diff options
Diffstat (limited to 'config')
27 files changed, 644 insertions, 324 deletions
diff --git a/config/cron/cron.inc b/config/cron/cron.inc index 645575d9..87591e08 100644 --- a/config/cron/cron.inc +++ b/config/cron/cron.inc @@ -27,22 +27,30 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +require_once("pfsense-utils.inc"); require_once("services.inc"); +require_once("util.inc"); function cron_sync_package() { configure_cron(); // Previous package versions were "helpfully" killing cron on uninstall. // Also, need to make sure cron is running, otherwise the package is useless. - // TODO: Something like this needs to be eventually done in configure_cron() in services.inc. - if (!is_process_running("cron")) { - exec("cd /tmp && /usr/sbin/cron -s 2>/dev/null"); + // configure_cron() function in services.inc already does this check on pfSense >=2.2.5 + $pfs_version = str_replace(".", "", substr(trim(file_get_contents("/etc/version")), 0, 5)); + if ($pfs_version < 225) { + if (!is_process_running("cron")) { + exec("cd /tmp && /usr/sbin/cron -s 2>/dev/null"); + } } } function cron_install_command() { // Clean up possible lingering garbage after previous package versions unlink_if_exists("/usr/local/etc/rc.d/cron.sh"); - cron_sync_package(); +} + +function cron_deinstall_command() { + rmdir_recursive("/usr/local/www/packages/cron"); } ?> diff --git a/config/cron/cron.xml b/config/cron/cron.xml index f777faff..181a4506 100644 --- a/config/cron/cron.xml +++ b/config/cron/cron.xml @@ -41,19 +41,16 @@ /* ====================================================================================== */ ]]> </copyright> - <description>Cron</description> - <name>Cron Settings</name> - <version>0.3.1</version> - <title>Settings</title> + <name>cronsettings</name> + <version>0.3.3</version> + <title>Cron Settings</title> <include_file>/usr/local/pkg/cron.inc</include_file> <menu> <name>Cron</name> - <tooltiptext>Cron settings.</tooltiptext> <section>Services</section> <configfile>cron.xml</configfile> <url>/packages/cron/cron.php</url> </menu> - <configpath>installedpackages->package->$packagename->configuration->cron</configpath> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/cron/cron.xml</item> @@ -87,4 +84,7 @@ <custom_php_install_command> cron_install_command(); </custom_php_install_command> + <custom_php_deinstall_command> + cron_deinstall_command(); + </custom_php_deinstall_command> </packagegui> diff --git a/config/siproxd/siproxd.inc b/config/siproxd/siproxd.inc index 50b6e558..9eae2567 100644 --- a/config/siproxd/siproxd.inc +++ b/config/siproxd/siproxd.inc @@ -31,6 +31,7 @@ if (!function_exists("filter_configure")) { require_once("filter.inc"); } +require_once("pfsense-utils.inc"); require_once("service-utils.inc"); // Check to find out on which pfSense version the package is running @@ -42,6 +43,18 @@ if ($pfs_version == "2.1" || $pfs_version == "2.2") { define('SIPROXD', '/usr/local'); } +function install_package_siproxd() { + siproxd_create_chroot(); + /* remove rc script distributed with the package */ + unlink_if_exists(SIPROXD . '/etc/rc.d/siproxd'); +} + +function deinstall_package_siproxd() { + rmdir_recursive("/var/siproxd"); + unlink_if_exists(SIPROXD . '/etc/siproxd.conf'); + unlink_if_exists(SIPROXD . '/etc/siproxd_passwd.cfg'); +} + function sync_package_siproxd_users() { global $g, $config; conf_mount_rw(); @@ -64,23 +77,28 @@ function sync_package_siproxd_users() { function siproxd_generate_rules($type) { global $config; - $siproxd_conf = &$config['installedpackages']['siproxdsettings']['config'][0]; + if (is_array($config['installedpackages']['siproxdsettings'])) { + $siproxd_conf = &$config['installedpackages']['siproxdsettings']['config'][0]; + } else { + $siproxd_conf = array(); + } + if (!is_service_running('siproxd')) { - log_error("Siproxd is installed but not started. Not installing redirect rules."); + log_error("[siproxd] Package is installed but not started. Not installing firewall rules."); return; } /* proxy is turned off in package settings */ - if ($siproxd_conf['sipenable'] == "0") { - log_error("WARNING: siproxd proxy has not been enabled. Not installing rules."); + if ($siproxd_conf['sipenable'] != "on") { + log_error("[siproxd] WARNING: siproxd proxy has not been enabled. Not installing firewall rules."); return "\n"; } $ifaces = explode(",", $siproxd_conf['if_inbound']); $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); - $rtplower = ($siproxd_conf['rtplower'] ? $siproxd_conf['rtplower'] : 7070); - $rtpupper = ($siproxd_conf['rtpupper'] ? $siproxd_conf['rtpupper'] : 7079); - $port = ($siproxd_conf['port'] ? $siproxd_conf['port'] : 5060); + $rtplower = $siproxd_conf['rtplower'] ?: '7070'; + $rtpupper = $siproxd_conf['rtpupper'] ?: '7079'; + $port = $siproxd_conf['port'] ?: '5060'; switch($type) { case 'nat': @@ -108,18 +126,24 @@ function siproxd_generate_rules($type) { return $rules; } -function sync_package_siproxd() { - global $config, $pfs_version; - - conf_mount_rw(); - +function siproxd_create_chroot() { $siproxd_chroot = "/var/siproxd/"; safe_mkdir($siproxd_chroot); @chown($siproxd_chroot, "nobody"); @chgrp($siproxd_chroot, "nobody"); - unlink_if_exists(SIPROXD . '/etc/rc.d/siproxd'); +} + +function sync_package_siproxd() { + global $config, $pfs_version; + + conf_mount_rw(); + siproxd_create_chroot(); - $siproxd_conf = &$config['installedpackages']['siproxdsettings']['config'][0]; + if (is_array($config['installedpackages']['siproxdsettings'])) { + $siproxd_conf = &$config['installedpackages']['siproxdsettings']['config'][0]; + } else { + $siproxd_conf = array(); + } $siproxd_conffile = SIPROXD . '/etc/siproxd.conf'; $siproxd_pwfile = SIPROXD . '/etc/siproxd_passwd.cfg'; @@ -136,9 +160,14 @@ function sync_package_siproxd() { fwrite($fout, "# This file was automatically generated by the pfSense\n"); fwrite($fout, "# package management system.\n\n"); - /* proxy is turned off in package settings */ - if ($siproxd_conf['sipenable'] == "0") { + /* if proxy is turned off in package settings, stop service, remove rc script and do nothing else */ + if ($siproxd_conf['sipenable'] != "on") { fclose($fout); + if (is_service_running('siproxd')) { + stop_service("siproxd"); + sleep(3); + } + unlink_if_exists(SIPROXD . '/etc/rc.d/siproxd.sh'); return; } @@ -147,11 +176,7 @@ function sync_package_siproxd() { } if ($siproxd_conf['if_outbound'] != "") { - if (intval($config['version']) < 6 && $config['interfaces'][$siproxd_conf['if_outbound']]['ipaddr'] == "pppoe") { - fwrite($fout, "if_outbound = ng0\n"); - } else { - fwrite($fout, "if_outbound = " . convert_friendly_interface_to_real_interface_name($siproxd_conf['if_outbound']) . "\n"); - } + fwrite($fout, "if_outbound = " . convert_friendly_interface_to_real_interface_name($siproxd_conf['if_outbound']) . "\n"); } if ($siproxd_conf['port'] != "") { @@ -286,7 +311,7 @@ function sync_package_siproxd() { sleep(3); } /* Only (re)start the service when siproxd is enabled */ - if ($siproxd_conf['sipenable'] != "0") { + if ($siproxd_conf['sipenable'] == "on") { start_service("siproxd"); sleep(3); } diff --git a/config/siproxd/siproxd.priv.inc b/config/siproxd/siproxd.priv.inc new file mode 100644 index 00000000..9980a353 --- /dev/null +++ b/config/siproxd/siproxd.priv.inc @@ -0,0 +1,42 @@ +<?php +/* + siproxd.priv.inc + part of pfSense (http://www.pfSense.org/) + Copyright (C) 2015 ESF, LLC + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +global $priv_list; + +$priv_list['page-services-siproxd'] = array(); +$priv_list['page-services-siproxd']['name'] = "WebCfg - Services: siproxd package"; +$priv_list['page-services-siproxd']['descr'] = "Allow access to siproxd package GUI"; + +$priv_list['page-services-siproxd']['match'] = array(); +$priv_list['page-services-siproxd']['match'][] = "pkg.php?xml=siproxd.xml*"; +$priv_list['page-services-siproxd']['match'][] = "pkg.php?xml=siproxdusers.xml*"; +$priv_list['page-services-siproxd']['match'][] = "pkg_edit.php?xml=siproxd.xml*"; +$priv_list['page-services-siproxd']['match'][] = "pkg_edit.php?xml=siproxdusers.xml*"; +$priv_list['page-services-siproxd']['match'][] = "siproxd_registered_phones.php*"; + +?> diff --git a/config/siproxd/siproxd.xml b/config/siproxd/siproxd.xml index e4375d8e..b0866eb1 100644 --- a/config/siproxd/siproxd.xml +++ b/config/siproxd/siproxd.xml @@ -43,25 +43,25 @@ ]]> </copyright> <name>siproxdsettings</name> - <version>1.0.6</version> + <version>1.0.7</version> <title>siproxd: Settings</title> <include_file>/usr/local/pkg/siproxd.inc</include_file> - <aftersaveredirect>/pkg_edit.php?xml=siproxd.xml&id=0</aftersaveredirect> + <aftersaveredirect>/pkg_edit.php?xml=siproxd.xml</aftersaveredirect> <menu> <name>siproxd</name> - <tooltiptext>Modify siproxd users and settings.</tooltiptext> <section>Services</section> - <url>/pkg_edit.php?xml=siproxd.xml&id=0</url> + <url>/pkg_edit.php?xml=siproxd.xml</url> </menu> <service> <name>siproxd</name> <rcfile>siproxd.sh</rcfile> <executable>siproxd</executable> + <description>Proxy/Masquerading Daemon for SIP</description> </service> <tabs> <tab> <text>Settings</text> - <url>/pkg_edit.php?xml=siproxd.xml&id=0</url> + <url>/pkg_edit.php?xml=siproxd.xml</url> <active/> </tab> <tab> @@ -82,6 +82,10 @@ <item>https://packages.pfsense.org/packages/config/siproxd/siproxd.inc</item> </additional_files_needed> <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/siproxd/siproxd.priv.inc</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/</prefix> <item>https://packages.pfsense.org/packages/config/siproxd/siproxd_registered_phones.php</item> </additional_files_needed> @@ -89,23 +93,23 @@ <field> <fielddescr>Enable siproxd</fielddescr> <fieldname>sipenable</fieldname> - <description>Enable or disable siproxd</description> + <description>Enable or disable siproxd.</description> <type>checkbox</type> </field> <field> - <fielddescr>Inbound interface</fielddescr> + <fielddescr>Inbound Interface</fielddescr> <fieldname>if_inbound</fieldname> <description>Select the inbound interface.</description> <type>interfaces_selection</type> </field> <field> - <fielddescr>Outbound interface</fielddescr> + <fielddescr>Outbound Interface</fielddescr> <fieldname>if_outbound</fieldname> <description>Select the outbound interface.</description> <type>interfaces_selection</type> </field> <field> - <fielddescr>Listening port</fielddescr> + <fielddescr>Listening Port</fielddescr> <fieldname>port</fieldname> <description> <![CDATA[ @@ -114,11 +118,12 @@ ]]> </description> <type>input</type> + <default_value>5060</default_value> </field> <field> - <fielddescr>Default expiration timeout</fielddescr> + <fielddescr>Default Expiration Timeout</fielddescr> <fieldname>defaulttimeout</fieldname> - <description>If a REGISTER request dose not contain an Expires header or expires= parameter, this number of seconds will be used and reported back to the UA in the answer.</description> + <description>If a REGISTER request does not contain an Expires header or expires= parameter, this number of seconds will be used and reported back to the UA in the answer.</description> <type>input</type> </field> <field> @@ -126,38 +131,36 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enable RTP proxy</fielddescr> + <fielddescr>Enable RTP Proxy</fielddescr> <fieldname>rtpenable</fieldname> - <description>Enable or disable the RTP proxy. (default is enabled)</description> + <description>Enable or disable the RTP proxy. (Default: enabled)</description> <type>select</type> <options> - <option> - <name>Enable</name> - <value>1</value> - </option> - <option> - <name>Disable</name> - <value>0</value> - </option> + <option><name>Enable</name><value>1</value></option> + <option><name>Disable</name><value>0</value></option> </options> + <default_value>1</default_value> </field> <field> - <fielddescr>RTP port range (lower)</fielddescr> + <fielddescr>RTP Port Range (Lower)</fielddescr> <fieldname>rtplower</fieldname> - <description>Enter the bottom edge of the port range siproxd will allocate for incoming RTP traffic. This range must be one not blocked by the firewall (default 7070).</description> + <description>Enter the bottom edge of the port range siproxd will allocate for incoming RTP traffic. This range must not be blocked by the firewall. (Default: 7070)</description> <type>input</type> + <default_value>7070</default_value> </field> <field> - <fielddescr>RTP port range (upper)</fielddescr> + <fielddescr>RTP Port Range (Upper)</fielddescr> <fieldname>rtpupper</fieldname> - <description>Enter the top edge of the port range siproxd will allocate for incoming RTP traffic. This range must be one not blocked by the firewall (default 7079).</description> + <description>Enter the top edge of the port range siproxd will allocate for incoming RTP traffic. This range must not be blocked by the firewall. (Default: 7079)</description> <type>input</type> + <default_value>7079</default_value> </field> <field> - <fielddescr>RTP stream timeout</fielddescr> + <fielddescr>RTP Stream Timeout</fielddescr> <fieldname>rtptimeout</fieldname> - <description>After this number of seconds, an RTP stream is considered dead and proxying it will be stopped (default 300sec).</description> + <description>After this number of seconds, an RTP stream is considered dead and proxying it will be stopped. (Default: 300sec)</description> <type>input</type> + <default_value>300</default_value> </field> <field> <name>Dejittering Settings</name> @@ -180,7 +183,7 @@ <type>listtopic</type> </field> <field> - <fielddescr>TCP inactivity timeout</fielddescr> + <fielddescr>TCP Inactivity Timeout</fielddescr> <fieldname>tcp_timeout</fieldname> <description> <![CDATA[ @@ -195,8 +198,8 @@ <fieldname>tcp_connect_timeout</fieldname> <description> <![CDATA[ - Defines How many msecs siproxd will wait for an successful connect when establishing an outgoing SIP signalling connection.<br /> - This should be kept as short as possible as waiting for an TCP connection to establish is a BLOCKING operation - while waiting for a connect to succeed no SIP messages are processed (RTP is not affected). + Defines How many msecs siproxd will wait for a successful connect when establishing an outgoing SIP signalling connection.<br /> + This should be kept as short as possible as waiting for an TCP connection to establish is a BLOCKING operation - no SIP messages are processed while waiting for a connect to succeed (RTP is not affected). ]]> </description> <type>input</type> @@ -212,19 +215,19 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enable proxy authentication</fielddescr> + <fielddescr>Enable Proxy Authentication</fielddescr> <fieldname>authentication</fieldname> - <description>If this is checked, clients will be forced to authenticate themselves at the proxy (for registration only).</description> + <description>If checked, clients will be forced to authenticate themselves at the proxy (for registration only).</description> <type>checkbox</type> </field> <field> - <fielddescr>Outbound proxy hostname</fielddescr> + <fielddescr>Outbound Proxy Hostname</fielddescr> <fieldname>outboundproxyhost</fieldname> <description>Enter the hostname of an outbound proxy to send all traffic to. This is only useful if you have multiple masquerading firewalls to cross.</description> <type>input</type> </field> <field> - <fielddescr>Outbound proxy port</fielddescr> + <fielddescr>Outbound Proxy Port</fielddescr> <fieldname>outboundproxyport</fieldname> <description>Enter the port of the outbound proxy to send all traffic to. This is only useful if you have multiple masquerading firewalls to cross.</description> <type>input</type> @@ -266,7 +269,7 @@ <type>checkbox</type> </field> <field> - <fielddescr>Log redirected calls</fielddescr> + <fielddescr>Log Redirected Calls</fielddescr> <fieldname>plugin_defaulttarget_log</fieldname> <description>Log redirected calls.</description> <type>checkbox</type> @@ -371,6 +374,12 @@ <type>input</type> </field> </fields> + <custom_php_install_command> + install_package_siproxd(); + </custom_php_install_command> + <custom_php_deinstall_command> + deinstall_package_siproxd(); + </custom_php_deinstall_command> <custom_add_php_command> sync_package_siproxd(); </custom_add_php_command> @@ -378,7 +387,7 @@ sync_package_siproxd(); </custom_php_resync_config_command> <filter_rules_needed> - siproxd_generate_rules(); + siproxd_generate_rules </filter_rules_needed> <custom_php_validation_command> validate_form_siproxd($_POST, $input_errors); diff --git a/config/siproxd/siproxd_registered_phones.php b/config/siproxd/siproxd_registered_phones.php index 51eb474a..0648aa2f 100644 --- a/config/siproxd/siproxd_registered_phones.php +++ b/config/siproxd/siproxd_registered_phones.php @@ -82,7 +82,7 @@ require("head.inc"); <tr><td> <?php $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "pkg_edit.php?xml=siproxd.xml&id=0"); + $tab_array[] = array(gettext("Settings"), false, "pkg_edit.php?xml=siproxd.xml"); $tab_array[] = array(gettext("Users"), false, "pkg.php?xml=siproxdusers.xml"); $tab_array[] = array(gettext("Registered Phones"), true, "siproxd_registered_phones.php"); display_top_tabs($tab_array); diff --git a/config/siproxd/siproxdusers.xml b/config/siproxd/siproxdusers.xml index 6dd53efe..390c4f35 100644 --- a/config/siproxd/siproxdusers.xml +++ b/config/siproxd/siproxdusers.xml @@ -43,13 +43,13 @@ ]]> </copyright> <name>siproxdusers</name> - <version>1.0.6</version> + <version>1.0.7</version> <title>siproxd: Users</title> <include_file>/usr/local/pkg/siproxd.inc</include_file> <tabs> <tab> <text>Settings</text> - <url>/pkg_edit.php?xml=siproxd.xml&id=0</url> + <url>/pkg_edit.php?xml=siproxd.xml</url> </tab> <tab> <text>Users</text> @@ -61,7 +61,6 @@ <url>/siproxd_registered_phones.php</url> </tab> </tabs> - <configpath>installedpackages->package->$packagename->configuration->settings</configpath> <adddeleteeditpagefields> <columnitem> <fielddescr>Username</fielddescr> @@ -76,19 +75,19 @@ <field> <fielddescr>Username</fielddescr> <fieldname>username</fieldname> - <description>Enter the username here</description> + <description>Enter the username here.</description> <type>input</type> </field> <field> <fielddescr>Password</fielddescr> <fieldname>password</fieldname> - <description>Enter the password here</description> + <description>Enter the password here.</description> <type>password</type> </field> <field> <fielddescr>Username Description</fielddescr> <fieldname>description</fieldname> - <description>Enter the description of the user here</description> + <description>Enter the description of the user here.</description> <type>input</type> </field> </fields> diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 60959ad6..5cdd5a00 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -2934,6 +2934,7 @@ rc_start() { ### Remove the lock since we have started all interfaces if [ -f {$g['varrun_path']}/snort_pkg_starting.lck ]; then + sleep 2 /bin/rm {$g['varrun_path']}/snort_pkg_starting.lck fi } @@ -2954,8 +2955,12 @@ case $1 in rc_stop ;; restart) - rc_stop - rc_start + if [ ! -f {$g['varrun_path']}/snort_pkg_starting.lck ]; then + rc_stop + rc_start + else + /usr/bin/logger -p daemon.info -i -t SnortRestart "Ignoring RESTART command since Snort is already starting..." + fi ;; esac diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 9d20a4ab..e9e43202 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -45,7 +45,7 @@ </copyright> <description>Snort IDS/IPS Package</description> <name>Snort</name> - <version>3.2.8.2</version> + <version>3.2.9</version> <title>Services: Snort IDS</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 123661e4..929ddad1 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -5,7 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2013-2014 Bill Meeks + * Copyright (C) 2013-2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -35,7 +35,7 @@ require_once("service-utils.inc"); require_once("/usr/local/pkg/snort/snort.inc"); require("/usr/local/pkg/snort/snort_defs.inc"); -global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules; +global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules, $static_output; $snortdir = SNORTDIR; $snortlibdir = SNORT_PBI_BASEDIR . "lib"; @@ -266,45 +266,56 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") { /* error occurred. */ /**********************************************************/ - global $pkg_interface, $last_curl_error, $update_errors; + global $last_curl_error, $update_errors, $static_output; $snortdir = SNORTDIR; $filename_md5 = basename($file_dst); - if ($pkg_interface <> "console") - update_status(gettext("Downloading {$desc} md5 file...")); + update_status(gettext("Downloading {$desc} md5 file...")); + $static_output .= gettext("Downloading {$desc} md5 file..."); + update_output_window($static_output); error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, SNORT_RULES_UPD_LOGFILE); $rc = snort_download_file_url($file_url, $file_dst); // See if download from URL was successful if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading {$filename_md5}.")); + update_status(gettext("Done downloading {$filename_md5}.")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); error_log("\tChecking {$desc} md5 file...\n", 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext("Checking {$desc} md5 file..."); + update_output_window($static_output); // check md5 hash in new file against current file to see if new download is posted if (file_exists("{$snortdir}/{$filename_md5}")) { $md5_check_new = file_get_contents($file_dst); $md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}"); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); if ($md5_check_new == $md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("{$desc} are up to date...")); + update_status(gettext("{$desc} are up to date...")); log_error(gettext("[Snort] {$desc} are up to date...")); error_log(gettext("\t{$desc} are up to date.\n"), 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext("{$desc} are current. No update required.\n"); + update_output_window($static_output); return false; } - else + else { return true; + } } + $static_output .= gettext(" done.\n"); + update_output_window($static_output); return true; } else { error_log(gettext("\t{$desc} md5 download failed.\n"), 3, SNORT_RULES_UPD_LOGFILE); $snort_err_msg = gettext("Server returned error code {$rc}."); - if ($pkg_interface <> "console") { - update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); - update_output_window(gettext("{$desc} will not be updated.\n\t{$snort_err_msg}")); - } + update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); + $static_output .= gettext(" FAILED!\n"); + update_output_window($static_output); + $static_output .= gettext("{$desc} will not be updated.\n{$snort_err_msg}\n"); + update_output_window($static_output); log_error(gettext("[Snort] {$desc} md5 download failed...")); log_error(gettext("[Snort] Server returned error code {$rc}...")); error_log(gettext("\t{$snort_err_msg}\n"), 3, SNORT_RULES_UPD_LOGFILE); @@ -334,29 +345,31 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* FALSE if download was not successful. */ /**********************************************************/ - global $pkg_interface, $last_curl_error, $update_errors; + global $last_curl_error, $update_errors, $static_output; $snortdir = SNORTDIR; $filename = basename($file_dst); - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of {$desc} posted. Downloading...")); + update_status(gettext("There is a new set of {$desc} posted. Downloading...")); log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}...")); error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, SNORT_RULES_UPD_LOGFILE); error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext("There is a new set of {$desc} posted.\nDownloading {$filename}..."); + update_output_window($static_output); $rc = snort_download_file_url($file_url, $file_dst); // See if the download from the URL was successful if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading {$desc} file.")); + update_status(gettext("Done downloading {$desc} file.")); log_error("[Snort] {$desc} file update downloaded successfully"); error_log(gettext("\tDone downloading rules file.\n"),3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); // Test integrity of the rules file. Turn off update if file has wrong md5 hash if ($file_md5 != trim(md5_file($file_dst))){ - if ($pkg_interface <> "console") - update_output_window(gettext("{$desc} file MD5 checksum failed...")); + $static_output .= gettext("{$desc} file MD5 checksum failed...\n"); + update_output_window($static_output); log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum...")); log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst))); log_error(gettext("[Snort] Expected File MD5: {$file_md5}")); @@ -370,12 +383,16 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { return true; } else { - if ($pkg_interface <> "console") - update_output_window(gettext("{$desc} file download failed...")); + $static_output .= gettext(" FAILED!\n"); + update_output_window($static_output); + $static_output .= gettext("{$desc} file download failed... server returned error '{$rc}'.\n"); + update_output_window($static_output); log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'...")); error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SNORT_RULES_UPD_LOGFILE); error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, SNORT_RULES_UPD_LOGFILE); error_log(gettext("\t{$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext("{$desc} will not be updated.\n"); + update_output_window($static_output); $update_errors = true; return false; } @@ -462,6 +479,9 @@ if ($emergingthreats == 'on') { /* Untar Snort rules file to tmp and install the rules */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { + $static_output .= gettext("Installing Sourcefire VRT rules..."); + update_output_window($static_output); + /* Currently, only FreeBSD-8-1, FreeBSD-9-0 and FreeBSD-10-0 precompiled SO rules exist from Snort.org */ /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x or FreeBSD 10.x */ $freebsd_version_so = 'FreeBSD-8-1'; @@ -471,13 +491,11 @@ if ($snortdownload == 'on') { $freebsd_version_so = 'FreeBSD-10-0'; /* Remove the old Snort rules files */ + update_status(gettext("Removing old Snort VRT rules...")); $vrt_prefix = VRT_FILE_PREFIX; unlink_if_exists("{$snortdir}/rules/{$vrt_prefix}*.rules"); - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT rules...")); - update_output_window(gettext("Installing Sourcefire VRT rules...")); - } + update_status(gettext("Extracting new Snort VRT rules...")); error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); /* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */ safe_mkdir("{$tmpfname}/snortrules"); @@ -495,8 +513,7 @@ if ($snortdownload == 'on') { } rmdir_recursive("{$tmpfname}/snortrules"); /* Extract the Snort preprocessor rules */ - if ($pkg_interface <> "console") - update_output_window(gettext("Extracting preprocessor rules files...")); + update_status(gettext("Extracting preprocessor rules files...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/"); $files = glob("{$tmpfname}/preproc_rules/*.rules"); foreach ($files as $file) { @@ -505,10 +522,7 @@ if ($snortdownload == 'on') { } rmdir_recursive("{$tmpfname}/preproc_rules"); /* extract so rules */ - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT Shared Objects rules...")); - update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}...")); - } + update_status(gettext("Extracting Snort VRT Shared Objects rules...")); error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, SNORT_RULES_UPD_LOGFILE); $snort_arch = php_uname("m"); $nosorules = false; @@ -523,8 +537,7 @@ if ($snortdownload == 'on') { rmdir_recursive("{$tmpfname}/so_rules/"); if ($nosorules == false) { /* extract Shared Object stub rules, rename and copy to the rules folder. */ - if ($pkg_interface <> "console") - update_status(gettext("Copying Snort VRT Shared Objects rules...")); + update_status(gettext("Copying Snort VRT Shared Objects rules...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} --exclude precompiled/ --exclude src/ so_rules/"); $files = glob("{$tmpfname}/so_rules/*.rules"); foreach ($files as $file) { @@ -534,10 +547,7 @@ if ($snortdownload == 'on') { rmdir_recursive("{$tmpfname}/so_rules/"); } /* extract base etc files */ - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT config and map files...")); - update_output_window(gettext("Copying config and map files...")); - } + update_status(gettext("Extracting Snort VRT config and map files...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$tmpfname}/etc/{$file}")) @@ -545,14 +555,12 @@ if ($snortdownload == 'on') { } rmdir_recursive("{$tmpfname}/etc"); if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of Snort VRT rules completed...")); - update_output_window(gettext("Installation of Sourcefire VRT rules completed...")); - } + update_status(gettext("Extraction of Snort VRT rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); } } @@ -561,20 +569,25 @@ if ($snortdownload == 'on') { if ($openappid_detectors == 'on') { // If we have a valid downloaded file, then first cleanup the old directory if (file_exists("{$tmpfname}/{$snort_openappid_filename}")) { + update_status(gettext("Extracting Snort OpenAppID detectors...")); + $static_output .= gettext("Installing Snort OpenAppID detectors..."); $snort_openappid_path = SNORT_APPID_ODP_PATH; rmdir_recursive("{$snort_openappid_path}odp"); error_log(gettext("\tExtracting and installing Snort OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE); safe_mkdir(SNORT_APPID_ODP_PATH); exec("/usr/bin/tar oxzf {$tmpfname}/{$snort_openappid_filename} -C {$snort_openappid_path}"); if (file_exists("{$tmpfname}/{$snort_openappid_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_openappid_filename_md5}", "{$snortdir}/{$snort_openappid_filename_md5}"); } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of Snort OpenAppID detectors completed...")); - update_output_window(gettext("Installation of Snort OpenAppID detectors completed...")); + if (!is_dir("{$snort_openappid_path}custom")) { + safe_mkdir("{$snort_openappid_path}custom"); + safe_mkdir("{$snort_openappid_path}custom/lua"); + touch("{$snort_openappid_path}custom/userappid.conf"); } + update_status(gettext("Extraction of Snort OpenAppID detectors completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); unlink_if_exists("{$tmpfname}/{$snort_openappid_filename}"); error_log(gettext("\tInstallation of Snort OpenAppID detectors completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); } @@ -584,10 +597,9 @@ if ($openappid_detectors == 'on') { if ($snortcommunityrules == 'on') { safe_mkdir("{$tmpfname}/community"); if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort GPLv2 Community Rules...")); - update_output_window(gettext("Installing Snort GPLv2 Community Rules...")); - } + update_status(gettext("Extracting Snort GPLv2 Community Rules...")); + $static_output .= gettext("Installing Snort GPLv2 Community Rules...\n"); + update_output_window($static_output); error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/"); @@ -603,14 +615,12 @@ if ($snortcommunityrules == 'on') { } /* Copy snort community md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_community_rules_filename_md5}", "{$snortdir}/{$snort_community_rules_filename_md5}"); } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); - update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed...")); - } + update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/community/"); } @@ -620,22 +630,23 @@ if ($snortcommunityrules == 'on') { if ($emergingthreats == 'on') { safe_mkdir("{$tmpfname}/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - if ($pkg_interface <> "console") { - update_status(gettext("Extracting {$et_name} rules...")); - update_output_window(gettext("Installing {$et_name} rules...")); - } + update_status(gettext("Extracting {$et_name} rules...")); + $static_output .= gettext("Installing {$et_name} rules..."); + update_output_window($static_output); error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/"); /* Remove the old Emerging Threats rules files */ $eto_prefix = ET_OPEN_FILE_PREFIX; $etpro_prefix = ET_PRO_FILE_PREFIX; + update_status(gettext("Removing old {$et_name} files...")); unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*.rules"); unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*.rules"); unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*ips.txt"); unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*ips.txt"); $files = glob("{$tmpfname}/emerging/rules/*.rules"); + update_status(gettext("Copying new {$et_name} files...")); foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") @@ -664,14 +675,12 @@ if ($emergingthreats == 'on') { /* Copy emergingthreats md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$emergingthreats_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of {$et_name} rules completed...")); - update_output_window(gettext("Installation of {$et_name} rules completed...")); - } + update_status(gettext("Extraction of {$et_name} rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/emerging/"); } @@ -710,8 +719,7 @@ function snort_apply_customizations($snortcfg, $if_real) { if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') { - if ($pkg_interface <> "console") - update_status(gettext('Copying new config and map files...')); + update_status(gettext('Copying new config and map files...')); error_log(gettext("\tCopying new config and map files...\n"), 3, SNORT_RULES_UPD_LOGFILE); /******************************************************************/ @@ -757,10 +765,9 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { $if_real = get_real_interface($value['interface']); $tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ..."; - if ($pkg_interface <> "console"){ - update_status(gettext($tmp)); - update_output_window(gettext("Please wait while Snort interface files are updated...")); - } + update_status(gettext($tmp)); + $static_output .= gettext($tmp . "..."); + update_output_window($static_output); // Make sure the interface subdirectory and required sub-directories exists. // We need to re-create them during a pkg reinstall for the intial rules set @@ -783,13 +790,14 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = $tmp .= convert_friendly_interface_to_friendly_descr($value['interface']) . "...\n"; } error_log($tmp, 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } } else { - if ($pkg_interface <> "console") { - update_output_window(gettext("Warning: No interfaces configured for Snort were found...")); - update_output_window(gettext("No interfaces currently have Snort configured and enabled on them...")); - } + $static_output .= gettext("Warning: No interfaces configured for Snort were found...\n"); + $static_output .= gettext("No interfaces currently have Snort configured and enabled on them.\n"); + update_output_window($static_output); error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, SNORT_RULES_UPD_LOGFILE); } @@ -798,24 +806,19 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = /* Restart snort if running, and not in post-install, so as to pick up the new rules. */ if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) { - if ($pkg_interface <> "console") { - update_status(gettext('Restarting Snort to activate the new set of rules...')); - update_output_window(gettext("Please wait ... restarting Snort will take some time...")); - } + update_status(gettext('Restarting Snort to activate the new set of rules...')); + $static_output .= gettext("Restarting Snort..."); + update_output_window($static_output); error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); touch("{$g['varrun_path']}/snort_pkg_starting.lck"); snort_restart_all_interfaces(TRUE); sleep(3); unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck"); - if ($pkg_interface <> "console") - update_output_window(gettext("Snort has restarted with your new set of rules...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); log_error(gettext("[Snort] Snort has restarted with your new set of rules...")); error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, SNORT_RULES_UPD_LOGFILE); } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("The rules update task is complete...")); - } } elseif ($openappid_detectors == 'on') { /**************************************************************************************/ @@ -823,33 +826,31 @@ elseif ($openappid_detectors == 'on') { /* Restart snort if running, and not in post-install, so as to pick up the detectors. */ /**************************************************************************************/ if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) { - if ($pkg_interface <> "console") { - update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...')); - update_output_window(gettext("Please wait ... restarting Snort will take some time...")); - } + update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...')); + $static_output .= gettext("Restarting Snort..."); + update_output_window($static_output); error_log(gettext("\tRestarting Snort to activate the new OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE); touch("{$g['varrun_path']}/snort_pkg_starting.lck"); snort_restart_all_interfaces(TRUE); sleep(2); unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck"); - if ($pkg_interface <> "console") - update_output_window(gettext("Snort has restarted with your new set of OpenAppID detectors...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); log_error(gettext("[Snort] Snort has restarted with your new set of OpenAppID detectors...")); error_log(gettext("\tSnort has restarted with your new set of OpenAppID detectors.\n"), 3, SNORT_RULES_UPD_LOGFILE); } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("The rules update task is complete...")); - } } /* remove $tmpfname files */ if (is_dir("{$tmpfname}")) { + $static_output .= gettext("Cleaning up temp dirs and files..."); + update_output_window($static_output); rmdir_recursive($tmpfname); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } -if ($pkg_interface <> "console") - update_status(gettext("The Rules update has finished...")); +update_status(gettext("The Rules update has finished.")); log_error(gettext("[Snort] The Rules update has finished.")); error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SNORT_RULES_UPD_LOGFILE); diff --git a/config/snort/snort_conf_template.inc b/config/snort/snort_conf_template.inc index 6b362ce5..2ee3e72c 100644 --- a/config/snort/snort_conf_template.inc +++ b/config/snort/snort_conf_template.inc @@ -48,6 +48,9 @@ config event_queue: max_queue 8 log 5 order_events content_length # Configure to show year in timestamps config show_year +# Configure IPv6 address logging in unified2 extra data +config log_ipv6_extra_data + # Configure protocol aware flushing # # For more information see README.stream5 # {$paf_max_pdu_config} diff --git a/config/snort/snort_defs.inc b/config/snort/snort_defs.inc index ac09db44..961e8696 100644 --- a/config/snort/snort_defs.inc +++ b/config/snort/snort_defs.inc @@ -54,7 +54,7 @@ if (!defined("SNORT_BIN_VERSION")) { if (!empty($snortver)) define("SNORT_BIN_VERSION", $snortver); else - define("SNORT_BIN_VERSION", "2.9.7.5"); + define("SNORT_BIN_VERSION", "2.9.7.6"); } if (!defined("SNORT_SID_MODS_PATH")) define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/"); diff --git a/config/snort/snort_frag3_engine.php b/config/snort/snort_frag3_engine.php index 9489bf16..33f06a87 100644 --- a/config/snort/snort_frag3_engine.php +++ b/config/snort/snort_frag3_engine.php @@ -187,6 +187,9 @@ if ($_POST['save']) { /* Now write the new engine array to conf */ write_config("Snort pkg: modified frag3 engine settings."); + // We have saved a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row"); exit; } diff --git a/config/snort/snort_ftp_client_engine.php b/config/snort/snort_ftp_client_engine.php index f462efa8..2f3cd1bd 100644 --- a/config/snort/snort_ftp_client_engine.php +++ b/config/snort/snort_ftp_client_engine.php @@ -218,6 +218,9 @@ if ($_POST['save']) { /* Now write the new engine array to conf */ write_config("Snort pkg: modified ftp_telnet_client engine settings."); + // We have saved a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); exit; } diff --git a/config/snort/snort_ftp_server_engine.php b/config/snort/snort_ftp_server_engine.php index cb9abc9c..7f3e5a10 100644 --- a/config/snort/snort_ftp_server_engine.php +++ b/config/snort/snort_ftp_server_engine.php @@ -189,6 +189,9 @@ if ($_POST['save']) { /* Now write the new engine array to conf */ write_config("Snort pkg: modified ftp_telnet_server engine settings."); + // We have saved a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); exit; } diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php index 646697bf..a0b5d425 100644 --- a/config/snort/snort_generate_conf.php +++ b/config/snort/snort_generate_conf.php @@ -896,6 +896,9 @@ EOD; $appid_memcap = $snortcfg['sf_appid_mem_cap'] * 1024 * 1024; $appid_params = "app_detector_dir " . rtrim(SNORT_APPID_ODP_PATH, '/') . ", \\\n\tmemcap {$appid_memcap}"; if ($snortcfg['sf_appid_statslog'] == "on") { + if (!file_exists("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/app-stats.log")) { + touch("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/app-stats.log"); + } $appid_params .= ", \\\n\tapp_stats_filename app-stats.log"; $appid_params .= ", \\\n\tapp_stats_period {$snortcfg['sf_appid_stats_period']}"; $appid_params .= ", \\\n\tapp_stats_rollover_size " . strval($config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] * 1024); @@ -1271,7 +1274,7 @@ if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribut $http_inspect_global = "preprocessor http_inspect: global "; if ($snortcfg['http_inspect'] == "off") $http_inspect_global .= "disabled "; -$http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; +$http_inspect_global .= "\\\n\tiis_unicode_map {$snortdir}/unicode.map 1252 \\\n"; $http_inspect_global .= "\tcompress_depth 65535 \\\n"; $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; if (!empty($snortcfg['http_inspect_memcap'])) @@ -1291,7 +1294,7 @@ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", " "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); + "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" ); $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); $http_inspect_servers = ""; @@ -1385,6 +1388,10 @@ if ($snortcfg['http_inspect'] <> "off") { $http_inspect_servers .= " \\\n\tlog_uri"; if ($v['log_hostname'] == "on") $http_inspect_servers .= " \\\n\tlog_hostname"; + if ($v['decompress_swf'] == "on") + $http_inspect_servers .= " \\\n\tdecompress_swf"; + if ($v['decompress_pdf'] == "on") + $http_inspect_servers .= " \\\n\tdecompress_pdf"; // Add a pair of trailing newlines to terminate this server config $http_inspect_servers .= "\n\n"; diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php index c7680892..55bdb5a7 100644 --- a/config/snort/snort_httpinspect_engine.php +++ b/config/snort/snort_httpinspect_engine.php @@ -1,7 +1,7 @@ <?php /* * snort_httpinspect_engine.php - * Copyright (C) 2013-2014 Bill Meeks + * Copyright (C) 2013-2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -66,7 +66,7 @@ if (empty($a_nat[$eng_id])) { "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); + "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" ); // See if this is initial entry and set to "default" if true if ($eng_id < 1) { $def['name'] = "default"; @@ -124,6 +124,10 @@ else { $pconfig['max_spaces'] = 0; if (empty($pconfig['max_header_length'])) $pconfig['max_header_length'] = 0; + if (empty($pconfig['decompress_swf'])) + $pconfig['decompress_swf'] = "off"; + if (empty($pconfig['decompress_pdf'])) + $pconfig['decompress_pdf'] = "off"; } if ($_POST['Cancel']) { @@ -259,6 +263,8 @@ if ($_POST['save']) { $engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off'; $engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off'; $engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off'; + $engine['decompress_swf'] = $_POST['httpinspect_decompress_swf'] ? 'on' : 'off'; + $engine['decompress_pdf'] = $_POST['httpinspect_decompress_pdf'] ? 'on' : 'off'; // Can only have one "all" Bind_To address if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { @@ -298,6 +304,9 @@ if ($_POST['save']) { // Now write the new engine array to conf write_config("Snort pkg: modified http_inspect engine settings."); + // We have saved a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); exit; } @@ -528,6 +537,24 @@ if ($savemsg) <strong><?php echo gettext("Checked");?></strong>.</td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress SWF");?></td> + <td width="78%" class="vtable"><input name="httpinspect_decompress_swf" + type="checkbox" value="on" id="httpinspect_decompress_swf" + <?php if ($pconfig['decompress_swf']=="on") echo "checked";?>> + <?php echo gettext("Uncompress and inspect Shockwave Flash data in HTTP response. " . + "Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress PDF");?></td> + <td width="78%" class="vtable"><input name="httpinspect_decompress_pdf" + type="checkbox" value="on" id="httpinspect_decompress_pdf" + <?php if ($pconfig['decompress_pdf']=="on") echo "checked";?>> + <?php echo gettext("Uncompress and inspect PDF data in HTTP response. " . + "Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Cookies");?></td> <td width="78%" class="vtable"><input name="httpinspect_normalize_cookies" type="checkbox" value="on" id="httpinspect_normalize_cookies" diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 0d41c7db..41864a4f 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -4,7 +4,7 @@ * * Copyright (C) 2008-2009 Robert Zelaya. * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -269,7 +269,8 @@ if ($_POST["save"] && !$input_errors) { "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, - "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default", + "decompress_swf" => "off", "decompress_pdf" => "off" ); $ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index edcbb2d5..a0cf24fe 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -254,7 +254,8 @@ foreach ($rule as &$r) { "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, - "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default", + "decompress_swf" => "off", "decompress_pdf" => "off" ); // Ensure sensible default values exist for global HTTP_INSPECT parameters if (empty($pconfig['http_inspect'])) diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index bbb2642c..486cd462 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php @@ -43,7 +43,7 @@ require_once("functions.inc"); require_once("/usr/local/pkg/snort/snort.inc"); require("/usr/local/pkg/snort/snort_defs.inc"); -global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; +global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include, $static_output; $snortdir = SNORTDIR; $snortlogdir = SNORTLOGDIR; @@ -180,11 +180,12 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { /****************************************************************/ /* Do one-time settings migration for new multi-engine configurations */ - update_output_window(gettext("Please wait... migrating settings to new configuration...")); + $static_output .= gettext("\nMigrating settings to new configuration..."); + update_output_window($static_output); include('/usr/local/pkg/snort/snort_migrate_config.php'); - update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); - log_error(gettext("[Snort] Downloading and updating configured rule types...")); - update_output_window(gettext("Please wait... downloading and updating configured rule sets...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); + log_error(gettext("[Snort] Downloading and updating configured rule sets...")); if ($pkg_interface <> "console") $snort_gui_include = true; include('/usr/local/pkg/snort/snort_check_for_rule_updates.php'); @@ -198,7 +199,8 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { $if_real = get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; - update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "...")); + $static_output .= gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "..."); + update_output_window($static_output); // Pull in the PHP code that generates the snort.conf file // variables that will be substituted further down below. @@ -224,10 +226,17 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { // Create barnyard2.conf file for interface if ($snortcfg['barnyard_enable'] == 'on') snort_generate_barnyard2_conf($snortcfg, $if_real); + + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } /* create snort bootup file snort.sh */ + $static_output .= gettext("Generating snort.sh script in {$rcdir}..."); + update_output_window($static_output); snort_create_rc(); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); /* Set Log Limit, Block Hosts Time and Rules Update Time */ snort_snortloglimit_install_cron(true); @@ -248,12 +257,14 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { if (!($g['booting'])) { if ($pkg_interface <> "console") { update_status(gettext("Starting Snort using rebuilt configuration...")); + $static_output .= gettext("Starting Snort as a background task using the rebuilt configuration... "); mwexec_bg("{$rcdir}snort.sh start"); - update_output_window(gettext("Snort is starting as a background task using the rebuilt configuration...")); + update_output_window($static_output); } else mwexec_bg("{$rcdir}snort.sh start"); } + update_status(""); } /* We're finished with conf partition mods, return to read-only */ diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index dd8ec660..76582763 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -263,6 +263,9 @@ if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalu // Now retrieve the "selected alias" returned from SELECT ALIAS page $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); + + // We have made a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); } // Handle deleting of any of the multiple configuration engines @@ -397,7 +400,7 @@ if ($_POST['ResetAll']) { $savemsg = gettext("All preprocessor settings have been reset to their defaults."); } -if ($_POST['save']) { +if ($_POST['save'] || $_POST['apply']) { $natent = array(); $natent = $pconfig; @@ -590,6 +593,9 @@ if ($_POST['save']) { /* Sync to configured CARP slaves if any are enabled */ snort_sync_on_changes(); + // We have saved changes, so clear "dirty" flag + clear_subsystem_dirty('snort_preprocessors'); + /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -619,6 +625,10 @@ if ($_POST['btn_import']) { $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host']; write_config("Snort pkg: imported Host Attribute Table data for {$a_nat[$id]['interface']}."); } + + // We have made a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); @@ -675,6 +685,11 @@ if ($savemsg) { <form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <input name="id" type="hidden" value="<?=$id;?>"/> <input name="eng_id" id="eng_id" type="hidden" value=""/> + +<?php if (is_subsystem_dirty('snort_preprocessors')): ?><p> +<?php print_info_box_np(gettext("A change has been made to the preprocessors configuration.") . "<br/>" . gettext("Click SAVE when finished to apply the change to the Snort configuration."));?> +<?php endif; ?> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php diff --git a/config/snort/snort_stream5_engine.php b/config/snort/snort_stream5_engine.php index 89b0bc02..e501de9f 100644 --- a/config/snort/snort_stream5_engine.php +++ b/config/snort/snort_stream5_engine.php @@ -330,6 +330,9 @@ if ($_POST['save']) { /* Now write the new engine array to conf */ write_config("Snort pkg: save modified stream5 engine."); + // We have saved a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row"); exit; } diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index aee85bcd..b7eb9889 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -41,12 +41,6 @@ require_once('service-utils.inc'); if (!function_exists("filter_configure")) { require_once("filter.inc"); } -/* Squid reverse proxy */ -require_once('/usr/local/pkg/squid_reverse.inc'); -/* Squid javascript helpers */ -require_once('/usr/local/pkg/squid_js.inc'); -/* Squid antivirus intergration features helpers */ -require_once('/usr/local/pkg/squid_antivirus.inc'); $shortcut_section = "squid"; @@ -77,6 +71,13 @@ if ($uname['machine'] == 'amd64') { ini_set('memory_limit', '250M'); } +/* Squid reverse proxy */ +require_once('/usr/local/pkg/squid_reverse.inc'); +/* Squid javascript helpers */ +require_once('/usr/local/pkg/squid_js.inc'); +/* Squid antivirus intergration features helpers */ +require_once('/usr/local/pkg/squid_antivirus.inc'); + /* * Utility functions */ @@ -1222,9 +1223,14 @@ EOD; foreach ($real_ifaces as $iface) { list($ip, $mask) = $iface; $ip = long2ip(ip2long($ip) & ip2long($mask)); - $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2); + $mask = 32 - log((ip2long($mask) ^ ip2long('255.255.255.255')) +1, 2); if (!preg_match("@$ip/$mask@", $src)) { - $src .= " $ip/$mask"; + // XXX: Do not add invalid subnets (Bug #4331, Bug #4526) + if (is_subnet("{$ip}/{$mask}")) { + $src .= " $ip/$mask"; + } else { + log_error("[squid] 'Allow Users on Interface' ACL skipped for '{$ip}/{$mask}' since it is not a valid subnet."); + } } } $conf .= "# Allow local network(s) on interface(s)\n"; diff --git a/config/zabbix2/zabbix2.inc b/config/zabbix2/zabbix2-agent.inc index 9b5f3ed3..4aa0d5f7 100644 --- a/config/zabbix2/zabbix2.inc +++ b/config/zabbix2/zabbix2-agent.inc @@ -1,6 +1,6 @@ <?php /* - zabbix2.inc + zabbix2-agent.inc part of pfSense (https://www.pfSense.org/) Copyright (C) 2013 Danilo G. Baio Copyright (C) 2013 Marcello Coutinho @@ -77,50 +77,7 @@ function php_deinstall_zabbix2_agent() { } } -function php_deinstall_zabbix2_proxy() { - global $config, $g; - - $pfs_version = php_zabbix2_pfs_version(); - $zabbix2_pkg_base = php_zabbix2_pkg_base($pfs_version); - - if ($pfs_version == "2.1" || $pfs_version == "2.2") { - define('ZABBIX_PROXY_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-proxy-' . php_uname("m")); - } else { - define('ZABBIX_PROXY_BASE', '/usr/local'); - } - - exec("/usr/bin/killall zabbix_proxy"); - unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base . "/zabbix_proxy.conf"); - unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); - unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); - - if (!is_array($config['installedpackages']['zabbixagent'])) { - if (is_dir("/var/log/zabbix2")) { - exec("/bin/rm -r /var/log/zabbix2/"); - } - if (is_dir("/var/run/zabbix2")) { - exec("/bin/rm -r /var/run/zabbix2/"); - } - } - - if (is_dir("/var/db/zabbix2")) { - exec("/bin/rm -r /var/db/zabbix2/"); - } -} - -function validate_input_zabbix2($post, &$input_errors) { - if (isset($post['proxyenabled'])) { - if (!is_numericint($post['serverport'])) { - $input_errors[] = "'Server Port' value is not numeric."; - } elseif ($post['serverport'] < 1 || $post['serverport'] > 65535) { - $input_errors[] = "You must enter a valid value for 'Server Port'."; - } - - if (!is_numericint($post['configfrequency'])) { - $input_errors[] = "'Config Frequency' value is not numeric."; - } - } - +function validate_input_zabbix2_agent($post, &$input_errors) { if (isset($post['agentenabled'])) { if (!preg_match("/\w+/", $post['server'])) { $input_errors[] = "Server field is required."; @@ -186,7 +143,7 @@ function validate_input_zabbix2($post, &$input_errors) { } } -function sync_package_zabbix2() { +function sync_package_zabbix2_agent() { global $config, $g; conf_mount_rw(); @@ -195,38 +152,10 @@ function sync_package_zabbix2() { if ($pfs_version == "2.1" || $pfs_version == "2.2") { define('ZABBIX_AGENT_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-agent-' . php_uname("m")); - define('ZABBIX_PROXY_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-proxy-' . php_uname("m")); } else { define('ZABBIX_AGENT_BASE', '/usr/local'); - define('ZABBIX_PROXY_BASE', '/usr/local'); } - // Check zabbix proxy config - if (is_array($config['installedpackages']['zabbixproxy'])) { - $zbproxy_config = $config['installedpackages']['zabbixproxy']['config'][0]; - if ($zbproxy_config['proxyenabled'] == "on") { - $Mode = (is_numericint($zbproxy_config['proxymode']) ? $zbproxy_config['proxymode'] : 0); - $AdvancedParams = base64_decode($zbproxy_config['advancedparams']); - - $zbproxy_conf_file = <<< EOF -Server={$zbproxy_config['server']} -ServerPort={$zbproxy_config['serverport']} -Hostname={$zbproxy_config['hostname']} -PidFile=/var/run/zabbix2/zabbix2_proxy.pid -DBName=/var/db/zabbix2/proxy.db -LogFile=/var/log/zabbix2/zabbix_proxy.log -ConfigFrequency={$zbproxy_config['configfrequency']} -FpingLocation=/usr/local/sbin/fping -# There's currently no fping6 (IPv6) dependency in the package, -# but if there was, the binary would likely also be in /usr/local/sbin. -Fping6Location=/usr/local/sbin/fping6 -ProxyMode={$Mode} -{$AdvancedParams} - -EOF; - file_put_contents(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base . "/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => ""))); - } - } // Check zabbix agent settings if (is_array($config['installedpackages']['zabbixagent'])) { $zbagent_config = $config['installedpackages']['zabbixagent']['config'][0]; @@ -310,8 +239,8 @@ EOF; // Check startup script files // Create a few directories and ensure the sample files are in place - if (!is_dir(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base)) { - mwexec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base); + if (!is_dir(ZABBIX_AGENT_BASE . "/etc/" . $zabbix2_pkg_base)) { + mwexec("/bin/mkdir -p " . ZABBIX_AGENT_BASE . "/etc/" . $zabbix2_pkg_base); } $dir_checks = <<< EOF @@ -336,29 +265,6 @@ EOF; EOF; - $zproxy_rcfile = "/usr/local/etc/rc.d/zabbix2_proxy.sh"; - if (is_array($zbproxy_config) && $zbproxy_config['proxyenabled'] == "on") { - $zproxy_start = strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Proxy\"...\n"; - $zproxy_start .= ZABBIX_PROXY_BASE . "/sbin/zabbix_proxy\n"; - - $zproxy_stop = "echo \"Stopping Zabbix Proxy\"\n"; - $zproxy_stop .= "/usr/bin/killall zabbix_proxy\n"; - $zproxy_stop .= "/bin/sleep 5\n"; - - write_rcfile(array( - "file" => "zabbix2_proxy.sh", - "start" => $zproxy_start, - "stop" => $zproxy_stop - ) - ); - restart_service("zabbix_proxy"); - } else { - if (is_service_running("zabbix_proxy")) { - stop_service("zabbix_proxy"); - } - unlink_if_exists($zproxy_rcfile); - } - $zagent_rcfile="/usr/local/etc/rc.d/zabbix2_agentd.sh"; if (is_array($zbagent_config) && $zbagent_config['agentenabled']=="on") { $zagent_start .= strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Agent...\"\n"; @@ -374,7 +280,11 @@ EOF; "stop" => $zagent_stop ) ); - restart_service("zabbix_agentd"); + if (is_service_running("zabbix_agentd")) { + restart_service("zabbix_agentd"); + } else { + start_service("zabbix_agentd"); + } } else { if (is_service_running("zabbix_agentd")) { stop_service("zabbix_agentd"); diff --git a/config/zabbix2/zabbix2-agent.xml b/config/zabbix2/zabbix2-agent.xml index e02caefc..be081603 100644 --- a/config/zabbix2/zabbix2-agent.xml +++ b/config/zabbix2/zabbix2-agent.xml @@ -45,13 +45,13 @@ <name>zabbixagent</name> <title>Services: Zabbix-2 Agent</title> <category>Monitoring</category> - <version>0.8.4</version> - <include_file>/usr/local/pkg/zabbix2.inc</include_file> - <addedit_string>Zabbix Agent has been created/modified.</addedit_string> - <delete_string>Zabbix Agent has been deleted.</delete_string> + <version>0.8.5</version> + <include_file>/usr/local/pkg/zabbix2-agent.inc</include_file> + <addedit_string>Zabbix Agent configuration has been created/modified.</addedit_string> + <delete_string>Zabbix Agent configuration has been deleted.</delete_string> <restart_command>/usr/local/etc/rc.d/zabbix2_agentd.sh restart</restart_command> <additional_files_needed> - <item>https://packages.pfsense.org/packages/config/zabbix2/zabbix2.inc</item> + <item>https://packages.pfsense.org/packages/config/zabbix2/zabbix2-agent.inc</item> <prefix>/usr/local/pkg/</prefix> </additional_files_needed> <additional_files_needed> @@ -204,14 +204,11 @@ <advancedfield/> </field> </fields> - <custom_php_install_command> - sync_package_zabbix2(); - </custom_php_install_command> <custom_php_validation_command> - validate_input_zabbix2($_POST, $input_errors); + validate_input_zabbix2_agent($_POST, $input_errors); </custom_php_validation_command> <custom_php_resync_config_command> - sync_package_zabbix2(); + sync_package_zabbix2_agent(); </custom_php_resync_config_command> <custom_php_deinstall_command> php_deinstall_zabbix2_agent(); diff --git a/config/zabbix2/zabbix2-proxy.inc b/config/zabbix2/zabbix2-proxy.inc new file mode 100644 index 00000000..aa21b817 --- /dev/null +++ b/config/zabbix2/zabbix2-proxy.inc @@ -0,0 +1,244 @@ +<?php +/* + zabbix2-proxy.inc + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2013 Danilo G. Baio + Copyright (C) 2013 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +require_once("util.inc"); +require_once("functions.inc"); +require_once("pkg-utils.inc"); +require_once("globals.inc"); + +function php_zabbix2_pfs_version() { + $pfs_version = substr(trim(file_get_contents("/etc/version")), 0, 3); + return $pfs_version; +} + +function php_zabbix2_pkg_base($pfs_version) { + if ($pfs_version >= 2.2) { + // pfSense 2.2 with zabbix 2.4 + $zabbix2_pkg_base = "zabbix24"; + } else { + // pfSense 2.1 with zabbix 2.2 + $zabbix2_pkg_base = "zabbix22"; + } + return $zabbix2_pkg_base; +} + +function php_deinstall_zabbix2_proxy() { + global $config, $g; + + $pfs_version = php_zabbix2_pfs_version(); + $zabbix2_pkg_base = php_zabbix2_pkg_base($pfs_version); + + if ($pfs_version == "2.1" || $pfs_version == "2.2") { + define('ZABBIX_PROXY_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-proxy-' . php_uname("m")); + } else { + define('ZABBIX_PROXY_BASE', '/usr/local'); + } + + exec("/usr/bin/killall zabbix_proxy"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base . "/zabbix_proxy.conf"); + unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); + unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); + + if (!is_array($config['installedpackages']['zabbixagent'])) { + if (is_dir("/var/log/zabbix2")) { + exec("/bin/rm -r /var/log/zabbix2/"); + } + if (is_dir("/var/run/zabbix2")) { + exec("/bin/rm -r /var/run/zabbix2/"); + } + if (is_dir("/var/db/zabbix2")) { + exec("/bin/rm -r /var/db/zabbix2/"); + } + } +} + +function validate_input_zabbix2_proxy($post, &$input_errors) { + if (isset($post['proxyenabled'])) { + if (!is_numericint($post['serverport'])) { + $input_errors[] = "'Server Port' value is not numeric."; + } elseif ($post['serverport'] < 1 || $post['serverport'] > 65535) { + $input_errors[] = "You must enter a valid value for 'Server Port'."; + } + + if (!preg_match("/\w+/", $post['hostname'])) { + $input_errors[] = "Hostname field is required."; + } + + if (!is_numericint($post['configfrequency'])) { + $input_errors[] = "'Config Frequency' value is not numeric."; + } + } +} + +function sync_package_zabbix2_proxy() { + global $config, $g; + + conf_mount_rw(); + $pfs_version = php_zabbix2_pfs_version(); + $zabbix2_pkg_base = php_zabbix2_pkg_base($pfs_version); + + if ($pfs_version == "2.1" || $pfs_version == "2.2") { + define('ZABBIX_PROXY_BASE', '/usr/pbi/' . $zabbix2_pkg_base . '-proxy-' . php_uname("m")); + } else { + define('ZABBIX_PROXY_BASE', '/usr/local'); + } + + // Check zabbix proxy config + if (is_array($config['installedpackages']['zabbixproxy'])) { + $zbproxy_config = $config['installedpackages']['zabbixproxy']['config'][0]; + if ($zbproxy_config['proxyenabled'] == "on") { + $Mode = (is_numericint($zbproxy_config['proxymode']) ? $zbproxy_config['proxymode'] : 0); + $AdvancedParams = base64_decode($zbproxy_config['advancedparams']); + + $zbproxy_conf_file = <<< EOF +Server={$zbproxy_config['server']} +ServerPort={$zbproxy_config['serverport']} +Hostname={$zbproxy_config['hostname']} +PidFile=/var/run/zabbix2/zabbix2_proxy.pid +DBName=/var/db/zabbix2/proxy.db +LogFile=/var/log/zabbix2/zabbix_proxy.log +ConfigFrequency={$zbproxy_config['configfrequency']} +FpingLocation=/usr/local/sbin/fping +# There's currently no fping6 (IPv6) dependency in the package, +# but if there was, the binary would likely also be in /usr/local/sbin. +Fping6Location=/usr/local/sbin/fping6 +ProxyMode={$Mode} +{$AdvancedParams} + +EOF; + file_put_contents(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base . "/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => ""))); + } + } + + $want_sysctls = array( + 'kern.ipc.shmall' => '2097152', + 'kern.ipc.shmmax' => '2147483648', + 'kern.ipc.semmsl' => '250' + ); + $sysctls = array(); + // Check sysctl file values + $sc_file=""; + if (file_exists("/etc/sysctl.conf")) { + $sc = file("/etc/sysctl.conf"); + foreach ($sc as $line) { + list($sysk, $sysv) = explode("=", $line, 2); + if (preg_match("/\w/", $line) && !array_key_exists($sysk, $want_sysctls)) { + $sc_file .= $line; + } + } + } + foreach ($want_sysctls as $ws => $wv) { + $sc_file .= "{$ws}={$wv}\n"; + mwexec("/sbin/sysctl {$ws}={$wv}"); + } + file_put_contents("/etc/sysctl.conf", $sc_file); + + // Check bootloader values + $lt_file = ""; + $want_tunables = array( + 'kern.ipc.semopm' => '100', + 'kern.ipc.semmni' => '128', + 'kern.ipc.semmns' => '32000', + 'kern.ipc.shmmni' => '4096' + ); + $tunables = array(); + if (file_exists("/boot/loader.conf")) { + $lt = file("/boot/loader.conf"); + foreach ($lt as $line) { + list($tunable, $val) = explode("=", $line, 2); + if (preg_match("/\w/", $line) && !array_key_exists($tunable, $want_tunables)) { + $lt_file .= $line; + } + } + } + foreach ($want_tunables as $wt => $wv) { + $lt_file .= "{$wt}={$wv}\n"; + } + file_put_contents("/boot/loader.conf", $lt_file); + + // Check startup script files + // Create a few directories and ensure the sample files are in place + if (!is_dir(ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base)) { + mwexec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/" . $zabbix2_pkg_base); + } + + $dir_checks = <<< EOF + + if [ ! -d /var/log/zabbix2 ]; then + /bin/mkdir -p /var/log/zabbix2 + /usr/sbin/chmod 755 /var/log/zabbix2 + fi + /usr/sbin/chown -R zabbix:zabbix /var/log/zabbix2 + + if [ ! -d /var/run/zabbix2 ]; then + /bin/mkdir -p /var/run/zabbix2 + /usr/sbin/chmod 755 /var/run/zabbix2 + fi + /usr/sbin/chown -R zabbix:zabbix /var/run/zabbix2 + + if [ ! -d /var/db/zabbix2 ]; then + /bin/mkdir -p /var/db/zabbix2 + /usr/sbin/chmod 755 /var/db/zabbix2 + fi + /usr/sbin/chown -R zabbix:zabbix /var/db/zabbix2 + +EOF; + + $zproxy_rcfile = "/usr/local/etc/rc.d/zabbix2_proxy.sh"; + if (is_array($zbproxy_config) && $zbproxy_config['proxyenabled'] == "on") { + $zproxy_start = strtr($dir_checks, array("\r" => "")). "\necho \"Starting Zabbix Proxy\"...\n"; + $zproxy_start .= ZABBIX_PROXY_BASE . "/sbin/zabbix_proxy\n"; + + $zproxy_stop = "echo \"Stopping Zabbix Proxy\"\n"; + $zproxy_stop .= "/usr/bin/killall zabbix_proxy\n"; + $zproxy_stop .= "/bin/sleep 5\n"; + + write_rcfile(array( + "file" => "zabbix2_proxy.sh", + "start" => $zproxy_start, + "stop" => $zproxy_stop + ) + ); + if (is_service_running("zabbix_proxy")) { + restart_service("zabbix_proxy"); + } else { + start_service("zabbix_proxy"); + } + } else { + if (is_service_running("zabbix_proxy")) { + stop_service("zabbix_proxy"); + } + unlink_if_exists($zproxy_rcfile); + } + + conf_mount_ro(); +} + +?> diff --git a/config/zabbix2/zabbix2-proxy.xml b/config/zabbix2/zabbix2-proxy.xml index 398c3df4..c39bbdc6 100644 --- a/config/zabbix2/zabbix2-proxy.xml +++ b/config/zabbix2/zabbix2-proxy.xml @@ -45,13 +45,13 @@ <name>zabbixproxy</name> <title>Services: Zabbix-2 Proxy</title> <category>Monitoring</category> - <version>0.8.4</version> - <include_file>/usr/local/pkg/zabbix2.inc</include_file> - <addedit_string>Zabbix Proxy has been created/modified.</addedit_string> - <delete_string>Zabbix Proxy has been deleted.</delete_string> + <version>0.8.5</version> + <include_file>/usr/local/pkg/zabbix2-proxy.inc</include_file> + <addedit_string>Zabbix Proxy configuration has been created/modified.</addedit_string> + <delete_string>Zabbix Proxy configuration has been deleted.</delete_string> <restart_command>/usr/local/etc/rc.d/zabbix2_proxy.sh restart</restart_command> <additional_files_needed> - <item>https://packages.pfsense.org/packages/config/zabbix2/zabbix2.inc</item> + <item>https://packages.pfsense.org/packages/config/zabbix2/zabbix2-proxy.inc</item> <prefix>/usr/local/pkg/</prefix> </additional_files_needed> <additional_files_needed> @@ -148,14 +148,11 @@ <advancedfield/> </field> </fields> - <custom_php_install_command> - sync_package_zabbix2(); - </custom_php_install_command> <custom_php_validation_command> - validate_input_zabbix2($_POST, $input_errors); + validate_input_zabbix2_proxy($_POST, $input_errors); </custom_php_validation_command> <custom_php_resync_config_command> - sync_package_zabbix2(); + sync_package_zabbix2_proxy(); </custom_php_resync_config_command> <custom_php_deinstall_command> php_deinstall_zabbix2_proxy(); |