From dc541ec6cf6e12726f3c9a51156670d408275097 Mon Sep 17 00:00:00 2001
From: Ermal
Date: Wed, 11 Jul 2012 22:13:23 +0000
Subject: Use sed for normalizing rules. Snort and emerging ones

---
 config/snort/snort_check_for_rule_updates.php | 16 +++++--
 config/snort/snort_rules.php | 61 +++++++++++++++------------
 2 files changed, 46 insertions(+), 31 deletions(-)

diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index b8e9a653..153278eb 100644
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -155,6 +155,14 @@ if ($emergingthreats == "on") {
 // }
 //}
 
+/* Normalize rulesets */
+$sedcmd = "s/^#alert/# alert/g\n";
+$sedcmd = "s/^##alert/# alert/g\n";
+$sedcmd = "s/^# alert/# alert/g\n";
+$sedcmd = "s/^#\talert/# alert/g\n";
+$sedcmd = "s/^##\talert/# alert/g\n";
+@file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd);
+
 /* Untar snort rules file individually to help people with low system specs */
 if ($snortdownload == 'on') {
 if (file_exists("{$tmpfname}/{$snort_filename}")) {
@@ -251,11 +259,8 @@ if ($snortdownload == 'on') {
 exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*");
 }
 
- /* XXX: Convert this to sed? */
 /* make shure default rules are in the right format */
- exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' {$snortdir}/rules/*.rules");
- exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' {$snortdir}/rules/*.rules");
- exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' {$snortdir}/rules/*.rules");
+ exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/*.rules");
 
 /* create a msg-map for snort */
 update_status(gettext("Updating Alert Messages..."));
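Review bot: Each of the five `$sedcmd = "..."` assignments in the new block overwrites the previous one, so the script written to `{$snortdir}/tmp/sedcmd` ends up containing only the last expression (`s/^##\talert/# alert/g`) and the other four normalizations are never applied; keep `=` on the first line and use `.=` on the rest, e.g. `$sedcmd .= "s/^##alert/# alert/g\n";`. The `@` in front of `file_put_contents` also hides a failed write, after which the sed runs in the -251 hunk and in the emergingthreats hunk at -276 silently operate on a missing or stale script; checking the result (`if (@file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd) === false)`) and logging it would make that visible.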
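Review bot: The perl expressions being removed were unanchored (`s/#alert/# alert/g`), while every pattern in the sed script is anchored with `^`, so an indented `#alert` line is no longer rewritten and a `#alert` inside a rule's text is no longer mangled; if that narrowing is intended, a comment on the `exec` line such as `/* sed script anchors at line start; indented '#alert' lines are left as-is */` would record it. The same `exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/*.rules")` line is repeated in the emergingthreats hunk at -276; a small helper taking `$snortdir` would keep the two in step. Neither call examines `exec()`'s return status, so a sed failure leaves rules unnormalized without a trace. The enclosing `if ($snortdownload == 'on')` block starts outside the hunk.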
@@ -276,6 +281,9 @@ if ($emergingthreats == 'on') {
 exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/");
 }
 
+ /* make shure default rules are in the right format */
+ exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/*.rules");
+
 /* Copy emergingthreats md5 sig to snort dir */
 if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) {
 update_status(gettext("Copying md5 sig to snort directory..."));
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index 2db3237f..100134c7 100644
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -39,7 +39,7 @@ $snortdir = SNORTDIR;
 if (!is_array($config['installedpackages']['snortglobal']['rule']))
 $config['installedpackages']['snortglobal']['rule'] = array();
-$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+$a_rule = &$config['installedpackages']['snortglobal']['rule'];
 
 $id = $_GET['id'];
 if (isset($_POST['id']))
@@ -49,15 +49,15 @@ if (is_null($id)) {
 exit;
 }
 
-if (isset($id) && $a_nat[$id]) {
- $pconfig['enable'] = $a_nat[$id]['enable'];
- $pconfig['interface'] = $a_nat[$id]['interface'];
- $pconfig['rulesets'] = $a_nat[$id]['rulesets'];
+if (isset($id) && $a_rule[$id]) {
+ $pconfig['enable'] = $a_rule[$id]['enable'];
+ $pconfig['interface'] = $a_rule[$id]['interface'];
+ $pconfig['rulesets'] = $a_rule[$id]['rulesets'];
 }
 
 /* convert fake interfaces to real */
 $if_real = snort_get_real_interface($pconfig['interface']);
-$iface_uuid = $a_nat[$id]['uuid'];
+$iface_uuid = $a_rule[$id]['uuid'];
 
 /* Check if the rules dir is empy if so warn the user */
 /* TODO give the user the option to delete the installed rules rules */
@@ -124,15 +124,14 @@ if ($isrulesfolderempty == "") {
 
 function get_middle($source, $beginning, $ending, $init_pos) {
 $beginning_pos = strpos($source, $beginning, $init_pos);
+ if (!$beginning_pos)
+ return false;
 $middle_pos = $beginning_pos + strlen($beginning);
- $ending_pos = strpos($source, $ending, $beginning_pos);
- $middle = substr($source, $middle_pos, $ending_pos - $middle_pos);
- return $middle;
-}
-
-function write_rule_file($content_changed, $received_file)
-{
- @file_put_contents($received_file, implode("\n", $content_changed));
+ $source = substr($source, $middle_pos);
+ $ending_pos = strpos($source, $ending, 0);
+ if (!$ending_pos)
+ return false;
+ return substr($source, 0, $ending_pos);
 }
 
 function load_rule_file($incoming_file)
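Review bot: `if (!$beginning_pos)` treats a needle found at offset 0 as "not found", because `strpos()` returns `0` for a match at the start of `$source` and `!0` is true; the same applies to `if (!$ending_pos)` on the trimmed string, where an ending that immediately follows the beginning (an empty middle) now yields `false` instead of `""`. Both guards should compare strictly: `if ($beginning_pos === false)` and `if ($ending_pos === false)`. The explicit `0` offset in `strpos($source, $ending, 0)` is the default and can be dropped. The caller in the -187 hunk feeds the result to `is_numeric()`, so an empty match is still rejected there once the checks are strict.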
@@ -187,24 +186,31 @@ if ($_GET['act'] == "toggle" && $_GET['ids']) {
 $splitcontents[$lineid] = $tempstring;
 
 //write the new .rules file
- write_rule_file($splitcontents, $rulefile);
+ @file_put_contents($rulefile, implode("\n", $splitcontents));
 
 //write disable/enable sid to config.xml
- $sid = get_middle($tempstring, 'sid:', ';', 0);
+ $sid = get_middle($tempstring, 'sid:', ";", 0);
 if (is_numeric($sid)) {
 // rule_sid_on registers
- if (!empty($a_nat[$id]['rule_sid_on']))
- $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']);
- if (!empty($a_nat[$id]['rule_sid_on']))
- $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']);
- if ($disabled === false)
- $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off'];
- else
- $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on'];
+ $sidon = explode("||", $a_rule[$id]['rule_sid_on']);
+ if (!empty($sidon))
+ $sidon = @array_flip($sidon);
+ $sidoff = explode("||", $a_rule[$id]['rule_sid_off']);
+ if (!empty($sidoff))
+ $sidoff = @array_flip($sidoff);
+ if ($disabled) {
+ unset($sidoff["disablesid {$sid}"]);
+ $sidon["enablesid {$sid}"] = count($sidon);
+ } else {
+ unset($sidon["enablesid {$sid}"]);
+ $sidoff["disablesid {$sid}"] = count($sidoff);
+ }
+
+ $a_rule[$id]['rule_sid_on'] = implode("||", array_flip($sidon));
+ $a_rule[$id]['rule_sid_off'] = implode("||", array_flip($sidoff));
+ write_config();
 }
- write_config();
-
 header("Location: /snort/snort_rules.php?id={$id}&openruleset={$rulefile}");
 exit;
 }
@@ -248,7 +254,7 @@ function popup(url)
 }
-
+
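Review bot: The inlined `@file_put_contents($rulefile, ...)` discards the write result, so a failed write of the rules file still falls through to updating `rule_sid_on`/`rule_sid_off`, calling `write_config()` and redirecting as if the toggle had succeeded; keep the result (`if (file_put_contents($rulefile, implode("\n", $splitcontents)) === false)`) and skip the config update on failure. `$rulefile` is assigned outside the hunk; if it is taken from the request, as the `openruleset={$rulefile}` redirect suggests, it should be restricted to a file name inside the rules directory before anything is written to it. The `if (!empty($sidon))` and `if (!empty($sidoff))` guards are always true because `explode()` never returns an empty array, and the `@` on `array_flip()` is unnecessary for the string values `explode()` produces; each pair collapses to one line, e.g. `$sidon = array_flip(explode("||", $a_rule[$id]['rule_sid_on']));`. The enclosing `if ($_GET['act'] == "toggle" ...)` block starts before the hunk.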
-- cgit v1.2.3