From 3ded21fc48a46974795072defc35541dc2f0690b Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 13 Sep 2014 10:38:02 -0400 Subject: Add handler and install code for new LOG MGMT function. --- config/snort/snort_barnyard.php | 8 +-- config/snort/snort_check_cron_misc.inc | 110 ++++++++++++++++++++++++++++----- config/snort/snort_conf_template.inc | 2 +- config/snort/snort_generate_conf.php | 14 ++++- config/snort/snort_log_mgmt.php | 44 ++++++++++--- config/snort/snort_migrate_config.php | 34 +++++++++- config/snort/snort_post_install.php | 57 ++++++++++++++--- 7 files changed, 229 insertions(+), 40 deletions(-) diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index 1617e869..1e834ff0 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -57,8 +57,8 @@ $retentions = array( '0' => gettext('KEEP ALL'), '24' => gettext('1 DAY'), '168' '720' => gettext('30 DAYS'), '1080' => gettext("45 DAYS"), '2160' => gettext('90 DAYS'), '4320' => gettext('180 DAYS'), '8766' => gettext('1 YEAR'), '26298' => gettext("3 YEARS") ); -$log_sizes = array( '0' => gettext('NO LIMIT'), '8' => gettext('8 MB'), '16' => gettext('16 MB'), '32' => gettext('32 MB'), - '64' => gettext('64 MB'), '128' => gettext('128 MB'), '256' => gettext('256 MB') ); +$log_sizes = array( '0' => gettext('NO LIMIT'), '128K' => '128 KB', '256K' => '256 KB', '512K' => '512 KB', '1M' => '1 MB', '4M' => '4 MB', '8M' => gettext('8 MB'), + '16M' => gettext('16 MB'), '32M' => gettext('32 MB'), '64M' => gettext('64 MB'), '128M' => gettext('128 MB'), '256M' => gettext('256 MB') ); if (isset($id) && $a_nat[$id]) { $pconfig = $a_nat[$id]; 
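Review bot: The new size entries `'128K' => '128 KB'` through `'4M' => '4 MB'` in `$log_sizes` are bare strings while every neighbouring label in the same array is wrapped in gettext(), so these five labels will never be translated. Wrap them the same way, e.g. `'128K' => gettext('128 KB'), '256K' => gettext('256 KB'),` and so on, or drop gettext() from the whole array if the size labels are considered untranslatable; mixing the two styles in one literal is the worst of both.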
@@ -69,7 +69,7 @@ if (isset($id) && $a_nat[$id]) { if (empty($a_nat[$id]['barnyard_show_year'])) $pconfig['barnyard_show_year'] = "on"; if (empty($a_nat[$id]['unified2_log_limit'])) - $pconfig['unified2_log_limit'] = "32"; + $pconfig['unified2_log_limit'] = "128K"; if (empty($a_nat[$id]['barnyard_archive_enable'])) $pconfig['barnyard_archive_enable'] = "on"; if (empty($a_nat[$id]['u2_archived_log_retention'])) @@ -284,7 +284,7 @@ include_once("head.inc"); > -  

+  

diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc index 9a1c7833..0f9b80ab 100644 --- a/config/snort/snort_check_cron_misc.inc +++ b/config/snort/snort_check_cron_misc.inc @@ -33,6 +33,7 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortlogdir = SNORTLOGDIR; +global $g, $config; function snort_check_dir_size_limit($snortloglimitsize) { 
@@ -88,6 +89,56 @@ function snort_check_dir_size_limit($snortloglimitsize) { } } +function snort_check_rotate_log($log_file, $log_limit, $retention) { + + /******************************************************** + * This function checks the passed log file against * + * the passed size limit and rotates the log file if * + * necessary. It also checks the age of previously * + * rotated logs and removes those older than the * + * rentention parameter. * + * * + * On Entry: $log_file -> full pathname/filename of * + * log file to check * + * $log_limit -> size of file in bytes to * + * trigger rotation. Zero * + * means no rotation. * + * $retention -> retention period in hours * + * for rotated logs. Zero * + * means never remove. * + ********************************************************/ + + // Check the current log to see if it needs rotating. + // If it does, rotate it and put the current time + // on the end of the filename as UNIX timestamp. + if (!file_exists($log_file)) + return; + if (($log_limit > 0) && (filesize($log_file) >= $log_limit)) { + $newfile = $log_file . "." . strval(time()); + try { + copy($log_file, $newfile); + file_put_contents($log_file, ""); + } catch (Exception $e) { + log_error("[Snort] Failed to rotate file '{$log_file}' -- error was {$e->getMessage()}"); + } + } + + // Check previously rotated logs to see if time to + // delete any older than the retention period. + // Rotated logs have a UNIX timestamp appended to + // filename. + if ($retention > 0) { + $now = time(); + $rotated_files = glob("{$log_file}.*"); + foreach ($rotated_files as $file) { + if (($now - filemtime($file)) > ($retention * 3600)) + unlink_if_exists($file); + } + unset($rotated_files); + } +} + + /************************* * Start of main code * *************************/ 
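Review bot: The `try { copy(...); file_put_contents(...); } catch (Exception $e)` block in snort_check_rotate_log() never catches anything: copy() and file_put_contents() report failure by returning false with a warning, not by throwing, so a failed copy is followed unconditionally by the truncation and the current log contents are lost with no log_error ever emitted. Check the return values and only truncate once the copy has succeeded. Two caveats deserve a comment as well: copy() creates `$newfile` with default-umask permissions rather than the source file's mode, so if the log is meant to stay owner-only add `chmod($newfile, fileperms($log_file) & 0777);` after a successful copy, and the copy-then-truncate sequence can drop records appended by the writer between the two calls (the usual copytruncate trade-off, acceptable here but worth stating).
```php
$newfile = $log_file . "." . strval(time());
if (!copy($log_file, $newfile)) {
    log_error("[Snort] Failed to rotate file '{$log_file}' -- copy to '{$newfile}' failed");
} elseif (file_put_contents($log_file, "") === false) {
    log_error("[Snort] Failed to truncate '{$log_file}' after rotating it to '{$newfile}'");
}
// … unchanged: retention pruning of previously rotated files …
```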
@@ -96,27 +147,56 @@ function snort_check_dir_size_limit($snortloglimitsize) { if ($g['booting'] == true) return; +$logs = array (); + +// Build an array of files to check and limits to check them against from our saved configuration +$logs['sid_changes.log']['limit'] = $config['installedpackages']['snortglobal']['sid_changes_log_limit_size']; +$logs['sid_changes.log']['retention'] = $config['installedpackages']['snortglobal']['sid_changes_log_retention']; + // If no interfaces defined, there is nothing to clean up if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; -// Check unified2 archived log retention in the interface logging directories if enabled -foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { - $if_real = get_real_interface($value['interface']); - $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$value['uuid']}"; - if (is_dir("{$snort_log_dir}/barnyard2/archive") && $value['u2_archived_log_retention'] > 0) { - $now = time(); - $files = glob("{$snort_log_dir}/barnyard2/archive/snort_{$value['uuid']}_{$if_real}.u2.*"); - $prune_count = 0; - foreach ($files as $f) { - if (($now - filemtime($f)) > ($value['u2_archived_log_retention'] * 3600)) { - $prune_count++; - unlink_if_exists($f); +// Check log limits and retention in the interface logging directories if enabled +if ($config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on') { + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $if_real = get_real_interface($value['interface']); + $snort_log_dir = SNORTLOGDIR . 
"/snort_{$if_real}{$value['uuid']}"; + foreach ($logs as $k => $p) { + snort_check_rotate_log("{$snort_log_dir}/{$k}", $p['limit']*1024, $p['retention']); + } + + // Prune aged-out event packet capture files if any exist + if ($config['installedpackages']['snortglobal']['event_pkts_log_retention'] > 0) { + $now = time(); + $rotated_files = glob("{$snort_log_dir}/snort.log.*"); + $prune_count = 0; + foreach ($rotated_files as $file) { + if (($now - filemtime($file)) > ($config['installedpackages']['snortglobal']['event_pkts_log_retention'] * 3600)) { + $prune_count++; + unlink_if_exists($file); + } + } + unset($rotated_files); + if ($prune_count > 0) + log_error(gettext("[Snort] Alert pcap file cleanup job removed {$prune_count} pcap file(s) from {$snort_log_dir}/...")); + } + + // Prune any aged-out Barnyard2 archived logs if any exist + if (is_dir("{$snort_log_dir}/barnyard2/archive") && $value['u2_archived_log_retention'] > 0) { + $now = time(); + $files = glob("{$snort_log_dir}/barnyard2/archive/snort_{$value['uuid']}_{$if_real}.u2.*"); + $prune_count = 0; + foreach ($files as $f) { + if (($now - filemtime($f)) > ($value['u2_archived_log_retention'] * 3600)) { + $prune_count++; + unlink_if_exists($f); + } } + unset($files); + if ($prune_count > 0) + log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/barnyard2/archive/...")); } - unset($files); - if ($prune_count > 0) - log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/barnyard2/archive/...")); } } diff --git a/config/snort/snort_conf_template.inc b/config/snort/snort_conf_template.inc index be4791af..e1b11acc 100644 --- a/config/snort/snort_conf_template.inc +++ b/config/snort/snort_conf_template.inc 
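Review bot: The `enable_log_mgmt == 'on'` gate added here also wraps the Barnyard2 archive pruning, which previously ran whenever `u2_archived_log_retention > 0`; disabling Log Mgmt in the GUI now silently stops unified2 archive cleanup as well. The migration seeds the flag to "on", so existing installs presumably keep pruning, but either move the Barnyard2 block back outside the gate or state the coupling in the GUI help text. The conversion `$p['limit']*1024` is the only place that records the stored unit; a comment such as `// limits are stored in KB in the config; convert to bytes for the file size check` would help the next reader. glob() returns false rather than an empty array on error, so `foreach ($rotated_files as $file)` would emit a warning in that case; an `is_array()` guard is cheap.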
@@ -89,7 +89,7 @@ dynamicdetection directory {$snort_dirs['dynamicrules']} {$host_attrib_config} # Snort Output Logs # -output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority +output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority {$alert_log_limit_size} {$alertsystemlog_type} {$snortunifiedlog_type} {$spoink_type} diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php index e65f4836..a5cc08d0 100644 --- a/config/snort/snort_generate_conf.php +++ b/config/snort/snort_generate_conf.php @@ -87,6 +87,12 @@ foreach ($snort_files as $file) { } } +/* define alert log limit */ +if (!empty($config['installedpackages']['snortglobal']['alert_log_limit_size']) && $config['installedpackages']['snortglobal']['alert_log_limit_size'] != "0") + $alert_log_limit_size = $config['installedpackages']['snortglobal']['alert_log_limit_size'] . "K"; +else + $alert_log_limit_size = ""; + /* define alertsystemlog */ $alertsystemlog_type = ""; if ($snortcfg['alertsystemlog'] == "on") { @@ -107,7 +113,7 @@ if ($snortcfg['barnyard_enable'] == "on") { if (isset($snortcfg['unified2_log_limit'])) $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; else - $u2_log_limit = "limit 128"; + $u2_log_limit = "limit 128K"; $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; if ($snortcfg['barnyard_log_vlan_events'] == 'on') @@ -201,9 +207,13 @@ $stream5_ports_both .= "\t 55555 56712"; /* def perform_stat */ +if (!empty($config['installedpackages']['snortglobal']['stats_log_limit_size']) && $config['installedpackages']['snortglobal']['stats_log_limit_size'] != "0") + $stats_log_limit = "max_file_size " . $config['installedpackages']['snortglobal']['stats_log_limit_size'] * 1000; +else + $stats_log_limit = ""; $perform_stat = << @@ -284,7 +288,7 @@ if ($savemsg) { 
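Review bot: `$alert_log_limit_size` is built by concatenating the raw config string with "K" and written straight into the alert_csv output line of snort.conf, so any non-numeric or whitespace-laden saved value yields a malformed config and Snort fails to start; `$stats_log_limit` further down has the same shape. Cast before interpolating, e.g. `$limit = (int)$config['installedpackages']['snortglobal']['alert_log_limit_size'];` followed by `$alert_log_limit_size = ($limit > 0) ? "{$limit}K" : "";` — presumably the GUI validates these fields, but the generator should not depend on it. Note also that the stats limit multiplies by 1000 while snort_check_cron_misc.inc converts the same kind of KB setting with `* 1024`; pick one factor and comment it.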
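Review bot: The fallback `$u2_log_limit = "limit 128K";` is only reached when `unified2_log_limit` is absent altogether; because the guard is isset(), an interface whose value was saved as an empty string still emits `limit ` with no size, which Snort will reject at startup. Using `if (!empty($snortcfg['unified2_log_limit']))` for the guard makes the fallback cover that case too. The enclosing `if ($snortcfg['barnyard_enable'] == "on")` block begins before this hunk.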
@@ -292,13 +296,31 @@ if ($savemsg) { + + + event pcaps + + + + + + + sid_changes $p): ?> @@ -324,7 +346,7 @@ if ($savemsg) { @@ -332,7 +354,7 @@ if ($savemsg) { @@ -371,6 +393,8 @@ function enable_change() { document.iform.stats_log_retention.disabled = endis; document.iform.sid_changes_log_retention.disabled = endis; document.iform.sid_changes_log_limit_size.disabled = endis; + document.iform.event_pkts_log_limit_size.disabled = endis; + document.iform.event_pkts_log_retention.disabled = endis; } function enable_change_dirSize() { diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index af02261f..2cef217a 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php 
@@ -70,6 +70,30 @@ if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) && $updated_cfg = true; } +/**********************************************************/ +/* Create new Auto SID Mgmt settings if not set */ +/**********************************************************/ + if (empty($config['installedpackages']['snortglobal']['auto_manage_sids'])) { + $config['installedpackages']['snortglobal']['auto_manage_sids'] = "off"; + $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'] = "250"; + $config['installedpackages']['snortglobal']['sid_changes_log_retention'] = "336"; + $updated_cfg = true; + } + +/**********************************************************/ +/* Create new LOG MGMT settings if not set */ +/**********************************************************/ + if (empty($config['installedpackages']['snortglobal']['enable_log_mgmt'])) { + $config['installedpackages']['snortglobal']['enable_log_mgmt'] = "on"; + $config['installedpackages']['snortglobal']['alert_log_limit_size'] = "500"; + $config['installedpackages']['snortglobal']['alert_log_retention'] = "336"; + $config['installedpackages']['snortglobal']['stats_log_limit_size'] = "500"; + $config['installedpackages']['snortglobal']['stats_log_retention'] = "168"; + $config['installedpackages']['snortglobal']['event_pkts_log_limit_size'] = "0"; + $config['installedpackages']['snortglobal']['event_pkts_log_retention'] = "336"; + $updated_cfg = true; +} + foreach ($rule as &$r) { // Initialize arrays for supported preprocessors if necessary if (!is_array($r['frag3_engine']['item'])) @@ -344,7 +368,7 @@ foreach ($rule as &$r) { // Since Barnyard2 was enabled, configure the new archived log settings $pconfig['u2_archived_log_retention'] = '168'; $pconfig['barnyard_archive_enable'] = 'on'; - $pconfig['unified2_log_limit'] = '32'; + $pconfig['unified2_log_limit'] = '32M'; $updated_cfg = true; } 
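Review bot: The migrated default `$pconfig['unified2_log_limit'] = '32M';` disagrees with the two other defaults introduced by this commit: snort_barnyard.php substitutes `128K` when the value is empty and snort_generate_conf.php falls back to `limit 128K`. An interface migrated here therefore gets a unified2 file limit 256 times larger than a freshly configured one. If the difference is intentional (for instance preserving the old 32 MB behaviour for existing Barnyard2 users), a one-line comment such as `// keep the legacy 32 MB limit for interfaces that already had Barnyard2 enabled` would stop the next reader from "fixing" it; otherwise pick one value for all three places.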
@@ -451,6 +475,14 @@ foreach ($rule as &$r) { $updated_cfg = true; } + + // Migrate any BY2 limit for unified2 logs to new format + if (!empty($pconfig['unified2_log_limit']) && + !preg_match('/^\d+[g|k|m|G|K|M]/', $pconfig['unified2_log_limit'])) { + $pconfig['unified2_log_limit'] .= "M"; + $updated_cfg = true; + } + // Save the new configuration data into the $config array pointer $r = $pconfig; } diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index 0650d187..addb6329 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php @@ -44,10 +44,32 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; +/**************************************** + * Define any new constants here that * + * may not be yet defined in the old * + * "snort.inc" include file that might * + * be cached and used by the package * + * manager installation code. * + * * + * This is a hack to work around the * + * fact the old version of suricata.inc * + * is cached and used instead of the * + * updated version icluded with the * + * updated GUI package. * + ****************************************/ +if (!defined('SID_MODS_PATH')) + define('SID_MODS_PATH', '/var/db/snort/sidmods/'); + +/**************************************** + * End of PHP caching workaround * + ****************************************/ + $snortdir = SNORTDIR; $snortlogdir = SNORTLOGDIR; $snortlibdir = SNORTLIBDIR; $rcdir = RCFILEPREFIX; +$flowbit_rules_file = FLOWBITS_FILENAME; +$snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; /* Hard kill any running Snort processes that may have been started by any */ /* of the pfSense scripts such as check_reload_status() or rc.start_packages */ 
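Review bot: The character class in `preg_match('/^\d+[g|k|m|G|K|M]/', $pconfig['unified2_log_limit'])` treats `|` as a literal character rather than alternation, and the pattern has no end anchor, so values such as `32|` or `32Mx` are accepted as already migrated and later land unchanged in the snort.conf `limit` option. Use `'/^\d+[gkmGKM]$/'` to pin the accepted format. Values that fail the check simply get an `M` appended with no numeric validation; that is fine if the GUI has always constrained this field to digits, which is not visible here.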
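Review bot: The new header comment explains the constant-definition workaround by referring to "the old version of suricata.inc", but this is the Snort package and the include named a few lines above is snort.inc; the comment also misspells "included". Suggest `* fact the old version of snort.inc *` / `* is cached and used instead of the *` / `* updated version included with the *` for those three lines. The comment is otherwise a useful record of why SID_MODS_PATH is (re)defined here and should stay.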
@@ -97,6 +119,7 @@ foreach ($preproc_rules as $file) { /* Create required log and db directories in /var */ safe_mkdir(SNORTLOGDIR); safe_mkdir(IPREP_PATH); +safe_mkdir(SID_MODS_PATH); /* If installed, absorb the Snort Dashboard Widget into this package */ /* by removing it as a separately installed package. */ 
@@ -164,15 +187,35 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { /* Create the snort.conf files for each enabled interface */ $snortconf = $config['installedpackages']['snortglobal']['rule']; - foreach ($snortconf as $value) { - $if_real = get_real_interface($value['interface']); + foreach ($snortconf as $snortcfg) { + $if_real = get_real_interface($snortcfg['interface']); + $snort_uuid = $snortcfg['uuid']; + $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; + + // Pull in the PHP code that generates the snort.conf file + // variables that will be substituted further down below. + include("/usr/local/pkg/snort/snort_generate_conf.php"); + + // Pull in the boilerplate template for the snort.conf + // configuration file. The contents of the template along + // with substituted variables are stored in $snort_conf_text + // (which is defined in the included file). + include("/usr/local/pkg/snort/snort_conf_template.inc"); + + // Now write out the conf file using $snort_conf_text contents + @file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text); + unset($snort_conf_text); + + // Create the actual rules files and save them in the interface directory + snort_prepare_rule_files($snortcfg, $snortcfgdir); - /* create a snort.conf file for interface */ - snort_generate_conf($value); + // Clean up variables we no longer need and free memory + unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); + unset($home_net, $external_net, $ipvardef, $portvardef); - /* create barnyard2.conf file for interface */ - if ($value['barnyard_enable'] == 'on') - snort_generate_barnyard2_conf($value, $if_real); + // create barnyard2.conf file for interface + if ($snortcfg['barnyard_enable'] == 'on') + snort_generate_barnyard2_conf($snortcfg, $if_real); } /* create snort bootup file snort.sh */ -- cgit v1.2.3
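Review bot: `@file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text);` suppresses the only signal that the configuration could not be written, so a failed write leaves a stale or missing snort.conf and the interface starts with whatever was there before; replace it with `if (file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text) === false) log_error("[Snort] ERROR: unable to write {$snortcfgdir}/snort.conf");`. Nothing in this hunk creates `$snortcfgdir` before the write — the old snort_generate_conf() call being replaced may have done so internally; if it did, add `safe_mkdir($snortcfgdir);` at the top of the loop body so the new inline version is self-sufficient. The enclosing `if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on')` block begins before this hunk.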