dependent_preprocessor" * + * * + * Last Update: 04/05/2013 * + * * + * Added: http_inspect content modifiers and * + * various "service" metadata values. * + * * ***************************************************/ $rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc", + "service ssl" => "ssl_preproc", "service ftp" => "ftp_preprocessor", + "service telnet" => "ftp_preprocessor", "service dns" => "dns_preprocessor", "dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2", "dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data", "sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc", 
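Review bot: `$snortcfg['preproc_auto_rule_disable'] <> 'on'` uses the `<>` spelling while the visible code elsewhere uses `!=`; beyond style, the key may be absent on configs saved before this option existed, so `empty($active_rules) || !isset($snortcfg['preproc_auto_rule_disable']) || $snortcfg['preproc_auto_rule_disable'] != 'on'` avoids an undefined-index notice. The `Last Update: 04/05/2013` line in the table comment will go stale silently; the commit history already records when the table changed, so keep the "Added:" description and drop the date. The NOTE about degraded detection is the right place to also say that the per-interface `_disabled_preproc_rules.log` written later in this function lists exactly which rules were turned off, so an operator can audit the coverage loss.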
@@ -1843,7 +2057,16 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { "gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc", "modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc", "dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc", - "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc"); + "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc", + "http_client_body;" => "http_inspect", "http_cookie;" => "http_inspect", + "http_raw_cookie;" => "http_inspect", "http_header;" => "http_inspect", + "http_raw_header;" => "http_inspect", "http_method;" => "http_inspect", + "http_uri;" => "http_inspect", "http_raw_uri;" => "http_inspect", + "http_stat_code;" => "http_inspect", "http_stat_msg;" => "http_inspect", + "uricontent:" => "http_inspect", "urilen:" => "http_inspect", + "http_encode;" => "http_inspect", "service http" => "http_inspect", + "service imap" => "imap_preproc", "service pop2" => "pop_preproc", + "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor"); /*************************************************** * Iterate the enabled rules, and check for rule * 
@@ -1855,31 +2078,99 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { ***************************************************/ foreach ($active_rules as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if ($v['disabled'] == 0) + + /* If rule is already disabled, skip it. */ + if ($v['disabled'] == 1) continue; + foreach ($rule_opts_preprocs as $opt => $preproc) { - $pcre = "/\s*\b" . $opt . "/i"; + $pcre = "/\s*\b" . preg_quote($opt) . "/i"; if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) { $active_rules[$k1][$k2]['rule'] = "# " . $v['rule']; $active_rules[$k1][$k2]['disabled'] = 1; + $disabled_count++; + + /* Accumulate auto-disabled rules for logging */ + $tmp = $active_rules[$k1][$k2]['category'] . ","; + $tmp .= "{$k1}:{$k2},{$preproc},{$opt}"; + $log_msg[] = $tmp; break; } } } } + + /***************************************************************/ + /* If we are persisting the log from the last pass, then open */ + /* the log file in append mode. Otherwise open in overwrite */ + /* to clear the log in case we have zero disabled rules. */ + /* */ + /* Typically "persist log" mode is used on the second pass */ + /* when flowbit-required rules are being assessed after the */ + /* primary enforcing rules have been evaluated. */ + /***************************************************************/ + $iface = snort_get_friendly_interface($snortcfg['interface']); + $file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; + if ($persist_log) + $fp = fopen($file, 'a'); + else + $fp = fopen($file, 'w'); + + /***************************************************/ + /* Log a warning if we auto-disabled any rules */ + /* just so the user is aware protection is less */ + /* than optimal with the preprocessors disabled. 
*/ + /***************************************************/ + if ($disabled_count > 0) { + log_error(gettext("[Snort] Warning: auto-disabled {$disabled_count} rules due to disabled preprocessor dependencies.")); + natcasesort($log_msg); + if ($fp) { + /* Only write the header when not persisting the log */ + if (!$persist_log) { + @fwrite($fp, "#\n# Run Time: " . date("Y-m-d H:i:s") . "\n#\n"); + @fwrite($fp, "#\n# These rules were auto-disabled because they contain options or operators\n"); + @fwrite($fp, "# dependent on preprocessors that are currently NOT ENABLED on the Preprocessors\n"); + @fwrite($fp, "# tab. Without these dependent preprocessors enabled, Snort would fail to start\n"); + @fwrite($fp, "# if the rules listed below were enabled. Therefore the listed rules have been\n"); + @fwrite($fp, "# automatically disabled. This behavior is controlled by the Auto-Rule Disable\n"); + @fwrite($fp, "# feature on the Preprocessors tab.\n#\n"); + @fwrite($fp, "# WARNING: Using the auto-disable rule feature is not recommended because it can\n"); + @fwrite($fp, "# significantly reduce the threat detection capabilities of Snort!\n#"); + @fwrite($fp, "\n# In the list below, the PREPROCESSOR column is the disabled preprocessor that\n"); + @fwrite($fp, "# triggered the auto-disable of the rule represented by GID:SID. The RULE OPTION\n"); + @fwrite($fp, "# column shows the specific rule option or content modifier contained within\n"); + @fwrite($fp, "# the rule text that requires the preprocessor be enabled in order to execute.\n#"); + @fwrite($fp, "\n# RULE CATEGORY GID:SID PREPROCESSOR RULE OPTION\n"); + } + foreach ($log_msg as $m) { + $tmp = explode(",", $m); + @fwrite($fp, sprintf("%-30s %-10s %-20s %s", $tmp[0], $tmp[1], $tmp[2], $tmp[3]) . 
"\n"); + } + } + log_error(gettext("[Snort] See '{$file}' for list of auto-disabled rules.")); + unset($log_msg); + } + if ($fp) + fclose($fp); } function snort_generate_conf($snortcfg) { - global $config, $g; + + global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; - $flowbit_rules_file = "flowbit-required.rules"; - $snort_enforcing_rules_file = "snort.rules"; if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; + /* See if we should protect and not modify the preprocessor rules files */ + if (!empty($snortcfg['protect_preproc_rules'])) + $protect_preproc_rules = $snortcfg['protect_preproc_rules']; + else + $protect_preproc_rules = "off"; + $if_real = snort_get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; @@ -1902,8 +2193,8 @@ function snort_generate_conf($snortcfg) { "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "/usr/local/lib/snort/dynamicrules", - "dynamicengine" => "/usr/local/lib/snort/dynamicengine", + "dynamicrules" => "{$snortlibdir}/dynamicrules", + "dynamicengine" => "{$snortlibdir}/dynamicengine", "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" ); foreach ($snort_dirs as $dir) { 
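Review bot: The match pattern `"/\s*\b" . preg_quote($opt) . "/i"` has no trailing boundary, so a key such as `service ftp` or `service pop3` also matches any longer service token that begins with those letters, and each false match silently comments out a detection rule; `preg_quote()` is also called without the `/` delimiter the pattern uses. Whether longer service names occur in the rule sets is not visible here, so the safe form is to anchor only the `service …` keys: `$pcre = "/\b" . preg_quote($opt, '/') . (strncmp($opt, 'service ', 8) == 0 ? '(?![\w-])' : '') . "/i";`. The `[Snort] Warning: auto-disabled {$disabled_count} rules` message interpolates the count inside `gettext()`, so it cannot be translated either; use `sprintf()` over a fixed template. `snort_filter_preproc_rules` begins in an earlier hunk and `snort_generate_conf` continues past this one.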
@@ -1911,13 +2202,24 @@ function snort_generate_conf($snortcfg) { safe_mkdir($dir); } + /********************************************************************/ + /* For fail-safe on an initial startup following installation, and */ + /* before a rules update has occurred, copy the default config */ + /* files to the interface directory. If files already exist in */ + /* the interface directory, or they are newer, that means a rule */ + /* update has been done and we should leave the customized files */ + /* put in place by the rules update process. */ + /********************************************************************/ $snort_files = array("gen-msg.map", "classification.config", "reference.config", "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" ); foreach ($snort_files as $file) { - if (file_exists("{$snortdir}/{$file}")) - @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + if (file_exists("{$snortdir}/{$file}")) { + $ftime = filemtime("{$snortdir}/{$file}"); + if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) + @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + } } /* define alertsystemlog */ @@ -2011,7 +2313,7 @@ EOD; if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) $def_client_flow_depth_type = $snortcfg['client_flow_depth']; - if ($snortcfg['noalert_http_inspect'] == 'on') + if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect'])) $noalert_http_inspect = "no_alerts "; else $noalert_http_inspect = ""; 
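Review bot: The fail-safe copy keeps `@` on `copy()`, so when a default file cannot be placed in the interface directory nothing is logged and whatever fails later gives no hint of the cause; `if (!@copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}")) log_error("[Snort] Failed to copy default {$file} to {$snortcfgdir}");` keeps the best-effort behaviour while recording the failure. The header comment can be read as saying any file already present in the interface directory is left alone, but the code replaces an existing file whenever the package default has a newer mtime, so a customised file produced by a rules update can still be overwritten by a fresher default; the comment should state plainly that the newer file wins. `snort_generate_conf` continues outside this hunk.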
@@ -2256,6 +2558,16 @@ EOD; if (!empty($snortcfg['stream5_mem_cap'])) $def_stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}"; + /* Default the HTTP_INSPECT preprocessor to "on" if not set. */ + /* The preprocessor is required by hundreds of Snort rules, */ + /* and without it Snort may not start and/or the number of */ + /* rules required to be disabled reduces Snort's capability. */ + /* Alerts from the HTTP_INSPECT preprocessor default to "off" */ + /* unless a specific value has been set by the user. */ + /**************************************************************/ + if (empty($snortcfg['http_inspect'])) + $snortcfg['http_inspect'] = 'on'; + /* define servers and ports snortdefservers */ $snort_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", @@ -2294,8 +2606,8 @@ EOD; if (!empty($snort_preproc_libs[$preproc])) { $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { - if (file_exists("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so")) { - @copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { + @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); $snort_preprocessors .= $$preproc; $snort_preprocessors .= "\n"; } else 
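Review bot: The `http_inspect` default is applied to the local copy of `$snortcfg` inside `snort_generate_conf`, while the rule filtering that keys off the same array lives elsewhere: `snort_filter_preproc_rules` (earlier in this file) comments out every rule carrying an `http_*` modifier, `uricontent:`, `urilen:` or `service http` when `$snortcfg['http_inspect'] != 'on'`, and its call site is not in view. If that filter runs on a config where the option was never saved, the new `http_inspect` entries in `$rule_opts_preprocs` would auto-disable those rules even though the preprocessor is then defaulted on here. Applying the default where `$snortcfg` is first loaded, or repeating `if (empty($snortcfg['http_inspect'])) $snortcfg['http_inspect'] = 'on';` at the top of `snort_filter_preproc_rules`, keeps the two decisions consistent. The comment block above the default opens without a matching `/****` line, and the surrounding function continues outside this hunk.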
@@ -2317,28 +2629,32 @@ EOD; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; if (is_dir("{$snortcfgdir}/preproc_rules")) { - if ($snortcfg['sensitive_data'] == 'on') { + if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")) $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; } else $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); @unlink("{$g['tmp_path']}/sedcmd"); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } else { + } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } + else { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); } } else { $snort_misc_include_rules .= "config 
autogenerate_preprocessor_decoder_rules\n"; - log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); } /* generate rule sections to load */ @@ -2346,6 +2662,8 @@ EOD; $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; + + /* Create the actual rules file and save in the interface directory */ snort_prepare_rule_files($snortcfg, $snortcfgdir); $cksumcheck = "all"; @@ -2393,6 +2711,9 @@ config pcre_match_limit_recursion: 1500 config detection: search-method {$snort_performance} search-optimize max-pattern-len 20 max_queue_events 5 config event_queue: max_queue 8 log 5 order_events content_length +# Configure to show year in timestamps +config show_year + # Configure protocol aware flushing # # For more information see README.stream5 # config paf_max: 16000 diff --git a/config/snort/snort.xml b/config/snort/snort.xml index b18e66e1..2f60b7ae 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.9.2.3</version> - <title>Services:2.9.2.3 pkg v. 2.5.3</title> + <version>2.9.4.1</version> + <title>Services:2.9.4.1 pkg v. 2.5.7</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> 
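Review bot: In the `-2317` hunk, with `protect_preproc_rules` set to "on" the first condition now fails even when `sensitive_data` is "on", so the `include \$PREPROC_RULE_PATH/sensitive-data.rules` line is never emitted and `$sedcmd` is set to the comment-out form for a file that is then never edited; enabling protection therefore silently drops the sensitive-data rules from the generated config. The protection flag is already enforced at the `mwexec()` sed step further down, so the guard is not needed on the include decision: `if ($snortcfg['sensitive_data'] == 'on') {` restores the include while still leaving the rule files untouched. `snort_generate_conf` continues outside this hunk.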
@@ -163,6 +163,11 @@ <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress_edit.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_log_view.php</item> + </additional_files_needed> <fields> </fields> <custom_add_php_command> @@ -177,3 +182,4 @@ snort_deinstall(); </custom_php_deinstall_command> </packagegui> + diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index e6ebefeb..3fcbe6b7 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -219,7 +219,7 @@ if ($pconfig['arefresh'] == 'on') <td width="78%" class="vtable"> <input name="download" type="submit" class="formbtn" value="Download"> <?php echo gettext('All ' . 'log files will be saved.'); ?> <a href="/snort/snort_alerts.php?action=clear&instance=<?=$instanceid;?>"> - <input name="delete" type="button" class="formbtn" value="Clear" + <input name="delete" type="submit" class="formbtn" value="Clear" onclick="return confirm('Do you really want to remove all instance logs?')"></a> <span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo ' ' . gettext('all log files will be deleted.'); ?> </td> diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index ccbe3c26..e1de3efd 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -32,7 +32,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; $id = $_GET['id']; if (isset($_POST['id'])) @@ -87,6 +87,9 @@ if ($_POST) { } write_config(); + + /* No need to rebuild rules if just toggling Barnyard2 on or off */ + $rebuild_rules = "off"; sync_snort_package_config(); /* after click go to this page */ 
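Review bot: In the snort_alerts.php hunk, changing the Clear control to `type="submit"` leaves it wrapped in `<a href="/snort/snort_alerts.php?action=clear&instance=…">`, so the destructive clear is now reachable both through the form POST (`name="delete"`) and through a plain GET link, and which one fires on click depends on how the browser resolves a submit button inside an anchor. Keeping only the POST path — drop the surrounding `<a>` and act on `$_POST['delete']` server-side — makes the action unambiguous and removes the GET-triggerable variant. The handler for `delete` is not visible in this diff, so confirm it exists before removing the link.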
@@ -173,10 +176,10 @@ function enable_change(enable_change) { <?php echo gettext("This will enable barnyard2 for this interface. You will also have to set the database credentials."); ?></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Mysql Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Settings"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a Mysql Database"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td> <td width="78%" class="vtable"><input name="barnyard_mysql" type="text" class="formfld" id="barnyard_mysql" size="100" value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br> @@ -207,7 +210,7 @@ function enable_change(enable_change) { <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <br> - <?php echo gettext("Please save your settings befor you click start."); ?> </td> + <?php echo gettext("Please save your settings before you click start."); ?> </td> </tr> </table> diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index def5dd22..295218f6 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php 
@@ -135,21 +135,23 @@ if ($pconfig['brefresh'] == 'on') <?php if ($savemsg) print_info_box($savemsg); ?> <form action="/snort/snort_blocked.php" method="post"> <table width="99%" border="0" cellpadding="0" cellspacing="0"> -<tr><td> -<?php - $tab_array = array(); - $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); - $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); - $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); - $tab_array[4] = array(gettext("Blocked"), true, "/snort/snort_blocked.php"); - $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); - $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); - display_top_tabs($tab_array); -?> -</td></tr> - <tr> - <td> +<tr> + <td> + <?php + $tab_array = array(); + $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php"); + $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php"); + $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php"); + $tab_array[4] = array(gettext("Blocked"), true, "/snort/snort_blocked.php"); + $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + display_top_tabs($tab_array); + ?> + </td> +</tr> +<tr> + <td> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> 
@@ -164,7 +166,7 @@ if ($pconfig['brefresh'] == 'on') <input name="download" type="submit" class="formbtn" value="Download"> <?php echo gettext("All " . "blocked hosts will be saved."); ?> <input name="remove" type="submit" class="formbtn" value="Clear"> <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> - <?php echo gettext("all hosts will be removed."); ?></form> + <?php echo gettext("all hosts will be removed."); ?> </td> </tr> <tr> @@ -179,17 +181,16 @@ if ($pconfig['brefresh'] == 'on') "number of blocked entries to view. %sDefault%s is %s500%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> - <tr> - <td colspan="2"> - <table id="sortabletable1" class="sortable" width="100%" border="0" - cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">#</td> - <td width="15%" class="listhdrr"><?php echo gettext("IP"); ?></td> - <td width="70%" class="listhdrr"><?php echo gettext("Alert Description"); ?></td> - <td width="5%" class="listhdrr"><?php echo gettext("Remove"); ?></td> - </tr> - <?php + <tr> + <td colspan="2"> + <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">#</td> + <td width="15%" class="listhdrr"><?php echo gettext("IP"); ?></td> + <td width="70%" class="listhdrr"><?php echo gettext("Alert Description"); ?></td> + <td width="5%" class="listhdrr"><?php echo gettext("Remove"); ?></td> + </tr> + <?php /* set the arrays */ $blocked_ips_array = array(); if (is_array($blocked_ips)) { 
@@ -242,27 +243,25 @@ if ($pconfig['brefresh'] == 'on') $counter++; /* use one echo to do the magic*/ - echo "<tr> - <td width='5%' > {$counter}</td> - <td width='15%' > {$blocked_ip}</td> - <td width='70%' > {$blocked_desc}</td> - <td width='5%' align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> - <img title=\"" . gettext("Delete") . "\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> - </tr>\n"; - + echo "<tr> + <td width='5%' > {$counter}</td> + <td width='15%' > {$blocked_ip}</td> + <td width='70%' > {$blocked_desc}</td> + <td width='5%' align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> + <img title=\"" . gettext("Delete") . "\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + </tr>\n"; } - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; - } else - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; - - ?> + echo "\n<tr><td colspan='4' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; + } else + echo "\n<tr><td colspan='4' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; + ?> + </table> + </td> + </tr> </table> - </td> - </tr> -</table> - </td> - </tr> + </td> +</tr> </table> </form> <?php diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index af5d378c..f69c3b98 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php 
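Review bot: The re-indented echo still writes `{$blocked_ip}` and `{$blocked_desc}` straight into the table cells, while the `todelete` link correctly goes through `urlencode()`; where those two values are built is above this hunk, but the description appears to be the text of the alert that caused the block, i.e. content influenced by the traffic Snort inspected, so it belongs inside `htmlspecialchars()` before it reaches the page (`" . htmlspecialchars($blocked_desc) . "` in place of `{$blocked_desc}`), and the same for `{$blocked_ip}`. The colspan change from 3 to 4 correctly matches the four header columns.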
@@ -31,54 +31,73 @@ require_once("functions.inc"); require_once("service-utils.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); +require_once "/usr/local/pkg/snort/snort.inc"; +require_once("service-utils.inc"); -global $snort_gui_include; +global $snort_gui_include, $vrt_enabled, $et_enabled, $rebuild_rules, $snort_rules_upd_log; +global $protect_preproc_rules, $is_postinstall, $snort_community_rules_filename; +global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename; $snortdir = SNORTDIR; +$snortlibdir = SNORTLIBDIR; +$snortlogdir = SNORTLOGDIR; if (!isset($snort_gui_include)) $pkg_interface = "console"; -$tmpfname = "{$snortdir}/tmp/snort_rules_up"; -$snort_filename_md5 = "{$snort_rules_file}.md5"; -$snort_filename = "{$snort_rules_file}"; -$emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5"; -$emergingthreats_filename = "emerging.rules.tar.gz"; - /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; $vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; -/* Start of code */ -conf_mount_rw(); +/* Directory where we download rule tarballs */ +$tmpfname = "{$snortdir}/tmp/snort_rules_up"; + +/* Snort VRT rules files and URL */ +$snort_filename_md5 = "{$snort_rules_file}.md5"; +$snort_filename = "{$snort_rules_file}"; +$snort_rule_url = "http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/"; -if (!is_dir($tmpfname)) - exec("/bin/mkdir -p {$tmpfname}"); +/* Emerging Threats rules MD5 file */ +$emergingthreats_filename_md5 = "{$emergingthreats_filename}.md5"; -/* Set user agent to Mozilla */ -ini_set('user_agent','Mozilla/4.0 (compatible; 
MSIE 6.0)'); -ini_set("memory_limit","150M"); +/* Snort GPLv2 Community Rules MD5 file */ +$snort_community_rules_filename_md5 = "{$snort_community_rules_filename}.md5"; + +/* Start of code */ +conf_mount_rw(); /* remove old $tmpfname files */ if (is_dir("{$tmpfname}")) exec("/bin/rm -r {$tmpfname}"); -/* Make sure snortdir exits */ +/* Make sure required snortdirs exsist */ exec("/bin/mkdir -p {$snortdir}/rules"); exec("/bin/mkdir -p {$snortdir}/signatures"); +exec("/bin/mkdir -p {$snortdir}/preproc_rules"); exec("/bin/mkdir -p {$tmpfname}"); -exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules"); +exec("/bin/mkdir -p {$snortlibdir}/dynamicrules"); +exec("/bin/mkdir -p {$snortlogdir}"); + +/* See if we need to automatically clear the Update Log based on 1024K size limit */ +if (file_exists($snort_rules_upd_log)) { + if (1048576 < filesize($snort_rules_upd_log)) + exec("/bin/rm -r {$snort_rules_upd_log}"); +} + +/* Log start time for this rules update */ +error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log); /* download md5 sig from snort.org */ if ($snortdownload == 'on') { - update_status(gettext("Downloading snort.org md5 file...")); + update_status(gettext("Downloading Snort VRT md5 file...")); + error_log(gettext("\tDownloading Snort VRT md5 file...\n"), 3, $snort_rules_upd_log); $max_tries = 4; while ($max_tries > 0) { - $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + $image = @file_get_contents("{$snort_rule_url}{$snort_filename_md5}"); if (false === $image) { $max_tries--; if ($max_tries > 0) 
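Review bot: `$snort_rule_url` and the md5 file it is paired with are both fetched over plain `http://`, and the per-user oinkcode travels in the URL path over that unencrypted connection; the md5 comparison made after the tarball download (later in this file) therefore catches a truncated or corrupted transfer but not a substituted one, since anything that can alter the rules download can alter the sidecar md5 as well. If the oinkmaster endpoint is reachable over `https://`, switching the URL is the cheap fix; otherwise the check should be described in a comment as an integrity-only check so readers do not mistake it for authentication. Smaller points in the same hunk: `require_once("service-utils.inc")` is added directly after an identical existing line, `exec("/bin/rm -r {$snort_rules_upd_log}")` on a single log file is better written as `@unlink($snort_rules_upd_log);`, and the `gettext()` calls wrap strings built with `date()` so their keys can never match a catalog. This hunk begins on the previous line.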
@@ -87,15 +106,17 @@ if ($snortdownload == 'on') { } else break; } - log_error("Snort MD5 Attempts: " . (4 - $max_tries + 1)); + log_error("[Snort] Snort MD5 Attempts: " . (4 - $max_tries + 1)); + error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) { update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); - log_error(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + log_error(gettext("[Snort] Please wait... You may only check for New Rules every 15 minutes...")); update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); $snortdownload = 'off'; + error_log(gettext("\tSnort VRT md5 download failed. Site may be offline or Oinkcode is not authorized for this level or version.\n"), 3, $snort_rules_upd_log); } else - update_status(gettext("Done downloading snort.org md5")); + update_status(gettext("Done downloading snort.org md5.")); } /* Check if were up to date snort.org */ @@ -104,8 +125,9 @@ if ($snortdownload == 'on') { $md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); $md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}"); if ($md5_check_new == $md5_check_old) { - update_status(gettext("Snort rules are up to date...")); - log_error("Snort rules are up to date..."); + update_status(gettext("Snort VRT rules are up to date...")); + log_error(gettext("[Snort] Snort VRT rules are up to date...")); + error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log); $snortdownload = 'off'; } } 
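Review bot: `log_error("[Snort] Snort MD5 Attempts: " . (4 - $max_tries + 1))` reports five attempts when all four downloads fail, because the loop exits with `$max_tries == 0`; `(4 - max($max_tries, 1) + 1)` caps it at four while still reporting one for a first-try success. The same expression is reused for the rules-file download later in this file and has the same off-by-one. The retry loop itself begins in the previous hunk.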
@@ -113,50 +135,159 @@ if ($snortdownload == 'on') { /* download snortrules file */ if ($snortdownload == 'on') { - update_status(gettext("There is a new set of Snort.org rules posted. Downloading...")); - log_error(gettext("There is a new set of Snort.org rules posted. Downloading...")); + update_status(gettext("There is a new set of Snort VRT rules posted. Downloading...")); + log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of Snort VRT rules posted. Downloading...\n"), 3, $snort_rules_upd_log); $max_tries = 4; while ($max_tries > 0) { - download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}"); - if (300000 > filesize("{$tmpfname}/$snort_filename")){ + download_file_with_progress_bar("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}"); + if (5000 > filesize("{$tmpfname}/{$snort_filename}")){ $max_tries--; if ($max_tries > 0) sleep(30); continue; } else break; - } - update_status(gettext("Done downloading rules file.")); - log_error("Snort Rules Attempts: " . (4 - $max_tries + 1)); - if (300000 > filesize("{$tmpfname}/$snort_filename")){ - update_output_window(gettext("Snort rules file download failed...")); - log_error(gettext("Snort rules file download failed...")); - log_error("Failed Rules Filesize: " . filesize("{$tmpfname}/$snort_filename")); + } + if (filesize("{$tmpfname}/{$snort_filename}") == 0) { + update_output_window(gettext("Snort VRT rules file download failed...")); + log_error(gettext("[Snort] Snort VRT rules file download failed...")); + error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); $snortdownload = 'off'; } + else { + update_status(gettext("Done downloading Snort VRT rules file.")); + log_error("[Snort] Snort VRT Rules Attempts: " . 
(4 - $max_tries + 1)); + error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); + if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){ + update_output_window(gettext("Snort VRT rules file download failed...")); + log_error(gettext("[Snort] Snort VRT rules file download failed...")); + log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_filename}"))); + log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}"))); + error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded Snort VRT file MD5: " . md5_file("{$tmpfname}/{$snort_filename}") . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected Snort VRT file MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}") . "\n"), 3, $snort_rules_upd_log); + $snortdownload = 'off'; + } + } +} + +/* download md5 sig from Snort GPLv2 Community Rules */ +if ($snortcommunityrules == 'on') { + update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file...")); + error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file...\n"), 3, $snort_rules_upd_log); + $image = file_get_contents("{$snort_community_rules_url}{$snort_community_rules_filename_md5}"); + update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); + error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log); + @file_put_contents("{$tmpfname}/{$snort_community_rules_filename_md5}", $image); + + /* See if the file download was successful, and turn off Snort GPLv2 update if it failed. */ + if (0 == filesize("{$tmpfname}/{$snort_community_rules_filename_md5}")){ + update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. 
Community Rules will not be updated.")); + log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); + error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + + if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") { + /* Check if were up to date Snort GPLv2 Community Rules */ + $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"); + $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}"); + if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) { + update_status(gettext("Snort GPLv2 Community Rules are up to date...")); + log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date...")); + error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + } +} + +/* download Snort GPLv2 Community rules file */ +if ($snortcommunityrules == "on") { + update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); + log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log); + download_file_with_progress_bar("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); + + /* Test for a valid rules file download. Turn off Snort Community update if download failed. 
*/ + if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){ + update_output_window(gettext("Snort GPLv2 Community Rules file download failed...")); + log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed...")); + log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}"))); + log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"))); + error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded Snort GPLv2 file MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}") . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected Snort GPLv2 file MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}") . "\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + else { + update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); + log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully"); + error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log); + } +} + +/* Untar Snort GPLv2 Community rules to tmp */ +if ($snortcommunityrules == 'on') { + safe_mkdir("{$snortdir}/tmp/community"); + if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { + update_status(gettext("Extracting Snort GPLv2 Community Rules...")); + error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$snortdir}/tmp/community/"); + + $files = glob("{$snortdir}/tmp/community/community-rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, 
"{$snortdir}/rules/GPLv2_{$newfile}"); + } + /* base etc files for Snort GPLv2 Community rules */ + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}")) + @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/GPLv2_{$file}"); + } + + /* Copy snort community md5 sig to snort dir */ + if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/{$snort_community_rules_filename_md5}", "{$snortdir}/{$snort_community_rules_filename_md5}"); + } + update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); + error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log); + exec("rm -r {$snortdir}/tmp/community"); + } } /* download md5 sig from emergingthreats.net */ if ($emergingthreats == 'on') { - update_status(gettext("Downloading emergingthreats md5 file...")); + update_status(gettext("Downloading EmergingThreats md5 file...")); + error_log(gettext("\tDownloading EmergingThreats md5 file...\n"), 3, $snort_rules_upd_log); /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. 
*/ if ($vrt_enabled == "on") - $image = @file_get_contents("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5"); + $image = @file_get_contents("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}"); else - $image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5"); + $image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}"); - /* XXX: error checking */ + update_status(gettext("Done downloading EmergingThreats md5")); + error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); - update_status(gettext("Done downloading emergingthreats md5")); - if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) { + /* See if the file download was successful, and turn off ET update if it failed. */ + if (0 == filesize("{$tmpfname}/{$emergingthreats_filename_md5}")){ + update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); + log_error(gettext("[Snort] EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); + error_log(gettext("\tEmergingThreats md5 file download failed. 
EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } + + if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { /* Check if were up to date emergingthreats.net */ $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); if ($emerg_md5_check_new == $emerg_md5_check_old) { - update_status(gettext("Emerging threat rules are up to date...")); - log_error(gettext("Emerging threat rules are up to date...")); + update_status(gettext("Emerging Threats rules are up to date...")); + log_error(gettext("[Snort] Emerging Threat rules are up to date...")); + error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } @@ -164,8 +295,9 @@ if ($emergingthreats == 'on') { /* download emergingthreats rules file */ if ($emergingthreats == "on") { - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - log_error(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading...")); + log_error(gettext("[Snort] There is a new set of EmergingThreats rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of EmergingThreats rules posted. Downloading...\n"), 3, $snort_rules_upd_log); /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ if ($vrt_enabled == "on") 
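Review bot: The MD5 comparison added for the VRT and Community tarballs (`trim(file_get_contents(...md5)) != trim(md5_file(...))`) detects a truncated or corrupted download but not a substituted one: the `.md5` is fetched from the same `{$snort_rule_url}` / `{$snort_community_rules_url}` location as the archive, and the EmergingThreats fetches in this hunk are plain `http://`, so whoever can alter the archive in transit can alter the digest alongside it. Document that limitation at the check, e.g. `/* md5 comes from the same unauthenticated source as the tarball: guards against corruption/truncation, not tampering */`, and prefer https for the base URLs if the servers offer it (`$snort_rule_url` and `$snort_community_rules_url` are defined outside this hunk). The same applies to the ET check in hunk `@@ -173,24 +305,31 @@`. Separately, the Community md5 fetch uses a bare `file_get_contents()` with no `@` and no retry loop, unlike the VRT path above it, so a transient failure emits a PHP warning into the page output before the `filesize()` check handles it.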
@@ -173,24 +305,31 @@ if ($emergingthreats == "on") { else download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); - update_status(gettext('Done downloading Emergingthreats rules file.')); - log_error("Emergingthreats rules file update downloaded succsesfully"); + /* Test for a valid rules file download. Turn off ET update if download failed. */ + + if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ + update_output_window(gettext("EmergingThreats rules file download failed...")); + log_error(gettext("[Snort] EmergingThreats rules file download failed...")); + log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); + log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); + error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . 
"\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } + else { + update_status(gettext('Done downloading EmergingThreats rules file.')); + log_error("[Snort] EmergingThreats rules file update downloaded successfully"); + error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); + } } -/* Normalize rulesets */ -$sedcmd = "s/^#alert/# alert/g\n"; -$sedcmd .= "s/^##alert/# alert/g\n"; -$sedcmd .= "s/^#[ \\t#]*alert/# alert/g\n"; -$sedcmd .= "s/^##\\talert/# alert/g\n"; -$sedcmd .= "s/^\\talert/alert/g\n"; -$sedcmd .= "s/^[ \\t]*alert/alert/g\n"; -@file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd); - /* Untar emergingthreats rules to tmp */ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { update_status(gettext("Extracting EmergingThreats.org rules...")); + error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); @@ -199,7 +338,7 @@ if ($emergingthreats == 'on') { @copy($file, "{$snortdir}/rules/{$newfile}"); } /* IP lists for Emerging Threats rules */ - $files = glob("{$snortdir}/tmp/emerging/rules/*.txt"); + $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); @copy($file, "{$snortdir}/rules/{$newfile}"); 
@@ -207,31 +346,33 @@ if ($emergingthreats == 'on') { /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}")) - @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/ET_{$file}"); + @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/tmp/ET_{$file}"); } -// /* make sure default rules are in the right format */ -// exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/emerging*.rules"); - /* Copy emergingthreats md5 sig to snort dir */ - if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - @copy("{$tmpfname}/$emergingthreats_filename_md5", "{$snortdir}/$emergingthreats_filename_md5"); + if (file_exists("{$tmpfname}/{$emergingthreats_filename_md5}")) { + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } update_status(gettext("Extraction of EmergingThreats.org rules completed...")); + error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, $snort_rules_upd_log); + exec("rm -r {$snortdir}/tmp/emerging"); } } /* Untar snort rules file individually to help people with low system specs */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { - if ($pfsense_stable == 'yes') - $freebsd_version_so = 'FreeBSD-7-2'; - else - $freebsd_version_so = 'FreeBSD-8-1'; + + /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */ + /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x */ + $freebsd_version_so = 'FreeBSD-8-1'; + if (substr(php_uname("r"), 0, 1) == '9') + $freebsd_version_so = 'FreeBSD-9-0'; update_status(gettext("Extracting Snort VRT rules...")); - /* extract snort.org rules and add prefix to all 
snort.org files*/ + error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log); + /* extract snort.org rules and add prefix to all snort.org files */ safe_mkdir("{$snortdir}/tmp/snortrules"); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp/snortrules rules/"); $files = glob("{$snortdir}/tmp/snortrules/rules/*.rules"); 
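Review bot: The FreeBSD detection `substr(php_uname("r"), 0, 1) == '9'` only looks at the first character, so any two-digit release (10.x and later) compares as `'1'` and silently falls back to the `FreeBSD-8-1` precompiled shared-object rules, which are then copied into `{$snortlibdir}/dynamicrules/` for Snort to load on a mismatched platform. Comparing the major number is just as short, `if ((int) php_uname("r") >= 9)`, and since the comment above already says only the 8.1 and 9.0 builds exist, an `error_log` line to the update log when the release matches neither would let the operator notice. Also, `exec("rm -r {$snortdir}/tmp/emerging")` is the one removal in this hunk that calls `rm` unqualified; the others use `/bin/rm`.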
@@ -249,151 +390,188 @@ if ($snortdownload == 'on') { /* extract so rules */ update_status(gettext("Extracting Snort VRT Shared Objects rules...")); - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); + exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/"); + error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log); $snort_arch = php_uname("m"); $nosorules = false; if ($snort_arch == 'i386'){ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/* /usr/local/lib/snort/dynamicrules/"); - } else if ($snort_arch == 'amd64') { - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/* /usr/local/lib/snort/dynamicrules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/"); + exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/* {$snortlibdir}/dynamicrules/"); + } elseif ($snort_arch == 'amd64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/"); + exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/* {$snortlibdir}/dynamicrules/"); } else $nosorules = true; exec("rm -r {$snortdir}/tmp/so_rules"); if ($nosorules == false) { - /* extract so rules none bin and rename */ + /* extract so stub rules, rename and copy to the rules folder. 
*/ update_status(gettext("Copying Snort VRT Shared Objects rules...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp --exclude precompiled/ --exclude src/ so_rules/"); $files = glob("{$snortdir}/tmp/so_rules/*.rules"); foreach ($files as $file) { $newfile = basename($file, ".rules"); @copy($file, "{$snortdir}/rules/snort_{$newfile}.so.rules"); } exec("rm -r {$snortdir}/tmp/so_rules"); - - /* extract base etc files */ - update_status(gettext("Extracting Snort VRT base config files...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/"); - foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/etc/{$file}")) - @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/VRT_{$file}"); - } - exec("rm -r {$snortdir}/tmp/etc"); - - /* Untar snort signatures */ - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == 'on') { - update_status(gettext("Extracting Snort VRT Signatures...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - update_status(gettext("Done extracting Signatures.")); - - if (is_dir("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying Snort VRT signatures...")); - exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures"); - update_status(gettext("Done copying signatures.")); - } + } + + /* extract base etc files */ + update_status(gettext("Extracting Snort VRT config and map files...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/"); + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$snortdir}/tmp/etc/{$file}")) + @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/tmp/VRT_{$file}"); + } + exec("rm -r 
{$snortdir}/tmp/etc"); + + /* Untar snort signatures */ + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') { + update_status(gettext("Extracting Snort VRT Signatures...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + + if (is_dir("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying Snort VRT signatures...")); + exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures"); + update_status(gettext("Done copying signatures.")); } + } - foreach (glob("/usr/local/lib/snort/dynamicrules/*example*") as $file) - @unlink($file); - - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} preproc_rules/"); - -// /* make sure default rules are in the right format */ -// exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/snort_*.rules"); + /* Extract the Snort preprocessor rules */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp preproc_rules/"); - if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - update_status(gettext("Copying md5 sig to snort directory...")); - @copy("{$tmpfname}/$snort_filename_md5", "{$snortdir}/$snort_filename_md5"); - } + if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); } - update_status(gettext("Extraction of Snort VRT rules completed...")); + update_status(gettext("Extraction of Snort VRT rules completed...")); + error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log); } } -/* remove old $tmpfname files */ -if (is_dir("{$snortdir}/tmp")) { - update_status(gettext("Cleaning up after rules extraction...")); - exec("/bin/rm -r {$snortdir}/tmp"); -} - function snort_apply_customizations($snortcfg, $if_real) 
{ + global $vrt_enabled; $snortdir = SNORTDIR; + + /* Update the Preprocessor rules for the master configuration and for the interface if Snort VRT rules are in use. */ + if ($vrt_enabled == 'on') { + exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); + $preproc_files = glob("{$snortdir}/tmp/preproc_rules/*.rules"); + foreach ($preproc_files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/preproc_rules/{$newfile}"); + /* Check if customized preprocessor rule protection is enabled for interface before overwriting them. */ + if ($snortcfg['protect_preproc_rules'] <> 'on') + @copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}"); + } + } + else { + exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); + } + snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}"); - /* Copy the master *.config and other *.map files to the interface's directory */ + /* Copy the master config and map files to the interface directory */ @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config"); @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map"); } -if ($snortdownload == 'on' || $emergingthreats == 'on') { +if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') { update_status(gettext('Copying new config and map files...')); + error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log); - /* Determine which base etc file set to use for the master copy. */ - /* If the Snort VRT rules are not enabled, then use Emerging Threats. 
*/ + /* Determine which config and map file set to use for the master copy. */ + /* If the Snort VRT rules are not enabled, then use Emerging Threats. */ if (($vrt_enabled == 'off') && ($et_enabled == 'on')) { - foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/ET_{$file}")) - @rename("{$snortdir}/ET_{$file}", "{$snortdir}/{$file}"); - } + $cfgs = glob("{$snortdir}/tmp/*reference.config"); + $cfgs[] = "{$snortdir}/reference.config"; + snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); + $cfgs = glob("{$snortdir}/tmp/*classification.config"); + $cfgs[] = "{$snortdir}/classification.config"; + snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); } elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) { foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/VRT_{$file}")) - @rename("{$snortdir}/VRT_{$file}", "{$snortdir}/{$file}"); + if (file_exists("{$snortdir}/tmp/VRT_{$file}")) + @copy("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/{$file}"); } } - else { - /* Both VRT and ET rules are enabled, so build combined */ - /* reference.config and classification.config files. */ - $cfgs = glob("{$snortdir}/*reference.config"); - snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); - $cfgs = glob("{$snortdir}/*classification.config"); - snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); + elseif (($vrt_enabled == 'on') && ($et_enabled == 'on')) { + /* Both VRT and ET rules are enabled, so build combined */ + /* reference.config and classification.config files. 
*/ + $cfgs = glob("{$snortdir}/tmp/*reference.config"); + $cfgs[] = "{$snortdir}/reference.config"; + snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); + $cfgs = glob("{$snortdir}/tmp/*classification.config"); + $cfgs[] = "{$snortdir}/classification.config"; + snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); + /* Use the unicode.map and gen-msg.map files from VRT rules. */ + if (file_exists("{$snortdir}/tmp/VRT_unicode.map")) + @copy("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/unicode.map"); + if (file_exists("{$snortdir}/tmp/VRT_gen-msg.map")) + @copy("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/gen-msg.map"); } - /* Clean-up our temp versions of the config and map files. */ - update_status(gettext('Cleaning up temp files...')); - $cfgs = glob("{$snortdir}/??*_*.config"); - foreach ($cfgs as $file) { - if (file_exists($file)) - @unlink($file); - } - $cfgs = glob("{$snortdir}/??*_*.map"); - foreach ($cfgs as $file) { - if (file_exists($file)) - @unlink($file); - } - - /* Start the proccess for each configured interface */ + /* Start the rules rebuild proccess for each configured interface */ if (is_array($config['installedpackages']['snortglobal']['rule'])) { - foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { - /* Create configuration for each active Snort interface */ + /* Set the flag to force rule rebuilds since we downloaded new rules, */ + /* except when in post-install mode. Post-install does its own rebuild. */ + if ($is_postinstall) + $rebuild_rules = 'off'; + else + $rebuild_rules = 'on'; + + /* Create configuration for each active Snort interface */ + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { $if_real = snort_get_real_interface($value['interface']); $tmp = "Updating rules configuration for: " . snort_get_friendly_interface($value['interface']) . 
" ..."; update_status(gettext($tmp)); - log_error($tmp); snort_apply_customizations($value, $if_real); + + /* Log a message in Update Log if protecting customized preprocessor rules. */ + $tmp = "\t" . $tmp . "\n"; + if ($value['protect_preproc_rules'] == 'on') { + $tmp .= gettext("\tPreprocessor text rules flagged as protected and not updated for "); + $tmp .= snort_get_friendly_interface($value['interface']) . "...\n"; + } + error_log($tmp, 3, $snort_rules_upd_log); } } - update_status(gettext('Restarting Snort to activate the new set of rules...')); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh restart"); - sleep(20); - if (!is_process_running("snort")) - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); - update_output_window(gettext("Snort has restarted with your new set of rules...")); - log_error("Snort has restarted with your new set of rules..."); + else { + update_output_window(gettext("Warning: No interfaces configured for Snort were found...")); + error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, $snort_rules_upd_log); + } + + /* Clear the rebuild rules flag. */ + $rebuild_rules = 'off'; + + /* remove old $tmpfname files */ + if (is_dir("{$snortdir}/tmp")) { + update_status(gettext("Cleaning up after rules extraction...")); + exec("/bin/rm -r {$snortdir}/tmp"); + } + + /* Restart snort if already running to pick up the new rules. 
*/ + if (is_process_running("snort")) { + update_status(gettext('Restarting Snort to activate the new set of rules...')); + error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log); + restart_service("snort"); + update_output_window(gettext("Snort has restarted with your new set of rules...")); + log_error(gettext("[Snort] Snort has restarted with your new set of rules...")); + error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, $snort_rules_upd_log); + } } update_status(gettext("The Rules update has finished...")); -log_error("The Rules update has finished..."); +log_error(gettext("[Snort] The Rules update has finished.")); +error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log); conf_mount_ro(); ?> diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 4085b325..b1d71631 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -33,7 +33,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; $id = $_GET['id']; if (isset($_POST['id'])) @@ -126,7 +126,9 @@ if ($_POST) { write_config(); - sync_snort_package_config(); + /* Update the snort conf file for this interface. */ + $rebuild_rules = "off"; + snort_generate_conf($a_nat[$id]); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 0c879e44..36319977 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php 
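Review bot: After `restart_service("snort")` the new code logs "Snort has restarted with your new set of rules" to both `log_error` and the update log without checking that Snort is actually running again, whereas the removed code waited and re-checked `is_process_running("snort")` and started it if the restart had failed; a rules update that leaves Snort down (a rule the binary rejects, for instance) is now recorded as a success in the one log an operator reads for exactly that. Gate the two success messages on `if (is_process_running("snort"))` and otherwise write a `[Snort] Snort failed to restart after the rules update` line to both logs; `restart_service()`'s blocking behaviour is not visible here, so the removed code's short wait before the check may still be needed. Two smaller points in the same hunk: the signatures branch tests `$premium_url_chk`, which is never assigned in the hunk (the line before it assigns `$signature_info_chk`), so unless it is set elsewhere in the file the signature extraction never runs. And `snort_apply_customizations()` uses `<>` for the `protect_preproc_rules` test while the interface loop below uses `== 'on'`; `!= 'on'` reads consistently.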
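Review bot: The new `snort_generate_conf($a_nat[$id])` call indexes `$a_nat` with `$id`, which the context line shows comes straight from `$_GET['id']` (or `$_POST['id']`); if nothing between the two hunks (not visible here) checks that `$id` is numeric and that `$a_nat[$id]` exists, a stale or hand-edited id passes `null` into the conf generator after `write_config()` has already run. A guard such as `if (!isset($a_nat[$id])) { /* reject the request */ }` before the save block keeps the generator from running on an empty rule entry.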
@@ -36,16 +36,18 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $snort_rules_upd_log, $snort_rules_file, $emergingthreats_filename; $snortdir = SNORTDIR; -$snort_upd_log = "/tmp/snort_update.log"; + +$log = $snort_rules_upd_log; /* load only javascript that is needed */ $snort_load_jquery = 'yes'; $snort_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; /* quick md5s chk */ $snort_org_sig_chk_local = 'N/A'; 
@@ -53,13 +55,28 @@ if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) $snort_org_sig_chk_local = file_get_contents("{$snortdir}/{$snort_rules_file}.md5"); $emergingt_net_sig_chk_local = 'N/A'; -if (file_exists("{$snortdir}/emerging.rules.tar.gz.md5")) - $emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/emerging.rules.tar.gz.md5"); +if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5")) + $emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/{$emergingthreats_filename}.md5"); + +$snort_community_sig_chk_local = 'N/A'; +if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5")) + $snort_community_sig_chk_local = file_get_contents("{$snortdir}/{$snort_community_rules_filename}.md5"); + +/* Check for postback to see if we should clear the update log file. */ +if (isset($_POST['clear'])) { + if (file_exists("{$snort_rules_upd_log}")) + mwexec("/bin/rm -f {$snort_rules_upd_log}"); +} + +if (isset($_POST['update'])) { + header("Location: /snort/snort_download_rules.php"); + exit; +} /* check for logfile */ -$update_logfile_chk = 'no'; -if (file_exists("{$snort_upd_log}")) - $update_logfile_chk = 'yes'; +$snort_rules_upd_logfile_chk = 'no'; +if (file_exists("{$snort_rules_upd_log}")) + $snort_rules_upd_logfile_chk = 'yes'; $pgtitle = "Services: Snort: Updates"; include_once("head.inc"); 
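Review bot: The clear handler shells out with `mwexec("/bin/rm -f {$snort_rules_upd_log}")` to delete a file whose path is a package global; `unlink($snort_rules_upd_log)` does the same in-process, avoids building a command string at all, and returns a result the page could act on. The `update` branch only redirects to `snort_download_rules.php`, so the new form submit changes how the page is reached while the update itself still runs on a plain GET of that script; if the intent was to make the update a POST-only action, the check belongs in snort_download_rules.php. Whether the CSRF handling in guiconfig.inc covers this page depends on `$nocsrf`, which is outside the hunk.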
@@ -78,12 +95,30 @@ function popup(url) params += ', top=0, left=0' params += ', fullscreen=yes'; - newwin=window.open(url,'windowname4', params); + newwin=window.open(url,'LogViewer', params); if (window.focus) {newwin.focus()} return false; } + +function wopen(url, name, w, h) +{ +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. +w += 32; +h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + </script> +<form action="snort_download_updates.php" method="post" name="iform" id="iform"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php @@ -101,8 +136,7 @@ function popup(url) <tr> <td> <div id="mainarea3"> - <table id="maintable4" class="tabcont" width="100%" border="0" - cellpadding="0" cellspacing="0"> + <table id="maintable4" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr align="center"> <td> <br/> 
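Review bot: `wopen()` dereferences the result of `window.open()` unconditionally; when a popup blocker refuses the window, `win` is `null` and `win.resizeTo(w, h)` throws, aborting the click handler. Guard it: `if (win) { win.resizeTo(w, h); win.focus(); }`. The two `w += 32; h += 96;` lines are also indented differently from the rest of the function.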
@@ -112,14 +146,15 @@ function popup(url) <td id="download_rules_td" style="background-color: #eeeeee"> <div height="32" width="725px" style="background-color: #eeeeee"> - <font color="#777777" size="1.5px"> + <font color="#777777" size="2.5px"> <p style="text-align: left; margin-left: 225px;"> - <b><?php echo gettext("INSTALLED SIGNATURE RULESET"); ?></b></font><br> - <br> - <font color="#FF850A" size="1px"><b>SNORT.ORG >>></b></font> + <b><?php echo gettext("INSTALLED RULESET SIGNATURES"); ?></b></font><br/> + <font color="#FF850A" size="1px"><b>SNORT.ORG --></b></font> <font size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br> - <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET >>></b></font> + <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET --></b></font> <font size="1px" color="#000000"> <? echo $emergingt_net_sig_chk_local; ?></font><br> + <font color="#FF850A" size="1px"><b>SNORT GPLv2 COMMUNITY RULES --></b></font> + <font size="1px" color="#000000"> <? echo $snort_community_sig_chk_local; ?></font><br> </p> </div> </td> 
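Review bot: The new `<? echo $snort_community_sig_chk_local; ?>` prints the contents of a `.md5` file that was downloaded from a remote server straight into the page without escaping, exactly as the two existing SNORT.ORG / EMERGINGTHREATS lines do. A checksum file should hold a hex string, but nothing on this page verifies that, so the output should be `<?=htmlspecialchars($snort_community_sig_chk_local);?>` (and the same for the two neighbouring values). The short open tag `<?` also differs from the `<?php echo` used elsewhere in this block.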
@@ -133,22 +168,23 @@ function popup(url) <div height="32" width="725px" style='background-color: #eeeeee'> <p style="text-align: left; margin-left: 225px;"> - <font color='#777777' size='1.5px'><b><?php echo gettext("UPDATE YOUR RULES"); ?></b></font><br> + <font color='#777777' size='2.5px'><b><?php echo gettext("UPDATE YOUR RULESET"); ?></b></font><br> <br/> <?php if ($snortdownload != 'on' && $emergingthreats != 'on') { echo ' - <button disabled="disabled"><span class="download">' . gettext("Update Rules") . ' </span></button><br/> + <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '</span></button><br/> <p style="text-align:left; margin-left:150px;"> - <font color="#fc3608" size="2px"><b>' . gettext("WARNING:") . '</b></font><font size="1px" color="#000000"> ' . gettext('No rule types have been selected for download. "Global Settings Tab"') . '</font><br>'; + <font color="#fc3608" size="2px"><b>' . gettext("WARNING:") . '</b></font><font size="1px" color="#000000"> ' . gettext('No rule types have been selected for download. ') . + gettext('Visit the ') . '<a href="snort_interfaces_global.php">Global Settings Tab</a>' . gettext(' to select rule types.') . '</font><br>'; echo '</p>' . "\n"; } else { echo ' - <a href="/snort/snort_download_rules.php"><button ><span class="download">' . gettext("Update Rules") . ' </span></button></a><br/>' . "\n"; + <input type="submit" value="' . gettext("Update Rules") . '" name="update" id="Submit" class="formbtn" /><br/>' . "\n"; } 
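Review bot: The guard `if ($snortdownload != 'on' && $emergingthreats != 'on')` does not consider `$snortcommunityrules`, which this commit reads from the config at the top of the file, so a user who selects only the community ruleset still sees the disabled button and the "No rule types have been selected" warning. Extend it to `if ($snortdownload != 'on' && $emergingthreats != 'on' && $snortcommunityrules != 'on') {`. The warning text is now assembled from three separate `gettext()` fragments around the link, which cannot be translated as one sentence; the `printf(gettext("... %s...%s ..."), '<a href="snort_interfaces_global.php">', '</a>')` form this commit uses in snort_interfaces_global.php keeps it in a single string.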
@@ -166,19 +202,19 @@ function popup(url) <div height="32" width="725px" style='background-color: #eeeeee'> <p style="text-align: left; margin-left: 225px;"> - <font color='#777777' size='1.5px'><b><?php echo gettext("VIEW UPDATE LOG"); ?></b></font><br> + <font color='#777777' size='2.5px'><b><?php echo gettext("VIEW UPDATE LOG"); ?></b></font><br> <br> - <?php - if ($update_logfile_chk == 'yes') { + if ($snort_rules_upd_logfile_chk == 'yes') { echo " - <button href='/snort/snort_rules_edit.php?openruleset={$snort_upd_log}'><span class='pwhitetxt'>" . gettext("Update Log") . " </span></button>\n"; + <button class=\"formbtn\" onclick=\"wopen('snort_log_view.php?logfile={$log}', 'LogViewer', 800, 600)\"><span class='pwhitetxt'>" . gettext("View Log") . "</span></button>"; + echo " <input type=\"submit\" value=\"Clear Log\" name=\"clear\" id=\"Submit\" class=\"formbtn\" />\n"; }else{ echo " - <button disabled='disabled' href='/snort/snort_rules_edit.php?openruleset={$snort_upd_log}'><span class='pwhitetxt'>" . gettext("Update Log") . " </span></button>\n"; + <button disabled='disabled'><span class='pwhitetxt'>" . gettext("View Log") . "</span></button> " . gettext("Log is empty.") . "\n"; } - + echo '<br><br>' . gettext("The log file is limited to 1024K in size and automatically clears when the limit is exceeded."); ?> <br/> </p> @@ -194,8 +230,8 @@ function popup(url) <tr> <td id="download_rules_td" style='background-color: #eeeeee'> <div height="32" width="725px" style='background-color: #eeeeee'> - <font color='#FF850A' size='1px'><b><?php echo gettext("NOTE:"); ?></b></font><font size='1px' - color='#000000'> <?php echo gettext("Snort.org and Emergingthreats.net " . + <font size='1px'><span class="red"><b><?php echo gettext("NOTE:"); ?></b></span></font><font size='1px' + color='#000000'> <?php echo gettext("Snort.org and EmergingThreats.net " . "will go down from time to time. Please be patient."); ?> </font> </div> 
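Review bot: The new View Log `<button>` sits inside the `iform` form this commit adds earlier in the file and has no `type` attribute, so browsers treat it as a submit button: clicking it opens the viewer and also POSTs the form back to this page. Give it `type="button"`. Both submit inputs on the page now carry `id="Submit"`, which is a duplicate id. The viewer is opened as `snort_log_view.php?logfile={$log}`; the value is a package global here, but the receiving script (not in this chunk) is where `logfile` has to be restricted to the Snort log paths, since that parameter arrives from the query string.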
@@ -207,16 +243,12 @@ function popup(url) </tr> </table> </div> - - - - - <br> </td> </tr> </table> <!-- end of final table --></div> + </form> <?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index e8e690a8..e96be262 100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -28,11 +28,17 @@ * POSSIBILITY OF SUCH DAMAGE. */ +// Turn on buffering to speed up rendering +ini_set('output_buffering','true'); + +// Start buffering with a cache size of 100000 +ob_start(null, "1000"); + $nocsrf = true; require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; $snortdir = SNORTDIR; @@ -61,10 +67,14 @@ if (isset($_POST['del_x'])) { } conf_mount_ro(); + /* If all the Snort interfaces are removed, then unset the config array. */ + if (empty($a_nat)) + unset($a_nat); + write_config(); sleep(2); - /* if there are no ifaces do not create snort.sh */ + /* if there are no ifaces remaining do not create snort.sh */ if (!empty($config['installedpackages']['snortglobal']['rule'])) snort_create_rc(); else { @@ -93,11 +103,11 @@ if ($_GET['act'] == 'bartoggle' && is_numeric($id)) { $if_friendly = snort_get_friendly_interface($snortcfg['interface']); if (snort_is_running($snortcfg['uuid'], $if_real, 'barnyard2') == 'no') { - log_error("Toggle(barnyard starting) for {$if_friendly}({$snortcfg['descr']}}..."); + log_error("Toggle (barnyard starting) for {$if_friendly}({$snortcfg['descr']})..."); sync_snort_package_config(); snort_barnyard_start($snortcfg, $if_real); } else { - log_error("Toggle(barnyard stopping) for {$if_friendly}({$snortcfg['descr']}}..."); + log_error("Toggle (barnyard stopping) for {$if_friendly}({$snortcfg['descr']})..."); snort_barnyard_stop($snortcfg, $if_real); } 
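Review bot: `ini_set('output_buffering','true')` has no effect at this point: `output_buffering` is a PHP_INI_PERDIR setting and cannot be changed from a running script, so only the following `ob_start()` call does anything. That call, `ob_start(null, "1000")`, also disagrees with its own comment ("cache size of 100000"), and the chunk-size parameter is an int; settle on one value, e.g. `ob_start(null, 100000);`, and drop the ineffective `ini_set`. In the `@@ -61` hunk, `unset($a_nat)` removes the local variable; whether that also clears the `rule` entry in `$config` depends on how `$a_nat` was bound, which is outside the hunk, and the `!empty($config['installedpackages']['snortglobal']['rule'])` test that follows is what actually decides.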
@@ -113,7 +123,7 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { $if_friendly = snort_get_friendly_interface($snortcfg['interface']); if (snort_is_running($snortcfg['uuid'], $if_real) == 'yes') { - log_error("Toggle(snort stopping) for {$if_friendly}({$snortcfg['descr']})..."); + log_error("Toggle (snort stopping) for {$if_friendly}({$snortcfg['descr']})..."); snort_stop($snortcfg, $if_real); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -122,8 +132,12 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); } else { - log_error("Toggle(snort starting) for {$if_friendly}({$snortcfg['descr']})..."); + log_error("Toggle (snort starting) for {$if_friendly}({$snortcfg['descr']})..."); + + /* set flag to rebuild interface rules before starting Snort */ + $rebuild_rules = "on"; sync_snort_package_config(); + $rebuild_rules = "off"; snort_start($snortcfg, $if_real); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -190,10 +204,9 @@ if ($pfsense_stable == 'yes') <tr> <td> <div id="mainarea2"> - <table class="tabcont" width="100%" border="0" cellpadding="0" - cellspacing="0"> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr id="frheader"> - <td width="5%" class="list"> </td> + <td width="3%" class="list"> </td> <td width="10%" class="listhdrr"><?php echo gettext("If"); ?></td> <td width="13%" class="listhdrr"><?php echo gettext("Snort"); ?></td> <td width="10%" class="listhdrr"><?php echo gettext("Performance"); ?></td> 
@@ -201,18 +214,26 @@ if ($pfsense_stable == 'yes') <td width="12%" class="listhdrr"><?php echo gettext("Barnyard2"); ?></td> <td width="30%" class="listhdr"><?php echo gettext("Description"); ?></td> <td width="3%" class="list"> - <table border="0" cellspacing="0" cellpadding="1"> + <table border="0" cellspacing="0" cellpadding="0"> <tr> - <td width="17"></td> - <td><a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"><img + <td></td> + <td align="center" valign="middle"><a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="<?php echo gettext('add interface');?>"></a></td> </tr> </table> </td> </tr> -<?php $nnats = $i = 0; foreach ($a_nat as $natent): ?> -<tr valign="top" id="fr<?=$nnats;?>"> +<?php $nnats = $i = 0; +/* If no interfaces are defined, then turn off the "no rules" warning */ +$no_rules_footnote = false; +if ($id_gen == 0) + $no_rules = false; +else + $no_rules = true; + +foreach ($a_nat as $natent): ?> + <tr valign="top" id="fr<?=$nnats;?>"> <?php /* convert fake interfaces to real and check if iface is up */ 
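Review bot: The `$no_rules` initialisation before the loop (`if ($id_gen == 0) $no_rules = false; else $no_rules = true;`) is dead: the `@@ -228` hunk sets `$no_rules = true;` as the first statement of every iteration, and when there are no interfaces the loop body never runs and `$no_rules_footnote` stays `false` anyway. Only `$no_rules_footnote = false;` is needed here. The comment above it ("turn off the 'no rules' warning") describes the footnote flag rather than `$no_rules`.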
@@ -228,9 +249,23 @@ if ($pfsense_stable == 'yes') else $biconfn = 'block'; - ?> + /* See if interface has any rules defined and set boolean flag */ + $no_rules = true; + if (isset($natent['customrules']) && !empty($natent['customrules'])) + $no_rules = false; + if (isset($natent['rulesets']) && !empty($natent['rulesets'])) + $no_rules = false; + if (isset($natent['ips_policy']) && !empty($natent['ips_policy'])) + $no_rules = false; + /* Do not display the "no rules" warning if interface disabled */ + if ($natent['enable'] == "off") + $no_rules = false; + if ($no_rules) + $no_rules_footnote = true; +?> <td class="listt"> - <input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0;"></td> + <input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0;"> + </td> <td class="listr" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> @@ -249,6 +284,7 @@ if ($pfsense_stable == 'yes') <img src='../themes/{$g['theme']}/images/icons/icon_{$iconfn}.gif' width='13' height='13' border='0' title='" . gettext('click to toggle start/stop snort') . "'></a>"; + echo ($no_rules) ? " <img src=\"../themes/{$g['theme']}/images/icons/icon_frmfld_imp.png\" width=\"15\" height=\"15\" border=\"0\">" : ""; } else echo strtoupper("disabled"); ?> @@ -263,7 +299,8 @@ if ($pfsense_stable == 'yes') }else{ $check_performance = "lowmem"; } - ?> <?=strtoupper($check_performance);?></td> + ?> <?=strtoupper($check_performance);?> + </td> <td class="listr" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> 
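Review bot: The disabled-interface test `if ($natent['enable'] == "off")` differs from the test this same commit uses for the field in snort_interfaces_edit.php (`if ($natent['enable'] != 'on')`); an entry whose `enable` key is missing or empty counts as disabled there but still gets the "no rules" marker here. Use `if ($natent['enable'] != 'on')` for consistency. The three `isset($x) && !empty($x)` pairs are redundant, since `empty()` already handles an unset key; `if (!empty($natent['customrules']))` is enough.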
@@ -275,7 +312,8 @@ if ($pfsense_stable == 'yes') } else { $check_blockoffenders = disabled; } - ?> <?=strtoupper($check_blockoffenders);?></td> + ?> <?=strtoupper($check_blockoffenders);?> + </td> <td class="listr" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> 
@@ -293,33 +331,40 @@ if ($pfsense_stable == 'yes') </td> <td class="listbg" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> - <font color="#ffffff"> <?=htmlspecialchars($natent['descr']);?> + <font color="#ffffff"> <?=htmlspecialchars($natent['descr']);?> </td> <td valign="middle" class="list" nowrap> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img - src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" - width="17" height="17" border="0" title="<?php echo gettext('edit interface'); ?>"></a></td> - </tr> - </table> - - </tr> + <table border="0" cellspacing="0" cellpadding="0"> + <tr> + <td><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img + src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?php echo gettext('edit interface'); ?>"></a> + </td> + </tr> + </table> + </td> + </tr> <?php $i++; $nnats++; endforeach; ?> <tr> - <td class="list" colspan="8"></td> + <td class="list"></td> + <td class="list" colspan="6"> + <?php if ($no_rules_footnote): ?><br><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_frmfld_imp.png" width="15" height="15" border="0"> + <span class="red">   <?php echo gettext("WARNING: Marked interface currently has no rules defined for Snort"); ?></span> + <?php else: ?> + <?php endif; ?> + </td> <td class="list" valign="middle" nowrap> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><?php if ($nnats == 0): ?><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" - width="17" height="17" title="<?php echo gettext("delete selected interface"); ?>" border="0"><?php else: ?><input - name="del" type="image" - src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" - width="17" height="17" title="<?php echo gettext("delete selected interface"); ?>" - onclick="return confirm('Do you really want to delete the selected Snort mapping?')"><?php endif; ?></td> - 
</tr> - </table> + <table border="0" cellspacing="0" cellpadding="0"> + <tr> + <td><?php if ($nnats == 0): ?><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" + width="17" height="17" title="<?php echo gettext("delete selected interface"); ?>" border="0"><?php else: ?> + <input name="del" type="image" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" title="<?php echo gettext("delete selected interface"); ?>" + onclick="return confirm('Do you really want to delete the selected Snort mapping?')"><?php endif; ?></td> + </tr> + </table> </td> </tr> </table> 
@@ -332,46 +377,59 @@ if ($pfsense_stable == 'yes') <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> - <div id="mainarea4"> - <table class="tabcont" width="100%" border="0" cellpadding="0" - cellspacing="0"> - <tr id="frheader"> - <td width="100%"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <br> - <?php echo gettext('This is the <strong>Snort Menu</strong> where you can see an over ' . - 'view of all your interface settings. <br> ' . - 'Please edit the <strong>Global Settings</strong> tab before adding ' . - 'an interface.'); ?> <br> - <br> - <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <br> - <strong><?php echo gettext("New settings will not take effect until interface restart."); ?></strong> - <br> - <br> - <strong>Click</strong> on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" - width="17" height="17" border="0" title="<?php echo gettext("Add Icon"); ?>"> icon to add a - interface.<strong> Click</strong> - on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" - width="13" height="13" border="0" title="<?php echo gettext("Start Icon"); ?>"> icon to <strong>start</strong> - snort and barnyard2. <br> - <strong>Click</strong> on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" - width="17" height="17" border="0" title="<?php echo gettext("Edit Icon"); ?>"> icon to edit a - interface and settings.<strong> Click</strong> - on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" - width="13" height="13" border="0" title="<?php echo gettext("Stop Icon"); ?>"> icon to <strong>stop</strong> - snort and barnyard2. 
<br> - <strong> Click</strong> on the <img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" - width="17" height="17" border="0" title="<?php echo gettext("Delete Icon"); ?>"> icon to - delete a interface and settings.</td> - </tr> - </table> - </div> - + <table class="tabcont" width="100%" border="0" cellpadding="1" cellspacing="1"> + <tr> + <td colspan="3"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <br> + <?php echo gettext('This is the <strong>Snort Menu</strong> where you can see an over ' . + 'view of all your interface settings. ' . + 'Please visit the <strong>Global Settings</strong> tab before adding ' . 'an interface.'); ?> + </td> + </tr> + <tr> + <td colspan="3"><br> + </td> + </tr> + <tr> + <td colspan="3"><span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span><br> + <strong><?php echo gettext("New settings will not take effect until interface restart."); ?></strong> + </td> + </tr> + <tr> + <td colspan="3"><br> + </td> + </tr> + <tr> + <td><strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="<?php echo gettext("Add Icon"); ?>"> icon to add + an interface. + </td> + <td width="3%"> + </td> + <td><strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" + width="13" height="13" border="0" title="<?php echo gettext("Start Icon"); ?>"> icon to <strong>start</strong> + snort and barnyard2. + </td> + </tr> + <tr> + <td><strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?php echo gettext("Edit Icon"); ?>"> icon to edit + an interface and settings. 
+ <td width="3%"> + </td> + <td><strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" + width="13" height="13" border="0" title="<?php echo gettext("Stop Icon"); ?>"> icon to <strong>stop</strong> + snort and barnyard2. + </td> + </tr> + <tr> + <td colspan="3"><strong> Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" border="0" title="<?php echo gettext("Delete Icon"); ?>"> icon to + delete an interface and settings. + </td> + </tr> + </table> + </td> </tr> - </td> </table> </form> <?php diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index d0fabbf4..8d7b9c06 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -31,7 +31,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); @@ -50,10 +50,15 @@ if (is_null($id)) { } $pconfig = array(); -if (empty($snortglob['rule'][$id]['uuid'])) +if (empty($snortglob['rule'][$id]['uuid'])) { + /* Adding new interface, so flag rules to build. */ $pconfig['uuid'] = snort_generate_id(); -else + $rebuild_rules = "on"; +} +else { $pconfig['uuid'] = $a_rule[$id]['uuid']; + $rebuild_rules = "off"; +} $snort_uuid = $pconfig['uuid']; if (isset($id) && $a_rule[$id]) { @@ -77,14 +82,6 @@ if ($_POST["Submit"]) { if (!$_POST['interface']) $input_errors[] = "Interface is mandatory"; -/* - foreach ($a_rule as $natent) { - if (isset($id) && ($a_rule[$id]) && ($a_rule[$id] === $natent)) - continue; - if ($natent['interface'] == $_POST['interface']) - $input_errors[] = "This interface is already configured for another instance"; - } -*/ /* if no errors write to conf */ if (!$input_errors) { 
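Review bot: The "edit" help cell is never closed: after `an interface and settings.` the next line starts the `<td width="3%">` spacer, whereas the matching "add" cell in the row above ends with `</td>`. Browsers recover from this, but add the `</td>` so the table is well-formed.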
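Review bot: The `$rebuild_rules = "on"` set here for a new interface is overridden before it is used: the `@@ -118` hunk of the same file sets `$rebuild_rules = "off"` unconditionally right before `sync_snort_package_config()` in the POST handler, and the uuid check at the top runs on that same request. Unless something between the two points consumes the flag, a freshly added interface is saved without its rules being built, contrary to the comment "Adding new interface, so flag rules to build." One fix is to keep the decision, e.g. `$new_interface = empty($snortglob['rule'][$id]['uuid']);` at the top and `$rebuild_rules = $new_interface ? "on" : "off";` before the sync call. The POST handler's enclosing block starts outside the hunk.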
@@ -118,9 +115,17 @@ if ($_POST["Submit"]) { } else $a_rule[] = $natent; + /* If Snort is disabled on this interface, stop any running instance */ if ($natent['enable'] != 'on') snort_stop($natent, $if_real); + + /* Save configuration changes */ write_config(); + + /* Most changes don't require a rules rebuild, so default to "off" */ + $rebuild_rules = "off"; + + /* Update snort.conf and snort.sh files for this interface */ sync_snort_package_config(); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 9dde8aaf..3c544436 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -50,6 +50,10 @@ $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortlo $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; $pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; $pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings']; +$pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules']; + +if (empty($pconfig['snortloglimit'])) + $pconfig['snortloglimit'] = 'on'; /* if no errors move foward */ if (!$input_errors) { 
@@ -58,7 +62,9 @@ if (!$input_errors) { $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; + $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; if ($_POST['snortloglimitsize']) { $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit']; @@ -110,6 +116,20 @@ if ($input_errors) ?> +<script language="JavaScript"> +<!-- +function enable_snort_vrt(btn) { + if (btn == 'off') { + document.iform.oinkmastercode.disabled = "true"; + } + if (btn == 'on') { + document.iform.oinkmastercode.disabled = ""; + } +} +//--> +</script> + + <form action="snort_interfaces_global.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> @@ -124,7 +144,8 @@ if ($input_errors) $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); display_top_tabs($tab_array); ?> -</td></tr> +</td> +</tr> <tr> <td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> 
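Review bot: `$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];` stores the submitted value verbatim, while the neighbouring `snortcommunityrules` and `emergingthreats` lines normalise their input to 'on'/'off'. The field is chosen from a select on this page (the "Remove blocked hosts" row, cut off at the end of this chunk), so validate it against that fixed set of options before writing config.xml, adding an `$input_errors[]` entry when it is not one of them. What consumes `rm_blocked` later is not in this diff, which is exactly why the check belongs here at the input boundary.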
@@ -132,55 +153,69 @@ if ($input_errors) <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The " . "Type Of Rules You Wish To Download"); ?></td> </tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Install Snort.org rules"); ?></td> + <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort VRT%s rules"), '<strong>' , '</strong>'); ?></td> <td width="78%" class="vtable"> - <table cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td colspan="2"><input name="snortdownload" type="radio" - id="snortdownload" value="off" -<?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?>> - <?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></td> + <td><input name="snortdownload" type="radio" id="snortdownload" value="off" onclick="enable_snort_vrt('off')" + <?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?> > </td> + <td><span class="vexpl"><?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></span></td> </tr> <tr> - <td colspan="2"><input name="snortdownload" type="radio" - id="snortdownload" value="on" - <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>> <?php echo gettext("Install " . - "Basic Rules or Premium rules"); ?> <br> - <a - href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a " . - "Basic Rule Account"); ?></a><br> - <a - href="http://www.snort.org/vrt/buy-a-subscription" - target="_blank"><?php echo gettext("Sign Up for Sourcefire VRT Certified Premium " . - "Rules. 
This Is Highly Recommended"); ?></a></td> - </tr> + <td><input name="snortdownload" type="radio" id="snortdownload" value="on" onclick="enable_snort_vrt('on')" + <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td> + <td><span class="vexpl"><?php echo gettext("Install Basic Rules or Premium rules"); ?></span></td> <tr> <td> </td> + <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a Basic Rule Account"); ?> </a><br> + <a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank"> + <?php echo gettext("Sign Up for Sourcefire VRT Certified Premium Rules. This Is Highly Recommended"); ?></a></td> </tr> - </table> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="optsect_t2"><?php echo gettext("Oinkmaster code"); ?></td> + <td colspan="2"> </td> </tr> + </table> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td class="vncell" valign="top"><?php echo gettext("Code"); ?></td> - <td class="vtable"><input name="oinkmastercode" type="text" + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Oinkmaster Configuration"); ?></span></b></td> + </tr> + <tr> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code"); ?><strong></span</td> + <td><input name="oinkmastercode" type="text" class="formfld" id="oinkmastercode" size="52" - value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br> - <?php echo gettext("Obtain a snort.org Oinkmaster code and paste here."); ?></td> - + value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" + <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br> + <?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td> + </tr> </table> - </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmergingthreats%s " . 
+ <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " . + "rules"), '<strong>' , '</strong>'); ?></td> + <td width="78%" class="vtable"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td> + <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . + "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?> + <br/><br/><?php printf(gettext("%sNote: %sIf you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the Snort VRT rules, and there is no benefit in adding this rule set."),'<span class="red"><strong>' ,'</strong></span>'); ?></span><br></td> + </tr> + </table></td> +</tr> +<tr> + <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmerging Threats%s " . "rules"), '<strong>' , '</strong>'); ?></td> - <td width="78%" class="vtable"><input name="emergingthreats" - type="checkbox" value="yes" - <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?> - ><br> - <?php echo gettext("Emerging Threats is an open source community that produces fastest " . - "moving and diverse Snort Rules."); ?></td> + <td width="78%" class="vtable"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>> + <td><span class="vexpl"><?php echo gettext("Emerging Threats is an open source community that produces fast " . 
+ "moving and diverse Snort Rules."); ?></span></td> + </tr> + </table> + </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Update rules " . @@ -194,9 +229,9 @@ if ($input_errors) <?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?>> <?=htmlspecialchars($ifacename3);?></option> <?php endforeach; ?> - </select><br> - <span class="vexpl"><?php echo gettext("Please select the update times for rules."); ?><br> - <?php echo gettext("Hint: in most cases, every 12 hours is a good choice."); ?></span></td> + </select><span class="vexpl"> <?php echo gettext("Please select the update times for rules."); ?><br/><br/> + + <?php printf(gettext("%sHint%s: in most cases, every 12 hours is a good choice."), '<span class="red"><strong>','</strong></span>'); ?></span></td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td> 
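Review bot: Disabling the Oinkmaster input when Snort VRT rules are off (`<?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>` plus `enable_snort_vrt('off')`) means the browser omits it from the POST, and the handler in the `@@ -58` hunk then writes the now-unset `$_POST['oinkmastercode']` into the config, wiping a stored code whenever Global Settings is saved with VRT rules off. Use `readonly` instead of `disabled`, or keep the existing value server-side when the field is absent: `if (isset($_POST['oinkmastercode'])) $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];`. The "Code" label markup is broken: `<strong><?php echo gettext("Code"); ?><strong></span</td>` should read `<strong><?php echo gettext("Code"); ?></strong></span></td>`. The new community-rules checkbox reads `$config[...]['snortcommunityrules']` directly instead of the `$pconfig['snortcommunityrules']` this commit populates, so after a rejected submit it shows the saved rather than the submitted state.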
@@ -209,40 +244,32 @@ if ($input_errors) <br/> <br/> <span class="red"><strong><?php echo gettext("Note"); ?></span>:</strong><br> - <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?>MB</strong></td> + <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?> MB</strong></td> <td width="78%" class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td colspan="2"><input name="snortloglimit" type="radio" - id="snortloglimit" value="on" -<?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>> - <strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</td> - </tr> - <tr> - <td colspan="2"><input name="snortloglimit" type="radio" - id="snortloglimit" value="off" -<?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <strong><?php echo gettext("Disable"); ?></strong> - <?php echo gettext("directory size limit"); ?><br> - <br> - <span class="red"><strong><?php echo gettext("Warning"); ?></span>:</strong> <?php echo gettext("Nanobsd " . 
- "should use no more than 10MB of space."); ?></td> - </tr> - <tr> - <td> </td> - </tr> - </table> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td class="vncell3"><?php echo gettext("Size in"); ?> <strong>MB</strong></td> - <td class="vtable"><input name="snortloglimitsize" type="text" - class="formfld" id="snortloglimitsize" size="7" - value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> - <?php echo gettext("Default is"); ?> <strong>20%</strong> <?php echo gettext("of available space."); ?></td> - - </table> - + <table cellpadding="0" cellspacing="0"> + <tr> + <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="on" + <?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>><span class="vexpl"> + <strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</span></td> + </tr> + <tr> + <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="off" + <?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong> + <?php echo gettext("directory size limit"); ?></span><br> + <br> + <span class="red"><strong><?php echo gettext("Warning"); ?></span>:</strong> <?php echo gettext("Nanobsd " . + "should use no more than 10MB of space."); ?></td> + </tr> + </table> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td><span class="vexpl"><?php echo gettext("Size in"); ?> <strong>MB</strong></span></td> + <td><input name="snortloglimitsize" type="text" class="formfld" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> + <?php printf(gettext("Default is %s20%%%s of available space."), '<strong>', '</strong>'); ?></td> + </tr> + </table> + </td> </tr> - <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove blocked hosts " . 
"every"); ?></td> @@ -255,10 +282,9 @@ if ($input_errors) <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>> <?=htmlspecialchars($ifacename3);?></option> <?php endforeach; ?> - </select><br> - <span class="vexpl"><?php echo gettext("Please select the amount of time you would like " . - "hosts to be blocked for."); ?><br> - <?php echo gettext("Hint: in most cases, 1 hour is a good choice."); ?></span></td> + </select> + <?php echo gettext("Please select the amount of time you would like hosts to be blocked for."); ?><br/><br/> + <?php printf(gettext("%sHint:%s in most cases, 1 hour is a good choice."), '<span class="red"><strong>', '</strong></span>'); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep snort settings " . @@ -266,8 +292,7 @@ if ($input_errors) <td width="78%" class="vtable"><input name="forcekeepsettings" id="forcekeepsettings" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?> - ><br> - <?php echo gettext("Settings will not be removed during deinstall."); ?></td> + > <?php echo gettext("Settings will not be removed during deinstall."); ?></td> </tr> <tr> <td width="22%" valign="top"> @@ -279,8 +304,8 @@ if ($input_errors) <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?><br> </strong></span> <?php echo gettext("Changing any settings on this page will affect all " . - "interfaces. Please, double check if your oink code is correct and " . - "the type of snort.org account you hold."); ?></span></td> + "interfaces. Double check that your oink code is correct, and verify the " . + "type of Snort.org account you hold."); ?></span></td> </tr> </table> </td></tr> diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index 93d3f2dc..32f2f6ba 100644 --- a/config/snort/snort_interfaces_suppress.php 
+++ b/config/snort/snort_interfaces_suppress.php @@ -134,10 +134,10 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} </table> </td></tr> <tr> - <td colspan="3" width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> + <td colspan="3" width="100%"><br/><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <p><span class="vexpl"><?php echo gettext("Here you can create event filtering and " . - "suppression for your snort package rules."); ?><br> - <?php echo gettext("Please note that you must restart a running rule so that changes can " . + "suppression for your snort package rules."); ?><br/><br/> + <?php echo gettext("Please note that you must restart a running Interface so that changes can " . "take effect."); ?></span></p></td> </tr> </table> diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php index f90cbe1f..a925ad45 100644 --- a/config/snort/snort_interfaces_whitelist.php +++ b/config/snort/snort_interfaces_whitelist.php 
@@ -154,15 +154,20 @@ if ($savemsg) print_info_box($savemsg); </tr> </table> <br> -<table width="100%" border="0" cellpadding="0" - cellspacing="0"> +<table width="100%" border="0" cellpadding="1" + cellspacing="1"> + <tr> <td width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <p><span class="vexpl"><?php echo gettext("Here you can create whitelist files for your " . "snort package rules."); ?><br> <?php echo gettext("Please add all the ips or networks you want to protect against snort " . "block decisions."); ?><br> <?php echo gettext("Remember that the default whitelist only includes local networks."); ?><br> - <?php echo gettext("Be careful, it is very easy to get locked out of you system."); ?></span></p></td> + <?php echo gettext("Be careful, it is very easy to get locked out of your system."); ?></span></p></td> + </tr> + <tr> + <td width="100%"><span class="vexpl"><?php echo gettext("Remember you must restart Snort on the interface for changes to take effect!"); ?></span></td> + </tr> </table> </form> <?php include("fend.inc"); ?> diff --git a/config/snort/snort_log_view.php b/config/snort/snort_log_view.php new file mode 100644 index 00000000..4fc8d990 --- /dev/null +++ b/config/snort/snort_log_view.php 
@@ -0,0 +1,89 @@
+<?php
+/*
+ * snort_log_view.php
+ *
+ * Copyright (C) 2004, 2005 Scott Ullrich
+ * Copyright (C) 2011 Ermal Luci
+ * All rights reserved.
+ *
+ * Adapted for FreeNAS by Volker Theile (votdev@gmx.de)
+ * Copyright (C) 2006-2009 Volker Theile
+ *
+ * Adapted for Pfsense Snort package by Robert Zelaya
+ * Copyright (C) 2008-2009 Robert Zelaya
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+$contents = '';
+
+// Read the contents of the argument passed to us.
+// Is it a fully qualified path and file?
+if (file_exists($_GET['logfile']))
+ $contents = file_get_contents($_GET['logfile']);
+// It is not something we can display, so print an error.
+else
+ $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!");
+
+$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
+?>
+
+<?php include("head.inc");?>
+
+<body link="#000000" vlink="#000000" alink="#000000">
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<?php // include("fbegin.inc");?>
+
+<form action="snort_log_view.php" method="post">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+ <td class="tabcont">
+ <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee">
+ <tr>
+ <td class="pgtitle" colspan="2">Snort: Log File Viewer</td>
+ </tr>
+ <tr>
+ <td align="left" width="20%">
+ <input type="button" class="formbtn" value="Return" onclick="window.close()">
+ </td>
+ <td align="right">
+ <b><?php echo gettext("Log File: ") . '</b> ' . $_GET['logfile']; ?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="label">
+ <div style="background: #eeeeee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. -->
+ <textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" cols="80" name="code2"><?=$contents;?></textarea>
+ </div>
+ </td>
+ </tr>
+ </table>
+ </td>
+</tr>
+</table>
+</form>
+<?php // include("fend.inc");?>
+</body>
+</html>
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 7d0348e9..cf6146cf 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
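Review bot: `file_get_contents($_GET['logfile'])` reads whatever path the request names, gated only by `file_exists`, so this page will display any file the web-server user can read, not only Snort logs. `$_GET['logfile']` and `$contents` are also written into the markup without `htmlspecialchars`, so a crafted parameter, or a log line that happens to contain `</textarea>`, ends the text area early and the rest is rendered as HTML. The package already has a log directory constant (`SNORTLOGDIR`, used by snort_preprocessors.php in this same diff), so the requested file should be canonicalised with `realpath`, required to sit under that directory, and both outputs escaped; the rewritten lines follow.
```php
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");

$contents = '';
$logfile = '';

// Only files that live inside the Snort log directory may be displayed.
// realpath() resolves ".." and symlinks, so the prefix test is made on the
// canonical path rather than on what the request supplied.
$logdir = realpath(SNORTLOGDIR);
$requested = isset($_GET['logfile']) ? realpath($_GET['logfile']) : false;
if ($logdir !== false && $requested !== false &&
    strpos($requested, $logdir . "/") === 0 && is_file($requested)) {
	$logfile = $requested;
	$contents = file_get_contents($logfile);
}
// Anything else is not something we can display, so print an error.
else
	$contents = gettext("\n\nERROR -- Requested log file not found or not permitted!");

// … unchanged: $pgtitle, head.inc, form and table markup …
					<b><?php echo gettext("Log File: ") . '</b> ' . htmlspecialchars($logfile); ?>
// … unchanged: Return button, textarea wrapper …
					<textarea style="width:100%; height:100%;" readonly wrap="off" rows="33" cols="80" name="code2"><?=htmlspecialchars($contents);?></textarea>
```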
@@ -34,7 +34,13 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; +$snortlogdir = SNORTLOGDIR; + +if (!is_array($config['installedpackages']['snortglobal'])) { + $config['installedpackages']['snortglobal'] = array(); +} +$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); 
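Review bot: `$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];` is read without a default, so on a system where that key has never been saved it is null; the later tests `$vrt_enabled == "off"` (sensitive_data handling in the `@@ -77` and `@@ -462` hunks) then treat the missing value as "VRT enabled", while the protect_preproc_rules input in the `@@ -191` hunk uses `$vrt_enabled <> 'on'` and treats it as disabled. Initialise it explicitly, `$vrt_enabled = isset($config['installedpackages']['snortglobal']['snortdownload']) ? $config['installedpackages']['snortglobal']['snortdownload'] : 'off';`, and use one comparison form in all three places.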
@@ -77,8 +83,43 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc']; $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc']; $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc']; + $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable']; + $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules']; + + /* If not using the Snort VRT rules, then disable */ + /* the Sensitive Data (sdf) preprocessor. */ + if ($vrt_enabled == "off") + $pconfig['sensitive_data'] = "off"; + + /**********************************************************/ + /* To keep new users from shooting themselves in the foot */ + /* enable the most common and necessary preprocessors by */ + /* default. */ + /**********************************************************/ + if (empty($pconfig['ftp_preprocessor'])) + $pconfig['ftp_preprocessor'] = 'on'; + if (empty($pconfig['smtp_preprocessor'])) + $pconfig['smtp_preprocessor'] = 'on'; + if (empty($pconfig['dce_rpc_2'])) + $pconfig['dce_rpc_2'] = 'on'; + if (empty($pconfig['dns_preprocessor'])) + $pconfig['dns_preprocessor'] = 'on'; + if (empty($pconfig['ssl_preproc'])) + $pconfig['ssl_preproc'] = 'on'; + if (empty($pconfig['pop_preproc'])) + $pconfig['pop_preproc'] = 'on'; + if (empty($pconfig['imap_preproc'])) + $pconfig['imap_preproc'] = 'on'; + if (empty($pconfig['sip_preproc'])) + $pconfig['sip_preproc'] = 'on'; + if (empty($pconfig['other_preprocs'])) + $pconfig['other_preprocs'] = 'on'; } +/* Define the "disabled_preproc_rules.log" file for this interface */ +$iface = snort_get_friendly_interface($pconfig['interface']); +$disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; + if ($_POST) { $natent = array(); $natent = $pconfig; 
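Review bot: `$iface = snort_get_friendly_interface($pconfig['interface']);` runs for every request, after the `if (isset($id) && $a_nat[$id])` block (whose start is outside the hunk), so when `$id` does not resolve `$pconfig['interface']` is presumably unset and the derived `$disabled_rules_log` collapses to a path with an empty interface prefix; the POST handler in the next hunk unlinks that path. Guard the derivation, e.g. `if (!empty($pconfig['interface'])) { … }`, or fall into whatever error path the page uses for a missing id. The nine `if (empty($pconfig[...])) $pconfig[...] = 'on';` statements would also read better as a loop over an array of the keys that default to on.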
@@ -120,6 +161,12 @@ if ($_POST) { $natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off'; $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off'; + $natent['preproc_auto_rule_disable'] = $_POST['preproc_auto_rule_disable'] ? 'on' : 'off'; + $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off'; + + /* If 'preproc_auto_rule_disable' is off, then clear log file */ + if ($natent['preproc_auto_rule_disable'] == 'off') + @unlink("{$disabled_rules_log}"); if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -132,8 +179,15 @@ if ($_POST) { write_config(); - $if_real = snort_get_real_interface($pconfig['interface']); - sync_snort_package_config(); + /* Set flag to rebuild rules for this interface */ + $rebuild_rules = "on"; + + /*************************************************/ + /* Update the snort conf file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + snort_generate_conf($natent); + $rebuild_rules = "off"; /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -172,6 +226,25 @@ include_once("head.inc"); </script> <script type="text/javascript" src="/javascript/suggestions.js"> </script> + +<script language="javascript" type="text/javascript"> + +function wopen(url, name, w, h) +{ +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. +w += 32; +h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} +</script> + <form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> 
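Review bot: `$rebuild_rules = "on"; snort_generate_conf($natent); $rebuild_rules = "off";` passes a request-scoped flag to the callee through a global, and the same three lines are repeated in snort_rules.php (the `@@ -207` and `@@ -221` hunks); if `snort_generate_conf()` exits or throws before the `off` line the flag stays set for anything that runs later in the request. If the function can take it, an explicit parameter is clearer; otherwise a small helper that owns the on/off pairing keeps it in one place. A comment on why the flag exists would help the next reader, for example `/* snort_generate_conf() only regenerates the rules files when $rebuild_rules is "on" */`, assuming that is what the callee checks, which is not visible here.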
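Review bot: `function wopen(url, name, w, h)` is added here and again verbatim in snort_rules.php (the `@@ -274,6 +311,22 @@` hunk); a shared script file, or the `popup()` helper snort_rules.php already defines, would avoid two copies drifting apart. The `language="javascript"` attribute is obsolete and `type="text/javascript"` alone is enough. The body is also unindented, with `//` comments and `w += 32;` / `h += 96;` at column 0 next to indented statements; indent them with the rest.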
@@ -191,32 +264,76 @@ include_once("head.inc"); <tr><td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" align="center" valign="middle"> - <span class="red"><strong><?php echo gettext("NOTE"); ?></strong></span><br> + <td colspan="2" align="left" valign="middle"> <?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?> - <?php echo gettext("dependent rules being automatically disabled."); ?><br> - <?php echo gettext("Defaults will be used when there is no user input."); ?><br></td> + <?php echo gettext("Snort start failures unless dependent rules are also disabled."); ?> + <?php echo gettext("The Auto-Rule Disable feature can be used, but note the warning about compromising protection. " . + "Defaults will be used where no user input is provided."); ?></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Performance Statistics"); ?></td> + + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Preprocessors Configuration"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> - <td width="78%" class="vtable"><input name="perform_stat" - type="checkbox" value="on" + <td width="78%" class="vtable"><input name="perform_stat" type="checkbox" value="on" <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?> onClick="enable_change(false)"> <?php echo gettext("Collect Performance Statistics for this interface."); ?></td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Protect Customized Preprocessor Rules"); ?></td> + <td width="78%" class="vtable"><input name="protect_preproc_rules" type="checkbox" value="on" + <?php if ($pconfig['protect_preproc_rules']=="on") echo "checked "; + if ($vrt_enabled <> 'on') echo "disabled"; ?> + onClick="enable_change(false)"> <?php echo gettext("Check this box if you maintain customized preprocessor text rules 
files for this interface."); ?> + <table width="100%" border="0" cellpadding="2" cellpadding="2"> + <tr> + <td width="3%"> </td> + <td><?php echo gettext("Enable this only if you use customized preprocessor text rules files and " . + "you do not want them overwritten by automatic Snort VRT rule updates. " . + "This option is disabled when Snort VRT rules download is not enabled on the Global Settings tab."); ?><br/><br/> + <?php printf(gettext("%sHint:%s Most users should leave this unchecked."), '<span class="red"><strong>', '</strong></span>'); ?></span></td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Auto Rule Disable"); ?></td> + <td width="78%" class="vtable"><input name="preproc_auto_rule_disable" type="checkbox" value="on" + <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?> + onClick="enable_change(false)"> <?php echo gettext("Auto-disable text rules dependent on disabled preprocessors for this interface. "); + echo gettext("Default is ") . '<strong>' . gettext("Not Checked."); ?></strong><br/> + <table width="100%" border="0" cellpadding="2" cellpadding="2"> + <tr> + <td width="3%"> </td> + <td><span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span> + <?php echo gettext("Enabling this option allows Snort to automatically disable any text rules " . + "containing rule options or content modifiers that are dependent upon the preprocessors " . + "you have not enabled. This may facilitate starting Snort without errors related to " . + "disabled preprocessors, but can substantially compromise the level of protection by " . 
+ "automatically disabling detection rules."); ?></td> + </tr> + <?php if (file_exists($disabled_rules_log) && filesize($disabled_rules_log) > 0): ?> + <tr> + <td width="3%"> </td> + <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600)"/> + <?php echo gettext("Click to view the list of currently auto-disabled rules"); ?></td> + </tr> + <?php endif; ?> + </table> + </td> + </tr> + <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> <td width="78%" class="vtable"><input name="http_inspect" type="checkbox" value="on" - <?php if ($pconfig['http_inspect']=="on") echo "checked"; ?> + <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?> onClick="enable_change(false)"> <?php echo gettext("Use HTTP Inspect to " . - "Normalize/Decode and detect HTTP traffic and protocol anomalies."); ?></td> + "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?> + <strong><?php echo gettext("Checked."); ?></strong></td> </tr> <tr> <td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td> @@ -241,7 +358,7 @@ include_once("head.inc"); <td width="78%" class="vtable"> <select name="http_server_profile" class="formselect" id="http_server_profile"> <?php - $profile = array('All', 'Apache', 'IIS', 'IIS_4.0', 'IIS_5.0'); + $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0'); foreach ($profile as $val): ?> <option value="<?=strtolower($val);?>" <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>> 
@@ -275,9 +392,10 @@ include_once("head.inc"); <td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td> <td width="78%" class="vtable"><input name="noalert_http_inspect" type="checkbox" value="on" - <?php if ($pconfig['noalert_http_inspect']=="on") echo "checked"; ?> - onClick="enable_change(false)"> <?php echo gettext("Tick to turn off alerts from the HTTP Inspect " . - "preprocessor. This has no effect on HTTP rules in the rule set."); ?></td> + <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?> + onClick="enable_change(false)"> <?php echo gettext("Turn off alerts from HTTP Inspect " . + "preprocessor. This has no effect on HTTP rules. Default is "); ?> + <strong><?php echo gettext("Checked."); ?></strong></td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td> @@ -382,7 +500,8 @@ include_once("head.inc"); type="checkbox" value="on" <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network."); ?></td> + <?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> @@ -391,7 +510,8 @@ include_once("head.inc"); type="checkbox" value="on" <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies."); ?></td> + <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> 
@@ -400,7 +520,8 @@ include_once("head.inc"); type="checkbox" value="on" <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode POP protocol for enforcement and buffer overflows."); ?></td> + <?php echo gettext("Normalize/Decode POP protocol for enforcement and buffer overflows. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> @@ -409,7 +530,8 @@ include_once("head.inc"); type="checkbox" value="on" <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode IMAP protocol for enforcement and buffer overflows."); ?></td> + <?php echo gettext("Normalize/Decode IMAP protocol for enforcement and buffer overflows. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> @@ -418,7 +540,8 @@ include_once("head.inc"); type="checkbox" value="on" <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - <?php echo gettext("Normalize/Decode SMTP protocol for enforcement and buffer overflows."); ?></td> + <?php echo gettext("Normalize/Decode SMTP protocol for enforcement and buffer overflows. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> 
@@ -427,7 +550,8 @@ include_once("head.inc"); type="checkbox" value="on" <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - <?php echo gettext("The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic."); ?></td> + <?php echo gettext("The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> @@ -436,7 +560,8 @@ include_once("head.inc"); type="checkbox" value="on" <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities."); ?></td> + <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> @@ -454,7 +579,8 @@ include_once("head.inc"); type="checkbox" value="on" <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects some vulnerabilities."); ?></td> + <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects some vulnerabilities. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("SSL Data"); ?></td> 
@@ -462,16 +588,22 @@ include_once("head.inc"); <input name="ssl_preproc" type="checkbox" value="on" <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - <?php echo gettext("SSL data searches for irregularities during SSL protocol exchange"); ?> + <?php echo gettext("SSL data searches for irregularities during SSL protocol exchange. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("Sensitive Data"); ?></td> <td width="78%" class="vtable"> <input name="sensitive_data" type="checkbox" value="on" - <?php if ($pconfig['sensitive_data']=="on") echo "checked"; ?> + <?php if ($pconfig['sensitive_data'] == "on") + echo "checked"; + elseif ($vrt_enabled == "off") + echo "disabled"; + ?> onClick="enable_change(false)"><br> - <?php echo gettext("Sensitive data searches for credit card or Social Security numbers in data"); ?> + <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?><br/> + <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?> </td> </tr> <tr> @@ -507,7 +639,8 @@ include_once("head.inc"); <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <br> - <?php echo gettext("Please save your settings before you click Start."); ?> </td> + <?php echo gettext("Please save your settings before you click Start. Preprocessor changes will rebuild the rules file. "); ?> + </br><?php echo gettext("This may take several seconds. Snort must also be restarted to activate any changes made on this screen."); ?></td> </tr> </table> </td></tr></table> 
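Review bot: In the sensitive_data input, `if ($pconfig['sensitive_data'] == "on") echo "checked"; elseif ($vrt_enabled == "off") echo "disabled";` renders the box checked and enabled when the stored value is on while VRT rules are off; the `@@ -77` hunk clears `$pconfig['sensitive_data']` for that case only inside its `isset($id)` block, so testing `$vrt_enabled` first would let the disabled state win regardless. `</br>` in the `@@ -507` hunk is not a valid tag; use `<br/>` as the rest of the page does.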
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 7457632d..46c3c264 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -33,7 +33,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g, $flowbit_rules_file; +global $g, $flowbit_rules_file, $rebuild_rules; $snortdir = SNORTDIR; $rules_map = array(); @@ -92,6 +92,11 @@ if (empty($categories[0]) && ($currentruleset != "custom.rules")) { $currentruleset = "custom.rules"; } +/* One last sanity check -- if the rules directory is empty, default to loading custom rules */ +$tmp = glob("{$snortdir}/rules/*.rules"); +if (empty($tmp)) + $currentruleset = "custom.rules"; + $ruledir = "{$snortdir}/rules"; $rulefile = "{$ruledir}/{$currentruleset}"; if ($currentruleset != 'custom.rules') { @@ -100,7 +105,7 @@ if ($currentruleset != 'custom.rules') { if (substr($currentruleset, 0, 10) == "IPS Policy") $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); elseif (!file_exists($rulefile)) - $input_errors[] = "{$currentruleset} seems to be missing!!! Please go to the Category tab and save the rule set again to regenerate it."; + $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again."); else $rules_map = snort_load_rules_map($rulefile); } 
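Review bot: `gettext("{$currentruleset} seems to be missing!!! ...")` interpolates the file name into the message before lookup, so the msgid differs on every call and can never match a catalog entry; use `sprintf(gettext("%s seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again."), $currentruleset)`. The `glob()` fallback in the previous hunk is fine as written, since `glob()` returns false on error and `empty(false)` covers that.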
@@ -207,10 +212,22 @@ if ($_GET['act'] == "resetall" && !empty($rules_map)) { exit; } +if ($_POST['clear']) { + unset($a_rule[$id]['customrules']); + write_config(); + $rebuild_rules = "on"; + snort_generate_conf($a_rule[$id]); + $rebuild_rules = "off"; + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); + exit; +} + if ($_POST['customrules']) { $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); write_config(); - sync_snort_package_config(); + $rebuild_rules = "on"; + snort_generate_conf($a_rule[$id]); + $rebuild_rules = "off"; $output = ""; $retcode = ""; exec("snort -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -T 2>&1", $output, $retcode); @@ -221,11 +238,31 @@ if ($_POST['customrules']) { for($i = $start; $i > $end; $i--) $error .= $output[$i]; $input_errors[] = "Custom rules have errors:\n {$error}"; - } else { + } + else { header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); exit; } -} else if ($_POST) { +} + +else if ($_POST['apply']) { + + /* Save new configuration */ + write_config(); + + /*************************************************/ + /* Update the snort conf file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + $rebuild_rules = "on"; + snort_generate_conf($a_rule[$id]); + $rebuild_rules = "off"; + + /* Return to this same page */ + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); + exit; +} +else if($_POST) { unset($a_rule[$id]['customrules']); write_config(); header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); 
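Review bot: The new `clear` and `apply` handlers test `$_POST['clear']` and `$_POST['apply']` directly, which raises an undefined-index notice on every other POST; `!empty($_POST['clear'])` is the usual form. Both handlers, like the existing `customrules` branch, redirect with `openruleset={$currentruleset}` unencoded; `urlencode($currentruleset)` keeps a name containing `&` or spaces from breaking the Location header. The `else if ($_POST['apply'])` / `else if($_POST)` spacing is inconsistent within one chain.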
@@ -274,6 +311,22 @@ function popup(url) if (window.focus) {newwin.focus()} return false; } + +function wopen(url, name, w, h) +{ +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. +w += 32; +h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + </script> <form action="/snort/snort_rules.php" method="post" name="iform" id="iform"> 
@@ -346,24 +399,30 @@ function popup(url) <input type='hidden' name='openruleset' value='custom.rules'> <input type='hidden' name='id' value='<?=$id;?>'> - <textarea wrap="on" cols="85" rows="40" name="customrules"><?=$pconfig['customrules'];?></textarea> + <textarea wrap="soft" cols="85" rows="40" name="customrules"><?=$pconfig['customrules'];?></textarea> </td> <td width="3%" class="list"> </td> </tr> <tr> + <td colspan="9"> </td> + </tr> + <tr> <td width="3%" class="list"> </td> - <td colspan="7" class="vtable"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <td colspan="7"> + <input name="Submit" type="submit" class="formbtn" value=" Save "> + <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <input name="clear" type="submit" class="formbtn" id="clear" value="Clear" onclick="return confirm('Do you really want to erase all custom rules?')"> </td> <td width="3%" class="list"> </td> </tr> <?php else: ?> <tr> <td width="3%" class="list"> </td> - <td colspan="7" class="listhdr" > </td> + <td colspan="7" class="listhdr" ><input type="submit" name="apply" id="apply" value="Apply Changes" class="formbtn"> + <?php echo gettext("Click to rebuild the rules with your changes. Snort must be restarted to use the new rules."); ?> + <input type='hidden' name='id' value='<?=$id;?>'></td> <td width="3%" align="center" valign="middle" class="listt"><a href="javascript: void(0)" - onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>')"> + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>','FileViewer',800,600)"> <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"' onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_service_restart.gif\"' ";?> 
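Review bot: `wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>','FileViewer',800,600)` puts `$id` and `$currentruleset` into a JavaScript string inside an `onclick` attribute with no encoding, and the `@@ -448` hunk on the next line does the same with `$sid` and `$gid`; the replaced `popup()` call had the same shape, but since these lines are being rewritten, `<?=htmlspecialchars(rawurlencode($currentruleset));?>` (and likewise for the other values) is the time to close it. `value=" Save "` pads the submit value with spaces; nothing visible here compares `$_POST['Submit']` against "Save", so this is only a caution.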
@@ -448,8 +507,8 @@ function popup(url) ?> <td width="3%" align="center" valign="middle" nowrap class="listt"> <a href="javascript: void(0)" - onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>')"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" title="<?php echo gettext("Click to view rule"); ?>" width="17" height="17" border="0"></a> <!-- Codes by Quackit.com --> </td> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index ab1a24b2..a1f45c07 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -62,6 +62,7 @@ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; $file = $_GET['openruleset']; $contents = ''; +$wrap_flag = "off"; // Read the contents of the argument passed to us. // It may be an IPS policy string, an individual SID, @@ -69,8 +70,10 @@ $contents = ''; // Test for the special case of an IPS Policy file. if (substr($file, 0, 10) == "IPS Policy") { $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); - if (isset($_GET['ids'])) + if (isset($_GET['ids'])) { $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; + $wrap_flag = "soft"; + } else { $contents = "# Snort IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']) . "\n\n"; foreach (array_keys($rules_map) as $k1) { @@ -86,6 +89,7 @@ if (substr($file, 0, 10) == "IPS Policy") { elseif (isset($_GET['ids'])) { $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; + $wrap_flag = "soft"; } // Is it our special flowbit rules file? elseif ($file == $flowbit_rules_file) 
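Review bot: The snort_rules_edit.php hunks at 69 and 86 keep indexing `$rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']` with no check that `gid` is present or that the entry exists, so a request missing either parameter produces undefined-index notices and an empty viewer; extend the guard the commit rewrites to `if (isset($_GET['ids']) && isset($_GET['gid'])) {`. `$file` is assigned straight from `$_GET['openruleset']` in the context of the hunk at 62 and is later interpolated into the `{$snortdir}/rules/{$file}` path in the hunk at 86; restricting it with `$file = basename($_GET['openruleset']);` or validating it against the known ruleset names would confine the viewer to the rules directory. The `$wrap_flag` additions themselves are fine, though a boolean with the string chosen at output time would be clearer than carrying the literal attribute value around.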
@@ -102,14 +106,14 @@ else { exit; } -$pgtitle = array(gettext("Advanced"), gettext("File Viewer")); +$pgtitle = array(gettext("Snort"), gettext("File Viewer")); ?> <?php include("head.inc");?> <body link="#000000" vlink="#000000" alink="#000000"> <?php if ($savemsg) print_info_box($savemsg); ?> -<?php include("fbegin.inc");?> +<?php // include("fbegin.inc");?> <form action="snort_rules_edit.php" method="post"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -117,14 +121,20 @@ $pgtitle = array(gettext("Advanced"), gettext("File Viewer")); <td class="tabcont"> <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee"> <tr> - <td> + <td class="pgtitle" colspan="2">Snort: Rules Viewer</td> + </tr> + <tr> + <td width="20%"> <input type="button" class="formbtn" value="Return" onclick="window.close()"> </td> + <td align="right"> + <b><?php echo gettext("Rules File: ") . '</b> ' . $file; ?> + </td> </tr> <tr> - <td valign="top" class="label"> - <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea wrap="off" rows="33" cols="90" name="code2"><?=$contents;?></textarea> + <td valign="top" class="label" colspan="2"> + <div style="background: #eeeeee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea style="width:100%; height:100%;" wrap="<?=$wrap_flag?>" rows="33" cols="80" name="code2"><?=$contents;?></textarea> </div> </td> </tr> @@ -133,6 +143,6 @@ $pgtitle = array(gettext("Advanced"), gettext("File Viewer")); </tr> </table> </form> -<?php include("fend.inc");?> +<?php // include("fend.inc");?> </body> </html> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 23a24bea..64998810 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php 
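Review bot: The new `Rules File:` line echoes `$file` unescaped, and `$file` is assigned from `$_GET['openruleset']` in the hunk at 62, so request input is reflected straight into the page; write it as `<b><?php echo gettext("Rules File: ") . '</b> ' . htmlspecialchars($file); ?>`. The textarea body `<?=$contents;?>` on the rewritten line should likewise be `htmlspecialchars($contents)`, since rule text may contain `</textarea>`. The `include("fbegin.inc")` and `include("fend.inc")` lines are commented out rather than removed; delete them or add a one-line comment saying the standard header and footer are intentionally omitted in the popup viewer.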
@@ -32,7 +32,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g, $flowbit_rules_file; +global $g, $flowbit_rules_file, $rebuild_rules; $snortdir = SNORTDIR; @@ -62,13 +62,30 @@ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_nat[$id]['uuid']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules']; + +$no_emerging_files = false; +$no_snort_files = false; +$no_community_files = false; + +/* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */ +$test = glob("{$snortdir}/rules/emerging-*.rules"); +if (empty($test)) + $no_emerging_files = true; +$test = glob("{$snortdir}/rules/snort_*.rules"); +if (empty($test)) + $no_snort_files = true; +if (!file_exists("{$snortdir}/rules/GPLv2_community.rules")) + $no_community_files = true; if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on')) $policy_select_disable = "disabled"; if ($a_nat[$id]['autoflowbitrules'] == 'on') { - if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}")) + if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") && + filesize("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) { $btn_view_flowb_rules = ""; + } else $btn_view_flowb_rules = " disabled"; } @@ -119,7 +136,14 @@ if ($_POST["Submit"]) { } write_config(); - sync_snort_package_config(); + + /*************************************************/ + /* Update the snort conf file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + $rebuild_rules = "on"; + snort_generate_conf($a_nat[$id]); + $rebuild_rules = "off"; header("Location: /snort/snort_rulesets.php?id=$id"); exit; 
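Review bot: The `$rebuild_rules = "on"` / `"off"` pair around `snort_generate_conf($a_nat[$id])` in the hunk at 119 uses a global as a hidden argument, and if the function exits or errors out (its body is not in this diff) the flag is left set to "on" for the rest of the request. Passing the rebuild request as an explicit parameter of snort_generate_conf() would make the call self-contained and remove the need for the `global $rebuild_rules` added in the hunk at 32. In the hunk at 62 the rewritten `if (...) {` now closes with `}` while the matching `else` keeps its unbraced body; brace both branches so the structure is obvious at a glance.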
@@ -142,6 +166,11 @@ if ($_POST['selectall']) { foreach ($files as $file) $rulesets[] = basename($file); } + if ($snortcommunitydownload == 'on') { + $files = glob("{$snortdir}/rules/sc_*.rules"); + foreach ($files as $file) + $rulesets[] = basename($file); + } if ($snortdownload == 'on') { $files = glob("{$snortdir}/rules/snort*.rules"); foreach ($files as $file) @@ -193,6 +222,22 @@ function popup(url) if (window.focus) {newwin.focus()} return false; } + +function wopen(url, name, w, h) +{ +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. +w += 32; +h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + function enable_change() { var endis = !(document.iform.ips_policy_enable.checked); @@ -233,12 +278,15 @@ function enable_change() $iscfgdirempty = array(); if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/custom.rules")) $iscfgdirempty = (array)("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/custom.rules"); - if (empty($isrulesfolderempty) && empty($iscfgdirempty)): + if (empty($isrulesfolderempty)): ?> <tr> - <td> - <?php printf(gettext("# The rules directory is empty. %s/rules"), $snortdir); ?> <br/> - <?php echo gettext("Please go to the Updates tab to download/fetch the rules configured."); ?> + <td class="vexpl"><br/> + <?php printf(gettext("# The rules directory is empty: %s%s/rules%s"), '<strong>',$snortdir,'</strong>'); ?> <br/><br/> + <?php echo gettext("Please go to the ") . '<a href="snort_download_updates.php"><strong>' . gettext("Updates") . + '</strong></a>' . gettext(" tab to download the rules configured on the ") . + '<a href="snort_interfaces_global.php"><strong>' . gettext("Global") . + '</strong></a>' . gettext(" tab."); ?> </td> </tr> <?php else: 
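Review bot: The Select All branch added in the hunk at 142 globs `{$snortdir}/rules/sc_*.rules`, but the community ruleset is referred to everywhere else in this diff as `GPLv2_community.rules` (the file_exists test in the hunk at 62 and the checkbox value in the hunk at 327), so Select All will never tick the community rules. Use the same filename here, e.g. `if ($snortcommunitydownload == 'on' && file_exists("{$snortdir}/rules/GPLv2_community.rules")) $rulesets[] = "GPLv2_community.rules";`. `glob()` also returns false on error, so the surrounding `foreach ($files as $file)` loops should iterate over `(array)$files`. In the hunk at 233 the condition now tests only `$isrulesfolderempty`, which leaves the `$iscfgdirempty` assignment just above it dead.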
@@ -258,28 +306,31 @@ function enable_change() </tr> <tr> <td colspan="6" valign="center" class="listn"> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="2" cellspacing="2"> <tr> <td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td> - <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" <?php if ($a_nat[$id]['autoflowbitrules'] == "on") echo "checked"; ?>/></td> + <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" + <?php if ($a_nat[$id]['autoflowbitrules'] == "on" || empty($a_nat[$id]['autoflowbitrules'])) echo "checked"; ?>/> + <span class="vexpl"><?php echo gettext("If checked, Snort will auto-enable rules required for checked flowbits. "); + echo gettext("The Default is "); ?><strong><?php echo gettext("Checked."); ?></strong></span></td> </tr> <tr> <td width="15%" class="vncell"> </td> <td width="85%" class="vtable"> - <?php echo gettext("If ticked, Snort will examine the enabled rules in your chosen " . + <?php echo gettext("Snort will examine the enabled rules in your chosen " . "rule categories for checked flowbits. Any rules that set these dependent flowbits will " . 
- "be automatically enabled and added to the list of files in the interface rules directory."); ?><br/><br/></td> + "be automatically enabled and added to the list of files in the interface rules directory."); ?><br/></td> </tr> <tr> <td width="15%" class="listn"><?php echo gettext("Auto Flowbit Rules"); ?></td> - <td width="85%"><input type="button" class="formbtn" value="View" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$flowbit_rules_file;?>')" <?php echo $btn_view_flowb_rules; ?>/></td> + <td width="85%"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$flowbit_rules_file;?>','FileViewer',800,600)" <?php echo $btn_view_flowb_rules; ?>/> + <span class="vexpl"><?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit dependencies"); ?></span></td> </tr> <tr> <td width="15%"> </td> <td width="85%"> - <?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit " . - "dependencies from the selected rule categories below. Auto-enabled rules generating unwanted alerts " . - "should have their GID:SID added to the Suppression List for the interface."); ?><br/><br/></td> + <?php printf(gettext("%sNote: %sAuto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."), '<span class="red"><strong>', '</strong></span>'); ?> + <br/></td> </tr> </table> </td> 
@@ -289,20 +340,20 @@ function enable_change() </tr> <tr> <td colspan="6" valign="center" class="listn"> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="2" cellspacing="2"> <tr> <td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td> <td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?> - <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/></td> + <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/> <span class="vexpl"> + <?php echo gettext("If checked, Snort will use rules from the pre-defined IPS policy selected below."); ?></span></td> </tr> <tr> <td width="15%" class="vncell"> </td> <td width="85%" class="vtable"> - <?php echo gettext("If ticked, Snort will use rules from the pre-defined IPS policy " . - "selected below. You must be using the Snort VRT rules to use this option."); ?><br/> + <?php printf(gettext("%sNote:%s You must be using the Snort VRT rules to use this option."),'<span class="red"><strong>','</strong></span>'); ?> <?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " . "although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " . - "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br><br/></td> + "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br/></td> </tr> <tr> <td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td> 
@@ -311,15 +362,16 @@ function enable_change() <option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option> <option value="security" <?php if ($pconfig['ips_policy'] == "security") echo "selected"; ?>><?php echo gettext("Security"); ?></option> </select> - </td> + <span class="vexpl"><?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security."); ?></span></td> </tr> <tr> <td width="15%"> </td> <td width="85%"> - <?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security. " . - "Connectivity blocks most major threats with few or no false positives. Balanced is a good starter policy. It " . - "is speedy, has good base coverage level, and covers most threats of the day. It includes all rules in Connectivity. " . - "Security is a stringent policy. It contains everything in the first two plus policy-type rules such as Flash in an Excel file."); ?><br/><br/></td> + <?php echo gettext("Connectivity blocks most major threats with few or no false positives. " . + "Balanced is a good starter policy. It is speedy, has good base coverage level, and covers " . + "most threats of the day. It includes all rules in Connectivity." . + "Security is a stringent policy. It contains everything in the first two " . + "plus policy-type rules such as Flash in an Excel file."); ?><br/></td> </tr> </table> </td> 
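Review bot: The rewritten help text concatenates `"... It includes all rules in Connectivity." .` with `"Security is a stringent policy. ..."` without a separating space, so the page shows "Connectivity.Security". Change the line to `"most threats of the day. It includes all rules in Connectivity. " .`.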
@@ -327,27 +379,75 @@ function enable_change() <tr> <td colspan="6" class="listtopic"><?php echo gettext("Check the rulesets that you would like Snort to load at startup."); ?><br/></td> </tr> + <tr> <td colspan="6"> </td> </tr> + <tr> + <td colspan="6"> + <table width=100% border="0" cellpadding="2" cellspacing="2"> + <tr> + <td valign="middle"><input value="Select All" type="submit" name="selectall" id="selectall" /></td> + <td valign="middle"><input value="Unselect All" type="submit" name="unselectall" id="selectall" /></td> + <td valign="middle"><input value="Save" class="formbtn" type="submit" name="Submit" id="Submit" /></td> + <td valign="middle"><span class="vexpl"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?></span></td> + </tr> + </table> + </tr> <tr> - <td colspan="1" align="middle" valign="center"><br/><input value="Select All" type="submit" name="selectall" id="selectall" /><br/></td> - <td colspan="1" align="middle" valign="center"><br/><input value="Unselect All" type="submit" name="unselectall" id="selectall" /><br/></td> - <td colspan="1" align="middle" valign="center"><br/><input value="Save" class="formbtn" type="submit" name="Submit" id="Submit" /></td> - <td colspan="3" valign="center"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?><br/></td> + <td colspan="6"> </td> </tr> - <tr> <td colspan="6"> </td> </tr> + + <?php if ($no_community_files) + $msg_community = "NOTE: Snort Community Rules have not been downloaded. 
Perform a Rules Update to enable them."; + else + $msg_community = "Snort GPLv2 Community Rules (VRT certified)"; + ?> + <?php if ($snortcommunitydownload == 'on'): ?> + <tr id="frheader"> + <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> + <td colspan="5" class="listhdrr"><?php echo gettext('Ruleset: Snort GPLv2 Community Rules');?></td> + </tr> + <?php if (in_array("GPLv2_community.rules", $enabled_rulesets_array)): ?> + <tr> + <td width="5" class="listr" align="center" valign="top"> + <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" checked="checked"/></td> + <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=GPLv2_community.rules'><?php echo gettext("{$msg_community}"); ?></a></td> + </tr> + <?php else: ?> + <tr> + <td width="5" class="listr" align="center" valign="top"> + <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td> + <td colspan="5" class="listr"><?php echo gettext("{$msg_community}"); ?></td> + </tr> + + <?php endif; ?> + <?php else: ?> + <tr> + <td colspan="6"> </td> + </tr> + <?php endif; ?> + + <?php if ($no_emerging_files) + $msg_emerging = "downloaded."; + else + $msg_emerging = "enabled."; + if ($no_snort_files) + $msg_snort = "downloaded."; + else + $msg_snort = "enabled."; + ?> <tr id="frheader"> - <?php if ($emergingdownload == 'on'): ?> - <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> + <?php if ($emergingdownload == 'on' && !$no_emerging_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td> <?php else: ?> - <td colspan="2" width="30%" class="listhdrr"><?php echo gettext("Emerging rules have not been enabled"); ?></td> + <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not 
{$msg_emerging}"); ?></td> <?php endif; ?> - <?php if ($snortdownload == 'on'): ?> - <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort');?></td> - <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort SO');?></td> + <?php if ($snortdownload == 'on' && !$no_snort_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort Text Rules');?></td> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort SO Rules');?></td> <?php else: ?> - <td colspan="2" width="60%" class="listhdrr"><?php echo gettext("Snort rules have not been enabled"); ?></td> + <td colspan="4" align="center" width="60%" class="listhdrr"><?php echo gettext("Snort VRT rules have not been {$msg_snort}"); ?></td> <?php endif; ?> </tr> <?php |