From 6f28da9d753b1538006cfa9c3488a4949c0cdd9d Mon Sep 17 00:00:00 2001 From: robiscool Date: Sat, 17 Oct 2009 16:40:07 -0700 Subject: snort-dev, start snort-inline gui base --- config/snort-dev/bkup/snort.inc | 1620 ++++++++++++++++ config/snort-dev/bkup/snort.xml | 397 ++++ config/snort-dev/bkup/snort_advanced.xml | 196 ++ config/snort-dev/bkup/snort_alerts.php | 122 ++ config/snort-dev/bkup/snort_blocked.php | 174 ++ .../bkup/snort_check_for_rule_updates.php | 629 ++++++ config/snort-dev/bkup/snort_define_servers.xml | 364 ++++ config/snort-dev/bkup/snort_download_rules.php | 782 ++++++++ config/snort-dev/bkup/snort_dynamic_ip_reload.php | 49 + config/snort-dev/bkup/snort_rules.php | 620 ++++++ config/snort-dev/bkup/snort_rules_edit.php | 207 ++ config/snort-dev/bkup/snort_rulesets.php | 227 +++ config/snort-dev/bkup/snort_threshold.xml | 129 ++ config/snort-dev/bkup/snort_whitelist.xml | 129 ++ config/snort-dev/bkup/snort_xmlrpc_sync.php | 114 ++ config/snort-dev/snort.inc | 1620 ---------------- config/snort-dev/snort.xml | 397 ---- config/snort-dev/snort_advanced.xml | 196 -- config/snort-dev/snort_alerts.php | 122 -- config/snort-dev/snort_base_files.php | 2025 ++++++++++++++++++++ config/snort-dev/snort_blocked.php | 174 -- config/snort-dev/snort_check_for_rule_updates.php | 629 ------ config/snort-dev/snort_define_servers.xml | 364 ---- config/snort-dev/snort_download_rules.php | 782 -------- config/snort-dev/snort_dynamic_ip_reload.php | 49 - config/snort-dev/snort_interfaces.php | 296 +++ config/snort-dev/snort_interfaces_edit.php | 402 ++++ config/snort-dev/snort_rules.php | 620 ------ config/snort-dev/snort_rules_edit.php | 207 -- config/snort-dev/snort_rulesets.php | 227 --- config/snort-dev/snort_threshold.xml | 129 -- config/snort-dev/snort_whitelist.xml | 129 -- config/snort-dev/snort_xmlrpc_sync.php | 114 -- 33 files changed, 8482 insertions(+), 5759 deletions(-) create mode 100644 config/snort-dev/bkup/snort.inc create mode 100644 config/snort-dev/bkup/snort.xml create mode 100644 config/snort-dev/bkup/snort_advanced.xml create mode 100644 config/snort-dev/bkup/snort_alerts.php create mode 100644 config/snort-dev/bkup/snort_blocked.php create mode 100644 config/snort-dev/bkup/snort_check_for_rule_updates.php create mode 100644 config/snort-dev/bkup/snort_define_servers.xml create mode 100644 config/snort-dev/bkup/snort_download_rules.php create mode 100644 config/snort-dev/bkup/snort_dynamic_ip_reload.php create mode 100644 config/snort-dev/bkup/snort_rules.php create mode 100644 config/snort-dev/bkup/snort_rules_edit.php create mode 100644 config/snort-dev/bkup/snort_rulesets.php create mode 100644 config/snort-dev/bkup/snort_threshold.xml create mode 100644 config/snort-dev/bkup/snort_whitelist.xml create mode 100644 config/snort-dev/bkup/snort_xmlrpc_sync.php delete mode 100644 config/snort-dev/snort.inc delete mode 100644 config/snort-dev/snort.xml delete mode 100644 config/snort-dev/snort_advanced.xml delete mode 100644 config/snort-dev/snort_alerts.php create mode 100644 config/snort-dev/snort_base_files.php delete mode 100644 config/snort-dev/snort_blocked.php delete mode 100644 config/snort-dev/snort_check_for_rule_updates.php delete mode 100644 config/snort-dev/snort_define_servers.xml delete mode 100644 config/snort-dev/snort_download_rules.php delete mode 100644 config/snort-dev/snort_dynamic_ip_reload.php create mode 100644 config/snort-dev/snort_interfaces.php create mode 100644 config/snort-dev/snort_interfaces_edit.php delete mode 100644 config/snort-dev/snort_rules.php delete mode 100644 config/snort-dev/snort_rules_edit.php delete mode 100644 config/snort-dev/snort_rulesets.php delete mode 100644 config/snort-dev/snort_threshold.xml delete mode 100644 config/snort-dev/snort_whitelist.xml delete mode 100644 config/snort-dev/snort_xmlrpc_sync.php diff --git a/config/snort-dev/bkup/snort.inc b/config/snort-dev/bkup/snort.inc new file mode 100644 index 00000000..575192b9 --- /dev/null +++ b/config/snort-dev/bkup/snort.inc @@ -0,0 +1,1620 @@ + advanced features */ + $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize']; + $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize']; + $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns']; + + /* set the snort performance model */ + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + else + $snort_performance = "ac-bnfa"; + + conf_mount_rw(); + /* create a few directories and ensure the sample files are in place */ + exec("/bin/mkdir -p /usr/local/etc/snort"); + exec("/bin/mkdir -p /var/log/snort"); + exec("/bin/mkdir -p /usr/local/etc/snort/rules"); + exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); + exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); + exec("/bin/rm /usr/local/etc/snort/generators-sample"); + exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); + exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/sid"); + exec("/bin/rm -f /usr/local/etc/rc.d/snort"); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; + } + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; + } + } + //print_r($snortInterfaces); + + /* create log directory */ + $start = "/bin/mkdir -p /var/log/snort\n"; + + /* snort advanced features - bpf tuning */ + if($bpfbufsize) + $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n"; + if($bpfmaxbufsize) + $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n"; + if($bpfmaxinsns) + $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n"; + + /* go ahead and issue bpf changes */ + if($bpfbufsize) + mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}"); + if($bpfmaxbufsize) + mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}"); + if($bpfmaxinsns) + mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); + + /* always stop barnyard2 before starting snort -gtm */ + $start .= "/usr/bin/killall barnyard2\n"; + + /* start a snort process for each interface -gtm */ + /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ + /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ + /* TODO; get snort to start under nologin shell */ + foreach($snortInterfaces as $snortIf) + { + $start .= "sleep 4\n"; + $start .= "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; + if ($snortbarnyardlog_info_chk == on) + $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; + } + $check_if_snort_runs = "\n\tif [ \"`ls -A /usr/local/etc/snort/rules`\" ] ; then\n\techo \"rules exist\"\n\telse\n\techo \"rules DONT exist\"\n\texit 2\n\tfi \n\n\tif [ \"`pgrep -x snort`\" = \"\" ] ; then\n\t/bin/rm /tmp/snort.sh.pid\n\tfi \n\n\tif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\t/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php\n\texit 1\n\tfi\n\n"; + $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; + $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; + $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; + $del_old_pids = "\nrm -f /var/run/snort_*\n"; + $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + $sample_after = "\n\tAFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + if ($snort_performance == "ac-bnfa") + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n"; + else + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n"; + $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n"; + $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; + $echo_usage .= $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\n\n"; + + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "snort.sh", + "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}", + "stop" => "/usr/bin/killall snort; killall barnyard2" + ) + ); + + /* create snort configuration file */ + create_snort_conf(); + +/* create barnyard2 configuration file */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + create_barnyard2_conf(); + + /* snort will not start on install untill setting are set */ +if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { + /* start snort service */ + conf_mount_ro(); + start_service("snort"); + } +} + +/* open barnyard2.conf for writing */ +function create_barnyard2_conf() { + global $bconfig, $bg; + /* write out barnyard2_conf */ + $barnyard2_conf_text = generate_barnyard2_conf(); + $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); + exit; + } + fwrite($bconf, $barnyard2_conf_text); + fclose($bconf); +} +/* open barnyard2.conf for writing" */ +function generate_barnyard2_conf() { + + global $config, $g; + conf_mount_rw(); + +/* define snortbarnyardlog */ +/* TODO add support for the other 5 output plugins */ + +$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; +$snortbarnyardlog_hostname_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_hostname']; +$snortbarnyardlog_interface_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_interface']; + +$barnyard2_conf_text = << 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + } + + function snort_rules_up_deinstall_cron($should_install) { + global $config, $g; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + } + +snort_rm_blocked_deinstall_cron(""); +snort_rules_up_deinstall_cron(""); + + + /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ + /* Keep this as a last step */ + unset($config['installedpackages']['snort']['config'][0]['autorulesupdate7']); + unset($config['installedpackages']['snort']['config'][0]['rm_blocked']); + write_config(); + +} + +function generate_snort_conf() { + + global $config, $g; + conf_mount_rw(); + /* obtain external interface */ + /* XXX: make multi wan friendly */ + $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; + + $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; + +/* define snortalertlogtype */ +$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; +if ($snortalertlogtype == fast) + $snortalertlogtype_type = "output alert_fast: alert"; +else + $snortalertlogtype_type = "output alert_full: alert"; + +/* define alertsystemlog */ +$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; +if ($alertsystemlog_info_chk == on) + $alertsystemlog_type = "output alert_syslog: log_alert"; + +/* define tcpdumplog */ +$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; +if ($tcpdumplog_info_chk == on) + $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; + +/* define snortbarnyardlog_chk */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; + +/* define snortunifiedlog */ +$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; +if ($snortunifiedlog_info_chk == on) + $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; + +/* define spoink */ +$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; +if ($spoink_info_chk == on) + $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; + + /* define servers and ports snortdefservers */ + +/* def DNS_SERVSERS */ +$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers']; +if ($def_dns_servers_info_chk == "") + $def_dns_servers_type = "\$HOME_NET"; +else + $def_dns_servers_type = "$def_dns_servers_info_chk"; + +/* def DNS_PORTS */ +$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports']; +if ($def_dns_ports_info_chk == "") + $def_dns_ports_type = "53"; +else + $def_dns_ports_type = "$def_dns_ports_info_chk"; + +/* def SMTP_SERVSERS */ +$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers']; +if ($def_smtp_servers_info_chk == "") + $def_smtp_servers_type = "\$HOME_NET"; +else + $def_smtp_servers_type = "$def_smtp_servers_info_chk"; + +/* def SMTP_PORTS */ +$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports']; +if ($def_smtp_ports_info_chk == "") + $def_smtp_ports_type = "25"; +else + $def_smtp_ports_type = "$def_smtp_ports_info_chk"; + +/* def MAIL_PORTS */ +$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports']; +if ($def_mail_ports_info_chk == "") + $def_mail_ports_type = "25,143,465,691"; +else + $def_mail_ports_type = "$def_mail_ports_info_chk"; + +/* def HTTP_SERVSERS */ +$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers']; +if ($def_http_servers_info_chk == "") + $def_http_servers_type = "\$HOME_NET"; +else + $def_http_servers_type = "$def_http_servers_info_chk"; + +/* def WWW_SERVSERS */ +$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers']; +if ($def_www_servers_info_chk == "") + $def_www_servers_type = "\$HOME_NET"; +else + $def_www_servers_type = "$def_www_servers_info_chk"; + +/* def HTTP_PORTS */ +$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports']; +if ($def_http_ports_info_chk == "") + $def_http_ports_type = "80"; +else + $def_http_ports_type = "$def_http_ports_info_chk"; + +/* def SQL_SERVSERS */ +$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers']; +if ($def_sql_servers_info_chk == "") + $def_sql_servers_type = "\$HOME_NET"; +else + $def_sql_servers_type = "$def_sql_servers_info_chk"; + +/* def ORACLE_PORTS */ +$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports']; +if ($def_oracle_ports_info_chk == "") + $def_oracle_ports_type = "1521"; +else + $def_oracle_ports_type = "$def_oracle_ports_info_chk"; + +/* def MSSQL_PORTS */ +$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports']; +if ($def_mssql_ports_info_chk == "") + $def_mssql_ports_type = "1433"; +else + $def_mssql_ports_type = "$def_mssql_ports_info_chk"; + +/* def TELNET_SERVSERS */ +$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers']; +if ($def_telnet_servers_info_chk == "") + $def_telnet_servers_type = "\$HOME_NET"; +else + $def_telnet_servers_type = "$def_telnet_servers_info_chk"; + +/* def TELNET_PORTS */ +$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports']; +if ($def_telnet_ports_info_chk == "") + $def_telnet_ports_type = "23"; +else + $def_telnet_ports_type = "$def_telnet_ports_info_chk"; + +/* def SNMP_SERVSERS */ +$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers']; +if ($def_snmp_servers_info_chk == "") + $def_snmp_servers_type = "\$HOME_NET"; +else + $def_snmp_servers_type = "$def_snmp_servers_info_chk"; + +/* def SNMP_PORTS */ +$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports']; +if ($def_snmp_ports_info_chk == "") + $def_snmp_ports_type = "161"; +else + $def_snmp_ports_type = "$def_snmp_ports_info_chk"; + +/* def FTP_SERVSERS */ +$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers']; +if ($def_ftp_servers_info_chk == "") + $def_ftp_servers_type = "\$HOME_NET"; +else + $def_ftp_servers_type = "$def_ftp_servers_info_chk"; + +/* def FTP_PORTS */ +$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports']; +if ($def_ftp_ports_info_chk == "") + $def_ftp_ports_type = "21"; +else + $def_ftp_ports_type = "$def_ftp_ports_info_chk"; + +/* def SSH_SERVSERS */ +$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers']; +if ($def_ssh_servers_info_chk == "") + $def_ssh_servers_type = "\$HOME_NET"; +else + $def_ssh_servers_type = "$def_ssh_servers_info_chk"; + +/* if user has defined a custom ssh port, use it */ +if($config['system']['ssh']['port']) + $ssh_port = $config['system']['ssh']['port']; +else + $ssh_port = "22"; + +/* def SSH_PORTS */ +$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports']; +if ($def_ssh_ports_info_chk == "") + $def_ssh_ports_type = "{$ssh_port}"; +else + $def_ssh_ports_type = "$def_ssh_ports_info_chk"; + +/* def POP_SERVSERS */ +$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers']; +if ($def_pop_servers_info_chk == "") + $def_pop_servers_type = "\$HOME_NET"; +else + $def_pop_servers_type = "$def_pop_servers_info_chk"; + +/* def POP2_PORTS */ +$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports']; +if ($def_pop2_ports_info_chk == "") + $def_pop2_ports_type = "109"; +else + $def_pop2_ports_type = "$def_pop2_ports_info_chk"; + +/* def POP3_PORTS */ +$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports']; +if ($def_pop3_ports_info_chk == "") + $def_pop3_ports_type = "110"; +else + $def_pop3_ports_type = "$def_pop3_ports_info_chk"; + +/* def IMAP_SERVSERS */ +$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers']; +if ($def_imap_servers_info_chk == "") + $def_imap_servers_type = "\$HOME_NET"; +else + $def_imap_servers_type = "$def_imap_servers_info_chk"; + +/* def IMAP_PORTS */ +$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports']; +if ($def_imap_ports_info_chk == "") + $def_imap_ports_type = "143"; +else + $def_imap_ports_type = "$def_imap_ports_info_chk"; + +/* def SIP_PROXY_IP */ +$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip']; +if ($def_sip_proxy_ip_info_chk == "") + $def_sip_proxy_ip_type = "\$HOME_NET"; +else + $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; + +/* def SIP_PROXY_PORTS */ +$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports']; +if ($def_sip_proxy_ports_info_chk == "") + $def_sip_proxy_ports_type = "5060:5090,16384:32768"; +else + $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; + +/* def AUTH_PORTS */ +$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports']; +if ($def_auth_ports_info_chk == "") + $def_auth_ports_type = "113"; +else + $def_auth_ports_type = "$def_auth_ports_info_chk"; + +/* def FINGER_PORTS */ +$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports']; +if ($def_finger_ports_info_chk == "") + $def_finger_ports_type = "79"; +else + $def_finger_ports_type = "$def_finger_ports_info_chk"; + +/* def IRC_PORTS */ +$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports']; +if ($def_irc_ports_info_chk == "") + $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; +else + $def_irc_ports_type = "$def_irc_ports_info_chk"; + +/* def NNTP_PORTS */ +$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports']; +if ($def_nntp_ports_info_chk == "") + $def_nntp_ports_type = "119"; +else + $def_nntp_ports_type = "$def_nntp_ports_info_chk"; + +/* def RLOGIN_PORTS */ +$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports']; +if ($def_rlogin_ports_info_chk == "") + $def_rlogin_ports_type = "513"; +else + $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; + +/* def RSH_PORTS */ +$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports']; +if ($def_rsh_ports_info_chk == "") + $def_rsh_ports_type = "514"; +else + $def_rsh_ports_type = "$def_rsh_ports_info_chk"; + +/* def SSL_PORTS */ +$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports']; +if ($def_ssl_ports_info_chk == "") + $def_ssl_ports_type = "25,443,465,636,993,995"; +else + $def_ssl_ports_type = "$def_ssl_ports_info_chk"; + + /* add auto update scripts to /etc/crontab */ +// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; +// $filenamea = "/etc/crontab"; +// remove_text_from_file($filenamea, $text_ww); +// add_text_to_file($filenamea, $text_ww); +// exec("killall -HUP cron"); */ + + /* should we install a automatic update crontab entry? */ + $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; + + /* if user is on pppoe, we really want to use ng0 interface */ + if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") + $snort_ext_int = "ng0"; + + /* set the snort performance model */ + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + else + $snort_performance = "ac-bnfa"; + + /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "never_b") + $snort_rm_blocked_false = ""; + else + $snort_rm_blocked_false = "true"; + +if ($snort_rm_blocked_info_ck != "") { +function snort_rm_blocked_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "1h_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "3600"; + } + if ($snort_rm_blocked_info_ck == "3h_b") { + $snort_rm_blocked_min = "*/15"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "10800"; + } + if ($snort_rm_blocked_info_ck == "6h_b") { + $snort_rm_blocked_min = "*/30"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "21600"; + } + if ($snort_rm_blocked_info_ck == "12h_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/1"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "43200"; + } + if ($snort_rm_blocked_info_ck == "1d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/2"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "86400"; + } + if ($snort_rm_blocked_info_ck == "4d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/8"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "345600"; + } + if ($snort_rm_blocked_info_ck == "7d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/14"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "604800"; + } + if ($snort_rm_blocked_info_ck == "28d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "0"; + $snort_rm_blocked_mday = "*/2"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "2419200"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + break; + } + } + snort_rm_blocked_install_cron(""); + snort_rm_blocked_install_cron($snort_rm_blocked_false); +} + + /* set the snort rules update time */ + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "never_up") + $snort_rules_up_false = ""; + else + $snort_rules_up_false = "true"; + +if ($snort_rules_up_info_ck != "") { +function snort_rules_up_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + break; + } + } + snort_rules_up_install_cron(""); + snort_rules_up_install_cron($snort_rules_up_false); +} + + /* open snort2c's whitelist for writing */ + $whitelist = fopen("/var/db/whitelist", "w"); + if(!$whitelist) { + log_error("Could not open /var/db/whitelist for writing."); + return; + } + + /* build an interface array list */ + $int_array = array('lan'); + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + if(isset($config['interfaces']['opt' . $j]['enable'])) + if(!$config['interfaces']['opt' . $j]['gateway']) + $int_array[] = "opt{$j}"; + + /* iterate through interface list and write out whitelist items + * and also compile a home_net list for snort. + */ + foreach($int_array as $int) { + /* calculate interface subnet information */ + $ifcfg = &$config['interfaces'][$int]; + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + $subnetmask = gen_subnet_mask($ifcfg['subnet']); + if($subnet == "pppoe" or $subnet == "dhcp") { + $subnet = find_interface_ip("ng0"); + if($subnet) + $home_net .= "{$subnet} "; + } else { + if ($subnet) + if($ifcfg['subnet']) + $home_net .= "{$subnet}/{$ifcfg['subnet']} "; + } + } + + /* add all WAN ips to the whitelist */ + $wan_if = get_real_wan_interface(); + $ip = find_interface_ip($wan_if); + if($ip) + $home_net .= "{$ip} "; + + /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ + $int = convert_friendly_interface_to_real_interface_name("WAN"); + $gw = get_interface_gateway($int); + if($gw) + $home_net .= "{$gw} "; + + /* Add DNS server for WAN interface to whitelist */ + $dns_servers = get_dns_servers(); + foreach($dns_servers as $dns) { + if($dns) + $home_net .= "{$dns} "; + } + + /* Add loopback to whitelist (ftphelper) */ + $home_net .= "127.0.0.1 "; + + /* iterate all vips and add to whitelist */ + if($config['virtualip']) + foreach($config['virtualip']['vip'] as $vip) + if($vip['subnet']) + $home_net .= $vip['subnet'] . " "; + + if($config['installedpackages']['snortwhitelist']) + foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) + if($snort['ip']) + $home_net .= $snort['ip'] . " "; + + /* write out whitelist, convert spaces to carriage returns */ + $whitelist_home_net = str_replace(" ", " ", $home_net); + $whitelist_home_net = str_replace(" ", "\n", $home_net); + + /* make $home_net presentable to snort */ + $home_net = trim($home_net); + $home_net = str_replace(" ", ",", $home_net); + $home_net = "[{$home_net}]"; + + /* foreach through whitelist, writing out to file */ + $whitelist_split = split("\n", $whitelist_home_net); + foreach($whitelist_split as $wl) + if(trim($wl)) + fwrite($whitelist, trim($wl) . "\n"); + + /* should we whitelist vpns? */ + $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; + + /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ + if($whitelistvpns) { + $vpns_list = get_vpns_list(); + $whitelist_vpns = split(" ", $vpns_list); + foreach($whitelist_vpns as $wl) + if(trim($wl)) + fwrite($whitelist, trim($wl) . "\n"); + } + + /* close file */ + fclose($whitelist); + + /* open snort's threshold.conf for writing */ + $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w"); + if(!$threshlist) { + log_error("Could not open /usr/local/etc/snort/threshold.conf for writing."); + return; + } + + /* list all entries to new lines */ + if($config['installedpackages']['snortthreshold']) + foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist) + if($snortthreshlist['threshrule']) + $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n"; + + + /* foreach through threshlist, writing out to file */ + $threshlist_split = split("\n", $snortthreshlist_r); + foreach($threshlist_split as $wl) + if(trim($wl)) + fwrite($threshlist, trim($wl) . "\n"); + + /* close snort's threshold.conf file */ + fclose($threshlist); + + /* generate rule sections to load */ + $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; + if($enabled_rulesets) { + $selected_rules_sections = ""; + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + foreach($enabled_rulesets_array as $enabled_item) + $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; + } + + conf_mount_ro(); + + /* build snort configuration file */ + /* TODO; feed back from pfsense users to reduce false positives */ + $snort_conf_text = << \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +##################### + # +# SMTP preprocessor # + # +##################### + +preprocessor SMTP: \ + ports { 25 465 691 } \ + inspection_type stateful \ + normalize cmds \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ +CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ +PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } + +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } + +############################ + # +# OLD # +# preprocessor dcerpc: \ # +# autodetect \ # +# max_frag_size 3000 \ # +# memcap 100000 # + # +############################ + +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3 + +#################### + # +# DNS preprocessor # + # +#################### + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +############################## + # +# NEW # +# Ignore SSL and Encryption # + # +############################## + +preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted + +##################### + # +# Snort Output Logs # + # +##################### + +$snortalertlogtype_type +$alertsystemlog_type +$tcpdumplog_type +$snortmysqllog_info_chk +$snortunifiedlog_type +$spoink_type + +################# + # +# Misc Includes # + # +################# + +include /usr/local/etc/snort/reference.config +include /usr/local/etc/snort/classification.config +include /usr/local/etc/snort/threshold.conf + +# Snort user pass through configuration +{$snort_config_pass_thru} + +################### + # +# Rules Selection # + # +################### + +{$selected_rules_sections} + +EOD; + + return $snort_conf_text; +} + +/* check downloaded text from snort.org to make sure that an error did not occur + * for example, if you are not a premium subscriber you can only download rules + * so often, etc. + */ +function check_for_common_errors($filename) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + $contents = file_get_contents($filename); + if(stristr($contents, "You don't have permission")) { + if(!$console_mode) { + update_all_status("An error occured while downloading {$filename}."); + hide_progress_bar_status(); + } else { + log_error("An error occured. Scroll down to inspect it's contents."); + echo "An error occured. Scroll down to inspect it's contents."; + } + if(!$console_mode) { + update_output_window(strip_tags("$contents")); + } else { + $contents = strip_tags($contents); + log_error("Error downloading snort rules: {$contents}"); + echo "Error downloading snort rules: {$contents}"; + } + scroll_down_to_bottom_of_page(); + exit; + } +} + +/* force browser to scroll all the way down */ +function scroll_down_to_bottom_of_page() { + global $snort_filename, $console_mode; + ob_flush(); + if(!$console_mode) + echo "\n"; +} + +/* ensure downloaded file looks sane */ +function verify_downloaded_file($filename) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(filesize($filename)<9500) { + if(!$console_mode) { + update_all_status("Checking {$filename}..."); + check_for_common_errors($filename); + } + } + update_all_status("Verifying {$filename}..."); + if(!file_exists($filename)) { + if(!$console_mode) { + update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); + hide_progress_bar_status(); + } else { + log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); + echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."; + } + exit; + } + update_all_status("Verifyied {$filename}."); +} + +/* extract rules */ +function extract_snort_rules_md5($tmpfname) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) { + $static_output = gettext("Extracting snort rules..."); + update_all_status($static_output); + } + if(!is_dir("/usr/local/etc/snort/rules/")) + mkdir("/usr/local/etc/snort/rules/"); + $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/"; + $handle = popen("{$cmd} 2>&1", 'r'); + while(!feof($handle)) { + $buffer = fgets($handle); + update_output_window($buffer); + } + pclose($handle); + + if(!$console_mode) { + $static_output = gettext("Snort rules extracted."); + update_all_status($static_output); + } else { + log_error("Snort rules extracted."); + echo "Snort rules extracted."; + } +} + +/* verify MD5 against downloaded item */ +function verify_snort_rules_md5($tmpfname) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) { + $static_output = gettext("Verifying md5 signature..."); + update_all_status($static_output); + } + + $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); + $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; + $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; + if($md5 == $file_md5_ondisk) { + if(!$console_mode) { + $static_output = gettext("snort rules: md5 signature of rules mismatch."); + update_all_status($static_output); + hide_progress_bar_status(); + } else { + log_error("snort rules: md5 signature of rules mismatch."); + echo "snort rules: md5 signature of rules mismatch."; + } + exit; + } +} + +/* hide progress bar */ +function hide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) + echo "\n"; +} + +/* unhide progress bar */ +function unhide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) + echo "\n"; +} + +/* update both top and bottom text box during an operation */ +function update_all_status($status) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) { + update_status($status); + update_output_window($status); + } +} + +/* obtain alert description for an ip address */ +function get_snort_alert($ip) { + global $snort_alert_file_split, $snort_config; + if(!file_exists("/var/log/snort/alert")) + return; + if(!$snort_config) + $snort_config = read_snort_config_cache(); + if($snort_config[$ip]) + return $snort_config[$ip]; + if(!$snort_alert_file_split) + $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); + foreach($snort_alert_file_split as $fileline) { + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + $alert_title = $matches[2]; + if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) + $alert_ip = $matches[0]; + if($alert_ip == $ip) { + if(!$snort_config[$ip]) + $snort_config[$ip] = $alert_title; + return $alert_title; + } + } + return "n/a"; +} + +function make_clickable($buffer) { + global $config, $g; + /* if clickable urls is disabled, simply return buffer back to caller */ + $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + if(!$clickablalerteurls) + return $buffer; + $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); + $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); + $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","\\1", $buffer); + $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); + $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); + + return $buffer; +} + +function read_snort_config_cache() { + global $g, $config, $snort_config; + if($snort_config) + return $snort_config; + if(file_exists($g['tmp_path'] . '/snort_config.cache')) { + $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache')); + return $snort_config; + } + return; +} + +function write_snort_config_cache($snort_config) { + global $g, $config; + conf_mount_rw(); + $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w"); + if(!$configcache) { + log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing."); + return false; + } + fwrite($configcache, serialize($snort_config)); + fclose($configcache); + conf_mount_ro(); + return true; +} + +function snort_advanced() { + global $g, $config; + sync_package_snort(); +} + +function snort_define_servers() { + global $g, $config; + sync_package_snort(); +} + +?> diff --git a/config/snort-dev/bkup/snort.xml b/config/snort-dev/bkup/snort.xml new file mode 100644 index 00000000..fc32ceb9 --- /dev/null +++ b/config/snort-dev/bkup/snort.xml @@ -0,0 +1,397 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + Snort + 2.8.4.1_5 + Services: Snort 2.8.4.1_5 pkg v. 1.7 alpha + /usr/local/pkg/snort.inc + + Snort + Setup snort specific settings +
Services
+ /pkg_edit.php?xml=snort.xml&id=0 +
+ + snort + snort.sh + snort + Snort is the most widely deployed IDS/IPS technology worldwide.. + + + + Settings + /pkg_edit.php?xml=snort.xml&id=0 + + + + Update Rules + /snort_download_rules.php + + + Categories + /snort_rulesets.php + + + Rules + /snort_rules.php + + + Servers + /pkg_edit.php?xml=snort_define_servers.xml&id=0 + + + Blocked + /snort_blocked.php + + + Whitelist + /pkg.php?xml=snort_whitelist.xml + + + Threshold + /pkg.php?xml=snort_threshold.xml + + + Alerts + /snort_alerts.php + + + Advanced + /pkg_edit.php?xml=snort_advanced.xml&id=0 + + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort.inc + + + /usr/local/bin/ + 077 + http://www.pfsense.com/packages/config/snort-dev/bin/barnyard2 + + + /usr/local/bin/ + 077 + http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl + + + /usr/local/bin/ + 077 + http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/oinkmaster.pl + + + /usr/local/www/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_download_rules.php + + + /usr/local/www/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_rules.php + + + /usr/local/www/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_rules_edit.php + + + /usr/local/www/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_rulesets.php + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_whitelist.xml + + + /usr/local/www/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_blocked.php + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_check_for_rule_updates.php + + + /usr/local/www/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_alerts.php + + + /usr/local/pkg/pf/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_dynamic_ip_reload.php + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_advanced.xml + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_define_servers.xml + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_threshold.xml + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/snort-dev/pfsense_rules/local.rules + + + + Interface + iface_array + Select the interface(s) Snort will listen on. + interfaces_selection + + 3 + lan + true + + + Memory Performance + performance + Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small memory,moderate performance, ac-sparsebands: small memory, high performance. + select + + + + + + + + + + + + + + + Install Snort.org rules. + installsnortrules + Free Snort.org rules that are maintained by Sourcefire. See the Pfsense Snort FAQ on how to get a subscription. + checkbox + + + + Oinkmaster code + oinkmastercode + Obtain a snort.org Oinkmaster code and paste here. + input + 60 + + + + Snort.org subscriber + subscriber + Check this box if you are a Snort.org subscriber (premium rules). <b>HIGHLY RECOMMENDED!</b> + checkbox + 60 + + + + + Install emergingthreats rules. + emergingthreats + Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules. + checkbox + + + + Install Pfsense rules. + installpfsenserules + Snort rules that Pfsense maintainers have requested for their packages. + checkbox + + + + Block offenders + blockoffenders7 + Checking this option will automatically block hosts that generate a snort alert. + checkbox + 60 + + + Remove blocked hosts every + rm_blocked + Please select the amount of time hosts are blocked + select + + + + + + + + + + + + + + Update rules automatically + autorulesupdate7 + Please select the update times for rules. + select + + + + + + + + + + + + Whitelist VPNs automatically + whitelistvpns + Checking this option will install whitelists for all VPNs. + checkbox + + + Convert Snort alerts urls to clickable links + clickablalerteurls + Checking this option will automatically convert URLs in the Snort alerts tab to clickable links. + checkbox + + + Associate events on Blocked tab + associatealertip + Checking this option will automatically associate the blocked reason from the snort alerts file. + checkbox + + + + sync_package_snort(); + + + + + sync_package_snort_reinstall(); + + + snort_deinstall(); + +
\ No newline at end of file diff --git a/config/snort-dev/bkup/snort_advanced.xml b/config/snort-dev/bkup/snort_advanced.xml new file mode 100644 index 00000000..1fdddda2 --- /dev/null +++ b/config/snort-dev/bkup/snort_advanced.xml @@ -0,0 +1,196 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + SnortAdvanced + none + Services: Snort Advanced + /usr/local/pkg/snort.inc + + + Settings + /pkg_edit.php?xml=snort.xml&id=0 + + + Update Rules + /snort_download_rules.php + + + Categories + /snort_rulesets.php + + + Rules + /snort_rules.php + + + Servers + /pkg_edit.php?xml=snort_define_servers.xml&id=0 + + + Blocked + /snort_blocked.php + + + Whitelist + /pkg.php?xml=snort_whitelist.xml + + + Threshold + /pkg.php?xml=snort_threshold.xml + + + Alerts + /snort_alerts.php + + + Advanced + /pkg_edit.php?xml=snort_advanced.xml&id=0 + + + + + + BPF Buffer size + bpfbufsize + Changing this option adjusts the system BPF buffer size. Leave blank if you do not know what this does. Default is 1024. + input + + + Maximum BPF buffer size + bpfmaxbufsize + Changing this option adjusts the system maximum BPF buffer size. Leave blank if you do not know what this does. Default is 524288. This value should never be set above hardware cache size. The best (optimal size) is 50% - 80% of the hardware cache size. + input + + + Maximum BPF inserts + bpfmaxinsns + Changing this option adjusts the system maximum BPF insert size. Leave blank if you do not know what this does. Default is 512. + input + + + Advanced configuration pass through + configpassthru + Add items to here will be automatically inserted into the running snort configuration + textarea + 40 + 5 + + + Snort signature info files. + signatureinfo + Snort signature info files will be installed during updates. At leats 500 mb of memory is needed. + checkbox + + + Alerts Tab logging type. + snortalertlogtype + Please choose the type of Alert logging you will like see in the Alerts Tab. The options are Full descriptions or Fast short descriptions + select + + + + + + + Send alerts to main System logs. + alertsystemlog + Snort will send Alerts to the Pfsense system logs. + checkbox + + + Log to a Tcpdump file. + tcpdumplog + Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large. + checkbox + + + Enable Barnyard2. + snortbarnyardlog + This will enable barnyard2 in the snort package. You will also have to set the database credentials. + checkbox + + + Barnyard2 Log Mysql Database. + snortbarnyardlog_database + Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz + input + 101 + + + + Barnyard2 Configure Hostname ID. + snortbarnyardlog_hostname + Example: pfsense.local + input + 25 + + + + Barnyard2 Configure Interface ID + snortbarnyardlog_interface + Example: vr0 + input + 25 + + + + Log Alerts to a snort unified2 file. + snortunifiedlog + Snort will log Alerts to a file in the UNIFIED2 format. This is a requirement for barnyard2. + checkbox + + + + snort_advanced(); + + diff --git a/config/snort-dev/bkup/snort_alerts.php b/config/snort-dev/bkup/snort_alerts.php new file mode 100644 index 00000000..f463c0b9 --- /dev/null +++ b/config/snort-dev/bkup/snort_alerts.php @@ -0,0 +1,122 @@ +. + Copyright (C) 2003-2004 Manuel Kasper . + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("globals.inc"); +require("guiconfig.inc"); +require("/usr/local/pkg/snort.inc"); + +$snort_logfile = "{$g['varlog_path']}/snort/alert"; + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("killall syslogd"); + exec("rm {$snort_logfile}; touch {$snort_logfile}"); + system_syslogd_start(); + exec("/usr/bin/killall -HUP snort"); + exec("/usr/bin/killall snort2c"); + if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on') + exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert"); +} + +$pgtitle = "Services: Snort: Snort Alerts"; +include("head.inc"); + +?> + + + +

"; +?> + + + + + +
+ +
+
+ + + + + + +
+ Last Snort Alert entries

+
+
+ +
+ + + + + + +\n"; + echo "" . make_clickable($ww_logent) . " \n"; + echo "\n"; + } +} + +?> \ No newline at end of file diff --git a/config/snort-dev/bkup/snort_blocked.php b/config/snort-dev/bkup/snort_blocked.php new file mode 100644 index 00000000..ff158853 --- /dev/null +++ b/config/snort-dev/bkup/snort_blocked.php @@ -0,0 +1,174 @@ + + + + + +

"; +?> + +
+ + + + + + + + + + +
+ +
+
+ + + + +
+ + + + + + +"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + } + echo "\n"; + if($counter < 1) + echo "\n"; + else + echo "\n"; + +?> + +
RemoveIPAlert Description
"; + echo "\n\"Delete\" {$ww_ip} {$alert_description}
 
There are currently no items being blocked by snort.
{$counter} items listed.
+
+
+
+ +
+ +

+ + + + + + + + + \ No newline at end of file diff --git a/config/snort-dev/bkup/snort_check_for_rule_updates.php b/config/snort-dev/bkup/snort_check_for_rule_updates.php new file mode 100644 index 00000000..95adbaa6 --- /dev/null +++ b/config/snort-dev/bkup/snort_check_for_rule_updates.php @@ -0,0 +1,629 @@ + + + + filesize("{$tmpfname}/$snort_filename")){ + echo "Error with the snort rules download...\n"; + echo "Snort rules file downloaded failed...\n"; + exit(0); + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + echo "Emergingthreats tar file exists...\n"; +} else { + echo "There is a new set of Emergingthreats rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); +// $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); + $f = fopen("{$tmpfname}/emerging.rules.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading Emergingthreats rules file.\n"; + } + } + } + +/* download pfsense rules file */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + echo "Snortrule tar file exists...\n"; +} else { + + echo "There is a new set of Pfsense rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz"); + $f = fopen("{$tmpfname}/pfsense_rules.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading rules file.\n"; + } +} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + echo "Extracting rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); + echo "Done extracting Rules.\n"; +} else { + echo "The Download rules file missing...\n"; + echo "Error rules extracting failed...\n"; + exit(0); + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + echo "Extracting rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + echo "Extracting Pfsense rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); + } +} + +/* Untar snort signatures */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { +$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { + echo "Extracting Signatures...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + echo "Done extracting Signatures.\n"; + } + } +} + +/* Make Clean Snort Directory */ +//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { +//if (file_exists("{$snortdir}/rules")) { +// echo "Cleaning the snort Directory...\n"; +// echo "removing...\n"; +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/mkdir -p {$snortdir}/signatures"); +// exec("/bin/rm {$snortdir}/*"); +// exec("/bin/rm {$snortdir}/rules/*"); +// exec("/bin/rm {$snortdir_wan}/*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); +//} else { +// echo "Making Snort Directory...\n"; +// echo "should be fast...\n"; +// exec("/bin/mkdir {$snortdir}"); +// exec("/bin/mkdir {$snortdir}/rules"); +// exec("/bin/rm {$snortdir_wan}/\*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); +// echo "Done making snort direcory.\n"; +// } +//} + +/* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { + echo "Copying so_rules...\n"; + echo "May take a while...\n"; + sleep(2); + exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); + exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + echo "Done copying so_rules.\n"; +} else { + echo "Directory so_rules does not exist...\n"; + echo "Error copping so_rules...\n"; + exit(0); + } +} + +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; +$enabled_sid_on_array = split('\|\|', $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "$enabled_item_on\n"; + } + +if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; +$enabled_sid_off_array = split('\|\|', $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "$enabled_item_off\n"; + } + +$snort_sid_text = << /usr/local/etc/snort_bkup/sid-msg.map"); + +/* Run oinkmaster to snort_wan and cp configs */ +/* If oinkmaster is not needed cp rules normally */ +/* TODO add per interface settings here */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + + if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { +echo "Your first set of rules are being copied...\n"; +echo "May take a while...\n"; + + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + +} else { + echo "Your enable and disable changes are being applied to your fresh set of rules...\n"; + echo "May take a while...\n"; + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + + /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ + /* might have to add a sleep for 3sec for flash drives or old drives */ + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); + exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + + } +} + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + echo "Cleaning up...\n"; + exec("/bin/rm -r /tmp/snort_rules_up"); +} + +/* php code to flush out cache some people are reportting missing files this might help */ +sleep(5); +apc_clear_cache(); +exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + +/* if snort is running hardrestart, if snort is not running do nothing */ +if (file_exists("/tmp/snort_download_halt.pid")) { + start_service("snort"); + echo "The Rules update finished...\n"; + echo "Snort has restarted with your new set of rules...\n"; + exec("/bin/rm /tmp/snort_download_halt.pid"); +} else { + echo "The Rules update finished...\n"; + echo "You may start snort now...\n"; +} + +?> diff --git a/config/snort-dev/bkup/snort_define_servers.xml b/config/snort-dev/bkup/snort_define_servers.xml new file mode 100644 index 00000000..7df880d0 --- /dev/null +++ b/config/snort-dev/bkup/snort_define_servers.xml @@ -0,0 +1,364 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + SnortDefServers + none + Services: Snort Define Servers + /usr/local/pkg/snort.inc + + + Settings + /pkg_edit.php?xml=snort.xml&id=0 + + + Update Rules + /snort_download_rules.php + + + Categories + /snort_rulesets.php + + + Rules + /snort_rules.php + + + Servers + /pkg_edit.php?xml=snort_define_servers.xml&id=0 + + + + Blocked + /snort_blocked.php + + + Whitelist + /pkg.php?xml=snort_whitelist.xml + + + Threshold + /pkg.php?xml=snort_threshold.xml + + + Alerts + /snort_alerts.php + + + Advanced + /pkg_edit.php?xml=snort_advanced.xml&id=0 + + + + + Define DNS_SERVERS + def_dns_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define DNS_PORTS + def_dns_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 53. + input + 43 + + + + Define SMTP_SERVERS + def_smtp_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define SMTP_PORTS + def_smtp_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25. + input + 43 + + + + Define Mail_Ports + def_mail_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,143,465,691. + input + 43 + + + + Define HTTP_SERVERS + def_http_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define WWW_SERVERS + def_www_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define HTTP_PORTS + def_http_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 80. + input + 43 + + + + Define SQL_SERVERS + def_sql_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define ORACLE_PORTS + def_oracle_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1521. + input + 43 + + + + Define MSSQL_PORTS + def_mssql_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1433. + input + 43 + + + + Define TELNET_SERVERS + def_telnet_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define TELNET_PORTS + def_telnet_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 23. + input + 43 + + + + Define SNMP_SERVERS + def_snmp_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define SNMP_PORTS + def_snmp_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 161. + input + 43 + + + + Define FTP_SERVERS + def_ftp_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define FTP_PORTS + def_ftp_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 21. + input + 43 + + + + Define SSH_SERVERS + def_ssh_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define SSH_PORTS + def_ssh_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is Pfsense SSH port. + input + 43 + + + + Define POP_SERVERS + def_pop_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define POP2_PORTS + def_pop2_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 109. + input + 43 + + + + Define POP3_PORTS + def_pop3_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 110. + input + 43 + + + + Define IMAP_SERVERS + def_imap_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define IMAP_PORTS + def_imap_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 143. + input + 43 + + + + Define SIP_PROXY_IP + def_sip_proxy_ip + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define SIP_PROXY_PORTS + def_sip_proxy_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 5060:5090,16384:32768. + input + 43 + + + + Define AUTH_PORTS + def_auth_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 113. + input + 43 + + + + Define FINGER_PORTS + def_finger_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 79. + input + 43 + + + + Define IRC_PORTS + def_irc_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 6665,6666,6667,6668,6669,7000. + input + 43 + + + + Define NNTP_PORTS + def_nntp_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 119. + input + 43 + + + + Define RLOGIN_PORTS + def_rlogin_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 513. + input + 43 + + + + Define RSH_PORTS + def_rsh_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 514. + input + 43 + + + + Define SSL_PORTS + def_ssl_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,443,465,636,993,995. + input + 43 + + + + + snort_define_servers(); + + diff --git a/config/snort-dev/bkup/snort_download_rules.php b/config/snort-dev/bkup/snort_download_rules.php new file mode 100644 index 00000000..133f2d2a --- /dev/null +++ b/config/snort-dev/bkup/snort_download_rules.php @@ -0,0 +1,782 @@ + + + + + + + + +

"; +?> + +
+
+ + + + + + + + +
+ +
+
+ + + + +
+ + + + + +
+ /images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> +
+
+ + + + +
+
+
+
+ + + +You last checked for updates: {$last_md5_download}

\n"; + echo "\n

You last installed for rules: {$last_rules_install}

\n"; + echo "\n\n\n\n"; + exit(0); +} + +/* If emergingthreats md5 file is empty wait 15min exit not needed */ + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); + update_output_window(gettext("Rules are released to support Pfsense packages.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ + echo "\n

You last checked for updates: {$last_md5_download}

\n"; + echo "\n

You last installed for rules: {$last_rules_install}

\n"; + echo "\n\n\n\n"; + exit(0); +} + +/* Check if were up to date snort.org */ +if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ +$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); +if ($md5_check_new == $md5_check_old) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + /* Timestamps to html */ + echo "\n

You last checked for updates: {$last_md5_download}

\n"; + echo "\n

You last installed for rules: {$last_rules_install}

\n"; +// echo "P is this code {$premium_subscriber}"; + echo "\n\n\n\n"; + $snort_md5_check_ok = on; + } +} + +/* Check if were up to date emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { +if (file_exists("{$snortdir}/version.txt")){ +$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); +$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); +$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); +if ($emerg_md5_check_new == $emerg_md5_check_old) { + update_status(gettext("Your emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + $emerg_md5_check_chk_ok = on; + } + } +} + +/* Check if were up to date pfsense.org */ +if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ +$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +if ($pfsense_md5_check_new == $pfsense_md5_check_old) { + $pfsense_md5_check_ok = on; + } +} + +/* Make Clean Snort Directory emergingthreats not checked */ +if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Cleaning the snort Directory...")); + update_output_window(gettext("removing...")); + exec("/bin/rm {$snortdir}/rules/emerging*"); + exec("/bin/rm {$snortdir}/version.txt"); + exec("/bin/rm {$snortdir_wan}/rules/emerging*"); + exec("/bin/rm {$snortdir_wan}/version.txt"); + update_status(gettext("Done making cleaning emrg direcory.")); +} + +/* Check if were up to date exits */ +if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + +if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + +/* You are Not Up to date, always stop snort when updating rules for low end machines */; +update_status(gettext("You are NOT up to date...")); +update_output_window(gettext("Stopping Snort service...")); +$chk_if_snort_up = exec("pgrep -x snort"); +if ($chk_if_snort_up != "") { + exec("/usr/bin/touch /tmp/snort_download_halt.pid"); + stop_service("snort"); + sleep(2); +} + +/* download snortrules file */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); +} else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Snort rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + update_output_window(gettext("Snort rules file downloaded failed...")); + exit(0); + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Emergingthreats tar file exists...")); +} else { + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading Emergingthreats rules file.")); + } + } + } + +/* download pfsense rules file */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Snortrule tar file exists...")); +} else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + } +} + +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); + update_status(gettext("Done extracting Rules.")); +} else { + update_status(gettext("The Download rules file missing...")); + update_output_window(gettext("Error rules extracting failed...")); + exit(0); + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Extracting Pfsense rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); + } +} + +/* Untar snort signatures */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { +$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { + update_status(gettext("Extracting Signatures...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + } + } +} + +/* Make Clean Snort Directory */ +//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { +//if (file_exists("{$snortdir}/rules")) { +// update_status(gettext("Cleaning the snort Directory...")); +// update_output_window(gettext("removing...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/mkdir -p {$snortdir}/signatures"); +// exec("/bin/rm {$snortdir}/*"); +// exec("/bin/rm {$snortdir}/rules/*"); +// exec("/bin/rm {$snortdir_wan}/*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); + +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); +//} else { +// update_status(gettext("Making Snort Directory...")); +// update_output_window(gettext("should be fast...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/rm {$snortdir_wan}/*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); +// update_status(gettext("Done making snort direcory.")); +// } +//} + +/* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { + update_status(gettext("Copying so_rules...")); + update_output_window(gettext("May take a while...")); + exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); + exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + update_status(gettext("Done copying so_rules.")); +} else { + update_status(gettext("Directory so_rules does not exist...")); + update_output_window(gettext("Error copping so_rules...")); + exit(0); + } +} + +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; +$enabled_sid_on_array = split('\|\|', $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "$enabled_item_on\n"; + } + +if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; +$enabled_sid_off_array = split('\|\|', $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "$enabled_item_off\n"; + } + +$snort_sid_text = << /usr/local/etc/snort_bkup/sid-msg.map"); + +/* Run oinkmaster to snort_wan and cp configs */ +/* If oinkmaster is not needed cp rules normally */ +/* TODO add per interface settings here */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + + if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { + update_status(gettext("Your first set of rules are being copied...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + +} else { + update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + + /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ + /* might have to add a sleep for 3sec for flash drives or old drives */ + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); + exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + + + } +} + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + update_status(gettext("Cleaning up...")); + exec("/bin/rm -r /tmp/snort_rules_up"); +// apc_clear_cache(); +} + +/* php code to flush out cache some people are reportting missing files this might help */ +sleep(2); +apc_clear_cache(); +exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + +/* if snort is running hardrestart, if snort is not running do nothing */ +if (file_exists("/tmp/snort_download_halt.pid")) { + start_service("snort"); + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("Snort has restarted with your new set of rules...")); + exec("/bin/rm /tmp/snort_download_halt.pid"); +} else { + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("You may start snort now...")); +} + +/* hide progress bar and lets end this party */ +hide_progress_bar_status(); + +?> + + 150) { + update_output_window($text); + update_progress_bar($downloadProgress); + flush(); + $counter = 0; + } + fwrite($fout, $string); + return $length; +} + +?> + + + diff --git a/config/snort-dev/bkup/snort_dynamic_ip_reload.php b/config/snort-dev/bkup/snort_dynamic_ip_reload.php new file mode 100644 index 00000000..0fad085b --- /dev/null +++ b/config/snort-dev/bkup/snort_dynamic_ip_reload.php @@ -0,0 +1,49 @@ + \ No newline at end of file diff --git a/config/snort-dev/bkup/snort_rules.php b/config/snort-dev/bkup/snort_rules.php new file mode 100644 index 00000000..233841b1 --- /dev/null +++ b/config/snort-dev/bkup/snort_rules.php @@ -0,0 +1,620 @@ +"; + +echo "\n +\n +\n + \n + \n + \n + \n + \n + \n +
\n"; + + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); + +echo "
\n +
\n + \n + \n + \n + \n +
\n +# The rules directory is empty.\n +
\n +
\n +
\n +\n +\n +\n +

\n\n"; + +echo "Please click on the Update Rules tab to install your selected rule sets."; +include("fend.inc"); + +echo ""; +echo ""; + +exit(0); + +} + +function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; +} + +function write_rule_file($content_changed, $received_file) +{ + //read snort file with writing enabled + $filehandle = fopen($received_file, "w"); + + //delimiter for each new rule is a new line + $delimiter = "\n"; + + //implode the array back into a string for writing purposes + $fullfile = implode($delimiter, $content_changed); + + //write data to file + fwrite($filehandle, $fullfile); + + //close file handle + fclose($filehandle); + +} + +function load_rule_file($incoming_file) +{ + + //read snort file + $filehandle = fopen($incoming_file, "r"); + + //read file into string, and get filesize + $contents = fread($filehandle, filesize($incoming_file)); + + //close handler + fclose ($filehandle); + + //string for populating category select + $currentruleset = substr($file, 27); + + //delimiter for each new rule is a new line + $delimiter = "\n"; + + //split the contents of the string file into an array using the delimiter + $splitcontents = explode($delimiter, $contents); + + return $splitcontents; + +} + +$ruledir = "/usr/local/etc/snort/rules/"; +$dh = opendir($ruledir); + +$message_reload = "The Snort rule configuration has been changed.
You must apply the changes in order for them to take effect."; + +while (false !== ($filename = readdir($dh))) +{ + //only populate this array if its a rule file + $isrulefile = strstr($filename, ".rules"); + if ($isrulefile !== false) + { + $files[] = $filename; + } +} + +sort($files); + +if ($_GET['openruleset']) +{ + $file = $_GET['openruleset']; +} +else +{ + $file = $ruledir.$files[0]; + +} + +//Load the rule file +$splitcontents = load_rule_file($file); + +if ($_POST) +{ + if (!$_POST['apply']) { + //retrieve POST data + $post_lineid = $_POST['lineid']; + $post_enabled = $_POST['enabled']; + $post_src = $_POST['src']; + $post_srcport = $_POST['srcport']; + $post_dest = $_POST['dest']; + $post_destport = $_POST['destport']; + + //clean up any white spaces insert by accident + $post_src = str_replace(" ", "", $post_src); + $post_srcport = str_replace(" ", "", $post_srcport); + $post_dest = str_replace(" ", "", $post_dest); + $post_destport = str_replace(" ", "", $post_destport); + + //copy rule contents from array into string + $tempstring = $splitcontents[$post_lineid]; + + //search string + $findme = "# alert"; //find string for disabled alerts + + //find if alert is disabled + $disabled = strstr($tempstring, $findme); + + //if find alert is false, then rule is disabled + if ($disabled !== false) + { + //has rule been enabled + if ($post_enabled == "yes") + { + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("# alert", "alert", $tempstring); + $counter2 = 1; + } + else + { + //rule is staying disabled + $counter2 = 2; + } + } + else + { + //has rule been disabled + if ($post_enabled != "yes") + { + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("alert", "# alert", $tempstring); + $counter2 = 2; + } + else + { + //rule is staying enabled + $counter2 = 1; + } + } + + //explode rule contents into an array, (delimiter is space) + $rule_content = explode(' ', $tempstring); + + //insert new values + $counter2++; + $rule_content[$counter2] = $post_src;//source location + $counter2++; + $rule_content[$counter2] = $post_srcport;//source port location + $counter2 = $counter2+2; + $rule_content[$counter2] = $post_dest;//destination location + $counter2++; + $rule_content[$counter2] = $post_destport;//destination port location + + //implode the array back into string + $tempstring = implode(' ', $rule_content); + + //copy string into file array for writing + $splitcontents[$post_lineid] = $tempstring; + + //write the new .rules file + write_rule_file($splitcontents, $file); + + //once file has been written, reload file + $splitcontents = load_rule_file($file); + + $stopMsg = true; + } + + if ($_POST['apply']) { +// stop_service("snort"); +// sleep(2); +// start_service("snort"); + $savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; + $stopMsg = false; + } + +} +else if ($_GET['act'] == "toggle") +{ + $toggleid = $_GET['id']; + + //copy rule contents from array into string + $tempstring = $splitcontents[$toggleid]; + + //explode rule contents into an array, (delimiter is space) + $rule_content = explode(' ', $tempstring); + + //search string + $findme = "# alert"; //find string for disabled alerts + + //find if alert is disabled + $disabled = strstr($tempstring, $findme); + + //if find alert is false, then rule is disabled + if ($disabled !== false) + { + //rule has been enabled + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("# alert", "alert", $tempstring); + + } + else + { + //has rule been disabled + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("alert", "# alert", $tempstring); + + } + + //copy string into array for writing + $splitcontents[$toggleid] = $tempstring; + + //write the new .rules file + write_rule_file($splitcontents, $file); + + //once file has been written, reload file + $splitcontents = load_rule_file($file); + + $stopMsg = true; + + //write disable/enable sid to config.xml + if ($disabled == false) { + $string_sid = strstr($tempstring, 'sid:'); + $sid_pieces = explode(";", $string_sid); + $sid_off_cut = $sid_pieces[0]; + // sid being turned off + $sid_off = str_replace("sid:", "", $sid_off_cut); + // rule_sid_on registers + $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; + // if off sid is the same as on sid remove it + $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); + // write the replace sid back as empty + $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; + // rule sid off registers + $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; + // if off sid is the same as off sid remove it + $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); + // write the replace sid back as empty + $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; + // add sid off registers to new off sid + $config['installedpackages']['snort']['rule_sid_off'] = "||disablesid $sid_off" . $config['installedpackages']['snort']['rule_sid_off']; + write_config(); + } + else + { + $string_sid = strstr($tempstring, 'sid:'); + $sid_pieces = explode(";", $string_sid); + $sid_on_cut = $sid_pieces[0]; + // sid being turned off + $sid_on = str_replace("sid:", "", $sid_on_cut); + // rule_sid_off registers + $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; + // if off sid is the same as on sid remove it + $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); + // write the replace sid back as empty + $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; + // rule sid on registers + $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; + // if on sid is the same as on sid remove it + $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); + // write the replace sid back as empty + $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; + // add sid on registers to new on sid + $config['installedpackages']['snort']['rule_sid_on'] = "||enablesid $sid_on" . $config['installedpackages']['snort']['rule_sid_on']; + write_config(); + } + +} + + +$pgtitle = "Snort: Rules"; +require("guiconfig.inc"); +include("head.inc"); +?> + + + +

"; +?> +
+ +
+
+ + + + + + + + + +
+ +
+
+ + + + +
+ + + + + + + + + + + + + + Category: "; + + //string for populating category select + $currentruleset = substr($file, 27); + ?> + + + + + "; + $textse = ""; + $iconb = "icon_block_d.gif"; + } + else + { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + } + + $rule_content = explode(' ', $tempstring); + + $protocol = $rule_content[$counter2];//protocol location + $counter2++; + $source = $rule_content[$counter2];//source location + $counter2++; + $source_port = $rule_content[$counter2];//source port location + $counter2 = $counter2+2; + $destination = $rule_content[$counter2];//destination location + $counter2++; + $destination_port = $rule_content[$counter2];//destination port location + + $message = get_middle($tempstring, 'msg:"', '";', 0); + + echo ""; + echo ""; + + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + ?> + +
"; + ?> +
 SIDProtoSourcePortDestinationPortMessage
"; + echo $textss; + ?> + + "; + + + echo ""; + echo $textss; + echo $sid; + echo $textse; + echo ""; + echo $textss; + echo $protocol; + $printcounter++; + echo $textse; + echo ""; + echo $textss; + echo $source; + echo $textse; + echo ""; + echo $textss; + echo $source_port; + echo $textse; + echo ""; + echo $textss; + echo $destination; + echo $textse; + echo ""; + echo $textss; + echo $destination_port; + echo $textse; + echo " + "; + ?> + + + + + +
+
+
+ + + + + + + + + + + + + +
Rule Enabled
Rule Disabled
+

+ +

+
+ + + + + + + + + \ No newline at end of file diff --git a/config/snort-dev/bkup/snort_rules_edit.php b/config/snort-dev/bkup/snort_rules_edit.php new file mode 100644 index 00000000..cbabce73 --- /dev/null +++ b/config/snort-dev/bkup/snort_rules_edit.php @@ -0,0 +1,207 @@ + + + + + +

"; +?> + + + + + + + +
+ +
+
+ + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Enabled: >
SID:
Protocol:
Source:
Source Port:
Direction:
Destination:
Destination Port:
Message:
Content:
Classtype:
Revision:
 
   
+
+
+
+ + + + \ No newline at end of file diff --git a/config/snort-dev/bkup/snort_rulesets.php b/config/snort-dev/bkup/snort_rulesets.php new file mode 100644 index 00000000..8e5179d6 --- /dev/null +++ b/config/snort-dev/bkup/snort_rulesets.php @@ -0,0 +1,227 @@ +"; + +echo "\n +\n +\n + \n + \n + \n + \n + \n + \n +
\n"; + + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); + +echo "
\n +
\n + \n + \n + \n + \n +
\n +# The rules directory is empty.\n +
\n +
\n +
\n +\n +\n +\n +

\n\n"; + +echo "Please click on the Update Rules tab to install your selected rule sets."; +include("fend.inc"); + +echo ""; +echo ""; + +exit(0); + +} + +if($_POST) { + $enabled_items = ""; + $isfirst = true; + foreach($_POST['toenable'] as $toenable) { + if(!$isfirst) + $enabled_items .= "||"; + $enabled_items .= "{$toenable}"; + $isfirst = false; + } + $config['installedpackages']['snort']['rulesets'] = $enabled_items; + write_config(); + stop_service("snort"); + create_snort_conf(); + sleep(2); + start_service("snort"); + $savemsg = "The snort ruleset selections have been saved."; +} + +$enabled_rulesets = $config['installedpackages']['snort']['rulesets']; +if($enabled_rulesets) + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + +$pgtitle = "Snort: Categories"; +include("head.inc"); + +?> + + + + +

"; +?> + +
+ + + + + + + + + + +
+ +
+
+ + + + + + + + +
+ + + + + + +"; + echo ""; + echo ""; + //echo ""; + } + +?> +
EnabledRuleset: Rules that end with "so.rules" are shared object rules.
"; + if(is_array($enabled_rulesets_array)) + if(in_array($file, $enabled_rulesets_array)) { + $CHECKED = " checked=\"checked\""; + } else { + $CHECKED = ""; + } + else + $CHECKED = ""; + echo " "; + echo ""; + echo "{$file}"; + echo ""; + //echo "description"; + //echo "
+
 
Check the rulesets that you would like Snort to load at startup.
 
+
+
+ +
+ +

NOTE: You can click on a ruleset name to edit the ruleset. + + + + + + + \ No newline at end of file diff --git a/config/snort-dev/bkup/snort_threshold.xml b/config/snort-dev/bkup/snort_threshold.xml new file mode 100644 index 00000000..f9075d3d --- /dev/null +++ b/config/snort-dev/bkup/snort_threshold.xml @@ -0,0 +1,129 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + snort-threshold + 0.1.0 + Snort: Alert Thresholding and Suppression + /usr/local/pkg/snort.inc + + + + Settings + /pkg_edit.php?xml=snort.xml&id=0 + + + Update Rules + /snort_download_rules.php + + + Categories + /snort_rulesets.php + + + Rules + /snort_rules.php + + + Servers + /pkg_edit.php?xml=snort_define_servers.xml&id=0 + + + Blocked + /snort_blocked.php + + + Whitelist + /pkg.php?xml=snort_whitelist.xml + + + Threshold + /pkg.php?xml=snort_threshold.xml + + + + Alerts + /snort_alerts.php + + + Advanced + /pkg_edit.php?xml=snort_advanced.xml&id=0 + + + + + Thresholding or Suppression Rule + threshrule + + + Description + description + + + + + Thresholding or Suppression Rule + threshrule + Enter the Rule. Example; "suppress gen_id 125, sig_id 4" or "threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60" + input + 40 + + + Description + description + Enter the description for this item + input + 60 + + + + + + + + create_snort_conf(); + + \ No newline at end of file diff --git a/config/snort-dev/bkup/snort_whitelist.xml b/config/snort-dev/bkup/snort_whitelist.xml new file mode 100644 index 00000000..42769e4e --- /dev/null +++ b/config/snort-dev/bkup/snort_whitelist.xml @@ -0,0 +1,129 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + snort-whitelist + 0.1.0 + Snort: Whitelist + /usr/local/pkg/snort.inc + + + + Settings + /pkg_edit.php?xml=snort.xml&id=0 + + + Update Rules + /snort_download_rules.php + + + Categories + /snort_rulesets.php + + + Rules + /snort_rules.php + + + Servers + /pkg_edit.php?xml=snort_define_servers.xml&id=0 + + + Blocked + /snort_blocked.php + + + Whitelist + /pkg.php?xml=snort_whitelist.xml + + + + Threshold + /pkg.php?xml=snort_threshold.xml + + + Alerts + /snort_alerts.php + + + Advanced + /pkg_edit.php?xml=snort_advanced.xml&id=0 + + + + + Whitelisted IP + ip + + + Description + description + + + + + Whitelisted IP + ip + Enter the IP or network to whitelist from snort blocking. Network items should be expressed in CIDR notation. Example: 0.0.0.0/24 or 0.0.0.0/32 + input + 40 + + + Description + description + Enter the description for this item + input + 60 + + + + + + + + create_snort_conf(); + + \ No newline at end of file diff --git a/config/snort-dev/bkup/snort_xmlrpc_sync.php b/config/snort-dev/bkup/snort_xmlrpc_sync.php new file mode 100644 index 00000000..db8b3f3e --- /dev/null +++ b/config/snort-dev/bkup/snort_xmlrpc_sync.php @@ -0,0 +1,114 @@ +setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 240 seconds */ + $resp = $cli->send($msg, "999"); + if(!$resp) { + $error = "A communications error occured while attempting Snort XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "Snort Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting Snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "Snort Settings Sync", ""); + } else { + log_error("Snort XMLRPC sync successfully completed with {$url}:{$port}."); + } + log_error("[SNORT] snort_xmlrpc_sync.php is ending."); +} + +?> \ No newline at end of file diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc deleted file mode 100644 index 575192b9..00000000 --- a/config/snort-dev/snort.inc +++ /dev/null @@ -1,1620 +0,0 @@ - advanced features */ - $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize']; - $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize']; - $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns']; - - /* set the snort performance model */ - if($config['installedpackages']['snort']['config'][0]['performance']) - $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; - else - $snort_performance = "ac-bnfa"; - - conf_mount_rw(); - /* create a few directories and ensure the sample files are in place */ - exec("/bin/mkdir -p /usr/local/etc/snort"); - exec("/bin/mkdir -p /var/log/snort"); - exec("/bin/mkdir -p /usr/local/etc/snort/rules"); - exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); - exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); - exec("/bin/rm /usr/local/etc/snort/generators-sample"); - exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); - exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/sid"); - exec("/bin/rm -f /usr/local/etc/rc.d/snort"); - - $first = 0; - $snortInterfaces = array(); /* -gtm */ - - $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; - $if_array = split(',', $if_list); - //print_r($if_array); - if($if_array) { - foreach($if_array as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - - if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { - $if = "ng0"; - } - - /* build a list of user specified interfaces -gtm */ - if($if){ - array_push($snortInterfaces, $if); - $first = 1; - } - } - - if (count($snortInterfaces) < 1) { - log_error("Snort will not start. You must select an interface for it to listen on."); - return; - } - } - //print_r($snortInterfaces); - - /* create log directory */ - $start = "/bin/mkdir -p /var/log/snort\n"; - - /* snort advanced features - bpf tuning */ - if($bpfbufsize) - $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n"; - if($bpfmaxbufsize) - $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n"; - if($bpfmaxinsns) - $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n"; - - /* go ahead and issue bpf changes */ - if($bpfbufsize) - mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}"); - if($bpfmaxbufsize) - mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}"); - if($bpfmaxinsns) - mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); - - /* always stop barnyard2 before starting snort -gtm */ - $start .= "/usr/bin/killall barnyard2\n"; - - /* start a snort process for each interface -gtm */ - /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ - /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ - /* TODO; get snort to start under nologin shell */ - foreach($snortInterfaces as $snortIf) - { - $start .= "sleep 4\n"; - $start .= "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; - if ($snortbarnyardlog_info_chk == on) - $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; - } - $check_if_snort_runs = "\n\tif [ \"`ls -A /usr/local/etc/snort/rules`\" ] ; then\n\techo \"rules exist\"\n\telse\n\techo \"rules DONT exist\"\n\texit 2\n\tfi \n\n\tif [ \"`pgrep -x snort`\" = \"\" ] ; then\n\t/bin/rm /tmp/snort.sh.pid\n\tfi \n\n\tif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\t/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php\n\texit 1\n\tfi\n\n"; - $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; - $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; - $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; - $del_old_pids = "\nrm -f /var/run/snort_*\n"; - $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n"; - $sample_after = "\n\tAFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n"; - if ($snort_performance == "ac-bnfa") - $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n"; - else - $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n"; - $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n"; - $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; - $echo_usage .= $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\n\n"; - - /* write out rc.d start/stop file */ - write_rcfile(array( - "file" => "snort.sh", - "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}", - "stop" => "/usr/bin/killall snort; killall barnyard2" - ) - ); - - /* create snort configuration file */ - create_snort_conf(); - -/* create barnyard2 configuration file */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; -if ($snortbarnyardlog_info_chk == on) - create_barnyard2_conf(); - - /* snort will not start on install untill setting are set */ -if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { - /* start snort service */ - conf_mount_ro(); - start_service("snort"); - } -} - -/* open barnyard2.conf for writing */ -function create_barnyard2_conf() { - global $bconfig, $bg; - /* write out barnyard2_conf */ - $barnyard2_conf_text = generate_barnyard2_conf(); - $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); - if(!$bconf) { - log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); - exit; - } - fwrite($bconf, $barnyard2_conf_text); - fclose($bconf); -} -/* open barnyard2.conf for writing" */ -function generate_barnyard2_conf() { - - global $config, $g; - conf_mount_rw(); - -/* define snortbarnyardlog */ -/* TODO add support for the other 5 output plugins */ - -$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; -$snortbarnyardlog_hostname_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_hostname']; -$snortbarnyardlog_interface_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_interface']; - -$barnyard2_conf_text = << 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } - } - - function snort_rules_up_deinstall_cron($should_install) { - global $config, $g; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } - } - -snort_rm_blocked_deinstall_cron(""); -snort_rules_up_deinstall_cron(""); - - - /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ - /* Keep this as a last step */ - unset($config['installedpackages']['snort']['config'][0]['autorulesupdate7']); - unset($config['installedpackages']['snort']['config'][0]['rm_blocked']); - write_config(); - -} - -function generate_snort_conf() { - - global $config, $g; - conf_mount_rw(); - /* obtain external interface */ - /* XXX: make multi wan friendly */ - $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; - - $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; - -/* define snortalertlogtype */ -$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; -if ($snortalertlogtype == fast) - $snortalertlogtype_type = "output alert_fast: alert"; -else - $snortalertlogtype_type = "output alert_full: alert"; - -/* define alertsystemlog */ -$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; -if ($alertsystemlog_info_chk == on) - $alertsystemlog_type = "output alert_syslog: log_alert"; - -/* define tcpdumplog */ -$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; -if ($tcpdumplog_info_chk == on) - $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; - -/* define snortbarnyardlog_chk */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; -if ($snortbarnyardlog_info_chk == on) - $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; - -/* define snortunifiedlog */ -$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; -if ($snortunifiedlog_info_chk == on) - $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; - -/* define spoink */ -$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; -if ($spoink_info_chk == on) - $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; - - /* define servers and ports snortdefservers */ - -/* def DNS_SERVSERS */ -$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers']; -if ($def_dns_servers_info_chk == "") - $def_dns_servers_type = "\$HOME_NET"; -else - $def_dns_servers_type = "$def_dns_servers_info_chk"; - -/* def DNS_PORTS */ -$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports']; -if ($def_dns_ports_info_chk == "") - $def_dns_ports_type = "53"; -else - $def_dns_ports_type = "$def_dns_ports_info_chk"; - -/* def SMTP_SERVSERS */ -$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers']; -if ($def_smtp_servers_info_chk == "") - $def_smtp_servers_type = "\$HOME_NET"; -else - $def_smtp_servers_type = "$def_smtp_servers_info_chk"; - -/* def SMTP_PORTS */ -$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports']; -if ($def_smtp_ports_info_chk == "") - $def_smtp_ports_type = "25"; -else - $def_smtp_ports_type = "$def_smtp_ports_info_chk"; - -/* def MAIL_PORTS */ -$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports']; -if ($def_mail_ports_info_chk == "") - $def_mail_ports_type = "25,143,465,691"; -else - $def_mail_ports_type = "$def_mail_ports_info_chk"; - -/* def HTTP_SERVSERS */ -$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers']; -if ($def_http_servers_info_chk == "") - $def_http_servers_type = "\$HOME_NET"; -else - $def_http_servers_type = "$def_http_servers_info_chk"; - -/* def WWW_SERVSERS */ -$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers']; -if ($def_www_servers_info_chk == "") - $def_www_servers_type = "\$HOME_NET"; -else - $def_www_servers_type = "$def_www_servers_info_chk"; - -/* def HTTP_PORTS */ -$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports']; -if ($def_http_ports_info_chk == "") - $def_http_ports_type = "80"; -else - $def_http_ports_type = "$def_http_ports_info_chk"; - -/* def SQL_SERVSERS */ -$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers']; -if ($def_sql_servers_info_chk == "") - $def_sql_servers_type = "\$HOME_NET"; -else - $def_sql_servers_type = "$def_sql_servers_info_chk"; - -/* def ORACLE_PORTS */ -$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports']; -if ($def_oracle_ports_info_chk == "") - $def_oracle_ports_type = "1521"; -else - $def_oracle_ports_type = "$def_oracle_ports_info_chk"; - -/* def MSSQL_PORTS */ -$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports']; -if ($def_mssql_ports_info_chk == "") - $def_mssql_ports_type = "1433"; -else - $def_mssql_ports_type = "$def_mssql_ports_info_chk"; - -/* def TELNET_SERVSERS */ -$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers']; -if ($def_telnet_servers_info_chk == "") - $def_telnet_servers_type = "\$HOME_NET"; -else - $def_telnet_servers_type = "$def_telnet_servers_info_chk"; - -/* def TELNET_PORTS */ -$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports']; -if ($def_telnet_ports_info_chk == "") - $def_telnet_ports_type = "23"; -else - $def_telnet_ports_type = "$def_telnet_ports_info_chk"; - -/* def SNMP_SERVSERS */ -$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers']; -if ($def_snmp_servers_info_chk == "") - $def_snmp_servers_type = "\$HOME_NET"; -else - $def_snmp_servers_type = "$def_snmp_servers_info_chk"; - -/* def SNMP_PORTS */ -$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports']; -if ($def_snmp_ports_info_chk == "") - $def_snmp_ports_type = "161"; -else - $def_snmp_ports_type = "$def_snmp_ports_info_chk"; - -/* def FTP_SERVSERS */ -$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers']; -if ($def_ftp_servers_info_chk == "") - $def_ftp_servers_type = "\$HOME_NET"; -else - $def_ftp_servers_type = "$def_ftp_servers_info_chk"; - -/* def FTP_PORTS */ -$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports']; -if ($def_ftp_ports_info_chk == "") - $def_ftp_ports_type = "21"; -else - $def_ftp_ports_type = "$def_ftp_ports_info_chk"; - -/* def SSH_SERVSERS */ -$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers']; -if ($def_ssh_servers_info_chk == "") - $def_ssh_servers_type = "\$HOME_NET"; -else - $def_ssh_servers_type = "$def_ssh_servers_info_chk"; - -/* if user has defined a custom ssh port, use it */ -if($config['system']['ssh']['port']) - $ssh_port = $config['system']['ssh']['port']; -else - $ssh_port = "22"; - -/* def SSH_PORTS */ -$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports']; -if ($def_ssh_ports_info_chk == "") - $def_ssh_ports_type = "{$ssh_port}"; -else - $def_ssh_ports_type = "$def_ssh_ports_info_chk"; - -/* def POP_SERVSERS */ -$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers']; -if ($def_pop_servers_info_chk == "") - $def_pop_servers_type = "\$HOME_NET"; -else - $def_pop_servers_type = "$def_pop_servers_info_chk"; - -/* def POP2_PORTS */ -$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports']; -if ($def_pop2_ports_info_chk == "") - $def_pop2_ports_type = "109"; -else - $def_pop2_ports_type = "$def_pop2_ports_info_chk"; - -/* def POP3_PORTS */ -$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports']; -if ($def_pop3_ports_info_chk == "") - $def_pop3_ports_type = "110"; -else - $def_pop3_ports_type = "$def_pop3_ports_info_chk"; - -/* def IMAP_SERVSERS */ -$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers']; -if ($def_imap_servers_info_chk == "") - $def_imap_servers_type = "\$HOME_NET"; -else - $def_imap_servers_type = "$def_imap_servers_info_chk"; - -/* def IMAP_PORTS */ -$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports']; -if ($def_imap_ports_info_chk == "") - $def_imap_ports_type = "143"; -else - $def_imap_ports_type = "$def_imap_ports_info_chk"; - -/* def SIP_PROXY_IP */ -$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip']; -if ($def_sip_proxy_ip_info_chk == "") - $def_sip_proxy_ip_type = "\$HOME_NET"; -else - $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; - -/* def SIP_PROXY_PORTS */ -$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports']; -if ($def_sip_proxy_ports_info_chk == "") - $def_sip_proxy_ports_type = "5060:5090,16384:32768"; -else - $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; - -/* def AUTH_PORTS */ -$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports']; -if ($def_auth_ports_info_chk == "") - $def_auth_ports_type = "113"; -else - $def_auth_ports_type = "$def_auth_ports_info_chk"; - -/* def FINGER_PORTS */ -$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports']; -if ($def_finger_ports_info_chk == "") - $def_finger_ports_type = "79"; -else - $def_finger_ports_type = "$def_finger_ports_info_chk"; - -/* def IRC_PORTS */ -$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports']; -if ($def_irc_ports_info_chk == "") - $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; -else - $def_irc_ports_type = "$def_irc_ports_info_chk"; - -/* def NNTP_PORTS */ -$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports']; -if ($def_nntp_ports_info_chk == "") - $def_nntp_ports_type = "119"; -else - $def_nntp_ports_type = "$def_nntp_ports_info_chk"; - -/* def RLOGIN_PORTS */ -$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports']; -if ($def_rlogin_ports_info_chk == "") - $def_rlogin_ports_type = "513"; -else - $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; - -/* def RSH_PORTS */ -$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports']; -if ($def_rsh_ports_info_chk == "") - $def_rsh_ports_type = "514"; -else - $def_rsh_ports_type = "$def_rsh_ports_info_chk"; - -/* def SSL_PORTS */ -$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports']; -if ($def_ssl_ports_info_chk == "") - $def_ssl_ports_type = "25,443,465,636,993,995"; -else - $def_ssl_ports_type = "$def_ssl_ports_info_chk"; - - /* add auto update scripts to /etc/crontab */ -// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; -// $filenamea = "/etc/crontab"; -// remove_text_from_file($filenamea, $text_ww); -// add_text_to_file($filenamea, $text_ww); -// exec("killall -HUP cron"); */ - - /* should we install a automatic update crontab entry? */ - $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; - - /* if user is on pppoe, we really want to use ng0 interface */ - if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") - $snort_ext_int = "ng0"; - - /* set the snort performance model */ - if($config['installedpackages']['snort']['config'][0]['performance']) - $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; - else - $snort_performance = "ac-bnfa"; - - /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ - $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; - if ($snort_rm_blocked_info_ck == "never_b") - $snort_rm_blocked_false = ""; - else - $snort_rm_blocked_false = "true"; - -if ($snort_rm_blocked_info_ck != "") { -function snort_rm_blocked_install_cron($should_install) { - global $config, $g; - - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; - if ($snort_rm_blocked_info_ck == "1h_b") { - $snort_rm_blocked_min = "*/5"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "3600"; - } - if ($snort_rm_blocked_info_ck == "3h_b") { - $snort_rm_blocked_min = "*/15"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "10800"; - } - if ($snort_rm_blocked_info_ck == "6h_b") { - $snort_rm_blocked_min = "*/30"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "21600"; - } - if ($snort_rm_blocked_info_ck == "12h_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/1"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "43200"; - } - if ($snort_rm_blocked_info_ck == "1d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/2"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "86400"; - } - if ($snort_rm_blocked_info_ck == "4d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/8"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "345600"; - } - if ($snort_rm_blocked_info_ck == "7d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/14"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "604800"; - } - if ($snort_rm_blocked_info_ck == "28d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "0"; - $snort_rm_blocked_mday = "*/2"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "2419200"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } - break; - } - } - snort_rm_blocked_install_cron(""); - snort_rm_blocked_install_cron($snort_rm_blocked_false); -} - - /* set the snort rules update time */ - $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_rules_up_info_ck == "never_up") - $snort_rules_up_false = ""; - else - $snort_rules_up_false = "true"; - -if ($snort_rules_up_info_ck != "") { -function snort_rules_up_install_cron($should_install) { - global $config, $g; - - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_rules_up_info_ck == "6h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/6"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "12h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/12"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "1d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/1"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "4d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/4"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "7d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/7"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "28d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/28"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } - break; - } - } - snort_rules_up_install_cron(""); - snort_rules_up_install_cron($snort_rules_up_false); -} - - /* open snort2c's whitelist for writing */ - $whitelist = fopen("/var/db/whitelist", "w"); - if(!$whitelist) { - log_error("Could not open /var/db/whitelist for writing."); - return; - } - - /* build an interface array list */ - $int_array = array('lan'); - for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) - if(isset($config['interfaces']['opt' . $j]['enable'])) - if(!$config['interfaces']['opt' . $j]['gateway']) - $int_array[] = "opt{$j}"; - - /* iterate through interface list and write out whitelist items - * and also compile a home_net list for snort. - */ - foreach($int_array as $int) { - /* calculate interface subnet information */ - $ifcfg = &$config['interfaces'][$int]; - $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); - $subnetmask = gen_subnet_mask($ifcfg['subnet']); - if($subnet == "pppoe" or $subnet == "dhcp") { - $subnet = find_interface_ip("ng0"); - if($subnet) - $home_net .= "{$subnet} "; - } else { - if ($subnet) - if($ifcfg['subnet']) - $home_net .= "{$subnet}/{$ifcfg['subnet']} "; - } - } - - /* add all WAN ips to the whitelist */ - $wan_if = get_real_wan_interface(); - $ip = find_interface_ip($wan_if); - if($ip) - $home_net .= "{$ip} "; - - /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ - $int = convert_friendly_interface_to_real_interface_name("WAN"); - $gw = get_interface_gateway($int); - if($gw) - $home_net .= "{$gw} "; - - /* Add DNS server for WAN interface to whitelist */ - $dns_servers = get_dns_servers(); - foreach($dns_servers as $dns) { - if($dns) - $home_net .= "{$dns} "; - } - - /* Add loopback to whitelist (ftphelper) */ - $home_net .= "127.0.0.1 "; - - /* iterate all vips and add to whitelist */ - if($config['virtualip']) - foreach($config['virtualip']['vip'] as $vip) - if($vip['subnet']) - $home_net .= $vip['subnet'] . " "; - - if($config['installedpackages']['snortwhitelist']) - foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) - if($snort['ip']) - $home_net .= $snort['ip'] . " "; - - /* write out whitelist, convert spaces to carriage returns */ - $whitelist_home_net = str_replace(" ", " ", $home_net); - $whitelist_home_net = str_replace(" ", "\n", $home_net); - - /* make $home_net presentable to snort */ - $home_net = trim($home_net); - $home_net = str_replace(" ", ",", $home_net); - $home_net = "[{$home_net}]"; - - /* foreach through whitelist, writing out to file */ - $whitelist_split = split("\n", $whitelist_home_net); - foreach($whitelist_split as $wl) - if(trim($wl)) - fwrite($whitelist, trim($wl) . "\n"); - - /* should we whitelist vpns? */ - $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; - - /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ - if($whitelistvpns) { - $vpns_list = get_vpns_list(); - $whitelist_vpns = split(" ", $vpns_list); - foreach($whitelist_vpns as $wl) - if(trim($wl)) - fwrite($whitelist, trim($wl) . "\n"); - } - - /* close file */ - fclose($whitelist); - - /* open snort's threshold.conf for writing */ - $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w"); - if(!$threshlist) { - log_error("Could not open /usr/local/etc/snort/threshold.conf for writing."); - return; - } - - /* list all entries to new lines */ - if($config['installedpackages']['snortthreshold']) - foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist) - if($snortthreshlist['threshrule']) - $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n"; - - - /* foreach through threshlist, writing out to file */ - $threshlist_split = split("\n", $snortthreshlist_r); - foreach($threshlist_split as $wl) - if(trim($wl)) - fwrite($threshlist, trim($wl) . "\n"); - - /* close snort's threshold.conf file */ - fclose($threshlist); - - /* generate rule sections to load */ - $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; - if($enabled_rulesets) { - $selected_rules_sections = ""; - $enabled_rulesets_array = split("\|\|", $enabled_rulesets); - foreach($enabled_rulesets_array as $enabled_item) - $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; - } - - conf_mount_ro(); - - /* build snort configuration file */ - /* TODO; feed back from pfsense users to reduce false positives */ - $snort_conf_text = << \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - telnet_cmds yes - -##################### - # -# SMTP preprocessor # - # -##################### - -preprocessor SMTP: \ - ports { 25 465 691 } \ - inspection_type stateful \ - normalize cmds \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ -CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ -PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } - -################ - # -# sf Portscan # - # -################ - -preprocessor sfportscan: scan_type { all } \ - proto { all } \ - memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } - -############################ - # -# OLD # -# preprocessor dcerpc: \ # -# autodetect \ # -# max_frag_size 3000 \ # -# memcap 100000 # - # -############################ - -############### - # -# NEW # -# DCE/RPC 2 # - # -############### - -preprocessor dcerpc2: memcap 102400, events [smb, co, cl] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3 - -#################### - # -# DNS preprocessor # - # -#################### - -preprocessor dns: \ - ports { 53 } \ - enable_rdata_overflow - -############################## - # -# NEW # -# Ignore SSL and Encryption # - # -############################## - -preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted - -##################### - # -# Snort Output Logs # - # -##################### - -$snortalertlogtype_type -$alertsystemlog_type -$tcpdumplog_type -$snortmysqllog_info_chk -$snortunifiedlog_type -$spoink_type - -################# - # -# Misc Includes # - # -################# - -include /usr/local/etc/snort/reference.config -include /usr/local/etc/snort/classification.config -include /usr/local/etc/snort/threshold.conf - -# Snort user pass through configuration -{$snort_config_pass_thru} - -################### - # -# Rules Selection # - # -################### - -{$selected_rules_sections} - -EOD; - - return $snort_conf_text; -} - -/* check downloaded text from snort.org to make sure that an error did not occur - * for example, if you are not a premium subscriber you can only download rules - * so often, etc. - */ -function check_for_common_errors($filename) { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - $contents = file_get_contents($filename); - if(stristr($contents, "You don't have permission")) { - if(!$console_mode) { - update_all_status("An error occured while downloading {$filename}."); - hide_progress_bar_status(); - } else { - log_error("An error occured. Scroll down to inspect it's contents."); - echo "An error occured. Scroll down to inspect it's contents."; - } - if(!$console_mode) { - update_output_window(strip_tags("$contents")); - } else { - $contents = strip_tags($contents); - log_error("Error downloading snort rules: {$contents}"); - echo "Error downloading snort rules: {$contents}"; - } - scroll_down_to_bottom_of_page(); - exit; - } -} - -/* force browser to scroll all the way down */ -function scroll_down_to_bottom_of_page() { - global $snort_filename, $console_mode; - ob_flush(); - if(!$console_mode) - echo "\n"; -} - -/* ensure downloaded file looks sane */ -function verify_downloaded_file($filename) { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(filesize($filename)<9500) { - if(!$console_mode) { - update_all_status("Checking {$filename}..."); - check_for_common_errors($filename); - } - } - update_all_status("Verifying {$filename}..."); - if(!file_exists($filename)) { - if(!$console_mode) { - update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); - hide_progress_bar_status(); - } else { - log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); - echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."; - } - exit; - } - update_all_status("Verifyied {$filename}."); -} - -/* extract rules */ -function extract_snort_rules_md5($tmpfname) { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(!$console_mode) { - $static_output = gettext("Extracting snort rules..."); - update_all_status($static_output); - } - if(!is_dir("/usr/local/etc/snort/rules/")) - mkdir("/usr/local/etc/snort/rules/"); - $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/"; - $handle = popen("{$cmd} 2>&1", 'r'); - while(!feof($handle)) { - $buffer = fgets($handle); - update_output_window($buffer); - } - pclose($handle); - - if(!$console_mode) { - $static_output = gettext("Snort rules extracted."); - update_all_status($static_output); - } else { - log_error("Snort rules extracted."); - echo "Snort rules extracted."; - } -} - -/* verify MD5 against downloaded item */ -function verify_snort_rules_md5($tmpfname) { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(!$console_mode) { - $static_output = gettext("Verifying md5 signature..."); - update_all_status($static_output); - } - - $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; - $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; - if($md5 == $file_md5_ondisk) { - if(!$console_mode) { - $static_output = gettext("snort rules: md5 signature of rules mismatch."); - update_all_status($static_output); - hide_progress_bar_status(); - } else { - log_error("snort rules: md5 signature of rules mismatch."); - echo "snort rules: md5 signature of rules mismatch."; - } - exit; - } -} - -/* hide progress bar */ -function hide_progress_bar_status() { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(!$console_mode) - echo "\n"; -} - -/* unhide progress bar */ -function unhide_progress_bar_status() { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(!$console_mode) - echo "\n"; -} - -/* update both top and bottom text box during an operation */ -function update_all_status($status) { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(!$console_mode) { - update_status($status); - update_output_window($status); - } -} - -/* obtain alert description for an ip address */ -function get_snort_alert($ip) { - global $snort_alert_file_split, $snort_config; - if(!file_exists("/var/log/snort/alert")) - return; - if(!$snort_config) - $snort_config = read_snort_config_cache(); - if($snort_config[$ip]) - return $snort_config[$ip]; - if(!$snort_alert_file_split) - $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); - foreach($snort_alert_file_split as $fileline) { - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - $alert_title = $matches[2]; - if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) - $alert_ip = $matches[0]; - if($alert_ip == $ip) { - if(!$snort_config[$ip]) - $snort_config[$ip] = $alert_title; - return $alert_title; - } - } - return "n/a"; -} - -function make_clickable($buffer) { - global $config, $g; - /* if clickable urls is disabled, simply return buffer back to caller */ - $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - if(!$clickablalerteurls) - return $buffer; - $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); - $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); - $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","\\1", $buffer); - $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); - $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); - - return $buffer; -} - -function read_snort_config_cache() { - global $g, $config, $snort_config; - if($snort_config) - return $snort_config; - if(file_exists($g['tmp_path'] . '/snort_config.cache')) { - $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache')); - return $snort_config; - } - return; -} - -function write_snort_config_cache($snort_config) { - global $g, $config; - conf_mount_rw(); - $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w"); - if(!$configcache) { - log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing."); - return false; - } - fwrite($configcache, serialize($snort_config)); - fclose($configcache); - conf_mount_ro(); - return true; -} - -function snort_advanced() { - global $g, $config; - sync_package_snort(); -} - -function snort_define_servers() { - global $g, $config; - sync_package_snort(); -} - -?> diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml deleted file mode 100644 index fc32ceb9..00000000 --- a/config/snort-dev/snort.xml +++ /dev/null @@ -1,397 +0,0 @@ - - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. - Snort - 2.8.4.1_5 - Services: Snort 2.8.4.1_5 pkg v. 1.7 alpha - /usr/local/pkg/snort.inc -

- Snort - Setup snort specific settings -
Services
- /pkg_edit.php?xml=snort.xml&id=0 -
- - snort - snort.sh - snort - Snort is the most widely deployed IDS/IPS technology worldwide.. - - - - Settings - /pkg_edit.php?xml=snort.xml&id=0 - - - - Update Rules - /snort_download_rules.php - - - Categories - /snort_rulesets.php - - - Rules - /snort_rules.php - - - Servers - /pkg_edit.php?xml=snort_define_servers.xml&id=0 - - - Blocked - /snort_blocked.php - - - Whitelist - /pkg.php?xml=snort_whitelist.xml - - - Threshold - /pkg.php?xml=snort_threshold.xml - - - Alerts - /snort_alerts.php - - - Advanced - /pkg_edit.php?xml=snort_advanced.xml&id=0 - - - - /usr/local/pkg/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort.inc - - - /usr/local/bin/ - 077 - http://www.pfsense.com/packages/config/snort-dev/bin/barnyard2 - - - /usr/local/bin/ - 077 - http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl - - - /usr/local/bin/ - 077 - http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/oinkmaster.pl - - - /usr/local/www/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_download_rules.php - - - /usr/local/www/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_rules.php - - - /usr/local/www/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_rules_edit.php - - - /usr/local/www/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_rulesets.php - - - /usr/local/pkg/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_whitelist.xml - - - /usr/local/www/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_blocked.php - - - /usr/local/pkg/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_check_for_rule_updates.php - - - /usr/local/www/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_alerts.php - - - /usr/local/pkg/pf/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_dynamic_ip_reload.php - - - /usr/local/pkg/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_advanced.xml - - - /usr/local/pkg/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_define_servers.xml - - - /usr/local/pkg/ - 077 - http://www.pfsense.com/packages/config/snort-dev/snort_threshold.xml - - - /usr/local/pkg/ - 077 - http://www.pfsense.com/packages/config/snort-dev/pfsense_rules/local.rules - - - - Interface - iface_array - Select the interface(s) Snort will listen on. - interfaces_selection - - 3 - lan - true - - - Memory Performance - performance - Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small memory,moderate performance, ac-sparsebands: small memory, high performance. - select - - - - - - - - - - - - - - - Install Snort.org rules. - installsnortrules - Free Snort.org rules that are maintained by Sourcefire. See the Pfsense Snort FAQ on how to get a subscription. - checkbox - - - - Oinkmaster code - oinkmastercode - Obtain a snort.org Oinkmaster code and paste here. - input - 60 - - - - Snort.org subscriber - subscriber - Check this box if you are a Snort.org subscriber (premium rules). <b>HIGHLY RECOMMENDED!</b> - checkbox - 60 - - - - - Install emergingthreats rules. - emergingthreats - Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules. - checkbox - - - - Install Pfsense rules. - installpfsenserules - Snort rules that Pfsense maintainers have requested for their packages. - checkbox - - - - Block offenders - blockoffenders7 - Checking this option will automatically block hosts that generate a snort alert. - checkbox - 60 - - - Remove blocked hosts every - rm_blocked - Please select the amount of time hosts are blocked - select - - - - - - - - - - - - - - Update rules automatically - autorulesupdate7 - Please select the update times for rules. - select - - - - - - - - - - - - Whitelist VPNs automatically - whitelistvpns - Checking this option will install whitelists for all VPNs. - checkbox - - - Convert Snort alerts urls to clickable links - clickablalerteurls - Checking this option will automatically convert URLs in the Snort alerts tab to clickable links. - checkbox - - - Associate events on Blocked tab - associatealertip - Checking this option will automatically associate the blocked reason from the snort alerts file. - checkbox - - - - sync_package_snort(); - - - - - sync_package_snort_reinstall(); - - - snort_deinstall(); - - \ No newline at end of file diff --git a/config/snort-dev/snort_advanced.xml b/config/snort-dev/snort_advanced.xml deleted file mode 100644 index 1fdddda2..00000000 --- a/config/snort-dev/snort_advanced.xml +++ /dev/null @@ -1,196 +0,0 @@ - - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. - SnortAdvanced - none - Services: Snort Advanced - /usr/local/pkg/snort.inc - - - Settings - /pkg_edit.php?xml=snort.xml&id=0 - - - Update Rules - /snort_download_rules.php - - - Categories - /snort_rulesets.php - - - Rules - /snort_rules.php - - - Servers - /pkg_edit.php?xml=snort_define_servers.xml&id=0 - - - Blocked - /snort_blocked.php - - - Whitelist - /pkg.php?xml=snort_whitelist.xml - - - Threshold - /pkg.php?xml=snort_threshold.xml - - - Alerts - /snort_alerts.php - - - Advanced - /pkg_edit.php?xml=snort_advanced.xml&id=0 - - - - - - BPF Buffer size - bpfbufsize - Changing this option adjusts the system BPF buffer size. Leave blank if you do not know what this does. Default is 1024. - input - - - Maximum BPF buffer size - bpfmaxbufsize - Changing this option adjusts the system maximum BPF buffer size. Leave blank if you do not know what this does. Default is 524288. This value should never be set above hardware cache size. The best (optimal size) is 50% - 80% of the hardware cache size. - input - - - Maximum BPF inserts - bpfmaxinsns - Changing this option adjusts the system maximum BPF insert size. Leave blank if you do not know what this does. Default is 512. - input - - - Advanced configuration pass through - configpassthru - Add items to here will be automatically inserted into the running snort configuration - textarea - 40 - 5 - - - Snort signature info files. - signatureinfo - Snort signature info files will be installed during updates. At leats 500 mb of memory is needed. - checkbox - - - Alerts Tab logging type. - snortalertlogtype - Please choose the type of Alert logging you will like see in the Alerts Tab. The options are Full descriptions or Fast short descriptions - select - - - - - - - Send alerts to main System logs. - alertsystemlog - Snort will send Alerts to the Pfsense system logs. - checkbox - - - Log to a Tcpdump file. - tcpdumplog - Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large. - checkbox - - - Enable Barnyard2. - snortbarnyardlog - This will enable barnyard2 in the snort package. You will also have to set the database credentials. - checkbox - - - Barnyard2 Log Mysql Database. - snortbarnyardlog_database - Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz - input - 101 - - - - Barnyard2 Configure Hostname ID. - snortbarnyardlog_hostname - Example: pfsense.local - input - 25 - - - - Barnyard2 Configure Interface ID - snortbarnyardlog_interface - Example: vr0 - input - 25 - - - - Log Alerts to a snort unified2 file. - snortunifiedlog - Snort will log Alerts to a file in the UNIFIED2 format. This is a requirement for barnyard2. - checkbox - - - - snort_advanced(); - - diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php deleted file mode 100644 index f463c0b9..00000000 --- a/config/snort-dev/snort_alerts.php +++ /dev/null @@ -1,122 +0,0 @@ -. - Copyright (C) 2003-2004 Manuel Kasper . - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("globals.inc"); -require("guiconfig.inc"); -require("/usr/local/pkg/snort.inc"); - -$snort_logfile = "{$g['varlog_path']}/snort/alert"; - -$nentries = $config['syslog']['nentries']; -if (!$nentries) - $nentries = 50; - -if ($_POST['clear']) { - exec("killall syslogd"); - exec("rm {$snort_logfile}; touch {$snort_logfile}"); - system_syslogd_start(); - exec("/usr/bin/killall -HUP snort"); - exec("/usr/bin/killall snort2c"); - if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on') - exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert"); -} - -$pgtitle = "Services: Snort: Snort Alerts"; -include("head.inc"); - -?> - - - -

"; -?> - - - - - -
- -
-
- - - - - - -
- Last Snort Alert entries

-
-
- -
- - - - - - -\n"; - echo "" . make_clickable($ww_logent) . " \n"; - echo "\n"; - } -} - -?> \ No newline at end of file diff --git a/config/snort-dev/snort_base_files.php b/config/snort-dev/snort_base_files.php new file mode 100644 index 00000000..1bc9cea0 --- /dev/null +++ b/config/snort-dev/snort_base_files.php @@ -0,0 +1,2025 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + Snort{$snortIf} + 2.8.4.1_5 + Services: Snort 2.8.4.1_5 pkg v. 1.6 {$snortIf} + /usr/local/pkg/snort.inc + + + Snort Interfaces + /snort_interfaces.php + + + Settings + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 + + + + Categories + snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php + + + Rules + snort/snort_{$snortIf}/snort_rules_{$snortIf}.php + + + Servers + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 + + + Threshold + /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml + + + Barnyard2 + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 + + + + + Interface + iface_array + Select the interface(s) Snort will listen on. + interfaces_selection + 3 + lan + true + + + Memory Performance + performance + Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small +memory,moderate performance, ac-sparsebands: small memory, high performance. + select + + + + + + + + + + + + BPF Buffer size + bpfbufsize + Changing this option adjusts the system BPF buffer size. Leave blank if you do not know what this does. Default is 1024. + input + + + Maximum BPF buffer size + bpfmaxbufsize + Changing this option adjusts the system maximum BPF buffer size. Leave blank if you do not know what this does. Default is 524288. This value should never be set above hardware cache size. The +best (optimal size) is 50% - 80% of the hardware cache size. + input + + + Maximum BPF inserts + bpfmaxinsns + Changing this option adjusts the system maximum BPF insert size. Leave blank if you do not know what this does. Default is 512. + input + + + Advanced configuration pass through + configpassthru + Add items to here will be automatically inserted into the running snort configuration + textarea + 40 + 5 + + + Snort signature info files. + signatureinfo + Snort signature info files will be installed during updates. At leats 500 mb of memory is needed. + checkbox + + + Alerts Tab logging type. + snortalertlogtype + Please choose the type of Alert logging you will like see in the Alerts Tab. The options are Full descriptions or Fast short descriptions + select + + + + + + + Send alerts to main System logs. + alertsystemlog + Snort will send Alerts to the Pfsense system logs. + checkbox + + + Log to a Tcpdump file. + tcpdumplog + Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large. + checkbox + + + + snort_deinstall(); + + + +EOD; + +/* write out snort_xml */ +$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_{$snortIf}.xml", "w"); +if(!$bconf) +{ + log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_{$snortIf}.xml for writing."); + exit; + } + fwrite($bconf, $snort_xml_text); + fclose($bconf); + + conf_mount_ro(); + + } +} + +/* create barnyard2.xml for every interface selected */ +function create_snort_barnyard2_xml() +{ +include("filter.inc"); +include("config.inc"); + + global $bconfig, $bg; + + conf_mount_rw(); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; + } + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; + } + } + + + foreach($snortInterfaces as $snortIf) + { + +$snort_barnyard2_text = << + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + barnyard2{$snortIf} + none + Services: Barnyard2 {$snortIf} + /usr/local/pkg/snort.inc + + + Snort Interfaces + /snort_interfaces.php + + + Settings + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 + + + Categories + snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php + + + Rules + snort/snort_{$snortIf}/snort_rules_{$snortIf}.php + + + Servers + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 + + + Threshold + /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml + + + Barnyard2 + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 + + + + + + Enable Barnyard2. + snortbarnyardlog + This will enable barnyard2 in the snort package. You will also have to set the database credentials. + checkbox + + + Barnyard2 Log Mysql Database. + snortbarnyardlog_database + Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz + input + 101 + + + + Barnyard2 Configure Hostname ID. + snortbarnyardlog_hostname + Example: pfsense.local + input + 25 + + + + Barnyard2 Configure Interface ID + snortbarnyardlog_interface + Example: vr0 + input + 25 + + + + Log Alerts to a snort unified2 file. + snortunifiedlog + Snort will log Alerts to a file in the UNIFIED2 format. This is a requirement for barnyard2. + checkbox + + + + snort_advanced(); + + + +EOD; + +/* write out snort_barnyard2_xml */ +$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml", "w"); +if(!$bconf) +{ + log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml for writing."); + exit; + } + fwrite($bconf, $snort_barnyard2_text); + fclose($bconf); + + conf_mount_ro(); + + } +} + + +/* create snort_define_servers.xml for every interface selected */ +function create_snort_define_servers_xml() +{ +include("filter.inc"); +include("config.inc"); + + global $bconfig, $bg; + + conf_mount_rw(); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; + } + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; + } + } + + + foreach($snortInterfaces as $snortIf) + { + +$snort_define_servers_xml_text = << + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + SnortDefServers{$snortIf} + none + Services: Snort Define Servers {$snortIf} + /usr/local/pkg/snort.inc + + + Snort Interfaces + /snort_interfaces.php + + + Settings + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 + + + Categories + snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php + + + Rules + snort/snort_{$snortIf}/snort_rules_{$snortIf}.php + + + Servers + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 + + + + Threshold + /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml + + + Barnyard2 + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 + + + + + Define DNS_SERVERS + def_dns_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define DNS_PORTS + def_dns_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 53. + input + 43 + + + + Define SMTP_SERVERS + def_smtp_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define SMTP_PORTS + def_smtp_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 25. + input + 43 + + + + Define Mail_Ports + def_mail_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 25,143,465,691. + input + 43 + + + + Define HTTP_SERVERS + def_http_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define WWW_SERVERS + def_www_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define HTTP_PORTS + def_http_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 80. + input + 43 + + + + Define SQL_SERVERS + def_sql_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define ORACLE_PORTS + def_oracle_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 1521. + input + 43 + + + + Define MSSQL_PORTS + def_mssql_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 1433. + input + 43 + + + + Define TELNET_SERVERS + def_telnet_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define TELNET_PORTS + def_telnet_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 23. + input + 43 + + + + Define SNMP_SERVERS + def_snmp_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define SNMP_PORTS + def_snmp_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 161. + input + 43 + + + + Define FTP_SERVERS + def_ftp_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define FTP_PORTS + def_ftp_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 21. + input + 43 + + + + Define SSH_SERVERS + def_ssh_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define SSH_PORTS + def_ssh_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is Pfsense SSH port. + input + 43 + + + + Define POP_SERVERS + def_pop_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define POP2_PORTS + def_pop2_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 109. + input + 43 + + + + Define POP3_PORTS + def_pop3_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 110. + input + 43 + + + + Define IMAP_SERVERS + def_imap_servers + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define IMAP_PORTS + def_imap_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 143. + input + 43 + + + + Define SIP_PROXY_IP + def_sip_proxy_ip + Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. + input + 101 + + + + Define SIP_PROXY_PORTS + def_sip_proxy_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 5060:5090,16384:32768. + input + 43 + + + + Define AUTH_PORTS + def_auth_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 113. + input + 43 + + + + Define FINGER_PORTS + def_finger_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 79. + input + 43 + + + + Define IRC_PORTS + def_irc_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 6665,6666,6667,6668,6669,7000. + input + 43 + + + + Define NNTP_PORTS + def_nntp_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 119. + input + 43 + + + + Define RLOGIN_PORTS + def_rlogin_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 513. + input + 43 + + + + Define RSH_PORTS + def_rsh_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 514. + input + 43 + + + + Define SSL_PORTS + def_ssl_ports + Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 25,443,465,636,993,995. + input + 43 + + + + + snort_define_servers(); + + + +EOD; + +/* write out snort_define_servers_xml */ +$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml", "w"); +if(!$bconf) +{ + log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml for writing."); + exit; + } + fwrite($bconf, $snort_define_servers_xml_text); + fclose($bconf); + + conf_mount_ro(); + + } +} + +/* create snort_threshold.xml for every interface selected */ +function create_snort_threshold_xml() +{ +include("filter.inc"); +include("config.inc"); + + global $bconfig, $bg; + + conf_mount_rw(); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; + } + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; + } + } + + + foreach($snortInterfaces as $snortIf) + { + +$snort_threshold_xml_text = << + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + snort-threshold{$snortIf} + 0.1.0 + Snort: Alert Thresholding and Suppression {$snortIf} + /usr/local/pkg/snort.inc + + + + Snort Interfaces + /snort_interfaces.php + + + Settings + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 + + + Categories + snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php + + + Rules + snort/snort_{$snortIf}/snort_rules_{$snortIf}.php + + + Servers + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 + + + Threshold + /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml + + + + Barnyard2 + /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 + + + + + Thresholding or Suppression Rule + threshrule + + + Description + description + + + + + Thresholding or Suppression Rule + threshrule + Enter the Rule. Example; "suppress gen_id 125, sig_id 4" or "threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60" + input + 40 + + + Description + description + Enter the description for this item + input + 60 + + + + + + + + create_snort_conf(); + + + +EOD; + +/* write out snort_threshold_xml */ +$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml", "w"); +if(!$bconf) +{ + log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml for writing."); + exit; + } + fwrite($bconf, $snort_threshold_xml_text); + fclose($bconf); + + conf_mount_ro(); + + } +} + +/* create snort_rules.php for every interface selected */ +function create_snort_rules_php() +{ +include("filter.inc"); +include("config.inc"); + + global $bconfig, $bg; + + conf_mount_rw(); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; + } + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; + } + } + + + foreach($snortInterfaces as $snortIf) + { + +$snort_rules_php_text = <<"; + +echo "\n +\n +\n + \n + \n + \n + \n + \n + \n +
\n"; + + \$tab_array = array(); + \$tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0"); + \$tab_array[] = array(gettext("Categories"), false, "snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php"); + \$tab_array[] = array(gettext("Rules"), true, "snort/snort_{$snortIf}/snort_rules_{$snortIf}.php"); + \$tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0"); + \$tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml"); + \$tab_array[] = array(gettext("Barnyard2"), false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0"); + display_top_tabs(\$tab_array); + +echo "
\n +
\n + \n + \n + \n + \n +
\n +# The rules directory is empty.\n +
\n +
\n +
\n +\n +\n +\n +

\n\n"; + +echo "Please click on the Update Rules tab to install your selected rule sets."; +include("fend.inc"); + +echo ""; +echo ""; + +exit(0); + +} + +function get_middle(\$source, \$beginning, \$ending, \$init_pos) { + \$beginning_pos = strpos(\$source, \$beginning, \$init_pos); + \$middle_pos = \$beginning_pos + strlen(\$beginning); + \$ending_pos = strpos(\$source, \$ending, \$beginning_pos); + \$middle = substr(\$source, \$middle_pos, \$ending_pos - \$middle_pos); + return \$middle; +} + +function write_rule_file(\$content_changed, \$received_file) +{ + conf_mount_rw(); + + //read snort file with writing enabled + \$filehandle = fopen(\$received_file, "w"); + + //delimiter for each new rule is a new line + \$delimiter = "\n"; + + //implode the array back into a string for writing purposes + \$fullfile = implode(\$delimiter, \$content_changed); + + //write data to file + fwrite(\$filehandle, \$fullfile); + + //close file handle + fclose(\$filehandle); + + conf_mount_rw(); +} + +function load_rule_file(\$incoming_file) +{ + + //read snort file + \$filehandle = fopen(\$incoming_file, "r"); + + //read file into string, and get filesize + \$contents = fread(\$filehandle, filesize(\$incoming_file)); + + //close handler + fclose (\$filehandle); + + //string for populating category select + \$currentruleset = substr(\$file, 27); + + //delimiter for each new rule is a new line + \$delimiter = "\n"; + + //split the contents of the string file into an array using the delimiter + \$splitcontents = explode(\$delimiter, \$contents); + + return \$splitcontents; + +} + +\$ruledir = "/usr/local/etc/snort_{$snortIf}/rules_{$snortIf}/"; +\$dh = opendir(\$ruledir); + +\$message_reload = "The Snort rule configuration has been changed.
You must apply the changes in order for them to take effect."; + +while (false !== (\$filename = readdir(\$dh))) +{ + //only populate this array if its a rule file + \$isrulefile = strstr(\$filename, ".rules"); + if (\$isrulefile !== false) + { + \$files[] = \$filename; + } +} + +sort(\$files); + +if (\$_GET['openruleset']) +{ + \$file = \$_GET['openruleset']; +} +else +{ + \$file = \$ruledir.\$files[0]; + +} + +//Load the rule file +\$splitcontents = load_rule_file(\$file); + +if (\$_POST) +{ + if (!\$_POST['apply']) { + //retrieve POST data + \$post_lineid = \$_POST['lineid']; + \$post_enabled = \$_POST['enabled']; + \$post_src = \$_POST['src']; + \$post_srcport = \$_POST['srcport']; + \$post_dest = \$_POST['dest']; + \$post_destport = \$_POST['destport']; + + //clean up any white spaces insert by accident + \$post_src = str_replace(" ", "", \$post_src); + \$post_srcport = str_replace(" ", "", \$post_srcport); + \$post_dest = str_replace(" ", "", \$post_dest); + \$post_destport = str_replace(" ", "", \$post_destport); + + //copy rule contents from array into string + \$tempstring = \$splitcontents[\$post_lineid]; + + //search string + \$findme = "# alert"; //find string for disabled alerts + + //find if alert is disabled + \$disabled = strstr(\$tempstring, \$findme); + + //if find alert is false, then rule is disabled + if (\$disabled !== false) + { + //has rule been enabled + if (\$post_enabled == "yes") + { + //move counter up 1, so we do not retrieve the # in the rule_content array + \$tempstring = str_replace("# alert", "alert", \$tempstring); + \$counter2 = 1; + } + else + { + //rule is staying disabled + \$counter2 = 2; + } + } + else + { + //has rule been disabled + if (\$post_enabled != "yes") + { + //move counter up 1, so we do not retrieve the # in the rule_content array + \$tempstring = str_replace("alert", "# alert", \$tempstring); + \$counter2 = 2; + } + else + { + //rule is staying enabled + \$counter2 = 1; + } + } + + //explode rule contents into an array, (delimiter is space) + \$rule_content = explode(' ', \$tempstring); + + //insert new values + \$counter2++; + \$rule_content[\$counter2] = \$post_src;//source location + \$counter2++; + \$rule_content[\$counter2] = \$post_srcport;//source port location + \$counter2 = \$counter2+2; + \$rule_content[\$counter2] = \$post_dest;//destination location + \$counter2++; + \$rule_content[\$counter2] = \$post_destport;//destination port location + + //implode the array back into string + \$tempstring = implode(' ', \$rule_content); + + //copy string into file array for writing + \$splitcontents[\$post_lineid] = \$tempstring; + + //write the new .rules file + write_rule_file(\$splitcontents, \$file); + + //once file has been written, reload file + \$splitcontents = load_rule_file(\$file); + + \$stopMsg = true; + } + + if (\$_POST['apply']) { +// stop_service("snort"); +// sleep(2); +// start_service("snort"); + \$savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; + \$stopMsg = false; + } + +} +else if (\$_GET['act'] == "toggle") +{ + \$toggleid = \$_GET['id']; + + //copy rule contents from array into string + \$tempstring = \$splitcontents[\$toggleid]; + + //explode rule contents into an array, (delimiter is space) + \$rule_content = explode(' ', \$tempstring); + + //search string + \$findme = "# alert"; //find string for disabled alerts + + //find if alert is disabled + \$disabled = strstr(\$tempstring, \$findme); + + //if find alert is false, then rule is disabled + if (\$disabled !== false) + { + //rule has been enabled + //move counter up 1, so we do not retrieve the # in the rule_content array + \$tempstring = str_replace("# alert", "alert", \$tempstring); + + } + else + { + //has rule been disabled + //move counter up 1, so we do not retrieve the # in the rule_content array + \$tempstring = str_replace("alert", "# alert", \$tempstring); + + } + + //copy string into array for writing + \$splitcontents[\$toggleid] = \$tempstring; + + //write the new .rules file + write_rule_file(\$splitcontents, \$file); + + //once file has been written, reload file + \$splitcontents = load_rule_file(\$file); + + \$stopMsg = true; + + //write disable/enable sid to config.xml + if (\$disabled == false) { + \$string_sid = strstr(\$tempstring, 'sid:'); + \$sid_pieces = explode(";", \$string_sid); + \$sid_off_cut = \$sid_pieces[0]; + // sid being turned off + \$sid_off = str_replace("sid:", "", \$sid_off_cut); + // rule_sid_on registers + \$sid_on_pieces = \$config['installedpackages']['snort']['rule_sid_on']; + // if off sid is the same as on sid remove it + \$sid_on_old = str_replace("||enablesid \$sid_off", "", "\$sid_on_pieces"); + // write the replace sid back as empty + \$config['installedpackages']['snort']['rule_sid_on'] = \$sid_on_old; + // rule sid off registers + \$sid_off_pieces = \$config['installedpackages']['snort']['rule_sid_off']; + // if off sid is the same as off sid remove it + \$sid_off_old = str_replace("||disablesid \$sid_off", "", "\$sid_off_pieces"); + // write the replace sid back as empty + \$config['installedpackages']['snort']['rule_sid_off'] = \$sid_off_old; + // add sid off registers to new off sid + \$config['installedpackages']['snort']['rule_sid_off'] = "||disablesid \$sid_off" . \$config['installedpackages']['snort']['rule_sid_off']; + write_config(); + } + else + { + \$string_sid = strstr(\$tempstring, 'sid:'); + \$sid_pieces = explode(";", \$string_sid); + \$sid_on_cut = \$sid_pieces[0]; + // sid being turned off + \$sid_on = str_replace("sid:", "", \$sid_on_cut); + // rule_sid_off registers + \$sid_off_pieces = \$config['installedpackages']['snort']['rule_sid_off']; + // if off sid is the same as on sid remove it + \$sid_off_old = str_replace("||disablesid \$sid_on", "", "\$sid_off_pieces"); + // write the replace sid back as empty + \$config['installedpackages']['snort']['rule_sid_off'] = \$sid_off_old; + // rule sid on registers + \$sid_on_pieces = \$config['installedpackages']['snort']['rule_sid_on']; + // if on sid is the same as on sid remove it + \$sid_on_old = str_replace("||enablesid \$sid_on", "", "\$sid_on_pieces"); + // write the replace sid back as empty + \$config['installedpackages']['snort']['rule_sid_on'] = \$sid_on_old; + // add sid on registers to new on sid + \$config['installedpackages']['snort']['rule_sid_on'] = "||enablesid \$sid_on" . \$config['installedpackages']['snort']['rule_sid_on']; + write_config(); + } + +} + + +\$pgtitle = "Snort: Rules"; +require("guiconfig.inc"); +include("head.inc"); +?> + + + +

"; +?> +
+ +
+
+ + + + + + + + + +
+ +
+
+ + + + +
+ + + + + + + + + + + + + + Category: "; + + //string for populating category select + \$currentruleset = substr(\$file, 27); + ?> + + + + + "; + \$textse = ""; + \$iconb = "icon_block_d.gif"; + } + else + { + \$textss = \$textse = ""; + \$iconb = "icon_block.gif"; + } + + \$rule_content = explode(' ', \$tempstring); + + \$protocol = \$rule_content[\$counter2];//protocol location + \$counter2++; + \$source = \$rule_content[\$counter2];//source location + \$counter2++; + \$source_port = \$rule_content[\$counter2];//source port location + \$counter2 = \$counter2+2; + \$destination = \$rule_content[\$counter2];//destination location + \$counter2++; + \$destination_port = \$rule_content[\$counter2];//destination port location + + \$message = get_middle(\$tempstring, 'msg:"', '";', 0); + + echo ""; + echo ""; + + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + ?> + +
"; + ?> +
 SIDProtoSourcePortDestinationPortMessage
"; + echo \$textss; + ?> + + "; + + + echo ""; + echo \$textss; + echo \$sid; + echo \$textse; + echo ""; + echo \$textss; + echo \$protocol; + \$printcounter++; + echo \$textse; + echo ""; + echo \$textss; + echo \$source; + echo \$textse; + echo ""; + echo \$textss; + echo \$source_port; + echo \$textse; + echo ""; + echo \$textss; + echo \$destination; + echo \$textse; + echo ""; + echo \$textss; + echo \$destination_port; + echo \$textse; + echo " + "; + ?> + + + + + +
+
+
+ + + + + + + + + + + + + +
Rule Enabled
Rule Disabled
+

+ +

+
+ + + + + + + + + + +EOD; + +/* write out snort_rules_php */ +$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_rules_{$snortIf}.php", "w"); +if(!$bconf) +{ + log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_rules_{$snortIf}.php for writing."); + exit; + } + fwrite($bconf, $snort_rules_php_text); + fclose($bconf); + + conf_mount_ro(); + + } +} + +/* create snort_rules_edit.php for every interface selected */ +function create_snort_rules_edit_php() +{ +include("filter.inc"); +include("config.inc"); + + global $bconfig, $bg; + + conf_mount_rw(); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; + } + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; + } + } + + + foreach($snortInterfaces as $snortIf) + { + +$snort_rules_edit_php_text = << + + + + +

"; +?> + + + + + + + +
+ +
+
+ + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Enabled: >
SID:
Protocol:
Source:
Source Port:
Direction:
Destination:
Destination Port:
Message:
Content:
Classtype:
Revision:
 
   
+
+
+
+ + + + + +EOD; + +/* write out snort_rules_edit_php */ +$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_rules_edit_{$snortIf}.php", "w"); +if(!$bconf) +{ + log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_rules_edit_{$snortIf}.php for writing."); + exit; + } + fwrite($bconf, $snort_rules_edit_php_text); + fclose($bconf); + + conf_mount_ro(); + + } +} + + +create_snort_xml(); + +create_snort_barnyard2_xml(); + +create_snort_define_servers_xml(); + +create_snort_threshold_xml(); + +create_snort_rules_php(); + +create_snort_rules_edit_php(); + +?> diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php deleted file mode 100644 index ff158853..00000000 --- a/config/snort-dev/snort_blocked.php +++ /dev/null @@ -1,174 +0,0 @@ - - - - - -

"; -?> - -
- - - - - - - - - - -
- -
-
- - - - -
- - - - - - -"; - echo "\n"; - echo "\n"; - echo "\n"; - echo "\n"; - } - echo "\n"; - if($counter < 1) - echo "\n"; - else - echo "\n"; - -?> - -
RemoveIPAlert Description
"; - echo "\n\"Delete\" {$ww_ip} {$alert_description}
 
There are currently no items being blocked by snort.
{$counter} items listed.
-
-
-
- -
- -

- - - - - - - - - \ No newline at end of file diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php deleted file mode 100644 index 95adbaa6..00000000 --- a/config/snort-dev/snort_check_for_rule_updates.php +++ /dev/null @@ -1,629 +0,0 @@ - - - - filesize("{$tmpfname}/$snort_filename")){ - echo "Error with the snort rules download...\n"; - echo "Snort rules file downloaded failed...\n"; - exit(0); - } - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - echo "Emergingthreats tar file exists...\n"; -} else { - echo "There is a new set of Emergingthreats rules posted. Downloading...\n"; - echo "May take 4 to 10 min...\n"; - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); -// $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); - $f = fopen("{$tmpfname}/emerging.rules.tar.gz", 'w'); - fwrite($f, $image); - fclose($f); - echo "Done downloading Emergingthreats rules file.\n"; - } - } - } - -/* download pfsense rules file */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - echo "Snortrule tar file exists...\n"; -} else { - - echo "There is a new set of Pfsense rules posted. Downloading...\n"; - echo "May take 4 to 10 min...\n"; - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz"); - $f = fopen("{$tmpfname}/pfsense_rules.tar.gz", 'w'); - fwrite($f, $image); - fclose($f); - echo "Done downloading rules file.\n"; - } -} - -/* Untar snort rules file individually to help people with low system specs */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - echo "Extracting rules...\n"; - echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); - exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); - echo "Done extracting Rules.\n"; -} else { - echo "The Download rules file missing...\n"; - echo "Error rules extracting failed...\n"; - exit(0); - } -} - -/* Untar emergingthreats rules to tmp */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - echo "Extracting rules...\n"; - echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } -} - -/* Untar Pfsense rules to tmp */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - echo "Extracting Pfsense rules...\n"; - echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); - } -} - -/* Untar snort signatures */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; -if ($premium_url_chk == on) { - echo "Extracting Signatures...\n"; - echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - echo "Done extracting Signatures.\n"; - } - } -} - -/* Make Clean Snort Directory */ -//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { -//if (file_exists("{$snortdir}/rules")) { -// echo "Cleaning the snort Directory...\n"; -// echo "removing...\n"; -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/mkdir -p {$snortdir}/signatures"); -// exec("/bin/rm {$snortdir}/*"); -// exec("/bin/rm {$snortdir}/rules/*"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); -//} else { -// echo "Making Snort Directory...\n"; -// echo "should be fast...\n"; -// exec("/bin/mkdir {$snortdir}"); -// exec("/bin/mkdir {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/\*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// echo "Done making snort direcory.\n"; -// } -//} - -/* Copy so_rules dir to snort lib dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { - echo "Copying so_rules...\n"; - echo "May take a while...\n"; - sleep(2); - exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - echo "Done copying so_rules.\n"; -} else { - echo "Directory so_rules does not exist...\n"; - echo "Error copping so_rules...\n"; - exit(0); - } -} - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = << /usr/local/etc/snort_bkup/sid-msg.map"); - -/* Run oinkmaster to snort_wan and cp configs */ -/* If oinkmaster is not needed cp rules normally */ -/* TODO add per interface settings here */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - - if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { -echo "Your first set of rules are being copied...\n"; -echo "May take a while...\n"; - - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - -} else { - echo "Your enable and disable changes are being applied to your fresh set of rules...\n"; - echo "May take a while...\n"; - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - - /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ - /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); - exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - - } -} - -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - echo "Cleaning up...\n"; - exec("/bin/rm -r /tmp/snort_rules_up"); -} - -/* php code to flush out cache some people are reportting missing files this might help */ -sleep(5); -apc_clear_cache(); -exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); - -/* if snort is running hardrestart, if snort is not running do nothing */ -if (file_exists("/tmp/snort_download_halt.pid")) { - start_service("snort"); - echo "The Rules update finished...\n"; - echo "Snort has restarted with your new set of rules...\n"; - exec("/bin/rm /tmp/snort_download_halt.pid"); -} else { - echo "The Rules update finished...\n"; - echo "You may start snort now...\n"; -} - -?> diff --git a/config/snort-dev/snort_define_servers.xml b/config/snort-dev/snort_define_servers.xml deleted file mode 100644 index 7df880d0..00000000 --- a/config/snort-dev/snort_define_servers.xml +++ /dev/null @@ -1,364 +0,0 @@ - - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. - SnortDefServers - none - Services: Snort Define Servers - /usr/local/pkg/snort.inc - - - Settings - /pkg_edit.php?xml=snort.xml&id=0 - - - Update Rules - /snort_download_rules.php - - - Categories - /snort_rulesets.php - - - Rules - /snort_rules.php - - - Servers - /pkg_edit.php?xml=snort_define_servers.xml&id=0 - - - - Blocked - /snort_blocked.php - - - Whitelist - /pkg.php?xml=snort_whitelist.xml - - - Threshold - /pkg.php?xml=snort_threshold.xml - - - Alerts - /snort_alerts.php - - - Advanced - /pkg_edit.php?xml=snort_advanced.xml&id=0 - - - - - Define DNS_SERVERS - def_dns_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define DNS_PORTS - def_dns_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 53. - input - 43 - - - - Define SMTP_SERVERS - def_smtp_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define SMTP_PORTS - def_smtp_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25. - input - 43 - - - - Define Mail_Ports - def_mail_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,143,465,691. - input - 43 - - - - Define HTTP_SERVERS - def_http_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define WWW_SERVERS - def_www_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define HTTP_PORTS - def_http_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 80. - input - 43 - - - - Define SQL_SERVERS - def_sql_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define ORACLE_PORTS - def_oracle_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1521. - input - 43 - - - - Define MSSQL_PORTS - def_mssql_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1433. - input - 43 - - - - Define TELNET_SERVERS - def_telnet_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define TELNET_PORTS - def_telnet_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 23. - input - 43 - - - - Define SNMP_SERVERS - def_snmp_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define SNMP_PORTS - def_snmp_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 161. - input - 43 - - - - Define FTP_SERVERS - def_ftp_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define FTP_PORTS - def_ftp_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 21. - input - 43 - - - - Define SSH_SERVERS - def_ssh_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define SSH_PORTS - def_ssh_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is Pfsense SSH port. - input - 43 - - - - Define POP_SERVERS - def_pop_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define POP2_PORTS - def_pop2_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 109. - input - 43 - - - - Define POP3_PORTS - def_pop3_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 110. - input - 43 - - - - Define IMAP_SERVERS - def_imap_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define IMAP_PORTS - def_imap_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 143. - input - 43 - - - - Define SIP_PROXY_IP - def_sip_proxy_ip - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define SIP_PROXY_PORTS - def_sip_proxy_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 5060:5090,16384:32768. - input - 43 - - - - Define AUTH_PORTS - def_auth_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 113. - input - 43 - - - - Define FINGER_PORTS - def_finger_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 79. - input - 43 - - - - Define IRC_PORTS - def_irc_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 6665,6666,6667,6668,6669,7000. - input - 43 - - - - Define NNTP_PORTS - def_nntp_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 119. - input - 43 - - - - Define RLOGIN_PORTS - def_rlogin_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 513. - input - 43 - - - - Define RSH_PORTS - def_rsh_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 514. - input - 43 - - - - Define SSL_PORTS - def_ssl_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,443,465,636,993,995. - input - 43 - - - - - snort_define_servers(); - - diff --git a/config/snort-dev/snort_download_rules.php b/config/snort-dev/snort_download_rules.php deleted file mode 100644 index 133f2d2a..00000000 --- a/config/snort-dev/snort_download_rules.php +++ /dev/null @@ -1,782 +0,0 @@ - - - - - - - - -

"; -?> - -
-
- - - - - - - - -
- -
-
- - - - -
- - - - - -
- /images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> -
-
- - - - -
-
-
-
- - - -You last checked for updates: {$last_md5_download}

\n"; - echo "\n

You last installed for rules: {$last_rules_install}

\n"; - echo "\n\n\n\n"; - exit(0); -} - -/* If emergingthreats md5 file is empty wait 15min exit not needed */ - -/* If pfsense md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ - update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); - update_output_window(gettext("Rules are released to support Pfsense packages.")); - hide_progress_bar_status(); - /* Display last time of sucsessful md5 check from cache */ - echo "\n

You last checked for updates: {$last_md5_download}

\n"; - echo "\n

You last installed for rules: {$last_rules_install}

\n"; - echo "\n\n\n\n"; - exit(0); -} - -/* Check if were up to date snort.org */ -if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ -$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); -if ($md5_check_new == $md5_check_old) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - hide_progress_bar_status(); - /* Timestamps to html */ - echo "\n

You last checked for updates: {$last_md5_download}

\n"; - echo "\n

You last installed for rules: {$last_rules_install}

\n"; -// echo "P is this code {$premium_subscriber}"; - echo "\n\n\n\n"; - $snort_md5_check_ok = on; - } -} - -/* Check if were up to date emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; -if ($emergingthreats_url_chk == on) { -if (file_exists("{$snortdir}/version.txt")){ -$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); -$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); -$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); -if ($emerg_md5_check_new == $emerg_md5_check_old) { - update_status(gettext("Your emergingthreats rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - hide_progress_bar_status(); - $emerg_md5_check_chk_ok = on; - } - } -} - -/* Check if were up to date pfsense.org */ -if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ -$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -if ($pfsense_md5_check_new == $pfsense_md5_check_old) { - $pfsense_md5_check_ok = on; - } -} - -/* Make Clean Snort Directory emergingthreats not checked */ -if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Cleaning the snort Directory...")); - update_output_window(gettext("removing...")); - exec("/bin/rm {$snortdir}/rules/emerging*"); - exec("/bin/rm {$snortdir}/version.txt"); - exec("/bin/rm {$snortdir_wan}/rules/emerging*"); - exec("/bin/rm {$snortdir_wan}/version.txt"); - update_status(gettext("Done making cleaning emrg direcory.")); -} - -/* Check if were up to date exits */ -if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - exit(0); -} - -if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - exit(0); -} - -/* You are Not Up to date, always stop snort when updating rules for low end machines */; -update_status(gettext("You are NOT up to date...")); -update_output_window(gettext("Stopping Snort service...")); -$chk_if_snort_up = exec("pgrep -x snort"); -if ($chk_if_snort_up != "") { - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - stop_service("snort"); - sleep(2); -} - -/* download snortrules file */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Snortrule tar file exists...")); -} else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Snort rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - if (150000 > filesize("{$tmpfname}/$snort_filename")){ - update_status(gettext("Error with the snort rules download...")); - update_output_window(gettext("Snort rules file downloaded failed...")); - exit(0); - } - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Emergingthreats tar file exists...")); -} else { - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading Emergingthreats rules file.")); - } - } - } - -/* download pfsense rules file */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Snortrule tar file exists...")); -} else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - } -} - -/* Compair md5 sig to file sig */ - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk == on) { -//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md5 == $file_md5_ondisk) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk != on) { -//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; -//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md55 == $file_md5_ondisk2) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...Not P")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -/* Untar snort rules file individually to help people with low system specs */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); - exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); - update_status(gettext("Done extracting Rules.")); -} else { - update_status(gettext("The Download rules file missing...")); - update_output_window(gettext("Error rules extracting failed...")); - exit(0); - } -} - -/* Untar emergingthreats rules to tmp */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } -} - -/* Untar Pfsense rules to tmp */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Extracting Pfsense rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); - } -} - -/* Untar snort signatures */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; -if ($premium_url_chk == on) { - update_status(gettext("Extracting Signatures...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - update_status(gettext("Done extracting Signatures.")); - } - } -} - -/* Make Clean Snort Directory */ -//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { -//if (file_exists("{$snortdir}/rules")) { -// update_status(gettext("Cleaning the snort Directory...")); -// update_output_window(gettext("removing...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/mkdir -p {$snortdir}/signatures"); -// exec("/bin/rm {$snortdir}/*"); -// exec("/bin/rm {$snortdir}/rules/*"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); - -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); -//} else { -// update_status(gettext("Making Snort Directory...")); -// update_output_window(gettext("should be fast...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// update_status(gettext("Done making snort direcory.")); -// } -//} - -/* Copy so_rules dir to snort lib dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { - update_status(gettext("Copying so_rules...")); - update_output_window(gettext("May take a while...")); - exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - update_status(gettext("Done copying so_rules.")); -} else { - update_status(gettext("Directory so_rules does not exist...")); - update_output_window(gettext("Error copping so_rules...")); - exit(0); - } -} - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = << /usr/local/etc/snort_bkup/sid-msg.map"); - -/* Run oinkmaster to snort_wan and cp configs */ -/* If oinkmaster is not needed cp rules normally */ -/* TODO add per interface settings here */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - - if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { - update_status(gettext("Your first set of rules are being copied...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - -} else { - update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - - /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ - /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); - exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - - - } -} - -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - update_status(gettext("Cleaning up...")); - exec("/bin/rm -r /tmp/snort_rules_up"); -// apc_clear_cache(); -} - -/* php code to flush out cache some people are reportting missing files this might help */ -sleep(2); -apc_clear_cache(); -exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); - -/* if snort is running hardrestart, if snort is not running do nothing */ -if (file_exists("/tmp/snort_download_halt.pid")) { - start_service("snort"); - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("Snort has restarted with your new set of rules...")); - exec("/bin/rm /tmp/snort_download_halt.pid"); -} else { - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("You may start snort now...")); -} - -/* hide progress bar and lets end this party */ -hide_progress_bar_status(); - -?> - - 150) { - update_output_window($text); - update_progress_bar($downloadProgress); - flush(); - $counter = 0; - } - fwrite($fout, $string); - return $length; -} - -?> - - - diff --git a/config/snort-dev/snort_dynamic_ip_reload.php b/config/snort-dev/snort_dynamic_ip_reload.php deleted file mode 100644 index 0fad085b..00000000 --- a/config/snort-dev/snort_dynamic_ip_reload.php +++ /dev/null @@ -1,49 +0,0 @@ - \ No newline at end of file diff --git a/config/snort-dev/snort_interfaces.php b/config/snort-dev/snort_interfaces.php new file mode 100644 index 00000000..065ec0dc --- /dev/null +++ b/config/snort-dev/snort_interfaces.php @@ -0,0 +1,296 @@ +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['installedpackages']['snortglobal'])) + $config['installedpackages']['snortglobal'] = array(); + +$a_nat = &$config['installedpackages']['snortglobal']; + +/* if a custom message has been passed along, lets process it */ +if ($_GET['savemsg']) + $savemsg = $_GET['savemsg']; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + + write_config(); + + $retval = 0; + + if(stristr($retval, "error") <> true) + $savemsg = get_std_save_message($retval); + else + $savemsg = $retval; + + unlink_if_exists("/tmp/config.cache"); + $retval |= filter_configure(); + + if ($retval == 0) { + if (file_exists($d_natconfdirty_path)) + unlink($d_natconfdirty_path); + if (file_exists($d_filterconfdirty_path)) + unlink($d_filterconfdirty_path); + } + + } +} + +if (isset($_POST['del_x'])) { + /* delete selected rules */ + if (is_array($_POST['rule']) && count($_POST['rule'])) { + foreach ($_POST['rule'] as $rulei) { + $target = $rule['target']; + $helpers = exec("/bin/ps awwux | grep pftpx | grep \"{$target}\" | grep -v grep | awk '{ print \$2 }'"); + if($helpers) { + /* kill ftp proxy helper */ + mwexec("/bin/kill {$helpers}"); + } + unset($a_nat[$rulei]); + } + write_config(); + touch($d_natconfdirty_path); + header("Services: snort_interfaces.php"); + exit; + } + +} else { + /* yuck - IE won't send value attributes for image buttons, while Mozilla does - so we use .x/.y to find move button clicks instead... */ + unset($movebtn); + foreach ($_POST as $pn => $pd) { + if (preg_match("/move_(\d+)_x/", $pn, $matches)) { + $movebtn = $matches[1]; + break; + } + } + /* move selected rules before this rule */ + if (isset($movebtn) && is_array($_POST['rule']) && count($_POST['rule'])) { + $a_nat_new = array(); + + /* copy all rules < $movebtn and not selected */ + for ($i = 0; $i < $movebtn; $i++) { + if (!in_array($i, $_POST['rule'])) + $a_nat_new[] = $a_nat[$i]; + } + + /* copy all selected rules */ + for ($i = 0; $i < count($a_nat); $i++) { + if ($i == $movebtn) + continue; + if (in_array($i, $_POST['rule'])) + $a_nat_new[] = $a_nat[$i]; + } + + /* copy $movebtn rule */ + if ($movebtn < count($a_nat)) + $a_nat_new[] = $a_nat[$movebtn]; + + /* copy all rules > $movebtn and not selected */ + for ($i = $movebtn+1; $i < count($a_nat); $i++) { + if (!in_array($i, $_POST['rule'])) + $a_nat_new[] = $a_nat[$i]; + } + $a_nat = $a_nat_new; + write_config(); + touch($d_natconfdirty_path); + header("Services: snort_interfaces.php"); + exit; + } +} + +$pgtitle = "Services: Snort 2.8.4.1_5 pkg v. 1.7"; +include("head.inc"); + +?> + + +

+
+ +

+The NAT configuration has been changed.
You must apply the changes in order for them to take effect."); + else + print_info_box_np("The NAT configuration has been changed.
You must apply the changes in order for them to take effect."); +?> + + + + + + +
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  IfInlineInline portInline port rangeBlock HostsBarnyard2Description + + + + + +
+
+ + + + + + + + (ext.: " . $natent['external-address'] . ")"; + else + echo "
(ext.: " . find_interface_ip(convert_friendly_interface_to_real_interface_name($natent['interface'])) . ")"; + ?> +
+ + + + + +   + + + + + + + + + +
+
+ + + + + + + + +
+
+
+
+ +

Note:
Snort Inline mode is disabled and in private testing. Snort Inline release target is pfSense 2.0.

+ + + + "") { + echo ""; +} +?> + +
+ + + diff --git a/config/snort-dev/snort_interfaces_edit.php b/config/snort-dev/snort_interfaces_edit.php new file mode 100644 index 00000000..4ee9203e --- /dev/null +++ b/config/snort-dev/snort_interfaces_edit.php @@ -0,0 +1,402 @@ +. + Copyright (C) 2003-2004 Robert Zelaya + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +//nat_rules_sort(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +if (isset($id) && $a_nat[$id]) { + $pconfig['proto'] = $a_nat[$id]['protocol']; + list($pconfig['beginport'],$pconfig['endport']) = explode("-", $a_nat[$id]['external-port']); + $pconfig['localip'] = $a_nat[$id]['target']; + $pconfig['localbeginport'] = $a_nat[$id]['local-port']; + $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['block'] = isset($a_nat[$id]['block']); + $pconfig['inline'] = isset($a_nat[$id]['inline']); + if (!$pconfig['interface']) + $pconfig['interface'] = "wan"; +} else { + $pconfig['interface'] = "wan"; +} + +if (isset($_GET['dup'])) + unset($id); + +if ($_POST) { + + if ($_POST['beginport_cust'] && !$_POST['beginport']) + $_POST['beginport'] = $_POST['beginport_cust']; + if ($_POST['endport_cust'] && !$_POST['endport']) + $_POST['endport'] = $_POST['endport_cust']; + if ($_POST['localbeginport_cust'] && !$_POST['localbeginport']) + $_POST['localbeginport'] = $_POST['localbeginport_cust']; + + if (!$_POST['endport']) + $_POST['endport'] = $_POST['beginport']; + /* Make beginning port end port if not defined and endport is */ + if (!$_POST['beginport'] && $_POST['endport']) + $_POST['beginport'] = $_POST['endport']; + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { + $reqdfields = explode(" ", "interface proto beginport endport localip localbeginport"); + $reqdfieldsn = explode(",", "Interface,Protocol,External port from,External port to,NAT IP,Local port"); + } else { + $reqdfields = explode(" ", "interface proto localip"); + $reqdfieldsn = explode(",", "Interface,Protocol,NAT IP"); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + +// if (($_POST['localip'] && !is_ipaddroralias($_POST['localip']))) { +// $input_errors[] = "\"{$_POST['localip']}\" is not valid subnet address."; +// } + + /* only validate the ports if the protocol is TCP, UDP or TCP/UDP */ + if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { + + if (($_POST['beginport'] && !is_ipaddroralias($_POST['beginport']) && !is_port($_POST['beginport']))) { + $input_errors[] = "The start port must be an integer between 1 and 65535."; + } + + if (($_POST['endport'] && !is_ipaddroralias($_POST['endport']) && !is_port($_POST['endport']))) { + $input_errors[] = "The end port must be an integer between 1 and 65535."; + } + + if (($_POST['localbeginport'] && !is_ipaddroralias($_POST['localbeginport']) && !is_port($_POST['localbeginport']))) { + $input_errors[] = "The local port must be an integer between 1 and 65535."; + } + + if ($_POST['beginport'] > $_POST['endport']) { + /* swap */ + $tmp = $_POST['endport']; + $_POST['endport'] = $_POST['beginport']; + $_POST['beginport'] = $tmp; + } + + if (!$input_errors) { + if (($_POST['endport'] - $_POST['beginport'] + $_POST['localbeginport']) > 65535) + $input_errors[] = "The target port range must be an integer between 1 and 65535."; + } + + } + + /* check for overlaps */ + foreach ($a_nat as $natent) { + if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) + continue; + if ($natent['interface'] != $_POST['interface']) + continue; + if ($natent['external-address'] != $_POST['extaddr']) + continue; + if (($natent['proto'] != $_POST['proto']) && ($natent['proto'] != "tcp/udp") && ($_POST['proto'] != "tcp/udp")) + continue; + + list($begp,$endp) = explode("-", $natent['external-port']); + if (!$endp) + $endp = $begp; + + if (!( (($_POST['beginport'] < $begp) && ($_POST['endport'] < $begp)) + || (($_POST['beginport'] > $endp) && ($_POST['endport'] > $endp)))) { + + $input_errors[] = "The external port range overlaps with an existing entry."; + break; + } + } + + if (!$input_errors) { + $natent = array(); + if ($_POST['extaddr']) + $natent['external-address'] = $_POST['extaddr']; + $natent['protocol'] = $_POST['proto']; + + if ($_POST['beginport'] == $_POST['endport']) + $natent['external-port'] = $_POST['beginport']; + else + $natent['external-port'] = $_POST['beginport'] . "-" . $_POST['endport']; + + $natent['target'] = $_POST['localip']; + $natent['local-port'] = $_POST['localbeginport']; + $natent['interface'] = $_POST['interface']; + $natent['descr'] = $_POST['descr']; + + if($_POST['block'] == "yes") + $natent['block'] = true; + else + unset($natent['block']); + + if($_POST['inline'] == "yes") + $natent['inline'] = true; + else + unset($natent['inline']); + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + + header("Location: snort_interfaces.php"); + exit; + } +} + +$pgtitle = "Services: Snort Interfaces"; +include("head.inc"); + +?> + + + +

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Interface +
+ Choose which interface this rule applies to.
+ Hint: in most cases, you'll want to use WAN here.
Block all offenders + >
+ HINT: Block all offenders that trigger an alert on the selected interface. +
Enable Inline Mode + >
+ HINT: This will enable Snort Inline mode on the selected interafce. +
Inline listening port + +
+ Specify the port Snort Inline should lissten on.
+ Hint: Never enter a port that is already being used by the system.
Inline Divert Protocol +
Choose which IP protocol Snort Inline should divert.
+ Hint: in most cases, you should specify All  here.
Inline Divert External port range + + + + + + + + + +
from:  
to:
+
Specify the port or port range Snort Inline should divert on the firewall's external address.
+ Hint: you can leave the 'to' field empty if you only want to divert a single port
+ Hint: you can leave from and to empty to divert all ports.
Inline IP Subnet + +
Enter the internal IP subnet address you wish to sniff. Leave blank for all.
+ e.g. 192.168.1.0/24
Description + +
You may enter a description here + for your reference (not parsed).
  + + + + +
+
+ + "") + foreach($config['aliases']['alias'] as $alias_name) { + if(!stristr($alias_name['address'], ".")) { + if($isfirst == 1) $aliases .= ","; + $aliases .= "'" . $alias_name['name'] . "'"; + $isfirst = 1; + } else { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } + } +?> + + + + diff --git a/config/snort-dev/snort_rules.php b/config/snort-dev/snort_rules.php deleted file mode 100644 index 233841b1..00000000 --- a/config/snort-dev/snort_rules.php +++ /dev/null @@ -1,620 +0,0 @@ -"; - -echo "\n -\n -\n - \n - \n - \n - \n - \n - \n -
\n"; - - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); - -echo "
\n -
\n - \n - \n - \n - \n -
\n -# The rules directory is empty.\n -
\n -
\n -
\n -\n -\n -\n -

\n\n"; - -echo "Please click on the Update Rules tab to install your selected rule sets."; -include("fend.inc"); - -echo ""; -echo ""; - -exit(0); - -} - -function get_middle($source, $beginning, $ending, $init_pos) { - $beginning_pos = strpos($source, $beginning, $init_pos); - $middle_pos = $beginning_pos + strlen($beginning); - $ending_pos = strpos($source, $ending, $beginning_pos); - $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); - return $middle; -} - -function write_rule_file($content_changed, $received_file) -{ - //read snort file with writing enabled - $filehandle = fopen($received_file, "w"); - - //delimiter for each new rule is a new line - $delimiter = "\n"; - - //implode the array back into a string for writing purposes - $fullfile = implode($delimiter, $content_changed); - - //write data to file - fwrite($filehandle, $fullfile); - - //close file handle - fclose($filehandle); - -} - -function load_rule_file($incoming_file) -{ - - //read snort file - $filehandle = fopen($incoming_file, "r"); - - //read file into string, and get filesize - $contents = fread($filehandle, filesize($incoming_file)); - - //close handler - fclose ($filehandle); - - //string for populating category select - $currentruleset = substr($file, 27); - - //delimiter for each new rule is a new line - $delimiter = "\n"; - - //split the contents of the string file into an array using the delimiter - $splitcontents = explode($delimiter, $contents); - - return $splitcontents; - -} - -$ruledir = "/usr/local/etc/snort/rules/"; -$dh = opendir($ruledir); - -$message_reload = "The Snort rule configuration has been changed.
You must apply the changes in order for them to take effect."; - -while (false !== ($filename = readdir($dh))) -{ - //only populate this array if its a rule file - $isrulefile = strstr($filename, ".rules"); - if ($isrulefile !== false) - { - $files[] = $filename; - } -} - -sort($files); - -if ($_GET['openruleset']) -{ - $file = $_GET['openruleset']; -} -else -{ - $file = $ruledir.$files[0]; - -} - -//Load the rule file -$splitcontents = load_rule_file($file); - -if ($_POST) -{ - if (!$_POST['apply']) { - //retrieve POST data - $post_lineid = $_POST['lineid']; - $post_enabled = $_POST['enabled']; - $post_src = $_POST['src']; - $post_srcport = $_POST['srcport']; - $post_dest = $_POST['dest']; - $post_destport = $_POST['destport']; - - //clean up any white spaces insert by accident - $post_src = str_replace(" ", "", $post_src); - $post_srcport = str_replace(" ", "", $post_srcport); - $post_dest = str_replace(" ", "", $post_dest); - $post_destport = str_replace(" ", "", $post_destport); - - //copy rule contents from array into string - $tempstring = $splitcontents[$post_lineid]; - - //search string - $findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled - $disabled = strstr($tempstring, $findme); - - //if find alert is false, then rule is disabled - if ($disabled !== false) - { - //has rule been enabled - if ($post_enabled == "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("# alert", "alert", $tempstring); - $counter2 = 1; - } - else - { - //rule is staying disabled - $counter2 = 2; - } - } - else - { - //has rule been disabled - if ($post_enabled != "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("alert", "# alert", $tempstring); - $counter2 = 2; - } - else - { - //rule is staying enabled - $counter2 = 1; - } - } - - //explode rule contents into an array, (delimiter is space) - $rule_content = explode(' ', $tempstring); - - //insert new values - $counter2++; - $rule_content[$counter2] = $post_src;//source location - $counter2++; - $rule_content[$counter2] = $post_srcport;//source port location - $counter2 = $counter2+2; - $rule_content[$counter2] = $post_dest;//destination location - $counter2++; - $rule_content[$counter2] = $post_destport;//destination port location - - //implode the array back into string - $tempstring = implode(' ', $rule_content); - - //copy string into file array for writing - $splitcontents[$post_lineid] = $tempstring; - - //write the new .rules file - write_rule_file($splitcontents, $file); - - //once file has been written, reload file - $splitcontents = load_rule_file($file); - - $stopMsg = true; - } - - if ($_POST['apply']) { -// stop_service("snort"); -// sleep(2); -// start_service("snort"); - $savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; - $stopMsg = false; - } - -} -else if ($_GET['act'] == "toggle") -{ - $toggleid = $_GET['id']; - - //copy rule contents from array into string - $tempstring = $splitcontents[$toggleid]; - - //explode rule contents into an array, (delimiter is space) - $rule_content = explode(' ', $tempstring); - - //search string - $findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled - $disabled = strstr($tempstring, $findme); - - //if find alert is false, then rule is disabled - if ($disabled !== false) - { - //rule has been enabled - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("# alert", "alert", $tempstring); - - } - else - { - //has rule been disabled - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("alert", "# alert", $tempstring); - - } - - //copy string into array for writing - $splitcontents[$toggleid] = $tempstring; - - //write the new .rules file - write_rule_file($splitcontents, $file); - - //once file has been written, reload file - $splitcontents = load_rule_file($file); - - $stopMsg = true; - - //write disable/enable sid to config.xml - if ($disabled == false) { - $string_sid = strstr($tempstring, 'sid:'); - $sid_pieces = explode(";", $string_sid); - $sid_off_cut = $sid_pieces[0]; - // sid being turned off - $sid_off = str_replace("sid:", "", $sid_off_cut); - // rule_sid_on registers - $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; - // if off sid is the same as on sid remove it - $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); - // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; - // rule sid off registers - $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; - // if off sid is the same as off sid remove it - $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); - // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; - // add sid off registers to new off sid - $config['installedpackages']['snort']['rule_sid_off'] = "||disablesid $sid_off" . $config['installedpackages']['snort']['rule_sid_off']; - write_config(); - } - else - { - $string_sid = strstr($tempstring, 'sid:'); - $sid_pieces = explode(";", $string_sid); - $sid_on_cut = $sid_pieces[0]; - // sid being turned off - $sid_on = str_replace("sid:", "", $sid_on_cut); - // rule_sid_off registers - $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; - // if off sid is the same as on sid remove it - $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); - // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; - // rule sid on registers - $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; - // if on sid is the same as on sid remove it - $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); - // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; - // add sid on registers to new on sid - $config['installedpackages']['snort']['rule_sid_on'] = "||enablesid $sid_on" . $config['installedpackages']['snort']['rule_sid_on']; - write_config(); - } - -} - - -$pgtitle = "Snort: Rules"; -require("guiconfig.inc"); -include("head.inc"); -?> - - - -

"; -?> -
- -
-
- - - - - - - - - -
- -
-
- - - - -
- - - - - - - - - - - - - - Category: "; - - //string for populating category select - $currentruleset = substr($file, 27); - ?> - - - - - "; - $textse = ""; - $iconb = "icon_block_d.gif"; - } - else - { - $textss = $textse = ""; - $iconb = "icon_block.gif"; - } - - $rule_content = explode(' ', $tempstring); - - $protocol = $rule_content[$counter2];//protocol location - $counter2++; - $source = $rule_content[$counter2];//source location - $counter2++; - $source_port = $rule_content[$counter2];//source port location - $counter2 = $counter2+2; - $destination = $rule_content[$counter2];//destination location - $counter2++; - $destination_port = $rule_content[$counter2];//destination port location - - $message = get_middle($tempstring, 'msg:"', '";', 0); - - echo ""; - echo ""; - - echo ""; - echo ""; - echo ""; - echo ""; - echo ""; - ?> - -
"; - ?> -
 SIDProtoSourcePortDestinationPortMessage
"; - echo $textss; - ?> - - "; - - - echo ""; - echo $textss; - echo $sid; - echo $textse; - echo ""; - echo $textss; - echo $protocol; - $printcounter++; - echo $textse; - echo ""; - echo $textss; - echo $source; - echo $textse; - echo ""; - echo $textss; - echo $source_port; - echo $textse; - echo ""; - echo $textss; - echo $destination; - echo $textse; - echo ""; - echo $textss; - echo $destination_port; - echo $textse; - echo " - "; - ?> - - - - - -
-
-
- - - - - - - - - - - - - -
Rule Enabled
Rule Disabled
-

- -

-
- - - - - - - - - \ No newline at end of file diff --git a/config/snort-dev/snort_rules_edit.php b/config/snort-dev/snort_rules_edit.php deleted file mode 100644 index cbabce73..00000000 --- a/config/snort-dev/snort_rules_edit.php +++ /dev/null @@ -1,207 +0,0 @@ - - - - - -

"; -?> - - - - - - - -
- -
-
- - - - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Enabled: >
SID:
Protocol:
Source:
Source Port:
Direction:
Destination:
Destination Port:
Message:
Content:
Classtype:
Revision:
 
   
-
-
-
- - - - \ No newline at end of file diff --git a/config/snort-dev/snort_rulesets.php b/config/snort-dev/snort_rulesets.php deleted file mode 100644 index 8e5179d6..00000000 --- a/config/snort-dev/snort_rulesets.php +++ /dev/null @@ -1,227 +0,0 @@ -"; - -echo "\n -\n -\n - \n - \n - \n - \n - \n - \n -
\n"; - - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); - -echo "
\n -
\n - \n - \n - \n - \n -
\n -# The rules directory is empty.\n -
\n -
\n -
\n -\n -\n -\n -

\n\n"; - -echo "Please click on the Update Rules tab to install your selected rule sets."; -include("fend.inc"); - -echo ""; -echo ""; - -exit(0); - -} - -if($_POST) { - $enabled_items = ""; - $isfirst = true; - foreach($_POST['toenable'] as $toenable) { - if(!$isfirst) - $enabled_items .= "||"; - $enabled_items .= "{$toenable}"; - $isfirst = false; - } - $config['installedpackages']['snort']['rulesets'] = $enabled_items; - write_config(); - stop_service("snort"); - create_snort_conf(); - sleep(2); - start_service("snort"); - $savemsg = "The snort ruleset selections have been saved."; -} - -$enabled_rulesets = $config['installedpackages']['snort']['rulesets']; -if($enabled_rulesets) - $enabled_rulesets_array = split("\|\|", $enabled_rulesets); - -$pgtitle = "Snort: Categories"; -include("head.inc"); - -?> - - - - -

"; -?> - -
- - - - - - - - - - -
- -
-
- - - - - - - - -
- - - - - - -"; - echo ""; - echo ""; - //echo ""; - } - -?> -
EnabledRuleset: Rules that end with "so.rules" are shared object rules.
"; - if(is_array($enabled_rulesets_array)) - if(in_array($file, $enabled_rulesets_array)) { - $CHECKED = " checked=\"checked\""; - } else { - $CHECKED = ""; - } - else - $CHECKED = ""; - echo " "; - echo ""; - echo "{$file}"; - echo ""; - //echo "description"; - //echo "
-
 
Check the rulesets that you would like Snort to load at startup.
 
-
-
- -
- -

NOTE: You can click on a ruleset name to edit the ruleset. - - - - - - - \ No newline at end of file diff --git a/config/snort-dev/snort_threshold.xml b/config/snort-dev/snort_threshold.xml deleted file mode 100644 index f9075d3d..00000000 --- a/config/snort-dev/snort_threshold.xml +++ /dev/null @@ -1,129 +0,0 @@ - - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. - snort-threshold - 0.1.0 - Snort: Alert Thresholding and Suppression - /usr/local/pkg/snort.inc - - - - Settings - /pkg_edit.php?xml=snort.xml&id=0 - - - Update Rules - /snort_download_rules.php - - - Categories - /snort_rulesets.php - - - Rules - /snort_rules.php - - - Servers - /pkg_edit.php?xml=snort_define_servers.xml&id=0 - - - Blocked - /snort_blocked.php - - - Whitelist - /pkg.php?xml=snort_whitelist.xml - - - Threshold - /pkg.php?xml=snort_threshold.xml - - - - Alerts - /snort_alerts.php - - - Advanced - /pkg_edit.php?xml=snort_advanced.xml&id=0 - - - - - Thresholding or Suppression Rule - threshrule - - - Description - description - - - - - Thresholding or Suppression Rule - threshrule - Enter the Rule. Example; "suppress gen_id 125, sig_id 4" or "threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60" - input - 40 - - - Description - description - Enter the description for this item - input - 60 - - - - - - - - create_snort_conf(); - - \ No newline at end of file diff --git a/config/snort-dev/snort_whitelist.xml b/config/snort-dev/snort_whitelist.xml deleted file mode 100644 index 42769e4e..00000000 --- a/config/snort-dev/snort_whitelist.xml +++ /dev/null @@ -1,129 +0,0 @@ - - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. - snort-whitelist - 0.1.0 - Snort: Whitelist - /usr/local/pkg/snort.inc - - - - Settings - /pkg_edit.php?xml=snort.xml&id=0 - - - Update Rules - /snort_download_rules.php - - - Categories - /snort_rulesets.php - - - Rules - /snort_rules.php - - - Servers - /pkg_edit.php?xml=snort_define_servers.xml&id=0 - - - Blocked - /snort_blocked.php - - - Whitelist - /pkg.php?xml=snort_whitelist.xml - - - - Threshold - /pkg.php?xml=snort_threshold.xml - - - Alerts - /snort_alerts.php - - - Advanced - /pkg_edit.php?xml=snort_advanced.xml&id=0 - - - - - Whitelisted IP - ip - - - Description - description - - - - - Whitelisted IP - ip - Enter the IP or network to whitelist from snort blocking. Network items should be expressed in CIDR notation. Example: 0.0.0.0/24 or 0.0.0.0/32 - input - 40 - - - Description - description - Enter the description for this item - input - 60 - - - - - - - - create_snort_conf(); - - \ No newline at end of file diff --git a/config/snort-dev/snort_xmlrpc_sync.php b/config/snort-dev/snort_xmlrpc_sync.php deleted file mode 100644 index db8b3f3e..00000000 --- a/config/snort-dev/snort_xmlrpc_sync.php +++ /dev/null @@ -1,114 +0,0 @@ -setCredentials('admin', $password); - if($g['debug']) - $cli->setDebug(1); - /* send our XMLRPC message and timeout after 240 seconds */ - $resp = $cli->send($msg, "999"); - if(!$resp) { - $error = "A communications error occured while attempting Snort XMLRPC sync with {$url}:{$port}."; - log_error($error); - file_notice("sync_settings", $error, "Snort Settings Sync", ""); - } elseif($resp->faultCode()) { - $error = "An error code was received while attempting Snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); - file_notice("sync_settings", $error, "Snort Settings Sync", ""); - } else { - log_error("Snort XMLRPC sync successfully completed with {$url}:{$port}."); - } - log_error("[SNORT] snort_xmlrpc_sync.php is ending."); -} - -?> \ No newline at end of file -- cgit v1.2.3