Diffstat (limited to 'config/snort')
-rw-r--r-- | config/snort/snort.inc | 1870 | ||||
-rw-r--r-- | config/snort/snort_alerts.php | 93 | ||||
-rw-r--r-- | config/snort/snort_barnyard.php | 195 | ||||
-rw-r--r-- | config/snort/snort_blocked.php | 63 | ||||
-rw-r--r-- | config/snort/snort_check_cron_misc.inc | 10 | ||||
-rw-r--r-- | config/snort/snort_check_for_rule_updates.php | 87 | ||||
-rw-r--r-- | config/snort/snort_define_servers.php | 20 | ||||
-rw-r--r-- | config/snort/snort_interfaces.php | 44 | ||||
-rw-r--r-- | config/snort/snort_interfaces_edit.php | 116 | ||||
-rw-r--r-- | config/snort/snort_interfaces_global.php | 117 | ||||
-rw-r--r-- | config/snort/snort_interfaces_suppress.php | 24 | ||||
-rw-r--r-- | config/snort/snort_interfaces_suppress_edit.php | 55 | ||||
-rw-r--r-- | config/snort/snort_preprocessors.php | 16 | ||||
-rw-r--r-- | config/snort/snort_rules.php | 8 | ||||
-rw-r--r-- | config/snort/snort_rules_edit.php | 18 | ||||
-rw-r--r-- | config/snort/snort_rulesets.php | 46 |
16 files changed, 1135 insertions, 1647 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 271f10a8..76cb563d 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -39,24 +39,31 @@ require_once("filter.inc"); /* package version */ $snort_package_version = 'Snort 2.8.6.1 pkg v. 1.34'; +/* Allow additional execution time 0 = no limit. */ +ini_set('max_execution_time', '9999'); +ini_set('max_input_time', '9999'); + +/* define oinkid */ +if ($config['installedpackages']['snortglobal']) + $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +else + $config['installedpackages']['snortglobal'] = array(); + /* find out if were in 1.2.3-RELEASE */ -$pfsense_ver_chk = exec('/bin/cat /etc/version'); -if ($pfsense_ver_chk == '1.2.3-RELEASE') -{ - $pfsense_stable = 'yes'; -}else{ - $pfsense_stable = 'no'; -} +$pfsense_ver_chk = trim(file_get_contents("/etc/version"), " \n"); +if (strstr($pfsense_ver_chk, "1.2.3")) + $snort_pfsense_basever = 'yes'; +else + $snort_pfsense_basever = 'no'; /* find out what arch where in x86 , x64 */ -/* TODO: should be more clear in this code */ -$snort_arch_ck = ''; -exec('/usr/bin/uname -m', $snort_arch_ck); -if($snort_arch_ck[0] == 'i386') { +$snort_arch_ck = php_uname("m"); +if ($snort_arch_ck == 'i386') $snort_arch = 'x86'; -}else{ +else if ($snort_arch_ck = "amd64") $snort_arch = 'x64'; -} +else + $snort_arch = "Unknown"; /* tell me my theme */ $pfsense_theme_is = $config['theme']; 
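Review bot: `else if ($snort_arch_ck = "amd64")` in the new arch detection assigns instead of comparing, so that branch is always taken and `$snort_arch` is `x64` on every non-i386 system, which also makes the new `"Unknown"` fallback unreachable. It should read `else if ($snort_arch_ck == "amd64")`. Because `$snort_arch` is later interpolated into the package download URLs in snort_postinstall, a wrong value points the installer at the wrong path rather than failing visibly.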
@@ -65,14 +72,12 @@ $pfsense_theme_is = $config['theme']; function find_whitelist_key($find_wlist_number) { global $config, $g; - $whitelist_array = $config['installedpackages']['snortglobal']['whitelist']['item']; - $w_key = -1; + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return 0; /* XXX */ - foreach ($whitelist_array as $value) { - $w_key += 1; - if ($config['installedpackages']['snortglobal']['whitelist']['item'][$w_key]['uuid'] == $find_wlist_number) { + foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $w_key => $value) { + if ($value['uuid'] == $find_wlist_number) return $w_key; - } } } 
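Review bot: The new guard `return 0; /* XXX */` in find_whitelist_key makes "no whitelist configured" indistinguishable from "matched item 0"; build_base_whitelist later in this file treats any `$userwips > -1` as a valid index and would then read `['item'][0]['address']` from an array that does not exist. When nothing matches, the function still falls off the end and returns null, so the two failure cases already disagree with each other. Returning -1 both in the guard and after the loop would fit the `> -1` convention the caller uses; confirm against the other callers outside this hunk before changing it.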
@@ -80,44 +85,61 @@ function find_whitelist_key($find_wlist_number) { function find_suppress_key($find_slist_number) { global $config, $g; - $suppresslist_array = $config['installedpackages']['snortglobal']['suppress']['item']; - $s_key = -1; + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + return 0; /* XXX */ - foreach ($suppresslist_array as $value2) { - $s_key += 1; - if ($config['installedpackages']['snortglobal']['suppress']['item'][$s_key]['uuid'] == $find_slist_number) { + foreach ($config['installedpackages']['snortglobal']['supppress']['item'] as $s_key => $value) { + if ($value['uuid'] == $find_slist_number) return $s_key; - } } } /* func builds custom whitelests */ function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $userwips) { - global $config, $g; + global $config, $g, $snort_pfsense_basever; /* build an interface array list */ - $int_array = array('lan'); - for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) - if(isset($config['interfaces']['opt' . $j]['enable'])) - if(isset($config['interfaces']['opt' . $j]['gateway'])) - $int_array[] = "opt{$j}"; + if ($snort_pfsense_basever == 'yes') { + $int_array = array('lan'); + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + if(isset($config['interfaces']['opt' . $j]['enable'])) + if(isset($config['interfaces']['opt' . $j]['gateway'])) + $int_array[] = "opt{$j}"; + } else + $int_array = get_configured_interface_list(); + + $home_net = ""; /* iterate through interface list and write out whitelist items * and also compile a home_net list for snort. 
*/ - foreach($int_array as $int) { + foreach ($int_array as $int) { /* calculate interface subnet information */ $ifcfg = $config['interfaces'][$int]; - $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); - $subnetmask = gen_subnet_mask($ifcfg['subnet']); - if($subnet == "pppoe" or $subnet == "dhcp") { - $subnet = find_interface_ip("ng0"); - if($subnet) - $home_net .= "{$subnet} "; - } else { - if ($subnet) - if($ifcfg['subnet']) - $home_net .= "{$subnet}/{$ifcfg['subnet']} "; + switch ($ifcfg['ipaddr']) { + case "pppoe": + case "pptp": + case "l2tp": + if (function_exists('get_real_interface')) + $subnet = find_interface_ip(get_real_interface($int)); + else + $subnet = find_interface_ip("ng0"); + + if (is_ipaddr($subnet)) + $home_net .= "{$subnet} "; + break; + case "dhcp": + $subnet = find_interface_ip($int); + if (is_ipaddr($subnet)) + $home_net .= "{$subnet} "; + break; + default: + if (is_ipaddr($ifcfg['ipaddr'])) { + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + if ($ifcfg['subnet']) + $home_net .= "{$subnet}/{$ifcfg['subnet']} "; + } + break; } } 
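Review bot: find_suppress_key checks `['snortglobal']['suppress']['item']` with is_array but the rewritten loop iterates `$config['installedpackages']['snortglobal']['supppress']['item']` (three p's), so it walks a null and never returns a key. The foreach should be `foreach ($config['installedpackages']['snortglobal']['suppress']['item'] as $s_key => $value) {`. The `return 0; /* XXX */` guard has the same index-0 ambiguity as the one added to find_whitelist_key in the previous hunk.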
@@ -125,86 +147,78 @@ function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $v /* add all WAN ips to the whitelist */ $wan_if = get_real_wan_interface(); $ip = find_interface_ip($wan_if); - if($ip) - $home_net .= "{$ip} "; + if (is_ipaddr($ip)) + $home_net .= "{$ip} "; } if($wangw == 'yes') { /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ $gw = get_interface_gateway('wan'); if($gw) - $home_net .= "{$gw} "; + $home_net .= "{$gw} "; } if($wandns == 'yes') { /* Add DNS server for WAN interface to whitelist */ $dns_servers = get_dns_servers(); - foreach($dns_servers as $dns) { + foreach ($dns_servers as $dns) { if($dns) - $home_net .= "{$dns} "; + $home_net .= "{$dns} "; } } if($vips == 'yes') { /* iterate all vips and add to whitelist */ - if($config['virtualip']) - foreach($config['virtualip']['vip'] as $vip) - if($vip['subnet']) - $home_net .= $vip['subnet'] . " "; + if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { + foreach($config['virtualip']['vip'] as $vip) + if($vip['subnet']) + $home_net .= "{$vip['subnet']} "; + } } /* Add loopback to whitelist (ftphelper) */ - if($userwips > -1 && $build_netlist == 'netlist') { - $home_net .= "127.0.0.1 "; - }elseif ($userwips > -1 && $build_netlist == 'whitelist') { - $home_net .= "127.0.0.1 "; - }else{ - $home_net .= "127.0.0.1"; - } + $home_net .= "127.0.0.1"; /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ - if($vpns == 'yes') - { - if ($pfsense_stable == 'yes') // chk what pfsense version were on - { + if ($vpns == 'yes') { + if ($snort_pfsense_basever == 'yes') // chk what pfsense version were on $vpns_list = get_vpns_list(); - } - - if ($pfsense_stable == 'no') // chk what pfsense version were on - { + else if ($snort_pfsense_basever == 'no') // chk what pfsense version were on $vpns_list = filter_get_vpns_list(); - } - if ($vpns_list != '') { - $home_net .= "$vpns_list "; - } + + if (!empty($vpns_list)) + $home_net 
.= "{$vpns_list} "; } /* never ever compair numbers to words */ - if($userwips > -1) - { + if ($userwips > -1) { if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) - $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); $home_net .= $config['installedpackages']['snortglobal']['whitelist']['item'][$userwips]['address']; } + $home_net = trim($home_net); + /* this foe whitelistfile, convert spaces to carriage returns */ - $whitelist_home_net = str_replace(" ", "\n", $home_net); - $whitelist_home_net = str_replace(" ", "\n", $home_net); + if ($build_netlist == 'whitelist') { + $whitelist_home_net = str_replace(" ", "\n", $home_net); + $whitelist_home_net = str_replace(" ", "\n", $home_net); + return $whitelist_home_net; + } /* this is for snort.conf */ - $home_net = trim($home_net); - $home_net = str_replace(" ", ",", $home_net); - // $home_net = str_replace(",,", ",", $home_net); // by Thrae, helps people with more than one gateway, breaks snort as is + $validator = explode(" ", $home_net); + $valresult = array(); + foreach ($validator as $vald) { + if (empty($vald)) + continue; + $valresult[] = $vald; + } + $home_net = implode(",", $valresult); $home_net = "[{$home_net}]"; - if($build_netlist == 'netlist') { - return $home_net; - } - - if($build_netlist == 'whitelist') { - return $whitelist_home_net; - } + return $home_net; } @@ -212,7 +226,7 @@ function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $v function Running_Ck($snort_uuid, $if_real, $id) { global $config; - $snort_up_ck = exec("/bin/ps -U snort | grep snort | /usr/bin/awk '{print \$1;}'"); + $snort_up_ck = exec("/bin/ps -U snort | /usr/bin/grep snort | /usr/bin/awk '{print \$1;}'"); if(snort_up_ck == '') { $snort_up = 'no'; 
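Review bot: Collapsing the loopback append to `$home_net .= "127.0.0.1";` drops the trailing space the replaced `netlist`/`whitelist` branches added, so when no VPN list follows, the user whitelist entry appended under `$userwips > -1` is glued onto the loopback address (constructed example: `127.0.0.1192.168.1.0/24`) and emitted as one bogus token in both the whitelist file and the `[...]` HOME_NET list. Write `$home_net .= "127.0.0.1 ";` — the `trim($home_net)` added below already strips any trailing space. In the whitelist branch the `str_replace(" ", "\n", $home_net)` line is duplicated; one copy is enough.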
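Review bot: The line right after the rewritten exec in Running_Ck, `if(snort_up_ck == '')`, compares the undefined constant `snort_up_ck` rather than `$snort_up_ck`, so the ps output the commit just changed how to obtain is never actually inspected. Since this function is being touched, fix it to `if ($snort_up_ck == '') {`. Running_Ck continues outside the hunk.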
@@ -223,7 +237,7 @@ function Running_Ck($snort_uuid, $if_real, $id) { /* use ob_clean to clear output buffer, this code needs to be watched */ ob_clean(); - $snort_up_prell = exec("/bin/ps -U snort | grep \"\-R {$snort_uuid}\" | awk '{print \$1;}'"); + $snort_up_prell = exec("/bin/ps -U snort | /usr/bin/grep \"\-R {$snort_uuid}\" | /usr/bin/awk '{print \$1;}'"); if ($snort_up_prell != '') { $snort_uph = 'yes'; @@ -273,8 +287,7 @@ function Running_Stop($snort_uuid, $if_real, $id) { $start2_upb_s = exec("/bin/ps -U snort | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{ print \$1; }'"); $start2_upb_r = exec("/bin/ps -U root | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{ print \$1; }'"); - if ($start_up_s != '' || $start_up_r != '' || $start2_upb_s != '' || $start2_upb_r != '') - { + if ($start_up_s != '' || $start_up_r != '' || $start2_upb_s != '' || $start2_upb_r != '') { if ($start_up_s != '') { exec("/bin/kill {$start_up_s}"); @@ -311,12 +324,11 @@ function Running_Start($snort_uuid, $if_real, $id) { global $config; /* if snort.sh crashed this will remove the pid */ - exec('/bin/rm /tmp/snort.sh.pid'); + @unlink('/tmp/snort.sh.pid'); $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; - if ($snort_info_chk == 'on') { + if ($snort_info_chk == 'on') exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); - } /* define snortbarnyardlog_chk */ /* top will have trouble if the uuid is to far back */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; 
@@ -335,13 +347,16 @@ function convert_friendly_interface_to_real_interface_name2($interface) global $config; $lc_interface = strtolower($interface); - if($lc_interface == "lan") return $config['interfaces']['lan']['if']; - if($lc_interface == "wan") return $config['interfaces']['wan']['if']; + if ($lc_interface == "lan") { + if ($config['inerfaces']['lan']) + return $config['interfaces']['lan']['if']; + return $interface; + } + if ($lc_interface == "wan") + return $config['interfaces']['wan']['if']; $ifdescrs = array(); - for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) - $ifdescrs['opt' . $j] = "opt" . $j; - foreach ($ifdescrs as $ifdescr => $ifname) - { + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { + $ifname = "opt{$j}"; if(strtolower($ifname) == $lc_interface) return $config['interfaces'][$ifname]['if']; if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface)) @@ -351,16 +366,6 @@ function convert_friendly_interface_to_real_interface_name2($interface) return $interface; } - -/* Allow additional execution time 0 = no limit. */ -ini_set('max_execution_time', '9999'); -ini_set('max_input_time', '9999'); - -/* define oinkid */ -if($config['installedpackages']['snortglobal']) -$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; - - /* this code block is for deleteing logs while keeping the newest file, snort is linked to these files while running, do not take the easy way out @@ -374,9 +379,8 @@ function snort_file_list($snort_log_dir, $snort_log_file) { $dir = opendir ("$snort_log_dir"); while (false !== ($file = readdir($dir))) { - if (strpos($file, "$snort_log_file",1) ) { + if (strpos($file, "$snort_log_file",1) ) $file_list[] = $file; - } } return $file_list; } 
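Review bot: `if ($config['inerfaces']['lan'])` misspells `interfaces`, so the new guard is always false and convert_friendly_interface_to_real_interface_name2 now returns the friendly name `lan` instead of the real device, a regression from the one-liner it replaces. Fix the key: `if ($config['interfaces']['lan'])`. Callers such as post_delete_logs feed this value straight into log file names and `/bin/rm` globs, so a wrong value silently changes which files are removed rather than failing.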
@@ -384,31 +388,29 @@ function snort_file_list($snort_log_dir, $snort_log_file) /* snort dir files */ function snort_file_sort($snort_file1, $snort_file2) { - if ($snort_file1 == $snort_file2) { + if ($snort_file1 == $snort_file2) return 0; - } + return ($snort_file1 < $snort_file2); // ? -1 : 1; // this flips the array } /* build files newest first array */ function snort_build_order($snort_list) { - foreach ($snort_list as $value_list) { + foreach ($snort_list as $value_list) $list_order[] = $value_list; - } + return $list_order; } /* keep the newest remove the rest */ function snort_remove_files($snort_list_rm, $snort_file_safe) { - foreach ($snort_list_rm as $value_list) - { - if ($value_list != $snort_file_safe) { - exec("/bin/rm /var/log/snort/$value_list"); - }else{ - exec("/bin/echo '' > /var/log/snort/$snort_file_safe"); - } + foreach ($snort_list_rm as $value_list) { + if ($value_list != $snort_file_safe) + @unlink("/var/log/snort/$value_list"); + else + file_put_contents("/var/log/snort/$snort_file_safe", ""); } } 
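Review bot: snort_build_order still never initialises `$list_order`, so for an empty `$snort_list` it returns null instead of an array; add `$list_order = array();` before the loop (the whole function is equivalent to `array_values($snort_list)`). snort_file_sort is unchanged, but its `return ($snort_file1 < $snort_file2);` yields only 0 or 1, never -1, which is not the contract usort expects; the surviving `// this flips the array` comment suggests the reversed order is intentional, so a one-line comment stating the intended newest-first ordering would spare the next reader the guess.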
@@ -416,92 +418,55 @@ function post_delete_logs() { global $config, $g; - - $snort_log_dir = '/var/log/snort'; - /* do not start config build if rules is empty */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) - { - - - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) - { + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; - if ($id == '') { - $id = 0; - } + $snort_log_dir = '/var/log/snort'; - $id += 1; - - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - - if ($if_real != '' && $snort_uuid != '') - { - if ($config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog'] == 'on') - { - $snort_log_file_u2 = "{$snort_uuid}_{$if_real}.u2."; - $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2); - if (is_array($snort_list_u2)) { - usort($snort_list_u2, "snort_file_sort"); - $snort_u2_rm_list = snort_build_order($snort_list_u2); - snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]); - } - }else{ - exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.u2*"); + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $result_lan = $value['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + $snort_uuid = $value['uuid']; + + if ($if_real != '' && $snort_uuid != '') { + if ($value['snortunifiedlog'] == 'on') { + $snort_log_file_u2 = "{$snort_uuid}_{$if_real}.u2."; + $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2); + if (is_array($snort_list_u2)) { + usort($snort_list_u2, "snort_file_sort"); + $snort_u2_rm_list = snort_build_order($snort_list_u2); + snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]); } - - if 
($config['installedpackages']['snortglobal']['rule'][$id]['tcpdumplog'] == 'on') - { - $snort_log_file_tcpd = "{$snort_uuid}_{$if_real}.tcpdump."; - $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd); - if (is_array($snort_list_tcpd)) { - usort($snort_list_tcpd, "snort_file_sort"); - $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd); - snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]); - } - }else{ - exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.tcpdump*"); + } else + exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.u2*"); + + if ($value['tcpdumplog'] == 'on') { + $snort_log_file_tcpd = "{$snort_uuid}_{$if_real}.tcpdump."; + $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd); + if (is_array($snort_list_tcpd)) { + usort($snort_list_tcpd, "snort_file_sort"); + $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd); + snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]); } + } else + exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.tcpdump*"); - /* create barnyard2 configuration file */ - //if ($config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'] == 'on') - //create_barnyard2_conf($id, $if_real, $snort_uuid); + /* create barnyard2 configuration file */ + //if ($value['barnyard_enable'] == 'on') + //create_barnyard2_conf($id, $if_real, $snort_uuid); - if ($config['installedpackages']['snortglobal']['rule'][$id]['perform_stat'] == on) - { - exec("/bin/echo '' > /var/log/snort/snort_{$snort_uuid}_{$if_real}.stats"); - } - } + if ($value['perform_stat'] == on) + file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", ""); } } } function snort_postinstall() { - global $config; - conf_mount_rw(); + global $config, $g, $snort_pfsense_basever, $snort_arch; - /* find out if were in 1.2.3-RELEASE */ - $pfsense_ver_chk = exec('/bin/cat /etc/version'); - if ($pfsense_ver_chk == '1.2.3-RELEASE') - { - $pfsense_stable = 'yes'; - 
}else{ - $pfsense_stable = 'no'; - } - - /* find out what arch where in x86 , x64 */ - $snort_arch_ck = ''; - exec('/usr/bin/uname -m', $snort_arch_ck); - if($snort_arch_ck[0] == 'i386') { - $snort_arch = 'x86'; - }else{ - $snort_arch = 'x64'; - } + conf_mount_rw(); /* snort -> advanced features */ $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; 
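Review bot: The rewritten line `if ($value['perform_stat'] == on)` in post_delete_logs compares against the bare constant `on` (no quotes) and only works through PHP's undefined-constant fallback; it should be `if ($value['perform_stat'] == 'on')`, matching the `snortunifiedlog` and `tcpdumplog` checks above it. The two remaining `exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.u2*")`-style lines still interpolate config values unquoted into a shell command; since the hunk already replaces other rm calls with `@unlink`, the same could be done here with `glob()` plus `unlink()`, which removes the shell from the path entirely.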
@@ -509,32 +474,24 @@ function snort_postinstall() $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; /* cleanup default files */ - if(file_exists('/usr/local/etc/snort/snort.conf-sample')) - { - exec('/bin/rm /usr/local/etc/snort/snort.conf-sample'); - exec('/bin/rm /usr/local/etc/snort/threshold.conf-sample'); - exec('/bin/rm /usr/local/etc/snort/sid-msg.map-sample'); - exec('/bin/rm /usr/local/etc/snort/unicode.map-sample'); - exec('/bin/rm /usr/local/etc/snort/classification.config-sample'); - exec('/bin/rm /usr/local/etc/snort/generators-sample'); - exec('/bin/rm /usr/local/etc/snort/reference.config-sample'); - exec('/bin/rm /usr/local/etc/snort/gen-msg.map-sample'); - exec('/bin/rm /usr/local/etc/snort/sid'); - exec('/bin/rm /usr/local/etc/rc.d/snort'); - exec('/bin/rm /usr/local/etc/rc.d/bardyard2'); - } + @unlink('/usr/local/etc/snort/snort.conf-sample'); + @unlink('/usr/local/etc/snort/threshold.conf-sample'); + @unlink('/usr/local/etc/snort/sid-msg.map-sample'); + @unlink('/usr/local/etc/snort/unicode.map-sample'); + @unlink('/usr/local/etc/snort/classification.config-sample'); + @unlink('/usr/local/etc/snort/generators-sample'); + @unlink('/usr/local/etc/snort/reference.config-sample'); + @unlink('/usr/local/etc/snort/gen-msg.map-sample'); + @unlink('/usr/local/etc/snort/sid'); + @unlink('/usr/local/etc/rc.d/snort'); + @unlink('/usr/local/etc/rc.d/bardyard2'); /* remove example files */ - if(file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) - { + if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); - } - if(file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) - { + if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) exec('/bin/rm 
/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); - } - /* add snort user and group note: 920 keep the numbers < 2000, above this is reserved in pfSense 2.0 */ exec('/usr/sbin/pw groupadd snort -g 920'); 
@@ -542,53 +499,35 @@ function snort_postinstall() /* create a few directories and ensure the sample files are in place */ - if(!file_exists('/usr/local/etc/snort')) - { - exec('/bin/mkdir -p /usr/local/etc/snort'); - } - - if(!file_exists('/usr/local/etc/snort/custom_rules')) - { - exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules/'); - } + if (!is_dir('/usr/local/etc/snort')) + exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules'); - if(!file_exists('/usr/local/etc/snort/whitelist')) - { + if (!file_exists('/usr/local/etc/snort/whitelist')) exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); - } - if(!file_exists('/var/log/snort/run')) - { + if (!is_dir('/var/log/snort/run')) exec('/bin/mkdir -p /var/log/snort/run'); - } - if(!file_exists('/var/log/snort/barnyard2')) - { - exec('/bin/mkdir -p /var/log/snort/barnyard2/'); - } + if (!is_dir('/var/log/snort/barnyard2')) + exec('/bin/mkdir -p /var/log/snort/barnyard2'); - if(!file_exists('/usr/local/lib/snort/dynamicrules/')) - { + if (!is_dir('/usr/local/lib/snort/dynamicrules/')) exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); - } - if(!file_exists('/var/db/whitelist')) - { + if (!file_exists('/var/db/whitelist')) touch('/var/db/whitelist'); - } /* if users have old log files delete them */ - if(!file_exists('/var/log/snort/alert')) { + if(!file_exists('/var/log/snort/alert')) touch('/var/log/snort/alert'); - }else{ + else { exec('/bin/rm -rf /var/log/snort/*'); touch('/var/log/snort/alert'); } /* rm barnyard2 important */ - if(!file_exists('/usr/local/bin/barnyard2')) { - exec('/bin/rm /usr/local/bin/barnyard2'); - } + if (!file_exists('/usr/local/bin/barnyard2')) + @unlink('/usr/local/bin/barnyard2'); /* important */ exec('/usr/sbin/chown -R snort:snort /var/log/snort'); 
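Review bot: Merging the two directory checks into `if (!is_dir('/usr/local/etc/snort')) exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules');` means `custom_rules` is never created when `/usr/local/etc/snort` already exists (an upgrade), whereas the replaced code tested each directory on its own; test the leaf directory instead: `if (!is_dir('/usr/local/etc/snort/custom_rules'))`. Further down, `if (!file_exists('/usr/local/bin/barnyard2')) @unlink('/usr/local/bin/barnyard2');` carries over the inverted condition from the old code — it unlinks only when the file is absent, so it is a no-op; the `/* rm barnyard2 important */` comment suggests the intent is to drop a stale binary before the fetch later in this function, in which case the `!` should go.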
@@ -619,7 +558,7 @@ function snort_postinstall() exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/colorbox.css'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/new_tab_menu.css'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/sexybuttons.css'); - chdir ("/usr/local/www/snort/images/"); + chdir("/usr/local/www/snort/images/"); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/alert.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down2.gif'); 
@@ -646,83 +585,53 @@ function snort_postinstall() exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/prototype.js'); /* install barnyard2 for 2.0 x86 x64 and 1.2.3 x86 */ - chdir ("/usr/local/bin/"); + chdir("/usr/local/bin/"); update_status(gettext("Installing Barnyard2 for $snort_arch...")); update_output_window(gettext("Please wait...")); - if ($pfsense_stable == 'yes') { + if ($snort_pfsense_basever == 'yes') exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2'); - } - - if ($pfsense_stable == 'no' && $snort_arch == 'x86') { - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.1x86/barnyard2'); - } + else if ($snort_pfsense_basever == 'no') + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.1{$snort_arch}/barnyard2'); - if ($pfsense_stable == 'no' && $snort_arch == 'x64') { - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.1x64/barnyard2'); - } update_output_window(gettext("Finnished Installing Barnyard2...")); exec('/bin/chmod 755 /usr/local/bin/barnyard2'); - /* install perl-threaded */ /* TODO: invoke this through pkg_util.inc */ - if(!file_exists('/tmp/pkg_s')) { + if (!is_dir('/tmp/pkg_s')) exec('/bin/mkdir -p /tmp/pkg_s'); - } - chdir ('/tmp/pkg_s'); + $snort_tmp_pkg_dir = "{$g['tmp_path']}/pkg_s"; + chdir('$snort_tmp_pkg_dir'); - update_status(gettext("Installing perl-threaded for $snort_arch...")); + update_status(gettext("Installing perl-threaded for {$snort_arch}...")); update_output_window(gettext("Please wait downloading...")); - if ($pfsense_stable == 'yes') { - exec('/usr/bin/fetch http://files.pfsense.org/packages/snort/7.3x86/perl-threaded-5.12.1_1.tbz'); - } - - if ($pfsense_stable == 'no' && $snort_arch == 'x86') { - exec('/usr/bin/fetch http://files.pfsense.org/packages/snort//8.1x86/perl-threaded-5.12.1_1.tbz'); - } - - if ($pfsense_stable == 'no' && $snort_arch == 'x64') { - exec('/usr/bin/fetch 
http://files.pfsense.org/packages/snort/8.1x64/perl-threaded-5.12.1_1.tbz'); - } - - conf_mount_rw(); - if(!file_exists('/root/pkg_s')) { - exec('/bin/mkdir -p /root/pkg_s'); - } + if ($snort_pfsense_basever == 'yes') + exec("/usr/bin/fetch http://files.pfsense.org/packages/snort/7.3x86/perl-threaded-5.12.1_1.tbz"); + else if ($snort_pfsense_basever == 'no') + exec("/usr/bin/fetch http://files.pfsense.org/packages/snort//8.1{$snort_arch}/perl-threaded-5.12.1_1.tbz"); update_output_window(gettext("Please wait Installing...")); - if(file_exists('/tmp/pkg_s/perl-threaded-5.12.1_1.tbz')) { - exec('/bin/cp /tmp/pkg_s/perl-threaded-5.12.1_1.tbz /root/pkg_s/perl-threaded-5.12.1_1.tbz'); - sleep(2); - exec('/usr/sbin/pkg_add -f /root/pkg_s/perl-threaded-5.12.1_1.tbz'); - } + if (file_exists("{$snort_tmp_pkg_dir}/perl-threaded-5.12.1_1.tbz")) + exec("/usr/sbin/pkg_add -f {$snort_tmp_pkg_dir}/perl-threaded-5.12.1_1.tbz"); update_output_window(gettext("Please wait Cleaning Up...")); - if(file_exists('/root/pkg_s/')) { - exec('/bin/rm -r /tmp/pkg_s/'); - exec('/bin/rm -r /root/pkg_s/'); - } + if (is_dir($snort_tmp_pkg_dir)) + exec("/bin/rm -r {$snort_tmp_pkg_dir}"); update_output_window(gettext("Finnished Installing perl-threaded...")); /* back to default */ - chdir ('/root/'); + chdir('/root/'); /* make sure snort-old is deinstalled */ - /* remove when snort-old is removed */ - unset($config['installedpackages']['snort']); - unset($config['installedpackages']['snortdefservers']); - unset($config['installedpackages']['snortwhitelist']); - unset($config['installedpackages']['snortthreshold']); - unset($config['installedpackages']['snortadvanced']); - write_config(); - conf_mount_rw(); + unset($config['installedpackages']['snort'], $config['installedpackages']['snortdefservers'], $config['installedpackages']['snortwhitelist']); + unset($config['installedpackages']['snortthreshold'], $config['installedpackages']['snortadvanced']); /* remake saved settings */ - 
if($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_status(gettext("Saved settings detected...")); update_output_window(gettext("Please wait... rebuilding files...")); sync_snort_package_empty(); @@ -736,10 +645,11 @@ function snort_postinstall() function sync_package_snort_reinstall() { global $config; + conf_mount_rw(); - if(!$config['installedpackages']['snortglobal']) - return; + if (!$config['installedpackages']['snortglobal']) + return; /* create snort configuration file */ create_snort_conf(); @@ -752,7 +662,7 @@ function sync_package_snort_reinstall() function snort_Getdirsize($node) { if(!is_readable($node)) - return false; + return false; $blah = exec( "/usr/bin/du -kd $node" ); return substr( $blah, 0, strpos($blah, 9) ); @@ -763,12 +673,12 @@ function snort_snortloglimit_install_cron($should_install) { global $config, $g; if ($g['booting']==true) - return; + return; $is_installed = false; - if(!$config['cron']['item']) - return; + if (!is_array($config['cron']['item'])) + $config['cron']['item'] = array(); $x=0; foreach($config['cron']['item'] as $item) { @@ -795,17 +705,17 @@ function snort_snortloglimit_install_cron($should_install) { $cron_item['who'] = "root"; $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc"; $config['cron']['item'][] = $cron_item; - write_config('Installed snort log limit size'); + write_config('Installed snort log limit size'); /* XXX */ + conf_mount_rw(); configure_cron(); exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable } break; case false: if($is_installed == true) { - if($x > 0) - { + if($x > 0) { unset($config['cron']['item'][$x]); - write_config(); + write_config(); /* XXX */ conf_mount_rw(); } configure_cron(); 
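Review bot: Two of the new lines use single-quoted strings that PHP does not interpolate: `exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.1{$snort_arch}/barnyard2');` requests a literal `8.1{$snort_arch}` path, and `chdir('$snort_tmp_pkg_dir');` tries to enter a directory literally named `$snort_tmp_pkg_dir`, so the perl-threaded download lands in whatever directory was current. Switch both to double quotes, as the perl-threaded fetch two lines later already does. The `mkdir -p /tmp/pkg_s` above still hard-codes `/tmp` while the rest of the block uses `{$g['tmp_path']}/pkg_s`; compute `$snort_tmp_pkg_dir` first and use it for the mkdir as well. Unrelated to the rewrite but worth a TODO comment: the barnyard2 binary is fetched over plain http and made executable with no checksum or signature check. snort_postinstall continues outside the hunk.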
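Review bot: The `/* XXX */` markers added after both `write_config(...)` calls in snort_snortloglimit_install_cron say nothing about what is unresolved, and the same bare marker appears in find_whitelist_key, find_suppress_key and the snort_rm_blocked_install_cron hunk. If the concern is that `conf_mount_rw()` now runs after `write_config()` rather than before it, say so in the marker, e.g. `/* XXX: is conf_mount_rw() needed before write_config()? verify ordering */`, so the next reader knows what to check rather than what to ignore.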
@@ -822,18 +732,16 @@ function snort_rm_blocked_install_cron($should_install) global $config, $g; if ($g['booting']==true) - return; + return; $is_installed = false; - if(!$config['cron']['item']) - return; + if(!is_array($config['cron']['item'])) + $config['cron']['item'] = array(); $x=0; - foreach($config['cron']['item'] as $item) - { - if (strstr($item['command'], "snort2c")) - { + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { $is_installed = true; break; } @@ -841,8 +749,7 @@ function snort_rm_blocked_install_cron($should_install) } $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; - if ($snort_rm_blocked_info_ck == "1h_b") - { + if ($snort_rm_blocked_info_ck == "1h_b") { $snort_rm_blocked_min = "*/5"; $snort_rm_blocked_hr = "*"; $snort_rm_blocked_mday = "*"; @@ -850,8 +757,7 @@ function snort_rm_blocked_install_cron($should_install) $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "3600"; } - if ($snort_rm_blocked_info_ck == "3h_b") - { + if ($snort_rm_blocked_info_ck == "3h_b") { $snort_rm_blocked_min = "*/15"; $snort_rm_blocked_hr = "*"; $snort_rm_blocked_mday = "*"; @@ -859,8 +765,7 @@ function snort_rm_blocked_install_cron($should_install) $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "10800"; } - if ($snort_rm_blocked_info_ck == "6h_b") - { + if ($snort_rm_blocked_info_ck == "6h_b") { $snort_rm_blocked_min = "*/30"; $snort_rm_blocked_hr = "*"; $snort_rm_blocked_mday = "*"; @@ -868,8 +773,7 @@ function snort_rm_blocked_install_cron($should_install) $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "21600"; } - if ($snort_rm_blocked_info_ck == "12h_b") - { + if ($snort_rm_blocked_info_ck == "12h_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/1"; $snort_rm_blocked_mday = "*"; 
@@ -877,8 +781,7 @@ function snort_rm_blocked_install_cron($should_install) $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "43200"; } - if ($snort_rm_blocked_info_ck == "1d_b") - { + if ($snort_rm_blocked_info_ck == "1d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/2"; $snort_rm_blocked_mday = "*"; @@ -886,8 +789,7 @@ function snort_rm_blocked_install_cron($should_install) $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "86400"; } - if ($snort_rm_blocked_info_ck == "4d_b") - { + if ($snort_rm_blocked_info_ck == "4d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/8"; $snort_rm_blocked_mday = "*"; @@ -895,8 +797,7 @@ function snort_rm_blocked_install_cron($should_install) $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "345600"; } - if ($snort_rm_blocked_info_ck == "7d_b") - { + if ($snort_rm_blocked_info_ck == "7d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/14"; $snort_rm_blocked_mday = "*"; @@ -904,8 +805,7 @@ function snort_rm_blocked_install_cron($should_install) $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "604800"; } - if ($snort_rm_blocked_info_ck == "28d_b") - { + if ($snort_rm_blocked_info_ck == "28d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "0"; $snort_rm_blocked_mday = "*/2"; 
@@ -913,38 +813,35 @@ function snort_rm_blocked_install_cron($should_install) $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "2419200"; } - switch($should_install) - { - case true: - if(!$is_installed) - { - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - $config['cron']['item'][] = $cron_item; - write_config("Installed $snort_rm_blocked_info_ck minute filter reload for Time Based Rules"); - configure_cron(); - exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable - } - break; - case false: - if($is_installed == true) - { - if($x > 0) - { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + write_config("Installed $snort_rm_blocked_info_ck minute filter reload for Time Based Rules"); /* XXX */ + conf_mount_rw(); + configure_cron(); + exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable + } + break; + case false: + if ($is_installed == true) { + if ($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); /* XXX */ + 
conf_mount_rw(); } - break; + configure_cron(); + exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable + } + break; } } @@ -953,12 +850,12 @@ function snort_rules_up_install_cron($should_install) { global $config, $g; if ($g['booting']==true) - return; + return; $is_installed = false; if(!$config['cron']['item']) - return; + $config['cron']['item'] = array(); $x=0; foreach($config['cron']['item'] as $item) { 
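Review bot: Neither the schedule fields nor `$snort_rm_blocked_expire` have a default, so if `rm_blocked` holds a value outside the handled `1h_b`…`28d_b` set the `case true` branch still installs a cron entry whose command is `expiretable -t  snort2c` with empty minute/hour fields. Guard it before the switch, e.g. `if (empty($snort_rm_blocked_expire)) return;`, or normalise the setting when it is saved. In the `case false` branch, `if ($x > 0)` never removes a matching entry at index 0, assuming `$x` is the loop index incremented after the strstr() test (that part of the loop lies between the earlier hunks); since `$is_installed` already guarantees a match, the `$x > 0` test can simply be dropped. snort_rm_blocked_install_cron starts before this hunk.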
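Review bot: The replacement guard `if(!$config['cron']['item']) $config['cron']['item'] = array();` in snort_rules_up_install_cron tests truthiness, whereas the same fix in snort_rm_blocked_install_cron (previous hunk) uses `!is_array(...)`; a non-array, non-empty value passes here and then breaks the `foreach` that follows. Use `if (!is_array($config['cron']['item']))` in both places so the two functions behave the same. snort_rules_up_install_cron continues past this hunk.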
@@ -1012,39 +909,39 @@ function snort_rules_up_install_cron($should_install) { $snort_rules_up_wday = "*"; } switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - configure_cron(); - exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); /* XXX */ + cont_mount_rw(); + configure_cron(); + exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); /* XXX */ + conf_mount_rw(); } - break; + configure_cron(); + exec('/usr/bin/killall -HUP 
cron'); // TODO: remove when 2.0 is stable + } + break; } } function sync_snort_package_remove_old() { - global $config, $g; $snort_dir_scan = '/usr/local/etc/snort'; @@ -1064,27 +961,18 @@ function sync_snort_package_remove_old() } $rule_array2 = $config['installedpackages']['snortglobal']['rule']; - $id2 = -1; - foreach ($rule_array2 as $value) - { - - $id += 1; - - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + foreach ($rule_array2 as $id => $value) { + $result_lan = $value['interface']; $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - $snort_rules_list[] = "snort_$id$if_real"; - + $snort_rules_list[] = "snort_{$id}{$if_real}"; } - $snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg')); $snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list); foreach ($snort_dir_filter_search_result as $value) - { - exec("rm -r /usr/local/etc/snort/$value"); - } + exec("/bin/rm -r /usr/local/etc/snort/$value"); } @@ -1092,29 +980,20 @@ function sync_snort_package_remove_old() function sync_snort_package() { global $config, $g; - conf_mount_rw(); /* all new files are for the user snort nologin */ - if(!file_exists('/var/log/snort')) - { + if (!is_dir('/var/log/snort')) exec('/bin/mkdir -p /var/log/snort'); - } - if(!file_exists('/var/log/snort/run')) - { + if (!is_dir('/var/log/snort/run')) exec('/bin/mkdir -p /var/log/snort/run'); - } - if(!file_exists('/var/log/snort/barnyard2')) - { + if (!is_dir('/var/log/snort/barnyard2')) exec('/bin/mkdir -p /var/log/snort/barnyard2'); - } /* all new files are for the user snort nologin */ - if(!file_exists('/var/log/snort/alert')) - { + if (!file_exists('/var/log/snort/alert')) exec('/usr/bin/touch /var/log/snort/alert'); - } /* important */ exec('/usr/sbin/chown -R snort:snort /var/log/snort'); 
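Review bot: `cont_mount_rw();` in the `case true` branch of snort_rules_up_install_cron is a typo for `conf_mount_rw();` — no such function exists, so installing the rule-update cron job dies with a fatal "Call to undefined function" right after write_config() (the `case false` branch below spells it correctly). Separately, the installed cron command appends as root to `/tmp/snort_update.log`; a local user can pre-create that name as a symlink and root's `>>` will follow it, so the log should live in a root-owned directory rather than /tmp. snort_rules_up_install_cron starts before this hunk.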
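Review bot: In sync_snort_package_remove_old the keep-list is built as `snort_{$id}{$if_real}` (config index, no separator), while the per-interface directories referenced elsewhere in this commit are `/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}` (see the `-c` path in create_snort_sh). If that is how the directories are actually named, array_diff never finds a match and the loop `rm -r`s every interface's configuration; build the list from `$value['uuid']` with the same `snort_{uuid}_{iface}` pattern. The unanchored ereg filter `snort_` also keeps any entry merely containing that substring, and `$value` is interpolated into `exec("/bin/rm -r ...")` unquoted — wrap it with escapeshellarg(). sync_snort_package_remove_old starts before this hunk.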
@@ -1134,19 +1013,19 @@ function sync_snort_package() $snortloglimitsize = $config['installedpackages']['snortglobal']['snortloglimitsize']; $snortloglimit = $config['installedpackages']['snortglobal']['snortloglimit']; + $write_config = false; + if ($snortloglimit == '') { /* code will set limit to 21% of slice that is unused */ $config['installedpackages']['snortglobal']['snortloglimit'] = 'on'; - write_config(); - conf_mount_rw(); + $write_config = true; } if ($snortloglimitsize == '') { /* code will set limit to 21% of slice that is unused */ $snortloglimitDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') * .22 / 1024); $config['installedpackages']['snortglobal']['snortloglimitsize'] = $snortloglimitDSKsize; - write_config(); - conf_mount_rw(); + $write_config = true; } $snort_snortloglimit_info_ck = $config['installedpackages']['snortglobal']['snortloglimit']; @@ -1155,13 +1034,15 @@ function sync_snort_package() snort_snortloglimit_install_cron('true'); } - conf_mount_ro(); + /* XXX: Really need write_config here? */ + write_config(); + /* XXX: Restore rw mode since write_config sets ro */ + conf_mount_rw(); } /* only run when a single iface needs to sync */ function sync_snort_package_all($id, $if_real, $snort_uuid) { - //global $config, $g, $id, $if_real, $snort_uuid, $interface_fake; global $config, $g; /* RedDevil suggested code */ 
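Review bot: `$write_config` is set in both `if` branches of sync_snort_package but never read: the following hunk calls `write_config()` unconditionally (flagged `/* XXX */`), so the flag is dead and config.xml is rewritten on every sync, including the boot-time and IP-change paths that call this function. Make the write conditional and keep the remount with it, `if ($write_config) { write_config(); conf_mount_rw(); }`, since the trailing `conf_mount_rw()` only exists to undo what write_config() does. sync_snort_package begins before this hunk.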
@@ -1172,55 +1053,48 @@ function sync_snort_package_all($id, $if_real, $snort_uuid) //exec("/sbin/sysctl net.bpf.maxinsns=512"); //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); - # Error checking - if ($id != '' && $if_real != '') //new - { - /* do not start config build if rules is empty */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) - { + /* do not start config build if rules is empty */ + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + if (empty($config['installedpackages']['snortglobal']['rule'][$id])) + return; - conf_mount_rw(); + conf_mount_rw(); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name($result_lan); - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); - /* if rules exist cp rules to each iface */ - create_rules_iface($id, $if_real, $snort_uuid); + /* if rules exist cp rules to each iface */ + create_rules_iface($id, $if_real, $snort_uuid); - /* only build whitelist when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on'){ - create_snort_whitelist($id, $if_real); - } + /* only build whitelist when needed */ + if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on') + create_snort_whitelist($id, $if_real); - /* only build threshold when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default'){ - create_snort_suppress($id, 
$if_real); - } + /* only build threshold when needed */ + if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') + create_snort_suppress($id, $if_real); - /* create snort bootup file snort.sh only create once */ - create_snort_sh(); + /* create snort bootup file snort.sh only create once */ + create_snort_sh(); - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); + /* create barnyard2 configuration file */ + if ($config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'] == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); - sync_snort_package(); + sync_snort_package(); - conf_mount_ro(); - } - } + conf_mount_ro(); } -/* only run when all ifaces needed to sync */ +/* Only run when all ifaces needed to sync. Expects filesystem rw */ function sync_snort_package_empty() { global $config, $g; - conf_mount_rw(); /* RedDevil suggested code */ /* TODO: more testing needs to be done */ 
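Review bot: sync_snort_package_all still takes `$if_real` and `$snort_uuid` as parameters but immediately overwrites both from `$config[...]['rule'][$id]`, so whatever callers pass is ignored; either drop the parameters or only fall back to the config values when they are empty. This hunk also switches to convert_friendly_interface_to_real_interface_name() while sync_snort_package_config (later hunk) and sync_snort_package_remove_old keep the `..._name2` variant; if the two helpers can return different strings, the interface directory built here and the one cleaned up elsewhere will not agree. Pick one helper for all paths. sync_snort_package_all starts before this hunk.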
@@ -1231,67 +1105,50 @@ function sync_snort_package_empty() //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); /* do not start config build if rules is empty */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) - { - if ($id == "") - { - - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) - { - - if ($id == '') { - $id = 0; - } + if (is_array($config['installedpackages']['snortglobal']['rule'])) + return; - $id += 1; + conf_mount_rw(); - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { + $if_real = convert_friendly_interface_to_real_interface_name($value['interface']); + $snort_uuid = $value['uuid']; - if ($if_real != '' && $snort_uuid != '') { - - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); - - /* if rules exist cp rules to each iface */ - create_rules_iface($id, $if_real, $snort_uuid); - - /* only build whitelist when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on'){ - create_snort_whitelist($id, $if_real); - } - - /* only build threshold when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default'){ - create_snort_suppress($id, $if_real); - } - - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); - } - } + if ($if_real != '' && $snort_uuid != '') { + + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); - /* create snort bootup file snort.sh only 
create once */ - create_snort_sh(); + /* if rules exist cp rules to each iface */ + create_rules_iface($id, $if_real, $snort_uuid); - sync_snort_package(); + /* only build whitelist when needed */ + if ($value['blockoffenders7'] == 'on') + create_snort_whitelist($id, $if_real); - conf_mount_ro(); + /* only build threshold when needed */ + if ($value['suppresslistname'] != 'default') + create_snort_suppress($id, $if_real); + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $value['barnyard_enable']; + if ($snortbarnyardlog_info_chk == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); } } + + /* create snort bootup file snort.sh only create once */ + create_snort_sh(); + + sync_snort_package(); + + conf_mount_ro(); } /* only bootup and ip refresh */ function sync_snort_package_config() { global $config, $g; - conf_mount_rw(); /* RedDevil suggested code */ /* TODO: more testing needs to be done */ 
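Review bot: The new guard in sync_snort_package_empty is inverted: `if (is_array($config['installedpackages']['snortglobal']['rule'])) return;` returns exactly when rules exist, so the function never builds anything, and when no rules exist it falls through to `foreach` over a non-array. It should read `if (!is_array($config['installedpackages']['snortglobal']['rule'])) return;`, matching the check in sync_snort_package_all and sync_snort_package_config. The header comment added in the previous hunk also says the function "Expects filesystem rw" while the body now calls conf_mount_rw()/conf_mount_ro() itself; drop one or the other so the contract is clear.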
@@ -1302,313 +1159,267 @@ function sync_snort_package_config() //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); /* do not start config build if rules is empty */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) - { - if ($id == "") - { + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) - { + conf_mount_rw(); - if ($id == '') { - $id = 0; - } + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { - $id += 1; + $result_lan = $value['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + $snort_uuid = $value['uuid']; - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + if (!empty($if_real) && !empty($snort_uuid)) { - if ($if_real != '' && $snort_uuid != '') { - - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); - - /* only build whitelist when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on'){ - create_snort_whitelist($id, $if_real); - } - - /* only build threshold when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default'){ - create_snort_suppress($id, $if_real); - } - - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); - } - } + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); - sync_snort_package(); + /* only build whitelist when needed */ + if ($value['blockoffenders7'] == 'on') + 
create_snort_whitelist($id, $if_real); - conf_mount_ro(); + /* only build threshold when needed */ + if ($value['suppresslistname'] != 'default') + create_snort_suppress($id, $if_real); + /* create barnyard2 configuration file */ + if ($value['barnyard_enable'] == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); } } + + sync_snort_package(); + + conf_mount_ro(); } /* Start of main config files */ -/* Start of main config files */ /* create threshold file */ /* TODO: other func should mirror this code */ function create_snort_suppress($id, $if_real) { - global $config, $g; - conf_mount_rw(); /* make sure dir is there */ - if (!file_exists('/usr/local/etc/snort/suppress/')) { - exec('/bin/mkdir -p /usr/local/etc/snort/suppress/'); - } + if (!is_dir('/usr/local/etc/snort/suppress')) + exec('/bin/mkdir -p /usr/local/etc/snort/suppress'); if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') { - preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'], $slist_num_wrt); - - $whitelist_key_s = find_suppress_key($slist_num_wrt[0]); + if (preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'], $slist_num_wrt)) { + $whitelist_key_s = find_suppress_key($slist_num_wrt[0]); - /* file name */ - $suppress_file_name = $config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['name']; - - /* Message */ - $s_data .= '# This file is auto generated by the snort package. Please do not edit this file by hand.' . "\n\n"; + /* file name */ + $suppress_file_name = $config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['name']; + + /* Message */ + $s_data .= '# This file is auto generated by the snort package. Please do not edit this file by hand.' . 
"\n\n"; - /* user added arguments */ - $s_data .= str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['suppresspassthru'])); + /* user added arguments */ + $s_data .= str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['suppresspassthru'])); - /* open snort's whitelist for writing */ - $suppresslist_w = fopen("/usr/local/etc/snort/suppress/$suppress_file_name", "w"); - if(!$suppresslist_w) { - log_error("Could not open /usr/local/etc/snort/suppress/$suppress_file_name for writing."); - return; + /* open snort's whitelist for writing */ + $suppresslist_w = fopen("/usr/local/etc/snort/suppress/$suppress_file_name", "w"); + if(!$suppresslist_w) { + log_error("Could not open /usr/local/etc/snort/suppress/$suppress_file_name for writing."); + return; + } + fwrite($suppresslist_w, $s_data); + fclose($suppresslist_w); } - - fwrite($suppresslist_w, $s_data); - fclose($suppresslist_w); - conf_mount_ro(); - } - } function create_snort_whitelist($id, $if_real) { - global $config, $g; - conf_mount_rw(); /* make sure dir is there */ - if (!file_exists('/usr/local/etc/snort/whitelist/')) { - exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); - } + if (!is_dir('/usr/local/etc/snort/whitelist')) + exec('/bin/mkdir -p /usr/local/etc/snort/whitelist'); if ($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'] == 'default') { + $w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); + /* open snort's whitelist for writing */ $whitelist_w = fopen("/usr/local/etc/snort/whitelist/defaultwlist", "w"); - if(!$whitelist_w) { + if (!$whitelist_w) { log_error("Could not open /usr/local/etc/snort/whitelist/defaultwlist for writing."); return; } - - $w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); - - }else{ - - preg_match('/^([a-zA-z0-9]+)/', 
$config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $wlist_name_wrt); - preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $wlist_num_wrt); - - $whitelist_key_w = find_whitelist_key($wlist_num_wrt[0]); - - $build_netlist = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['snortlisttype']; - $wanip = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['wanips']; - $wangw = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['wangateips']; - $wandns = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['wandnsips']; - $vips = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['vips']; - $vpns = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['vpnips']; - - /* open snort's whitelist for writing */ - $whitelist_w = fopen("/usr/local/etc/snort/whitelist/$wlist_name_wrt[0]", "w"); - if(!$whitelist_w) { - log_error("Could not open /usr/local/etc/snort/whitelist/$wlist_name_wrt[0] for writing."); - return; + fwrite($whitelist_w, $w_data); + fclose($whitelist_w); + + } else if (preg_match('/^([a-zA-z0-9]+)/', $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $wlist_name_wrt)) { + if (preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $wlist_num_wrt)) { + $whitelist_key_w = find_whitelist_key($wlist_num_wrt[0]); + + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return; + + $build_netlist = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['snortlisttype']; + $wanip = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['wanips']; + $wangw = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['wangateips']; + 
$wandns = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['wandnsips']; + $vips = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['vips']; + $vpns = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['vpnips']; + + $w_data = build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $whitelist_key_w); + + /* open snort's whitelist for writing */ + $whitelist_w = fopen("/usr/local/etc/snort/whitelist/$wlist_name_wrt[0]", "w"); + if(!$whitelist_w) { + log_error("Could not open /usr/local/etc/snort/whitelist/$wlist_name_wrt[0] for writing."); + return; + } + fwrite($whitelist_w, $w_data); + fclose($whitelist_w); } - - $w_data = build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $whitelist_key_w); - } - - fwrite($whitelist_w, $w_data); - fclose($whitelist_w); - conf_mount_ro(); - } function create_snort_homenet($id, $if_real) { - global $config, $g; - conf_mount_rw(); - if ($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == 'default' || $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == '') { + if ($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == 'default' || $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == '') return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); - }else{ - preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'], $hlist_num_wrt); - + else if (preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'], $hlist_num_wrt)) { $whitelist_key_h = find_whitelist_key($hlist_num_wrt[0]); + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return; + $build_netlist_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['snortlisttype']; $wanip_h = 
$config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wanips']; $wangw_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wangateips']; $wandns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wandnsips']; $vips_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vips']; $vpns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vpnips']; - - return build_base_whitelist($build_netlist_h, $wanip_h, $wangw_h, $wandns_h, $vips_h, $vpns_h, $whitelist_key_h); + return build_base_whitelist($build_netlist_h, $wanip_h, $wangw_h, $wandns_h, $vips_h, $vpns_h, $whitelist_key_h); } - - conf_mount_ro(); - } function create_snort_externalnet($id, $if_real) { - global $config, $g; - conf_mount_rw(); - preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['externallistname'], $exlist_num_wrt); - - $whitelist_key_ex = find_whitelist_key($exlist_num_wrt[0]); - - $build_netlist_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype']; - $wanip_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips']; - $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips']; - $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips']; - $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips']; - $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips']; - - return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex); + if (preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['externallistname'], $exlist_num_wrt)) { + 
$whitelist_key_ex = find_whitelist_key($exlist_num_wrt[0]); - conf_mount_ro(); + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return; + + $build_netlist_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype']; + $wanip_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips']; + $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips']; + $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips']; + $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips']; + $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips']; + return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex); + } } /* open snort.sh for writing" */ function create_snort_sh() { - # Don not add $id or this will break - global $config, $g; - conf_mount_rw(); - /* do not start config build if rules is empty */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) - { - if ($id == "") - { + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) - { + $snortconf =& $config['installedpackages']['snortglobal']['rule']; - $id += 1; + $snort_sh_text2 = array(); + $snort_sh_text3 = array(); + $snort_sh_text4 = array(); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + /* do not start config build if rules is empty */ + if (!empty($snortconf)) { + foreach ($snortconf as $value) { + 
$snort_uuid = $value['uuid']; + $result_lan = $value['interface']; + $if_real = convert_friendly_interface_to_real_interface_name($result_lan); - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $value['barnyard_enable']; + $snortbarnyardlog_mysql_info_chk = $value['barnyard_mysql']; - if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { - $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"; - } - - /* Get all interface startup commands ready */ + if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') + $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"; - $snort_sh_text2[] = <<<EOD + /* Get all interface startup commands ready */ + $snort_sh_text2[] = <<<EOD ###### For Each Iface - # If Snort proc is NOT running - if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then +# If Snort proc is NOT running +if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" = "" ]; then - /bin/echo "snort.sh run" > /tmp/snort.sh.pid + /bin/echo "snort.sh run" > /tmp/snort.sh.pid - # Start snort and barnyard2 - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck + # Start snort and barnyard2 + /bin/rm 
/var/run/snort_{$snort_uuid}_{$if_real}.pid + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck - /usr/local/bin/snort -u snort -g snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} - $start_barnyard2 + /usr/local/bin/snort -u snort -g snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + $start_barnyard2 - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..." + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..." + +fi - fi EOD; - $snort_sh_text3[] = <<<EOE + $snort_sh_text3[] = <<<EOE ###### For Each Iface - #### Fake start only used on bootup and Pfsense IP changes - #### Only try to restart if snort is running on Iface - if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then +#### Fake start only used on bootup and Pfsense IP changes +#### Only try to restart if snort is running on Iface +if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then - snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" + snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" - #### Restart Iface - /bin/kill -HUP \${snort_pid} - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..." 
+ #### Restart Iface + /bin/kill -HUP \${snort_pid} + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..." - fi +fi EOE; - $snort_sh_text4[] = <<<EOF + $snort_sh_text4[] = <<<EOF - pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print \$2;}'` - sleep 3 - pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/awk '{print \$2;}'` +pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print \$2;}'` +sleep 3 +pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/awk '{print \$2;}'` - if [ \${pid_s} ] ; then +if [ \${pid_s} ] ; then - /bin/echo "snort.sh run" > /tmp/snort.sh.pid - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." + /bin/echo "snort.sh run" > /tmp/snort.sh.pid + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." - /bin/kill \${pid_s} - sleep 3 - /bin/kill \${pid_b} + /bin/kill \${pid_s} + sleep 3 + /bin/kill \${pid_b} - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid - fi +fi EOF; - - } } } $start_snort_iface_start = implode("\n\n", $snort_sh_text2); - $start_snort_iface_restart = implode("\n\n", $snort_sh_text3); - $start_snort_iface_stop = implode("\n\n", $snort_sh_text4); - /* open snort.sh for writing" */ - conf_mount_rw(); - $snort_sh_text = <<<EOD #!/bin/sh ######## 
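Review bot: `$start_barnyard2` in create_snort_sh's foreach is only ever assigned (under `$snortbarnyardlog_info_chk == 'on' && ...`) and never cleared, so once one interface has barnyard2 enabled every later interface's stanza in `$snort_sh_text2` also launches barnyard2 with the earlier interface's `-f`/`-c` paths. Reset it at the top of each iteration, `$start_barnyard2 = "";`. Separately, the generated script's double-start guard is the file `/tmp/snort.sh.pid`: /tmp is world-writable, so any local user who creates that file makes rc_start exit 0 without starting the sensor (a stale file left by a crash does the same); a root-owned directory such as /var/run is the usual place for it. create_snort_sh continues past this hunk, and the `rc_start` body that consumes these stanzas is further down.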
@@ -1619,58 +1430,58 @@ EOF; rc_start() { - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then + #### Check for double starts, Pfsense has problems with that + if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 - fi + fi - /bin/echo "snort.sh run" > /tmp/snort.sh.pid + /bin/echo "snort.sh run" > /tmp/snort.sh.pid - #### Remake the configs on boot Important! - /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php & - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." + #### Remake the configs on boot Important! + /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php & + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." $start_snort_iface_restart - /bin/rm /tmp/snort.sh.pid + /bin/rm /tmp/snort.sh.pid - #### If on Fake start snort is NOT running DO a real start. - if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then + #### If on Fake start snort is NOT running DO a real start. 
+ if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then rc_start_real - fi + fi } rc_start_real() { - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then + #### Check for double starts, Pfsense has problems with that + if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 - fi + fi $start_snort_iface_start - /bin/rm /tmp/snort.sh.pid + /bin/rm /tmp/snort.sh.pid } rc_stop() { - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then + #### Check for double starts, Pfsense has problems with that + if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 - fi + fi $start_snort_iface_stop - /bin/rm /tmp/snort.sh.pid - /bin/rm /var/run/snort* + /bin/rm /tmp/snort.sh.pid + /bin/rm /var/run/snort* } @@ -1696,12 +1507,10 @@ EOD; $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w"); if(!$bconf) { log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); - exit; + return; } - /* write snort.sh */ fwrite($bconf, $snort_sh_text); fclose($bconf); - } 
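Review bot: rc_start, rc_start_real and rc_stop all key their double-start guard on `/tmp/snort.sh.pid` with `if /bin/ls /tmp/snort.sh.pid > /dev/null`, so a marker left behind by a crash — or pre-created by any local user, since /tmp is world-writable — makes every later start and stop `exit 0` until someone removes it by hand. The marker belongs under `/var/run` next to the per-interface pid files and should be taken atomically, e.g. `if ! /bin/mkdir /var/run/snort.sh.lock 2>/dev/null; then`, with a matching `/bin/rmdir /var/run/snort.sh.lock` wherever the script currently does `/bin/rm /tmp/snort.sh.pid`. rc_stop additionally ends with `/bin/rm /var/run/snort*`, which removes the pid files of every interface rather than only those stopped by `$start_snort_iface_stop`. The `$start_snort_iface_*` bodies are built from heredocs outside this hunk.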
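Review bot: Replacing `exit;` with a bare `return;` after the failed fopen() of `/usr/local/etc/rc.d/snort.sh` means the caller now continues as though the startup script had been rewritten, while the create_snort_conf hunk below uses `return -1;` for the same condition. Pick one convention — `return false;` with callers testing the result reads naturally — so a failed write of the script is not silently followed by an attempt to run the stale one. The enclosing function starts outside this hunk.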
@@ -1710,42 +1519,34 @@ EOD; /* if rules exist copy to new interfaces */ function create_rules_iface($id, $if_real, $snort_uuid) { - global $config, $g; - conf_mount_rw(); - $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"; - $folder_chk = (count(glob("$if_rule_dir/*")) === 0) ? 'empty' : 'full'; + $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"; + $folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 'empty' : 'full'; - if ($folder_chk == "empty") - { - exec("/bin/cp -R /usr/local/etc/snort/rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + if ($folder_chk == "empty") { + exec("/bin/cp -R /usr/local/etc/snort/rules {$if_rule_dir}/rules"); if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) - { - exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules/local_{$snort_uuid}_{$if_real}.rules"); - } + exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules"); } - } /* open barnyard2.conf for writing */ function create_barnyard2_conf($id, $if_real, $snort_uuid) { global $bconfig, $g; - /* write out barnyard2_conf */ - if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) - { + if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); - } - if(!file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo")) - { + if (!file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { exec("/usr/bin/touch /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo"); exec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo"); exec("/bin/chmod 770 /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo"); } 
$barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); + + /* write out barnyard2_conf */ $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); if(!$bconf) { log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); @@ -1757,9 +1558,7 @@ function create_barnyard2_conf($id, $if_real, $snort_uuid) { /* open barnyard2.conf for writing" */ function generate_barnyard2_conf($id, $if_real, $snort_uuid) { - global $config, $g; - conf_mount_rw(); /* define snortbarnyardlog */ /* TODO: add support for the other 5 output plugins */ 
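Review bot: `$if_rule_dir` now names the interface directory instead of its `rules` subdirectory, but the custom-rules copy in create_rules_iface was not updated in step: it lands at `{$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules`, one level above `$RULE_PATH`, whereas the old code placed it in `.../rules/`; the destination should be `{$if_rule_dir}/rules/local_{$snort_uuid}_{$if_real}.rules`. The new `cp -R /usr/local/etc/snort/rules {$if_rule_dir}/rules` also nests as `rules/rules` when an empty `rules` directory already exists, which the `glob()` emptiness test cannot distinguish from a missing one, so either keep the old parent-directory destination or copy the contents with the FreeBSD trailing-slash form `/usr/local/etc/snort/rules/`. `$snort_uuid` and `$if_real` are interpolated into every exec() string in both functions unquoted; wrapping them with escapeshellarg() would cost nothing.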
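Review bot: Dropping `global $config, $g;` from generate_barnyard2_conf is only safe if nothing later in the function reads `$config`; the body continues outside this hunk, and the `/* define snortbarnyardlog */` comment directly below suggests a config lookup follows, which would now silently see an undefined local. Please confirm, and keep `global $config;` if any `$config[...]` access remains.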
@@ -1828,42 +1627,44 @@ config logdir: /var/log/snort EOD; return $barnyard2_conf_text; - } function create_snort_conf($id, $if_real, $snort_uuid) { global $config, $g; - /* write out snort.conf */ if ($if_real != '' && $snort_uuid != '') { - - if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf")) { - exec("/bin/mkdir /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/"); - exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); + if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf")) { + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + @touch("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); } $snort_conf_text = generate_snort_conf($id, $if_real, $snort_uuid); + if (empty($snort_conf_text)) + return; + conf_mount_rw(); + + /* write out snort.conf */ $conf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf", "w"); if(!$conf) { log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf for writing."); - exit; + return -1; } fwrite($conf, $snort_conf_text); fclose($conf); + conf_mount_ro(); } } function snort_deinstall() { - global $config, $g; - conf_mount_rw(); /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); + /* decrease bpf buffers back to 4096, from 20480 */ exec('/sbin/sysctl net.bpf.bufsize=4096'); exec('/usr/usr/bin/killall snort'); 
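Review bot: The new guard `if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"))` applies is_dir() to a file path, which is false whenever snort.conf is a regular file, so the mkdir/touch branch now runs on every call; the intent reads as `if (!file_exists(".../snort.conf"))`, or `!is_dir(dirname(...))` if the directory is what matters. The `exec("/bin/mkdir -p ...")` and `@touch(...)` also execute before `conf_mount_rw()` is called further down, so on a read-only root they fail and the `@` hides it — move `conf_mount_rw()` above them. `return -1;` here versus the bare `return;` in the snort.sh writer for the same fopen() failure should be unified. The unchanged context in snort_deinstall still runs `exec('/usr/usr/bin/killall snort')`, a doubled `usr` that looks like a typo for `/usr/bin/killall`.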
@@ -1876,14 +1677,14 @@ function snort_deinstall()
 sleep(2);
 exec('/usr/sbin/pw userdel snort');
 exec('/usr/sbin/pw groupdel snort');
- exec('rm -rf /usr/local/etc/snort*');
- exec('rm -rf /usr/local/pkg/snort*');
- exec('rm -rf /usr/local/pkg/pf/snort*');
+ exec('/bin/rm -rf /usr/local/etc/snort*');
+ exec('/bin/rm -rf /usr/local/pkg/snort*');
+ exec('/bin/rm -rf /usr/local/pkg/pf/snort*');
- exec("cd /var/db/pkg && pkg_delete `ls | grep snort`");
- exec("cd /var/db/pkg && pkg_delete `ls | grep perl-threaded`");
- exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client-5.1.50_1`");
- exec('rm -r /usr/local/bin/barnyard2');
+ exec("cd /var/db/pkg && pkg_delete -x snort");
+ exec("cd /var/db/pkg && pkg_delete -x perl-threaded");
+ exec("cd /var/db/pkg && pkg_delete -x mysql-client-5.1.50_1");
+ exec('/bin/rm -r /usr/local/bin/barnyard2');
 /* TODO: figure out how to detect pfsense packages that use the same freebsd pkckages and not deinstall */
 //exec("cd /var/db/pkg && pkg_delete `ls | grep perl`");
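Review bot: `pkg_delete -x snort` treats its argument as an unanchored regular expression, so it removes every installed package whose name merely contains `snort`, and in `-x mysql-client-5.1.50_1` the dots match any character. Anchoring the patterns, e.g. `pkg_delete -x '^snort-'`, keeps the deinstall from taking unrelated packages with it — the TODO directly below already worries about exactly that.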
@@ -1891,453 +1692,397 @@ function snort_deinstall() //exec("cd /var/db/pkg && pkg_delete `ls | grep pcre`"); // Never remove pcre or pfsense will break /* Remove snort cron entries Ugly code needs smoothness*/ - - function snort_rm_blocked_deinstall_cron($should_install) - { - global $config, $g; - conf_mount_rw(); - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) - { - if (strstr($item['command'], "snort2c")) - { - $is_installed = true; - break; + if (!function_exists('snort_deinstall_cron')) { + function snort_deinstall_cron($crontask) { + global $config, $g; + + if(!$config['cron']['item']) + return; + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], $crontask)) { + $is_installed = true; + break; + } + $x++; } - - $x++; - - } - if($is_installed == true) - { - if($x > 0) - { + if ($is_installed == true) unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - - configure_cron(); - - } - conf_mount_ro(); - - } - - function snort_rules_up_deinstall_cron($should_install) - { - global $config, $g; - conf_mount_rw(); - - $is_installed = false; - - if(!$config['cron']['item']) - return; - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } configure_cron(); } } - snort_rm_blocked_deinstall_cron(""); - snort_rules_up_deinstall_cron(""); - + snort_deinstall_cron("snort2c"); + snort_deinstall_cron("snort_check_for_rule_updates.php"); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ /* Keep this as a last step */ - if($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') { + if 
($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') unset($config['installedpackages']['snortglobal']); - } - write_config(); + + write_config(); /* XXX */ conf_mount_rw(); exec('rm -rf /usr/local/www/snort'); exec('rm -rf /usr/local/lib/snort/'); exec('rm -rf /var/log/snort/'); exec('rm -rf /usr/local/pkg/snort'); - - conf_mount_ro(); - } function generate_snort_conf($id, $if_real, $snort_uuid) { global $config, $g; + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + $snortcfg =& $config['installedpackages']['snortglobal']['rule'][$id]; + conf_mount_rw(); /* custom home nets */ $home_net = create_snort_homenet($id, $if_real); - if ($config['installedpackages']['snortglobal']['rule'][$id]['externallistname'] == 'default'){ + if ($snortcfg['externallistname'] == 'default') $external_net = '!$HOME_NET'; - }else{ + else $external_net = create_snort_externalnet($id, $if_real); - } /* obtain external interface */ /* XXX: make multi wan friendly */ - $snort_ext_int = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $snort_ext_int = $snortcfg['interface']; /* user added arguments */ - $snort_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['configpassthru'])); + $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); /* create basic files */ - if(!file_exists("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")) - { - exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/"); + if (!is_dir("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")) + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + + @copy("/usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); + @copy("/usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); + 
@copy("/usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); + @copy("/usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); + @copy("/usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); + @copy("/usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); + @copy("/usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); + @touch("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); + + if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules")) exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); - if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map")) - { - exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); - exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); - exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); - exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); - exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); - exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); - exec("/bin/cp /usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); - exec("/bin/cp/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); - exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); - } - } - - /* define basic log filename */ $snortunifiedlogbasic_type = "output 
unified: filename snort_{$snort_uuid}_{$if_real}.log, limit 128"; /* define snortalertlogtype */ $snortalertlogtype = $config['installedpackages']['snortglobal']['snortalertlogtype']; - if ($snortalertlogtype == fast) - $snortalertlogtype_type = "output alert_fast: alert"; + if ($snortalertlogtype == "fast") + $snortalertlogtype_type = "output alert_fast: alert"; else - $snortalertlogtype_type = "output alert_full: alert"; + $snortalertlogtype_type = "output alert_full: alert"; /* define alertsystemlog */ - $alertsystemlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['alertsystemlog']; - if ($alertsystemlog_info_chk == on) - $alertsystemlog_type = "output alert_syslog: log_alert"; + $alertsystemlog_type = $snortcfg['alertsystemlog']; + if ($alertsystemlog_type == "on") + $alertsystemlog_type = "output alert_syslog: log_alert"; /* define tcpdumplog */ - $tcpdumplog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['tcpdumplog']; - if ($tcpdumplog_info_chk == on) - $tcpdumplog_type = "output log_tcpdump: snort_{$snort_uuid}_{$if_real}.tcpdump"; + $tcpdumplog_info_chk = $snortcfg['tcpdumplog']; + if ($tcpdumplog_info_chk == "on") + $tcpdumplog_type = "output log_tcpdump: snort_{$snort_uuid}_{$if_real}.tcpdump"; /* define snortunifiedlog */ - $snortunifiedlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog']; - if ($snortunifiedlog_info_chk == on) - $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; + $snortunifiedlog_info_chk = $snortcfg['snortunifiedlog']; + if ($snortunifiedlog_info_chk == "on") + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; /* define spoink */ - $spoink_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7']; - if ($spoink_info_chk == on) { + $spoink_info_chk = $snortcfg['blockoffenders7']; + if ($spoink_info_chk == "on") { - 
preg_match('/^([a-zA-z0-9]+)/', $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $wlist_name_file); + if (preg_match('/^([a-zA-z0-9]+)/', $snortcfg['whitelistname'], $wlist_name_file)) { + if ($wlist_name_file[0] == 'default') + $spoink_whitelist_name = 'defaultwlist'; + else + $spoink_whitelist_name = $wlist_name_file[0]; - if ($wlist_name_file[0] == 'default') { - $spoink_whitelist_name = 'defaultwlist'; - }else{ - $spoink_whitelist_name = $wlist_name_file[0]; + $spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/{$spoink_whitelist_name},snort2c"; } - - $spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/$spoink_whitelist_name,snort2c"; - } /* define threshold file */ - $threshold_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname']; + $threshold_info_chk = $snortcfg['suppresslistname']; if ($threshold_info_chk != 'default') { - - preg_match('/^([a-zA-z0-9]+)/', $config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'], $slist_name_file2); - - $threshold_name = $slist_name_file2[0]; - - $threshold_file_name = "include /usr/local/etc/snort/suppress/$threshold_name"; - + if (preg_match('/^([a-zA-z0-9]+)/', $snortcfg['suppresslistname'], $slist_name_file2)) { + $threshold_name = $slist_name_file2[0]; + $threshold_file_name = "include /usr/local/etc/snort/suppress/{$threshold_name}"; + } } /* define servers and ports snortdefservers */ /* def DNS_SERVSERS */ - $def_dns_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_servers']; + $def_dns_servers_info_chk = $snortcfg['def_dns_servers']; if ($def_dns_servers_info_chk == "") - $def_dns_servers_type = "\$HOME_NET"; + $def_dns_servers_type = "\$HOME_NET"; else - $def_dns_servers_type = "$def_dns_servers_info_chk"; + $def_dns_servers_type = "$def_dns_servers_info_chk"; /* def DNS_PORTS */ - $def_dns_ports_info_chk = 
$config['installedpackages']['snortglobal']['rule'][$id]['def_dns_ports']; + $def_dns_ports_info_chk = $snortcfg['def_dns_ports']; if ($def_dns_ports_info_chk == "") - $def_dns_ports_type = "53"; + $def_dns_ports_type = "53"; else - $def_dns_ports_type = "$def_dns_ports_info_chk"; + $def_dns_ports_type = "$def_dns_ports_info_chk"; /* def SMTP_SERVSERS */ - $def_smtp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_servers']; + $def_smtp_servers_info_chk = $snortcfg['def_smtp_servers']; if ($def_smtp_servers_info_chk == "") - $def_smtp_servers_type = "\$HOME_NET"; + $def_smtp_servers_type = "\$HOME_NET"; else - $def_smtp_servers_type = "$def_smtp_servers_info_chk"; + $def_smtp_servers_type = "$def_smtp_servers_info_chk"; /* def SMTP_PORTS */ - $def_smtp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_ports']; + $def_smtp_ports_info_chk = $snortcfg['def_smtp_ports']; if ($def_smtp_ports_info_chk == "") - $def_smtp_ports_type = "25"; + $def_smtp_ports_type = "25"; else - $def_smtp_ports_type = "$def_smtp_ports_info_chk"; + $def_smtp_ports_type = "$def_smtp_ports_info_chk"; /* def MAIL_PORTS */ - $def_mail_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mail_ports']; + $def_mail_ports_info_chk = $snortcfg['def_mail_ports']; if ($def_mail_ports_info_chk == "") - $def_mail_ports_type = "25,143,465,691"; + $def_mail_ports_type = "25,143,465,691"; else - $def_mail_ports_type = "$def_mail_ports_info_chk"; + $def_mail_ports_type = "$def_mail_ports_info_chk"; /* def HTTP_SERVSERS */ - $def_http_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_servers']; + $def_http_servers_info_chk = $snortcfg['def_http_servers']; if ($def_http_servers_info_chk == "") - $def_http_servers_type = "\$HOME_NET"; + $def_http_servers_type = "\$HOME_NET"; else - $def_http_servers_type = "$def_http_servers_info_chk"; + $def_http_servers_type = 
"$def_http_servers_info_chk"; /* def WWW_SERVSERS */ - $def_www_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_www_servers']; + $def_www_servers_info_chk = $snortcfg['def_www_servers']; if ($def_www_servers_info_chk == "") - $def_www_servers_type = "\$HOME_NET"; + $def_www_servers_type = "\$HOME_NET"; else - $def_www_servers_type = "$def_www_servers_info_chk"; + $def_www_servers_type = "$def_www_servers_info_chk"; /* def HTTP_PORTS */ - $def_http_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_ports']; + $def_http_ports_info_chk = $snortcfg['def_http_ports']; if ($def_http_ports_info_chk == "") - $def_http_ports_type = "80"; + $def_http_ports_type = "80"; else - $def_http_ports_type = "$def_http_ports_info_chk"; + $def_http_ports_type = "$def_http_ports_info_chk"; /* def SQL_SERVSERS */ - $def_sql_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sql_servers']; + $def_sql_servers_info_chk = $snortcfg['def_sql_servers']; if ($def_sql_servers_info_chk == "") - $def_sql_servers_type = "\$HOME_NET"; + $def_sql_servers_type = "\$HOME_NET"; else - $def_sql_servers_type = "$def_sql_servers_info_chk"; + $def_sql_servers_type = "$def_sql_servers_info_chk"; /* def ORACLE_PORTS */ - $def_oracle_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_oracle_ports']; + $def_oracle_ports_info_chk = $snortcfg['def_oracle_ports']; if ($def_oracle_ports_info_chk == "") - $def_oracle_ports_type = "1521"; + $def_oracle_ports_type = "1521"; else - $def_oracle_ports_type = "$def_oracle_ports_info_chk"; + $def_oracle_ports_type = "$def_oracle_ports_info_chk"; /* def MSSQL_PORTS */ - $def_mssql_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mssql_ports']; + $def_mssql_ports_info_chk = $snortcfg['def_mssql_ports']; if ($def_mssql_ports_info_chk == "") - $def_mssql_ports_type = "1433"; + $def_mssql_ports_type = "1433"; else - 
$def_mssql_ports_type = "$def_mssql_ports_info_chk"; + $def_mssql_ports_type = "$def_mssql_ports_info_chk"; /* def TELNET_SERVSERS */ - $def_telnet_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_servers']; + $def_telnet_servers_info_chk = $snortcfg['def_telnet_servers']; if ($def_telnet_servers_info_chk == "") - $def_telnet_servers_type = "\$HOME_NET"; + $def_telnet_servers_type = "\$HOME_NET"; else - $def_telnet_servers_type = "$def_telnet_servers_info_chk"; + $def_telnet_servers_type = "$def_telnet_servers_info_chk"; /* def TELNET_PORTS */ - $def_telnet_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_ports']; + $def_telnet_ports_info_chk = $snortcfg['def_telnet_ports']; if ($def_telnet_ports_info_chk == "") - $def_telnet_ports_type = "23"; + $def_telnet_ports_type = "23"; else - $def_telnet_ports_type = "$def_telnet_ports_info_chk"; + $def_telnet_ports_type = "$def_telnet_ports_info_chk"; /* def SNMP_SERVSERS */ - $def_snmp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_servers']; + $def_snmp_servers_info_chk = $snortcfg['def_snmp_servers']; if ($def_snmp_servers_info_chk == "") - $def_snmp_servers_type = "\$HOME_NET"; + $def_snmp_servers_type = "\$HOME_NET"; else - $def_snmp_servers_type = "$def_snmp_servers_info_chk"; + $def_snmp_servers_type = "$def_snmp_servers_info_chk"; /* def SNMP_PORTS */ - $def_snmp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_ports']; + $def_snmp_ports_info_chk = $snortcfg['def_snmp_ports']; if ($def_snmp_ports_info_chk == "") - $def_snmp_ports_type = "161"; + $def_snmp_ports_type = "161"; else - $def_snmp_ports_type = "$def_snmp_ports_info_chk"; + $def_snmp_ports_type = "$def_snmp_ports_info_chk"; /* def FTP_SERVSERS */ - $def_ftp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_servers']; + $def_ftp_servers_info_chk = 
$snortcfg['def_ftp_servers']; if ($def_ftp_servers_info_chk == "") - $def_ftp_servers_type = "\$HOME_NET"; + $def_ftp_servers_type = "\$HOME_NET"; else - $def_ftp_servers_type = "$def_ftp_servers_info_chk"; + $def_ftp_servers_type = "$def_ftp_servers_info_chk"; /* def FTP_PORTS */ - $def_ftp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_ports']; + $def_ftp_ports_info_chk = $snortcfg['def_ftp_ports']; if ($def_ftp_ports_info_chk == "") - $def_ftp_ports_type = "21"; + $def_ftp_ports_type = "21"; else - $def_ftp_ports_type = "$def_ftp_ports_info_chk"; + $def_ftp_ports_type = "$def_ftp_ports_info_chk"; /* def SSH_SERVSERS */ - $def_ssh_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_servers']; + $def_ssh_servers_info_chk = $snortcfg['def_ssh_servers']; if ($def_ssh_servers_info_chk == "") - $def_ssh_servers_type = "\$HOME_NET"; + $def_ssh_servers_type = "\$HOME_NET"; else - $def_ssh_servers_type = "$def_ssh_servers_info_chk"; + $def_ssh_servers_type = "$def_ssh_servers_info_chk"; /* if user has defined a custom ssh port, use it */ - if($config['system']['ssh']['port']) - $ssh_port = $config['system']['ssh']['port']; + if(isset($config['system']['ssh']['port'])) + $ssh_port = $config['system']['ssh']['port']; else - $ssh_port = "22"; + $ssh_port = "22"; /* def SSH_PORTS */ - $def_ssh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_ports']; + $def_ssh_ports_info_chk = $snortcfg['def_ssh_ports']; if ($def_ssh_ports_info_chk == "") - $def_ssh_ports_type = "{$ssh_port}"; + $def_ssh_ports_type = "{$ssh_port}"; else - $def_ssh_ports_type = "$def_ssh_ports_info_chk"; + $def_ssh_ports_type = "$def_ssh_ports_info_chk"; /* def POP_SERVSERS */ - $def_pop_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop_servers']; + $def_pop_servers_info_chk = $snortcfg['def_pop_servers']; if ($def_pop_servers_info_chk == "") - $def_pop_servers_type = 
"\$HOME_NET"; + $def_pop_servers_type = "\$HOME_NET"; else - $def_pop_servers_type = "$def_pop_servers_info_chk"; + $def_pop_servers_type = "$def_pop_servers_info_chk"; /* def POP2_PORTS */ - $def_pop2_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop2_ports']; + $def_pop2_ports_info_chk = $snortcfg['def_pop2_ports']; if ($def_pop2_ports_info_chk == "") - $def_pop2_ports_type = "109"; + $def_pop2_ports_type = "109"; else - $def_pop2_ports_type = "$def_pop2_ports_info_chk"; + $def_pop2_ports_type = "$def_pop2_ports_info_chk"; /* def POP3_PORTS */ - $def_pop3_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop3_ports']; + $def_pop3_ports_info_chk = $snortcfg['def_pop3_ports']; if ($def_pop3_ports_info_chk == "") - $def_pop3_ports_type = "110"; + $def_pop3_ports_type = "110"; else - $def_pop3_ports_type = "$def_pop3_ports_info_chk"; + $def_pop3_ports_type = "$def_pop3_ports_info_chk"; /* def IMAP_SERVSERS */ - $def_imap_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_servers']; + $def_imap_servers_info_chk = $snortcfg['def_imap_servers']; if ($def_imap_servers_info_chk == "") - $def_imap_servers_type = "\$HOME_NET"; + $def_imap_servers_type = "\$HOME_NET"; else - $def_imap_servers_type = "$def_imap_servers_info_chk"; + $def_imap_servers_type = "$def_imap_servers_info_chk"; /* def IMAP_PORTS */ - $def_imap_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_ports']; + $def_imap_ports_info_chk = $snortcfg['def_imap_ports']; if ($def_imap_ports_info_chk == "") - $def_imap_ports_type = "143"; + $def_imap_ports_type = "143"; else - $def_imap_ports_type = "$def_imap_ports_info_chk"; + $def_imap_ports_type = "$def_imap_ports_info_chk"; /* def SIP_PROXY_IP */ - $def_sip_proxy_ip_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ip']; + $def_sip_proxy_ip_info_chk = $snortcfg['def_sip_proxy_ip']; if 
($def_sip_proxy_ip_info_chk == "") - $def_sip_proxy_ip_type = "\$HOME_NET"; + $def_sip_proxy_ip_type = "\$HOME_NET"; else - $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; + $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; /* def SIP_PROXY_PORTS */ - $def_sip_proxy_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ports']; + $def_sip_proxy_ports_info_chk = $snortcfg['def_sip_proxy_ports']; if ($def_sip_proxy_ports_info_chk == "") - $def_sip_proxy_ports_type = "5060:5090,16384:32768"; + $def_sip_proxy_ports_type = "5060:5090,16384:32768"; else - $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; + $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; /* def AUTH_PORTS */ - $def_auth_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_auth_ports']; + $def_auth_ports_info_chk = $snortcfg['def_auth_ports']; if ($def_auth_ports_info_chk == "") - $def_auth_ports_type = "113"; + $def_auth_ports_type = "113"; else - $def_auth_ports_type = "$def_auth_ports_info_chk"; + $def_auth_ports_type = "$def_auth_ports_info_chk"; /* def FINGER_PORTS */ - $def_finger_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_finger_ports']; + $def_finger_ports_info_chk = $snortcfg['def_finger_ports']; if ($def_finger_ports_info_chk == "") - $def_finger_ports_type = "79"; + $def_finger_ports_type = "79"; else - $def_finger_ports_type = "$def_finger_ports_info_chk"; + $def_finger_ports_type = "$def_finger_ports_info_chk"; /* def IRC_PORTS */ - $def_irc_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_irc_ports']; + $def_irc_ports_info_chk = $snortcfg['def_irc_ports']; if ($def_irc_ports_info_chk == "") - $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; + $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; else - $def_irc_ports_type = "$def_irc_ports_info_chk"; + $def_irc_ports_type = "$def_irc_ports_info_chk"; /* def NNTP_PORTS */ - 
$def_nntp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_nntp_ports']; + $def_nntp_ports_info_chk = $snortcfg['def_nntp_ports']; if ($def_nntp_ports_info_chk == "") - $def_nntp_ports_type = "119"; + $def_nntp_ports_type = "119"; else - $def_nntp_ports_type = "$def_nntp_ports_info_chk"; + $def_nntp_ports_type = "$def_nntp_ports_info_chk"; /* def RLOGIN_PORTS */ - $def_rlogin_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rlogin_ports']; + $def_rlogin_ports_info_chk = $snortcfg['def_rlogin_ports']; if ($def_rlogin_ports_info_chk == "") - $def_rlogin_ports_type = "513"; + $def_rlogin_ports_type = "513"; else - $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; + $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; /* def RSH_PORTS */ - $def_rsh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rsh_ports']; + $def_rsh_ports_info_chk = $snortcfg['def_rsh_ports']; if ($def_rsh_ports_info_chk == "") - $def_rsh_ports_type = "514"; + $def_rsh_ports_type = "514"; else - $def_rsh_ports_type = "$def_rsh_ports_info_chk"; + $def_rsh_ports_type = "$def_rsh_ports_info_chk"; /* def SSL_PORTS */ - $def_ssl_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports']; + $def_ssl_ports_info_chk = $snortcfg['def_ssl_ports']; if ($def_ssl_ports_info_chk == "") - $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995"; + $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995"; else - $def_ssl_ports_type = "$def_ssl_ports_info_chk"; + $def_ssl_ports_type = "$def_ssl_ports_info_chk"; /* should we install a automatic update crontab entry? 
*/ $automaticrulesupdate = $config['installedpackages']['snortglobal']['automaticrulesupdate7']; /* if user is on pppoe, we really want to use ng0 interface */ - if(isset($config['interfaces'][$snort_ext_int]['ipaddr']) && ($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe")) - $snort_ext_int = "ng0"; + if ($snort_pfsense_basever == 'yes' && $snort_ext_int == "wan") + $snort_ext_int = get_real_wan_interface(); /* set the snort performance model */ - if($config['installedpackages']['snortglobal']['rule'][$id]['performance']) - $snort_performance = $config['installedpackages']['snortglobal']['rule'][$id]['performance']; + if($snortcfg['performance']) + $snort_performance = $snortcfg['performance']; else - $snort_performance = "ac-bnfa"; + $snort_performance = "ac-bnfa"; /* generate rule sections to load */ - $enabled_rulesets = $config['installedpackages']['snortglobal']['rule'][$id]['rulesets']; - if($enabled_rulesets) { + $enabled_rulesets = $snortcfg['rulesets']; + if (!empty($enabled_rulesets)) { $selected_rules_sections = ""; $enabled_rulesets_array = split("\|\|", $enabled_rulesets); foreach($enabled_rulesets_array as $enabled_item) - $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; + $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; } - conf_mount_ro(); - ///////////////////////////// /* preprocessor code */ 
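Review bot: The seven `@copy("/usr/local/etc/snort/… /usr/local/etc/snort/snort_…")` lines in generate_snort_conf pass both paths inside one string, so copy() receives a single argument, copies nothing, and the `@` suppresses the warning — the per-interface directory is left without its map and config files; copy() needs source and destination as two arguments (rewrite below), and the `is_dir()` guard just above them tests `/usr/local/etc/snort/snort/snort_…`, with an extra `snort/` segment, so it never matches the directory the mkdir creates. `$snort_pfsense_basever` is assigned at file scope but only `$config, $g` are declared global in the function, so `$snort_pfsense_basever == 'yes' && $snort_ext_int == "wan"` is never true and the pppoe substitution it replaced is now dead; add it to the global statement. `$snortcfg =& $config[…]['rule'][$id]` creates the element when `$id` does not exist, and the write_config() calls elsewhere in this file would then persist an empty rule entry, so test isset() before taking the reference. The class `[a-zA-z0-9]` in both preg_match calls should be `[a-zA-Z0-9]`; `A-z` also admits `[`, `\`, `]`, `^`, `_` and the backtick, and the match is spliced into the whitelist and suppress include paths. The `split("\|\|", …)` context line uses a function deprecated since PHP 5.3; `explode("||", …)` does the same job.
```php
	global $config, $g, $snort_pfsense_basever;

	if (!is_array($config['installedpackages']['snortglobal']['rule']) ||
	    !isset($config['installedpackages']['snortglobal']['rule'][$id]))
		return;

	$snortcfg =& $config['installedpackages']['snortglobal']['rule'][$id];
	/* … unchanged: conf_mount_rw(), home/external net, interface, pass-thru args … */
	$snort_if_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}";
	if (!is_dir($snort_if_dir))
		exec("/bin/mkdir -p {$snort_if_dir}");

	/* copy() takes the source and the destination as two separate arguments */
	foreach (array('gen-msg.map', 'classification.config', 'reference.config',
	    'sid-msg.map', 'unicode.map', 'threshold.conf', 'snort.conf') as $file)
		@copy("/usr/local/etc/snort/{$file}", "{$snort_if_dir}/{$file}");
	@touch("{$snort_if_dir}/barnyard2.conf");
	/* … unchanged: rules directory, log/output definitions, server and port defaults … */
```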
@@ -2355,19 +2100,17 @@ preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$snort_uuid}_{$if_ EOD; - $def_perform_stat_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['perform_stat']; + $def_perform_stat_info_chk = $snortcfg['perform_stat']; if ($def_perform_stat_info_chk == "on") - $def_perform_stat_type = "$snort_perform_stat"; + $def_perform_stat_type = "$snort_perform_stat"; else - $def_perform_stat_type = ""; + $def_perform_stat_type = ""; - $def_flow_depth_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['flow_depth']; - if ($def_flow_depth_info_chk == '') - { + $def_flow_depth_info_chk = $snortcfg['flow_depth']; + if (empty($def_flow_depth_info_chk)) $def_flow_depth_type = '0'; - }else{ - $def_flow_depth_type = $config['installedpackages']['snortglobal']['rule'][$id]['flow_depth']; - } + else + $def_flow_depth_type = $snortcfg['flow_depth']; /* def http_inspect */ $snort_http_inspect = <<<EOD @@ -2398,11 +2141,11 @@ preprocessor http_inspect_server: server default \ EOD; - $def_http_inspect_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect']; + $def_http_inspect_info_chk = $snortcfg['http_inspect']; if ($def_http_inspect_info_chk == "on") - $def_http_inspect_type = "$snort_http_inspect"; + $def_http_inspect_type = "$snort_http_inspect"; else - $def_http_inspect_type = ""; + $def_http_inspect_type = ""; /* def other_preprocs */ $snort_other_preprocs = <<<EOD @@ -2417,11 +2160,11 @@ preprocessor bo EOD; - $def_other_preprocs_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['other_preprocs']; + $def_other_preprocs_info_chk = $snortcfg['other_preprocs']; if ($def_other_preprocs_info_chk == "on") - $def_other_preprocs_type = "$snort_other_preprocs"; + $def_other_preprocs_type = "$snort_other_preprocs"; else - $def_other_preprocs_type = ""; + $def_other_preprocs_type = ""; /* def ftp_preprocessor */ $snort_ftp_preprocessor = <<<EOD 
@@ -2476,7 +2219,7 @@ preprocessor ftp_telnet_protocol: ftp client default \ EOD; - $def_ftp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['ftp_preprocessor']; + $def_ftp_preprocessor_info_chk = $snortcfg['ftp_preprocessor']; if ($def_ftp_preprocessor_info_chk == "on") $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; else @@ -2511,11 +2254,11 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB EOD; - $def_smtp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['smtp_preprocessor']; + $def_smtp_preprocessor_info_chk = $snortcfg['smtp_preprocessor']; if ($def_smtp_preprocessor_info_chk == "on") - $def_smtp_preprocessor_type = "$snort_smtp_preprocessor"; + $def_smtp_preprocessor_type = "$snort_smtp_preprocessor"; else - $def_smtp_preprocessor_type = ""; + $def_smtp_preprocessor_type = ""; /* def sf_portscan */ $snort_sf_portscan = <<<EOD @@ -2533,11 +2276,11 @@ preprocessor sfportscan: scan_type { all } \ EOD; - $def_sf_portscan_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['sf_portscan']; + $def_sf_portscan_info_chk = $snortcfg['sf_portscan']; if ($def_sf_portscan_info_chk == "on") - $def_sf_portscan_type = "$snort_sf_portscan"; + $def_sf_portscan_type = "$snort_sf_portscan"; else - $def_sf_portscan_type = ""; + $def_sf_portscan_type = ""; /* def dce_rpc_2 */ $snort_dce_rpc_2 = <<<EOD @@ -2556,11 +2299,11 @@ preprocessor dcerpc2_server: default, policy WinXP, \ EOD; - $def_dce_rpc_2_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dce_rpc_2']; + $def_dce_rpc_2_info_chk = $snortcfg['dce_rpc_2']; if ($def_dce_rpc_2_info_chk == "on") - $def_dce_rpc_2_type = "$snort_dce_rpc_2"; + $def_dce_rpc_2_type = "$snort_dce_rpc_2"; else - $def_dce_rpc_2_type = ""; + $def_dce_rpc_2_type = ""; /* def dns_preprocessor */ $snort_dns_preprocessor = <<<EOD 
@@ -2576,37 +2319,33 @@ preprocessor dns: \ EOD; - $def_dns_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dns_preprocessor']; + $def_dns_preprocessor_info_chk = $snortcfg['dns_preprocessor']; if ($def_dns_preprocessor_info_chk == "on") - $def_dns_preprocessor_type = "$snort_dns_preprocessor"; + $def_dns_preprocessor_type = "$snort_dns_preprocessor"; else - $def_dns_preprocessor_type = ""; + $def_dns_preprocessor_type = ""; /* def SSL_PORTS IGNORE */ - $def_ssl_ports_ignore_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports_ignore']; + $def_ssl_ports_ignore_info_chk = $snortcfg['def_ssl_ports_ignore']; if ($def_ssl_ports_ignore_info_chk == "") - $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995"; + $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995"; else - $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk"; + $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk"; /* stream5 queued settings */ - $def_max_queued_bytes_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['max_queued_bytes']; + $def_max_queued_bytes_info_chk = $snortcfg['max_queued_bytes']; if ($def_max_queued_bytes_info_chk == '') - { $def_max_queued_bytes_type = ''; - }else{ - $def_max_queued_bytes_type = ' max_queued_bytes ' . $config['installedpackages']['snortglobal']['rule'][$id]['max_queued_bytes'] . ','; - } + else + $def_max_queued_bytes_type = ' max_queued_bytes ' . $snortcfg['max_queued_bytes'] . ','; - $def_max_queued_segs_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['max_queued_segs']; + $def_max_queued_segs_info_chk = $snortcfg['max_queued_segs']; if ($def_max_queued_segs_info_chk == '') - { $def_max_queued_segs_type = ''; - }else{ - $def_max_queued_segs_type = ' max_queued_segs ' . $config['installedpackages']['snortglobal']['rule'][$id]['max_queued_segs'] . ','; - } + else + $def_max_queued_segs_type = ' max_queued_segs ' . 
$snortcfg['max_queued_segs'] . ','; /* build snort configuration file */ @@ -2752,9 +2491,9 @@ config detection: search-method {$snort_performance} max_queue_events 5 config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries -dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/ +dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so -dynamicdetection directory /usr/local/lib/snort/dynamicrules/ +dynamicdetection directory /usr/local/lib/snort/dynamicrules ################### # 
@@ -2850,44 +2589,47 @@ EOD; * for example, if you are not a premium subscriber you can only download rules * so often, etc. TO BE: Removed unneeded. */ - function check_for_common_errors($filename) { global $snort_filename, $snort_filename_md5, $console_mode; - // ob_flush(); + // ob_flush(); $contents = file_get_contents($filename); - if(stristr($contents, "You don't have permission")) { + if (!$contents) { if(!$console_mode) { update_all_status("An error occured while downloading {$filename}."); hide_progress_bar_status(); - } else { + } else log_error("An error occured. Scroll down to inspect it's contents."); - } - if(!$console_mode) { + + if (!$console_mode) update_output_window(strip_tags("$contents")); - } else { + else { $contents = strip_tags($contents); log_error("Error downloading snort rules: {$contents}"); echo "Error downloading snort rules: {$contents}"; } + scroll_down_to_bottom_of_page(); - exit; + + return; } } /* force browser to scroll all the way down */ function scroll_down_to_bottom_of_page() { global $snort_filename, $console_mode; + ob_flush(); if(!$console_mode) - echo "\n<script type=\"text/javascript\">parent.scrollTo(0,1500);\n</script>"; + echo "\n<script type=\"text/javascript\">parent.scrollTo(0,1500);\n</script>"; } /* ensure downloaded file looks sane */ function verify_downloaded_file($filename) { global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); - if(filesize($filename)<9500) { + if (filesize($filename) < 9500) { if(!$console_mode) { update_all_status("Checking {$filename}..."); check_for_common_errors($filename); @@ -2902,7 +2644,7 @@ function verify_downloaded_file($filename) { log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."; } - exit; + return; } update_all_status("Verified {$filename}."); } 
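Review bot: `if (!$contents)` in check_for_common_errors only fires when the downloaded file is empty or unreadable, so the permission-denied HTML page that the removed `stristr` test caught is now accepted as a rules tarball; keep both conditions, `if ($contents === false || $contents === '' || stristr($contents, "You don't have permission")) {`. The `exit` → `return` swaps here, in the `@@ -2902` hunk and in verify_snort_rules_md5 (`@@ -2955`) additionally mean that a failed download or an md5 mismatch no longer stops the run, and none of the three functions hands back a status the caller could test; the callers are outside this chunk, so unless they check something else the bad file is still extracted and installed. Have each function `return false;` on its failure paths and `return true;` at the end, and abort in the caller on `false`. verify_downloaded_file's body is split across the `@@ -2850` and `@@ -2902` hunks.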
@@ -2910,13 +2652,15 @@ function verify_downloaded_file($filename) { /* extract rules */ function extract_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); if(!$console_mode) { $static_output = gettext("Extracting snort rules..."); update_all_status($static_output); } if(!is_dir("/usr/local/etc/snort/rules/")) - mkdir("/usr/local/etc/snort/rules/"); + @mkdir("/usr/local/etc/snort/rules/"); + $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/"; $handle = popen("{$cmd} 2>&1", 'r'); while(!feof($handle)) { @@ -2937,6 +2681,7 @@ function extract_snort_rules_md5($tmpfname) { /* verify MD5 against downloaded item */ function verify_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); if(!$console_mode) { $static_output = gettext("Verifying md5 signature..."); 
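Review bot: `@mkdir("/usr/local/etc/snort/rules/")` suppresses the warning but leaves the failure unhandled, so when the directory cannot be created the tar command on the following lines still runs and its error output is all the user sees. Test the result instead of silencing it: `if (!is_dir("/usr/local/etc/snort/rules/") && !@mkdir("/usr/local/etc/snort/rules/", 0755)) { log_error("Could not create /usr/local/etc/snort/rules/"); return; }`. extract_snort_rules_md5's body continues past the end of this hunk.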
@@ -2955,29 +2700,32 @@ function verify_snort_rules_md5($tmpfname) { log_error("snort rules: md5 signature of rules mismatch."); echo "snort rules: md5 signature of rules mismatch."; } - exit; + return; } } /* hide progress bar */ function hide_progress_bar_status() { global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); if(!$console_mode) - echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>"; + echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>"; } /* unhide progress bar */ function unhide_progress_bar_status() { global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); if(!$console_mode) - echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>"; + echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>"; } /* update both top and bottom text box during an operation */ function update_all_status($status) { global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); if(!$console_mode) { update_status($status); 
@@ -2988,22 +2736,25 @@ function update_all_status($status) { /* obtain alert description for an ip address */ function get_snort_alert($ip) { global $snort_alert_file_split, $snort_config; + if(!file_exists("/var/log/snort/alert")) - return; + return; if(!$snort_config) - $snort_config = read_snort_config_cache(); + $snort_config = read_snort_config_cache(); if($snort_config[$ip]) - return $snort_config[$ip]; + return $snort_config[$ip]; if(!$snort_alert_file_split) - $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); + $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); + foreach($snort_alert_file_split as $fileline) { if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - $alert_title = $matches[2]; + $alert_title = $matches[2]; if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) - $alert_ip = $matches[$id]; + $alert_ip = $matches[$id]; if($alert_ip == $ip) { if(!$snort_config[$ip]) - $snort_config[$ip] = $alert_title; + $snort_config[$ip] = $alert_title; + return $alert_title; } } 
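Review bot: `$alert_ip = $matches[$id];` indexes the match array with `$id`, which is not declared in get_snort_alert (the function only imports `$snort_alert_file_split` and `$snort_config`), so the index is null, `$alert_ip` stays unset and the `$alert_ip == $ip` comparison cannot match a real address. The outermost capture of the IPv4 pattern is group 1, so this should read `$alert_ip = $matches[1];`. Note also that `$alert_title` is not reset per iteration, so a line that matches the address pattern but not the title pattern would return the title of an earlier line; if the alert file can contain such lines, reset it at the top of the loop.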
@@ -3012,10 +2763,12 @@ function get_snort_alert($ip) { function make_clickable($buffer) { global $config, $g; + /* if clickable urls is disabled, simply return buffer back to caller */ $clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode']; if(!$clickablalerteurls) - return $buffer; + return $buffer; + $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","<a href=\"mailto:\\1\">\\1</a>", $buffer); @@ -3027,18 +2780,19 @@ function make_clickable($buffer) { function read_snort_config_cache() { global $g, $config, $snort_config; + if($snort_config) - return $snort_config; - if(file_exists($g['tmp_path'] . '/snort_config.cache')) { - $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache')); return $snort_config; - } - return; + + if(file_exists($g['tmp_path'] . '/snort_config.cache')) + $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache')); + + return $snort_config; } function write_snort_config_cache($snort_config) { global $g, $config; - conf_mount_rw(); + $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w"); if(!$configcache) { log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing."); @@ -3046,17 +2800,19 @@ function write_snort_config_cache($snort_config) { } fwrite($configcache, serialize($snort_config)); fclose($configcache); - conf_mount_ro(); + return true; } function snort_advanced() { global $g, $config; + sync_package_snort(); } function snort_define_servers() { global $g, $config; + sync_package_snort(); } 
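Review bot: the "clickable urls" test in make_clickable reads `$config['installedpackages']['snort']['config'][$id]['oinkmastercode']` with `$id` undeclared in the function (it only imports `$config` and `$g`), so the lookup always yields null and the function returns `$buffer` untouched; the key name also looks like the oinkmaster subscription code rather than a display flag, which is worth confirming against where this setting is saved. If the intent is a global switch, `$clickablalerteurls = $config['installedpackages']['snortglobal']['clickablealerturls'];` or the equivalent real key should be used, with the key name verified in the settings page. The replacement patterns also allow `"` inside the matched URL, which lands unescaped in `href="\\2"`; callers should run `htmlspecialchars()` on the text before calling this function, or the pattern should exclude `"` and `<`.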
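Review bot: read_snort_config_cache still rebuilds `$snort_config` with `unserialize()` on a file under `$g['tmp_path']`, so anyone able to write that path can inject an arbitrary serialized object, and the values are later echoed by get_snort_alert's callers. The cache written by write_snort_config_cache in the next hunk is a plain string-to-string map, so JSON is sufficient and removes the object-instantiation risk: `$snort_config = json_decode(file_get_contents($g['tmp_path'] . '/snort_config.cache'), true);` on the read side and `fwrite($configcache, json_encode($snort_config));` on the write side. Since the function now returns `$snort_config` unconditionally, also initialise it to `array()` when the cache is missing or undecodable so callers get a consistent type.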
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 7d7d0323..f89d99ef 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -45,19 +45,18 @@ $snort_load_mootools = 'yes'; $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; $snort_logfile = '/var/log/snort/alert'; -$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; -$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; - -if ($pconfig['alertnumber'] == '' || $pconfig['alertnumber'] == '0') -{ - $anentries = '250'; -}else{ +if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { + $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; + $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; $anentries = $pconfig['alertnumber']; +} else { + $anentries = '250'; + $pconfig['alertnumber'] = '250'; + $pconfig['arefresh'] = 'off'; } if ($_POST['save']) { - //unset($input_errors); //$pconfig = $_POST; @@ -72,19 +71,15 @@ if ($_POST['save']) } /* no errors */ - if (!$input_errors) - { - - $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? on : off; + if (!$input_errors) { + if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) + $config['installedpackages']['snortglobal']['alertsblocks'] = array(); + $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; - conf_mount_rw(); write_config(); - //conf_mount_ro(); - sleep(2); - - header("Location: /snort/snort_alerts.php"); + header("Location: /snort/snort_alerts.php"); } } 
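Review bot: the save branch stores `$_POST['alertnumber']` into config without checking it is a positive integer, and the new read-side block no longer applies the 250 default when the stored value is empty or '0' (the removed `== '' || == '0'` test is gone), so `$anentries` can be '' or '0' after the first save and the alert listing below ends up with a non-numeric count. Validate before writing, `if (!ctype_digit((string)$_POST['alertnumber']) || (int)$_POST['alertnumber'] < 1) $input_errors[] = "Alert number must be a positive integer.";`, and keep the default on the read side, `$anentries = ($pconfig['alertnumber'] == '' || $pconfig['alertnumber'] == '0') ? '250' : $pconfig['alertnumber'];`. The start of the validation block is outside this hunk.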
@@ -112,8 +107,7 @@ if ($_POST['download']) $file_name = "snort_logs_{$save_date}.tar.gz"; exec("/usr/bin/tar cfz /tmp/snort_logs_{$save_date}.tar.gz /var/log/snort"); - if(file_exists("/tmp/snort_logs_{$save_date}.tar.gz")) - { + if (file_exists("/tmp/snort_logs_{$save_date}.tar.gz")) { $file = "/tmp/snort_logs_{$save_date}.tar.gz"; header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); header("Pragma: private"); // needed for IE 
@@ -125,86 +119,65 @@ if ($_POST['download']) readfile("$file"); exec("/bin/rm /tmp/snort_logs_{$save_date}.tar.gz"); od_end_clean(); //importanr or other post will fail - }else{ + } else echo 'Error no saved file.'; - } - } /* WARNING: took me forever to figure reg expression, dont lose */ // $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; - function get_snort_alert_date($fileline) { /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1)) - { $alert_date = "$matches1[0]"; - } return $alert_date; - } function get_snort_alert_disc($fileline) { /* disc */ if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - { $alert_disc = "$matches[2]"; - } return $alert_disc; - } function get_snort_alert_class($fileline) { /* class */ if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2)) - { $alert_class = "$matches2[0]"; - } return $alert_class; - } function get_snort_alert_priority($fileline) { /* Priority */ if (preg_match('/Priority:\s\d/', $fileline, $matches3)) - { $alert_priority = "$matches3[0]"; - } return $alert_priority; - } function get_snort_alert_proto($fileline) { /* Priority */ if (preg_match('/\{.+\}/', $fileline, $matches3)) - { $alert_proto = "$matches3[0]"; - } return $alert_proto; - } function get_snort_alert_proto_full($fileline) { /* Protocal full */ if (preg_match('/.+\sTTL/', $fileline, $matches2)) - { $alert_proto_full = "$matches2[0]"; - } return $alert_proto_full; - } function get_snort_alert_ip_src($fileline) 
@@ -214,36 +187,27 @@ function get_snort_alert_ip_src($fileline) $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - { $alert_ip_src = $matches4[1][0]; - } return $alert_ip_src; - } function get_snort_alert_src_p($fileline) { /* source port */ if (preg_match('/:\d+\s-/', $fileline, $matches5)) - { $alert_src_p = "$matches5[0]"; - } return $alert_src_p; - } function get_snort_alert_flow($fileline) { /* source port */ if (preg_match('/(->|<-)/', $fileline, $matches5)) - { $alert_flow = "$matches5[0]"; - } return $alert_flow; - } function get_snort_alert_ip_dst($fileline) @@ -255,52 +219,38 @@ function get_snort_alert_ip_dst($fileline) $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6)) - { $alert_ip_dst = $matches6[1][0]; - } return $alert_ip_dst; - } function get_snort_alert_dst_p($fileline) { /* dst port */ if (preg_match('/:\d+$/', $fileline, $matches7)) - { $alert_dst_p = "$matches7[0]"; - } return $alert_dst_p; - } function get_snort_alert_dst_p_full($fileline) { /* dst port full */ if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7)) - { $alert_dst_p = "$matches7[0]"; - } return $alert_dst_p; - } function get_snort_alert_sid($fileline) { /* SID */ if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8)) - { $alert_sid = "$matches8[0]"; - } return $alert_sid; - } -// - $pgtitle = "Services: Snort: Snort Alerts"; include("/usr/local/pkg/snort/snort_head.inc"); 
@@ -324,10 +274,8 @@ include("fbegin.inc"); echo $snort_general_css; /* refresh every 60 secs */ -if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') -{ +if ($pconfig['arefresh'] == 'on') echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n"; -} ?> <!-- hack to fix the hardcoed fbegin link in header --> @@ -439,26 +387,19 @@ if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') /* make sure alert file exists */ if(!file_exists('/var/log/snort/alert')) - { - conf_mount_rw(); exec('/usr/bin/touch /var/log/snort/alert'); - conf_mount_ro(); - } $logent = $anentries; /* detect the alert file type */ if ($snortalertlogt == 'full') - { $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); - }else{ + else $alerts_array = array_reverse(array_filter(split("\n", file_get_contents('/var/log/snort/alert')))); - } - if (is_array($alerts_array)) - { + if (is_array($alerts_array)) { $counter = 0; foreach($alerts_array as $fileline) diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index 734c124f..17c49689 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -44,15 +44,15 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g; -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { +if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); -} + //nat_rules_sort(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) -$id = $_POST['id']; + $id = $_POST['id']; if (isset($_GET['dup'])) { $id = $_GET['dup']; 
@@ -130,136 +130,136 @@ if (isset($id) && $a_nat[$id]) { if (!$pconfig['interface']) + $pconfig['interface'] = "wan"; +} else $pconfig['interface'] = "wan"; -} else { - $pconfig['interface'] = "wan"; -} if (isset($_GET['dup'])) -unset($id); + unset($id); $if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); -$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - +if (!empty($config['installedpackages']['snortglobal']['rule'][$id])) + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; /* alert file */ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; /* this will exec when alert says apply */ if ($_POST['apply']) { - if (file_exists($d_snortconfdirty_path)) { - write_config(); - - sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); - unlink($d_snortconfdirty_path); - } - } if ($_POST["Submit"]) { - /* check for overlaps */ + /* XXX: Mising error reporting?! 
+ * check for overlaps foreach ($a_nat as $natent) { if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) - continue; + continue; if ($natent['interface'] != $_POST['interface']) - continue; + continue; } + */ /* if no errors write to conf */ if (!$input_errors) { $natent = array(); /* repost the options already in conf */ - - if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } - if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } - if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } - if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } - if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } - if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } - if ($pconfig['alertsystemlog'] != "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } - if ($pconfig['tcpdumplog'] != "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } - if ($pconfig['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } - if ($pconfig['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $pconfig['def_ssl_ports_ignore']; } - if ($pconfig['flow_depth'] != "") { $natent['flow_depth'] = $pconfig['flow_depth']; } - if ($pconfig['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $pconfig['max_queued_bytes']; } - if ($pconfig['max_queued_segs'] != "") { $natent['max_queued_segs'] = $pconfig['max_queued_segs']; } - if ($pconfig['perform_stat'] != "") { $natent['perform_stat'] = $pconfig['perform_stat']; } - if ($pconfig['http_inspect'] != "") { $natent['http_inspect'] = $pconfig['http_inspect']; } - if ($pconfig['other_preprocs'] != "") { $natent['other_preprocs'] = $pconfig['other_preprocs']; } - if ($pconfig['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $pconfig['ftp_preprocessor']; } - if ($pconfig['smtp_preprocessor'] != "") { 
$natent['smtp_preprocessor'] = $pconfig['smtp_preprocessor']; } - if ($pconfig['sf_portscan'] != "") { $natent['sf_portscan'] = $pconfig['sf_portscan']; } - if ($pconfig['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $pconfig['dce_rpc_2']; } - if ($pconfig['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $pconfig['dns_preprocessor']; } - if ($pconfig['def_dns_servers'] != "") { $natent['def_dns_servers'] = $pconfig['def_dns_servers']; } - if ($pconfig['def_dns_ports'] != "") { $natent['def_dns_ports'] = $pconfig['def_dns_ports']; } - if ($pconfig['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $pconfig['def_smtp_servers']; } - if ($pconfig['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $pconfig['def_smtp_ports']; } - if ($pconfig['def_mail_ports'] != "") { $natent['def_mail_ports'] = $pconfig['def_mail_ports']; } - if ($pconfig['def_http_servers'] != "") { $natent['def_http_servers'] = $pconfig['def_http_servers']; } - if ($pconfig['def_www_servers'] != "") { $natent['def_www_servers'] = $pconfig['def_www_servers']; } - if ($pconfig['def_http_ports'] != "") { $natent['def_http_ports'] = $pconfig['def_http_ports']; } - if ($pconfig['def_sql_servers'] != "") { $natent['def_sql_servers'] = $pconfig['def_sql_servers']; } - if ($pconfig['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $pconfig['def_oracle_ports']; } - if ($pconfig['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $pconfig['def_mssql_ports']; } - if ($pconfig['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $pconfig['def_telnet_servers']; } - if ($pconfig['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $pconfig['def_telnet_ports']; } - if ($pconfig['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $pconfig['def_snmp_servers']; } - if ($pconfig['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $pconfig['def_snmp_ports']; } - if ($pconfig['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $pconfig['def_ftp_servers']; } 
- if ($pconfig['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $pconfig['def_ftp_ports']; } - if ($pconfig['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $pconfig['def_ssh_servers']; } - if ($pconfig['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $pconfig['def_ssh_ports']; } - if ($pconfig['def_pop_servers'] != "") { $natent['def_pop_servers'] = $pconfig['def_pop_servers']; } - if ($pconfig['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $pconfig['def_pop2_ports']; } - if ($pconfig['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $pconfig['def_pop3_ports']; } - if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } - if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } - if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } - if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } - if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } - if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } - if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } - if ($pconfig['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $pconfig['def_nntp_ports']; } - if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; } - if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; } - if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } - if ($pconfig['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } - if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } - if ($pconfig['rulesets'] != "") { $natent['rulesets'] = 
$pconfig['rulesets']; } - if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } - if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } - if ($pconfig['whitelistname'] != "") { $natent['whitelistname'] = $pconfig['whitelistname']; } - if ($pconfig['homelistname'] != "") { $natent['homelistname'] = $pconfig['homelistname']; } - if ($pconfig['externallistname'] != "") { $natent['externallistname'] = $pconfig['externallistname']; } - if ($pconfig['suppresslistname'] != "") { $natent['suppresslistname'] = $pconfig['suppresslistname']; } + $natent = $pconfig; /* post new options */ - $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? on : off; + if ($_POST['interface'] != "") { $natent['interface'] = $_POST['interface']; } else unset($natent['interface']); + if ($_POST['enable'] != "") { $natent['enable'] = $_POST['enable']; } else unset($natent['enable']); + if ($_POST['uuid'] != "") { $natent['uuid'] = $_POST['uuid']; } else unset($natent['uuid']); + if ($_POST['descr'] != "") { $natent['descr'] = $_POST['descr']; } else unset($natent['descr']); + if ($_POST['performance'] != "") { $natent['performance'] = $_POST['performance']; } else unset($natent['descr']); + if ($_POST['blockoffenders7'] != "") { $natent['blockoffenders7'] = $_POST['blockoffenders7']; } else unset($natent['blockoffenders7']); + if ($_POST['alertsystemlog'] != "") { $natent['alertsystemlog'] = $_POST['alertsystemlog']; } else unset($natent['alertsystemlog']); + if ($_POST['tcpdumplog'] != "") { $natent['tcpdumplog'] = $_POST['tcpdumplog']; } else unset($natent['tcpdumplog']); + if ($_POST['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $_POST['snortunifiedlog']; } else unset($natent['snortunifiedlog']); + if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; } else unset($natent['def_ssl_ports_ignore']); + if ($_POST['flow_depth'] != "") { 
$natent['flow_depth'] = $_POST['flow_depth']; } else unset($natent['flow_depth']); + if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; } else unset($natent['max_queued_bytes']); + if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; } else unset($natent['max_queued_segs']); + if ($_POST['perform_stat'] != "") { $natent['perform_stat'] = $_POST['perform_stat']; } else unset($natent['perform_stat']); + if ($_POST['http_inspect'] != "") { $natent['http_inspect'] = $_POST['http_inspect']; } else unset($natent['http_inspect']); + if ($_POST['other_preprocs'] != "") { $natent['other_preprocs'] = $_POST['other_preprocs']; } else unset($natent['other_preprocs']); + if ($_POST['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor']; } else unset($natent['ftp_preprocessor']); + if ($_POST['smtp_preprocessor'] != "") { $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor']; } else unset($natent['smtp_preprocessor']); + if ($_POST['sf_portscan'] != "") { $natent['sf_portscan'] = $_POST['sf_portscan']; } else unset($natent['sf_portscan']); + if ($_POST['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $_POST['dce_rpc_2']; } else unset($natent['dce_rpc_2']); + if ($_POST['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $_POST['dns_preprocessor']; } else unset($natent['dns_preprocessor']); + if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; } else unset($natent['def_dns_servers']); + if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; } else unset($natent['def_dns_ports']); + if ($_POST['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $_POST['def_smtp_servers']; } else unset($natent['def_smtp_servers']); + if ($_POST['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $_POST['def_smtp_ports']; } else unset($natent['def_mail_ports']); + if 
($_POST['def_mail_ports'] != "") { $natent['def_mail_ports'] = $_POST['def_mail_ports']; } else unset($natent['def_mail_ports']); + if ($_POST['def_http_servers'] != "") { $natent['def_http_servers'] = $_POST['def_http_servers']; } else unset($natent['def_http_servers']); + if ($_POST['def_www_servers'] != "") { $natent['def_www_servers'] = $_POST['def_www_servers']; } else unset($natent['def_www_servers']); + if ($_POST['def_http_ports'] != "") { $natent['def_http_ports'] = $_POST['def_http_ports']; } else unset($natent['def_http_ports']); + if ($_POST['def_sql_servers'] != "") { $natent['def_sql_servers'] = $_POST['def_sql_servers']; } else unset($natent['def_sql_servers']); + if ($_POST['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $_POST['def_oracle_ports']; } else unset($natent['def_oracle_ports']); + if ($_POST['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $_POST['def_mssql_ports']; } else unset($natent['def_mssql_ports']); + if ($_POST['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $_POST['def_telnet_servers']; } else unset($natent['def_telnet_ports']); + if ($_POST['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $_POST['def_telnet_ports']; } else unset($natent['def_telnet_ports']); + if ($_POST['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $_POST['def_snmp_servers']; } else unset($natent['def_snmp_servers']); + if ($_POST['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $_POST['def_snmp_ports']; } else unset($natent['def_snmp_ports']); + if ($_POST['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $_POST['def_ftp_servers']; } else unset($natent['def_ftp_servers']); + if ($_POST['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $_POST['def_ftp_ports']; } else unset($natent['def_ftp_ports']); + if ($_POST['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $_POST['def_ssh_servers']; } else unset($natent['def_ssh_servers']); + if ($_POST['def_ssh_ports'] != "") { 
$natent['def_ssh_ports'] = $_POST['def_ssh_ports']; } else unset($natent['def_ssh_ports']); + if ($_POST['def_pop_servers'] != "") { $natent['def_pop_servers'] = $_POST['def_pop_servers']; } else unset($natent['def_pop_servers']); + if ($_POST['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $_POST['def_pop2_ports']; } else unset($natent['def_pop2_ports']); + if ($_POST['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $_POST['def_pop3_ports']; } else unset($natent['def_pop3_ports']); + if ($_POST['def_imap_servers'] != "") { $natent['def_imap_servers'] = $_POST['def_imap_servers']; } else unset($natent['def_imap_servers']); + if ($_POST['def_imap_ports'] != "") { $natent['def_imap_ports'] = $_POST['def_imap_ports']; } else unset($natent['def_imap_ports']); + if ($_POST['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $_POST['def_sip_proxy_ip']; } else unset($natent['def_sip_proxy_ip']); + if ($_POST['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $_POST['def_sip_proxy_ports']; } else unset($natent['def_sip_proxy_ports']); + if ($_POST['def_auth_ports'] != "") { $natent['def_auth_ports'] = $_POST['def_auth_ports']; } else unset($natent['def_auth_ports']); + if ($_POST['def_finger_ports'] != "") { $natent['def_finger_ports'] = $_POST['def_finger_ports']; } else unset($natent['def_finger_ports']); + if ($_POST['def_irc_ports'] != "") { $natent['def_irc_ports'] = $_POST['def_irc_ports']; } else unset($natent['def_irc_ports']); + if ($_POST['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $_POST['def_nntp_ports']; } else unset($natent['def_nntp_ports']); + if ($_POST['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $_POST['def_rlogin_ports']; } else unset($natent['def_rlogin_ports']); + if ($_POST['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $_POST['def_rsh_ports']; } else unset($natent['def_rsh_ports']); + if ($_POST['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $_POST['def_ssl_ports']; } else 
unset($natent['def_ssl_ports']); + if ($_POST['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $_POST['snortunifiedlog']; } else unset($natent['snortunifiedlog']); + if ($_POST['configpassthru'] != "") { $natent['configpassthru'] = $_POST['configpassthru']; } else unset($natent['configpassthru']); + if ($_POST['rulesets'] != "") { $natent['rulesets'] = $_POST['rulesets']; } else unset($natent['rulesets']); + if ($_POST['rule_sid_off'] != "") { $natent['rule_sid_off'] = $_POST['rule_sid_off']; } else unset($natent['rule_sid_off']); + if ($_POST['rule_sid_on'] != "") { $natent['rule_sid_on'] = $_POST['rule_sid_on']; } else unset($natent['rule_sid_on']); + if ($_POST['whitelistname'] != "") { $natent['whitelistname'] = $_POST['whitelistname']; } else unset($natent['whitelistname']); + if ($_POST['homelistname'] != "") { $natent['homelistname'] = $_POST['homelistname']; } else unset($natent['homelistname']); + if ($_POST['externallistname'] != "") { $natent['externallistname'] = $_POST['externallistname']; } else unset($natent['externallistname']); + if ($_POST['suppresslistname'] != "") { $natent['suppresslistname'] = $_POST['suppresslistname']; } else unset($natent['suppresslistname']); + $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? 'on' : 'off'; $natent['barnyard_mysql'] = $_POST['barnyard_mysql'] ? $_POST['barnyard_mysql'] : $pconfig['barnyard_mysql']; - $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']) ? base64_encode($_POST['barnconfigpassthru']) : $pconfig['barnconfigpassthru']; - if ($_POST['barnyard_enable'] == "on") { $natent['snortunifiedlog'] = on; }else{ $natent['snortunifiedlog'] = off; } if ($_POST['barnyard_enable'] == "") { $natent['snortunifiedlog'] = off; } + $natent['barnconfigpassthru'] = $_POST['barnconfigpassthru'] ? 
base64_encode($_POST['barnconfigpassthru']) : $pconfig['barnconfigpassthru']; + if ($_POST['barnyard_enable'] == "on") + $natent['snortunifiedlog'] = 'on'; + else + $natent['snortunifiedlog'] = 'off'; + if (empty($_POST['barnyard_enable'])) + $natent['snortunifiedlog'] = 'off'; if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; + $a_nat[$id] = $natent; else { if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); + array_splice($a_nat, $after+1, 0, array($natent)); else - $a_nat[] = $natent; + $a_nat[] = $natent; } write_config(); + sync_snort_package_all($id, $if_real, $snort_uuid); + touch($d_snortconfdirty_path); /* after click go to this page */ - touch($d_snortconfdirty_path); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); @@ -422,12 +422,17 @@ echo " <td width="22%" valign="top" class="vncell2">Interface</td> <td width="78%" class="vtable"><select name="interface" class="formfld"> - <?php - $interfaces = array('wan' => 'WAN', 'lan' => 'LAN', 'pptp' => 'PPTP', 'pppoe' => 'PPPOE'); - for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { - $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; + <?php + if (function_exists('get_configured_interface_with_descr')) + $interfaces = get_configured_interface_with_descr(); + else { + $interfaces = array('wan' => 'WAN', 'lan' => 'LAN', 'pptp' => 'PPTP', 'pppoe' => 'PPPOE'); + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; + } } - foreach ($interfaces as $iface => $ifacename): ?> + foreach ($interfaces as $iface => $ifacename): + ?> <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>><?=htmlspecialchars($ifacename);?> </option> 
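Review bot: `$iface` is written into the `value` attribute unescaped while `$ifacename` on the same line goes through `htmlspecialchars()`; the keys come from `get_configured_interface_with_descr()` or the hard-coded map, so the risk is low, but the two outputs should be treated alike: `<option value="<?=htmlspecialchars($iface);?>"`. The `$iface == $pconfig['interface']` test is a loose comparison where `===` is meant. The preceding hunk of this file, which begins outside this view, also carries three copy-paste slips on its new side that are worth fixing in the same pass: the `performance` branch unsets `descr`, the `def_smtp_ports` branch unsets `def_mail_ports`, and the `def_telnet_servers` branch unsets `def_telnet_ports`.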
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index c4eb359c..233337a1 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -34,6 +34,9 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort_gui.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) + $config['installedpackages']['snortglobal']['alertsblocks'] = array(); + $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; @@ -46,17 +49,17 @@ if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') if($_POST['todelete'] or $_GET['todelete']) { if($_POST['todelete']) - $ip = $_POST['todelete']; + $ip = $_POST['todelete']; if($_GET['todelete']) - $ip = $_GET['todelete']; + $ip = $_GET['todelete']; exec("/sbin/pfctl -t snort2c -T delete {$ip}"); } if ($_POST['remove']) { - exec("/sbin/pfctl -t snort2c -T flush"); sleep(1); header("Location: /snort/snort_blocked.php"); + exit; } 
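Review bot: `$ip` is taken straight from `$_POST['todelete']` / `$_GET['todelete']` and interpolated unquoted into `exec("/sbin/pfctl -t snort2c -T delete {$ip}")`; the re-indent leaves that shell-injection path in place, and the GUI presumably runs with enough privilege for it to matter. Validate and quote before calling out: `if (!filter_var($ip, FILTER_VALIDATE_IP)) { $input_errors[] = 'Invalid address'; } else exec('/sbin/pfctl -t snort2c -T delete ' . escapeshellarg($ip));`. Accepting the delete via GET as well as POST also means a plain link performs a state change, so restricting this branch to POST is worth considering.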
@@ -72,25 +75,16 @@ if ($_POST['download']) $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); - if ($blocked_ips_array_save[0] != '') - { - + if ($blocked_ips_array_save[0] != '') { /* build the list */ - $counter = 0; - foreach($blocked_ips_array_save as $fileline3) - { - - $counter++; - - exec("/bin/echo $fileline3 >> /tmp/snort_blocked/snort_block.pf"); - - } + file_put_contents("/tmp/snort_blocked/snort_block.pf", ""); + foreach($blocked_ips_array_save as $counter => $fileline3) + file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline3}\n", FILE_APPEND); } exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); - if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) - { + if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) { $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); header("Pragma: private"); // needed for IE @@ -104,9 +98,8 @@ if ($_POST['download']) exec("/bin/rm /tmp/snort_block.pf"); exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); od_end_clean(); //importanr or other post will fail - }else{ + } else echo 'Error no saved file.'; - } } @@ -123,15 +116,11 @@ if ($_POST['save']) /* no errors */ if (!$input_errors) { - $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? on : off; $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; - conf_mount_rw(); write_config(); - //conf_mount_ro(); - sleep(2); - + header("Location: /snort/snort_blocked.php"); } 
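Review bot: The rewritten loop appends one line per `file_put_contents()` call and binds `$counter` from the array key without using it; a single write produces the same file: `file_put_contents("/tmp/snort_blocked/snort_block.pf", implode("\n", $blocked_ips_array_save) . "\n");`. Neither write's return value is checked, so a failed write still proceeds to the `tar` and serves an empty or stale archive. The working directory and the archive name (`$save_date` is set outside the hunk) are fixed, predictable paths under `/tmp`, which is the usual symlink-race shape on a shared host; a private directory or `tempnam()` would be safer.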
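Review bot: `od_end_clean()` on the context line after the two `rm` calls is not a PHP function (`ob_end_clean()` is), so this branch ends in a fatal undefined-function error on every download; the headers and file body have presumably already been sent by then, which would explain why it went unnoticed. Change it to `ob_end_clean();`, or `exit;` if the response is complete at that point, and fix the `importanr` typo in the trailing comment while here.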
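Review bot: `$_POST['brefresh'] ? on : off` on the context line still uses the bare constants `on`/`off` that this commit replaces with `'on'`/`'off'` elsewhere (for example `barnyard_enable` in snort_barnyard.php); in PHP 5 that is an undefined-constant notice that happens to yield the string, in later versions an Error. Write `$config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off';`. `$_POST['blertnumber']` is stored without a numeric check even though the code above treats `''` and `'0'` specially, and the `header("Location: ...")` added here is not followed by `exit;` as the `remove` branch earlier in this file now is, so the page keeps rendering after the redirect.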
@@ -146,24 +135,18 @@ function get_snort_alert_ip_src($fileline) $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - { $alert_ip_src = $matches4[1][0]; - } return $alert_ip_src; - } function get_snort_alert_disc($fileline) { /* disc */ if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - { $alert_disc = "$matches[2]"; - } return $alert_disc; - } /* build sec filters */ @@ -171,24 +154,18 @@ function get_snort_block_ip($fileline) { /* ip */ if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) - { $alert_block_ip = "$matches[0]"; - } return $alert_block_ip; - } function get_snort_block_disc($fileline) { /* disc */ if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) - { $alert_block_disc = "$matches[0]"; - } return $alert_block_disc; - } /* tell the user what settings they have */ @@ -247,10 +224,8 @@ include("fbegin.inc"); echo $snort_general_css; /* refresh every 60 secs */ -if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '') -{ +if ($pconfig['brefresh'] == 'on') echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n"; -} ?> <!-- hack to fix the hardcoed fbegin link in header --> @@ -362,9 +337,7 @@ if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '') $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); if (in_array("$alert_ip_src", $blocked_ips_array)) - { $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; - } } foreach($blocked_ips_array as $alert_block_ip) @@ -428,7 +401,7 @@ if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '') foreach($blocked_ips_array as $alert_block_ip) { if($logent <= $counter2) - continue; + continue; $counter2++; 
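Review bot: `$alert_ip_src` in get_snort_alert_ip_src and `$alert_disc` in get_snort_alert_disc are assigned only inside the `if (preg_match...)` branch, so on a non-matching line each function returns an undefined variable (a notice and `null`); the brace stripping keeps that. Initialise the result before the match, `$alert_ip_src = '';` as the first statement of the body and likewise `$alert_disc = '';`. get_snort_block_ip and get_snort_block_disc in the -171 hunk have the same pattern. get_snort_alert_ip_src's signature and `$re1` lie outside this hunk.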
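Review bot: Dropping `|| $pconfig['brefresh'] == ''` from the refresh test changes the default: a configuration that has never stored `brefresh` used to auto-refresh every 60 seconds and now does not. If that is intended, a one-line comment saying the unset case means "off" would stop the next reader from restoring it; otherwise keep the empty-string case.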
@@ -447,12 +420,10 @@ if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '') echo '</table>' . "\n"; - if ($blocked_ips_array[0] == '') - { + if (empty($blocked_ips_array[0])) echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; - }else{ + else echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; - } ?> </td> diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc index a20b42b4..be16c519 100644 --- a/config/snort/snort_check_cron_misc.inc +++ b/config/snort/snort_check_cron_misc.inc @@ -44,13 +44,11 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortloglimit = $config['installedpackages']['snortglobal']['snortloglimit']; $snortloglimitsize = $config['installedpackages']['snortglobal']['snortloglimitsize']; -if ($g['booting']==true) { - exit(0); -} +if ($g['booting']==true) + return; -if ($snortloglimit == 'off') { - exit(0); -} +if ($snortloglimit == 'off') + return; $snortloglimitDSKsize = exec('/bin/df -k /var | grep -v "Filesystem" | awk \'{print $4}\''); diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index f9975ce8..4f87f1f9 100644 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php 
@@ -40,18 +40,20 @@ require_once("/usr/local/pkg/snort/snort.inc"); function read_header2($ch, $string) { global $file_size, $fout; + $length = strlen($string); $regs = ""; ereg("(Content-Length:) (.*)", $string, $regs); - if($regs[2] <> "") { + if($regs[2] <> "") $file_size = intval($regs[2]); - } + ob_flush(); return $length; } function read_body2($ch, $string) { global $fout, $file_size, $downloaded, $sendto, $static_status, $static_output, $lastseen, $pkg_interface; + $length = strlen($string); $downloaded += intval($length); $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); @@ -77,6 +79,7 @@ function read_body2($ch, $string) { function read_body_firmware($ch, $string) { global $fout, $file_size, $downloaded, $counter, $version, $latest_version, $current_installed_pfsense_version; + $length = strlen($string); $downloaded += intval($length); $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); @@ -101,6 +104,7 @@ function read_body_firmware($ch, $string) { function download_file_with_progress_bar2($url_file, $destination_file, $readbody = 'read_body') { global $ch, $fout, $file_size, $downloaded; + $file_size = 1; $downloaded = 1; /* open destination file */ @@ -173,13 +177,6 @@ echo "\n\n"; exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Checking for needed updates...'"); -/* Begin main code */ -conf_mount_rw(); - -if (!file_exists('/usr/local/etc/snort/tmp')) { - exec('/bin/mkdir -p /usr/local/etc/snort/tmp'); -} - /* Set user agent to Mozilla */ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); ini_set("memory_limit","150M"); @@ -191,12 +188,8 @@ $config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS- ob_flush(); conf_mount_rw(); -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - /* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { +if (is_dir("{$tmpfname}")) { echo 'Removing old tmp files...' . "\n"; exec("/bin/rm -r {$tmpfname}"); apc_clear_cache(); 
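Review bot: read_header2 still parses the header with `ereg()`, deprecated since PHP 5.3 and removed in 7, followed by a loose `<> ""` test; `if (preg_match('/(Content-Length:) (.*)/i', $string, $regs)) $file_size = intval($regs[2]);` keeps the same capture index. A missing or zero Content-Length leaves `$file_size` at the value set before the transfer, and a literal `0` header would make the `$downloaded / $file_size` division in read_body2 fault, so guard with `if ($file_size < 1) $file_size = 1;`. The `ob_flush()` added into the header callback runs once per header line; a short comment on why it is there would help. read_body2's body continues past the hunk.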
@@ -208,22 +201,17 @@ exec("/bin/mkdir -p {$snortdir}/rules"); exec("/bin/mkdir -p {$snortdir}/signatures"); exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules/"); -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - /* If tmp dir does not exist create it */ -if (file_exists($tmpfname)) { +if (is_dir($tmpfname)) echo 'The directory tmp exists...' . "\n"; -} else { - mkdir("{$tmpfname}", 700); -} +else + @mkdir("{$tmpfname}", 700); /* download md5 sig from snort.org */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename_md5}") && - filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { + filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { echo 'snort.org md5 temp file exists...' . "\n"; } else { echo 'Downloading snort.org md5 file...' . "\n"; @@ -271,7 +259,7 @@ if ($snortdownload == 'on') echo 'Please wait... You may only check for New Rules every 15 minutes...' . "\n"; echo 'Rules are released every month from snort.org. You may download the Rules at any time.' . "\n"; conf_mount_ro(); - exit(0); + return; } } @@ -282,7 +270,7 @@ if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ echo 'Please wait... You may only check for New Pfsense Rules every 15 minutes...' . "\n"; echo 'Rules are released to support Pfsense packages.' . "\n"; conf_mount_ro(); - exit(0); + return; } /* Check if were up to date snort.org */ @@ -294,9 +282,6 @@ if ($snortdownload == 'on') $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - write_config(); // Will cause switch back to read-only on nanobsd - conf_mount_rw(); if ($md5_check_new == $md5_check_old) { echo 'Your rules are up to date...' . "\n"; 
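Review bot: `@mkdir("{$tmpfname}", 700)` passes decimal 700 (octal 1274: sticky bit, owner write-only, group rwx, world read), not `0700`, and the added `@` hides any failure, including the one that follows if `$tmpfname` (set outside the hunk) lives under `/usr/local/etc/snort/tmp`, since the -173 hunk removed the `mkdir -p` that created that parent. `if (!is_dir($tmpfname) && !mkdir($tmpfname, 0700, true)) { echo "Unable to create {$tmpfname}\n"; return; }` creates the parent when needed and reports instead of suppressing.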
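Review bot: The md5 comparison in the -294 hunk builds `` `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'` `` from the contents of a file fetched over plain HTTP, so `$`, backticks or quotes in that file are interpreted by the shell before the checksum is ever compared. Extracting the first token in PHP removes the shell entirely: `$md5_check_new = strtok(trim($md5_check_new_parse), " ");` and the same for `$md5_check_old`. The -315 and -334 hunks in this file use the identical construction for the Emerging Threats and pfSense md5 files.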
@@ -315,14 +300,8 @@ if ($emergingthreats == "on") $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - // Will cause switch back to read-only on nanobsd - write_config(); - conf_mount_rw(); if ($emerg_md5_check_new == $emerg_md5_check_old) - { $emerg_md5_check_ok = on; - } } } @@ -334,13 +313,8 @@ if (file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ - // Will cause switch back to read-only on nanobsd - write_config(); - conf_mount_rw(); if ($pfsense_md5_check_new == $pfsense_md5_check_old) - { $pfsense_md5_check_ok = on; - } } /* Check if were up to date is so, exit */ @@ -352,7 +326,7 @@ if ($snortdownload == 'on' && $emergingthreats == 'on') echo 'All your rules are up to date...' . "\n"; echo 'You may start Snort now...' . "\n"; conf_mount_ro(); - exit(0); + return; } } @@ -363,7 +337,7 @@ if ($snortdownload == 'on' && $emergingthreats == 'off') echo 'Your snort.org rules are up to date...' . "\n"; echo 'You may start Snort now...' . "\n"; conf_mount_ro(); - exit(0); + return; } } @@ -374,7 +348,7 @@ if ($snortdownload == 'off' && $emergingthreats == 'on') echo 'Your Emergingthreats rules are up to date...' . "\n"; echo 'You may start Snort now...' . "\n"; conf_mount_ro(); - exit(0); + return; } } 
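Review bot: `$emerg_md5_check_ok = on;` (and `$pfsense_md5_check_ok = on;` in the -334 hunk) still assigns the bare constant while this commit rewrites the consumers in oinkmaster_conf and oinkmaster_run to compare against the string `'on'`; in PHP 5 the undefined constant degrades to the string with a notice, in later versions it is an Error. Write `$emerg_md5_check_ok = 'on';` and `$pfsense_md5_check_ok = 'on';` so the flag and its comparison agree.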
@@ -397,14 +371,13 @@ if ($snortdownload == 'on') } else { echo 'There is a new set of Snort.org rules posted. Downloading...' . "\n"; echo 'May take 4 to 10 min...' . "\n"; - conf_mount_rw(); download_file_with_progress_bar2("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); echo 'Done downloading rules file.' . "\n"; if (150000 > filesize("{$tmpfname}/$snort_filename")){ echo 'Error with the snort rules download...' . "\n"; echo 'Snort rules file downloaded failed...' . "\n"; conf_mount_ro(); - exit(0); + return; } } } @@ -477,7 +450,7 @@ if ($snortdownload == 'on') { $freebsd_version_so = 'FreeBSD-7-2'; }else{ - $freebsd_version_so = 'FreeBSD-8-0'; + $freebsd_version_so = 'FreeBSD-8-1'; } echo 'Extracting Snort.org rules...' . "\n"; @@ -686,13 +659,11 @@ exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/r /* open oinkmaster_conf for writing" function */ function oinkmaster_conf($id, $if_real, $iface_uuid) { - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - conf_mount_rw(); /* enable disable setting will carry over with updates */ /* TODO carry signature changes with the updates */ - if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) { + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { $enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; 
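Review bot: Removing the `global` line from oinkmaster_conf leaves `$config`, `$snort_md5_check_ok`, `$emerg_md5_check_ok` and `$pfsense_md5_check_ok` as undefined locals inside the function, unless a `global` statement was re-added outside the hunk: the rewritten `!= 'on'` test is then always true and `$config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']` reads `null`, so the "enable/disable settings carry over" logic silently never runs. Restore `global $config, $g, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok;` (plus whatever else the body below uses) — dropping only the parameters `$id` and `$if_real` from it is presumably what the removal intended. oinkmaster_run in the next hunk has the same removal. The function body continues past the hunk.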
@@ -744,11 +715,9 @@ EOD; /* TODO add per interface settings here */ function oinkmaster_run($id, $if_real, $iface_uuid) { - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - conf_mount_rw(); - if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { if ($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'] == '' && $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'] == '') @@ -783,19 +752,15 @@ function oinkmaster_run($id, $if_real, $iface_uuid) /* Start the proccess for every interface rule */ /* TODO: try to make the code smother */ - -if (!empty($config['installedpackages']['snortglobal']['rule'])) +if (is_array($config['installedpackages']['snortglobal']['rule'])) { $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) { + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { - $id += 1; - - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $result_lan = $value['interface']; $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - $iface_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + $iface_uuid = $value['uuid']; /* make oinkmaster.conf for each interface rule */ oinkmaster_conf($id, $if_real, $iface_uuid); 
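Review bot: The loop no longer maintains `$id` (the `$id = -1;` / `$id += 1;` pair is removed) yet `oinkmaster_conf($id, $if_real, $iface_uuid)` is still called with it, so every interface is processed with whatever `$id` held before the loop — undefined, or a stale value from earlier in the script. Iterate with the key: `foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {`. `$rule_array` on the line above is assigned but no longer read and can go. The loop body continues past the hunk.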
@@ -810,9 +775,11 @@ if (!empty($config['installedpackages']['snortglobal']['rule'])) /* mark the time update finnished */ $config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); +write_config(); /* XXX */ +conf_mount_rw(); /* remove old $tmpfname files */ -if (file_exists('/usr/local/etc/snort/tmp')) +if (is_dir('/usr/local/etc/snort/tmp')) { echo 'Cleaning up...' . "\n"; exec("/bin/rm -r /usr/local/etc/snort/tmp/snort_rules_up"); diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 7a9ed2da..735ea78f 100644 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -54,7 +54,7 @@ $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) -$id = $_POST['id']; + $id = $_POST['id']; if (isset($_GET['dup'])) { $id = $_GET['dup']; @@ -223,26 +223,25 @@ if ($_POST["Submit"]) { if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; + $a_nat[$id] = $natent; else { if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); + array_splice($a_nat, $after+1, 0, array($natent)); else - $a_nat[] = $natent; + $a_nat[] = $natent; } write_config(); - /* after click go to this page */ - + sync_snort_package_all($id, $if_real, $snort_uuid); touch($d_snortconfdirty_path); + /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: snort_define_servers.php?id=$id"); 
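Review bot: `write_config(); /* XXX */` followed by `conf_mount_rw();` reads as an open question, but the reason is in the comments this commit deleted a few hunks up (`// Will cause switch back to read-only on nanobsd`); keep that knowledge in place: `write_config(); /* write_config() leaves the config slice read-only on nanobsd; re-acquire rw for the cleanup below */`.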
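Review bot: `$id` is read from `$_GET['id']` / `$_POST['id']` at the top of this file without a numeric check, and this hunk uses it both as the `$a_nat[$id]` index that gets overwritten and in `header("Location: snort_define_servers.php?id=$id")`; snort_interfaces_edit.php in this same commit adds `if (!is_numeric($id)) $id = 0; /* XXX: Safety belt */`, and the same guard belongs here for consistency. The added `sync_snort_package_all($id, $if_real, $snort_uuid)` relies on `$if_real` and `$snort_uuid` being set earlier in the file, outside the hunk.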
@@ -254,16 +253,9 @@ if ($_POST["Submit"]) { if ($_POST['apply']) { if (file_exists($d_snortconfdirty_path)) { - - write_config(); - - sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); - unlink($d_snortconfdirty_path); - } - } $pgtitle = "Snort: Interface $id$if_real Define Servers"; diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index 531312cc..b5db0857 100644 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -39,18 +39,12 @@ global $g; $id = $_GET['id']; if (isset($_POST['id'])) -$id = $_POST['id']; + $id = $_POST['id']; if (!is_array($config['installedpackages']['snortglobal']['rule'])) -$config['installedpackages']['snortglobal']['rule'] = array(); - + $config['installedpackages']['snortglobal']['rule'] = array(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; - -if (isset($config['installedpackages']['snortglobal']['rule'])) { - $id_gen = count($config['installedpackages']['snortglobal']['rule']); -}else{ - $id_gen = '0'; -} +$id_gen = count($config['installedpackages']['snortglobal']['rule']); /* alert file */ $d_snortconfdirty_path_ls = exec('/bin/ls /var/run/snort_conf_*.dirty'); @@ -59,20 +53,17 @@ $d_snortconfdirty_path_ls = exec('/bin/ls /var/run/snort_conf_*.dirty'); if ($_POST['apply']) { if ($d_snortconfdirty_path_ls != '') { - - write_config(); - + sync_snort_package_empty(); sync_snort_package(); - + exec('/bin/rm /var/run/snort_conf_*.dirty'); - + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: /snort/snort_interfaces.php"); exit; 
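Review bot: `$d_snortconfdirty_path_ls = exec('/bin/ls /var/run/snort_conf_*.dirty')` in the snort_interfaces.php -39 hunk shells out where `glob()` answers the only question asked of it (is anything dirty) in-process and without `ls` complaining to stderr when nothing matches: `$d_snortconfdirty_path_ls = implode(' ', glob('/var/run/snort_conf_*.dirty'));`. The `exec('/bin/rm /var/run/snort_conf_*.dirty')` in the -59 hunk can likewise become `foreach (glob('/var/run/snort_conf_*.dirty') as $f) unlink($f);`.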
@@ -81,11 +72,11 @@ if ($_POST['apply']) { } - - if (isset($_POST['del_x'])) { /* delete selected rules */ - if (is_array($_POST['rule']) && count($_POST['rule'])) { + if (is_array($_POST['rule'])) { + conf_mount_rw(); + foreach ($_POST['rule'] as $rulei) { /* convert fake interfaces to real */ @@ -157,17 +148,15 @@ if (isset($_POST['del_x'])) { } } - + /* for every iface do these steps */ - conf_mount_rw(); exec("/bin/rm /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*"); exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); - - conf_mount_ro(); - + unset($a_nat[$rulei]); } + conf_mount_ro(); write_config(); sleep(2); @@ -188,17 +177,15 @@ if (isset($_POST['del_x'])) { header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: /snort/snort_interfaces.php"); - //exit; + exit; } } /* start/stop snort */ -if ($_GET['act'] == 'toggle' && $_GET['id'] != '') -{ +if ($_GET['act'] == 'toggle' && is_numeric($id)) { $if_real = convert_friendly_interface_to_real_interface_name2($config['installedpackages']['snortglobal']['rule'][$id]['interface']); $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; @@ -220,7 +207,6 @@ if ($_GET['act'] == 'toggle' && $_GET['id'] != '') header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: /snort/snort_interfaces.php"); }else{ @@ -235,9 +221,9 @@ if ($_GET['act'] == 'toggle' && $_GET['id'] != '') header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: /snort/snort_interfaces.php"); } + exit; } diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 5ac9c186..26aeb60f 100644 
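Review bot: `$rulei` comes from `$_POST['rule']` and the loop goes on to use it as the `$a_nat[$rulei]` index (and presumably to derive the uuid and interface name interpolated into the `rm` commands in the -157 hunk), but nothing checks that it is a numeric key that exists. Add as the first statement of the loop body: `if (!is_numeric($rulei) || !isset($a_nat[$rulei])) continue;`. Dropping the `count($_POST['rule'])` test is fine, but `conf_mount_rw()` / `conf_mount_ro()` now bracket an empty selection too. The loop body continues past the hunk and closes in the -157 hunk.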
--- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -36,15 +36,15 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g; -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { +if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); -} -//nat_rules_sort(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) -$id = $_POST['id']; + $id = $_POST['id']; +if (!is_numeric($id)) + $id = 0; /* XXX: Safety belt */ if (isset($_GET['dup'])) { $id = $_GET['dup']; @@ -65,7 +65,7 @@ if (isset($_GET['dup'])) { //} /* gen uuid for each iface !inportant */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['uuid'] == '') { + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]) && !empty($config['installedpackages']['snortglobal']['rule'][$id]['uuid'])) { //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); $snort_uuid = 0; while ($snort_uuid > 65535 || $snort_uuid == 0) { @@ -77,9 +77,8 @@ if (isset($_GET['dup'])) { /* convert fake interfaces to real */ $if_real = convert_friendly_interface_to_real_interface_name2($a_nat[$id]['interface']); - if ($config['installedpackages']['snortglobal']['rule'][$id]['uuid'] != '') { + if ($config['installedpackages']['snortglobal']['rule'][$id]['uuid'] != '') $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - } if (isset($id) && $a_nat[$id]) { 
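Review bot: The `is_numeric` safety belt sits before `if (isset($_GET['dup'])) { $id = $_GET['dup'];`, so a non-numeric `dup` value still reaches `$a_nat[$id]` unchecked; move the guard below the `dup` assignment or apply it to both. Defaulting a missing id to `0` also makes a request without an id indistinguishable from an edit of rule 0 in the later `isset($id) && $a_nat[$id]` save path, so a new entry could overwrite the first one if the add link ever omits the id — worth confirming against snort_interfaces.php, which computes `$id_gen = count(...)` for that purpose.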
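Review bot: The rewritten condition generates a uuid when one already exists (`!empty(...['uuid'])`) and skips generation when it is missing — the inverse of the removed `== ''` test and of the `gen uuid for each iface` comment above it. Since the -77 hunk then re-reads the stored uuid, an existing rule gets a throw-away uuid and a new rule gets none. It should read `if (empty($config['installedpackages']['snortglobal']['rule'][$id]['uuid'])) {`, which also covers the missing-row case the added `!empty($config[...][$id])` was guarding. The `while` loop body continues past the hunk.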
@@ -169,34 +168,25 @@ if (isset($_GET['dup'])) { if (file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { - write_config(); - $if_real = convert_friendly_interface_to_real_interface_name2($a_nat[$id]['interface']); sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); - + unlink("/var/run/snort_conf_{$snort_uuid}_.dirty"); - } if (file_exists($d_snortconfdirty_path)) { - - write_config(); - + sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); unlink($d_snortconfdirty_path); - } - } if ($_POST["Submit"]) { - - // if ($config['installedpackages']['snortglobal']['rule']) { if ($_POST['descr'] == '' && $pconfig['descr'] == '') { $input_errors[] = "Please enter a description for your reference."; @@ -205,27 +195,25 @@ if (isset($_GET['dup'])) { if ($id == "" && $config['installedpackages']['snortglobal']['rule'][0]['interface'] != "") { $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id_c = -1; - foreach ($rule_array as $value) { - - $id_c += 1; + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id_c]['interface']; + $result_lan = $value['interface']; $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - if ($_POST['interface'] == $result_lan) { + if ($_POST['interface'] == $result_lan) $input_errors[] = "Interface $result_lan is in use. Please select another interface."; - } } } - /* check for overlaps */ + /* XXX: Void code + * check for overlaps foreach ($a_nat as $natent) { if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) - continue; + continue; if ($natent['interface'] != $_POST['interface']) - continue; + continue; } + */ /* if no errors write to conf */ if (!$input_errors) { 
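Review bot: In the -205 hunk `$rule_array` is assigned on the line above the rewritten `foreach` but no longer read, and `$if_real` is computed inside the loop without being used; both can go. Fencing the overlap check with `/* XXX: Void code` keeps dead code in the file — delete it rather than comment it out. Note the in-use check only runs when `$id == ""`, so editing an existing rule onto an interface another rule already uses is not rejected; that is pre-existing, but the rewrite is the moment to drop the `$id == ""` condition and skip the rule's own entry instead.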
@@ -233,22 +221,29 @@ if (isset($_GET['dup'])) { /* write to conf for 1st time or rewrite the answer */ $natent['interface'] = $_POST['interface'] ? $_POST['interface'] : $pconfig['interface']; + /* if post write to conf or rewite the answer */ - $natent['enable'] = $_POST['enable'] ? on : off; + $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; $natent['descr'] = $_POST['descr'] ? $_POST['descr'] : $pconfig['descr']; $natent['performance'] = $_POST['performance'] ? $_POST['performance'] : $pconfig['performance']; /* if post = on use on off or rewrite the conf */ - if ($_POST['blockoffenders7'] == "on") { $natent['blockoffenders7'] = on; }else{ $natent['blockoffenders7'] = off; } if ($_POST['enable'] == "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } + if ($_POST['blockoffenders7'] == "on") + $natent['blockoffenders7'] = 'on'; + else + $natent['blockoffenders7'] = 'off'; + if ($_POST['enable'] == "") + $natent['blockoffenders7'] = $pconfig['blockoffenders7']; $natent['whitelistname'] = $_POST['whitelistname'] ? $_POST['whitelistname'] : $pconfig['whitelistname']; $natent['homelistname'] = $_POST['homelistname'] ? $_POST['homelistname'] : $pconfig['homelistname']; $natent['externallistname'] = $_POST['externallistname'] ? $_POST['externallistname'] : $pconfig['externallistname']; $natent['suppresslistname'] = $_POST['suppresslistname'] ? $_POST['suppresslistname'] : $pconfig['suppresslistname']; $natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? 
$_POST['snortalertlogtype'] : $pconfig['snortalertlogtype']; - if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = on; }else{ $natent['alertsystemlog'] = off; } if ($_POST['enable'] == "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } - if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = on; }else{ $natent['tcpdumplog'] = off; } if ($_POST['enable'] == "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } - if ($_POST['snortunifiedlog'] == "on") { $natent['snortunifiedlog'] = on; }else{ $natent['snortunifiedlog'] = off; } if ($_POST['enable'] == "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } - $natent['configpassthru'] = base64_encode($_POST['configpassthru']) ? base64_encode($_POST['configpassthru']) : $pconfig['configpassthru']; + if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = 'on'; }else{ $natent['alertsystemlog'] = 'off'; } + if ($_POST['enable']) { $natent['alertsystemlog'] = 'on'; } else unset($natent['alertsystemlog']); + if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = 'on'; }else{ $natent['tcpdumplog'] = 'off'; } + if ($_POST['snortunifiedlog'] == "on") { $natent['snortunifiedlog'] = 'on'; }else{ $natent['snortunifiedlog'] = 'off'; } + $natent['configpassthru'] = $_POST['configpassthru'] ? base64_encode($_POST['configpassthru']) : $pconfig['configpassthru']; /* if optiion = 0 then the old descr way will not work */ /* rewrite the options that are not in post */ @@ -327,7 +322,6 @@ if (isset($_GET['dup'])) { header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: /snort/snort_interfaces_edit.php?id=$id"); exit; 
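Review bot: The new line `if ($_POST['enable']) { $natent['alertsystemlog'] = 'on'; } else unset($natent['alertsystemlog']);` clobbers the checkbox value computed on the line just before it: whenever the interface is enabled, alert-to-syslog is forced on regardless of the form, and when it is disabled the key is removed instead of being kept from `$pconfig`. The removed fallback should come back in quoted form, `if ($_POST['enable'] == "") $natent['alertsystemlog'] = $pconfig['alertsystemlog'];`. `tcpdumplog` and `snortunifiedlog` lost the same keep-previous fallback in this hunk; if that was not intended they need the matching line. The enclosing `if (!$input_errors)` block continues past the hunk.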
@@ -347,8 +341,8 @@ if (isset($_GET['dup'])) { header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: /snort/snort_interfaces_edit.php?id=$id"); + exit; } if ($_POST["Submit3"]) @@ -361,8 +355,8 @@ if (isset($_GET['dup'])) { header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: /snort/snort_interfaces_edit.php?id=$id"); + exit; } @@ -372,21 +366,17 @@ if (isset($_GET['dup'])) { $snort_up_ck2_info = Running_Ck($snort_uuid, $if_real, $id); - if ($snort_up_ck2_info == 'no') { + if ($snort_up_ck2_info == 'no') $snort_up_ck = '<input name="Submit2" type="submit" class="formbtn" value="Start" onClick="enable_change(true)">'; - }else{ + else $snort_up_ck = '<input name="Submit3" type="submit" class="formbtn" value="Stop" onClick="enable_change(true)">'; - } - - }else{ + } else $snort_up_ck = ''; - } - $pgtitle = "Snort: Interface Edit: $id $snort_uuid $if_real"; include("/usr/local/pkg/snort/snort_head.inc"); - ?> +?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); 
@@ -473,31 +463,20 @@ echo " <td class="tabnavtbl"><?php if ($a_nat[$id]['interface'] != '') { /* get the interface name */ - $first = 0; $snortInterfaces = array(); /* -gtm */ $if_list = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_array = split(',', $if_list); - //print_r($if_array); if($if_array) { foreach($if_array as $iface2) { - $if2 = convert_friendly_interface_to_real_interface_name2($iface2); - - if(isset($config['interfaces'][$iface2]['ipaddr']) && ($config['interfaces'][$iface2]['ipaddr'] == "pppoe")) { - $if2 = "ng0"; - } - /* build a list of user specified interfaces -gtm */ - if($if2){ + $if2 = convert_friendly_interface_to_real_interface_name2($iface2); + if ($if2) array_push($snortInterfaces, $if2); - $first = 1; - } } - if (count($snortInterfaces) < 1) { + if (count($snortInterfaces) < 1) log_error("Snort will not start. You must select an interface for it to listen on."); - return; - } } } @@ -599,7 +578,7 @@ echo " <td width="22%" valign="top" class="vncell2">Home net</td> <td width="78%" class="vtable"><select name="homelistname" class="formfld" id="homelistname"> - <?php + <?php /* find whitelist names and filter by type */ $hlist_select = $config['installedpackages']['snortglobal']['whitelist']['item']; $hid = -1; @@ -617,11 +596,10 @@ echo " }else{ echo "<option value=\"$ilistname $whitelist_uuid\">"; } - echo htmlspecialchars($ilistname) . '</option> - '; + echo htmlspecialchars($ilistname) . '</option>'; } endforeach; - ?> + ?> </select><br> <span class="vexpl">Choose the home net you will like this rule to use. </span> <span class="red">Note:</span> Default home @@ -633,7 +611,7 @@ echo " <td width="22%" valign="top" class="vncell2">External net</td> <td width="78%" class="vtable"><select name="externallistname" class="formfld" id="externallistname"> - <?php + <?php /* find whitelist names and filter by type */ $exlist_select = $config['installedpackages']['snortglobal']['whitelist']['item']; $exid = -1; 
@@ -655,7 +633,7 @@ echo " '; } endforeach; - ?> + ?> </select><br> <span class="vexpl">Choose the external net you will like this rule to use. </span> <span class="red">Note:</span> Default @@ -676,7 +654,7 @@ echo " <td width="22%" valign="top" class="vncell2">Whitelist</td> <td width="78%" class="vtable"><select name="whitelistname" class="formfld" id="whitelistname"> - <?php + <?php /* find whitelist names and filter by type, make sure to track by uuid */ $wlist_select = $config['installedpackages']['snortglobal']['whitelist']['item']; $wid = -1; @@ -698,7 +676,7 @@ echo " '; } endforeach; - ?> + ?> </select><br> <span class="vexpl">Choose the whitelist you will like this rule to use. </span> <span class="red">Note:</span> Default @@ -710,7 +688,7 @@ echo " filtering</td> <td width="78%" class="vtable"><select name="suppresslistname" class="formfld" id="suppresslistname"> - <?php + <?php /* find whitelist names and filter by type, make sure to track by uuid */ $slist_select = $config['installedpackages']['snortglobal']['suppress']['item']; $sid = -1; @@ -730,7 +708,7 @@ echo " echo htmlspecialchars($ilistname) . '</option> '; endforeach; - ?> + ?> </select><br> <span class="vexpl">Choose the suppression or filtering file you will like this rule to use. </span> <span class="red">Note:</span> Default diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index f06dd2a7..0fbc29ae 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -56,21 +56,15 @@ $pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['for if ($_POST['apply']) { if (file_exists("$d_snort_global_dirty_path")) { - conf_mount_rw(); - + /* create whitelist and homenet file then sync files */ sync_snort_package_empty(); sync_snort_package(); unlink("$d_snort_global_dirty_path"); - - write_config(); - conf_mount_ro(); } } - - /* if no errors move foward */ if (!$input_errors) { 
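Review bot: The apply path in snort_interfaces_global.php now calls `sync_snort_package_empty()`, `sync_snort_package()` and `unlink()` without the `conf_mount_rw()`/`conf_mount_ro()` pair that was removed around them; on installs whose root filesystem is mounted read-only those writes fail unless the sync helpers remount on their own, which is not visible from this diff. If the helpers do handle mounting, a one-line comment above the `file_exists` check, e.g. `/* sync helpers handle conf_mount_rw/ro themselves */`, would stop the next reader from re-adding the calls.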
@@ -78,20 +72,16 @@ if (!$input_errors) { $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; - $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? on : off; + $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit']; $config['installedpackages']['snortglobal']['snortloglimitsize'] = $_POST['snortloglimitsize']; $config['installedpackages']['snortglobal']['autorulesupdate7'] = $_POST['autorulesupdate7']; $config['installedpackages']['snortglobal']['snortalertlogtype'] = $_POST['snortalertlogtype']; - $config['installedpackages']['snortglobal']['forcekeepsettings'] = $_POST['forcekeepsettings'] ? on : off; - - write_config(); - sleep(2); + $config['installedpackages']['snortglobal']['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off'; $retval = 0; - $snort_snortloglimit_info_ck = $config['installedpackages']['snortglobal']['snortloglimit']; if ($snort_snortloglimit_info_ck == 'on') { snort_snortloglimit_install_cron(''); @@ -106,9 +96,9 @@ if (!$input_errors) { /* set the snort block hosts time IMPORTANT */ $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; if ($snort_rm_blocked_info_ck == "never_b") - $snort_rm_blocked_false = ""; + $snort_rm_blocked_false = ""; else - $snort_rm_blocked_false = "true"; + $snort_rm_blocked_false = "true"; if ($snort_rm_blocked_info_ck != "") { 
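Review bot: The values copied from `$_POST` into `$config['installedpackages']['snortglobal']` in this hunk are stored without any validation even though the block is already gated on `$input_errors`: `snortloglimitsize` should be checked numeric, and `rm_blocked`/`autorulesupdate7` checked against the interval names the cron installer understands, since both are read back a few lines later to decide whether a cron job is installed. A check such as `if ($_POST['snortloglimit'] == 'on' && !is_numeric($_POST['snortloglimitsize'])) $input_errors[] = "Log limit size must be numeric.";` placed before the `if (!$input_errors)` line (above the hunk) would cover the first. With `write_config()` removed here, the assignments persist only if a later call in this block does it; that call is not visible in the hunk.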
@@ -119,9 +109,9 @@ if (!$input_errors) { /* set the snort rules update time */ $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; if ($snort_rules_up_info_ck == "never_up") - $snort_rules_up_false = ""; + $snort_rules_up_false = ""; else - $snort_rules_up_false = "true"; + $snort_rules_up_false = "true"; if ($snort_rules_up_info_ck != "") { @@ -143,7 +133,7 @@ if (!$input_errors) { header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); header("Location: /snort/snort_interfaces_global.php"); - + exit; } } @@ -151,10 +141,7 @@ if (!$input_errors) { if ($_POST["Reset"]) { function snort_deinstall_settings() { - global $config, $g, $id, $if_real; - conf_mount_rw(); - exec("/usr/usr/bin/killall snort"); sleep(2); 
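Review bot: Removing `global $config, $g, $id, $if_real;` from `snort_deinstall_settings()` without a replacement makes `$config` a function-local variable, so the `unset($config['installedpackages']['snortglobal'])` later in the same function (next hunk) operates on an undefined local and the `write_config()` that follows persists the untouched global settings, leaving the Reset ineffective; the hunk's 10-to-7 line count shows no `+` line took its place. Restore `global $config, $g;` as the first statement of the function (the `$id`/`$if_real` globals are not used in the visible body; the nested `snort_deinstall_cron` declares its own). The function body continues in the next hunk.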
@@ -166,100 +153,54 @@ if ($_POST["Reset"]) { sleep(2); /* Remove snort cron entries Ugly code needs smoothness*/ - function snort_rm_blocked_deinstall_cron($should_install) - { - global $config, $g; - conf_mount_rw(); - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) - { - if (strstr($item['command'], "snort2c")) - { - $is_installed = true; - break; + if (!function_exists('snort_deinstall_cron')) { + function snort_deinstall_cron($cronmatch) { + global $config, $g; + + + if(!$config['cron']['item']) + return; + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; } - - $x++; - - } - if($is_installed == true) - { - if($x > 0) - { + if($is_installed == true) unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } configure_cron(); - } - conf_mount_ro(); - } - function snort_rules_up_deinstall_cron($should_install) - { - global $config, $g; - conf_mount_rw(); - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - } - - snort_rm_blocked_deinstall_cron(""); - snort_rules_up_deinstall_cron(""); + snort_deinstall_cron("snort2c"); + snort_deinstall_cron("snort_check_for_rule_updates.php"); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ /* Keep this as a last step */ unset($config['installedpackages']['snortglobal']); - write_config(); - conf_mount_rw(); /* remove all snort iface dir */ exec('rm -r /usr/local/etc/snort/snort_*'); exec('rm /var/log/snort/*'); - conf_mount_ro(); - + 
write_config(); } snort_deinstall_settings(); + write_config(); /* XXX */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); header("Location: /snort/snort_interfaces_global.php"); - exit; } diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index 0ee1f0c2..dfa890b6 100644 --- a/config/snort/snort_interfaces_suppress.php +++ b/config/snort/snort_interfaces_suppress.php @@ -40,17 +40,12 @@ require_once("/usr/local/pkg/snort/snort_gui.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) -$config['installedpackages']['snortglobal']['suppress']['item'] = array(); - -//aliases_sort(); << what ? + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; - -if (isset($config['installedpackages']['snortglobal']['suppress']['item'])) { - $id_gen = count($config['installedpackages']['snortglobal']['suppress']['item']); -}else{ - $id_gen = '0'; -} +$id_gen = count($config['installedpackages']['snortglobal']['suppress']['item']); $d_suppresslistdirty_path = '/var/run/snort_suppress.dirty'; 
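Review bot: The new `snort_deinstall_cron($cronmatch)` takes a match string but its loop still tests `strstr($item['command'], "snort2c")`, so the second call `snort_deinstall_cron("snort_check_for_rule_updates.php")` can only ever remove another snort2c entry and the rule-update cron job survives a Reset; the loop line should read `if (strstr($item['command'], $cronmatch)) {`. The Reset handler also loses its `exit;` after `header("Location: /snort/snort_interfaces_global.php");` while the rest of this commit adds that `exit;` elsewhere, so the page keeps rendering after the redirect header; restore it. `write_config()` is now called both at the end of `snort_deinstall_settings()` and again right after the call (`/* XXX */`); one of the two can go.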
@@ -62,13 +57,13 @@ if ($_POST) { $retval = 0; if(stristr($retval, "error") <> true) - $savemsg = get_std_save_message($retval); + $savemsg = get_std_save_message($retval); else - $savemsg = $retval; - if ($retval == 0) { - if (file_exists($d_suppresslistdirty_path)) + $savemsg = $retval; + if (file_exists($d_suppresslistdirty_path)) unlink($d_suppresslistdirty_path); - } + + filter_configure(); } } @@ -78,7 +73,6 @@ if ($_GET['act'] == "del") { unset($a_suppress[$_GET['id']]); write_config(); - filter_configure(); touch($d_suppresslistdirty_path); header("Location: /snort/snort_interfaces_suppress.php"); exit; diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 41277787..eb406ac5 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php 
@@ -39,28 +39,33 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort_gui.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) -$config['installedpackages']['snortglobal']['suppress']['item'] = array(); - + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; $id = $_GET['id']; if (isset($_POST['id'])) -$id = $_POST['id']; + $id = $_POST['id']; +if (!is_numeric($id)) + $id = 0; // XXX: safety belt /* gen uuid for each iface !inportant */ -if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] == '') { - //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); - $suppress_uuid = 0; - while ($suppress_uuid > 65535 || $suppress_uuid == 0) { - $suppress_uuid = mt_rand(1, 65535); - $pconfig['uuid'] = $suppress_uuid; +if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'][$id])) { + if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] == '') { + //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); + $suppress_uuid = 0; + while ($suppress_uuid > 65535 || $suppress_uuid == 0) { + $suppress_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $suppress_uuid; + } } -} -if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] != '') { - $suppress_uuid = $config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid']; + if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] != '') { + $suppress_uuid = $config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid']; + } } $d_snort_suppress_dirty_path = '/var/run/snort_suppress.dirty'; 
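Review bot: The new outer guard `if (!is_array($config[...]['suppress']['item'][$id]))` wraps both uuid branches, so for an existing list, the only case where `item[$id]` is an array, neither branch runs and `$suppress_uuid` stays unset; on submit `$s_list['uuid'] = $suppress_uuid;` (a later hunk) then stores an empty uuid over the existing one, while for a new list the inner `!= ''` branch can never be true. Drop the guard, or invert it to `if (is_array(...))` around the second branch only, keeping the `== ''` generation path for new entries. The `$id = 0` default added above has the same overwrite problem raised on snort_interfaces_edit.php.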
@@ -68,15 +73,14 @@ $d_snort_suppress_dirty_path = '/var/run/snort_suppress.dirty'; /* returns true if $name is a valid name for a whitelist file name or ip */ function is_validwhitelistname($name) { if (!is_string($name)) - return false; + return false; if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) - return true; + return true; return false; } - if (isset($id) && $a_suppress[$id]) { /* old settings */ @@ -84,25 +88,16 @@ if (isset($id) && $a_suppress[$id]) { $pconfig['uuid'] = $a_suppress[$id]['uuid']; $pconfig['descr'] = $a_suppress[$id]['descr']; $pconfig['suppresspassthru'] = base64_decode($a_suppress[$id]['suppresspassthru']); - - - } /* this will exec when alert says apply */ if ($_POST['apply']) { if (file_exists("$d_snort_suppress_dirty_path")) { - - write_config(); - sync_snort_package_config(); sync_snort_package(); - unlink("$d_snort_suppress_dirty_path"); - } - } if ($_POST['submit']) { @@ -127,7 +122,7 @@ if ($_POST['submit']) { /* check for name conflicts */ foreach ($a_suppress as $s_list) { if (isset($id) && ($a_suppress[$id]) && ($a_suppress[$id] === $s_list)) - continue; + continue; if ($s_list['name'] == $_POST['name']) { $input_errors[] = "A whitelist file name with this name already exists."; @@ -136,21 +131,17 @@ if ($_POST['submit']) { } - $s_list = array(); - /* post user input */ - if (!$input_errors) { - + $s_list = array(); $s_list['name'] = $_POST['name']; $s_list['uuid'] = $suppress_uuid; $s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']); - if (isset($id) && $a_suppress[$id]) - $a_suppress[$id] = $s_list; + $a_suppress[$id] = $s_list; else - $a_suppress[] = $s_list; + $a_suppress[] = $s_list; touch($d_snort_suppress_dirty_path); diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 16fbd16c..be7a8892 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php 
@@ -140,19 +140,11 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; if ($_POST['apply']) { if (file_exists($d_snortconfdirty_path)) { - - write_config(); - - sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); - unlink($d_snortconfdirty_path); - } - } - if ($_POST["Submit"]) { /* check for overlaps */ @@ -233,16 +225,18 @@ if ($_POST["Submit"]) { $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? on : off; if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; + $a_nat[$id] = $natent; else { if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); + array_splice($a_nat, $after+1, 0, array($natent)); else - $a_nat[] = $natent; + $a_nat[] = $natent; } write_config(); + sync_snort_package_all($id, $if_real, $snort_uuid); + /* after click go to this page */ touch($d_snortconfdirty_path); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index a7b9ef73..0feef550 100644 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -35,19 +35,15 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g; -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { +if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); -} - -//nat_rules_sort(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) -$id = $_POST['id']; + $id = $_POST['id']; if (isset($id) && $a_nat[$id]) { - $pconfig['enable'] = $a_nat[$id]['enable']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index 09e39e7a..05712e49 100644 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php 
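Review bot: `$natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? on : off;` at the top of the second hunk in snort_preprocessors.php still uses the bare constants `on`/`off` (an undefined-constant notice resolving to the strings on PHP 5, a fatal error on PHP 8), which this same commit replaced with `'on' : 'off'` in snort_interfaces_edit.php and snort_interfaces_global.php; this line, and any sibling flag lines above the hunk, should get the same quoting. The added `sync_snort_package_all($id, $if_real, $snort_uuid);` runs before `touch($d_snortconfdirty_path)`, and the apply handler in the first hunk runs it again when the dirty flag is present, so each save now syncs twice; if the save-time sync is meant to replace the apply-time one, the dirty touch can go. snort_rules.php (same line) reads `$id` from `$_GET`/`$_POST` without the `is_numeric` guard this commit adds in snort_interfaces_edit.php.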
@@ -49,15 +49,13 @@ $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) -$id = $_POST['id']; + $id = $_POST['id']; $ids = $_GET['ids']; if (isset($_POST['ids'])) -$ids = $_POST['ids']; - + $ids = $_POST['ids']; if (isset($id) && $a_nat[$id]) { - $pconfig['enable'] = $a_nat[$id]['enable']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; @@ -94,6 +92,7 @@ $splitcontents = explode($delimiter, $contents2); //copy rule contents from array into string $tempstring = $splitcontents[$lineid]; +if (!function_exists('write_rule_file')) { function write_rule_file($content_changed, $received_file) { //read snort file with writing enabled @@ -112,6 +111,7 @@ function write_rule_file($content_changed, $received_file) fclose($filehandle); } +} @@ -127,14 +127,14 @@ if($_POST['highlight'] <> "") { } if($_POST['rows'] <> "") -$rows = $_POST['rows']; + $rows = $_POST['rows']; else -$rows = 1; + $rows = 1; if($_POST['cols'] <> "") -$cols = $_POST['cols']; + $cols = $_POST['cols']; else -$cols = 66; + $cols = 66; if ($_POST) { @@ -150,7 +150,7 @@ if ($_POST) write_rule_file($splitcontents, $file); header("Location: /snort/snort_view_edit.php?id=$id&openruleset=$file&ids=$ids"); - + exit; } } diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 059bd5cc..c19c8dd3 100644 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php 
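Review bot: `$id` and `$ids` are taken from `$_GET`/`$_POST` here with no `is_numeric` check, although this commit adds one for `$id` in snort_interfaces_edit.php and snort_interfaces_suppress_edit.php; `$id` indexes `$a_nat[$id]` and both are interpolated raw into the `Location: /snort/snort_view_edit.php?id=$id&openruleset=$file&ids=$ids` header in the last hunk. Apply the same numeric check to both and build the redirect query with encoding, e.g. `header("Location: /snort/snort_view_edit.php?" . http_build_query(['id' => $id, 'openruleset' => $file, 'ids' => $ids]));`. `$file` is also passed to `write_rule_file()`, and its origin is outside the hunks; if it comes from the request it needs a `basename()` or allow-list check before that call as well.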
@@ -43,21 +43,18 @@ $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) -$id = $_POST['id']; - + $id = $_POST['id']; if (isset($id) && $a_nat[$id]) { - $pconfig['enable'] = $a_nat[$id]['enable']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; -} -/* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); + /* convert fake interfaces to real */ + $if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); - -$iface_uuid = $a_nat[$id]['uuid']; + $iface_uuid = $a_nat[$id]['uuid']; +} $pgtitle = "Snort: Interface $id $iface_uuid $if_real Categories"; @@ -132,16 +129,9 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$iface_uuid}_{$if_real}.dirty"; if ($_POST['apply']) { if (file_exists($d_snortconfdirty_path)) { - - write_config(); - - sync_snort_package_all($id, $if_real, $iface_uuid); sync_snort_package(); - unlink($d_snortconfdirty_path); - } - } if ($_POST["Submit"]) { @@ -161,6 +151,8 @@ if ($_POST["Submit"]) { write_config(); + sync_snort_package_all($id, $if_real, $iface_uuid); + touch($d_snortconfdirty_path); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -168,10 +160,8 @@ if ($_POST["Submit"]) { header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); - sleep(2); - sync_snort_package_all($id, $if_real, $iface_uuid); header("Location: /snort/snort_rulesets.php?id=$id"); - + exit; } $enabled_rulesets = $a_nat[$id]['rulesets']; 
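Review bot: Moving `$if_real` and `$iface_uuid` inside `if (isset($id) && $a_nat[$id])` leaves both undefined when the id matches no rule, yet `$pgtitle` on the next line and `$d_snortconfdirty_path = "/var/run/snort_conf_{$iface_uuid}_{$if_real}.dirty"` (visible in the second hunk's context) still use them, so a bad id yields `/var/run/snort_conf__.dirty` as the dirty flag. Initialise them before the block, `$if_real = ''; $iface_uuid = '';`, and treat an id with no matching rule as an error before the page carries on; `$id` itself arrives from `$_GET`/`$_POST` without the `is_numeric` guard this commit adds in snort_interfaces_edit.php.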
@@ -325,22 +315,10 @@ if (file_exists($d_snortconfdirty_path)) { </div> - <?php - - include("fend.inc"); - - echo $snort_custom_rnd_box; - - ?> +<?php +include("fend.inc"); +echo $snort_custom_rnd_box; +?> </body> </html> - - <?php - - function get_snort_rule_file_description($filename) { - $filetext = file_get_contents($filename); - - } - -?> |