Diffstat (limited to 'config')
-rw-r--r--config/snort/snort.inc13
-rw-r--r--config/snort/snort_check_for_rule_updates.php142
-rw-r--r--config/snort/snort_rules.php20
-rw-r--r--config/snort/snort_rules_edit.php12
4 files changed, 94 insertions, 93 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index c83d1983..fe6ad11b 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -49,6 +49,19 @@ define("SNORTLOGDIR", "/var/log/snort");
if (!is_array($config['installedpackages']['snortglobal']))
$config['installedpackages']['snortglobal'] = array();
+function snort_get_rule_part($source, $beginning, $ending, $start_pos) {
+
+ $beginning_pos = strpos($source, $beginning, $start_pos);
+ if (!$beginning_pos)
+ return false;
+ $middle_pos = $beginning_pos + strlen($beginning);
+ $source = substr($source, $middle_pos);
+ $ending_pos = strpos($source, $ending, 0);
+ if (!$ending_pos)
+ return false;
+ return substr($source, 0, $ending_pos);
+}
+
function snort_generate_id() {
global $config;
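Review bot: `if (!$beginning_pos)` in snort_get_rule_part treats a match at offset 0 as "not found", because strpos() returns int 0 there, and the same `!$ending_pos` test turns an empty part (delimiter immediately after the prefix) into false as well. Compare explicitly: `if ($beginning_pos === false) return false;` and `if ($ending_pos === false) return false;`. For the present `sid:` callers this is probably latent, but the helper is now shared by three files, so a short docblock stating that it returns the text between the first `$beginning` at or after `$start_pos` and the next `$ending`, or false when either is absent, would prevent the next caller from tripping over it. The is_numeric() check at each call site remains the caller's guard against a `sid:` matched inside a `msg:` string.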
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 6a6390cb..e1da6bf3 100644
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -157,10 +157,13 @@ if ($emergingthreats == "on") {
/* Normalize rulesets */
$sedcmd = "s/^#alert/# alert/g\n";
-$sedcmd = "s/^##alert/# alert/g\n";
-$sedcmd = "s/^# alert/# alert/g\n";
-$sedcmd = "s/^#\talert/# alert/g\n";
-$sedcmd = "s/^##\talert/# alert/g\n";
+$sedcmd .= "s/^##alert/# alert/g\n";
+$sedcmd .= "s/^# alert/# alert/g\n";
+$sedcmd .= "s/^#\talert/# alert/g\n";
+$sedcmd .= "s/^##\talert/# alert/g\n";
+$sedcmd .= "s/^\talert/alert/g\n";
+$sedcmd .= "s/^ alert/alert/g\n";
+$sedcmd .= "s/^ alert/alert/g\n";
@file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd);
/* Untar snort rules file individually to help people with low system specs */
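Review bot: The last two appended expressions, both reading `$sedcmd .= "s/^ alert/alert/g\n";` on this page, are identical, so the second is a no-op unless its leading whitespace was originally longer and has been collapsed in rendering. A single `s/^[ \t]*alert/alert/` (and `s/^#[ \t]*alert/# alert/` for the commented forms) covers any run of leading blanks or tabs and makes the intent explicit; with every pattern anchored by `^` the `g` flag has no effect and can be dropped. Note that only `alert` rules are normalised here, so lines whose action is `drop`, `pass` or `log` keep whatever prefix the upstream tarball ships, and the enable/disable logic later in this file appears to look for `alert`/`# alert` only.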
@@ -264,79 +267,89 @@ if (is_dir($tmpfname)) {
exec("/bin/rm -r {$tmpfname}");
}
-//////////////////
-/* open oinkmaster_conf for writing" function */
-function oinkmaster_conf($snortcfg, $if_real) {
+function snort_apply_customizations($snortcfg, $if_real) {
global $config, $g, $snortdir;
- $selected_sid_on_sections = "";
- $selected_sid_off_sections = "";
+ if (empty($snortcfg['rulesets']))
+ return;
+ else {
+ update_status(gettext("Your set of configured rules are being copied..."));
+ log_error(gettext("Your set of configured rules are being copied..."));
+ $files = explode("||", $snortcfg['rulesets']);
+ foreach ($files as $file)
+ @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}");
+
+ @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
+ @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
+ exec("/bin/cp -r {$snortdir}/generators {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}");
+ @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config");
+ @copy("{$snortdir}/sid", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid");
+ @copy("{$snortdir}/sid-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid-msg.map");
+ @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map");
+ }
if (!empty($snortcfg['rule_sid_on']) || !empty($snortcfg['rule_sid_off'])) {
if (!empty($snortcfg['rule_sid_on'])) {
$enabled_sid_on_array = explode("||", trim($snortcfg['rule_sid_on']));
- foreach($enabled_sid_on_array as $enabled_item_on)
- $selected_sid_on_sections .= "$enabled_item_on\n";
+ $enabled_sids = array_flip($enabled_sid_on_array);
}
if (!empty($snortcfg['rule_sid_off'])) {
$enabled_sid_off_array = explode("||", trim($snortcfg['rule_sid_off']));
- foreach($enabled_sid_off_array as $enabled_item_off)
- $selected_sid_off_sections .= "$enabled_item_off\n";
+ $disabled_sids = array_flip($enabled_sid_off_array);
}
- $snort_sid_text = <<<EOD
-
-###########################################
-# #
-# this is auto generated on snort updates #
-# #
-###########################################
-
-path = /bin:/usr/bin:/usr/local/bin
-
-update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
-
-url = dir://{$snortdir}/rules
+ $files = glob("{$snortdir}/snort_{$snortcfg}_{$if_real}/rules");
+ foreach ($files as $file) {
+ $splitcontents = file($file);
+ $changed = false;
+ foreach ( $splitcontents as $counter => $value ) {
+ $disabled = "False";
+ $findme = "# alert"; //find string for disabled alerts
+ $counter2 = 1;
+ $sid = snort_get_rule_part($value, 'sid:', ';', 0);
+ if (!is_numeric($sid))
+ continue;
+ if (isset($enabled_sids[$sid])) {
+ if (substr($value, 0, 5) == "alert")
+ /* Rule is already enabled */
+ continue;
+ if (substr($value, 0, 7) == "# alert") {
+ /* Rule is disabled, change */
+ $splitcontents[$counter] = substr($value, 2);
+ $changed = true;
+ } else if (substr($splitcontents[$counter - 1], 0, 5) == "alert") {
+ /* Rule is already enabled */
+ continue;
+ } else if (substr($splitcontents[$counter - 1], 0, 7) == "# alert") {
+ /* Rule is disabled, change */
+ $splitcontents[$counter - 1] = substr($value, 2);
+ $changed = true;
+ }
+ } else if (isset($disabled_sids[$sid])) {
+ if (substr($value, 0, 7) == "# alert")
+ /* Rule is already disabled */
+ continue;
+ if (substr($value, 0, 5) == "alert") {
+ /* Rule is enabled, change */
+ $splitcontents[$counter] = "# {$value}";
+ $changed = true;
+ } else if (substr($splitcontents[$counter - 1], 0, 7) == "# alert") {
+ /* Rule is already disabled */
+ continue;
+ } else if (substr($splitcontents[$counter - 1], 0, 5) == "alert") {
+ /* Rule is enabled, change */
+ $splitcontents[$counter - 1] = "# {$value}";
+ $changed = true;
+ }
-{$selected_sid_on_sections}
-
-{$selected_sid_off_sections}
-
-EOD;
-
- /* open snort's oinkmaster.conf for writing */
- @file_put_contents("{$snortdir}/tmp/oinkmaster_{$snortcfg['uuid']}.conf", $snort_sid_text);
- }
-}
-
-function oinkmaster_run($snortcfg, $if_real) {
- global $config, $g, $snortdir;
-
-
- if (empty($snortcfg['rulesets']))
- return;
- else {
- update_status(gettext("Your set of configured rules are being copied..."));
- log_error(gettext("Your set of configured rules are being copied..."));
- $files = explode("||", $snortcfg['rulesets']);
- foreach ($files as $file)
- @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}");
- }
- if (!empty($snortcfg['rule_sid_on']) || !empty($snortcfg['rule_sid_off'])) {
- @unlink("{$snortdir}/oinkmaster.log");
- log_error(gettext("Your enable and disable changes are being applied to your fresh set of rules..."));
- exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C {$snortdir}/tmp/oinkmaster_{$snortcfg['uuid']}.conf -o {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules >> {$snortdir}/oinkmaster.log");
+ }
+ if ($changed == true)
+ @file_put_contents($file, implode("\n", $splitcontents));
+ }
+ }
}
- @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
- @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
- exec("/bin/cp -r {$snortdir}/generators {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}");
- @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config");
- @copy("{$snortdir}/sid", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid");
- @copy("{$snortdir}/sid-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid-msg.map");
- @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map");
}
-//////////////
if ($snortdownload == 'on' || $emergingthreats == 'on') {
/* You are Not Up to date, always stop snort when updating rules for low end machines */;
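Review bot: The SID enable/disable loop in snort_apply_customizations never sees a rule file: the `$files = glob(...)` line interpolates the whole `$snortcfg` array (which stringifies as "Array") instead of `$snortcfg['uuid']`, and it globs the `rules` directory itself rather than the files inside it, so `file($file)` is handed a directory (or nothing) and the loop is effectively dead. Inside the loop, `file($file)` keeps each line's trailing newline while the write-back uses `implode("\n", $splitcontents)`, so every update run would double the line breaks once the glob is fixed, and the continuation-line branches overwrite the previous line with a transformation of the *current* line (`substr($value, 2)` / `"# {$value}"`) rather than of `$splitcontents[$counter - 1]`, which is also index -1 when `$counter` is 0. The locals `$disabled`, `$findme` and `$counter2` are assigned but never read. The function is complete within this hunk; its caller loop is in the following hunk.
```php
    $files = glob("{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/*.rules");
    foreach ($files as $file) {
        /* strip newlines here because the write-back re-joins with "\n" */
        $splitcontents = file($file, FILE_IGNORE_NEW_LINES);
        $changed = false;
        foreach ($splitcontents as $counter => $value) {
            $sid = snort_get_rule_part($value, 'sid:', ';', 0);
            if (!is_numeric($sid))
                continue;
            /* the continuation-line checks look at the line before; guard index -1 */
            $prev = ($counter > 0) ? $splitcontents[$counter - 1] : "";
            // … unchanged: current-line "alert" / "# alert" checks in both branches,
            //     with substr($splitcontents[$counter - 1], ...) replaced by substr($prev, ...) …
            // in the $enabled_sids branch the previous-line rewrite becomes:
            $splitcontents[$counter - 1] = substr($prev, 2);
            // in the $disabled_sids branch it becomes:
            $splitcontents[$counter - 1] = "# {$prev}";
            // … unchanged: $changed = true; write-back with implode("\n", $splitcontents) …
        }
    }
```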
@@ -347,10 +360,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on') {
$if_real = snort_get_real_interface($value['interface']);
/* make oinkmaster.conf for each interface rule */
- oinkmaster_conf($value, $if_real);
-
- /* run oinkmaster for each interface rule */
- oinkmaster_run($value, $if_real);
+ snort_apply_customizations($value, $if_real);
}
}
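Review bot: The comment `/* make oinkmaster.conf for each interface rule */` on the line before the new call is now stale: oinkmaster is no longer involved, and snort_apply_customizations copies the selected rule files and flips `alert`/`# alert` for the configured SIDs instead. Replace it with `/* copy the selected rulesets and apply this interface's SID enable/disable lists */`. The foreach that supplies `$value` begins before this hunk.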
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index a171dc06..79067c26 100644
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -55,18 +55,6 @@ if (isset($id) && $a_rule[$id]) {
$pconfig['rulesets'] = $a_rule[$id]['rulesets'];
}
-function get_middle($source, $beginning, $ending, $init_pos) {
- $beginning_pos = strpos($source, $beginning, $init_pos);
- if (!$beginning_pos)
- return false;
- $middle_pos = $beginning_pos + strlen($beginning);
- $source = substr($source, $middle_pos);
- $ending_pos = strpos($source, $ending, 0);
- if (!$ending_pos)
- return false;
- return substr($source, 0, $ending_pos);
-}
-
function load_rule_file($incoming_file)
{
//read file into string, and get filesize
@@ -124,7 +112,7 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($splitcontents)) {
@file_put_contents($rulefile, implode("\n", $splitcontents));
//write disable/enable sid to config.xml
- $sid = get_middle($tempstring, 'sid:', ";", 0);
+ $sid = snort_get_rule_part($tempstring, 'sid:', ";", 0);
if (is_numeric($sid)) {
// rule_sid_on registers
$sidon = explode("||", $a_rule[$id]['rule_sid_on']);
@@ -269,7 +257,7 @@ if (empty($pconfig['rulesets'])):
$disabled_pos = strstr($value, $findme);
$counter2 = 1;
- $sid = get_middle($value, 'sid:', ';', 0);
+ $sid = snort_get_rule_part($value, 'sid:', ';', 0);
//check to see if the sid is numberical
if (!is_numeric($sid))
continue;
@@ -302,9 +290,9 @@ if (empty($pconfig['rulesets'])):
$destination_port = $rule_content[$counter2];//destination port location
if (strstr($value, 'msg: "'))
- $message = get_middle($value, 'msg: "', '";', 0);
+ $message = snort_get_rule_part($value, 'msg: "', '";', 0);
else if (strstr($value, 'msg:"'))
- $message = get_middle($value, 'msg:"', '";', 0);
+ $message = snort_get_rule_part($value, 'msg:"', '";', 0);
echo "<tr><td width='3%' class='listt'> $textss
<a href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$counter}'>
diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php
index 454b250b..127bfe0c 100644
--- a/config/snort/snort_rules_edit.php
+++ b/config/snort/snort_rules_edit.php
@@ -82,16 +82,6 @@ if (strstr($splitcontents[$lineid], $findme))
if ($highlight == "no")
$splitcontents[$lineid] = substr($splitcontents[$lineid], 2);
-if (!function_exists('get_middle')) {
- function get_middle($source, $beginning, $ending, $init_pos) {
- $beginning_pos = strpos($source, $beginning, $init_pos);
- $middle_pos = $beginning_pos + strlen($beginning);
- $ending_pos = strpos($source, $ending, $beginning_pos);
- $middle = substr($source, $middle_pos, $ending_pos - $middle_pos);
- return $middle;
- }
-}
-
if ($_POST) {
if ($_POST['save']) {
@@ -102,7 +92,7 @@ if ($_POST) {
$splitcontents[$lineid] = "# " . $_POST['code'];
//write disable/enable sid to config.xml
- $sid = get_middle($splitcontents[$lineid], 'sid:', ';', 0);
+ $sid = snort_get_rule_part($splitcontents[$lineid], 'sid:', ';', 0);
if (is_numeric($sid)) {
// rule_sid_on registers
if (!empty($a_nat[$id]['rule_sid_on']))