From c84ef2aac594ebe04e2f8eabf1b3407bb4c79d2e Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Fri, 1 Feb 2013 08:32:58 -0500
Subject: Make sure we update ['disabled'] flag in rule map when commenting/un-commenting rule.
---
 config/snort/snort.inc | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 24242bcd..17c3a19a 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1197,9 +1197,11 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) {
 if ($rule2['disabled'] == 0)
 /* If not disabled, just return the rule text "as is" */
 $required_flowbits_rules[$k1][$k2]['rule'] = ltrim($rule2['rule']);
- else
+ else {
 /* If rule is disabled, remove leading '#' to enable it */
 $required_flowbits_rules[$k1][$k2]['rule'] = ltrim(substr($rule2['rule'], strpos($rule2['rule'], "#") + 1));
+ $required_flowbits_rules[$k1][$k2]['disabled'] = 1;
+ }
 }
 }
 }
@@ -1335,8 +1337,10 @@ function snort_load_vrt_policy($policy) {
 $vrt_policy_rules[$k1][$k2] = $arulem2;
 /* Enable the policy rule if disabled */
- if ($arulem2['disabled'] == 1)
+ if ($arulem2['disabled'] == 1) {
 $vrt_policy_rules[$k1][$k2]['rule'] = ltrim(substr($arulem2['rule'], strpos($arulem2['rule'], "#") + 1));
+ $vrt_policy_rules[$k1][$k2]['disabled'] = 0;
+ }
 }
 }
 }
@@ -1441,8 +1445,10 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
 if (!empty($enablesid)) {
 foreach ($rule_map as $k1 => $rulem) {
 foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $enablesid) && $v['disabled'] == 1)
+ if (in_array($k2, $enablesid) && $v['disabled'] == 1) {
 $rule_map[$k1][$k2]['rule'] = ltrim($v['rule'], " \t#");
+ $rule_map[$k1][$k2]['disabled'] = 0;
+ }
 }
 }
 }
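Review bot: The un-comment step kept beside the new flag updates in snort_find_flowbit_required_rules and snort_load_vrt_policy, `ltrim(substr($rule, strpos($rule, "#") + 1))`, assumes the rule text contains a '#' whenever ['disabled'] is set. If the flag and the text are out of step, which is the situation this commit is correcting, strpos() returns false, the offset becomes 1 and the first character of the rule is cut off; a '#' further inside the rule would instead drop everything before it. The snort_modify_sids hunk in the same patch already uses the safer form, so both places could become `ltrim($rule2['rule'], " \t#")` and `ltrim($arulem2['rule'], " \t#")`. Both enclosing functions start and end outside their hunks.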
@@ -1806,7 +1812,7 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
 /* This function checks the $active_rules array */
 /* for rule options dependent upon preprocessors. */
 /* Rules with rule options dependent upon any */
- /* non-enabled preprocessors are disabled to */
+ /* non-enabled preprocessors are disabled to stop */
 /* start-up errors from unknown rule options. */
 /* */
 /* $snortcfg -> config parameters array for */
@@ -1849,6 +1855,8 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
 ***************************************************/
 foreach ($active_rules as $k1 => $rulem) {
 foreach ($rulem as $k2 => $v) {
+ if ($v['disabled'] == 0)
+ continue;
 foreach ($rule_opts_preprocs as $opt => $preproc) {
 $pcre = "/\s*\b" . $opt . "/i";
 if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) {
-- 
cgit v1.2.3
From 9dbe2671f9797eadd21f5d506932f9dd51c8fbdf Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Fri, 1 Feb 2013 08:50:39 -0500
Subject: Oops! Fix an error with setting ['disabled'] to 1 when should be 0.
---
 config/snort/snort.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 17c3a19a..869e040e 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1200,7 +1200,7 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) {
 else {
 /* If rule is disabled, remove leading '#' to enable it */
 $required_flowbits_rules[$k1][$k2]['rule'] = ltrim(substr($rule2['rule'], strpos($rule2['rule'], "#") + 1));
- $required_flowbits_rules[$k1][$k2]['disabled'] = 1;
+ $required_flowbits_rules[$k1][$k2]['disabled'] = 0;
 }
 }
 }
-- 
cgit v1.2.3
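Review bot: In snort_filter_preproc_rules the added guard `if ($v['disabled'] == 0) continue;` skips every enabled rule, so the preprocessor-option check that follows only ever runs on rules that are already commented out. The function's own header comment says rules depending on non-enabled preprocessors are disabled to stop start-up errors, which suggests the intent was to skip the already-disabled ones: `if ($v['disabled'] == 1) continue;`. As written, an active rule that uses an option of a switched-off preprocessor appears to pass through unfiltered, and a Snort instance that fails to start on it leaves the interface without inspection. The loop body continues past the end of the hunk, so this should be confirmed against the full function.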