Diffstat (limited to 'config')
-rw-r--r--config/cron/cron.inc16
-rw-r--r--config/cron/cron.xml12
-rw-r--r--config/siproxd/siproxd.inc69
-rw-r--r--config/siproxd/siproxd.priv.inc42
-rw-r--r--config/siproxd/siproxd.xml81
-rw-r--r--config/siproxd/siproxd_registered_phones.php2
-rw-r--r--config/siproxd/siproxdusers.xml11
-rwxr-xr-xconfig/snort/snort.inc9
-rwxr-xr-xconfig/snort/snort.xml2
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php205
-rw-r--r--config/snort/snort_conf_template.inc3
-rw-r--r--config/snort/snort_defs.inc2
-rw-r--r--config/snort/snort_frag3_engine.php3
-rw-r--r--config/snort/snort_ftp_client_engine.php3
-rw-r--r--config/snort/snort_ftp_server_engine.php3
-rw-r--r--config/snort/snort_generate_conf.php11
-rw-r--r--config/snort/snort_httpinspect_engine.php31
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php5
-rw-r--r--config/snort/snort_migrate_config.php3
-rw-r--r--config/snort/snort_post_install.php25
-rwxr-xr-xconfig/snort/snort_preprocessors.php17
-rw-r--r--config/snort/snort_stream5_engine.php3
-rwxr-xr-xconfig/squid3/34/squid.inc22
-rw-r--r--config/zabbix2/zabbix2-agent.inc (renamed from config/zabbix2/zabbix2.inc)110
-rw-r--r--config/zabbix2/zabbix2-agent.xml17
-rw-r--r--config/zabbix2/zabbix2-proxy.inc244
-rw-r--r--config/zabbix2/zabbix2-proxy.xml17
27 files changed, 644 insertions, 324 deletions
diff --git a/config/cron/cron.inc b/config/cron/cron.inc
index 645575d9..87591e08 100644
--- a/config/cron/cron.inc
+++ b/config/cron/cron.inc
@@ -27,22 +27,30 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
+require_once("pfsense-utils.inc");
require_once("services.inc");
+require_once("util.inc");
function cron_sync_package() {
configure_cron();
// Previous package versions were "helpfully" killing cron on uninstall.
// Also, need to make sure cron is running, otherwise the package is useless.
- // TODO: Something like this needs to be eventually done in configure_cron() in services.inc.
- if (!is_process_running("cron")) {
- exec("cd /tmp && /usr/sbin/cron -s 2>/dev/null");
+ // configure_cron() function in services.inc already does this check on pfSense >=2.2.5
+ $pfs_version = str_replace(".", "", substr(trim(file_get_contents("/etc/version")), 0, 5));
+ if ($pfs_version < 225) {
+ if (!is_process_running("cron")) {
+ exec("cd /tmp && /usr/sbin/cron -s 2>/dev/null");
+ }
}
}
function cron_install_command() {
// Clean up possible lingering garbage after previous package versions
unlink_if_exists("/usr/local/etc/rc.d/cron.sh");
- cron_sync_package();
+}
+
+function cron_deinstall_command() {
+ rmdir_recursive("/usr/local/www/packages/cron");
}
?>
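Review bot: The version gate in cron_sync_package() compares a digits-only string against 225, which ranks any two-component version below the threshold (`2.3` collapses to `23`) and truncates a two-digit patch level through `substr(..., 0, 5)`. The fallback only starts cron when `is_process_running("cron")` is false, so the impact is a redundant check rather than a failure, but the comparison will misfire on later releases. Comparing the numeric prefix with the built-in is sturdier: `if (version_compare(strtok(trim(file_get_contents("/etc/version")), "-"), "2.2.5", "<")) {`. A short comment stating that `/etc/version` may carry a suffix after the number would help the next maintainer.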
diff --git a/config/cron/cron.xml b/config/cron/cron.xml
index f777faff..181a4506 100644
--- a/config/cron/cron.xml
+++ b/config/cron/cron.xml
@@ -41,19 +41,16 @@
/* ====================================================================================== */
]]>
</copyright>
- <description>Cron</description>
- <name>Cron Settings</name>
- <version>0.3.1</version>
- <title>Settings</title>
+ <name>cronsettings</name>
+ <version>0.3.3</version>
+ <title>Cron Settings</title>
<include_file>/usr/local/pkg/cron.inc</include_file>
<menu>
<name>Cron</name>
- <tooltiptext>Cron settings.</tooltiptext>
<section>Services</section>
<configfile>cron.xml</configfile>
<url>/packages/cron/cron.php</url>
</menu>
- <configpath>installedpackages->package->$packagename->configuration->cron</configpath>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/cron/cron.xml</item>
@@ -87,4 +84,7 @@
<custom_php_install_command>
cron_install_command();
</custom_php_install_command>
+ <custom_php_deinstall_command>
+ cron_deinstall_command();
+ </custom_php_deinstall_command>
</packagegui>
diff --git a/config/siproxd/siproxd.inc b/config/siproxd/siproxd.inc
index 50b6e558..9eae2567 100644
--- a/config/siproxd/siproxd.inc
+++ b/config/siproxd/siproxd.inc
@@ -31,6 +31,7 @@
if (!function_exists("filter_configure")) {
require_once("filter.inc");
}
+require_once("pfsense-utils.inc");
require_once("service-utils.inc");
// Check to find out on which pfSense version the package is running
@@ -42,6 +43,18 @@ if ($pfs_version == "2.1" || $pfs_version == "2.2") {
define('SIPROXD', '/usr/local');
}
+function install_package_siproxd() {
+ siproxd_create_chroot();
+ /* remove rc script distributed with the package */
+ unlink_if_exists(SIPROXD . '/etc/rc.d/siproxd');
+}
+
+function deinstall_package_siproxd() {
+ rmdir_recursive("/var/siproxd");
+ unlink_if_exists(SIPROXD . '/etc/siproxd.conf');
+ unlink_if_exists(SIPROXD . '/etc/siproxd_passwd.cfg');
+}
+
function sync_package_siproxd_users() {
global $g, $config;
conf_mount_rw();
@@ -64,23 +77,28 @@ function sync_package_siproxd_users() {
function siproxd_generate_rules($type) {
global $config;
- $siproxd_conf = &$config['installedpackages']['siproxdsettings']['config'][0];
+ if (is_array($config['installedpackages']['siproxdsettings'])) {
+ $siproxd_conf = &$config['installedpackages']['siproxdsettings']['config'][0];
+ } else {
+ $siproxd_conf = array();
+ }
+
if (!is_service_running('siproxd')) {
- log_error("Siproxd is installed but not started. Not installing redirect rules.");
+ log_error("[siproxd] Package is installed but not started. Not installing firewall rules.");
return;
}
/* proxy is turned off in package settings */
- if ($siproxd_conf['sipenable'] == "0") {
- log_error("WARNING: siproxd proxy has not been enabled. Not installing rules.");
+ if ($siproxd_conf['sipenable'] != "on") {
+ log_error("[siproxd] WARNING: siproxd proxy has not been enabled. Not installing firewall rules.");
return "\n";
}
$ifaces = explode(",", $siproxd_conf['if_inbound']);
$ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces);
- $rtplower = ($siproxd_conf['rtplower'] ? $siproxd_conf['rtplower'] : 7070);
- $rtpupper = ($siproxd_conf['rtpupper'] ? $siproxd_conf['rtpupper'] : 7079);
- $port = ($siproxd_conf['port'] ? $siproxd_conf['port'] : 5060);
+ $rtplower = $siproxd_conf['rtplower'] ?: '7070';
+ $rtpupper = $siproxd_conf['rtpupper'] ?: '7079';
+ $port = $siproxd_conf['port'] ?: '5060';
switch($type) {
case 'nat':
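Review bot: The new guard in siproxd_generate_rules() tests only `$config['installedpackages']['siproxdsettings']`, so a settings array that lacks `['config'][0]` still reaches the reference assignment, and binding a reference to a missing element makes PHP create it as null inside the global `$config`. Nothing visible in this hunk writes through `$siproxd_conf`, so a plain copy guarded on the element itself would avoid that side effect: `if (is_array($config['installedpackages']['siproxdsettings']['config'][0])) {` followed by `$siproxd_conf = $config['installedpackages']['siproxdsettings']['config'][0];`. The same guard is added to sync_package_siproxd() in the hunk at `@@ -108,18 +126,24 @@`; whether that function needs the reference cannot be told from the visible lines. Separately, the not-running branch ends in a bare `return;` while the disabled branch returns `"\n"`, and the function body continues outside this hunk.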
@@ -108,18 +126,24 @@ function siproxd_generate_rules($type) {
return $rules;
}
-function sync_package_siproxd() {
- global $config, $pfs_version;
-
- conf_mount_rw();
-
+function siproxd_create_chroot() {
$siproxd_chroot = "/var/siproxd/";
safe_mkdir($siproxd_chroot);
@chown($siproxd_chroot, "nobody");
@chgrp($siproxd_chroot, "nobody");
- unlink_if_exists(SIPROXD . '/etc/rc.d/siproxd');
+}
+
+function sync_package_siproxd() {
+ global $config, $pfs_version;
+
+ conf_mount_rw();
+ siproxd_create_chroot();
- $siproxd_conf = &$config['installedpackages']['siproxdsettings']['config'][0];
+ if (is_array($config['installedpackages']['siproxdsettings'])) {
+ $siproxd_conf = &$config['installedpackages']['siproxdsettings']['config'][0];
+ } else {
+ $siproxd_conf = array();
+ }
$siproxd_conffile = SIPROXD . '/etc/siproxd.conf';
$siproxd_pwfile = SIPROXD . '/etc/siproxd_passwd.cfg';
@@ -136,9 +160,14 @@ function sync_package_siproxd() {
fwrite($fout, "# This file was automatically generated by the pfSense\n");
fwrite($fout, "# package management system.\n\n");
- /* proxy is turned off in package settings */
- if ($siproxd_conf['sipenable'] == "0") {
+ /* if proxy is turned off in package settings, stop service, remove rc script and do nothing else */
+ if ($siproxd_conf['sipenable'] != "on") {
fclose($fout);
+ if (is_service_running('siproxd')) {
+ stop_service("siproxd");
+ sleep(3);
+ }
+ unlink_if_exists(SIPROXD . '/etc/rc.d/siproxd.sh');
return;
}
@@ -147,11 +176,7 @@ function sync_package_siproxd() {
}
if ($siproxd_conf['if_outbound'] != "") {
- if (intval($config['version']) < 6 && $config['interfaces'][$siproxd_conf['if_outbound']]['ipaddr'] == "pppoe") {
- fwrite($fout, "if_outbound = ng0\n");
- } else {
- fwrite($fout, "if_outbound = " . convert_friendly_interface_to_real_interface_name($siproxd_conf['if_outbound']) . "\n");
- }
+ fwrite($fout, "if_outbound = " . convert_friendly_interface_to_real_interface_name($siproxd_conf['if_outbound']) . "\n");
}
if ($siproxd_conf['port'] != "") {
@@ -286,7 +311,7 @@ function sync_package_siproxd() {
sleep(3);
}
/* Only (re)start the service when siproxd is enabled */
- if ($siproxd_conf['sipenable'] != "0") {
+ if ($siproxd_conf['sipenable'] == "on") {
start_service("siproxd");
sleep(3);
}
diff --git a/config/siproxd/siproxd.priv.inc b/config/siproxd/siproxd.priv.inc
new file mode 100644
index 00000000..9980a353
--- /dev/null
+++ b/config/siproxd/siproxd.priv.inc
@@ -0,0 +1,42 @@
+<?php
+/*
+ siproxd.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-siproxd'] = array();
+$priv_list['page-services-siproxd']['name'] = "WebCfg - Services: siproxd package";
+$priv_list['page-services-siproxd']['descr'] = "Allow access to siproxd package GUI";
+
+$priv_list['page-services-siproxd']['match'] = array();
+$priv_list['page-services-siproxd']['match'][] = "pkg.php?xml=siproxd.xml*";
+$priv_list['page-services-siproxd']['match'][] = "pkg.php?xml=siproxdusers.xml*";
+$priv_list['page-services-siproxd']['match'][] = "pkg_edit.php?xml=siproxd.xml*";
+$priv_list['page-services-siproxd']['match'][] = "pkg_edit.php?xml=siproxdusers.xml*";
+$priv_list['page-services-siproxd']['match'][] = "siproxd_registered_phones.php*";
+
+?>
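Review bot: The `descr` for `page-services-siproxd` undersells what the privilege grants. Its match list includes `pkg.php?xml=siproxdusers.xml*` and `pkg_edit.php?xml=siproxdusers.xml*`, and the siproxdusers.xml form touched by this same commit has a `password` field. An administrator delegating this privilege should be able to see that from the description, for example `"Allow access to siproxd package GUI, including SIP user accounts and passwords"`.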
diff --git a/config/siproxd/siproxd.xml b/config/siproxd/siproxd.xml
index e4375d8e..b0866eb1 100644
--- a/config/siproxd/siproxd.xml
+++ b/config/siproxd/siproxd.xml
@@ -43,25 +43,25 @@
]]>
</copyright>
<name>siproxdsettings</name>
- <version>1.0.6</version>
+ <version>1.0.7</version>
<title>siproxd: Settings</title>
<include_file>/usr/local/pkg/siproxd.inc</include_file>
- <aftersaveredirect>/pkg_edit.php?xml=siproxd.xml&amp;id=0</aftersaveredirect>
+ <aftersaveredirect>/pkg_edit.php?xml=siproxd.xml</aftersaveredirect>
<menu>
<name>siproxd</name>
- <tooltiptext>Modify siproxd users and settings.</tooltiptext>
<section>Services</section>
- <url>/pkg_edit.php?xml=siproxd.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=siproxd.xml</url>
</menu>
<service>
<name>siproxd</name>
<rcfile>siproxd.sh</rcfile>
<executable>siproxd</executable>
+ <description>Proxy/Masquerading Daemon for SIP</description>
</service>
<tabs>
<tab>
<text>Settings</text>
- <url>/pkg_edit.php?xml=siproxd.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=siproxd.xml</url>
<active/>
</tab>
<tab>
@@ -82,6 +82,10 @@
<item>https://packages.pfsense.org/packages/config/siproxd/siproxd.inc</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/siproxd/siproxd.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/www/</prefix>
<item>https://packages.pfsense.org/packages/config/siproxd/siproxd_registered_phones.php</item>
</additional_files_needed>
@@ -89,23 +93,23 @@
<field>
<fielddescr>Enable siproxd</fielddescr>
<fieldname>sipenable</fieldname>
- <description>Enable or disable siproxd</description>
+ <description>Enable or disable siproxd.</description>
<type>checkbox</type>
</field>
<field>
- <fielddescr>Inbound interface</fielddescr>
+ <fielddescr>Inbound Interface</fielddescr>
<fieldname>if_inbound</fieldname>
<description>Select the inbound interface.</description>
<type>interfaces_selection</type>
</field>
<field>
- <fielddescr>Outbound interface</fielddescr>
+ <fielddescr>Outbound Interface</fielddescr>
<fieldname>if_outbound</fieldname>
<description>Select the outbound interface.</description>
<type>interfaces_selection</type>
</field>
<field>
- <fielddescr>Listening port</fielddescr>
+ <fielddescr>Listening Port</fielddescr>
<fieldname>port</fieldname>
<description>
<![CDATA[
@@ -114,11 +118,12 @@
]]>
</description>
<type>input</type>
+ <default_value>5060</default_value>
</field>
<field>
- <fielddescr>Default expiration timeout</fielddescr>
+ <fielddescr>Default Expiration Timeout</fielddescr>
<fieldname>defaulttimeout</fieldname>
- <description>If a REGISTER request dose not contain an Expires header or expires= parameter, this number of seconds will be used and reported back to the UA in the answer.</description>
+ <description>If a REGISTER request does not contain an Expires header or expires= parameter, this number of seconds will be used and reported back to the UA in the answer.</description>
<type>input</type>
</field>
<field>
@@ -126,38 +131,36 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Enable RTP proxy</fielddescr>
+ <fielddescr>Enable RTP Proxy</fielddescr>
<fieldname>rtpenable</fieldname>
- <description>Enable or disable the RTP proxy. (default is enabled)</description>
+ <description>Enable or disable the RTP proxy. (Default: enabled)</description>
<type>select</type>
<options>
- <option>
- <name>Enable</name>
- <value>1</value>
- </option>
- <option>
- <name>Disable</name>
- <value>0</value>
- </option>
+ <option><name>Enable</name><value>1</value></option>
+ <option><name>Disable</name><value>0</value></option>
</options>
+ <default_value>1</default_value>
</field>
<field>
- <fielddescr>RTP port range (lower)</fielddescr>
+ <fielddescr>RTP Port Range (Lower)</fielddescr>
<fieldname>rtplower</fieldname>
- <description>Enter the bottom edge of the port range siproxd will allocate for incoming RTP traffic. This range must be one not blocked by the firewall (default 7070).</description>
+ <description>Enter the bottom edge of the port range siproxd will allocate for incoming RTP traffic. This range must not be blocked by the firewall. (Default: 7070)</description>
<type>input</type>
+ <default_value>7070</default_value>
</field>
<field>
- <fielddescr>RTP port range (upper)</fielddescr>
+ <fielddescr>RTP Port Range (Upper)</fielddescr>
<fieldname>rtpupper</fieldname>
- <description>Enter the top edge of the port range siproxd will allocate for incoming RTP traffic. This range must be one not blocked by the firewall (default 7079).</description>
+ <description>Enter the top edge of the port range siproxd will allocate for incoming RTP traffic. This range must not be blocked by the firewall. (Default: 7079)</description>
<type>input</type>
+ <default_value>7079</default_value>
</field>
<field>
- <fielddescr>RTP stream timeout</fielddescr>
+ <fielddescr>RTP Stream Timeout</fielddescr>
<fieldname>rtptimeout</fieldname>
- <description>After this number of seconds, an RTP stream is considered dead and proxying it will be stopped (default 300sec).</description>
+ <description>After this number of seconds, an RTP stream is considered dead and proxying it will be stopped. (Default: 300sec)</description>
<type>input</type>
+ <default_value>300</default_value>
</field>
<field>
<name>Dejittering Settings</name>
@@ -180,7 +183,7 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>TCP inactivity timeout</fielddescr>
+ <fielddescr>TCP Inactivity Timeout</fielddescr>
<fieldname>tcp_timeout</fieldname>
<description>
<![CDATA[
@@ -195,8 +198,8 @@
<fieldname>tcp_connect_timeout</fieldname>
<description>
<![CDATA[
- Defines How many msecs siproxd will wait for an successful connect when establishing an outgoing SIP signalling connection.<br />
- This should be kept as short as possible as waiting for an TCP connection to establish is a BLOCKING operation - while waiting for a connect to succeed no SIP messages are processed (RTP is not affected).
+ Defines How many msecs siproxd will wait for a successful connect when establishing an outgoing SIP signalling connection.<br />
+ This should be kept as short as possible as waiting for an TCP connection to establish is a BLOCKING operation - no SIP messages are processed while waiting for a connect to succeed (RTP is not affected).
]]>
</description>
<type>input</type>
@@ -212,19 +215,19 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Enable proxy authentication</fielddescr>
+ <fielddescr>Enable Proxy Authentication</fielddescr>
<fieldname>authentication</fieldname>
- <description>If this is checked, clients will be forced to authenticate themselves at the proxy (for registration only).</description>
+ <description>If checked, clients will be forced to authenticate themselves at the proxy (for registration only).</description>
<type>checkbox</type>
</field>
<field>
- <fielddescr>Outbound proxy hostname</fielddescr>
+ <fielddescr>Outbound Proxy Hostname</fielddescr>
<fieldname>outboundproxyhost</fieldname>
<description>Enter the hostname of an outbound proxy to send all traffic to. This is only useful if you have multiple masquerading firewalls to cross.</description>
<type>input</type>
</field>
<field>
- <fielddescr>Outbound proxy port</fielddescr>
+ <fielddescr>Outbound Proxy Port</fielddescr>
<fieldname>outboundproxyport</fieldname>
<description>Enter the port of the outbound proxy to send all traffic to. This is only useful if you have multiple masquerading firewalls to cross.</description>
<type>input</type>
@@ -266,7 +269,7 @@
<type>checkbox</type>
</field>
<field>
- <fielddescr>Log redirected calls</fielddescr>
+ <fielddescr>Log Redirected Calls</fielddescr>
<fieldname>plugin_defaulttarget_log</fieldname>
<description>Log redirected calls.</description>
<type>checkbox</type>
@@ -371,6 +374,12 @@
<type>input</type>
</field>
</fields>
+ <custom_php_install_command>
+ install_package_siproxd();
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ deinstall_package_siproxd();
+ </custom_php_deinstall_command>
<custom_add_php_command>
sync_package_siproxd();
</custom_add_php_command>
@@ -378,7 +387,7 @@
sync_package_siproxd();
</custom_php_resync_config_command>
<filter_rules_needed>
- siproxd_generate_rules();
+ siproxd_generate_rules
</filter_rules_needed>
<custom_php_validation_command>
validate_form_siproxd($_POST, $input_errors);
diff --git a/config/siproxd/siproxd_registered_phones.php b/config/siproxd/siproxd_registered_phones.php
index 51eb474a..0648aa2f 100644
--- a/config/siproxd/siproxd_registered_phones.php
+++ b/config/siproxd/siproxd_registered_phones.php
@@ -82,7 +82,7 @@ require("head.inc");
<tr><td>
<?php
$tab_array = array();
- $tab_array[] = array(gettext("Settings"), false, "pkg_edit.php?xml=siproxd.xml&amp;id=0");
+ $tab_array[] = array(gettext("Settings"), false, "pkg_edit.php?xml=siproxd.xml");
$tab_array[] = array(gettext("Users"), false, "pkg.php?xml=siproxdusers.xml");
$tab_array[] = array(gettext("Registered Phones"), true, "siproxd_registered_phones.php");
display_top_tabs($tab_array);
diff --git a/config/siproxd/siproxdusers.xml b/config/siproxd/siproxdusers.xml
index 6dd53efe..390c4f35 100644
--- a/config/siproxd/siproxdusers.xml
+++ b/config/siproxd/siproxdusers.xml
@@ -43,13 +43,13 @@
]]>
</copyright>
<name>siproxdusers</name>
- <version>1.0.6</version>
+ <version>1.0.7</version>
<title>siproxd: Users</title>
<include_file>/usr/local/pkg/siproxd.inc</include_file>
<tabs>
<tab>
<text>Settings</text>
- <url>/pkg_edit.php?xml=siproxd.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=siproxd.xml</url>
</tab>
<tab>
<text>Users</text>
@@ -61,7 +61,6 @@
<url>/siproxd_registered_phones.php</url>
</tab>
</tabs>
- <configpath>installedpackages->package->$packagename->configuration->settings</configpath>
<adddeleteeditpagefields>
<columnitem>
<fielddescr>Username</fielddescr>
@@ -76,19 +75,19 @@
<field>
<fielddescr>Username</fielddescr>
<fieldname>username</fieldname>
- <description>Enter the username here</description>
+ <description>Enter the username here.</description>
<type>input</type>
</field>
<field>
<fielddescr>Password</fielddescr>
<fieldname>password</fieldname>
- <description>Enter the password here</description>
+ <description>Enter the password here.</description>
<type>password</type>
</field>
<field>
<fielddescr>Username Description</fielddescr>
<fieldname>description</fieldname>
- <description>Enter the description of the user here</description>
+ <description>Enter the description of the user here.</description>
<type>input</type>
</field>
</fields>
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 60959ad6..5cdd5a00 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -2934,6 +2934,7 @@ rc_start() {
### Remove the lock since we have started all interfaces
if [ -f {$g['varrun_path']}/snort_pkg_starting.lck ]; then
+ sleep 2
/bin/rm {$g['varrun_path']}/snort_pkg_starting.lck
fi
}
@@ -2954,8 +2955,12 @@ case $1 in
rc_stop
;;
restart)
- rc_stop
- rc_start
+ if [ ! -f {$g['varrun_path']}/snort_pkg_starting.lck ]; then
+ rc_stop
+ rc_start
+ else
+ /usr/bin/logger -p daemon.info -i -t SnortRestart "Ignoring RESTART command since Snort is already starting..."
+ fi
;;
esac
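Review bot: A stale `snort_pkg_starting.lck` makes the new `restart)` branch drop every restart request, because the only removal visible here is at the end of rc_start. Where the lock is created is outside these hunks, but if startup is interrupted before the `/bin/rm`, later restarts (for example after a rule update) would be ignored with only a `daemon.info` line as evidence. Consider bounding the lock's lifetime by treating a lock older than a few minutes as stale, and logging the skipped restart at `daemon.warning` so it stands out in the system log. The `sleep 2` added in rc_start by the previous hunk lengthens the window in which restarts are skipped, so a comment giving the reason for the delay would be useful.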
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 9d20a4ab..e9e43202 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -45,7 +45,7 @@
</copyright>
<description>Snort IDS/IPS Package</description>
<name>Snort</name>
- <version>3.2.8.2</version>
+ <version>3.2.9</version>
<title>Services: Snort IDS</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 123661e4..929ddad1 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -5,7 +5,7 @@
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2009 Robert Zelaya
* Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2013-2014 Bill Meeks
+ * Copyright (C) 2013-2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -35,7 +35,7 @@ require_once("service-utils.inc");
require_once("/usr/local/pkg/snort/snort.inc");
require("/usr/local/pkg/snort/snort_defs.inc");
-global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules;
+global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules, $static_output;
$snortdir = SNORTDIR;
$snortlibdir = SNORT_PBI_BASEDIR . "lib";
@@ -266,45 +266,56 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
/* error occurred. */
/**********************************************************/
- global $pkg_interface, $last_curl_error, $update_errors;
+ global $last_curl_error, $update_errors, $static_output;
$snortdir = SNORTDIR;
$filename_md5 = basename($file_dst);
- if ($pkg_interface <> "console")
- update_status(gettext("Downloading {$desc} md5 file..."));
+ update_status(gettext("Downloading {$desc} md5 file..."));
+ $static_output .= gettext("Downloading {$desc} md5 file...");
+ update_output_window($static_output);
error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$rc = snort_download_file_url($file_url, $file_dst);
// See if download from URL was successful
if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading {$filename_md5}."));
+ update_status(gettext("Done downloading {$filename_md5}."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
error_log("\tChecking {$desc} md5 file...\n", 3, SNORT_RULES_UPD_LOGFILE);
+ $static_output .= gettext("Checking {$desc} md5 file...");
+ update_output_window($static_output);
// check md5 hash in new file against current file to see if new download is posted
if (file_exists("{$snortdir}/{$filename_md5}")) {
$md5_check_new = file_get_contents($file_dst);
$md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}");
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
if ($md5_check_new == $md5_check_old) {
- if ($pkg_interface <> "console")
- update_status(gettext("{$desc} are up to date..."));
+ update_status(gettext("{$desc} are up to date..."));
log_error(gettext("[Snort] {$desc} are up to date..."));
error_log(gettext("\t{$desc} are up to date.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ $static_output .= gettext("{$desc} are current. No update required.\n");
+ update_output_window($static_output);
return false;
}
- else
+ else {
return true;
+ }
}
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
return true;
}
else {
error_log(gettext("\t{$desc} md5 download failed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$snort_err_msg = gettext("Server returned error code {$rc}.");
- if ($pkg_interface <> "console") {
- update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
- update_output_window(gettext("{$desc} will not be updated.\n\t{$snort_err_msg}"));
- }
+ update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
+ $static_output .= gettext(" FAILED!\n");
+ update_output_window($static_output);
+ $static_output .= gettext("{$desc} will not be updated.\n{$snort_err_msg}\n");
+ update_output_window($static_output);
log_error(gettext("[Snort] {$desc} md5 download failed..."));
log_error(gettext("[Snort] Server returned error code {$rc}..."));
error_log(gettext("\t{$snort_err_msg}\n"), 3, SNORT_RULES_UPD_LOGFILE);
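Review bot: The freshness test `$md5_check_new == $md5_check_old` treats two failed or empty reads as a match, since `file_get_contents()` returns `false` on error and `false == ""` is true under loose comparison. In that case the function reports the rules as current and returns false, so the update is skipped without any error being logged. Suggest `if ($md5_check_new !== false && $md5_check_new === $md5_check_old) {`. The same loose operator guards the archive check in snort_fetch_new_rules() in the next hunk (`$file_md5 != trim(md5_file($file_dst))`), where `!==` would also avoid PHP's numeric-string comparison of hex digests. snort_check_rule_md5() starts before and continues after this hunk.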
@@ -334,29 +345,31 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* FALSE if download was not successful. */
/**********************************************************/
- global $pkg_interface, $last_curl_error, $update_errors;
+ global $last_curl_error, $update_errors, $static_output;
$snortdir = SNORTDIR;
$filename = basename($file_dst);
- if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
+ update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}..."));
error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, SNORT_RULES_UPD_LOGFILE);
error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ $static_output .= gettext("There is a new set of {$desc} posted.\nDownloading {$filename}...");
+ update_output_window($static_output);
$rc = snort_download_file_url($file_url, $file_dst);
// See if the download from the URL was successful
if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading {$desc} file."));
+ update_status(gettext("Done downloading {$desc} file."));
log_error("[Snort] {$desc} file update downloaded successfully");
error_log(gettext("\tDone downloading rules file.\n"),3, SNORT_RULES_UPD_LOGFILE);
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
// Test integrity of the rules file. Turn off update if file has wrong md5 hash
if ($file_md5 != trim(md5_file($file_dst))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$desc} file MD5 checksum failed..."));
+ $static_output .= gettext("{$desc} file MD5 checksum failed...\n");
+ update_output_window($static_output);
log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum..."));
log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst)));
log_error(gettext("[Snort] Expected File MD5: {$file_md5}"));
@@ -370,12 +383,16 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
return true;
}
else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$desc} file download failed..."));
+ $static_output .= gettext(" FAILED!\n");
+ update_output_window($static_output);
+ $static_output .= gettext("{$desc} file download failed... server returned error '{$rc}'.\n");
+ update_output_window($static_output);
log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'..."));
error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SNORT_RULES_UPD_LOGFILE);
error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, SNORT_RULES_UPD_LOGFILE);
error_log(gettext("\t{$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ $static_output .= gettext("{$desc} will not be updated.\n");
+ update_output_window($static_output);
$update_errors = true;
return false;
}
@@ -462,6 +479,9 @@ if ($emergingthreats == 'on') {
/* Untar Snort rules file to tmp and install the rules */
if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/{$snort_filename}")) {
+ $static_output .= gettext("Installing Sourcefire VRT rules...");
+ update_output_window($static_output);
+
/* Currently, only FreeBSD-8-1, FreeBSD-9-0 and FreeBSD-10-0 precompiled SO rules exist from Snort.org */
/* Default to FreeBSD 8.1, and then test for FreeBSD 9.x or FreeBSD 10.x */
$freebsd_version_so = 'FreeBSD-8-1';
@@ -471,13 +491,11 @@ if ($snortdownload == 'on') {
$freebsd_version_so = 'FreeBSD-10-0';
/* Remove the old Snort rules files */
+ update_status(gettext("Removing old Snort VRT rules..."));
$vrt_prefix = VRT_FILE_PREFIX;
unlink_if_exists("{$snortdir}/rules/{$vrt_prefix}*.rules");
- if ($pkg_interface <> "console") {
- update_status(gettext("Extracting Snort VRT rules..."));
- update_output_window(gettext("Installing Sourcefire VRT rules..."));
- }
+ update_status(gettext("Extracting new Snort VRT rules..."));
error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
/* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */
safe_mkdir("{$tmpfname}/snortrules");
@@ -495,8 +513,7 @@ if ($snortdownload == 'on') {
}
rmdir_recursive("{$tmpfname}/snortrules");
/* Extract the Snort preprocessor rules */
- if ($pkg_interface <> "console")
- update_output_window(gettext("Extracting preprocessor rules files..."));
+ update_status(gettext("Extracting preprocessor rules files..."));
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/");
$files = glob("{$tmpfname}/preproc_rules/*.rules");
foreach ($files as $file) {
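Review bot: The tar invocations in this part of the script interpolate path variables into a shell command unquoted and ignore the exit status. This applies to `exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/")` here and to the `so_rules/` and `etc/` calls in the following hunks. Where `$tmpfname` and `$snort_filename` are set is outside the visible hunks; if either can carry configuration-derived text, the safe form is `exec("/usr/bin/tar xzf " . escapeshellarg("{$tmpfname}/{$snort_filename}") . " -C " . escapeshellarg($tmpfname) . " preproc_rules/", $out, $rc);`. Checking `$rc` would also keep the new progress output from appending ` done.` after an extraction that failed. The enclosing `if ($snortdownload == 'on')` block starts and ends outside this hunk.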
@@ -505,10 +522,7 @@ if ($snortdownload == 'on') {
}
rmdir_recursive("{$tmpfname}/preproc_rules");
/* extract so rules */
- if ($pkg_interface <> "console") {
- update_status(gettext("Extracting Snort VRT Shared Objects rules..."));
- update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}..."));
- }
+ update_status(gettext("Extracting Snort VRT Shared Objects rules..."));
error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$snort_arch = php_uname("m");
$nosorules = false;
@@ -523,8 +537,7 @@ if ($snortdownload == 'on') {
rmdir_recursive("{$tmpfname}/so_rules/");
if ($nosorules == false) {
/* extract Shared Object stub rules, rename and copy to the rules folder. */
- if ($pkg_interface <> "console")
- update_status(gettext("Copying Snort VRT Shared Objects rules..."));
+ update_status(gettext("Copying Snort VRT Shared Objects rules..."));
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} --exclude precompiled/ --exclude src/ so_rules/");
$files = glob("{$tmpfname}/so_rules/*.rules");
foreach ($files as $file) {
@@ -534,10 +547,7 @@ if ($snortdownload == 'on') {
rmdir_recursive("{$tmpfname}/so_rules/");
}
/* extract base etc files */
- if ($pkg_interface <> "console") {
- update_status(gettext("Extracting Snort VRT config and map files..."));
- update_output_window(gettext("Copying config and map files..."));
- }
+ update_status(gettext("Extracting Snort VRT config and map files..."));
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/");
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
if (file_exists("{$tmpfname}/etc/{$file}"))
@@ -545,14 +555,12 @@ if ($snortdownload == 'on') {
}
rmdir_recursive("{$tmpfname}/etc");
if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
- if ($pkg_interface <> "console")
- update_status(gettext("Copying md5 signature to snort directory..."));
+ update_status(gettext("Copying md5 signature to snort directory..."));
@copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}");
}
- if ($pkg_interface <> "console") {
- update_status(gettext("Extraction of Snort VRT rules completed..."));
- update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
- }
+ update_status(gettext("Extraction of Snort VRT rules completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
}
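Review bot: The added `$static_output .= gettext(" done.\n");` and the "Extraction of Snort VRT rules completed..." status are emitted unconditionally, although the `exec("/usr/bin/tar xzf ...")` calls in this block discard tar's exit status. A truncated or corrupt archive would leave a partial rule set on the sensor while the GUI and the update log both report success. Capturing the result, e.g. `exec("/usr/bin/tar xzf ...", $out, $rc);` followed by `if ($rc != 0)` writing a failure line to SNORT_RULES_UPD_LOGFILE instead of " done.", would make that visible. The same applies to the OpenAppID, GPLv2 Community and `{$et_name}` sections in the following hunks. The enclosing `if ($snortdownload == 'on')` block starts outside the hunk.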
@@ -561,20 +569,25 @@ if ($snortdownload == 'on') {
if ($openappid_detectors == 'on') {
// If we have a valid downloaded file, then first cleanup the old directory
if (file_exists("{$tmpfname}/{$snort_openappid_filename}")) {
+ update_status(gettext("Extracting Snort OpenAppID detectors..."));
+ $static_output .= gettext("Installing Snort OpenAppID detectors...");
$snort_openappid_path = SNORT_APPID_ODP_PATH;
rmdir_recursive("{$snort_openappid_path}odp");
error_log(gettext("\tExtracting and installing Snort OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE);
safe_mkdir(SNORT_APPID_ODP_PATH);
exec("/usr/bin/tar oxzf {$tmpfname}/{$snort_openappid_filename} -C {$snort_openappid_path}");
if (file_exists("{$tmpfname}/{$snort_openappid_filename_md5}")) {
- if ($pkg_interface <> "console")
- update_status(gettext("Copying md5 signature to snort directory..."));
+ update_status(gettext("Copying md5 signature to snort directory..."));
@copy("{$tmpfname}/{$snort_openappid_filename_md5}", "{$snortdir}/{$snort_openappid_filename_md5}");
}
- if ($pkg_interface <> "console") {
- update_status(gettext("Extraction of Snort OpenAppID detectors completed..."));
- update_output_window(gettext("Installation of Snort OpenAppID detectors completed..."));
+ if (!is_dir("{$snort_openappid_path}custom")) {
+ safe_mkdir("{$snort_openappid_path}custom");
+ safe_mkdir("{$snort_openappid_path}custom/lua");
+ touch("{$snort_openappid_path}custom/userappid.conf");
}
+ update_status(gettext("Extraction of Snort OpenAppID detectors completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
unlink_if_exists("{$tmpfname}/{$snort_openappid_filename}");
error_log(gettext("\tInstallation of Snort OpenAppID detectors completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
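Review bot: "Installing Snort OpenAppID detectors..." is appended to `$static_output` at the top of this branch, but `update_output_window($static_output)` is not called until after " done." has been added, so the progress line only appears once extraction has finished. The Community and Emerging Threats sections flush right after appending; adding `update_output_window($static_output);` after the first append would match them. The new `safe_mkdir()` and `touch()` calls for the `custom` directory also ignore their results, and a one-line comment saying why the directory is created here (presumably so user-defined detectors have a place outside the `odp` tree that `rmdir_recursive()` wipes) would help the next reader.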
@@ -584,10 +597,9 @@ if ($openappid_detectors == 'on') {
if ($snortcommunityrules == 'on') {
safe_mkdir("{$tmpfname}/community");
if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
- if ($pkg_interface <> "console") {
- update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
- update_output_window(gettext("Installing Snort GPLv2 Community Rules..."));
- }
+ update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
+ $static_output .= gettext("Installing Snort GPLv2 Community Rules...\n");
+ update_output_window($static_output);
error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
@@ -603,14 +615,12 @@ if ($snortcommunityrules == 'on') {
}
/* Copy snort community md5 sig to snort dir */
if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) {
- if ($pkg_interface <> "console")
- update_status(gettext("Copying md5 signature to snort directory..."));
+ update_status(gettext("Copying md5 signature to snort directory..."));
@copy("{$tmpfname}/{$snort_community_rules_filename_md5}", "{$snortdir}/{$snort_community_rules_filename_md5}");
}
- if ($pkg_interface <> "console") {
- update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
- update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
- }
+ update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/community/");
}
@@ -620,22 +630,23 @@ if ($snortcommunityrules == 'on') {
if ($emergingthreats == 'on') {
safe_mkdir("{$tmpfname}/emerging");
if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
- if ($pkg_interface <> "console") {
- update_status(gettext("Extracting {$et_name} rules..."));
- update_output_window(gettext("Installing {$et_name} rules..."));
- }
+ update_status(gettext("Extracting {$et_name} rules..."));
+ $static_output .= gettext("Installing {$et_name} rules...");
+ update_output_window($static_output);
error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
/* Remove the old Emerging Threats rules files */
$eto_prefix = ET_OPEN_FILE_PREFIX;
$etpro_prefix = ET_PRO_FILE_PREFIX;
+ update_status(gettext("Removing old {$et_name} files..."));
unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*.rules");
unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*.rules");
unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*ips.txt");
unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*ips.txt");
$files = glob("{$tmpfname}/emerging/rules/*.rules");
+ update_status(gettext("Copying new {$et_name} files..."));
foreach ($files as $file) {
$newfile = basename($file);
if ($etpro == "on")
@@ -664,14 +675,12 @@ if ($emergingthreats == 'on') {
/* Copy emergingthreats md5 sig to snort dir */
if (file_exists("{$tmpfname}/{$emergingthreats_filename_md5}")) {
- if ($pkg_interface <> "console")
- update_status(gettext("Copying md5 signature to snort directory..."));
+ update_status(gettext("Copying md5 signature to snort directory..."));
@copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}");
}
- if ($pkg_interface <> "console") {
- update_status(gettext("Extraction of {$et_name} rules completed..."));
- update_output_window(gettext("Installation of {$et_name} rules completed..."));
- }
+ update_status(gettext("Extraction of {$et_name} rules completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/emerging/");
}
@@ -710,8 +719,7 @@ function snort_apply_customizations($snortcfg, $if_real) {
if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') {
- if ($pkg_interface <> "console")
- update_status(gettext('Copying new config and map files...'));
+ update_status(gettext('Copying new config and map files...'));
error_log(gettext("\tCopying new config and map files...\n"), 3, SNORT_RULES_UPD_LOGFILE);
/******************************************************************/
@@ -757,10 +765,9 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {
$if_real = get_real_interface($value['interface']);
$tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ...";
- if ($pkg_interface <> "console"){
- update_status(gettext($tmp));
- update_output_window(gettext("Please wait while Snort interface files are updated..."));
- }
+ update_status(gettext($tmp));
+ $static_output .= gettext($tmp . "...");
+ update_output_window($static_output);
// Make sure the interface subdirectory and required sub-directories exists.
// We need to re-create them during a pkg reinstall for the intial rules set
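Review bot: `$static_output .= gettext($tmp . "...");` passes a runtime-built string to gettext(), so no catalogue entry can match it, and `$tmp` already ends in " ..." so the output window shows a doubled ellipsis. I would translate the fixed part only, for example `$tmp = gettext("Updating rules configuration for: ") . convert_friendly_interface_to_friendly_descr($value['interface']) . " ...";`, and append `$tmp` unchanged. The interface description is operator-supplied text; whether update_output_window() escapes it before writing it into the page is not visible here and is worth confirming. The foreach body continues outside the hunk.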
@@ -783,13 +790,14 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
$tmp .= convert_friendly_interface_to_friendly_descr($value['interface']) . "...\n";
}
error_log($tmp, 3, SNORT_RULES_UPD_LOGFILE);
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
}
else {
- if ($pkg_interface <> "console") {
- update_output_window(gettext("Warning: No interfaces configured for Snort were found..."));
- update_output_window(gettext("No interfaces currently have Snort configured and enabled on them..."));
- }
+ $static_output .= gettext("Warning: No interfaces configured for Snort were found...\n");
+ $static_output .= gettext("No interfaces currently have Snort configured and enabled on them.\n");
+ update_output_window($static_output);
error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
@@ -798,24 +806,19 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
/* Restart snort if running, and not in post-install, so as to pick up the new rules. */
if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) {
- if ($pkg_interface <> "console") {
- update_status(gettext('Restarting Snort to activate the new set of rules...'));
- update_output_window(gettext("Please wait ... restarting Snort will take some time..."));
- }
+ update_status(gettext('Restarting Snort to activate the new set of rules...'));
+ $static_output .= gettext("Restarting Snort...");
+ update_output_window($static_output);
error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
touch("{$g['varrun_path']}/snort_pkg_starting.lck");
snort_restart_all_interfaces(TRUE);
sleep(3);
unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort has restarted with your new set of rules..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
log_error(gettext("[Snort] Snort has restarted with your new set of rules..."));
error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("The rules update task is complete..."));
- }
}
elseif ($openappid_detectors == 'on') {
/**************************************************************************************/
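Review bot: After `snort_restart_all_interfaces(TRUE)` and the fixed `sleep(3)`, the new code appends " done." without checking that Snort is actually running again, and the hunk also removes the `else` message for the case where no restart happens. If the new rule set fails to load, the sensor can stay down while the output window reads as a success. A check before reporting completion, such as `if (!is_service_running("snort")) log_error(gettext("[Snort] Snort did not restart after the rules update."));`, would surface that. The OpenAppID restart branch in the next hunk has the same shape with `sleep(2)`.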
@@ -823,33 +826,31 @@ elseif ($openappid_detectors == 'on') {
/* Restart snort if running, and not in post-install, so as to pick up the detectors. */
/**************************************************************************************/
if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) {
- if ($pkg_interface <> "console") {
- update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...'));
- update_output_window(gettext("Please wait ... restarting Snort will take some time..."));
- }
+ update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...'));
+ $static_output .= gettext("Restarting Snort...");
+ update_output_window($static_output);
error_log(gettext("\tRestarting Snort to activate the new OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE);
touch("{$g['varrun_path']}/snort_pkg_starting.lck");
snort_restart_all_interfaces(TRUE);
sleep(2);
unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort has restarted with your new set of OpenAppID detectors..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
log_error(gettext("[Snort] Snort has restarted with your new set of OpenAppID detectors..."));
error_log(gettext("\tSnort has restarted with your new set of OpenAppID detectors.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("The rules update task is complete..."));
- }
}
/* remove $tmpfname files */
if (is_dir("{$tmpfname}")) {
+ $static_output .= gettext("Cleaning up temp dirs and files...");
+ update_output_window($static_output);
rmdir_recursive($tmpfname);
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
-if ($pkg_interface <> "console")
- update_status(gettext("The Rules update has finished..."));
+update_status(gettext("The Rules update has finished."));
log_error(gettext("[Snort] The Rules update has finished."));
error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SNORT_RULES_UPD_LOGFILE);
diff --git a/config/snort/snort_conf_template.inc b/config/snort/snort_conf_template.inc
index 6b362ce5..2ee3e72c 100644
--- a/config/snort/snort_conf_template.inc
+++ b/config/snort/snort_conf_template.inc
@@ -48,6 +48,9 @@ config event_queue: max_queue 8 log 5 order_events content_length
# Configure to show year in timestamps
config show_year
+# Configure IPv6 address logging in unified2 extra data
+config log_ipv6_extra_data
+
# Configure protocol aware flushing #
# For more information see README.stream5 #
{$paf_max_pdu_config}
diff --git a/config/snort/snort_defs.inc b/config/snort/snort_defs.inc
index ac09db44..961e8696 100644
--- a/config/snort/snort_defs.inc
+++ b/config/snort/snort_defs.inc
@@ -54,7 +54,7 @@ if (!defined("SNORT_BIN_VERSION")) {
if (!empty($snortver))
define("SNORT_BIN_VERSION", $snortver);
else
- define("SNORT_BIN_VERSION", "2.9.7.5");
+ define("SNORT_BIN_VERSION", "2.9.7.6");
}
if (!defined("SNORT_SID_MODS_PATH"))
define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
diff --git a/config/snort/snort_frag3_engine.php b/config/snort/snort_frag3_engine.php
index 9489bf16..33f06a87 100644
--- a/config/snort/snort_frag3_engine.php
+++ b/config/snort/snort_frag3_engine.php
@@ -187,6 +187,9 @@ if ($_POST['save']) {
/* Now write the new engine array to conf */
write_config("Snort pkg: modified frag3 engine settings.");
+ // We have saved a preproc config change, so set "dirty" flag
+ mark_subsystem_dirty('snort_preprocessors');
+
header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row");
exit;
}
diff --git a/config/snort/snort_ftp_client_engine.php b/config/snort/snort_ftp_client_engine.php
index f462efa8..2f3cd1bd 100644
--- a/config/snort/snort_ftp_client_engine.php
+++ b/config/snort/snort_ftp_client_engine.php
@@ -218,6 +218,9 @@ if ($_POST['save']) {
/* Now write the new engine array to conf */
write_config("Snort pkg: modified ftp_telnet_client engine settings.");
+ // We have saved a preproc config change, so set "dirty" flag
+ mark_subsystem_dirty('snort_preprocessors');
+
header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
exit;
}
diff --git a/config/snort/snort_ftp_server_engine.php b/config/snort/snort_ftp_server_engine.php
index cb9abc9c..7f3e5a10 100644
--- a/config/snort/snort_ftp_server_engine.php
+++ b/config/snort/snort_ftp_server_engine.php
@@ -189,6 +189,9 @@ if ($_POST['save']) {
/* Now write the new engine array to conf */
write_config("Snort pkg: modified ftp_telnet_server engine settings.");
+ // We have saved a preproc config change, so set "dirty" flag
+ mark_subsystem_dirty('snort_preprocessors');
+
header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
exit;
}
diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php
index 646697bf..a0b5d425 100644
--- a/config/snort/snort_generate_conf.php
+++ b/config/snort/snort_generate_conf.php
@@ -896,6 +896,9 @@ EOD;
$appid_memcap = $snortcfg['sf_appid_mem_cap'] * 1024 * 1024;
$appid_params = "app_detector_dir " . rtrim(SNORT_APPID_ODP_PATH, '/') . ", \\\n\tmemcap {$appid_memcap}";
if ($snortcfg['sf_appid_statslog'] == "on") {
+ if (!file_exists("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/app-stats.log")) {
+ touch("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/app-stats.log");
+ }
$appid_params .= ", \\\n\tapp_stats_filename app-stats.log";
$appid_params .= ", \\\n\tapp_stats_period {$snortcfg['sf_appid_stats_period']}";
$appid_params .= ", \\\n\tapp_stats_rollover_size " . strval($config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] * 1024);
@@ -1271,7 +1274,7 @@ if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribut
$http_inspect_global = "preprocessor http_inspect: global ";
if ($snortcfg['http_inspect'] == "off")
$http_inspect_global .= "disabled ";
-$http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n";
+$http_inspect_global .= "\\\n\tiis_unicode_map {$snortdir}/unicode.map 1252 \\\n";
$http_inspect_global .= "\tcompress_depth 65535 \\\n";
$http_inspect_global .= "\tdecompress_depth 65535 \\\n";
if (!empty($snortcfg['http_inspect_memcap']))
@@ -1291,7 +1294,7 @@ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "
"unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
"normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
"max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
- "max_header_length" => 0, "ports" => "default" );
+ "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" );
$http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
$http_inspect_servers = "";
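Review bot: The `decompress_swf`/`decompress_pdf` defaults are added here to a literal array that this commit also edits by hand in snort_httpinspect_engine.php, snort_interfaces_edit.php and snort_migrate_config.php. Four copies of the same defaults can drift, and a missed copy would leave an engine without the key. Consider defining the default http_inspect engine once, for instance as a function in snort.inc that returns the array, and calling it from all four places. The array literal starts above the hunk.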
@@ -1385,6 +1388,10 @@ if ($snortcfg['http_inspect'] <> "off") {
$http_inspect_servers .= " \\\n\tlog_uri";
if ($v['log_hostname'] == "on")
$http_inspect_servers .= " \\\n\tlog_hostname";
+ if ($v['decompress_swf'] == "on")
+ $http_inspect_servers .= " \\\n\tdecompress_swf";
+ if ($v['decompress_pdf'] == "on")
+ $http_inspect_servers .= " \\\n\tdecompress_pdf";
// Add a pair of trailing newlines to terminate this server config
$http_inspect_servers .= "\n\n";
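Review bot: The two new options are written as bare keywords, `decompress_swf` and `decompress_pdf`. As far as I recall, the Snort http_inspect documentation gives them with a mode list (`decompress_swf { deflate lzma }`, `decompress_pdf { deflate }`), so it is worth confirming against README.http_inspect for 2.9.7.6 that the bare form is accepted and which modes it selects. A comment above the two `if` lines stating the chosen modes, and that they apply to HTTP response bodies, would help the next reader. The enclosing server loop starts outside the hunk.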
diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php
index c7680892..55bdb5a7 100644
--- a/config/snort/snort_httpinspect_engine.php
+++ b/config/snort/snort_httpinspect_engine.php
@@ -1,7 +1,7 @@
<?php
/*
* snort_httpinspect_engine.php
- * Copyright (C) 2013-2014 Bill Meeks
+ * Copyright (C) 2013-2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -66,7 +66,7 @@ if (empty($a_nat[$eng_id])) {
"unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
"normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
"max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
- "max_header_length" => 0, "ports" => "default" );
+ "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" );
// See if this is initial entry and set to "default" if true
if ($eng_id < 1) {
$def['name'] = "default";
@@ -124,6 +124,10 @@ else {
$pconfig['max_spaces'] = 0;
if (empty($pconfig['max_header_length']))
$pconfig['max_header_length'] = 0;
+ if (empty($pconfig['decompress_swf']))
+ $pconfig['decompress_swf'] = "off";
+ if (empty($pconfig['decompress_pdf']))
+ $pconfig['decompress_pdf'] = "off";
}
if ($_POST['Cancel']) {
@@ -259,6 +263,8 @@ if ($_POST['save']) {
$engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off';
$engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off';
$engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off';
+ $engine['decompress_swf'] = $_POST['httpinspect_decompress_swf'] ? 'on' : 'off';
+ $engine['decompress_pdf'] = $_POST['httpinspect_decompress_pdf'] ? 'on' : 'off';
// Can only have one "all" Bind_To address
if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
@@ -298,6 +304,9 @@ if ($_POST['save']) {
// Now write the new engine array to conf
write_config("Snort pkg: modified http_inspect engine settings.");
+ // We have saved a preproc config change, so set "dirty" flag
+ mark_subsystem_dirty('snort_preprocessors');
+
header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row");
exit;
}
@@ -528,6 +537,24 @@ if ($savemsg)
<strong><?php echo gettext("Checked");?></strong>.</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress SWF");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_decompress_swf"
+ type="checkbox" value="on" id="httpinspect_decompress_swf"
+ <?php if ($pconfig['decompress_swf']=="on") echo "checked";?>>
+ <?php echo gettext("Uncompress and inspect Shockwave Flash data in HTTP response. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress PDF");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_decompress_pdf"
+ type="checkbox" value="on" id="httpinspect_decompress_pdf"
+ <?php if ($pconfig['decompress_pdf']=="on") echo "checked";?>>
+ <?php echo gettext("Uncompress and inspect PDF data in HTTP response. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Cookies");?></td>
<td width="78%" class="vtable"><input name="httpinspect_normalize_cookies"
type="checkbox" value="on" id="httpinspect_normalize_cookies"
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index 0d41c7db..41864a4f 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -4,7 +4,7 @@
*
* Copyright (C) 2008-2009 Robert Zelaya.
* Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -269,7 +269,8 @@ if ($_POST["save"] && !$input_errors) {
"unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
"normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
"allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
- "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default",
+ "decompress_swf" => "off", "decompress_pdf" => "off" );
$ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
"telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
index edcbb2d5..a0cf24fe 100644
--- a/config/snort/snort_migrate_config.php
+++ b/config/snort/snort_migrate_config.php
@@ -254,7 +254,8 @@ foreach ($rule as &$r) {
"unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
"normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
"allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
- "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default",
+ "decompress_swf" => "off", "decompress_pdf" => "off" );
// Ensure sensible default values exist for global HTTP_INSPECT parameters
if (empty($pconfig['http_inspect']))
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index bbb2642c..486cd462 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -43,7 +43,7 @@ require_once("functions.inc");
require_once("/usr/local/pkg/snort/snort.inc");
require("/usr/local/pkg/snort/snort_defs.inc");
-global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include;
+global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include, $static_output;
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
@@ -180,11 +180,12 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
/****************************************************************/
/* Do one-time settings migration for new multi-engine configurations */
- update_output_window(gettext("Please wait... migrating settings to new configuration..."));
+ $static_output .= gettext("\nMigrating settings to new configuration...");
+ update_output_window($static_output);
include('/usr/local/pkg/snort/snort_migrate_config.php');
- update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
- log_error(gettext("[Snort] Downloading and updating configured rule types..."));
- update_output_window(gettext("Please wait... downloading and updating configured rule sets..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
+ log_error(gettext("[Snort] Downloading and updating configured rule sets..."));
if ($pkg_interface <> "console")
$snort_gui_include = true;
include('/usr/local/pkg/snort/snort_check_for_rule_updates.php');
@@ -198,7 +199,8 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
$if_real = get_real_interface($snortcfg['interface']);
$snort_uuid = $snortcfg['uuid'];
$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
- update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "..."));
+ $static_output .= gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "...");
+ update_output_window($static_output);
// Pull in the PHP code that generates the snort.conf file
// variables that will be substituted further down below.
@@ -224,10 +226,17 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
// Create barnyard2.conf file for interface
if ($snortcfg['barnyard_enable'] == 'on')
snort_generate_barnyard2_conf($snortcfg, $if_real);
+
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
/* create snort bootup file snort.sh */
+ $static_output .= gettext("Generating snort.sh script in {$rcdir}...");
+ update_output_window($static_output);
snort_create_rc();
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
/* Set Log Limit, Block Hosts Time and Rules Update Time */
snort_snortloglimit_install_cron(true);
@@ -248,12 +257,14 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
if (!($g['booting'])) {
if ($pkg_interface <> "console") {
update_status(gettext("Starting Snort using rebuilt configuration..."));
+ $static_output .= gettext("Starting Snort as a background task using the rebuilt configuration... ");
mwexec_bg("{$rcdir}snort.sh start");
- update_output_window(gettext("Snort is starting as a background task using the rebuilt configuration..."));
+ update_output_window($static_output);
}
else
mwexec_bg("{$rcdir}snort.sh start");
}
+ update_status("");
}
/* We're finished with conf partition mods, return to read-only */
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index dd8ec660..76582763 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -263,6 +263,9 @@ if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalu
// Now retrieve the "selected alias" returned from SELECT ALIAS page
$pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']);
+
+ // We have made a preproc config change, so set "dirty" flag
+ mark_subsystem_dirty('snort_preprocessors');
}
// Handle deleting of any of the multiple configuration engines
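Review bot: `mark_subsystem_dirty('snort_preprocessors')` is added to a branch driven entirely by `$_GET` parameters, so a plain link with `act=import` now changes server-side state, and the line above it stores `$_GET['varvalue']` under whatever key `$_GET['varname']` names. No allow-list for `varname` is visible in the hunk. If none exists earlier in the file, restrict it to the known alias fields before touching `$pconfig` or the dirty flag, e.g. `if (in_array($_GET['varname'], $alias_fields, true)) { ... }`, where `$alias_fields` is a placeholder for a list the page would define. The branch's opening `if` is only partly visible in the hunk header.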
@@ -397,7 +400,7 @@ if ($_POST['ResetAll']) {
$savemsg = gettext("All preprocessor settings have been reset to their defaults.");
}
-if ($_POST['save']) {
+if ($_POST['save'] || $_POST['apply']) {
$natent = array();
$natent = $pconfig;
@@ -590,6 +593,9 @@ if ($_POST['save']) {
/* Sync to configured CARP slaves if any are enabled */
snort_sync_on_changes();
+ // We have saved changes, so clear "dirty" flag
+ clear_subsystem_dirty('snort_preprocessors');
+
/* after click go to this page */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
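Review bot: The dirty flag uses the single name 'snort_preprocessors', while the pages that set it operate on one interface selected by `$id`. As written, a change on one interface shows the banner on every interface's preprocessor page, and saving any one of them calls `clear_subsystem_dirty('snort_preprocessors')` and hides the reminder for the others, whose generated configuration may still be stale. If per-interface tracking is intended, the name could carry the interface index, e.g. `clear_subsystem_dirty("snort_preprocessors_{$id}")` with matching `mark_subsystem_dirty` calls, provided `$id` is validated as an integer first. The save handler starts outside the hunk.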
@@ -619,6 +625,10 @@ if ($_POST['btn_import']) {
$a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host'];
write_config("Snort pkg: imported Host Attribute Table data for {$a_nat[$id]['interface']}.");
}
+
+ // We have made a preproc config change, so set "dirty" flag
+ mark_subsystem_dirty('snort_preprocessors');
+
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
header( 'Cache-Control: no-store, no-cache, must-revalidate' );
@@ -675,6 +685,11 @@ if ($savemsg) {
<form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
<input name="id" type="hidden" value="<?=$id;?>"/>
<input name="eng_id" id="eng_id" type="hidden" value=""/>
+
+<?php if (is_subsystem_dirty('snort_preprocessors')): ?><p>
+<?php print_info_box_np(gettext("A change has been made to the preprocessors configuration.") . "<br/>" . gettext("Click SAVE when finished to apply the change to the Snort configuration."));?>
+<?php endif; ?>
+
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
<?php
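Review bot: The banner block opens `<p>` inside the `if` and never closes it, so the `<table>` that follows is left to the browser's error recovery. Either drop the tag or close it before `endif`. The text also says "Click SAVE" while the save handler changed in this commit now accepts `$_POST['apply']` as well; a short comment naming the control that posts `apply` would make the pairing clear.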
diff --git a/config/snort/snort_stream5_engine.php b/config/snort/snort_stream5_engine.php
index 89b0bc02..e501de9f 100644
--- a/config/snort/snort_stream5_engine.php
+++ b/config/snort/snort_stream5_engine.php
@@ -330,6 +330,9 @@ if ($_POST['save']) {
/* Now write the new engine array to conf */
write_config("Snort pkg: save modified stream5 engine.");
+ // We have saved a preproc config change, so set "dirty" flag
+ mark_subsystem_dirty('snort_preprocessors');
+
header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row");
exit;
}
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index aee85bcd..b7eb9889 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -41,12 +41,6 @@ require_once('service-utils.inc');
if (!function_exists("filter_configure")) {
require_once("filter.inc");
}
-/* Squid reverse proxy */
-require_once('/usr/local/pkg/squid_reverse.inc');
-/* Squid javascript helpers */
-require_once('/usr/local/pkg/squid_js.inc');
-/* Squid antivirus intergration features helpers */
-require_once('/usr/local/pkg/squid_antivirus.inc');
$shortcut_section = "squid";
@@ -77,6 +71,13 @@ if ($uname['machine'] == 'amd64') {
ini_set('memory_limit', '250M');
}
+/* Squid reverse proxy */
+require_once('/usr/local/pkg/squid_reverse.inc');
+/* Squid javascript helpers */
+require_once('/usr/local/pkg/squid_js.inc');
+/* Squid antivirus intergration features helpers */
+require_once('/usr/local/pkg/squid_antivirus.inc');
+
/*
* Utility functions
*/
@@ -1222,9 +1223,14 @@ EOD;
foreach ($real_ifaces as $iface) {
list($ip, $mask) = $iface;
$ip = long2ip(ip2long($ip) & ip2long($mask));
- $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
+ $mask = 32 - log((ip2long($mask) ^ ip2long('255.255.255.255')) +1, 2);
if (!preg_match("@$ip/$mask@", $src)) {
- $src .= " $ip/$mask";
+ // XXX: Do not add invalid subnets (Bug #4331, Bug #4526)
+ if (is_subnet("{$ip}/{$mask}")) {
+ $src .= " $ip/$mask";
+ } else {
+ log_error("[squid] 'Allow Users on Interface' ACL skipped for '{$ip}/{$mask}' since it is not a valid subnet.");
+ }
}
}
$conf .= "# Allow local network(s) on interface(s)\n";
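Review bot: The `is_subnet()` guard added here runs only after `$ip` and `$mask` have been pushed through `ip2long()`, so it checks the computed string rather than the interface data. If `ip2long()` returns false for an interface without a usable IPv4 address or netmask, the arithmetic appears to collapse to `0.0.0.0/0`. Whether that value reaches the ACL depends on `is_subnet()` rejecting a zero prefix, which is not visible in this hunk. Validating the inputs first makes the intent explicit, e.g. `if (!is_ipaddrv4($ip) || !is_ipaddrv4($mask)) { continue; }` right after the `list()` line. The loop belongs to a function that starts and ends outside the hunk.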
diff --git a/config/zabbix2/zabbix2.inc b/config/zabbix2/zabbix2-agent.inc
index 9b5f3ed3..4aa0d5f7 100644
--- a/config/zabbix2/zabbix2.inc
+++ b/config/zabbix2/zabbix2-agent.inc
@@ -1,6 +1,6 @@
<?php
/*
- zabbix2.inc
+ zabbix2-agent.inc
part of pfSense (https://www.pfSense.org/)
Copyright (C) 2013 Danilo G. Baio
Copyright (C) 2013 Marcello Coutinho
@@ -77,50 +77,7 @@ function php_deinstall_zabbix2_agent() {
}
}
-function php_deinstall_zabbix2_proxy() {
- global $config, $g;
-
- $pfs_version = php_zabbix2_pfs_version();
- $zabbix2_pkg_base = php_zabbix2_pkg_base($pfs_version);
-
- if ($pfs_version == "2.1" || $pfs_version == "2.2") {
- define('ZABBIX_PROXY_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-proxy-' . php_uname("m"));
- } else {
- define('ZABBIX_PROXY_BASE', '/usr/local');
- }
-
- exec("/usr/bin/killall zabbix_proxy");
- unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base . "/zabbix_proxy.conf");
- unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log");
- unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid");
-
- if (!is_array($config['installedpackages']['zabbixagent'])) {
- if (is_dir("/var/log/zabbix2")) {
- exec("/bin/rm -r /var/log/zabbix2/");
- }
- if (is_dir("/var/run/zabbix2")) {
- exec("/bin/rm -r /var/run/zabbix2/");
- }
- }
-
- if (is_dir("/var/db/zabbix2")) {
- exec("/bin/rm -r /var/db/zabbix2/");
- }
-}
-
-function validate_input_zabbix2($post, &$input_errors) {
- if (isset($post['proxyenabled'])) {
- if (!is_numericint($post['serverport'])) {
- $input_errors[] = "'Server Port' value is not numeric.";
- } elseif ($post['serverport'] < 1 || $post['serverport'] > 65535) {
- $input_errors[] = "You must enter a valid value for 'Server Port'.";
- }
-
- if (!is_numericint($post['configfrequency'])) {
- $input_errors[] = "'Config Frequency' value is not numeric.";
- }
- }
-
+function validate_input_zabbix2_agent($post, &$input_errors) {
if (isset($post['agentenabled'])) {
if (!preg_match("/\w+/", $post['server'])) {
$input_errors[] = "Server field is required.";
@@ -186,7 +143,7 @@ function validate_input_zabbix2($post, &$input_errors) {
}
}
-function sync_package_zabbix2() {
+function sync_package_zabbix2_agent() {
global $config, $g;
conf_mount_rw();
@@ -195,38 +152,10 @@ function sync_package_zabbix2() {
if ($pfs_version == "2.1" || $pfs_version == "2.2") {
define('ZABBIX_AGENT_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-agent-' . php_uname("m"));
- define('ZABBIX_PROXY_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-proxy-' . php_uname("m"));
} else {
define('ZABBIX_AGENT_BASE', '/usr/local');
- define('ZABBIX_PROXY_BASE', '/usr/local');
}
- // Check zabbix proxy config
- if (is_array($config['installedpackages']['zabbixproxy'])) {
- $zbproxy_config = $config['installedpackages']['zabbixproxy']['config'][0];
- if ($zbproxy_config['proxyenabled'] == "on") {
- $Mode = (is_numericint($zbproxy_config['proxymode']) ? $zbproxy_config['proxymode'] : 0);
- $AdvancedParams = base64_decode($zbproxy_config['advancedparams']);
-
- $zbproxy_conf_file = <<< EOF
-Server={$zbproxy_config['server']}
-ServerPort={$zbproxy_config['serverport']}
-Hostname={$zbproxy_config['hostname']}
-PidFile=/var/run/zabbix2/zabbix2_proxy.pid
-DBName=/var/db/zabbix2/proxy.db
-LogFile=/var/log/zabbix2/zabbix_proxy.log
-ConfigFrequency={$zbproxy_config['configfrequency']}
-FpingLocation=/usr/local/sbin/fping
-# There's currently no fping6 (IPv6) dependency in the package,
-# but if there was, the binary would likely also be in /usr/local/sbin.
-Fping6Location=/usr/local/sbin/fping6
-ProxyMode={$Mode}
-{$AdvancedParams}
-
-EOF;
- file_put_contents(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base . "/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
- }
- }
// Check zabbix agent settings
if (is_array($config['installedpackages']['zabbixagent'])) {
$zbagent_config = $config['installedpackages']['zabbixagent']['config'][0];
@@ -310,8 +239,8 @@ EOF;
// Check startup script files
// Create a few directories and ensure the sample files are in place
- if (!is_dir(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base)) {
- mwexec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base);
+ if (!is_dir(ZABBIX_AGENT_BASE . "/etc/" . $zabbix2_pkg_base)) {
+ mwexec("/bin/mkdir -p " . ZABBIX_AGENT_BASE . "/etc/" . $zabbix2_pkg_base);
}
$dir_checks = <<< EOF
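Review bot: The directory is still created by concatenating a path into a shell command for `mwexec()`. The path is built from constants here, but PHP's own call avoids the shell and any quoting question: `mkdir(ZABBIX_AGENT_BASE . "/etc/" . $zabbix2_pkg_base, 0755, true);`. The same pattern appears in `sync_package_zabbix2_proxy()` in zabbix2-proxy.inc. `sync_package_zabbix2_agent()` starts and ends outside this hunk.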
@@ -336,29 +265,6 @@ EOF;
EOF;
- $zproxy_rcfile = "/usr/local/etc/rc.d/zabbix2_proxy.sh";
- if (is_array($zbproxy_config) && $zbproxy_config['proxyenabled'] == "on") {
- $zproxy_start = strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Proxy\"...\n";
- $zproxy_start .= ZABBIX_PROXY_BASE . "/sbin/zabbix_proxy\n";
-
- $zproxy_stop = "echo \"Stopping Zabbix Proxy\"\n";
- $zproxy_stop .= "/usr/bin/killall zabbix_proxy\n";
- $zproxy_stop .= "/bin/sleep 5\n";
-
- write_rcfile(array(
- "file" => "zabbix2_proxy.sh",
- "start" => $zproxy_start,
- "stop" => $zproxy_stop
- )
- );
- restart_service("zabbix_proxy");
- } else {
- if (is_service_running("zabbix_proxy")) {
- stop_service("zabbix_proxy");
- }
- unlink_if_exists($zproxy_rcfile);
- }
-
$zagent_rcfile="/usr/local/etc/rc.d/zabbix2_agentd.sh";
if (is_array($zbagent_config) && $zbagent_config['agentenabled']=="on") {
$zagent_start .= strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Agent...\"\n";
@@ -374,7 +280,11 @@ EOF;
"stop" => $zagent_stop
)
);
- restart_service("zabbix_agentd");
+ if (is_service_running("zabbix_agentd")) {
+ restart_service("zabbix_agentd");
+ } else {
+ start_service("zabbix_agentd");
+ }
} else {
if (is_service_running("zabbix_agentd")) {
stop_service("zabbix_agentd");
diff --git a/config/zabbix2/zabbix2-agent.xml b/config/zabbix2/zabbix2-agent.xml
index e02caefc..be081603 100644
--- a/config/zabbix2/zabbix2-agent.xml
+++ b/config/zabbix2/zabbix2-agent.xml
@@ -45,13 +45,13 @@
<name>zabbixagent</name>
<title>Services: Zabbix-2 Agent</title>
<category>Monitoring</category>
- <version>0.8.4</version>
- <include_file>/usr/local/pkg/zabbix2.inc</include_file>
- <addedit_string>Zabbix Agent has been created/modified.</addedit_string>
- <delete_string>Zabbix Agent has been deleted.</delete_string>
+ <version>0.8.5</version>
+ <include_file>/usr/local/pkg/zabbix2-agent.inc</include_file>
+ <addedit_string>Zabbix Agent configuration has been created/modified.</addedit_string>
+ <delete_string>Zabbix Agent configuration has been deleted.</delete_string>
<restart_command>/usr/local/etc/rc.d/zabbix2_agentd.sh restart</restart_command>
<additional_files_needed>
- <item>https://packages.pfsense.org/packages/config/zabbix2/zabbix2.inc</item>
+ <item>https://packages.pfsense.org/packages/config/zabbix2/zabbix2-agent.inc</item>
<prefix>/usr/local/pkg/</prefix>
</additional_files_needed>
<additional_files_needed>
@@ -204,14 +204,11 @@
<advancedfield/>
</field>
</fields>
- <custom_php_install_command>
- sync_package_zabbix2();
- </custom_php_install_command>
<custom_php_validation_command>
- validate_input_zabbix2($_POST, $input_errors);
+ validate_input_zabbix2_agent($_POST, $input_errors);
</custom_php_validation_command>
<custom_php_resync_config_command>
- sync_package_zabbix2();
+ sync_package_zabbix2_agent();
</custom_php_resync_config_command>
<custom_php_deinstall_command>
php_deinstall_zabbix2_agent();
diff --git a/config/zabbix2/zabbix2-proxy.inc b/config/zabbix2/zabbix2-proxy.inc
new file mode 100644
index 00000000..aa21b817
--- /dev/null
+++ b/config/zabbix2/zabbix2-proxy.inc
@@ -0,0 +1,244 @@
+<?php
+/*
+ zabbix2-proxy.inc
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2013 Danilo G. Baio
+ Copyright (C) 2013 Marcello Coutinho
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+require_once("util.inc");
+require_once("functions.inc");
+require_once("pkg-utils.inc");
+require_once("globals.inc");
+
+function php_zabbix2_pfs_version() {
+ $pfs_version = substr(trim(file_get_contents("/etc/version")), 0, 3);
+ return $pfs_version;
+}
+
+function php_zabbix2_pkg_base($pfs_version) {
+ if ($pfs_version >= 2.2) {
+ // pfSense 2.2 with zabbix 2.4
+ $zabbix2_pkg_base = "zabbix24";
+ } else {
+ // pfSense 2.1 with zabbix 2.2
+ $zabbix2_pkg_base = "zabbix22";
+ }
+ return $zabbix2_pkg_base;
+}
+
+function php_deinstall_zabbix2_proxy() {
+ global $config, $g;
+
+ $pfs_version = php_zabbix2_pfs_version();
+ $zabbix2_pkg_base = php_zabbix2_pkg_base($pfs_version);
+
+ if ($pfs_version == "2.1" || $pfs_version == "2.2") {
+ define('ZABBIX_PROXY_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-proxy-' . php_uname("m"));
+ } else {
+ define('ZABBIX_PROXY_BASE', '/usr/local');
+ }
+
+ exec("/usr/bin/killall zabbix_proxy");
+ unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base . "/zabbix_proxy.conf");
+ unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log");
+ unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid");
+
+ if (!is_array($config['installedpackages']['zabbixagent'])) {
+ if (is_dir("/var/log/zabbix2")) {
+ exec("/bin/rm -r /var/log/zabbix2/");
+ }
+ if (is_dir("/var/run/zabbix2")) {
+ exec("/bin/rm -r /var/run/zabbix2/");
+ }
+ if (is_dir("/var/db/zabbix2")) {
+ exec("/bin/rm -r /var/db/zabbix2/");
+ }
+ }
+}
+
+function validate_input_zabbix2_proxy($post, &$input_errors) {
+ if (isset($post['proxyenabled'])) {
+ if (!is_numericint($post['serverport'])) {
+ $input_errors[] = "'Server Port' value is not numeric.";
+ } elseif ($post['serverport'] < 1 || $post['serverport'] > 65535) {
+ $input_errors[] = "You must enter a valid value for 'Server Port'.";
+ }
+
+ if (!preg_match("/\w+/", $post['hostname'])) {
+ $input_errors[] = "Hostname field is required.";
+ }
+
+ if (!is_numericint($post['configfrequency'])) {
+ $input_errors[] = "'Config Frequency' value is not numeric.";
+ }
+ }
+}
+
+function sync_package_zabbix2_proxy() {
+ global $config, $g;
+
+ conf_mount_rw();
+ $pfs_version = php_zabbix2_pfs_version();
+ $zabbix2_pkg_base = php_zabbix2_pkg_base($pfs_version);
+
+ if ($pfs_version == "2.1" || $pfs_version == "2.2") {
+ define('ZABBIX_PROXY_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-proxy-' . php_uname("m"));
+ } else {
+ define('ZABBIX_PROXY_BASE', '/usr/local');
+ }
+
+ // Check zabbix proxy config
+ if (is_array($config['installedpackages']['zabbixproxy'])) {
+ $zbproxy_config = $config['installedpackages']['zabbixproxy']['config'][0];
+ if ($zbproxy_config['proxyenabled'] == "on") {
+ $Mode = (is_numericint($zbproxy_config['proxymode']) ? $zbproxy_config['proxymode'] : 0);
+ $AdvancedParams = base64_decode($zbproxy_config['advancedparams']);
+
+ $zbproxy_conf_file = <<< EOF
+Server={$zbproxy_config['server']}
+ServerPort={$zbproxy_config['serverport']}
+Hostname={$zbproxy_config['hostname']}
+PidFile=/var/run/zabbix2/zabbix2_proxy.pid
+DBName=/var/db/zabbix2/proxy.db
+LogFile=/var/log/zabbix2/zabbix_proxy.log
+ConfigFrequency={$zbproxy_config['configfrequency']}
+FpingLocation=/usr/local/sbin/fping
+# There's currently no fping6 (IPv6) dependency in the package,
+# but if there was, the binary would likely also be in /usr/local/sbin.
+Fping6Location=/usr/local/sbin/fping6
+ProxyMode={$Mode}
+{$AdvancedParams}
+
+EOF;
+ file_put_contents(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base . "/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
+ }
+ }
+
+ $want_sysctls = array(
+ 'kern.ipc.shmall' => '2097152',
+ 'kern.ipc.shmmax' => '2147483648',
+ 'kern.ipc.semmsl' => '250'
+ );
+ $sysctls = array();
+ // Check sysctl file values
+ $sc_file="";
+ if (file_exists("/etc/sysctl.conf")) {
+ $sc = file("/etc/sysctl.conf");
+ foreach ($sc as $line) {
+ list($sysk, $sysv) = explode("=", $line, 2);
+ if (preg_match("/\w/", $line) && !array_key_exists($sysk, $want_sysctls)) {
+ $sc_file .= $line;
+ }
+ }
+ }
+ foreach ($want_sysctls as $ws => $wv) {
+ $sc_file .= "{$ws}={$wv}\n";
+ mwexec("/sbin/sysctl {$ws}={$wv}");
+ }
+ file_put_contents("/etc/sysctl.conf", $sc_file);
+
+ // Check bootloader values
+ $lt_file = "";
+ $want_tunables = array(
+ 'kern.ipc.semopm' => '100',
+ 'kern.ipc.semmni' => '128',
+ 'kern.ipc.semmns' => '32000',
+ 'kern.ipc.shmmni' => '4096'
+ );
+ $tunables = array();
+ if (file_exists("/boot/loader.conf")) {
+ $lt = file("/boot/loader.conf");
+ foreach ($lt as $line) {
+ list($tunable, $val) = explode("=", $line, 2);
+ if (preg_match("/\w/", $line) && !array_key_exists($tunable, $want_tunables)) {
+ $lt_file .= $line;
+ }
+ }
+ }
+ foreach ($want_tunables as $wt => $wv) {
+ $lt_file .= "{$wt}={$wv}\n";
+ }
+ file_put_contents("/boot/loader.conf", $lt_file);
+
+ // Check startup script files
+ // Create a few directories and ensure the sample files are in place
+ if (!is_dir(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base)) {
+ mwexec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base);
+ }
+
+ $dir_checks = <<< EOF
+
+ if [ ! -d /var/log/zabbix2 ]; then
+ /bin/mkdir -p /var/log/zabbix2
+ /usr/sbin/chmod 755 /var/log/zabbix2
+ fi
+ /usr/sbin/chown -R zabbix:zabbix /var/log/zabbix2
+
+ if [ ! -d /var/run/zabbix2 ]; then
+ /bin/mkdir -p /var/run/zabbix2
+ /usr/sbin/chmod 755 /var/run/zabbix2
+ fi
+ /usr/sbin/chown -R zabbix:zabbix /var/run/zabbix2
+
+ if [ ! -d /var/db/zabbix2 ]; then
+ /bin/mkdir -p /var/db/zabbix2
+ /usr/sbin/chmod 755 /var/db/zabbix2
+ fi
+ /usr/sbin/chown -R zabbix:zabbix /var/db/zabbix2
+
+EOF;
+
+ $zproxy_rcfile = "/usr/local/etc/rc.d/zabbix2_proxy.sh";
+ if (is_array($zbproxy_config) && $zbproxy_config['proxyenabled'] == "on") {
+ $zproxy_start = strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Proxy\"...\n";
+ $zproxy_start .= ZABBIX_PROXY_BASE . "/sbin/zabbix_proxy\n";
+
+ $zproxy_stop = "echo \"Stopping Zabbix Proxy\"\n";
+ $zproxy_stop .= "/usr/bin/killall zabbix_proxy\n";
+ $zproxy_stop .= "/bin/sleep 5\n";
+
+ write_rcfile(array(
+ "file" => "zabbix2_proxy.sh",
+ "start" => $zproxy_start,
+ "stop" => $zproxy_stop
+ )
+ );
+ if (is_service_running("zabbix_proxy")) {
+ restart_service("zabbix_proxy");
+ } else {
+ start_service("zabbix_proxy");
+ }
+ } else {
+ if (is_service_running("zabbix_proxy")) {
+ stop_service("zabbix_proxy");
+ }
+ unlink_if_exists($zproxy_rcfile);
+ }
+
+ conf_mount_ro();
+}
+
+?>
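Review bot: `validate_input_zabbix2_proxy()` never checks `$post['server']`, and the `hostname` test `preg_match("/\w+/", ...)` is unanchored, so it passes any value that contains one word character, line breaks included. `sync_package_zabbix2_proxy()` then writes both values straight into `zabbix_proxy.conf`, so a stray newline becomes an extra directive and an empty Server goes into the file unchecked. Tightening both checks keeps the generated file to what the form fields are meant to hold; the character set below follows what Zabbix documents for host names and should be confirmed against the packaged version, as should the assumption that Server holds a single address or name. Separately, the same function rewrites `/etc/sysctl.conf` and `/boot/loader.conf` in place on every sync, even when the proxy is disabled, and `php_deinstall_zabbix2_proxy()` does not remove those entries.

```php
function validate_input_zabbix2_proxy($post, &$input_errors) {
	if (isset($post['proxyenabled'])) {
		// Server is written to zabbix_proxy.conf, so require an IP address or host name.
		if (!is_ipaddr($post['server']) && !is_hostname($post['server'])) {
			$input_errors[] = "'Server' must be a valid IP address or host name.";
		}

		// … unchanged: 'Server Port' checks …

		// Anchored so that line breaks and other characters are rejected.
		if (!preg_match('/\A[A-Za-z0-9 ._\-]+\z/', $post['hostname'])) {
			$input_errors[] = "Hostname field is required.";
		}

		// … unchanged: 'Config Frequency' check and closing braces …
```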
diff --git a/config/zabbix2/zabbix2-proxy.xml b/config/zabbix2/zabbix2-proxy.xml
index 398c3df4..c39bbdc6 100644
--- a/config/zabbix2/zabbix2-proxy.xml
+++ b/config/zabbix2/zabbix2-proxy.xml
@@ -45,13 +45,13 @@
<name>zabbixproxy</name>
<title>Services: Zabbix-2 Proxy</title>
<category>Monitoring</category>
- <version>0.8.4</version>
- <include_file>/usr/local/pkg/zabbix2.inc</include_file>
- <addedit_string>Zabbix Proxy has been created/modified.</addedit_string>
- <delete_string>Zabbix Proxy has been deleted.</delete_string>
+ <version>0.8.5</version>
+ <include_file>/usr/local/pkg/zabbix2-proxy.inc</include_file>
+ <addedit_string>Zabbix Proxy configuration has been created/modified.</addedit_string>
+ <delete_string>Zabbix Proxy configuration has been deleted.</delete_string>
<restart_command>/usr/local/etc/rc.d/zabbix2_proxy.sh restart</restart_command>
<additional_files_needed>
- <item>https://packages.pfsense.org/packages/config/zabbix2/zabbix2.inc</item>
+ <item>https://packages.pfsense.org/packages/config/zabbix2/zabbix2-proxy.inc</item>
<prefix>/usr/local/pkg/</prefix>
</additional_files_needed>
<additional_files_needed>
@@ -148,14 +148,11 @@
<advancedfield/>
</field>
</fields>
- <custom_php_install_command>
- sync_package_zabbix2();
- </custom_php_install_command>
<custom_php_validation_command>
- validate_input_zabbix2($_POST, $input_errors);
+ validate_input_zabbix2_proxy($_POST, $input_errors);
</custom_php_validation_command>
<custom_php_resync_config_command>
- sync_package_zabbix2();
+ sync_package_zabbix2_proxy();
</custom_php_resync_config_command>
<custom_php_deinstall_command>
php_deinstall_zabbix2_proxy();