diff options
Diffstat (limited to 'config')
137 files changed, 12706 insertions, 3526 deletions
diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template index 69ffb9c7..ab981a9e 100644 --- a/config/apache_mod_security-dev/apache.template +++ b/config/apache_mod_security-dev/apache.template @@ -4,69 +4,8 @@ if(file_exists( APACHEDIR ."/libexec/apache22/mod_memcache.so")) $mod_mem_cache = "LoadModule memcache_module libexec/apache22/mod_memcache.so\n"; } - -/* -<IfModule mod_security2.c> - - - # Turn the filtering engine On or Off - SecFilterEngine On - - # XXX Add knobs for these - SecRuleEngine On - SecRequestBodyAccess On - SecResponseBodyAccess On - - SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit} - SecRequestBodyLimit {$secrequestbodylimit} - - {$mod_security_custom} - - SecResponseBodyMimeTypesClear - SecResponseBodyMimeType (null) text/plain text/html text/css text/xml - - # XXX Add knobs for these - SecUploadDir /var/spool/apache/private - SecUploadKeepFiles Off - - # The audit engine works independently and - # can be turned On of Off on the per-server or - # on the per-directory basis - SecAuditEngine {$secauditengine} - - # XXX Add knobs for these - # Make sure that URL encoding is valid - SecFilterCheckURLEncoding On - - # XXX Add knobs for these - # Unicode encoding check - SecFilterCheckUnicodeEncoding On - - # XXX Add knobs for these - # Only allow bytes from this range - SecFilterForceByteRange 1 255 - - # Help prevent the effects of a Slowloris-type of attack - # $secreadstatelimit - - # Cookie format checks. - SecFilterCheckCookieFormat On - - # The name of the audit log file - SecAuditLog logs/audit_log - - #http-guardian Anti-dos protection - {$SecGuardianLog} - - # Should mod_security inspect POST payloads - SecFilterScanPOST On - - # Include rules from rules/ directory - {$mod_security_rules} - -</IfModule> - -*/ + if($mods_settings['enablemodsecurity']=="on") + $mod_security_module= "LoadModule security2_module libexec/apache22/mod_security2.so\n"; $apache_dir=APACHEDIR; $apache_config = <<<EOF @@ -176,7 +115,7 @@ LoadModule status_module libexec/apache22/mod_status.so LoadModule autoindex_module libexec/apache22/mod_autoindex.so LoadModule asis_module libexec/apache22/mod_asis.so LoadModule info_module libexec/apache22/mod_info.so -LoadModule cgi_module libexec/apache22/mod_cgi.so +#LoadModule cgi_module libexec/apache22/mod_cgi.so LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so LoadModule negotiation_module libexec/apache22/mod_negotiation.so LoadModule dir_module libexec/apache22/mod_dir.so @@ -188,6 +127,7 @@ LoadModule alias_module libexec/apache22/mod_alias.so LoadModule rewrite_module libexec/apache22/mod_rewrite.so LoadModule reqtimeout_module libexec/apache22/mod_reqtimeout.so {$mod_mem_cache} +{$mod_security_module} <IfModule !mpm_netware_module> <IfModule !mpm_winnt_module> @@ -564,9 +504,13 @@ AcceptFilter https none # Proxysettings {$mod_proxy} +# Mod status +{$mod_status} + + # Include anything else Include etc/apache22/Includes/*.conf EOF; -?>
\ No newline at end of file +?> diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml index b3acba57..5e02f9d4 100755 --- a/config/apache_mod_security-dev/apache_balancer.xml +++ b/config/apache_mod_security-dev/apache_balancer.xml @@ -75,7 +75,12 @@ <active/> </tab> <tab> - <text>Virutal Hosts</text> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> <url>/pkg.php?xml=apache_virtualhost.xml</url> <tab_level>2</tab_level> </tab> @@ -103,23 +108,24 @@ <fielddescr>Description</fielddescr> <fieldname>description</fieldname> </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> - <name>apache Reverse Peer Mappings</name> + <name>Apache Reverse Peer Mappings</name> <type>listtopic</type> </field> <field> <fielddescr>Enable</fielddescr> <fieldname>enable</fieldname> - <description>If this field is checked, then this server poll will be available for virtual hosts config.</description> + <description>If this field is checked, then this server pool will be available for Virtual Hosts configuration.</description> <type>checkbox</type> </field> <field> <fielddescr>Balancer name</fielddescr> <fieldname>name</fieldname> - <description><![CDATA[Name to identify this peer on apache conf<br> - example: www_site1]]></description> + <description><![CDATA[Name to identify this peer in Apache configuration<br> + Example: www_site1]]></description> <type>input</type> <size>20</size> </field> @@ -133,61 +139,66 @@ <field> <fielddescr>Protocol</fielddescr> <fieldname>proto</fieldname> - <description><![CDATA[Protocol listening on this internal server(s) port.]]></description> + <description><![CDATA[Protocol used on the internal server(s).]]></description> <type>select</type> - <options> - <option> <name>HTTP</name> <value>http</value> </option> - <option> <name>HTTPS</name> <value>https</value> </option> - </options> + <options> + <option> <name>HTTP</name> <value>http</value> </option> + <option> <name>HTTPS</name> <value>https</value> </option> + </options> </field> -<field> - <fielddescr> - <![CDATA[Internal Servers]]> - </fielddescr> + <field> + <name><![CDATA[Internal Server(s)]]></name> + <type>listtopic</type> + </field> + <field> + <fielddescr><![CDATA[Internal Servers]]></fielddescr> <fieldname>additionalparameters</fieldname> - <type>rowhelper</type> - <rowhelper> + <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> + <movable>on</movable> + <rowhelper> <rowhelperfield> - <fielddescr>fqdn or ip</fielddescr> - <fieldname>host</fieldname> - <description>Internal site IP or Hostnamesite</description> - <type>input</type> - <size>20</size> + <fielddescr>FQDN or IP Address</fielddescr> + <fieldname>host</fieldname> + <description>Internal site IP or site hostname</description> + <type>input</type> + <size>27</size> </rowhelperfield> <rowhelperfield> - <fielddescr>port</fielddescr> - <fieldname>port</fieldname> - <description>Internal site port</description> - <type>input</type> - <size>4</size> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + <description>Internal site port</description> + <type>input</type> + <size>5</size> </rowhelperfield> <rowhelperfield> - <fielddescr>routeid</fielddescr> - <fieldname>routeid</fieldname> - <description>id to define stick connections</description> - <type>input</type> - <size>4</size> + <fielddescr>Route ID</fielddescr> + <fieldname>routeid</fieldname> + <description>ID to define sticky connections</description> + <type>input</type> + <size>6</size> </rowhelperfield> <rowhelperfield> - <fielddescr>weight</fielddescr> - <fieldname>loadfactor</fieldname> - <description>Server weight</description> - <type>input</type> - <size>4</size> + <fielddescr>Weight</fielddescr> + <fieldname>loadfactor</fieldname> + <description>Server weight</description> + <type>input</type> + <size>4</size> </rowhelperfield> <rowhelperfield> - <fielddescr>ping</fielddescr> - <fieldname>ping</fieldname> - <description>Server ping test interval</description> - <type>input</type> - <size>4</size> + <fielddescr>Ping</fielddescr> + <fieldname>ping</fieldname> + <description>Server ping test interval</description> + <type>input</type> + <size>6</size> </rowhelperfield> <rowhelperfield> - <fielddescr>ttl</fielddescr> - <fieldname>ttl</fieldname> - <description>Server pint ttl</description> - <type>input</type> - <size>4</size> + <fielddescr>TTL</fielddescr> + <fieldname>ttl</fieldname> + <description>Server ping TTL</description> + <type>input</type> + <size>6</size> </rowhelperfield> </rowhelper> </field> @@ -196,4 +207,4 @@ <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_location.xml b/config/apache_mod_security-dev/apache_location.xml new file mode 100644 index 00000000..ea957f43 --- /dev/null +++ b/config/apache_mod_security-dev/apache_location.xml @@ -0,0 +1,237 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apache_location.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C)2012 Marcello Coutinho + Copyright (C)2013 Stephane Lapie <stephane.lapie@asahinet.com> + All rights reserved. +*/ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* ========================================================================== */ +]]> + </copyright> + <name>apachelocation</name> + <version>1.0</version> + <title>Apache reverse proxy: Locations</title> + + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + <active/> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + </tab> + <tab> + <text>Daemon Options</text> + <url>/pkg_edit.php?xml=apache_settings.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Backends / Balancers</text> + <url>/pkg.php?xml=apache_balancer.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <active/> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> + <url>/pkg.php?xml=apache_virtualhost.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Logs</text> + <url>/apache_view_logs.php</url> + <tab_level>2</tab_level> + </tab> + </tabs> + <adddeleteeditpagefields> + <movable>on</movable> + <columnitem> + <fielddescr>Identifier</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Compress</fielddescr> + <fieldname>compress</fieldname> + </columnitem> + <columnitem> + <fielddescr>Site Path</fielddescr> + <fieldname>sitepath</fieldname> + <listmodeoff>/</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Balancer</fielddescr> + <fieldname>balancer</fieldname> + </columnitem> + <columnitem> + <fielddescr>LB Method</fielddescr> + <fieldname>lbmethod</fieldname> + </columnitem> + <columnitem> + <fielddescr>Backendpath</fielddescr> + <fieldname>backendpath</fieldname> + <listmodeoff>/</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Modsecurity</fielddescr> + <fieldname>modsecgroup</fieldname> + <listmodeoff>None</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Rule Manipulation</fielddescr> + <fieldname>modsecmanipulation</fieldname> + <listmodeoff>None</listmodeoff> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Location Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr><![CDATA[Identifier]]></fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Location name/identifier.]]></description> + <type>input</type> + <required/> + <size>20</size> + </field> + <field> + <fielddescr><![CDATA[gzip?]]></fielddescr> + <fieldname>compress</fieldname> + <description>Compress data to save bandwidth?</description> + <type>select</type> + <options> + <option><name>yes</name><value>yes</value></option> + <option><name>no</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr><![CDATA[Site Path]]></fielddescr> + <fieldname>sitepath</fieldname> + <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description> + <type>input</type> + <size>30</size> + </field> + <field> + <fielddescr><![CDATA[Balancer]]></fielddescr> + <fieldname>balancer</fieldname> + <description>Server balancer / pool</description> + <source><![CDATA[$config['installedpackages']['apachebalancer']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + <type>select_source</type> + <size>5</size> + </field> + <field> + <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>LB Method</a>]]></fielddescr> + <fieldname>lbmethod</fieldname> + <description>Server balance method</description> + <type>select</type> + <options> + <option><name>byrequests</name><value>byrequests</value></option> + <option><name>bytraffic</name><value>bytraffic</value></option> + <option><name>bybusyness</name><value>bybusyness</value></option> + </options> + </field> + <field> + <fielddescr>Backend Path</fielddescr> + <fieldname>backendpath</fieldname> + <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description> + <type>input</type> + <size>30</size> + </field> + <field> + <fielddescr><![CDATA[ModSecurity]]></fielddescr> + <fieldname>modsecgroup</fieldname> + <description>Choose ModSecurity group to use on this virtual host.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['apachemodsecuritygroups']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + </field> + <field> + <fielddescr><![CDATA[Manipulations]]></fielddescr> + <fieldname>modsecmanipulation</fieldname> + <description>Choose Modsecurity group to use on this virtual host.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['apachemodsecuritymanipulation']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + </field> + <field> + <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'> Balancer options</a>]]></fielddescr> + <fieldname>options</fieldname> + <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description> + <type>input</type> + <size>30</size> + </field> + <field> + <name>Custom Location Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>custom</fieldname> + <description><![CDATA[Pass extra Apache config for this Location. This is useful for SSLRequire rules for example.]]></description> + <type>textarea</type> + <cols>90</cols> + <rows>10</rows> + <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> + </field> + </fields> + <service> + <name>apache_mod_security</name> + <rcfile>apache_mod_security.sh</rcfile> + <executable>httpd</executable> + </service> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> +</packagegui> diff --git a/config/apache_mod_security-dev/apache_logs_data.php b/config/apache_mod_security-dev/apache_logs_data.php index 256ff144..fdcc04b0 100644 --- a/config/apache_mod_security-dev/apache_logs_data.php +++ b/config/apache_mod_security-dev/apache_logs_data.php @@ -92,7 +92,7 @@ if ($_GET) { // Apply filter and color if ($filter != "") $line = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$line); - $agent_info="onmouseover=\"jQuery('#bowserinfo').empty().html('{$line[13]}');\"\n"; + $agent_info="onmouseover=\"jQuery('#browserinfo').empty().html('{$line[13]}');\"\n"; echo "<tr valign=\"top\" $agent_info>\n"; echo "<td class=\"listlr\" align=\"center\" nowrap>{$line[5]}({$line[6]})</td>\n"; echo "<td class=\"listr\" align=\"center\">{$line[1]}</td>\n"; diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc index fb83f9a6..31be95cf 100644 --- a/config/apache_mod_security-dev/apache_mod_security.inc +++ b/config/apache_mod_security-dev/apache_mod_security.inc @@ -3,7 +3,8 @@ apache_mod_security.inc part of apache_mod_security package (http://www.pfSense.com) Copyright (C) 2009, 2010 Scott Ullrich - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho + Copyright (C) 2013 Stephane Lapie <stephane.lapie@asahinet.com> All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$shortcut_section = "apache"; // Check to find out on which system the package is running $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0) @@ -35,9 +37,9 @@ if ($pf_version > 2.0) else define('APACHEDIR', '/usr/local'); // End of system check -define ('MODSECURITY_DIR','modsecurity-crs_2.2.5'); +define ('MODSECURITY_DIR','crs'); // Rules directory location -define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR); +define("RULES_DIRECTORY", APACHEDIR . "/". MODSECURITY_DIR); function apache_textarea_decode($base64){ return preg_replace("/\r\n/","\n",base64_decode($base64)); } @@ -57,10 +59,6 @@ function apache_get_real_interface_address($iface) { // Ensure NanoBSD can write. pkg_mgr will remount RO conf_mount_rw(); -// Needed mod_security directories -if(!is_dir(APACHEDIR . "/". MODSECURITY_DIR)) - safe_mkdir(APACHEDIR . "/". MODSECURITY_DIR); - // Startup function function apache_mod_security_start() { exec(APACHEDIR . "/sbin/httpd -D NOHTTPACCEPT -k start"); @@ -127,24 +125,179 @@ function apache_mod_security_resync() { global $config, $g; apache_mod_security_install(); $dirs=array("base", "experimental","optional", "slr"); - if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")) - exec ("tar -xzf /usr/local/pkg/modsecurity-crs_2.2.5.tar.gz -C ".APACHEDIR); + log_error("apache_mod_security_package: configuration resync is starting."); + if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")){ + exec ("/usr/local/bin/git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git ".APACHEDIR."/".MODSECURITY_DIR); + //chdir (APACHEDIR."/".MODSECURITY_DIR); + //exec ("/usr/local/bin/git checkout -q 2.2.8"); + } $write_config=0; foreach ($dirs as $dir){ if ($handle = opendir(APACHEDIR ."/".MODSECURITY_DIR."/{$dir}_rules")) { - $write_config++; - $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); - while (false !== ($entry = readdir($handle))) { - if (preg_match("/(\S+).conf/",$entry,$matches)) - $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); - } - closedir($handle); + $write_config++; + $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); + while (false !== ($entry = readdir($handle))) { + if (preg_match("/(\S+).conf$/",$entry,$matches)) + $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); + } + closedir($handle); } } if ($write_config > 0) write_config(); apache_mod_security_checkconfig(); apache_mod_security_restart(); + log_error("apache_mod_security_package: configuration resync is ending."); + + if (is_array($config['installedpackages']['apachesync']['config'])){ + $apache_sync = $config['installedpackages']['apachesync']['config'][0]; + $synconchanges = $apache_sync['synconchanges']; + $synctimeout = $apache_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($apache_sync[row])){ + $rs = $apache_sync[row]; + } else { + log_error("apache_mod_security_package: xmlrpc sync is enabled but there is no hosts to push on apache config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ // pfSense 2.0.x + $system_carp = $config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['username'] = $system_carp['username']; + $rs[0]['password'] = $system_carp['password']; + } else if (is_array($config['hasync'])) { // pfSense 2.1 + $system_carp = $config['hasync']; + $rs[0]['ipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['username'] = $system_carp['username']; + $rs[0]['password'] = $system_carp['password']; + } else { + log_error("apache_mod_security_package: xmlrpc sync is enabled but there is no system backup hosts to push apache config."); + return; + } + break; + default: + return; + break; + } + } + if (is_array($rs)){ + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if ($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if ($password && $sync_to_ip) + apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout); + } + } +} + +// Do the actual XMLRPC Sync +function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { + global $config, $g; + + if(!$username) + return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + if(!$synctimeout) + $synctimeout=25; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['apachesettings'] = $config['installedpackages']['apachesettings']; + $xml['apachemodsecurity'] = $config['installedpackages']['apachemodsecurity']; + $xml['apachemodsecuritysettings'] = $config['installedpackages']['apachemodsecuritysettings']; + $xml['apachebalancer'] = $config['installedpackages']['apachebalancer']; + $xml['apachevirtualhost'] = $config['installedpackages']['apachevirtualhost']; + $xml['apachelisten'] = $config['installedpackages']['apachelisten']; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("apache_mod_security_package: Beginning apache_mod_security XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } else { + log_error("apache_mod_security_package: XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell apache_mod_security to reload our settings on the destination sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/apache_mod_security.inc');\n"; + $execcmd .= "apache_mod_security_resync();"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("apache_mod_security_package: XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } else { + log_error("apache_mod_security XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + + } function apache_mod_security_checkconfig() { @@ -198,7 +351,9 @@ function generate_apache_configuration() { file_notice("apache_mod_security", $error, "apache_mod_security", ""); } // Set global listening directive and ensure nothing is listening on this port already - $globalbind_ip = ($settings['globalbindtoipaddr'] ? $settings['globalbindtoipaddr'] : "*"); + $iface_address = apache_get_real_interface_address($settings['globalbindtoipaddr']); + $ip=$iface_address[0]; + $globalbind_ip = ($ip ? $ip : "*"); $globalbind_port = $settings['globalbindtoport']; if ($globalbind_port == ""){ $globalbind_port ="80"; @@ -230,7 +385,8 @@ function generate_apache_configuration() { //performance settings //reference http://httpd.apache.org/docs/2.2/mod/mpm_common.html - $performance_settings="KeepAlive {$settings['keepalive']}\n"; + $keepalive=($settings['keepalive']?$settings['keepalive']:"on"); + $performance_settings="KeepAlive {$keepalive}\n"; if ($settings['maxkeepalivereq']) $performance_settings .= "MaxKeepAliveRequests {$settings['maxkeepalivereq']}\n"; if ($settings['keepalivetimeout']) @@ -296,7 +452,7 @@ function generate_apache_configuration() { $options.=($server['routeid'] ? " route={$server['routeid']}" : ""); $options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : ""); - if (isset($server['ping'])){ + if (isset($server['ping']) && $server['ping']!=""){ $options.= " ping={$server['ping']}"; $options.=($server['ttl'] ? " ttl={$server['ttl']}" : ""); } @@ -311,8 +467,50 @@ function generate_apache_configuration() { //write balancer conf file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX); } - + + // configure modsecurity group options + //chroot apache http://forums.freebsd.org/showthread.php?t=6858 + if (is_array($config['installedpackages']['apachemodsecuritygroups'])){ + unset($mods_group); + foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){ + //RULES_DIRECTORY + foreach (split(",",$mods_groups['baserules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/base_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['optionalrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/optional_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['slrrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/slr_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['experimentalrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/experimental_rules/{$baserule}.conf\n"; + } + } + } + //print "<PRE>"; + //var_dump($mods_group); + + //mod_security settings + if (is_array($config['installedpackages']['apachemodsecuritysettings'])){ + $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0]; + + if ($mods_settings['crs10']=="" && file_exists(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')){ + $config['installedpackages']['apachemodsecuritysettings']['config'][0]['crs10']=base64_encode(file_get_contents(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')); + write_config("modsecurity - Load crs 10 default setup file."); + } + + $cr10_setup="Include ".RULES_DIRECTORY ."/modsecurity_crs_10_setup.conf\n"; + file_put_contents(RULES_DIRECTORY ."/modsecurity_crs_10_setup.conf",apache_textarea_decode($config['installedpackages']['apachemodsecuritygroups']['config'][0]['crs10']),LOCK_EX); + } + // create location(s) array + if (is_array($config['installedpackages']['apachelocation'])){ + foreach ($config['installedpackages']['apachelocation']['config'] as $location) + $apache_location[$location['name']]=$location; + } //configure virtual hosts + $namevirtualhosts=array(); + $namevirtualhosts[0]=$global_listen; if (is_array($config['installedpackages']['apachevirtualhost'])){ $vh_config= <<<EOF ################################################################################## @@ -332,6 +530,9 @@ EOF; $iface_address = apache_get_real_interface_address($virtualhost['interface']); $ip=$iface_address[0]; $port=($virtualhost['port'] ? $virtualhost['port'] : $default_port[$virtualhost['proto']]); + if (!in_array("{$ip}:{$port}",$namevirtualhosts)) + $namevirtualhosts[]="{$ip}:{$port}"; + $vh_config.="# {$virtualhost['description']}\n"; $vh_config.="<VirtualHost {$ip}:{$port}>\n"; $vh_config.=" ServerName ". preg_replace ("/\r\n(\S+)/","\n ServerAlias $1",base64_decode($virtualhost['primarysitehostname'])) ."\n"; @@ -378,23 +579,31 @@ EOF; $vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n"; #Check virtualhost locations - foreach ($virtualhost['row'] as $backend){ - $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n"; - $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n"; - $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n"; - if ($backend['compress']== "no") - $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n"; - if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){ - foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){ - if ($backend['modsecmanipulation'] == $manipulation['name']){ - if (is_array($manipulation['row'])) - foreach ($manipulation['row'] as $secrule) - $vh_config.=" {$secrule['type']} {$secrule['value']}\n"; + foreach ($virtualhost['row'] as $be){ + if ($be['location'] != "none"){ + $backend=$apache_location[$be['location']]; + $vh_config.="# {$backend['name']}\n"; + $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n"; + $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + if ($backend['compress']== "no") + $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n"; + if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on"){ + $vh_config.=$mods_group[$backend['modsecgroup']]; + } + if (is_array($config['installedpackages']['apachemodsecuritymanipulation']) && $mods_settings['enablemodsecurity']=="on"){ + foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){ + if ($backend['modsecmanipulation'] == $manipulation['name']){ + if (is_array($manipulation['row'])) + foreach ($manipulation['row'] as $secrule) + $vh_config.=" {$secrule['type']} {$secrule['value']}\n"; + } } } - } - $vh_config.=" </Location>\n\n"; + $vh_config.= apache_textarea_decode($backend['custom'])."\n\n"; + $vh_config.=" </Location>\n\n"; } + } $vh_config.="</VirtualHost>\n"; } } @@ -404,7 +613,7 @@ EOF; // check/fix perl version on mod_security util files $perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl"); foreach ($perl_files as $perl_file){ - $file_path=rules_directory."/util/"; + $file_path=RULES_DIRECTORY."/util/"; if (file_exists($file_path.$perl_file)){ $script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file)); file_put_contents($file_path.$perl_file,$script,LOCK_EX); @@ -421,12 +630,8 @@ EOF; } } - //mod_security settings - if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){ - $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0]; - if ($mods_settings!="") - $SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\""; - } + if ($mods_settings!="") + $SecGuardianLog="SecGuardianLog \"|".RULES_DIRECTORY."/util/httpd-guardian\""; //fix http-guardian.pl block bins //$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib; @@ -480,51 +685,44 @@ EOF; // Read already configured addresses if (is_array($settings['row'])){ foreach($settings['row'] as $row) { - if ($row['ipaddress'] && $row['ipport']) + if ($row['interface'] && $row['ipport']) $configuredaliases[] = $row; } } // clear list of bound addresses before updating $config['installedpackages']['apachesettings']['config'][0]['row'] = array(); - // Process proxy sites // Configure NameVirtualHost directives $aliases = ""; - $processed = array(); - if(is_array($config['installedpackages']['apachemodsecurity'])) { - foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { - if($ams['ipaddress'] && $ams['port']) - $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; - else - $local_ip_port = $global_listen; - // Do not add entries twice. - if(!in_array($local_ip_port, $processed)) { - // explicit bind if not global ip:port - if ($local_ip_port != $global_listen) { - $aliases .= "Listen $local_ip_port\n"; - // Automatically add this to configuration - $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); - } - $mod_proxy .= "NameVirtualHost $local_ip_port\n"; - $processed[] = $local_ip_port; - } + //add NameVirtualHost and listening entries to configured virtualhosts + foreach ($namevirtualhosts as $namevirtualhost){ + // explicit bind if not global ip:port + if ($namevirtualhost != $global_listen) { + $mod_proxy .= "NameVirtualHost {$namevirtualhost}\n"; + $aliases .= "Listen $namevirtualhost\n"; + // Automatically add this to configuration + $aplisten=split(":",$namevirtualhost); + $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $aplisten[0], 'ipport' => $aplisten[1]); } } + // Process Status Page + $mod_status = ""; + if ($settings['statuspage'] == "on") { + if($settings['extendedstatuspage']== "on"){ + $extendedstatus="ExtendedStatus On"; + } + $mod_status .= <<<EOF +{$extendedstatus} +<Location /server-status> + SetHandler server-status + Order Deny,Allow + Deny from all -//** Uncomment to allow adding ip/ports not used by any site proxies -//** Otherwise unused addresses/ports will be automatically deleted from the configuration -// foreach ($configuredaliases as $ams) { -// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}"; -// if(!in_array($local_ip_port, $processed)) { -// // explicit bind if not global ip:port -// if ($local_ip_port != $global_listen) { -// $aliases .= "Listen $local_ip_port\n"; -// // Automatically add this to configuration -// $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']); -// } -// } -// } +EOF; + $mod_status .= "Allow from ".($settings['netaccessstatus'] ? $settings['netaccessstatus'] : "All")."\n"; + $mod_status .= "</Location>\n"; + } // update configuration with actual ip bindings write_config($pkg['addedit_string']); @@ -632,19 +830,20 @@ EOF; $mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom']; // Process and include rules - if(is_dir(rules_directory)) { + if(is_dir(RULES_DIRECTORY)) { $mod_security_rules = ""; - $files = return_dir_as_array(rules_directory); + $files = return_dir_as_array(RULES_DIRECTORY); foreach($files as $file) { - if(file_exists(rules_directory . "/" . $file)) { + if(file_exists(RULES_DIRECTORY . "/" . $file)) { // XXX: TODO integrate snorts rule on / off thingie - $file_txt = file_get_contents(rules_directory . "/" . $file); + $file_txt = file_get_contents(RULES_DIRECTORY . "/" . $file); $mod_security_rules .= $file_txt . "\n"; } } } #include file templates + include ("/usr/local/pkg/apache_mod_security.template"); include ("/usr/local/pkg/apache.template"); file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX); diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template index e5a2c864..d004a9ae 100644 --- a/config/apache_mod_security-dev/apache_mod_security.template +++ b/config/apache_mod_security-dev/apache_mod_security.template @@ -1,8 +1,8 @@ <?php - // Mod_security enabled? - if($modsec_settings['enablemodsecurity']) { - $enable_mod_security = true; - $mod_security = <<< EOF +// Mod_security enabled? +if($mods_settings['enablemodsecurity']=="on") { + $enable_mod_security = true; + $mod_security = <<< EOF # -- Rule engine initialization ---------------------------------------------- # Enable ModSecurity, attaching it to every transaction. Use detection @@ -208,3 +208,5 @@ SecArgumentSeparator & # SecCookieFormat 0 +EOF; +} diff --git a/config/apache_mod_security-dev/apache_mod_security_groups.xml b/config/apache_mod_security-dev/apache_mod_security_groups.xml index 92b41243..4775fb3c 100644 --- a/config/apache_mod_security-dev/apache_mod_security_groups.xml +++ b/config/apache_mod_security-dev/apache_mod_security_groups.xml @@ -73,15 +73,21 @@ <tab_level>2</tab_level> </tab> </tabs> - <adddeleteeditpagefields> + <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Name</fielddescr> <fieldname>name</fieldname> </columnitem> <columnitem> + <fielddescr>Logging</fielddescr> + <fieldname>secauditengine</fieldname> + </columnitem> + <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> </columnitem> + </adddeleteeditpagefields> <fields> <field> @@ -94,6 +100,7 @@ <description>Enter group name</description> <type>input</type> <size>25</size> + <required/> </field> <field> <fielddescr>Description</fielddescr> @@ -102,6 +109,7 @@ <type>input</type> <size>45</size> </field> + <field> <fielddescr>Base Rules</fielddescr> <fieldname>baserules</fieldname> @@ -182,30 +190,24 @@ <option><name>log everything, including very detailed debugging information</name><value>9</value></option> </options> </field> - <field> - <name>Custom options</name> + <name>Custom mod_security rules</name> <type>listtopic</type> </field> <field> - <fielddescr>Custom mod_security ErrorDocument</fielddescr> - <fieldname>errordocument</fieldname> - <description></description> - <type>textarea</type> - <rows>10</rows> - <cols>75</cols> - </field> - <field> <fielddescr>Custom mod_security rules</fielddescr> <fieldname>modsecuritycustom</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste any custom mod_security rules that you would like to use</description> <type>textarea</type> - <rows>10</rows> - <cols>75</cols> + <encoding>base64</encoding> + <rows>10</rows> + <cols>90</cols> </field> </fields> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml index 54738d83..7477e540 100644 --- a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml +++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml @@ -82,6 +82,7 @@ <fielddescr>Description</fielddescr> <fieldname>description</fieldname> </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> @@ -141,4 +142,4 @@ apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_settings.xml b/config/apache_mod_security-dev/apache_mod_security_settings.xml index 985f6bcc..bbc7da4a 100644 --- a/config/apache_mod_security-dev/apache_mod_security_settings.xml +++ b/config/apache_mod_security-dev/apache_mod_security_settings.xml @@ -101,7 +101,6 @@ <fielddescr>Max request per IP</fielddescr> <fieldname>SecReadStateLimit</fieldname> <description> - //274 <![CDATA[This option limits number of POSTS accepted from same IP address and help prevent the effects of a Slowloris-type of attack.<br> More info about this attack can be found here: http://en.wikipedia.org/wiki/Slowloris ]]> @@ -124,6 +123,36 @@ <size>10</size> </field> <field> + <name>mod_security crs 10 setup</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>mod_security crs 10 setup</fielddescr> + <fieldname>crs10</fieldname> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[<b>modsecurity_crs_10_setup.conf file.</b><br>Leave empty to load setup defaults.]]></description> + <type>textarea</type> + <encoding>base64</encoding> + <rows>15</rows> + <cols>90</cols> + </field> + <field> + <name>Custom mod_security ErrorDocument</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Custom mod_security ErrorDocument</fielddescr> + <fieldname>errordocument</fieldname> + <dontdisplayname/> + <usecolspan2/> + <description>Custom mod_security ErrorDocument.</description> + <type>textarea</type> + <encoding>base64</encoding> + <rows>10</rows> + <cols>90</cols> + </field> + <field> <name>Modsecurity addons</name> <type>listtopic</type> </field> @@ -164,4 +193,4 @@ apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_sync.xml b/config/apache_mod_security-dev/apache_mod_security_sync.xml index 0d8d8c8f..7ecfb68e 100755 --- a/config/apache_mod_security-dev/apache_mod_security_sync.xml +++ b/config/apache_mod_security-dev/apache_mod_security_sync.xml @@ -68,8 +68,30 @@ <field> <fielddescr>Automatically sync apache configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>Automatically sync apache changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for Apache + ModSecurity.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>250 seconds</name><value>250</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> diff --git a/config/apache_mod_security-dev/apache_mod_security_view_logs.php b/config/apache_mod_security-dev/apache_mod_security_view_logs.php index 1956a217..669c71f4 100755 --- a/config/apache_mod_security-dev/apache_mod_security_view_logs.php +++ b/config/apache_mod_security-dev/apache_mod_security_view_logs.php @@ -68,7 +68,7 @@ include("head.inc"); <?php $tab_array = array(); $tab_array[] = array(gettext("Apache"), false, "/pkg_edit.php?xml=apache_settings.xml&id=0"); - $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml"); + $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml"); $tab_array[] = array(gettext("Backends"), false, "/pkg.php?xml=apache_mod_security_backends.xml",2); $tab_array[] = array(gettext("VirtualHosts"), false, "/pkg.php?xml=apache_mod_security.xml",2); diff --git a/config/apache_mod_security-dev/apache_settings.xml b/config/apache_mod_security-dev/apache_settings.xml index 20ba59c2..1dd4bc78 100644 --- a/config/apache_mod_security-dev/apache_settings.xml +++ b/config/apache_mod_security-dev/apache_settings.xml @@ -10,7 +10,7 @@ apache_mod_security_settings.xml part of apache_mod_security package (http://www.pfSense.com) Copyright (C) 2008, 2009, 2010 Scott Ullrich - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -68,7 +68,12 @@ <tab_level>2</tab_level> </tab> <tab> - <text>Virutal Hosts</text> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> <url>/pkg.php?xml=apache_virtualhost.xml</url> <tab_level>2</tab_level> </tab> @@ -88,36 +93,35 @@ <fieldname>globalsiteadminemail</fieldname> <description>Enter the site administrators e-mail address</description> <type>input</type> + <size>25</size> </field> <field> <fielddescr>Server hostname</fielddescr> <fieldname>hostname</fieldname> <description> - <![CDATA[Enter the servers hostname<br/ + <![CDATA[Enter the servers hostname<br> NOTE: Leave blank to use this devices hostname.]]> </description> <type>input</type> + <size>25</size> </field> <field> <fielddescr>Default Bind to IP Address</fielddescr> <fieldname>globalbindtoipaddr</fieldname> <description> - <![CDATA[ - This is the IP address the Proxy Server will listen on. - <br/> - NOTE: Leave blank to bind to * - ]]> + <![CDATA[This is the IP address the Proxy Server will listen on.]]> </description> - <type>input</type> + <type>interfaces_selection</type> + <showlistenall/> + <showvirtualips/> + <showips/> </field> <field> <fielddescr>Default Bind to port</fielddescr> <fieldname>globalbindtoport</fieldname> <description> - <![CDATA[ - This is the port the Proxy Server will listen on.<br> - NOTE: Leave blank to bind to 80 - ]]> + <![CDATA[This is the port the Proxy Server will listen on.<br> + NOTE: Leave blank to bind to 80]]> </description> <type>input</type> <size>5</size> @@ -278,9 +282,42 @@ <type>input</type> <size>10</size> </field> + <field> + <name>Status Page</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Status Page</fielddescr> + <fieldname>statuspage</fieldname> + <description> + <![CDATA[Enable a status page for Apache and Mod_proxy. Access http://DefaultBindIP:DefaultBindPort/status-server]]> + </description> + <type>select</type> + <options> + <option><name>Disabled (Default)</name><value>off</value></option> + <option><name>Enabled</name><value>on</value></option> + </options> + </field> + <field> + <fielddescr>Extended Status</fielddescr> + <fieldname>extendedstatuspage</fieldname> + <description> + <![CDATA[Keep track of extended status information for each request]]> + </description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Status Page ACL</fielddescr> + <fieldname>netaccessstatus</fieldname> + <description> + <![CDATA[Networks that can access apache status page. Ex: 172.16.1.0/24<br> + NOTE: Leave blank to allow access from any ip.(Not recommended for security reasons)]]> + </description> + <type>input</type> + </field> </fields> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php index da82baaa..10bb1db6 100644 --- a/config/apache_mod_security-dev/apache_view_logs.php +++ b/config/apache_mod_security-dev/apache_view_logs.php @@ -42,7 +42,7 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; -$pgtitle = "Status: Apache Vhosts Logs"; +$pgtitle = "Status: Apache VirtualHost Logs"; include("head.inc"); ?> @@ -96,7 +96,7 @@ function showLog(content,url,logtype) <?php $tab_array = array(); $tab_array[] = array(gettext("Apache"), true, "/pkg_edit.php?xml=apache_settings.xml&id=0"); - $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml"); + $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml"); display_top_tabs($tab_array); ?> @@ -106,6 +106,7 @@ function showLog(content,url,logtype) unset ($tab_array); $tab_array[] = array(gettext("Daemon Options"), false, "pkg_edit.php?xml=apache_settings.xml"); $tab_array[] = array(gettext("Backends / Balancers"), false, "/pkg.php?xml=apache_balancer.xml"); + $tab_array[] = array(gettext("Location(s)"), false, "/pkg.php?xml=apache_location.xml"); $tab_array[] = array(gettext("Virtual Hosts"), false, "/pkg.php?xml=apache_virtualhost.xml"); $tab_array[] = array(gettext("Logs"), true, "/apache_view_logs.php"); display_top_tabs($tab_array); @@ -171,8 +172,8 @@ function showLog(content,url,logtype) </tbody> </table> </form> - <div id="bowserinfo" style='padding: 5px; border: 1px dashed #990000; font-weight:bold; font-size: 0.9em; text-align: center; margin: 1px; display:block; height: 12px;'> - <span><span> + <div id="browserinfo" style='padding: 5px; border: 1px dashed #990000; font-weight:bold; font-size: 0.9em; text-align: center; margin: 1px; display:block; height: 12px;'> + <span></span> </div> <!-- Squid Table --> <table width="100%" border="0" cellpadding="0" cellspacing="0"> diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml index f971b570..747ef975 100644 --- a/config/apache_mod_security-dev/apache_virtualhost.xml +++ b/config/apache_mod_security-dev/apache_virtualhost.xml @@ -4,40 +4,41 @@ <packagegui> <copyright> <![CDATA[ - /* $Id$ */ - /* ========================================================================== */ - /* - apache_virtualhost.xml - part of apache_mod_security package (http://www.pfSense.com) - Copyright (C)2009, 2010 Scott Ullrich - Copyright (C)2012 Marcello Coutinho - All rights reserved. - */ - /* ========================================================================== */ - /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: +/* $Id$ */ +/* ========================================================================== */ +/* + apache_virtualhost.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C)2009, 2010 Scott Ullrich + Copyright (C)2012 Marcello Coutinho + Copyright (C)2013 Stephane Lapie <stephane.lapie@asahinet.com> + All rights reserved. +*/ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form MUST reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - /* ========================================================================== */ - ]]> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* ========================================================================== */ +]]> </copyright> <name>apachevirtualhost</name> <version>1.0</version> @@ -113,6 +114,16 @@ <chmod>0644</chmod> <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_view_logs.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/apache_mod_security-dev/pkg_apache.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/apache_mod_security-dev/apache_location.xml</item> + </additional_files_needed> <tabs> <tab> <text>Apache</text> @@ -138,7 +149,12 @@ <tab_level>2</tab_level> </tab> <tab> - <text>Virutal Hosts</text> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> <url>/pkg.php?xml=apache_virtualhost.xml</url> <tab_level>2</tab_level> <active/> @@ -150,9 +166,12 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Status</fielddescr> <fieldname>enable</fieldname> + <listmodeon>Enabled</listmodeon> + <listmodeoff>Disabled</listmodeoff> </columnitem> <columnitem> <fielddescr>Iface</fielddescr> @@ -193,17 +212,14 @@ <description>Select protocols that this virtual host will accept connections</description> <type>select</type> <options> - <option><name>HTTP</name><value>http</value></option> - <option><name>HTTPS</name><value>https</value></option> + <option><name>HTTP</name><value>http</value></option> + <option><name>HTTPS</name><value>https</value></option> </options> </field> <field> <fielddescr>Server Name(s)</fielddescr> <fieldname>primarysitehostname</fieldname> - <description> - <![CDATA[Enter hostnames one per line in FQDN format for this website (e.g. www.example.com)<br/> - Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]> - </description> + <description><![CDATA[Enter hostnames one per line in FQDN format for this website (e.g. www.example.com)<br/>Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]></description> <cols>40</cols> <rows>2</rows> <type>textarea</type> @@ -230,34 +246,28 @@ <fielddescr>Site Webmaster E-Mail address</fielddescr> <fieldname>siteemail</fieldname> <size>50</size> - <description> - <![CDATA[ - Enter the Webmaster E-Mail address for this site. - ]]> - </description> + <description><![CDATA[Enter the Webmaster E-Mail address for this site.]]></description> <type>input</type> </field> <field> <fielddescr>Site description</fielddescr> <fieldname>description</fieldname> <size>50</size> - <description> - <![CDATA[Enter a site description]]> - </description> + <description><![CDATA[Enter a site description]]></description> <type>input</type> </field> <field> <fielddescr>HTTPS SSL certificate</fielddescr> <fieldname>ssl_cert</fieldname> <description>Choose the SSL Server Certificate here.</description> - <type>select_source</type> + <type>select_source</type> <source><![CDATA[$config['cert']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> <show_disable_value>none</show_disable_value> </field> <field> - <fielddescr>intermediate CA certificate(optional)</fielddescr> + <fielddescr>Intermediate CA certificate (optional)</fielddescr> <fieldname>reverse_int_ca</fieldname> <description>Select intermediate CA assigned to certificate. Not all certificates require this.</description> <type>select_source</type> @@ -271,82 +281,19 @@ <![CDATA[Location(s)]]> </fielddescr> <fieldname>locations</fieldname> - <type>rowhelper</type> - <rowhelper> - <rowhelperfield> - <fielddescr><![CDATA[gzip?]]></fielddescr> - <fieldname>compress</fieldname> - <description>Compress data to save bandwidth?</description> - <type>select</type> - <options> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> - </options> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[site path]]></fielddescr> - <fieldname>sitepath</fieldname> - <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description> - <type>input</type> - <size>5</size> - </rowhelperfield> + <type>rowhelper</type> + <rowhelper> <rowhelperfield> - <fielddescr><![CDATA[Balancer]]></fielddescr> - <fieldname>balancer</fieldname> - <description>Server balancer / pool</description> - <source><![CDATA[$config['installedpackages']['apachebalancer']['config']]]></source> + <fielddescr><![CDATA[Location]]></fielddescr> + <fieldname>location</fieldname> + <description>Server Location</description> + <source><![CDATA[$config['installedpackages']['apachelocation']['config']]]></source> <source_name>name</source_name> <source_value>name</source_value> <show_disable_value>none</show_disable_value> <type>select_source</type> - <size>5</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>LbMethod</a>]]></fielddescr> - <fieldname>lbmethod</fieldname> - <description>Server balance method</description> - <type>select</type> - <options> - <option><name>byrequests</name><value>byrequests</value></option> - <option><name>bytraffic</name><value>bytraffic</value></option> - <option><name>bybusyness</name><value>bybusyness</value></option> - </options> </rowhelperfield> - <rowhelperfield> - <fielddescr>Backend path</fielddescr> - <fieldname>backendpath</fieldname> - <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description> - <type>input</type> - <size>5</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[ModSecurity]]></fielddescr> - <fieldname>modsecgroup</fieldname> - <description>Choose Modsecurity group to use on this virtual host.</description> - <type>select_source</type> - <source><![CDATA[$config['installedpackages']['apachemodsecuritygroups']['config']]]></source> - <source_name>name</source_name> - <source_value>name</source_value> - <show_disable_value>none</show_disable_value> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[Manipulations]]></fielddescr> - <fieldname>modsecmanipulation</fieldname> - <description>Choose Modsecurity group to use on this virtual host.</description> - <type>select_source</type> - <source><![CDATA[$config['installedpackages']['apachemodsecuritymanipulation']['config']]]></source> - <source_name>name</source_name> - <source_value>name</source_value> - <show_disable_value>none</show_disable_value> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'> Balancer options</a>]]></fielddescr> - <fieldname>options</fieldname> - <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description> - <type>input</type> - <size>5</size> - </rowhelperfield> - </rowhelper> + </rowhelper> </field> <field> <name>Logging</name> @@ -355,25 +302,19 @@ <field> <fielddescr>Preserve Proxy hostname</fielddescr> <fieldname>preserveproxyhostname</fieldname> - <description> - <![CDATA[ - When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address. - ]]> - </description> + <description><![CDATA[When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.]]></description> <type>checkbox</type> </field> <field> <fielddescr>Log file</fielddescr> <fieldname>logfile</fieldname> - <description> - <![CDATA[Enable access and error log for this virtual host.]]> - </description> + <description><![CDATA[Enable access and error log for this virtual host.]]></description> <type>select</type> - <options> - <option><name>Log to default apache log file</name><value>default</value></option> - <option><name>Create a log file for this site</name><value>create</value></option> - <option><name>Do not not this website</name><value>disabled</value></option> - </options> + <options> + <option><name>Log to default apache log file</name><value>default</value></option> + <option><name>Create a log file for this site</name><value>create</value></option> + <option><name>Do not log this website</name><value>disabled</value></option> + </options> </field> <field> <name>Custom Options</name> @@ -382,13 +323,14 @@ <field> <fielddescr>Custom Options</fielddescr> <fieldname>custom</fieldname> - <description>Paste extra apache config for this virtualhost. This is usefull for rewrite rules for example.</description> + <description>Pass extra Apache config for this VirtualHost. This is useful for Rewrite rules for example.</description> <type>textarea</type> - <cols>65</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> </field> - </fields> <service> <name>apache_mod_security</name> @@ -399,4 +341,4 @@ apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/pkg_apache.inc b/config/apache_mod_security-dev/pkg_apache.inc new file mode 100755 index 00000000..97fb2417 --- /dev/null +++ b/config/apache_mod_security-dev/pkg_apache.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['apache'] = array(); +$shortcuts['apache']['main'] = "pkg_edit.php?xml=apache_virtualhost.xml"; +$shortcuts['apache']['log'] = "diag_logs.php"; +$shortcuts['apache']['status'] = "status_services.php"; +$shortcuts['apache']['service'] = "apache_mod_security"; + +?> diff --git a/config/apcupsd/apcupsd.conf.php b/config/apcupsd/apcupsd.conf.php new file mode 100644 index 00000000..6a19b915 --- /dev/null +++ b/config/apcupsd/apcupsd.conf.php @@ -0,0 +1,362 @@ +<?php +/* + apcupsd.conf.php + part of the apcupsd package for pfSense + Copyright (C) 2013 Danilo G. Baio <dbaio@bsd.com.br> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ + +// create apcupsd.conf +$apcupsdconf=<<<EOF +## apcupsd.conf v1.1 ## +# +# for apcupsd release 3.14.10 (13 September 2011) - freebsd +# +# "apcupsd" POSIX config file + +# +# ========= General configuration parameters ============ +# + +# UPSNAME xxx +# Use this to give your UPS a name in log files and such. This +# is particulary useful if you have multiple UPSes. This does not +# set the EEPROM. It should be 8 characters or less. +UPSNAME {$upsname} + +# UPSCABLE <cable> +# Defines the type of cable connecting the UPS to your computer. +# +# Possible generic choices for <cable> are: +# simple, smart, ether, usb +# +# Or a specific cable model number may be used: +# 940-0119A, 940-0127A, 940-0128A, 940-0020B, +# 940-0020C, 940-0023A, 940-0024B, 940-0024C, +# 940-1524C, 940-0024G, 940-0095A, 940-0095B, +# 940-0095C, M-04-02-2000 +# +UPSCABLE {$upscable} + +# To get apcupsd to work, in addition to defining the cable +# above, you must also define a UPSTYPE, which corresponds to +# the type of UPS you have (see the Description for more details). +# You must also specify a DEVICE, sometimes referred to as a port. +# For USB UPSes, please leave the DEVICE directive blank. For +# other UPS types, you must specify an appropriate port or address. +# +# UPSTYPE DEVICE Description +# apcsmart /dev/tty** Newer serial character device, appropriate for +# SmartUPS models using a serial cable (not USB). +# +# usb <BLANK> Most new UPSes are USB. A blank DEVICE +# setting enables autodetection, which is +# the best choice for most installations. +# +# net hostname:port Network link to a master apcupsd through apcupsd's +# Network Information Server. This is used if the +# UPS powering your computer is connected to a +# different computer for monitoring. +# +# snmp hostname:port:vendor:community +# SNMP network link to an SNMP-enabled UPS device. +# Hostname is the ip address or hostname of the UPS +# on the network. Vendor can be can be "APC" or +# "APC_NOTRAP". "APC_NOTRAP" will disable SNMP trap +# catching; you usually want "APC". Port is usually +# 161. Community is usually "private". +# +# netsnmp hostname:port:vendor:community +# OBSOLETE +# Same as SNMP above but requires use of the +# net-snmp library. Unless you have a specific need +# for this old driver, you should use 'snmp' instead. +# +# dumb /dev/tty** Old serial character device for use with +# simple-signaling UPSes. +# +# pcnet ipaddr:username:passphrase:port +# PowerChute Network Shutdown protocol which can be +# used as an alternative to SNMP with the AP9617 +# family of smart slot cards. ipaddr is the IP +# address of the UPS management card. username and +# passphrase are the credentials for which the card +# has been configured. port is the port number on +# which to listen for messages from the UPS, normally +# 3052. If this parameter is empty or missing, the +# default of 3052 will be used. +# +UPSTYPE {$upstype} + +# POLLTIME <int> +# Interval (in seconds) at which apcupsd polls the UPS for status. This +# setting applies both to directly-attached UPSes (UPSTYPE apcsmart, usb, +# dumb) and networked UPSes (UPSTYPE net, snmp). Lowering this setting +# will improve apcupsd's responsiveness to certain events at the cost of +# higher CPU utilization. The default of 60 is appropriate for most +# situations. +POLLTIME {$polltime} + +# LOCKFILE <path to lockfile> +# Path for device lock file. Not used on Win32. +LOCKFILE /var/spool/lock + +# SCRIPTDIR <path to script directory> +# Directory in which apccontrol and event scripts are located. +SCRIPTDIR /usr/local/etc/apcupsd + +# PWRFAILDIR <path to powerfail directory> +# Directory in which to write the powerfail flag file. This file +# is created when apcupsd initiates a system shutdown and is +# checked in the OS halt scripts to determine if a killpower +# (turning off UPS output power) is required. +PWRFAILDIR /var/run + +# NOLOGINDIR <path to nologin directory> +# Directory in which to write the nologin file. The existence +# of this flag file tells the OS to disallow new logins. +NOLOGINDIR /var/run + + +# +# ======== Configuration parameters used during power failures ========== +# + +# The ONBATTERYDELAY is the time in seconds from when a power failure +# is detected until we react to it with an onbattery event. +# +# This means that, apccontrol will be called with the powerout argument +# immediately when a power failure is detected. However, the +# onbattery argument is passed to apccontrol only after the +# ONBATTERYDELAY time. If you don't want to be annoyed by short +# powerfailures, make sure that apccontrol powerout does nothing +# i.e. comment out the wall. +ONBATTERYDELAY {$onbatterydelay} + +# +# Note: BATTERYLEVEL, MINUTES, and TIMEOUT work in conjunction, so +# the first that occurs will cause the initation of a shutdown. +# + +# If during a power failure, the remaining battery percentage +# (as reported by the UPS) is below or equal to BATTERYLEVEL, +# apcupsd will initiate a system shutdown. +BATTERYLEVEL {$batterylevel} + +# If during a power failure, the remaining runtime in minutes +# (as calculated internally by the UPS) is below or equal to MINUTES, +# apcupsd, will initiate a system shutdown. +MINUTES {$minutes} + +# If during a power failure, the UPS has run on batteries for TIMEOUT +# many seconds or longer, apcupsd will initiate a system shutdown. +# A value of 0 disables this timer. +# +# Note, if you have a Smart UPS, you will most likely want to disable +# this timer by setting it to zero. That way, you UPS will continue +# on batteries until either the % charge remaing drops to or below BATTERYLEVEL, +# or the remaining battery runtime drops to or below MINUTES. Of course, +# if you are testing, setting this to 60 causes a quick system shutdown +# if you pull the power plug. +# If you have an older dumb UPS, you will want to set this to less than +# the time you know you can run on batteries. +TIMEOUT {$timeout} + +# Time in seconds between annoying users to signoff prior to +# system shutdown. 0 disables. +ANNOY {$annoy} + +# Initial delay after power failure before warning users to get +# off the system. +ANNOYDELAY {$annoydelay} + +# The condition which determines when users are prevented from +# logging in during a power failure. +# NOLOGON <string> [ disable | timeout | percent | minutes | always ] +NOLOGON disable + +# If KILLDELAY is non-zero, apcupsd will continue running after a +# shutdown has been requested, and after the specified time in +# seconds attempt to kill the power. This is for use on systems +# where apcupsd cannot regain control after a shutdown. +# KILLDELAY <seconds> 0 disables +KILLDELAY {$killdelay} + +# +# ==== Configuration statements for Network Information Server ==== +# + +# NETSERVER [ on | off ] on enables, off disables the network +# information server. If netstatus is on, a network information +# server process will be started for serving the STATUS and +# EVENT data over the network (used by CGI programs). +NETSERVER {$netserver} + +# NISIP <dotted notation ip address> +# IP address on which NIS server will listen for incoming connections. +# This is useful if your server is multi-homed (has more than one +# network interface and IP address). Default value is 0.0.0.0 which +# means any incoming request will be serviced. Alternatively, you can +# configure this setting to any specific IP address of your server and +# NIS will listen for connections only on that interface. Use the +# loopback address (127.0.0.1) to accept connections only from the +# local machine. +NISIP ${nisip} + +# NISPORT <port> default is 3551 as registered with the IANA +# port to use for sending STATUS and EVENTS data over the network. +# It is not used unless NETSERVER is on. If you change this port, +# you will need to change the corresponding value in the cgi directory +# and rebuild the cgi programs. +NISPORT ${nisport} + +# If you want the last few EVENTS to be available over the network +# by the network information server, you must define an EVENTSFILE. +EVENTSFILE /var/log/apcupsd.events + +# EVENTSFILEMAX <kilobytes> +# By default, the size of the EVENTSFILE will be not be allowed to exceed +# 10 kilobytes. When the file grows beyond this limit, older EVENTS will +# be removed from the beginning of the file (first in first out). The +# parameter EVENTSFILEMAX can be set to a different kilobyte value, or set +# to zero to allow the EVENTSFILE to grow without limit. +EVENTSFILEMAX 10 + +# +# ========== Configuration statements used if sharing ============= +# a UPS with more than one machine + +# +# Remaining items are for ShareUPS (APC expansion card) ONLY +# + +# UPSCLASS [ standalone | shareslave | sharemaster ] +# Normally standalone unless you share an UPS using an APC ShareUPS +# card. +UPSCLASS {$upsclass} + +# UPSMODE [ disable | share ] +# Normally disable unless you share an UPS using an APC ShareUPS card. +UPSMODE {$upsmode} + +# +# ===== Configuration statements to control apcupsd system logging ======== +# + +# Time interval in seconds between writing the STATUS file; 0 disables +STATTIME 0 + +# Location of STATUS file (written to only if STATTIME is non-zero) +STATFILE /var/log/apcupsd.status + +# LOGSTATS [ on | off ] on enables, off disables +# Note! This generates a lot of output, so if +# you turn this on, be sure that the +# file defined in syslog.conf for LOG_NOTICE is a named pipe. +# You probably do not want this on. +LOGSTATS off + +# Time interval in seconds between writing the DATA records to +# the log file. 0 disables. +DATATIME 0 + +# FACILITY defines the logging facility (class) for logging to syslog. +# If not specified, it defaults to "daemon". This is useful +# if you want to separate the data logged by apcupsd from other +# programs. +#FACILITY DAEMON + +# +# ========== Configuration statements used in updating the UPS EPROM ========= +# + +# +# These statements are used only by apctest when choosing "Set EEPROM with conf +# file values" from the EEPROM menu. THESE STATEMENTS HAVE NO EFFECT ON APCUPSD. +# + +# UPS name, max 8 characters +#UPSNAME UPS_IDEN + +# Battery date - 8 characters +#BATTDATE mm/dd/yy + +# Sensitivity to line voltage quality (H cause faster transfer to batteries) +# SENSITIVITY H M L (default = H) +#SENSITIVITY H + +# UPS delay after power return (seconds) +# WAKEUP 000 060 180 300 (default = 0) +#WAKEUP 60 + +# UPS Grace period after request to power off (seconds) +# SLEEP 020 180 300 600 (default = 20) +#SLEEP 180 + +# Low line voltage causing transfer to batteries +# The permitted values depend on your model as defined by last letter +# of FIRMWARE or APCMODEL. Some representative values are: +# D 106 103 100 097 +# M 177 172 168 182 +# A 092 090 088 086 +# I 208 204 200 196 (default = 0 => not valid) +#LOTRANSFER 208 + +# High line voltage causing transfer to batteries +# The permitted values depend on your model as defined by last letter +# of FIRMWARE or APCMODEL. Some representative values are: +# D 127 130 133 136 +# M 229 234 239 224 +# A 108 110 112 114 +# I 253 257 261 265 (default = 0 => not valid) +#HITRANSFER 253 + +# Battery charge needed to restore power +# RETURNCHARGE 00 15 50 90 (default = 15) +#RETURNCHARGE 15 + +# Alarm delay +# 0 = zero delay after pwr fail, T = power fail + 30 sec, L = low battery, N = never +# BEEPSTATE 0 T L N (default = 0) +#BEEPSTATE T + +# Low battery warning delay in minutes +# LOWBATT 02 05 07 10 (default = 02) +#LOWBATT 2 + +# UPS Output voltage when running on batteries +# The permitted values depend on your model as defined by last letter +# of FIRMWARE or APCMODEL. Some representative values are: +# D 115 +# M 208 +# A 100 +# I 230 240 220 225 (default = 0 => not valid) +#OUTPUTVOLTS 230 + +# Self test interval in hours 336=2 weeks, 168=1 week, ON=at power on +# SELFTEST 336 168 ON OFF (default = 336) +#SELFTEST 336 +EOF; +?> diff --git a/config/apcupsd/apcupsd.inc b/config/apcupsd/apcupsd.inc new file mode 100644 index 00000000..9abc23ba --- /dev/null +++ b/config/apcupsd/apcupsd.inc @@ -0,0 +1,191 @@ +<?php +/* $Id$ */ +/* ========================================================================== */ +/* + apcupsd.inc + part of the apcupsd package for pfSense + Copyright (C) 2013 Danilo G. Baio <dbaio@bsd.com.br> + + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ +require_once("util.inc"); +require_once("functions.inc"); +require_once("pkg-utils.inc"); +require_once("globals.inc"); + +function php_install_apcupsd(){ + sync_package_apcupsd(); +} + +function php_deinstall_apcupsd(){ + global $config, $g; + + conf_mount_rw(); + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('APCUPSD_BASE', '/usr/pbi/apcupsd-' . php_uname("m")); + } else { + define('APCUPSD_BASE', '/usr/local'); + } + + exec("/usr/bin/killall apcupsd"); + unlink_if_exists(APCUPSD_BASE . "/etc/rc.d/apcupsd.sh"); + unlink_if_exists(APCUPSD_BASE . "/etc/apcupsd/apcupsd.conf"); + unlink_if_exists("/var/log/apcupsd/apcupsd.log"); + unlink_if_exists("/var/run/apcupsd/apcupsd.pid"); + + if (is_dir("/var/log/apcupsd")) + exec("/bin/rm -r /var/log/apcupsd/"); + if (is_dir("/var/run/apcupsd")) + exec("/bin/rm -r /var/run/apcupsd/"); + + conf_mount_ro(); +} + +function validate_input_apcupsd($post,&$input_errors){ + + if (isset($post['apcupsdenabled'])){ + + if ($post['polltime'] != '' && !is_numericint($post['polltime'])) { + $input_errors[]='Poll Time is not numeric.'; + } + + if ($post['onbatterydelay'] != '' && !is_numericint($post['onbatterydelay'])) { + $input_errors[]='OnBattery Delay is not numeric.'; + } + + if ($post['batterylevel'] != '' && !is_numericint($post['batterylevel'])) { + $input_errors[]='Battery Level is not numeric.'; + } + + if ($post['minutes'] != '' && !is_numericint($post['minutes'])) { + $input_errors[]='Minutes is not numeric.'; + } + + if ($post['timeout'] != '' && !is_numericint($post['timeout'])) { + $input_errors[]='Timeout is not numeric.'; + } + + if ($post['annoy'] != '' && !is_numericint($post['annoy'])) { + $input_errors[]='Annoy is not numeric.'; + } + + if ($post['annoydelay'] != '' && !is_numericint($post['annoydelay'])) { + $input_errors[]='Annoy Delay is not numeric.'; + } + + if ($post['killdelay'] != '' && !is_numericint($post['killdelay'])) { + $input_errors[]='Kill Delay is not numeric.'; + } + + if ($post['nisip'] != '') { + if (!is_ipaddr_configured($post['nisip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['nisip'])) { + $input_errors[]='NIS Ip is not a configured IP address.'; + } + } + + if ($post['nisport'] != '') { + if (!preg_match("/^\d+$/", $post['nisport'])) { + $input_errors[]='NIS Port is not numeric.'; + } + } + + } // apcupsdenabled +} + +function sync_package_apcupsd(){ + global $config, $g; + + conf_mount_rw(); + + // check pfsense version + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('APCUPSD_BASE', '/usr/pbi/apcupsd-' . php_uname("m")); + } + else { + define('APCUPSD_BASE', '/usr/local'); + } + + // check apcupsd settings + if (is_array($config['installedpackages']['apcupsd'])){ + $apcupsd_config = $config['installedpackages']['apcupsd']['config'][0]; + if ($apcupsd_config['apcupsdenabled']=="on"){ + $upsname=$apcupsd_config['upsname']; + $upscable=$apcupsd_config['upscable']; + $upstype=$apcupsd_config['upstype']; + $polltime=($apcupsd_config['polltime'] != ''? $apcupsd_config['polltime'] : "60"); + $onbatterydelay=($apcupsd_config['onbatterydelay'] != ''? $apcupsd_config['onbatterydelay'] : "6"); + $batterylevel=($apcupsd_config['batterylevel'] != ''? $apcupsd_config['batterylevel'] : "5"); + $minutes=($apcupsd_config['minutes'] != ''? $apcupsd_config['minutes'] : "3"); + $timeout=($apcupsd_config['timeout'] != ''? $apcupsd_config['timeout'] : "0"); + $annoy=($apcupsd_config['annoy'] != ''? $apcupsd_config['annoy'] : "300"); + $annoydelay=($apcupsd_config['annoydelay'] != ''? $apcupsd_config['annoydelay'] : "60"); + $killdelay=($apcupsd_config['killdelay'] != ''? $apcupsd_config['killdelay'] : "0"); + $netserver=$apcupsd_config['netserver']; + $nisip=($apcupsd_config['nisip'] != ''? $apcupsd_config['nisip'] : "0.0.0.0"); + $nisport=($apcupsd_config['nisport'] != ''? $apcupsd_config['nisport'] : "3551"); + $upsclass=$apcupsd_config['upsclass']; + $upsmode=$apcupsd_config['upsmode']; + + include("/usr/local/pkg/apcupsd.conf.php"); + file_put_contents(APCUPSD_BASE . "/etc/apcupsd/apcupsd.conf", $apcupsdconf, LOCK_EX); + } + } + + // RC FILE + $apcupsd_rcfile="/usr/local/etc/rc.d/apcupsd.sh"; + if (is_array($apcupsd_config) && $apcupsd_config['apcupsdenabled']=="on"){ + $apcupsd_start = "echo \"Starting APC UPS Daemon...\"\n"; + if ($apcupsd_config['killonpowerfail']=="on"){ + $apcupsd_start .= " " . APCUPSD_BASE . "/sbin/apcupsd --kill-on-powerfail"; + }else{ + $apcupsd_start .= " " . APCUPSD_BASE . "/sbin/apcupsd"; + } + + $apcupsd_stop = "echo \"Stopping APC UPS Daemon...\"\n"; + $apcupsd_stop .= " /usr/bin/killall apcupsd\n"; + $apcupsd_stop .= " /bin/sleep 5"; + + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "apcupsd.sh", + "start" => "$apcupsd_start", + "stop" => "$apcupsd_stop" + ) + ); + mwexec("{$apcupsd_rcfile} restart"); + }else{ + if (file_exists($apcupsd_rcfile)){ + mwexec("{$apcupsd_rcfile} stop"); + unlink($apcupsd_rcfile); + } + } + + conf_mount_ro(); +} +?> diff --git a/config/apcupsd/apcupsd.xml b/config/apcupsd/apcupsd.xml new file mode 100644 index 00000000..8674af61 --- /dev/null +++ b/config/apcupsd/apcupsd.xml @@ -0,0 +1,333 @@ +<?xml version="1.0" encoding="utf-8"?> +<packagegui> +<copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apcupsd.xml + part of the apcupsd package for pfSense + Copyright (C) 2013 Danilo G. Baio <dbaio@bsd.com.br> + + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <name>Apcupsd</name> + <title>Services: Apcupsd (General)</title> + <category>Monitoring</category> + <version>0.1</version> + <include_file>/usr/local/pkg/apcupsd.inc</include_file> + <addedit_string>Apcupsd has been created/modified.</addedit_string> + <delete_string>Apcupsd has been deleted.</delete_string> + <restart_command>/usr/local/etc/rc.d/apcupsd.sh restart</restart_command> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/apcupsd/apcupsd.inc</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/apcupsd/apcupsd_status.php</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> + <item>http://www.pfsense.org/packages/config/apcupsd/apcupsd.conf.php</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <menu> + <name>Apcupsd</name> + <tooltiptext>Setup Apcupsd specific settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=apcupsd.xml&id=0</url> + </menu> + <service> + <name>apcupsd</name> + <rcfile>apcupsd.sh</rcfile> + <executable>apcupsd</executable> + <description>Apcupsd a daemon for controlling APC UPSes</description> + </service> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=apcupsd.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Status</text> + <url>apcupsd_status.php</url> + </tab> + </tabs> + <fields> + <field> + <name>General configuration parameters</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable</fielddescr> + <fieldname>apcupsdenabled</fieldname> + <description>Enable APC UPS Daemon service</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>UPS Name</fielddescr> + <fieldname>upsname</fieldname> + <description>Use this to give your UPS a name in log files and such</description> + <type>input</type> + <size>60</size> + <required>true</required> + </field> + <field> + <fielddescr>UPS Cable</fielddescr> + <fieldname>upscable</fieldname> + <description><![CDATA[Defines the type of cable connecting the UPS to your computer.<br> +<br> +Possible generic choices for <cable> are:<br> + simple, smart, ether, usb<br> +<br> +Or a specific cable model number may be used:<br> + 940-0119A, 940-0127A, 940-0128A, 940-0020B,<br> + 940-0020C, 940-0023A, 940-0024B, 940-0024C,<br> + 940-1524C, 940-0024G, 940-0095A, 940-0095B,<br> + 940-0095C, M-04-02-2000 + ]]></description> + <type>input</type> + <size>60</size> + <required>true</required> + </field> + <field> + <fielddescr>UPS Type / Device</fielddescr> + <fieldname>upstype</fieldname> + <description><![CDATA[To get apcupsd to work, in addition to defining the cable +above, you must also define a UPSTYPE, which corresponds to +the type of UPS you have (see the Description for more details). +You must also specify a DEVICE, sometimes referred to as a port. +For USB UPSes, please leave the DEVICE directive blank. For +other UPS types, you must specify an appropriate port or address.<br> +<br> +UPSTYPE DEVICE Description <br> +<br> +<strong>apcsmart /dev/tty**</strong> Newer serial character device, appropriate for + SmartUPS models using a serial cable (not USB).<br> +<br> +<strong>usb BLANK</strong> Most new UPSes are USB. A blank DEVICE + setting enables autodetection, which is + the best choice for most installations.<br> +<br> +<strong>net hostname:port</strong> Network link to a master apcupsd through apcupsd's + Network Information Server. This is used if the + UPS powering your computer is connected to a + different computer for monitoring.<br> +<br> +<strong>snmp hostname:port:vendor:community</strong> + SNMP network link to an SNMP-enabled UPS device. + Hostname is the ip address or hostname of the UPS + on the network. Vendor can be can be "APC" or + "APC_NOTRAP". "APC_NOTRAP" will disable SNMP trap + catching; you usually want "APC". Port is usually + 161. Community is usually "private".<br> +<br> +<strong>netsnmp hostname:port:vendor:community</strong> + OBSOLETE + Same as SNMP above but requires use of the + net-snmp library. Unless you have a specific need + for this old driver, you should use 'snmp' instead.<br> +<br> +<strong>dumb /dev/tty**</strong> Old serial character device for use with + simple-signaling UPSes.<br> +<br> +<strong>pcnet ipaddr:username:passphrase:port</strong> + PowerChute Network Shutdown protocol which can be + used as an alternative to SNMP with the AP9617 + family of smart slot cards. ipaddr is the IP + address of the UPS management card. username and + passphrase are the credentials for which the card + has been configured. port is the port number on + which to listen for messages from the UPS, normally + 3052. If this parameter is empty or missing, the + default of 3052 will be used.<br> +<br> + ]]></description> + <type>input</type> + <size>60</size> + <required>true</required> + </field> + <field> + <fielddescr>Poll Time</fielddescr> + <fieldname>polltime</fieldname> + <description>Interval (in seconds) at which apcupsd polls the UPS for status. Default is 60</description> + <type>input</type> + <size>10</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>Kill on Power Fail</fielddescr> + <fieldname>killonpowerfail</fieldname> + <description>Hibernate UPS on powerfail</description> + <type>checkbox</type> + </field> + <field> + <name>Configuration parameters used during power failures</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>OnBattery Delay</fielddescr> + <fieldname>onbatterydelay</fieldname> + <description>Time in seconds from when a power failure is detected until we react to it with an onbattery event. Default is 6</description> + <type>input</type> + <size>10</size> + <default_value>6</default_value> + </field> + <field> + <fielddescr>Battery Level</fielddescr> + <fieldname>batterylevel</fieldname> + <description>If during a power failure, the remaining battery percentage (as reported by the UPS) is + below or equal to BATTERYLEVEL, apcupsd will initiate a system shutdown. Default is 5</description> + <type>input</type> + <size>10</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Minutes</fielddescr> + <fieldname>minutes</fieldname> + <description>If during a power failure, the remaining runtime in minutes (as calculated internally + by the UPS) is below or equal to MINUTES, apcupsd, will initiate a system shutdown. Default is 3</description> + <type>input</type> + <size>10</size> + <default_value>3</default_value> + </field> + <field> + <fielddescr>Timeout</fielddescr> + <fieldname>timeout</fieldname> + <description>If during a power failure, the UPS has run on batteries for TIMEOUT many seconds + or longer, apcupsd will initiate a system shutdown. A value of 0 (default) disables this timer</description> + <type>input</type> + <size>10</size> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Annoy</fielddescr> + <fieldname>annoy</fieldname> + <description>Time in seconds between annoying users to signoff prior to system shutdown. 0 disables. Default is 300</description> + <type>input</type> + <size>10</size> + <default_value>300</default_value> + </field> + <field> + <fielddescr>Annoy Delay</fielddescr> + <fieldname>annoydelay</fieldname> + <description>Initial delay after power failure before warning users to get off the system. Default is 60</description> + <type>input</type> + <size>10</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>Kill Delay</fielddescr> + <fieldname>killdelay</fieldname> + <description>If KILLDELAY is non-zero, apcupsd will continue running after a shutdown has been + requested, and after the specified time in seconds attempt to kill the power. This is for use + on systems where apcupsd cannot regain control after a shutdown. 0 disables (default)</description> + <type>input</type> + <size>10</size> + <default_value>0</default_value> + </field> + <field> + <name>Configuration statements for Network Information Server</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Net Server</fielddescr> + <fieldname>netserver</fieldname> + <description>If netstatus is on, a network information server process will be started for serving + the STATUS and EVENT data over the network (used by CGI programs)</description> + <type>select</type> + <default_value>on</default_value> + <options> + <option><name>On</name><value>on</value></option> + <option><name>Off</name><value>off</value></option> + </options> + </field> + <field> + <fielddescr>NIS Ip</fielddescr> + <fieldname>nisip</fieldname> + <description>IP address on which NIS server will listen for incoming connections. Default value is + 0.0.0.0 which means any incoming request will be serviced. Alternatively, you can configure this + setting to any specific IP address of your server and NIS will listen for connections only on that + interface. Use the loopback address (127.0.0.1) to accept connections only from the local machine</description> + <type>input</type> + <size>10</size> + <default_value>0.0.0.0</default_value> + </field> + <field> + <fielddescr>NIS Port</fielddescr> + <fieldname>nisport</fieldname> + <description>Port to use for sending STATUS and EVENTS data over the network. + It is not used unless NETSERVER is on. If you change this port, + you will need to change the corresponding value in the cgi directory + and rebuild the cgi programs. Default is 3551 as registered with the IANA</description> + <type>input</type> + <size>10</size> + <default_value>3551</default_value> + </field> + <field> + <name>Configuration statements used if sharing</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>UPS Class</fielddescr> + <fieldname>upsclass</fieldname> + <description>Normally standalone unless you share an UPS using an APC ShareUPS card</description> + <type>select</type> + <default_value>standalone</default_value> + <options> + <option><name>Standalone</name><value>standalone</value></option> + <option><name>Share Master</name><value>sharemaster</value></option> + <option><name>Share Slave</name><value>shareslave</value></option> + </options> + </field> + <field> + <fielddescr>UPS Mode</fielddescr> + <fieldname>upsmode</fieldname> + <description>Normally disable unless you share an UPS using an APC ShareUPS card</description> + <type>select</type> + <default_value>disable</default_value> + <options> + <option><name>Disable</name><value>disable</value></option> + <option><name>Share</name><value>share</value></option> + </options> + </field> + </fields> + <custom_php_install_command>sync_package_apcupsd();</custom_php_install_command> + <custom_php_command_before_form></custom_php_command_before_form> + <custom_php_after_head_command></custom_php_after_head_command> + <custom_php_after_form_command></custom_php_after_form_command> + <custom_php_validation_command>validate_input_apcupsd($_POST, &$input_errors);</custom_php_validation_command> + <custom_add_php_command></custom_add_php_command> + <custom_php_resync_config_command>sync_package_apcupsd();</custom_php_resync_config_command> + <custom_php_deinstall_command>php_deinstall_apcupsd();</custom_php_deinstall_command> +</packagegui> diff --git a/config/apcupsd/apcupsd_status.php b/config/apcupsd/apcupsd_status.php new file mode 100755 index 00000000..e465f62c --- /dev/null +++ b/config/apcupsd/apcupsd_status.php @@ -0,0 +1,118 @@ +<?php +/* + apcupsd_status.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 Danilo G. Baio <dbaio@bsd.com.br> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); + +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Services: Apcupsd (Status)"; +include("head.inc"); + +function puts( $arg ) { echo "$arg\n"; } + +?> + +<style> +<!-- + +input { + font-family: courier new, courier; + font-weight: normal; + font-size: 9pt; +} + +pre { + border: 2px solid #435370; + background: #F0F0F0; + padding: 1em; + font-family: courier new, courier; + white-space: pre; + line-height: 10pt; + font-size: 10pt; +} + +.label { + font-family: tahoma, verdana, arial, helvetica; + font-size: 11px; + font-weight: bold; +} + +.button { + font-family: tahoma, verdana, arial, helvetica; + font-weight: bold; + font-size: 11px; +} + +--> +</style> +</head> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + + <?php include("fbegin.inc"); ?> + + <?php if($one_two): ?> + <p class="pgtitle"><?=$pgtitle?></font></p> + <?php endif; ?> + + +<div id="mainlevel"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> + <?php + $tab_array = array(); + $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=apcupsd.xml&id=0"); + $tab_array[] = array(gettext("Status"), true, "/apcupsd_status.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + </table> +</div> + +<div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; "> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> + <tr><td> +<?php + puts("<pre>"); + putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"); + $ph = popen('apcaccess 2>&1', "r" ); + while ($line = fgets($ph)) echo htmlspecialchars($line); + pclose($ph); + puts("</pre>"); +?> + </td></tr> + </table> +</div> +<?php +include("fend.inc"); +?> +</body> +</html> diff --git a/config/arpwatch.xml b/config/arpwatch.xml index 64aadcea..bf163ad6 100644 --- a/config/arpwatch.xml +++ b/config/arpwatch.xml @@ -45,7 +45,7 @@ <requirements>None</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>arpwatch</name> - <version>2.1.a14 pkg v1.1</version> + <version>2.1.a14 pkg v1.1.1</version> <title>arpwatch: Settings</title> <aftersaveredirect>pkg_edit.php?xml=arpwatch.xml&id=0</aftersaveredirect> <menu> diff --git a/config/bandwidthd/bandwidthd.inc b/config/bandwidthd/bandwidthd.inc index 1220e033..7cdc8006 100644 --- a/config/bandwidthd/bandwidthd.inc +++ b/config/bandwidthd/bandwidthd.inc @@ -40,6 +40,10 @@ switch ($pfs_version) { } // End: Check pfSense version +function is_blank($value) { + return empty($value) && !is_numeric($value); +} + function bandwidthd_install_deinstall() { conf_mount_rw(); config_lock(); @@ -66,8 +70,11 @@ function bandwidthd_install_config() { /* user defined values */ $bandwidthd_config = $config['installedpackages']['bandwidthd']['config'][0]; $meta_refresh = $bandwidthd_config['meta_refresh']; - if ($meta_refresh) + if (is_numeric($meta_refresh)) $meta_refresh = "meta_refresh $meta_refresh\n"; + else + $meta_refresh = ""; + $graph = $bandwidthd_config['drawgraphs']; if ($graph) $graph = "graph true\n"; @@ -75,11 +82,17 @@ function bandwidthd_install_config() { $graph = "graph false\n"; $filter_text = $bandwidthd_config['filter']; - if ($filter_text) + if (!is_blank($filter_text)) $filter_text = "filter $filter_text\n"; + else + $filter_text = ""; + $recover_cdf = $bandwidthd_config['recovercdf']; if ($recover_cdf) $recover_cdf = "recover_cdf true\n"; + else + $recover_cdf = ""; + $output_cdf = $bandwidthd_config['outputcdf']; if ($output_cdf) $output_cdf_string = "output_cdf true\n"; @@ -93,15 +106,15 @@ function bandwidthd_install_config() { $postgresql_password = $bandwidthd_config['postgresqlpassword']; $postgresql_string = ""; if ($output_postgresql) { - if ($postgresql_host && $postgresql_username && $postgresql_database && $postgresql_password) + if (!is_blank($postgresql_host) && !is_blank($postgresql_username) && !is_blank($postgresql_database) && !is_blank($postgresql_password)) $postgresql_string = "pgsql_connect_string \"user = $postgresql_username dbname = $postgresql_database password = $postgresql_password host = $postgresql_host\"\n"; else - log_error("You have to specify the postgreSQL Host, Database, Username and Password. Exiting."); + log_error("bandwidthd: You have to specify the postgreSQL Host, Database, Username and Password. postgreSQL details have been ignored."); } $sensor_id = $bandwidthd_config['sensorid']; - if ($sensor_id) + if (!is_blank($sensor_id)) $sensor_id_string = "sensor_id \"$sensor_id\""; else $sensor_id_string = ""; @@ -113,13 +126,20 @@ function bandwidthd_install_config() { $promiscuous = "promiscuous false\n"; $graph_cutoff = $bandwidthd_config['graphcutoff']; - if ($graph_cutoff) + if (!is_blank($graph_cutoff)) $graph_cutoff = "graph_cutoff $graph_cutoff\n"; + else + $graph_cutoff = ""; + $skip_intervals = $bandwidthd_config['skipintervals']; - if ($skip_intervals) + if ($skip_intervals) { $skip_intervals = "skip_intervals $skip_intervals\n"; + } else { + /* Includes the case where 0 is explicitly specified, which is the default anyway. */ + $skip_intervals = ""; + } - if ($bandwidthd_config['active_interface']){ + if (!is_blank($bandwidthd_config['active_interface'])){ $ifdescrs = array($bandwidthd_config['active_interface']); } else { log_error("You should specify an interface for bandwidthd to listen on. Exiting."); diff --git a/config/bandwidthd/bandwidthd.xml b/config/bandwidthd/bandwidthd.xml index 672b5367..44a33bac 100644 --- a/config/bandwidthd/bandwidthd.xml +++ b/config/bandwidthd/bandwidthd.xml @@ -46,7 +46,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>bandwidthd</name> - <version>2.0.1_5 pkg v.0.2</version> + <version>2.0.1_5 pkg v.0.3</version> <title>Bandwidthd</title> <aftersaveredirect>/pkg_edit.php?xml=bandwidthd.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/bandwidthd.inc</include_file> diff --git a/config/bind/bind.inc b/config/bind/bind.inc index e680099f..ff3728fb 100644 --- a/config/bind/bind.inc +++ b/config/bind/bind.inc @@ -105,10 +105,10 @@ function bind_zone_validate($post, $input_errors){ exec("$rndc_confgen ",$rndc_conf); foreach($rndc_conf as $line) $confgen_file.="$line\n"; - file_put_contents(BIND_LOCALBASE."/etc/rndc-confgen.pfsese",$confgen_file); + file_put_contents(BIND_LOCALBASE."/etc/rndc-confgen.pfsense",$confgen_file); } - if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsese")){ - $rndc_conf=file(BIND_LOCALBASE."/etc/rndc-confgen.pfsese"); + if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsense")){ + $rndc_conf=file(BIND_LOCALBASE."/etc/rndc-confgen.pfsense"); $confgen="rndc.conf"; $rndc_bindconf=""; foreach ($rndc_conf as $line){ @@ -179,8 +179,8 @@ EOD; $listenon=(pfSense_get_interface_addresses(convert_friendly_interface_to_real_interface_name($listenon))); if (is_ipaddr($listenon['ipaddr'])) $bind_listenon .= $listenon['ipaddr']."; "; - elseif(is_ipaddrv6($listenon['ipaddr'])) - $bind_listenonv6 .= $listenon['ipaddr']."; "; + if(is_ipaddrv6($listenon['ipaddr6'])) + $bind_listenonv6 .= $listenon['ipaddr6']."; "; } } } @@ -238,6 +238,9 @@ EOD; $bind_conf .="\t\t};\n\n"; } } + else { + $bind_conf .="\t\tlogging { category default { null; }; };\n\n"; + } #Config Zone domain if(!is_array($config["installedpackages"]["bindacls"]) || !is_array($config["installedpackages"]["bindacls"]["config"])){ @@ -429,12 +432,20 @@ EOD; $hostname = (preg_match("/(MX|NS)/",$zone['row'][$y]['hosttype'])?"@":$zone['row'][$y]['hostname']); $hosttype = $zone['row'][$y]['hosttype']; $hostdst = $zone['row'][$y]['hostdst']; - if (preg_match("/[a-zA-Z]/",$hostdst) && $hosttype !="TXT") + if (preg_match("/[a-zA-Z]/",$hostdst) && !preg_match("/(TXT|SPF|AAAA)/",$hosttype)) $hostdst .= "."; $hostvalue = $zone['row'][$y]['hostvalue']; $zone_conf .= "$hostname \t IN $hosttype $hostvalue \t$hostdst\n"; } + if (($zone[regdhcpstatic] == 'on') && is_array($config['dhcpd'])) { + foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) + if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) + foreach ($dhcpifconf['staticmap'] as $host) + if ($host['ipaddr'] && $host['hostname']) { + $zone_conf .= "{$host['hostname']}\tIN A\t{$host['ipaddr']}\n"; + } + } if ($zone['customzonerecords']!=""){ $zone_conf .= "\n\n;\n;custom zone records\n;\n".base64_decode($zone['customzonerecords'])."\n"; } @@ -578,10 +589,15 @@ EOD; chown(CHROOT_LOCALBASE."/var/log","bind"); chown(CHROOT_LOCALBASE."/var/run/named","bind"); chgrp(CHROOT_LOCALBASE."/var/log","bind"); - if($bind_enable == "on") - mwexec("/usr/local/etc/rc.d/named.sh restart"); - else - mwexec("/usr/local/etc/rc.d/named.sh stop"); + $bind_sh="/usr/local/etc/rc.d/named.sh"; + if($bind_enable == "on"){ + chmod ($bind_sh,0755); + mwexec("{$bind_sh} restart"); + } + elseif (is_service_running('named')){ + mwexec("{$bind_sh} stop"); + chmod ($bind_sh,0644); + } //sync to backup servers bind_sync_on_changes(); conf_mount_ro(); @@ -604,6 +620,7 @@ function bind_print_javascript_type_zone(){ document.iform.forwarders.disabled = 1; document.iform.dnssec.disabled = 0; document.iform.backupkeys.disabled = 0; + document.iform.regdhcpstatic.disabled = 0; document.iform.ipns.disabled = 0; document.iform.mail.disabled = 0; document.iform.serial.disabled = 0; @@ -620,6 +637,7 @@ function bind_print_javascript_type_zone(){ document.iform.forwarders.disabled = 1; document.iform.dnssec.disabled = 0; document.iform.backupkeys.disabled = 0; + document.iform.regdhcpstatic.disabled = 0; document.iform.ipns.disabled = 1; document.iform.mail.disabled = 1; document.iform.serial.disabled = 1; @@ -636,6 +654,7 @@ function bind_print_javascript_type_zone(){ document.iform.forwarders.disabled = 0; document.iform.dnssec.disabled = 1; document.iform.backupkeys.disabled = 1; + document.iform.regdhcpstatic.disabled = 1; document.iform.ipns.disabled = 1; document.iform.mail.disabled = 1; document.iform.serial.disabled = 1; @@ -652,6 +671,7 @@ function bind_print_javascript_type_zone(){ document.iform.forwarders.disabled = 1; document.iform.dnssec.disabled = 1; document.iform.backupkeys.disabled = 1; + document.iform.regdhcpstatic.disabled = 1; document.iform.ipns.disabled = 1; document.iform.mail.disabled = 0; document.iform.serial.disabled = 0; diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml index 7fde01a7..be4da9cf 100644 --- a/config/bind/bind_zones.xml +++ b/config/bind/bind_zones.xml @@ -364,6 +364,7 @@ <option><name>SRV</name><value>SRV</value></option> <option><name>PTR</name><value>PTR</value></option> <option><name>TXT</name><value>TXT</value></option> + <option><name>SPF</name><value>SPF</value></option> </options> </rowhelperfield> <rowhelperfield> @@ -384,6 +385,12 @@ </rowhelper> </field> <field> + <fieldname>regdhcpstatic</fieldname> + <fielddescr>Register DHCP static mappings</fielddescr> + <description>If this option is set, then DHCP static mappings will be registered in DNS, so that their name can be resolved.</description> + <type>checkbox</type> + </field> + <field> <type>listtopic</type> <name>Custom Zone Domain records</name> <fieldname>temp02</fieldname> diff --git a/config/dansguardian/dansguardian.conf.template b/config/dansguardian/dansguardian.conf.template index ed514eca..a6bcee1c 100755 --- a/config/dansguardian/dansguardian.conf.template +++ b/config/dansguardian/dansguardian.conf.template @@ -90,7 +90,7 @@ anonymizelogs = {$anonymizelogs} # # Use syslog for access logging instead of logging to the file # at the defined or built-in "loglocation" -#logsyslog = off +logsyslog = {$logsyslog} # Log file location # diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc index b31df8ab..ad6e6482 100755 --- a/config/dansguardian/dansguardian.inc +++ b/config/dansguardian/dansguardian.inc @@ -232,6 +232,7 @@ function sync_package_dansguardian($via_rpc="no",$install_process=false) { $nologger=(preg_match('/nologger/',$dansguardian_log['logging_options'])?"on":"off"); $logadblocks=(preg_match('/logadblocks/',$dansguardian_log['logging_options'])?"on":"off"); $anonymizelogs=(preg_match('/anonymizelogs/',$dansguardian_log['logging_options'])?"on":"off"); + $logsyslog=(preg_match('/logsyslog/',$dansguardian_log['logging_options'])?"on":"off"); $loglevel=($dansguardian_log['loglevel']?$dansguardian_log['loglevel']:"2"); $logexceptionhits=($dansguardian_log['logexceptionhits']?$dansguardian_log['logexceptionhits']:"2"); diff --git a/config/dansguardian/dansguardian_ips_header.template b/config/dansguardian/dansguardian_ips_header.template index f742d9ea..be4f28de 100644 --- a/config/dansguardian/dansguardian_ips_header.template +++ b/config/dansguardian/dansguardian_ips_header.template @@ -64,7 +64,7 @@ </tab> <tab> <text>ACLs</text> - <url>/pkg_edit.php?xml=dansguardian_site_acl.xml&id=0</url> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> diff --git a/config/dansguardian/dansguardian_log.xml b/config/dansguardian/dansguardian_log.xml index 88281dff..97cd5b0b 100644 --- a/config/dansguardian/dansguardian_log.xml +++ b/config/dansguardian/dansguardian_log.xml @@ -197,6 +197,7 @@ <option><name>nologger (off)</name><value>nologger</value></option> <option><name>logadblocks (off)</name><value>logadblocks</value></option> <option><name>Anonymize logs (off)</name><value>anonymizelogs</value></option> + <option><name>Log to syslog (off)</name><value>logsyslog</value></option> </options> <multiple/> <size>6</size> diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 0f7010d6..a18872fc 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -2971,6 +2971,7 @@ function freeradius_modulesldap_resync() { // Variables for General Configuration ldap1 $varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain'); + $varmodulesldapserverport = ($arrmodulesldap['varmodulesldapserverport']?$arrmodulesldap['varmodulesldapserverport']:'389'); $varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA'); $varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass'); $varmodulesldapbasedn = ($arrmodulesldap['varmodulesldapbasedn']?$arrmodulesldap['varmodulesldapbasedn']:'o=My Org,c=UA'); @@ -2983,6 +2984,7 @@ function freeradius_modulesldap_resync() { // Variables for General Configuration ldap2 $varmodulesldap2server = ($arrmodulesldap['varmodulesldap2server']?$arrmodulesldap['varmodulesldap2server']:'ldap.your.domain'); + $varmodulesldap2serverport = ($arrmodulesldap['varmodulesldap2serverport']?$arrmodulesldap['varmodulesldap2serverport']:'389'); $varmodulesldap2identity = ($arrmodulesldap['varmodulesldap2identity']?$arrmodulesldap['varmodulesldap2identity']:'cn=admin,o=My Org,c=UA'); $varmodulesldap2password = ($arrmodulesldap['varmodulesldap2password']?$arrmodulesldap['varmodulesldap2password']:'mypass'); $varmodulesldap2basedn = ($arrmodulesldap['varmodulesldap2basedn']?$arrmodulesldap['varmodulesldap2basedn']:'o=My Org,c=UA'); @@ -3237,6 +3239,7 @@ ldap { # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "$varmodulesldapserver" + port = "$varmodulesldapserverport" identity = "$varmodulesldapidentity" password = $varmodulesldappassword basedn = "$varmodulesldapbasedn" @@ -3396,6 +3399,7 @@ ldap ldap2{ # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "$varmodulesldap2server" + port = "$varmodulesldap2serverport" identity = "$varmodulesldap2identity" password = $varmodulesldap2password basedn = "$varmodulesldap2basedn" diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml index aec71697..5abe85cb 100644 --- a/config/freeradius2/freeradiusmodulesldap.xml +++ b/config/freeradius2/freeradiusmodulesldap.xml @@ -127,6 +127,14 @@ <default_value>ldap.your.domain</default_value> </field> <field> + <fielddescr>Port</fielddescr> + <fieldname>varmodulesldapserverport</fieldname> + <description><![CDATA[No description. (Default: 389 )]]></description> + <type>input</type> + <size>80</size> + <default_value>389</default_value> + </field> + <field> <fielddescr>Identity</fielddescr> <fieldname>varmodulesldapidentity</fieldname> <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> @@ -438,6 +446,14 @@ <default_value>ldap.your.domain</default_value> </field> <field> + <fielddescr>Port</fielddescr> + <fieldname>varmodulesldap2serverport</fieldname> + <description><![CDATA[No description. (Default: 389 )]]></description> + <type>input</type> + <size>80</size> + <default_value>389</default_value> + </field> + <field> <fielddescr>Identity</fielddescr> <fieldname>varmodulesldap2identity</fieldname> <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 94d13c22..5e798dc2 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -1,6 +1,7 @@ <?php /* haproxy.inc + Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef All rights reserved. @@ -31,48 +32,51 @@ require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("notices.inc"); +require_once("haproxy_utils.inc"); require_once("haproxy_xmlrpcsyncclient.inc"); $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; $a_acltypes = array(); -$a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', +$a_acltypes["host_starts_with"] = array('name' => 'Host starts with', 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i %1$s'); -$a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', +$a_acltypes["host_ends_with"] = array('name' => 'Host ends with', 'mode' =>'http', 'syntax' => 'hdr_end(host) -i %1$s'); -$a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', +$a_acltypes["host_matches"] = array('name' => 'Host matches', 'mode' =>'http', 'syntax' => 'hdr(host) -i %1$s'); -$a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', +$a_acltypes["host_regex"] = array('name' => 'Host regex', 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i %1$s'); -$a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', +$a_acltypes["host_contains"] = array('name' => 'Host contains', 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i %1$s'); -$a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', +$a_acltypes["path_starts_with"] = array('name' => 'Path starts with', 'mode' => 'http', 'syntax' => 'path_beg -i %1$s'); -$a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', +$a_acltypes["path_ends_with"] = array('name' => 'Path ends with', 'mode' => 'http', 'syntax' => 'path_end -i %1$s'); -$a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', +$a_acltypes["path_matches"] = array('name' => 'Path matches', 'mode' => 'http', 'syntax' => 'path -i %1$s'); -$a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', +$a_acltypes["path_regex"] = array('name' => 'Path regex', 'mode' => 'http', 'syntax' => 'path_reg -i %1$s'); -$a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', +$a_acltypes["path_contains"] = array('name' => 'Path contains', 'mode' => 'http', 'syntax' => 'path_dir -i %1$s'); -$a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', +$a_acltypes["source_ip"] = array('name' => 'Source IP', 'mode' => '', 'syntax' => 'src %1$s'); -$a_acltypes[] = array('name' => 'backendservercount', 'descr' => 'Minimum count usable servers', +$a_acltypes["backendservercount"] = array('name' => 'Minimum count usable servers', 'mode' => '', 'syntax' => 'nbsrv(%2$s) ge %1$d', 'parameters' => 'value,backendname'); // 'ssl_sni_matches' was added in HAProxy1.5dev17 -$a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', +$a_acltypes["ssl_sni_matches"] = array('name' => 'Server Name Indication TLS extension matches', 'mode' => 'https', 'syntax' => 'req_ssl_sni -i %1$s', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); +$a_checktypes = array(); $a_checktypes['none'] = array('name' => 'none', 'syntax' => '', 'descr' => 'No health checks will be performed.'); $a_checktypes['Basic'] = array('name' => 'Basic', 'syntax' => '', 'descr' => 'Basic socket connection check'); $a_checktypes['HTTP'] = array('name' => 'HTTP', 'syntax' => 'httpchk', 'descr' => 'HTTP protocol to check on the servers health, can also be used for HTTPS servers(requirs checking the SSL box for the servers).', 'parameters' => "uri,method,version"); -// 'Agent' was added in HAProxy1.5dev18 +// 'Agent' was added in HAProxy1.5dev18, and removed in 1.5dev20, in favor of the seperate agent-check option. $a_checktypes['Agent'] = array('name' => 'Agent', 'syntax' => 'lb-agent-chk', 'usedifferenport' => 'yes', - 'descr' => 'Use a TCP connection to read an ASCII string of the form 100%,75%,drain,down (others in haproxy manual)'); + 'descr' => 'Use a TCP connection to read an ASCII string of the form 100%,75%,drain,down (others in haproxy manual)', + deprecated => true); $a_checktypes['LDAP'] = array('name' => 'LDAP', 'syntax' => 'ldap-check', 'descr' => 'Use LDAPv3 health checks for server testing'); $a_checktypes['MySQL'] = array('name' => 'MySQL', 'syntax' => 'mysql-check', @@ -88,6 +92,7 @@ $a_checktypes['ESMTP'] = array('name' => 'ESMTP', 'syntax' => 'smtpchk EHLO', $a_checktypes['SSL'] = array('name' => 'SSL', 'syntax' => 'ssl-hello-chk', 'descr' => 'Use SSLv3 client hello health checks for server testing.'); +$a_httpcheck_method = array(); $a_httpcheck_method['OPTIONS'] = array('name' => 'OPTIONS', 'syntax' => 'OPTIONS'); $a_httpcheck_method['HEAD'] = array('name' => 'HEAD', 'syntax' => 'HEAD'); $a_httpcheck_method['GET'] = array('name' => 'GET', 'syntax' => 'GET'); @@ -96,9 +101,27 @@ $a_httpcheck_method['PUT'] = array('name' => 'PUT', 'syntax' => 'PUT'); $a_httpcheck_method['DELETE'] = array('name' => 'DELETE', 'syntax' => 'DELETE'); $a_httpcheck_method['TRACE'] = array('name' => 'TRACE', 'syntax' => 'TRACE'); +$a_closetypes = array(); +$a_closetypes['none'] = array('name' => 'none', 'syntax' => '', + 'descr' => 'No close headers will be changed.'); +$a_closetypes['httpclose'] = array('name' => 'httpclose', 'syntax' => 'httpclose', + 'descr' => 'The "httpclose" option removes any "Connection" header both ways, and adds a "Connection: close" header in each direction. This makes it easier to disable HTTP keep-alive than the previous 4-rules block.'); +$a_closetypes['http-server-close'] = array('name' => 'http-server-close', 'syntax' => 'http-server-close', + 'descr' => 'By default, when a client communicates with a server, HAProxy will only analyze, log, and process the first request of each connection. Setting "option http-server-close" enables HTTP connection-close mode on the server side while keeping the ability to support HTTP keep-alive and pipelining on the client side. This provides the lowest latency on the client side (slow network) and the fastest session reuse on the server side to save server resources.'); +$a_closetypes['forceclose'] = array('name' => 'forceclose', 'syntax' => 'forceclose', + 'descr' => 'Some HTTP servers do not necessarily close the connections when they receive the "Connection: close" set by "option httpclose", and if the client does not close either, then the connection remains open till the timeout expires. This causes high number of simultaneous connections on the servers and shows high global session times in the logs. Note that this option also enables the parsing of the full request and response, which means we can close the connection to the server very quickly, releasing some resources earlier than with httpclose.'); +$a_closetypes['http-keep-alive'] = array('name' => 'http-keep-alive', 'syntax' => 'http-keep-alive', + 'descr' => 'By default, when a client communicates with a server, HAProxy will only analyze, log, and process the first request of each connection. Setting "option http-keep-alive" enables HTTP keep-alive mode on the client- and server- sides. This provides the lowest latency on the client side (slow network) and the fastest session reuse on the server side at the expense of maintaining idle connections to the servers. In general, it is possible with this option to achieve approximately twice the request rate that the "http-server-close" option achieves on small objects. There are mainly two situations where this option may be useful : - when the server is non-HTTP compliant and authenticates the connection instead of requests (eg: NTLM authentication) - when the cost of establishing the connection to the server is significant compared to the cost of retrieving the associated object from the server.'); + +$a_servermodes = array(); +$a_servermodes["active"]['name'] = "active"; +$a_servermodes["backup"]['name'] = "backup"; +$a_servermodes["disabled"]['name'] = "disabled"; +$a_servermodes["inactive"]['name'] = "inactive"; + function haproxy_custom_php_deinstall_command() { exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); - exec("rm /usr/local/pkg/haproxy.inc"); + exec("rm /usr/local/pkg/haproxy*"); exec("rm /usr/local/www/haproxy*"); exec("rm /usr/local/etc/rc.d/haproxy.sh"); exec("rm /etc/devd/haproxy.conf"); @@ -110,6 +133,12 @@ function haproxy_custom_php_install_command() { global $g, $config; conf_mount_rw(); + $freebsd_version = substr(trim(`uname -r`), 0, 1); + if(!file_exists("/usr/bin/limits")) { + exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits"); + exec("chmod a+rx /usr/bin/limits"); + } + $haproxy = <<<EOD #!/bin/sh @@ -194,6 +223,7 @@ EOD; fclose($fd); exec("/etc/rc.d/devd restart"); + $writeconfigupdate = false; /* Do XML upgrade from haproxy 0.31 to haproxy-dev */ if (is_array($config['installedpackages']['haproxy']['ha_servers'])) { /* We have an old config */ @@ -237,7 +267,7 @@ EOD; $a_pools[] = $pool; } unset($config['installedpackages']['haproxy']['ha_servers']); - write_config(); + $writeconfigupdate = true; } /* XML update to: pkg v1.3 and 'pool' changed to 'backend_serverpool' because 'pool' was added to listtags() in xmlparse.inc */ @@ -249,7 +279,7 @@ EOD; $frontend['backend_serverpool'] = $backend_serverpool; unset($frontend['pool']); } - write_config(); + $writeconfigupdate = true; } //also move setting for existing 2.0 installations as only the new variable is used if (isset($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) @@ -260,11 +290,35 @@ EOD; $frontend['backend_serverpool'] = $backend_serverpool; unset($frontend['pool']); } - write_config(); + $writeconfigupdate = true; } - + // update config to "haproxy-devel 1.5-dev19 pkg v0.5" + $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + if(is_array($a_backends)) { + foreach ($a_backends as &$bind) { + if($bind['httpclose'] && $bind['httpclose'] == "yes" ) { + $bind['httpclose'] = "httpclose"; + $writeconfigupdate = true; + } + if (!$bind['extaddr']){ + $bind['extaddr'] = "wan_ipv4"; + $writeconfigupdate = true; + } + if ($bind['extaddr'] == "localhost"){ + $bind['extaddr'] = "localhost_ipv4"; + $writeconfigupdate = true; + } + if ($bind['extaddr'] == "any"){ + $bind['extaddr'] = "any_ipv4"; + $writeconfigupdate = true; + } + } + } + if ($writeconfigupdate) + write_config("haproxy, update xml config version"); + conf_mount_ro(); - + exec("/usr/local/etc/rc.d/haproxy.sh start"); } @@ -296,7 +350,7 @@ function haproxy_install_cron($should_install) { $cron_item['command'] = "/usr/local/etc/rc.d/haproxy.sh check"; $config['cron']['item'][] = $cron_item; parse_config(true); - write_config(); + write_config("haproxy, install cron CARP job"); configure_cron(); } break; @@ -305,7 +359,7 @@ function haproxy_install_cron($should_install) { if($x > 0) { unset($config['cron']['item'][$x]); parse_config(true); - write_config(); + write_config("haproxy, remove cron CARP job"); } configure_cron(); } @@ -316,8 +370,8 @@ function haproxy_install_cron($should_install) { function haproxy_find_acl($name) { global $a_acltypes; if($a_acltypes) { - foreach ($a_acltypes as $acl) { - if ($acl['name'] == $name) + foreach ($a_acltypes as $key => $acl) { + if ($key == $name) return $acl; } } @@ -451,6 +505,10 @@ function write_backend($fd, $name, $pool, $frontend) { else $checkinter = "check inter 1000"; } + + //agent-check requires at least haproxy v1.5dev20 + if ($pool['agent_check']) + $agentcheck = " agent-check agent-inter {$pool['agent_inter']} agent-port {$pool['agent_port']}"; if (is_array($a_servers)) { @@ -470,7 +528,7 @@ function write_backend($fd, $name, $pool, $frontend) { { $ssl = $backend_type == "http" ? ' ssl' : ' check-ssl'; } - fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter$checkport $isbackup weight " . $be['weight'] . "{$advanced_txt} {$be['advanced']}\n"); + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter$checkport$agentcheck $isbackup weight " . $be['weight'] . "{$advanced_txt} {$be['advanced']}\n"); } } fwrite ($fd, "\n"); @@ -479,15 +537,16 @@ function write_backend($fd, $name, $pool, $frontend) { function haproxy_configure() { global $g; // reload haproxy - haproxy_writeconf("{$g['varetc_path']}/haproxy.cfg"); + haproxy_writeconf("{$g['varetc_path']}/haproxy"); return haproxy_check_run(1); } function haproxy_check_and_run(&$messages, $reload) { global $g; - $configname = "{$g['varetc_path']}/haproxy.cfg"; - haproxy_writeconf("$configname.new"); - $retval = exec("haproxy -c -V -f $configname.new 2>&1", $output, $err); + $configpath = "{$g['varetc_path']}/haproxy"; + $testpath = "{$g['varetc_path']}/haproxy_test"; + haproxy_writeconf($testpath); + $retval = exec("haproxy -c -V -f $testpath/haproxy.cfg 2>&1", $output, $err); $messages = ""; if ($err > 1) $messages = "<h2><strong>FATAL ERROR CODE: $err while starting haproxy</strong></h2>"; @@ -502,25 +561,46 @@ function haproxy_check_and_run(&$messages, $reload) { $ok = strstr($retval, "Configuration file is valid"); if ($ok && $reload) { global $haproxy_run_message; - exec("mv $configname.new $configname"); + haproxy_writeconf($configpath); + rmdir_recursive($testpath); $ok = haproxy_check_run(1) == 0; $messages = $haproxy_run_message; } return $ok; } +function haproxy_write_certificate_file($filename, $certid) { + $cert = lookup_cert($certid); -function haproxy_writeconf($configfile) { + $certcontent = base64_decode($cert['crt']); + $certcontent .= "\r\n".base64_decode($cert['prv']); + + $certchaincontent = ca_chain($cert); + if ($certchaincontent != "") { + $certcontent .= "\r\n" . $certchaincontent; + } + unset($certchaincontent); + file_put_contents($filename, $certcontent); + unset($certcontent); + unset($cert); +} + +function haproxy_writeconf($configpath) { global $config; - $a_global = &$config['installedpackages']['haproxy']; - $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; - $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; + $configfile = $configpath . "/haproxy.cfg"; + rmdir_recursive($configpath); + make_dirs($configpath); + + $a_global = &$config['installedpackages']['haproxy']; + $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + $a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item']; + $fd = fopen($configfile, "w"); - if(is_array($a_global)) { fwrite ($fd, "global\n"); - fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n"); + if ($a_global['maxconn']) + fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n"); if($a_global['remotesyslog']) fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\t{$a_global['logfacility']}\t{$a_global['loglevel']}\n"); fwrite ($fd, "\tstats socket /tmp/haproxy.socket level admin\n"); @@ -551,39 +631,48 @@ function haproxy_writeconf($configfile) { // Try and get a unique array for address:port as frontends can duplicate $a_bind = array(); - if(is_array($a_backends)) { - foreach ($a_backends as $backend) { - if($backend['status'] != 'active') + if(is_array($a_frontends)) { + foreach ($a_frontends as $frontend) { + if($frontend['status'] != 'active') { - unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); + unlink_if_exists("var/etc/{$frontend['name']}.{$frontend['port']}.crt"); continue; } - if(!$backend['backend_serverpool']) + if(!$frontend['backend_serverpool']) { - unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); + unlink_if_exists("var/etc/{$frontend['name']}.{$frontend['port']}.crt"); continue; } + + $bname = get_frontend_ipport($frontend); //check ssl info - if (strtolower($backend['type']) == "http" && $backend['ssloffload']){ + if (strtolower($frontend['type']) == "http" && $frontend['ssloffload']){ //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem - $ssl_crt=" crt /var/etc/{$backend['name']}.{$backend['port']}.crt"; - $cert = lookup_cert($backend['ssloffloadcert']); - $certcontent = base64_decode($cert['crt'])."\r\n".base64_decode($cert['prv']); - file_put_contents("/var/etc/{$backend['name']}.{$backend['port']}.crt", $certcontent); - unset($certcontent); + $filename = "$configpath/{$frontend['name']}.{$frontend['port']}.pem"; + $ssl_crt = " crt $filename"; + haproxy_write_certificate_file($filename, $frontend['ssloffloadcert']); + $subfolder = "$configpath/{$frontend['name']}.{$frontend['port']}"; + $certs = $frontend['ha_certificates']['item']; + if (is_array($certs)){ + if (count($certs) > 0){ + make_dirs($subfolder); + foreach($certs as $cert){ + haproxy_write_certificate_file("$subfolder/{$cert['ssl_certificate']}.pem", $cert['ssl_certificate']); + } + $ssl_crt .= " crt $subfolder"; + } + } }else{ $ssl_crt=""; - unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); + unlink_if_exists("var/etc/{$frontend['name']}.{$frontend['port']}.crt"); } - - $bname = get_frontend_ipport($backend); if (!is_array($a_bind[$bname])) { $a_bind[$bname] = array(); $a_bind[$bname]['config'] = array(); // Settings which are used only from the primary frontend - $primaryfrontend = get_primaryfrontend($backend); + $primaryfrontend = get_primaryfrontend($frontend); $a_bind[$bname]['name'] = $primaryfrontend['name']; $a_bind[$bname]['extaddr'] = $primaryfrontend['extaddr']; $a_bind[$bname]['port'] = $primaryfrontend['port']; @@ -598,19 +687,19 @@ function haproxy_writeconf($configfile) { } $b = &$a_bind[$bname]; - if (($backend['secondary'] != 'yes') && ($backend['name'] != $b['name'])) { + if (($frontend['secondary'] != 'yes') && ($frontend['name'] != $b['name'])) { // only 1 frontend can be the primary for a set of frontends that share 1 address:port. $input_errors[] = "Multiple primary frondends for $bname"; } if ($ssl_crt != "") { if ($b['ssl_info'] == "") - $b['ssl_info'] = "ssl {$backend['dcertadv']}"; + $b['ssl_info'] = "ssl {$frontend['dcertadv']}"; $b['ssl_info'] .= $ssl_crt; } - // pointer to each backend - $b['config'][] = $backend; + // pointer to each frontend + $b['config'][] = $frontend; } } @@ -635,14 +724,12 @@ function haproxy_writeconf($configfile) { $listenip = ""; // Process and add bind directives for ports - foreach($ports as $port) { - if($port) { - if($bind['extaddr'] == "any") - $listenip .= "\tbind\t\t\t0.0.0.0:{$port} {$ssl_info} {$advanced_bind}\n"; - elseif($bind['extaddr']) - $listenip .= "\tbind\t\t\t{$bind['extaddr']}:{$port} {$ssl_info} {$advanced_bind}\n"; - else - $listenip .= "\tbind\t\t\t" . get_current_wan_address('wan') . ":{$port} {$ssl_info} {$advanced_bind}\n"; + $ip = haproxy_interface_ip($bind['extaddr']); + if ($ip){ + foreach($ports as $port) { + if($port) { + $listenip .= "\tbind\t\t\t$ip:{$port} {$ssl_info} {$advanced_bind}\n"; + } } } @@ -672,8 +759,8 @@ function haproxy_writeconf($configfile) { if ($backend_type == 'http') { - if($bind['httpclose']) - fwrite ($fd, "\toption\t\t\thttpclose\n"); + if($bind['httpclose'] && $bind['httpclose'] != "none" ) + fwrite ($fd, "\toption\t\t\t{$bind['httpclose']}\n"); if($bind['forwardfor']) { fwrite ($fd, "\toption\t\t\tforwardfor\n"); @@ -693,35 +780,54 @@ function haproxy_writeconf($configfile) { fwrite ($fd, "\ttimeout client\t\t" . $bind['client_timeout'] . "\n"); - // Combine the rest of the listener configs + // Combine the rest of the frontend configs $default_backend = ""; $i = 0; - foreach ($bind['config'] as $bconfig) { - $a_acl=&$bconfig['ha_acls']['item']; + foreach ($bind['config'] as $frontend) { + $a_acl=&$frontend['ha_acls']['item']; if(!is_array($a_acl)) $a_acl=array(); - $poolname = $bconfig['backend_serverpool'] . "_" . strtolower($bconfig['type']); + $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); // Create different pools if the svrport is set - if ($bconfig['svrport'] > 0) - $poolname .= "_" . $bconfig['svrport']; - - // Write this out once, and must be before any backend config text - if ($default_backend == "" || $bconfig['secondary'] != 'yes') { - $default_backend = $poolname; - } + if ($frontend['svrport'] > 0) + $poolname .= "_" . $frontend['svrport']; if (!isset($a_pendingpl[$poolname])) { $a_pendingpl[$poolname] = array(); $a_pendingpl[$poolname]['name'] = $poolname; - $a_pendingpl[$poolname]['frontend'] = $bconfig; + $a_pendingpl[$poolname]['frontend'] = $frontend; } - if (strtolower($bind['type']) == "http" && $bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { + if (strtolower($bind['type']) == "http" && $frontend['ssloffload']) { $aclname = "SNI_" . $poolname; - $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true); - $a_acl[] = array('name' => $aclname,'expression' => 'host_matches', 'value' => $cert_cn); + if ($frontend['ssloffloadacl']){ + $cert = lookup_cert($frontend['ssloffloadcert']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + unset($cert); + } + if ($frontend['ssloffloadacladditional']){ + $certs = $frontend['ha_certificates']['item']; + if (is_array($certs)){ + if (count($certs) > 0){ + foreach($certs as $certref){ + $cert = lookup_cert($certref['ssl_certificate']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + unset($cert); + } + } + } + } + } + + // Write this out once, and must be before any backend config text + if (($default_backend == "" || $frontend['secondary'] != 'yes') && count($a_acl) == 0 ) { + $default_backend = $poolname; } // combine acl's with same name to allow for 'combined checks' to check for example hostname and fileextension together.. @@ -755,7 +861,8 @@ function haproxy_writeconf($configfile) { fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclnames . "\n"); } } - fwrite ($fd, "\tdefault_backend\t\t" . $default_backend . "\n"); + if ($default_backend) + fwrite ($fd, "\tdefault_backend\t\t" . $default_backend . "\n"); foreach($advancedextra as $extra) fwrite ($fd, "\t".$extra."\n"); @@ -763,9 +870,9 @@ function haproxy_writeconf($configfile) { } } // Construct and write out configuration for each "backend" - if (is_array($a_pendingpl) && is_array($a_pools)) { + if (is_array($a_pendingpl) && is_array($a_backends)) { foreach ($a_pendingpl as $pending) { - foreach ($a_pools as $pool) { + foreach ($a_backends as $pool) { if ($pending['frontend']['backend_serverpool'] == $pool['name']) { write_backend($fd, $pending['name'], $pool, $pending['frontend']); } @@ -792,12 +899,6 @@ function haproxy_writeconf($configfile) { haproxy_install_cron(true); else haproxy_install_cron(false); - - $freebsd_version = substr(trim(`uname -r`), 0, 1); - if(!file_exists("/usr/bin/limits")) { - exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits"); - exec("chmod a+rx /usr/bin/limits"); - } } function haproxy_is_running() { @@ -805,7 +906,6 @@ function haproxy_is_running() { return $running; } - function haproxy_load_modules() { // On FreeBSD 8 ipfw is needed to allow 'transparent' proxying (getting reply's to a non-local ip to pass back to the client-socket).. // On FreeBSD 9 it is probably possible to do the same with the pf option "divert-reply" @@ -892,6 +992,7 @@ function haproxy_check_run($reload) { global $config, $g, $haproxy_run_message; $a_global = &$config['installedpackages']['haproxy']; + $configpath = "{$g['varetc_path']}/haproxy"; exec("/usr/bin/limits -n 300014"); @@ -923,9 +1024,9 @@ function haproxy_check_run($reload) { $sf_st = "-st";//terminate old process as soon as the new process is listening else $sf_st = "-sf";//finish serving existing connections exit when done, and the new process is listening - exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid $sf_st `cat /var/run/haproxy.pid` 2>&1", $output, $errcode); + exec("/usr/local/sbin/haproxy -f {$configpath}/haproxy.cfg -p /var/run/haproxy.pid $sf_st `cat /var/run/haproxy.pid` 2>&1", $output, $errcode); } else { - exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D 2>&1", $output, $errcode); + exec("/usr/local/sbin/haproxy -f {$configpath}/haproxy.cfg -p /var/run/haproxy.pid -D 2>&1", $output, $errcode); } foreach($output as $line) $haproxy_run_message .= "<br/>" . htmlspecialchars($line) . "\n"; @@ -962,7 +1063,7 @@ function haproxy_sync_xmlrpc_settings() { // restore 'old' settings. $config['installedpackages']['haproxy']['enablesync'] = $enable ? true : false; - write_config("HAPROXY xmlrpc config synced"); // Write new 'merged' configuration + write_config("haproxy, xmlrpc config synced"); // Write new 'merged' configuration } function haproxy_do_xmlrpc_sync() { @@ -1017,16 +1118,11 @@ function get_primaryfrontend($frontend) { return $mainfrontend; } -function get_frontend_ipport($frontend) { +function get_frontend_ipport($frontend,$userfriendly=false) { $mainfrontend = get_primaryfrontend($frontend); - if($mainfrontend['extaddr'] == "any") - $result = "0.0.0.0"; - elseif ($mainfrontend['extaddr'] == "localhost") - $result = "127.0.0.1"; - elseif($mainfrontend['extaddr']) - $result = $mainfrontend['extaddr']; - else - $result = get_current_wan_address('wan'); + $result = haproxy_interface_ip($mainfrontend['extaddr'],$userfriendly); + if ($userfriendly and is_ipaddrv6($result)) + $result = "[{$result}]"; return $result . ":" . $mainfrontend['port']; } @@ -1077,7 +1173,7 @@ function get_haproxy_frontends($excludeitem="") { return $result; } -function get_frontent_acls($frontend) { +function get_frontend_acls($frontend) { $result = array(); $a_acl = &$frontend['ha_acls']['item']; if (is_array($a_acl)) @@ -1092,7 +1188,7 @@ function get_frontent_acls($frontend) { continue; $acl_item = array(); - $acl_item['descr'] = $acl['descr'] . ": " . $entry['value']; + $acl_item['descr'] = $acl['name'] . ": " . $entry['value']; $acl_item['ref'] = $entry; $result[] = $acl_item; @@ -1101,30 +1197,15 @@ function get_frontent_acls($frontend) { return $result; } -function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) { - $offset = str_repeat(' ',$nestID); - $itemName = "item$nestID"; - echo "{$offset}$nodeName = {};\n"; - if (is_array($items)) - foreach ($items as $key => $item) - { - if (in_array($path.'/'.$key, $includeitems)) - $subpath = $path.'/'.$key; - else - $subpath = $path.'/*'; - if (in_array($subpath, $includeitems) || in_array($path.'/*', $includeitems)) { - if (is_array($item)) { - $subNodeName = "item$nestID"; - phparray_to_javascriptarray_recursive($nestID+1, $subpath, $items[$key], $subNodeName, $includeitems); - echo "{$offset}{$nodeName}['{$key}'] = $itemName;\n"; - } else - echo "{$offset}{$nodeName}['$key'] = '$item';\n"; - } - } -} - -function phparray_to_javascriptarray($items, $javaMapName, $includeitems) { - phparray_to_javascriptarray_recursive(1,'',$items, $javaMapName, $includeitems); +function get_backend($name) { + global $config; + $a_backend = &$config['installedpackages']['haproxy']['ha_pools']['item']; + foreach($a_backend as $key => $backend) + { + if ($backend['name'] == $name) + return $backend; + } + return null; } function haproxy_escapestring($configurationsting) { @@ -1133,19 +1214,8 @@ function haproxy_escapestring($configurationsting) { return str_replace('#', '\\#', $result); } -function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="", $onchangeEvent="") { - if (count($keyvaluelist)>0){ - if ($onchangeEvent != "") - $onchangeEvent .= " onchange=$onchangeEvent"; - echo "<select name=\"$name\" id=\"$name\" class=\"formselect\"$onchangeEvent>"; - foreach($keyvaluelist as $key => $desc){ - $selectedhtml = $key == $selected ? "selected" : ""; - echo "<option value=\"{$key}\" {$selectedhtml}>{$desc['name']}</option>"; - } - echo "</select>"; - } else { - echo $listEmptyMessage; - } +function haproxy_escape_acl_name($aclname) { + return preg_replace_callback('([^A-Za-z0-9\._\-\:])', function($match){return "_".dechex(ord($match[0]));}, $aclname); } ?> diff --git a/config/haproxy-devel/haproxy.widget.php b/config/haproxy-devel/haproxy.widget.php index abc5d935..7954e404 100644 --- a/config/haproxy-devel/haproxy.widget.php +++ b/config/haproxy-devel/haproxy.widget.php @@ -1,5 +1,6 @@ <?php /* + Copyright (C) 2013 PiBa-NL Copyright 2011 Thomas Schaefer - Tomschaefer.org Copyright 2011 Marcello Coutinho Part of pfSense widgets (www.pfsense.com) diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml index bfd7f437..6b25dd46 100644 --- a/config/haproxy-devel/haproxy.xml +++ b/config/haproxy-devel/haproxy.xml @@ -100,10 +100,25 @@ <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_htmllist.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_utils.inc</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/widgets/widgets/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.widget.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/haproxy-devel/pkg_haproxy.inc</item> + </additional_files_needed> <custom_delete_php_command> </custom_delete_php_command> <custom_add_php_command> diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php index ff8d1280..0a92cde7 100755 --- a/config/haproxy-devel/haproxy_global.php +++ b/config/haproxy-devel/haproxy_global.php @@ -3,6 +3,7 @@ /* haproxy_global.php part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> All rights reserved. @@ -28,9 +29,10 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require_once("guiconfig.inc"); require_once("haproxy.inc"); +require_once("haproxy_utils.inc"); require_once("globals.inc"); if (!is_array($config['installedpackages']['haproxy'])) @@ -41,20 +43,25 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + if ($_POST['calculate_certificate_chain']) { + $changed = haproxy_recalculate_certifcate_chain(); + if ($changed > 0) + touch($d_haproxyconfdirty_path); + } else if ($_POST['apply']) { $result = haproxy_check_and_run($savemsg, true); if ($result) unlink_if_exists($d_haproxyconfdirty_path); } else { - if ($_POST['enable']) { - $reqdfields = explode(" ", "maxconn"); - $reqdfieldsn = explode(",", "Maximum connections"); - } + //if ($_POST['enable']) { + // $reqdfields = explode(" ", "maxconn"); + // $reqdfieldsn = explode(",", "Maximum connections"); + //} if ($_POST['carpdev'] == "disabled") unset($_POST['carpdev']); - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + //do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if ($_POST['maxconn'] && (!is_numeric($_POST['maxconn']))) $input_errors[] = "The maximum number of connections should be numeric."; @@ -120,7 +127,7 @@ include("head.inc"); <script type="text/javascript" src="javascript/scriptaculous/prototype.js"></script> <script type="text/javascript" src="javascript/scriptaculous/scriptaculous.js"></script> <?php include("fbegin.inc"); ?> -<script language="JavaScript"> +<script type="text/javascript"> <!-- function enable_change(enable_change) { var endis; @@ -135,8 +142,8 @@ function enable_change(enable_change) { <form action="haproxy_global.php" method="post" name="iform"> <?php if ($input_errors) print_input_errors($input_errors); ?> <?php if ($savemsg) print_info_box($savemsg); ?> -<?php if (file_exists($d_haproxyconfdirty_path)): ?><p> -<?php print_info_box_np("The haproxy configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> +<?php if (file_exists($d_haproxyconfdirty_path)): ?> +<?php print_info_box_np("The haproxy configuration has been changed.<br/>You must apply the changes in order for them to take effect.");?><br/> <?php endif; ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> @@ -144,8 +151,8 @@ function enable_change(enable_change) { /* active tabs */ $tab_array = array(); $tab_array[] = array("Settings", true, "haproxy_global.php"); - $tab_array[] = array("Listener", false, "haproxy_listeners.php"); - $tab_array[] = array("Server Pool", false, "haproxy_pools.php"); + $tab_array[] = array("Frontend", false, "haproxy_listeners.php"); + $tab_array[] = array("Backend", false, "haproxy_pools.php"); display_top_tabs($tab_array); ?> </td></tr> @@ -154,12 +161,26 @@ function enable_change(enable_change) { <div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> + <td colspan="2" valign="top" class="listtopic">Recalculate certificate chain.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"> </td> + <td width="78%" class="vtable"> + <input type="hidden" name="calculate_certificate_chain" id="calculate_certificate_chain" /> + <input type="button" class="formbtn" value="Recalculate certificate chains" onclick="$('calculate_certificate_chain').value='true';document.iform.submit();" /> + <br/> + This can be required after certificates have been created or imported. As pfSense 2.1.0 currently does not + always keep track of these dependencies which might be required to create a proper certificate chain when using SSLoffloading. + </td> + </tr> + + <tr> <td colspan="2" valign="top" class="listtopic">General settings</td> </tr> <tr> <td width="22%" valign="top" class="vncell"> </td> <td width="78%" class="vtable"> - <input name="enable" type="checkbox" value="yes" <?php if ($pconfig['enable']) echo "checked"; ?> onClick="enable_change(false)"> + <input name="enable" type="checkbox" value="yes" <?php if ($pconfig['enable']) echo "checked"; ?> onClick="enable_change(false)" /> <strong>Enable HAProxy</strong></td> </tr> <tr> @@ -171,7 +192,7 @@ function enable_change(enable_change) { <table cellpadding="0" cellspacing="0"> <tr> <td> - <input name="maxconn" type="text" class="formfld" id="maxconn" size="5" <?if ($pconfig['enable']!='yes') echo "enabled=\"false\"";?> value="<?=htmlspecialchars($pconfig['maxconn']);?>"> per Backend. + <input name="maxconn" type="text" class="formfld" id="maxconn" size="5" <?if ($pconfig['enable']!='yes') echo "enabled=\"false\"";?> value="<?=htmlspecialchars($pconfig['maxconn']);?>" /> per Backend. </td> </tr> </table> @@ -185,29 +206,29 @@ function enable_change(enable_change) { </td><td> <table style="border: 1px solid #000;"> <tr> - <td><font size=-1>Connections</td> - <td><font size=-1>Memory usage</td> + <td><font size=-1>Connections</font></td> + <td><font size=-1>Memory usage</font></td> </tr> <tr> <td colspan="2"> - <hr noshade style="border: 1px solid #000;"> + <hr noshade style="border: 1px solid #000;"></hr> </td> </tr> <tr> - <td align="right"><font size=-1>999</td> - <td><font size=-1>1888K</td> + <td align="right"><font size=-1>999</font></td> + <td><font size=-1>1888K</font></td> </tr> <tr> - <td align="right"><font size=-1>99999</td> - <td><font size=-1>8032K</td> + <td align="right"><font size=-1>99999</font></td> + <td><font size=-1>8032K</font></td> </tr> <tr> - <td align="right"><font size=-1>999999</td> - <td><font size=-1>50016K</td> + <td align="right"><font size=-1>999999</font></td> + <td><font size=-1>50016K</font></td> </tr> <tr> - <td align="right"><font size=-1>9999999</td> - <td><font size=-1>467M</td> + <td align="right"><font size=-1>9999999</font></td> + <td><font size=-1>467M</font></td> </tr> </table> </td></tr></table> @@ -218,17 +239,17 @@ function enable_change(enable_change) { Number of processes to start </td> <td class="vtable"> - <input name="nbproc" type="text" class="formfld" id="nbproc" size="18" value="<?=htmlspecialchars($pconfig['nbproc']);?>"> + <input name="nbproc" type="text" class="formfld" id="nbproc" size="18" value="<?=htmlspecialchars($pconfig['nbproc']);?>" /> <br/> Defaults to 1 if left blank (<?php echo trim(`/sbin/sysctl kern.smp.cpus | cut -d" " -f2`); ?> CPU core(s) detected).<br/> Note : Consider leaving this value empty or 1 because in multi-process mode (nbproc > 1) memory is not shared between the processes, which could result in random behaviours for several options like ACL's, sticky connections and some others.<br/> - For more information about the <b>"nbproc"</b> option please see <b><a href='http://haproxy.1wt.eu/download/1.5/doc/configuration.txt' target='_new'>HAProxy Documentation</a> </b> + For more information about the <b>"nbproc"</b> option please see <b><a href='http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#nbproc' target='_blank'>HAProxy Documentation</a> </b> </td> </tr> <tr> <td width="22%" valign="top" class="vncell">Reload behaviour</td> <td width="78%" class="vtable"> - <input name="terminate_on_reload" type="checkbox" value="yes" <?php if ($pconfig['terminate_on_reload']) echo "checked"; ?>> + <input name="terminate_on_reload" type="checkbox" value="yes" <?php if ($pconfig['terminate_on_reload']) echo "checked"; ?> /> Force immediate stop of old process on reload. (closes existing connections)<br/><br/>Note: when this option is selected connections will be closed when haproxy is restarted. Otherwise the existing connections will be served by the old haproxy process untill they are closed. Checking this option will interupt existing connections on a restart. (which happens when the configuration is applied, @@ -239,7 +260,7 @@ function enable_change(enable_change) { Remote syslog host </td> <td class="vtable"> - <input name="remotesyslog" type="text" class="formfld" id="remotesyslog" size="18" value="<?=htmlspecialchars($pconfig['remotesyslog']);?>"><br/> + <input name="remotesyslog" type="text" class="formfld" id="remotesyslog" size="18" value="<?=htmlspecialchars($pconfig['remotesyslog']);?>" /><br/> To log to the local pfSense systemlog fill the host with the value <b>/var/run/log</b>, however if a lot of messages are generated logging is likely to be incomplete. (Also currently no informational logging gets shown in the systemlog.) </td> </tr> @@ -339,7 +360,7 @@ function enable_change(enable_change) { <tr> <td width="22%" valign="top" class="vncell">HAProxy Sync</td> <td width="78%" class="vtable"> - <input name="enablesync" type="checkbox" value="yes" <?php if ($pconfig['enablesync']) echo "checked"; ?>> + <input name="enablesync" type="checkbox" value="yes" <?php if ($pconfig['enablesync']) echo "checked"; ?> /> <strong>Sync HAProxy configuration to backup CARP members via XMLRPC.</strong><br/> Note: remember to also turn on HAProxy Sync on the backup nodes.<br/> The synchronisation host and password are those configured in pfSense main <a href="/system_hasync.php">"System: High Availability Sync"</a> settings. @@ -386,22 +407,20 @@ function enable_change(enable_change) { </tr> <tr> <td width="22%" valign="top"> </td> - <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change(true)"> - </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change(true)" /> </td> </tr> </table> </div> </table> -<?php if(file_exists("/var/etc/haproxy.cfg")): ?> - <p/> +<?php if(file_exists("/var/etc/haproxy/haproxy.cfg")): ?> <div id="configuration" style="display:none; border-style:dashed; padding: 8px;"> - <b><i>/var/etc/haproxy.cfg file contents:</b></i> + <b><i>/var/etc/haproxy.cfg file contents:</i></b> <?php - if(file_exists("/var/etc/haproxy.cfg")) { - echo "<pre>" . trim(file_get_contents("/var/etc/haproxy.cfg")) . "</pre>"; + if(file_exists("/var/etc/haproxy/haproxy.cfg")) { + echo "<pre>" . trim(file_get_contents("/var/etc/haproxy/haproxy.cfg")) . "</pre>"; } ?> </div> @@ -411,7 +430,7 @@ function enable_change(enable_change) { <?php endif; ?> </form> -<script language="JavaScript"> +<script type="text/javascript"> function scroll_after_fade() { scrollTo(0,99999999999); } diff --git a/config/haproxy-devel/haproxy_htmllist.inc b/config/haproxy-devel/haproxy_htmllist.inc new file mode 100644 index 00000000..2e93ca2a --- /dev/null +++ b/config/haproxy-devel/haproxy_htmllist.inc @@ -0,0 +1,246 @@ +<?php +/* + haproxy_htmllist.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 PiBa-NL + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + This file contains functions which are NOT specific to HAProxy and may/could/should + be moved to the general pfSense php library for possible easy use by other parts of pfSense +*/ + +require_once("config.inc"); +require_once("haproxy_utils.inc"); + +function haproxy_htmllist_get_values($html_list){ + $values = array(); + for($x=0; $x<99; $x++) { + $value = array(); + $add_item = false; + foreach($html_list as $item){ + $itemname = $item['name']; + $value[$itemname] = $_POST[$itemname.$x]; + $add_item |= isset($_POST[$itemname.$x]); + } + if ($add_item) + $values[] = $value; + } + return $values; +} + +function haproxy_htmllist($tablename,$values,$items,$editstate=false){ + global $g, $counter; + echo "<table class='' width='100%' cellpadding='0' cellspacing='0' id='$tablename'> + <tr>"; + foreach($items as $item){ + echo "<td width='{$item['colwidth']}' class='listhdrr'>{$item['columnheader']}</td>"; + } + echo "<td width='5%' class=''></td> + </tr>"; + if (is_array($values)){ + foreach($values as $value){ + if (!$editstate) { + echo "<tr id='tr_view_$counter' ondblclick='editRow($counter); return false;' >"; + $leftitem = true; + foreach($items as $item){ + $tdclass = $leftitem ? "vtable listlr" : "vtable listr"; + echo "<td class='$tdclass'>"; + $itemname = $item['name']; + $itemtype = $item['type']; + $itemvalue = $value[$itemname]; + if ($itemtype == "select"){ + echo $item['items'][$itemvalue]['name']; + } else + if ($itemtype == "checkbox"){ + echo $itemvalue=='yes' ? gettext('yes') : gettext('no'); + } else + echo $itemvalue; + echo "</td>"; + $leftitem = false; + } + echo " + <td class='list'> + <table border='0' cellspacing='0' cellpadding='1'><tr> + <td valign='middle'> + <img src='/themes/{$g['theme']}/images/icons/icon_e.gif' title='edit entry' width='17' height='17' border='0' onclick='editRow($counter); return false;' /> + </td> + <td valign='middle'> + <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='deleteRow($counter, \"$tablename\"); return false;' /> + </td> + <td valign='middle'> + <img src='/themes/{$g['theme']}/images/icons/icon_plus.gif' title='duplicate entry' width='17' height='17' border='0' onclick='dupRow($counter, \"$tablename\"); return false;' /> + </td></tr></table> + </td>"; + echo "</tr>"; + } + $displaystyle = $editstate ? "" : "display: none;"; + echo "<tr id='tr_edit_$counter' style='$displaystyle'>"; + foreach($items as $item){ + $itemname = $item['name']; + $itemtype = $item['type']; + $itemvalue = $value[$itemname]; + $itemnamenr = $itemname.$counter; + echo "<td class='vtable'>"; + if ($itemtype == "select"){ + echo_html_select($itemnamenr, $item['items'], $itemvalue,"","updatevisibility();", "width:{$item['size']}"); + } else + if ($itemtype == "checkbox"){ + $checked = $itemvalue=='yes' ? " checked" : ""; + echo "<input name='$itemnamenr' id='$itemnamenr' type='checkbox'$checked value='yes' size='{$item['size']}' />"; + + } else + echo "<input name='$itemnamenr' id='$itemnamenr' type='text' value='{$itemvalue}' size='{$item['size']}' />"; + echo "</td>"; + } + echo " + <td class='list'> + <table border='0' cellspacing='0' cellpadding='1'><tr> + <td valign='middle'> + <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='removeRow(this); return false;' /> + </td> + <td valign='middle'> + <img src='/themes/{$g['theme']}/images/icons/icon_plus.gif' title='duplicate entry' width='17' height='17' border='0' onclick='dupRow($counter, \"$tablename\"); return false;' /> + </td></tr></table> + </td>"; + echo "</tr>"; + $counter++; + } + } + echo "</table> + <a onclick='javascript:addRowTo(\"$tablename\"); return false;' href='#'> + <img border='0' src='/themes/{$g['theme']}/images/icons/icon_plus.gif' alt='' title='add another entry' /> + </a>"; +} + +function haproxy_htmllist_js(){ +?><script type="text/javascript"> + function htmllist_get_select_items(tableId) { + var items; + var i = tableId.lastIndexOf('_'); + var items_name = "fields_"+tableId.substr(i+1); + items = eval(items_name); + return items; + } + + var addRowTo = (function() { + return (function (tableId) { + var d, tbody, tr, td, bgc, i, ii, j, type, seltext, items; + var btable, btbody, btr, btd; + d = document; + + items = htmllist_get_select_items(tableId); + seltext = htmllist_get_select_options(tableId); + + tbody = d.getElementById(tableId).getElementsByTagName("tbody").item(0); + tr = d.createElement("tr"); + totalrows++; + tr.setAttribute("id","aclrow" + totalrows); + + for (var i in items) { + td = d.createElement("td"); + if(items[i]['type'] == 'textbox') { + td.innerHTML="<input size='" + items[i]['size'] + "' name='" + items[i]['name'] + totalrows + + "' id='" + items[i]['name'] + totalrows + + "'><\/input> "; + } else if(items[i]['type'] == 'select') { + td.innerHTML="<select style='width:" + items[i]['size'] + "' name='" + items[i]['name'] + totalrows + + "' id='" + items[i]['name'] + totalrows + + "'>" + seltext + "<\/select> "; + } else { + td.innerHTML="<input type='checkbox' name='" + items[i]['name'] + totalrows + + "' id='" + items[i]['name'] + totalrows + "' value='yes'><\/input> "; + } + tr.appendChild(td); + } + td = d.createElement("td"); + td.rowSpan = "1"; + td.setAttribute("class","list"); + + // Recreate the button table. + btable = document.createElement("table"); + btable.setAttribute("border", "0"); + btable.setAttribute("cellspacing", "0"); + btable.setAttribute("cellpadding", "1"); + btbody = document.createElement("tbody"); + btr = document.createElement("tr"); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + '/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;" />'; + btr.appendChild(btd); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_plus.gif\" title=\"duplicate entry\" width=\"17\" height=\"17\" border=\"0\" onclick=\"dupRow(" + totalrows + ", '" + tableId + "'); return false;\" />"; + btr.appendChild(btd); + btbody.appendChild(btr); + btable.appendChild(btbody); + td.appendChild(btable); + tr.appendChild(td); + tbody.appendChild(tr); + }); + })(); + function dupRow(rowId, tableId) { + var dupEl; + var newEl; + addRowTo(tableId); + items = htmllist_get_select_items(tableId); + for (var i in items) { + dupEl = document.getElementById(items[i]['name'] + rowId); + newEl = document.getElementById(items[i]['name'] + totalrows); + if (dupEl && newEl) + if(items[i]['type'] == 'checkbox') + newEl.checked = dupEl.checked; + else + newEl.value = dupEl.value; + } + } + function editRow(num) { + var trview = document.getElementById('tr_view_' + num); + var tredit = document.getElementById('tr_edit_' + num); + trview.style.display='none'; + tredit.style.display=''; + } + function deleteRow(rowId, tableId) { + var view = document.getElementById("tr_view_" + rowId); + var edit = document.getElementById("tr_edit_" + rowId); + view.parentNode.removeChild(view); + edit.parentNode.removeChild(edit); + } + function removeRow(el) { + var cel; + // Break out of one table first + while (el && el.nodeName.toLowerCase() != "table") + el = el.parentNode; + while (el && el.nodeName.toLowerCase() != "tr") + el = el.parentNode; + + if (el && el.parentNode) { + cel = el.getElementsByTagName("td").item(0); + el.parentNode.removeChild(el); + } + } +</script><? +} + +?> diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php index 7b6e3d58..3ff53cea 100644 --- a/config/haproxy-devel/haproxy_listeners.php +++ b/config/haproxy-devel/haproxy_listeners.php @@ -1,8 +1,9 @@ <?php /* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ /* - haproxy_baclkends.php + haproxy_listeners.php part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> All rights reserved. @@ -28,10 +29,11 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require_once("guiconfig.inc"); require_once("haproxy.inc"); require_once("certs.inc"); +require_once("haproxy_utils.inc"); if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); @@ -71,7 +73,7 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; -$pgtitle = "Services: HAProxy: Listener"; +$pgtitle = "Services: HAProxy: Frontends"; include("head.inc"); ?> @@ -83,17 +85,17 @@ include("head.inc"); <?php endif; ?> <?php if ($input_errors) print_input_errors($input_errors); ?> <?php if ($savemsg) print_info_box($savemsg); ?> -<?php if (file_exists($d_haproxyconfdirty_path)): ?><p> -<?php print_info_box_np("The haproxy configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> +<?php if (file_exists($d_haproxyconfdirty_path)): ?> +<?php print_info_box_np("The haproxy configuration has been changed.<br/>You must apply the changes in order for them to take effect.");?><br/> <?php endif; ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> <?php - /* active tabs */ - $tab_array = array(); + /* active tabs */ + $tab_array = array(); $tab_array[] = array("Settings", false, "haproxy_global.php"); - $tab_array[] = array("Listener", true, "haproxy_listeners.php"); - $tab_array[] = array("Server Pool", false, "haproxy_pools.php"); + $tab_array[] = array("Frontend", true, "haproxy_listeners.php"); + $tab_array[] = array("Backend", false, "haproxy_pools.php"); display_top_tabs($tab_array); ?> </td></tr> @@ -108,7 +110,7 @@ include("head.inc"); <td width="30%" class="listhdrr">Description</td> <td width="20%" class="listhdrr">Address</td> <td width="5%" class="listhdrr">Type</td> - <td width="10%" class="listhdrr">Server pool</td> + <td width="10%" class="listhdrr">Backend</td> <td width="20%" class="listhdrr">Parent</td> <td width="5%" class="list"></td> </tr> @@ -125,7 +127,7 @@ include("head.inc"); $a_frontend_grouped = array(); foreach($a_frontend as &$frontend2) { - $ipport = get_frontend_ipport($frontend2); + $ipport = get_frontend_ipport($frontend2, true); $frontend2['ipport'] = $ipport; $a_frontend_grouped[$ipport][] = $frontend2; } @@ -138,7 +140,7 @@ include("head.inc"); foreach ($a_frontend_grouped as $a_frontend) { usort($a_frontend,'sort_sharedfrontends'); if (count($a_frontend) > 1 || $last_frontend_shared) { - ?> <tr class="<?=$textgray?>"><td collspan="7"> </td></tr> <? + ?> <tr class="<?=$textgray?>"><td colspan="7"> </td></tr> <? } $last_frontend_shared = count($a_frontend) > 1; foreach ($a_frontend as $frontend) { @@ -153,23 +155,47 @@ include("head.inc"); <? if (strtolower($frontend['type']) == "http" && $frontend['ssloffload']) { $cert = lookup_cert($frontend['ssloffloadcert']); - echo '<img src="'.$img_cert.'" title="SSL offloading cert: '.$cert['descr'].'" alt="SSL offloading" border="0" height="16" width="16" />'; + $descr = htmlspecialchars($cert['descr']); + $certs = $frontend['ha_certificates']['item']; + if (is_array($certs)){ + if (count($certs) > 0){ + foreach($certs as $certitem){ + $cert = lookup_cert($certitem['ssl_certificate']); + $descr .= "\n".htmlspecialchars($cert['descr']); + } + } + } + echo '<img src="'.$img_cert.'" title="SSL offloading cert: '.$descr.'" alt="SSL offloading" border="0" height="16" width="16" />'; } - $acls = get_frontent_acls($frontend); + $acls = get_frontend_acls($frontend); $isaclset = ""; foreach ($acls as $acl) { $isaclset .= " " . $acl['descr']; } + if ($frontend['ssloffloadacl']) + $isaclset .= " " . "Certificate ACL"; + if ($frontend['ssloffloadacladditional']) + $isaclset .= " " . "Additional certificate ACLs"; + if ($isaclset) - echo "<img src=\"$img_acl\" title=\"" . gettext("acl's used") . ": {$isaclset}\" border=\"0\">"; + echo "<img src=\"$img_acl\" title=\"" . gettext("acl's used") . ": {$isaclset}\" border=\"0\" />"; $isadvset = ""; if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: {$frontend['advanced_bind']}\r\n"; - if ($frontend['advanced']) $isadvset .= "advanced settings used\r\n"; + if ($frontend['advanced']) $isadvset .= "Advanced pass thru setting used\r\n"; if ($isadvset) - echo "<img src=\"$img_adv\" title=\"" . gettext("advanced settings set") . ": {$isadvset}\" border=\"0\">"; + echo "<img src=\"$img_adv\" title=\"" . gettext("Advanced settings set") . ": {$isadvset}\" border=\"0\" />"; + $backend_serverpool = $frontend['backend_serverpool']; + $backend = get_backend($backend_serverpool ); + $servers = $backend['ha_servers']['item']; + $backend_serverpool_hint = gettext("Servers in pool:"); + if (is_array($servers)){ + foreach($servers as $server){ + $backend_serverpool_hint .= "\n".$server['address'].":".$server['port']; + } + } ?> </td> <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> @@ -179,13 +205,15 @@ include("head.inc"); <?=$frontend['desc'];?> </td> <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> - <?=$frontend['ipport'];?> + <?=str_replace(" "," ",$frontend['ipport']);?> </td> <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> <?=$frontend['type']?> </td> <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> + <div title='<?=$backend_serverpool_hint;?>'> <?=$frontend['backend_serverpool']?> + </div> </td> <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';"> <?=$frontend['secondary'] == 'yes' ? $frontend['primary_frontend'] : "";?> @@ -193,9 +221,9 @@ include("head.inc"); <td class="list" nowrap> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td valign="middle"><a href="haproxy_listeners_edit.php?id=<?=$frontendname;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a></td> - <td valign="middle"><a href="haproxy_listeners.php?act=del&id=<?=$frontendname;?>" onclick="return confirm('Do you really want to delete this entry?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td> - <td valign="middle"><a href="haproxy_listeners_edit.php?dup=<?=$frontendname;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_listeners_edit.php?id=<?=$frontendname;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit frontend");?>" width="17" height="17" border="0" /></a></td> + <td valign="middle"><a href="haproxy_listeners.php?act=del&id=<?=$frontendname;?>" onclick="return confirm('Do you really want to delete this entry?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="<?=gettext("delete frontend");?>" width="17" height="17" border="0" /></a></td> + <td valign="middle"><a href="haproxy_listeners_edit.php?dup=<?=$frontendname;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("clone frontend");?>" width="17" height="17" border="0" /></a></td> </tr> </table> </td> @@ -208,7 +236,7 @@ include("head.inc"); <td class="list"> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td valign="middle"><a href="haproxy_listeners_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_listeners_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add new frontend");?>" width="17" height="17" border="0" /></a></td> </tr> </table> </td> diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index e95b88ea..2fd9a6c3 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -29,9 +29,11 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require("guiconfig.inc"); require_once("haproxy.inc"); +require_once("haproxy_utils.inc"); +require_once("haproxy_htmllist.inc"); /* Compatibility function for pfSense 2.0 */ if (!function_exists("cert_get_purpose")) { @@ -43,76 +45,13 @@ if (!function_exists("cert_get_purpose")) { } /**/ -function get_certificat_usage($refid) { - $usage = array(); - $cert = lookup_cert($refid); - if (is_cert_revoked($cert)) - $usage[] = "Revoked"; - if (is_webgui_cert($refid)) - $usage[] = "webConfigurator"; - if (is_user_cert($refid)) - $usage[] = "User Cert"; - if (is_openvpn_server_cert($refid)) - $usage[] = "OpenVPN Server"; - if (is_openvpn_client_cert($refid)) - $usage[] = "OpenVPN Client"; - if (is_ipsec_cert($cert['refid'])) - $usage[] = "IPsec Tunnel"; - if (function_exists("is_captiveportal_cert")) - if (is_captiveportal_cert($refid)) - $usage[] = "Captive Portal"; - - return $usage; -} - -// This function (is intended to) provides a uniform way to retrieve a list of server certificates -function get_certificates_server($get_includeWebCert=false) { - global $config; - $certificates=array(); - $a_cert = &$config['cert']; - foreach ($a_cert as $cert) - { - if ($get_ca == false && is_webgui_cert($cert['refid'])) - continue; - - $purpose = cert_get_purpose($cert['crt']); - //$certserverpurpose = $purpose['server'] == 'Yes' ? " [Server certificate]" : ""; - $certserverpurpose = ""; - - $selected = ""; - $caname = ""; - $inuse = ""; - $revoked = ""; - $ca = lookup_ca($cert['caref']); - if ($ca) - $caname = " (CA: {$ca['descr']})"; - if ($pconfig['certref'] == $cert['refid']) - $selected = "selected"; - if (cert_in_use($cert['refid'])) - $inuse = " *In Use"; - if (is_cert_revoked($cert)) - $revoked = " *Revoked"; - - $usagestr=""; - $usage = get_certificat_usage($cert['refid']); - foreach($usage as $use){ - $usagestr .= " " . $use; - } - if ($usagestr != "") - $usagestr = " (".trim($usagestr).")"; - - $certificates[$cert['refid']]['name'] = $cert['descr'] . $caname . $certserverpurpose . $inuse . $revoked . $usagestr; - } - return $certificates; -} - -function haproxy_acl_select($mode) { +function haproxy_js_acl_select($mode) { global $a_acltypes; $seltext = ''; - foreach ($a_acltypes as $expr) { + foreach ($a_acltypes as $key => $expr) { if ($expr['mode'] == '' || $expr['mode'] == $mode) - $seltext .= "<option value='" . $expr['name'] . "'>" . $expr['descr'] .":</option>"; + $seltext .= "<option value='" . $key . "'>" . $expr['name'] .":<\/option>"; } return $seltext; } @@ -128,7 +67,7 @@ $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; global $simplefields; $simplefields = array('name','desc','status','secondary','primary_frontend','type','forwardfor','httpclose','extaddr','backend_serverpool', - 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','advanced_bind'); + 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','advanced_bind','ssloffloadacladditional'); if (isset($_POST['id'])) $id = $_POST['id']; @@ -140,10 +79,41 @@ if (isset($_GET['dup'])) $id = get_frontend_id($id); +$servercerts = get_certificates_server(); + +$fields_sslCertificates=array(); +$fields_sslCertificates[0]['name']="ssl_certificate"; +$fields_sslCertificates[0]['columnheader']="Certificates"; +$fields_sslCertificates[0]['colwidth']="95%"; +$fields_sslCertificates[0]['type']="select"; +$fields_sslCertificates[0]['size']="500px"; +$fields_sslCertificates[0]['items']=&$servercerts; + +$fields_aclSelectionList=array(); +$fields_aclSelectionList[0]['name']="name"; +$fields_aclSelectionList[0]['columnheader']="Name"; +$fields_aclSelectionList[0]['colwidth']="30%"; +$fields_aclSelectionList[0]['type']="textbox"; +$fields_aclSelectionList[0]['size']="20"; + +$fields_aclSelectionList[1]['name']="expression"; +$fields_aclSelectionList[1]['columnheader']="Expression"; +$fields_aclSelectionList[1]['colwidth']="30%"; +$fields_aclSelectionList[1]['type']="select"; +$fields_aclSelectionList[1]['size']="10"; +$fields_aclSelectionList[1]['items']=&$a_acltypes; + +$fields_aclSelectionList[2]['name']="value"; +$fields_aclSelectionList[2]['columnheader']="Value"; +$fields_aclSelectionList[2]['colwidth']="35%"; +$fields_aclSelectionList[2]['type']="textbox"; +$fields_aclSelectionList[2]['size']="35"; + + if (isset($id) && $a_backend[$id]) { $pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item']; + $pconfig['a_certificates']=&$a_backend[$id]['ha_certificates']['item']; $pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']); - foreach($simplefields as $stat) $pconfig[$stat] = $a_backend[$id][$stat]; } @@ -162,8 +132,8 @@ if ($_POST) { if ($pconfig['secondary'] != "yes") { - $reqdfields = explode(" ", "name type port max_connections"); - $reqdfieldsn = explode(",", "Name,Type,Port,Max connections"); + $reqdfields = explode(" ", "name type port"); + $reqdfieldsn = explode(",", "Name,Type,Port"); } else { $reqdfields = explode(" ", "name"); $reqdfieldsn = explode(",", "Name"); @@ -175,7 +145,7 @@ if ($_POST) { $input_errors[] = "The field 'Name' contains invalid characters."; if ($pconfig['secondary'] != "yes") { - if (!is_numeric($_POST['max_connections'])) + if ($_POST['max_connections'] && !is_numeric($_POST['max_connections'])) $input_errors[] = "The field 'Max connections' value is not a number."; $ports = split(",", $_POST['port'] . ","); @@ -192,36 +162,26 @@ if ($_POST) { if (($_POST['name'] == $config['installedpackages']['haproxy']['ha_backends']['item'][$i]['name']) && ($i != $id)) $input_errors[] = "This frontend name has already been used. Frontend names must be unique. $i != $id"; - $a_acl=array(); - $acl_names=array(); - for($x=0; $x<99; $x++) { - $acl_name=$_POST['acl_name'.$x]; - $acl_expression=$_POST['acl_expression'.$x]; - $acl_value=$_POST['acl_value'.$x]; - - if ($acl_name) { - $acl_names[]=$acl_name; - - $acl=array(); - $acl['name']=$acl_name; - $acl['expression']=$acl_expression; - $acl['value']=$acl_value; - $a_acl[]=$acl; - - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $acl_name)) - $input_errors[] = "The field 'Name' contains invalid characters."; - - if (!preg_match("/.{1,}/", $acl_value)) - $input_errors[] = "The field 'Value' is required."; + $a_certificates = haproxy_htmllist_get_values($fields_sslCertificates); + $pconfig['a_certificates'] = $a_certificates; + + $a_acl = haproxy_htmllist_get_values($fields_aclSelectionList); + $pconfig['a_acl'] = $a_acl; + + foreach($a_acl as $acl) { + $acl_name = $acl['name']; + $acl_value = $acl['value']; + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $acl_name)) + $input_errors[] = "The field 'Name' contains invalid characters."; - if (!preg_match("/.{2,}/", $acl_name)) - $input_errors[] = "The field 'Name' is required."; + if (!preg_match("/.{1,}/", $acl_value)) + $input_errors[] = "The field 'Value' is required."; - } + if (!preg_match("/.{2,}/", $acl_name)) + $input_errors[] = "The field 'Name' is required with at least 2 characters."; } - $pconfig['a_acl']=$a_acl; - if (!$input_errors) { $backend = array(); if(isset($id) && $a_backend[$id]) @@ -241,10 +201,10 @@ if ($_POST) { foreach($simplefields as $stat) update_if_changed($stat, $backend[$stat], $_POST[$stat]); - update_if_changed("advanced", $backend['advanced'], base64_encode($_POST['advanced'])); $backend['ha_acls']['item'] = $a_acl; + $backend['ha_certificates']['item'] = $a_certificates; if (isset($id) && $a_backend[$id]) { $a_backend[$id] = $backend; @@ -272,167 +232,55 @@ if (!$id) $pconfig['ssloffloadacl'] = "yes"; } +$closehead = false; $pgtitle = "HAProxy: Frontend: Edit"; include("head.inc"); -?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +$primaryfrontends = get_haproxy_frontends($pconfig['name']); +$interfaces = haproxy_get_bindable_interfaces(); + +?> <style type="text/css"> .haproxy_mode_http{display:none;} .haproxy_ssloffloading_enabled{display:none;} .haproxy_primary{} .haproxy_secondary{display:none;} </style> +</head> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php if($one_two): ?> <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script> <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> <?php endif; ?> -<script type="text/javascript"> - // Global Variables - var rowname = new Array(99); - var rowtype = new Array(99); - var newrow = new Array(99); - var rowsize = new Array(99); - - for (i = 0; i < 99; i++) { - rowname[i] = ''; - rowtype[i] = ''; - newrow[i] = ''; - rowsize[i] = '25'; - } - var field_counter_js = 0; - var loaded = 0; - var is_streaming_progress_bar = 0; - var temp_streaming_text = ""; - - var addRowTo = (function() { - return (function (tableId) { - var d, tbody, tr, td, bgc, i, ii, j, type, seltext; - var btable, btbody, btr, btd; - - d = document; - type = d.getElementById("type").value; - if (type == 'health') - seltext = "<?php echo haproxy_acl_select('health');?>"; - else if (type == 'tcp') - seltext = "<?php echo haproxy_acl_select('tcp');?>"; - else if (type == 'https') - seltext = "<?php echo haproxy_acl_select('https');?>"; - else - seltext = "<?php echo haproxy_acl_select('http');?>"; - if (seltext == '') { - alert("No ACL types available in current listener mode"); - return; - } - tbody = d.getElementById(tableId).getElementsByTagName("tbody").item(0); - tr = d.createElement("tr"); - totalrows++; - tr.setAttribute("id","aclrow" + totalrows); - for (i = 0; i < field_counter_js; i++) { - td = d.createElement("td"); - if(rowtype[i] == 'textbox') { - td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + - "'></input><input size='" + rowsize[i] + "' name='" + rowname[i] + totalrows + - "' id='" + rowname[i] + totalrows + - "'></input> "; - } else if(rowtype[i] == 'select') { - td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + - "'></input><select name='" + rowname[i] + totalrows + - "' id='" + rowname[i] + totalrows + - "'>" + seltext + "</select> "; - } else { - td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + - "'></input><input type='checkbox' name='" + rowname[i] + totalrows + - "' id='" + rowname[i] + totalrows + "'></input> "; - } - tr.appendChild(td); - } - td = d.createElement("td"); - td.rowSpan = "1"; - td.setAttribute("class","list"); - - // Recreate the button table. - btable = document.createElement("table"); - btable.setAttribute("border", "0"); - btable.setAttribute("cellspacing", "0"); - btable.setAttribute("cellpadding", "1"); - btbody = document.createElement("tbody"); - btr = document.createElement("tr"); - btd = document.createElement("td"); - btd.setAttribute("valign", "middle"); - btd.innerHTML = '<img src="/themes/' + theme + '/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;">'; - btr.appendChild(btd); - btd = document.createElement("td"); - btd.setAttribute("valign", "middle"); - btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_plus.gif\" title=\"duplicate entry\" width=\"17\" height=\"17\" border=\"0\" onclick=\"dupRow(" + totalrows + ", 'acltable'); return false;\">"; - btr.appendChild(btd); - btbody.appendChild(btr); - btable.appendChild(btbody); - - td.appendChild(btable); - tr.appendChild(td); - tbody.appendChild(tr); - }); - })(); - - function dupRow(rowId, tableId) { - var dupEl; - var newEl; - - addRowTo(tableId); - for (i = 0; i < field_counter_js; i++) { - dupEl = document.getElementById(rowname[i] + rowId); - newEl = document.getElementById(rowname[i] + totalrows); - if (dupEl && newEl) - newEl.value = dupEl.value; +<script type="text/javascript"> + function htmllist_get_select_options(tableId) { + var seltext; + seltext = ""; + var type = d.getElementById("type").value; + if (tableId == 'tableA_acltable'){ + if (type == 'health') + seltext = "<?php echo haproxy_js_acl_select('health');?>"; + else if (type == 'tcp') + seltext = "<?php echo haproxy_js_acl_select('tcp');?>"; + else if (type == 'https') + seltext = "<?php echo haproxy_js_acl_select('https');?>"; + else + seltext = "<?php echo haproxy_js_acl_select('http');?>"; + if (seltext == '') { + alert("No ACL types available in current frontend type"); + return; + } } + if (tableId == 'tableA_sslCertificates'){ + seltext = "<?=haproxy_js_select_options($servercerts);?>"; + } + return seltext; } - function removeRow(el) { - var cel; - // Break out of one table first - while (el && el.nodeName.toLowerCase() != "table") - el = el.parentNode; - while (el && el.nodeName.toLowerCase() != "tr") - el = el.parentNode; - - if (el && el.parentNode) { - cel = el.getElementsByTagName("td").item(0); - el.parentNode.removeChild(el); - } - } - - function find_unique_field_name(field_name) { - // loop through field_name and strip off -NUMBER - var last_found_dash = 0; - for (var i = 0; i < field_name.length; i++) { - // is this a dash, if so, update - // last_found_dash - if (field_name.substr(i,1) == "-" ) - last_found_dash = i; - } - if (last_found_dash < 1) - return field_name; - return(field_name.substr(0,last_found_dash)); - } - - rowname[0] = "acl_name"; - rowtype[0] = "textbox"; - rowsize[0] = "20"; - - rowname[1] = "acl_expression"; - rowtype[1] = "select"; - rowsize[1] = "10"; - - rowname[2] = "acl_value"; - rowtype[2] = "textbox"; - rowsize[2] = "35"; - - function setCSSdisplay(cssID, display) - { + function setCSSdisplay(cssID, display) { var ss = document.styleSheets; for (var i=0; i<ss.length; i++) { var rules = ss[i].cssRules || ss[i].rules; @@ -444,8 +292,7 @@ include("head.inc"); } } - function updatevisibility() - { + function updatevisibility() { d = document; ssloffload = d.getElementById("ssloffload"); type = d.getElementById("type"); @@ -463,13 +310,19 @@ include("head.inc"); setCSSdisplay(".haproxy_secondary", secondary.checked); type_change(type); + + http_close = d.getElementById("httpclose").value; + http_close_description = d.getElementById("http_close_description"); + http_close_description.innerHTML=closetypes[http_close]["descr"]; + http_close_description.setAttribute('style','padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt; height:30px'); + http_close_description.setAttribute('style','padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt; height:'+http_close_description.scrollHeight+'px'); } function type_change(type) { var d, i, j, el, row; var count = <?=count($a_acltypes);?>; - var acl = [ <?php foreach ($a_acltypes as $expr) echo "'".$expr['name']."'," ?> ]; - var mode = [ <?php foreach ($a_acltypes as $expr) echo "'".$expr['mode']."'," ?> ]; + var acl = [ <?php foreach ($a_acltypes as $key => $expr) echo "'".$key."'," ?> ]; + var mode = [ <?php foreach ($a_acltypes as $key => $expr) echo "'".$expr['mode']."'," ?> ]; d = document; for (i = 0; i < 99; i++) { @@ -487,6 +340,26 @@ include("head.inc"); } } } + + for (i = 0; i < 99; i++) { + el = d.getElementById("expression" + i); + //row_v = d.getElementById("tr_view_" + i); + row_e = d.getElementById("tr_edit_" + i); + if (!el) + continue; + for (j = 0; j < count; j++) { + if (acl[j] == el.value) { + if (mode[j] != '' && mode[j] != type) { + //Effect.Fade(row_v,{ duration: 1.0 }); + Effect.Fade(row_e,{ duration: 1.0 }); + } else { + //Effect.Appear(row_v,{ duration: 1.0 }); + Effect.Appear(row_e,{ duration: 1.0 }); + } + } + } + } + } </script> <?php include("fbegin.inc"); ?> @@ -495,6 +368,19 @@ include("head.inc"); <p class="pgtitle"><?=$pgtitle?></p> <?php endif; ?> <form action="haproxy_listeners_edit.php" method="post" name="iform" id="iform"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> + <?php + /* active tabs */ + $tab_array = array(); + $tab_array[] = array("Settings", false, "haproxy_global.php"); + $tab_array[] = array("Frontend", true, "haproxy_listeners.php"); + $tab_array[] = array("Backend", false, "haproxy_pools.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> <div class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> @@ -503,13 +389,13 @@ include("head.inc"); <tr> <td width="22%" valign="top" class="vncellreq">Name</td> <td width="78%" class="vtable" colspan="2"> - <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="25" maxlength="25"> + <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="25" maxlength="25" /> </td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Description</td> <td width="78%" class="vtable" colspan="2"> - <input name="desc" type="text" <?if(isset($pconfig['desc'])) echo "value=\"{$pconfig['desc']}\"";?> size="64"> + <input name="desc" type="text" <?if(isset($pconfig['desc'])) echo "value=\"{$pconfig['desc']}\"";?> size="64" /> </td> </tr> <tr align="left"> @@ -520,11 +406,16 @@ include("head.inc"); <option value="disabled"<?php if($pconfig['status'] == "disabled") echo " SELECTED"; ?>>Disabled</option> </select> </td> - </tr> + </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Shared Frontend</td> <td width="78%" class="vtable" colspan="2"> - <input id="secondary" name="secondary" type="checkbox" value="yes" <?php if ($pconfig['secondary']=='yes') echo "checked"; ?> onclick="updatevisibility();"/> + <?if (count($primaryfrontends)==0){ ?> + <b>At least 1 primary frontend is needed.</b><br/><br/> + <? } else{ ?> + <input id="secondary" name="secondary" type="checkbox" value="yes" <?php if ($pconfig['secondary']=='yes') echo "checked"; ?> onclick="updatevisibility();" /> + <? } ?> + This can be used to host a second or more website on the same IP:Port combination.<br/> Use this setting to configure multiple backends/accesslists for a single frontend.<br/> All settings of which only 1 can exist will be hidden.<br/> The frontend settings will be merged into 1 set of frontend configuration. @@ -534,7 +425,6 @@ include("head.inc"); <td width="22%" valign="top" class="vncellreq">Primary frontend</td> <td width="78%" class="vtable" colspan="2"> <? - $primaryfrontends = get_haproxy_frontends($pconfig['name']); echo_html_select('primary_frontend',$primaryfrontends, $pconfig['primary_frontend'],"You must first create a 'primary' frontend.","updatevisibility();"); ?> </td> @@ -542,22 +432,9 @@ include("head.inc"); <tr class="haproxy_primary"> <td width="22%" valign="top" class="vncellreq">External address</td> <td width="78%" class="vtable"> - <select name="extaddr" class="formfld"> - <option value="" <?php if (!$pconfig['extaddr']) echo "selected"; ?>>Interface address</option> - <option value="localhost" <?php if ('localhost' == $pconfig['extaddr']) echo "selected"; ?>>Localhost</option> - <?php - if (is_array($config['virtualip']['vip'])): - foreach ($config['virtualip']['vip'] as $sn): - ?> - <option value="<?=$sn['subnet'];?>" <?php if ($sn['subnet'] == $pconfig['extaddr']) echo "selected"; ?>> - <?=htmlspecialchars("{$sn['subnet']} ({$sn['descr']})");?> - </option> - <?php - endforeach; - endif; + <? + echo_html_select('extaddr', $interfaces, $pconfig['extaddr']); ?> - <option value="any" <?php if($pconfig['extaddr'] == "any") echo "selected"; ?>>any</option> - </select> <br /> <span class="vexpl"> If you want this rule to apply to another IP address than the IP address of the interface chosen above, @@ -569,14 +446,14 @@ include("head.inc"); <tr class="haproxy_primary" align="left"> <td width="22%" valign="top" class="vncellreq">External port</td> <td width="78%" class="vtable" colspan="2"> - <input name="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="30" maxlength="500"> + <input name="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="10" maxlength="500" /> <div>The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,443</div> </td> </tr> <tr class="haproxy_primary" align="left"> - <td width="22%" valign="top" class="vncellreq">Max connections</td> + <td width="22%" valign="top" class="vncell">Max connections</td> <td width="78%" class="vtable" colspan="2"> - <input name="max_connections" type="text" <?if(isset($pconfig['max_connections'])) echo "value=\"{$pconfig['max_connections']}\"";?> size="10" maxlength="10"> + <input name="max_connections" type="text" <?if(isset($pconfig['max_connections'])) echo "value=\"{$pconfig['max_connections']}\"";?> size="10" maxlength="10" /> </td> </tr> <tr> @@ -614,58 +491,14 @@ include("head.inc"); <tr> <td width="22%" valign="top" class="vncell">Access Control lists</td> <td width="78%" class="vtable" colspan="2" valign="top"> - <table class="" width="100%" cellpadding="0" cellspacing="0" id='acltable'> - <tr> - <td width="35%" class="">Name</td> - <td width="40%" class="">Expression</td> - <td width="20%" class="">Value</td> - <td width="5%" class=""></td> - </tr> - <?php - $a_acl=$pconfig['a_acl']; - - if (!is_array($a_acl)) { - $a_acl=array(); - } - - $counter=0; - foreach ($a_acl as $acl) { - $t = haproxy_find_acl($acl['expression']); - $display = ''; - if (!$t || ($t['mode'] != '' && $t['mode'] != strtolower($pconfig['type']))) - $display = 'style="display: none;"'; - ?> - <tr id="aclrow<?=$counter;?>" <?=$display;?>> - <td><input name="acl_name<?=$counter;?>" id="acl_name<?=$counter;?>" type="text" value="<?=$acl['name']; ?>" size="20"/></td> - <td> - <select name="acl_expression<?=$counter;?>" id="acl_expression<?=$counter;?>"> - <?php - foreach ($a_acltypes as $expr) { ?> - <option value="<?=$expr['name'];?>"<?php if($acl['expression'] == $expr['name']) echo " SELECTED"; ?>><?=$expr['descr'];?>:</option> - <?php } ?> - </select> - </td> - <td><input name="acl_value<?=$counter;?>" id="acl_value<?=$counter;?>" type="text" value="<?=$acl['value']; ?>" size="35"/></td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"><tr> - <td valign="middle"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;"> - </td> - <td valign="middle"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="duplicate entry" width="17" height="17" border="0" onclick="dupRow(<?=$counter;?>, 'acltable'); return false;"> - </td></tr></table> - </td> - </tr> - <?php - $counter++; - } - ?> - </table> - <a onclick="javascript:addRowTo('acltable'); return false;" href="#"> - <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" alt="" title="add another entry" /> - </a><br/> + <? + $counter=0; + $a_acl = $pconfig['a_acl']; + haproxy_htmllist("tableA_acltable", $a_acl, $fields_aclSelectionList, true); + ?> + <br/> acl's with the same name wil be 'combined', acl's with different names will be evaluated seperately.<br/> - For more information about ACL's please see <a href='http://haproxy.1wt.eu/download/1.5/doc/configuration.txt' target='_new'>HAProxy Documentation</a> Section 7 - Using ACL's + For more information about ACL's please see <a href='http://haproxy.1wt.eu/download/1.5/doc/configuration.txt' target='_blank'>HAProxy Documentation</a> Section 7 - Using ACL's </td> </tr> </table> @@ -677,14 +510,14 @@ include("head.inc"); <tr align="left"> <td width="22%" valign="top" class="vncell">Client timeout</td> <td width="78%" class="vtable" colspan="2"> - <input name="client_timeout" type="text" <?if(isset($pconfig['client_timeout'])) echo "value=\"{$pconfig['client_timeout']}\"";?> size="10" maxlength="10"> + <input name="client_timeout" type="text" <?if(isset($pconfig['client_timeout'])) echo "value=\"{$pconfig['client_timeout']}\"";?> size="10" maxlength="10" /> <div>the time (in milliseconds) we accept to wait for data from the client, or for the client to accept data (default 30000).</div> </td> </tr> <tr align="left" class="haproxy_mode_http"> <td width="22%" valign="top" class="vncell">Use 'forwardfor' option</td> <td width="78%" class="vtable" colspan="2"> - <input id="forwardfor" name="forwardfor" type="checkbox" value="yes" <?php if ($pconfig['forwardfor']=='yes') echo "checked"; ?>> + <input id="forwardfor" name="forwardfor" type="checkbox" value="yes" <?php if ($pconfig['forwardfor']=='yes') echo "checked"; ?> /> <br/> The 'forwardfor' option creates an HTTP 'X-Forwarded-For' header which contains the client's IP address. This is useful to let the final web server @@ -698,17 +531,16 @@ include("head.inc"); <tr align="left" class="haproxy_mode_http"> <td width="22%" valign="top" class="vncell">Use 'httpclose' option</td> <td width="78%" class="vtable" colspan="2"> - <input id="httpclose" name="httpclose" type="checkbox" value="yes" <?php if ($pconfig['httpclose']=='yes') echo "checked"; ?>> - <br/> - The 'httpclose' option removes any 'Connection' header both ways, and - adds a 'Connection: close' header in each direction. This makes it easier to - disable HTTP keep-alive than the previous 4-rules block. + <? + echo_html_select("httpclose",$a_closetypes,$pconfig['httpclose']?$pconfig['httpclose']:"none","","updatevisibility();"); + ?><br/> + <textarea readonly="yes" cols="70" rows="3" id="http_close_description" name="http_close_description" style="padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt;"></textarea> </td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Bind pass thru</td> <td width="78%" class="vtable" colspan="2"> - <input name="advanced_bind" type="text" <?if(isset($pconfig['advanced_bind'])) echo "value=\"".htmlspecialchars($pconfig['advanced_bind'])."\"";?> size="64"> + <input name="advanced_bind" type="text" <?if(isset($pconfig['advanced_bind'])) echo "value=\"".htmlspecialchars($pconfig['advanced_bind'])."\"";?> size="64" /> <br/> NOTE: paste text into this box that you would like to pass behind the bind option. </td> @@ -732,34 +564,44 @@ include("head.inc"); <tr align="left"> <td width="22%" valign="top" class="vncell">Use Offloading</td> <td width="78%" class="vtable" colspan="2"> - <input id="ssloffload" name="ssloffload" type="checkbox" value="yes" <?php if ($pconfig['ssloffload']=='yes') echo "checked";?> onclick="updatevisibility();"><strong>Use Offloading</strong></input> + <input id="ssloffload" name="ssloffload" type="checkbox" value="yes" <?php if ($pconfig['ssloffload']=='yes') echo "checked";?> onclick="updatevisibility();" /><strong>Use Offloading</strong> <br/> - The SSL Offloading will reduce web servers load by encrypt data to users on internet and send it without encrytion to internal servers. + SSL Offloading will reduce web servers load by maintaining and encrypting connection with users on internet while sending and retrieving data without encrytion to internal servers. + Also more ACL rules and http logging may be configured when this option is used. + Certificates can be imported into the <a href="/system_camanager.php" target="_blank">pfSense "Certificate Authority Manager"</a> + Please be aware this possibly will not work with all web applications. Some applications will require setting the SSL checkbox on the backend server configurations so the connection to the webserver will also be a encrypted connection, in that case there will be a slight overall performance loss. </td> </tr> <tr class="haproxy_ssloffloading_enabled" align="left"> <td width="22%" valign="top" class="vncell">Certificate</td> <td width="78%" class="vtable" colspan="2"> <? - $servercerts = get_certificates_server(); echo_html_select("ssloffloadcert", $servercerts, $pconfig['ssloffloadcert'], '<b>No Certificates defined.</b> <br/>Create one under <a href="system_certmanager.php">System > Cert Manager</a>.'); ?> <br/> NOTE: choose the cert to use on this frontend. + <br/> + <input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate CommonName. </td> </tr> - <tr class="haproxy_ssloffloading_enabled" align="left"> - <td width="22%" valign="top" class="vncell">ACL for certificate CN</td> - <td width="78%" class="vtable" colspan="2"> - <input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();">Add ACL for certificate CommonName.</input> + <tr class="haproxy_ssloffloading_enabled"> + <td width="22%" valign="top" class="vncell">Additional certificates</td> + <td width="78%" class="vtable" colspan="2" valign="top"> + Which of these certificate will be send will be determined by haproxys SNI recognition. If the browser does not send SNI this will not work properly. (IE on XP is one example, possibly also older browsers or mobile devices) + <? + $a_certificates = $pconfig['a_certificates']; + haproxy_htmllist("tableA_sslCertificates", $a_certificates, $fields_sslCertificates); + ?> + <br/> + <input id="ssloffloadacladditional" name="ssloffloadacladditional" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacladditional']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate CommonName. </td> </tr> <tr class="haproxy_ssloffloading_enabled haproxy_primary" align="left"> <td width="22%" valign="top" class="vncell">Advanced ssl options</td> <td width="78%" class="vtable" colspan="2"> - <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo "value=\"{$pconfig['dcertadv']}\"";?> size="10" maxlength="64"> + <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo "value=\"{$pconfig['dcertadv']}\"";?> maxlength="64" /> <br/> - NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br> + NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br/> some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets </td> </tr> @@ -771,10 +613,10 @@ include("head.inc"); <tr align="left"> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <input name="Submit" type="submit" class="formbtn" value="Save" /> + <input type="button" class="formbtn" value="Cancel" onclick="history.back()" /> <?php if (isset($id) && $a_backend[$id]): ?> - <input name="id" type="hidden" value="<?=$a_backend[$id]['name'];?>"> + <input name="id" type="hidden" value="<?=$a_backend[$id]['name'];?>" /> <?php endif; ?> </td> </tr> @@ -784,23 +626,23 @@ include("head.inc"); </td> </tr> </table> - </div> + </div></td></tr></table> </form> -<br> +<br/> <script type="text/javascript"> <? phparray_to_javascriptarray($primaryfrontends,"primaryfrontends",Array('/*','/*/name','/*/ref','/*/ref/type','/*/ref/ssloffload')); + phparray_to_javascriptarray($a_closetypes,"closetypes",Array('/*','/*/name','/*/descr')); + phparray_to_javascriptarray($fields_sslCertificates,"fields_sslCertificates",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name')); + phparray_to_javascriptarray($fields_aclSelectionList,"fields_acltable",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name')); ?> - </script> <script type="text/javascript"> - field_counter_js = 3; - rows = 1; totalrows = <?php echo $counter; ?>; - loaded = <?php echo $counter; ?>; - updatevisibility(); </script> -<?php include("fend.inc"); ?> +<?php +haproxy_htmllist_js(); +include("fend.inc"); ?> </body> </html> diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index a7a56b1c..93fa20dc 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -3,6 +3,7 @@ /* haproxy_pool_edit.php part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> All rights reserved. @@ -28,9 +29,11 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require("guiconfig.inc"); require_once("haproxy.inc"); +require_once("haproxy_utils.inc"); +require_once("haproxy_htmllist.inc"); $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; @@ -52,9 +55,48 @@ global $simplefields; $simplefields = array( "name","cookie","balance","transparent_clientip","transparent_interface", "check_type","checkinter","httpcheck_method","monitor_uri","monitor_httpversion","monitor_username","monitor_domain","monitor_agentport", +"agent_check","agent_port","agent_inter", "connection_timeout","server_timeout","retries", "stats_enabled","stats_username","stats_password","stats_uri","stats_realm","stats_admin","stats_node_enabled","stats_node","stats_desc","stats_refresh"); +$fields_servers=array(); +$fields_servers[0]['name']="name"; +$fields_servers[0]['columnheader']="Name"; +$fields_servers[0]['colwidth']="20%"; +$fields_servers[0]['type']="textbox"; +$fields_servers[0]['size']="30"; +$fields_servers[1]['name']="address"; +$fields_servers[1]['columnheader']="Address"; +$fields_servers[1]['colwidth']="10%"; +$fields_servers[1]['type']="textbox"; +$fields_servers[1]['size']="20"; +$fields_servers[2]['name']="port"; +$fields_servers[2]['columnheader']="Port"; +$fields_servers[2]['colwidth']="5%"; +$fields_servers[2]['type']="textbox"; +$fields_servers[2]['size']="5"; +$fields_servers[3]['name']="ssl"; +$fields_servers[3]['columnheader']="SSL"; +$fields_servers[3]['colwidth']="5%"; +$fields_servers[3]['type']="checkbox"; +$fields_servers[3]['size']="30"; +$fields_servers[4]['name']="weight"; +$fields_servers[4]['columnheader']="Weight"; +$fields_servers[4]['colwidth']="8%"; +$fields_servers[4]['type']="textbox"; +$fields_servers[4]['size']="5"; +$fields_servers[5]['name']="status"; +$fields_servers[5]['columnheader']="Mode"; +$fields_servers[5]['colwidth']="5%"; +$fields_servers[5]['type']="select"; +$fields_servers[5]['size']="5"; +$fields_servers[5]['items']=&$a_servermodes; +$fields_servers[6]['name']="advanced"; +$fields_servers[6]['columnheader']="Advanced"; +$fields_servers[6]['colwidth']="15%"; +$fields_servers[6]['type']="textbox"; +$fields_servers[6]['size']="20"; + if (isset($id) && $a_pools[$id]) { $pconfig['advanced'] = base64_decode($a_pools[$id]['advanced']); $pconfig['advanced_backend'] = base64_decode($a_pools[$id]['advanced_backend']); @@ -67,7 +109,7 @@ if (isset($id) && $a_pools[$id]) { if (isset($_GET['dup'])) unset($id); -$changedesc = "Services: HAProxy: pools: "; +$changedesc = "Services: HAProxy: Backend server pool: "; $changecount = 0; if ($_POST) { @@ -114,45 +156,28 @@ if ($_POST) { if (($_POST['name'] == $config['installedpackages']['haproxy']['ha_pools']['item'][$i]['name']) && ($i != $id)) $input_errors[] = "This pool name has already been used. Pool names must be unique."; - $a_servers=array(); - for($x=0; $x<99; $x++) { - $server_name = $_POST['server_name'.$x]; - $server_address = $_POST['server_address'.$x]; - $server_port = $_POST['server_port'.$x]; - $server_ssl = $_POST['server_ssl'.$x]; - $server_weight = $_POST['server_weight'.$x]; - $server_status = $_POST['server_status'.$x]; - $server_advanced = $_POST['server_advanced'.$x]; - - if ($server_address) { - $server = array(); - $server['name'] = $server_name; - $server['address'] = $server_address; - $server['port'] = $server_port; - $server['ssl'] = $server_ssl; - $server['weight'] = $server_weight; - $server['status'] = $server_status; - $server['advanced'] = $server_advanced; - $a_servers[] = $server; - - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_name)) - $input_errors[] = "The field 'Name' contains invalid characters."; - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_address)) - $input_errors[] = "The field 'Address' contains invalid characters."; - - if (!preg_match("/.{2,}/", $server_name)) - $input_errors[] = "The field 'Name' is required (and must be at least 2 characters)."; - - if (!preg_match("/.{2,}/", $server_address)) - $input_errors[] = "The field 'Address' is required (and must be at least 2 characters)."; - - - if (!is_numeric($server_weight)) - $input_errors[] = "The field 'Weight' value is not a number."; - - if ($server_port && !is_numeric($server_port)) - $input_errors[] = "The field 'Port' value is not a number."; - } + $a_servers = haproxy_htmllist_get_values($fields_servers); + foreach($a_servers as $server){ + $server_name = $server['name']; + $server_address = $server['address']; + $server_port = $server['port']; + $server_weight = $server['weight']; + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_name)) + $input_errors[] = "The field 'Name' contains invalid characters."; + if (!is_ipaddr($server_address)) + $input_errors[] = "The field 'Address' is not a valid ip address."; + + if (!preg_match("/.{2,}/", $server_name)) + $input_errors[] = "The field 'Name' is required (and must be at least 2 characters)."; + + if (!preg_match("/.{2,}/", $server_address)) + $input_errors[] = "The field 'Address' is required (and must be at least 2 characters)."; + + if (!is_numeric($server_weight)) + $input_errors[] = "The field 'Weight' value is not a number."; + + if ($server_port && !is_numeric($server_port)) + $input_errors[] = "The field 'Port' value is not a number."; } if (!$input_errors) { @@ -215,20 +240,16 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; -$pgtitle = "HAProxy: Backend: Edit"; +$closehead = false; +$pgtitle = "HAProxy: Backend server pool: Edit"; include("head.inc"); -row_helper(); - // 'processing' done, make all simple fields usable in html. foreach($simplefields as $field){ $pconfig[$field] = htmlspecialchars($pconfig[$field]); } -?> - -<input type='hidden' name='address_type' value='textbox' /> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +?> <style type="text/css"> .haproxy_stats_visible{display:none;} .haproxy_check_enabled{display:none;} @@ -237,8 +258,15 @@ foreach($simplefields as $field){ .haproxy_check_smtp{display:none;} .haproxy_transparent_clientip{display:none;} .haproxy_check_agent{display:none;} + .haproxy_agent_check{display:none;} </style> -<script language="javascript"> +</head> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<script type="text/javascript"> + function htmllist_get_select_options(tableId) { + return "<?=haproxy_js_select_options($a_servermodes);?>"; + } + function clearcombo(){ for (var i=document.iform.serversSelect.options.length-1; i>=0; i--){ document.iform.serversSelect.options[i] = null; @@ -272,6 +300,8 @@ foreach($simplefields as $field){ setCSSdisplay(".haproxy_check_username", check_type == 'MySQL' || check_type == 'PostgreSQL'); setCSSdisplay(".haproxy_check_smtp", check_type == 'SMTP' || check_type == 'ESMTP'); setCSSdisplay(".haproxy_check_agent", check_type == 'Agent'); + + setCSSdisplay(".haproxy_agent_check", agent_check.checked); transparent_clientip = d.getElementById("transparent_clientip"); setCSSdisplay(".haproxy_transparent_clientip", transparent_clientip.checked); @@ -284,31 +314,6 @@ foreach($simplefields as $field){ sqlcheckusername.innerText = monitor_username.value; } } - - -</script> -<script type="text/javascript"> - rowname[0] = "server_name"; - rowtype[0] = "textbox"; - rowsize[0] = "30"; - rowname[1] = "server_address"; - rowtype[1] = "textbox"; - rowsize[1] = "20"; - rowname[2] = "server_port"; - rowtype[2] = "textbox"; - rowsize[2] = "5"; - rowname[3] = "server_ssl"; - rowtype[3] = "checkbox"; - rowsize[3] = "5"; - rowname[4] = "server_weight"; - rowtype[4] = "textbox"; - rowsize[4] = "5"; - rowname[5] = "server_status"; - rowtype[5] = "select"; - rowsize[5] = "1"; - rowname[6] = "server_advanced"; - rowtype[6] = "textbox"; - rowsize[6] = "20"; </script> <?php include("fbegin.inc"); ?> <?php if ($input_errors) print_input_errors($input_errors); ?> @@ -316,21 +321,35 @@ foreach($simplefields as $field){ <p class="pgtitle"><?=$pgtitle?></p> <?php endif; ?> <form action="haproxy_pool_edit.php" method="post" name="iform" id="iform"> + + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> + <?php + /* active tabs */ + $tab_array = array(); + $tab_array[] = array("Settings", false, "haproxy_global.php"); + $tab_array[] = array("Frontend", false, "haproxy_listeners.php"); + $tab_array[] = array("Backend", true, "haproxy_pools.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> <div class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="listtopic">Edit HAProxy pool</td> + <td colspan="2" valign="top" class="listtopic">Edit HAProxy Backend server pool</td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncellreq">Name</td> <td width="78%" class="vtable" colspan="2"> - <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="16" maxlength="16"> + <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="16" maxlength="16" /> </td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Cookie</td> <td width="78%" class="vtable" colspan="2"> - <input name="cookie" type="text" <?if(isset($pconfig['cookie'])) echo "value=\"{$pconfig['cookie']}\"";?>size="64"><br/> + <input name="cookie" type="text" <?if(isset($pconfig['cookie'])) echo "value=\"{$pconfig['cookie']}\"";?>size="64" /><br/> This value will be checked in incoming requests, and the first operational pool possessing the same value will be selected. In return, in cookie insertion or rewrite modes, this value will be assigned to the cookie @@ -342,88 +361,11 @@ foreach($simplefields as $field){ </tr> <tr align="left"> <td class="vncell" colspan="3"><strong>Server list</strong> - - <table class="" width="100%" cellpadding="0" cellspacing="0" id='servertable'> - <tr> - <td width="20%" class="listhdrr">Name</td> - <td width="10%" class="listhdrr">Address</td> - <td width="5%" class="listhdrr">Port</td> - <td width="5%" class="listhdrr">SSL</td> - <td width="8%" class="listhdrr">Weight</td> - <td width="5%" class="listhdr">Backup</td> - <td width="15%" class="listhdr">Advanced</td> - <td width="4%" class=""></td> - </tr> - <?php - $a_servers=$pconfig['a_servers']; - - if (!is_array($a_servers)) { - $a_servers=array(); - } - + <? $counter=0; - foreach ($a_servers as $server) { - ?> - <tr id="tr_view_<?=$counter;?>" name="tr_view_<?=$counter;?>" ondblclick="editRow(<?=$counter;?>); return false;" > - <td class="vtable listlr"><?=$server['name']; ?></td> - <td class="vtable listr"><?=$server['address']; ?></td> - <td class="vtable listr"><?=$server['port']; ?></td> - <td class="vtable listr"><?=$server['ssl']=='yes'?'yes':'no'; ?></td> - <td class="vtable listr"><?=$server['weight']; ?></td> - <td class="vtable listr"><?=$server['status']; ?></td> - <td class="vtable listr"><?=htmlspecialchars($server['advanced']); ?></td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"><tr> - <td valign="middle"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit entry" width="17" height="17" border="0" onclick="editRow(<?=$counter;?>); return false;"> - </td> - <td valign="middle"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="deleteRow(<?=$counter;?>, 'servertable'); return false;"> - </td> - <td valign="middle"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="duplicate entry" width="17" height="17" border="0" onclick="dupRow(<?=$counter;?>, 'servertable'); return false;"> - </td></tr></table> - </td> - </tr> - <tr id="tr_edit_<?=$counter;?>" name="tr_edit_<?=$counter;?>" style="display: none;"> - <td class="vtable"> - <input name="server_name<?=$counter;?>" id="server_name<?=$counter;?>" type="text" value="<?=$server['name']; ?>" size="30"/></td> - <td class="vtable"> - <input name="server_address<?=$counter;?>" id="server_address<?=$counter;?>" type="text" value="<?=$server['address']; ?>" size="20"/></td> - <td class="vtable"> - <input name="server_port<?=$counter;?>" id="server_port<?=$counter;?>" type="text" value="<?=$server['port']; ?>" size="5"/></td> - <td class="vtable"> - <input name="server_ssl<?=$counter;?>" id="server_ssl<?=$counter;?>" type="checkbox" value="yes" <?=$server['ssl']=='yes'?"checked":""; ?> size="5"/></td> - <td class="vtable"> - <input name="server_weight<?=$counter;?>" id="server_weight<?=$counter;?>" type="text" value="<?=$server['weight']; ?>" size="5"/></td> - <td class="vtable"> - <select name="server_status<?=$counter;?>" id="server_status<?=$counter;?>"> - <option value="active" <?php if($server['status']=='active') echo "SELECTED";?>>active</option> - <option value="backup" <?php if($server['status']=='backup') echo "SELECTED";?>>backup</option> - <option value="disabled" <?php if($server['status']=='disabled') echo "SELECTED";?>>disabled</option> - <option value="inactive" <?php if($server['status']=='inactive') echo "SELECTED";?>>inactive</option> - </select> - </td> - <td class="vtable"> - <input name="server_advanced<?=$counter;?>" id="server_advanced<?=$counter;?>" type="text" value="<?=htmlspecialchars($server['advanced']); ?>" size="20"/></td> - <td class="list"> - <table border="0" cellspacing="0" cellpadding="1"><tr> - <td valign="middle"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;"> - </td> - <td valign="middle"> - <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="duplicate entry" width="17" height="17" border="0" onclick="dupRow(<?=$counter;?>, 'servertable'); return false;"> - </td></tr></table> - </td> - </tr> - <?php - $counter++; - } + $a_servers = $pconfig['a_servers']; + haproxy_htmllist("tableA_servers", $a_servers, $fields_servers); ?> - </table> - <a onclick="javascript:addRowTo('servertable'); return false;" href="#"> - <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" alt="" title="add another entry" /> - </a> </td> </tr> <tr align="left"> @@ -432,7 +374,7 @@ foreach($simplefields as $field){ <table width="100%"> <tr> <td width="25%" valign="top"> - <input type="radio" name="balance" id="balance" value="roundrobin"<?php if($pconfig['balance'] == "roundrobin") echo " CHECKED"; ?>>Round robin</input> + <input type="radio" name="balance" value="roundrobin"<?php if($pconfig['balance'] == "roundrobin") echo " CHECKED"; ?> />Round robin </td> <td> Each server is used in turns, according to their weights. @@ -444,7 +386,7 @@ foreach($simplefields as $field){ </tr> <tr> <td width="25%" valign="top"> - <input type="radio" name="balance" id="balance" value="static-rr"<?php if($pconfig['balance'] == "static-rr") echo " CHECKED"; ?>>Static Round Robin</input> + <input type="radio" name="balance" value="static-rr"<?php if($pconfig['balance'] == "static-rr") echo " CHECKED"; ?> />Static Round Robin </td> <td> Each server is used in turns, according to their weights. @@ -459,7 +401,7 @@ foreach($simplefields as $field){ </tr> <tr> <td width="25%" valign="top"> - <input type="radio" name="balance" id="balance" value="leastconn"<?php if($pconfig['balance'] == "leastconn") echo " CHECKED"; ?>>Least Connections</input> + <input type="radio" name="balance" value="leastconn"<?php if($pconfig['balance'] == "leastconn") echo " CHECKED"; ?> />Least Connections </td> <td> The server with the lowest number of connections receives the @@ -472,8 +414,9 @@ foreach($simplefields as $field){ adjusted on the fly for slow starts for instance. </td> </tr> - <tr><td valign="top"><input type="radio" name="balance" id="balance" value="source"<?php if($pconfig['balance'] == -"source") echo " CHECKED"; ?>>Source</input></td><td> + <tr><td valign="top"><input type="radio" name="balance" value="source"<?php if($pconfig['balance'] == "source") echo " CHECKED"; ?> />Source + </td> + <td> The source IP address is hashed and divided by the total weight of the running servers to designate which server will receive the request. This ensures that the same client IP @@ -494,7 +437,7 @@ foreach($simplefields as $field){ <tr align="left"> <td width="22%" valign="top" class="vncell">Transparent ClientIP</td> <td width="78%" class="vtable" colspan="2"> - <input id="transparent_clientip" name="transparent_clientip" type="checkbox" value="yes" <?php if ($pconfig['transparent_clientip']=='yes') echo "checked"; ?> onclick='updatevisibility();'> + <input id="transparent_clientip" name="transparent_clientip" type="checkbox" value="yes" <?php if ($pconfig['transparent_clientip']=='yes') echo "checked"; ?> onclick='updatevisibility();' /> Use Client-IP to connect to backend servers. <div class="haproxy_transparent_clientip"> @@ -520,7 +463,7 @@ foreach($simplefields as $field){ <tr align="left"> <td width="22%" valign="top" class="vncell">Per server pass thru</td> <td width="78%" class="vtable" colspan="2"> - <input type="text" name='advanced' id='advanced' value='<?php echo $pconfig['advanced']; ?>' size="64"> + <input type="text" name='advanced' id='advanced' value='<?php echo $pconfig['advanced']; ?>' size="64" /> <br/> NOTE: paste text into this box that you would like to pass thru. Applied to each 'server' line. </td> @@ -534,10 +477,7 @@ foreach($simplefields as $field){ NOTE: paste text into this box that you would like to pass thru. Applied to the backend section. </td> </tr> - - </table> - <br/> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr><td> </td></tr> <tr> <td colspan="2" valign="top" class="listtopic">Health checking</td> </tr> @@ -553,7 +493,7 @@ foreach($simplefields as $field){ <tr align="left" class="haproxy_check_enabled"> <td width="22%" valign="top" class="vncell">Check frequency</td> <td width="78%" class="vtable" colspan="2"> - <input name="checkinter" type="text" <?if(isset($pconfig['checkinter'])) echo "value=\"{$pconfig['checkinter']}\"";?>size="20"> milliseconds + <input name="checkinter" type="text" <?if(isset($pconfig['checkinter'])) echo "value=\"{$pconfig['checkinter']}\"";?> size="20" /> milliseconds <br/>For HTTP/HTTPS defaults to 1000 if left blank. For TCP no check will be performed if left empty. </td> </tr> @@ -569,14 +509,14 @@ foreach($simplefields as $field){ <tr align="left" class="haproxy_check_http"> <td width="22%" valign="top" class="vncell">Http check URI</td> <td width="78%" class="vtable" colspan="2"> - <input name="monitor_uri" type="text" <?if(isset($pconfig['monitor_uri'])) echo "value=\"{$pconfig['monitor_uri']}\"";?>size="64"> + <input name="monitor_uri" type="text" <?if(isset($pconfig['monitor_uri'])) echo "value=\"{$pconfig['monitor_uri']}\"";?>size="64" /> <br/>Defaults to / if left blank. </td> </tr> <tr align="left" class="haproxy_check_http"> <td width="22%" valign="top" class="vncell">Http check version</td> <td width="78%" class="vtable" colspan="2"> - <input name="monitor_httpversion" type="text" <?if(isset($pconfig['monitor_httpversion'])) echo "value=\"{$pconfig['monitor_httpversion']}\"";?>size="64"> + <input name="monitor_httpversion" type="text" <?if(isset($pconfig['monitor_httpversion'])) echo "value=\"{$pconfig['monitor_httpversion']}\"";?> size="64" /> <br/>Defaults to "HTTP/1.0" if left blank. Note that the Host field is mandatory in HTTP/1.1, and as a trick, it is possible to pass it after "\r\n" following the version string like this:<br/> @@ -588,316 +528,188 @@ foreach($simplefields as $field){ <tr align="left" class="haproxy_check_username"> <td width="22%" valign="top" class="vncell">Check with Username</td> <td width="78%" class="vtable" colspan="2"> - <input name="monitor_username" id="monitor_username" type="text" <?if(isset($pconfig['monitor_username'])) echo "value=\"{$pconfig['monitor_username']}\"";?>size="64" onchange="updatevisibility();" onkeyup="updatevisibility();"> + <input name="monitor_username" id="monitor_username" type="text" <?if(isset($pconfig['monitor_username'])) echo "value=\"{$pconfig['monitor_username']}\"";?>size="64" onchange="updatevisibility();" onkeyup="updatevisibility();" /> <br/> This is the username which will be used when connecting to MySQL/PostgreSQL server. <pre> USE mysql; -CREATE USER '<span id="sqlcheckusername" name="sqlcheckusername"></span>'@'<pfSenseIP>'; +CREATE USER '<span id="sqlcheckusername"></span>'@'<pfSenseIP>'; FLUSH PRIVILEGES;</pre> </td> </tr> <tr align="left" class="haproxy_check_smtp"> <td width="22%" valign="top" class="vncell">Domain</td> <td width="78%" class="vtable" colspan="2"> - <input name="monitor_domain" type="text" <?if(isset($pconfig['monitor_domain'])) echo "value=\"{$pconfig['monitor_domain']}\"";?>size="64"> + <input name="monitor_domain" type="text" <?if(isset($pconfig['monitor_domain'])) echo "value=\"{$pconfig['monitor_domain']}\"";?> size="64" /> </td> </tr> <tr align="left" class="haproxy_check_agent"> <td width="22%" valign="top" class="vncell">Agentport</td> <td width="78%" class="vtable" colspan="2"> - <input name="monitor_agentport" type="text" <?if(isset($pconfig['monitor_agentport'])) echo "value=\"{$pconfig['monitor_agentport']}\"";?>size="64"> + <input name="monitor_agentport" type="text" <?if(isset($pconfig['monitor_agentport'])) echo "value=\"{$pconfig['monitor_agentport']}\"";?> size="64" /> <br/> Fill in the TCP portnumber the healthcheck should be performed on. </td> </tr> - </table> - <br/> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr><td> </td></tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Agent checks</td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Use agent checks</td> + <td width="78%" class="vtable" colspan="2"> + <input id="agent_check" name="agent_check" type="checkbox" value="yes" <?php if ($pconfig['agent_check']=='yes') echo "checked"; ?> onclick='updatevisibility();' /> + Use a TCP connection to read an ASCII string of the form 100%,75%,drain,down (more about this in the <a href='http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#agent-check' target='_blank'>haproxy manual</a>) + </td> + </tr> + <tr align="left" class="haproxy_agent_check"> + <td width="22%" valign="top" class="vncell">Agent port</td> + <td width="78%" class="vtable" colspan="2"> + <input name="agent_port" type="text" <?if(isset($pconfig['agent_port'])) echo "value=\"{$pconfig['agent_port']}\"";?> size="64" /> + <br/> + Fill in the TCP portnumber the healthcheck should be performed on. + </td> + </tr> + <tr align="left" class="haproxy_agent_check"> + <td width="22%" valign="top" class="vncell">Agent interval</td> + <td width="78%" class="vtable" colspan="2"> + <input name="agent_inter" type="text" <?if(isset($pconfig['agent_inter'])) echo "value=\"{$pconfig['agent_inter']}\"";?> size="64" /> + <br/> + Interval between two agent checks, defaults to 2000 ms. + </td> + </tr> + <tr><td> </td></tr> <tr> <td colspan="2" valign="top" class="listtopic">Advanced settings</td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Connection timeout</td> <td width="78%" class="vtable" colspan="2"> - <input name="connection_timeout" type="text" <?if(isset($pconfig['connection_timeout'])) echo "value=\"{$pconfig['connection_timeout']}\"";?> size="64"> + <input name="connection_timeout" type="text" <?if(isset($pconfig['connection_timeout'])) echo "value=\"{$pconfig['connection_timeout']}\"";?> size="20" /> <div>the time (in milliseconds) we give up if the connection does not complete within (default 30000).</div> </td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Server timeout</td> <td width="78%" class="vtable" colspan="2"> - <input name="server_timeout" type="text" <?if(isset($pconfig['server_timeout'])) echo "value=\"{$pconfig['server_timeout']}\"";?> size="64"> + <input name="server_timeout" type="text" <?if(isset($pconfig['server_timeout'])) echo "value=\"{$pconfig['server_timeout']}\"";?> size="20" /> <div>the time (in milliseconds) we accept to wait for data from the server, or for the server to accept data (default 30000).</div> </td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Retries</td> <td width="78%" class="vtable" colspan="2"> - <input name="retries" type="text" <?if(isset($pconfig['retries'])) echo "value=\"{$pconfig['retries']}\"";?> size="64"> + <input name="retries" type="text" <?if(isset($pconfig['retries'])) echo "value=\"{$pconfig['retries']}\"";?> size="20" /> <div>After a connection failure to a server, it is possible to retry, potentially on another server. This is useful if health-checks are too rare and you don't want the clients to see the failures. The number of attempts to reconnect is set by the 'retries' parameter.</div> </td> </tr> - </table> - <br/> <br/> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr><td> </td></tr> <tr> <td colspan="2" valign="top" class="listtopic">Statistics</td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Stats Enabled</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_enabled" name="stats_enabled" type="checkbox" value="yes" <?php if ($pconfig['stats_enabled']=='yes') echo "checked"; ?> onclick='updatevisibility();'> + <input id="stats_enabled" name="stats_enabled" type="checkbox" value="yes" <?php if ($pconfig['stats_enabled']=='yes') echo "checked"; ?> onclick='updatevisibility();' /> </td> </tr> - <tr class="haproxy_stats_visible" align="left" id='stats_realm_row' name='stats_realm_row'> + <tr class="haproxy_stats_visible" align="left" id='stats_realm_row'> <td width="22%" valign="top" class="vncellreq">Stats Realm</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_realm" name="stats_realm" type="text" <?if(isset($pconfig['stats_realm'])) echo "value=\"{$pconfig['stats_realm']}\"";?> size="64"><br/> + <input id="stats_realm" name="stats_realm" type="text" <?if(isset($pconfig['stats_realm'])) echo "value=\"{$pconfig['stats_realm']}\"";?> size="64" /><br/> EXAMPLE: haproxystats </td> </tr> - <tr class="haproxy_stats_visible" align="left" id='stats_uri_row' name='stats_uri_row'> + <tr class="haproxy_stats_visible" align="left" id='stats_uri_row'> <td width="22%" valign="top" class="vncellreq">Stats Uri</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_uri" name="stats_uri" type="text" <?if(isset($pconfig['stats_uri'])) echo "value=\"{$pconfig['stats_uri']}\"";?> size="64"><br/> + <input id="stats_uri" name="stats_uri" type="text" <?if(isset($pconfig['stats_uri'])) echo "value=\"{$pconfig['stats_uri']}\"";?> size="64" /><br/> EXAMPLE: /haproxy?stats </td> </tr> - <tr class="haproxy_stats_visible" align="left" id='stats_username_row' name='stats_username_row'> + <tr class="haproxy_stats_visible" align="left" id='stats_username_row'> <td width="22%" valign="top" class="vncellreq">Stats Username</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_username" name="stats_username" type="text" <?if(isset($pconfig['stats_username'])) echo "value=\"".$pconfig['stats_username']."\"";?> size="64"> + <input id="stats_username" name="stats_username" type="text" <?if(isset($pconfig['stats_username'])) echo "value=\"".$pconfig['stats_username']."\"";?> size="64" /> </td> </tr> - <tr class="haproxy_stats_visible" align="left" id='stats_password_row' name='stats_password_row'> + <tr class="haproxy_stats_visible" align="left" id='stats_password_row'> <td width="22%" valign="top" class="vncellreq">Stats Password</td> <td width="78%" class="vtable" colspan="2"> <input id="stats_password" name="stats_password" type="password" <? if(isset($pconfig['stats_password'])) echo "value=\"".$pconfig['stats_password']."\""; - ?> size="64"> + ?> size="64" /> <br/> </td> </tr> - <tr class="haproxy_stats_visible" align="left" id='stats_node_admin_row' name='stats_node_enabled_row'> + <tr class="haproxy_stats_visible" align="left" id='stats_node_admin_row'> <td width="22%" valign="top" class="vncell">Stats Admin</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_admin" name="stats_admin" type="checkbox" value="yes" <?php if ($pconfig['stats_admin']=='yes') echo "checked"; ?>> + <input id="stats_admin" name="stats_admin" type="checkbox" value="yes" <?php if ($pconfig['stats_admin']=='yes') echo "checked"; ?> /> <br/> </td> </tr> - <tr class="haproxy_stats_visible" align="left" id='stats_node_enabled_row' name='stats_node_enabled_row'> + <tr class="haproxy_stats_visible" align="left" id='stats_node_enabled_row'> <td width="22%" valign="top" class="vncell">Stats Enable Node Name</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_node_enabled" name="stats_node_enabled" type="checkbox" value="yes" <?php if ($pconfig['stats_node_enabled']=='yes') echo "checked"; ?>> + <input id="stats_node_enabled" name="stats_node_enabled" type="checkbox" value="yes" <?php if ($pconfig['stats_node_enabled']=='yes') echo "checked"; ?> /> <br/> </td> </tr> - <tr class="haproxy_stats_visible" align="left" id='stats_node_row' name='stats_node_row'> + <tr class="haproxy_stats_visible" align="left" id='stats_node_row'> <td width="22%" valign="top" class="vncell">Stats Node</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_node" name="stats_node" type="text" <?if(isset($pconfig['stats_node'])) echo "value=\"{$pconfig['stats_node']}\"";?> size="64"><br/> + <input id="stats_node" name="stats_node" type="text" <?if(isset($pconfig['stats_node'])) echo "value=\"{$pconfig['stats_node']}\"";?> size="64" /><br/> The node name is displayed in the stats and helps to differentiate which server in a cluster is actually serving clients.<br/> Leave blank to use the system name. </td> </tr> - <tr class="haproxy_stats_visible" align="left" id='stats_desc_row' name='stats_desc_row'> + <tr class="haproxy_stats_visible" align="left" id='stats_desc_row'> <td width="22%" valign="top" class="vncell">Stats Description</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_desc" name="stats_desc" type="text" <?if(isset($pconfig['stats_node'])) echo "value=\"{$pconfig['stats_desc']}\"";?> size="64"><br/> + <input id="stats_desc" name="stats_desc" type="text" <?if(isset($pconfig['stats_node'])) echo "value=\"{$pconfig['stats_desc']}\"";?> size="64" /><br/> </td> </tr> - <tr class="haproxy_stats_visible" align="left" id='stats_refresh_row' name='stats_refresh_row'> + <tr class="haproxy_stats_visible" align="left" id='stats_refresh_row'> <td width="22%" valign="top" class="vncell">Stats Refresh</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_refresh" name="stats_refresh" type="text" <?if(isset($pconfig['stats_refresh'])) echo "value=\"{$pconfig['stats_refresh']}\"";?> size="10" maxlength="30"><br/> + <input id="stats_refresh" name="stats_refresh" type="text" <?if(isset($pconfig['stats_refresh'])) echo "value=\"{$pconfig['stats_refresh']}\"";?> size="10" maxlength="30" /><br/> Specify the refresh rate of the stats page in seconds, or specified time unit (us, ms, s, m, h, d). </td> </tr> - </table> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr><td> </td></tr> <tr align="left"> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <input name="Submit" type="submit" class="formbtn" value="Save" /> + <input type="button" class="formbtn" value="Cancel" onclick="history.back()" /> <?php if (isset($id) && $a_pools[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> + <input name="id" type="hidden" value="<?=$id;?>" /> <?php endif; ?> </td> </tr> </table> </div> + </td></tr></table> </form> -<br> -<?php include("fend.inc"); ?> +<br/> <script type="text/javascript"> <? + phparray_to_javascriptarray($fields_servers,"fields_servers",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name')); phparray_to_javascriptarray($a_checktypes,"checktypes",Array('/*','/*/name','/*/descr')); ?> browser_InnerText_support = (document.getElementsByTagName("body")[0].innerText != undefined) ? true : false; - field_counter_js = 7; - rows = 1; totalrows = <?php echo $counter; ?>; - loaded = <?php echo $counter; ?>; updatevisibility(); </script> +<?php +haproxy_htmllist_js(); +include("fend.inc"); ?> </body> </html> - -<?php - -function row_helper() { - $options = <<<EOD - <option value='active' SELECTED>active</option>"+ -" <option value='backup'>backup</option>"+ -" <option value='disabled'>disabled</option>"+ -" <option value='inactive'>inactive</option> -EOD; - - echo <<<EOF -<script type="text/javascript"> -// Global Variables -var rowname = new Array(99); -var rowtype = new Array(99); -var newrow = new Array(99); -var rowsize = new Array(99); - -for (i = 0; i < 99; i++) { - rowname[i] = ''; - rowtype[i] = ''; - newrow[i] = ''; - rowsize[i] = '25'; -} - -var field_counter_js = 0; -var loaded = 0; -var is_streaming_progress_bar = 0; -var temp_streaming_text = ""; - -var addRowTo = (function() { - return (function (tableId) { - var d, tbody, tr, td, bgc, i, ii, j; - var btable, btbody, btr, btd; - - d = document; - tbody = d.getElementById(tableId).getElementsByTagName("tbody").item(0); - tr = d.createElement("tr"); - totalrows++; - for (i = 0; i < field_counter_js; i++) { - td = d.createElement("td"); - if(rowtype[i] == 'textbox') { - td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + - "'></input><input size='" + rowsize[i] + "' name='" + rowname[i] + totalrows + - "' id='" + rowname[i] + totalrows + "'></input> "; - } else if(rowtype[i] == 'select') { - td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + - "'></input><select size='" + rowsize[i] + "' name='" + rowname[i] + totalrows + - "' id='" + rowname[i] + totalrows + "'>$options</select> "; - } else { - td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + - "'></input><input type='checkbox' name='" + rowname[i] + totalrows + - "' id='" + rowname[i] + totalrows + "' value='yes'></input> "; - } - td.setAttribute("class","vtable"); - tr.appendChild(td); - } - td = d.createElement("td"); - td.rowSpan = "1"; - td.setAttribute("class","list"); - - // Recreate the button table. - btable = document.createElement("table"); - btable.setAttribute("border", "0"); - btable.setAttribute("cellspacing", "0"); - btable.setAttribute("cellpadding", "1"); - btbody = document.createElement("tbody"); - btr = document.createElement("tr"); - btd = document.createElement("td"); - btd.setAttribute("valign", "middle"); - btd.innerHTML = '<img src="/themes/' + theme + '/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;">'; - btr.appendChild(btd); - btd = document.createElement("td"); - btd.setAttribute("valign", "middle"); - btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_plus.gif\" title=\"duplicate entry\" width=\"17\" height=\"17\" border=\"0\" onclick=\"dupRow(" + totalrows + ", 'servertable'); return false;\">"; - btr.appendChild(btd); - btbody.appendChild(btr); - btable.appendChild(btbody); - - td.appendChild(btable); - tr.appendChild(td); - tbody.appendChild(tr); - }); -})(); - -function dupRow(rowId, tableId) { - var dupEl; - var newEl; - - addRowTo(tableId); - for (i = 0; i < field_counter_js; i++) { - dupEl = document.getElementById(rowname[i] + rowId); - newEl = document.getElementById(rowname[i] + totalrows); - if (dupEl && newEl) - if(rowtype[i] == 'checkbox') - newEl.checked = dupEl.checked; - else - newEl.value = dupEl.value; - } -} - -function deleteRow(rowId, tableId) { - var view = document.getElementById("tr_view_" + rowId); - var edit = document.getElementById("tr_edit_" + rowId); - - view.parentNode.removeChild(view); - edit.parentNode.removeChild(edit); -} - -function removeRow(el) { - var cel; - // Break out of one table first - while (el && el.nodeName.toLowerCase() != "table") - el = el.parentNode; - while (el && el.nodeName.toLowerCase() != "tr") - el = el.parentNode; - - if (el && el.parentNode) { - cel = el.getElementsByTagName("td").item(0); - el.parentNode.removeChild(el); - } -} -function editRow(num) { - var trview = document.getElementById('tr_view_' + num); - var tredit = document.getElementById('tr_edit_' + num); - - trview.style.display='none'; - tredit.style.display=''; -} - -function find_unique_field_name(field_name) { - // loop through field_name and strip off -NUMBER - var last_found_dash = 0; - for (var i = 0; i < field_name.length; i++) { - // is this a dash, if so, update - // last_found_dash - if (field_name.substr(i,1) == "-" ) - last_found_dash = i; - } - if (last_found_dash < 1) - return field_name; - return(field_name.substr(0,last_found_dash)); -} -</script> - -EOF; - -} - -?> diff --git a/config/haproxy-devel/haproxy_pools.php b/config/haproxy-devel/haproxy_pools.php index 2d0189a5..39009633 100644 --- a/config/haproxy-devel/haproxy_pools.php +++ b/config/haproxy-devel/haproxy_pools.php @@ -3,6 +3,7 @@ /* haproxy_pools.php part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> All rights reserved. @@ -28,7 +29,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require_once("guiconfig.inc"); require_once("haproxy.inc"); @@ -67,7 +68,7 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; -$pgtitle = "Services: HAProxy: Server pools"; +$pgtitle = "Services: HAProxy: Backend server pools"; include("head.inc"); ?> @@ -79,8 +80,8 @@ include("head.inc"); <form action="haproxy_pools.php" method="post"> <?php if ($input_errors) print_input_errors($input_errors); ?> <?php if ($savemsg) print_info_box($savemsg); ?> -<?php if (file_exists($d_haproxyconfdirty_path)): ?><p> -<?php print_info_box_np("The haproxy configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> +<?php if (file_exists($d_haproxyconfdirty_path)): ?> +<?php print_info_box_np("The haproxy configuration has been changed.<br/>You must apply the changes in order for them to take effect.");?><br/> <?php endif; ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> @@ -88,8 +89,8 @@ include("head.inc"); /* active tabs */ $tab_array = array(); $tab_array[] = array("Settings", false, "haproxy_global.php"); - $tab_array[] = array("Listener", false, "haproxy_listeners.php"); - $tab_array[] = array("Server Pool", true, "haproxy_pools.php"); + $tab_array[] = array("Frontend", false, "haproxy_listeners.php"); + $tab_array[] = array("Backend", true, "haproxy_pools.php"); display_top_tabs($tab_array); ?> </td></tr> @@ -102,7 +103,7 @@ include("head.inc"); <td width="25%" class="listhdrr">Name</td> <td width="10%" class="listhdrr">Servers</td> <td width="10%" class="listhdrr">Check</td> - <td width="30%" class="listhdrr">Listener</td> + <td width="30%" class="listhdrr">Frontend</td> <td width="10%" class="list"></td> </tr> <?php @@ -128,13 +129,13 @@ include("head.inc"); <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> <? if ($pool['stats_enabled']=='yes'){ - echo "<img src=\"./themes/{$g['theme']}/images/icons/icon_log_s.gif\"" . ' title="stats enabled" width="11" height="15" border="0">'; + echo "<img src=\"./themes/{$g['theme']}/images/icons/icon_log_s.gif\"" . ' title="stats enabled" width="11" height="15" border="0" />'; } $isadvset = ""; if ($pool['advanced']) $isadvset .= "Per server pass thru\r\n"; if ($pool['advanced_backend']) $isadvset .= "Backend pass thru\r\n"; if ($isadvset) - echo "<img src=\"$img_adv\" title=\"" . gettext("advanced settings set") . ": {$isadvset}\" border=\"0\">"; + echo "<img src=\"$img_adv\" title=\"" . gettext("advanced settings set") . ": {$isadvset}\" border=\"0\" />"; ?> </td> <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> @@ -152,9 +153,9 @@ include("head.inc"); <td class="list" nowrap> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td valign="middle"><a href="haproxy_pool_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a></td> - <td valign="middle"><a href="haproxy_pools.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this entry?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td> - <td valign="middle"><a href="haproxy_pool_edit.php?dup=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_pool_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit backend");?>" width="17" height="17" border="0" /></a></td> + <td valign="middle"><a href="haproxy_pools.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this entry?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="<?=gettext("delete backend");?>" width="17" height="17" border="0" /></a></td> + <td valign="middle"><a href="haproxy_pool_edit.php?dup=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("clone backend");?>" width="17" height="17" border="0" /></a></td> </tr> </table> </td> @@ -169,7 +170,7 @@ include("head.inc"); <td class="list"> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td valign="middle"><a href="haproxy_pool_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_pool_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add new backend");?>" width="17" height="17" border="0" /></a></td> </tr> </table> </td> diff --git a/config/haproxy-devel/haproxy_socketinfo.inc b/config/haproxy-devel/haproxy_socketinfo.inc index 5b31afeb..eeaba8b6 100644 --- a/config/haproxy-devel/haproxy_socketinfo.inc +++ b/config/haproxy-devel/haproxy_socketinfo.inc @@ -1,5 +1,6 @@ <?php /* + Copyright (C) 2013 PiBa-NL Copyright 2011 Thomas Schaefer - Tomschaefer.org Copyright 2011 Marcello Coutinho Part of pfSense widgets (www.pfsense.com) diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc new file mode 100644 index 00000000..058efc98 --- /dev/null +++ b/config/haproxy-devel/haproxy_utils.inc @@ -0,0 +1,380 @@ +<?php +/* + haproxy_utils.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 PiBa-NL + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + This file contains functions which are NOT specific to HAProxy and may/could/should + be moved to the general pfSense php library for possible easy use by other parts of pfSense +*/ + +require_once("config.inc"); + +function haproxy_interface_ip($interfacebindname,$userfriendly=false){ + $list = haproxy_get_bindable_interfaces(); + $item = $list[$interfacebindname]; + $result = $item['ip']; + if ($userfriendly && !$result) + $result = $item['name']; + return $result; +} + +function haproxy_get_bindable_interfaces($ipv="ipv4,ipv6", $interfacetype="any,localhost,real,carp,ipalias"){ + // returns a list of ALL interface/IPs that can be used to bind a service to. + // filtered by the conditions given in the two filter parameters. + // result array includes: + // $bindable[key] can be stored and compared with previous setings + // $bindable[key]['ip'] the current IP (possibly changes for dhcp enabled interfaces..) + // $bindable[key]['description'] can be shown to user in a selection box + + global $config; + $ipverions = split(',',$ipv); + $interfacetypes= split(',',$interfacetype); + + $bindable = array(); + if (in_array("ipv4",$ipverions)){ + if (in_array('any',$interfacetypes)){ + $item = array(); + $item[ip] = '0.0.0.0'; + $item[name] = 'any (IPv4)'; + $bindable['any_ipv4'] = $item; + } + if (in_array('localhost',$interfacetypes)){ + $item = array(); + $item[ip] = '127.0.0.1'; + $item[name] = 'localhost (IPv4)'; + $bindable['localhost_ipv4'] = $item; + } + if (in_array('real',$interfacetypes)){ + foreach($config['interfaces'] as $if => $ifdetail) { + if (!isset($ifdetail['enable'])) + continue; + if (!isset($ifdetail['ipaddr'])) + continue; + $descr = $ifdetail['descr']; + if (!$descr){ + if ($if == "wan" && !$ifdetail['descr']) + $descr = "WAN"; + else if ($if == "lan" && !$ifdetail['descr']) + $descr = "LAN"; + else + $descr = $if; + } + $item = array(); + $item['ip'] = get_interface_ip($if); + $item['name'] = "$descr address (IPv4)"; + $bindable[$if.'_ipv4'] = $item; + } + } + if (in_array('carp',$interfacetypes)){ + $carplist = get_configured_carp_interface_list(); + foreach ($carplist as $carpif => $carpip){ + if (is_ipaddrv4($carpip)){ + $item = array(); + $item['ip'] = $carpip; + $item['name'] = $carpip." (".get_vip_descr($carpip).")"; + $bindable[$carpip] = $item; + } + } + + } + if (in_array('ipalias',$interfacetypes)){ + $aliaslist = get_configured_ip_aliases_list(); + foreach ($aliaslist as $aliasip => $aliasif){ + if (is_ipaddrv4($aliasip)){ + $item = array(); + $item['ip'] = $aliasip; + $item['name'] = $aliasip." (".get_vip_descr($aliasip).")"; + $bindable[$aliasip.'_ipv4'] = $item; + } + } + } + } + if (!isset($config['system']['ipv6allow'])) + return $bindable;// skip adding the IPv6 addresses if those are not 'allowed' + + if (in_array("ipv6",$ipverions)){ + if (in_array('any',$interfacetypes)){ + $item = array(); + $item[ip] = '::'; + $item[name] = 'any (IPv6)'; + $bindable['any_ipv6'] = $item; + } + if (in_array('localhost',$interfacetypes)){ + $item = array(); + $item[ip] = '::1'; + $item[name] = 'localhost (IPv6)'; + $bindable['localhost_ipv6'] = $item; + } + if (in_array('real',$interfacetypes)){ + foreach($config['interfaces'] as $if => $ifdetail) { + if (!isset($ifdetail['enable'])) + continue; + if (!isset($ifdetail['ipaddrv6'])) + continue; + $descr = $ifdetail['descr']; + if (!$descr){ + if ($if == "wan" && !$ifdetail['descr']) + $descr = "WAN"; + else if ($if == "lan" && !$ifdetail['descr']) + $descr = "LAN"; + else + $descr = $if; + } + $item = array(); + $item['ip'] = get_interface_ipv6($if); + $item['name'] = "$descr address (IPv6)"; + $bindable[$if.'_ipv6'] = $item; + } + } + if (in_array('carp',$interfacetypes)){ + $carplist = get_configured_carp_interface_list(); + foreach ($carplist as $carpif => $carpip){ + if (is_ipaddrv6($carpip)){ + $item = array(); + $item['ip'] = $carpip; + $item['name'] = $carpip." (".get_vip_descr($carpip).")"; + $bindable[$carpip] = $item; + } + } + + } + if (in_array('ipalias',$interfacetypes)){ + $aliaslist = get_configured_ip_aliases_list(); + foreach ($aliaslist as $aliasip => $aliasif){ + if (is_ipaddrv6($aliasip)){ + $item = array(); + $item['ip'] = $aliasip; + $item['name'] = $aliasip." (".get_vip_descr($aliasip).")"; + $bindable[$aliasip] = $item; + } + } + } + } + return $bindable; +} + +function haproxy_get_cert_extensions($crt){ + $cert = openssl_x509_parse(base64_decode($crt['crt'])); + return $cert['extensions']; +} + +function haproxy_get_cert_authoritykeyidentifier($cert) +{ + $certextension = haproxy_get_cert_extensions($cert); + $lines = preg_split('/[\n]+/',$certextension['authorityKeyIdentifier']); + return substr($lines[0],6);// cut off the starting string 'keyid:' +} +function haproxy_get_cert_subjectKeyIdentifier($cert) +{ + $certextension = haproxy_get_cert_extensions($cert); + $lines = preg_split('/[\n]+/',$certextension['subjectKeyIdentifier']); + return $lines[0]; +} + +function haproxy_cert_signed_by($cert, $signedbycert) { + // checks if $cert was signed by $signedbycert + // this does NOT validate a proper signature but only checks if the extension properties match. + $authoritykeyid = haproxy_get_cert_authoritykeyidentifier($cert); + $subjectid = haproxy_get_cert_subjectKeyIdentifier($signedbycert); + return $authoritykeyid == $subjectid; +} + +function haproxy_get_certificates(){ + global $config; + $allcerts = array(); + foreach($config['cert'] as &$cert) + $allcerts[] = &$cert; + foreach($config['ca'] as &$cert) + $allcerts[] = &$cert; + return $allcerts; +} +function haproxy_recalculate_certifcate_chain(){ + // and set "selfsigned" for certificates that where used to sign themselves + // recalculate the "caref" for all certificates where it is currently unkown. + + $allcertificates = haproxy_get_certificates(); + $items_recalculated = 0; + foreach($allcertificates as &$cert){ + $recalculate=false; + if (!isset($cert['selfsigned'])){ + if (!isset($cert['caref'])) + $recalculate=true; + else { + $ca = lookup_ca($cert['caref']); + if (!$ca) + $recalculate=true; + } + } + if ($recalculate){ + foreach($allcertificates as &$signedbycert){ + if(haproxy_cert_signed_by($cert, $signedbycert)){ + if ($cert['refid'] == $signedbycert['refid']){ + $cert['selfsigned'] = true; + } else { + $cert['caref'] = $signedbycert['refid']; + } + $items_recalculated++; + } + } + } + } + if ($items_recalculated > 0) + write_config("Services: HAProxy: Recalculated $items_recalculated certificate chains."); + return $items_recalculated; +} + +function get_certificat_usage($refid) { + $usage = array(); + $cert = lookup_cert($refid); + if (is_cert_revoked($cert)) + $usage[] = "Revoked"; + if (is_webgui_cert($refid)) + $usage[] = "webConfigurator"; + if (is_user_cert($refid)) + $usage[] = "User Cert"; + if (is_openvpn_server_cert($refid)) + $usage[] = "OpenVPN Server"; + if (is_openvpn_client_cert($refid)) + $usage[] = "OpenVPN Client"; + if (is_ipsec_cert($cert['refid'])) + $usage[] = "IPsec Tunnel"; + if (function_exists("is_captiveportal_cert")) + if (is_captiveportal_cert($refid)) + $usage[] = "Captive Portal"; + + return $usage; +} +function get_certificates_server($get_includeWebCert=false) { + // This function (is intended to) provide a uniform way to retrieve a list of server certificates + global $config; + $certificates=array(); + $a_cert = &$config['cert']; + foreach ($a_cert as $cert) + { + if ($get_ca == false && is_webgui_cert($cert['refid'])) + continue; + + $purpose = cert_get_purpose($cert['crt']); + //$certserverpurpose = $purpose['server'] == 'Yes' ? " [Server certificate]" : ""; + $certserverpurpose = ""; + + $selected = ""; + $caname = ""; + $inuse = ""; + $revoked = ""; + $ca = lookup_ca($cert['caref']); + if ($ca) + $caname = " (CA: {$ca['descr']})"; + if ($pconfig['certref'] == $cert['refid']) + $selected = "selected"; + if (cert_in_use($cert['refid'])) + $inuse = " *In Use"; + if (is_cert_revoked($cert)) + $revoked = " *Revoked"; + + $usagestr=""; + $usage = get_certificat_usage($cert['refid']); + foreach($usage as $use){ + $usagestr .= " " . $use; + } + if ($usagestr != "") + $usagestr = " (".trim($usagestr).")"; + + $certificates[$cert['refid']]['name'] = $cert['descr'] . $caname . $certserverpurpose . $inuse . $revoked . $usagestr; + } + return $certificates; +} + + +function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) { + $offset = str_repeat(' ',$nestID); + $itemName = "item$nestID"; + echo "{$offset}$nodeName = {};\n"; + if (is_array($items)) + foreach ($items as $key => $item) + { + if (in_array($path.'/'.$key, $includeitems)) + $subpath = $path.'/'.$key; + else + $subpath = $path.'/*'; + if (in_array($subpath, $includeitems) || in_array($path.'/*', $includeitems)) { + if (is_array($item)) { + $subNodeName = "item$nestID"; + phparray_to_javascriptarray_recursive($nestID+1, $subpath, $items[$key], $subNodeName, $includeitems); + echo "{$offset}{$nodeName}['{$key}'] = $itemName;\n"; + } else { + $item = json_encode($item); + echo "{$offset}{$nodeName}['$key'] = $item;\n"; + } + } + } +} +function phparray_to_javascriptarray($items, $javaMapName, $includeitems) { + phparray_to_javascriptarray_recursive(1,'',$items, $javaMapName, $includeitems); +} + +function haproxy_html_select_options($keyvaluelist, $selected="") { + $result = ""; + foreach($keyvaluelist as $key => $desc){ + $selectedhtml = $key == $selected ? "selected" : ""; + if ($desc['deprecated'] && $key != $selected){ + continue; + } + $name = htmlspecialchars($desc['name']); + $result .= "<option value='{$key}' {$selectedhtml}>{$name}</option>"; + } + return $result; +} + +function haproxy_js_select_options($keyvaluelist, $selected="") { + $result = ""; + foreach($keyvaluelist as $key => $desc){ + $selectedhtml = $key == $selected ? "selected" : ""; + if ($desc['deprecated'] && $key != $selected){ + continue; + } + $name = htmlspecialchars($desc['name']); + $result .= "<option value='{$key}' {$selectedhtml}>{$name}<\/option>"; + } + return $result; +} + +function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="", $onchangeEvent="", $style="") { + if (count($keyvaluelist)>0){ + if ($onchangeEvent != "") + $onchangeEvent = " onchange='$onchangeEvent'"; + if ($style != "") + $style = " style='$style'"; + echo "<select name=\"$name\" id=\"$name\" class=\"formselect\"$onchangeEvent$style>"; + echo haproxy_html_select_options($keyvaluelist, $selected); + echo "</select>"; + } else { + echo $listEmptyMessage; + } +} + +?>
\ No newline at end of file diff --git a/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc b/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc index 781b7544..699dffd1 100644 --- a/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc +++ b/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc @@ -1,6 +1,7 @@ <?php /* haproxy_xmlrpcsyncclient.inc + Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef All rights reserved. diff --git a/config/haproxy-devel/pkg_haproxy.inc b/config/haproxy-devel/pkg_haproxy.inc new file mode 100755 index 00000000..1e5c75c2 --- /dev/null +++ b/config/haproxy-devel/pkg_haproxy.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['haproxy'] = array(); +$shortcuts['haproxy']['main'] = "haproxy_global.php"; +$shortcuts['haproxy']['log'] = "diag_logs.php"; +$shortcuts['haproxy']['status'] = "status_services.php"; +$shortcuts['haproxy']['service'] = "HAProxy"; + +?> diff --git a/config/haproxy-legacy/haproxy.inc b/config/haproxy-legacy/haproxy.inc index dfbec28c..47dc5474 100644 --- a/config/haproxy-legacy/haproxy.inc +++ b/config/haproxy-legacy/haproxy.inc @@ -1,6 +1,7 @@ <?php /* haproxy.inc + Copyright (C) 2013 Marcello Coutinho Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef All rights reserved. @@ -28,6 +29,7 @@ */ /* include all configuration functions */ +$shortcut_section = "haproxy"; require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("notices.inc"); @@ -40,6 +42,31 @@ function haproxy_custom_php_deinstall_command() { exec("rm /usr/local/www/haproxy*"); } +function migrate_old_sync_config(){ + global $g, $config; + //move Sync HAProxy configuration (if enabled) + $write_config=0; + if(is_array($config['installedpackages']['haproxy'])){ + $haproxy_cfg=$config['installedpackages']['haproxy']; + if (isset($haproxy_cfg['enablesync'])) { + for($si=1;$si<=3;$si++){ + if($haproxy_cfg['synchost'.$si]) { + $config['installedpackages']['haproxysync']['config'][0]['row'][]=array('enabless'=>'ON', + 'ipaddress'=>$haproxy_cfg['synchost'.$si], + 'username'=> 'admin', + 'password'=> $haproxy_cfg['syncpassword']); + unset($config['installedpackages']['haproxy']['synchost'.$si]); + $write_config++; + } + } + } + } + if ($write_config > 0){ + unset($config['installedpackages']['haproxy']['enablesync']); + unset($config['installedpackages']['haproxy']['syncpassword']); + write_config("Haproxy - Migrate old sync config from global to sync tab."); + } +} function haproxy_custom_php_install_command() { global $g, $config; conf_mount_rw(); @@ -90,7 +117,7 @@ EOD; fwrite($fd, $haproxy); fclose($fd); exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh"); - + migrate_old_sync_config(); conf_mount_ro(); exec("/usr/local/etc/rc.d/haproxy.sh start"); @@ -274,26 +301,11 @@ function haproxy_configure() { } fwrite ($fd, "\n"); } - // Sync HAProxy configuration (if enabled) - if(isset($config['installedpackages']['haproxy']['enablesync'])) { - if($config['installedpackages']['haproxy']['synchost1']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'], - $config['installedpackages']['haproxy']['syncpassword']); - } - if($config['installedpackages']['haproxy']['synchost2']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'], - $config['installedpackages']['haproxy']['syncpassword']); - } - if($config['installedpackages']['haproxy']['synchost3']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'], - $config['installedpackages']['haproxy']['syncpassword']); - } - } } // create config file fclose($fd); - + $freebsd_version = substr(trim(`uname -r`), 0, 1); if(!file_exists("/usr/bin/limits")) { exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits"); @@ -301,7 +313,7 @@ function haproxy_configure() { } exec("/usr/bin/limits -n 300014"); - + // reload haproxy if(isset($a_global['enable'])) { if(is_process_running('haproxy')) { @@ -309,13 +321,69 @@ function haproxy_configure() { } else { exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D"); } + haproxy_sync_on_changes(); return (0); } else { + haproxy_sync_on_changes(); return (1); } } -function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { +/* Uses XMLRPC to synchronize the changes to a remote node */ +function haproxy_sync_on_changes() { + global $config, $g; + if (is_array($config['installedpackages']['haproxysync']['config'])){ + $haproxy_sync=$config['installedpackages']['haproxysync']['config'][0]; + $synctimeout = $haproxy_sync['synctimeout']; + $synconchanges = $haproxy_sync['synconchanges']; + switch ($synconchanges){ + case "manual": + if (is_array($haproxy_sync['row'])){ + $rs=$haproxy_sync['row']; + } + else{ + log_error("[haproxy] xmlrpc sync is enabled but there is no hosts to push haproxy config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress']=$system_carp['synchronizetoip']; + $rs[0]['username']=$system_carp['username']; + $rs[0]['password']=$system_carp['password']; + $rs[0]['enabless']=true; + if (! is_ipaddr($system_carp['synchronizetoip'])){ + log_error("[haproxy] xmlrpc sync is enabled but there is no system backup hosts to push haproxy config."); + return; + } + } + else{ + log_error("[haproxy] xmlrpc sync is enabled but there is no system backup hosts to push haproxy config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[haproxy] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($sh['password'] && $sh['ipaddress'] && $sh['enabless']) + haproxy_do_xmlrpc_sync($sh['ipaddress'], $username, $sh['password'],$synctimeout); + } + log_error("[haproxy] xmlrpc sync is ending."); + } + } +} + +function haproxy_do_xmlrpc_sync($sync_to_ip, $username="admin", $password,$synctimeout="30") { global $config, $g; if(!$password) @@ -323,6 +391,7 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { if(!$sync_to_ip) return; + // Do not allow syncing to self. $donotsync = false; @@ -379,18 +448,18 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); + /* send our XMLRPC message and timeout after $synctimeout seconds */ + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting HAProxy XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); @@ -412,15 +481,15 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { log_error("HAProxy XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "250"); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "HAProxy Settings Reload", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting HAProxy XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); diff --git a/config/haproxy-legacy/haproxy.xml b/config/haproxy-legacy/haproxy.xml index 556a1178..5706f3c7 100644 --- a/config/haproxy-legacy/haproxy.xml +++ b/config/haproxy-legacy/haproxy.xml @@ -65,6 +65,11 @@ <item>http://www.pfsense.com/packages/config/haproxy-legacy/haproxy.inc</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-legacy/haproxy_sync.xml</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/haproxy-legacy/haproxy_frontends.php</item> @@ -89,6 +94,11 @@ <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/haproxy-legacy/haproxy_servers_edit.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/haproxy-legacy/pkg_haproxy.inc</item> + </additional_files_needed> <custom_delete_php_command> </custom_delete_php_command> <custom_add_php_command> diff --git a/config/haproxy-legacy/haproxy_frontends.php b/config/haproxy-legacy/haproxy_frontends.php index d50133b8..e97fbc7b 100755 --- a/config/haproxy-legacy/haproxy_frontends.php +++ b/config/haproxy-legacy/haproxy_frontends.php @@ -28,7 +28,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require_once("guiconfig.inc"); $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; @@ -92,6 +92,7 @@ include("head.inc"); $tab_array[] = array("Settings", false, "haproxy_global.php"); $tab_array[] = array("Frontends", true, "haproxy_frontends.php"); $tab_array[] = array("Servers", false, "haproxy_servers.php"); + $tab_array[] = array("Sync", false, "pkg_edit.php?xml=haproxy_sync.xml"); display_top_tabs($tab_array); ?> </td></tr> diff --git a/config/haproxy-legacy/haproxy_frontends_edit.php b/config/haproxy-legacy/haproxy_frontends_edit.php index df2411b2..99391fe9 100755 --- a/config/haproxy-legacy/haproxy_frontends_edit.php +++ b/config/haproxy-legacy/haproxy_frontends_edit.php @@ -3,6 +3,7 @@ /* haproxy_frontends_edit.php part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 Marcello Coutinho Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> All rights reserved. @@ -28,7 +29,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require("guiconfig.inc"); $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; @@ -113,12 +114,14 @@ if ($_POST) { if (!$_POST['retries'] && is_numeric($_POST['retries'])) $input_errors[] = "The field 'Retries' value is not a number."; + + if ($_POST['stats_enabled'] == "yes"){ + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_username'])) + $input_errors[] = "The field 'Stats Username' contains invalid characters."; - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_username'])) - $input_errors[] = "The field 'Stats Username' contains invalid characters."; - - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_password'])) - $input_errors[] = "The field 'Stats Password' contains invalid characters."; + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_password'])) + $input_errors[] = "The field 'Stats Password' contains invalid characters."; + } if (!is_numeric($_POST['max_connections'])) $input_errors[] = "The field 'Max connections' value is not a number."; @@ -391,7 +394,21 @@ include("head.inc"); <p class="pgtitle"><?=$pgtitle?></p> <?php endif; ?> <form action="haproxy_frontends_edit.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td class="tabnavtbl"> + <?php + /* active tabs */ + $tab_array = array(); + $tab_array[] = array("Settings", false, "haproxy_global.php"); + $tab_array[] = array("Frontends", true, "haproxy_frontends.php"); + $tab_array[] = array("Servers", false, "haproxy_servers.php"); + $tab_array[] = array("Sync", false, "pkg_edit.php?xml=haproxy_sync.xml"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr><td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td colspan="2" valign="top" class="listtopic">Edit haproxy backend</td> </tr> @@ -408,30 +425,6 @@ include("head.inc"); </td> </tr> <tr align="left"> - <td width="22%" valign="top" class="vncellreq">Connection timeout</td> - <td width="78%" class="vtable" colspan="2"> - <input name="connection_timeout" type="text" <?if(isset($pconfig['connection_timeout'])) echo "value=\"{$pconfig['connection_timeout']}\"";?> size="64"> - <div>the time (in milliseconds) we give up if the connection does not complete within (30000).</div> - </td> - </tr> - <tr align="left"> - <td width="22%" valign="top" class="vncellreq">Server timeout</td> - <td width="78%" class="vtable" colspan="2"> - <input name="server_timeout" type="text" <?if(isset($pconfig['server_timeout'])) echo "value=\"{$pconfig['server_timeout']}\"";?> size="64"> - <div>the time (in milliseconds) we accept to wait for data from the server, or for the server to accept data (30000).</div> - </td> - </tr> - <tr align="left"> - <td width="22%" valign="top" class="vncell">Retries</td> - <td width="78%" class="vtable" colspan="2"> - <input name="retries" type="text" <?if(isset($pconfig['retries'])) echo "value=\"{$pconfig['retries']}\"";?> size="64"> - <div>After a connection failure to a server, it is possible to retry, potentially -on another server. This is useful if health-checks are too rare and you don't -want the clients to see the failures. The number of attempts to reconnect is -set by the 'retries' parameter (2).</div> - </td> - </tr> - <tr align="left"> <td width="22%" valign="top" class="vncellreq">Type</td> <td width="78%" class="vtable" colspan="2"> <select name="type" id="type" onchange="type_change();"> @@ -441,7 +434,43 @@ set by the 'retries' parameter (2).</div> <option value="health"<?php if($pconfig['type'] == "health") echo " SELECTED"; ?>>Health</option> </select> </td> - </tr> + </tr> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Port</td> + <td width="78%" class="vtable" colspan="2"> + <input name="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="6" maxlength="500"> + <div>The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,443</div> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Listen address</td> + <td width="78%" class="vtable"> + <select name="extaddr" class="formfld"> + <option value="" <?php if (!$pconfig['extaddr']) echo "selected"; ?>>Interface address</option> + <option value="127.0.0.1" <?php if($pconfig['extaddr'] == "127.0.0.1") echo "selected"; ?>>127.0.0.1 (Localhost)</option> + <?php + if (is_array($config['virtualip']['vip'])): + foreach ($config['virtualip']['vip'] as $sn): + ?> + <option value="<?=$sn['subnet'];?>" <?php if ($sn['subnet'] == $pconfig['extaddr']) echo "selected"; ?>> + <?=htmlspecialchars("{$sn['subnet']} ({$sn['descr']})");?> + </option> + <?php + endforeach; + endif; + ?> + <option value="any" <?php if($pconfig['extaddr'] == "any") echo "selected"; ?>>any</option> + </select> + <br/> + <span class="vexpl"> + If you want this rule to apply to another IP address than the IP address of the interface chosen above, + select it here (you need to define <a href="firewall_virtual_ip.php">Virtual IP</a> addresses on the first). + Also note that if you are trying to redirect connections on the LAN select the "any" option.<br> + While using carp, select localhost and forward via NAT. + </span> + </td> + </tr> <tr align="left"> <td width="22%" valign="top" class="vncellreq">Balance</td> <td width="78%" class="vtable" colspan="2"> @@ -507,6 +536,69 @@ set by the 'retries' parameter (2).</div> </table> </td> </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Use 'forwardfor' option</td> + <td width="78%" class="vtable" colspan="2"> + <input id="forwardfor" name="forwardfor" type="checkbox" value="yes" <?php if ($pconfig['forwardfor']=='yes') echo "checked"; ?>> + <br/> + The 'forwardfor' option creates an HTTP 'X-Forwarded-For' header which + contains the client's IP address. This is useful to let the final web server + know what the client address was (eg for statistics on domains) + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Use 'httpclose' option</td> + <td width="78%" class="vtable" colspan="2"> + <input id="httpclose" name="httpclose" type="checkbox" value="yes" <?php if ($pconfig['httpclose']=='yes') echo "checked"; ?>> + <br/> + The 'httpclose' option removes any 'Connection' header both ways, and + adds a 'Connection: close' header in each direction. This makes it easier to + disable HTTP keep-alive than the previous 4-rules block. + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Connection limits</td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Connection timeout</td> + <td width="78%" class="vtable" colspan="2"> + <input name="connection_timeout" type="text" <?if(isset($pconfig['connection_timeout'])) echo "value=\"{$pconfig['connection_timeout']}\"";?> size="64"> + <div>the time (in milliseconds) we give up if the connection does not complete within (30000).</div> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Server timeout</td> + <td width="78%" class="vtable" colspan="2"> + <input name="server_timeout" type="text" <?if(isset($pconfig['server_timeout'])) echo "value=\"{$pconfig['server_timeout']}\"";?> size="64"> + <div>the time (in milliseconds) we accept to wait for data from the server, or for the server to accept data (30000).</div> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Retries</td> + <td width="78%" class="vtable" colspan="2"> + <input name="retries" type="text" <?if(isset($pconfig['retries'])) echo "value=\"{$pconfig['retries']}\"";?> size="6"> + <div>After a connection failure to a server, it is possible to retry, potentially +on another server. This is useful if health-checks are too rare and you don't +want the clients to see the failures. The number of attempts to reconnect is +set by the 'retries' parameter (2).</div> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Max connections</td> + <td width="78%" class="vtable" colspan="2"> + <input name="max_connections" type="text" <?if(isset($pconfig['max_connections'])) echo "value=\"{$pconfig['max_connections']}\"";?> size="10" maxlength="10"> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Client timeout</td> + <td width="78%" class="vtable" colspan="2"> + <input name="client_timeout" type="text" <?if(isset($pconfig['client_timeout'])) echo "value=\"{$pconfig['client_timeout']}\"";?> size="10" maxlength="10"> + <div>the time (in milliseconds) we accept to wait for data from the client, or for the client to accept data (30000).</div> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Backend stats</td> + </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Stats Enabled</td> <td width="78%" class="vtable" colspan="2"> @@ -530,14 +622,14 @@ set by the 'retries' parameter (2).</div> <tr align="left" id='stats_username_row' name='stats_username_row' <?if ($pconfig['stats_enabled']!='yes') echo "style=\"display: none;\"";?>> <td width="22%" valign="top" class="vncellreq">Stats Username</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_username" name="stats_username" type="text" <?if(isset($pconfig['stats_username'])) echo "value=\"{$pconfig['stats_username']}\"";?> size="64"> + <input id="stats_username" name="stats_username" type="text" <?if(isset($pconfig['stats_username'])) echo "value=\"{$pconfig['stats_username']}\"";?> size="25"> </td> </tr> <tr align="left" id='stats_password_row' name='stats_password_row' <?if ($pconfig['stats_enabled']!='yes') echo "style=\"display: none;\"";?>> <td width="22%" valign="top" class="vncellreq">Stats Password</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_password" name="stats_password" type="password" <?if(isset($pconfig['stats_password'])) echo "value=\"{$pconfig['stats_password']}\"";?> size="64"> + <input id="stats_password" name="stats_password" type="password" <?if(isset($pconfig['stats_password'])) echo "value=\"{$pconfig['stats_password']}\"";?> size="25"> <br/> </td> </tr> @@ -565,7 +657,7 @@ set by the 'retries' parameter (2).</div> <tr align="left" id='stats_refresh_row' name='stats_refresh_row' <?if ($pconfig['stats_enabled']!='yes') echo "style=\"display: none;\"";?>> <td width="22%" valign="top" class="vncell">Stats Refresh</td> <td width="78%" class="vtable" colspan="2"> - <input id="stats_refresh" name="stats_refresh" type="text" <?if(isset($pconfig['stats_refresh'])) echo "value=\"{$pconfig['stats_refresh']}\"";?> size="10" maxlength="30"><br/> + <input id="stats_refresh" name="stats_refresh" type="text" <?if(isset($pconfig['stats_refresh'])) echo "value=\"{$pconfig['stats_refresh']}\"";?> size="6" maxlength="30"><br/> Specify the refresh rate of the stats page in seconds, or specified time unit (us, ms, s, m, h, d). </td> </tr> @@ -577,53 +669,7 @@ set by the 'retries' parameter (2).</div> Example: / or /index.php or /index.html or /testmypage.cgi </td> </tr> - </tr> - <tr align="left"> - <td width="22%" valign="top" class="vncellreq">Port</td> - <td width="78%" class="vtable" colspan="2"> - <input name="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="30" maxlength="500"> - <div>The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,443</div> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">External address</td> - <td width="78%" class="vtable"> - <select name="extaddr" class="formfld"> - <option value="" <?php if (!$pconfig['extaddr']) echo "selected"; ?>>Interface address</option> - <?php - if (is_array($config['virtualip']['vip'])): - foreach ($config['virtualip']['vip'] as $sn): - ?> - <option value="<?=$sn['subnet'];?>" <?php if ($sn['subnet'] == $pconfig['extaddr']) echo "selected"; ?>> - <?=htmlspecialchars("{$sn['subnet']} ({$sn['descr']})");?> - </option> - <?php - endforeach; - endif; - ?> - <option value="any" <?php if($pconfig['extaddr'] == "any") echo "selected"; ?>>any</option> - </select> - <br /> - <span class="vexpl"> - If you want this rule to apply to another IP address than the IP address of the interface chosen above, - select it here (you need to define <a href="firewall_virtual_ip.php">Virtual IP</a> addresses on the first). - Also note that if you are trying to redirect connections on the LAN select the "any" option. - </span> - </td> - </tr> - <tr align="left"> - <td width="22%" valign="top" class="vncell">Max connections</td> - <td width="78%" class="vtable" colspan="2"> - <input name="max_connections" type="text" <?if(isset($pconfig['max_connections'])) echo "value=\"{$pconfig['max_connections']}\"";?> size="10" maxlength="10"> - </td> - </tr> - <tr align="left"> - <td width="22%" valign="top" class="vncell">Client timeout</td> - <td width="78%" class="vtable" colspan="2"> - <input name="client_timeout" type="text" <?if(isset($pconfig['client_timeout'])) echo "value=\"{$pconfig['client_timeout']}\"";?> size="10" maxlength="10"> - <div>the time (in milliseconds) we accept to wait for data from the client, or for the client to accept data (30000).</div> - </td> - </tr> + <?php /* <tr> @@ -676,30 +722,12 @@ set by the 'retries' parameter (2).</div> </tr> */ ?> - <tr align="left"> - <td width="22%" valign="top" class="vncell">Use 'forwardfor' option</td> - <td width="78%" class="vtable" colspan="2"> - <input id="forwardfor" name="forwardfor" type="checkbox" value="yes" <?php if ($pconfig['forwardfor']=='yes') echo "checked"; ?>> - <br/> - The 'forwardfor' option creates an HTTP 'X-Forwarded-For' header which - contains the client's IP address. This is useful to let the final web server - know what the client address was (eg for statistics on domains) - </td> - </tr> - <tr align="left"> - <td width="22%" valign="top" class="vncell">Use 'httpclose' option</td> - <td width="78%" class="vtable" colspan="2"> - <input id="httpclose" name="httpclose" type="checkbox" value="yes" <?php if ($pconfig['httpclose']=='yes') echo "checked"; ?>> - <br/> - The 'httpclose' option removes any 'Connection' header both ways, and - adds a 'Connection: close' header in each direction. This makes it easier to - disable HTTP keep-alive than the previous 4-rules block. - </td> - </tr> - <tr align="left"> - <td width="22%" valign="top" class="vncell">Advanced pass thru</td> - <td width="78%" class="vtable" colspan="2"> - <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> + <tr> + <td colspan="2" valign="top" class="listtopic">Advanced pass thru</td> + </tr> + <tr align="left" colspan="2" > + <td width="100%" class="vtable" colspan="2"> + <textarea name='advanced' rows="6" cols="90" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> <br/> NOTE: paste text into this box that you would like to pass thru. </td> @@ -715,12 +743,14 @@ set by the 'retries' parameter (2).</div> </td> </tr> <tr> - <br/> <br/> + <td colspan='3'> <span class="vexpl"><b>NOTE:</b> You must add a firewall rule permitting access to this frontend!</span> </td> </tr> </table> + </div> + </td></tr></table> </form> <br> <script type="text/javascript"> diff --git a/config/haproxy-legacy/haproxy_global.php b/config/haproxy-legacy/haproxy_global.php index b0486fb8..f47ada8b 100755 --- a/config/haproxy-legacy/haproxy_global.php +++ b/config/haproxy-legacy/haproxy_global.php @@ -3,6 +3,7 @@ /* haproxy_global.php part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 Marcello Coutinho Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> All rights reserved. @@ -28,7 +29,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require("globals.inc"); require("guiconfig.inc"); require_once("haproxy.inc"); @@ -61,22 +62,10 @@ if ($_POST) { if ($_POST['maxconn'] && (!is_numeric($_POST['maxconn']))) $input_errors[] = "The maximum number of connections should be numeric."; - if($_POST['synchost1'] && !is_ipaddr($_POST['synchost1'])) - $input_errors[] = "Synchost1 needs to be an IPAddress."; - if($_POST['synchost2'] && !is_ipaddr($_POST['synchost2'])) - $input_errors[] = "Synchost2 needs to be an IPAddress."; - if($_POST['synchost3'] && !is_ipaddr($_POST['synchost3'])) - $input_errors[] = "Synchost3 needs to be an IPAddress."; - if (!$input_errors) { $config['installedpackages']['haproxy']['enable'] = $_POST['enable'] ? true : false; $config['installedpackages']['haproxy']['maxconn'] = $_POST['maxconn'] ? $_POST['maxconn'] : false; - $config['installedpackages']['haproxy']['enablesync'] = $_POST['enablesync'] ? true : false; - $config['installedpackages']['haproxy']['synchost1'] = $_POST['synchost1'] ? $_POST['synchost1'] : false; - $config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost2'] ? $_POST['synchost2'] : false; - $config['installedpackages']['haproxy']['synchost3'] = $_POST['synchost3'] ? $_POST['synchost3'] : false; $config['installedpackages']['haproxy']['remotesyslog'] = $_POST['remotesyslog'] ? $_POST['remotesyslog'] : false; - $config['installedpackages']['haproxy']['syncpassword'] = $_POST['syncpassword'] ? $_POST['syncpassword'] : false; $config['installedpackages']['haproxy']['advanced'] = $_POST['advanced'] ? base64_encode($_POST['advanced']) : false; $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false; touch($d_haproxyconfdirty_path); @@ -88,11 +77,6 @@ if ($_POST) { $pconfig['enable'] = isset($config['installedpackages']['haproxy']['enable']); $pconfig['maxconn'] = $config['installedpackages']['haproxy']['maxconn']; -$pconfig['enablesync'] = isset($config['installedpackages']['haproxy']['enablesync']); -$pconfig['syncpassword'] = $config['installedpackages']['haproxy']['syncpassword']; -$pconfig['synchost1'] = $config['installedpackages']['haproxy']['synchost1']; -$pconfig['synchost2'] = $config['installedpackages']['haproxy']['synchost2']; -$pconfig['synchost3'] = $config['installedpackages']['haproxy']['synchost3']; $pconfig['remotesyslog'] = $config['installedpackages']['haproxy']['remotesyslog']; $pconfig['advanced'] = base64_decode($config['installedpackages']['haproxy']['advanced']); $pconfig['nbproc'] = $config['installedpackages']['haproxy']['nbproc']; @@ -134,7 +118,8 @@ function enable_change(enable_change) { $tab_array = array(); $tab_array[] = array("Settings", true, "haproxy_global.php"); $tab_array[] = array("Frontends", false, "haproxy_frontends.php"); - $tab_array[] = array("Servers", false, "haproxy_servers.php"); + $tab_array[] = array("Servers", false, "haproxy_servers.php"); + $tab_array[] = array("Sync", false, "pkg_edit.php?xml=haproxy_sync.xml"); display_top_tabs($tab_array); ?> </td></tr> @@ -207,7 +192,7 @@ function enable_change(enable_change) { Number of processes to start </td> <td class="vtable"> - <input name="nbproc" type="text" class="formfld" id="nbproc" size="18" value="<?=htmlspecialchars($pconfig['nbproc']);?>"> + <input name="nbproc" type="text" class="formfld" id="nbproc" size="4" value="<?=htmlspecialchars($pconfig['nbproc']);?>"> <br/> Defaults to number of cores/processors installed if left blank (<?php echo trim(`/sbin/sysctl kern.smp.cpus | cut -d" " -f2`); ?> detected). </td> @@ -229,58 +214,15 @@ function enable_change(enable_change) { <td colspan="2" valign="top" class="listtopic">Global Advanced pass thru</td> </tr> <tr> - <td width="22%" valign="top" class="vncell"> </td> - <td width="78%" class="vtable"> - <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> + <td width="100%" class="vtable" colspan="2"> + <textarea name='advanced' rows="6" cols="90" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> <br/> NOTE: paste text into this box that you would like to pass thru in the global settings area. </td> </tr> <tr> <td> - - </td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic">Configuration synchronization</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"> </td> - <td width="78%" class="vtable"> - <input name="enablesync" type="checkbox" value="yes" <?php if ($pconfig['enablesync']) echo "checked"; ?>> - <strong>Sync HAProxy configuration to backup CARP members via XMLRPC.</strong> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Synchronization password</td> - <td width="78%" class="vtable"> - <input name="syncpassword" type="password" value="<?=$pconfig['syncpassword'];?>"> - <br/> - <strong>Enter the password that will be used during configuration synchronization. This is generally the remote webConfigurator password.</strong> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Sync host #1</td> - <td width="78%" class="vtable"> - <input name="synchost1" value="<?=$pconfig['synchost1'];?>"> - <br/> - <strong>Synchronize settings to this hosts IP address.</strong> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Sync host #2</td> - <td width="78%" class="vtable"> - <input name="synchost2" value="<?=$pconfig['synchost2'];?>"> - <br/> - <strong>Synchronize settings to this hosts IP address.</strong> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Sync host #3</td> - <td width="78%" class="vtable"> - <input name="synchost3" value="<?=$pconfig['synchost3'];?>"> - <br/> - <strong>Synchronize settings to this hosts IP address.</strong> + </td> </tr> <tr> diff --git a/config/haproxy-legacy/haproxy_servers.php b/config/haproxy-legacy/haproxy_servers.php index cacf995a..b8f58b73 100755 --- a/config/haproxy-legacy/haproxy_servers.php +++ b/config/haproxy-legacy/haproxy_servers.php @@ -28,7 +28,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require_once("guiconfig.inc"); require_once("haproxy.inc"); @@ -93,6 +93,7 @@ include("head.inc"); $tab_array[] = array("Settings", false, "haproxy_global.php"); $tab_array[] = array("Frontends", false, "haproxy_frontends.php"); $tab_array[] = array("Servers", true, "haproxy_servers.php"); + $tab_array[] = array("Sync", false, "pkg_edit.php?xml=haproxy_sync.xml"); display_top_tabs($tab_array); ?> </td></tr> diff --git a/config/haproxy-legacy/haproxy_servers_edit.php b/config/haproxy-legacy/haproxy_servers_edit.php index a4360b04..4a8072b3 100755 --- a/config/haproxy-legacy/haproxy_servers_edit.php +++ b/config/haproxy-legacy/haproxy_servers_edit.php @@ -3,6 +3,7 @@ /* haproxy_servers_edit.php part of pfSense (http://www.pfsense.com/) + Copyright (C) 2013 Marcello Coutinho Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> All rights reserved. @@ -28,7 +29,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "haproxy"; require("guiconfig.inc"); $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; @@ -183,14 +184,29 @@ function clearcombo(){ <p class="pgtitle"><?=$pgtitle?></p> <?php endif; ?> <form action="haproxy_servers_edit.php" method="post" name="iform" id="iform"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> + <?php + /* active tabs */ + $tab_array = array(); + $tab_array[] = array("Settings", false, "haproxy_global.php"); + $tab_array[] = array("Frontends", false, "haproxy_frontends.php"); + $tab_array[] = array("Servers", true, "haproxy_servers.php"); + $tab_array[] = array("Sync", false, "pkg_edit.php?xml=haproxy_sync.xml"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td colspan="2" valign="top" class="listtopic">Edit HAProxy server</td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncellreq">Name</td> <td width="78%" class="vtable" colspan="2"> - <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="16" maxlength="16"> + <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="16" maxlength="16"><br> </td> </tr> <tr align="left"> @@ -225,7 +241,7 @@ function clearcombo(){ <?=$backend['name'];?> </option> <?php } ?> - </select> + </select><br> </td> <td> <?php @@ -244,7 +260,7 @@ function clearcombo(){ </table> <a onclick="javascript:addRowTo('frontendtable'); return false;" href="#"> <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" alt="" title="add another entry" /> - </a> + </a><br/> </td> </tr> <tr> @@ -253,8 +269,8 @@ function clearcombo(){ IP Address </div> </td> - <td width="78%" class="vtable"> - <input name="address" type="text" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" /> + <td width="78%" class="vtable" colspan="2"> + <input name="address" type="text" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" /><br/> </td> </tr> <tr align="left"> @@ -274,7 +290,7 @@ function clearcombo(){ <option value="disabled" <?php if($pconfig['status']=='disabled') echo "SELECTED";?>>disabled</option> <option value="inactive" <?php if($pconfig['status']=='inactive') echo "SELECTED";?>>inactive</option> </select> - </td> + <br>Select Server Status</td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Cookie</td> @@ -286,20 +302,20 @@ function clearcombo(){ sent to the client. There is nothing wrong in having several servers sharing the same cookie value, and it is in fact somewhat common between normal and backup servers. See also the "cookie" keyword in backend section. - + <br/> </td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Check inter</td> <td width="78%" class="vtable" colspan="2"> - <input name="checkinter" type="text" <?if(isset($pconfig['checkinter'])) echo "value=\"{$pconfig['checkinter']}\"";?>size="64"> + <input name="checkinter" type="text" <?if(isset($pconfig['checkinter'])) echo "value=\"{$pconfig['checkinter']}\"";?>size="10"> <br/>Defaults to 1000 if left blank. </td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Weight</td> <td width="78%" class="vtable" colspan="2"> - <input name="weight" type="text" <?if(isset($pconfig['weight'])) echo "value=\"{$pconfig['weight']}\"";?>size="64"><br/> + <input name="weight" type="text" <?if(isset($pconfig['weight'])) echo "value=\"{$pconfig['weight']}\"";?>size="6"><br/> The default weight is 1, and the maximal value is 255.<br/> NOTE: If this parameter is used to distribute the load according to server's capacity, it @@ -327,6 +343,7 @@ function clearcombo(){ </td> </tr> </table> + </div></td></tr></table> </form> <br> <?php include("fend.inc"); ?> diff --git a/config/haproxy-legacy/haproxy_sync.xml b/config/haproxy-legacy/haproxy_sync.xml new file mode 100644 index 00000000..5c2b6ab7 --- /dev/null +++ b/config/haproxy-legacy/haproxy_sync.xml @@ -0,0 +1,146 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + haproxy_sync.xml + part of the Haproxy package for pfSense + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>haproxysync</name> + <version>1.0</version> + <title>Services: Haproxy: Sync</title> + <include_file>/usr/local/pkg/haproxy.inc</include_file> +<tabs> + <tab> + <text>Settings</text> + <url>/haproxy_global.php</url> + </tab> + <tab> + <text>Frontends</text> + <url>/haproxy_frontends.php</url> + </tab> + <tab> + <text>Servers</text> + <url>haproxy_servers.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=haproxy_sync.xml</url> + <active/> + </tab> +</tabs> + <fields> + <field> + <name>Haproxy Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Sync method</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Automatically sync Haproxy configuration changes to remote/backup server.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>30</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>250 seconds</name><value>250</value></option> + </options> + </field> + <field> + <fielddescr><![CDATA[Remote Server(s)]]></fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> + <rowhelper> + <rowhelperfield> + <fielddescr>Enable</fielddescr> + <fieldname>enabless</fieldname> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Remote Server IP</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>10</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + <description>Username for remote server.</description> + <type>input</type> + <size>10</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>10</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <type>input</type> + <size>27</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + </custom_php_resync_config_command> +</packagegui> diff --git a/config/haproxy-legacy/pkg_haproxy.inc b/config/haproxy-legacy/pkg_haproxy.inc new file mode 100755 index 00000000..1e5c75c2 --- /dev/null +++ b/config/haproxy-legacy/pkg_haproxy.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['haproxy'] = array(); +$shortcuts['haproxy']['main'] = "haproxy_global.php"; +$shortcuts['haproxy']['log'] = "diag_logs.php"; +$shortcuts['haproxy']['status'] = "status_services.php"; +$shortcuts['haproxy']['service'] = "HAProxy"; + +?> diff --git a/config/lightsquid/sqstat.class.php b/config/lightsquid/sqstat.class.php index 228aecfe..03695a47 100644 --- a/config/lightsquid/sqstat.class.php +++ b/config/lightsquid/sqstat.class.php @@ -179,7 +179,8 @@ class squidstat{ } fclose($this->fp); - if ($raw[0]!="HTTP/1.0 200 OK") { $this->errorMsg(1, "Cannot get data. Server answered: $raw[0]"); + if (!preg_match("/^HTTP.* 200 OK$/", $raw[0])) { + $this->errorMsg(1, "Cannot get data. Server answered: $raw[0]"); return false; } diff --git a/config/mailreport/status_mail_report.php b/config/mailreport/status_mail_report.php index b1705fac..e08a7272 100644 --- a/config/mailreport/status_mail_report.php +++ b/config/mailreport/status_mail_report.php @@ -1,9 +1,9 @@ <?php /* $Id$ */ /* - status_rrd_graph.php + status_mail_report.php Part of pfSense - Copyright (C) 2011 Jim Pingle <jimp@pfsense.org> + Copyright (C) 2011-2014 Jim Pingle <jimp@pfsense.org> All rights reserved. Redistribution and use in source and binary forms, with or without @@ -32,20 +32,15 @@ */ ##|+PRIV -##|*IDENT=page-status-rrdgraphs -##|*NAME=Status: RRD Graphs page -##|*DESCR=Allow access to the 'Status: RRD Graphs' page. -##|*MATCH=status_rrd_graph.php* +##|*IDENT=page-status-mailreports +##|*NAME=Status: E-Mail Reports page +##|*DESCR=Allow access to the 'Status: E-Mail Reports' page. +##|*MATCH=status_mail_report.php* ##|-PRIV require("guiconfig.inc"); require_once("mail_reports.inc"); -/* if the rrd graphs are not enabled redirect to settings page */ -if(! isset($config['rrd']['enable'])) { - header("Location: status_rrd_graph_settings.php"); -} - if (!is_array($config['mailreports']['schedule'])) $config['mailreports']['schedule'] = array(); diff --git a/config/mailreport/status_mail_report_add_cmd.php b/config/mailreport/status_mail_report_add_cmd.php index 7693f7a4..b4527584 100644 --- a/config/mailreport/status_mail_report_add_cmd.php +++ b/config/mailreport/status_mail_report_add_cmd.php @@ -1,9 +1,9 @@ <?php /* $Id$ */ /* - status_rrd_graph.php + status_mail_report_add_cmd.php Part of pfSense - Copyright (C) 2011 Jim Pingle <jimp@pfsense.org> + Copyright (C) 2011-2014 Jim Pingle <jimp@pfsense.org> Portions Copyright (C) 2007-2011 Seth Mos <seth.mos@dds.nl> All rights reserved. @@ -33,10 +33,10 @@ */ ##|+PRIV -##|*IDENT=page-status-rrdgraphs -##|*NAME=Status: RRD Graphs page -##|*DESCR=Allow access to the 'Status: RRD Graphs' page. -##|*MATCH=status_rrd_graph.php* +##|*IDENT=page-status-mailreportsaddcmd +##|*NAME=Status: E-Mail Reports: Add Command page +##|*DESCR=Allow access to the 'Status: E-Mail Reports: Add Command' page. +##|*MATCH=status_mail_report_add_cmd.php* ##|-PRIV require("guiconfig.inc"); diff --git a/config/mailreport/status_mail_report_add_graph.php b/config/mailreport/status_mail_report_add_graph.php index 165124f3..663d8f9b 100644 --- a/config/mailreport/status_mail_report_add_graph.php +++ b/config/mailreport/status_mail_report_add_graph.php @@ -1,9 +1,9 @@ <?php /* $Id$ */ /* - status_rrd_graph.php + status_mail_report_add_graph.php Part of pfSense - Copyright (C) 2011 Jim Pingle <jimp@pfsense.org> + Copyright (C) 2011-2014 Jim Pingle <jimp@pfsense.org> Portions Copyright (C) 2007-2011 Seth Mos <seth.mos@dds.nl> All rights reserved. @@ -33,10 +33,10 @@ */ ##|+PRIV -##|*IDENT=page-status-rrdgraphs -##|*NAME=Status: RRD Graphs page -##|*DESCR=Allow access to the 'Status: RRD Graphs' page. -##|*MATCH=status_rrd_graph.php* +##|*IDENT=page-status-mailreportsaddgraph +##|*NAME=Status: E-Mail Reports: Add Graph page +##|*DESCR=Allow access to the 'Status: E-Mail Reports: Add Graph' page. +##|*MATCH=status_mail_report_add_graph.php* ##|-PRIV require("guiconfig.inc"); diff --git a/config/mailreport/status_mail_report_add_log.php b/config/mailreport/status_mail_report_add_log.php index 75d092b5..0b140723 100644 --- a/config/mailreport/status_mail_report_add_log.php +++ b/config/mailreport/status_mail_report_add_log.php @@ -1,9 +1,9 @@ <?php /* $Id$ */ /* - status_rrd_graph.php + status_mail_report_add_log.php Part of pfSense - Copyright (C) 2011 Jim Pingle <jimp@pfsense.org> + Copyright (C) 2011-2014 Jim Pingle <jimp@pfsense.org> Portions Copyright (C) 2007-2011 Seth Mos <seth.mos@dds.nl> All rights reserved. @@ -33,10 +33,10 @@ */ ##|+PRIV -##|*IDENT=page-status-rrdgraphs -##|*NAME=Status: RRD Graphs page -##|*DESCR=Allow access to the 'Status: RRD Graphs' page. -##|*MATCH=status_rrd_graph.php* +##|*IDENT=page-status-mailreportsaddlog +##|*NAME=Status: E-Mail Reports: Add Log page +##|*DESCR=Allow access to the 'Status: E-Mail Reports: Add Log' page. +##|*MATCH=status_mail_report_add_log.php* ##|-PRIV require("guiconfig.inc"); diff --git a/config/mailreport/status_mail_report_edit.php b/config/mailreport/status_mail_report_edit.php index dcfa6d98..9e6bb071 100644 --- a/config/mailreport/status_mail_report_edit.php +++ b/config/mailreport/status_mail_report_edit.php @@ -1,9 +1,9 @@ <?php /* $Id$ */ /* - status_rrd_graph.php + status_mail_report_edit.php Part of pfSense - Copyright (C) 2011 Jim Pingle <jimp@pfsense.org> + Copyright (C) 2011-2014 Jim Pingle <jimp@pfsense.org> All rights reserved. Redistribution and use in source and binary forms, with or without @@ -32,21 +32,15 @@ */ ##|+PRIV -##|*IDENT=page-status-rrdgraphs -##|*NAME=Status: RRD Graphs page -##|*DESCR=Allow access to the 'Status: RRD Graphs' page. -##|*MATCH=status_rrd_graph.php* +##|*IDENT=page-status-mailreportsedit +##|*NAME=Status: E-Mail Reports: Edit Report page +##|*DESCR=Allow access to the 'Status: E-Mail Reports: Edit Report' page. +##|*MATCH=status_mail_report_edit.php* ##|-PRIV require("guiconfig.inc"); require_once("mail_reports.inc"); -/* if the rrd graphs are not enabled redirect to settings page */ -if(! isset($config['rrd']['enable'])) { - header("Location: status_rrd_graph_settings.php"); - return; -} - $cmdid = $_REQUEST['cmdid']; $logid = $_REQUEST['logid']; $graphid = $_REQUEST['graphid']; diff --git a/config/mailscanner/mailscanner.conf.template b/config/mailscanner/mailscanner.conf.template index 06090be3..c801c5d6 100644 --- a/config/mailscanner/mailscanner.conf.template +++ b/config/mailscanner/mailscanner.conf.template @@ -3,17 +3,17 @@ $mc=<<<EOF {$info} # Configuration directory containing this file -%etc-dir% = /usr/local/etc/MailScanner +%etc-dir% = {$mlb}/etc/MailScanner # Set the directory containing all the reports in the required language -%report-dir% = /usr/local/share/MailScanner/reports/{$report_language} +%report-dir% = {$mlb}/share/MailScanner/reports/{$report_language} # Rulesets directory containing your ".rules" files -%rules-dir% = /usr/local/etc/MailScanner/rules +%rules-dir% = {$mlb}/etc/MailScanner/rules # Configuration directory containing files related to MCP # (Message Content Protection) -%mcp-dir% = /usr/local/etc/MailScanner/mcp +%mcp-dir% = {$mlb}/etc/MailScanner/mcp # # System settings @@ -417,7 +417,7 @@ Log SpamAssassin Rule Actions = {$log_sa_rule_action} SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin User State Dir = SpamAssassin Install Prefix = -SpamAssassin Site Rules Dir = /usr/local/etc/mail/spamassassin +SpamAssassin Site Rules Dir = {$mlb}/etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = # /var/lib/spamassassin SpamAssassin Default Rules Dir = @@ -469,7 +469,7 @@ Sender MCP Report = %report-dir%/sender.mcp.report.txt Use Default Rules With Multiple Recipients = {$default_rule_multiple} Read IP Address From Received Header = {$read_ipaddress} Spam Score Number Format = {$spam_score_format} -MailScanner Version Number = 4.83.5 +MailScanner Version Number = {$mailscanner_version} SpamAssassin Cache Timings = {$cache_timings} Debug = {$debug} Debug SpamAssassin = {$debug_spam} @@ -480,12 +480,12 @@ Deliver In Background = {$deliver_background} Delivery Method = {$mailscanner['deliver_method']} Split Exim Spool = {$split_exim_spool} Lockfile Dir = /var/spool/MailScanner/incoming/Locks -Custom Functions Dir = /usr/local/lib/MailScanner/MailScanner/CustomFunctions +Custom Functions Dir = {$mlb}/lib/MailScanner/MailScanner/CustomFunctions Lock Type = Syslog Socket Type = Automatic Syntax Check = {$syntax_check} Minimum Code Status = {$mailscanner['minimum_code']} -include /usr/local/etc/MailScanner/conf.d/* +include {$mlb}/etc/MailScanner/conf.d/* diff --git a/config/mailscanner/mailscanner.inc b/config/mailscanner/mailscanner.inc index 1ba0a4ca..9f5fd11d 100644 --- a/config/mailscanner/mailscanner.inc +++ b/config/mailscanner/mailscanner.inc @@ -27,7 +27,7 @@ POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "mailscanner"; require_once("util.inc"); require("globals.inc"); #require("guiconfig.inc"); @@ -101,6 +101,7 @@ function sync_package_mailscanner($via_rpc=false) { $config['installedpackages']['mscontent']['config'][0]=array('checks'=>'DangerousContentScanning,UseStricterPhishingNet,HighlightPhishingFraud', 'iframe_tags'=>'disarm', 'form_tags'=>'disarm', + 'script_tags'=>'disarm', 'web_bugs'=>'disarm', 'codebase_tags'=>'disarm'); $load_samples++; @@ -116,7 +117,7 @@ function sync_package_mailscanner($via_rpc=false) { $report=$config['installedpackages']['msreport']['config'][0]; if (!is_array($config['installedpackages']['msantispam'])){ $config['installedpackages']['msantispam']['config'][0]=array( 'rblfeatures'=>'spam_checks', - 'safeatures'=>'use_sa,sa_auto_whitelist,check_sa_if_on_spam_list,spam_score,cache_spamassassin_results,use_pyzor,use_razor,use_dcc,use_bayes,use_auto_learn_bayes', + 'safeatures'=>'use_sa,sa_auto_whitelist,check_sa_if_on_spam_list,spam_score,cache_spamassassin_results,use_razor,use_dcc,use_bayes,use_auto_learn_bayes', 'sa_score'=>'6', 'spam_actions'=>'deliver', 'hi_score'=>'20', @@ -259,6 +260,7 @@ function sync_package_mailscanner($via_rpc=false) { /* Language Strings = %report-dir%/languages.conf */ + #check files $mailscanner_dir=MAILSCANNER_LOCALBASE ."/etc/MailScanner"; @@ -309,7 +311,8 @@ Language Strings = %report-dir%/languages.conf $load_samples++; } - $report_dir=MAILSCANNER_LOCALBASE."/share/MailScanner/reports/".strtolower($report['language']); + //$report_dir=MAILSCANNER_LOCALBASE."/share/MailScanner/reports/".strtolower($report['language']); + $report_dir="/usr/local/share/MailScanner/reports/".strtolower($report['language']); #CHECK REPORT FILES $report_files= array('deletedbadcontent' => 'deleted.content.message.txt', 'deletedbadfilename' => 'deleted.filename.message.txt', @@ -377,8 +380,18 @@ Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf Country Sub-Domains List = %etc-dir%/country.domains.conf */ - + #get mailscanner version + $msc_bin=MAILSCANNER_LOCALBASE. "/sbin/mailscanner"; + if (file_exists($msc_bin)){ + $msc_bin_file=file_get_contents($msc_bin); + if (preg_match("/MailScannerVersion = '(\S+)'/",$msc_bin_file,$msv_matches)) + $mailscanner_version=$msv_matches[1]; + else + $mailscanner_version='4.83.5'; + } #create MailScanner.conf + $mlb=MAILSCANNER_LOCALBASE; + include("mailscanner.conf.template"); #write files conf_mount_rw(); @@ -404,76 +417,83 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf #update spam.assassin.prefs.conf $sa_temp=ms_text_area_decode($config['installedpackages']['msantispam']['config'][0]['sa_pref_file']); - $pattern[0]='/#ifplugin/'; - $pattern[1]='/#pyzor_path/'; - $pattern[2]='/usr.bin.pyzor/'; - $pattern[3]='/#dcc_path/'; - $pattern[4]='/#endif/'; - $replacement[0]="ifplugin"; - $replacement[1]="pyzor_path"; - $replacement[2]="usr/local/bin/pyzor"; - $replacement[3]="dcc_path"; - $replacement[4]="endif"; + $pattern[]='/#ifplugin/'; + $pattern[]='/#dcc_path/'; + $pattern[]='/#endif/'; + + $replacement[]="ifplugin"; + $replacement[]="dcc_path"; + $replacement[]="endif"; if (preg_match('/use_razor/',$antispam['safeatures'])){ - $pattern[5]='/\nuse_razor2\s+0/'; - $replacement[5]="\n".'# use_razor2 0'; + $pattern[]='/\nuse_razor2\s+0/'; + $replacement[]="\n".'# use_razor2 0'; } else{ - $pattern[5]='/\n#\s+use_razor2\s+0/'; - $replacement[5]="\n".'use_razor2 0'; + $pattern[]='/\n#\s+use_razor2\s+0/'; + $replacement[]="\n".'use_razor2 0'; } if (preg_match('/use_dcc/',$antispam['safeatures'])){ - $pattern[6]='/\nuse_dcc\s+0/'; - $replacement[6]="\n".'# use_dcc 0'; + $pattern[]='/\nuse_dcc\s+0/'; + $replacement[]="\n".'# use_dcc 0'; } else{ - $pattern[6]='/\n#\s+use_dcc\s+0/'; - $replacement[6]="\n".'use_dcc 0'; + $pattern[]='/\n#\s+use_dcc\s+0/'; + $replacement[]="\n".'use_dcc 0'; } if (preg_match('/use_pyzor/',$antispam['safeatures'])){ - $pattern[7]='/\nuse_pyzor\s+0/'; - $replacement[7]="\n".'# use_pyzor 0'; + $pattern[]='/#pyzor_path/'; + $pattern[]="/\S+yzor_disabled/"; + $pattern[]='/usr.bin.pyzor/'; + $pattern[]='/use_pyzor/'; + $pattern[]="/\S+o_not_use_pyzor/"; + $replacement[]="pyzor_path"; + $replacement[]="pyzor_path"; + $replacement[]="usr/local/bin/pyzor"; + $replacement[]="use_pyzor"; + $replacement[]="use_pyzor"; } else{ - $pattern[7]='/\n#\s+use_pyzor\s+0/'; - $replacement[7]="\n".'# use_pyzor 0'; + $pattern[]='/use_pyzor/'; + $pattern[]='/pyzor_path/'; + $replacement[]="#do_not_use_pyzor"; + $replacement[]="#pyzor_disabled"; } if (preg_match('/use_auto_learn_bayes/',$antispam['safeatures'])){ - $pattern[8]='/\nbayes_auto_learn\s+0/'; - $replacement[8]="\n".'# bayes_auto_learn 0'; + $pattern[]='/\nbayes_auto_learn\s+0/'; + $replacement[]="\n".'# bayes_auto_learn 0'; } else{ - $pattern[8]='/\n#\s+bayes_auto_learn\s+0/'; - $replacement[8]="\n".'bayes_auto_learn 0'; + $pattern[]='/\n#\s+bayes_auto_learn\s+0/'; + $replacement[]="\n".'bayes_auto_learn 0'; } if (preg_match('/use_bayes/',$antispam['safeatures'])){ - $pattern[9]='/\nuse_bayes\s+0/'; - $replacement[9]="\n".'# use_bayes 0'; + $pattern[]='/\nuse_bayes\s+0/'; + $replacement[]="\n".'# use_bayes 0'; } else{ - $pattern[9]='/\n#\s+use_bayes\s+0/'; - $replacement[9]="\n".'use_bayes 0'; + $pattern[]='/\n#\s+use_bayes\s+0/'; + $replacement[]="\n".'use_bayes 0'; } if (preg_match('/sa_auto_whitelist/',$antispam['safeatures'])){ - $pattern[10]='/\nuse_auto_whitelist\s+0/'; - $replacement[10]="\n".'# use_auto_whitelist 0'; + $pattern[]='/\nuse_auto_whitelist\s+0/'; + $replacement[]="\n".'# use_auto_whitelist 0'; } else{ - $pattern[10]='/\n#\s*use_auto_whitelist 0/'; - $replacement[10]="\n".'use_auto_whitelist 0'; + $pattern[]='/\n#\s*use_auto_whitelist 0/'; + $replacement[]="\n".'use_auto_whitelist 0'; } if ($antispam['rblchecks']){ - $pattern[11]='/\nskip_rbl_checks\s+1/'; - $replacement[11]="\n".'# skip_rbl_checks 1'; + $pattern[]='/\nskip_rbl_checks\s+1/'; + $replacement[]="\n".'# skip_rbl_checks 1'; } else{ - $pattern[11]='/\n#\s+skip_rbl_checks\s+\d/'; - $replacement[11]="\n".'skip_rbl_checks 1'; + $pattern[]='/\n#\s+skip_rbl_checks\s+\d/'; + $replacement[]="\n".'skip_rbl_checks 1'; } - $pattern[12]='/bayes_ignore_header ([a-zA-Z0-9_.-]+)MailScanner/'; - $replacement[12]="bayes_ignore_header ".($mailscanner['orgname']!=""?$mailscanner['orgname']:"pfsense")."-MailScanner"; - $pattern[13]='/envelope_sender_header X([a-zA-Z0-9_.-]+)MailScanner-From/'; - $replacement[13]="envelope_sender_header X-".($mailscanner['orgname']!=""?$mailscanner['orgname']:"pfsense")."-MailScanner-From"; + $pattern[]='/bayes_ignore_header ([a-zA-Z0-9_.-]+)MailScanner/'; + $replacement[]="bayes_ignore_header ".($mailscanner['orgname']!=""?$mailscanner['orgname']:"Pfsense")."-MailScanner"; + $pattern[]='/envelope_sender_header X([a-zA-Z0-9_.-]+)MailScanner-From/'; + $replacement[]="envelope_sender_header X-".($mailscanner['orgname']!=""?$mailscanner['orgname']:"Pfsense")."-MailScanner-From"; $sa_temp=preg_replace($pattern,$replacement,$sa_temp); @@ -525,34 +545,24 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf unlink_if_exists($libexec_dir.'clamav-wrapper'); } else{ - if (file_exists('/var/run/clamav/')) - chown('/var/run/clamav/', 'postfix'); - if (file_exists('/var/log/clamav/')) - chown('/var/log/clamav/', 'postfix'); - if (file_exists('/var/db/clamav/')) - chown('/var/db/clamav/', 'postfix'); - if (file_exists('/var/db/clamav/bytecode.cld')) - chown('/var/db/clamav/bytecode.cld', 'postfix'); - if (file_exists('/var/db/clamav/daily.cld')) - chown('/var/db/clamav/daily.cld', 'postfix'); - if (file_exists('/var/db/clamav/main.cvd')) - chown('/var/db/clamav/main.cvd', 'postfix'); - if (file_exists('/var/db/clamav/mirrors.dat')) - chown('/var/db/clamav/mirrors.dat', 'postfix'); - if (file_exists('/var/log/clamav/clamd.log')) - chown('/var/log/clamav/clamd.log', 'postfix'); - if (file_exists('/var/log/clamav/freshclam.log')) - chown('/var/log/clamav/freshclam.log', 'postfix'); - + $av_dirs=array('run','log','db'); + foreach ($av_dirs as $av_dir){ + if (!is_dir("/var/$av_dir/clamav")) + mkdir("/var/$av_dir/clamav",0774,true); + chown("/var/$av_dir/clamav", 'postfix'); + chgrp("/var/$av_dir/clamav", 'wheel'); + } + $av_files=array('/var/db/clamav/daily.cld','/var/db/clamav/main.cvd','/var/db/clamav/mirrors.dat', + '/var/log/clamav/clamd.log','/var/log/clamav/freshclam.log','/var/db/clamav/bytecode.cld'); + foreach ($av_files as $av_file){ + if (file_exists($av_file)) + chown($av_file, 'postfix'); + } copy($libexec_dir.'clamav-autoupdate.sample',$libexec_dir.'clamav-autoupdate'); chmod ($libexec_dir.'clamav-autoupdate',0755); copy($libexec_dir.'clamav-wrapper.sample',$libexec_dir.'clamav-wrapper'); chmod ($libexec_dir.'clamav-autoupdate',0755); - if (!file_exists('/var/db/clamav/main.cvd')){ - log_error('No clamav database found, running freshclam in background.'); - mwexec_bg(MAILSCANNER_LOCALBASE. '/bin/freshclam'); - } - + #clamav-wrapper file $cconf=$libexec_dir."clamav-wrapper"; if (file_exists($cconf)){ @@ -565,7 +575,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf #freshclam conf file $cconf=MAILSCANNER_LOCALBASE. "/etc/freshclam.conf"; - if (file_exists($conf)){ + if (file_exists($cconf)){ $cconf_file=file_get_contents($cconf); if (preg_match('/DatabaseOwner clamav/',$cconf_file)){ $cconf_file=preg_replace("/DatabaseOwner clamav/","DatabaseOwner postfix",$cconf_file); @@ -575,7 +585,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf #clamd conf file $cconf=MAILSCANNER_LOCALBASE. "/etc/clamd.conf"; - if (file_exists($conf)){ + if (file_exists($cconf)){ $cconf_file=file_get_contents($cconf); if (preg_match('/User clamav/',$cconf_file)){ $cconf_file=preg_replace("/User clamav/","User postfix",$cconf_file); @@ -616,6 +626,13 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } } } + + #check clamav database + if (!file_exists('/var/db/clamav/main.cvd')){ + log_error('No clamav database found, running freshclam in background.'); + mwexec_bg(MAILSCANNER_LOCALBASE. '/bin/freshclam --config-file='.MAILSCANNER_LOCALBASE.'/etc/freshclam.conf --user=root'); + } + } } else{ @@ -660,30 +677,45 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } } } - + $script=MAILSCANNER_LOCALBASE. '/etc/rc.d/mailscanner'; #fix MIME::ToolUtils deprecated function and usecure dependency calls in /usr/local/sbin/mailscanner $cconf=MAILSCANNER_LOCALBASE. "/sbin/mailscanner"; if (file_exists($cconf)){ - #check perl's version - exec('find '.MAILSCANNER_LOCALBASE. '/lib/perl5/site_perl -name Df.pm',$find_out); - $perl_bin="perl"; - foreach($find_out as $perl_dir){ - if (preg_match ('@usr/local/lib/perl5/site_perl/([.0-9]+)/mach/Filesys/Df.pm@',$perl_dir,$perl_match)) - $perl_bin.=$perl_match[1]; - } - $cconf_file=file_get_contents($cconf); - $pattern2[0]='@#!/usr.*bin/perl.*I@'; - $pattern2[1]='/\smy .current = config MIME::ToolUtils/'; - $replacement2[0]='#!'.MAILSCANNER_LOCALBASE. "/bin/{$perl_bin} -U -I"; - $replacement2[1]=' #my $current = config MIME::ToolUtils'; - if (preg_match('@#!/usr.*bin/perl.*I@',$cconf_file)){ - $cconf_file=preg_replace($pattern2,$replacement2,$cconf_file); - file_put_contents($cconf, $cconf_file, LOCK_EX); - } + $perl_bin="perl_mailscanner"; + if(file_exists(MAILSCANNER_LOCALBASE . '/bin/perl') && !file_exists(MAILSCANNER_LOCALBASE . "/bin/{$perl_bin}")){ + link(MAILSCANNER_LOCALBASE . '/bin/perl',MAILSCANNER_LOCALBASE . '/bin/perl_mailscanner'); + } + if (file_exists(MAILSCANNER_LOCALBASE . "/bin/{$perl_bin}")){ + $cconf_file=file_get_contents($cconf); + $pattern2[0]='@#!/usr\S+bin/perl.*I@'; + //$pattern2[1]='/\smy .current = config MIME::ToolUtils/'; + $replacement2[0]='#!'.MAILSCANNER_LOCALBASE. "/bin/{$perl_bin} -U -I"; + //$replacement2[1]=' #my $current = config MIME::ToolUtils'; + if (preg_match('@#!/usr\S+bin/perl.*I@',$cconf_file)){ + $cconf_file=preg_replace($pattern2,$replacement2,$cconf_file); + file_put_contents($cconf, $cconf_file, LOCK_EX); + } + } + } + + #check spam assassin rules + $saupdate="/usr/local/bin/sa-update"; + if (file_exists($saupdate)){ + $rules_found=0; + if (file_exists("/var/db/spamassassin")){ + foreach (glob("/var/db/spamassassin/*",GLOB_ONLYDIR) as $dirname) + $rules_found++; + } + if ($rules_found==0){ + log_error("Mailscanner- No spamassassin rules found, forcing sa-update."); + mwexec($saupdate); + } + } + if (file_exists($script)){ $script_file=file_get_contents($script); if (preg_match('/NO/',$script_file)){ diff --git a/config/mailscanner/mailscanner.xml b/config/mailscanner/mailscanner.xml index 0e644196..2f97fcec 100644 --- a/config/mailscanner/mailscanner.xml +++ b/config/mailscanner/mailscanner.xml @@ -9,7 +9,7 @@ /* mailscanner.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -54,7 +54,7 @@ <service> <name>mailscanner</name> <rcfile>mailscanner</rcfile> - <executable>perl5.12.4</executable> + <executable>perl_mailscanner</executable> <description>MailScanner</description> </service> <additional_files_needed> @@ -112,6 +112,11 @@ <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/mailscanner/pkg_mailscanner.inc</item> + </additional_files_needed> <tabs> <tab> <text>General</text> @@ -228,7 +233,7 @@ <fielddescr>Logging</fielddescr> <fieldname>syslog</fieldname> <description> - <![CDATA[Select virus scanner tests to enable. Mailscanner default options are in ( ).]]> + <![CDATA[Select logging options to enable. Mailscanner default options are in ( ).]]> </description> <type>select</type> <options> diff --git a/config/mailscanner/mailscanner_antispam.xml b/config/mailscanner/mailscanner_antispam.xml index 652935f5..26295059 100644 --- a/config/mailscanner/mailscanner_antispam.xml +++ b/config/mailscanner/mailscanner_antispam.xml @@ -9,7 +9,7 @@ /* mailscanner_antispam.xml part of the mailscanner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -169,7 +169,7 @@ <option><name>Spam Score (yes)</name><value>spam_score</value></option> <option><name>Cache SpamAssassin Results (yes)</name><value>cache_spamassassin_results</value></option> <option><name>Wait During Bayes Rebuild (no)</name><value>wait_during_bayes_rebuild</value></option> - <option><name>Use Pyzor plugin (yes)</name><value>use_pyzor</value></option> + <option><name>Use Pyzor plugin (no)</name><value>use_pyzor</value></option> <option><name>Use Razor plugin (yes)</name><value>use_razor</value></option> <option><name>Use DCC plugin (yes)</name><value>use_dcc</value></option> <option><name>Use Bayes (yes)</name><value>use_bayes</value></option> @@ -346,62 +346,93 @@ <size>5</size> </field> <field> - <name>Antispam Files</name> + <name>spam.assassin.prefs.conf</name> <type>listtopic</type> </field> <field> <fielddescr>spam.assassin.prefs.conf</fielddescr> <fieldname>sa_pref_file</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>spam.lists.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>spam.lists.conf</fielddescr> <fieldname>rbl_file</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.lists.conf. Leave Blank to load sample file.<br> <strong>Use this list only when not using postscreen RBL checks(postfix-forwareder package).</strong>]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>bounce.rules</name> + <type>listtopic</type> + </field> + <field> <fielddescr>bounce.rules</fielddescr> <fieldname>bounce</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>max.message.size.rules</name> + <type>listtopic</type> + </field> + <field> <fielddescr>max.message.size.rules</fielddescr> <fieldname>max_message_size</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>spam.whitelist.rules</name> + <type>listtopic</type> + </field> + <field> <fielddescr>spam.whitelist.rules</fielddescr> <fieldname>spam_whitelist</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - + <field> + <name>mcp.spam.assassin.prefs.conf</name> + <type>listtopic</type> + </field> <field> <fielddescr>mcp.spam.assassin.prefs.conf</fielddescr> <fieldname>mcp_pref_file</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit mcp.spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_antivirus.xml b/config/mailscanner/mailscanner_antivirus.xml index 4a3bfe6c..590a61f6 100644 --- a/config/mailscanner/mailscanner_antivirus.xml +++ b/config/mailscanner/mailscanner_antivirus.xml @@ -9,7 +9,7 @@ /* mailscanner_antivirus.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -159,11 +159,17 @@ <size>30</size> </field> <field> + <name>Custom antivirus options</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Custom antivirus options</fielddescr> <fieldname>custom</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Paste your custom mailscanner antivirus settings here.]]></description> <type>textarea</type> - <cols>60</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_attachments.xml b/config/mailscanner/mailscanner_attachments.xml index 1b031466..e89fbd46 100644 --- a/config/mailscanner/mailscanner_attachments.xml +++ b/config/mailscanner/mailscanner_attachments.xml @@ -9,7 +9,7 @@ /* mailscanner_attachments.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -174,24 +174,32 @@ <size>5</size> </field> <field> - <name>Fileset rules</name> + <name>filename.rules.conf</name> <type>listtopic</type> </field> <field> <fielddescr>filename.rules.conf</fielddescr> <fieldname>filename_rules</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit archives.filename.rules.conf file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>85</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>filetypes.rules.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>filetypes.rules.conf</fielddescr> <fieldname>filetype_rules</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit archives.filetype.rules.conf file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>85</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_content.xml b/config/mailscanner/mailscanner_content.xml index ca79b07f..07342dce 100644 --- a/config/mailscanner/mailscanner_content.xml +++ b/config/mailscanner/mailscanner_content.xml @@ -9,7 +9,7 @@ /* mailscanner_contents.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -114,13 +114,13 @@ <multiple/> </field> <field> - <fielddescr>Allow IFrame Tags</fielddescr> + <fielddescr>IFrame Tags</fielddescr> <fieldname>iframe_tags</fieldname> <type>select</type> <options> - <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Disarm</name><value>disarm</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'IFrame' tags in email messages?<br> This is not a good idea as it allows various Microsoft Outlook security vulnerabilities to remain unprotected, but if you have a load of mailing lists sending them, @@ -128,39 +128,39 @@ </description> </field> <field> - <fielddescr>Allow Form Tags</fielddescr> + <fielddescr>Form Tags</fielddescr> <fieldname>form_tags</fieldname> <type>select</type> <options> <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'Form' tags in email messages?<br> This is a bad idea as these are used as scams to pursuade people to part with credit card information and other personal data.]]> </description> </field> <field> - <fielddescr>Allow Script Tags</fielddescr> + <fielddescr>Script Tags</fielddescr> <fieldname>script_tags</fieldname> <type>select</type> <options> - <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Disarm</name><value>disarm</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'Script' tags in email messages?<br> This is a bad idea as these are used to exploit vulnerabilities in email applications and web browsers.]]> </description> </field> <field> - <fielddescr>Allow web bugs</fielddescr> + <fielddescr>Web bugs</fielddescr> <fieldname>web_bugs</fieldname> <type>select</type> <options> - <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Disarm</name><value>disarm</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'Img' tags with very small images in email messages?<br> This is a bad idea as these are used as 'web bugs' to find out if a message has been read.<br> @@ -168,13 +168,13 @@ </description> </field> <field> - <fielddescr>Allow Object Codebase Tags</fielddescr> + <fielddescr>Object Codebase Tags</fielddescr> <fieldname>codebase_tags</fieldname> <type>select</type> <options> <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>allow</name><value>yes</value></option> + <option><name>deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow <strong>'Object Codebase=...' or 'Object Data=...'</strong> tags in email messages?<br> This is a bad idea as it leaves you unprotected against various Microsoft-specific security vulnerabilities.<br> @@ -182,33 +182,47 @@ </description> </field> <field> - <name>Phishing files</name> + <name>phishing.safe.sites.conf</name> <type>listtopic</type> </field> <field> <fielddescr>phishing.safe.sites.conf</fielddescr> <fieldname>phishing_safe</fieldname> - <description><![CDATA[edit phishing.safe.sites.conf file here.<br>If you leave this field blank, it will load sample file.]]></description> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[phishing.safe.sites.conf config file.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>70</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>phishing.bad.sites.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>phishing.bad.sites.conf</fielddescr> <fieldname>phishing_bad</fieldname> - <description><![CDATA[edit phishing.bad.sites.conf file here.<br>If you leave this field blank, it will load sample file.]]></description> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[phishing.bad.sites.conf config file.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>70</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>country.domains.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>country.domains.conf</fielddescr> <fieldname>country_domains</fieldname> - <description><![CDATA[edit country.domains.conf file here.<br>If you leave this field blank, it will load sample file.]]></description> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[country.domains.conf config file.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>70</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_report.xml b/config/mailscanner/mailscanner_report.xml index 60e7385c..e12ed341 100644 --- a/config/mailscanner/mailscanner_report.xml +++ b/config/mailscanner/mailscanner_report.xml @@ -9,7 +9,7 @@ /* mailscanner_report.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -90,6 +90,31 @@ <type>listtopic</type> </field> <field> + <fielddescr>Language</fielddescr> + <fieldname>language</fieldname> + <description> + <![CDATA[Select report language.]]> + </description> + <type>select</type> + <options> + <option><name>EN (Default)</name><value>en</value></option> + <option><name>CA</name><value>ca</value></option> + <option><name>CY+EN</name><value>cy+en</value></option> + <option><name>CZ</name><value>cz</value></option> + <option><name>DE</name><value>de</value></option> + <option><name>DK</name><value>dk</value></option> + <option><name>ES</name><value>es</value></option> + <option><name>FR</name><value>fr</value></option> + <option><name>HU</name><value>hu</value></option> + <option><name>IT</name><value>it</value></option> + <option><name>NL</name><value>nl</value></option> + <option><name>PT_BR</name><value>pt_br</value></option> + <option><name>RO</name><value>ro</value></option> + <option><name>SE</name><value>se</value></option> + <option><name>SK</name><value>sk</value></option> + </options> + </field> + <field> <fielddescr>Reports</fielddescr> <fieldname>features</fieldname> <description> @@ -177,46 +202,29 @@ <size>20</size> </field> <field> - <name>Message Reports</name> + <name>Deleted Bad Content</name> <type>listtopic</type> </field> <field> - <fielddescr>Language</fielddescr> - <fieldname>language</fieldname> - <description> - <![CDATA[Select report language.]]> - </description> - <type>select</type> - <options> - <option><name>EN (Default)</name><value>en</value></option> - <option><name>CA</name><value>ca</value></option> - <option><name>CY+EN</name><value>cy+en</value></option> - <option><name>CZ</name><value>cz</value></option> - <option><name>DE</name><value>de</value></option> - <option><name>DK</name><value>dk</value></option> - <option><name>ES</name><value>es</value></option> - <option><name>FR</name><value>fr</value></option> - <option><name>HU</name><value>hu</value></option> - <option><name>IT</name><value>it</value></option> - <option><name>NL</name><value>nl</value></option> - <option><name>PT_BR</name><value>pt_br</value></option> - <option><name>RO</name><value>ro</value></option> - <option><name>SE</name><value>se</value></option> - <option><name>SK</name><value>sk</value></option> - </options> - </field> - <field> <fielddescr>Deleted Bad Content</fielddescr> <fieldname>deletedbadcontent</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.content.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Deleted Bad Filename</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Deleted Bad Filename</fielddescr> <fieldname>deletedbadfilename</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.filename.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -224,8 +232,14 @@ <encoding>base64</encoding> </field> <field> + <name>Deleted Virus</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Deleted Virus</fielddescr> <fieldname>deletedvirus</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.virus.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -233,35 +247,59 @@ <encoding>base64</encoding> </field> <field> + <name>Deleted Size</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Deleted Size</fielddescr> <fieldname>deletedsize</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.size.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Stored Bad Content</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Bad Content</fielddescr> <fieldname>storedbadcontent</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.content.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Stored Bad Filename</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Bad Filename</fielddescr> <fieldname>storedbadfilename</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.filename.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Stored Virus</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Virus</fielddescr> <fieldname>storedvirus</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.virus.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -269,8 +307,14 @@ <encoding>base64</encoding> </field> <field> + <name>Disinfected Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Disinfected Report</fielddescr> <fieldname>disinfected</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.size.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -278,8 +322,14 @@ <encoding>base64</encoding> </field> <field> + <name>Stored Size</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Size</fielddescr> <fieldname>storedsize</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit disinfected.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -287,8 +337,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender content</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender content</fielddescr> <fieldname>sendercontent</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.content.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -296,8 +352,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Error</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Error</fielddescr> <fieldname>sendererror</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.error.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -305,8 +367,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Bad Filename</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Bad Filename</fielddescr> <fieldname>senderbadfilename</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.filename.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -314,8 +382,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Virus Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Virus Report</fielddescr> <fieldname>sendervirus</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.virus.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -323,8 +397,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Size Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Size Report</fielddescr> <fieldname>sendersize</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.size.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -332,8 +412,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Spam report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Spam report</fielddescr> <fieldname>senderspam</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.spam.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -341,8 +427,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender SPam RBL report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender SPam RBL report</fielddescr> <fieldname>senderrbl</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.spam.rbl.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -350,8 +442,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Spam SA report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Spam SA report</fielddescr> <fieldname>sendersa</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.spam.sa.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -359,18 +457,29 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Spam MCP report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Spam MCP report</fielddescr> <fieldname>sendermcp</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.mcp.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - + <field> + <name>Recipients Spam report</name> + <type>listtopic</type> + </field> <field> <fielddescr>Recipients Spam report</fielddescr> <fieldname>recipientspam</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit recipient.spam.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -378,8 +487,14 @@ <encoding>base64</encoding> </field> <field> + <name>Recipients MCP report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Recipients MCP report</fielddescr> <fieldname>recipientmcp</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit recipient.mcp.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -387,16 +502,20 @@ <encoding>base64</encoding> </field> <field> + <name>Rejection Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Rejection Report</fielddescr> <fieldname>rejection</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit rejection.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - - </fields> <custom_php_install_command> mailscanner_php_install_command(); diff --git a/config/mailscanner/pkg_mailscanner.inc b/config/mailscanner/pkg_mailscanner.inc new file mode 100755 index 00000000..cbd83cf5 --- /dev/null +++ b/config/mailscanner/pkg_mailscanner.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['mailscanner'] = array(); +$shortcuts['mailscanner']['main'] = "pkg_edit.php?xml=mailscanner.xml"; +$shortcuts['mailscanner']['log'] = "diag_logs.php"; +$shortcuts['mailscanner']['status'] = "status_services.php"; +$shortcuts['mailscanner']['service'] = "mailscanner"; + +?> diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index c7afb9e6..4d6ded8f 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -170,7 +170,7 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { return array($settings, $server_cert, $server_ca, $servercn, $user, $cert, $nokeys); } -function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { +function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { global $config, $input_errors, $g; $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); @@ -209,9 +209,29 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese if (($expformat != "inlinedroid") && ($expformat != "inlineios")) $conf .= "resolv-retry infinite{$nl}"; $conf .= "$remotes{$nl}"; - if (!empty($servercn)) { - $qw = ($quoteservercn) ? "\"" : ""; - $conf .= "verify-x509-name {$qw}{$servercn}{$qw} name{$nl}"; + + /* Use a random local port, otherwise two clients will conflict if they run at the same time. + May not be supported on older clients (Released before May 2010) */ + if (($randomlocalport != 0) && (substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) + $conf .= "lport 0{$nl}"; + + /* This line can cause problems with auth-only setups and also with Yealink/Snom phones + since they are stuck on an older OpenVPN version that does not support this feature. */ + if (!empty($servercn) && !$nokeys) { + switch ($verifyservercn) { + case "none": + break; + case "tls-remote": + $conf .= "tls-remote {$servercn}{$nl}"; + break; + case "tls-remote-quote": + $conf .= "tls-remote \"{$servercn}\"{$nl}"; + break; + default: + if ((substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) { + $conf .= "verify-x509-name \"{$servercn}\" name{$nl}"; + } + } } if (!empty($proxy)) { @@ -457,7 +477,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } } -function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") { +function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") { global $config, $g, $input_errors; $uname_p = trim(exec("uname -p")); @@ -469,7 +489,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot $client_install_exe = "openvpn-install-2.3-x86_64.exe"; break; default: - $client_install_exe = "openvpn-install-2.2.exe"; + $client_install_exe = "openvpn-install-2.3-i686.exe"; } $ovpndir = "/usr/local/share/openvpn"; @@ -497,6 +517,8 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot exec("cp -r {$workdir}/template/* {$tempdir}"); // and put the required installer exe in place exec("/bin/cp {$tempdir}/{$client_install_exe} {$tempdir}/openvpn-install.exe"); + if (stristr($openvpn_version, "x64")) + rename("{$tempdir}/openvpn-postinstall64.exe", "{$tempdir}/openvpn-postinstall.exe"); // write configuration file $prefix = openvpn_client_export_prefix($srvid, $usrid, $crtid); @@ -507,7 +529,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot $pwdfle .= "{$proxy['password']}\r\n"; file_put_contents("{$confdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions); + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions); if (!$conf) { $input_errors[] = "Could not create a config to export."; return false; @@ -542,8 +564,6 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot if ($openvpnmanager) $files .= "openvpnmanager "; - unlink("openvpn-postinstall.exe"); - rename("openvpnmanager/openvpn-postinstall.exe","openvpn-postinstall.exe"); $files .= "openvpn-install.exe "; $files .= "openvpn-postinstall.exe "; if ($usetoken) @@ -574,7 +594,7 @@ RunProgram="openvpn-postinstall.exe" return $outfile; } -function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) { +function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) { global $config, $g; $uname_p = trim(exec("uname -p")); @@ -609,14 +629,14 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead file_put_contents("{$tempdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions); + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions); if (!$conf) return false; // We need to nuke the ca line from the above config if it exists. $conf = explode("\n", $conf); for ($i=0; $i < count($conf); $i++) { - if (substr($conf[$i], 0, 3) == "ca ") + if ((substr($conf[$i], 0, 3) == "ca ") || (substr($conf[$i], 0, 7) == "pkcs12 ")) unset($conf[$i]); } $conf = implode("\n", $conf); diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml index a1c263f1..0af838e9 100755 --- a/config/openvpn-client-export/openvpn-client-export.xml +++ b/config/openvpn-client-export/openvpn-client-export.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> <name>OpenVPN Client Export</name> - <version>1.1.3</version> + <version>1.2.4</version> <title>OpenVPN Client Export</title> <include_file>/usr/local/pkg/openvpn-client-export.inc</include_file> <backup_file></backup_file> diff --git a/config/openvpn-client-export/source/openvpn-postinstall64.nsi b/config/openvpn-client-export/source/openvpn-postinstall64.nsi new file mode 100644 index 00000000..b962ddff --- /dev/null +++ b/config/openvpn-client-export/source/openvpn-postinstall64.nsi @@ -0,0 +1,215 @@ +;-------------------------------- +; OpenVPN NSIS Post-Installer +;-------------------------------- + +;-------------------------------- +;Include Modern UI + +Var /GLOBAL mui.FinishPage.Run +!define MUI_FINISHPAGE_RUN_VARIABLES + + !include "MUI2.nsh" + !include "FileFunc.nsh" + !include "LogicLib.nsh" + +;-------------------------------- +; General +;-------------------------------- + + Name "OpenVPN Configuration" + OutFile "openvpn-postinstall64.exe" + SetCompressor /SOLID lzma + + ShowInstDetails show + + !include "dotnet2.nsh" + !include "x64.nsh" +;-------------------------------- +;Include Settings +;-------------------------------- + + !define MUI_ICON "openvpn-postinstall.ico" + !define MUI_ABORTWARNING + +;-------------------------------- +;Pages +;-------------------------------- + +!define WELCOME_TITLE 'Welcome to OpenVPN installer.' + +!define WELCOME_TEXT "This wizard will guide you through the installation of the OpenVPN client and configuration.$\r$\n$\r$\n\ +This wil automaticaly install the configuration files needed for your connection. \ +And if needed install the required DotNet2 framework." + !define MUI_WELCOMEPAGE_TITLE '${WELCOME_TITLE}' + ;!define MUI_WELCOMEPAGE_TITLE_3LINES + !define MUI_WELCOMEPAGE_TEXT '${WELCOME_TEXT}' + !insertmacro MUI_PAGE_WELCOME + + !insertmacro MUI_PAGE_INSTFILES + + + !define MUI_FINISHPAGE_RUN "C:\User\test.lnk" + !define MUI_FINISHPAGE_RUN_TEXT "Start OpenVPNManager." + !define MUI_FINISHPAGE_RUN_FUNCTION "LaunchLink" + !define MUI_PAGE_CUSTOMFUNCTION_SHOW finish_show + !insertmacro MUI_PAGE_FINISH + + !insertmacro Locate + !insertmacro GetParameters + !insertmacro GetOptions + +;-------------------------------- +;Languages +;-------------------------------- + + !insertmacro MUI_LANGUAGE "English" + +;-------------------------------- +;Functions +;-------------------------------- + +Function .onInit + Var /GLOBAL BINPATH + Var /GLOBAL CONFPATH + Var /GLOBAL OpenVPNManager + + ; If we are running on a 64-bit OS with a 64-bit payload then we must operate in the 64-bit registry + ; This should not be done if the payload is a 32-bit OpenVPN even on a 64-bit OS. + ${If} ${RunningX64} + SetRegView 64 + ${EndIf} + IfFileExists ".\OpenVPNManager" InstallOpenVPNManager1 DontInstallOpenVPNManager1 + InstallOpenVPNManager1: + strcpy $OpenVPNManager true + !insertmacro CheckForDotNET2 + Goto OpenVPNManagerDone1 + DontInstallOpenVPNManager1: + strcpy $OpenVPNManager false + OpenVPNManagerDone1: +FunctionEnd + +Function CopyConfFile + CopyFiles $R9 $CONFPATH\$R7 + Push $0 +FunctionEnd + +Function ImportConfFile + ExecWait "rundll32.exe cryptext.dll,CryptExtAddPFX $R9" + Push $0 +FunctionEnd + +Function CopyOpenVPNManager + DetailPrint "Installing OpenVPNManager..." + DetailPrint "Installing in: $BINPATH\OpenVPNManager\" + CreateDirectory "$BINPATH\OpenVPNManager" + CreateDirectory "$BINPATH\OpenVPNManager\config" + CopyFiles ".\OpenVPNManager\*.*" "$BINPATH\OpenVPNManager" + CreateShortcut "$desktop\OpenVPNManager.lnk" "$BINPATH\OpenVPNManager\OpenVPNManager.exe" + Push $0 +FunctionEnd + +Function finish_show + ${If} $OpenVPNManager != "true" + ;If OpenVPNManager is not installed then dont give the option to run it. (hide and uncheck the checkbox) + ShowWindow $mui.FinishPage.Run 0 + ${NSD_Uncheck} $mui.FinishPage.Run + ${EndIf} +FunctionEnd + +Function LaunchLink + ExecShell "" "$desktop\OpenVPNManager.lnk" +FunctionEnd +;-------------------------------- +;Installer Sections +;-------------------------------- + +Section "Import Configuration" SectionImport + ${If} $OpenVPNManager == "true" + ; OpenVPNManager needs dotnet2 + !insertmacro InstallDotNet2 + ${Endif} + + ClearErrors + ReadRegStr $BINPATH HKLM "Software\OpenVPN" "" + IfErrors OpenVPNInstall OpenVPNAlreadyInstalled + OpenVPNInstall: + DetailPrint "Pausing installation while OpenVPN installer runs." + ExecWait '".\openvpn-install.exe"' $1 + ${if} $OpenVPNManager == "true" + SetShellVarContext all + Delete "$desktop\OpenVPN GUI.lnk" + SetShellVarContext current + ${Endif} + Pop $0 + OpenVPNAlreadyInstalled: + + ClearErrors + ReadRegStr $BINPATH HKLM "Software\OpenVPN" "" + IfErrors OpenVPNnotFound OpenVPNok + OpenVPNnotFound: + Abort "OpenVPN installation not found, installation aborted." + OpenVPNok: + DetailPrint "Completed OpenVPN installation." + + ${If} $OpenVPNManager == "true" + strcpy $OpenVPNManager true + StrCpy $CONFPATH "$BINPATH\OpenVPNManager\config" + call "CopyOpenVPNManager" + ${Else} + strcpy $OpenVPNManager false + ClearErrors + ReadRegStr $CONFPATH HKLM "Software\OpenVPN" "config_dir" + IfErrors configNotFound configFound + configNotFound: + ReadRegStr $CONFPATH HKLM "Software\OpenVPN" "" + StrCpy $CONFPATH "$CONFPATH\config" + configFound: + + ${Endif} + + DetailPrint "Installing configuration files ..." + ${Locate} ".\config" "/L=F /M=*.ovpn" "CopyConfFile" + + DetailPrint "Installing certificate and key files ..." + ${Locate} ".\config" "/L=F /M=*.crt" "CopyConfFile" + ${Locate} ".\config" "/L=F /M=*.key" "CopyConfFile" + + ${If} $OpenVPNManager == "true" + DetailPrint "Registering OpenVPNManager service..." + ExecWait '"$BINPATH\OpenVPNManager\OpenVPNManager.exe" /install' + DetailPrint "Starting OpenVPNManager service..." + SimpleSC::StartService "OpenVPNManager" "" 30 + Pop $0 + ${Else} + ;DetailPrint "Starting OpenVPN Service..." + ;SimpleSC::StartService "OpenVPNService" "" 30 + ;Pop $0 + ${Endif} + + ${GetParameters} $R0 + ${GetOptions} $R0 "/Import" $R1 + IfErrors p12_copy p12_import + p12_copy: + ${Locate} ".\config" "/L=F /M=*.p12" "CopyConfFile" + Goto p12_done + p12_import: + ${Locate} ".\config" "/L=F /M=*.p12" "ImportConfFile" + Goto p12_done + p12_done: + +SectionEnd +;-------------------------------- +;Descriptions +;-------------------------------- + + ;Language strings + LangString DESC_SectionImport ${LANG_ENGLISH} "Import OpenVPN Configurations and Key Files." + + ;Assign language strings to sections + !insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN + !insertmacro MUI_DESCRIPTION_TEXT ${SectionImport} $(DESC_SectionImport) + !insertmacro MUI_FUNCTION_DESCRIPTION_END + +;-------------------------------- +; END +;-------------------------------- diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index ad6c65da..8d002397 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -138,7 +138,8 @@ if (!empty($act)) { $advancedoptions = $_GET['advancedoptions']; $openvpnmanager = $_GET['openvpnmanager']; - $quoteservercn = $_GET['quoteservercn']; + $verifyservercn = $_GET['verifyservercn']; + $randomlocalport = $_GET['randomlocalport']; $usetoken = $_GET['usetoken']; if ($usetoken && (substr($act, 0, 10) == "confinline")) $input_errors[] = "You cannot use Microsoft Certificate Storage with an Inline configuration."; @@ -213,17 +214,17 @@ if (!empty($act)) { $exp_name = urlencode($exp_name."-config.ovpn"); $expformat = "baseconf"; } - $exp_path = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys, $proxy, $expformat, $password, false, false, $openvpnmanager, $advancedoptions); + $exp_path = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $nokeys, $proxy, $expformat, $password, false, false, $openvpnmanager, $advancedoptions); } if($act == "visc") { $exp_name = urlencode($exp_name."-Viscosity.visc.zip"); - $exp_path = viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions); + $exp_path = viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions); } if(substr($act, 0, 4) == "inst") { $exp_name = urlencode($exp_name."-install.exe"); - $exp_path = openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions, substr($act, 5)); + $exp_path = openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions, substr($act, 5)); } if (!$exp_path) { @@ -304,9 +305,12 @@ function download_begin(act, i, j) { advancedoptions = document.getElementById("advancedoptions").value; - var quoteservercn = 0; - if (document.getElementById("quoteservercn").checked) - quoteservercn = 1; + var verifyservercn; + verifyservercn = document.getElementById("verifyservercn").value; + + var randomlocalport = 0; + if (document.getElementById("randomlocalport").checked) + randomlocalport = 1; var usetoken = 0; if (document.getElementById("usetoken").checked) usetoken = 1; @@ -380,7 +384,8 @@ function download_begin(act, i, j) { dlurl += "&crtid=" + escape(certs[j][0]); } dlurl += "&useaddr=" + escape(useaddr); - dlurl += ""eservercn=" + escape(quoteservercn); + dlurl += "&verifyservercn=" + escape(verifyservercn); + dlurl += "&randomlocalport=" + escape(randomlocalport); dlurl += "&openvpnmanager=" + escape(openvpnmanager); dlurl += "&usetoken=" + escape(usetoken); if (usepass) @@ -434,11 +439,9 @@ function server_changed() { cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ", -1)'>Others<\/a>"; cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ", -1)'>2.2<\/a>"; - cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ", -1)'>2.3-x86<\/a>"; -// cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ", -1)'>2.3-x64<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ", -1)'>2.3-x64<\/a>"; cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ", -1)'>Viscosity Bundle<\/a>"; @@ -471,11 +474,9 @@ function server_changed() { cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\", -1," + j + ")'>Others<\/a>"; cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\", -1," + j + ")'>2.2<\/a>"; - cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\", -1," + j + ")'>2.3-x86<\/a>"; -// cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\", -1," + j + ")'>2.3-x64<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\", -1," + j + ")'>2.3-x64<\/a>"; cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\", -1," + j + ")'>Viscosity Bundle<\/a>"; @@ -515,11 +516,9 @@ function server_changed() { cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ")'>Others<\/a>"; cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>2.2<\/a>"; - cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ")'>2.3-x86<\/a>"; -// cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ")'>2.3-x64<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ")'>2.3-x64<\/a>"; cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle<\/a>"; @@ -625,21 +624,48 @@ function useproxy_changed(obj) { </td> </tr> <tr> - <td width="22%" valign="top" class="vncell">Quote Server CN</td> + <td width="22%" valign="top" class="vncell">Verify Server CN</td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0" summary="verify server cn"> + <tr> + <td> + <select name="verifyservercn" id="verifyservercn" class="formselect"> + <option value="auto">Automatic - Use verify-x509-name (OpenVPN 2.3+) where possible</option> + <option value="tls-remote">Use tls-remote (Deprecated, use only on old clients <= OpenVPN 2.2.x)</option> + <option value="tls-remote-quote">Use tls-remote and quote the server CN</option> + <option value="none">Do not verify the server CN</option> + </select> + <br/> + <span class="vexpl"> + Optionally verify the server certificate Common Name (CN) when the client connects. Current clients, including the most recent versions of Windows, Viscosity, Tunnelblick, OpenVPN on iOS and Android and so on should all work at the default automatic setting. + <br/><br/>Only use tls-remote if you must use an older client that you cannot control. The option has been deprecated by OpenVPN and will be removed in the next major version. + <br/><br/>With tls-remote the server CN may optionally be enclosed in quotes. This can help if the server CN contains spaces and certain clients cannot parse the server CN. Some clients have problems parsing the CN with quotes. Use only as needed. + </span> + </td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Use Random Local Port</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0" summary="quote server cn"> + <table border="0" cellpadding="2" cellspacing="0" summary="random local port"> <tr> <td> - <input name="quoteservercn" id="quoteservercn" type="checkbox" value="yes" /> + <input name="randomlocalport" id="randomlocalport" type="checkbox" value="yes" checked="CHECKED" /> </td> <td> <span class="vexpl"> - Enclose the server CN in quotes. Can help if your server CN contains spaces and certain clients cannot parse the server CN. Some clients have problems parsing the CN with quotes. Use only as needed. + Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently. </span> </td> </tr> + <tr> + <td colspan="2"> + <span class="vexpl"><br/>NOTE: Not supported on older clients. Automatically disabled for Yealink and Snom configurations.</span> + </td> + </tr> </table> - </td> </tr> <tr> <td width="22%" valign="top" class="vncell">Certificate Export Options</td> @@ -809,6 +835,11 @@ function useproxy_changed(obj) { </span> </td> </tr> + <tr> + <td colspan="2"> + <span class="vexpl"><br/>NOTE: This is not currently compatible with the 64-bit OpenVPN installer. It will work with the 32-bit installer on a 64-bit system.</span> + </td> + </tr> </table> </td> </tr> diff --git a/config/postfix/pkg_postfix.inc b/config/postfix/pkg_postfix.inc new file mode 100755 index 00000000..18da1c11 --- /dev/null +++ b/config/postfix/pkg_postfix.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['postfix'] = array(); +$shortcuts['postfix']['main'] = "pkg_edit.php?xml=postfix.xml"; +$shortcuts['postfix']['log'] = "diag_logs_resolver.php"; +$shortcuts['postfix']['status'] = "status_services.php"; +$shortcuts['postfix']['service'] = "postfix"; + +?> diff --git a/config/postfix/postfix.inc b/config/postfix/postfix.inc index 193ec6c7..50979f38 100755 --- a/config/postfix/postfix.inc +++ b/config/postfix/postfix.inc @@ -29,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$shortcut_section = "postfix"; require_once("util.inc"); require_once("functions.inc"); require_once("pkg-utils.inc"); @@ -580,6 +581,34 @@ switch ($antispam['zombie_blocker']) $postfix_main.="soft_bounce = yes\n"; } + //check ips to listen on + $inet_protocols=($postfix_config['inet_protocol'] ? $postfix_config['inet_protocol'] : "ipv4"); + $inet_interfaces =array(); + if (preg_match("/All/",$postfix_config['enabled_interface'])){ + $inet_interfaces[]=""; + } + elseif ($postfix_config['enabled_interface'] == "lo0"){ + $inet_interfaces[]="loopback-only"; + } + else{ + $ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'wan'); + foreach (explode(',',$ifaces) as $listenon){ + if (is_ipaddrv6($listenon) && preg_match("/(ipv6|all)/i",$inet_protocols)) + $inet_interfaces[]= "{$listenon}"; + elseif (is_ipaddr($listenon) && preg_match("/(ipv4|all)/i",$inet_protocols)) + $inet_interfaces[]= "{$listenon}"; + else{ + $listenon=(pfSense_get_interface_addresses(convert_friendly_interface_to_real_interface_name($listenon))); + if (is_ipaddr($listenon['ipaddr']) && preg_match("/(ipv4|all)/i",$inet_protocols)) + $inet_interfaces []= "{$listenon['ipaddr']}"; + if(is_ipaddrv6($listenon['ipaddr6']) && preg_match("/(ipv6|all)/i",$inet_protocols)) + $inet_interfaces []= "{$listenon['ipaddr6']}"; + } + } + } + $postfix_main.= "inet_protocols = {$inet_protocols}\n"; + $postfix_main.= "inet_interfaces = ".implode(",",$inet_interfaces)."\n"; + if ($postscreen==1) #Postscreen enabled { if(preg_match("/(\d+),(\d+)(s|m|h|w)/",$antispam['greet_time'],$greet)){ @@ -610,16 +639,17 @@ switch ($antispam['zombie_blocker']) $postfix_main.="postscreen_blacklist_action= ".$antispam['zombie_blocker']."\n"; #postscreen interface loop - $ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'wan'); - $real_ifaces = array(); - $postfix_master=""; - foreach (explode(",", $ifaces) as $i => $iface) { - $real_ifaces[] = px_get_real_interface_address($iface); - if($real_ifaces[$i][0]) { - $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - 1 postscreen\n\t-o user=postfix\n"; - $postfix_master .=($antispam['soft_bounce'] == "postscreen"?"\t-o soft_bounce=yes\n":""); - } - } + //$ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'wan'); + //$real_ifaces = array(); + //$postfix_master=""; + //foreach (explode(",", $ifaces) as $i => $iface) { + // $real_ifaces[] = px_get_real_interface_address($iface); + // if($real_ifaces[$i][0]) { + // $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - 1 postscreen\n\t-o user=postfix\n"; + $postfix_master = "smtp inet n - n - 1 postscreen\n\t-o user=postfix\n"; + $postfix_master .=($antispam['soft_bounce'] == "postscreen"?"\t-o soft_bounce=yes\n":""); + // } + //} $postfix_master .= $postfix_inets.<<<MASTEREOF smtpd pass - - n - - smtpd dnsblog unix - - n - 0 dnsblog @@ -646,7 +676,7 @@ MASTEREOF; } #interface loop - $postfix_inets=""; + /*$postfix_inets=""; $ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'loopback'); $real_ifaces = array(); $postfix_master=""; @@ -656,6 +686,8 @@ MASTEREOF; $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - - smtpd\n"; } } + */ + $postfix_master ="25 inet n - n - - smtpd\n"; } $rbl2.=($rbl2 !=""?"\t\t\t\tpermit\n":"permit\n"); diff --git a/config/postfix/postfix.php b/config/postfix/postfix.php index a11af2dd..78eb551d 100644 --- a/config/postfix/postfix.php +++ b/config/postfix/postfix.php @@ -150,10 +150,13 @@ function grep_log(){ $m=date('M',strtotime($postfix_arg['time'],$curr_time)); $j=substr(" ".date('j',strtotime($postfix_arg['time'],$curr_time)),-3); # file grep loop + $maillog_filename = "/var/log/maillog"; foreach ($postfix_arg['grep'] as $hour){ - print "/usr/bin/grep '^".$m.$j." ".$hour.".*".$grep."' /var/log/maillog\n"; + if (!file_exists($maillog_filename) || !is_readable($maillog_filename)) + continue; + print "/usr/bin/grep '^".$m.$j." ".$hour.".*".$grep."' {$maillog_filename}\n"; $lists=array(); - exec("/usr/bin/grep " . escapeshellarg('^'.$m.$j." ".$hour.".*".$grep)." /var/log/maillog", $lists); + exec("/usr/bin/grep " . escapeshellarg('^'.$m.$j." ".$hour.".*".$grep)." {$maillog_filename}", $lists); foreach ($lists as $line){ #check where is first mail record if (preg_match("/ delay=(\d+)/",$line,$delay)){ @@ -294,7 +297,7 @@ function grep_log(){ } $config=parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']); - print count($config['installedpackages']); + //print count($config['installedpackages']); #start db replication if configured if ($config['installedpackages']['postfixsync']['config'][0]['rsync']) foreach ($config['installedpackages']['postfixsync']['config'] as $rs ) diff --git a/config/postfix/postfix.xml b/config/postfix/postfix.xml index 25f7a81d..e9d2d953 100644 --- a/config/postfix/postfix.xml +++ b/config/postfix/postfix.xml @@ -145,6 +145,11 @@ <prefix>/usr/local/bin/</prefix> <chmod>0755</chmod> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/postfix/pkg_postfix.inc</item> + </additional_files_needed> <tabs> <tab> <text>General</text> @@ -202,13 +207,31 @@ <description></description> </field> <field> - <fielddescr>Listen interface(s)</fielddescr> + <fielddescr>Listen Protocol</fielddescr> + <fieldname>inet_protocol</fieldname> + <description><![CDATA[Specify what protocols Postfix will use when it makes or accepts network connections<br> + This option controls what DNS lookups Postfix will use when it makes network connections.<br><br> + <b>Restart postfix daemon after changing Listen protocol.</b>]]></description> + <type>select</type> + <options> + <option><name>ipv4 (DEFAULT: enable IPv4 only)</name><value>ipv4</value></option> + <option><name>all (enable IPv4, and IPv6 if supported)</name><value>all</value></option> + <option><name>ipv4, ipv6 (enable both IPv4 and IPv6)</name><value>ipv4,ipv6</value></option> + <option><name>ipv6 (enable IPv6 only</name><value>ipv6</value></option> + </options> + <required/> + </field> + <field> + <fielddescr>Listen on</fielddescr> <fieldname>enabled_interface</fieldname> <description><![CDATA[Interface(s) that daemon will bind to.<br>Do not listen on WAN without a good "antispam/close relay" configuration.<br> - If you need postfix on other ip then Interface address, choose localhost and then create a nat rule from external ip to localhost.]]></description> + If you need postfix on other ip then Interface address, choose localhost and then create a nat rule from external ip to localhost.<br><br> + <b>Restart postfix daemon after changing Listen on addresses/interfaces.</b>]]></description> <type>interfaces_selection</type> <required/> <default_value>loopback</default_value> + <showlistenall/> + <showvirtualips/> <multiple/> </field> <field> diff --git a/config/postfix/postfix_about.php b/config/postfix/postfix_about.php index 3f3e272a..56645646 100755 --- a/config/postfix/postfix_about.php +++ b/config/postfix/postfix_about.php @@ -2,7 +2,7 @@ /* postfix_about.php part of pfSense (http://www.pfsense.com/) - Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com> + Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com> based on varnish_view_config. All rights reserved. @@ -27,7 +27,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "postfix"; require("guiconfig.inc"); $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); diff --git a/config/postfix/postfix_acl.xml b/config/postfix/postfix_acl.xml index 4eeda7a4..d704c189 100644 --- a/config/postfix/postfix_acl.xml +++ b/config/postfix/postfix_acl.xml @@ -110,7 +110,7 @@ See http://www.postfix.org/header_checks.5.html for more help]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -124,7 +124,7 @@ See http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions for more help]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -142,7 +142,7 @@ <strong>Note: a result of "OK" in this field is not allowed/wanted for safety reasons(it may accept forged senders as it will not do other spam checks). Instead, use DUNNO in order to exclude specific hosts from blacklists.</strong>]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -154,7 +154,7 @@ /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|drv|em(ai)?l|ex[_e]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -166,7 +166,7 @@ ~^[[:alnum:]+/]{60,}$~ OK]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/postfix/postfix_queue.php b/config/postfix/postfix_queue.php index 76bed31f..f60ac83e 100755 --- a/config/postfix/postfix_queue.php +++ b/config/postfix/postfix_queue.php @@ -27,7 +27,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "postfix"; require("guiconfig.inc"); $uname=posix_uname(); diff --git a/config/postfix/postfix_recipients.xml b/config/postfix/postfix_recipients.xml index 97e39fb2..2b07bae8 100644 --- a/config/postfix/postfix_recipients.xml +++ b/config/postfix/postfix_recipients.xml @@ -9,7 +9,7 @@ /* postfix_recipients.xml part of the Postfix package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -119,33 +119,38 @@ Before using LDAP fetch you must install p5-perl-ldap package(hint: <strong>/usr/sbin/pkg_add -r p5-perl-ldap</strong>)]]></description> </field> <field> - <fielddescr><![CDATA[<strong>HINTS</strong><br>Hostname:<br>dc1.mysite.com<br><br>Domain:<br>dc=mysite,dc=com<br><br>Username:<br>cn=antispam,cn=Users<br>]]></fielddescr> <fieldname>none</fieldname> <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> + <movable>on</movable> <rowhelper> <rowhelperfield> <fielddescr>Hostname</fielddescr> + <description><![CDATA[<strong>Hostname Hint:</strong><br>dc1.mysite.com]]></description> <fieldname>dc</fieldname> <type>input</type> - <size>20</size> + <size>23</size> </rowhelperfield> <rowhelperfield> <fielddescr>Domain</fielddescr> + <description><![CDATA[<strong>Domain Hint:</strong><br>dc=mysite,dc=com]]></description> <fieldname>cn</fieldname> <type>input</type> - <size>22</size> + <size>25</size> </rowhelperfield> <rowhelperfield> <fielddescr>Username</fielddescr> + <description><![CDATA[<strong>Username Hint:</strong><br>Username:cn=antispam,cn=Users]]></description> <fieldname>username</fieldname> <type>input</type> - <size>20</size> + <size>24</size> </rowhelperfield> <rowhelperfield> <fielddescr>Password</fielddescr> <fieldname>password</fieldname> <type>password</type> - <size>10</size> + <size>12</size> </rowhelperfield> </rowhelper> </field> diff --git a/config/postfix/postfix_search.php b/config/postfix/postfix_search.php index a1cf6b3f..85648287 100755 --- a/config/postfix/postfix_search.php +++ b/config/postfix/postfix_search.php @@ -27,7 +27,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "postfix"; require("guiconfig.inc"); $uname=posix_uname(); diff --git a/config/postfix/postfix_view_config.php b/config/postfix/postfix_view_config.php index 5e1f6271..59deb11e 100644 --- a/config/postfix/postfix_view_config.php +++ b/config/postfix/postfix_view_config.php @@ -27,7 +27,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "postfix"; require("guiconfig.inc"); $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0) diff --git a/config/quagga_ospfd/quagga_ospfd.inc b/config/quagga_ospfd/quagga_ospfd.inc index aabd27a8..782baf0f 100644 --- a/config/quagga_ospfd/quagga_ospfd.inc +++ b/config/quagga_ospfd/quagga_ospfd.inc @@ -73,6 +73,8 @@ function quagga_ospfd_install_conf() { // Since we need to embed this in a string, copy to a var. Can't embed constnats. $quagga_config_base = PKG_QUAGGA_CONFIG_BASE; + $noaccept = ""; + if ($config['installedpackages']['quaggaospfd']['rawconfig'] && $config['installedpackages']['quaggaospfd']['rawconfig']['item']) { // if there is a raw config specifyed in tthe config.xml use that instead of the assisted config $conffile = implode("\n",$config['installedpackages']['quaggaospfd']['rawconfig']['item']); @@ -132,6 +134,9 @@ function quagga_ospfd_install_conf() { if ($interface_subnet == 32) $interface_subnet = 30; $subnet = gen_subnet($interface_ip, $interface_subnet); + if (!empty($conf['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$subnet}/{$interface_subnet}\n"; + } if (!empty($conf['interfacearea'])) { $interface_networks[] = array( "subnet" => "{$subnet}/{$interface_subnet}", "area" => $conf['interfacearea']); } @@ -151,6 +156,9 @@ function quagga_ospfd_install_conf() { foreach ($ospfd_conf['row'] as $redistr) { if (empty($redistr['routevalue'])) continue; + if (isset($redistr['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$redistr['routevalue']}\n"; + } if (isset($redistr['redistribute'])) { $noredist .= " access-list dnr-list deny {$redistr['routevalue']}\n"; } else { @@ -239,6 +247,13 @@ function quagga_ospfd_install_conf() { $zebraconffile .= "password {$ospfd_conf['password']}\n"; if ($ospfd_conf['logging']) $zebraconffile .= "log syslog\n"; + if (!empty($noaccept)) { + $zebraconffile .= $noaccept; + $zebraconffile .= "ip prefix-list ACCEPTFILTER permit any\n"; + $zebraconffile .= "route-map ACCEPTFILTER permit 10\n"; + $zebraconffile .= "match ip address prefix-list ACCEPTFILTER\n"; + $zebraconffile .= "ip protocol ospf route-map ACCEPTFILTER\n"; + } $fd = fopen("{$quagga_config_base}/zebra.conf", "w"); fwrite($fd, $zebraconffile); fclose($fd); diff --git a/config/quagga_ospfd/quagga_ospfd.xml b/config/quagga_ospfd/quagga_ospfd.xml index 61bf3e94..c975961b 100644 --- a/config/quagga_ospfd/quagga_ospfd.xml +++ b/config/quagga_ospfd/quagga_ospfd.xml @@ -1,6 +1,6 @@ <packagegui> <name>quagga_ospfd</name> - <version>0.5.4</version> + <version>0.6.1</version> <title>Services: Quagga OSPFd</title> <include_file>/usr/local/pkg/quagga_ospfd.inc</include_file> <aftersaveredirect>pkg_edit.php?xml=quagga_ospfd.xml&id=0</aftersaveredirect> @@ -165,6 +165,13 @@ <size>20</size> </rowhelperfield> <rowhelperfield> + <fielddescr>Disable <br/>Acceptance</fielddescr> + <fieldname>acceptfilter</fieldname> + <description>Accept Filter</description> + <type>checkbox</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> <fielddescr>Subnet to Route</fielddescr> <fieldname>routevalue</fieldname> <type>input</type> diff --git a/config/quagga_ospfd/quagga_ospfd_interfaces.xml b/config/quagga_ospfd/quagga_ospfd_interfaces.xml index 21bc877f..beb6f2b0 100644 --- a/config/quagga_ospfd/quagga_ospfd_interfaces.xml +++ b/config/quagga_ospfd/quagga_ospfd_interfaces.xml @@ -87,6 +87,12 @@ <type>checkbox</type> </field> <field> + <fielddescr>Accept Filter</fielddescr> + <fieldname>acceptfilter</fieldname> + <description>Do not add routes for this interface subnet from OSPF into the routing table. (Suggested for Multi-WAN environments).</description> + <type>checkbox</type> + </field> + <field> <fielddescr>Enable MD5 password for this Quagga OSPFd interface (default no)</fielddescr> <fieldname>md5password</fieldname> <description>Enables the use of an MD5 password to on this instance</description> diff --git a/config/sarg/sarg.inc b/config/sarg/sarg.inc index 59b7eb11..1a4db315 100644 --- a/config/sarg/sarg.inc +++ b/config/sarg/sarg.inc @@ -272,6 +272,8 @@ function sync_package_sarg() { $bytes_in_sites_users_report=(preg_match('/bytes_in_sites_users_report/',$sarg['report_options'])?"yes":"no"); $date_time_by=(preg_match('/date_time_by_bytes/',$sarg['report_options'])?"bytes":""); $date_time_by.=(preg_match('/date_time_by_elap/',$sarg['report_options'])?" elap":""); + if(empty($date_time_by)) + $date_time_by="bytes"; $date_format=(preg_match("/\w/",$sarg['report_date_format'])?$sarg['report_date_format']:"u"); $report_type=preg_replace('/,/',' ',$sarg['report_type']); $report_charset=(empty($sarg['report_charset'])?"UTF-8":$sarg['report_charset']); diff --git a/config/sarg/sarg_schedule.xml b/config/sarg/sarg_schedule.xml index 0c452335..9e1ad709 100644 --- a/config/sarg/sarg_schedule.xml +++ b/config/sarg/sarg_schedule.xml @@ -141,8 +141,11 @@ <fielddescr>Sarg args</fielddescr> <fieldname>args</fieldname> <description><![CDATA[Enter sarg extra args to run on this schedule.<br> - To force sarg to create a report only from current day, use:<br> - <strong>-d `date +%d/%m/%Y`-`date +%d/%m/%Y`</strong>]]></description> + To force sarg to create a report only for specific days, use:<br> + <b>TODAY:</b> -d `date +%d/%m/%Y`<br> + <b>YESTERDAY:</b> -d `date -v-1d +%d/%m/%Y`<br> + <b>WEEKAGO:</b> -d `date -v-1w +%d/%m/%Y`- `date -v-1d +%d/%m/%Y`<br> + <b>MONTHAGO:</b> -d `date -v-1m +01/%m/%Y`-`date -v-1m +31/%m/%Y`]]></description> <type>input</type> <size>50</size> </field> diff --git a/config/sm.php b/config/sm.php index e2c56fc4..2e1cc4a0 100644 --- a/config/sm.php +++ b/config/sm.php @@ -23,6 +23,7 @@ if($options['s'] <> "") { $in = file("php://stdin"); foreach($in as $line){ + $line = trim($line); if ( (substr($line, 0, 6) == "From: ") || (substr($line, 0, 6) == "Date: ") || (substr($line, 0, 4) == "To: ")) @@ -31,7 +32,7 @@ foreach($in as $line){ $subject = substr($line, 9); continue; } - $message .= "$line"; + $message .= "$line\n"; } if (!empty($subject)) diff --git a/config/snort/snort.inc b/config/snort/snort.inc index d69f6237..79fef4fa 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -5,6 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009-2010 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2013 Bill Meeks * part of pfSense * All rights reserved. * @@ -43,22 +44,24 @@ require_once("filter.inc"); ini_set("memory_limit", "192M"); // Explicitly declare this as global so it works through function call includes -global $rebuild_rules; +global $rebuild_rules, $pfSense_snort_version; + +// Grab the Snort binary version programmatically, but if that fails use a safe default +$snortver = array(); +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +$snort_version = $snortver[0]; +if (empty($snort_version)) + $snort_version = "2.9.5.5"; /* package version */ -$snort_version = "2.9.4.6"; -$pfSense_snort_version = "2.6.0"; -$snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; - -// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) -if (floatval(php_uname("r")) >= 8.3) { - exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray); - $snort_pbidir = "{$pbidirarray[0]}"; - /* In case this is an initial Snort install and pbi_info() above returned null, set a sane default value */ - if (empty($snort_pbidir)) - $snort_pbidir = "/usr/pbi/snort-" . php_uname("m"); - define("SNORTDIR", "{$snort_pbidir}/etc/snort"); - define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort"); +$pfSense_snort_version = "3.0.1"; +$snort_package_version = "Snort {$snort_version} pkg v{$pfSense_snort_version}"; + +// Define SNORTDIR and SNORTLIBDIR constants according to pfSense version +$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pfs_version > 2.0) { + define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/etc/snort"); + define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/lib/snort"); } else { define("SNORTDIR", "/usr/local/etc/snort"); @@ -66,16 +69,18 @@ else { } /* Define some useful constants for Snort */ +/* Be sure to include trailing slash on the URL defines */ define("SNORTLOGDIR", "/var/log/snort"); -define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); -define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); -define("ET_VERSION", "2.9.0"); define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); -define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); define("FLOWBITS_FILENAME", "flowbit-required.rules"); define("ENFORCING_RULES_FILENAME", "snort.rules"); define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); +define("VRT_FILE_PREFIX", "snort_"); +define("GPL_FILE_PREFIX", "GPLv2_"); +define("ET_OPEN_FILE_PREFIX", "emerging-"); +define("ET_PRO_FILE_PREFIX", "etpro-"); /* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */ $rebuild_rules = false; @@ -83,81 +88,6 @@ $rebuild_rules = false; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); -function snort_get_alias_value($alias) { - /***************************************************/ - /* This function returns the value of the passed */ - /* Alias, or an empty string if the value cannot */ - /* be determined. */ - /* */ - /* On Entry: $alias ==> Alias to be evaluated */ - /* Returns: Alias value as a string or an empty */ - /* string */ - /***************************************************/ - - global $config; - - $entries = array(); - $tmp = ""; - - // If no Aliases are defined in the configuration, - // return an empty string. - if (empty($config['aliases'])) - return $tmp; - - // See if we were passed a valid Alias and return - // an empty string if not. - if (!is_alias($alias)) - return $tmp; - - // We have a valid Alias, so find its value or - // values and return as a string. - return snort_unpack_alias($alias); -} - -function snort_unpack_alias($alias) { - - /**************************************************/ - /* This function unpacks an Alias to determine */ - /* the actual values it represents. Any nested */ - /* Aliases encountered are also unpacked via */ - /* recursive calls to this function. */ - /* */ - /* Fully-qualified-domain-name (FQDN) aliases */ - /* are detected and resolved via a pfctl() call. */ - /**************************************************/ - - global $config; - $value = ""; - - // Find the matching Alias entry in config - foreach ($config['aliases']['alias'] as $aliased) { - if($aliased['name'] == $alias) { - $addr = array(); - $addr = explode(" ", trim($aliased['address'])); - foreach ($addr as $a) { - if (!is_alias($a) && !empty($a)) { - if (is_ipaddr($a) || is_subnet($a) || is_port($a)) - // If address, subnet or port, we found the final value - $value .= $a . " "; - elseif (is_hostname($a)) { - // Found a FQDN value for this Alias, so resolve it - $entries = array(); - exec("/sbin/pfctl -t " . escapeshellarg($alias) . " -T show", $entries); - $value .= trim(implode(" ", $entries)); - } - else - continue; - } - elseif (is_alias($a)) - // Found a nested Alias, so recursively resolve it - $value .= snort_unpack_alias($a) . " "; - } - return trim($value); - } - } - return $value; -} - function snort_is_single_addr_alias($alias) { /***************************************************/ /* This function evaluates the passed Alias to */ @@ -172,12 +102,52 @@ function snort_is_single_addr_alias($alias) { /***************************************************/ /* If spaces in expanded Alias, it's not a single entity */ - if (strpos(snort_get_alias_value($alias), " ") !== false) + if (strpos(trim(filter_expand_alias($alias)), " ") !== false) return false; else return true; } +function snort_expand_port_range($ports, $delim = ',') { + /**************************************************/ + /* This function examines the passed ports string */ + /* and expands any embedded port ranges into the */ + /* individual ports separated by the specified */ + /* delimiter. A port range is indicated by a */ + /* colon in the string. */ + /* */ + /* On Entry: $ports ==> string to be evaluated */ + /* with {$delim} separating */ + /* the port values. */ + /* Returns: string with any encountered port */ + /* ranges expanded and the values */ + /* delimited by {$delim}. */ + /**************************************************/ + + $value = ""; + + // Split the incoming string on the specified delimiter + $tmp = explode($delim, $ports); + + // Look for any included port range and expand it + foreach ($tmp as $val) { + if (is_portrange($val)) { + $start = strtok($val, ":"); + $end = strtok(":"); + if ($end !== false) { + $val = $start . $delim; + for ($i = intval($start) + 1; $i < intval($end); $i++) + $val .= strval($i) . $delim; + $val .= $end; + } + } + $value .= $val . $delim; + } + + // Remove any trailing delimiter in return value + return trim($value, $delim); +} + function snort_get_blocked_ips() { $blocked_ips = ""; exec('/sbin/pfctl -t snort2c -T show', $blocked_ips); @@ -358,9 +328,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { $wandns = $list['wandnsips']; $vips = $list['vips']; $vpns = $list['vpnips']; - if (!empty($list['address']) && is_alias($list['address'])) { - $home_net = explode(" ", trim(snort_get_alias_value($list['address']))); - } + if (!empty($list['address']) && is_alias($list['address'])) + $home_net = explode(" ", trim(filter_expand_alias($list['address']))); } /* Always add loopback to HOME_NET and whitelist (ftphelper) */ @@ -613,7 +582,7 @@ function snort_reload_config($snortcfg, $signal="SIGHUP") { /* can find a valid PID for the process. */ /******************************************************/ if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { - log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']}({$if_real})..."); + log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']} ({$if_real})..."); exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); } } @@ -701,78 +670,6 @@ function snort_post_delete_logs($snort_uuid = 0) { } } -function snort_postinstall() { - global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; - - $snortdir = SNORTDIR; - $snortlibdir = SNORTLIBDIR; - $rcdir = RCFILEPREFIX; - - /* Set flag for post-install in progress */ - $g['snort_postinstall'] = true; - - /* cleanup default files */ - @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); - @rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf"); - @rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map"); - @rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map"); - @rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config"); - @rename("{$snortdir}/generators-sample", "{$snortdir}/generators"); - @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config"); - @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); - - /* fix up the preprocessor rules filenames from a PBI package install */ - $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); - foreach ($preproc_rules as $file) { - if (file_exists("{$snortdir}/preproc_rules/{$file}-sample")) - @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}"); - } - - /* Remove any previously installed scripts since we rebuild them */ - @unlink("{$snortdir}/sid"); - @unlink("{$rcdir}/snort.sh"); - @unlink("{$rcdir}/barnyard2"); - - /* remove example library files */ - $files = glob("{$snortlibdir}/dynamicrules/*_example*"); - foreach ($files as $f) - @unlink($f); - $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*"); - foreach ($files as $f) - @unlink($f); - - /* remake saved settings */ - if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { - log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings...")); - update_status(gettext("Saved settings detected...")); - update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); - log_error(gettext("[Snort] Downloading and updating configured rule types...")); - update_output_window(gettext("Please wait... downloading and updating configured rule types...")); - if ($pkg_interface <> "console") - $snort_gui_include = true; - @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); - update_status(gettext("Generating snort.conf configuration file from saved settings...")); - $rebuild_rules = true; - sync_snort_package_config(); - $rebuild_rules = false; - update_output_window(gettext("Finished rebuilding files...")); - log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); - - /* Only try to start Snort if not in reboot */ - if (!$g['booting']) { - update_status(gettext("Starting Snort using rebuilt configuration...")); - update_output_window(gettext("Please wait... while Snort is started...")); - log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); - update_output_window(gettext("Snort has been started using the rebuilt configuration...")); - start_service("snort"); - } - } - - /* Done with post-install, so clear flag */ - unset($g['snort_postinstall']); - log_error(gettext("[Snort] Package post-installation tasks completed...")); -} - function snort_Getdirsize($node) { if(!is_readable($node)) return false; @@ -801,7 +698,6 @@ function snort_snortloglimit_install_cron($should_install) { switch($should_install) { case true: if(!$is_installed) { - $cron_item = array(); $cron_item['minute'] = "*/5"; $cron_item['hour'] = "*"; @@ -838,6 +734,22 @@ function snort_rm_blocked_install_cron($should_install) { } $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "15m_b") { + $snort_rm_blocked_min = "*/2"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "900"; + } + if ($snort_rm_blocked_info_ck == "30m_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "1800"; + } if ($snort_rm_blocked_info_ck == "1h_b") { $snort_rm_blocked_min = "*/5"; $snort_rm_blocked_hr = "*"; @@ -1087,13 +999,13 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /* sid-msg.map file for use by Snort and/or barnyard2. */ /*************************************************************/ - $sidMap = array(); + $sidMap = array(); $rule_files = array(); - /* First check if we were passed a directory, a single file */ - /* or an array of filenames to read. Set our $rule_files */ - /* variable accordingly. If we can't figure it out, return */ - /* and don't write a sid_msg_map file. */ + /* First check if we were passed a directory, a single file */ + /* or an array of filenames to read. Set our $rule_files */ + /* variable accordingly. If we can't figure it out, return */ + /* and don't write a sid_msg_map file. */ if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); @@ -1105,71 +1017,71 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { else return; - /* Read the rule files into an array, then iterate the list */ - foreach ($rule_files as $file) { + /* Read the rule files into an array, then iterate the list */ + foreach ($rule_files as $file) { - /* Don't process files with "deleted" in the filename */ - if (stristr($file, "deleted")) - continue; + /* Don't process files with "deleted" in the filename */ + if (stristr($file, "deleted")) + continue; - /* Read the file into an array, skipping missing files. */ - if (!file_exists($file)) + /* Read the file into an array, skipping missing files. */ + if (!file_exists($file)) continue; - $rules_array = file($file, FILE_SKIP_EMPTY_LINES); - $record = ""; - $b_Multiline = false; - - /* Read and process each line from the rules in the */ - /* current file. */ - foreach ($rules_array as $rule) { - - /* Skip any non-rule lines unless we're in */ - /* multiline mode. */ - if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) - continue; - - /* Test for a multi-line rule, and reassemble the */ - /* pieces back into a single line. */ - if (preg_match('/\\\\s*[\n]$/m', $rule)) { - $rule = substr($rule, 0, strrpos($rule, '\\')); - $record .= $rule; - $b_Multiline = true; - continue; - } - /* If the last segment of a multiline rule, then */ - /* append it onto the previous parts to form a */ - /* single-line rule for further processing below. */ - elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { - $record .= $rule; - $rule = $record; - } - $b_Multiline = false; - $record = ""; - - /* Parse the rule to find sid and any references. */ - $sid = ''; - $msg = ''; - $matches = ''; - $sidEntry = ''; - if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches)) - $msg = trim($matches[1]); - if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) - $sid = trim($matches[1]); - if (!empty($sid) && !empty($msg)) { - $sidEntry = $sid . ' || ' . $msg; - preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); - foreach ($matches[1] as $ref) - $sidEntry .= " || " . trim($ref); - $sidEntry .= "\n"; - $sidMap[$sid] = $sidEntry; - } - } + $rules_array = file($file, FILE_SKIP_EMPTY_LINES); + $record = ""; + $b_Multiline = false; + + /* Read and process each line from the rules in the current file */ + foreach ($rules_array as $rule) { + + /* Skip any non-rule lines unless we're in multiline mode. */ + if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) + continue; + + /* Test for a multi-line rule, and reassemble the */ + /* pieces back into a single line. */ + if (preg_match('/\\\\s*[\n]$/m', $rule)) { + $rule = substr($rule, 0, strrpos($rule, '\\')); + $record .= $rule; + $b_Multiline = true; + continue; + } + /* If the last segment of a multiline rule, then */ + /* append it onto the previous parts to form a */ + /* single-line rule for further processing below. */ + elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { + $record .= $rule; + $rule = $record; + } + $b_Multiline = false; + $record = ""; + + /* Parse the rule to find sid and any references. */ + $sid = ''; + $msg = ''; + $matches = ''; + $sidEntry = ''; + if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches)) + $msg = trim($matches[1]); + if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + $sid = trim($matches[1]); + if (!empty($sid) && !empty($msg)) { + $sidEntry = $sid . ' || ' . $msg; + preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); + foreach ($matches[1] as $ref) + $sidEntry .= " || " . trim($ref); + $sidEntry .= "\n"; + if (!is_array($sidMap[$sid])) + $sidMap[$sid] = array(); + $sidMap[$sid] = $sidEntry; + } + } } - /* Sort the generated sid-msg map by sid */ - ksort($sidMap); + /* Sort the generated sid-msg map by sid */ + ksort($sidMap); - /* Now print the result to the supplied file */ + /* Now print the result to the supplied file */ @file_put_contents($sid_file, array_values($sidMap)); } @@ -1194,8 +1106,11 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) { if (preg_match('/(\:)\s*(\w+)\s*(.*)/', $line, $matches)) { if (!empty($matches[2]) && !empty($matches[3])) { $matches[2] = trim($matches[2]); - if (!array_key_exists($matches[2], $outMap)) + if (!array_key_exists($matches[2], $outMap)) { + if (!is_array($outMap[$matches[2]])) + $outMap[$matches[2]] = array(); $outMap[$matches[2]] = trim($matches[3]); + } } } } @@ -1239,8 +1154,11 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) { continue; if (!empty($matches[2]) && !empty($matches[3]) && !empty($matches[4])) { $matches[2] = trim($matches[2]); - if (!array_key_exists($matches[2], $outMap)) + if (!array_key_exists($matches[2], $outMap)) { + if (!is_array($outMap[$matches[2]])) + $outMap[$matches[2]] = array(); $outMap[$matches[2]] = trim($matches[3]) . "," . trim($matches[4]); + } } } } @@ -1503,8 +1421,11 @@ function snort_get_checked_flowbits($rules_map) { if ($action == "isset" || $action == "isnotset") { $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); foreach ($target as $t) - if (!empty($t) && !isset($checked_flowbits[$t])) + if (!empty($t) && !isset($checked_flowbits[$t])) { + if (!is_array($checked_flowbits[$t])) + $checked_flowbits[$t] = array(); $checked_flowbits[$t] = $action; + } } } } @@ -1544,8 +1465,11 @@ function snort_get_set_flowbits($rules_map) { if ($action == "set" || $action == "toggle" || $action == "setx") { $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); foreach ($target as $t) - if (!empty($t) && !isset($set_flowbits[$t])) + if (!empty($t) && !isset($set_flowbits[$t])) { + if (!is_array($set_flowbits[$t])) + $set_flowbits[$t] = array(); $set_flowbits[$t] = $action; + } } } } @@ -1624,7 +1548,7 @@ function snort_resolve_flowbits($rules, $active_rules) { $snortdir = SNORTDIR; - /* Check $all_rules array to be sure it is filled. */ + /* Check $rules array to be sure it is filled. */ if (empty($rules)) { log_error(gettext("[Snort] WARNING: Flowbit resolution not done - no rules in {$snortdir}/rules/ ...")); return array(); @@ -1683,7 +1607,7 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { $fp = fopen($rule_file, "w"); if ($fp) { @fwrite($fp, "# These rules set flowbits checked by your other enabled rules. If the\n"); - @fwrite($fp, "# the dependent flowbits are not set, then some of your chosen rules may\n"); + @fwrite($fp, "# dependent flowbits are not set, then some of your chosen rules may\n"); @fwrite($fp, "# not fire. Enabling all rules that set these dependent flowbits ensures\n"); @fwrite($fp, "# your chosen rules fire as intended.\n#\n"); @fwrite($fp, "# If you wish to prevent alerts from any of these rules, add the GID:SID\n"); @@ -1831,8 +1755,11 @@ function snort_load_sid_mods($sids, $value) { return $result; $tmp = explode("||", $sids); foreach ($tmp as $v) { - if (preg_match('/\s\d+/', $v, $match)) + if (preg_match('/\s\d+/', $v, $match)) { + if (!is_array($result[trim($match[0])])) + $result[trim($match[0])] = array(); $result[trim($match[0])] = trim($match[0]); + } } unset($tmp); @@ -1889,12 +1816,12 @@ function snort_modify_sids(&$rule_map, $snortcfg) { function snort_create_rc() { - /*********************************************************/ - /* This function builds the /usr/local/etc/rc.d/snort.sh */ - /* shell script for starting and stopping Snort. The */ - /* script is rebuilt on each package sync operation and */ - /* after any changes to snort.conf saved in the GUI. */ - /*********************************************************/ +/*********************************************************/ +/* This function builds the /usr/local/etc/rc.d/snort.sh */ +/* shell script for starting and stopping Snort. The */ +/* script is rebuilt on each package sync operation and */ +/* after any changes to snort.conf saved in the GUI. */ +/*********************************************************/ global $config, $g; @@ -1927,7 +1854,7 @@ function snort_create_rc() { fi if [ ! -z \$pid ]; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." - /bin/pkill $pid -a + /bin/pkill \$pid -a time=0 timeout=30 while kill -0 \$pid 2>/dev/null; do sleep 1 @@ -2177,19 +2104,23 @@ function snort_deinstall() { /* Log a message only if a running process is detected */ if (is_service_running("snort")) log_error(gettext("[Snort] Snort STOP for all interfaces...")); - mwexec('/usr/bin/killall snort', true); + mwexec('/usr/bin/killall -z snort', true); sleep(2); mwexec('/usr/bin/killall -9 snort', true); sleep(2); + // Delete any leftover snort PID files in /var/run + array_map('@unlink', glob("/var/run/snort_*.pid")); /* Make sure all active Barnyard2 processes are terminated */ /* Log a message only if a running process is detected */ if (is_service_running("barnyard2")) log_error(gettext("[Snort] Barnyard2 STOP for all interfaces...")); - mwexec('/usr/bin/killall barnyard2', true); + mwexec('/usr/bin/killall -z barnyard2', true); sleep(2); mwexec('/usr/bin/killall -9 barnyard2', true); sleep(2); + // Delete any leftover barnyard2 PID files in /var/run + array_map('@unlink', glob("/var/run/barnyard2_*.pid")); /* Remove the snort user and group */ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); @@ -2241,6 +2172,7 @@ function snort_deinstall() { mwexec("/bin/rm -rf /usr/local/pkg/snort"); mwexec("/bin/rm -rf /usr/local/www/snort"); mwexec("/bin/rm -rf /usr/local/etc/snort"); + mwexec("/bin/rm -rf /usr/local/lib/snort"); } /* Keep this as a last step */ @@ -2602,6 +2534,8 @@ function snort_generate_conf($snortcfg) { /* user added arguments */ $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); + // Remove the trailing newline + $snort_config_pass_thru = rtrim($snort_config_pass_thru); /* create a few directories and ensure the sample files are in place */ $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", @@ -2625,7 +2559,7 @@ function snort_generate_conf($snortcfg) { /* update has been done and we should leave the customized files */ /* put in place by the rules update process. */ /********************************************************************/ - $snort_files = array("gen-msg.map", "classification.config", "reference.config", + $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd", "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" ); @@ -2678,14 +2612,15 @@ function snort_generate_conf($snortcfg) { $ssh_port = $config['system']['ssh']['port']; else $ssh_port = "22"; + + /* Define an array of default values for the various preprocessor ports */ $snort_ports = array( - "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555", - "oracle_ports" => "1024:", "mssql_ports" => "1433", - "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535", - "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", - "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", - "sip_ports" => "5060,5061, 5600", "auth_ports" => "113", "finger_ports" => "79", + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", + "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", + "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, + "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", + "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", @@ -2698,14 +2633,32 @@ function snort_generate_conf($snortcfg) { "GTP_PORTS" => "2123,2152,3386" ); + /* Check for defined Aliases that may override default port settings as we build the portvars array */ $portvardef = ""; foreach ($snort_ports as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = snort_get_alias_value($snortcfg["def_{$alias}"]); + $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; } + /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ + $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; + $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; + $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; + $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; + $stream5_ports_client .= "\t 32778 32779"; + $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; + $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; + $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; + $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; + $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; + $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; + $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; + $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; + $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; + $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; + $stream5_ports_both .= "\t 55555 56712"; ///////////////////////////// /* preprocessor code */ @@ -2716,166 +2669,288 @@ preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_u EOD; - /* Pull in the user-configurable HTTP_INSPECT global preprocessor options */ - $http_inspect_memcap = "150994944"; - if (!empty($snortcfg['http_inspect_memcap'])) - $http_inspect_memcap = $snortcfg['http_inspect_memcap']; - - /* Pull in the user-configurable HTTP_INSPECT server preprocessor options */ - $server_flow_depth = '300'; - if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) - $server_flow_depth = $snortcfg['server_flow_depth']; - $http_server_profile = "all"; - if (!empty($snortcfg['http_server_profile'])) - $http_server_profile = $snortcfg['http_server_profile']; - $client_flow_depth = '300'; - if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) - $client_flow_depth = $snortcfg['client_flow_depth']; - if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect'])) - $noalert_http_inspect = "no_alerts"; + /* def ftp_preprocessor */ + $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); + $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); + + // Configure FTP_Telnet global options + $ftp_telnet_globals = "inspection_type "; + if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; } + if ($snortcfg['ftp_telnet_alert_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes"; else - $noalert_http_inspect = ""; - $http_inspect_server_opts = "enable_cookie \\\n\textended_response_inspection \\\n\tnormalize_javascript \\\n"; - $http_inspect_server_opts .= "\tinspect_gzip \\\n\tnormalize_utf \\\n\tunlimited_decompress \\\n"; - $http_inspect_server_opts .= "\tnormalize_headers \\\n\tnormalize_cookies"; - if ($snortcfg['http_inspect_enable_xff'] == "on") - $http_inspect_server_opts .= " \\\n\tenable_xff"; - - /* If Stream5 is enabled, then we can enable the "log_uri" and "log_hostname" options */ - if ($snortcfg['stream5_reassembly'] == "on") { - if ($snortcfg['http_inspect_log_uri'] == "on") - $http_inspect_server_opts .= " \\\n\tlog_uri"; - if ($snortcfg['http_inspect_log_hostname'] == "on") - $http_inspect_server_opts .= " \\\n\tlog_hostname"; - } + $ftp_telnet_globals .= " \\\n\tencrypted_traffic no"; + if ($snortcfg['ftp_telnet_check_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tcheck_encrypted"; + + // Configure FTP_Telnet Telnet protocol options + $ftp_telnet_protocol = "ports { {$telnet_ports} }"; + if ($snortcfg['ftp_telnet_normalize'] == "on") + $ftp_telnet_protocol .= " \\\n\tnormalize"; + if ($snortcfg['ftp_telnet_detect_anomalies'] == "on") + $ftp_telnet_protocol .= " \\\n\tdetect_anomalies"; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') { + $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") + $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; + else + $ftp_telnet_protocol .= "20"; + } + + // Setup the standard FTP commands used for all FTP Server engines + $ftp_cmds = <<<EOD + ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \ + ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \ + ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \ + ftp_cmds { LPSV MACB MAIL MDTM MFMT MIC MKD MLSD MLST } \ + ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \ + ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \ + ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \ + ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \ + ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \ + ftp_cmds { XSEN XSHA1 XSHA256 } \ + alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \ + alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \ + alt_max_param_len 256 { CWD RNTO } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { MFMT SIZE } \ + chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \ + chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \ + chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \ + chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \ + chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \ + chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \ + chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ + chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ + cmd_validity MACB < string > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity PORT < host_port > \ + cmd_validity PROT < char CSEP > \ + cmd_validity STRU < char FRPO [ string ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > - $http_ports = str_replace(",", " ", $snort_ports['http_ports']); +EOD; - /* def http_inspect */ - $http_inspect = <<<EOD -# HTTP Inspect # -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 memcap {$http_inspect_memcap} + // Configure all the FTP_Telnet FTP protocol options + // Iterate and configure the FTP Client engines + $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + if (!is_array($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'] = array(); + + // If no FTP client engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; + $ftp_client_engine = ""; + + foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp client "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['max_resp_len'] == "") + $buffer .= "\tmax_resp_len 256 \\\n"; + else + $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + + if ($v['bounce'] == "yes") { + if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { + $net = trim(filter_expand_alias($v['bounce_to_net'])); + $port = trim(filter_expand_alias($v['bounce_to_port'])); + if (!empty($net) && !empty($port) && + snort_is_single_addr_alias($v['bounce_to_net']) && + (is_port($port) || is_portrange($port))) { + $port = preg_replace('/\s+/', ',', $port); + // Change port range delimiter to comma for ftp_telnet client preprocessor + if (is_portrange($port)) + $port = str_replace(":", ",", $port); + $buffer .= "\tbounce yes \\\n"; + $buffer .= "\tbounce_to { {$net},{$port} }\n"; + } + else { + // One or both of the BOUNCE_TO alias values is not right, + // so figure out which and log an appropriate error. + if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) + log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + if (empty($port) || !(is_port($port) || is_portrange($port))) + log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + $buffer .= "\tbounce yes\n"; + } + } + else + $buffer .= "\tbounce yes\n"; + } + else + $buffer .= "\tbounce no\n"; + + // Add this FTP client engine to the master string + $ftp_client_engine .= "{$buffer}\n"; + } + // Trim final trailing newline + rtrim($ftp_client_engine); + + // Iterate and configure the FTP Server engines + $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + if (!is_array($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'] = array(); + + // If no FTP server engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; + $ftp_server_engine = ""; + + foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp server "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } -preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect} \ - ports { {$http_ports} } \ - http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ - server_flow_depth {$server_flow_depth} \ - client_flow_depth {$client_flow_depth} \ - {$http_inspect_server_opts} + if ($v['def_max_param_len'] == "") + $buffer .= "\tdef_max_param_len 100 \\\n"; + elseif ($v['def_max_param_len'] <> '0') + $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; + + if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) + $buffer .= "\tports { {$ftp_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $buffer .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); + $buffer .= "\tports { {$ftp_ports} } \\\n"; + } + } -EOD; + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + if ($v['ignore_data_chan'] == "yes") + $buffer .= "\tignore_data_chan yes \\\n"; + $buffer .= "{$ftp_cmds}\n"; + + // Add this FTP server engine to the master string + $ftp_server_engine .= $buffer; + } + // Remove trailing newlines + rtrim($ftp_server_engine); - /* def ftp_preprocessor */ - $telnet_ports = str_replace(",", " ", $snort_ports['telnet_ports']); - $ftp_ports = str_replace(",", " ", $snort_ports['ftp_ports']); $ftp_preprocessor = <<<EOD # ftp_telnet preprocessor # preprocessor ftp_telnet: global \ -inspection_type stateless + {$ftp_telnet_globals} preprocessor ftp_telnet_protocol: telnet \ - normalize ports { {$telnet_ports} } \ - ayt_attack_thresh 20 \ - detect_anomalies - -preprocessor ftp_telnet_protocol: ftp server default \ - def_max_param_len 100 \ - ports { $ftp_ports } \ - telnet_cmds yes \ - ignore_telnet_erase_cmds yes \ - ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ - ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ - ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ - ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ - ftp_cmds { FEAT CEL CMD MACB } \ - ftp_cmds { MDTM REST SIZE MLST MLSD } \ - ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ - alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ - alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ - alt_max_param_len 256 { RNTO CWD } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { SIZE } \ - chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ - chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ - chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ - chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ - chk_str_fmt { FEAT CEL CMD } \ - chk_str_fmt { MDTM REST SIZE MLST MLSD } \ - chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - ignore_telnet_erase_cmds yes \ - telnet_cmds yes - + {$ftp_telnet_protocol} + +{$ftp_server_engine} +{$ftp_client_engine} EOD; - $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']); + $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); $pop_preproc = <<<EOD # POP preprocessor # preprocessor pop: \ ports { {$pop_ports} } \ - memcap 1310700 \ + memcap 1310700 \ qp_decode_depth 0 \ b64_decode_depth 0 \ bitenc_decode_depth 0 EOD; - $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']); + $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports'])); $imap_preproc = <<<EOD # IMAP preprocessor # preprocessor imap: \ ports { {$imap_ports} } \ - memcap 1310700 \ + memcap 1310700 \ qp_decode_depth 0 \ b64_decode_depth 0 \ bitenc_decode_depth 0 EOD; - $smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']); + $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports'])); /* def smtp_preprocessor */ $smtp_preprocessor = <<<EOD # SMTP preprocessor # preprocessor SMTP: \ - ports { {$smtp_ports} } \ - inspection_type stateful \ - normalize cmds \ - ignore_tls_data \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET \ - SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME \ - TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP \ - RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK \ - TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } \ - log_mailfrom \ - log_rcptto \ - log_email_hdrs \ - email_hdrs_log_depth 1464 \ - log_filename \ - qp_decode_depth 0 \ - b64_decode_depth 0 \ - bitenc_decode_depth 0 \ - uu_decode_depth 0 + ports { {$smtp_ports} } \ + inspection_type stateful \ + normalize cmds \ + ignore_tls_data \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \ + NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \ + STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \ + XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \ + IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \ + ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \ + XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } \ + log_mailfrom \ + log_rcptto \ + log_email_hdrs \ + email_hdrs_log_depth 1464 \ + log_filename \ + qp_decode_depth 0 \ + b64_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 EOD; @@ -2894,25 +2969,27 @@ EOD; $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; $sf_pscan_ignore_scanners = "\$HOME_NET"; if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { - $sf_pscan_ignore_scanners = snort_get_alias_value($snortcfg['pscan_ignore_scanners']); + $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])); $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); } $sf_portscan = <<<EOD -# sf Portscan preprocessor # -preprocessor sfportscan: scan_type { {$sf_pscan_type} } \ - proto { {$sf_pscan_protocol} } \ - memcap { {$sf_pscan_memcap} } \ - sense_level { {$sf_pscan_sense_level} } \ - ignore_scanners { {$sf_pscan_ignore_scanners} } +# sf Portscan # +preprocessor sfportscan: \ + scan_type { {$sf_pscan_type} } \ + proto { {$sf_pscan_protocol} } \ + memcap { {$sf_pscan_memcap} } \ + sense_level { {$sf_pscan_sense_level} } \ + ignore_scanners { {$sf_pscan_ignore_scanners} } EOD; /* def ssh_preproc */ - $ssh_ports = str_replace(",", " ", $snort_ports['ssh_ports']); + $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); $ssh_preproc = <<<EOD # SSH preprocessor # -preprocessor ssh: server_ports { {$ssh_ports} } \ +preprocessor ssh: \ + server_ports { {$ssh_ports} } \ autodetect \ max_client_bytes 19600 \ max_encrypted_packets 20 \ @@ -2923,10 +3000,14 @@ preprocessor ssh: server_ports { {$ssh_ports} } \ EOD; /* def other_preprocs */ - $sun_rpc_ports = str_replace(",", " ", $snort_ports['sun_rpc_ports']); + $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); $other_preprocs = <<<EOD # Other preprocs # -preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete +preprocessor rpc_decode: \ + {$sun_rpc_ports} \ + no_alert_multiple_requests \ + no_alert_large_fragments \ + no_alert_incomplete # Back Orifice preprocessor # preprocessor bo @@ -2936,18 +3017,28 @@ EOD; /* def dce_rpc_2 */ $dce_rpc_2 = <<<EOD # DCE/RPC 2 # -preprocessor dcerpc2: memcap 102400, events [co] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [{$snort_ports['smb_ports']}], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] +preprocessor dcerpc2: \ + memcap 102400, \ + events [co] + +preprocessor dcerpc2_server: default, \ + policy WinXP, \ + detect [smb [{$snort_ports['smb_ports']}], \ + tcp 135, \ + udp 135, \ + rpc-over-http-server 593], \ + autodetect [tcp 1025:, \ + udp 1025:, \ + rpc-over-http-server 1025:], \ + smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] EOD; - $sip_ports = str_replace(",", " ", $snort_ports['sip_ports']); + $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); $sip_preproc = <<<EOD # SIP preprocessor # -preprocessor sip: max_sessions 40000, \ +preprocessor sip: \ + max_sessions 40000, \ ports { {$sip_ports} }, \ methods { invite \ cancel \ @@ -2982,68 +3073,71 @@ preprocessor sip: max_sessions 40000, \ EOD; - $dns_ports = str_replace(",", " ", $snort_ports['dns_ports']); + $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports'])); /* def dns_preprocessor */ $dns_preprocessor = <<<EOD # DNS preprocessor # preprocessor dns: \ - ports { {$dns_ports} } \ - enable_rdata_overflow + ports { {$dns_ports} } \ + enable_rdata_overflow EOD; /* def dnp3_preprocessor */ - $dnp3_ports = str_replace(",", " ", $snort_ports['DNP3_PORTS']); + $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS'])); $dnp3_preproc = <<<EOD # DNP3 preprocessor # preprocessor dnp3: \ - ports { {$dnp3_ports} } \ - memcap 262144 \ - check_crc + ports { {$dnp3_ports} } \ + memcap 262144 \ + check_crc EOD; /* def modbus_preprocessor */ - $modbus_ports = str_replace(",", " ", $snort_ports['MODBUS_PORTS']); + $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS'])); $modbus_preproc = <<<EOD # Modbus preprocessor # preprocessor modbus: \ - ports { {$modbus_ports} } + ports { {$modbus_ports} } EOD; /* def gtp_preprocessor */ - $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']); + $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); $gtp_preproc = <<<EOD # GTP preprocessor # -preprocessor gtp: ports { {$gtp_ports} } +preprocessor gtp: \ + ports { {$gtp_ports} } EOD; /* def ssl_preprocessor */ - $ssl_ports = str_replace(",", " ", $snort_ports['ssl_ports']); + $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports'])); $ssl_preproc = <<<EOD # SSL preprocessor # preprocessor ssl: \ ports { {$ssl_ports} }, \ - trustservers, noinspect_encrypted + trustservers, \ + noinspect_encrypted EOD; - $sensitive_data = "preprocessor sensitive_data:\n"; + /* def sensitive_data_preprocessor */ + if ($snortcfg['sdf_mask_output'] == "on") + $sdf_mask_output = "\\\n\tmask_output"; + else + $sdf_mask_output = ""; + if (empty($snortcfg['sdf_alert_threshold'])) + $snortcfg['sdf_alert_threshold'] = 25; + $sensitive_data = <<<EOD +# SDF preprocessor # +preprocessor sensitive_data: \ + alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output} - /**************************************************************/ - /* Default the HTTP_INSPECT preprocessor to "on" if not set. */ - /* The preprocessor is required by hundreds of Snort rules, */ - /* and without it Snort may not start and/or the number of */ - /* rules required to be disabled reduces Snort's capability. */ - /* Alerts from the HTTP_INSPECT preprocessor default to "off" */ - /* unless a specific value has been set by the user. */ - /**************************************************************/ - if (empty($snortcfg['http_inspect'])) - $snortcfg['http_inspect'] = 'on'; +EOD; - /* define servers and ports snortdefservers */ + /* define servers as IP variables */ $snort_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", @@ -3055,13 +3149,15 @@ EOD; "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" ); - $vardef = ""; + // Change old name from "var" to new name of "ipvar" for IP variables because + // Snort is deprecating the old "var" name in newer versions. + $ipvardef = ""; foreach ($snort_servers as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { - $avalue = snort_get_alias_value($snortcfg["def_{$alias}"]); - $avalue = str_replace(" ", ",", trim($avalue)); + $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $avalue = preg_replace('/\s+/', ',', trim($avalue)); } - $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n"; + $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; } $snort_preproc_libs = array( @@ -3071,7 +3167,7 @@ EOD; "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" ); $default_disabled_preprocs = array( @@ -3105,6 +3201,8 @@ EOD; } } } + // Remove final trailing newline + $snort_preprocessors = rtrim($snort_preprocessors); $snort_misc_include_rules = ""; if (file_exists("{$snortcfgdir}/reference.config")) @@ -3114,8 +3212,18 @@ EOD; if (is_dir("{$snortcfgdir}/preproc_rules")) { if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; - if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")) + if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; + #enable only selected sensitive data + if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){ + $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; + $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); + $sd_tmp_new_file=""; + foreach ($sd_tmp_file as $sd_tmp_line) + $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; + file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); + } + } } else $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && @@ -3146,6 +3254,10 @@ EOD; $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; + // Remove trailing newlines + $snort_misc_include_rules = rtrim($snort_misc_include_rules); + $selected_rules_sections = rtrim($selected_rules_sections); + /* Create the actual rules files and save in the interface directory */ snort_prepare_rule_files($snortcfg, $snortcfgdir); @@ -3163,83 +3275,247 @@ EOD; $cfg_detect_settings .= " no_stream_inserts"; /* Pull in user-configurable options for Frag3 preprocessor settings */ - $frag3_disabled = ""; - if ($snortcfg['frag3_detection'] == "off") - $frag3_disabled = ", disabled"; - $frag3_memcap = "memcap 4194304"; + /* Get global Frag3 options first and put into a string */ + $frag3_global = "preprocessor frag3_global: "; if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") - $frag3_memcap = "memcap {$snortcfg['frag3_memcap']}"; - $frag3_max_frags = "max_frags 8192"; + $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; + else + $frag3_global .= "memcap 4194304, "; if (!empty($snortcfg['frag3_max_frags'])) - $frag3_max_frags = "max_frags {$snortcfg['frag3_max_frags']}"; - $frag3_overlap_limit = "overlap_limit 0"; - if (!empty($snortcfg['frag3_overlap_limit'])) - $frag3_overlap_limit = "overlap_limit {$snortcfg['frag3_overlap_limit']}"; - $frag3_min_frag_len = "min_fragment_length 0"; - if (!empty($snortcfg['frag3_min_frag_len'])) - $frag3_min_frag_len = "min_fragment_length {$snortcfg['frag3_min_frag_len']}"; - $frag3_timeout = "timeout 60"; - if (!empty($snortcfg['frag3_timeout'])) - $frag3_timeout = "timeout {$snortcfg['frag3_timeout']}"; - $frag3_policy = "policy bsd"; - if (!empty($snortcfg['frag3_policy'])) - $frag3_policy = "policy {$snortcfg['frag3_policy']}"; - - /* Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs */ + $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; + else + $frag3_global .= "max_frags 8192"; + if ($snortcfg['frag3_detection'] == "off") + $frag3_global .= ", disabled"; + + $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + $frag3_engine = ""; + + // Now iterate configured Frag3 engines and write them to a string if enabled + if ($snortcfg['frag3_detection'] == "on") { + if (!is_array($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'] = array(); + + // If no frag3 tcp engine is configured, use the default + if (empty($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; + + foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { + $frag3_engine .= "preprocessor frag3_engine: "; + $frag3_engine .= "policy {$v['policy']}"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; + else + $frag3_engine .= " \\\n\tbind_to {$tmp}"; + } + else + log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); + } + $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; + $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; + if ($v['detect_anomalies'] == "on") { + $frag3_engine .= " \\\n\tdetect_anomalies"; + $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; + $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; + } + // Add newlines to terminate this engine + $frag3_engine .= "\n\n"; + } + // Remove trailing newline + $frag3_engine = rtrim($frag3_engine); + } + + // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs $paf_max_pdu_config = "config paf_max: "; - if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == "0") + if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') $paf_max_pdu_config .= "0"; else $paf_max_pdu_config .= $snortcfg['max_paf']; - /* Pull in user-configurable options for Stream5 preprocessor settings */ - $stream5_reassembly = ""; + // Pull in user-configurable options for Stream5 preprocessor settings + // Get global options first and put into a string + $stream5_global = "preprocessor stream5_global: \\\n"; if ($snortcfg['stream5_reassembly'] == "off") - $stream5_reassembly = "disabled,"; - $stream5_track_tcp = "yes"; - if ($snortcfg['stream5_track_tcp'] =="off") - $stream5_track_tcp = "no"; - $stream5_track_udp = "yes"; - if ($snortcfg['stream5_track_udp'] =="off") - $stream5_track_udp = "no"; - $stream5_track_icmp = "no"; - if ($snortcfg['stream5_track_icmp'] =="on") - $stream5_track_icmp = "yes"; - $stream5_require_3whs = ""; - if ($snortcfg['stream5_require_3whs'] == "on") - $stream5_require_3whs = ", require_3whs 0"; - $stream5_no_reassemble_async = ""; - if ($snortcfg['stream5_no_reassemble_async'] == "on") - $stream5_no_reassemble_async = ", dont_reassemble_async"; - $stream5_dont_store_lg_pkts = ""; - if ($snortcfg['stream5_dont_store_lg_pkts'] == "on") - $stream5_dont_store_lg_pkts = ", dont_store_large_packets"; - $stream5_max_queued_bytes_type = ""; - if ((!empty($snortcfg['max_queued_bytes'])) || ($snortcfg['max_queued_bytes'] == '0')) - $stream5_max_queued_bytes_type = ", max_queued_bytes {$snortcfg['max_queued_bytes']}"; - $stream5_max_queued_segs_type = ""; - if ((!empty($snortcfg['max_queued_segs'])) || ($snortcfg['max_queued_segs'] == '0')) - $stream5_max_queued_segs_type = ", max_queued_segs {$snortcfg['max_queued_segs']}"; - $stream5_mem_cap = ""; + $stream5_global .= "\tdisabled, \\\n"; + if ($snortcfg['stream5_track_tcp'] == "off") + $stream5_global .= "\ttrack_tcp no,"; + else { + $stream5_global .= "\ttrack_tcp yes,"; + if (!empty($snortcfg['stream5_max_tcp'])) + $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; + else + $stream5_global .= " \\\n\tmax_tcp 262144,"; + } + if ($snortcfg['stream5_track_udp'] == "off") + $stream5_global .= " \\\n\ttrack_udp no,"; + else { + $stream5_global .= " \\\n\ttrack_udp yes,"; + if (!empty($snortcfg['stream5_max_udp'])) + $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; + else + $stream5_global .= " \\\n\tmax_udp 131072,"; + } + if ($snortcfg['stream5_track_icmp'] == "on") { + $stream5_global .= " \\\n\ttrack_icmp yes,"; + if (!empty($snortcfg['stream5_max_icmp'])) + $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; + else + $stream5_global .= " \\\n\tmax_icmp 65536,"; + } + else + $stream5_global .= " \\\n\ttrack_icmp no,"; if (!empty($snortcfg['stream5_mem_cap'])) - $stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}"; - $stream5_overlap_limit = "overlap_limit 0"; - if (!empty($snortcfg['stream5_overlap_limit'])) - $stream5_overlap_limit = "overlap_limit {$snortcfg['stream5_overlap_limit']}"; - $stream5_policy = "policy bsd"; - if (!empty($snortcfg['stream5_policy'])) - $stream5_policy = "policy {$snortcfg['stream5_policy']}"; - $stream5_tcp_timeout = "timeout 30"; - if (!empty($snortcfg['stream5_tcp_timeout'])) - $stream5_tcp_timeout = "timeout {$snortcfg['stream5_tcp_timeout']}"; - $stream5_udp_timeout = "timeout 30"; - if (!empty($snortcfg['stream5_udp_timeout'])) - $stream5_udp_timeout = "timeout {$snortcfg['stream5_udp_timeout']}"; - $stream5_icmp_timeout = "timeout 30"; - if (!empty($snortcfg['stream5_icmp_timeout'])) - $stream5_icmp_timeout = "timeout {$snortcfg['stream5_icmp_timeout']}"; - - /* Check for and configure Host Attribute Table if enabled */ + $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; + else + $stream5_global .= " \\\n\tmemcap 8388608,"; + + if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') + $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; + else + $stream5_global .= " \\\n\tprune_log_max 1048576"; + if ($snortcfg['stream5_flush_on_alert'] == "on") + $stream5_global .= ", \\\n\tflush_on_alert"; + + $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + $stream5_tcp_engine = ""; + + // Now iterate configured Stream5 TCP engines and write them to a string if enabled + if ($snortcfg['stream5_reassembly'] == "on") { + if (!is_array($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'] = array(); + + // If no stream5 tcp engine is configured, use the default + if (empty($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; + + foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { + $buffer = "preprocessor stream5_tcp: "; + $buffer .= "policy {$v['policy']},"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $buffer .= " \\\n\tbind_to [{$tmp}],"; + else + $buffer .= " \\\n\tbind_to {$tmp},"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); + continue; + } + } + $stream5_tcp_engine .= $buffer; + $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; + $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; + $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; + if ($v['use_static_footprint_sizes'] == "on") + $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; + if ($v['check_session_hijacking'] == "on") + $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; + if ($v['dont_store_lg_pkts'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; + if ($v['no_reassemble_async'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; + if ($v['detect_anomalies'] == "on") + $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; + if ($v['require_3whs'] == "on") + $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; + if (!empty($v['ports_client'])) { + $stream5_tcp_engine .= ", \\\n\tports client"; + if ($v['ports_client'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_client'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_client}"; + else { + $tmp = trim(filter_expand_alias($v['ports_client'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_client}"; + log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_both'])) { + $stream5_tcp_engine .= ", \\\n\tports both"; + if ($v['ports_both'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_both'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_both}"; + else { + $tmp = trim(filter_expand_alias($v['ports_both'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_both}"; + log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { + if ($v['ports_server'] == " all") { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " all"; + } + else { + $tmp = trim(filter_expand_alias($v['ports_server'])); + if (!empty($tmp)) { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + } + else + log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); + } + } + + // Make sure the "ports" parameter is set, or else default to a safe value + if (strpos($stream5_tcp_engine, "ports ") === false) + $stream5_tcp_engine .= ", \\\n\tports both all"; + + // Add a pair of newlines to terminate this engine + $stream5_tcp_engine .= "\n\n"; + } + // Trim off the final trailing newline + $stream5_tcp_engine = rtrim($stream5_tcp_engine); + } + + // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") + $stream5_udp_engine = ""; + else { + $stream5_udp_engine = "preprocessor stream5_udp: "; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; + else + $stream5_udp_engine .= "timeout 30"; + } + + // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { + $stream5_icmp_engine = "preprocessor stream5_icmp: "; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; + else + $stream5_icmp_engine .= "timeout 30"; + } + else + $stream5_icmp_engine = ""; + + // Check for and configure Host Attribute Table if enabled $host_attrib_config = ""; if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); @@ -3251,22 +3527,148 @@ EOD; $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; } - /* Finally, build the Snort configuration file */ - $snort_conf_text = <<<EOD + // Configure the HTTP_INSPECT preprocessor + // Get global options first and put into a string + $http_inspect_global = "preprocessor http_inspect: global "; + if ($snortcfg['http_inspect'] == "off") + $http_inspect_global .= "disabled "; + $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; + $http_inspect_global .= "\tcompress_depth 65535 \\\n"; + $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; + if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; + else + $http_inspect_global .= "\tmemcap 150994944 \\\n"; + if (!empty($snortcfg['http_inspect_max_gzip_mem'])) + $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; + else + $http_inspect_global .= "\tmax_gzip_mem 838860"; + if ($snortcfg['http_inspect_proxy_alert'] == "on") + $http_inspect_global .= " \\\n\tproxy_alert"; + + $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); + $http_inspect_servers = ""; + + // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled + if ($snortcfg['http_inspect'] <> "off") { + if (!is_array($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'] = array(); + + // If no http_inspect_engine is configured, use the default + if (empty($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; + + foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { + $buffer = "preprocessor http_inspect_server: \\\n"; + if ($v['name'] == "default") + $buffer .= "\tserver default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "\tserver { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + $http_inspect_servers .= $buffer; + $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; + + if ($v['no_alerts'] == "on") + $http_inspect_servers .= "\tno_alerts \\\n"; + + if ($v['ports'] == "default" || empty($v['ports'])) + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $http_inspect_servers .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; + $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; + $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; + $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; + $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; + $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; + $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; + if ($v['enable_xff'] == "on") + $http_inspect_servers .= " \\\n\tenable_xff"; + if ($v['enable_cookie'] == "on") + $http_inspect_servers .= " \\\n\tenable_cookie"; + if ($v['normalize_cookies'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_cookies"; + if ($v['normalize_headers'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_headers"; + if ($v['normalize_utf'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_utf"; + if ($v['allow_proxy_use'] == "on") + $http_inspect_servers .= " \\\n\tallow_proxy_use"; + if ($v['inspect_uri_only'] == "on") + $http_inspect_servers .= " \\\n\tinspect_uri_only"; + if ($v['extended_response_inspection'] == "on") { + $http_inspect_servers .= " \\\n\textended_response_inspection"; + if ($v['inspect_gzip'] == "on") { + $http_inspect_servers .= " \\\n\tinspect_gzip"; + if ($v['unlimited_decompress'] == "on") + $http_inspect_servers .= " \\\n\tunlimited_decompress"; + } + if ($v['normalize_javascript'] == "on") { + $http_inspect_servers .= " \\\n\tnormalize_javascript"; + $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; + } + } + if ($v['log_uri'] == "on") + $http_inspect_servers .= " \\\n\tlog_uri"; + if ($v['log_hostname'] == "on") + $http_inspect_servers .= " \\\n\tlog_hostname"; + + // Add a pair of trailing newlines to terminate this server config + $http_inspect_servers .= "\n\n"; + } + /* Trim off the final trailing newline */ + $http_inspect_server = rtrim($http_inspect_server); + } + + // Finally, build the Snort configuration file + $snort_conf_text = <<<EOD # snort configuration file # generated automatically by the pfSense subsystems do not modify manually # Define Local Network # -var HOME_NET [{$home_net}] -var EXTERNAL_NET [{$external_net}] +ipvar HOME_NET [{$home_net}] +ipvar EXTERNAL_NET [{$external_net}] # Define Rule Paths # var RULE_PATH {$snortcfgdir}/rules var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules # Define Servers # -{$vardef} +{$ipvardef} # Define Server Ports # {$portvardef} @@ -3302,7 +3704,7 @@ config show_year # For more information see README.stream5 # {$paf_max_pdu_config} -#Configure dynamically loaded libraries +# Configure dynamically loaded libraries dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']} dynamicengine directory {$snort_dirs['dynamicengine']} dynamicdetection directory {$snort_dirs['dynamicrules']} @@ -3316,16 +3718,23 @@ dynamicdetection directory {$snort_dirs['dynamicrules']} # preprocessor normalize_icmp6 # Flow and stream # -preprocessor frag3_global: {$frag3_memcap}, {$frag3_max_frags}{$frag3_disabled} -preprocessor frag3_engine: {$frag3_policy} detect_anomalies {$frag3_timeout} {$frag3_overlap_limit} {$frag3_min_frag_len} +{$frag3_global} -preprocessor stream5_global:{$stream5_reassembly} track_tcp {$stream5_track_tcp}, track_udp {$stream5_track_udp}, track_icmp {$stream5_track_icmp}, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5{$stream5_mem_cap} -preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}{$stream5_dont_store_lg_pkts} -preprocessor stream5_udp: {$stream5_udp_timeout} -preprocessor stream5_icmp: {$stream5_icmp_timeout} +{$frag3_engine} -{$snort_preprocessors} +{$stream5_global} +{$stream5_tcp_engine} + +{$stream5_udp_engine} + +{$stream5_icmp_engine} + +# HTTP Inspect # +{$http_inspect_global} + +{$http_inspect_servers} +{$snort_preprocessors} {$host_attrib_config} # Snort Output Logs # @@ -3344,10 +3753,9 @@ output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,src # Rules Selection # {$selected_rules_sections} - EOD; - /* write out snort.conf */ + // Write out snort.conf file $conf = fopen("{$snortcfgdir}/snort.conf", "w"); if(!$conf) { log_error("Could not open {$snortcfgdir}/snort.conf for writing."); @@ -3356,7 +3764,7 @@ EOD; fwrite($conf, $snort_conf_text); fclose($conf); unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); - unset($home_net, $external_net, $vardef, $portvardef); + unset($home_net, $external_net, $ipvardef, $portvardef); } /* Uses XMLRPC to synchronize the changes to a remote node */ diff --git a/config/snort/snort.priv.inc b/config/snort/snort.priv.inc new file mode 100644 index 00000000..5e159747 --- /dev/null +++ b/config/snort/snort.priv.inc @@ -0,0 +1,45 @@ +<?php + +global $priv_list; + +$priv_list['page-services-snort'] = array(); +$priv_list['page-services-snort']['name'] = "WebCfg - Services: Snort package."; +$priv_list['page-services-snort']['descr'] = "Allow access to Snort package gui"; +$priv_list['page-services-snort']['match'] = array(); +$priv_list['page-services-snort']['match'][] = "snort/snort_alerts.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_barnyard.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_blocked.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_check_for_rule_updates.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_define_servers.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_download_rules.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_download_updates.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_edit_hat_data.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_frag3_engine.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_ftp_client_engine.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_ftp_server_engine.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_httpinspect_engine.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_import_aliases.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_edit.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_global.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_suppress.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_suppress_edit.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_whitelist.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_whitelist_edit.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_list_view.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_log_view.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_migrate_config.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_post_install.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_preprocessors.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_rules.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_rules_edit.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_rules_flowbits.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_rulesets.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_select_alias.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_stream5_engine.php*"; +$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=snort_sync.xml*"; +$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=sort/snort.xml*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_check_cron_misc.inc*"; +$priv_list['page-services-snort']['match'][] = "snort/snort.inc*"; + +?>
\ No newline at end of file diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 3d4c8016..c50c066a 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -42,12 +42,12 @@ /* ========================================================================== */ ]]> </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> + <description>Snort IDS/IPS Package</description> + <requirements>None</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.9.4.6</version> - <title>Services:2.9.4.6 pkg v. 2.6.0</title> + <version>2.9.5.5</version> + <title>Services:2.9.5.5 pkg v3.0.1</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> @@ -76,6 +76,16 @@ <additional_files_needed> <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_migrate_config.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_post_install.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_sync.xml</item> </additional_files_needed> <additional_files_needed> @@ -188,18 +198,64 @@ <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_edit_hat_data.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_frag3_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_stream5_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_httpinspect_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_ftp_client_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_ftp_server_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_import_aliases.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_select_alias.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/etc/inc/priv/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort.priv.inc</item> + </additional_files_needed> <fields> </fields> <custom_add_php_command> </custom_add_php_command> <custom_php_resync_config_command> + <![CDATA[ + if ($GLOBALS['pfSense_snort_version'] == "3.0.1") sync_snort_package_config(); + ]]> </custom_php_resync_config_command> <custom_php_install_command> - snort_postinstall(); + <![CDATA[ + include_once("/usr/local/pkg/snort/snort_post_install.php"); + ]]> </custom_php_install_command> <custom_php_deinstall_command> + <![CDATA[ snort_deinstall(); + ]]> </custom_php_deinstall_command> </packagegui> - diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 0295ed2f..2b957f61 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -144,12 +144,13 @@ $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; - $anentries = $pconfig['alertnumber']; -} else { - $anentries = '250'; +} + +if (empty($pconfig['alertnumber'])) $pconfig['alertnumber'] = '250'; +if (empty($pconfig['arefresh'])) $pconfig['arefresh'] = 'off'; -} +$anentries = $pconfig['alertnumber']; if ($_POST['save']) { if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) @@ -171,7 +172,7 @@ if ($_POST['todelete'] || $_GET['todelete']) { $ip = $_GET['todelete']; if (is_ipaddr($ip)) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); - $savemsg = "Host IP address {$ip} has been removed from the Blocked Table."; + $savemsg = gettext("Host IP address {$ip} has been removed from the Blocked Table."); } } @@ -183,7 +184,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ /* Add the new entry to the Suppress List */ if (snort_add_supplist_entry($suppress)) - $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."; + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); else $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } @@ -208,7 +209,7 @@ if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") /* Add the new entry to the Suppress List */ if (snort_add_supplist_entry($suppress)) - $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."; + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."); else /* We did not find the defined list, so notify the user with an error */ $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); @@ -221,8 +222,7 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { if ($fd) fclose($fd); conf_mount_ro(); - /* XXX: This is needed is snort is run as snort user */ - //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + /* XXX: This is needed if snort is run as snort user */ mwexec('/bin/chmod 660 /var/log/snort/*', true); if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); @@ -233,28 +233,34 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { if ($_POST['download']) { $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort/snort_{$if_real}{$snort_uuid}"); + exec("cd /var/log/snort/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *"); if (file_exists("/tmp/{$file_name}")) { - $file = "/tmp/snort_logs_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); + header("Content-length: " . filesize("/tmp/{$file_name}")); header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); + ob_end_clean(); //important or other post will fail + readfile("/tmp/{$file_name}"); + + // Clean up the temp file @unlink("/tmp/{$file_name}"); } - header("Location: /snort/snort_alerts.php?instance={$instanceid}"); - exit; + else + $savemsg = gettext("An error occurred while creating archive"); } /* Load up an array with the current Suppression List GID,SID values */ $supplist = snort_load_suppress_sigs($a_instance[$instanceid], true); -$pgtitle = "Services: Snort: Snort Alerts"; +$pgtitle = gettext("Snort: Snort Alerts"); include_once("head.inc"); ?> @@ -331,7 +337,7 @@ if ($pconfig['arefresh'] == 'on') <?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> - <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> + <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> <?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> @@ -373,7 +379,7 @@ if ($pconfig['arefresh'] == 'on') /* make sure alert file exists */ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { - exec("tail -{$anentries} /var/log/snort/snort_{$if_real}{$snort_uuid}/alert | sort -r > /tmp/alert_{$snort_uuid}"); + exec("tail -{$anentries} -r /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}"); if (file_exists("/tmp/alert_{$snort_uuid}")) { $tmpblocked = array_flip(snort_get_blocked_ips()); $counter = 0; diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index a5c1ffec..2457b573 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -104,7 +104,7 @@ if ($_POST) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface: {$if_friendly} Barnyard2 Edit"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Barnyard2 Settings"); include_once("head.inc"); ?> @@ -188,7 +188,7 @@ function enable_change(enable_change) { <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td> <td width="78%" class="vtable"><input name="barnyard_mysql" - type="text" class="formfld" id="barnyard_mysql" style="width:95%;" size="85" + type="text" class="formfld unknown" id="barnyard_mysql" style="width:95%;" size="85" value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br/> <span class="vexpl"><?php echo gettext("Example: output database: alert, mysql, " . "dbname=snort user=snort host=localhost password=xyz"); ?><br/> diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index a81b03d7..8d106a90 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -67,7 +67,6 @@ if ($_POST['download']) exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save); /* build the list */ if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) { - ob_start(); //important or other posts will fail $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_blocked_{$save_date}.tar.gz"; exec('/bin/mkdir -p /tmp/snort_blocked'); @@ -79,24 +78,32 @@ if ($_POST['download']) file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND); } - exec("/usr/bin/tar cf /tmp/{$file_name} /tmp/snort_blocked"); + // Create a tar gzip archive of blocked host IP addresses + exec("/usr/bin/tar -czf /tmp/{$file_name} -C/tmp/snort_blocked snort_block.pf"); + // If we successfully created the archive, send it to the browser. if(file_exists("/tmp/{$file_name}")) { - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); header("Content-length: " . filesize("/tmp/{$file_name}")); header("Content-disposition: attachment; filename = {$file_name}"); + ob_end_clean(); //important or other post will fail readfile("/tmp/{$file_name}"); - ob_end_clean(); //importanr or other post will fail + + // Clean up the temp files and directory @unlink("/tmp/{$file_name}"); exec("/bin/rm -fr /tmp/snort_blocked"); } else - $savemsg = "An error occurred while creating archive"; + $savemsg = gettext("An error occurred while creating archive"); } else - $savemsg = "No content on snort block list"; + $savemsg = gettext("No content on snort block list"); } if ($_POST['save']) @@ -114,7 +121,7 @@ if ($_POST['save']) } -$pgtitle = "Services: Snort Blocked Hosts"; +$pgtitle = gettext("Snort: Blocked Hosts"); include_once("head.inc"); ?> @@ -173,7 +180,7 @@ if ($pconfig['brefresh'] == 'on') name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> <?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> <input - name="blertnumber" type="text" class="formfld" id="blertnumber" + name="blertnumber" type="text" class="formfld unknown" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>"> <?php printf(gettext("Enter the " . "number of blocked entries to view. %sDefault%s is %s500%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 30da4b74..a93aef56 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -5,6 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2013 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -35,28 +36,32 @@ require_once "/usr/local/pkg/snort/snort.inc"; global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; - -if (!defined("VRT_DNLD_FILENAME")) - define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); if (!defined("VRT_DNLD_URL")) define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); if (!defined("ET_VERSION")) define("ET_VERSION", "2.9.0"); if (!defined("ET_BASE_DNLD_URL")) define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/"); +if (!defined("ETPRO_BASE_DNLD_URL")) + define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/"); if (!defined("ET_DNLD_FILENAME")) define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +if (!defined("ETPRO_DNLD_FILENAME")) + define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); if (!defined("GPLV2_DNLD_FILENAME")) define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); if (!defined("GPLV2_DNLD_URL")) define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); -if (!defined("FLOWBITS_FILENAME")) - define("FLOWBITS_FILENAME", "flowbit-required.rules"); -if (!defined("ENFORCING_RULES_FILENAME")) - define("ENFORCING_RULES_FILENAME", "snort.rules"); if (!defined("RULES_UPD_LOGFILE")) define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); - +if (!defined("VRT_FILE_PREFIX")) + define("VRT_FILE_PREFIX", "snort_"); +if (!defined("GPL_FILE_PREFIX")) + define("GPL_FILE_PREFIX", "GPLv2_"); +if (!defined("ET_OPEN_FILE_PREFIX")) + define("ET_OPEN_FILE_PREFIX", "emerging-"); +if (!defined("ET_PRO_FILE_PREFIX")) + define("ET_PRO_FILE_PREFIX", "etpro-"); $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; @@ -72,8 +77,10 @@ else /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$etproid = $config['installedpackages']['snortglobal']['etpro_code']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; $vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; @@ -81,26 +88,51 @@ $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; /* Working directory for downloaded rules tarballs */ $tmpfname = "{$snortdir}/tmp/snort_rules_up"; -/* Snort VRT rules filenames and URL */ -$snort_filename = VRT_DNLD_FILENAME; -$snort_filename_md5 = VRT_DNLD_FILENAME . ".md5"; +/* Grab the Snort binary version programmatically and use it to construct */ +/* the proper Snort VRT rules tarball and md5 filenames. Fallback to a */ +/* default in the event we fail. */ +$snortver = array(); +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +// Save the version with decimal delimiters for use in extracting the rules +$snort_version = $snortver[0]; +if (empty($snort_version)) + $snort_version = "2.9.5.5"; + +// Create a collapsed version string for use in the tarball filename +$snortver[0] = str_replace(".", "", $snortver[0]); +$snort_filename = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +$snort_filename_md5 = "{$snort_filename}.md5"; $snort_rule_url = VRT_DNLD_URL; -/* Emerging Threats rules filenames and URL */ -$emergingthreats_filename = ET_DNLD_FILENAME; -$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; -$emerging_threats_version = ET_VERSION; -$emergingthreats_url = ET_BASE_DNLD_URL; -// If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules -$emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/"; -$emergingthreats_url .= "snort-" . ET_VERSION . "/"; +/* Set up Emerging Threats rules filenames and URL */ +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $emergingthreats_filename_md5 = ETPRO_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ETPRO_BASE_DNLD_URL; + $emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/"; + $emergingthreats = "on"; + $et_enabled= "on"; + $et_name = "Emerging Threats Pro"; + $et_md5_remove = ET_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ET_BASE_DNLD_URL; + // If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules + $emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/"; + $emergingthreats_url .= "snort-" . ET_VERSION . "/"; + $et_name = "Emerging Threats Open"; + $et_md5_remove = ETPRO_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} /* Snort GPLv2 Community Rules filenames and URL */ $snort_community_rules_filename = GPLV2_DNLD_FILENAME; $snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5"; $snort_community_rules_url = GPLV2_DNLD_URL; -/* Custom function for rules file download via URL */ function snort_download_file_url($url, $file_out) { /************************************************/ @@ -109,12 +141,21 @@ function snort_download_file_url($url, $file_out) { /* saves the content to the file specified by */ /* $file. */ /* */ + /* This is needed so console output can be */ + /* suppressed to prevent XMLRPC sync errors. */ + /* */ /* It provides logging of returned CURL errors. */ /************************************************/ - global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded; + global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; - /* Array of message strings for HTTP Response Codes */ + // Initialize required variables for the pfSense "read_body()" function + $file_size = 1; + $downloaded = 1; + $first_progress_update = TRUE; + + + // Array of message strings for HTTP Response Codes $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", 206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found", 305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request", @@ -133,7 +174,7 @@ function snort_download_file_url($url, $file_out) { return false; curl_setopt($ch, CURLOPT_FILE, $fout); - /* NOTE: required to suppress errors from XMLRPC due to progress bar output */ + // NOTE: required to suppress errors from XMLRPC due to progress bar output if ($g['snort_sync_in_progress']) curl_setopt($ch, CURLOPT_HEADER, false); else { @@ -143,7 +184,6 @@ function snort_download_file_url($url, $file_out) { curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)"); - /* Don't verify SSL peers since we don't have the certificates to do so. */ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); curl_setopt($ch, CURLOPT_TIMEOUT, 0); @@ -161,7 +201,7 @@ function snort_download_file_url($url, $file_out) { $counter = 0; $rc = true; - /* Try up to 4 times to download the file before giving up */ + // Try up to 4 times to download the file before giving up while ($counter < 4) { $counter++; $rc = curl_exec($ch); @@ -178,7 +218,8 @@ function snort_download_file_url($url, $file_out) { $last_curl_error = $http_resp_msg[$http_code]; curl_close($ch); fclose($fout); - /* If we had to try more than once, log it */ + + // If we had to try more than once, log it if ($counter > 1) log_error(gettext("File '" . basename($file_out) . "' download attempts: {$counter} ...")); return ($http_code == 200) ? true : $http_code; @@ -190,7 +231,140 @@ function snort_download_file_url($url, $file_out) { } } -/* Start of code */ +function snort_check_rule_md5($file_url, $file_dst, $desc = "") { + + /**********************************************************/ + /* This function attempts to download the passed MD5 hash */ + /* file and compare its contents to the currently stored */ + /* hash file to see if a new rules file has been posted. */ + /* */ + /* On Entry: $file_url = URL for md5 hash file */ + /* $file_dst = Temp destination to store the */ + /* downloaded hash file */ + /* $desc = Short text string used to label */ + /* log messages with rules type */ + /* */ + /* Returns: TRUE if new rule file download required. */ + /* FALSE if rule download not required or an */ + /* error occurred. */ + /**********************************************************/ + + global $pkg_interface, $snort_rules_upd_log, $last_curl_error; + + $snortdir = SNORTDIR; + $filename_md5 = basename($file_dst); + + if ($pkg_interface <> "console") + update_status(gettext("Downloading {$desc} md5 file...")); + error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url($file_url, $file_dst); + + // See if download from URL was successful + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading {$filename_md5}.")); + error_log("\tChecking {$desc} md5 file...\n", 3, $snort_rules_upd_log); + + // check md5 hash in new file against current file to see if new download is posted + if (file_exists("{$snortdir}/{$filename_md5}")) { + $md5_check_new = file_get_contents($file_dst); + $md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}"); + if ($md5_check_new == $md5_check_old) { + if ($pkg_interface <> "console") + update_status(gettext("{$desc} are up to date...")); + log_error(gettext("[Snort] {$desc} are up to date...")); + error_log(gettext("\t{$desc} are up to date.\n"), 3, $snort_rules_upd_log); + return false; + } + else + return true; + } + return true; + } + else { + error_log(gettext("\t{$desc} md5 download failed.\n"), 3, $snort_rules_upd_log); + $snort_err_msg = gettext("Server returned error code {$rc}."); + if ($pkg_interface <> "console") { + update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); + update_output_window(gettext("{$desc} will not be updated.\n\t{$snort_err_msg}")); + } + log_error(gettext("[Snort] {$desc} md5 download failed...")); + log_error(gettext("[Snort] Server returned error code {$rc}...")); + error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + return false; + } +} + +function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { + + /**********************************************************/ + /* This function downloads the passed rules file and */ + /* compares its computed md5 hash to the passed md5 hash */ + /* to verify the file's integrity. */ + /* */ + /* On Entry: $file_url = URL of rules file */ + /* $file_dst = Temp destination to store the */ + /* downloaded rules file */ + /* $file_md5 = Expected md5 hash for the new */ + /* downloaded rules file */ + /* $desc = Short text string for use in */ + /* log messages */ + /* */ + /* Returns: TRUE if download was successful. */ + /* FALSE if download was not successful. */ + /**********************************************************/ + + global $pkg_interface, $snort_rules_upd_log, $last_curl_error; + + $snortdir = SNORTDIR; + $filename = basename($file_dst); + + if ($pkg_interface <> "console") + update_status(gettext("There is a new set of {$desc} posted. Downloading...")); + log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}...")); + error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url($file_url, $file_dst); + + // See if the download from the URL was successful + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading {$desc} file.")); + log_error("[Snort] {$desc} file update downloaded successfully"); + error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); + + // Test integrity of the rules file. Turn off update if file has wrong md5 hash + if ($file_md5 != trim(md5_file($file_dst))){ + if ($pkg_interface <> "console") + update_output_window(gettext("{$desc} file MD5 checksum failed...")); + log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum...")); + log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst))); + log_error(gettext("[Snort] Expected File MD5: {$file_md5}")); + error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + return false; + } + return true; + } + else { + if ($pkg_interface <> "console") + update_output_window(gettext("{$desc} file download failed...")); + log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'...")); + error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + return false; + } + +} + +/* Start of main code */ conf_mount_rw(); /* remove old $tmpfname files */ @@ -215,171 +389,43 @@ if (file_exists($snort_rules_upd_log)) { error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log); $last_curl_error = ""; -/* download md5 sig from snort.org */ +/* Check for and download any new Snort VRT sigs */ if ($snortdownload == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Downloading Snort VRT md5 file {$snort_filename_md5}...")); - error_log(gettext("\tDownloading Snort VRT md5 file '{$snort_filename_md5}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading {$snort_filename_md5}.")); - error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); - } - else { - error_log(gettext("\tSnort VRT md5 download failed.\n"), 3, $snort_rules_upd_log); - if ($rc == 403) { - $snort_err_msg = gettext("Too many attempts or Oinkcode not authorized for this Snort version.\n"); - $snort_err_msg .= gettext("\tFree Registered Users may download VRT Rules once every 15 minutes.\n"); - $snort_err_msg .= gettext("\tPaid Subscribers have no download limits.\n"); - } - else - $snort_err_msg = gettext("Server returned error code '{$rc}'."); - if ($pkg_interface <> "console") { - update_status(gettext("Snort VRT md5 error ... Server returned error code {$rc} ...")); - update_output_window(gettext("Snort VRT rules will not be updated.\n\t{$snort_err_msg}")); - } - log_error(gettext("[Snort] Snort VRT md5 download failed...")); - log_error(gettext("[Snort] Server returned error code '{$rc}'...")); - error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tServer error message was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); - $snortdownload = 'off'; - } -} - -/* Check if were up to date snort.org */ -if ($snortdownload == 'on') { - if (file_exists("{$snortdir}/{$snort_filename_md5}")) { - $md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}"); - if ($md5_check_new == $md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("Snort VRT rules are up to date...")); - log_error(gettext("[Snort] Snort VRT rules are up to date...")); - error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log); + if (snort_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) { + /* download snortrules file */ + $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")); + if (!snort_fetch_new_rules("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules")) $snortdownload = 'off'; - } } -} - -/* download snortrules file */ -if ($snortdownload == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of Snort VRT rules posted. Downloading {$snort_filename}...")); - log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of Snort VRT rules posted.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloading file '{$snort_filename}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading Snort VRT rules file.")); - log_error("[Snort] Snort VRT rules file update downloaded successfully"); - error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); - if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("Snort VRT rules file MD5 checksum failed...")); - log_error(gettext("[Snort] Snort VRT rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}"))); - error_log(gettext("\tSnort VRT rules file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded Snort VRT file MD5: " . md5_file("{$tmpfname}/{$snort_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected Snort VRT file MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); - $snortdownload = 'off'; - } - } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("Snort VRT rules file download failed...")); - log_error(gettext("[Snort] Snort VRT rules file download failed... server returned error '{$rc}'...")); - error_log(gettext("\tSnort VRT rules file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); + else $snortdownload = 'off'; - } } -/* download md5 sig from Snort GPLv2 Community Rules */ +/* Check for and download any new Snort GPLv2 Community Rules sigs */ if ($snortcommunityrules == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file {$snort_community_rules_filename_md5}...")); - error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file '{$snort_community_rules_filename_md5}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); - error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log); - if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") { - /* Check if were up to date Snort GPLv2 Community Rules */ - $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"); - $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}"); - if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("Snort GPLv2 Community Rules are up to date...")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date...")); - error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; - } - } + if (snort_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) { + /* download Snort GPLv2 Community Rules file */ + $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")); + if (!snort_fetch_new_rules("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}", $file_md5, "Snort GPLv2 Community Rules")) + $snortcommunityrules = 'off'; } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort GPLv2 Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + else $snortcommunityrules = 'off'; - } } -/* download Snort GPLv2 Community rules file */ -if ($snortcommunityrules == "on") { - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading {$snort_community_rules_filename} ...")); - log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloading file '{$snort_community_rules_filename}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); - - /* Test for a valid rules file download. Turn off Snort Community update if download failed. */ - if ($rc === true) { - if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("Snort GPLv2 Community Rules file MD5 checksum failed...")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"))); - error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded Snort GPLv2 file MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected Snort GPLv2 file MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}") . "\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; - } - else { - if ($pkg_interface <> "console") - update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); - log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully"); - error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log); - } - } - else { - if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping GPLv2 Community Rules...")); - update_output_window(gettext("Snort GPLv2 Community Rules file download failed...")); - } - log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\tSnort GPLv2 Community Rules download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; +/* Check for and download any new Emerging Threats Rules sigs */ +if ($emergingthreats == 'on') { + if (snort_check_rule_md5("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}", "{$et_name} rules")) { + /* download Emerging Threats rules file */ + $file_md5 = trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")); + if (!snort_fetch_new_rules("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}", $file_md5, "{$et_name} rules")) + $emergingthreats = 'off'; } + else + $emergingthreats = 'off'; } -/* Untar Snort GPLv2 Community rules to tmp */ +/* Untar Snort GPLv2 Community rules file to tmp */ if ($snortcommunityrules == 'on') { safe_mkdir("{$snortdir}/tmp/community"); if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { @@ -393,12 +439,12 @@ if ($snortcommunityrules == 'on') { $files = glob("{$snortdir}/tmp/community/community-rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/GPLv2_{$newfile}"); + @copy($file, "{$snortdir}/rules/" . GPL_FILE_PREFIX . "{$newfile}"); } /* base etc files for Snort GPLv2 Community rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}")) - @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/GPLv2_{$file}"); + @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/" . GPL_FILE_PREFIX . "{$file}"); } /* Copy snort community md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { @@ -415,104 +461,41 @@ if ($snortcommunityrules == 'on') { } } -/* download md5 sig from emergingthreats.net */ -if ($emergingthreats == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Downloading EmergingThreats md5 file...")); - error_log(gettext("\tDownloading EmergingThreats md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading EmergingThreats md5 file {$emergingthreats_filename_md5}")); - error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); - if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { - /* Check if were up to date emergingthreats.net */ - $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); - $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); - if ($emerg_md5_check_new == $emerg_md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("Emerging Threats rules are up to date...")); - log_error(gettext("[Snort] Emerging Threat rules are up to date...")); - error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } - } - } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); - log_error(gettext("[Snort] EmergingThreats md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\tEmergingThreats md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tEmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats == "on") { - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading {$emergingthreats_filename}...")); - log_error(gettext("[Snort] There is a new set of EmergingThreats rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of EmergingThreats rules posted.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); - - /* Test for a valid rules file download. Turn off ET update if download failed. */ - if ($rc === true) { - if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats rules file MD5 checksum failed...")); - log_error(gettext("[Snort] EmergingThreats rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); - error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } - else { - if ($pkg_interface <> "console") - update_status(gettext('Done downloading EmergingThreats rules file.')); - log_error("[Snort] EmergingThreats rules file update downloaded successfully"); - error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); - } - } - else { - if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping EmergingThreats update...")); - update_output_window(gettext("EmergingThreats rules file download failed...")); - } - log_error(gettext("[Snort] EmergingThreats rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\tEmergingThreats rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } -} - -/* Untar emergingthreats rules to tmp */ +/* Untar Emerging Threats rules file to tmp */ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if ($pkg_interface <> "console") { - update_status(gettext("Extracting EmergingThreats.org rules...")); - update_output_window(gettext("Installing EmergingThreats rules...")); + update_status(gettext("Extracting {$et_name} rules...")); + update_output_window(gettext("Installing {$et_name} rules...")); } - error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); + /* Remove the old Emerging Threats rules files */ + $eto_prefix = ET_OPEN_FILE_PREFIX; + $etpro_prefix = ET_PRO_FILE_PREFIX; + array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*.rules")); + array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*.rules")); + array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*ips.txt")); + array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*ips.txt")); + $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}"); + else + @copy($file, "{$snortdir}/rules/{$newfile}"); } /* IP lists for Emerging Threats rules */ $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}"); + else + @copy($file, "{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "{$newfile}"); } /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { @@ -527,15 +510,15 @@ if ($emergingthreats == 'on') { @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } if ($pkg_interface <> "console") { - update_status(gettext("Extraction of EmergingThreats.org rules completed...")); - update_output_window(gettext("Installation of EmergingThreats rules completed...")); + update_status(gettext("Extraction of {$et_name} rules completed...")); + update_output_window(gettext("Installation of {$et_name} rules completed...")); } - error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log); exec("rm -r {$snortdir}/tmp/emerging"); } } -/* Untar snort rules file individually to help people with low system specs */ +/* Untar Snort rules file to tmp */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */ @@ -544,6 +527,10 @@ if ($snortdownload == 'on') { if (substr(php_uname("r"), 0, 1) == '9') $freebsd_version_so = 'FreeBSD-9-0'; + /* Remove the old Snort rules files */ + $vrt_prefix = VRT_FILE_PREFIX; + array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules")); + if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); update_output_window(gettext("Installing Sourcefire VRT rules...")); @@ -555,7 +542,7 @@ if ($snortdownload == 'on') { $files = glob("{$snortdir}/tmp/snortrules/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/snort_{$newfile}"); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}"); } /* IP lists */ $files = glob("{$snortdir}/tmp/snortrules/rules/*.txt"); @@ -590,7 +577,7 @@ if ($snortdownload == 'on') { $files = glob("{$snortdir}/tmp/so_rules/*.rules"); foreach ($files as $file) { $newfile = basename($file, ".rules"); - @copy($file, "{$snortdir}/rules/snort_{$newfile}.so.rules"); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules"); } exec("rm -r {$snortdir}/tmp/so_rules"); } @@ -685,6 +672,11 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = $cfgs = glob("{$snortdir}/tmp/*classification.config"); $cfgs[] = "{$snortdir}/classification.config"; snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); + /* Use the unicode.map and gen-msg.map files from ET rules. */ + if (file_exists("{$snortdir}/tmp/ET_unicode.map")) + @copy("{$snortdir}/tmp/ET_unicode.map", "{$snortdir}/unicode.map"); + if (file_exists("{$snortdir}/tmp/ET_gen-msg.map")) + @copy("{$snortdir}/tmp/ET_gen-msg.map", "{$snortdir}/gen-msg.map"); } elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) { foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 2a6d47ff..e9fcfcab 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -68,7 +68,7 @@ else $ssh_port = "22"; $snort_ports = array( "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", @@ -86,6 +86,11 @@ $snort_ports = array( "GTP_PORTS" => "2123,2152,3386" ); +// Sort our SERVERS and PORTS arrays to make values +// easier to locate by the the user. +ksort($snort_servers); +ksort($snort_ports); + $pconfig = $a_nat[$id]; /* convert fake interfaces to real */ @@ -144,7 +149,7 @@ if ($_POST) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly} Define Servers"; +$pgtitle = gettext("Snort: Interface {$if_friendly} Variables - Servers and Ports"); include_once("head.inc"); ?> @@ -195,7 +200,7 @@ if ($savemsg) <td><div id="mainarea"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Servers"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Servers (IP variables)"); ?></td> </tr> <?php foreach ($snort_servers as $key => $server): @@ -203,22 +208,25 @@ if ($savemsg) $server = substr($server, 0, 40) . "..."; $label = strtoupper($key); $value = ""; - if (!empty($pconfig["def_{$key}"])) + $title = ""; + if (!empty($pconfig["def_{$key}"])) { $value = htmlspecialchars($pconfig["def_{$key}"]); + $title = trim(filter_expand_alias($pconfig["def_{$key}"])); + } ?> <tr> - <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> - <td width="78%" class="vtable"> + <td width='30%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> + <td width="70%" class="vtable"> <input name="def_<?=$key;?>" size="40" type="text" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" - value="<?=$value;?>"> <br/> + value="<?=$value;?>" title="<?=$title;?>"> <br/> <span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/><?php echo gettext("Leave " . "blank for default value."); ?></span> </td> </tr> <?php endforeach; ?> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Ports"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Ports (port variables)"); ?></td> </tr> <?php foreach ($snort_ports as $key => $server): @@ -226,22 +234,25 @@ if ($savemsg) $server = substr($server, 0, 40) . "..."; $label = strtoupper($key); $value = ""; - if (!empty($pconfig["def_{$key}"])) + $title = ""; + if (!empty($pconfig["def_{$key}"])) { $value = htmlspecialchars($pconfig["def_{$key}"]); + $title = trim(filter_expand_alias($pconfig["def_{$key}"])); + } ?> <tr> - <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> - <td width="78%" class="vtable"> + <td width='30%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> + <td width="70%" class="vtable"> <input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" - value="<?=$value;?>"> <br/> + value="<?=$value;?>" title="<?=$title;?>"> <br/> <span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/> <?php echo gettext("Leave " . "blank for default value."); ?></span> </td> </tr> <?php endforeach; ?> <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> + <td width="30%" valign="top"> </td> + <td width="70%"> <input name="Submit" type="submit" class="formbtn" value="Save"> <input name="id" type="hidden" value="<?=$id;?>"> </td> @@ -262,6 +273,9 @@ if ($savemsg) if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 1f87fbbc..5c9b8210 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -40,8 +40,19 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortdir = SNORTDIR; $snort_rules_upd_log = RULES_UPD_LOGFILE; $log = $snort_rules_upd_log; -$snort_rules_file = VRT_DNLD_FILENAME; -$emergingthreats_filename = ET_DNLD_FILENAME; + +/* Grab the Snort binary version programmatically and */ +/* use it to construct the proper Snort VRT rules */ +/* tarball filename. Fallback to a safe default if */ +/* we fail. */ +$snortver = array(); +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +if (empty($snortver[0])) + $snortver[0] = "2.9.5.5"; +$snortver[0] = str_replace(".", "", $snortver[0]); + +$snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +//$snort_rules_file = VRT_DNLD_FILENAME; $snort_community_rules_filename = GPLV2_DNLD_FILENAME; /* load only javascript that is needed */ @@ -49,8 +60,18 @@ $snort_load_jquery = 'yes'; $snort_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $et_name = "EMERGING THREATS PRO RULES"; +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $et_name = "EMERGING THREATS RULES"; +} + /* quick md5s chk */ $snort_org_sig_chk_local = 'N/A'; if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) @@ -80,7 +101,7 @@ $snort_rules_upd_logfile_chk = 'no'; if (file_exists("{$snort_rules_upd_log}")) $snort_rules_upd_logfile_chk = 'yes'; -$pgtitle = "Services: Snort: Updates"; +$pgtitle = gettext("Snort: Updates"); include_once("head.inc"); ?> @@ -138,9 +159,9 @@ h += 96; <p style="text-align: left; margin-left: 225px;"> <font color="#777777" size="2.5px"> <b><?php echo gettext("INSTALLED RULESET SIGNATURES"); ?></b></font><br/><br/> - <font color="#FF850A" size="1px"><b>SNORT.ORG --></b></font> + <font color="#FF850A" size="1px"><b>SNORT VRT RULES --></b></font> <font size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br/> - <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET --></b></font> + <font color="#FF850A" size="1px"><b><?=$et_name;?> --></b></font> <font size="1px" color="#000000"> <? echo $emergingt_net_sig_chk_local; ?></font><br/> <font color="#FF850A" size="1px"><b>SNORT GPLv2 COMMUNITY RULES --></b></font> <font size="1px" color="#000000"> <? echo $snort_community_sig_chk_local; ?></font><br/> @@ -160,7 +181,7 @@ h += 96; <?php - if ($snortdownload != 'on' && $emergingthreats != 'on') { + if ($snortdownload != 'on' && $emergingthreats != 'on' && $etpro != 'on') { echo ' <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '</span></button><br/> <p style="text-align:left; margin-left:150px;"> diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php index f0562046..f6d00b0b 100644 --- a/config/snort/snort_edit_hat_data.php +++ b/config/snort/snort_edit_hat_data.php @@ -80,7 +80,7 @@ if ($_POST['host_attribute_data']) { $if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); -$pgtitle = "Services: Snort: {$if_friendly} Host Attribute Table Data"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Host Attribute Table Data"); include_once("head.inc"); ?> diff --git a/config/snort/snort_frag3_engine.php b/config/snort/snort_frag3_engine.php new file mode 100644 index 00000000..89a21dc8 --- /dev/null +++ b/config/snort/snort_frag3_engine.php @@ -0,0 +1,393 @@ +<?php +/* + * snort_frag3_engine.php + * Copyright (C) 2013 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +// Grab the incoming QUERY STRING or POST variables +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for any empty values and set sensible defaults + if (empty($pconfig['policy'])) + $pconfig['policy'] = "bsd"; + if (empty($pconfig['timeout'])) + $pconfig['timeout'] = 60; + if (empty($pconfig['min_ttl'])) + $pconfig['min_ttl'] = 1; + if (empty($pconfig['detect_anomalies'])) + $pconfig['detect_anomalies'] = "on"; + if (empty($pconfig['overlap_limit'])) + $pconfig['overlap_limit'] = 0; + if (empty($pconfig['min_frag_len'])) + $pconfig['min_frag_len'] = 0; +} + +if ($_POST['Cancel']) { + header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + if ($_GET['varname'] == "bind_to" && !empty($_GET['varvalue'])) + $pconfig[$_GET['varname']] = $_GET['varvalue']; +} + +if ($_POST['Submit']) { + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['frag3_name']) { $engine['name'] = trim($_POST['frag3_name']); } else { $engine['name'] = "default"; } + if ($_POST['frag3_bind_to']) { + if (is_alias($_POST['frag3_bind_to'])) + $engine['bind_to'] = $_POST['frag3_bind_to']; + elseif (strtolower(trim($_POST['frag3_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + + /* Validate the text input fields before saving */ + if (!empty($_POST['frag3_timeout']) || $_POST['frag3_timeout'] == 0) { + $engine['timeout'] = $_POST['frag3_timeout']; + if (!is_numeric($_POST['frag3_timeout']) || $_POST['frag3_timeout'] < 1) + $input_errors[] = gettext("The value for Timeout must be numeric and greater than zero."); + } + else + $engine['timeout'] = 60; + + if (!empty($_POST['frag3_min_ttl']) || $_POST['frag3_min_ttl'] == 0) { + $engine['min_ttl'] = $_POST['frag3_min_ttl']; + if ($_POST['frag3_min_ttl'] < 1 || $_POST['frag3_min_ttl'] > 255) + $input_errors[] = gettext("The value for Minimum_Time-To-Live must be between 1 and 255."); + } + else + $engine['min_ttl'] = 1; + + if (!empty($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] == 0) { + $engine['overlap_limit'] = $_POST['frag3_overlap_limit']; + if (!is_numeric($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] < 0) + $input_errors[] = gettext("The value for Overlap_Limit must be a number greater than or equal to zero."); + } + else + $engine['overlap_limit'] = 0; + + if (!empty($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] == 0) { + $engine['min_frag_len'] = $_POST['frag3_min_frag_len']; + if (!is_numeric($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] < 0) + $input_errors[] = gettext("The value for Min_Fragment_Length must be a number greater than or equal to zero."); + } + else + $engine['min_frag_len'] = 0; + + if ($_POST['frag3_policy']) { $engine['policy'] = $_POST['frag3_policy']; } else { $engine['policy'] = "bsd"; } + $engine['detect_anomalies'] = $_POST['frag3_detect_anomalies'] ? 'on' : 'off'; + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default Frag3 Engine can be bound to all addresses."); + $pconfig = $engine; + } + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} Frag3 Preprocessor Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_frag3_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based IP Defragmentation Engine Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td> + <td class="vtable"> + <input name="frag3_name" type="text" class="formfld unknown" id="frag3_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="frag3_bind_to" type="text" class="formfldalias" id="frag3_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off"> + <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td> + <td class="vexpl" align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=yes&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within this IP List.");?></td> + </tr> + </table> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> + + <?php else : ?> + <input name="frag3_bind_to" type="text" class="formfldalias" id="frag3_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td> + <td width="78%" class="vtable"> + <select name="frag3_policy" class="formselect" id="policy"> + <?php + $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' ); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['policy']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") . + "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td> + <td class="vtable"> + <input name="frag3_timeout" type="text" class="formfld unknown" id="frag3_timeout" size="6" + value="<?=htmlspecialchars($pconfig['timeout']);?>"> + <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?><br/><br/> + <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") . + "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Minimum Time-to-Live"); ?></td> + <td class="vtable"> + <input name="frag3_min_ttl" type="text" class="formfld unknown" id="frag3_min_ttl" size="6" + value="<?=htmlspecialchars($pconfig['min_ttl']);?>"> + <?php echo gettext("Minimum acceptable TTL for a fragment in the engine."); ?><br/><br/> + <?php echo gettext("The accepted range for this option is 1 - 255. Default value is ") . + "<strong>" . gettext("1") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td> + <td width="78%" class="vtable"><input name="frag3_detect_anomalies" id="frag3_detect_anomalies" type="checkbox" value="on" + <?php if ($pconfig['detect_anomalies']=="on") echo "checked "; ?> onclick="frag3_enable_change();"> + <?php echo gettext("Use Frag3 Engine to detect fragment anomalies. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("In order to customize the Overlap Limit and Minimum Fragment Length parameters for this engine, Anomaly Detection must be enabled."); ?> + </td> + </tr> + <tr id="frag3_overlaplimit_row"> + <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> + <td class="vtable"> + <input name="frag3_overlap_limit" type="text" class="formfld unknown" id="frag3_overlap_limit" size="6" + value="<?=htmlspecialchars($pconfig['overlap_limit']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited). Values greater than zero set the overlapped limit."); ?><br/><br/> + <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . + "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/> + </td> + </tr> + <tr id="frag3_minfraglen_row"> + <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td> + <td class="vtable"> + <input name="frag3_min_frag_len" type="text" class="formfld unknown" id="frag3_min_frag_len" size="6" + value="<?=htmlspecialchars($pconfig['min_frag_len']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Values greater than zero enable the check."); ?><br/><br/> + <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. " . + "Fragments smaller than or equal to this limit are considered malicious. Default value is ") . + "<strong>0</strong>" . gettext(" (check is disabled)."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save Frag3 engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> +<script type="text/javascript"> + +function frag3_enable_change() { + var endis = !(document.iform.frag3_detect_anomalies.checked); + + // Hide the "frag3_overlap_limit and frag3_min_frag_len" rows if frag3_detect_anomablies disabled + if (endis) { + document.getElementById("frag3_overlaplimit_row").style.display="none"; + document.getElementById("frag3_minfraglen_row").style.display="none"; + } + else { + document.getElementById("frag3_overlaplimit_row").style.display="table-row"; + document.getElementById("frag3_minfraglen_row").style.display="table-row"; + } +} + +// Set initial state of form controls +frag3_enable_change(); + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $aliasesaddr = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + if ($alias_name['type'] != "host" && $alias_name['type'] != "network") + continue; + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('frag3_bind_to'), new StateSuggestions(addressarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +</script> + +</html> diff --git a/config/snort/snort_ftp_client_engine.php b/config/snort/snort_ftp_client_engine.php new file mode 100644 index 00000000..b039df5b --- /dev/null +++ b/config/snort/snort_ftp_client_engine.php @@ -0,0 +1,429 @@ +<?php +/* + * snort_ftp_client_engine.php + * Copyright (C) 2013 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_client_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else + $pconfig = $a_nat[$eng_id]; + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_client_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "bounce_to_net" || $_GET['varname'] == "bounce_to_port") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + if(!isset($_SESSION['ftp_client_import'])) + $_SESSION['ftp_client_import'] = array(); + + $_SESSION['ftp_client_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['ftp_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to']; + if (isset($_SESSION['ftp_client_import']['bounce_to_net'])) + $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net']; + if (isset($_SESSION['ftp_client_import']['bounce_to_port'])) + $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['ftp_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to']; + if (isset($_SESSION['ftp_client_import']['bounce_to_net'])) + $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net']; + if (isset($_SESSION['ftp_client_import']['bounce_to_port'])) + $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port']; + } + else { + unset($_SESSION['ftp_client_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_client_import']); + session_write_close(); + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; } + if ($_POST['ftp_bind_to']) { + if (is_alias($_POST['ftp_bind_to'])) + $engine['bind_to'] = $_POST['ftp_bind_to']; + elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + + // Validate BOUNCE-TO Alias entries to be sure if one is set, then both are set; since + // if you define a BOUNCE-TO address, you must also define the BOUNCE-TO port. + if ($_POST['ftp_client_bounce_to_net'] && !is_alias($_POST['ftp_client_bounce_to_net'])) + $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO ADDRESS option."); + + if ($_POST['ftp_client_bounce_to_port'] && !is_alias($_POST['ftp_client_bounce_to_port'])) + $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO PORT option."); + + if ($_POST['ftp_client_bounce_to_net'] && empty($_POST['ftp_client_bounce_to_port'])) + $input_errors[] = gettext("FTP Protocol BOUNCE-TO PORT cannot be empty when BOUNCE-TO ADDRESS is set."); + + if ($_POST['ftp_client_bounce_to_port'] && empty($_POST['ftp_client_bounce_to_net'])) + $input_errors[] = gettext("FTP Protocol BOUNCE-TO ADDRESS cannot be empty when BOUNCE-TO PORT is set."); + + // Validate the BOUNCE-TO Alias entries for correct format of their defined values. BOUNCE-TO ADDRESS must be + // a valid single IP, and BOUNCE-TO PORT must be either a single port value or a port range value. Provide + // detailed error messages for the user that explain any problems. + if ($_POST['ftp_client_bounce_to_net'] && $_POST['ftp_client_bounce_to_port']) { + if (!snort_is_single_addr_alias($_POST['ftp_client_bounce_to_net'])){ + $net = trim(filter_expand_alias($_POST['ftp_client_bounce_to_net'])); + $net = preg_replace('/\s+/', ',', $net); + $msg = gettext("The FTP Protocol BOUNCE-TO ADDRESS parameter must be a single IP network or address, "); + $msg .= gettext("so the supplied Alias must be defined as a single address or network in CIDR form. "); + $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_net']} ] is currently defined as [ {$net} ]."); + $input_errors[] = $msg; + } + $port = trim(filter_expand_alias($_POST['ftp_client_bounce_to_port'])); + $port = preg_replace('/\s+/', ',', $port); + if (!is_port($port) && !is_portrange($port)) { + $msg = gettext("The FTP Protocol BOUNCE-TO PORT parameter must be a single port or port-range, "); + $msg .= gettext("so the supplied Alias must be defined as a single port or port-range value. "); + $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_port']} ] is currently defined as [ {$port} ]."); + $input_errors[] = $msg; + } + } + + $engine['bounce_to_net'] = $_POST['ftp_client_bounce_to_net']; + $engine['bounce_to_port'] = $_POST['ftp_client_bounce_to_port']; + $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no'; + $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no'; + $engine['bounce'] = $_POST['ftp_client_bounce_detect'] ? 'yes' : 'no'; + $engine['max_resp_len'] = $_POST['ftp_max_resp_len']; + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default FTP Engine can be bound to all addresses."); + $pconfig = $engine; + } + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Client Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_ftp_client_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based FTP Client Engine Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td> + <td class="vtable"> + <input name="ftp_name" type="text" class="formfld unknown" id="ftp_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off" > + <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within the IP List.");?>.<br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?></td> + </tr> + </table> + <?php else : ?> + <input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP address for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP addresses.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Telnet Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_cmds" id="ftp_telnet_cmds" type="checkbox" value="on" + <?php if ($pconfig['telnet_cmds']=="yes") echo "checked "; ?>> + <?php echo gettext("Alert when Telnet commands are seen on the FTP command channel. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Telnet Erase Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_ignore_telnet_erase_cmds" id="ftp_ignore_telnet_erase_cmds" type="checkbox" value="on" + <?php if ($pconfig['ignore_telnet_erase_cmds']=="yes") echo "checked "; ?>> + <?php echo gettext("Ignore Telnet escape sequences for erase character and erase line when normalizing FTP command channel.") . "<br/>" . + gettext("Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Maximum Response Length"); ?></td> + <td class="vtable"> + <input name="ftp_max_resp_len" type="text" class="formfld unknown" id="ftp_max_resp_len" size="6" + value="<?=htmlspecialchars($pconfig['max_resp_len']);?>"> + <?php echo gettext("Max FTP command response length accepted by client. Enter ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" to disable. Default is ") . "<strong>" . gettext("256.") . "</strong>";?><br/> + <?php echo gettext("Specifies the maximum allowed response length to an FTP command accepted by the client. It can be used as ") . + gettext("a basic buffer overflow detection.");?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Bounce Detection"); ?></td> + <td width="78%" class="vtable"><input name="ftp_client_bounce_detect" type="checkbox" value="on" + <?php if ($pconfig['bounce']=="yes") echo "checked"; ?> onclick="ftp_client_bounce_enable_change();"> + <?php echo gettext("Enable detection and alerting of FTP bounce attacks. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_client_row_bounce_to"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Bounce-To Configuration"); ?></td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><strong><?php echo gettext("Bounce-To Address:"); ?></strong></td> + <td class="vexpl"><input name="ftp_client_bounce_to_net" type="text" class="formfldalias" id="ftp_client_bounce_to_net" size="20" + value="<?=htmlspecialchars($pconfig['bounce_to_net']);?>" title="<?=trim(filter_expand_alias($pconfig['bounce_to_net']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default is ") . "<strong>" . gettext("blank") . "</strong>.";?></span> + </td> + <td class="vexpl"> <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bounce_to_net&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing IP alias");?>"/> + </td> + </tr> + <tr> + <td class="vexpl"><strong><?php echo gettext("Bounce-To Port:"); ?></strong></td> + <td class="vexpl"><input name="ftp_client_bounce_to_port" type="text" class="formfldalias" id="ftp_client_bounce_to_port" size="20" + value="<?=htmlspecialchars($pconfig['bounce_to_port']);?>" title="<?=trim(filter_expand_alias($pconfig['bounce_to_port']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default is ") . "<strong>" . gettext("blank") . "</strong>.";?></span> + </td> + <td class="vexpl"> <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=bounce_to_port&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing port alias");?>"/> + </td> + </tr> + </table> + <?php echo gettext("When the Bounce option is enabled, this allows the PORT command to use the address and port (or inclusive port range) ") . + gettext("specified without generating an alert. It can be used with proxied FTP connections where the FTP data channel is different from the client.");?><br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("Supplied value must be a pre-configured Alias or left blank.");?><br/> + <span class="red"><?php echo gettext("Hint: ") . "</span>" . gettext("Leave these settings at their defaults unless you are proxying FTP connections.");?> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save ftp engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> +<script type="text/javascript"> + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesport = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } + elseif ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesport .= ","; + $aliasesport .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } + +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portarray=new Array(<?php echo $aliasesport; ?>); + +function createAutoSuggest() { +<?php + echo "objAliasBindTo = new AutoSuggestControl(document.getElementById('ftp_bind_to'), new StateSuggestions(addressarray));\n"; + echo "objAliasBounceNet = new AutoSuggestControl(document.getElementById('ftp_client_bounce_to_net'), new StateSuggestions(addressarray));\n"; + echo "objAliasBouncePort = new AutoSuggestControl(document.getElementById('ftp_client_bounce_to_port'), new StateSuggestions(portarray));\n"; + + +?> +} + +setTimeout("createAutoSuggest();", 500); + +function ftp_client_bounce_enable_change() { + var endis = !(document.iform.ftp_client_bounce_detect.checked); + if (endis) + document.getElementById("ftp_client_row_bounce_to").style.display="none"; + else + document.getElementById("ftp_client_row_bounce_to").style.display="table-row"; +} + +// Set initial state of form controls +ftp_client_bounce_enable_change(); + +</script> + +</html> diff --git a/config/snort/snort_ftp_server_engine.php b/config/snort/snort_ftp_server_engine.php new file mode 100644 index 00000000..e70033e7 --- /dev/null +++ b/config/snort/snort_ftp_server_engine.php @@ -0,0 +1,378 @@ +<?php +/* + * snort_ftp_server_engine.php + * Copyright (C) 2013 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +// Grab any QUERY STRING or POST variables +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_server_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else + $pconfig = $a_nat[$eng_id]; + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_server_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + if(!isset($_SESSION['ftp_server_import'])) + $_SESSION['ftp_server_import'] = array(); + + $_SESSION['ftp_server_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['ftp_server_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to']; + if (isset($_SESSION['ftp_server_import']['ports'])) + $pconfig['ports'] = $_SESSION['ftp_server_import']['ports']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['ftp_server_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to']; + if (isset($_SESSION['ftp_server_import']['ports'])) + $pconfig['ports'] = $_SESSION['ftp_server_import']['ports']; + } + else { + unset($_SESSION['ftp_server_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_server_import']); + session_write_close(); + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; } + if ($_POST['ftp_bind_to']) { + if (is_alias($_POST['ftp_bind_to'])) + $engine['bind_to'] = $_POST['ftp_bind_to']; + elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + + if ($_POST['ftp_ports']) { + if ($_POST['ftp_ports'] == "default") + $engine['ports'] = $_POST['ftp_ports']; + elseif (is_alias($_POST['ftp_ports'])) + $engine['ports'] = $_POST['ftp_ports']; + else + $input_errors[] = gettext("The value for Ports must be a valid Alias name or the keyword 'default'."); + } + else + $engine['ports'] = 21; + + $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no'; + $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no'; + $engine['ignore_data_chan'] = $_POST['ftp_ignore_data_chan'] ? 'yes' : 'no'; + $engine['def_max_param_len'] = $_POST['ftp_def_max_param_len']; + + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default ftp Engine can be bound to all addresses."); + $pconfig = $engine; + } + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Server Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_ftp_server_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based FTP Server Engine Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td> + <td class="vtable"> + <input name="ftp_name" type="text" class="formfld unknown" id="ftp_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off"> + <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within the IP List.");?>.</td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> + <?php else : ?> + <input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP address for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP addresses.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Ports"); ?></td> + <td class="vtable"> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="ftp_ports" type="text" class="formfldalias" id="ftp_ports" size="25" + value="<?=htmlspecialchars($pconfig['ports']);?>" title="<?=trim(filter_expand_alias($pconfig['ports']));?>"> + <?php echo gettext("Specifiy which ports to check for FTP data.");?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports&act=import'" + title="<?php echo gettext("Select an existing port alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("Default value is '") . "<strong>" . gettext("'default'") . "</strong>" . + gettext(" Using 'default' will include the FTP Ports defined on the ") . "<a href='snort_define_servers.php?id={$id}' title=\"" . + gettext("Go to {$if_friendly} Variables tab to define custom port variables") . "\">" . gettext("VARIABLES") . "</a>" . + gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?></td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Telnet Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_cmds" id="ftp_telnet_cmds" type="checkbox" value="on" + <?php if ($pconfig['telnet_cmds']=="yes") echo "checked "; ?>> + <?php echo gettext("Alert when Telnet commands are seen on the FTP command channel. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Telnet Erase Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_ignore_telnet_erase_cmds" id="ftp_ignore_telnet_erase_cmds" type="checkbox" value="on" + <?php if ($pconfig['ignore_telnet_erase_cmds']=="yes") echo "checked "; ?>> + <?php echo gettext("Ignore Telnet escape sequences for erase character and erase line when normalizing FTP command channel. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Data Channel"); ?></td> + <td width="78%" class="vtable"><input name="ftp_ignore_data_chan" id="ftp_ignore_data_chan" type="checkbox" value="on" + <?php if ($pconfig['ignore_data_chan']=="yes") echo "checked "; ?>> + <?php echo gettext("Force Snort to ignore the FTP data channel connections. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/> + <span class="red"><strong><?php echo gettext("Warning: ") . "</strong></span>" . gettext("When checked, NO INSPECTION other than state will be ") . + gettext("performed on the data channel. Enabling this option can improve performance for large FTP transfers from trusted servers.");?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Default Max Allowed Parameter Length"); ?></td> + <td class="vtable"> + <input name="ftp_def_max_param_len" type="text" class="formfld unknown" id="ftp_def_max_param_len" size="6" + value="<?=htmlspecialchars($pconfig['def_max_param_len']);?>"> + <?php echo gettext("Default allowed maximum parameter length for command. Enter ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" to disable. Default is ") . "<strong>" . gettext("100.") . "</strong>";?><br/> + <?php echo gettext("Specifies the maximum allowed parameter length for and FTP command. It can be used as a ") . + gettext("basic buffer overflow detection.");?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save ftp engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> +<script type="text/javascript"> + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesport = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } + elseif ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesport .= ","; + $aliasesport .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } + +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portarray=new Array(<?php echo $aliasesport; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_bind_to'), new StateSuggestions(addressarray));\n"; + echo "objAliasPort = new AutoSuggestControl(document.getElementById('ftp_ports'), new StateSuggestions(portarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +</script> + +</html> diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php new file mode 100644 index 00000000..94d3364f --- /dev/null +++ b/config/snort/snort_httpinspect_engine.php @@ -0,0 +1,742 @@ +<?php +/* + * snort_httpinspect_engine.php + * Copyright (C) 2013 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for any empty values and set sensible defaults + if (empty($pconfig['ports'])) + $pconfig['ports'] = "default"; + if (empty($pconfig['server_profile'])) + $pconfig['server_profile'] = "all"; + if (empty($pconfig['enable_xff'])) + $pconfig['enable_xff'] = "off"; + if (empty($pconfig['log_uri'])) + $pconfig['log_uri'] = "off"; + if (empty($pconfig['log_hostname'])) + $pconfig['log_hostname'] = "off"; + if (empty($pconfig['server_flow_depth']) && $pconfig['server_flow_depth'] <> 0) + $pconfig['server_flow_depth'] = 65535; + if (empty($pconfig['enable_cookie'])) + $pconfig['enable_cookie'] = "on"; + if (empty($pconfig['client_flow_depth']) && $pconfig['client_flow_depth'] <> 0) + $pconfig['client_flow_depth'] = 1460; + if (empty($pconfig['extended_response_inspection'])) + $pconfig['extended_response_inspection'] = "on"; + if (empty($pconfig['no_alerts'])) + $pconfig['no_alerts'] = "off"; + if (empty($pconfig['unlimited_decompress'])) + $pconfig['unlimited_decompress'] = "on"; + if (empty($pconfig['inspect_gzip'])) + $pconfig['inspect_gzip'] = "on"; + if (empty($pconfig['normalize_cookies'])) + $pconfig['normalize_cookies'] = "on"; + if (empty($pconfig['normalize_headers'])) + $pconfig['normalize_headers'] = "on"; + if (empty($pconfig['normalize_utf'])) + $pconfig['normalize_utf'] = "on"; + if (empty($pconfig['normalize_javascript'])) + $pconfig['normalize_javascript'] = "on"; + if (empty($pconfig['allow_proxy_use'])) + $pconfig['allow_proxy_use'] = "off"; + if (empty($pconfig['inspect_uri_only'])) + $pconfig['inspect_uri_only'] = "off"; + if (empty($pconfig['max_javascript_whitespaces']) && $pconfig['max_javascript_whitespaces'] <> 0) + $pconfig['max_javascript_whitespaces'] = 200; + if (empty($pconfig['post_depth']) && $pconfig['post_depth'] <> 0) + $pconfig['post_depth'] = -1; + if (empty($pconfig['max_headers'])) + $pconfig['max_headers'] = 0; + if (empty($pconfig['max_spaces'])) + $pconfig['max_spaces'] = 0; + if (empty($pconfig['max_header_length'])) + $pconfig['max_header_length'] = 0; +} + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + $_SESSION['http_inspect_import'] = array(); + + $_SESSION['http_inspect_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['http_inspect_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to']; + if (isset($_SESSION['http_inspect_import']['ports'])) + $pconfig['ports'] = $_SESSION['http_inspect_import']['ports']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['http_inspect_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to']; + if (isset($_SESSION['http_inspect_import']['ports'])) + $pconfig['ports'] = $_SESSION['http_inspect_import']['ports']; + } + else { + unset($_SESSION['http_inspect_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + + // Grab all the POST values and save in new temp array + $engine = array(); + if ($_POST['httpinspect_name']) { $engine['name'] = trim($_POST['httpinspect_name']); } else { $engine['name'] = "default"; } + if ($_POST['httpinspect_bind_to']) { + if (is_alias($_POST['httpinspect_bind_to'])) + $engine['bind_to'] = $_POST['httpinspect_bind_to']; + elseif (strtolower(trim($_POST['httpinspect_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + if ($_POST['httpinspect_ports']) { $engine['ports'] = trim($_POST['httpinspect_ports']); } else { $engine['ports'] = "default"; } + + // Validate the text input fields before saving + if (!empty($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] == 0) { + $engine['server_flow_depth'] = $_POST['httpinspect_server_flow_depth']; + if (!is_numeric($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] < -1 || $_POST['httpinspect_server_flow_depth'] > 65535) + $input_errors[] = gettext("The value for Server_Flow_Depth must be numeric and between -1 and 65535."); + } + else + $engine['server_flow_depth'] = 65535; + + if (!empty($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] == 0) { + $engine['client_flow_depth'] = $_POST['httpinspect_client_flow_depth']; + if (!is_numeric($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] < -1 || $_POST['httpinspect_client_flow_depth'] > 1460) + $input_errors[] = gettext("The value for Client_Flow_Depth must be between -1 and 1460."); + } + else + $engine['client_flow_depth'] = 1460; + + if (!empty($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] == 0) { + $engine['max_javascript_whitespaces'] = $_POST['httpinspect_max_javascript_whitespaces']; + if (!is_numeric($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] < 0 || $_POST['httpinspect_max_javascript_whitespaces'] > 65535) + $input_errors[] = gettext("The value for Max_Javascript_Whitespaces must be between 0 and 65535."); + } + else + $engine['max_javascript_whitespaces'] = 200; + + if (!empty($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] == 0) { + $engine['post_depth'] = $_POST['httpinspect_post_depth']; + if (!is_numeric($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] < -1 || $_POST['httpinspect_post_depth'] > 65495) + $input_errors[] = gettext("The value for Post_Depth must be between -1 and 65495."); + } + else + $engine['post_depth'] = -1; + + if (!empty($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] == 0) { + $engine['max_headers'] = $_POST['httpinspect_max_headers']; + if (!is_numeric($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] < 0 || $_POST['httpinspect_max_headers'] > 65535) + $input_errors[] = gettext("The value for Max_Headers must be between 0 and 65535."); + } + else + $engine['max_headers'] = 0; + + if (!empty($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] == 0) { + $engine['max_spaces'] = $_POST['httpinspect_max_spaces']; + if (!is_numeric($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] < 0 || $_POST['httpinspect_max_spaces'] > 65535) + $input_errors[] = gettext("The value for Max_Spaces must be between 0 and 65535."); + } + else + $engine['max_spaces'] = 0; + + if (!empty($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] == 0) { + $engine['max_header_length'] = $_POST['httpinspect_max_header_length']; + if (!is_numeric($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] < 0 || $_POST['httpinspect_max_header_length'] > 65535) + $input_errors[] = gettext("The value for Max_Header_Length must be between 0 and 65535."); + } + else + $engine['max_header_length'] = 0; + + if ($_POST['httpinspect_server_profile']) { $engine['server_profile'] = $_POST['httpinspect_server_profile']; } else { $engine['server_profile'] = "all"; } + + $engine['no_alerts'] = $_POST['httpinspect_no_alerts'] ? 'on' : 'off'; + $engine['enable_xff'] = $_POST['httpinspect_enable_xff'] ? 'on' : 'off'; + $engine['log_uri'] = $_POST['httpinspect_log_uri'] ? 'on' : 'off'; + $engine['log_hostname'] = $_POST['httpinspect_log_hostname'] ? 'on' : 'off'; + $engine['extended_response_inspection'] = $_POST['httpinspect_extended_response_inspection'] ? 'on' : 'off'; + $engine['enable_cookie'] = $_POST['httpinspect_enable_cookie'] ? 'on' : 'off'; + $engine['unlimited_decompress'] = $_POST['httpinspect_unlimited_decompress'] ? 'on' : 'off'; + $engine['inspect_gzip'] = $_POST['httpinspect_inspect_gzip'] ? 'on' : 'off'; + $engine['normalize_cookies'] = $_POST['httpinspect_normalize_cookies'] ? 'on' : 'off'; + $engine['normalize_headers'] = $_POST['httpinspect_normalize_headers'] ? 'on' : 'off'; + $engine['normalize_utf'] = $_POST['httpinspect_normalize_utf'] ? 'on' : 'off'; + $engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off'; + $engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off'; + $engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off'; + + // Can only have one "all" Bind_To address + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default http_inspect Engine can be bound to all addresses."); + $pconfig = $engine; + } + + // if no errors, write new entry to conf + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom + // if it contains more than one entry. + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + // Now write the new engine array to conf + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: {$if_friendly} - HTTP_Inspect Preprocessor Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_httpinspect_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("HTTP Inspection Server Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td> + <td class="vtable"> + <input name="httpinspect_name" type="text" class="formfld unknown" id="httpinspect_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo " readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="httpinspect_bind_to" type="text" class="formfldalias" id="httpinspect_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off"> + <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=yes&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within this IP List.");?></td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> + <?php else : ?> + <input name="httpinspect_bind_to" type="text" class="formfldalias" id="httpinspect_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Ports"); ?></td> + <td class="vtable"> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="httpinspect_ports" type="text" class="formfldalias" id="httpinspect_ports" size="25" + value="<?=htmlspecialchars($pconfig['ports']);?>" title="<?=trim(filter_expand_alias($pconfig['ports']));?>"> + <?php echo gettext("Specifiy which ports to check for HTTP data.");?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing port alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("Default value is '") . "<strong>" . gettext("'default'. ") . "</strong>";?> + <?php echo gettext("Using 'default' will include the HTTP Ports defined on the ") . "<a href='snort_define_servers.php?id={$id}' title=\"" . + gettext("Go to {$if_friendly} Variables tab to define custom port variables") . "\">" . gettext("VARIABLES") . "</a>" . + gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?></td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Profile");?> </td> + <td width="78%" class="vtable"> + <select name="httpinspect_server_profile" class="formselect" id="httpinspect_server_profile"> + <?php + $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0'); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['server_profile']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach;?> + </select> <?php echo gettext("Choose the profile type of the protected web server. The default is ") . + "<strong>" . gettext("All") . "</strong>";?><br/> + <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") . + gettext("double decoding vulnerability present in those versions.");?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("No Alerts");?></td> + <td width="78%" class="vtable"><input name="httpinspect_no_alerts" + type="checkbox" value="on" id="httpinspect_no_alerts" + <?php if ($pconfig['no_alerts']=="on") echo "checked";?>> + <?php echo gettext("Disable Alerts from this engine configuration. Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Allow Proxy Use");?></td> + <td width="78%" class="vtable"><input name="httpinspect_allow_proxy_use" + type="checkbox" value="on" id="httpinspect_allow_proxy_use" + <?php if ($pconfig['allow_proxy_use']=="on") echo "checked";?>> + <?php echo gettext("Allow proxy use on this server. " . + "Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.<br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("This prevents proxy alerts for this server. The global option Proxy_Alert must also be " . + "enabled, otherwise this setting does nothing.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("XFF/True-Client-IP");?></td> + <td width="78%" class="vtable"><input name="httpinspect_enable_xff" + type="checkbox" value="on" id="httpinspect_enable_xff" + <?php if ($pconfig['enable_xff']=="on") echo "checked";?>> + <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " . + "HTTP headers. Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("URI Logging"); ?></td> + <td width="78%" class="vtable"><input name="httpinspect_log_uri" + type="checkbox" value="on" id="hhttpinspect_log_uri" + <?php if ($pconfig['log_uri']=="on") echo "checked"; ?>> + <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." . + " Default is "); ?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Hostname Logging");?></td> + <td width="78%" class="vtable"><input name="httpinspect_log_hostname" + type="checkbox" value="on" id="httpinspect_log_hostname" + <?php if ($pconfig['log_hostname']=="on") echo "checked";?>> + <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." . + " Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Cookie Extraction/Inspection");?></td> + <td width="78%" class="vtable"><input name="httpinspect_enable_cookie" + type="checkbox" value="on" id="httpinspect_enable_cookie" + <?php if ($pconfig['enable_cookie']=="on") echo "checked";?>> + <?php echo gettext("Enable HTTP cookie extraction and inspection. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect URI Only");?></td> + <td width="78%" class="vtable"><input name="httpinspect_inspect_uri_only" + type="checkbox" value="on" id="httpinspect_inspect_uri_only" + <?php if ($pconfig['inspect_uri_only']=="on") echo "checked";?>> + <?php echo gettext("Inspect only URI portion of HTTP requests. This is a performance enhancement. " . + "Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.<br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("If this option is used without any uricontent rules, then no inspection will take place. " . + "The URI is only inspected with uricontent rules, and if there are none available, then there is nothing to inspect.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Extended Response Inspection");?></td> + <td width="78%" class="vtable"><input name="httpinspect_extended_response_inspection" + type="checkbox" value="on" id="httpinspect_extended_response_inspection" onclick="extended_response_enable_change();" + <?php if ($pconfig['extended_response_inspection']=="on") echo "checked";?>> + <?php echo gettext("Enable extended response inspection to thoroughly inspect the HTTP response. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr id="httpinspect_normalizejavascript_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Javascript");?></td> + <td width="78%" class="vtable"><input name="httpinspect_normalize_javascript" + type="checkbox" value="on" id="httpinspect_normalize_javascript" onclick="normalize_javascript_enable_change();" + <?php if ($pconfig['normalize_javascript']=="on") echo "checked";?>> + <?php echo gettext("Enable Javascript normalization in HTTP response body. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr id="httpinspect_maxjavascriptwhitespaces_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum Javascript Whitespaces"); ?></td> + <td class="vtable"> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td valign="top"><input name="httpinspect_max_javascript_whitespaces" type="text" class="formfld unknown" + id="httpinspect_max_javascript_whitespaces" size="6" + value="<?=htmlspecialchars($pconfig['max_javascript_whitespaces']);?>"></td> + <td class="vexpl" valign="top"><?php echo gettext("Maximum consecutive whitespaces allowed in Javascript obfuscated data. ");?> + <?php echo gettext("Minimum is ") . "<strong>" . gettext("1") . "</strong>" . gettext(" and maximum is ") . + "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") . + "</strong>" . gettext(" disables this alert). "). gettext("The default value is ") . + "<strong>" . gettext("200") . "</strong>."?></td> + </tr> + </table> + </td> + </tr> + <tr id="httpinspect_inspectgzip_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect gzip");?></td> + <td width="78%" class="vtable"><input name="httpinspect_inspect_gzip" + type="checkbox" value="on" id="httpinspect_inspect_gzip" onclick="httpinspect_inspectgzip_enable_change();" + <?php if ($pconfig['inspect_gzip']=="on") echo "checked";?>> + <?php echo gettext("Uncompress and inspect compressed data in HTTP response. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr id="httpinspect_unlimiteddecompress_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Unlimited Decompress");?></td> + <td width="78%" class="vtable"><input name="httpinspect_unlimited_decompress" + type="checkbox" value="on" id="httpinspect_unlimited_decompress" + <?php if ($pconfig['unlimited_decompress']=="on") echo "checked";?>> + <?php echo gettext("Decompress unlimited gzip data (across multiple packets). Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Cookies");?></td> + <td width="78%" class="vtable"><input name="httpinspect_normalize_cookies" + type="checkbox" value="on" id="httpinspect_normalize_cookies" + <?php if ($pconfig['normalize_cookies']=="on") echo "checked";?>> + <?php echo gettext("Normalize HTTP cookie fields. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize UTF");?></td> + <td width="78%" class="vtable"><input name="httpinspect_normalize_utf" + type="checkbox" value="on" id="httpinspect_normalize_utf" + <?php if ($pconfig['normalize_utf']=="on") echo "checked";?>> + <?php echo gettext("Normalize HTTP response body character sets to 8-bit encoding. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Headers");?></td> + <td width="78%" class="vtable"><input name="httpinspect_normalize_headers" + type="checkbox" value="on" id="httpinspect_normalize_headers" + <?php if ($pconfig['normalize_headers']=="on") echo "checked";?>> + <?php echo gettext("Normalize HTTP Header fields. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Server Flow Depth"); ?></td> + <td class="vtable"> + <input name="httpinspect_server_flow_depth" type="text" class="formfld unknown" + id="httpinspect_server_flow_depth" size="6" + value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <strong><?php echo gettext("-1") . + "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong> " . gettext("(") . "<strong>" . + gettext("-1") . "</strong>" . gettext(" disables HTTP inspect, ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" enables all HTTP inspect).");?><br/><br/> + <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's performance " . + "may increase by adjusting this value. Setting this value too low may cause false negatives. ") . + gettext("Values above 0 are specified in bytes. Recommended setting is maximum (65535). " . + "Default value is ") . "<strong>" . gettext("65535") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Client Flow Depth"); ?></td> + <td class="vtable"> + <input name="httpinspect_client_flow_depth" type="text" class="formfld unknown" + id="httpinspect_client_flow_depth" size="6" + value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>"> <strong><?php echo gettext("-1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("1460") . "</strong>" . gettext(" (") . "<strong>" . gettext("-1") . + "</strong>" . gettext(" disables HTTP inspect, ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" enables all HTTP inspect).");?><br/><br/> + <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " . + "performance may increase by adjusting this value. Setting this value too low may cause false negatives. ");?> + <?php echo gettext("Values above 0 are specified in bytes. Recommended setting is maximum (1460). " . + "Default value is ") . "<strong>" . gettext("1460") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Post Depth"); ?></td> + <td class="vtable"> + <input name="httpinspect_post_depth" type="text" class="formfld unknown" + id="httpinspect_post_depth" size="6" + value="<?=htmlspecialchars($pconfig['post_depth']);?>"> <strong><?php echo gettext("-1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("65495") . "</strong>" . gettext(" (") . "<strong>" . gettext("-1") . + "</strong>" . gettext(" ignores all post data, ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" inspects all post data).");?><br/><br/> + <?php echo gettext("Amount of data to inspect in client post message. Snort's performance may " . + "increase by adjusting this value. Values above 0 are specified in bytes. ") . + gettext("Default value is ") . "<strong>" . gettext("-1") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Max Headers"); ?></td> + <td class="vtable"> + <input name="httpinspect_max_headers" type="text" class="formfld unknown" + id="httpinspect_max_headers" size="6" + value="<?=htmlspecialchars($pconfig['max_headers']);?>"> <strong><?php echo gettext("1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("1024") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") . + "</strong>" . gettext(" disables the alert).");?><br/><br/> + <?php echo gettext("Sets the maximum number of HTTP client request header fields allowed. Requests that " . + "contain more HTTP headers than this value will cause a \"Max Header\" alert. ") . + gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Max Header Length"); ?></td> + <td class="vtable"> + <input name="httpinspect_max_header_length" type="text" class="formfld unknown" + id="httpinspect_max_header_length" size="6" + value="<?=htmlspecialchars($pconfig['max_header_length']);?>"> <strong><?php echo gettext("1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") . + "</strong>" . gettext(" disables the alert).");?><br/><br/> + <?php echo gettext("This sets the maximum length allowed for an HTTP client request header field. " . + "Requests that exceed this limit well cause a \"Long Header\" alert. ") . + gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Max Spaces"); ?></td> + <td class="vtable"> + <input name="httpinspect_max_spaces" type="text" class="formfld unknown" + id="httpinspect_max_spaces" size="6" + value="<?=htmlspecialchars($pconfig['max_spaces']);?>"> <strong><?php echo gettext("1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") . + "</strong>" . gettext(" disables the alert).");?><br/><br/> + <?php echo gettext("This sets the maximum number of whitespaces allowed with HTTP client request line folding. " . + "Request headers folded with whitespaces equal to or greater than this value will cause a \"Whitespace Saturation\" alert. ") . + gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save httpinspect engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> + +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> + +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> + +<script type="text/javascript"> + +function extended_response_enable_change() { + var endis = !(document.iform.httpinspect_extended_response_inspection.checked); + + // Hide the "httpinspect_inspectgzip and httpinspect_normalizejavascript" rows if httpinspect_extended_response_inspection disabled + if (endis) { + document.getElementById("httpinspect_inspectgzip_row").style.display="none"; + document.getElementById("httpinspect_unlimiteddecompress_row").style.display="none"; + document.getElementById("httpinspect_normalizejavascript_row").style.display="none"; + document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="none"; + } + else { + document.getElementById("httpinspect_inspectgzip_row").style.display="table-row"; + document.getElementById("httpinspect_unlimiteddecompress_row").style.display="table-row"; + document.getElementById("httpinspect_normalizejavascript_row").style.display="table-row"; + document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="table-row"; + } +} + +function httpinspect_inspectgzip_enable_change() { + var endis = !(document.iform.httpinspect_inspect_gzip.checked); + // Hide the "httpinspect_unlimited_decompress" row if httpinspect_inspect_gzip disabled + if (endis) + document.getElementById("httpinspect_unlimiteddecompress_row").style.display="none"; + else + document.getElementById("httpinspect_unlimiteddecompress_row").style.display="table-row"; +} + +function normalize_javascript_enable_change() { + var endis = !(document.iform.httpinspect_normalize_javascript.checked); + + // Hide the "httpinspect_maxjavascriptwhitespaces" row if httpinspect_normalize_javascript disabled + if (endis) + document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="none"; + else + document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="table-row"; +} + +// Set initial state of form controls +extended_response_enable_change(); +normalize_javascript_enable_change(); +httpinspect_inspectgzip_enable_change(); + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesport = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } + elseif ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesport .= ","; + $aliasesport .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portarray=new Array(<?php echo $aliasesport; ?>); + +function createAutoSuggest() { +<?php + echo "objAliasAddr = new AutoSuggestControl(document.getElementById('httpinspect_bind_to'), new StateSuggestions(addressarray));\n"; + echo "objAliasPort = new AutoSuggestControl(document.getElementById('httpinspect_ports'), new StateSuggestions(portarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +</script> +<?php include("fend.inc");?> +</body> +</html> diff --git a/config/snort/snort_import_aliases.php b/config/snort/snort_import_aliases.php new file mode 100644 index 00000000..77cd5490 --- /dev/null +++ b/config/snort/snort_import_aliases.php @@ -0,0 +1,323 @@ +<?php +/* $Id$ */ +/* + snort_import_aliases.php + Copyright (C) 2013 Bill Meeks + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require_once("functions.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +// Retrieve any passed QUERY STRING or POST variables +$id = $_GET['id']; +$eng = $_GET['eng']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng'])) + $eng = $_POST['eng']; + +// Make sure we have a valid rule ID and ENGINE name, or +// else bail out to top-level menu. +if (is_null($id) || is_null($eng)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +// Used to track if any selectable Aliases are found +$selectablealias = false; + +// Initialize required array variables as necessary +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); +$a_aliases = $config['aliases']['alias']; +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +// The $eng variable points to the specific Snort config section +// engine we are importing values into. Initialize the config.xml +// array if necessary. +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'])) + $config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'] = array(); + +// Initialize a pointer to the Snort config section engine we are +// importing values into. +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id][$eng]['item']; + +// Build a lookup array of currently used engine 'bind_to' Aliases +// so we can screen matching Alias names from the list. +$used = array(); +foreach ($a_nat as $v) + $used[$v['bind_to']] = true; + +// Construct the correct return anchor string based on the Snort config section +// engine we were called with. This lets us return to the page and section +// we were called from. Also set the flag for those engines which accept +// multiple IP addresses for the "bind_to" parameter. +switch ($eng) { + case "frag3_engine": + $anchor = "#frag3_row"; + $multi_ip = true; + $title = "Frag3 Engine"; + break; + case "http_inspect_engine": + $anchor = "#httpinspect_row"; + $multi_ip = true; + $title = "HTTP_Inspect Engine"; + break; + case "stream5_tcp_engine": + $anchor = "#stream5_row"; + $multi_ip = true; + $title = "Stream5 TCP Engine"; + break; + case "ftp_server_engine": + $anchor = "#ftp_telnet_row"; + $multi_ip = false; + $title = "FTP Server Engine"; + break; + case "ftp_client_engine": + $anchor = "#ftp_telnet_row"; + $multi_ip = false; + $title = "FTP Client Engine"; + break; + default: + $anchor = ""; +} + +if ($_POST['cancel']) { + header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}"); + exit; +} + +if ($_POST['save']) { + + // Define default engine configurations for each of the supported engines. + + $def_frag3 = array( "name" => "", "bind_to" => "", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + + $def_ftp_server = array( "name" => "", "bind_to" => "", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + $def_ftp_client = array( "name" => "", "bind_to" => "", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + $def_http_inspect = array( "name" => "", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + + $def_stream5 = array( "name" => "", "bind_to" => "", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + + // Figure out which engine type we are importing and set up default engine array + $engine = array(); + switch ($eng) { + case "frag3_engine": + $engine = $def_frag3; + break; + case "http_inspect_engine": + $engine = $def_http_inspect; + break; + case "stream5_tcp_engine": + $engine = $def_stream5; + break; + case "ftp_server_engine": + $engine = $def_ftp_server; + break; + case "ftp_client_engine": + $engine = $def_ftp_client; + break; + default: + $engine = ""; + $input_errors[] = gettext("Invalid ENGINE TYPE passed in query string. Aborting operation."); + } + + // See if anything was checked to import + if (is_array($_POST['toimport']) && count($_POST['toimport']) > 0) { + foreach ($_POST['toimport'] as $item) { + $engine['name'] = strtolower($item); + $engine['bind_to'] = $item; + $a_nat[] = $engine; + } + } + else + $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); + + // if no errors, write new entry to conf + if (!$input_errors) { + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom if + // the array contains more than one entry. + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + // Only relocate the entry if we + // found it, and it's not already + // at the end. + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + // Now write the new engine array to conf and return + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}"); + exit; + } +} + +$pgtitle = gettext("Snort: Import Host/Network Alias for {$title}"); +include("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<form action="snort_import_aliases.php" method="post"> +<input type="hidden" name="id" value="<?=$id;?>"> +<input type="hidden" name="eng" value="<?=$eng;?>"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td class="tabcont"><strong><?=gettext("Select one or more Aliases to use as {$title} targets from the list below.");?></strong><br/> + </td> +</tr> +<tr> + <td class="tabcont"> + <table id="sortabletable1" style="table-layout: fixed;" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="5%" align="center"> + <col width="25%" align="left" axis="string"> + <col width="35%" align="left" axis="string"> + <col width="35%" align="left" axis="string"> + </colgroup> + <thead> + <tr> + <th class="listhdrr"></th> + <th class="listhdrr" axis="string"><?=gettext("Alias Name"); ?></th> + <th class="listhdrr" axis="string"><?=gettext("Values"); ?></th> + <th class="listhdrr" axis="string"><?=gettext("Description"); ?></th> + </tr> + </thead> + <tbody> + <?php $i = 0; foreach ($a_aliases as $alias): ?> + <?php if ($alias['type'] <> "host" && $alias['type'] <> "network") + continue; + if (isset($used[$alias['name']])) + continue; + if (!$multi_ip && !snort_is_single_addr_alias($alias['name'])) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $disable = true; + $tooltip = gettext("Aliases resolving to multiple addresses cannot be used with the '{$eng}'."); + } + elseif (trim(filter_expand_alias($alias['name'])) == "") { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $disable = true; + $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations."); + } + else { + $textss = ""; + $textse = ""; + $disable = ""; + $selectablealias = true; + $tooltip = gettext("Selected entries will be imported. Click to toggle selection of this entry."); + } + ?> + <?php if ($disable): ?> + <tr title="<?=$tooltip;?>"> + <td class="listlr" align="center"><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height"11" border="0"/> + <?php else: ?> + <tr> + <td class="listlr" align="center"><input type="checkbox" name="toimport[]" value="<?=htmlspecialchars($alias['name']);?>" title="<?=$tooltip;?>"/></td> + <?php endif; ?> + <td class="listr" align="left"><?=$textss . htmlspecialchars($alias['name']) . $textse;?></td> + <td class="listr" align="left"> + <?php + $tmpaddr = explode(" ", $alias['address']); + $addresses = implode(", ", array_slice($tmpaddr, 0, 10)); + echo "{$textss}{$addresses}{$textse}"; + if(count($tmpaddr) > 10) { + echo "..."; + } + ?> + </td> + <td class="listbg" align="left"> + <?=$textss . htmlspecialchars($alias['descr']) . $textse;?> + </td> + </tr> + <?php $i++; endforeach; ?> + </table> + </td> +</tr> +<?php if (!$selectablealias): ?> +<tr> + <td class="tabcont" align="center"><b><?php echo gettext("There are currently no defined Aliases eligible for import.");?></b></td> +</tr> +<tr> + <td class="tabcont" align="center"> + <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/> + </td> +</tr> +<?php else: ?> +<tr> + <td class="tabcont" align="center"> + <input type="Submit" name="save" value="Save" id="save" class="formbtn" title="<?=gettext("Import selected item and return");?>"/> + <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/> + </td> +</tr> +<?php endif; ?> +<tr> + <td class="tabcont"> + <span class="vexpl"><span class="red"><strong><?=gettext("Note:"); ?><br></strong></span><?=gettext("Fully-Qualified Domain Name (FQDN) host Aliases cannot be used as Snort configuration parameters. Aliases resolving to a single FQDN value are disabled in the list above. In the case of nested Aliases where one or more of the nested values is a FQDN host, the FQDN host will not be included in the {$title} configuration.");?></span> + </td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index bbd4338c..9d488207 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -102,6 +102,12 @@ elseif (isset($id) && !isset($a_rule[$id])) { if (isset($_GET['dup'])) unset($id); +// Set defaults for empty key parameters +if (empty($pconfig['blockoffendersip'])) + $pconfig['blockoffendersip'] = "both"; +if (empty($pconfig['performance'])) + $pconfig['performance'] = "ac-bnfa"; + if ($_POST["Submit"]) { if (!$_POST['interface']) $input_errors[] = "Interface is mandatory"; @@ -113,7 +119,7 @@ if ($_POST["Submit"]) { $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; - /* See if the HOME_NET, EXTERNAL_NET, WHITELIST or SUPPRESS LIST values were changed */ + /* See if the HOME_NET, EXTERNAL_NET, or SUPPRESS LIST values were changed */ $snort_reload = false; if ($_POST['homelistname'] && ($_POST['homelistname'] <> $natent['homelistname'])) $snort_reload = true; @@ -121,8 +127,6 @@ if ($_POST["Submit"]) { $snort_reload = true; if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname'])) $snort_reload = true; - if ($_POST['whitelistname'] && ($_POST['whitelistname'] <> $natent['whitelistname'])) - $snort_reload = true; if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']); if ($_POST['performance']) $natent['performance'] = $_POST['performance']; else unset($natent['performance']); @@ -150,8 +154,100 @@ if ($_POST["Submit"]) { exec("mv -f {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$if_real}"); } $a_rule[$id] = $natent; - } else + } else { + // Adding new interface, so set required interface configuration defaults + $frag3_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + + $stream5_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", + "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + + $http_eng = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", + "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", + "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + + $ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + $ftp_server_eng = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + $natent['max_attribute_hosts'] = '10000'; + $natent['max_attribute_services_per_host'] = '10'; + $natent['max_paf'] = '16000'; + + $natent['ftp_preprocessor'] = 'on'; + $natent['ftp_telnet_inspection_type'] = "stateful"; + $natent['ftp_telnet_alert_encrypted'] = "off"; + $natent['ftp_telnet_check_encrypted'] = "on"; + $natent['ftp_telnet_normalize'] = "on"; + $natent['ftp_telnet_detect_anomalies'] = "on"; + $natent['ftp_telnet_ayt_attack_threshold'] = "20"; + if (!is_array($natent['ftp_client_engine']['item'])) + $natent['ftp_client_engine']['item'] = array(); + $natent['ftp_client_engine']['item'][] = $ftp_client_eng; + if (!is_array($natent['ftp_server_engine']['item'])) + $natent['ftp_server_engine']['item'] = array(); + $natent['ftp_server_engine']['item'][] = $ftp_server_eng; + + $natent['smtp_preprocessor'] = 'on'; + $natent['dce_rpc_2'] = 'on'; + $natent['dns_preprocessor'] = 'on'; + $natent['ssl_preproc'] = 'on'; + $natent['pop_preproc'] = 'on'; + $natent['imap_preproc'] = 'on'; + $natent['sip_preproc'] = 'on'; + $natent['other_preprocs'] = 'on'; + + $natent['pscan_protocol'] = 'all'; + $natent['pscan_type'] = 'all'; + $natent['pscan_memcap'] = '10000000'; + $natent['pscan_sense_level'] = 'medium'; + + $natent['http_inspect'] = "on"; + $natent['http_inspect_proxy_alert'] = "off"; + $natent['http_inspect_memcap'] = "150994944"; + $natent['http_inspect_max_gzip_mem'] = "838860"; + if (!is_array($natent['http_inspect_engine']['item'])) + $natent['http_inspect_engine']['item'] = array(); + $natent['http_inspect_engine']['item'][] = $http_eng; + + $natent['frag3_max_frags'] = '8192'; + $natent['frag3_memcap'] = '4194304'; + $natent['frag3_detection'] = 'on'; + if (!is_array($natent['frag3_engine']['item'])) + $natent['frag3_engine']['item'] = array(); + $natent['frag3_engine']['item'][] = $frag3_eng; + + $natent['stream5_reassembly'] = 'on'; + $natent['stream5_flush_on_alert'] = 'off'; + $natent['stream5_prune_log_max'] = '1048576'; + $natent['stream5_track_tcp'] = 'on'; + $natent['stream5_max_tcp'] = '262144'; + $natent['stream5_track_udp'] = 'on'; + $natent['stream5_max_udp'] = '131072'; + $natent['stream5_udp_timeout'] = '30'; + $natent['stream5_track_icmp'] = 'off'; + $natent['stream5_max_icmp'] = '65536'; + $natent['stream5_icmp_timeout'] = '30'; + $natent['stream5_mem_cap']= '8388608'; + if (!is_array($natent['stream5_tcp_engine']['item'])) + $natent['stream5_tcp_engine']['item'] = array(); + $natent['stream5_tcp_engine']['item'][] = $stream5_eng; + $a_rule[] = $natent; + } /* If Snort is disabled on this interface, stop any running instance */ if ($natent['enable'] != 'on') @@ -168,9 +264,9 @@ if ($_POST["Submit"]) { /*******************************************************/ /* Signal Snort to reload configuration if we changed */ - /* HOME_NET, the Whitelist, EXTERNAL_NET or Suppress */ - /* list values. The function only signals a running */ - /* Snort instance to safely reload these parameters. */ + /* HOME_NET, EXTERNAL_NET or Suppress list values. */ + /* The function only signals a running Snort instance */ + /* to safely reload these parameters. */ /*******************************************************/ if ($snort_reload == true) snort_reload_config($natent, "SIGHUP"); @@ -187,7 +283,7 @@ if ($_POST["Submit"]) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface Edit: {$if_friendly}"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Edit Settings"); include_once("head.inc"); ?> @@ -265,28 +361,24 @@ include_once("head.inc"); <?php endforeach; ?> </select> <span class="vexpl"><?php echo gettext("Choose which interface this Snort instance applies to."); ?><br/> - <span class="red"><?php echo gettext("Hint:"); ?> </span><?php echo gettext("in most cases, you'll want to use WAN here."); ?></span><br/></td> + <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("In most cases, you'll want to use WAN here."); ?></span><br/></td> </tr> <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Description"); ?></td> - <td width="78%" class="vtable"><input name="descr" type="text" - class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/> + <td width="78%" class="vtable"><input name="descr" type="text" + class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/> <span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference."); ?></span><br/></td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Alert Settings"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Send alerts to main " . - "System logs"); ?></td> - <td width="78%" class="vtable"><input name="alertsystemlog" - type="checkbox" value="on" - <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?> - onClick="enable_change(false)"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Send Alerts to System Logs"); ?></td> + <td width="78%" class="vtable"><input name="alertsystemlog" type="checkbox" value="on" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?>> <?php echo gettext("Snort will send Alerts to the firewall's system logs."); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Block offenders"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Block Offenders"); ?></td> <td width="78%" class="vtable"> <input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on" <?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?> @@ -295,14 +387,14 @@ include_once("head.inc"); "Snort alert."); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill states"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill States"); ?></td> <td width="78%" class="vtable"> <input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>> <?php echo gettext("Checking this option will kill firewall states for the blocked IP"); ?> </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to block"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to Block"); ?></td> <td width="78%" class="vtable"> <select name="blockoffendersip" class="formselect" id="blockoffendersip"> <?php @@ -315,7 +407,8 @@ include_once("head.inc"); } ?> </select> - <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?> + <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?><br/> + <span class="red"><?php echo gettext("Hint:") . "</span> " . gettext("Choosing BOTH is suggested, and it is the default value."); ?></span><br/></td> </td> </tr> <tr> @@ -332,8 +425,8 @@ include_once("head.inc"); foreach ($interfaces2 as $iface2 => $ifacename2): ?> <option value="<?=$iface2;?>" <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> - <?=htmlspecialchars($ifacename2);?></option> - <?php endforeach; ?> + <?=htmlspecialchars($ifacename2);?></option> + <?php endforeach; ?> </select> <?php echo gettext("Choose a fast pattern matcher algorithm. ") . "<strong>" . gettext("Default") . "</strong>" . gettext(" is ") . "<strong>" . gettext("AC-BNFA") . "</strong>"; ?>.<br/><br/> @@ -471,17 +564,17 @@ include_once("head.inc"); id="btnWhitelist" title="<?php echo gettext("Click to view currently selected Whitelist contents"); ?>"/> <br/> <span class="vexpl"><?php echo gettext("Choose the whitelist you want this interface to " . - "use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Default " . - "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?><br/> - <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("This option will only be used when block offenders is on."); ?> + "use."); ?> </span><br/><br/> + <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("This option will only be used when block offenders is on."); ?><br/> + <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Default " . + "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?> </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering " . - "file if desired."); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering file if desired."); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Suppression and filtering"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Suppression and Filtering"); ?></td> <td width="78%" class="vtable"> <select name="suppresslistname" class="formselect" id="suppresslistname"> <?php @@ -563,6 +656,9 @@ function enable_change(enable_change) { document.iform.btnHomeNet.disabled=endis; document.iform.btnWhitelist.disabled=endis; document.iform.btnSuppressList.disabled=endis; + document.iform.fpm_split_any_any.disabled=endis; + document.iform.fpm_search_optimize.disabled=endis; + document.iform.fpm_no_stream_inserts.disabled=endis; } function wopen(url, name, w, h) { @@ -592,6 +688,10 @@ function viewList(id, elemID, elemType) { url = url + getSelectedValue(elemID) + "&type=" + elemType; wopen(url, 'WhitelistViewer', 640, 480); } + +enable_change(false); +enable_blockoffenders(); + //--> </script> <?php include("fend.inc"); ?> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index d28ec2b4..b22a6934 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -44,7 +44,9 @@ $snortdir = SNORTDIR; /* make things short */ $pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; $pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; +$pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code']; $pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; +$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; @@ -56,21 +58,65 @@ $pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['s if (empty($pconfig['snortloglimit'])) $pconfig['snortloglimit'] = 'on'; if (empty($pconfig['rule_update_starttime'])) - $pconfig['rule_update_starttime'] = '00:03'; + $pconfig['rule_update_starttime'] = '00:30'; if ($_POST['rule_update_starttime']) { if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime'])) $input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'."; } -/* if no errors move foward */ +if ($_POST['snortdownload'] == "on" && empty($_POST['oinkmastercode'])) + $input_errors[] = "You must supply an Oinkmaster code in the box provided in order to enable Snort VRT rules!"; + +if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code'])) + $input_errors[] = "You must supply a subscription code in the box provided in order to enable Emerging Threats Pro rules!"; + +/* if no errors move foward with save */ if (!$input_errors) { if ($_POST["Submit"]) { - $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; - $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; + $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off'; + + // If any rule sets are being turned off, then remove them + // from the active rules section of each interface. Start + // by building an arry of prefixes for the disabled rules. + $disabled_rules = array(); + $disable_ips_policy = false; + if ($config['installedpackages']['snortglobal']['snortdownload'] == 'off') { + $disabled_rules[] = VRT_FILE_PREFIX; + $disable_ips_policy = true; + } + if ($config['installedpackages']['snortglobal']['snortcommunityrules'] == 'off') + $disabled_rules[] = GPL_FILE_PREFIX; + if ($config['installedpackages']['snortglobal']['emergingthreats'] == 'off') + $disabled_rules[] = ET_OPEN_FILE_PREFIX; + if ($config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'off') + $disabled_rules[] = ET_PRO_FILE_PREFIX; + + // Now walk all the configured interface rulesets and remove + // any matching the disabled ruleset prefixes. + if (is_array($config['installedpackages']['snortglobal']['rule'])) { + foreach ($config['installedpackages']['snortglobal']['rule'] as &$iface) { + // Disable Snort IPS policy if VRT rules are disabled + if ($disable_ips_policy) { + $iface['ips_policy_enable'] = 'off'; + unset($iface['ips_policy']); + } + $enabled_rules = explode("||", $iface['rulesets']); + foreach ($enabled_rules as $k => $v) { + foreach ($disabled_rules as $d) + if (strpos(trim($v), $d) !== false) + unset($enabled_rules[$k]); + } + $iface['rulesets'] = implode("||", $enabled_rules); + } + } + + $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; + $config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code']; $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; if ($_POST['snortloglimitsize']) { @@ -112,7 +158,7 @@ if (!$input_errors) { } } -$pgtitle = 'Services: Snort: Global Settings'; +$pgtitle = gettext("Snort: Global Settings"); include_once("head.inc"); ?> @@ -127,7 +173,7 @@ if($pfsense_stable == 'yes') /* Display Alert message, under form tag or no refresh */ if ($input_errors) - print_input_errors($input_errors); // TODO: add checks + print_input_errors($input_errors); ?> @@ -152,71 +198,93 @@ if ($input_errors) <div id="mainarea"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The " . - "Type Of Rules You Wish To Download"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The Type Of Rules You Wish To Download");?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort VRT%s rules"), '<strong>' , '</strong>'); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Snort VRT") . "</strong>" . gettext(" rules");?></td> <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td><input name="snortdownload" type="radio" id="snortdownload" value="off" onclick="enable_snort_vrt('off')" - <?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?> > </td> - <td><span class="vexpl"><?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></span></td> - </tr> - <tr> - <td><input name="snortdownload" type="radio" id="snortdownload" value="on" onclick="enable_snort_vrt('on')" + <td><input name="snortdownload" type="checkbox" id="snortdownload" value="on" onclick="enable_snort_vrt();" <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td> - <td><span class="vexpl"><?php echo gettext("Install Basic Rules or Premium rules"); ?></span></td> + <td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td> <tr> <td> </td> - <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a Basic Rule Account"); ?> </a><br> + <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br/> <a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank"> - <?php echo gettext("Sign Up for Sourcefire VRT Certified Premium Rules. This Is Highly Recommended"); ?></a></td> + <?php echo gettext("Sign Up for paid Sourcefire VRT Certified Subscriber Rules"); ?></a></td> </tr> + </table> + <table id="snort_oink_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td colspan="2"> </td> </tr> - </table> - <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Oinkmaster Configuration"); ?></span></b></td> + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Snort VRT Oinkmaster Configuration"); ?></span></b></td> </tr> <tr> - <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code"); ?></strong></span></td> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> <td><input name="oinkmastercode" type="text" - class="formfld" id="oinkmastercode" size="52" - value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" - <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br> + class="formfld unknown" id="oinkmastercode" size="52" + value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br/> <?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td> </tr> - </table> + </table> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " . - "rules"), '<strong>' , '</strong>'); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Snort Community") . "</strong>" . gettext(" rules");?></td> <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="yes" - <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td> - <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . - "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?> - <br/><br/><?php printf(gettext("%sNote: %sIf you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the Snort VRT rules, and there is no benefit in adding this rule set."),'<span class="red"><strong>' ,'</strong></span>'); ?></span><br></td> + <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on" + <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked";?> ></td> + <td class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . + "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset.");?> + <br/><br/><?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . + gettext("If you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the ") . + gettext("Snort VRT rules, and there is no benefit in adding this rule set.");?><br/></td> </tr> </table></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmerging Threats%s " . - "rules"), '<strong>' , '</strong>'); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Emerging Threats") . "</strong>" . gettext(" rules");?></td> <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="yes" - <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>> - <td><span class="vexpl"><?php echo gettext("Emerging Threats is an open source community that produces fast " . - "moving and diverse Snort Rules."); ?></span></td> + <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="on" onclick="enable_et_rules();" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>></td> + <td><span class="vexpl"><?php echo gettext("ETOpen is an open source set of Snort rules whose coverage " . + "is more limited than ETPro."); ?></span></td> + </tr> + <tr> + <td valign="top" width="8%"><input name="emergingthreats_pro" type="checkbox" value="on" onclick="enable_etpro_rules();" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats_pro']=="on") echo "checked"; ?>></td> + <td><span class="vexpl"><?php echo gettext("ETPro for Snort offers daily updates and extensive coverage of current malware threats."); ?></span></td> </tr> + <tr> + <td> </td> + <td><a href="http://www.emergingthreats.net/solutions/etpro-ruleset/" target="_blank"><?php echo gettext("Sign Up for an ETPro Account"); ?> </a></td> + </tr> + <tr> + <td> </td> + <td class="vexpl"><?php echo "<span class='red'><strong>" . gettext("Note:") . "</strong></span>" . " " . + gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?></td> + </tr> + </table> + <table id="etpro_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td colspan="2"> </td> + </tr> + <tr> + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("ETPro Subscription Configuration"); ?></span></b></td> + </tr> + <tr> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> + <td><input name="etpro_code" type="text" + class="formfld unknown" id="etpro_code" size="52" + value="<?=htmlspecialchars($pconfig['etpro_code']);?>"><br/> + <?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td> + </tr> </table> </td> </tr> @@ -241,7 +309,7 @@ if ($input_errors) </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Update Start Time"); ?></td> - <td width="78%" class="vtable"><input type="text" class="formfld" name="rule_update_starttime" id="rule_update_starttime" size="4" + <td width="78%" class="vtable"><input type="text" class="formfld time" name="rule_update_starttime" id="rule_update_starttime" size="4" maxlength="5" value="<?=$pconfig['rule_update_starttime'];?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?>><span class="vexpl"> <?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" . gettext("Default") . " </strong>" . gettext("is ") . "<strong>" . gettext("00:03") . "</strong></span>"; ?>.<br/><br/> @@ -269,44 +337,42 @@ if ($input_errors) <tr> <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="off" <?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong> - <?php echo gettext("directory size limit"); ?></span><br> - <br> + <?php echo gettext("directory size limit"); ?></span><br/> + <br/> <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("Nanobsd " . "should use no more than 10MB of space."); ?></td> </tr> </table> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td><span class="vexpl"><?php echo gettext("Size in"); ?> <strong>MB</strong></span></td> - <td><input name="snortloglimitsize" type="text" class="formfld" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> - <?php printf(gettext("Default is %s20%%%s of available space."), '<strong>', '</strong>'); ?></td> + <td class="vexpl"><?php echo gettext("Size in ") . "<strong>" . gettext("MB:") . "</strong>";?> + <input name="snortloglimitsize" type="text" class="formfld unknown" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> + <?php echo gettext("Default is ") . "<strong>" . gettext("20%") . "</strong>" . gettext(" of available space.");?></td> </tr> </table> </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove blocked hosts " . - "every"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Blocked Hosts Interval"); ?></td> <td width="78%" class="vtable"> <select name="rm_blocked" class="formselect" id="rm_blocked"> <?php - $interfaces3 = array('never_b' => gettext('NEVER'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS')); + $interfaces3 = array('never_b' => gettext('NEVER'), '15m_b' => gettext('15 MINS'), '30m_b' => gettext('30 MINS'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS')); foreach ($interfaces3 as $iface3 => $ifacename3): ?> <option value="<?=$iface3;?>" <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>> <?=htmlspecialchars($ifacename3);?></option> <?php endforeach; ?> - </select> - <?php echo gettext("Please select the amount of time you would like hosts to be blocked for."); ?><br/><br/> - <?php printf(gettext("%sHint:%s in most cases, 1 hour is a good choice."), '<span class="red"><strong>', '</strong></span>'); ?></td> + </select> + <?php echo gettext("Please select the amount of time you would like hosts to be blocked."); ?><br/><br/> + <?php echo "<span class=\"red\"><strong>" . gettext("Hint:") . "</strong></span>" . gettext(" in most cases, 1 hour is a good choice.");?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep snort settings " . - "after deinstall"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Snort Settings After Deinstall"); ?></td> <td width="78%" class="vtable"><input name="forcekeepsettings" id="forcekeepsettings" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?> - > <?php echo gettext("Settings will not be removed during deinstall."); ?></td> + > <?php echo gettext("Settings will not be removed during package deinstallation."); ?></td> </tr> <tr> <td width="22%" valign="top"> @@ -316,10 +382,8 @@ if ($input_errors) </tr> <tr> <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?><br> - </strong></span> <?php echo gettext("Changing any settings on this page will affect all " . - "interfaces. Double check that your oink code is correct, and verify the " . - "type of Snort.org account you hold."); ?></span></td> + <td width="78%" class="vexpl"><span class="red"><strong><?php echo gettext("Note:");?></strong> + </span><?php echo gettext("Changing any settings on this page will affect all Snort-configured interfaces.");?></td> </tr> </table> </div><br/> @@ -330,13 +394,33 @@ if ($input_errors) <script language="JavaScript"> <!-- -function enable_snort_vrt(btn) { - if (btn == 'off') { - document.iform.oinkmastercode.disabled = "true"; +function enable_snort_vrt() { + var endis = !(document.iform.snortdownload.checked); + if (endis) + document.getElementById("snort_oink_code_tbl").style.display = "none"; + else + document.getElementById("snort_oink_code_tbl").style.display = "table"; +} + +function enable_et_rules() { + var endis = document.iform.emergingthreats.checked; + if (endis) { + document.iform.emergingthreats_pro.checked = !(endis); + document.getElementById("etpro_code_tbl").style.display = "none"; + } +} + +function enable_etpro_rules() { + var endis = document.iform.emergingthreats_pro.checked; + if (endis) { + document.iform.emergingthreats.checked = !(endis); + document.iform.etpro_code.disabled = ""; + document.getElementById("etpro_code_tbl").style.display = "table"; + } + else { + document.iform.etpro_code.disabled = "true"; + document.getElementById("etpro_code_tbl").style.display = "none"; } - if (btn == 'on') { - document.iform.oinkmastercode.disabled = ""; - } } function enable_change_rules_upd() { @@ -346,6 +430,12 @@ function enable_change_rules_upd() { document.iform.rule_update_starttime.disabled=""; } +// Initialize the form controls state based on saved settings +enable_snort_vrt(); +enable_et_rules(); +enable_etpro_rules(); +enable_change_rules_upd(); + //--> </script> diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index 7eed6dd3..e42b7f8c 100644 --- a/config/snort/snort_interfaces_suppress.php +++ b/config/snort/snort_interfaces_suppress.php @@ -84,7 +84,7 @@ if ($_GET['act'] == "del") { } } -$pgtitle = "Services: Snort: Suppression"; +$pgtitle = gettext("Snort: Suppression Lists"); include_once("head.inc"); ?> diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 1eb16260..3d703987 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -126,7 +126,7 @@ if ($_POST['submit']) { } } -$pgtitle = "Services: Snort: Suppression: Edit"; +$pgtitle = gettext("Snort: Suppression List Edit - {$a_suppress[$id]['name']}"); include_once("head.inc"); ?> @@ -166,7 +166,7 @@ if ($savemsg) <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Name"); ?></td> <td width="78%" class="vtable"><input name="name" type="text" id="name" - class="formfld unkown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> + class="formfld unknown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> <span class="vexpl"> <?php echo gettext("The list name may only consist of the " . "characters \"a-z, A-Z, 0-9 and _\"."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> <?php echo gettext("No Spaces or dashes."); ?> </span></td> @@ -174,7 +174,7 @@ if ($savemsg) <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td> <td width="78%" class="vtable"><input name="descr" type="text" - class="formfld unkown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br /> + class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br /> <span class="vexpl"> <?php echo gettext("You may enter a description here for your " . "reference (not parsed)."); ?> </span></td> </tr> diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php index ab22103e..9391eb85 100644 --- a/config/snort/snort_interfaces_whitelist.php +++ b/config/snort/snort_interfaces_whitelist.php @@ -61,7 +61,7 @@ if ($_GET['act'] == "del") { } } -$pgtitle = "Services: Snort: Whitelist"; +$pgtitle = gettext("Snort: Whitelists"); include_once("head.inc"); ?> diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index fc157375..cbc31378 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -38,6 +38,11 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +if ($_POST['cancel']) { + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; +} + if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) $config['installedpackages']['snortglobal']['whitelist'] = array(); if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) @@ -88,6 +93,12 @@ if (isset($id) && $a_whitelist[$id]) { $pconfig['vpnips'] = $a_whitelist[$id]['vpnips']; } +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + if ($_GET['varname'] == "address" && !empty($_GET['varvalue'])) + $pconfig[$_GET['varname']] = $_GET['varvalue']; +} + if ($_POST['submit']) { conf_mount_rw(); @@ -118,7 +129,7 @@ if ($_POST['submit']) { if ($_POST['address']) if (!is_alias($_POST['address'])) - $input_errors[] = gettext("A valid alias need to be provided"); + $input_errors[] = gettext("A valid alias must be provided"); if (!$input_errors) { $w_list = array(); @@ -151,7 +162,7 @@ if ($_POST['submit']) { } } -$pgtitle = "Services: Snort: Whitelist: Edit $whitelist_uuid"; +$pgtitle = gettext("Snort: Whitelist Edit - {$a_whitelist[$id]['name']}"); include_once("head.inc"); ?> @@ -193,7 +204,7 @@ if ($savemsg) </tr> <tr> <td valign="top" class="vncellreq"><?php echo gettext("Name"); ?></td> - <td class="vtable"><input name="name" type="text" id="name" + <td class="vtable"><input name="name" type="text" id="name" class="formfld unknown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> <span class="vexpl"> <?php echo gettext("The list name may only consist of the " . "characters \"a-z, A-Z, 0-9 and _\"."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> @@ -201,7 +212,7 @@ if ($savemsg) </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td> - <td width="78%" class="vtable"><input name="descr" type="text" + <td width="78%" class="vtable"><input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br /> <span class="vexpl"> <?php echo gettext("You may enter a description here for your " . "reference (not parsed)."); ?> </span></td> @@ -261,14 +272,17 @@ if ($savemsg) <div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div> </td> <td width="78%" class="vtable"> - <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" /> + <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" + title="<?=trim(filter_expand_alias($pconfig['address']));?>" /> + <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=0&type=host|network&varname=address&act=import&multi_ip=yes&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing IP alias");?>"/> </td> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> <input id="submit" name="submit" type="submit" class="formbtn" value="Save" /> - <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" value="Cancel" onclick="history.back()" /> + <input id="cancel" name="cancel" type="submit" class="formbtn" value="Cancel" /> <input name="id" type="hidden" value="<?=$id;?>" /> </td> </tr> @@ -287,6 +301,9 @@ if ($savemsg) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] != "host" && $alias_name['type'] != "network") continue; + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php new file mode 100644 index 00000000..1a555408 --- /dev/null +++ b/config/snort/snort_migrate_config.php @@ -0,0 +1,307 @@ +<?php +/* + * snort_migrate_config.inc + * + * Copyright (C) 2013 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("config.inc"); +require_once("functions.inc"); + +/****************************************************************************/ +/* The code in this module is called once during the post-install process */ +/* via an "include" line. It is used to perform a one-time migration of */ +/* Snort preprocessor configuration parameters into the new format used */ +/* by the multi-engine config feature. Configuration parameters for the */ +/* multiple configuration engines of some preprocessors are stored as */ +/* array values within the "config.xml" file in the [snortglobals] section. */ +/****************************************************************************/ + +global $config; + +if (!is_array($config['installedpackages']['snortglobal'])) + $config['installedpackages']['snortglobal'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +// Just exit if this is a clean install with no saved settings +if (empty($config['installedpackages']['snortglobal']['rule'])) + return; + +$rule = &$config['installedpackages']['snortglobal']['rule']; + +/****************************************************************************/ +/* Loop through all the <rule> elements in the Snort configuration and */ +/* migrate the relevant preprocessor parameters to the new format. */ +/****************************************************************************/ + +$updated_cfg = false; +log_error("[Snort] Checking configuration settings version..."); + +// Check the configuration version to see if XMLRPC Sync should +// auto-disabled as part of the upgrade due to config format changes. +if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) && + ($config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'auto' || + $config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'manual')) { + $config['installedpackages']['snortsync']['config']['varsynconchanges'] = "disabled"; + log_error("[Snort] Turning off Snort Sync on this host due to configuration format changes in this update. Upgrade all Snort Sync targets to this same Snort package version before re-enabling Snort Sync."); + $updated_cfg = true; +} + +foreach ($rule as &$r) { + // Initialize arrays for supported preprocessors if necessary + if (!is_array($r['frag3_engine']['item'])) + $r['frag3_engine']['item'] = array(); + if (!is_array($r['stream5_tcp_engine']['item'])) + $r['stream5_tcp_engine']['item'] = array(); + if (!is_array($r['http_inspect_engine']['item'])) + $r['http_inspect_engine']['item'] = array(); + if (!is_array($r['ftp_client_engine']['item'])) + $r['ftp_client_engine']['item'] = array(); + if (!is_array($r['ftp_server_engine']['item'])) + $r['ftp_server_engine']['item'] = array(); + + $pconfig = array(); + $pconfig = $r; + + // Create a default "frag3_engine" if none are configured + if (empty($pconfig['frag3_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating Frag3 Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + + // Ensure sensible default values exist for global Frag3 parameters + if (empty($pconfig['frag3_max_frags'])) + $pconfig['frag3_max_frags'] = '8192'; + if (empty($pconfig['frag3_memcap'])) + $pconfig['frag3_memcap'] = '4194304'; + if (empty($pconfig['frag3_detection'])) + $pconfig['frag3_detection'] = 'on'; + + // Put any old values in new default engine and remove old value + if (isset($pconfig['frag3_policy'])) + $default['policy'] = $pconfig['frag3_policy']; + unset($pconfig['frag3_policy']); + if (isset($pconfig['frag3_timeout']) && is_numeric($pconfig['frag3_timeout'])) + $default['timeout'] = $pconfig['frag3_timeout']; + unset($pconfig['frag3_timeout']); + if (isset($pconfig['frag3_overlap_limit']) && is_numeric($pconfig['frag3_overlap_limit'])) + $default['overlap_limit'] = $pconfig['frag3_overlap_limit']; + unset($pconfig['frag3_overlap_limit']); + if (isset($pconfig['frag3_min_frag_len']) && is_numeric($pconfig['frag3_min_frag_len'])) + $default['min_frag_len'] = $pconfig['frag3_min_frag_len']; + unset($pconfig['frag3_min_frag_len']); + + $pconfig['frag3_engine']['item'] = array(); + $pconfig['frag3_engine']['item'][] = $default; + } + + // Create a default Stream5 engine array if none are configured + if (empty($pconfig['stream5_tcp_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating Stream5 Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", + "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + + // Ensure sensible defaults exist for Stream5 global parameters + if (empty($pconfig['stream5_reassembly'])) + $pconfig['stream5_reassembly'] = 'on'; + if (empty($pconfig['stream5_flush_on_alert'])) + $pconfig['stream5_flush_on_alert'] = 'off'; + if (empty($pconfig['stream5_prune_log_max'])) + $pconfig['stream5_prune_log_max'] = '1048576'; + if (empty($pconfig['stream5_track_tcp'])) + $pconfig['stream5_track_tcp'] = 'on'; + if (empty($pconfig['stream5_max_tcp'])) + $pconfig['stream5_max_tcp'] = '262144'; + if (empty($pconfig['stream5_track_udp'])) + $pconfig['stream5_track_udp'] = 'on'; + if (empty($pconfig['stream5_max_udp'])) + $pconfig['stream5_max_udp'] = '131072'; + if (empty($pconfig['stream5_udp_timeout'])) + $pconfig['stream5_udp_timeout'] = '30'; + if (empty($pconfig['stream5_track_icmp'])) + $pconfig['stream5_track_icmp'] = 'off'; + if (empty($pconfig['stream5_max_icmp'])) + $pconfig['stream5_max_icmp'] = '65536'; + if (empty($pconfig['stream5_icmp_timeout'])) + $pconfig['stream5_icmp_timeout'] = '30'; + if (empty($pconfig['stream5_mem_cap'])) + $pconfig['stream5_mem_cap']= '8388608'; + + // Put any old values in new default engine and remove old value + if (isset($pconfig['stream5_policy'])) + $default['policy'] = $pconfig['stream5_policy']; + unset($pconfig['stream5_policy']); + if (isset($pconfig['stream5_tcp_timeout']) && is_numeric($pconfig['stream5_tcp_timeout'])) + $default['timeout'] = $pconfig['stream5_tcp_timeout']; + unset($pconfig['stream5_tcp_timeout']); + if (isset($pconfig['stream5_overlap_limit']) && is_numeric($pconfig['stream5_overlap_limit'])) + $default['overlap_limit'] = $pconfig['stream5_overlap_limit']; + unset($pconfig['stream5_overlap_limit']); + if (isset($pconfig['stream5_require_3whs'])) + $default['require_3whs'] = $pconfig['stream5_require_3whs']; + unset($pconfig['stream5_require_3whs']); + if (isset($pconfig['stream5_no_reassemble_async'])) + $default['no_reassemble_async'] = $pconfig['stream5_no_reassemble_async']; + unset($pconfig['stream5_no_reassemble_async']); + if (isset($pconfig['stream5_dont_store_lg_pkts'])) + $default['dont_store_lg_pkts'] = $pconfig['stream5_dont_store_lg_pkts']; + unset($pconfig['stream5_dont_store_lg_pkts']); + if (isset($pconfig['max_queued_bytes']) && is_numeric($pconfig['max_queued_bytes'])) + $default['max_queued_bytes'] = $pconfig['max_queued_bytes']; + unset($pconfig['max_queued_bytes']); + if (isset($pconfig['max_queued_segs']) && is_numeric($pconfig['max_queued_segs'])) + $default['max_queued_segs'] = $pconfig['max_queued_segs']; + unset($pconfig['max_queued_segs']); + + $pconfig['stream5_tcp_engine']['item'] = array(); + $pconfig['stream5_tcp_engine']['item'][] = $default; + } + + // Create a default HTTP_INSPECT engine if none are configured + if (empty($pconfig['http_inspect_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating HTTP_Inspect Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", + "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", + "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + + // Ensure sensible default values exist for global HTTP_INSPECT parameters + if (empty($pconfig['http_inspect'])) + $pconfig['http_inspect'] = "on"; + if (empty($pconfig['http_inspect_proxy_alert'])) + $pconfig['http_inspect_proxy_alert'] = "off"; + if (empty($pconfig['http_inspect_memcap'])) + $pconfig['http_inspect_memcap'] = "150994944"; + if (empty($pconfig['http_inspect_max_gzip_mem'])) + $pconfig['http_inspect_max_gzip_mem'] = "838860"; + + // Put any old values in new default engine and remove old value + if (isset($pconfig['server_flow_depth']) && is_numeric($pconfig['server_flow_depth'])) + $default['server_flow_depth'] = $pconfig['server_flow_depth']; + unset($pconfig['server_flow_depth']); + if (isset($pconfig['client_flow_depth']) & is_numeric($pconfig['client_flow_depth'])) + $default['client_flow_depth'] = $pconfig['client_flow_depth']; + unset($pconfig['client_flow_depth']); + if (isset($pconfig['http_server_profile'])) + $default['server_profile'] = $pconfig['http_server_profile']; + unset($pconfig['http_server_profile']); + if (isset($pconfig['http_inspect_enable_xff'])) + $default['enable_xff'] = $pconfig['http_inspect_enable_xff']; + unset($pconfig['http_inspect_enable_xff']); + if (isset($pconfig['http_inspect_log_uri'])) + $default['log_uri'] = $pconfig['http_inspect_log_uri']; + unset($pconfig['http_inspect_log_uri']); + if (isset($pconfig['http_inspect_log_hostname'])) + $default['log_hostname'] = $pconfig['http_inspect_log_hostname']; + unset($pconfig['http_inspect_log_hostname']); + if (isset($pconfig['noalert_http_inspect'])) + $default['no_alerts'] = $pconfig['noalert_http_inspect']; + unset($pconfig['noalert_http_inspect']); + + $pconfig['http_inspect_engine']['item'] = array(); + $pconfig['http_inspect_engine']['item'][] = $default; + } + + // Create a default FTP_CLIENT engine if none are configured + if (empty($pconfig['ftp_client_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating FTP Client Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + // Set defaults for new FTP_Telnet preprocessor configurable parameters + if (empty($pconfig['ftp_telnet_inspection_type'])) + $pconfig['ftp_telnet_inspection_type'] = 'stateful'; + if (empty($pconfig['ftp_telnet_alert_encrypted'])) + $pconfig['ftp_telnet_alert_encrypted'] = 'off'; + if (empty($pconfig['ftp_telnet_check_encrypted'])) + $pconfig['ftp_telnet_check_encrypted'] = 'on'; + if (empty($pconfig['ftp_telnet_normalize'])) + $pconfig['ftp_telnet_normalize'] = 'on'; + if (empty($pconfig['ftp_telnet_detect_anomalies'])) + $pconfig['ftp_telnet_detect_anomalies'] = 'on'; + if (empty($pconfig['ftp_telnet_ayt_attack_threshold'])) + $pconfig['ftp_telnet_ayt_attack_threshold'] = '20'; + + // Add new FTP_Telnet Client default engine + $pconfig['ftp_client_engine']['item'] = array(); + $pconfig['ftp_client_engine']['item'][] = $default; + } + + // Create a default FTP_SERVER engine if none are configured + if (empty($pconfig['ftp_server_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating FTP Server Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + // Add new FTP_Telnet Server default engine + $pconfig['ftp_server_engine']['item'] = array(); + $pconfig['ftp_server_engine']['item'][] = $default; + } + + // Set sensible defaults for new SDF options if SDF is enabled + if ($pconfig['sensitive_data'] == 'on') { + if (empty($pconfig['sdf_alert_threshold'])) { + $pconfig['sdf_alert_threshold'] = 25; + $updated_cfg = true; + } + if (empty($pconfig['sdf_alert_data_type'])) { + $pconfig['sdf_alert_data_type'] = "Credit Card,Email Addresses,U.S. Phone Numbers,U.S. Social Security Numbers"; + $updated_cfg = true; + } + } + + // Save the new configuration data into the $config array pointer + $r = $pconfig; +} +// Release reference to final array element +unset($r); + +// Write out the new configuration to disk if we changed anything +if ($updated_cfg) { + $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.1"; + log_error("[Snort] Saving configuration settings in new format..."); + write_config(); + log_error("[Snort] Settings successfully migrated to new configuration format..."); +} +else + log_error("[Snort] Configuration version is current..."); + +?> diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php new file mode 100644 index 00000000..a7b54503 --- /dev/null +++ b/config/snort/snort_post_install.php @@ -0,0 +1,1464 @@ +<?php +/* + * snort_post_install.php + * + * Copyright (C) 2006 Scott Ullrich + * Copyright (C) 2009-2010 Robert Zelaya + * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2013 Bill Meeks + * part of pfSense + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/****************************************************************************/ +/* This module is called once during the Snort package installation to */ +/* perform required post-installation setup. It should only be executed */ +/* from the Package Manager process via the custom-post-install hook in */ +/* the snort.xml package configuration file. */ +/****************************************************************************/ + +require_once("config.inc"); +require_once("functions.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; + +$snortdir = SNORTDIR; +$snortlibdir = SNORTLIBDIR; +$rcdir = RCFILEPREFIX; + +// This is a hack to workaround the caching of the old "snort.inc" by the +// Package Manager installation code. We need this new function which is +// in the new snort.inc file during post-installation. +if (!function_exists('snort_expand_port_range')) { + function snort_expand_port_range($ports, $delim = ',') { + // Split the incoming string on the specified delimiter + $tmp = explode($delim, $ports); + + // Look for any included port range and expand it + foreach ($tmp as $val) { + if (is_portrange($val)) { + $start = strtok($val, ":"); + $end = strtok(":"); + if ($end !== false) { + $val = $start . $delim; + for ($i = intval($start) + 1; $i < intval($end); $i++) + $val .= strval($i) . $delim; + $val .= $end; + } + } + $value .= $val . $delim; + } + + // Remove any trailing delimiter in return value + return trim($value, $delim); + } +} + +// This function mirrors the "snort_generate_conf()" function in the +// "snort.inc" file. It is here with a modified name as a workaround +// so that functionality built into the new package version can be +// implemented during installation. During a package reinstall, the +// Package Manager will cache the old version of "snort.inc" and thus +// new features are not available from the new "snort.inc" file in the +// new package. +function snort_build_new_conf($snortcfg) { + + global $config, $g, $rebuild_rules; + + $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; + $snortlogdir = SNORTLOGDIR; + $flowbit_rules_file = FLOWBITS_FILENAME; + $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; + + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + /* See if we should protect and not modify the preprocessor rules files */ + if (!empty($snortcfg['protect_preproc_rules'])) + $protect_preproc_rules = $snortcfg['protect_preproc_rules']; + else + $protect_preproc_rules = "off"; + + $if_real = snort_get_real_interface($snortcfg['interface']); + $snort_uuid = $snortcfg['uuid']; + $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; + + /* custom home nets */ + $home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']); + $home_net = implode(",", $home_net_list); + + $external_net = '!$HOME_NET'; + if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') { + $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']); + $external_net = implode(",", $external_net_list); + } + + /* user added arguments */ + $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); + // Remove the trailing newline + $snort_config_pass_thru = rtrim($snort_config_pass_thru); + + /* create a few directories and ensure the sample files are in place */ + $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", + "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", + "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", + "{$snortcfgdir}/preproc_rules", + "dynamicrules" => "{$snortlibdir}/dynamicrules", + "dynamicengine" => "{$snortlibdir}/dynamicengine", + "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" + ); + foreach ($snort_dirs as $dir) { + if (!is_dir($dir)) + safe_mkdir($dir); + } + + /********************************************************************/ + /* For fail-safe on an initial startup following installation, and */ + /* before a rules update has occurred, copy the default config */ + /* files to the interface directory. If files already exist in */ + /* the interface directory, or they are newer, that means a rule */ + /* update has been done and we should leave the customized files */ + /* put in place by the rules update process. */ + /********************************************************************/ + $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd", + "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", + "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" + ); + foreach ($snort_files as $file) { + if (file_exists("{$snortdir}/{$file}")) { + $ftime = filemtime("{$snortdir}/{$file}"); + if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) + @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + } + } + + /* define alertsystemlog */ + $alertsystemlog_type = ""; + if ($snortcfg['alertsystemlog'] == "on") + $alertsystemlog_type = "output alert_syslog: log_alert"; + + /* define snortunifiedlog */ + $snortunifiedlog_type = ""; + if ($snortcfg['snortunifiedlog'] == "on") + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; + + /* define spoink */ + $spoink_type = ""; + if ($snortcfg['blockoffenders7'] == "on") { + $pfkill = ""; + if ($snortcfg['blockoffenderskill'] == "on") + $pfkill = "kill"; + $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); + /* write whitelist */ + @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); + $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; + } + + /* define selected suppress file */ + $suppress_file_name = ""; + $suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress'); + if (!empty($suppress)) { + $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); + @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data); + $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}"; + } + + /* set the snort performance model */ + $snort_performance = "ac-bnfa"; + if(!empty($snortcfg['performance'])) + $snort_performance = $snortcfg['performance']; + + /* if user has defined a custom ssh port, use it */ + if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) + $ssh_port = $config['system']['ssh']['port']; + else + $ssh_port = "22"; + + /* Define an array of default values for the various preprocessor ports */ + $snort_ports = array( + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", + "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", + "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, + "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", + "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", + "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", + "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", + "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", + "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", + "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", + "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", + "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", + "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", + "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", + "GTP_PORTS" => "2123,2152,3386" + ); + + /* Check for defined Aliases that may override default port settings as we build the portvars array */ + $portvardef = ""; + foreach ($snort_ports as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) + $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); + $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; + } + + /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ + $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; + $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; + $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; + $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; + $stream5_ports_client .= "\t 32778 32779"; + $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; + $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; + $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; + $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; + $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; + $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; + $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; + $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; + $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; + $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; + $stream5_ports_both .= "\t 55555 56712"; + + ///////////////////////////// + /* preprocessor code */ + /* def perform_stat */ + $perform_stat = <<<EOD +# Performance Statistics # +preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000 + +EOD; + + /* def ftp_preprocessor */ + $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); + $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); + + // Configure FTP_Telnet global options + $ftp_telnet_globals = "inspection_type "; + if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; } + if ($snortcfg['ftp_telnet_alert_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes"; + else + $ftp_telnet_globals .= " \\\n\tencrypted_traffic no"; + if ($snortcfg['ftp_telnet_check_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tcheck_encrypted"; + + // Configure FTP_Telnet Telnet protocol options + $ftp_telnet_protocol = "ports { {$telnet_ports} }"; + if ($snortcfg['ftp_telnet_normalize'] == "on") + $ftp_telnet_protocol .= " \\\n\tnormalize"; + if ($snortcfg['ftp_telnet_detect_anomalies'] == "on") + $ftp_telnet_protocol .= " \\\n\tdetect_anomalies"; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') { + $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") + $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; + else + $ftp_telnet_protocol .= "20"; + } + + // Setup the standard FTP commands used for all FTP Server engines + $ftp_cmds = <<<EOD + ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \ + ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \ + ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \ + ftp_cmds { LPSV MACB MAIL MDTM MFMT MIC MKD MLSD MLST } \ + ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \ + ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \ + ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \ + ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \ + ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \ + ftp_cmds { XSEN XSHA1 XSHA256 } \ + alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \ + alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \ + alt_max_param_len 256 { CWD RNTO } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { MFMT SIZE } \ + chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \ + chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \ + chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \ + chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \ + chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \ + chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \ + chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ + chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ + cmd_validity MACB < string > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity PORT < host_port > \ + cmd_validity PROT < char CSEP > \ + cmd_validity STRU < char FRPO [ string ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > + +EOD; + + // Configure all the FTP_Telnet FTP protocol options + // Iterate and configure the FTP Client engines + $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + if (!is_array($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'] = array(); + + // If no FTP client engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; + $ftp_client_engine = ""; + + foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp client "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['max_resp_len'] == "") + $buffer .= "\tmax_resp_len 256 \\\n"; + else + $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + + if ($v['bounce'] == "yes") { + if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { + $net = trim(filter_expand_alias($v['bounce_to_net'])); + $port = trim(filter_expand_alias($v['bounce_to_port'])); + if (!empty($net) && !empty($port) && + snort_is_single_addr_alias($v['bounce_to_net']) && + (is_port($port) || is_portrange($port))) { + $port = preg_replace('/\s+/', ',', $port); + // Change port range delimiter to comma for ftp_telnet client preprocessor + if (is_portrange($port)) + $port = str_replace(":", ",", $port); + $buffer .= "\tbounce yes \\\n"; + $buffer .= "\tbounce_to { {$net},{$port} }\n"; + } + else { + // One or both of the BOUNCE_TO alias values is not right, + // so figure out which and log an appropriate error. + if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) + log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + if (empty($port) || !(is_port($port) || is_portrange($port))) + log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + $buffer .= "\tbounce yes\n"; + } + } + else + $buffer .= "\tbounce yes\n"; + } + else + $buffer .= "\tbounce no\n"; + + // Add this FTP client engine to the master string + $ftp_client_engine .= "{$buffer}\n"; + } + // Trim final trailing newline + rtrim($ftp_client_engine); + + // Iterate and configure the FTP Server engines + $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + if (!is_array($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'] = array(); + + // If no FTP server engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; + $ftp_server_engine = ""; + + foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp server "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['def_max_param_len'] == "") + $buffer .= "\tdef_max_param_len 100 \\\n"; + elseif ($v['def_max_param_len'] <> '0') + $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; + + if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) + $buffer .= "\tports { {$ftp_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $buffer .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); + $buffer .= "\tports { {$ftp_ports} } \\\n"; + } + } + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + if ($v['ignore_data_chan'] == "yes") + $buffer .= "\tignore_data_chan yes \\\n"; + $buffer .= "{$ftp_cmds}\n"; + + // Add this FTP server engine to the master string + $ftp_server_engine .= $buffer; + } + // Remove trailing newlines + rtrim($ftp_server_engine); + + $ftp_preprocessor = <<<EOD +# ftp_telnet preprocessor # +preprocessor ftp_telnet: global \ + {$ftp_telnet_globals} + +preprocessor ftp_telnet_protocol: telnet \ + {$ftp_telnet_protocol} + +{$ftp_server_engine} +{$ftp_client_engine} +EOD; + + $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); + $pop_preproc = <<<EOD +# POP preprocessor # +preprocessor pop: \ + ports { {$pop_ports} } \ + memcap 1310700 \ + qp_decode_depth 0 \ + b64_decode_depth 0 \ + bitenc_decode_depth 0 + +EOD; + + $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports'])); + $imap_preproc = <<<EOD +# IMAP preprocessor # +preprocessor imap: \ + ports { {$imap_ports} } \ + memcap 1310700 \ + qp_decode_depth 0 \ + b64_decode_depth 0 \ + bitenc_decode_depth 0 + +EOD; + + $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports'])); + /* def smtp_preprocessor */ + $smtp_preprocessor = <<<EOD +# SMTP preprocessor # +preprocessor SMTP: \ + ports { {$smtp_ports} } \ + inspection_type stateful \ + normalize cmds \ + ignore_tls_data \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \ + NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \ + STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \ + XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \ + IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \ + ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \ + XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } \ + log_mailfrom \ + log_rcptto \ + log_email_hdrs \ + email_hdrs_log_depth 1464 \ + log_filename \ + qp_decode_depth 0 \ + b64_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 + +EOD; + + /* def sf_portscan */ + $sf_pscan_protocol = "all"; + if (!empty($snortcfg['pscan_protocol'])) + $sf_pscan_protocol = $snortcfg['pscan_protocol']; + $sf_pscan_type = "all"; + if (!empty($snortcfg['pscan_type'])) + $sf_pscan_type = $snortcfg['pscan_type']; + $sf_pscan_memcap = "10000000"; + if (!empty($snortcfg['pscan_memcap'])) + $sf_pscan_memcap = $snortcfg['pscan_memcap']; + $sf_pscan_sense_level = "medium"; + if (!empty($snortcfg['pscan_sense_level'])) + $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; + $sf_pscan_ignore_scanners = "\$HOME_NET"; + if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { + $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])); + $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); + } + + $sf_portscan = <<<EOD +# sf Portscan # +preprocessor sfportscan: \ + scan_type { {$sf_pscan_type} } \ + proto { {$sf_pscan_protocol} } \ + memcap { {$sf_pscan_memcap} } \ + sense_level { {$sf_pscan_sense_level} } \ + ignore_scanners { {$sf_pscan_ignore_scanners} } + +EOD; + + /* def ssh_preproc */ + $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); + $ssh_preproc = <<<EOD +# SSH preprocessor # +preprocessor ssh: \ + server_ports { {$ssh_ports} } \ + autodetect \ + max_client_bytes 19600 \ + max_encrypted_packets 20 \ + max_server_version_len 100 \ + enable_respoverflow enable_ssh1crc32 \ + enable_srvoverflow enable_protomismatch + +EOD; + + /* def other_preprocs */ + $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); + $other_preprocs = <<<EOD +# Other preprocs # +preprocessor rpc_decode: \ + {$sun_rpc_ports} \ + no_alert_multiple_requests \ + no_alert_large_fragments \ + no_alert_incomplete + +# Back Orifice preprocessor # +preprocessor bo + +EOD; + + /* def dce_rpc_2 */ + $dce_rpc_2 = <<<EOD +# DCE/RPC 2 # +preprocessor dcerpc2: \ + memcap 102400, \ + events [co] + +preprocessor dcerpc2_server: default, \ + policy WinXP, \ + detect [smb [{$snort_ports['smb_ports']}], \ + tcp 135, \ + udp 135, \ + rpc-over-http-server 593], \ + autodetect [tcp 1025:, \ + udp 1025:, \ + rpc-over-http-server 1025:], \ + smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] + +EOD; + + $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); + $sip_preproc = <<<EOD +# SIP preprocessor # +preprocessor sip: \ + max_sessions 40000, \ + ports { {$sip_ports} }, \ + methods { invite \ + cancel \ + ack \ + bye \ + register \ + options \ + refer \ + subscribe \ + update \ + join \ + info \ + message \ + notify \ + benotify \ + do \ + qauth \ + sprack \ + publish \ + service \ + unsubscribe \ + prack }, \ + max_call_id_len 80, \ + max_from_len 256, \ + max_to_len 256, \ + max_via_len 1024, \ + max_requestName_len 50, \ + max_uri_len 512, \ + ignore_call_channel, \ + max_content_len 2048, \ + max_contact_len 512 + +EOD; + + $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports'])); + /* def dns_preprocessor */ + $dns_preprocessor = <<<EOD +# DNS preprocessor # +preprocessor dns: \ + ports { {$dns_ports} } \ + enable_rdata_overflow + +EOD; + + /* def dnp3_preprocessor */ + $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS'])); + $dnp3_preproc = <<<EOD +# DNP3 preprocessor # +preprocessor dnp3: \ + ports { {$dnp3_ports} } \ + memcap 262144 \ + check_crc + +EOD; + + /* def modbus_preprocessor */ + $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS'])); + $modbus_preproc = <<<EOD +# Modbus preprocessor # +preprocessor modbus: \ + ports { {$modbus_ports} } + +EOD; + + /* def gtp_preprocessor */ + $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); + $gtp_preproc = <<<EOD +# GTP preprocessor # +preprocessor gtp: \ + ports { {$gtp_ports} } + +EOD; + + /* def ssl_preprocessor */ + $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports'])); + $ssl_preproc = <<<EOD +# SSL preprocessor # +preprocessor ssl: \ + ports { {$ssl_ports} }, \ + trustservers, \ + noinspect_encrypted + +EOD; + + /* def sensitive_data_preprocessor */ + if ($snortcfg['sdf_mask_output'] == "on") + $sdf_mask_output = "\\\n\tmask_output"; + else + $sdf_mask_output = ""; + if (empty($snortcfg['sdf_alert_threshold'])) + $snortcfg['sdf_alert_threshold'] = 25; + $sensitive_data = <<<EOD +# SDF preprocessor # +preprocessor sensitive_data: \ + alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output} + +EOD; + + /* define servers as IP variables */ + $snort_servers = array ( + "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", + "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", + "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", + "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", + "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", + "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", + "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", + "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" + ); + + // Change old name from "var" to new name of "ipvar" for IP variables because + // Snort is deprecating the old "var" name in newer versions. + $ipvardef = ""; + foreach ($snort_servers as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { + $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $avalue = preg_replace('/\s+/', ',', trim($avalue)); + } + $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; + } + + $snort_preproc_libs = array( + "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", + "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", + "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" + ); + $snort_preproc = array ( + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", + "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" + ); + $default_disabled_preprocs = array( + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc" + ); + $snort_preprocessors = ""; + foreach ($snort_preproc as $preproc) { + if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { + + /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ + if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) + continue; + + /* NOTE: The $$ is not a bug. It is an advanced feature of php */ + if (!empty($snort_preproc_libs[$preproc])) { + $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; + if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { + if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { + @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } else + log_error("Could not find the {$preproclib} file. Snort might error out!"); + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } + } + // Remove final trailing newline + $snort_preprocessors = rtrim($snort_preprocessors); + + $snort_misc_include_rules = ""; + if (file_exists("{$snortcfgdir}/reference.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; + if (file_exists("{$snortcfgdir}/classification.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; + if (is_dir("{$snortcfgdir}/preproc_rules")) { + if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { + $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; + if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){ + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; + #enable only selected sensitive data + if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){ + $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; + $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); + $sd_tmp_new_file=""; + foreach ($sd_tmp_file as $sd_tmp_line) + $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; + file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); + } + } + } else + $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; + if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { + @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); + @unlink("{$g['tmp_path']}/sedcmd"); + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } + else { + $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + } + } else { + $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + } + + /* generate rule sections to load */ + /* The files are always configured so the update process is easier */ + $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; + $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; + $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; + + // Remove trailing newlines + $snort_misc_include_rules = rtrim($snort_misc_include_rules); + $selected_rules_sections = rtrim($selected_rules_sections); + + /* Create the actual rules files and save in the interface directory */ + snort_prepare_rule_files($snortcfg, $snortcfgdir); + + $cksumcheck = "all"; + if ($snortcfg['cksumcheck'] == 'on') + $cksumcheck = "none"; + + /* Pull in user-configurable detection config options */ + $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; + if ($snortcfg['fpm_split_any_any'] == "on") + $cfg_detect_settings .= " split-any-any"; + if ($snortcfg['fpm_search_optimize'] == "on") + $cfg_detect_settings .= " search-optimize"; + if ($snortcfg['fpm_no_stream_inserts'] == "on") + $cfg_detect_settings .= " no_stream_inserts"; + + /* Pull in user-configurable options for Frag3 preprocessor settings */ + /* Get global Frag3 options first and put into a string */ + $frag3_global = "preprocessor frag3_global: "; + if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") + $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; + else + $frag3_global .= "memcap 4194304, "; + if (!empty($snortcfg['frag3_max_frags'])) + $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; + else + $frag3_global .= "max_frags 8192"; + if ($snortcfg['frag3_detection'] == "off") + $frag3_global .= ", disabled"; + + $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + $frag3_engine = ""; + + // Now iterate configured Frag3 engines and write them to a string if enabled + if ($snortcfg['frag3_detection'] == "on") { + if (!is_array($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'] = array(); + + // If no frag3 tcp engine is configured, use the default + if (empty($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; + + foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { + $frag3_engine .= "preprocessor frag3_engine: "; + $frag3_engine .= "policy {$v['policy']}"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; + else + $frag3_engine .= " \\\n\tbind_to {$tmp}"; + } + else + log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); + } + $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; + $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; + if ($v['detect_anomalies'] == "on") { + $frag3_engine .= " \\\n\tdetect_anomalies"; + $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; + $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; + } + // Add newlines to terminate this engine + $frag3_engine .= "\n\n"; + } + // Remove trailing newline + $frag3_engine = rtrim($frag3_engine); + } + + // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs + $paf_max_pdu_config = "config paf_max: "; + if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') + $paf_max_pdu_config .= "0"; + else + $paf_max_pdu_config .= $snortcfg['max_paf']; + + // Pull in user-configurable options for Stream5 preprocessor settings + // Get global options first and put into a string + $stream5_global = "preprocessor stream5_global: \\\n"; + if ($snortcfg['stream5_reassembly'] == "off") + $stream5_global .= "\tdisabled, \\\n"; + if ($snortcfg['stream5_track_tcp'] == "off") + $stream5_global .= "\ttrack_tcp no,"; + else { + $stream5_global .= "\ttrack_tcp yes,"; + if (!empty($snortcfg['stream5_max_tcp'])) + $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; + else + $stream5_global .= " \\\n\tmax_tcp 262144,"; + } + if ($snortcfg['stream5_track_udp'] == "off") + $stream5_global .= " \\\n\ttrack_udp no,"; + else { + $stream5_global .= " \\\n\ttrack_udp yes,"; + if (!empty($snortcfg['stream5_max_udp'])) + $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; + else + $stream5_global .= " \\\n\tmax_udp 131072,"; + } + if ($snortcfg['stream5_track_icmp'] == "on") { + $stream5_global .= " \\\n\ttrack_icmp yes,"; + if (!empty($snortcfg['stream5_max_icmp'])) + $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; + else + $stream5_global .= " \\\n\tmax_icmp 65536,"; + } + else + $stream5_global .= " \\\n\ttrack_icmp no,"; + if (!empty($snortcfg['stream5_mem_cap'])) + $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; + else + $stream5_global .= " \\\n\tmemcap 8388608,"; + + if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') + $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; + else + $stream5_global .= " \\\n\tprune_log_max 1048576"; + if ($snortcfg['stream5_flush_on_alert'] == "on") + $stream5_global .= ", \\\n\tflush_on_alert"; + + $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + $stream5_tcp_engine = ""; + + // Now iterate configured Stream5 TCP engines and write them to a string if enabled + if ($snortcfg['stream5_reassembly'] == "on") { + if (!is_array($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'] = array(); + + // If no stream5 tcp engine is configured, use the default + if (empty($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; + + foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { + $buffer = "preprocessor stream5_tcp: "; + $buffer .= "policy {$v['policy']},"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $buffer .= " \\\n\tbind_to [{$tmp}],"; + else + $buffer .= " \\\n\tbind_to {$tmp},"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); + continue; + } + } + $stream5_tcp_engine .= $buffer; + $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; + $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; + $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; + if ($v['use_static_footprint_sizes'] == "on") + $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; + if ($v['check_session_hijacking'] == "on") + $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; + if ($v['dont_store_lg_pkts'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; + if ($v['no_reassemble_async'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; + if ($v['detect_anomalies'] == "on") + $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; + if ($v['require_3whs'] == "on") + $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; + if (!empty($v['ports_client'])) { + $stream5_tcp_engine .= ", \\\n\tports client"; + if ($v['ports_client'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_client'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_client}"; + else { + $tmp = trim(filter_expand_alias($v['ports_client'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_client}"; + log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_both'])) { + $stream5_tcp_engine .= ", \\\n\tports both"; + if ($v['ports_both'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_both'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_both}"; + else { + $tmp = trim(filter_expand_alias($v['ports_both'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_both}"; + log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { + if ($v['ports_server'] == " all") { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " all"; + } + else { + $tmp = trim(filter_expand_alias($v['ports_server'])); + if (!empty($tmp)) { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + } + else + log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); + } + } + + // Make sure the "ports" parameter is set, or else default to a safe value + if (strpos($stream5_tcp_engine, "ports ") === false) + $stream5_tcp_engine .= ", \\\n\tports both all"; + + // Add a pair of newlines to terminate this engine + $stream5_tcp_engine .= "\n\n"; + } + // Trim off the final trailing newline + $stream5_tcp_engine = rtrim($stream5_tcp_engine); + } + + // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") + $stream5_udp_engine = ""; + else { + $stream5_udp_engine = "preprocessor stream5_udp: "; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; + else + $stream5_udp_engine .= "timeout 30"; + } + + // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { + $stream5_icmp_engine = "preprocessor stream5_icmp: "; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; + else + $stream5_icmp_engine .= "timeout 30"; + } + else + $stream5_icmp_engine = ""; + + // Check for and configure Host Attribute Table if enabled + $host_attrib_config = ""; + if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { + file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); + $host_attrib_config = "# Host Attribute Table #\n"; + $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; + if (!empty($snortcfg['max_attribute_hosts'])) + $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; + if (!empty($snortcfg['max_attribute_services_per_host'])) + $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; + } + + // Configure the HTTP_INSPECT preprocessor + // Get global options first and put into a string + $http_inspect_global = "preprocessor http_inspect: global "; + if ($snortcfg['http_inspect'] == "off") + $http_inspect_global .= "disabled "; + $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; + $http_inspect_global .= "\tcompress_depth 65535 \\\n"; + $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; + if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; + else + $http_inspect_global .= "\tmemcap 150994944 \\\n"; + if (!empty($snortcfg['http_inspect_max_gzip_mem'])) + $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; + else + $http_inspect_global .= "\tmax_gzip_mem 838860"; + if ($snortcfg['http_inspect_proxy_alert'] == "on") + $http_inspect_global .= " \\\n\tproxy_alert"; + + $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); + $http_inspect_servers = ""; + + // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled + if ($snortcfg['http_inspect'] <> "off") { + if (!is_array($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'] = array(); + + // If no http_inspect_engine is configured, use the default + if (empty($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; + + foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { + $buffer = "preprocessor http_inspect_server: \\\n"; + if ($v['name'] == "default") + $buffer .= "\tserver default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "\tserver { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + $http_inspect_servers .= $buffer; + $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; + + if ($v['no_alerts'] == "on") + $http_inspect_servers .= "\tno_alerts \\\n"; + + if ($v['ports'] == "default" || empty($v['ports'])) + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $http_inspect_servers .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + + $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; + $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; + $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; + $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; + $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; + $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; + $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; + if ($v['enable_xff'] == "on") + $http_inspect_servers .= " \\\n\tenable_xff"; + if ($v['enable_cookie'] == "on") + $http_inspect_servers .= " \\\n\tenable_cookie"; + if ($v['normalize_cookies'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_cookies"; + if ($v['normalize_headers'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_headers"; + if ($v['normalize_utf'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_utf"; + if ($v['allow_proxy_use'] == "on") + $http_inspect_servers .= " \\\n\tallow_proxy_use"; + if ($v['inspect_uri_only'] == "on") + $http_inspect_servers .= " \\\n\tinspect_uri_only"; + if ($v['extended_response_inspection'] == "on") { + $http_inspect_servers .= " \\\n\textended_response_inspection"; + if ($v['inspect_gzip'] == "on") { + $http_inspect_servers .= " \\\n\tinspect_gzip"; + if ($v['unlimited_decompress'] == "on") + $http_inspect_servers .= " \\\n\tunlimited_decompress"; + } + if ($v['normalize_javascript'] == "on") { + $http_inspect_servers .= " \\\n\tnormalize_javascript"; + $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; + } + } + if ($v['log_uri'] == "on") + $http_inspect_servers .= " \\\n\tlog_uri"; + if ($v['log_hostname'] == "on") + $http_inspect_servers .= " \\\n\tlog_hostname"; + + // Add a pair of trailing newlines to terminate this server config + $http_inspect_servers .= "\n\n"; + } + /* Trim off the final trailing newline */ + $http_inspect_server = rtrim($http_inspect_server); + } + + // Finally, build the Snort configuration file + $snort_conf_text = <<<EOD +# snort configuration file +# generated automatically by the pfSense subsystems do not modify manually + +# Define Local Network # +ipvar HOME_NET [{$home_net}] +ipvar EXTERNAL_NET [{$external_net}] + +# Define Rule Paths # +var RULE_PATH {$snortcfgdir}/rules +var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules + +# Define Servers # +{$ipvardef} + +# Define Server Ports # +{$portvardef} + +# Configure quiet startup mode # +config quiet + +# Configure the snort decoder # +config checksum_mode: {$cksumcheck} +config disable_decode_alerts +config disable_tcpopt_experimental_alerts +config disable_tcpopt_obsolete_alerts +config disable_ttcp_alerts +config disable_tcpopt_alerts +config disable_ipopt_alerts +config disable_decode_drops + +# Enable the GTP decoder # +config enable_gtp + +# Configure PCRE match limitations +config pcre_match_limit: 3500 +config pcre_match_limit_recursion: 1500 + +# Configure the detection engine # +config detection: {$cfg_detect_settings} +config event_queue: max_queue 8 log 5 order_events content_length + +# Configure to show year in timestamps +config show_year + +# Configure protocol aware flushing # +# For more information see README.stream5 # +{$paf_max_pdu_config} + +# Configure dynamically loaded libraries +dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']} +dynamicengine directory {$snort_dirs['dynamicengine']} +dynamicdetection directory {$snort_dirs['dynamicrules']} + +# Inline packet normalization. For more information, see README.normalize +# Disabled since we do not use "inline" mode with pfSense +# preprocessor normalize_ip4 +# preprocessor normalize_tcp: ips ecn stream +# preprocessor normalize_icmp4 +# preprocessor normalize_ip6 +# preprocessor normalize_icmp6 + +# Flow and stream # +{$frag3_global} + +{$frag3_engine} + +{$stream5_global} + +{$stream5_tcp_engine} + +{$stream5_udp_engine} + +{$stream5_icmp_engine} + +# HTTP Inspect # +{$http_inspect_global} + +{$http_inspect_servers} +{$snort_preprocessors} +{$host_attrib_config} + +# Snort Output Logs # +output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority +{$alertsystemlog_type} +{$snortunifiedlog_type} +{$spoink_type} + +# Misc Includes # +{$snort_misc_include_rules} + +{$suppress_file_name} + +# Snort user pass through configuration +{$snort_config_pass_thru} + +# Rules Selection # +{$selected_rules_sections} +EOD; + + // Write out snort.conf file + $conf = fopen("{$snortcfgdir}/snort.conf", "w"); + if(!$conf) { + log_error("Could not open {$snortcfgdir}/snort.conf for writing."); + return -1; + } + fwrite($conf, $snort_conf_text); + fclose($conf); + unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); + unset($home_net, $external_net, $ipvardef, $portvardef); +} + +/*****************************************************************************/ +/* This starts the actual post-install code */ +/*****************************************************************************/ + +/* Hard kill any running Snort processes that may have been started by any */ +/* of the pfSense scripts such as check_reload_status() or rc.start_packages */ +if(is_process_running("snort")) { + exec("/usr/bin/killall -z snort"); + sleep(2); + // Delete any leftover snort PID files in /var/run + array_map('@unlink', glob("/var/run/snort_*.pid")); +} +// Hard kill any running Barnyard2 processes +if(is_process_running("barnyard")) { + exec("/usr/bin/killall -z barnyard2"); + sleep(2); + // Delete any leftover barnyard2 PID files in /var/run + array_map('@unlink', glob("/var/run/barnyard2_*.pid")); +} + +/* Set flag for post-install in progress */ +$g['snort_postinstall'] = true; + +/* cleanup default files */ +@rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); +@rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf"); +@rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map"); +@rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map"); +@rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config"); +@rename("{$snortdir}/generators-sample", "{$snortdir}/generators"); +@rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config"); +@rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); +@rename("{$snortdir}/attribute_table.dtd-sample", "{$snortdir}/attribute_table.dtd"); + +/* fix up the preprocessor rules filenames from a PBI package install */ +$preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); +foreach ($preproc_rules as $file) { + if (file_exists("{$snortdir}/preproc_rules/{$file}-sample")) + @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}"); +} + +/* Remove any previously installed scripts since we rebuild them */ +@unlink("{$snortdir}/sid"); +@unlink("{$rcdir}/snort.sh"); +@unlink("{$rcdir}/barnyard2"); + +/* remake saved settings */ +if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { + log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings...")); + update_status(gettext("Saved settings detected...")); + /* Do one-time settings migration for new multi-engine configurations */ + update_output_window(gettext("Please wait... migrating settings to new multi-engine configuration...")); + include "/usr/local/pkg/snort/snort_migrate_config.php"; + update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); + log_error(gettext("[Snort] Downloading and updating configured rule types...")); + update_output_window(gettext("Please wait... downloading and updating configured rule types...")); + if ($pkg_interface <> "console") + $snort_gui_include = true; + include "/usr/local/pkg/snort/snort_check_for_rule_updates.php"; + update_status(gettext("Generating snort.conf configuration file from saved settings...")); + $rebuild_rules = true; + + /* Create the snort.conf files for each enabled interface */ + $snortconf = $config['installedpackages']['snortglobal']['rule']; + foreach ($snortconf as $value) { + $if_real = snort_get_real_interface($value['interface']); + + /* create a snort.conf file for interface */ + snort_build_new_conf($value); + + /* create barnyard2.conf file for interface */ + if ($value['barnyard_enable'] == 'on') + snort_create_barnyard2_conf($value, $if_real); + } + + /* create snort bootup file snort.sh */ + snort_create_rc(); + + /* Set Log Limit, Block Hosts Time and Rules Update Time */ + snort_snortloglimit_install_cron($config['installedpackages']['snortglobal']['snortloglimit'] == 'on' ? true : false); + snort_rm_blocked_install_cron($config['installedpackages']['snortglobal']['rm_blocked'] != "never_b" ? true : false); + snort_rules_up_install_cron($config['installedpackages']['snortglobal']['autorulesupdate7'] != "never_up" ? true : false); + + /* Add the recurring jobs created above to crontab */ + configure_cron(); + conf_mount_ro(); + + $rebuild_rules = false; + update_output_window(gettext("Finished rebuilding Snort configuration files...")); + log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); + + /* Only try to start Snort if not in reboot */ + if (!$g['booting']) { + update_status(gettext("Starting Snort using rebuilt configuration...")); + update_output_window(gettext("Please wait... while Snort is started...")); + log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); + start_service("snort"); + update_output_window(gettext("Snort has been started using the rebuilt configuration...")); + } +} + +/* Update Snort package version in configuration */ +$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.1"; +write_config(); + +/* Done with post-install, so clear flag */ +unset($g['snort_postinstall']); +log_error(gettext("[Snort] Package post-installation tasks completed...")); +return true; + +?> diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 6c839846..289a3941 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -6,6 +6,7 @@ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. * Copyright (C) 2008-2009 Robert Zelaya. * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2013 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -37,16 +38,6 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g, $rebuild_rules; $snortlogdir = SNORTLOGDIR; -if (!is_array($config['installedpackages']['snortglobal'])) { - $config['installedpackages']['snortglobal'] = array(); -} -$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; @@ -55,6 +46,32 @@ if (is_null($id)) { exit; } +if (!is_array($config['installedpackages']['snortglobal'])) + $config['installedpackages']['snortglobal'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +// Initialize multiple config engine arrays for supported preprocessors if necessary +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array(); + +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; +$frag3_engine_next_id = count($a_nat[$id]['frag3_engine']['item']); +$stream5_tcp_engine_next_id = count($a_nat[$id]['stream5_tcp_engine']['item']); +$http_inspect_engine_next_id = count($a_nat[$id]['http_inspect_engine']['item']); +$ftp_server_engine_next_id = count($a_nat[$id]['ftp_server_engine']['item']); +$ftp_client_engine_next_id = count($a_nat[$id]['ftp_client_engine']['item']); + $pconfig = array(); if (isset($id) && $a_nat[$id]) { $pconfig = $a_nat[$id]; @@ -66,32 +83,14 @@ if (isset($id) && $a_nat[$id]) { $pconfig['max_attribute_hosts'] = $a_nat[$id]['max_attribute_hosts']; $pconfig['max_attribute_services_per_host'] = $a_nat[$id]['max_attribute_services_per_host']; $pconfig['max_paf'] = $a_nat[$id]['max_paf']; - $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth']; - $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile']; - $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth']; - $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly']; - $pconfig['stream5_require_3whs'] = $a_nat[$id]['stream5_require_3whs']; - $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp']; - $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp']; - $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp']; - $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; - $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; - $pconfig['stream5_overlap_limit'] = $a_nat[$id]['stream5_overlap_limit']; - $pconfig['stream5_policy'] = $a_nat[$id]['stream5_policy']; - $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap']; - $pconfig['stream5_tcp_timeout'] = $a_nat[$id]['stream5_tcp_timeout']; - $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout']; - $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout']; - $pconfig['stream5_no_reassemble_async'] = $a_nat[$id]['stream5_no_reassemble_async']; - $pconfig['stream5_dont_store_lg_pkts'] = $a_nat[$id]['stream5_dont_store_lg_pkts']; - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap']; - $pconfig['http_inspect_enable_xff'] = $a_nat[$id]['http_inspect_enable_xff']; - $pconfig['http_inspect_log_uri'] = $a_nat[$id]['http_inspect_log_uri']; - $pconfig['http_inspect_log_hostname'] = $a_nat[$id]['http_inspect_log_hostname']; - $pconfig['noalert_http_inspect'] = $a_nat[$id]['noalert_http_inspect']; $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; + $pconfig['ftp_telnet_inspection_type'] = $a_nat[$id]['ftp_telnet_inspection_type']; + $pconfig['ftp_telnet_alert_encrypted'] = $a_nat[$id]['ftp_telnet_alert_encrypted']; + $pconfig['ftp_telnet_check_encrypted'] = $a_nat[$id]['ftp_telnet_check_encrypted']; + $pconfig['ftp_telnet_normalize'] = $a_nat[$id]['ftp_telnet_normalize']; + $pconfig['ftp_telnet_detect_anomalies'] = $a_nat[$id]['ftp_telnet_detect_anomalies']; + $pconfig['ftp_telnet_ayt_attack_threshold'] = $a_nat[$id]['ftp_telnet_ayt_attack_threshold']; $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; $pconfig['pscan_protocol'] = $a_nat[$id]['pscan_protocol']; @@ -102,6 +101,9 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; + $pconfig['sdf_alert_data_type'] = $a_nat[$id]['sdf_alert_data_type']; + $pconfig['sdf_alert_threshold'] = $a_nat[$id]['sdf_alert_threshold']; + $pconfig['sdf_mask_output'] = $a_nat[$id]['sdf_mask_output']; $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc']; $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc']; $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc']; @@ -112,13 +114,123 @@ if (isset($id) && $a_nat[$id]) { $pconfig['ssh_preproc'] = $a_nat[$id]['ssh_preproc']; $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable']; $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules']; + + // Frag3 global settings $pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection']; - $pconfig['frag3_overlap_limit'] = $a_nat[$id]['frag3_overlap_limit']; - $pconfig['frag3_min_frag_len'] = $a_nat[$id]['frag3_min_frag_len']; - $pconfig['frag3_policy'] = $a_nat[$id]['frag3_policy']; $pconfig['frag3_max_frags'] = $a_nat[$id]['frag3_max_frags']; $pconfig['frag3_memcap'] = $a_nat[$id]['frag3_memcap']; - $pconfig['frag3_timeout'] = $a_nat[$id]['frag3_timeout']; + + // See if new Frag3 engine array is configured and use it; + // otherwise create a default engine configuration. + if (empty($pconfig['frag3_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + $pconfig['frag3_engine']['item'] = array(); + $pconfig['frag3_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['frag3_engine']['item'])) + $a_nat[$id]['frag3_engine']['item'] = array(); + $a_nat[$id]['frag3_engine']['item'][] = $default; + write_config(); + $frag3_engine_next_id++; + } + else + $pconfig['frag3_engine'] = $a_nat[$id]['frag3_engine']; + + // Stream5 global settings + $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly']; + $pconfig['stream5_flush_on_alert'] = $a_nat[$id]['stream5_flush_on_alert']; + $pconfig['stream5_prune_log_max'] = $a_nat[$id]['stream5_prune_log_max']; + $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap']; + $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp']; + $pconfig['stream5_max_tcp'] = $a_nat[$id]['stream5_max_tcp']; + $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp']; + $pconfig['stream5_max_udp'] = $a_nat[$id]['stream5_max_udp']; + $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout']; + $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp']; + $pconfig['stream5_max_icmp'] = $a_nat[$id]['stream5_max_icmp']; + $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout']; + + // See if new Stream5 engine array is configured and use it; + // otherwise create a default engine configuration. + if (empty($pconfig['stream5_tcp_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", + "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + $pconfig['stream5_tcp_engine']['item'] = array(); + $pconfig['stream5_tcp_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['stream5_tcp_engine']['item'])) + $a_nat[$id]['stream5_tcp_engine']['item'] = array(); + $a_nat[$id]['stream5_tcp_engine']['item'][] = $default; + write_config(); + $stream5_tcp_engine_next_id++; + } + else + $pconfig['stream5_tcp_engine'] = $a_nat[$id]['stream5_tcp_engine']; + + // HTTP_INSPECT global settings + $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap']; + $pconfig['http_inspect_proxy_alert'] = $a_nat[$id]['http_inspect_proxy_alert']; + $pconfig['http_inspect_max_gzip_mem'] = $a_nat[$id]['http_inspect_max_gzip_mem']; + + // See if new HTTP_INSPECT engine array is configured and use it; + // otherwise create a default engine configuration. + if (empty($pconfig['http_inspect_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", + "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", + "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + $pconfig['http_inspect_engine']['item'] = array(); + $pconfig['http_inspect_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['http_inspect_engine']['item'])) + $a_nat[$id]['http_inspect_engine']['item'] = array(); + $a_nat[$id]['http_inspect_engine']['item'][] = $default; + write_config(); + $http_inspect_engine_next_id++; + } + else + $pconfig['http_inspect_engine'] = $a_nat[$id]['http_inspect_engine']; + + // See if new FTP client engine array is configured and use it; + // otherwise create a default engine configuration.. + if (empty($pconfig['ftp_client_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + $pconfig['ftp_client_engine']['item'] = array(); + $pconfig['ftp_client_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['ftp_client_engine']['item'])) + $a_nat[$id]['ftp_client_engine']['item'] = array(); + $a_nat[$id]['ftp_client_engine']['item'][] = $default; + write_config(); + $ftp_client_engine_next_id++; + } + else + $pconfig['ftp_client_engine'] = $a_nat[$id]['ftp_client_engine']; + + // See if new FTP server engine array is configured and use it; + // otherwise create a default engine configuration.. + if (empty($pconfig['ftp_server_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + $pconfig['ftp_server_engine']['item'] = array(); + $pconfig['ftp_server_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['ftp_server_engine']['item'])) + $a_nat[$id]['ftp_server_engine']['item'] = array(); + $a_nat[$id]['ftp_server_engine']['item'][] = $default; + write_config(); + $ftp_server_engine_next_id++; + } + else + $pconfig['ftp_server_engine'] = $a_nat[$id]['ftp_server_engine']; /* If not using the Snort VRT rules, then disable */ /* the Sensitive Data (sdf) preprocessor. */ @@ -134,10 +246,30 @@ if (isset($id) && $a_nat[$id]) { $pconfig['max_attribute_hosts'] = '10000'; if (empty($pconfig['max_attribute_services_per_host'])) $pconfig['max_attribute_services_per_host'] = '10'; - if (empty($pconfig['max_paf'])) + + if (empty($pconfig['max_paf']) && $pconfig['max_paf'] <> 0) $pconfig['max_paf'] = '16000'; + if (empty($pconfig['ftp_preprocessor'])) $pconfig['ftp_preprocessor'] = 'on'; + if (empty($pconfig['ftp_telnet_inspection_type'])) + $pconfig['ftp_telnet_inspection_type'] = 'stateful'; + if (empty($pconfig['ftp_telnet_alert_encrypted'])) + $pconfig['ftp_telnet_alert_encrypted'] = 'off'; + if (empty($pconfig['ftp_telnet_check_encrypted'])) + $pconfig['ftp_telnet_check_encrypted'] = 'on'; + if (empty($pconfig['ftp_telnet_normalize'])) + $pconfig['ftp_telnet_normalize'] = 'on'; + if (empty($pconfig['ftp_telnet_detect_anomalies'])) + $pconfig['ftp_telnet_detect_anomalies'] = 'on'; + if (empty($pconfig['ftp_telnet_ayt_attack_threshold']) && $pconfig['ftp_telnet_ayt_attack_threshold'] <> 0) + $pconfig['ftp_telnet_ayt_attack_threshold'] = '20'; + if (empty($pconfig['sdf_alert_data_type'])) + $pconfig['sdf_alert_data_type'] = "Credit Card,Email Addresses,U.S. Phone Numbers,U.S. Social Security Numbers"; + if (empty($pconfig['sdf_alert_threshold'])) + $pconfig['sdf_alert_threshold'] = '25'; + if (empty($pconfig['sdf_mask_output'])) + $pconfig['sdf_mask_output'] = 'off'; if (empty($pconfig['smtp_preprocessor'])) $pconfig['smtp_preprocessor'] = 'on'; if (empty($pconfig['dce_rpc_2'])) @@ -156,46 +288,48 @@ if (isset($id) && $a_nat[$id]) { $pconfig['other_preprocs'] = 'on'; if (empty($pconfig['ssh_preproc'])) $pconfig['ssh_preproc'] = 'on'; + + if (empty($pconfig['http_inspect'])) + $pconfig['http_inspect'] = "on"; + if (empty($pconfig['http_inspect_proxy_alert'])) + $pconfig['http_inspect_proxy_alert'] = "off"; if (empty($pconfig['http_inspect_memcap'])) $pconfig['http_inspect_memcap'] = "150994944"; - if (empty($pconfig['frag3_overlap_limit'])) - $pconfig['frag3_overlap_limit'] = '0'; - if (empty($pconfig['frag3_min_frag_len'])) - $pconfig['frag3_min_frag_len'] = '0'; + if (empty($pconfig['http_inspect_max_gzip_mem'])) + $pconfig['http_inspect_max_gzip_mem'] = "838860"; + if (empty($pconfig['frag3_max_frags'])) $pconfig['frag3_max_frags'] = '8192'; - if (empty($pconfig['frag3_policy'])) - $pconfig['frag3_policy'] = 'bsd'; if (empty($pconfig['frag3_memcap'])) $pconfig['frag3_memcap'] = '4194304'; - if (empty($pconfig['frag3_timeout'])) - $pconfig['frag3_timeout'] = '60'; if (empty($pconfig['frag3_detection'])) $pconfig['frag3_detection'] = 'on'; + if (empty($pconfig['stream5_reassembly'])) $pconfig['stream5_reassembly'] = 'on'; + if (empty($pconfig['stream5_flush_on_alert'])) + $pconfig['stream5_flush_on_alert'] = 'off'; + if (empty($pconfig['stream5_prune_log_max']) && $pconfig['stream5_prune_log_max'] <> 0) + $pconfig['stream5_prune_log_max'] = '1048576'; if (empty($pconfig['stream5_track_tcp'])) $pconfig['stream5_track_tcp'] = 'on'; + if (empty($pconfig['stream5_max_tcp'])) + $pconfig['stream5_max_tcp'] = '262144'; if (empty($pconfig['stream5_track_udp'])) $pconfig['stream5_track_udp'] = 'on'; - if (empty($pconfig['stream5_track_icmp'])) - $pconfig['stream5_track_icmp'] = 'off'; - if (empty($pconfig['stream5_require_3whs'])) - $pconfig['stream5_require_3whs'] = 'off'; - if (empty($pconfig['stream5_overlap_limit'])) - $pconfig['stream5_overlap_limit'] = '0'; - if (empty($pconfig['stream5_tcp_timeout'])) - $pconfig['stream5_tcp_timeout'] = '30'; + if (empty($pconfig['stream5_max_udp'])) + $pconfig['stream5_max_udp'] = '131072'; if (empty($pconfig['stream5_udp_timeout'])) $pconfig['stream5_udp_timeout'] = '30'; + if (empty($pconfig['stream5_track_icmp'])) + $pconfig['stream5_track_icmp'] = 'off'; + if (empty($pconfig['stream5_max_icmp'])) + $pconfig['stream5_max_icmp'] = '65536'; if (empty($pconfig['stream5_icmp_timeout'])) $pconfig['stream5_icmp_timeout'] = '30'; - if (empty($pconfig['stream5_no_reassemble_async'])) - $pconfig['stream5_no_reassemble_async'] = 'off'; - if (empty($pconfig['stream5_dont_store_lg_pkts'])) - $pconfig['stream5_dont_store_lg_pkts'] = 'off'; - if (empty($pconfig['stream5_policy'])) - $pconfig['stream5_policy'] = 'bsd'; + if (empty($pconfig['stream5_mem_cap'])) + $pconfig['stream5_mem_cap']= '8388608'; + if (empty($pconfig['pscan_protocol'])) $pconfig['pscan_protocol'] = 'all'; if (empty($pconfig['pscan_type'])) @@ -210,6 +344,34 @@ if (isset($id) && $a_nat[$id]) { $iface = snort_get_friendly_interface($pconfig['interface']); $disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; +if ($_GET['act'] && isset($_GET['eng_id'])) { + + $natent = array(); + $natent = $pconfig; + + if ($_GET['act'] == "del_frag3") + unset($natent['frag3_engine']['item'][$_GET['eng_id']]); + elseif ($_GET['act'] == "del_stream5_tcp") + unset($natent['stream5_tcp_engine']['item'][$_GET['eng_id']]); + elseif ($_GET['act'] == "del_http_inspect") + unset($natent['http_inspect_engine']['item'][$_GET['eng_id']]); + elseif ($_GET['act'] == "del_ftp_server") + unset($natent['ftp_server_engine']['item'][$_GET['eng_id']]); + + if (isset($id) && $a_nat[$id]) { + $a_nat[$id] = $natent; + write_config(); + } + + header("Location: snort_preprocessors.php?id=$id"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; +} + if ($_POST['ResetAll']) { /* Reset all the preprocessor settings to defaults */ @@ -218,32 +380,30 @@ if ($_POST['ResetAll']) { $pconfig['max_attribute_hosts'] = '10000'; $pconfig['max_attribute_services_per_host'] = '10'; $pconfig['max_paf'] = '16000'; - $pconfig['server_flow_depth'] = "300"; - $pconfig['http_server_profile'] = "all"; - $pconfig['client_flow_depth'] = "300"; $pconfig['stream5_reassembly'] = "on"; - $pconfig['stream5_require_3whs'] = "off"; + $pconfig['stream5_flush_on_alert'] = 'off'; + $pconfig['stream5_prune_log_max'] = '1048576'; $pconfig['stream5_track_tcp'] = "on"; + $pconfig['stream5_max_tcp'] = "262144"; $pconfig['stream5_track_udp'] = "on"; + $pconfig['stream5_max_udp'] = "131072"; $pconfig['stream5_track_icmp'] = "off"; - $pconfig['max_queued_bytes'] = "1048576"; - $pconfig['max_queued_segs'] = "2621"; - $pconfig['stream5_overlap_limit'] = "0"; - $pconfig['stream5_policy'] = "bsd"; + $pconfig['stream5_max_icmp'] = "65536"; $pconfig['stream5_mem_cap'] = "8388608"; - $pconfig['stream5_tcp_timeout'] = "30"; $pconfig['stream5_udp_timeout'] = "30"; $pconfig['stream5_icmp_timeout'] = "30"; - $pconfig['stream5_no_reassemble_async'] = "off"; - $pconfig['stream5_dont_store_lg_pkts'] = "off"; $pconfig['http_inspect'] = "on"; - $pconfig['http_inspect_enable_xff'] = "off"; - $pconfig['http_inspect_log_uri'] = "off"; - $pconfig['http_inspect_log_hostname'] = "off"; - $pconfig['noalert_http_inspect'] = "on"; + $pconfig['http_inspect_proxy_alert'] = "off"; $pconfig['http_inspect_memcap'] = "150994944"; + $pconfig['http_inspect_max_gzip_mem'] = "838860"; $pconfig['other_preprocs'] = "on"; $pconfig['ftp_preprocessor'] = "on"; + $pconfig['ftp_telnet_inspection_type'] = "stateful"; + $pconfig['ftp_telnet_alert_encrypted'] = "off"; + $pconfig['ftp_telnet_check_encrypted'] = "on"; + $pconfig['ftp_telnet_normalize'] = "on"; + $pconfig['ftp_telnet_detect_anomalies'] = "on"; + $pconfig['ftp_telnet_ayt_attack_threshold'] = "20"; $pconfig['smtp_preprocessor'] = "on"; $pconfig['sf_portscan'] = "off"; $pconfig['pscan_protocol'] = "all"; @@ -254,6 +414,9 @@ if ($_POST['ResetAll']) { $pconfig['dce_rpc_2'] = "on"; $pconfig['dns_preprocessor'] = "on"; $pconfig['sensitive_data'] = "off"; + $pconfig['sdf_alert_data_type'] = "Credit Card,Email Addresses,U.S. Phone Numbers,U.S. Social Security Numbers"; + $pconfig['sdf_alert_threshold'] = "25"; + $pconfig['sdf_mask_output'] = "off"; $pconfig['ssl_preproc'] = "on"; $pconfig['pop_preproc'] = "on"; $pconfig['imap_preproc'] = "on"; @@ -265,22 +428,23 @@ if ($_POST['ResetAll']) { $pconfig['preproc_auto_rule_disable'] = "off"; $pconfig['protect_preproc_rules'] = "off"; $pconfig['frag3_detection'] = "on"; - $pconfig['frag3_overlap_limit'] = "0"; - $pconfig['frag3_min_frag_len'] = "0"; - $pconfig['frag3_policy'] = "bsd"; $pconfig['frag3_max_frags'] = "8192"; $pconfig['frag3_memcap'] = "4194304"; - $pconfig['frag3_timeout'] = "60"; /* Log a message at the top of the page to inform the user */ - $savemsg = "All preprocessor settings have been reset to the defaults."; + $savemsg = gettext("All preprocessor settings have been reset to their defaults."); } elseif ($_POST['Submit']) { $natent = array(); $natent = $pconfig; - if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners'])) - $input_errors[] = "Only aliases are allowed for the Portscan IGNORE_SCANNERS option."; + // Validate SDF alert threshold and alert data type values if SDF is enabled + if ($_POST['sensitive_data'] == 'on') { + if ($_POST['sdf_alert_threshold'] < 1 || $_POST['sdf_alert_threshold'] > 65535) + $input_errors[] = gettext("The value for Sensitive_Data_Alert_Threshold must be between 1 and 65,535."); + if (empty($_POST['sdf_alert_data_type'])) + $input_errors[] = gettext("You must select at least one sensitive data type to inspect for when Sensitive Data detection is enabled."); + } /* if no errors write to conf */ if (!$input_errors) { @@ -288,48 +452,45 @@ elseif ($_POST['Submit']) { if ($_POST['max_attribute_hosts'] != "") { $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts']; }else{ $natent['max_attribute_hosts'] = "10000"; } if ($_POST['max_attribute_services_per_host'] != "") { $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host']; }else{ $natent['max_attribute_services_per_host'] = "10"; } if ($_POST['max_paf'] != "") { $natent['max_paf'] = $_POST['max_paf']; }else{ $natent['max_paf'] = "16000"; } - if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; } - if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } - if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; } if ($_POST['http_inspect_memcap'] != "") { $natent['http_inspect_memcap'] = $_POST['http_inspect_memcap']; }else{ $natent['http_inspect_memcap'] = "150994944"; } - if ($_POST['stream5_overlap_limit'] != "") { $natent['stream5_overlap_limit'] = $_POST['stream5_overlap_limit']; }else{ $natent['stream5_overlap_limit'] = "0"; } - if ($_POST['stream5_policy'] != "") { $natent['stream5_policy'] = $_POST['stream5_policy']; }else{ $natent['stream5_policy'] = "bsd"; } + if ($_POST['http_inspect_max_gzip_mem'] != "") { $natent['http_inspect_max_gzip_mem'] = $_POST['http_inspect_max_gzip_mem']; }else{ $natent['http_inspect_max_gzip_mem'] = "838860"; } if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = "8388608"; } - if ($_POST['stream5_tcp_timeout'] != "") { $natent['stream5_tcp_timeout'] = $_POST['stream5_tcp_timeout']; }else{ $natent['stream5_tcp_timeout'] = "30"; } + if ($_POST['stream5_prune_log_max'] != "") { $natent['stream5_prune_log_max'] = $_POST['stream5_prune_log_max']; }else{ $natent['stream5_prune_log_max'] = "1048576"; } if ($_POST['stream5_udp_timeout'] != "") { $natent['stream5_udp_timeout'] = $_POST['stream5_udp_timeout']; }else{ $natent['stream5_udp_timeout'] = "30"; } if ($_POST['stream5_icmp_timeout'] != "") { $natent['stream5_icmp_timeout'] = $_POST['stream5_icmp_timeout']; }else{ $natent['stream5_icmp_timeout'] = "30"; } - if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = "1048576"; } - if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = "2621"; } + if ($_POST['stream5_max_tcp'] != "") { $natent['stream5_max_tcp'] = $_POST['stream5_max_tcp']; }else{ $natent['stream5_max_tcp'] = "262144"; } + if ($_POST['stream5_max_udp'] != "") { $natent['stream5_max_udp'] = $_POST['stream5_max_udp']; }else{ $natent['stream5_max_udp'] = "131072"; } + if ($_POST['stream5_max_icmp'] != "") { $natent['stream5_max_icmp'] = $_POST['stream5_max_icmp']; }else{ $natent['stream5_max_icmp'] = "65536"; } if ($_POST['pscan_protocol'] != "") { $natent['pscan_protocol'] = $_POST['pscan_protocol']; }else{ $natent['pscan_protocol'] = "all"; } if ($_POST['pscan_type'] != "") { $natent['pscan_type'] = $_POST['pscan_type']; }else{ $natent['pscan_type'] = "all"; } if ($_POST['pscan_memcap'] != "") { $natent['pscan_memcap'] = $_POST['pscan_memcap']; }else{ $natent['pscan_memcap'] = "10000000"; } if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; } - if ($_POST['frag3_overlap_limit'] != "") { $natent['frag3_overlap_limit'] = $_POST['frag3_overlap_limit']; }else{ $natent['frag3_overlap_limit'] = "0"; } - if ($_POST['frag3_min_frag_len'] != "") { $natent['frag3_min_frag_len'] = $_POST['frag3_min_frag_len']; }else{ $natent['frag3_min_frag_len'] = "0"; } - if ($_POST['frag3_policy'] != "") { $natent['frag3_policy'] = $_POST['frag3_policy']; }else{ $natent['frag3_policy'] = "bsd"; } + if ($_POST['pscan_ignore_scanners'] != "") { $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; }else{ $natent['pscan_ignore_scanners'] = ""; } if ($_POST['frag3_max_frags'] != "") { $natent['frag3_max_frags'] = $_POST['frag3_max_frags']; }else{ $natent['frag3_max_frags'] = "8192"; } if ($_POST['frag3_memcap'] != "") { $natent['frag3_memcap'] = $_POST['frag3_memcap']; }else{ $natent['frag3_memcap'] = "4194304"; } - if ($_POST['frag3_timeout'] != "") { $natent['frag3_timeout'] = $_POST['frag3_timeout']; }else{ $natent['frag3_timeout'] = "60"; } + if ($_POST['ftp_telnet_inspection_type'] != "") { $natent['ftp_telnet_inspection_type'] = $_POST['ftp_telnet_inspection_type']; }else{ $natent['ftp_telnet_inspection_type'] = "stateful"; } + if ($_POST['ftp_telnet_ayt_attack_threshold'] != "") { $natent['ftp_telnet_ayt_attack_threshold'] = $_POST['ftp_telnet_ayt_attack_threshold']; }else{ $natent['ftp_telnet_ayt_attack_threshold'] = "20"; } + if ($_POST['sdf_alert_threshold'] != "") { $natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold']; }else{ $natent['sdf_alert_threshold'] = "25"; } - if ($_POST['pscan_ignore_scanners']) - $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; - else - unset($natent['pscan_ignore_scanners']); + // Set SDF inspection types + $natent['sdf_alert_data_type'] = implode(",",$_POST['sdf_alert_data_type']); $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; $natent['host_attribute_table'] = $_POST['host_attribute_table'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; - $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off'; - $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off'; - $natent['http_inspect_log_hostname'] = $_POST['http_inspect_log_hostname'] ? 'on' : 'off'; - $natent['noalert_http_inspect'] = $_POST['noalert_http_inspect'] ? 'on' : 'off'; + $natent['http_inspect_proxy_alert'] = $_POST['http_inspect_proxy_alert'] ? 'on' : 'off'; $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off'; $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off'; + $natent['ftp_telnet_alert_encrypted'] = $_POST['ftp_telnet_alert_encrypted'] ? 'on' : 'off'; + $natent['ftp_telnet_check_encrypted'] = $_POST['ftp_telnet_check_encrypted'] ? 'on' : 'off'; + $natent['ftp_telnet_normalize'] = $_POST['ftp_telnet_normalize'] ? 'on' : 'off'; + $natent['ftp_telnet_detect_anomalies'] = $_POST['ftp_telnet_detect_anomalies'] ? 'on' : 'off'; $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off'; $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; $natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off'; + $natent['sdf_mask_output'] = $_POST['sdf_mask_output'] ? 'on' : 'off'; $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off'; $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off'; $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off'; @@ -343,28 +504,20 @@ elseif ($_POST['Submit']) { $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off'; $natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off'; $natent['stream5_reassembly'] = $_POST['stream5_reassembly'] ? 'on' : 'off'; + $natent['stream5_flush_on_alert'] = $_POST['stream5_flush_on_alert'] ? 'on' : 'off'; $natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off'; $natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off'; $natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off'; - $natent['stream5_require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off'; - $natent['stream5_no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off'; - $natent['stream5_dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off'; /* If 'preproc_auto_rule_disable' is off, then clear log file */ if ($natent['preproc_auto_rule_disable'] == 'off') @unlink("{$disabled_rules_log}"); - if (isset($id) && $a_nat[$id]) + if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; - else { - if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); - else - $a_nat[] = $natent; + write_config(); } - write_config(); - /* Set flag to rebuild rules for this interface */ $rebuild_rules = true; @@ -436,7 +589,7 @@ if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_d $input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. Data may be entered manually or imported from a suitable file."); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Preprocessors and Flow"); include_once("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="enable_change_all()"> @@ -546,7 +699,7 @@ include_once("head.inc"); <?php if (file_exists($disabled_rules_log) && filesize($disabled_rules_log) > 0): ?> <tr> <td width="3%"> </td> - <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600)"/> + <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600);"> <?php echo gettext("Click to view the list of currently auto-disabled rules"); ?></td> </tr> <?php endif; ?> @@ -554,7 +707,7 @@ include_once("head.inc"); </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Host Attribute Table Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Host Attribute Table"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> @@ -564,13 +717,11 @@ include_once("head.inc"); <?php echo gettext("Use a Host Attribute Table file to auto-configure applicable preprocessors. " . "Default is "); ?><strong><?php echo gettext("Not Checked"); ?></strong>.</td> </tr> - <tr> + <tr id="host_attrib_table_data_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Host Attribute Data"); ?></td> <td width="78%" class="vtable"><strong><?php echo gettext("Import From File"); ?></strong><br/> - <input name="host_attribute_file" type="file" class="formfld unknown" value="on" id="host_attribute_file" size="40" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> - <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>><br/> + <input name="host_attribute_file" type="file" class="formfld file" value="on" id="host_attribute_file" size="40"> + <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn"><br/> <?php echo gettext("Choose the Host Attributes file to use for auto-configuration."); ?><br/><br/> <span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span> <?php echo gettext("The Host Attributes file has a required format. See the "); ?><a href="http://manual.snort.org/" target="_blank"> @@ -580,9 +731,8 @@ include_once("head.inc"); <a href="http://code.google.com/p/hogger/" target="_blank"><?php echo gettext("Hogger"); ?></a><?php echo gettext(" or "); ?> <a href="http://gamelinux.github.io/prads/" target="_blank"><?php echo gettext("PRADS"); ?></a><?php echo gettext(" can be used to " . "scan networks and automatically generate a suitable Host Attribute Table file for import."); ?><br/><br/> - <input type="submit" id="btn_edit_hat" name="btn_edit_hat" value="<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext(" Edit ");} else {echo gettext("Create");} ?>" - class="formbtn" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <input type="submit" id="btn_edit_hat" name="btn_edit_hat" value="<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext(" Edit ");} + else {echo gettext("Create");} ?>" class="formbtn"> <?php if (!empty($pconfig['host_attribute_data'])) {echo gettext("Click to View or Edit the Host Attribute data.");} else {echo gettext("Click to Create Host Attribute data manually.");} if ($pconfig['host_attribute_table']=="on" && empty($pconfig['host_attribute_data'])){ @@ -590,14 +740,13 @@ include_once("head.inc"); gettext("No Host Attribute Data loaded - import from a file or enter it manually."); } ?></td> </tr> - <tr> + <tr id="host_attrib_table_maxhosts_row"> <td valign="top" class="vncell"><?php echo gettext("Maximum Hosts"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> - <td><input name="max_attribute_hosts" type="text" class="formfld" id="max_attribute_hosts" size="6" - value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <td><input name="max_attribute_hosts" type="text" class="formfld unknown" id="max_attribute_hosts" size="9" + value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>"> <?php echo gettext("Max number of hosts to read from the Attribute Table. Min is ") . "<strong>" . gettext("32") . "</strong>" . gettext(" and Max is ") . "<strong>" . gettext("524288") . "</strong>"; ?>.</td> @@ -608,14 +757,13 @@ include_once("head.inc"); "Default is ") . "<strong>" . gettext("10000") . "</strong>"; ?>.<br/> </td> </tr> - <tr> + <tr id="host_attrib_table_maxsvcs_row"> <td valign="top" class="vncell"><?php echo gettext("Maximum Services Per Host"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> - <td><input name="max_attribute_services_per_host" type="text" class="formfld" id="max_attribute_services_per_host" size="6" - value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <td><input name="max_attribute_services_per_host" type="text" class="formfld unknown" id="max_attribute_services_per_host" size="9" + value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>"> <?php echo gettext("Max number of per host services to read from the Attribute Table. Min is ") . "<strong>" . gettext("1") . "</strong>" . gettext(" and Max is ") . "<strong>" . gettext("65535") . "</strong>"; ?>.</td> @@ -627,250 +775,185 @@ include_once("head.inc"); </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Protocol Aware Flushing Setting"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Protocol Aware Flushing"); ?></td> </tr> <tr> <td valign="top" class="vncell"><?php echo gettext("Protocol Aware Flushing Maximum PDU"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="max_paf" type="text" class="formfld" id="max_paf" size="6" - value="<?=htmlspecialchars($pconfig['max_paf']);?>"> - <?php echo gettext("Max number of PDUs to be reassembled into a single PDU. Min is ") . - "<strong>" . gettext("0") . "</strong>" . gettext(" (off) and Max is ") . "<strong>" . - gettext("63780") . "</strong>"; ?>.</td> - </tr> - </table> - <?php echo gettext("Multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be " . - "reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets. " . - "Default is ") . "<strong>" . gettext("16000") . "</strong>. " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.<br/> + <input name="max_paf" type="text" class="formfld unknown" id="max_paf" size="9" + value="<?=htmlspecialchars($pconfig['max_paf']);?>"> + <?php echo gettext("Max number of PDUs to be reassembled into a single PDU. Min is ") . + "<strong>" . gettext("0") . "</strong>" . gettext(" (off) and Max is ") . "<strong>" . + gettext("63780") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("Multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be " . + "reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets. " . + "Default is ") . "<strong>" . gettext("16000") . "</strong>. " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.<br/> </td> </tr> - <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect Settings"); ?></td> + <tr id="httpinspect_row"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> <td width="78%" class="vtable"><input name="http_inspect" type="checkbox" value="on" id="http_inspect" onclick="http_inspect_enable_change();" - <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?>> - <?php echo gettext("Use HTTP Inspect to " . - "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?> + <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked";?>> + <?php echo gettext("Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is ");?> <strong><?php echo gettext("Checked"); ?></strong>.</td> </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable XFF/True-Client-IP"); ?></td> - <td width="78%" class="vtable"><input name="http_inspect_enable_xff" - type="checkbox" value="on" id="http_inspect_enable_xff" - <?php if ($pconfig['http_inspect_enable_xff']=="on") echo "checked"; ?>> - <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " . - "HTTP headers. Default is "); ?> - <strong><?php echo gettext("Not Checked"); ?></strong>.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable URI Logging"); ?></td> - <td width="78%" class="vtable"><input name="http_inspect_log_uri" - type="checkbox" value="on" id="http_inspect_log_uri" - <?php if ($pconfig['http_inspect_log_uri']=="on") echo "checked"; ?>> - <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." . - " Default is "); ?> - <strong><?php echo gettext("Not Checked"); ?></strong>.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Hostname Logging"); ?></td> - <td width="78%" class="vtable"><input name="http_inspect_log_hostname" - type="checkbox" value="on" id="http_inspect_log_hostname" - <?php if ($pconfig['http_inspect_log_hostname']=="on") echo "checked"; ?>> - <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." . - " Default is "); ?> - <strong><?php echo gettext("Not Checked"); ?></strong>.</td> - </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("HTTP Inspect Memory Cap"); ?></td> + <tr id="httpinspect_proxyalert_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Proxy Alert"); ?></td> + <td width="78%" class="vtable"><input name="http_inspect_proxy_alert" + type="checkbox" value="on" id="http_inspect_proxy_alert" + <?php if ($pconfig['http_inspect_proxy_alert']=="on") echo "checked";?>> + <?php echo gettext("Enable global alerting on HTTP server proxy usage. Default is ");?> + <strong><?php echo gettext("Not Checked"); ?></strong>.<br/><br/><span class="red"><strong> + <?php echo gettext("Note: ") . "</strong></span>" . gettext("By adding Server Configurations below and enabling " . + "the 'allow_proxy_use' parameter within them, alerts will be generated for web users that aren't using the configured " . + "proxies or are using a rogue proxy server.") . "<br/><br/><span class=\"red\"><strong>" . gettext("Warning: ") . + "</strong></span>" . gettext("If users are not required to configure web proxy use, you may get a lot " . + "of proxy alerts. Only use this feature with traditional proxy environments. Blind firewall proxies don't count!");?> + </td> + </tr> + <tr id="httpinspect_memcap_row"> + <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="http_inspect_memcap" type="text" class="formfld" - id="http_inspect_memcap" size="6" - value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>"> - <?php echo gettext("Max memory in bytes to use for URI and Hostname logging. Min is ") . - "<strong>" . gettext("2304") . "</strong>" . gettext(" and Max is ") . "<strong>" . - gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.</td> - </tr> - </table> - <?php echo gettext("Maximum amount of memory the preprocessor will use for logging the URI and Hostname data. The default " . - "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . gettext(" (144 MB)."); ?> - <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") . - gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>.<br/> + <input name="http_inspect_memcap" type="text" class="formfld unknown" + id="http_inspect_memcap" size="9" + value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>"> + <?php echo gettext("Maximum memory in bytes to use for URI and Hostname logging. The Minimum value is ") . + "<strong>" . gettext("2304") . "</strong>" . gettext(" and the Maximum is ") . "<strong>" . + gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.<br/><br/> + <?php echo gettext("Sets the maximum amount of memory the preprocessor will use for logging the URI and Hostname data. The default " . + "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . gettext(" (144 MB)."); ?> + <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") . + gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>. </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td> + <tr id="httpinspect_maxgzipmem_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum gzip Memory"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="server_flow_depth" type="text" class="formfld" - id="server_flow_depth" size="6" - value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . - "to <strong>65535</strong> (<strong>-1</strong> disables HTTP " . - "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> - </tr> - </table> - <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's " . - "performance may increase by adjusting this value."); ?><br/> - <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " . - "are specified in bytes. Recommended setting is maximum (65535). Default value is <strong>300</strong>"); ?><br/> + <input name="http_inspect_max_gzip_mem" type="text" class="formfld unknown" + id="http_inspect_memcap" size="9" + value="<?=htmlspecialchars($pconfig['http_inspect_max_gzip_mem']);?>"> + <?php echo gettext("Maximum memory in bytes to use for decompression. The Minimum value is ") . + "<strong>" . gettext("3276") . "</strong>";?>.<br/><br/> + <?php echo gettext("The default value is ") . "<strong>" . gettext("838860") . "</strong>" . gettext(" bytes.");?> + <?php echo gettext(" This option determines the number of concurrent sessions that can be decompressed at any given instant.");?> </td> </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP server profile"); ?> </td> - <td width="78%" class="vtable"> - <select name="http_server_profile" class="formselect" id="http_server_profile"> - <?php - $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0'); - foreach ($profile as $val): ?> - <option value="<?=strtolower($val);?>" - <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>> - <?=gettext($val);?></option> - <?php endforeach; ?> - </select> <?php echo gettext("Choose the profile type of the protected web server. The default is ") . - "<strong>" . gettext("All") . "</strong>"; ?><br/> - <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") . - gettext("double decoding vulnerability present in those versions."); ?><br/> - </td> - </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("HTTP client flow depth"); ?></td> + <tr id="httpinspect_engconf_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Configuration"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="client_flow_depth" type="text" class="formfld" - id="client_flow_depth" size="6" - value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . - "to <strong>1460</strong> (<strong>-1</strong> disables HTTP " . - "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> - </tr> - </table> - <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " . - "performance may increase by adjusting this value."); ?><br/> - <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " . - "are specified in bytes. Recommended setting is maximum (1460). Default value is <strong>300</strong>"); ?><br/> + <table width="95%" align="left" id="httpinspectEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Server Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=http_inspect_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"></a> + <a href="snort_httpinspect_engine.php?id=<?=$id?>&eng_id=<?=$http_inspect_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new server configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['http_inspect_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_httpinspect_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this server configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_http_inspect" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this server configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default server configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> </td> </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td> - <td width="78%" class="vtable"><input name="noalert_http_inspect" - type="checkbox" value="on" id="noalert_http_inspect" - <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?> - onClick="enable_change(false);"> <?php echo gettext("Turn off alerts from HTTP Inspect " . - "preprocessor. This has no effect on HTTP rules. Default is "); ?> - <strong><?php echo gettext("Checked"); ?></strong>.</td> - </tr> - - <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Settings"); ?></td> + <tr id="frag3_row"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Target-Based IP Defragmentation"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable");?></td> <td width="78%" class="vtable"><input name="frag3_detection" type="checkbox" value="on" onclick="frag3_enable_change();" - <?php if ($pconfig['frag3_detection']=="on") echo "checked "; ?> - onClick="enable_change(false)"> + <?php if ($pconfig['frag3_detection']=="on") echo "checked";?>> <?php echo gettext("Use Frag3 Engine to detect IDS evasion attempts via target-based IP packet fragmentation. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + "<strong>" . gettext("Checked") . "</strong>.";?></td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> - <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_memcap" type="text" class="formfld" - id="frag3_memcap" size="6" - value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>"> - <?php echo gettext("Memory cap (in bytes) for self preservation."); ?>.</td> - </tr> - </table> + <tr id="frag3_memcap_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Memory Cap");?></td> + <td width="78%" class="vtable"><input name="frag3_memcap" type="text" class="formfld unknown" id="frag3_memcap" size="9" value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>"> + <?php echo gettext("Memory cap (in bytes) for self preservation.");?><br/> <?php echo gettext("The maximum amount of memory allocated for Frag3 fragment reassembly. Default value is ") . - "<strong>" . gettext("4MB") . "</strong>"; ?>.<br/> + "<strong>" . gettext("4MB") . "</strong>."; ?> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td> - <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_max_frags" type="text" class="formfld" - id="frag3_max_frags" size="6" - value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>"> - <?php echo gettext("Maximum simultaneous fragments to track."); ?></td> - </tr> - </table> + <tr id="frag3_maxfrags_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td> + <td width="78%" class="vtable"><input name="frag3_max_frags" type="text" class="formfld unknown" id="frag3_max_frags" size="9" value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>"> + <?php echo gettext("Maximum simultaneous fragments to track.");?>.<br/> <?php echo gettext("The maximum number of simultaneous fragments to track. Default value is ") . - "<strong>8192</strong>."; ?><br/> - </td> - </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> - <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_overlap_limit" type="text" class="formfld" - id="frag3_overlap_limit" size="6" - value="<?=htmlspecialchars($pconfig['frag3_overlap_limit']);?>"> - <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), values greater than zero set the overlapped fragments per packet limit."); ?></td> - </tr> - </table> - <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . - "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/> - </td> - </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td> - <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_min_frag_len" type="text" class="formfld" - id="frag3_min_frag_len" size="6" - value="<?=htmlspecialchars($pconfig['frag3_min_frag_len']);?>"> - <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Fragments smaller than or equal to this limit are considered malicious."); ?></td> - </tr> - </table> - <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. Default value is ") . - "<strong>0</strong>" . gettext(" (check is disabled)."); ?><br/> + "<strong>8192</strong>.";?> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td> + <tr id="frag3_engconf_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Engine Configuration"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_timeout" type="text" class="formfld" - id="frag3_timeout" size="6" - value="<?=htmlspecialchars($pconfig['frag3_timeout']);?>"> - <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?></td> - </tr> - </table> - <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") . - "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td> - <td width="78%" class="vtable"> - <select name="frag3_policy" class="formselect" id="frag3_policy"> - <?php - $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' ); - foreach ($profile as $val): ?> - <option value="<?=strtolower($val);?>" - <?php if (strtolower($val) == $pconfig['frag3_policy']) echo "selected"; ?>> - <?=gettext($val);?></option> - <?php endforeach; ?> - </select> <?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") . - "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/> - <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/> + <table width="95%" align="left" id="frag3EnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=frag3_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import engine configuration from existing Aliases");?>"></a> + <a href="snort_frag3_engine.php?id=<?=$id?>&eng_id=<?=$frag3_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new engine configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['frag3_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_frag3_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this engine configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_frag3" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this engine configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default engine configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> </td> </tr> - <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td> + <tr id="stream5_row"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Target-Based Stream Reassembly"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> @@ -879,182 +962,155 @@ include_once("head.inc"); <?php echo gettext("Use Stream5 session reassembly for TCP, UDP and/or ICMP traffic. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> - <tr> + <tr id="stream5_flushonalert_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Flush On Alert"); ?></td> + <td width="78%" class="vtable"><input name="stream5_flush_on_alert" type="checkbox" value="on" + <?php if ($pconfig['stream5_flush_on_alert']=="on") echo "checked"; ?>> + <?php echo gettext("Flush a TCP stream when an alert is generated on that stream. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong><br/><span class=\"red\"><strong>" . + gettext("Note: ") . "</strong></span>" . gettext("This parameter is for backwards compatibility.");?></td> + </tr> + <tr id="stream5_prunelogmax_row"> + <td valign="top" class="vncell"><?php echo gettext("Prune Log Max"); ?></td> + <td class="vtable"> + <input name="stream5_prune_log_max" type="text" class="formfld unknown" id="stream5_prune_log_max" size="9" + value="<?=htmlspecialchars($pconfig['stream5_prune_log_max']);?>"> + <?php echo gettext("Prune Log Max Bytes. Minimum can be either ") . "<strong>0</strong>" . gettext(" (disabled), or if not disabled, ") . + "<strong>1024</strong>" . gettext(". Maximum is ") . "<strong>" . gettext("1073741824") . "</strong>";?>. + <?php echo gettext("Logs a message when a session terminates that was using more than the specified number of bytes. Default value is ") . + "<strong>1048576</strong>" . gettext(" bytes."); ?><br/> + </td> + </tr> + <tr id="stream5_proto_tracking_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol Tracking"); ?></td> <td width="78%" class="vtable"> <input name="stream5_track_tcp" type="checkbox" value="on" id="stream5_track_tcp" - <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?>> + <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?> onclick="stream5_track_tcp_enable_change();"> <?php echo gettext("Track and reassemble TCP sessions. Default is ") . "<strong>" . gettext("Checked") . "</strong>."; ?> <br/> <input name="stream5_track_udp" type="checkbox" value="on" id="stream5_track_udp" - <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?>> + <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?> onclick="stream5_track_udp_enable_change();"> <?php echo gettext("Track and reassemble UDP sessions. Default is ") . "<strong>" . gettext("Checked") . "</strong>."; ?> <br/> <input name="stream5_track_icmp" type="checkbox" value="on" id="stream5_track_icmp" - <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?>> + <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?> onclick="stream5_track_icmp_enable_change();"> <?php echo gettext("Track and reassemble ICMP sessions. Default is ") . "<strong>" . gettext("Not Checked") . "</strong>."; ?> </td> </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td> - <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on" - <?php if ($pconfig['stream5_require_3whs']=="on") echo "checked "; ?>> - <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") . - "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td> - <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on" - <?php if ($pconfig['stream5_no_reassemble_async']=="on") echo "checked "; ?>> - <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") . - "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td> - <td width="78%" class="vtable"> - <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on" - <?php if ($pconfig['stream5_dont_store_lg_pkts']=="on") echo "checked"; ?>> - <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") . - "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> - <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" . - gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?></td> - </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Max Queued Bytes"); ?></td> + <tr id="stream5_maxudp_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum UDP Sessions"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="max_queued_bytes" type="text" class="formfld" - id="max_queued_bytes" size="6" - value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>"> - <?php echo gettext("Minimum is <strong>1024</strong>, Maximum is <strong>1073741824</strong> " . - "( default value is <strong>1048576</strong>, <strong>0</strong> " . - "means Maximum )"); ?>.</td> - </tr> - </table> - <?php echo gettext("The number of bytes to be queued for reassembly for TCP sessions in " . - "memory. Default value is <strong>1048576</strong>"); ?>.<br/> + <input name="stream5_max_udp" type="text" class="formfld unknown" id="stream5_max_udp" size="9" + value="<?=htmlspecialchars($pconfig['stream5_max_udp']);?>"> + <?php echo gettext("Maximum concurrent UDP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>" . gettext("1048576") . "</strong>.";?><br/> + <?php echo gettext("Sets the maximum number of concurrent UDP sessions that will be tracked. Default value is ") . + "<strong>" . gettext("131072") . "</strong>."; ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Max Queued Segs"); ?></td> + <tr id="stream5_udp_sess_timeout_row"> + <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="max_queued_segs" type="text" class="formfld" - id="max_queued_segs" size="6" - value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>"> - <?php echo gettext("Minimum is <strong>2</strong>, Maximum is <strong>1073741824</strong> " . - "( default value is <strong>2621</strong>, <strong>0</strong> means " . - "Maximum )"); ?>.</td> - </tr> - </table> - <?php echo gettext("The number of segments to be queued for reassembly for TCP sessions " . - "in memory. Default value is <strong>2621</strong>"); ?>.<br/> + <input name="stream5_udp_timeout" type="text" class="formfld unknown" id="stream5_udp_timeout" size="9" + value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>"> + <?php echo gettext("UDP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>" . gettext("86400") . "</strong>" . gettext(" (1 day).");?><br/> + <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") . + "<strong>" . gettext("30") . "</strong>" . gettext(" seconds."); ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <tr id="stream5_maxicmp_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum ICMP Sessions"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_mem_cap" type="text" class="formfld" - id="stream5_mem_cap" size="6" - value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>"> - <?php echo gettext("Minimum is <strong>32768</strong>, Maximum is <strong>1073741824</strong> " . - "( default value is <strong>8388608</strong>) "); ?>.</td> - </tr> - </table> - <?php echo gettext("The memory cap in bytes for TCP packet storage " . - "in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?>.<br/> + <input name="stream5_max_icmp" type="text" class="formfld unknown" id="stream5_max_icmp" size="9" + value="<?=htmlspecialchars($pconfig['stream5_max_icmp']);?>"> + <?php echo gettext("Maximum concurrent ICMP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>" . gettext("1048576") . "</strong>.";?><br/> + <?php echo gettext("Sets the maximum number of concurrent ICMP sessions that will be tracked. Default value is ") . + "<strong>" . gettext("65536") . "</strong>."; ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> + <tr id="stream5_icmp_sess_timeout_row"> + <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_overlap_limit" type="text" class="formfld" - id="stream5_overlap_limit" size="6" - value="<?=htmlspecialchars($pconfig['stream5_overlap_limit']);?>"> - <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), and the maximum is ") . - "<strong>255</strong>."; ?></td> - </tr> - </table> - <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . - "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/> + <input name="stream5_icmp_timeout" type="text" class="formfld unknown" id="stream5_icmp_timeout" size="9" + value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>"> + <?php echo gettext("ICMP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>86400</strong>" . gettext(" (1 day).");?><br/> + <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") . + "<strong>" . gettext("30") . "</strong>" . gettext(" seconds."); ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("TCP Session Timeout"); ?></td> + <tr id="stream5_maxtcp_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum TCP Sessions"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_tcp_timeout" type="text" class="formfld" - id="stream5_tcp_timeout" size="6" - value="<?=htmlspecialchars($pconfig['stream5_tcp_timeout']);?>"> - <?php echo gettext("TCP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . - "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> - </tr> - </table> - <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") . - "<strong>30</strong>" . gettext(" seconds."); ?><br/> + <input name="stream5_max_tcp" type="text" class="formfld unknown" id="stream5_max_tcp" size="9" + value="<?=htmlspecialchars($pconfig['stream5_max_tcp']);?>"> + <?php echo gettext("Maximum concurrent TCP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>" . gettext("1048576") . "</strong>.";?><br/> + <?php echo gettext("Sets the maximum number of concurrent TCP sessions that will be tracked. Default value is ") . + "<strong>" . gettext("262144") . "</strong>."; ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td> + <tr id="stream5_tcp_memcap_row"> + <td valign="top" class="vncell"><?php echo gettext("TCP Memory Cap"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_udp_timeout" type="text" class="formfld" - id="stream5_udp_timeout" size="6" - value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>"> - <?php echo gettext("UDP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . - "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> - </tr> - </table> - <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") . - "<strong>30</strong>" . gettext(" seconds."); ?><br/> + <input name="stream5_mem_cap" type="text" class="formfld unknown" id="stream5_mem_cap" size="9" + value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>"> + <?php echo gettext("Memory for TCP packet storage. Min is ") . "<strong>" . gettext("32768") . "</strong>" . + gettext(" and Max is ") . "<strong>" . gettext("1073741824") . "</strong>" . + gettext(" bytes.");?><br/> + <?php echo gettext("The memory cap in bytes for TCP packet storage " . + "in RAM. Default value is ") . "<strong>" . gettext("8388608") . "</strong>" . gettext(" (8 MB)"); ?>.<br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td> + <tr id="stream5_tcp_engconf_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Engine Configuration"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_icmp_timeout" type="text" class="formfld" - id="stream5_icmp_timeout" size="6" - value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>"> - <?php echo gettext("ICMP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . - "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> - </tr> - </table> - <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") . - "<strong>30</strong>" . gettext(" seconds."); ?><br/> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("IP Target Policy"); ?></td> - <td width="78%" class="vtable"> - <select name="stream5_policy" class="formselect" id="stream5_policy"> - <?php - $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux', - 'Solaris', 'Vista', 'Windows', 'Win2003' ); - foreach ($profile as $val): ?> - <option value="<?=strtolower($val);?>" - <?php if (strtolower($val) == $pconfig['stream5_policy']) echo "selected"; ?>> - <?=gettext($val);?></option> - <?php endforeach; ?> - </select> <?php echo gettext("Choose the TCP reassembly target policy appropriate for the protected hosts. The default is ") . - "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/> - <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/> + <table width="95%" align="left" id="stream5EnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=stream5_tcp_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import TCP engine configuration from existing Aliases");?>"></a> + <a href="snort_stream5_engine.php?id=<?=$id?>&eng_id=<?=$stream5_tcp_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new TCP engine configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['stream5_tcp_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_stream5_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this TCP engine configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_stream5_tcp" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this TCP engine configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default engine configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Detection"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> @@ -1064,7 +1120,7 @@ include_once("head.inc"); <?php echo gettext("Use Portscan Detection to detect various types of port scans and sweeps. Default is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> </tr> - <tr> + <tr id="portscan_protocol_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol"); ?> </td> <td width="78%" class="vtable"> <select name="pscan_protocol" class="formselect" id="pscan_protocol"> @@ -1079,7 +1135,7 @@ include_once("head.inc"); "<strong>" . gettext("all") . "</strong>."; ?><br/> </td> </tr> - <tr> + <tr id="portscan_type_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Scan Type"); ?> </td> <td width="78%" class="vtable"> <select name="pscan_type" class="formselect" id="pscan_type"> @@ -1111,7 +1167,7 @@ include_once("head.inc"); </table> </td> </tr> - <tr> + <tr id="portscan_sensitivity_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td> <td width="78%" class="vtable"> <select name="pscan_sense_level" class="formselect" id="pscan_sense_level"> @@ -1140,13 +1196,13 @@ include_once("head.inc"); </table> </td> </tr> - <tr> + <tr id="portscan_memcap_row"> <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> - <td><input name="pscan_memcap" type="text" class="formfld" - id="pscan_memcap" size="6" + <td class="vexpl"><input name="pscan_memcap" type="text" class="formfld unknown" + id="pscan_memcap" size="9" value="<?=htmlspecialchars($pconfig['pscan_memcap']);?>"> <?php echo gettext("Maximum memory in bytes to allocate for portscan detection. ") . gettext("Default is ") . "<strong>" . gettext("10000000") . "</strong>" . @@ -1158,17 +1214,231 @@ include_once("head.inc"); "<strong>10,000,000</strong>" . gettext(" bytes. (10 MB)"); ?><br/> </td> </tr> - <tr> + <tr id="portscan_ignorescanners_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?></td> <td width="78%" class="vtable"> - <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" - value="<?=$pconfig['pscan_ignore_scanners'];?>"> <?php echo gettext("Leave blank for default. ") . - gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.<br/> - <?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?><br/> + <table width="95%" cellspacing="0" cellpadding="0" border="0"> + <tr> + <td class="vexpl"> + <input name="pscan_ignore_scanners" type="text" size="25" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" + value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>"> <?php echo gettext("Leave blank for default. ") . + gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.</td> + <td class="vexpl" align="right"> + <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&type=host|network&varname=pscan_ignore_scanners&act=import&multi_ip=yes&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?></td> + </tr> + </table> </td> </tr> + <tr id="ftp_telnet_row"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("FTP and Telnet Global Options"); ?></td> + </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on" + <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> onclick="ftp_telnet_enable_change();"> + <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_type"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspection Type"); ?> </td> + <td width="78%" class="vtable"> + <select name="ftp_telnet_inspection_type" class="formselect" id="ftp_telnet_inspection_type"> + <?php + $values = array('stateful', 'stateless'); + foreach ($values as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['ftp_telnet_inspection_type']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose to operate in stateful or stateless mode. Default is ") . + "<strong>" . gettext("stateful") . "</strong>."; ?><br/> + </td> + </tr> + <tr id="ftp_telnet_row_encrypted_check"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Check Encrypted Traffic"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_check_encrypted" type="checkbox" value="on" + <?php if ($pconfig['ftp_telnet_check_encrypted']=="on") echo "checked"; ?>> + <?php echo gettext("Continue to check an encrypted session for subsequent command to cease encryption. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_encrypted_alert"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert on Encrypted Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_alert_encrypted" type="checkbox" value="on" + <?php if ($pconfig['ftp_telnet_alert_encrypted']=="on") echo "checked"; ?>> + <?php echo gettext("Alert on encrypted FTP and Telnet command channels. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_telnet_proto_opts"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Telnet Protocol Options"); ?></td> + </tr> + <tr id="ftp_telnet_row_normalize"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalization"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_normalize" type="checkbox" value="on" + <?php if ($pconfig['ftp_telnet_normalize']=="on") echo "checked"; ?>> + <?php echo gettext("Normalize Telnet traffic by eliminating Telnet escape sequences. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_detect_anomalies"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_detect_anomalies" type="checkbox" value="on" + <?php if ($pconfig['ftp_telnet_detect_anomalies']=="on") echo "checked"; ?>> + <?php echo gettext("Alert on Telnet subnegotiation begin without corresponding subnegotiation end. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_ayt_threshold"> + <td valign="top" class="vncell"><?php echo gettext("AYT Attack Threshold"); ?></td> + <td class="vtable"> + <input name="ftp_telnet_ayt_attack_threshold" type="text" class="formfld unknown" id="ftp_telnet_ayt_attack_threshold" size="9" + value="<?=htmlspecialchars($pconfig['ftp_telnet_ayt_attack_threshold']);?>"> + <?php echo gettext("Are-You-There (AYT) command alert threshold. Enter ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" to disable. Default is ") . "<strong>" . gettext("20.") . "</strong>";?><br/> + <?php echo gettext("Alert when the number of consecutive Telnet AYT commands reaches the number specified.");?><br/> + </td> + </tr> + <tr id="ftp_telnet_row_ftp_proto_opts"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("FTP Protocol Options"); ?></td> + </tr> + <tr id="ftp_telnet_ftp_client_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Client Configuration"); ?></td> + <td class="vtable"> + <table width="95%" align="left" id="FTPclientEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=ftp_client_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import client configuration from existing Aliases");?>"></a> + <a href="snort_ftp_client_engine.php?id=<?=$id?>&eng_id=<?=$ftp_client_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new FTP client configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['ftp_client_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_ftp_client_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this FTP client configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this FTP client configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default client configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> + </td> + </tr> + <tr id="ftp_telnet_ftp_server_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Configuration"); ?></td> + <td class="vtable"> + <table width="95%" align="left" id="FTPserverEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=ftp_server_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"></a> + <a href="snort_ftp_server_engine.php?id=<?=$id?>&eng_id=<?=$ftp_server_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new FTP Server configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['ftp_server_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_ftp_server_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this FTP server configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this FTP server configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default server configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Sensitive Data Detection"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="78%" class="vtable"> + <input name="sensitive_data" type="checkbox" value="on" onclick="sensitive_data_enable_change();" + <?php if ($pconfig['sensitive_data'] == "on") + echo "checked"; + elseif ($vrt_enabled == "off") + echo "disabled"; + ?>> + <?php echo gettext("Sensitive data searches for credit card numbers, Social Security numbers and e-mail addresses in data."); ?> + <br/> + <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the ") . + "<a href=\"/snort/snort_interfaces_global.php\" title=\"" . gettext("Modify Snort global settings") . "\"/>" . gettext("Global Settings") . "</a>" . gettext(" tab."); ?> + </td> + </tr> + <tr id="sdf_alert_data_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect for"); ?> </td> + <td width="78%" class="vtable"> + <select name="sdf_alert_data_type[]" class="formselect" id="sdf_alert_data_type" size="4" multiple="multiple"> + <?php + $values = array('Credit Card', 'Email Addresses', 'U.S. Phone Numbers', 'U.S. Social Security Numbers'); + foreach ($values as $val): ?> + <option value="<?=$val;?>" + <?php if (preg_match("/$val/",$pconfig['sdf_alert_data_type'])) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select><br/><?php echo gettext("Choose which types of sensitive data to detect. Use CTRL + Click for multiple selections."); ?><br/> + </td> + </tr> + <tr id="sdf_alert_threshold_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Threshold"); ?></td> + <td width="78%" class="vtable"><input name="sdf_alert_threshold" type="text" class="formfld unknown" id="sdf_alert_threshold" size="9" value="<?=htmlspecialchars($pconfig['sdf_alert_threshold']);?>"> + <?php echo gettext("Personally Identifiable Information (PII) combination alert threshold.");?><br/> + <?php echo gettext("This value sets the number of PII combinations required to trigger an alert. This should be set higher than the highest individual count in your \"sd_pattern\" rules. Default value is ") . + "<strong>" . gettext("25") . "</strong>.";?> + </td> + </tr> + <tr id="sdf_mask_output_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Mask Output"); ?></td> + <td width="78%" class="vtable"> + <input name="sdf_mask_output" type="checkbox" value="on" + <?php if ($pconfig['sdf_mask_output'] == "on") + echo "checked"; + ?>> + <?php echo gettext("Replace all but last 4 digits of PII with \"X\"s on credit card and Social Security Numbers. ") . + gettext("Default is ") . "<strong>" . gettext("Not Checked") . "</strong>."; ?> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessors"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable RPC Decode and Back Orifice detector"); ?></td> @@ -1178,13 +1448,6 @@ include_once("head.inc"); "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable FTP and Telnet Normalizer"); ?></td> - <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on" - <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?>> - <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> - </tr> - <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable POP Normalizer"); ?></td> <td width="78%" class="vtable"><input name="pop_preproc" type="checkbox" value="on" <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>> @@ -1216,7 +1479,7 @@ include_once("head.inc"); <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SIP Detection"); ?></td> <td width="78%" class="vtable"><input name="sip_preproc" type="checkbox" value="on" <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>> - <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities. Default is ") . + <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> @@ -1235,7 +1498,7 @@ include_once("head.inc"); <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNS Detection"); ?></td> <td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on" <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>> - <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects vulnerabilities. Default is ") . + <?php echo gettext("The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> @@ -1247,21 +1510,7 @@ include_once("head.inc"); "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Sensitive Data"); ?></td> - <td width="78%" class="vtable"> - <input name="sensitive_data" type="checkbox" value="on" - <?php if ($pconfig['sensitive_data'] == "on") - echo "checked"; - elseif ($vrt_enabled == "off") - echo "disabled"; - ?>> - <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?> - <br/> - <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?> - </td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SCADA Preprocessor Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SCADA Preprocessors"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Modbus Detection"); ?></td> @@ -1315,6 +1564,9 @@ include_once("head.inc"); if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; @@ -1332,6 +1584,8 @@ include_once("head.inc"); function createAutoSuggest() { <?php echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n"; + echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_net'), new StateSuggestions(addressarray));\n"; + echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_port'), new StateSuggestions(portsarray));\n"; ?> } @@ -1348,41 +1602,125 @@ function frag3_enable_change() { } } var endis = !(document.iform.frag3_detection.checked); - document.iform.frag3_overlap_limit.disabled=endis; - document.iform.frag3_min_frag_len.disabled=endis; - document.iform.frag3_policy.disabled=endis; - document.iform.frag3_max_frags.disabled=endis; - document.iform.frag3_memcap.disabled=endis; - document.iform.frag3_timeout.disabled=endis; + + // Hide the "config engines" table if Frag3 disabled + if (endis) { + document.getElementById("frag3_engconf_row").style.display="none"; + document.getElementById("frag3_memcap_row").style.display="none"; + document.getElementById("frag3_maxfrags_row").style.display="none"; + } + else { + document.getElementById("frag3_engconf_row").style.display="table-row"; + document.getElementById("frag3_memcap_row").style.display="table-row"; + document.getElementById("frag3_maxfrags_row").style.display="table-row"; + } } function host_attribute_table_enable_change() { var endis = !(document.iform.host_attribute_table.checked); - document.iform.host_attribute_file.disabled=endis; - document.iform.btn_import.disabled=endis; - document.iform.btn_edit_hat.disabled=endis; - document.iform.max_attribute_hosts.disabled=endis; - document.iform.max_attribute_services_per_host.disabled=endis; + + // Hide "Host Attribute Table" config rows if HAT disabled + if (endis) { + document.getElementById("host_attrib_table_data_row").style.display="none"; + document.getElementById("host_attrib_table_maxhosts_row").style.display="none"; + document.getElementById("host_attrib_table_maxsvcs_row").style.display="none"; + } + else { + document.getElementById("host_attrib_table_data_row").style.display="table-row"; + document.getElementById("host_attrib_table_maxhosts_row").style.display="table-row"; + document.getElementById("host_attrib_table_maxsvcs_row").style.display="table-row"; + } +} + +function stream5_track_tcp_enable_change() { + var endis = !(document.iform.stream5_track_tcp.checked); + + // Hide the "tcp_memcap and tcp_engconf" rows if stream5_track_tcp disabled + if (endis) { + document.getElementById("stream5_maxtcp_row").style.display="none"; + document.getElementById("stream5_tcp_memcap_row").style.display="none"; + document.getElementById("stream5_tcp_engconf_row").style.display="none"; + } + else { + document.getElementById("stream5_maxtcp_row").style.display="table-row"; + document.getElementById("stream5_tcp_memcap_row").style.display="table-row"; + document.getElementById("stream5_tcp_engconf_row").style.display="table-row"; + } +} + +function stream5_track_udp_enable_change() { + var endis = !(document.iform.stream5_track_udp.checked); + + // Hide the "udp session timeout " row if stream5_track_udp disabled + if (endis) { + var msg = "WARNING: Stream5 UDP tracking is required by the Session Initiation Protocol (SIP) preprocessor! "; + msg = msg + "The SIP preprocessor will be automatically disabled if Stream5 UDP tracking is disabled.\n\n"; + msg = msg + "Snort may fail to start because of rule options dependent on the SIP preprocessor. "; + msg = msg + "Are you sure you want to disable Stream5 UDP tracking?\n\n"; + msg = msg + "Click OK to disable Stream5 UDP tracking, or CANCEL to quit."; + if (!confirm(msg)) + return; + document.iform.sip_preproc.checked=false; + document.getElementById("stream5_maxudp_row").style.display="none"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="none"; + } + else { + document.getElementById("stream5_maxudp_row").style.display="table-row"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row"; + } +} + +function stream5_track_icmp_enable_change() { + var endis = !(document.iform.stream5_track_icmp.checked); + + // Hide the "icmp session timeout " row if stream5_track_icmp disabled + if (endis) { + document.getElementById("stream5_maxicmp_row").style.display="none"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="none"; + } + else { + document.getElementById("stream5_maxicmp_row").style.display="table-row"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row"; + } } function http_inspect_enable_change() { var endis = !(document.iform.http_inspect.checked); - document.iform.http_inspect_enable_xff.disabled=endis; - document.iform.server_flow_depth.disabled=endis; - document.iform.client_flow_depth.disabled=endis; - document.iform.http_server_profile.disabled=endis; document.iform.http_inspect_memcap.disabled=endis; - document.iform.http_inspect_log_uri.disabled=endis; - document.iform.http_inspect_log_hostname.disabled=endis; + + // Hide the "icmp session timeout " row if stream5_track_icmp disabled + if (endis) { + document.getElementById("httpinspect_memcap_row").style.display="none"; + document.getElementById("httpinspect_maxgzipmem_row").style.display="none"; + document.getElementById("httpinspect_proxyalert_row").style.display="none"; + document.getElementById("httpinspect_engconf_row").style.display="none"; + } + else { + document.getElementById("httpinspect_memcap_row").style.display="table-row"; + document.getElementById("httpinspect_maxgzipmem_row").style.display="table-row"; + document.getElementById("httpinspect_proxyalert_row").style.display="table-row"; + document.getElementById("httpinspect_engconf_row").style.display="table-row"; + } } function sf_portscan_enable_change() { var endis = !(document.iform.sf_portscan.checked); - document.iform.pscan_protocol.disabled=endis; - document.iform.pscan_type.disabled=endis; - document.iform.pscan_memcap.disabled=endis; - document.iform.pscan_sense_level.disabled=endis; - document.iform.pscan_ignore_scanners.disabled=endis; + + // Hide the portscan configuration rows if sf_portscan disabled + if (endis) { + document.getElementById("portscan_protocol_row").style.display="none"; + document.getElementById("portscan_type_row").style.display="none"; + document.getElementById("portscan_sensitivity_row").style.display="none"; + document.getElementById("portscan_memcap_row").style.display="none"; + document.getElementById("portscan_ignorescanners_row").style.display="none"; + } + else { + document.getElementById("portscan_protocol_row").style.display="table-row"; + document.getElementById("portscan_type_row").style.display="table-row"; + document.getElementById("portscan_sensitivity_row").style.display="table-row"; + document.getElementById("portscan_memcap_row").style.display="table-row"; + document.getElementById("portscan_ignorescanners_row").style.display="table-row"; + } } function stream5_enable_change() { @@ -1417,43 +1755,129 @@ function stream5_enable_change() { } var endis = !(document.iform.stream5_reassembly.checked); - document.iform.max_queued_bytes.disabled=endis; - document.iform.max_queued_segs.disabled=endis; - document.iform.stream5_mem_cap.disabled=endis; - document.iform.stream5_policy.disabled=endis; - document.iform.stream5_overlap_limit.disabled=endis; - document.iform.stream5_no_reassemble_async.disabled=endis; - document.iform.stream5_dont_store_lg_pkts.disabled=endis; - document.iform.stream5_tcp_timeout.disabled=endis; - document.iform.stream5_udp_timeout.disabled=endis; - document.iform.stream5_icmp_timeout.disabled=endis; + + // Hide the "stream5 conf" rows if stream5 disabled + if (endis) { + document.getElementById("stream5_tcp_memcap_row").style.display="none"; + document.getElementById("stream5_tcp_engconf_row").style.display="none"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_proto_tracking_row").style.display="none"; + document.getElementById("stream5_flushonalert_row").style.display="none"; + document.getElementById("stream5_prunelogmax_row").style.display="none"; + } + else { + document.getElementById("stream5_tcp_memcap_row").style.display="table-row"; + document.getElementById("stream5_tcp_engconf_row").style.display="table-row"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_proto_tracking_row").style.display="table-row"; + document.getElementById("stream5_flushonalert_row").style.display="table-row"; + document.getElementById("stream5_prunelogmax_row").style.display="table-row"; + } +} + +function ftp_telnet_enable_change() { + var endis = !(document.iform.ftp_preprocessor.checked); + + // Hide the ftp_telnet configuration rows if ftp_telnet disabled + if (endis) { + document.getElementById("ftp_telnet_row_type").style.display="none"; + document.getElementById("ftp_telnet_row_encrypted_alert").style.display="none"; + document.getElementById("ftp_telnet_row_encrypted_check").style.display="none"; + document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="none"; + document.getElementById("ftp_telnet_row_normalize").style.display="none"; + document.getElementById("ftp_telnet_row_detect_anomalies").style.display="none"; + document.getElementById("ftp_telnet_row_ayt_threshold").style.display="none"; + document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="none"; + document.getElementById("ftp_telnet_ftp_client_row").style.display="none"; + document.getElementById("ftp_telnet_ftp_server_row").style.display="none"; + } + else { + document.getElementById("ftp_telnet_row_type").style.display="table-row"; + document.getElementById("ftp_telnet_row_encrypted_alert").style.display="table-row"; + document.getElementById("ftp_telnet_row_encrypted_check").style.display="table-row"; + document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="table-row"; + document.getElementById("ftp_telnet_row_normalize").style.display="table-row"; + document.getElementById("ftp_telnet_row_detect_anomalies").style.display="table-row"; + document.getElementById("ftp_telnet_row_ayt_threshold").style.display="table-row"; + document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="table-row"; + document.getElementById("ftp_telnet_ftp_client_row").style.display="table-row"; + document.getElementById("ftp_telnet_ftp_server_row").style.display="table-row"; + } +} + +function sensitive_data_enable_change() { + var endis = !(document.iform.sensitive_data.checked); + + // Hide the sensitive_data configuration rows if sensitive_data disabled + if (endis) { + document.getElementById("sdf_alert_threshold_row").style.display="none"; + document.getElementById("sdf_mask_output_row").style.display="none"; + document.getElementById("sdf_alert_data_row").style.display="none"; + + } + else { + document.getElementById("sdf_alert_threshold_row").style.display="table-row"; + document.getElementById("sdf_mask_output_row").style.display="table-row"; + document.getElementById("sdf_alert_data_row").style.display="table-row"; + } } function enable_change_all() { http_inspect_enable_change(); sf_portscan_enable_change(); - // Enable/Disable Frag3 settings + // -- Enable/Disable Host Attribute Table settings -- + host_attribute_table_enable_change(); + + // -- Enable/Disable Frag3 settings -- var endis = !(document.iform.frag3_detection.checked); - document.iform.frag3_overlap_limit.disabled=endis; - document.iform.frag3_min_frag_len.disabled=endis; - document.iform.frag3_policy.disabled=endis; - document.iform.frag3_max_frags.disabled=endis; - document.iform.frag3_memcap.disabled=endis; - document.iform.frag3_timeout.disabled=endis; - - // Enable/Disable Stream5 settings + // Hide the "config engines" table if Frag3 disabled + if (endis) { + document.getElementById("frag3_engconf_row").style.display="none"; + document.getElementById("frag3_memcap_row").style.display="none"; + document.getElementById("frag3_maxfrags_row").style.display="none"; + } + else { + document.getElementById("frag3_engconf_row").style.display="table-row"; + document.getElementById("frag3_memcap_row").style.display="table-row"; + document.getElementById("frag3_maxfrags_row").style.display="table-row"; + } + + // -- Enable/Disable Stream5 settings -- endis = !(document.iform.stream5_reassembly.checked); - document.iform.max_queued_bytes.disabled=endis; - document.iform.max_queued_segs.disabled=endis; - document.iform.stream5_mem_cap.disabled=endis; - document.iform.stream5_policy.disabled=endis; - document.iform.stream5_overlap_limit.disabled=endis; - document.iform.stream5_no_reassemble_async.disabled=endis; - document.iform.stream5_dont_store_lg_pkts.disabled=endis; - document.iform.stream5_tcp_timeout.disabled=endis; - document.iform.stream5_udp_timeout.disabled=endis; - document.iform.stream5_icmp_timeout.disabled=endis; + // Hide the "stream5 conf" rows if stream5 disabled + if (endis) { + document.getElementById("stream5_tcp_memcap_row").style.display="none"; + document.getElementById("stream5_tcp_engconf_row").style.display="none"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_proto_tracking_row").style.display="none"; + document.getElementById("stream5_flushonalert_row").style.display="none"; + document.getElementById("stream5_prunelogmax_row").style.display="none"; + document.getElementById("stream5_maxtcp_row").style.display="none"; + document.getElementById("stream5_maxudp_row").style.display="none"; + document.getElementById("stream5_maxicmp_row").style.display="none"; + } + else { + document.getElementById("stream5_tcp_memcap_row").style.display="table-row"; + document.getElementById("stream5_tcp_engconf_row").style.display="table-row"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_proto_tracking_row").style.display="table-row"; + document.getElementById("stream5_flushonalert_row").style.display="table-row"; + document.getElementById("stream5_prunelogmax_row").style.display="table-row"; + document.getElementById("stream5_maxtcp_row").style.display="table-row"; + document.getElementById("stream5_maxudp_row").style.display="table-row"; + document.getElementById("stream5_maxicmp_row").style.display="table-row"; + } + // Set other stream5 initial conditions + stream5_track_tcp_enable_change(); + stream5_track_udp_enable_change(); + stream5_track_icmp_enable_change(); + ftp_telnet_enable_change(); + sensitive_data_enable_change(); } function wopen(url, name, w, h) diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index c9d90597..0434f88f 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -33,7 +33,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g, $flowbit_rules_file, $rebuild_rules; +global $g, $rebuild_rules; $snortdir = SNORTDIR; $rules_map = array(); @@ -106,6 +106,7 @@ function add_title_attribute($tag, $title) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; +$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; $categories = explode("||", $pconfig['rulesets']); @@ -117,7 +118,7 @@ else if ($_POST['openruleset']) else $currentruleset = $categories[0]; -if (empty($categories[0]) && ($currentruleset != "custom.rules")) { +if (empty($categories[0]) && ($currentruleset != "custom.rules") && ($currentruleset != "Auto-Flowbit Rules")) { if (!empty($a_rule[$id]['ips_policy'])) $currentruleset = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); else @@ -133,6 +134,9 @@ $ruledir = "{$snortdir}/rules"; $rulefile = "{$ruledir}/{$currentruleset}"; if ($currentruleset != 'custom.rules') { // Read the current rules file into our rules map array. + // If it is the auto-flowbits file, set the full path. + if ($currentruleset == "Auto-Flowbit Rules") + $rulefile = "{$snortcfgdir}/rules/" . FLOWBITS_FILENAME; // Test for the special case of an IPS Policy file. if (substr($currentruleset, 0, 10) == "IPS Policy") $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); @@ -193,8 +197,6 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { write_config(); $_GET['openruleset'] = $currentruleset; -// header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); -// exit; $anchor = "rule_{$sid}"; } @@ -334,7 +336,7 @@ if ($_POST['customrules']) { $rebuild_rules = false; $output = ""; $retcode = ""; - exec("snort -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -T 2>&1", $output, $retcode); + exec("/usr/local/bin/snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode); if (intval($retcode) != 0) { $error = ""; $start = count($output); @@ -377,7 +379,7 @@ require_once("guiconfig.inc"); include_once("head.inc"); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: {$if_friendly} Category: $currentruleset"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Rules: {$currentruleset}"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> @@ -436,6 +438,8 @@ if ($savemsg) { $files = explode("||", $pconfig['rulesets']); if ($a_rule[$id]['ips_policy_enable'] == 'on') $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); + if ($a_rule[$id]['autoflowbitrules'] == 'on') + $files[] = "Auto-Flowbit Rules"; natcasesort($files); foreach ($files as $value) { if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_") @@ -517,6 +521,17 @@ if ($savemsg) { title='" . gettext("Click to enable all rules in the selected category") . "'></a>"?> <?php echo gettext("Enable all rules in the current Category"); ?></td> </tr> + <?php if ($currentruleset == 'Auto-Flowbit Rules'): ?> + <tr> + <td colspan="3"> </td> + </tr> + <tr> + <td colspan="3" class="vexpl" align="center"><?php echo "<span class=\"red\"><b>" . gettext("WARNING: ") . "</b></span>" . + gettext("You should not disable flowbit rules! Add Suppress List entries for them instead by ") . + "<a href='snort_rules_flowbits.php?id={$id}&openruleset={$currentruleset}&returl=" . urlencode($_SERVER['PHP_SELF']) . "' title=\"" . gettext("Add Suppress List entry for Flowbit Rule") . "\">" . + gettext("clicking here") . ".</a>";?></td> + </tr> + <?php endif;?> </table> </td> </tr> @@ -564,27 +579,32 @@ if ($savemsg) { foreach ($rulem as $k2 => $v) { $sid = snort_get_sid($v['rule']); $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$sid])) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_reject_d.gif"; $disable_cnt++; + $title = gettext("Disabled by user. Click to toggle to enabled state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_block_d.gif"; $disable_cnt++; + $title = gettext("Disabled by default. Click to toggle to enabled state"); } elseif (isset($enablesid[$sid])) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; + $title = gettext("Enabled by user. Click to toggle to disabled state"); } else { $textss = $textse = ""; $iconb = "icon_block.gif"; $enable_cnt++; + $title = gettext("Enabled by default. Click to toggle to disabled state"); } // Pick off the first section of the rule (prior to the start of the MSG field), @@ -611,7 +631,7 @@ if ($savemsg) { <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'> <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\" - title='" . gettext("Click to toggle enabled/disabled state") . "'></a> + title='{$title}'></a> $textse </td> <td class=\"listlr\" align=\"center\"> @@ -638,8 +658,8 @@ if ($savemsg) { ?> <td align="right" valign="middle" nowrap class="listt"> <a href="javascript: void(0)" - onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" title="<?php echo gettext("Click to view the entire rule text"); ?>" width="17" height="17" border="0"></a> </td> </tr> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index a1f45c07..c0087464 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -37,7 +37,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $flowbit_rules_file; +$flowbit_rules_file = FLOWBITS_FILENAME; $snortdir = SNORTDIR; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { @@ -60,10 +60,17 @@ if (isset($id) && $a_rule[$id]) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; +$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $file = $_GET['openruleset']; $contents = ''; $wrap_flag = "off"; +// Correct displayed file title if necessary +if ($file == "Auto-Flowbit Rules") + $displayfile = FLOWBITS_FILENAME; +else + $displayfile = $file; + // Read the contents of the argument passed to us. // It may be an IPS policy string, an individual SID, // a standard rules file, or a complete file name. @@ -87,13 +94,18 @@ if (substr($file, 0, 10) == "IPS Policy") { } // Is it a SID to load the rule text from? elseif (isset($_GET['ids'])) { - $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); + // If flowbit rule, point to interface-specific file + if ($file == "Auto-Flowbit Rules") + $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME); + else + $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; $wrap_flag = "soft"; } + // Is it our special flowbit rules file? -elseif ($file == $flowbit_rules_file) - $contents = file_get_contents("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); +elseif ($file == "Auto-Flowbit Rules") + $contents = file_get_contents("{$snortcfgdir}/rules/{$flowbit_rules_file}"); // Is it a rules file in the ../rules/ directory? elseif (file_exists("{$snortdir}/rules/{$file}")) $contents = file_get_contents("{$snortdir}/rules/{$file}"); @@ -101,10 +113,8 @@ elseif (file_exists("{$snortdir}/rules/{$file}")) elseif (file_exists($file)) $contents = file_get_contents($file); // It is not something we can display, so exit. -else { - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$file}"); - exit; -} +else + $input_errors[] = gettext("Unable to open file: {$displayfile}"); $pgtitle = array(gettext("Snort"), gettext("File Viewer")); ?> @@ -128,7 +138,7 @@ $pgtitle = array(gettext("Snort"), gettext("File Viewer")); <input type="button" class="formbtn" value="Return" onclick="window.close()"> </td> <td align="right"> - <b><?php echo gettext("Rules File: ") . '</b> ' . $file; ?> + <b><?php echo gettext("Rules File: ") . '</b> ' . $displayfile; ?> </td> </tr> <tr> diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php index 7a653af8..325276ee 100644 --- a/config/snort/snort_rules_flowbits.php +++ b/config/snort/snort_rules_flowbits.php @@ -1,16 +1,7 @@ <?php /* * snort_rules_flowbits.php - * Copyright (C) 2004 Scott Ullrich - * Copyright (C) 2011-2012 Ermal Luci - * All rights reserved. - * - * originially part of m0n0wall (http://m0n0.ch/wall) - * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. - * All rights reserved. - * - * modified for the pfsense snort package - * Copyright (C) 2009-2010 Robert Zelaya. + * Copyright (C) 2013 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -50,10 +41,35 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) { } $a_nat = &$config['installedpackages']['snortglobal']['rule']; +// Set who called us so we can return to the correct page with +// the RETURN button. Save the original referrer and the query +// string in session variables. +session_start(); +if (!isset($_SESSION['org_referrer']) || isset($_GET['returl'])) { + $_SESSION['org_referrer'] = urldecode($_GET['returl']); + $_SESSION['org_querystr'] = $_SERVER['QUERY_STRING']; +} +$referrer = $_SESSION['org_referrer']; +$querystr = $_SESSION['org_querystr']; +session_write_close(); + +if ($_POST['cancel']) { + session_start(); + unset($_SESSION['org_referrer']); + unset($_SESSION['org_querystr']); + session_write_close(); + header("Location: {$referrer}?{$querystr}"); + exit; +} + $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; if (is_null($id)) { + session_start(); + unset($_SESSION['org_referrer']); + unset($_SESSION['org_querystr']); + session_write_close(); header("Location: /snort/snort_interfaces.php"); exit; } @@ -88,14 +104,15 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ if (empty($a_nat[$id]['suppresslistname']) || $a_nat[$id]['suppresslistname'] == 'default') { $s_list = array(); - $s_list['name'] = $a_nat[$id]['interface'] . "suppress"; $s_list['uuid'] = uniqid(); - $s_list['descr'] = "Auto-generated list for alert suppression"; + $s_list['name'] = $a_nat[$id]['interface'] . "suppress" . "_" . $s_list['uuid']; + $s_list['descr'] = "Auto-generated list for Alert suppression"; $s_list['suppresspassthru'] = base64_encode($suppress); $a_suppress[] = $s_list; $a_nat[$id]['suppresslistname'] = $s_list['name']; $found_list = true; } else { + /* If we get here, a Suppress List is defined for the interface so see if we can find it */ foreach ($a_suppress as $a_id => $alist) { if ($alist['name'] == $a_nat[$id]['suppresslistname']) { $found_list = true; @@ -105,6 +122,10 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ $alist['suppresspassthru'] = base64_encode($tmplist); $a_suppress[$a_id] = $alist; } + else { + $alist['suppresspassthru'] = base64_encode($suppress); + $a_suppress[$a_id] = $alist; + } } } } @@ -112,7 +133,8 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ write_config(); $rebuild_rules = false; sync_snort_package_config(); - $savemsg = gettext("Wrote suppress rule for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' to the '{$a_nat[$id]['suppresslistname']}' Suppression List."); + snort_reload_config($a_nat[$id]); + $savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'."); } else { /* We did not find the defined list, so notify the user with an error */ @@ -137,7 +159,7 @@ function truncate($string, $length) { $supplist = snort_load_suppress_sigs($a_nat[$id]); $if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); -$pgtitle = "Services: Snort: {$if_friendly} Flowbit Rules"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Flowbit Rules"); include_once("head.inc"); ?> @@ -179,8 +201,9 @@ if ($savemsg) <tr> <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus.gif" width='12' height='12' border='0'/></td> <td><span class="vexpl"><?php echo gettext("Alert is Not Suppressed"); ?></span></td> - <td rowspan="3" align="right"><input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php - echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/></td> + <td rowspan="3" align="right"><input id="cancel" name="cancel" type="submit" class="formbtn" <?php + echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> + <input name="id" type="hidden" value="<?=$id;?>" /></td> </tr> <tr> <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus_d.gif" width='12' height='12' border='0'/></td> @@ -272,7 +295,7 @@ if ($savemsg) <?php if ($count > 20): ?> <tr> <td align="center" valign="middle"> - <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php + <input id="cancel" name="cancel" type="submit" class="formbtn" <?php echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> <input name="id" type="hidden" value="<?=$id;?>" /> </td> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 7ec0edbd..62b68a1b 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -63,6 +63,7 @@ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_nat[$id]['uuid']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules']; $no_emerging_files = false; @@ -70,13 +71,20 @@ $no_snort_files = false; $no_community_files = false; /* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */ -$test = glob("{$snortdir}/rules/emerging-*.rules"); +if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') { + $test = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules"); + $et_type = "ET Open"; +} +elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) { + $test = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules"); + $et_type = "ET Pro"; +} if (empty($test)) $no_emerging_files = true; -$test = glob("{$snortdir}/rules/snort_*.rules"); +$test = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules"); if (empty($test)) $no_snort_files = true; -if (!file_exists("{$snortdir}/rules/GPLv2_community.rules")) +if (!file_exists("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules")) $no_community_files = true; if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on')) @@ -184,19 +192,25 @@ if ($_POST['selectall']) { } if ($emergingdownload == 'on') { - $files = glob("{$snortdir}/rules/emerging*.rules"); + $files = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules"); + foreach ($files as $file) + $rulesets[] = basename($file); + } + elseif ($etpro == 'on') { + $files = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } + if ($snortcommunitydownload == 'on') { - $files = glob("{$snortdir}/rules/*_community.rules"); + $files = glob("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules"); foreach ($files as $file) $rulesets[] = basename($file); } /* Include the Snort VRT rules only if enabled and no IPS policy is set */ if ($snortdownload == 'on' && $a_nat[$id]['ips_policy_enable'] == 'off') { - $files = glob("{$snortdir}/rules/snort*.rules"); + $files = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } @@ -213,7 +227,7 @@ if ($_POST['selectall']) { $enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly} Categories"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Categories"); include_once("head.inc"); ?> @@ -299,7 +313,7 @@ if ($savemsg) { </tr> <tr> <td colspan="6" valign="center" class="listn"> - <table width="100%" border="0" cellpadding="2" cellspacing="2"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td> <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" @@ -316,13 +330,13 @@ if ($savemsg) { </tr> <tr> <td width="15%" class="listn"><?php echo gettext("Auto Flowbit Rules"); ?></td> - <td width="85%"><input type="button" class="formbtns" value="View" onclick="parent.location='snort_rules_flowbits.php?id=<?=$id;?>'" <?php echo $btn_view_flowb_rules; ?>/> + <td width="85%"><input type="button" class="formbtns" value="View" onclick="parent.location='snort_rules_flowbits.php?id=<?=$id;?>&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" <?php echo $btn_view_flowb_rules; ?>/> <span class="vexpl"><?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit dependencies"); ?></span></td> </tr> <tr> <td width="15%"> </td> <td width="85%"> - <?php printf(gettext("%sNote: %sAuto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."), '<span class="red"><strong>', '</strong></span>'); ?> + <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("Auto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."); ?> <br/></td> </tr> </table> @@ -333,23 +347,23 @@ if ($savemsg) { </tr> <tr> <td colspan="6" valign="center" class="listn"> - <table width="100%" border="0" cellpadding="2" cellspacing="2"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td> <td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?> <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/> <span class="vexpl"> - <?php echo gettext("If checked, Snort will use rules from the pre-defined IPS policy selected below."); ?></span></td> + <?php echo gettext("If checked, Snort will use rules from one of three pre-defined IPS policies."); ?></span></td> </tr> <tr> - <td width="15%" class="vncell"> </td> - <td width="85%" class="vtable"> - <?php printf(gettext("%sNote:%s You must be using the Snort VRT rules to use this option."),'<span class="red"><strong>','</strong></span>'); ?> + <td width="15%" class="vncell" id="ips_col1"> </td> + <td width="85%" class="vtable" id="ips_col2"> + <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("You must be using the Snort VRT rules to use this option."); ?> <?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " . "although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " . "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br/></td> </tr> - <tr> - <td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td> + <tr id="ips_row1"> + <td width="15%" class="listn"><?php echo gettext("IPS Policy Selection"); ?></td> <td width="85%"><select name="ips_policy" class="formselect" <?=$policy_select_disable?> > <option value="connectivity" <?php if ($pconfig['ips_policy'] == "connected") echo "selected"; ?>><?php echo gettext("Connectivity"); ?></option> <option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option> @@ -357,7 +371,7 @@ if ($savemsg) { </select> <span class="vexpl"><?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security."); ?></span></td> </tr> - <tr> + <tr id="ips_row2"> <td width="15%"> </td> <td width="85%"> <?php echo gettext("Connectivity blocks most major threats with few or no false positives. " . @@ -387,22 +401,23 @@ if ($savemsg) { $msg_community = "NOTE: Snort Community Rules have not been downloaded. Perform a Rules Update to enable them."; else $msg_community = "Snort GPLv2 Community Rules (VRT certified)"; + $community_rules_file = GPL_FILE_PREFIX . "community.rules"; ?> <?php if ($snortcommunitydownload == 'on'): ?> <tr id="frheader"> <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> <td colspan="5" class="listhdrr"><?php echo gettext('Ruleset: Snort GPLv2 Community Rules');?></td> </tr> - <?php if (in_array("GPLv2_community.rules", $enabled_rulesets_array)): ?> + <?php if (in_array($community_rules_file, $enabled_rulesets_array)): ?> <tr> <td width="5" class="listr" align="center" valign="top"> - <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" checked="checked"/></td> - <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=GPLv2_community.rules'><?php echo gettext("{$msg_community}"); ?></a></td> + <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" checked="checked"/></td> + <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a></td> </tr> <?php else: ?> <tr> <td width="5" class="listr" align="center" valign="top"> - <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td> + <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td> <td colspan="5" class="listr"><?php echo gettext("{$msg_community}"); ?></td> </tr> @@ -421,9 +436,12 @@ if ($savemsg) { <tr id="frheader"> <?php if ($emergingdownload == 'on' && !$no_emerging_files): ?> <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Open Rules');?></td> + <?php elseif ($etpro == 'on' && !$no_emerging_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Pro Rules');?></td> <?php else: ?> - <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td> + <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("{$et_type} rules not {$msg_emerging}"); ?></td> <?php endif; ?> <?php if ($snortdownload == 'on' && !$no_snort_files): ?> <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> @@ -446,9 +464,11 @@ if ($savemsg) { $filename = basename($filename); if (substr($filename, -5) != "rules") continue; - if (strstr($filename, "emerging") && $emergingdownload == 'on') + if (strstr($filename, ET_OPEN_FILE_PREFIX) && $emergingdownload == 'on') + $emergingrules[] = $filename; + else if (strstr($filename, ET_PRO_FILE_PREFIX) && $etpro == 'on') $emergingrules[] = $filename; - else if (strstr($filename, "snort") && $snortdownload == 'on') { + else if (strstr($filename, VRT_FILE_PREFIX) && $snortdownload == 'on') { if (strstr($filename, ".so.rules")) $snortsorules[] = $filename; else @@ -574,6 +594,18 @@ function enable_change() var endis = !(document.iform.ips_policy_enable.checked); document.iform.ips_policy.disabled=endis; + if (endis) { + document.getElementById("ips_row1").style.display="none"; + document.getElementById("ips_row2").style.display="none"; + document.getElementById("ips_col1").className="vexpl"; + document.getElementById("ips_col2").className="vexpl"; + } + else { + document.getElementById("ips_row1").style.display="table-row"; + document.getElementById("ips_row2").style.display="table-row"; + document.getElementById("ips_col1").className="vncell"; + document.getElementById("ips_col2").className="vtable"; + } for (var i = 0; i < document.iform.elements.length; i++) { if (document.iform.elements[i].type == 'checkbox') { var str = document.iform.elements[i].value; @@ -582,6 +614,10 @@ function enable_change() } } } + +// Set initial state of dynamic HTML form controls +enable_change(); + </script> </body> diff --git a/config/snort/snort_select_alias.php b/config/snort/snort_select_alias.php new file mode 100644 index 00000000..c5c6347e --- /dev/null +++ b/config/snort/snort_select_alias.php @@ -0,0 +1,234 @@ +<?php +/* $Id$ */ +/* + snort_select_alias.php + Copyright (C) 2013 Bill Meeks + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require_once("functions.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +// Need to keep track of who called us so we can return to the correct page +// when the SAVE button is clicked. On initial entry, a GET variable is +// passed with the referrer's URL encoded within. That value is saved and +// used when SAVE or CANCEL is clicked to return to the referring page. +// + +// Retrieve the QUERY STRING of the original referrer so we can return it. +// On the initial pass, we will save it in a hidden POST field so we won't +// overwrite it on subsequent POST-BACKs to this page. +if (!isset($_POST['org_querystr'])) + $querystr = $_SERVER['QUERY_STRING']; + +// Retrieve any passed QUERY STRING or POST variables +$type = $_GET['type']; +$varname = $_GET['varname']; +$multi_ip = $_GET['multi_ip']; +$referrer = urldecode($_GET['returl']); +if (isset($_POST['type'])) + $type = $_POST['type']; +if (isset($_POST['varname'])) + $varname = $_POST['varname']; +if (isset($_POST['multi_ip'])) + $multi_ip = $_POST['multi_ip']; +if (isset($_POST['returl'])) + $referrer = urldecode($_POST['returl']); +if (isset($_POST['org_querystr'])) + $querystr = $_POST['org_querystr']; + +// Make sure we have a valid VARIABLE name +// and ALIAS TYPE, or else bail out. +if (is_null($type) || is_null($varname)) { + header("Location: http://{$referrer}?{$querystr}"); + exit; +} + +// Used to track if any selectable Aliases are found +$selectablealias = false; + +// Initialize required array variables as necessary +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); +$a_aliases = $config['aliases']['alias']; + +// Create an array consisting of the Alias types the +// caller wants to select from. +$a_types = array(); +$a_types = explode('|', strtolower($type)); + +// Create a proper title based on the Alias types +$title = "a"; +switch (count($a_types)) { + case 1: + $title .= " " . ucfirst($a_types[0]); + break; + + case 2: + $title .= " " . ucfirst($a_types[0]) . " or " . ucfirst($a_types[1]); + break; + + case 3: + $title .= " " . ucfirst($a_types[0]) . ", " . ucfirst($a_types[1]) . " or " . ucfirst($a_types[2]); + + default: + $title = "n"; +} + +if ($_POST['cancel']) { + header("Location: {$referrer}?{$querystr}"); + exit; +} + +if ($_POST['save']) { + if(empty($_POST['alias'])) + $input_errors[] = gettext("No alias is selected. Please select an alias before saving."); + + // if no errors, write new entry to conf + if (!$input_errors) { + $selection = $_POST['alias']; + header("Location: {$referrer}?{$querystr}&varvalue={$selection}"); + exit; + } +} + +$pgtitle = gettext("Snort: Select {$title} Alias"); +include("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<form action="snort_select_alias.php" method="post"> +<input type="hidden" name="varname" value="<?=$varname;?>"> +<input type="hidden" name="type" value="<?=$type;?>"> +<input type="hidden" name="multi_ip" value="<?=$multi_ip;?>"> +<input type="hidden" name="returl" value="<?=$referrer;?>"> +<input type="hidden" name="org_querystr" value="<?=$querystr;?>"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td class="tabcont"><strong><?=gettext("Select an Alias to use from the list below.");?></strong><br/> + </td> +</tr> +<tr> + <td class="tabcont"> + <table id="sortabletable1" style="table-layout: fixed;" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="5%" align="center"> + <col width="25%" align="left" axis="string"> + <col width="35%" align="left" axis="string"> + <col width="35%" align="left" axis="string"> + </colgroup> + <thead> + <tr> + <th class="listhdrr"></th> + <th class="listhdrr" axis="string"><?=gettext("Alias Name"); ?></th> + <th class="listhdrr" axis="string"><?=gettext("Values"); ?></th> + <th class="listhdrr" axis="string"><?=gettext("Description"); ?></th> + </tr> + </thead> + <tbody> + <?php $i = 0; foreach ($a_aliases as $alias): ?> + <?php if (!in_array($alias['type'], $a_types)) + continue; + if ( ($alias['type'] == "network" || $alias['type'] == "host") && + $multi_ip != "yes" && + !snort_is_single_addr_alias($alias['name'])) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $disable = true; + $tooltip = gettext("Aliases resolving to multiple address entries cannot be used with the destination target."); + } + elseif (($alias['type'] == "network" || $alias['type'] == "host") && + trim(filter_expand_alias($alias['name'])) == "") { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $disable = true; + $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations."); + } + else { + $textss = ""; + $textse = ""; + $disable = ""; + $selectablealias = true; + $tooltip = gettext("Selected entry will be imported. Click to toggle selection."); + } + ?> + <?php if ($disable): ?> + <tr title="<?=$tooltip;?>"> + <td class="listlr" align="center"><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height"11" border="0"/> + <?php else: ?> + <tr> + <td class="listlr" align="center"><input type="radio" name="alias" value="<?=htmlspecialchars($alias['name']);?>" title="<?=$tooltip;?>"/></td> + <?php endif; ?> + <td class="listr" align="left"><?=$textss . htmlspecialchars($alias['name']) . $textse;?></td> + <td class="listr" align="left"> + <?php + $tmpaddr = explode(" ", $alias['address']); + $addresses = implode(", ", array_slice($tmpaddr, 0, 10)); + echo "{$textss}{$addresses}{$textse}"; + if(count($tmpaddr) > 10) { + echo "..."; + } + ?> + </td> + <td class="listbg" align="left"> + <?=$textss . htmlspecialchars($alias['descr']) . $textse;?> + </td> + </tr> + <?php $i++; endforeach; ?> + </table> + </td> +</tr> +<?php if (!$selectablealias): ?> +<tr> + <td class="tabcont" align="center"><b><?php echo gettext("There are currently no defined Aliases eligible for selection.");?></b></td> +</tr> +<tr> + <td class="tabcont" align="center"> + <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/> + </td> +</tr> +<?php else: ?> +<tr> + <td class="tabcont" align="center"> + <input type="Submit" name="save" value="Save" id="save" class="formbtn" title="<?=gettext("Import selected item and return");?>"/> + <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/> + </td> +</tr> +<?php endif; ?> +<tr> + <td class="tabcont"> + <span class="vexpl"><span class="red"><strong><?=gettext("Note:"); ?><br></strong></span><?=gettext("Fully-Qualified Domain Name (FQDN) host Aliases cannot be used as Snort configuration parameters. Aliases resolving to a single FQDN value are disabled in the list above. In the case of nested Aliases where one or more of the nested values is a FQDN host, the FQDN host will not be included in the {$title} configuration.");?></span> + </td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_stream5_engine.php b/config/snort/snort_stream5_engine.php new file mode 100644 index 00000000..b3d81f37 --- /dev/null +++ b/config/snort/snort_stream5_engine.php @@ -0,0 +1,661 @@ +<?php +/* + * snort_stream5_engine.php + * Copyright (C) 2013 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +/* Retrieve required array index values from QUERY string if available. */ +/* 'id' is the [rule] array index, and 'eng_id' is the index for the */ +/* stream5_tcp_engine's [item] array. */ +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; + +/* See if values are in our form's POST content */ +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +/* If we don't have a [rule] index specified, exit */ +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['stream5_client_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +/* Initialize pointer into requisite section of [config] array */ +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item']; + +$pconfig = array(); + +// If this is a new entry, intialize it with default values +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for empty values and set sensible defaults + if (empty($pconfig['policy'])) + $pconfig['policy'] = "bsd"; + if (empty($pconfig['timeout'])) + $pconfig['timeout'] = 30; + if (empty($pconfig['max_queued_bytes']) && $pconfig['max_queued_bytes'] <> 0) + $pconfig['max_queued_bytes'] = 1048576; + if (empty($pconfig['detect_anomalies'])) + $pconfig['detect_anomalies'] = "off"; + if (empty($pconfig['overlap_limit'])) + $pconfig['overlap_limit'] = 0; + if (empty($pconfig['max_queued_segs']) && $pconfig['max_queued_segs'] <> 0) + $pconfig['max_queued_segs'] = 2621; + if (empty($pconfig['require_3whs'])) + $pconfig['require_3whs'] = "off"; + if (empty($pconfig['startup_3whs_timeout'])) + $pconfig['startup_3whs_timeout'] = 0; + if (empty($pconfig['no_reassemble_async'])) + $pconfig['no_reassemble_async'] = "off"; + if (empty($pconfig['dont_store_lg_pkts'])) + $pconfig['dont_store_lg_pkts'] = "off"; + if (empty($pconfig['max_window'])) + $pconfig['max_window'] = 0; + if (empty($pconfig['use_static_footprint_sizes'])) + $pconfig['use_static_footprint_sizes'] = "off"; + if (empty($pconfig['check_session_hijacking'])) + $pconfig['check_session_hijacking'] = "off"; + if (empty($pconfig['ports_client'])) + $pconfig['ports_client'] = "default"; + if (empty($pconfig['ports_both'])) + $pconfig['ports_both'] = "default"; + if (empty($pconfig['ports_server'])) + $pconfig['ports_server'] = "none"; +} + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['stream5_client_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports_client" || $_GET['varname'] == "ports_both" || $_GET['varname'] == "ports_server") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + if(!isset($_SESSION['stream5_client_import'])) + $_SESSION['stream5_client_import'] = array(); + + $_SESSION['stream5_client_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['stream5_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to']; + if (isset($_SESSION['stream5_client_import']['ports_client'])) + $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client']; + if (isset($_SESSION['stream5_client_import']['ports_both'])) + $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both']; + if (isset($_SESSION['stream5_client_import']['ports_server'])) + $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['stream5_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to']; + if (isset($_SESSION['stream5_client_import']['ports_client'])) + $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client']; + if (isset($_SESSION['stream5_client_import']['ports_both'])) + $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both']; + if (isset($_SESSION['stream5_client_import']['ports_server'])) + $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server']; + } + else { + unset($_SESSION['stream5_client_import']); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + unset($_SESSION['stream5_client_import']); + session_write_close(); + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['stream5_name']) { $engine['name'] = trim($_POST['stream5_name']); } else { $engine['name'] = "default"; } + + /* Validate input values before saving */ + if ($_POST['stream5_bind_to']) { + if (is_alias($_POST['stream5_bind_to'])) { + $engine['bind_to'] = $_POST['stream5_bind_to']; + if (!snort_is_single_addr_alias($_POST['stream5_bind_to'])) + $input_errors[] = gettext("An Alias that evaluates to a single IP address or CIDR network is required for the 'Bind-To IP Address' value."); + } + elseif (strtolower(trim($_POST['stream5_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + if ($_POST['stream5_ports_client']) { + if (is_alias($_POST['stream5_ports_client'])) + $engine['ports_client'] = $_POST['stream5_ports_client']; + elseif (strtolower(trim($_POST['stream5_ports_client'])) == "default") + $engine['ports_client'] = "default"; + elseif (strtolower(trim($_POST['stream5_ports_client'])) == "all") + $engine['ports_client'] = "all"; + elseif (strtolower(trim($_POST['stream5_ports_client'])) == "none") + $engine['ports_client'] = "none"; + else + $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_client' value."); + } + if ($_POST['stream5_ports_both']) { + if (is_alias($_POST['stream5_ports_both'])) + $engine['ports_both'] = $_POST['stream5_ports_both']; + elseif (strtolower(trim($_POST['stream5_ports_both'])) == "default") + $engine['ports_both'] = "default"; + elseif (strtolower(trim($_POST['stream5_ports_both'])) == "all") + $engine['ports_both'] = "all"; + elseif (strtolower(trim($_POST['stream5_ports_both'])) == "none") + $engine['ports_both'] = "none"; + else + $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_both' value."); + } + if ($_POST['stream5_ports_server']) { + if (is_alias($_POST['stream5_ports_server'])) + $engine['ports_server'] = $_POST['stream5_ports_server']; + elseif (strtolower(trim($_POST['stream5_ports_server'])) == "default") + $engine['ports_server'] = "default"; + elseif (strtolower(trim($_POST['stream5_ports_server'])) == "all") + $engine['ports_server'] = "all"; + elseif (strtolower(trim($_POST['stream5_ports_server'])) == "none") + $engine['ports_server'] = "none"; + else + $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_server' value."); + } + + if (!empty($_POST['stream5_timeout']) || $_POST['stream5_timeout'] == 0) { + $engine['timeout'] = $_POST['stream5_timeout']; + if ($engine['timeout'] < 1 || $engine['timeout'] > 86400) + $input_errors[] = gettext("The value for Timeout must be between 1 and 86400."); + } + else + $engine['timeout'] = 60; + + if (!empty($_POST['stream5_max_queued_bytes']) || $_POST['stream5_max_queued_bytes'] == 0) { + $engine['max_queued_bytes'] = $_POST['stream5_max_queued_bytes']; + if ($engine['max_queued_bytes'] <> 0) { + if ($engine['max_queued_bytes'] < 1024 || $engine['max_queued_bytes'] > 1073741824) + $input_errors[] = gettext("The value for Max_Queued_Bytes must either be 0, or between 1024 and 1073741824."); + } + } + else + $engine['max_queued_bytes'] = 1048576; + + if (!empty($_POST['stream5_max_queued_segs']) || $_POST['stream5_max_queued_segs'] == 0) { + $engine['max_queued_segs'] = $_POST['stream5_max_queued_segs']; + if ($engine['max_queued_segs'] <> 0) { + if ($engine['max_queued_segs'] < 2 || $engine['max_queued_segs'] > 1073741824) + $input_errors[] = gettext("The value for Max_Queued_Segs must either be 0, or between 2 and 1073741824."); + } + } + else + $engine['max_queued_segs'] = 2621; + + if (!empty($_POST['stream5_overlap_limit']) || $_POST['stream5_overlap_limit'] == 0) { + $engine['overlap_limit'] = $_POST['stream5_overlap_limit']; + if ($engine['overlap_limit'] < 0 || $engine['overlap_limit'] > 255) + $input_errors[] = gettext("The value for Overlap_Limit must be between 0 and 255."); + } + else + $engine['overlap_limit'] = 0; + + if (!empty($_POST['stream5_max_window']) || $_POST['stream5_max_window'] == 0) { + $engine['max_window'] = $_POST['stream5_max_window']; + if ($engine['max_window'] < 0 || $engine['max_window'] > 1073725440) + $input_errors[] = gettext("The value for Max_Window must be between 0 and 1073725440."); + } + else + $engine['max_window'] = 0; + + if (!empty($_POST['stream5_3whs_startup_timeout']) || $_POST['stream5_3whs_startup_timeout'] == 0) { + $engine['startup_3whs_timeout'] = $_POST['stream5_3whs_startup_timeout']; + if ($engine['startup_3whs_timeout'] < 0 || $engine['startup_3whs_timeout'] > 86400) + $input_errors[] = gettext("The value for 3whs_Startup_Timeout must be between 0 and 86400."); + } + else + $engine['startup_3whs_timeout'] = 0; + + if ($_POST['stream5_policy']) { $engine['policy'] = $_POST['stream5_policy']; } else { $engine['policy'] = "bsd"; } + if ($_POST['stream5_ports']) { $engine['ports'] = $_POST['stream5_ports']; } else { $engine['ports'] = "both"; } + + $engine['detect_anomalies'] = $_POST['stream5_detect_anomalies'] ? 'on' : 'off'; + $engine['require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off'; + $engine['no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off'; + $engine['dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off'; + $engine['use_static_footprint_sizes'] = $_POST['stream5_use_static_footprint_sizes'] ? 'on' : 'off'; + $engine['check_session_hijacking'] = $_POST['stream5_check_session_hijacking'] ? 'on' : 'off'; + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") + $input_errors[] = gettext("Only one default Stream5 Engine can be bound to all addresses."); + $pconfig = $engine; + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} - Stream5 Preprocessor TCP Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_stream5_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Stream5 Target-Based TCP Stream Reassembly Engine Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Engine Name"); ?></td> + <td class="vtable"> + <input name="stream5_name" type="text" class="formfld unknown" id="stream5_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="stream5_bind_to" type="text" class="formfldalias" id="stream5_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off"> + <?php echo gettext("IP address or network to bind this engine to."); ?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=no&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with the destination IP address specified. Default value is ") . + "<strong>" . gettext("all") . "</strong>" . gettext(". Only a single IP address or single network in CIDR form may be specified. ") . + gettext("IP Lists are not allowed.");?></td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'. ");?> + <?php else : ?> + <input name="stream5_bind_to" type="text" class="formfldalias" id="stream5_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Target Policy"); ?></td> + <td width="78%" class="vtable"> + <select name="stream5_policy" class="formselect" id="stream5_policy"> + <?php + $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux', + 'Solaris', 'Vista', 'Windows', 'Win2003' ); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['policy']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the TCP target policy appropriate for the protected hosts. The default is ") . + "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Target Ports"); ?></td> + <td width="78%" class="vtable"> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><strong><?php echo gettext("Client:"); ?></strong></td> + <td class="vexpl"><input name="stream5_ports_client" type="text" class="formfldalias" id="stream5_ports_client" size="32" + value="<?=htmlspecialchars($pconfig['ports_client']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_client']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("default") . "</strong>.";?></span> + </td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_client&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing port alias");?>"/> + </td> + </tr> + <tr> + <td class="vexpl"><strong><?php echo gettext("Server:"); ?></strong></td> + <td class="vexpl"><input name="stream5_ports_server" type="text" class="formfldalias" id="stream5_ports_server" size="32" + value="<?=htmlspecialchars($pconfig['ports_server']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_server']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("none") . "</strong>.";?></span> + </td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_server&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing port alias");?>"/> + </td> + </tr> + <tr> + <td class="vexpl"><strong><?php echo gettext("Both:"); ?></strong></td> + <td class="vexpl"><input name="stream5_ports_both" type="text" class="formfldalias" id="stream5_ports_both" size="32" + value="<?=htmlspecialchars($pconfig['ports_both']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_both']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("default") . "</strong>.";?></span> + </td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_both&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" + title="<?php echo gettext("Select an existing port alias");?>"/> + </td> + </tr> + </table> + <br/><?php echo gettext("Configures which side of the connection packets should be reassembled for based on the configured destination ports. See ");?> + <a href="http://www.snort.org/vrt/snort-conf-configurations/" target="_blank"><?php echo gettext("www.snort.org/vrt/snort-conf-configurations");?></a> + <?php echo gettext(" for the default configuration port values.");?><br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("Supplied value must be a pre-configured Alias or the keyword 'default', 'all' or 'none'.");?><br/> + <span class="red"><?php echo gettext("Hint: ") . "</span>" . gettext("Most users should leave these settings at their default values.");?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Max Window"); ?></td> + <td class="vtable"> + <input name="stream5_max_window" type="text" class="formfld unknown" id="stream5_max_window" size="9" + value="<?=htmlspecialchars($pconfig['max_window']);?>" maxlength="10"> + <?php echo gettext("Maximum allowed TCP window. Min is ") . "<strong>0</strong>" . gettext(" and max is ") . + "<strong>1073725440</strong>" . gettext(" (65535 left shift 14)"); ?>.<br/><br/> + <?php echo gettext("Sets the TCP max window size. Default value is ") . + "<strong>0</strong>" . gettext(" (unlimited). This option is intended to prevent a DoS against Stream5 by " . + "attacker using an abnormally large window, so using a value near the maximum is discouraged."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Timeout"); ?></td> + <td class="vtable"> + <input name="stream5_timeout" type="text" class="formfld unknown" id="stream5_timeout" size="9" + value="<?=htmlspecialchars($pconfig['timeout']);?>" maxlength="5"> + <?php echo gettext("TCP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and max is ") . + "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.<br/><br/> + <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") . + "<strong>30</strong>" . gettext(" seconds."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Max Queued Bytes"); ?></td> + <td class="vtable"> + <input name="stream5_max_queued_bytes" type="text" class="formfld unknown" id="stream5_max_queued_bytes" size="9" + value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>" maxlength="10"> + <?php echo gettext("Minimum is ") . "<strong>" . gettext("1024") . "</strong>" . gettext(" and Maximum is ") . + "<strong>" . gettext("1073741824") . "</strong>" . gettext(" (") . + "<strong>" . gettext("0") . "</strong>" . gettext(" means Maximum)."); ?><br/><br/> + + <?php echo gettext("The number of bytes to be queued for reassembly of TCP sessions in " . + "memory. Default value is <strong>1048576</strong>"); ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Max Queued Segs"); ?></td> + <td class="vtable"> + <input name="stream5_max_queued_segs" type="text" class="formfld unknown" id="stream5_max_queued_segs" size="9" + value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>" maxlength="10"> + <?php echo gettext("Minimum is ") . "<strong>" . gettext("2") . "</strong>" . gettext(" and Maximum is ") . + "<strong>" . gettext("1073741824") . "</strong>" . gettext(" (") . + "<strong>" . gettext("0") . "</strong>" . gettext(" means Maximum)");?>.<br/><br/> + <?php echo gettext("The number of segments to be queued for reassembly of TCP sessions " . + "in memory. Default value is <strong>2621</strong>"); ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Overlap Limit"); ?></td> + <td class="vtable"> + <input name="stream5_overlap_limit" type="text" class="formfld unknown" id="stream5_overlap_limit" size="9" + value="<?=htmlspecialchars($pconfig['overlap_limit']);?>" maxlength="3"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited) and Maximum is ") . "<strong>" . + gettext("255") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("Sets the limit for the number of overlapping packets. Default value is ") . + "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect TCP Anomalies"); ?></td> + <td width="78%" class="vtable"><input name="stream5_detect_anomalies" id="stream5_detect_anomalies" type="checkbox" value="on" + <?php if ($pconfig['detect_anomalies']=="on") echo "checked"; ?>> + <?php echo gettext("Detect TCP protocol anomalies. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Check Session Hijacking"); ?></td> + <td width="78%" class="vtable"><input name="stream5_check_session_hijacking" id="stream5_check_session_hijacking" type="checkbox" value="on" + <?php if ($pconfig['check_session_hijacking']=="on") echo "checked"; ?>> + <?php echo gettext("Check for TCP session hijacking. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("This check validates the hardware (MAC) address from both sides of the connection -- " . + "as established on the 3-way handshake -- against subsequent packets received on the session.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td> + <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on" + <?php if ($pconfig['require_3whs']=="on") echo "checked"; ?> onclick="stream5_3whs_enable_change();"> + <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr id="stream5_3whs_startuptimeout_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("3-Way Handshake Startup Timeout"); ?></td> + <td width="78%" class="vtable"> + <input name="stream5_3whs_startup_timeout" type="text" class="formfld unknown" id="stream5_3whs_startup_timeout" size="9" + value="<?=htmlspecialchars($pconfig['startup_3whs_timeout']);?>" maxlength="5"> + <?php echo gettext("3-Way Handshake Startup Timeout in seconds. Min is ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" and Max is ") . "<strong>" . gettext("86400") . "</strong>" . gettext(" (1 day).");?><br/><br/> + <?php echo gettext("This allows a grace period for existing sessions to be considered established during that " . + "interval immediately after Snort is started. The default is ") . "<strong>" . gettext("0") . + "</strong>" . gettext(", (don't consider existing sessions established).");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td> + <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on" + <?php if ($pconfig['no_reassemble_async']=="on") echo "checked "; ?>> + <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Use Static Footprint Sizes"); ?></td> + <td width="78%" class="vtable"><input name="stream5_use_static_footprint_sizes" id="stream5_use_static_footprint_sizes" type="checkbox" value="on" + <?php if ($pconfig['use_static_footprint_sizes']=="on") echo "checked "; ?>> + <?php echo gettext("Emulate Stream4 behavior for flushing reassembled packets. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td> + <td width="78%" class="vtable"> + <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on" + <?php if ($pconfig['dont_store_lg_pkts']=="on") echo "checked"; ?>> + <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/> + <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" . + gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save Stream5 engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> +<script type="text/javascript"> + +function stream5_3whs_enable_change() { + var endis = !(document.iform.stream5_require_3whs.checked); + + // Hide the "3whs_startup_timeout" row if stream5_require_3whs disabled + if (endis) + document.getElementById("stream5_3whs_startuptimeout_row").style.display="none"; + else + document.getElementById("stream5_3whs_startuptimeout_row").style.display="table-row"; +} + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesport = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } + elseif ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesport .= ","; + $aliasesport .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } + +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portarray=new Array(<?php echo $aliasesport; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('stream5_bind_to'), new StateSuggestions(addressarray));\n"; + echo "objAliasPortsClient = new AutoSuggestControl(document.getElementById('stream5_ports_client'), new StateSuggestions(portarray));\n"; + echo "objAliasPortsServer = new AutoSuggestControl(document.getElementById('stream5_ports_server'), new StateSuggestions(portarray));\n"; + echo "objAliasPortsBoth = new AutoSuggestControl(document.getElementById('stream5_ports_both'), new StateSuggestions(portarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); +stream5_3whs_enable_change(); + +</script> + +</html> diff --git a/config/squid/squid.inc b/config/squid/squid.inc index 34186407..e136d9f8 100644 --- a/config/squid/squid.inc +++ b/config/squid/squid.inc @@ -447,12 +447,13 @@ function squid_validate_nac($post, $input_errors) { $input_errors[] = "The time range '$time' is not a valid time range"; } - if(!empty($post['ext_cachemanager'])) { - $extmgr = explode(";", ($post['ext_cachemanager'])); - foreach ($extmgr as $mgr) { - if (!is_ipaddr($mgr)) - $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; - }} + if(!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!empty($mgr) && !is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + } + } } function squid_validate_traffic($post, $input_errors) { diff --git a/config/syslog-ng/syslog-ng.inc b/config/syslog-ng/syslog-ng.inc index 75d5bb4d..e1b4d35e 100644 --- a/config/syslog-ng/syslog-ng.inc +++ b/config/syslog-ng/syslog-ng.inc @@ -235,7 +235,7 @@ function syslogng_get_log_files($objects) { foreach($objects as $object) { if($object['objecttype'] == 'destination') { - preg_match("/file\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match); + preg_match("/\bfile\b\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match); if($match) { $log_file = $match[1]; array_push($log_files, $log_file); @@ -433,4 +433,4 @@ EOD; conf_mount_rw(); write_rcfile($rc); } -?>
\ No newline at end of file +?> diff --git a/config/tinc/tinc.inc b/config/tinc/tinc.inc index cdfb23e5..944cb846 100644 --- a/config/tinc/tinc.inc +++ b/config/tinc/tinc.inc @@ -42,6 +42,22 @@ function tinc_save() { } fwrite($fout, base64_decode($tincconf['extra'])."\n"); fclose($fout); + + // Check if we need to generate a new RSA key pair. + if ($tincconf['gen_rsa']) + { + safe_mkdir("/usr/local/etc/tinc/tmp"); + exec("/usr/local/sbin/tincd -c /usr/local/etc/tinc/tmp -K"); + $tincconf['cert_pub'] = base64_encode(file_get_contents('/usr/local/etc/tinc/tmp/rsa_key.pub')); + $tincconf['cert_key'] = base64_encode(file_get_contents('/usr/local/etc/tinc/tmp/rsa_key.priv')); + $tincconf['gen_rsa'] = false; + $config['installedpackages']['tinc']['config'][0]['cert_pub'] = $tincconf['cert_pub']; + $config['installedpackages']['tinc']['config'][0]['cert_key'] = $tincconf['cert_key']; + $config['installedpackages']['tinc']['config'][0]['gen_rsa'] = $tincconf['gen_rsa']; + rmdir_recursive("/usr/local/etc/tinc/tmp"); + write_config(); + } + $_output = "Subnet=" . $tincconf['localsubnet'] . "\n"; $_output .= base64_decode($tincconf['host_extra']) . "\n"; $_output .= base64_decode($tincconf['cert_pub']) . "\n"; @@ -86,6 +102,7 @@ function tinc_save() { } system("/usr/local/etc/rc.d/tinc.sh restart 2>/dev/null"); rmdir_recursive("/usr/local/etc/tinc.old"); + conf_mount_ro(); config_unlock(); } diff --git a/config/tinc/tinc_config.xml b/config/tinc/tinc_config.xml index 3878450f..d6ee9c26 100644 --- a/config/tinc/tinc_config.xml +++ b/config/tinc/tinc_config.xml @@ -122,6 +122,12 @@ <cols>65</cols> </field> <field> + <fielddescr>Generate RSA key pair</fielddescr> + <fieldname>gen_rsa</fieldname> + <description>This will generate a new RSA key pair in the fields above.</description> + <type>checkbox</type> + </field> + <field> <fielddescr>Extra Tinc Parameters</fielddescr> <fieldname>extra</fieldname> <description>Anything entered here will be added at the end of the tinc.conf configuration file. <br></description> diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index 3e7588ea..6e55d577 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -118,7 +118,6 @@ function unbound_keys_setup() { function unbound_rc_setup() { global $config; - // Startup process and idea taken from TinyDNS package (author sullrich@gmail.com) $filename = "unbound.sh"; $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP @@ -198,7 +197,7 @@ function unbound_control($action) { case "start": //Start unbound - if($unbound_config['unbound_status'] == "on") { + if($unbound_config['enable'] == "on") { if(!is_service_running("unbound")) unbound_ctl_exec("start"); /* Link dnsmasq.pid to prevent dhcpleases logging error */ @@ -213,7 +212,7 @@ function unbound_control($action) { case "stop": //Stop unbound and unmount the file system - if($unbound_config['unbound_status'] == "on") { + if($unbound_config['enable'] == "on") { mwexec_bg("/usr/local/bin/unbound_monitor.sh stop"); unbound_ctl_exec("stop"); } @@ -240,7 +239,9 @@ function unbound_control($action) { break; case "anchor_update": //Update the Root Trust Anchor + conf_mount_rw(); mwexec(UNBOUND_BASE . "/sbin/unbound-anchor -a " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor", true); + conf_mount_ro(); break; default: break; @@ -697,7 +698,7 @@ function fetch_root_hints() { function unbound_validate($post, $type=null) { global $config, $input_errors; - if($post['unbound_status'] == "on" && isset($config['dnsmasq']['enable'])) + if($post['enable'] == "on" && isset($config['dnsmasq']['enable'])) $input_errors[] = "The system dns-forwarder is still active. Disable it before enabling the Unbound service."; /* Validate the access lists */ @@ -744,7 +745,7 @@ function unbound_reconfigure() { $unbound_config = $config['installedpackages']['unbound']['config'][0]; - if ($unbound_config['unbound_status'] != "on") { + if ($unbound_config['enable'] != "on") { if(is_service_running("unbound")) unbound_control("termstop"); } else { @@ -823,30 +824,49 @@ function unbound_add_host_entries() { $unbound_entries .= "local-data: \"localhost.{$syscfg['domain']} AAAA ::1\"\n"; } + $added_item_v4 = array(); + $added_item_v6 = array(); if ($config['interfaces']['lan']) { + $current_host = $syscfg['hostname'].".".$syscfg['domain']; $cfgip = get_interface_ip("lan"); if (is_ipaddr($cfgip)) { - $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; - $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; + $unbound_entries .= "local-data-ptr: \"{$cfgip} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; + $added_item_v4[$current_host] = true; + } + $cfgip6 = get_interface_ipv6("lan"); + if (is_ipaddrv6($cfgip6)) { + $unbound_entries .= "local-data-ptr: \"{$cfgip6} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} AAAA {$cfgip6}\"\n"; + $unbound_entries .= "local-data: \"{$syscfg['hostname']} AAAA {$cfgip6}\"\n"; + $added_item_v6[$current_host] = true; } } else { $sysiflist = get_configured_interface_list(); foreach ($sysiflist as $sysif) { if (!interface_has_gateway($sysif)) { + $current_host = $syscfg['hostname'].".".$syscfg['domain']; $cfgip = get_interface_ip($sysif); if (is_ipaddr($cfgip)) { - $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; - $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; + $unbound_entries .= "local-data-ptr: \"{$cfgip} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; - break; + $added_item_v4[$current_host] = true; } + $cfgip6 = get_interface_ipv6($sysif); + if (is_ipaddr($cfgip6)) { + $unbound_entries .= "local-data-ptr: \"{$cfgip6} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} AAAA {$cfgip6}\"\n"; + $unbound_entries .= "local-data: \"{$syscfg['hostname']} AAAA {$cfgip6}\"\n"; + $added_item_v6[$current_host] = true; + } + if (is_ipaddr($cfgip) || is_ipaddr($cfgip6)) + break; } } } - $added_item_v4 = array(); - $added_item_v6 = array(); // DNSMasq entries static host entries if (isset($dnsmasqcfg['hosts'])) { $hosts = $dnsmasqcfg['hosts']; diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml index 10de1f97..20f3d250 100644 --- a/config/unbound/unbound.xml +++ b/config/unbound/unbound.xml @@ -80,6 +80,9 @@ <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/unbound/unbound_monitor.sh</item> </additional_files_needed> + <system_services> + <dns/> + </system_services> <tabs> <tab> <text>Unbound DNS Settings</text> @@ -106,7 +109,7 @@ <type>listtopic</type> </field> <field> - <fieldname>unbound_status</fieldname> + <fieldname>enable</fieldname> <fielddescr>Enable Unbound</fielddescr> <description>Enable the use of Unbound as your DNS forwarder.</description> <type>checkbox</type> diff --git a/config/varnish3/pkg_varnish.inc b/config/varnish3/pkg_varnish.inc new file mode 100755 index 00000000..509f24e5 --- /dev/null +++ b/config/varnish3/pkg_varnish.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['varnish'] = array(); +$shortcuts['varnish']['main'] = "pkg.php?xml=varnish_backends.xml"; +$shortcuts['varnish']['log'] = "diag_logs.php"; +$shortcuts['varnish']['status'] = "status_services.php"; +$shortcuts['varnish']['service'] = "varnish"; + +?>
\ No newline at end of file diff --git a/config/varnish3/varnish.inc b/config/varnish3/varnish.inc index 4adf0575..1895d214 100644 --- a/config/varnish3/varnish.inc +++ b/config/varnish3/varnish.inc @@ -4,7 +4,7 @@ varnish.inc part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho Copyright (C) 2012 Marcio Carlos Antao All rights reserved. */ @@ -32,6 +32,14 @@ POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ +$shortcut_section = "varnish"; + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('VARNISH_LOCALBASE', '/usr/pbi/varnish-' . php_uname("m")); +else + define('VARNISH_LOCALBASE','/usr/local'); + function varnish_settings_post_validate($post, $input_errors) { if( !is_numeric($post['storagesize'])) @@ -57,8 +65,13 @@ function varnish_settings_post_validate($post, $input_errors) { } function varnish_lb_directors_post_validate($post, $input_errors) { - if (preg_match("/[^a-zA-Z0-9]/", $post['directorname'])) + if (preg_match("/[^a-zA-Z0-9]/", $post['directorname'])){ $input_errors[] = "The directorname name must only contain the characters a-Z or 0-9"; + } + else{ + if(empty($post['failover'])) + $_POST['failover'] = $post['directorname']; + } if(stristr($post['directorurl'], 'http')) $input_errors[] = "You do not need to include the http:// string in the director URL"; if($post['grace'] && ! preg_match("/^\d+(h|m|s)$/",$post['grace'])) @@ -244,7 +257,6 @@ mkdir -p /var/varnish rm /var/varnish/storage.bin 2>/dev/null killall varnishd 2>/dev/null sleep 1 -sysctl kern.ipc.nmbclusters=65536 sysctl kern.ipc.somaxconn=16384 sysctl kern.maxfiles=131072 sysctl kern.maxfilesperproc=104856 @@ -641,7 +653,15 @@ sub vcl_fini { } EOF; - + file_put_contents("/var/etc/default.vcl",$varnish_config_file,LOCK_EX); + $cc_file="/usr/local/bin/cc"; + foreach (glob(VARNISH_LOCALBASE."/bin/gcc*") as $bin_file) { + $gcc_file=$bin_file; + } + if (!file_exists($cc_file) && file_exists($gcc_file)){ + symlink($gcc_file,$cc_file); + } + $fd = fopen("/var/etc/default.vcl", "w"); fwrite($fd, $varnish_config_file); fclose($fd); @@ -652,29 +672,67 @@ EOF; /* Uses XMLRPC to synchronize the changes to a remote node */ function varnish_sync_on_changes() { global $config, $g; - log_error("[varnish] varnish_xmlrpc_sync.php is starting."); - $synconchanges = $config['installedpackages']['varnishsync']['config'][0]['synconchanges']; - if(!$synconchanges) - return; - foreach ($config['installedpackages']['varnishsync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ - $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - if($password && $sync_to_ip) - varnish_do_xmlrpc_sync($sync_to_ip, $password); + if (is_array($config['installedpackages']['varnishsync']['config'])){ + $varnish_sync=$config['installedpackages']['varnishsync']['config'][0]; + $synconchanges = $varnish_sync['synconchanges']; + $synctimeout = $varnish_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($varnish_sync[row])){ + $rs=$varnish_sync[row]; + } + else{ + log_error("[varnish] xmlrpc sync is enabled but there is no hosts to push on varnish config."); + return; + } + break; + case "auto": + if (is_array($config['hasync'])){ + $hasync=$config['hasync'][0]; + $rs[0]['ipaddress']=$hasync['synchronizetoip']; + $rs[0]['username']=$hasync['username']; + $rs[0]['password']=$hasync['password']; + } + else{ + log_error("[varnish] xmlrpc sync is enabled but there is no system backup hosts to push varnish config."); + return; + } + break; + default: + return; + break; } - } - log_error("[varnish] varnish_xmlrpc_sync.php is ending."); + if (is_array($rs)){ + log_error("[varnish] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); + } + log_error("[varnish] xmlrpc sync is ending."); + } + } } /* Do the actual XMLRPC sync */ -function varnish_do_xmlrpc_sync($sync_to_ip, $password) { +function varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) { global $config, $g; - + + if(!$username) + return; + if(!$password) return; if(!$sync_to_ip) return; + + if(!$synctimeout) + $synctimeout=25; $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { @@ -710,18 +768,18 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $password) { $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); + /* send our XMLRPC message and timeout after $synctimeout seconds */ + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting varnish XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting varnish XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); @@ -742,15 +800,15 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $password) { log_error("varnish XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "250"); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting varnish XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting varnish XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); diff --git a/config/varnish3/varnish_backends.xml b/config/varnish3/varnish_backends.xml index e480a8d6..58216279 100644 --- a/config/varnish3/varnish_backends.xml +++ b/config/varnish3/varnish_backends.xml @@ -9,7 +9,7 @@ varnish_backends.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. /*/ /* ========================================================================== */ @@ -85,6 +85,11 @@ <chmod>0755</chmod> <item>http://www.pfsense.com/packages/config/varnish3/varnishstat.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/varnish3/pkg_varnish.inc</item> + </additional_files_needed> <menu> <name>Varnish</name> <tooltiptext>Varnish</tooltiptext> @@ -129,19 +134,27 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>IPAddress</fielddescr> <fieldname>ipaddress</fieldname> </columnitem> <columnitem> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + </columnitem> + <columnitem> <fielddescr>Name</fielddescr> <fieldname>backendname</fieldname> - </columnitem> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> </adddeleteeditpagefields> <fields> <field> <fielddescr>BackendSettings</fielddescr> - <fieldname>BackendSettings</fieldname> <type>listtopic</type> <name>Backend settings</name> </field> @@ -163,11 +176,18 @@ <fieldname>port</fieldname> <description>Enter the TCP/IP port of the webserver.</description> <type>input</type> + <size>6</size> <validate>^[0-9]+$</validate> </field> <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this Backend.</description> + <type>input</type> + <size>40</size> + </field> + <field> <fielddescr>PerformanceMetrics</fielddescr> - <fieldname>PerformanceMetrics</fieldname> <type>listtopic</type> <name>Performance metrics</name> </field> @@ -185,7 +205,6 @@ </field> <field> <fielddescr>ProbeInfo</fielddescr> - <fieldname>ProbeInfo</fieldname> <type>listtopic</type> <name>Probe settings</name> </field> @@ -228,7 +247,6 @@ </field> <field> <fielddescr>Mappings</fielddescr> - <fieldname>Mappings</fieldname> <type>listtopic</type> <name>Backend Mappings</name> </field> diff --git a/config/varnish3/varnish_custom_vcl.xml b/config/varnish3/varnish_custom_vcl.xml index 86a9cdca..c0bb0e80 100644 --- a/config/varnish3/varnish_custom_vcl.xml +++ b/config/varnish3/varnish_custom_vcl.xml @@ -9,6 +9,7 @@ varnish_settings.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> + Copyright (C) 2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -78,56 +79,92 @@ </tabs> <fields> <field> + <type>listtopic</type> + <name>vcl_recv_early</name> + </field> + <field> <fielddescr>vcl_recv_early</fielddescr> <fieldname>vcl_recv_early</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_recv</a>]]> code here. This code will be included at the beginning of the vcl_recv function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_recv_late</name> + </field> + <field> <fielddescr>vcl_recv_late</fielddescr> <fieldname>vcl_recv_late</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_recv</a>]]> code here. This code will be included at the end of the vcl_recv function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_fetch_early</name> + </field> + <field> <fielddescr>vcl_fetch_early</fielddescr> <fieldname>vcl_fetch_early</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_fetch</a>]]> code here. This code will be included at the beginning of the vcl_fetch function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_fetch_late</name> + </field> + <field> <fielddescr>vcl_fetch_late</fielddescr> <fieldname>vcl_fetch_late</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_fetch</a>]]> code here. This code will be included at the end of the vcl_fetch function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_pipe_early</name> + </field> + <field> <fielddescr>vcl_pipe_early</fielddescr> <fieldname>vcl_pipe_early</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_pipe</a>]]> code here. This code will be included at the beginning of the vcl_pipe function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_pipe_late</name> + </field> + <field> <fielddescr>vcl_pipe_late</fielddescr> <fieldname>vcl_pipe_late</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_pipe</a>]]> code here. This code will be included at the end of the vcl_pipe function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> diff --git a/config/varnish3/varnish_lb_directors.xml b/config/varnish3/varnish_lb_directors.xml index 0912e267..99a945d5 100644 --- a/config/varnish3/varnish_lb_directors.xml +++ b/config/varnish3/varnish_lb_directors.xml @@ -9,7 +9,7 @@ varnish_lb_directors.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ @@ -99,6 +99,7 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Director name</fielddescr> <fieldname>directorname</fieldname> @@ -136,7 +137,6 @@ <fields> <field> <fielddescr>DirectorSettings</fielddescr> - <fieldname>Director Settings</fieldname> <type>listtopic</type> <name>Director settings</name> </field> @@ -208,7 +208,6 @@ </field> <field> <fielddescr>Backendlist</fielddescr> - <fieldname>Backendlist</fieldname> <type>listtopic</type> <name>Backend Settings</name> </field> @@ -248,7 +247,6 @@ </field> <field> <fielddescr>FailoverSettings</fielddescr> - <fieldname>FailoverSettings</fieldname> <type>listtopic</type> <name>Failover Settings</name> </field> diff --git a/config/varnish3/varnish_settings.xml b/config/varnish3/varnish_settings.xml index 38c68a03..bbb8d321 100644 --- a/config/varnish3/varnish_settings.xml +++ b/config/varnish3/varnish_settings.xml @@ -80,7 +80,6 @@ <fields> <field> <fielddescr>Listening</fielddescr> - <fieldname>Listening</fieldname> <type>listtopic</type> <name>Daemon options</name> </field> @@ -112,7 +111,6 @@ </field> <field> <fielddescr>StorageTypeLT</fielddescr> - <fieldname>StorageTypeLT</fieldname> <type>listtopic</type> <name>Storage type</name> </field> @@ -135,7 +133,6 @@ <field> <fielddescr>WorkerThreadLT</fielddescr> - <fieldname>WorkerThreadLT</fieldname> <type>listtopic</type> <name>Worker thread configuration</name> </field> @@ -159,7 +156,6 @@ </field> <field> <fielddescr>BasicVCLLT</fielddescr> - <fieldname>BasicVCLLT</fieldname> <type>listtopic</type> <name>General VCL Settings</name> </field> @@ -245,7 +241,6 @@ </field> <field> <fielddescr>ErrorVCLLT</fielddescr> - <fieldname>ErrorVCLLT</fieldname> <type>listtopic</type> <name>Error Settings</name> </field> diff --git a/config/varnish3/varnish_sync.xml b/config/varnish3/varnish_sync.xml index 02434389..d81851b1 100644 --- a/config/varnish3/varnish_sync.xml +++ b/config/varnish3/varnish_sync.xml @@ -9,7 +9,7 @@ varnish_sync.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2008 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -80,14 +80,35 @@ <fields> <field> <type>listtopic</type> - <fieldname>temp</fieldname> <name>Enable Varnish configuration sync</name> - </field> + </field> <field> <fielddescr>Automatically sync Varnish configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>pfSense will automatically sync changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for bind.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>25</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>250 seconds</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> @@ -111,8 +132,7 @@ </rowhelper> </field> </fields> - <custom_php_resync_config_command> - varnish_sync_on_changes(); + <custom_php_resync_config_command> </custom_php_resync_config_command> <custom_php_command_before_form> unset($_POST['temp']); diff --git a/config/widget-snort/snort_alerts.js b/config/widget-snort/snort_alerts.js index 0c2d9ca6..c5c743df 100644 --- a/config/widget-snort/snort_alerts.js +++ b/config/widget-snort/snort_alerts.js @@ -1,7 +1,7 @@ var snortlines = Array(); var snorttimer; -var snortupdateDelay = 25500; +var snortupdateDelay = 22000; var snortisBusy = false; var snortisPaused = false; diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php index e488bc49..ddf8ac59 100644 --- a/config/widget-snort/snort_alerts.widget.php +++ b/config/widget-snort/snort_alerts.widget.php @@ -25,15 +25,17 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +require_once("guiconfig.inc"); +require_once("/usr/local/www/widgets/include/widget-snort.inc"); + global $config, $g; /* array sorting */ function sksort(&$array, $subkey="id", $sort_ascending=false) { /* an empty array causes sksort to fail - this test alleviates the error */ if(empty($array)) - { - return false; - } + return false; if (count($array)) { $temp_array[key($array)] = array_shift($array); }; @@ -58,7 +60,14 @@ function sksort(&$array, $subkey="id", $sort_ascending=false) { }; /* check if firewall widget variable is set */ -if (!isset($nentries)) $nentries = 5; +$nentries = $config['widgets']['widget_snort_display_lines']; +if (!isset($nentries) || $nentries < 0) $nentries = 5; + +if(isset($_POST['widget_snort_display_lines'])) { + $config['widgets']['widget_snort_display_lines'] = $_POST['widget_snort_display_lines']; + write_config("Saved Snort Alerts Widget Displayed Lines Parameter via Dashboard"); + header("Location: ../../index.php"); +} /* check if Snort include file exists before we use it */ if (file_exists("/usr/local/pkg/snort/snort.inc")) { @@ -89,7 +98,9 @@ if (file_exists("/usr/local/pkg/snort/snort.inc")) { continue; $snort_alerts[$counter]['instanceid'] = $a_instance[$instanceid]['interface']; - $snort_alerts[$counter]['timestamp'] = $fields[0]; + // fields[0] is the timestamp. Reverse its date order to YY/MM/DD for proper sorting + $tmp = substr($fields[0],6,2) . '/' . substr($fields[0],0,2) . '/' . substr($fields[0],3,2); + $snort_alerts[$counter]['timestamp'] = str_replace(substr($fields[0],0,8),$tmp,$fields[0]); $snort_alerts[$counter]['timeonly'] = substr($fields[0], strpos($fields[0], '-')+1, -8); $snort_alerts[$counter]['dateonly'] = substr($fields[0], 0, strpos($fields[0], '-')); $snort_alerts[$counter]['src'] = $fields[6]; @@ -118,6 +129,16 @@ if (file_exists("/usr/local/pkg/snort/snort.inc")) { /* display the result */ ?> + +<input type="hidden" id="snort_alerts-config" name="snort_alerts-config" value="" /> +<div id="snort_alerts-settings" class="widgetconfigdiv" style="display:none;"> + <form action="/widgets/widgets/snort_alerts.widget.php" method="post" name="iformd"> + Enter number of recent alerts to display (default is 5)<br/> + <input type="text" size="5" name="widget_snort_display_lines" class="formfld unknown" id="widget_snort_display_lines" value="<?= $config['widgets']['widget_snort_display_lines'] ?>" /> + <input id="submitd" name="submitd" type="submit" class="formbtn" value="Save" /> + </form> +</div> + <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tbody> <tr class="snort-alert-header"> @@ -147,3 +168,13 @@ if (is_array($snort_alerts)) { ?> </tbody> </table> + +<!-- needed to display the widget settings menu --> +<script type="text/javascript"> +//<![CDATA[ + selectIntLink = "snort_alerts-configure"; + textlink = document.getElementById(selectIntLink); + textlink.style.display = "inline"; +//]]> +</script> + diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc index 105dd1e7..b9cfbeac 100644 --- a/config/widget-snort/widget-snort.inc +++ b/config/widget-snort/widget-snort.inc @@ -1,5 +1,10 @@ <?php require_once("config.inc"); + +//set variable for custom title +$snort_alerts_title = "Snort Alerts"; +$snort_alerts_title_link = "snort/snort_alerts.php"; + function widget_snort_uninstall() { global $config; diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml index a6ea7f88..1a371ca5 100644 --- a/config/widget-snort/widget-snort.xml +++ b/config/widget-snort/widget-snort.xml @@ -46,7 +46,7 @@ <requirements>Dashboard package and Snort</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>widget-snort</name> - <version>0.3.4</version> + <version>0.3.6</version> <title>Widget - Snort</title> <include_file>/usr/local/www/widgets/include/widget-snort.inc</include_file> <additional_files_needed> diff --git a/config/zabbix2/zabbix2-agent.xml b/config/zabbix2/zabbix2-agent.xml index 61e0f52f..3f8e84db 100644 --- a/config/zabbix2/zabbix2-agent.xml +++ b/config/zabbix2/zabbix2-agent.xml @@ -41,7 +41,7 @@ <name>zabbixagent</name> <title>Services: Zabbix-2 Agent</title> <category>Monitoring</category> - <version>0.7_1</version> + <version>0.8_0</version> <include_file>/usr/local/pkg/zabbix2.inc</include_file> <addedit_string>Zabbix Agent has been created/modified.</addedit_string> <delete_string>Zabbix Agent has been deleted.</delete_string> @@ -85,7 +85,6 @@ <fielddescr>Server</fielddescr> <fieldname>server</fieldname> <description>List of comma delimited IP addresses (or hostnames) of ZABBIX servers</description> - <value>127.0.0.1</value> <type>input</type> <size>60</size> </field> @@ -93,7 +92,6 @@ <fielddescr>Server Active</fielddescr> <fieldname>serveractive</fieldname> <description>List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks</description> - <value></value> <type>input</type> <size>60</size> </field> @@ -101,30 +99,29 @@ <fielddescr>Hostname</fielddescr> <fieldname>hostname</fieldname> <description>Unique hostname. Required for active checks and must match hostname as configured on the Zabbix server (case sensitive).</description> - <value>localhost</value> <type>input</type> <size>60</size> </field> <field> <fielddescr>Listen IP</fielddescr> <fieldname>listenip</fieldname> - <value>0.0.0.0</value> + <default_value>0.0.0.0</default_value> <type>input</type> <size>60</size> - <description>Listen IP for connections from the server (generally 0.0.0.0 for all interfaces)</description> + <description>Listen IP for connections from the server (default 0.0.0.0 for all interfaces)</description> </field> <field> <fielddescr>Listen Port</fielddescr> <fieldname>listenport</fieldname> - <value>10050</value> + <default_value>10050</default_value> <type>input</type> <size>5</size> - <description>Listen port for connections from the server (generally 10050)</description> + <description>Listen port for connections from the server (default 10050)</description> </field> <field> <fielddescr>Refresh Active Checks</fielddescr> <fieldname>refreshactchecks</fieldname> - <value>120</value> + <default_value>120</default_value> <type>input</type> <size>5</size> <description>The agent will refresh list of active checks once per 120 (default) seconds.</description> @@ -132,15 +129,15 @@ <field> <fielddescr>Timeout</fielddescr> <fieldname>timeout</fieldname> - <value>3</value> + <default_value>3</default_value> <type>input</type> <size>5</size> - <description>Timeout (default 3). Do not spend more that Timeout seconds on getting requested value (1-255). The agent does not kill timeouted User Parameters processes!</description> + <description>Timeout (default 3). Do not spend more that Timeout seconds on getting requested value (1-30). The agent does not kill timeouted User Parameters processes!</description> </field> <field> <fielddescr>Buffer Send</fielddescr> <fieldname>buffersend</fieldname> - <value>5</value> + <default_value>5</default_value> <type>input</type> <size>5</size> <description>Buffer Send (default 5). Do not keep data longer than N seconds in buffer (1-3600).</description> @@ -148,7 +145,7 @@ <field> <fielddescr>Buffer Size</fielddescr> <fieldname>buffersize</fieldname> - <value>100</value> + <default_value>100</default_value> <type>input</type> <size>5</size> <description>Buffer Size (default 100). Maximum number of values in a memory buffer (2-65535). The agent will send all collected data to Zabbix server or proxy if the buffer is full.</description> @@ -156,7 +153,7 @@ <field> <fielddescr>Start Agents</fielddescr> <fieldname>startagents</fieldname> - <value>3</value> + <default_value>3</default_value> <type>input</type> <size>5</size> <description>Start Agents (default 3). Number of pre-forked instances of zabbix_agentd that process passive checks (0-100).If set to 0, disables passive checks and the agent will not listen on any TCP port.</description> @@ -165,7 +162,6 @@ <fielddescr>User Parameters</fielddescr> <fieldname>userparams</fieldname> <encoding>base64</encoding> - <value></value> <type>textarea</type> <rows>5</rows> <cols>50</cols> diff --git a/config/zabbix2/zabbix2-proxy.xml b/config/zabbix2/zabbix2-proxy.xml index d9402bac..c857bec1 100644 --- a/config/zabbix2/zabbix2-proxy.xml +++ b/config/zabbix2/zabbix2-proxy.xml @@ -41,7 +41,7 @@ <name>zabbixproxy</name> <title>Services: Zabbix-2 Proxy</title> <category>Monitoring</category> - <version>0.7_1</version> + <version>0.8_0</version> <include_file>/usr/local/pkg/zabbix2.inc</include_file> <addedit_string>Zabbix Proxy has been created/modified.</addedit_string> <delete_string>Zabbix Proxy has been deleted.</delete_string> @@ -58,7 +58,7 @@ <url>/pkg_edit.php?xml=zabbix2-proxy.xml&id=0</url> </menu> <service> - <name>zabbix-proxy</name> + <name>zabbix_proxy</name> <rcfile>zabbix2_proxy.sh</rcfile> <executable>zabbix_proxy</executable> <description>Zabbix proxy collection daemon</description> diff --git a/config/zabbix2/zabbix2.inc b/config/zabbix2/zabbix2.inc index 34777387..92aad309 100644 --- a/config/zabbix2/zabbix2.inc +++ b/config/zabbix2/zabbix2.inc @@ -48,14 +48,14 @@ function php_deinstall_zabbix2_agent(){ conf_mount_rw(); $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); if ($pfs_version > 2.0){ - define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); + define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix22-agent-' . php_uname("m")); } else { define('ZABBIX_AGENT_BASE', '/usr/local'); } exec("/usr/bin/killall zabbix_agentd"); unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix2_agentd.sh"); - unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf"); unlink_if_exists("/var/log/zabbix2/zabbix2_agentd.log"); unlink_if_exists("/var/run/zabbix2/zabbix2_agentd.pid"); @@ -75,14 +75,14 @@ function php_deinstall_zabbix2_proxy(){ conf_mount_rw(); $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); if ($pfs_version > 2.0){ - define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); + define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix22-proxy-' . php_uname("m")); } else { define('ZABBIX_PROXY_BASE', '/usr/local'); } exec("/usr/bin/killall zabbix_proxy"); unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix2_proxy.sh"); - unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf"); unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); @@ -118,14 +118,18 @@ function validate_input_zabbix2($post,&$input_errors){ if (!preg_match("/\w+/", $post['hostname'])) { $input_errors[]='Hostname field is required.'; } - - if (!is_ipaddr_configured($post['listenip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])) { - $input_errors[]='Listen IP is not a configured IP address.'; + + if ($post['listenip'] != '') { + if (!is_ipaddr_configured($post['listenip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])) { + $input_errors[]='Listen IP is not a configured IP address.'; } + } - if (!preg_match("/^\d+$/", $post['listenport'])) { - $input_errors[]='Listen Port is not numeric.'; + if ($post['listenport'] != '') { + if (!preg_match("/^\d+$/", $post['listenport'])) { + $input_errors[]='Listen Port is not numeric.'; } + } if ($post['refreshactchecks'] != '') { if (!preg_match("/^\d+$/", $post['refreshactchecks'])) { @@ -134,11 +138,13 @@ function validate_input_zabbix2($post,&$input_errors){ $input_errors[]='You must enter a valid value for \'Refresh Active Checks\''; } } - - if (!is_numericint($post['timeout'])) { - $input_errors[]='Timeout is not numeric.'; - } elseif ( $post['timeout'] < 1 || $post['timeout'] > 255 ) { - $input_errors[]='You must enter a valid value for \'Timeout\''; + + if ($post['timeout'] != '') { + if (!is_numericint($post['timeout'])) { + $input_errors[]='Timeout is not numeric.'; + } elseif ( $post['timeout'] < 1 || $post['timeout'] > 30 ) { + $input_errors[]='You must enter a valid value for \'Timeout\''; + } } if ($post['buffersend'] != '') { @@ -174,8 +180,8 @@ function sync_package_zabbix2(){ #check pfsense version $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); if ($pfs_version > 2.0){ - define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); - define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); + define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix22-agent-' . php_uname("m")); + define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix22-proxy-' . php_uname("m")); } else { define('ZABBIX_AGENT_BASE', '/usr/local'); @@ -202,7 +208,7 @@ Fping6Location=/usr/local/sbin/fping6 ProxyMode={$Mode} EOF; - file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => ""))); + file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => ""))); } } /* check zabbix agent settings*/ @@ -214,26 +220,29 @@ EOF; $BufferSize=(preg_match("/(\d+)/",$zbagent_config['buffersize'],$matches)? $matches[1] : "100"); $StartAgents=(preg_match("/(\d+)/",$zbagent_config['startagents'],$matches)? $matches[1] :"3" ); $UserParams=base64_decode($zbagent_config['userparams']); - + $ListenIp=($zbagent_config['listenip'] != ''? $zbagent_config['listenip'] : "0.0.0.0"); + $ListenPort=($zbagent_config['listenport'] != ''? $zbagent_config['listenport'] : "10050"); + $TimeOut=($zbagent_config['timeout'] != ''? $zbagent_config['timeout'] : "3"); + $zbagent_conf_file = <<< EOF Server={$zbagent_config['server']} ServerActive={$zbagent_config['serveractive']} Hostname={$zbagent_config['hostname']} -ListenIP={$zbagent_config['listenip']} -ListenPort={$zbagent_config['listenport']} +ListenIP={$ListenIp} +ListenPort={$ListenPort} RefreshActiveChecks={$RefreshActChecks} DebugLevel=3 PidFile=/var/run/zabbix2/zabbix2_agentd.pid LogFile=/var/log/zabbix2/zabbix2_agentd.log LogFileSize=1 -Timeout={$zbagent_config['timeout']} +Timeout={$TimeOut} BufferSend={$BufferSend} BufferSize={$BufferSize} StartAgents={$StartAgents} {$UserParams} EOF; - file_put_contents(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => ""))); + file_put_contents(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => ""))); } } $want_sysctls = array( @@ -282,8 +291,8 @@ EOF; /*check startup script files*/ /* create a few directories and ensure the sample files are in place */ - if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix2")) - exec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix2"); + if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix22")) + exec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix22"); $dir_checks = <<< EOF if [ ! -d /var/log/zabbix2 ] |