Diffstat (limited to 'config')
-rw-r--r--config/snort/snort.inc124
-rw-r--r--config/snort/snort.xml2
-rw-r--r--config/snort/snort_check_for_rule_updates.php87
-rw-r--r--config/snort/snort_preprocessors.php33
-rw-r--r--config/snort/snort_rulesets.php8
-rw-r--r--config/widget-snort/snort_alerts.inc20
-rw-r--r--config/widget-snort/snort_alerts.inc.php92
-rw-r--r--config/widget-snort/snort_alerts.js57
-rw-r--r--config/widget-snort/snort_alerts.widget.php29
-rw-r--r--config/widget-snort/snort_alerts_helper.php20
-rw-r--r--config/widget-snort/widget-snort.inc13
-rw-r--r--config/widget-snort/widget-snort.xml26
12 files changed, 209 insertions, 302 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index a1d5a1de..f45134c5 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -39,7 +39,7 @@ require_once("filter.inc");
/* package version */
$snort_version = "2.9.2.3";
-$pfSense_snort_version = "2.5.0";
+$pfSense_snort_version = "2.5.1";
$snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}";
$snort_rules_file = "snortrules-snapshot-2923.tar.gz";
$emerging_threats_version = "2.9.0";
@@ -115,7 +115,7 @@ function snort_find_list($find_name, $type = 'whitelist') {
}
/* func builds custom whitelests */
-function snort_build_list($snortcfg, $listname = "") {
+function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
global $config, $g;
/* Add loopback to whitelist (ftphelper) */
@@ -156,14 +156,20 @@ function snort_build_list($snortcfg, $listname = "") {
if (function_exists('get_interface_ip')) {
$subnet = get_interface_ip($int);
if (is_ipaddr($subnet)) {
- $sn = get_interface_subnet($int);
- $home_net .= "{$subnet}/{$sn} ";
+ if ($whitelist == false) {
+ $sn = get_interface_subnet($int);
+ $home_net .= "{$subnet}/{$sn} ";
+ } else
+ $home_net .= "{$subnet} ";
}
if (function_exists("get_interface_ipv6")) {
$subnet = get_interface_ipv6($int);
if (is_ipaddrv6($subnet)) {
- $sn = get_interface_subnetv6($int);
- $home_net .= "{$subnet}/{$sn} ";
+ if ($whitelist == false) {
+ $sn = get_interface_subnetv6($int);
+ $home_net .= "{$subnet}/{$sn} ";
+ } else
+ $home_net .= "{$subnet} ";
}
}
} else {
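Review bot: The new `$whitelist` flag is tested with `== false` on the added lines here and again in the virtual-IP hunk below; a loose comparison works for the boolean the caller passes, but `if (!$whitelist) {` reads more directly, and the brace-less `} else` followed by an indented assignment is easy to misread next to a braced `if`. The parameter is undocumented on the signature in the previous hunk; a comment there such as `/* $whitelist: true emits bare addresses (alert_pf whitelist files), false emits address/prefix entries */` would explain why two output formats exist. snort_build_list() starts and ends outside these hunks.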
@@ -217,9 +223,14 @@ function snort_build_list($snortcfg, $listname = "") {
if($vips == 'yes') {
/* iterate all vips and add to whitelist */
if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) {
- foreach($config['virtualip']['vip'] as $vip)
- if ($vip['subnet'] && $vip['mode'] != 'proxyarp')
- $home_net .= "{$vip['subnet']}/{$vip['subnet_bits']} ";
+ foreach($config['virtualip']['vip'] as $vip) {
+ if ($vip['subnet'] && $vip['mode'] != 'proxyarp') {
+ if ($whitelist == false)
+ $home_net .= "{$vip['subnet']}/{$vip['subnet_bits']} ";
+ else
+ $home_net .= "{$vip['subnet']} ";
+ }
+ }
}
}
@@ -1002,9 +1013,9 @@ function snort_generate_conf($snortcfg) {
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
"{$snortcfgdir}/preproc_rules",
- "dynamicrules" => "/usr/local/lib/snort/dynamicrules",
+ "dynamicrules" => "{$snortcfgdir}/dynamicrules",
"dynamicengine" => "/usr/local/lib/snort/dynamicengine",
- "dynamicpreprocessor" => "/usr/local/lib/snort/dynamicpreprocessor"
+ "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
);
foreach ($snort_dirs as $dir) {
if (!is_dir($dir))
@@ -1036,7 +1047,8 @@ function snort_generate_conf($snortcfg) {
$pfkill = "";
if ($snortcfg['blockoffenderskill'] == "on")
$pfkill = "kill";
- $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname']);
+ /* No subnets to default addresses */
+ $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true);
/* write whitelist */
@file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist));
$spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}";
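Review bot: The added comment `/* No subnets to default addresses */` does not say what the new `true` argument changes; since the effect is that the whitelist file receives bare addresses instead of address/prefix entries, `/* whitelist entries are bare addresses (no /prefix), see snort_build_list() */` would state it. The `@file_put_contents` on the following line still hides a failed write, in which case alert_pf runs with a stale or empty whitelist; checking its return value and calling log_error() on failure is worth the extra line. snort_generate_conf() continues outside the hunk.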
@@ -1079,6 +1091,15 @@ function snort_generate_conf($snortcfg) {
"DCERPC_BRIGHTSTORE" => "6503,6504"
);
+ $portvardef = "";
+ foreach ($snort_ports as $alias => $avalue) {
+ if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
+ $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]);
+ $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias]));
+ $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
+ }
+
+
/////////////////////////////
/* preprocessor code */
/* def perform_stat */
@@ -1170,6 +1191,24 @@ preprocessor ftp_telnet_protocol: ftp client default \
EOD;
+ $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']);
+ $pop_preproc = <<<EOD
+preprocessor pop: \
+ ports { {$pop_ports} } \
+ qp_decode_depth -1 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 100
+EOD;
+
+ $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']);
+ $imap_preproc = <<<EOD
+preprocessor imap: \
+ ports { {$imap_ports} } \
+ qp_decode_depth -1 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 100
+EOD;
+
$smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']);
/* def smtp_preprocessor */
$smtp_preprocessor = <<<EOD
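Review bot: The new pop and imap heredocs set `qp_decode_depth -1`, `b64_decode_depth 0` and `bitenc_decode_depth 100` with no comment, and as I recall the Snort manual these three values mean three different things for these preprocessors: -1 disables that decoder, 0 means unlimited depth, and a positive number is a byte limit, so a reader may assume base64 decoding is off when it is in fact unbounded. Add a comment above each block, e.g. `/* qp decoding off, base64 unlimited, 7bit/8bit/binary capped at 100 bytes (-1 = off, 0 = unlimited) */`, or align the three depths if unlimited base64 decoding was not the intent. snort_generate_conf() continues outside the hunk.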
@@ -1238,6 +1277,13 @@ preprocessor dns: \
EOD;
+ $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']);
+ $ssl_preproc = <<<EOD
+# Ignore SSL and Encryption #
+preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted
+
+EOD;
+
$sensitive_data = "preprocessor sensitive_data:\n";
/* stream5 queued settings */
@@ -1268,25 +1314,36 @@ EOD;
$vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n";
}
- $portvardef = "";
- foreach ($snort_ports as $alias => $avalue) {
- if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
- $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]);
- $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias]));
- $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
- }
- $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']);
-
+ $snort_preproc_libs = array(
+ "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc",
+ "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc",
+ "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
+ "ssl_preproc" => "ssl_preproc"
+ );
$snort_preproc = array (
- "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor",
- "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data"
+ "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc",
+ "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc"
);
$snort_preprocessors = "";
foreach ($snort_preproc as $preproc) {
if ($snortcfg[$preproc] == 'on') {
/* NOTE: The $$ is not a bug. Its a advanced feature of php */
- $snort_preprocessors .= $$preproc;
- $snort_preprocessors .= "\n";
+ if (!empty($snort_preproc_libs[$preproc])) {
+ $preproclib = "libsf_" . $snort_preproc_libs[$preproc];
+ if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
+ if (file_exists("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so")) {
+ @copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
+ } else {
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
+ } else {
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
}
}
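Review bot: The existence test `file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")` concatenates the directory and the library name without a `/`, while the copy target two lines later has one, so the check never finds the copied library and the copy is re-run on every configuration generation. When the library is missing from both locations the preprocessor block is silently dropped from snort.conf although the GUI shows it enabled, and the same two append lines are repeated three times. The rewrite below fixes the separator, logs the omission with log_error(), and appends once. snort_generate_conf() begins and ends outside the hunk.
```php
	foreach ($snort_preproc as $preproc) {
		if ($snortcfg[$preproc] == 'on') {
			$usable = true;
			if (!empty($snort_preproc_libs[$preproc])) {
				$preproclib = "libsf_" . $snort_preproc_libs[$preproc];
				$lib_dst = "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so";
				$lib_src = "/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so";
				if (!file_exists($lib_dst)) {
					if (file_exists($lib_src))
						@copy($lib_src, $lib_dst);
					else {
						/* Enabled in the GUI but its shared library is absent: leave it out of
						 * snort.conf rather than hand Snort a dangling preprocessor reference. */
						log_error("snort: {$preproc} is enabled but {$preproclib}.so was not found; omitting it from the configuration");
						$usable = false;
					}
				}
			}
			if ($usable) {
				/* NOTE: The $$ is not a bug. Its a advanced feature of php */
				$snort_preprocessors .= $$preproc . "\n";
			}
		}
	}
```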
@@ -1297,16 +1354,16 @@ EOD;
$snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
if (is_dir("{$snortcfgdir}/preproc_rules")) {
if ($snortcfg['sensitive_data'] == 'on') {
- $sedcmd = "s/^# alert\(.*\)classtype:sdf;\(.*\)/alert\1classtype:sdf\2/g";
+ $sedcmd = '/^#alert.*classtype:sdf/s/^#//';
if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules"))
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
} else
- $sedcmd = "s/^alert\(.*\)classtype:sdf;\(.*\)/# alert\1classtype:sdf\2/g";
+ $sedcmd = '/^alert.*classtype:sdf/s/^/#/';
if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) {
@file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
- mwexec("/usr/bin/sed -I '' -e -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
- mwexec("/usr/bin/sed -I '' -e -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
+ mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
+ mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
@unlink("{$g['tmp_path']}/sedcmd");
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
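Review bot: The new uncomment pattern `/^#alert.*classtype:sdf/` only matches a `#` immediately followed by `alert`, whereas the pattern it replaces targeted `^# alert` with a space; if the shipped preprocessor.rules and decoder.rules still disable sdf rules as `# alert`, enabling Sensitive Data never uncomments them on a fresh file, although lines this code itself disables with `s/^/#/` do round-trip. Accepting optional whitespace covers both forms: `$sedcmd = '/^#[[:space:]]*alert.*classtype:sdf/s/^#[[:space:]]*//';`. Dropping the stray `-e` from the two sed invocations is correct, since `-e -f` made sed treat `-f` as the script. snort_generate_conf() continues outside the hunk.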
@@ -1326,10 +1383,12 @@ EOD;
if (!empty($snortcfg['rulesets'])) {
$enabled_rulesets_array = explode("||", $snortcfg['rulesets']);
foreach($enabled_rulesets_array as $enabled_item) {
- if (file_exists("{$snortdir}}/rules/{$enabled_item}") && !file_exists("{$snortcfgdir}}/rules/{$enabled_item}"))
- @copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}");
+ if (file_exists("{$snortdir}/rules/{$enabled_item}") && !file_exists("{$snortcfgdir}/rules/{$enabled_item}"))
+ @copy("{$snortdir}/rules/{$enabled_item}", "{$snortcfgdir}/rules/{$enabled_item}");
if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") {
$slib = substr($enabled_item, 6, -6);
+ if (!file_exists("{$snort_dirs['dynamicrules']}/{$slib}"))
+ @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}");
if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}") &&
file_exists("{$snortcfgdir}/rules/{$enabled_item}"))
$selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
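Review bot: `$enabled_item` comes out of `$snortcfg['rulesets']` and is interpolated unchanged into the rules and dynamicrules paths on the corrected lines and in the new copy; a value containing a path separator would read or write outside those directories. A ruleset name is always a bare filename, so normalising once at the top of the loop, `$enabled_item = basename($enabled_item);`, removes that possibility; the copy loop in snort_apply_customizations() in snort_check_for_rule_updates.php has the same shape. Separately, when neither copy source exists the ruleset is silently left out of the generated config; a log_error() there would tell the operator why an enabled ruleset is missing. snort_generate_conf() continues outside the hunk.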
@@ -1398,9 +1457,6 @@ preprocessor stream5_icmp:
{$snort_preprocessors}
-# Ignore SSL and Encryption #
-preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted
-
# Snort Output Logs #
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
{$alertsystemlog_type}
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 05e349be..07603176 100644
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -47,7 +47,7 @@
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
<version>2.9.2.3</version>
- <title>Services:2.9.2.3 pkg v. 2.5.0</title>
+ <title>Services:2.9.2.3 pkg v. 2.5.1</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
<name>Snort</name>
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 6c6440e9..5b357cb7 100644
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -164,6 +164,42 @@ $sedcmd .= "s/^\\talert/alert/g\n";
$sedcmd .= "s/^[ \\t]*alert/alert/g\n";
@file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd);
+/* Untar emergingthreats rules to tmp */
+if ($emergingthreats == 'on') {
+ safe_mkdir("{$snortdir}/tmp/emerging");
+ if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
+ update_status(gettext("Extracting rules..."));
+ exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/");
+
+ $files = glob("{$snortdir}/tmp/emerging/rules/*.rules");
+ foreach ($files as $file) {
+ $newfile = basename($file);
+ @copy($file, "{$snortdir}/rules/{$newfile}");
+ }
+ /* IP lists */
+ $files = glob("{$snortdir}/tmp/emerging/rules/*.txt");
+ foreach ($files as $file) {
+ $newfile = basename($file);
+ @copy($file, "{$snortdir}/rules/{$newfile}");
+ }
+ if ($snortdownload == 'off') {
+ foreach (array("classification.config", "reference.config", "sid-msg.map", "unicode.map") as $file) {
+ if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}"))
+ @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/{$file}");
+ }
+ }
+
+ /* make shure default rules are in the right format */
+ exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/emerging*.rules");
+
+ /* Copy emergingthreats md5 sig to snort dir */
+ if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) {
+ update_status(gettext("Copying md5 sig to snort directory..."));
+ @copy("{$tmpfname}/$emergingthreats_filename_md5", "{$snortdir}/$emergingthreats_filename_md5");
+ }
+ }
+}
+
/* Untar snort rules file individually to help people with low system specs */
if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/{$snort_filename}")) {
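Review bot: The `exec()` that extracts the Emerging Threats tarball ignores tar's exit status, so a truncated or corrupt download leaves the previous rules in place, or a partial set copied, with nothing logged; the sed call further down is in the same position. Capture the status and report it: `exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/", $tar_out, $tar_rc);` followed by `if ($tar_rc != 0) log_error(gettext("Extracting Emerging Threats rules failed."));`. The md5 file is copied next to the archive but, within this hunk, not compared against it before extraction; if that comparison lives earlier in the download path, a one-line comment pointing to it would reassure the reader.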
@@ -181,7 +217,13 @@ if ($snortdownload == 'on') {
$newfile = basename($file);
@copy($file, "{$snortdir}/rules/snort_{$newfile}");
}
- exec("rm -r {$snortdir}/snortrules");
+ /* IP lists */
+ $files = glob("{$snortdir}/tmp/snortrules/rules/*.txt");
+ foreach ($files as $file) {
+ $newfile = basename($file);
+ @copy($file, "{$snortdir}/rules/{$newfile}");
+ }
+ exec("rm -r {$snortdir}/tmp/snortrules");
/* extract so rules */
exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/');
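Review bot: `exec("rm -r {$snortdir}/tmp/snortrules")` resolves rm through PATH while every other removal in this file is spelled `/bin/rm`, including the cleanup block at the end; use `exec("/bin/rm -r {$snortdir}/tmp/snortrules");` for consistency. Since the whole `{$snortdir}/tmp` tree is removed at the end of the script, this call appears to be redundant as well. The enclosing `if ($snortdownload == 'on')` block starts and ends outside the hunk.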
@@ -235,7 +277,7 @@ if ($snortdownload == 'on') {
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} preproc_rules/");
/* make shure default rules are in the right format */
- exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/*.rules");
+ exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/snort_*.rules");
if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
update_status(gettext("Copying md5 sig to snort directory..."));
@@ -245,34 +287,10 @@ if ($snortdownload == 'on') {
}
}
-/* Untar emergingthreats rules to tmp */
-if ($emergingthreats == 'on') {
- if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
- update_status(gettext("Extracting rules..."));
- exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/");
- }
-
- /* make shure default rules are in the right format */
- exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/emerging*.rules");
-
- /* Copy emergingthreats md5 sig to snort dir */
- if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) {
- update_status(gettext("Copying md5 sig to snort directory..."));
- @copy("{$tmpfname}/$emergingthreats_filename_md5", "{$snortdir}/$emergingthreats_filename_md5");
- }
-
- if ($snortdownload == 'off') {
- foreach (array("classification.config", "reference.config", "sid-msg.map", "unicode.map") as $file) {
- if (file_exists("{$snortdir}/rules/{$file}"))
- @copy("{$snortdir}/rules/{$file}", "{$snortdir}/{$file}");
- }
- }
-}
-
/* remove old $tmpfname files */
-if (is_dir($tmpfname)) {
+if (is_dir("{$snortdir}/tmp")) {
update_status(gettext("Cleaning up..."));
- exec("/bin/rm -r {$tmpfname}");
+ exec("/bin/rm -r {$snortdir}/tmp");
}
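Review bot: Cleanup now removes `{$snortdir}/tmp` instead of `$tmpfname`; if `$tmpfname`, where the downloaded tarballs and md5 files live, is not itself under `{$snortdir}/tmp`, those archives are no longer deleted after each update. Either keep the previous `is_dir($tmpfname)` removal alongside the new one, or add a comment at the point where `$tmpfname` is defined stating that it resides inside `{$snortdir}/tmp`.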
function snort_apply_customizations($snortcfg, $if_real) {
@@ -283,9 +301,16 @@ function snort_apply_customizations($snortcfg, $if_real) {
else {
update_status(gettext("Your set of configured rules are being copied..."));
log_error(gettext("Your set of configured rules are being copied..."));
- $files = explode("||", $snortcfg['rulesets']);
- foreach ($files as $file)
- @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}");
+ $enabled_rulesets_array = explode("||", $snortcfg['rulesets']);
+ foreach($enabled_rulesets_array as $enabled_item) {
+ @copy("{$snortdir}/rules/{$enabled_item}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$enabled_item}");
+ if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") {
+ $slib = substr($enabled_item, 6, -6);
+ if (file_exists("/usr/local/lib/snort/dynamicrules/{$slib}"))
+ @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/dynamicrules/{$slib}");
+
+ }
+ }
@copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
@copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
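Review bot: The shared-object copy added here duplicates the one added in snort_generate_conf() in snort.inc, including the `substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules"` test and the `substr($enabled_item, 6, -6)` slice; a single helper such as `snort_copy_so_rule_lib($enabled_item, $destdir)` would keep the two from drifting apart. The destination `dynamicrules` directory is assumed to exist, and if it is only created in snort_generate_conf() the `@copy` silently fails on a fresh instance. The blank line left inside the `if` before its closing brace is a style nit. snort_apply_customizations() continues beyond the hunk.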
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index e38418e5..84313577 100644
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -66,6 +66,9 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
$pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
$pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data'];
+ $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc'];
+ $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc'];
+ $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc'];
}
if ($_POST) {
@@ -88,6 +91,9 @@ if ($_POST) {
$natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off';
$natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off';
$natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off';
+ $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off';
+ $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off';
+ $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off';
if (isset($id) && $a_nat[$id])
$a_nat[$id] = $natent;
@@ -265,6 +271,24 @@ include_once("head.inc");
<tr>
<td width="22%" valign="top" class="vncell">Enable <br>
SMTP Normalizer</td>
+ <td width="78%" class="vtable"><input name="pop_preproc"
+ type="checkbox" value="on"
+ <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"><br>
+ Normalize/Decode POP protocol for enforcement and buffer overflows.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>
+ SMTP Normalizer</td>
+ <td width="78%" class="vtable"><input name="imap_preproc"
+ type="checkbox" value="on"
+ <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"><br>
+ Normalize/Decode IMAP protocol for enforcement and buffer overflows.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>
+ SMTP Normalizer</td>
<td width="78%" class="vtable"><input name="smtp_preprocessor"
type="checkbox" value="on"
<?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?>
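Review bot: Both new rows are headed `Enable <br> SMTP Normalizer` although their checkboxes are `pop_preproc` and `imap_preproc`, and the original SMTP row now sits third under the same heading, so the page shows three identical labels. Change the first two to `Enable <br> POP Normalizer` and `Enable <br> IMAP Normalizer` to match the descriptions beside them.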
@@ -301,6 +325,15 @@ include_once("head.inc");
vulnerabilities.</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell">Enable <br> SSL Data</td>
+ <td width="78%" class="vtable">
+ <input name="ssl_preproc" type="checkbox" value="on"
+ <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"><br>
+ SSL data searches for irregularities during SSL protocol exchange
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell">Enable <br> Sensitive Data</td>
<td width="78%" class="vtable">
<input name="sensitive_data" type="checkbox" value="on"
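Review bot: The description `SSL data searches for irregularities during SSL protocol exchange` does not tell the administrator what enabling `ssl_preproc` does to the generated configuration: the matching snort.inc block uses `trustservers, noinspect_encrypted`, which, as I read those options, stops rule inspection of a session once the handshake completes. That trades coverage for CPU, so the UI text should say so, e.g. `Track SSL/TLS handshakes on the configured SSL ports and stop inspecting the session once it is encrypted (saves CPU; encrypted payloads are no longer matched against rules).`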
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php
index a3d41762..3d6de228 100644
--- a/config/snort/snort_rulesets.php
+++ b/config/snort/snort_rulesets.php
@@ -177,7 +177,8 @@ if ($savemsg) {
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
<?php
$isrulesfolderempty = glob("{$snortdir}/rules/*.rules");
- if (empty($isrulesfolderempty)):
+ $iscfgdirempty = glob("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/*.rules");
+ if (empty($isrulesfolderempty) && empty($iscfgdirempty)):
?>
<tr>
<td>
@@ -226,7 +227,10 @@ if ($savemsg) {
$emergingrules = array();
$snortsorules = array();
$snortrules = array();
- $dh = opendir("{$snortdir}/rules/");
+ if (empty($isrulesfolderempty))
+ $dh = opendir("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/");
+ else
+ $dh = opendir("{$snortdir}/rules/");
while (false !== ($filename = readdir($dh))) {
$filename = basename($filename);
if (substr($filename, -5) != "rules")
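Review bot: The new branch chooses the directory from the glob result but `opendir()`'s return is still unchecked; if the instance directory path cannot be opened, for example when `$snort_uuid` or `$if_real` is not set on this page, `readdir(false)` emits warnings into the HTML. Guard it before the loop with `if ($dh === false) { /* treat as no rules available */ }` and close it afterwards with `closedir($dh);`. The `while` loop continues outside the hunk.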
diff --git a/config/widget-snort/snort_alerts.inc b/config/widget-snort/snort_alerts.inc
deleted file mode 100644
index 159452dd..00000000
--- a/config/widget-snort/snort_alerts.inc
+++ /dev/null
@@ -1,20 +0,0 @@
-<?php
-
-require_once("globals.inc");
-require_once("includes/snort_alerts.inc.php");
-
-$snort_alerts_title = "Snort Alerts";
-$snort_alerts_title_link = "snort/snort_alerts.php";
-
-foreach (glob("{$g['varlog_path']}/snort/*/alert") as $alert) {
- $snort_alerts_logfile = $alert;
- $nentries = 10;
- $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries);
-
- /* AJAX related routines */
- handle_snort_ajax($snort_alerts_logfile, $nentries);
-}
-if($_GET['lastsawtime'] or $_POST['lastsawtime'])
- exit;
-
-?>
diff --git a/config/widget-snort/snort_alerts.inc.php b/config/widget-snort/snort_alerts.inc.php
deleted file mode 100644
index 46d2b9a7..00000000
--- a/config/widget-snort/snort_alerts.inc.php
+++ /dev/null
@@ -1,92 +0,0 @@
-<?
-function get_snort_alerts($snort_alerts, $nentries, $tail = 20) {
- global $config, $g;
- $logarr = "";
- /* Always do a reverse tail, to be sure we're grabbing the 'end' of the alerts. */
- exec("/usr/bin/tail -r -n {$tail} {$snort_alerts}", $logarr);
-
- $snortalerts = array();
-
- $counter = 0;
-
- foreach ($logarr as $logent) {
- if($counter >= $nentries)
- break;
-
- $alert = parse_snort_alert_line($logent);
- if ($alert != "") {
- $counter++;
- $snortalerts[] = $alert;
- }
-
- }
- /* Since the rules are in reverse order, flip them around if needed based on the user's preference */
- return isset($config['syslog']['reverse']) ? $snortalerts : array_reverse($snortalerts);
-}
-
-function parse_snort_alert_line($line) {
- $log_split = "";
- $datesplit = "";
- preg_match("/^(.*)\s+\[\*\*\]\s+\[(\d+\:\d+:\d+)\]\s(.*)\s(.*)\s+\[\*\*\].*\s+\[Priority:\s(\d+)\]\s{(.*)}\s+(.*)\s->\s(.*)$/U", $line, $log_split);
-
- list($all, $alert['time'], $alert['rule'], $alert['category'], $alert['descr'],
- $alert['priority'], $alert['proto'], $alert['src'], $alert['dst']) = $log_split;
-
- $usableline = true;
-
- if(trim($alert['src']) == "")
- $usableline = false;
- if(trim($alert['dst']) == "")
- $usableline = false;
-
- if($usableline == true) {
- preg_match("/^(\d+)\/(\d+)-(\d+\:\d+\:\d+).\d+$/U", $alert['time'], $datesplit);
- $now_time = strtotime("now");
- $checkdate = $datesplit[1] . "/" . $datesplit[2] . "/" . date("Y");
- $fulldate = $datesplit[2] . "/" . $datesplit[1] . "/" . date("Y");
- $logdate = $checkdate . " " . $datesplit[3];
- if ($now_time < strtotime($logdate)) {
- $fulldate = $datesplit[2] . "/" . $datesplit[1] . "/" . ((int)date("Y") - 1);
- }
-
- $alert['dateonly'] = $fulldate;
- $alert['timeonly'] = $datesplit[3];
- $alert['category'] = strtoupper( substr($alert["category"],0 , 1) ) . strtolower( substr($alert["category"],1 ) );
- return $alert;
- } else {
- if($g['debug']) {
- log_error("There was a error parsing line: $line. Please report to mailing list or forum.");
- }
- return "";
- }
-}
-
-/* AJAX specific handlers */
-function handle_snort_ajax($snort_alerts_logfile, $nentries = 5, $tail = 50) {
- if($_GET['lastsawtime'] or $_POST['lastsawtime']) {
- if($_GET['lastsawtime'])
- $lastsawtime = $_GET['lastsawtime'];
- if($_POST['lastsawtime'])
- $lastsawtime = $_POST['lastsawtime'];
- /* compare lastsawrule's time stamp to alert logs.
- * afterwards return the newer records so that client
- * can update AJAX interface screen.
- */
- $new_rules = "";
- $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries);
- foreach($snort_alerts as $log_row) {
- $time_regex = "";
- preg_match("/.*([0-9][0-9])\/([0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex);
- $logdate = $time_regex[1] . "/" . $time_regex[2] . "/" . date("Y") . " " . $time_regex[3];
- //preg_match("/.*([0-9][0-9])\/([0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $testsplit[1], $time_regex);
- // preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex);
- $row_time = strtotime($logdate);
- $now_time = strtotime("now");
- if($row_time > $lastsawtime and $row_time <= $nowtime) {
- $new_rules .= "{$log_row['time']}||{$log_row['priority']}||{$log_row['category']}||{$log_row['src']}||{$log_row['dst']}||" . time() . "||{$log_row['timeonly']}||{$log_row['dateonly']}" . "||\n";
- }
- }
- echo $new_rules;
- }
-}
-?>
diff --git a/config/widget-snort/snort_alerts.js b/config/widget-snort/snort_alerts.js
index 0cc76ab1..0c2d9ca6 100644
--- a/config/widget-snort/snort_alerts.js
+++ b/config/widget-snort/snort_alerts.js
@@ -1,63 +1,10 @@
-snortlastsawtime = '<?php echo time(); ?>';
var snortlines = Array();
var snorttimer;
var snortupdateDelay = 25500;
var snortisBusy = false;
var snortisPaused = false;
-<?php
- if(isset($config['syslog']['reverse']))
- echo "var isReverse = true;\n";
- else
- echo "var isReverse = false;\n";
-?>
-
-if (typeof getURL == 'undefined') {
- getURL = function(url, callback) {
- if (!url)
- throw 'No URL for getURL';
- try {
- if (typeof callback.operationComplete == 'function')
- callback = callback.operationComplete;
- } catch (e) {}
- if (typeof callback != 'function')
- throw 'No callback function for getURL';
- var http_request = null;
- if (typeof XMLHttpRequest != 'undefined') {
- http_request = new XMLHttpRequest();
- }
- else if (typeof ActiveXObject != 'undefined') {
- try {
- http_request = new ActiveXObject('Msxml2.XMLHTTP');
- } catch (e) {
- try {
- http_request = new ActiveXObject('Microsoft.XMLHTTP');
- } catch (e) {}
- }
- }
- if (!http_request)
- throw 'Both getURL and XMLHttpRequest are undefined';
- http_request.onreadystatechange = function() {
- if (http_request.readyState == 4) {
- callback( { success : true,
- content : http_request.responseText,
- contentType : http_request.getResponseHeader("Content-Type") } );
- }
- }
- http_request.open('GET', url, true);
- http_request.send(null);
- }
-}
-
-function snort_alerts_fetch_new_rules() {
- if(snortisPaused)
- return;
- if(snortisBusy)
- return;
- snortisBusy = true;
- getURL('widgets/helpers/snort_alerts_helper.php?lastsawtime=' + snortlastsawtime, snort_alerts_fetch_new_rules_callback);
-}
function snort_alerts_fetch_new_rules_callback(callback_data) {
if(snortisPaused)
return;
@@ -75,8 +22,6 @@ function snort_alerts_fetch_new_rules_callback(callback_data) {
line = '<td width="30%" class="listr" >' + row_split[6] + '<br>' + row_split[7]+ '</td>';
line += '<td width="40%" class="listr" >' + row_split[3] + '<br>' + row_split[4] + '</td>';
line += '<td width="40%" class="listr" >' + 'Pri : ' + row_split[1] + '<br>' + 'Cat : ' + row_split[2] + '</td>';
- snortlastsawtime = row_split[5];
- //alert(row_split[0]);
new_data_to_add[new_data_to_add.length] = line;
}
snort_alerts_update_div_rows(new_data_to_add);
@@ -131,7 +76,7 @@ function snort_alerts_update_div_rows(data) {
}
}
/* rechedule AJAX interval */
- //snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);
+ snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);
}
function snort_alerts_toggle_pause() {
if(snortisPaused) {
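Review bot: The re-enabled `snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);` calls a function that the first hunk of this file deletes, together with the `getURL` helper and the `snortlastsawtime` it used, so unless the widget now defines `snort_alerts_fetch_new_rules` elsewhere — which this commit does not show — every interval tick throws a ReferenceError and the table never refreshes. Either keep a fetch function that requests the widget with `evalScripts=1` and hands the response to `snort_alerts_fetch_new_rules_callback`, or leave the timer disabled. Passing a function reference instead of a string, `setInterval(snort_alerts_fetch_new_rules, snortupdateDelay)`, would surface a missing definition at load time rather than on the first tick. snort_alerts_update_div_rows() starts before the hunk.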
diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php
index ad7827b7..c579a35e 100644
--- a/config/widget-snort/snort_alerts.widget.php
+++ b/config/widget-snort/snort_alerts.widget.php
@@ -26,6 +26,8 @@
POSSIBILITY OF SUCH DAMAGE.
*/
global $config, $g;
+$snort_alerts_title = "Snort Alerts";
+$snort_alerts_title_link = "snort/snort_alerts.php";
/* retrieve snort variables */
require_once("/usr/local/pkg/snort/snort.inc");
@@ -38,12 +40,14 @@ $a_instance = &$config['installedpackages']['snortglobal']['rule'];
$snort_alerts = array();
$tmpblocked = array_flip(snort_get_blocked_ips());
foreach ($a_instance as $instanceid => $instance) {
- $snort_uuid = $a_instance[$instanceid]['uuid'];
- $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
- $tmpfile = "{$g['tmp_path']}/.widget_alert_{$snort_uuid}";
+ if ($instance['enable'] != 'on')
+ continue;
/* make sure alert file exists */
if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
+ $snort_uuid = $instance['uuid'];
+ $if_real = snort_get_real_interface($instance['interface']);
+ $tmpfile = "{$g['tmp_path']}/.widget_alert_{$snort_uuid}";
if (isset($config['syslog']['reverse']))
exec("tail -10 /var/log/snort/snort_{$if_real}{$snort_uuid}/alert | sort -r > {$tmpfile}");
else
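Review bot: `$if_real` and `$snort_uuid` are read by the `file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")` test one line above the point where the new lines assign them, so the first iteration tests a path built from unset variables and every later iteration tests the previous instance's path. Move the three assignments up so they follow the `enable` check: `$snort_uuid = $instance['uuid'];`, `$if_real = snort_get_real_interface($instance['interface']);`, `$tmpfile = "{$g['tmp_path']}/.widget_alert_{$snort_uuid}";`, then the `file_exists` check. The loop body continues past the hunk.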
@@ -58,7 +62,7 @@ foreach ($a_instance as $instanceid => $instance) {
$fields = explode(",", $fileline);
$snort_alert = array();
- $snort_alert[]['instanceid'] = snort_get_friendly_interface($a_instance[$instanceid]['interface']);
+ $snort_alert[]['instanceid'] = snort_get_friendly_interface($instance['interface']);
$snort_alert[]['timestamp'] = $fields[0];
$snort_alert[]['timeonly'] = substr($fields[0], 6, -8);
$snort_alert[]['dateonly'] = substr($fields[0], 0, -17);
@@ -69,13 +73,21 @@ foreach ($a_instance as $instanceid => $instance) {
$snort_alert[]['priority'] = $fields[12];
$snort_alert[]['category'] = $fields[11];
$snort_alerts[] = $snort_alert;
- };
+ }
fclose($fd);
@unlink($tmpfile);
- };
- };
-};
+ }
+ }
+}
+
+if ($_GET['evalScripts']) {
+ /* AJAX specific handlers */
+ $new_rules = "";
+ foreach($snort_alerts as $log_row)
+ $new_rules .= "{$log_row['time']}||{$log_row['priority']}||{$log_row['category']}||{$log_row['src']}||{$log_row['dst']}||{$log_row['timestamp']}||{$log_row['timeonly']}||{$log_row['dateonly']}\n";
+ echo $new_rules;
+} else {
/* display the result */
?>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
@@ -96,3 +108,4 @@ foreach ($snort_alerts as $counter => $alert) {
?>
</tbody>
</table>
+<?php } ?>
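Review bot: The new AJAX branch reads `$log_row['time']`, `['priority']`, `['src']` and `['dst']`, but the rows are built in the hunks above with `$snort_alert[]['timestamp'] = ...` and similar, which appends a one-key sub-array per field, so none of those string keys exist on `$log_row` and no `time` key is set at all; the response therefore carries empty fields. Dropping the `[]` on each of those assignments (`$snort_alert['timestamp'] = $fields[0];` and so on) gives the flat array this echo and the HTML loop expect. The fields are also echoed raw and inserted into the page by the widget's JavaScript, so wrap each in `htmlspecialchars()` before concatenation, and use `!empty($_GET['evalScripts'])` to avoid an undefined-index notice on ordinary page loads.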
diff --git a/config/widget-snort/snort_alerts_helper.php b/config/widget-snort/snort_alerts_helper.php
deleted file mode 100644
index 5df0da04..00000000
--- a/config/widget-snort/snort_alerts_helper.php
+++ /dev/null
@@ -1,20 +0,0 @@
-<?php
-require_once("globals.inc");
-require_once("guiconfig.inc");
-require_once("includes/snort_alerts.inc.php");
-
-foreach (glob("{$g['varlog_path']}/snort/*/alert") as $alert) {
- $snort_alerts_logfile = $alert;
- $nentries = 5;
- $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries);
-
- /* AJAX related routines */
- handle_snort_ajax($snort_alerts_logfile, $nentries);
-}
-if($_GET['lastsawtime'] or $_POST['lastsawtime'])
- exit;
-
-?>
-<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script>
-<script src="/javascript/scriptaculous/scriptaculous.js" type="text/javascript"></script>
-<script src="/widgets/javascript/snort_alerts.js" type="text/javascript"></script>
diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc
deleted file mode 100644
index 584e5f2d..00000000
--- a/config/widget-snort/widget-snort.inc
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
-
-function widget_snort_uninstall() {
-
- unlink("/usr/local/www/includes/snort_alerts.inc.php");
- unlink("/usr/local/www/widgets/helpers/snort_alerts_helper.php");
- unlink("/usr/local/www/widgets/include/snort_alerts.inc");
- unlink("/usr/local/www/widgets/javascript/snort_alerts.js");
- unlink("/usr/local/www/widgets/widgets/snort_alerts.widget.php");
-
-}
-
-?> \ No newline at end of file
diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml
index 1644181c..785ac5b1 100644
--- a/config/widget-snort/widget-snort.xml
+++ b/config/widget-snort/widget-snort.xml
@@ -46,29 +46,8 @@
<requirements>Dashboard package and Snort</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>widget-snort</name>
- <version>0.2</version>
+ <version>0.5</version>
<title>Widget - Snort</title>
- <include_file>/usr/local/pkg/widget-snort.inc</include_file>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>077</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/widget-snort.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/includes/</prefix>
- <chmod>0644</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc.php</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/widgets/helpers/</prefix>
- <chmod>0644</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts_helper.php</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/widgets/include/</prefix>
- <chmod>0644</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc</item>
- </additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/www/widgets/javascript/</prefix>
<chmod>0644</chmod>
@@ -79,7 +58,4 @@
<chmod>0644</chmod>
<item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.widget.php</item>
</additional_files_needed>
- <custom_php_deinstall_command>
- widget_snort_uninstall();
- </custom_php_deinstall_command>
</packagegui>