From 0b5df72ea1ccb50d917ba7c3e3e41bb0ef6037d6 Mon Sep 17 00:00:00 2001 From: robiscool Date: Tue, 17 Nov 2009 22:56:02 -0800 Subject: snort-dev, almost done with the new gui --- config/snort-dev/NOTES.txt | 23 + config/snort-dev/pfsense_rules/local.rules | 12 +- config/snort-dev/snort.xml | 39 +- config/snort-dev/snort_barnyard.php | 294 ++++ config/snort-dev/snort_base_files.inc | 2025 ---------------------------- config/snort-dev/snort_blocked.php | 174 +++ config/snort-dev/snort_define_servers.php | 494 +++++++ config/snort-dev/snort_interfaces_edit.php | 44 +- config/snort-dev/snort_rules.php | 645 +++++++++ config/snort-dev/snort_rules_edit.php | 439 ++++++ config/snort-dev/snort_rulesets.php | 258 ++++ 11 files changed, 2396 insertions(+), 2051 deletions(-) create mode 100644 config/snort-dev/NOTES.txt create mode 100644 config/snort-dev/snort_barnyard.php delete mode 100644 config/snort-dev/snort_base_files.inc create mode 100644 config/snort-dev/snort_blocked.php create mode 100644 config/snort-dev/snort_define_servers.php create mode 100644 config/snort-dev/snort_rules.php create mode 100644 config/snort-dev/snort_rules_edit.php create mode 100644 config/snort-dev/snort_rulesets.php (limited to 'config/snort-dev') diff --git a/config/snort-dev/NOTES.txt b/config/snort-dev/NOTES.txt new file mode 100644 index 00000000..7b405dab --- /dev/null +++ b/config/snort-dev/NOTES.txt 
@@ -0,0 +1,23 @@
+
+
+November 17 2009
+
+If you work on this package just comment on every thing you change.
+
+
+Gui is almost done.
+
+The Gui works just the interface tabs have to be pointed to the right files.
+
+snort.inc
+Must be recoded so that it reads the [snortglobal][rule] options in conf.xml and makes a snort.sh, snort.conf, and barnyard.conf.
+This is easy, just cut and paste from the old snort.inc.
+
+snort_rules_edit.php
+Is what Im working on. Just make sure all snort sig options are supported.
+
+snort_rules.php
+Change the way the rules get disabled, by removing the x icon image and replacing it with check boxes.
+This should improve the users use of the package.
+
+Done.
\ No newline at end of file
diff --git a/config/snort-dev/pfsense_rules/local.rules b/config/snort-dev/pfsense_rules/local.rules
index a9072733..83a05f1b 100644
--- a/config/snort-dev/pfsense_rules/local.rules
+++ b/config/snort-dev/pfsense_rules/local.rules
@@ -1,7 +1,7 @@
-# ----------------
-# LOCAL RULES
-# ----------------
-# This file intentionally does not come with signatures. Put your local
-# additions here. Pfsense first install rule. Rule edit tabe fails with out this file.
-#
+# ----------------
+# LOCAL RULES
+# ----------------
+# This file intentionally does not come with signatures. Put your local
+# additions here. Pfsense first install rule. Rule edit tabe fails with out this file.
+#
 #
\ No newline at end of file
diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml
index 344a01cf..6345ffb7 100644
--- a/config/snort-dev/snort.xml
+++ b/config/snort-dev/snort.xml
@@ -47,7 +47,7 @@ Currently there are no FAQ items provided. Snort 2.8.4.1_5 - Services: Snort 2.8.4.1_5 pkg v. 1.7 alpha + Services: Snort 2.8.4.1_5 pkg v. 1.8 alpha /usr/local/pkg/snort/snort.inc Snort
@@ -66,12 +66,17 @@ /usr/local/pkg/snort/ 077 - http://www.pfsense.com/packages/config/snort-dev/snort_base_files.inc + http://www.pfsense.com/packages/config/snort-dev/snort.inc /usr/local/pkg/snort/ 077 - http://www.pfsense.com/packages/config/snort-dev/snort.inc + http://www.pfsense.com/packages/config/snort-dev/snort_gui.inc + + + /usr/local/www/snort/images/ + 077 + http://www.pfsense.com/packages/config/snort-dev/images/alert.jpg /usr/local/www/snort/ @@ -89,14 +94,34 @@ http://www.pfsense.com/packages/config/snort-dev/snort_interfaces_global.php - /usr/local/pkg/snort/ + /usr/local/www/snort/ 077 - http://www.pfsense.com/packages/config/snort-dev/snort_gui.inc + http://www.pfsense.com/packages/config/snort-dev/snort_barnyard.php - /usr/local/www/snort/images/ + /usr/local/www/snort/ 077 - http://www.pfsense.com/packages/config/snort-dev/images/alert.jpg + http://www.pfsense.com/packages/config/snort-dev/snort_blocked.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_define_servers.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_rules.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_rules_edit.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort-dev/snort_rulesets.php diff --git a/config/snort-dev/snort_barnyard.php b/config/snort-dev/snort_barnyard.php new file mode 100644 index 00000000..d703b5dc --- /dev/null +++ b/config/snort-dev/snort_barnyard.php 
@@ -0,0 +1,294 @@
+.
+ Copyright (C) 2008-2009 Robert Zelaya.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/*
+
+TODO: Nov 12 09
+Clean this code up its ugly
+Important add error checking
+
+*/
+
+require("guiconfig.inc");
+
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ $config['installedpackages']['snortglobal']['rule'] = array();
+}
+//nat_rules_sort();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+
+if (isset($_GET['dup'])) {
+ $id = $_GET['dup'];
+ $after = $_GET['dup'];
+}
+
+if (isset($id) && $a_nat[$id]) {
+
+ /* new options */
+ $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable'];
+ $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql'];
+ /* old options */
+ $pconfig['enable'] = $a_nat[$id]['enable'];
+ $pconfig['interface'] = $a_nat[$id]['interface'];
+ $pconfig['descr'] = $a_nat[$id]['descr'];
+ $pconfig['performance'] = $a_nat[$id]['performance'];
+ $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7'];
+ $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype'];
+ $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog'];
+ $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog'];
+ $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog'];
+ $pconfig['flow_depth'] = $a_nat[$id]['flow_depth'];
+
+ if (!$pconfig['interface'])
+ $pconfig['interface'] = "wan";
+} else {
+ $pconfig['interface'] = "wan";
+}
+
+if (isset($_GET['dup']))
+ unset($id);
+
+if ($_POST) {
+
+ /* check for overlaps */
+ foreach ($a_nat as $natent) {
+ if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent))
+ continue;
+ if ($natent['interface'] != $_POST['interface'])
+ continue;
+ }
+
+/* if no errors write to conf */
+ if (!$input_errors) {
+ $natent = array();
+ /* repost the options already in conf */
+ $natent['enable'] = $pconfig['enable'];
+ $natent['interface'] = $pconfig['interface'];
+ $natent['descr'] = $pconfig['descr'];
+ $natent['performance'] = $pconfig['performance'];
+ $natent['blockoffenders7'] = 
$pconfig['blockoffenders7']; + $natent['snortalertlogtype'] = $pconfig['snortalertlogtype']; + $natent['alertsystemlog'] = $pconfig['alertsystemlog']; + $natent['tcpdumplog'] = $pconfig['tcpdumplog']; + $natent['flow_depth'] = $pconfig['flow_depth']; + /* post new options */ + $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? on : off; + $natent['barnyard_mysql'] = $_POST['barnyard_mysql'] ? $_POST['barnyard_mysql'] : $pconfig['barnyard_mysql']; + if ($_POST['barnyard_enable'] == "on") { $natent['snortunifiedlog'] = on; }else{ $natent['snortunifiedlog'] = off; } if ($_POST['barnyard_enable'] == "") { $natent['snortunifiedlog'] = off; } + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + /* enable this if you want the user to aprove changes */ + // touch($d_natconfdirty_path); + + write_config(); + + /* after click go to this page */ + header("Location: snort_barnyard.php?id=$id"); + exit; + } +} + +$pgtitle = "Services: Snort Barnyard2 Edit"; +include("head.inc"); + +?> + + + + + +

+ + + +
+ + + + +
+ +
+ + + .noid { + position:absolute; + top:10px; + left:0px; + width:94%; + background:#FCE9C0; + background-position: 15px; + border-top:2px solid #DBAC48; + border-bottom:2px solid #DBAC48; + padding: 15px 10px 85% 50px; + } + +
You can not edit options without an interface ID.
\n"; + + } + ?> + + + \n\n"; + ?> + + + + + + + + + + + + + + + + + +
  + + // care with spaces + if ($pconfig['barnyard_enable'] == "on") + $checked = checked; + if($id != "") + { + $onclick_enable = "onClick=\"enable_change(false)\">"; + } + echo " + Enable Barnyard2 on this Interface
+ This will enable barnyard2 for this interface. You will also have to set the database credentials.
Interface +
+ Choose which interface this rule applies to.
+ Hint: in most cases, you'll want to use WAN here.
Log to a Mysql Database + +
Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz
  + + + + +
 Note: +
+ Please save your settings befor you click start.
+
+
+ + + + + diff --git a/config/snort-dev/snort_base_files.inc b/config/snort-dev/snort_base_files.inc deleted file mode 100644 index f6832ad8..00000000 --- a/config/snort-dev/snort_base_files.inc +++ /dev/null 
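Review bot: `$id` comes straight from `$_GET['id']`/`$_POST['id']` and is used unvalidated as the `$a_nat` index and inside the `header("Location: snort_barnyard.php?id=$id")` redirect, and when a POST carries no usable id the write path falls through to `$a_nat[] = $natent`, appending a new `snortglobal/rule` entry even though the page itself states that options cannot be edited without an interface ID. Validate once where the id is read, `if (isset($id) && !is_numeric($id)) unset($id);`, and in the POST branch refuse the save unless the entry exists or the dup path supplied a numeric `$after`, e.g. `if (!isset($id) && !is_numeric($after)) $input_errors[] = "An interface ID is required.";`. As written `$input_errors` is never populated, so the `if (!$input_errors)` guard always passes, and the "check for overlaps" loop has no effect because both of its branches only `continue`. The bare constants in `$_POST['barnyard_enable'] ? on : off` and `$natent['snortunifiedlog'] = on;` should be the quoted strings `"on"`/`"off"`; PHP 5 accepts them as strings only with a notice and later versions reject them. `$_POST['barnyard_mysql']` is stored verbatim and, per the NOTES.txt plan, is presumably emitted into barnyard.conf by snort.inc later, so it should at least have line breaks stripped before it is written to the config.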
@@ -1,2025 +0,0 @@ - - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. - Snort{$snortIf} - 2.8.4.1_5 - Services: Snort 2.8.4.1_5 pkg v. 
1.6 {$snortIf} - /usr/local/pkg/snort.inc - - - Snort Interfaces - /snort_interfaces.php - - - Settings - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 - - - - Categories - snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php - - - Rules - snort/snort_{$snortIf}/snort_rules_{$snortIf}.php - - - Servers - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 - - - Threshold - /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml - - - Barnyard2 - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 - - - - - Interface - iface_array - Select the interface(s) Snort will listen on. - interfaces_selection - 3 - lan - true - - - Memory Performance - performance - Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small -memory,moderate performance, ac-sparsebands: small memory, high performance. - select - - - - - - - - - - - - BPF Buffer size - bpfbufsize - Changing this option adjusts the system BPF buffer size. Leave blank if you do not know what this does. Default is 1024. - input - - - Maximum BPF buffer size - bpfmaxbufsize - Changing this option adjusts the system maximum BPF buffer size. Leave blank if you do not know what this does. Default is 524288. This value should never be set above hardware cache size. The -best (optimal size) is 50% - 80% of the hardware cache size. - input - - - Maximum BPF inserts - bpfmaxinsns - Changing this option adjusts the system maximum BPF insert size. Leave blank if you do not know what this does. Default is 512. - input - - - Advanced configuration pass through - configpassthru - Add items to here will be automatically inserted into the running snort configuration - textarea - 40 - 5 - - - Snort signature info files. - signatureinfo - Snort signature info files will be installed during updates. 
At leats 500 mb of memory is needed. - checkbox - - - Alerts Tab logging type. - snortalertlogtype - Please choose the type of Alert logging you will like see in the Alerts Tab. The options are Full descriptions or Fast short descriptions - select - - - - - - - Send alerts to main System logs. - alertsystemlog - Snort will send Alerts to the Pfsense system logs. - checkbox - - - Log to a Tcpdump file. - tcpdumplog - Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large. - checkbox - - - - snort_deinstall(); - - - -EOD; - -/* write out snort_xml */ -$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_{$snortIf}.xml", "w"); -if(!$bconf) -{ - log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_{$snortIf}.xml for writing."); - exit; - } - fwrite($bconf, $snort_xml_text); - fclose($bconf); - - conf_mount_ro(); - - } -} - -/* create barnyard2.xml for every interface selected */ -function create_snort_barnyard2_xml() -{ -include("filter.inc"); -include("config.inc"); - - global $bconfig, $bg; - - conf_mount_rw(); - - $first = 0; - $snortInterfaces = array(); /* -gtm */ - - $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; - $if_array = split(',', $if_list); - //print_r($if_array); - if($if_array) { - foreach($if_array as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - - if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { - $if = "ng0"; - } - - /* build a list of user specified interfaces -gtm */ - if($if){ - array_push($snortInterfaces, $if); - $first = 1; - } - } - - if (count($snortInterfaces) < 1) { - log_error("Snort will not start. You must select an interface for it to listen on."); - return; - } - } - - - foreach($snortInterfaces as $snortIf) - { - -$snort_barnyard2_text = << - - - - - . - All rights reserved. 
- */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. 
- barnyard2{$snortIf} - none - Services: Barnyard2 {$snortIf} - /usr/local/pkg/snort.inc - - - Snort Interfaces - /snort_interfaces.php - - - Settings - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 - - - Categories - snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php - - - Rules - snort/snort_{$snortIf}/snort_rules_{$snortIf}.php - - - Servers - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 - - - Threshold - /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml - - - Barnyard2 - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 - - - - - - Enable Barnyard2. - snortbarnyardlog - This will enable barnyard2 in the snort package. You will also have to set the database credentials. - checkbox - - - Barnyard2 Log Mysql Database. - snortbarnyardlog_database - Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz - input - 101 - - - - Barnyard2 Configure Hostname ID. - snortbarnyardlog_hostname - Example: pfsense.local - input - 25 - - - - Barnyard2 Configure Interface ID - snortbarnyardlog_interface - Example: vr0 - input - 25 - - - - Log Alerts to a snort unified2 file. - snortunifiedlog - Snort will log Alerts to a file in the UNIFIED2 format. This is a requirement for barnyard2. 
- checkbox - - - - snort_advanced(); - - - -EOD; - -/* write out snort_barnyard2_xml */ -$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml", "w"); -if(!$bconf) -{ - log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml for writing."); - exit; - } - fwrite($bconf, $snort_barnyard2_text); - fclose($bconf); - - conf_mount_ro(); - - } -} - - -/* create snort_define_servers.xml for every interface selected */ -function create_snort_define_servers_xml() -{ -include("filter.inc"); -include("config.inc"); - - global $bconfig, $bg; - - conf_mount_rw(); - - $first = 0; - $snortInterfaces = array(); /* -gtm */ - - $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; - $if_array = split(',', $if_list); - //print_r($if_array); - if($if_array) { - foreach($if_array as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - - if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { - $if = "ng0"; - } - - /* build a list of user specified interfaces -gtm */ - if($if){ - array_push($snortInterfaces, $if); - $first = 1; - } - } - - if (count($snortInterfaces) < 1) { - log_error("Snort will not start. You must select an interface for it to listen on."); - return; - } - } - - - foreach($snortInterfaces as $snortIf) - { - -$snort_define_servers_xml_text = << - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. 
Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. - SnortDefServers{$snortIf} - none - Services: Snort Define Servers {$snortIf} - /usr/local/pkg/snort.inc - - - Snort Interfaces - /snort_interfaces.php - - - Settings - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 - - - Categories - snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php - - - Rules - snort/snort_{$snortIf}/snort_rules_{$snortIf}.php - - - Servers - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 - - - - Threshold - /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml - - - Barnyard2 - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 - - - - - Define DNS_SERVERS - def_dns_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. 
- input - 101 - - - - Define DNS_PORTS - def_dns_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 53. - input - 43 - - - - Define SMTP_SERVERS - def_smtp_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define SMTP_PORTS - def_smtp_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 25. - input - 43 - - - - Define Mail_Ports - def_mail_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 25,143,465,691. - input - 43 - - - - Define HTTP_SERVERS - def_http_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define WWW_SERVERS - def_www_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define HTTP_PORTS - def_http_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 80. - input - 43 - - - - Define SQL_SERVERS - def_sql_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define ORACLE_PORTS - def_oracle_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 1521. - input - 43 - - - - Define MSSQL_PORTS - def_mssql_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 1433. - input - 43 - - - - Define TELNET_SERVERS - def_telnet_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define TELNET_PORTS - def_telnet_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 23. - input - 43 - - - - Define SNMP_SERVERS - def_snmp_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define SNMP_PORTS - def_snmp_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 161. 
- input - 43 - - - - Define FTP_SERVERS - def_ftp_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define FTP_PORTS - def_ftp_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 21. - input - 43 - - - - Define SSH_SERVERS - def_ssh_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define SSH_PORTS - def_ssh_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is Pfsense SSH port. - input - 43 - - - - Define POP_SERVERS - def_pop_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define POP2_PORTS - def_pop2_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 109. - input - 43 - - - - Define POP3_PORTS - def_pop3_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 110. - input - 43 - - - - Define IMAP_SERVERS - def_imap_servers - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define IMAP_PORTS - def_imap_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 143. - input - 43 - - - - Define SIP_PROXY_IP - def_sip_proxy_ip - Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. - input - 101 - - - - Define SIP_PROXY_PORTS - def_sip_proxy_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 5060:5090,16384:32768. - input - 43 - - - - Define AUTH_PORTS - def_auth_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 113. - input - 43 - - - - Define FINGER_PORTS - def_finger_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 79. - input - 43 - - - - Define IRC_PORTS - def_irc_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". 
Default is 6665,6666,6667,6668,6669,7000. - input - 43 - - - - Define NNTP_PORTS - def_nntp_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 119. - input - 43 - - - - Define RLOGIN_PORTS - def_rlogin_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 513. - input - 43 - - - - Define RSH_PORTS - def_rsh_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 514. - input - 43 - - - - Define SSL_PORTS - def_ssl_ports - Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 25,443,465,636,993,995. - input - 43 - - - - - snort_define_servers(); - - - -EOD; - -/* write out snort_define_servers_xml */ -$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml", "w"); -if(!$bconf) -{ - log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml for writing."); - exit; - } - fwrite($bconf, $snort_define_servers_xml_text); - fclose($bconf); - - conf_mount_ro(); - - } -} - -/* create snort_threshold.xml for every interface selected */ -function create_snort_threshold_xml() -{ -include("filter.inc"); -include("config.inc"); - - global $bconfig, $bg; - - conf_mount_rw(); - - $first = 0; - $snortInterfaces = array(); /* -gtm */ - - $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; - $if_array = split(',', $if_list); - //print_r($if_array); - if($if_array) { - foreach($if_array as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - - if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { - $if = "ng0"; - } - - /* build a list of user specified interfaces -gtm */ - if($if){ - array_push($snortInterfaces, $if); - $first = 1; - } - } - - if (count($snortInterfaces) < 1) { - log_error("Snort will not start. 
You must select an interface for it to listen on."); - return; - } - } - - - foreach($snortInterfaces as $snortIf) - { - -$snort_threshold_xml_text = << - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. 
- snort-threshold{$snortIf} - 0.1.0 - Snort: Alert Thresholding and Suppression {$snortIf} - /usr/local/pkg/snort.inc - - - - Snort Interfaces - /snort_interfaces.php - - - Settings - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 - - - Categories - snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php - - - Rules - snort/snort_{$snortIf}/snort_rules_{$snortIf}.php - - - Servers - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 - - - Threshold - /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml - - - - Barnyard2 - /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 - - - - - Thresholding or Suppression Rule - threshrule - - - Description - description - - - - - Thresholding or Suppression Rule - threshrule - Enter the Rule. Example; "suppress gen_id 125, sig_id 4" or "threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60" - input - 40 - - - Description - description - Enter the description for this item - input - 60 - - - - - - - - create_snort_conf(); - - - -EOD; - -/* write out snort_threshold_xml */ -$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml", "w"); -if(!$bconf) -{ - log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml for writing."); - exit; - } - fwrite($bconf, $snort_threshold_xml_text); - fclose($bconf); - - conf_mount_ro(); - - } -} - -/* create snort_rules.php for every interface selected */ -function create_snort_rules_php() -{ -include("filter.inc"); -include("config.inc"); - - global $bconfig, $bg; - - conf_mount_rw(); - - $first = 0; - $snortInterfaces = array(); /* -gtm */ - - $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; - $if_array = split(',', $if_list); - //print_r($if_array); - if($if_array) { - foreach($if_array as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - - 
if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { - $if = "ng0"; - } - - /* build a list of user specified interfaces -gtm */ - if($if){ - array_push($snortInterfaces, $if); - $first = 1; - } - } - - if (count($snortInterfaces) < 1) { - log_error("Snort will not start. You must select an interface for it to listen on."); - return; - } - } - - - foreach($snortInterfaces as $snortIf) - { - -$snort_rules_php_text = <<"; - -echo "\n -\n -\n - \n - \n - \n - \n - \n - \n -
\n"; - - \$tab_array = array(); - \$tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0"); - \$tab_array[] = array(gettext("Categories"), false, "snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php"); - \$tab_array[] = array(gettext("Rules"), true, "snort/snort_{$snortIf}/snort_rules_{$snortIf}.php"); - \$tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0"); - \$tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml"); - \$tab_array[] = array(gettext("Barnyard2"), false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0"); - display_top_tabs(\$tab_array); - -echo "
\n -
\n - \n - \n - \n - \n -
\n -# The rules directory is empty.\n -
\n -
\n -
\n -\n -\n -\n -

\n\n"; - -echo "Please click on the Update Rules tab to install your selected rule sets."; -include("fend.inc"); - -echo ""; -echo ""; - -exit(0); - -} - -function get_middle(\$source, \$beginning, \$ending, \$init_pos) { - \$beginning_pos = strpos(\$source, \$beginning, \$init_pos); - \$middle_pos = \$beginning_pos + strlen(\$beginning); - \$ending_pos = strpos(\$source, \$ending, \$beginning_pos); - \$middle = substr(\$source, \$middle_pos, \$ending_pos - \$middle_pos); - return \$middle; -} - -function write_rule_file(\$content_changed, \$received_file) -{ - conf_mount_rw(); - - //read snort file with writing enabled - \$filehandle = fopen(\$received_file, "w"); - - //delimiter for each new rule is a new line - \$delimiter = "\n"; - - //implode the array back into a string for writing purposes - \$fullfile = implode(\$delimiter, \$content_changed); - - //write data to file - fwrite(\$filehandle, \$fullfile); - - //close file handle - fclose(\$filehandle); - - conf_mount_rw(); -} - -function load_rule_file(\$incoming_file) -{ - - //read snort file - \$filehandle = fopen(\$incoming_file, "r"); - - //read file into string, and get filesize - \$contents = fread(\$filehandle, filesize(\$incoming_file)); - - //close handler - fclose (\$filehandle); - - //string for populating category select - \$currentruleset = substr(\$file, 27); - - //delimiter for each new rule is a new line - \$delimiter = "\n"; - - //split the contents of the string file into an array using the delimiter - \$splitcontents = explode(\$delimiter, \$contents); - - return \$splitcontents; - -} - -\$ruledir = "/usr/local/etc/snort_{$snortIf}/rules_{$snortIf}/"; -\$dh = opendir(\$ruledir); - -\$message_reload = "The Snort rule configuration has been changed.
You must apply the changes in order for them to take effect."; - -while (false !== (\$filename = readdir(\$dh))) -{ - //only populate this array if its a rule file - \$isrulefile = strstr(\$filename, ".rules"); - if (\$isrulefile !== false) - { - \$files[] = \$filename; - } -} - -sort(\$files); - -if (\$_GET['openruleset']) -{ - \$file = \$_GET['openruleset']; -} -else -{ - \$file = \$ruledir.\$files[0]; - -} - -//Load the rule file -\$splitcontents = load_rule_file(\$file); - -if (\$_POST) -{ - if (!\$_POST['apply']) { - //retrieve POST data - \$post_lineid = \$_POST['lineid']; - \$post_enabled = \$_POST['enabled']; - \$post_src = \$_POST['src']; - \$post_srcport = \$_POST['srcport']; - \$post_dest = \$_POST['dest']; - \$post_destport = \$_POST['destport']; - - //clean up any white spaces insert by accident - \$post_src = str_replace(" ", "", \$post_src); - \$post_srcport = str_replace(" ", "", \$post_srcport); - \$post_dest = str_replace(" ", "", \$post_dest); - \$post_destport = str_replace(" ", "", \$post_destport); - - //copy rule contents from array into string - \$tempstring = \$splitcontents[\$post_lineid]; - - //search string - \$findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled - \$disabled = strstr(\$tempstring, \$findme); - - //if find alert is false, then rule is disabled - if (\$disabled !== false) - { - //has rule been enabled - if (\$post_enabled == "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - \$tempstring = str_replace("# alert", "alert", \$tempstring); - \$counter2 = 1; - } - else - { - //rule is staying disabled - \$counter2 = 2; - } - } - else - { - //has rule been disabled - if (\$post_enabled != "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - \$tempstring = str_replace("alert", "# alert", \$tempstring); - \$counter2 = 2; - } - else - { - //rule is staying enabled - \$counter2 = 1; - } - } - - //explode rule contents into 
an array, (delimiter is space) - \$rule_content = explode(' ', \$tempstring); - - //insert new values - \$counter2++; - \$rule_content[\$counter2] = \$post_src;//source location - \$counter2++; - \$rule_content[\$counter2] = \$post_srcport;//source port location - \$counter2 = \$counter2+2; - \$rule_content[\$counter2] = \$post_dest;//destination location - \$counter2++; - \$rule_content[\$counter2] = \$post_destport;//destination port location - - //implode the array back into string - \$tempstring = implode(' ', \$rule_content); - - //copy string into file array for writing - \$splitcontents[\$post_lineid] = \$tempstring; - - //write the new .rules file - write_rule_file(\$splitcontents, \$file); - - //once file has been written, reload file - \$splitcontents = load_rule_file(\$file); - - \$stopMsg = true; - } - - if (\$_POST['apply']) { -// stop_service("snort"); -// sleep(2); -// start_service("snort"); - \$savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; - \$stopMsg = false; - } - -} -else if (\$_GET['act'] == "toggle") -{ - \$toggleid = \$_GET['id']; - - //copy rule contents from array into string - \$tempstring = \$splitcontents[\$toggleid]; - - //explode rule contents into an array, (delimiter is space) - \$rule_content = explode(' ', \$tempstring); - - //search string - \$findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled - \$disabled = strstr(\$tempstring, \$findme); - - //if find alert is false, then rule is disabled - if (\$disabled !== false) - { - //rule has been enabled - //move counter up 1, so we do not retrieve the # in the rule_content array - \$tempstring = str_replace("# alert", "alert", \$tempstring); - - } - else - { - //has rule been disabled - //move counter up 1, so we do not retrieve the # in the rule_content array - \$tempstring = str_replace("alert", "# alert", \$tempstring); - - } - - //copy string into array for writing - 
\$splitcontents[\$toggleid] = \$tempstring; - - //write the new .rules file - write_rule_file(\$splitcontents, \$file); - - //once file has been written, reload file - \$splitcontents = load_rule_file(\$file); - - \$stopMsg = true; - - //write disable/enable sid to config.xml - if (\$disabled == false) { - \$string_sid = strstr(\$tempstring, 'sid:'); - \$sid_pieces = explode(";", \$string_sid); - \$sid_off_cut = \$sid_pieces[0]; - // sid being turned off - \$sid_off = str_replace("sid:", "", \$sid_off_cut); - // rule_sid_on registers - \$sid_on_pieces = \$config['installedpackages']['snort']['rule_sid_on']; - // if off sid is the same as on sid remove it - \$sid_on_old = str_replace("||enablesid \$sid_off", "", "\$sid_on_pieces"); - // write the replace sid back as empty - \$config['installedpackages']['snort']['rule_sid_on'] = \$sid_on_old; - // rule sid off registers - \$sid_off_pieces = \$config['installedpackages']['snort']['rule_sid_off']; - // if off sid is the same as off sid remove it - \$sid_off_old = str_replace("||disablesid \$sid_off", "", "\$sid_off_pieces"); - // write the replace sid back as empty - \$config['installedpackages']['snort']['rule_sid_off'] = \$sid_off_old; - // add sid off registers to new off sid - \$config['installedpackages']['snort']['rule_sid_off'] = "||disablesid \$sid_off" . 
\$config['installedpackages']['snort']['rule_sid_off']; - write_config(); - } - else - { - \$string_sid = strstr(\$tempstring, 'sid:'); - \$sid_pieces = explode(";", \$string_sid); - \$sid_on_cut = \$sid_pieces[0]; - // sid being turned off - \$sid_on = str_replace("sid:", "", \$sid_on_cut); - // rule_sid_off registers - \$sid_off_pieces = \$config['installedpackages']['snort']['rule_sid_off']; - // if off sid is the same as on sid remove it - \$sid_off_old = str_replace("||disablesid \$sid_on", "", "\$sid_off_pieces"); - // write the replace sid back as empty - \$config['installedpackages']['snort']['rule_sid_off'] = \$sid_off_old; - // rule sid on registers - \$sid_on_pieces = \$config['installedpackages']['snort']['rule_sid_on']; - // if on sid is the same as on sid remove it - \$sid_on_old = str_replace("||enablesid \$sid_on", "", "\$sid_on_pieces"); - // write the replace sid back as empty - \$config['installedpackages']['snort']['rule_sid_on'] = \$sid_on_old; - // add sid on registers to new on sid - \$config['installedpackages']['snort']['rule_sid_on'] = "||enablesid \$sid_on" . \$config['installedpackages']['snort']['rule_sid_on']; - write_config(); - } - -} - - -\$pgtitle = "Snort: Rules"; -require("guiconfig.inc"); -include("head.inc"); -?> - - - -

"; -?> -
- -
-
- - - - - - - - - -
- -
-
- - - - -
- - - - - - - - - - - - - - Category: "; - - //string for populating category select - \$currentruleset = substr(\$file, 27); - ?> - - - - - "; - \$textse = ""; - \$iconb = "icon_block_d.gif"; - } - else - { - \$textss = \$textse = ""; - \$iconb = "icon_block.gif"; - } - - \$rule_content = explode(' ', \$tempstring); - - \$protocol = \$rule_content[\$counter2];//protocol location - \$counter2++; - \$source = \$rule_content[\$counter2];//source location - \$counter2++; - \$source_port = \$rule_content[\$counter2];//source port location - \$counter2 = \$counter2+2; - \$destination = \$rule_content[\$counter2];//destination location - \$counter2++; - \$destination_port = \$rule_content[\$counter2];//destination port location - - \$message = get_middle(\$tempstring, 'msg:"', '";', 0); - - echo ""; - echo ""; - - echo ""; - echo ""; - echo ""; - echo ""; - echo ""; - ?> - -
"; - ?> -
 SIDProtoSourcePortDestinationPortMessage
"; - echo \$textss; - ?> - - "; - - - echo ""; - echo \$textss; - echo \$sid; - echo \$textse; - echo ""; - echo \$textss; - echo \$protocol; - \$printcounter++; - echo \$textse; - echo ""; - echo \$textss; - echo \$source; - echo \$textse; - echo ""; - echo \$textss; - echo \$source_port; - echo \$textse; - echo ""; - echo \$textss; - echo \$destination; - echo \$textse; - echo ""; - echo \$textss; - echo \$destination_port; - echo \$textse; - echo " - "; - ?> - - - - - -
-
-
- - - - - - - - - - - - - -
Rule Enabled
Rule Disabled
-

- -

-
- - - - - - - - - - -EOD; - -/* write out snort_rules_php */ -$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_rules_{$snortIf}.php", "w"); -if(!$bconf) -{ - log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_rules_{$snortIf}.php for writing."); - exit; - } - fwrite($bconf, $snort_rules_php_text); - fclose($bconf); - - conf_mount_ro(); - - } -} - -/* create snort_rules_edit.php for every interface selected */ -function create_snort_rules_edit_php() -{ -include("filter.inc"); -include("config.inc"); - - global $bconfig, $bg; - - conf_mount_rw(); - - $first = 0; - $snortInterfaces = array(); /* -gtm */ - - $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; - $if_array = split(',', $if_list); - //print_r($if_array); - if($if_array) { - foreach($if_array as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - - if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { - $if = "ng0"; - } - - /* build a list of user specified interfaces -gtm */ - if($if){ - array_push($snortInterfaces, $if); - $first = 1; - } - } - - if (count($snortInterfaces) < 1) { - log_error("Snort will not start. You must select an interface for it to listen on."); - return; - } - } - - - foreach($snortInterfaces as $snortIf) - { - -$snort_rules_edit_php_text = << - - - - -

"; -?> - - - - - - - -
- -
-
- - - - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Enabled: >
SID:
Protocol:
Source:
Source Port:
Direction:
Destination:
Destination Port:
Message:
Content:
Classtype:
Revision:
 
   
-
-
-
- - - - - -EOD; - -/* write out snort_rules_edit_php */ -$bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_rules_edit_{$snortIf}.php", "w"); -if(!$bconf) -{ - log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_rules_edit_{$snortIf}.php for writing."); - exit; - } - fwrite($bconf, $snort_rules_edit_php_text); - fclose($bconf); - - conf_mount_ro(); - - } -} - - -create_snort_xml(); - -create_snort_barnyard2_xml(); - -create_snort_define_servers_xml(); - -create_snort_threshold_xml(); - -create_snort_rules_php(); - -create_snort_rules_edit_php(); - -?> diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php new file mode 100644 index 00000000..ff158853 --- /dev/null +++ b/config/snort-dev/snort_blocked.php @@ -0,0 +1,174 @@ + + + + + +

"; +?> + +
+ + + + + + + + + + +
+ +
+
+ + + + +
+ + + + + + +"; + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + } + echo "\n"; + if($counter < 1) + echo "\n"; + else + echo "\n"; + +?> + +
RemoveIPAlert Description
"; + echo "\n\"Delete\" {$ww_ip} {$alert_description}
 
There are currently no items being blocked by snort.
{$counter} items listed.
+
+
+
+ +
+ +

+ + + + + + + + + \ No newline at end of file diff --git a/config/snort-dev/snort_define_servers.php b/config/snort-dev/snort_define_servers.php new file mode 100644 index 00000000..243e106f --- /dev/null +++ b/config/snort-dev/snort_define_servers.php 
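Review bot: `{$ww_ip}` and `{$alert_description}` are interpolated unescaped into the echoed table row (`echo "\n\"Delete\" {$ww_ip} {$alert_description}`); if the description is taken from Snort alert output it carries rule `msg:` text, and anything in it that is not plain alphanumerics is rendered as markup on this page rather than shown literally. Passing both through `htmlspecialchars()` before the row is built, e.g. `$alert_description = htmlspecialchars($alert_description);`, keeps the display literal without changing what is stored. The hunk as shown does not include how the "Delete" link and its handler are built, so I cannot tell whether the removal action checks that the address it receives is well-formed; that is worth confirming in the same file. The empty-table text `There are currently no items being blocked by snort.` should spell the product name `Snort` as the rest of the UI does.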
@@ -0,0 +1,494 @@ +. + Copyright (C) 2008-2009 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/
+
+/*
+
+TODO: Nov 12 09
+Clean this code up its ugly
+Important add error checking
+
+*/
+
+require("guiconfig.inc");
+
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ $config['installedpackages']['snortglobal']['rule'] = array();
+}
+//nat_rules_sort();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+
+if (isset($_GET['dup'])) {
+ $id = $_GET['dup'];
+ $after = $_GET['dup'];
+}
+
+if (isset($id) && $a_nat[$id]) {
+
+ /* new options */
+ $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers'];
+ $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports'];
+ $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers'];
+ $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports'];
+ $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports'];
+ $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers'];
+ $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers'];
+ $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports'];
+ $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers'];
+ $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports'];
+ $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports'];
+ $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers'];
+ $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports'];
+ $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers'];
+ $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports'];
+ $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers'];
+ $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports'];
+ $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers'];
+ $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports'];
+ $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers'];
+ $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports'];
+ $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports'];
+ $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers'];
+ $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports'];
+ $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip'];
+ $pconfig['ip def_sip_proxy_ports'] = $a_nat[$id]['ip def_sip_proxy_ports'];
+ $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports'];
+ $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports'];
+ $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports'];
+ $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports'];
+ $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports'];
+ $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports'];
+ $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports'];
+ /* old options */
+ $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable'];
+ $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql'];
+ $pconfig['enable'] = $a_nat[$id]['enable'];
+ $pconfig['interface'] = $a_nat[$id]['interface'];
+ $pconfig['descr'] = $a_nat[$id]['descr'];
+ $pconfig['performance'] = $a_nat[$id]['performance'];
+ $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7'];
+ $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype'];
+ $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog'];
+ $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog'];
+ $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog'];
+ $pconfig['flow_depth'] = $a_nat[$id]['flow_depth'];
+
+if (isset($_GET['dup']))
+ unset($id);
+}
+
+if ($_POST) {
+
+ /* check for overlaps */
+
+/* if no errors write to conf */
+ if (!$input_errors) {
+ $natent = array();
+ /* repost the options already in conf */
+ $natent['enable'] = $pconfig['enable'];
+ $natent['interface'] = $pconfig['interface'];
+ $natent['descr'] = $pconfig['descr'];
+ $natent['performance'] = $pconfig['performance'];
+ $natent['blockoffenders7'] = $pconfig['blockoffenders7'];
+ $natent['snortalertlogtype'] = $pconfig['snortalertlogtype'];
+ $natent['alertsystemlog'] = $pconfig['alertsystemlog'];
+ $natent['tcpdumplog'] = $pconfig['tcpdumplog'];
+ $natent['snortunifiedlog'] = $pconfig['snortunifiedlog'];
+ $natent['flow_depth'] = $pconfig['flow_depth'];
+ $natent['barnyard_enable'] = $pconfig['barnyard_enable'];
+ $natent['barnyard_mysql'] = $pconfig['barnyard_mysql'];
+
+ /* post new options */
+ if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; }else{ $natent['def_dns_servers'] = ""; }
+ if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; }else{ $natent['def_dns_ports'] = ""; }
+ if ($_POST['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $_POST['def_smtp_servers']; }else{ $natent['def_smtp_servers'] = ""; }
+ if ($_POST['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $_POST['def_smtp_ports']; }else{ $natent['def_smtp_ports'] = ""; }
+ if ($_POST['def_mail_ports'] != "") { $natent['def_mail_ports'] = $_POST['def_mail_ports']; }else{ $natent['def_mail_ports'] = ""; }
+ if ($_POST['def_http_servers'] != "") { $natent['def_http_servers'] = $_POST['def_http_servers']; }else{ $natent['def_http_servers'] = ""; }
+ if ($_POST['def_www_servers'] != "") { $natent['def_www_servers'] = $_POST['def_www_servers']; }else{ $natent['def_www_servers'] = ""; }
+ if ($_POST['def_http_ports'] != "") { $natent['def_http_ports'] = $_POST['def_http_ports']; }else{ $natent['def_http_ports'] = ""; }
+ if ($_POST['def_sql_servers'] != "") { $natent['def_sql_servers'] = $_POST['def_sql_servers']; }else{ $natent['def_sql_servers'] = ""; }
+ if ($_POST['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $_POST['def_oracle_ports']; }else{ $natent['def_oracle_ports'] = ""; }
+ if ($_POST['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $_POST['def_mssql_ports']; }else{ $natent['def_mssql_ports'] = ""; }
+ if ($_POST['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $_POST['def_telnet_servers']; }else{ $natent['def_telnet_servers'] = ""; }
+ if ($_POST['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $_POST['def_telnet_ports']; }else{ $natent['def_telnet_ports'] = ""; }
+ if ($_POST['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $_POST['def_snmp_servers']; }else{ $natent['def_snmp_servers'] = ""; }
+ if ($_POST['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $_POST['def_snmp_ports']; }else{ $natent['def_snmp_ports'] = ""; }
+ if ($_POST['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $_POST['def_ftp_servers']; }else{ $natent['def_ftp_servers'] = ""; }
+ if ($_POST['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $_POST['def_ftp_ports']; }else{ $natent['def_ftp_ports'] = ""; }
+ if ($_POST['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $_POST['def_ssh_servers']; }else{ $natent['def_ssh_servers'] = ""; }
+ if ($_POST['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $_POST['def_ssh_ports']; }else{ $natent['def_ssh_ports'] = ""; }
+ if ($_POST['def_pop_servers'] != "") { $natent['def_pop_servers'] = $_POST['def_pop_servers']; }else{ $natent['def_pop_servers'] = ""; }
+ if ($_POST['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $_POST['def_pop2_ports']; }else{ $natent['def_pop2_ports'] = ""; }
+ if ($_POST['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $_POST['def_pop3_ports']; }else{ $natent['def_pop3_ports'] = ""; }
+ if ($_POST['def_imap_servers'] != "") { $natent['def_imap_servers'] = $_POST['def_imap_servers']; }else{ $natent['def_imap_servers'] = ""; }
+ if ($_POST['def_imap_ports'] != "") { $natent['def_imap_ports'] = $_POST['def_imap_ports']; }else{ $natent['def_imap_ports'] = ""; }
+ if ($_POST['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $_POST['def_sip_proxy_ip']; }else{ $natent['def_sip_proxy_ip'] = ""; }
+ if ($_POST['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $_POST['def_sip_proxy_ports']; }else{ $natent['def_sip_proxy_ports'] = ""; }
+ if ($_POST['def_auth_ports'] != "") { $natent['def_auth_ports'] = $_POST['def_auth_ports']; }else{ $natent['def_auth_ports'] = ""; }
+ if ($_POST['def_finger_ports'] != "") { $natent['def_finger_ports'] = $_POST['def_finger_ports']; }else{ $natent['def_finger_ports'] = ""; }
+ if ($_POST['def_irc_ports'] != "") { $natent['def_irc_ports'] = $_POST['def_irc_ports']; }else{ $natent['def_irc_ports'] = ""; }
+ if ($_POST['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $_POST['def_nntp_ports']; }else{ $natent['def_nntp_ports'] = ""; }
+ if ($_POST['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $_POST['def_rlogin_ports']; }else{ $natent['def_rlogin_ports'] = ""; }
+ if ($_POST['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $_POST['def_rsh_ports']; }else{ $natent['def_rsh_ports'] = ""; }
+ if ($_POST['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $_POST['def_ssl_ports']; }else{ $natent['def_ssl_ports'] = ""; }
+
+
+ if (isset($id) && $a_nat[$id])
+ $a_nat[$id] = $natent;
+ else {
+ if (is_numeric($after))
+ array_splice($a_nat, $after+1, 0, array($natent));
+ else
+ $a_nat[] = $natent;
+ }
+
+ /* enable this if you want the user to aprove changes */
+ // touch($d_natconfdirty_path);
+
+ write_config();
+
+ /* after click go to this page */
+ header("Location: snort_define_servers.php?id=$id");
+ exit;
+ }
+}
+
+$pgtitle = "Services: Snort Define Servers";
+include("head.inc");
+
+?>
+
+
+
+

Please enable JavaScript to view this content
+ +

+ + + +
+ + + + +
+ +
+ + + .noid { + position:absolute; + top:10px; + left:0px; + width:94%; + background:#FCE9C0; + background-position: 15px; + border-top:2px solid #DBAC48; + border-bottom:2px solid #DBAC48; + padding: 15px 10px 85% 50px; + } + +
You can not edit options without an interface ID.
\n"; + + } + ?> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
 Note:
+ Please save your settings befor you click start.
+ Please make sure there are no spaces in your definitions. +
Define DNS_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define DNS_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 53.
Define SMTP_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define SMTP_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25.
Define Mail_Ports + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,143,465,691.
Define HTTP_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define WWW_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define HTTP_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 80.
Define SQL_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define ORACLE_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1521.
Define MSSQL_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1433.
Define TELNET_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define TELNET_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 23.
Define SNMP_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define SNMP_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 161.
Define FTP_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define FTP_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 21.
Define SSH_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define SSH_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is Pfsense SSH port.
Define POP_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define POP2_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 109.
Define POP3_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 110.
Define IMAP_SERVERS + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define IMAP_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 143.
Define SIP_PROXY_IP + +
Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.
Define SIP_PROXY_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 5060:5090,16384:32768.
Define AUTH_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 113.
Define FINGER_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 79.
Define IRC_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 6665,6666,6667,6668,6669,7000.
Define NNTP_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 119.
Define RLOGIN_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 513.
Define RSH_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 514.
Define SSL_PORTS + +
Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,443,465,636,993,995.
  + + + + +
 Note: +
+ Please save your settings befor you click start.
+
+
+ + + + + diff --git a/config/snort-dev/snort_interfaces_edit.php b/config/snort-dev/snort_interfaces_edit.php index 49f40638..e2ee443d 100644 --- a/config/snort-dev/snort_interfaces_edit.php +++ b/config/snort-dev/snort_interfaces_edit.php @@ -57,7 +57,10 @@ if (isset($id) && $a_nat[$id]) { $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; + $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; + $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; if (!$pconfig['interface']) $pconfig['interface'] = "wan"; 
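Review bot: The read-back of the saved SIP proxy ports uses the key `'ip def_sip_proxy_ports'` (with a stray `ip ` prefix) on both sides of the assignment, while the POST handler stores that field under `'def_sip_proxy_ports'`, so the form can never show a previously saved value for it; the line should read `$pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports'];`. The `/* check for overlaps */` block is empty and `$input_errors` is never assigned, so every `$_POST['def_*']` value reaches `write_config()` unchecked even though the file's own TODO asks for error checking; each `*_servers`/`*_ip` field should be checked with pfSense's address and subnet helpers (`is_ipaddr`, `is_subnet`) and each `*_ports` field with a port or port-range check, pushing a message onto `$input_errors` on failure, since these strings presumably end up in the generated snort.conf. `$id` is likewise taken straight from `$_GET`/`$_POST` and interpolated into the `Location:` header; guarding it with `is_numeric($id)` (already used for `$after` in this hunk) before any use would close that off. The thirty-odd one-line `if ($_POST[...] != "") {...} else {...}` statements could be a single `foreach` over a key list, which would also give the validation one place to live.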
@@ -125,16 +128,24 @@ if ($_POST) { /* if no errors write to conf */ if (!$input_errors) { $natent = array(); - $natent['enable'] = $_POST['enable'] ? on : off; - /* if option is diabled add a default answer */ + + /* write to conf for 1st time or rewrite the answer */ $natent['interface'] = $_POST['interface'] ? $_POST['interface'] : $pconfig['interface']; - $natent['descr'] = $_POST['descr']; - $natent['performance'] = $_POST['performance']; - $natent['blockoffenders7'] = $_POST['blockoffenders7'] ? on : off; - $natent['snortalertlogtype'] = $_POST['snortalertlogtype']; - $natent['alertsystemlog'] = $_POST['alertsystemlog'] ? on : off; - $natent['tcpdumplog'] = $_POST['tcpdumplog'] ? on : off; - $natent['flow_depth'] = $_POST['flow_depth']; + /* if post write to conf or rewite the answer */ + $natent['enable'] = $_POST['enable'] ? on : off; + $natent['descr'] = $_POST['descr'] ? $_POST['descr'] : $pconfig['descr']; + $natent['performance'] = $_POST['performance'] ? $_POST['performance'] : $pconfig['performance']; + /* if post = on use on off or rewrite the conf */ + if ($_POST['blockoffenders7'] == "on") { $natent['blockoffenders7'] = on; }else{ $natent['blockoffenders7'] = off; } if ($_POST['enable'] == "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } + $natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? 
$_POST['snortalertlogtype'] : $pconfig['snortalertlogtype']; + if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = on; }else{ $natent['alertsystemlog'] = off; } if ($_POST['enable'] == "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } + if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = on; }else{ $natent['tcpdumplog'] = off; } if ($_POST['enable'] == "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } + if ($_POST['snortunifiedlog'] == "on") { $natent['snortunifiedlog'] = on; }else{ $natent['snortunifiedlog'] = off; } if ($_POST['enable'] == "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } + /* if optiion = 0 then the old descr way will not work */ + if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = $pconfig['flow_depth']; } + /* rewrite the options that are not in post */ + $natent['barnyard_enable'] = $pconfig['barnyard_enable']; + $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -200,6 +211,7 @@ echo " document.iform.snortalertlogtype.disabled = endis; document.iform.alertsystemlog.disabled = endis; document.iform.tcpdumplog.disabled = endis; + document.iform.snortunifiedlog.disabled = endis; } //--> @@ -300,7 +312,7 @@ if($id != "") $onclick_enable = "onClick=\"enable_change(false)\">"; } echo " - Enable Interface
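Review bot: `flow_depth` is copied straight from `$_POST['flow_depth']` into the saved entry in the `if ($_POST['flow_depth'] != "")` branch with no check that it is numeric, and this hunk is the only place the value is inspected before it reaches the config; the code that renders it into the snort configuration is outside this hunk, so I can only presume a non-numeric value ends up there. Since the hunk already gates the write on `if (!$input_errors)`, a one-line check alongside the existing validation, `if ($_POST['flow_depth'] != "" && !is_numeric($_POST['flow_depth'])) $input_errors[] = "Flow depth must be a number.";`, rejects it at the form instead. The same hunk also assigns the barewords `on`/`off` in several places (e.g. `$natent['enable'] = $_POST['enable'] ? on : off;`); these are undefined constants that PHP turns into the strings "on"/"off" with a notice, so quoting them as `'on'`/`'off'` makes the stored value explicit and notice-free. The enclosing `if ($_POST)` block starts outside the hunk.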
\n\n"; ?> @@ -347,7 +359,7 @@ if($id != "") Block offenders - onClick="enable_change(false)">
+ onClick="enable_change(false)">
Checking this option will automatically block hosts that generate a snort alert. @@ -368,16 +380,22 @@ if($id != "") Send alerts to main System logs - onClick="enable_change(false)">
+ onClick="enable_change(false)">
Snort will send Alerts to the Pfsense system logs. Log to a Tcpdump file - onClick="enable_change(false)">
+ onClick="enable_change(false)">
Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large. + Log Alerts to a snort unified2 file + + onClick="enable_change(false)">
+ Snort will log Alerts to a file in the UNIFIED2 format. This is a requirement for barnyard2. + + HTTP server flow depth diff --git a/config/snort-dev/snort_rules.php b/config/snort-dev/snort_rules.php new file mode 100644 index 00000000..e83e9fc0 --- /dev/null +++ b/config/snort-dev/snort_rules.php @@ -0,0 +1,645 @@ +"; + +echo "\n +\n +
\n + \n + \n + \n + \n + \n + \n +
\n"; + + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); + +echo "
\n +
\n + \n + \n + \n + \n +
\n +# The rules directory is empty.\n +
\n +
\n +
\n +\n +\n +\n +

\n\n"; + +echo "Please click on the Update Rules tab to install your selected rule sets."; +include("fend.inc"); + +echo ""; +echo ""; + +exit(0); + +} + +function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; +} + +function write_rule_file($content_changed, $received_file) +{ + //read snort file with writing enabled + $filehandle = fopen($received_file, "w"); + + //delimiter for each new rule is a new line + $delimiter = "\n"; + + //implode the array back into a string for writing purposes + $fullfile = implode($delimiter, $content_changed); + + //write data to file + fwrite($filehandle, $fullfile); + + //close file handle + fclose($filehandle); + +} + +function load_rule_file($incoming_file) +{ + + //read snort file + $filehandle = fopen($incoming_file, "r"); + + //read file into string, and get filesize + $contents = fread($filehandle, filesize($incoming_file)); + + //close handler + fclose ($filehandle); + + + //string for populating category select + $currentruleset = basename($file); + + //delimiter for each new rule is a new line + $delimiter = "\n"; + + //split the contents of the string file into an array using the delimiter + $splitcontents = explode($delimiter, $contents); + + return $splitcontents; + +} + +$ruledir = "/usr/local/etc/snort/snort_{$id}{$if_real}/rules/"; +$dh = opendir($ruledir); + +$message_reload = "The Snort rule configuration has been changed.
You must apply the changes in order for them to take effect."; + +while (false !== ($filename = readdir($dh))) +{ + //only populate this array if its a rule file + $isrulefile = strstr($filename, ".rules"); + if ($isrulefile !== false) + { + $files[] = $filename; + } +} + +sort($files); + +if ($_GET['openruleset']) +{ + $file = $_GET['openruleset']; +} +else +{ + $file = $ruledir.$files[0]; + +} + +//Load the rule file +$splitcontents = load_rule_file($file); + +if ($_POST) +{ + if (!$_POST['apply']) { + //retrieve POST data + $post_lineid = $_POST['lineid']; + $post_enabled = $_POST['enabled']; + $post_src = $_POST['src']; + $post_srcport = $_POST['srcport']; + $post_dest = $_POST['dest']; + $post_destport = $_POST['destport']; + + //clean up any white spaces insert by accident + $post_src = str_replace(" ", "", $post_src); + $post_srcport = str_replace(" ", "", $post_srcport); + $post_dest = str_replace(" ", "", $post_dest); + $post_destport = str_replace(" ", "", $post_destport); + + //copy rule contents from array into string + $tempstring = $splitcontents[$post_lineid]; + + //search string + $findme = "# alert"; //find string for disabled alerts + + //find if alert is disabled + $disabled = strstr($tempstring, $findme); + + //if find alert is false, then rule is disabled + if ($disabled !== false) + { + //has rule been enabled + if ($post_enabled == "yes") + { + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("# alert", "alert", $tempstring); + $counter2 = 1; + } + else + { + //rule is staying disabled + $counter2 = 2; + } + } + else + { + //has rule been disabled + if ($post_enabled != "yes") + { + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("alert", "# alert", $tempstring); + $counter2 = 2; + } + else + { + //rule is staying enabled + $counter2 = 1; + } + } + + //explode rule contents into an array, (delimiter is space) + $rule_content = 
explode(' ', $tempstring); + + //insert new values + $counter2++; + $rule_content[$counter2] = $post_src;//source location + $counter2++; + $rule_content[$counter2] = $post_srcport;//source port location + $counter2 = $counter2+2; + $rule_content[$counter2] = $post_dest;//destination location + $counter2++; + $rule_content[$counter2] = $post_destport;//destination port location + + //implode the array back into string + $tempstring = implode(' ', $rule_content); + + //copy string into file array for writing + $splitcontents[$post_lineid] = $tempstring; + + //write the new .rules file + write_rule_file($splitcontents, $file); + + //once file has been written, reload file + $splitcontents = load_rule_file($file); + + $stopMsg = true; + } + + if ($_POST['apply']) { +// stop_service("snort"); +// sleep(2); +// start_service("snort"); + $savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; + $stopMsg = false; + } + +} +else if ($_GET['act'] == "toggle") +{ + $toggleid = $_GET['ids']; + + //copy rule contents from array into string + $tempstring = $splitcontents[$toggleid]; + + //explode rule contents into an array, (delimiter is space) + $rule_content = explode(' ', $tempstring); + + //search string + $findme = "# alert"; //find string for disabled alerts + + //find if alert is disabled + $disabled = strstr($tempstring, $findme); + + //if find alert is false, then rule is disabled + if ($disabled !== false) + { + //rule has been enabled + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("# alert", "alert", $tempstring); + + } + else + { + //has rule been disabled + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("alert", "# alert", $tempstring); + + } + + //copy string into array for writing + $splitcontents[$toggleid] = $tempstring; + + //write the new .rules file + write_rule_file($splitcontents, 
$file); + + //once file has been written, reload file + $splitcontents = load_rule_file($file); + + $stopMsg = true; + + //write disable/enable sid to config.xml + if ($disabled == false) { + $string_sid = strstr($tempstring, 'sid:'); + $sid_pieces = explode(";", $string_sid); + $sid_off_cut = $sid_pieces[0]; + // sid being turned off + $sid_off = str_replace("sid:", "", $sid_off_cut); + // rule_sid_on registers + $sid_on_pieces = $a_nat[$id]['rule_sid_on']; + // if off sid is the same as on sid remove it + $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); + // write the replace sid back as empty + $a_nat[$id]['rule_sid_on'] = $sid_on_old; + // rule sid off registers + $sid_off_pieces = $a_nat[$id]['rule_sid_off']; + // if off sid is the same as off sid remove it + $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); + // write the replace sid back as empty + $a_nat[$id]['rule_sid_off'] = $sid_off_old; + // add sid off registers to new off sid + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; + write_config(); + } + else + { + $string_sid = strstr($tempstring, 'sid:'); + $sid_pieces = explode(";", $string_sid); + $sid_on_cut = $sid_pieces[0]; + // sid being turned off + $sid_on = str_replace("sid:", "", $sid_on_cut); + // rule_sid_off registers + $sid_off_pieces = $a_nat[$id]['rule_sid_off']; + // if off sid is the same as on sid remove it + $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); + // write the replace sid back as empty + $a_nat[$id]['rule_sid_off'] = $sid_off_old; + // rule sid on registers + $sid_on_pieces = $a_nat[$id]['rule_sid_on']; + // if on sid is the same as on sid remove it + $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); + // write the replace sid back as empty + $a_nat[$id]['rule_sid_on'] = $sid_on_old; + // add sid on registers to new on sid + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . 
$a_nat[$id]['rule_sid_on']; + write_config(); + } + +} + +$currentruleset = basename($file); + +$pgtitle = "Snort: Interface $id$if_real Rule File $currentruleset"; +require("guiconfig.inc"); +include("head.inc"); +?> + + + +

+"; +?> + + + + + + + + + + + +
+ +
+
+ + + + +
+ + + + + + + + + + + + + + Category: "; + + //string for populating category select + $currentruleset = basename($file); + + ?> + + + + + "; + $textse = ""; + $iconb = "icon_block_d.gif"; + } + else + { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + } + + $rule_content = explode(' ', $tempstring); + + $protocol = $rule_content[$counter2];//protocol location + $counter2++; + $source = $rule_content[$counter2];//source location + $counter2++; + $source_port = $rule_content[$counter2];//source port location + $counter2 = $counter2+2; + $destination = $rule_content[$counter2];//destination location + $counter2++; + $destination_port = $rule_content[$counter2];//destination port location + + if (strstr($tempstring, 'msg: "')) + $message = get_middle($tempstring, 'msg: "', '";', 0); + if (strstr($tempstring, 'msg:"')) + $message = get_middle($tempstring, 'msg:"', '";', 0); + + echo ""; + echo ""; + + echo ""; + echo ""; + echo ""; + echo ""; + echo ""; + ?> + +
"; + ?> +
 SIDProtoSourcePortDestinationPortMessage
"; + echo $textss; + ?> + + "; + + + echo ""; + echo $textss; + echo $sid; + echo $textse; + echo ""; + echo $textss; + echo $protocol; + $printcounter++; + echo $textse; + echo ""; + echo $textss; + echo $source; + echo $textse; + echo ""; + echo $textss; + echo $source_port; + echo $textse; + echo ""; + echo $textss; + echo $destination; + echo $textse; + echo ""; + echo $textss; + echo $destination_port; + echo $textse; + echo " + "; + ?> + + + + + +
+
+
+ + + + + + + + + + + + + +
Rule Enabled
Rule Disabled
+

+ +

+
+ + + + + + + + + \ No newline at end of file diff --git a/config/snort-dev/snort_rules_edit.php b/config/snort-dev/snort_rules_edit.php new file mode 100644 index 00000000..69d946a9 --- /dev/null +++ b/config/snort-dev/snort_rules_edit.php @@ -0,0 +1,439 @@ + + + +
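Review bot: `$file = $_GET['openruleset'];` is passed unchanged to `load_rule_file()` and later to `write_rule_file()` (in both the POST edit branch and the `act=toggle` branch), so the rule file that is read and then rewritten is chosen by the query string rather than confined to `$ruledir`, and any path the web server user can reach could be read back into the page or overwritten. Build the path from the directory listing the page already makes: `$file = $ruledir . basename($_GET['openruleset']);` followed by `if (!in_array(basename($file), $files)) $file = $ruledir . $files[0];`, so only a `.rules` file that `readdir()` enumerated is ever opened, which also matches the form the default branch (`$file = $ruledir.$files[0];`) already uses. Separately, `load_rule_file()` calls `basename($file)` on an undefined `$file` (its parameter is `$incoming_file`) and never uses the result, so that line can be dropped, and `fopen()` is unchecked in both helpers, so a failed open in `write_rule_file()` would silently lose the edit. The PHP prologue of this file is not legible in the hunk, so where `$id` and `$if_real` in `$ruledir` come from cannot be confirmed here.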

+ + + + + + + + +
+ + +
+
+ + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Enabled: >
SID:
Type:
Protocol:
Source:
Source Port:
Direction:
Destination:
Destination Port:
Message:
Flow:
Content:
Metadata:
Reference:
Reference2:
Classtype:
Revision:
 
+
+
+
+ + + + \ No newline at end of file diff --git a/config/snort-dev/snort_rulesets.php b/config/snort-dev/snort_rulesets.php new file mode 100644 index 00000000..ede379b0 --- /dev/null +++ b/config/snort-dev/snort_rulesets.php @@ -0,0 +1,258 @@ +"; + +echo "\n +\n +\n + \n + \n + \n + \n + \n + \n +
\n"; + + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); + +echo "
\n +
\n + \n + \n + \n + \n +
\n +# The rules directory is empty. /usr/local/etc/snort/snort_{$id}{$if_real}/rules \n +
\n +
\n +
\n +\n +\n +\n +

\n\n"; + +echo "Please click on the Update Rules tab to install your selected rule sets. $isrulesfolderempty"; +include("fend.inc"); + +echo ""; +echo ""; + +exit(0); + +} + +if($_POST) { + $enabled_items = ""; + $isfirst = true; + if (is_array($_POST['toenable'])) { + foreach($_POST['toenable'] as $toenable) { + if(!$isfirst) + $enabled_items .= "||"; + $enabled_items .= "{$toenable}"; + $isfirst = false; + } + }else{ + $enabled_items = $_POST['toenable']; + } + $a_nat[$id]['rulesets'] = $enabled_items; + write_config(); +// stop_service("snort"); +// create_snort_conf(); +// sleep(2); +// start_service("snort"); + $savemsg = "The snort ruleset selections have been saved."; +} + +$enabled_rulesets = $a_nat[$id]['rulesets']; +if($enabled_rulesets) + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + +$pgtitle = "Snort: {$id}{$if_real} Categories"; +include("head.inc"); + +?> + + + + +

"; +?> + +"; + +?> + + + + + + + + + + + +
+ +
+
+ + + + + + + + +
+ + + + + + +"; + echo ""; + echo ""; + //echo ""; + } + +?> +
EnabledRuleset: Rules that end with "so.rules" are shared object rules.
"; + if(is_array($enabled_rulesets_array)) + if(in_array($file, $enabled_rulesets_array)) { + $CHECKED = " checked=\"checked\""; + } else { + $CHECKED = ""; + } + else + $CHECKED = ""; + echo " "; + echo ""; + echo "{$file}"; + echo ""; + //echo "description"; + //echo "
+
 
Check the rulesets that you would like Snort to load at startup.
 
+
+
+ + + +

NOTE: You can click on a ruleset name to edit the ruleset. + + + + + + + \ No newline at end of file -- cgit v1.2.3
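Review bot: The values in `$_POST['toenable']` are joined and written to `$a_nat[$id]['rulesets']` via `write_config()` without checking that each one is a ruleset name the page itself listed, and the non-array `else` branch stores the raw posted string as well; the stored list is presumably consumed by the configuration writer outside this file, so the form should accept only the names it offered. A guard inside the `foreach`, `if (!in_array($toenable, $files)) continue;`, limits the saved set to the `.rules` files the checkbox loop enumerates, provided that directory scan (which I cannot see in the stripped hunk) runs before the `$_POST` handler. `split("\|\|", $enabled_rulesets)` is the POSIX-regex split, deprecated from PHP 5.3; `explode("||", $enabled_rulesets)` does the same job here without a regex. The file header of this hunk is not legible, so the origin of `$id` and `$a_nat` is not confirmed from this view.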