From ede8a5141d24d7a7f72071811bd78de099dc681f Mon Sep 17 00:00:00 2001 From: robiscool Date: Tue, 12 Jun 2012 23:04:39 -0700 Subject: snort-dev2, fixed interface remove dir issue when iface rule stop, changed iface rule log dir --- config/snort-dev2/snort.inc | 42 ++++++++++++++++++++-------------- config/snort-dev2/snort_interfaces.php | 4 ++-- 2 files changed, 27 insertions(+), 19 deletions(-) (limited to 'config/snort-dev2') diff --git a/config/snort-dev2/snort.inc b/config/snort-dev2/snort.inc index 0b595c89..0fafd187 100644 --- a/config/snort-dev2/snort.inc +++ b/config/snort-dev2/snort.inc @@ -270,18 +270,18 @@ function Running_Stop($snort_uuid, $if_real, $id) { $start_up = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'"); $start_upb = exec("/bin/ps -ax | /usr/bin/grep \"snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'"); + if ($start_up != '') { exec("/bin/kill {$start_up}"); exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); - exec("/bin/rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*"); - @unlink("/var/log/snort/alert_{$snort_uuid}"); - exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + exec("/bin/rm /var/log/snort/snort_{$if_real}{$snort_uuid}/snort_{$snort_uuid}_{$if_real}*"); + @unlink("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert_{$snort_uuid}"); } if ($start_upb != '') { exec("/bin/kill {$start_upb}"); exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); - exec("/bin/rm /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*"); + exec("/bin/rm /var/log/snort/snort_{$if_real}{$snort_uuid}/snort.u2_{$snort_uuid}_{$if_real}*"); } /* Log Iface stop */ @@ -297,7 +297,7 @@ function Running_Start($snort_uuid, $if_real, $id) { $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; if ($snort_info_chk == 'on') - exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); else return; @@ -306,7 +306,7 @@ function Running_Start($snort_uuid, $if_real, $id) { $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { - exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"); + exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$snort_uuid}_{$if_real}/ -D -q"); } /* Log Iface stop */ @@ -410,6 +410,14 @@ function snort_remove_files($snort_list_rm, $snort_file_safe) } } +/* + * TODO: + * This is called by snort_alerts.php. + * + * This func needs to be made to only clear one interface rule log + * at a time. + * + */ function post_delete_logs() { global $config, $g; @@ -841,14 +849,14 @@ function sync_snort_package_config() create_snort_sh(); /* all new files are for the user snort nologin */ - if (!is_dir('/var/log/snort')) - exec('/bin/mkdir -p /var/log/snort'); + if (!is_dir("/var/log/snort/snort_{$if_real}{$snort_uuid}")) + exec("/bin/mkdir -p /var/log/snort/snort_{$if_real}{$snort_uuid}"); if (!is_dir('/var/log/snort/run')) exec('/bin/mkdir -p /var/log/snort/run'); - if (!is_dir('/var/log/snort/barnyard2')) - exec('/bin/mkdir -p /var/log/snort/barnyard2'); + if (!is_dir("/var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}")) + exec("/bin/mkdir -p /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}"); /* XXX: These are needed if snort is run as snort user mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); @@ -995,7 +1003,7 @@ function create_snort_sh() $snortbarnyardlog_mysql_info_chk = $value['barnyard_mysql']; if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') - $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"; + $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q"; $snort_sh_text3[] = << /tmp/snort.sh.pid /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid - /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} $start_barnyard2 /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD START For {$snort_uuid}_{$if_real}..." @@ -1121,10 +1129,10 @@ function create_barnyard2_conf($id, $if_real, $snort_uuid) { exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); if (!file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { - mwexec("/usr/bin/touch /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); + mwexec("/usr/bin/touch /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo", true); /* XXX: This is needed if snort is run as snort user */ //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); - mwexec("/bin/chmod 770 /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); + mwexec("/bin/chmod 770 /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo", true); } $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); @@ -1166,7 +1174,7 @@ config sid_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid config hostname: $snortbarnyardlog_hostname_info_chk config interface: {$snort_uuid}_{$if_real} config decode_data_link -config waldo_file: /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo +config waldo_file: /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo ## START user pass through ## @@ -1177,7 +1185,7 @@ config waldo_file: /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo # Step 2: setup the input plugins input unified2 -config logdir: /var/log/snort +config logdir: /var/log/snort/snort_{$if_real}{$snort_uuid} # database: log to a variety of databases # output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx @@ -1639,7 +1647,7 @@ function generate_snort_conf($id, $if_real, $snort_uuid) # ########################## -preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$snort_uuid}_{$if_real}.stats pktcnt 10000 +preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$if_real}{$snort_uuid}/snort_{$snort_uuid}_{$if_real}.stats pktcnt 10000 EOD; diff --git a/config/snort-dev2/snort_interfaces.php b/config/snort-dev2/snort_interfaces.php index 86a9aff6..966c115d 100644 --- a/config/snort-dev2/snort_interfaces.php +++ b/config/snort-dev2/snort_interfaces.php @@ -97,12 +97,12 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { /* Log Iface stop */ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Toggle for {$snort_uuid}_{$if_real}...'"); - sync_snort_package_config(); + // sync_snort_package_config(); $tester2 = Running_Ck($snort_uuid, $if_real, $id); if ($tester2 == 'yes') { - Running_Stop($snort_uuid, $if_real, $id); + Running_Stop($snort_uuid, $if_real, $id); // causeing snort to delete the ifcae rule dir header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); -- cgit v1.2.3