From 3d6508062e1067ad3d64d2bd3874aa76620c8028 Mon Sep 17 00:00:00 2001 From: robiscool Date: Fri, 15 Jun 2012 13:11:49 -0700 Subject: snort-dev, remove win line ends that git auto adds, fix major startup issues, fix stop issues, add new log options --- config/snort-dev/css/sexybuttons.css | 684 +-- config/snort-dev/css/style.css | 412 +- config/snort-dev/help_and_info.php | 494 +- config/snort-dev/snort.inc | 5034 ++++++++++---------- config/snort-dev/snort.xml | 410 +- config/snort-dev/snort_alerts.php | 1164 ++--- config/snort-dev/snort_barnyard.php | 538 +-- config/snort-dev/snort_blocked.php | 852 ++-- config/snort-dev/snort_check_for_rule_updates.php | 1380 +++--- config/snort-dev/snort_define_servers.php | 1082 ++--- config/snort-dev/snort_download_rules.php | 1338 +++--- config/snort-dev/snort_download_updates.php | 644 +-- config/snort-dev/snort_interfaces.php | 885 ++-- config/snort-dev/snort_interfaces_edit.php | 1488 +++--- config/snort-dev/snort_interfaces_global.php | 874 ++-- config/snort-dev/snort_interfaces_suppress.php | 342 +- .../snort-dev/snort_interfaces_suppress_edit.php | 590 +-- config/snort-dev/snort_interfaces_whitelist.php | 378 +- .../snort-dev/snort_interfaces_whitelist_edit.php | 828 ++-- config/snort-dev/snort_preprocessors.php | 782 +-- config/snort-dev/snort_rules.php | 916 ++-- config/snort-dev/snort_rules_edit.php | 376 +- config/snort-dev/snort_rulesets.php | 626 +-- 23 files changed, 11082 insertions(+), 11035 deletions(-) (limited to 'config/snort-dev') diff --git a/config/snort-dev/css/sexybuttons.css b/config/snort-dev/css/sexybuttons.css index c3834b44..db36a287 100644 --- a/config/snort-dev/css/sexybuttons.css +++ b/config/snort-dev/css/sexybuttons.css @@ -1,342 +1,342 @@ -/* - * Sexy Buttons - * - * DESCRIPTION: - * Sexy, skinnable HTML/CSS buttons with icons. - * - * PROJECT URL: - * http://code.google.com/p/sexybuttons/ - * - * AUTHOR: - * Richard Davies - * http://www.richarddavies.us - * Richard@richarddavies.us - * - * VERSION: - * 1.1 - * - * LICENSE: - * Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0) - * Creative Commons 3.0 Attribution (http://creativecommons.org/licenses/by/3.0/) - * - * CREDITS: - * Inspired by, derived from, and thanks to: - * http://www.p51labs.com/simply-buttons-v2/ - * http://www.oscaralexander.com/tutorials/how-to-make-sexy-buttons-with-css.html - * http://www.zurb.com/article/266/super-awesome-buttons-with-css3-and-rgba - * http://www.elctech.com/snippets/make-your-buttons-look-super-awesome - * - * USAGE: - * Simply add class="sexybutton [skin]" to a - */ - - -/* - * Generic styles for all Sexy Buttons - */ - -.sexybutton { - display: inline-block; - margin: 0; - padding: 0; - font: bold 13px "Helvetica Neue", Helvetica, Arial !important; - text-decoration: none !important; - text-shadow: 1px 1px 2px rgba(0,0,0,0.20); - background: none; - border: none; - white-space: nowrap; - cursor: pointer; - user-select: none; - -moz-user-select: none; - - /* Fix extra width padding in IE */ - _width: 0; - overflow: visible; -} - -.sexybutton span { - display: block; /* Prevents :active from working in IE--oh well! */ - height: 24px; - padding-right: 12px; - background-repeat: no-repeat; - background-position: right top; -} - -.sexybutton span span { - padding-right: 0; - padding-left: 12px; - line-height: 24px; - background-position: left top; -} - -.sexybutton span span span { - padding-left: 21px; - background-image: none; - background-repeat: no-repeat; - background-position: left center; - /* IE6 still requires a PNG transparency fix */ - /* _background-image: none; Or just hide icons from the undeserving IE6 */ - /* _padding-left: 0; Or just hide icons from the undeserving IE6 */ -} - -.sexybutton span span span.after { - padding-left: 0px; - padding-right: 21px; - background-position: right center; - /* IE6 still requires a PNG transparency fix */ - /* _padding-right: 0; Or just hide icons from the undeserving IE6 */ -} - -.sexybutton[disabled], -.sexybutton[disabled]:hover, -.sexybutton[disabled]:focus, -.sexybutton[disabled]:active, -.sexybutton.disabled, -.sexybutton.disabled:hover, -.sexybutton.disabled:focus, -.sexybutton.disabled:active { - color: #333 !important; - cursor: inherit; - text-shadow: none; - opacity: 0.33; -} - -.sexybutton:hover span, -.sexybutton:focus span { - background-position: 100% -24px; -} - -.sexybutton:hover span span, -.sexybutton:focus span span { - background-position: 0% -24px; -} - -.sexybutton:active span { - background-position: 100% -48px; -} - -.sexybutton:active span span { - background-position: 0% -48px; -} - -.sexybutton[disabled] span, -.sexybutton.disabled span { - background-position: 100% -72px; -} - -.sexybutton[disabled] span span, -.sexybutton.disabled span span { - background-position: 0% -72px; -} - -.sexybutton:hover span span span, -.sexybutton:focus span span span, -.sexybutton:active span span span, -.sexybutton[disabled] span span span, -.sexybutton.disabled span span span { - background-position: left center; -} - -.sexybutton:hover span span span.after, -.sexybutton:focus span span span.after, -.sexybutton:active span span span.after, -.sexybutton[disabled] span span span.after, -.sexybutton.disabled span span span.after { - background-position: right center; -} - -.sexybutton img { - margin-right: 5px; - vertical-align: text-top; - /* IE6 Hack */ - _margin-top: 4px; - _vertical-align: text-bottom; - /* IE6 still requires a PNG transparency fix */ - /* _display: none; Or just hide icons from the undeserving IE6 */ -} - -.sexybutton img.after { - margin-right: 0; - margin-left: 5px; - /* IE6 still requires a PNG transparency fix */ - /* _margin-left: 0; Or just hide icons from the undeserving IE6 */ -} - -.sexybutton.sexysmalls { font-size:.8em !important; } -.sexybutton.sexymedium { font-size: 15px !important; } -.sexybutton.sexylarge { font-size: 18px !important; } - - -/* - * Button Skins - * - * .PNG background images with alpha transparency are also supplied if you'd rather use them instead of the - * default .GIF images. (Just beware of IE6's lack of support.) - * - * Additional skins can be added below. The images/skins/ButtonTemplate.psd can be used to create new skins. - * Prefix the skin name with "sexy" to avoid any potential conflicts with other class names. - */ - -/* - * Simple Skin Buttons - */ - -.sexybutton.sexysimple { - position: relative; - padding: 5px 10px 5px; - font: inherit; - font-size: .85em !important; - font-style: normal !important; - font-weight: bold !important; - color: #fff !important; - line-height: 1; - background-image: url(/snort/images//awesome-overlay-sprite.png); - background-repeat: repeat-x; - background-position: 0 0; - - /* Special effects */ - text-shadow: 0 -1px 1px rgba(0,0,0,0.25), -2px 0 1px rgba(0,0,0,0.25); - border-radius: 5px; - -moz-border-radius: 5px; - -webkit-border-radius: 5px; - -moz-box-shadow: 0 1px 2px rgba(0,0,0,0.5); - -webkit-box-shadow: 0 1px 2px rgba(0,0,0,0.5); - - /* IE only stuff */ - border-bottom: 1px solid transparent\9; - _background-image: none; - - /* Cross browser inline block hack - http://blog.mozilla.com/webdev/2009/02/20/cross-browser-inline-block/ */ - display: -moz-inline-stack; - display: inline-block; - vertical-align: middle; - *display: inline !important; - position: relative; - - /* Force hasLayout in IE */ - zoom: 1; - - /* Disable text selection (Firefox only)*/ - -moz-user-select: none; -} - -.sexybutton.sexysimple::selection { - background: transparent; -} - -.sexybutton.sexysimple:hover, -.sexybutton.sexysimple:focus { - background-position: 0 -50px; - color: #fff !important; -} - -.sexybutton.sexysimple:active { - background-position: 0 -100px; - -moz-box-shadow: inset 0 1px 2px rgba(0,0,0,0.7); - /* Unfortunately, Safari doesn't support inset yet */ - -webkit-box-shadow: none; - - /* IE only stuff */ - border-bottom: 0\9; - border-top: 1px solid #666\9; -} - -.sexybutton.sexysimple[disabled], -.sexybutton.sexysimple.disabled { - background-position: 0 -150px; - color: #333 !important; - text-shadow: none; -} - -.sexybutton.sexysimple[disabled]:hover, -.sexybutton.sexysimple[disabled]:focus, -.sexybutton.sexysimple[disabled]:active, -.sexybutton.sexysimple.disabled:hover, -.sexybutton.sexysimple.disabled:focus, -.sexybutton.sexysimple.disabled:active { - -moz-box-shadow: 0 1px 2px rgba(0,0,0,0.5); - -webkit-box-shadow: 0 1px 2px rgba(0,0,0,0.5); -} - -.sexybutton.sexysimple span { - height: auto; - padding-left: 24px; - padding-right: 0; - background-position: left center; - background-repeat: no-repeat; - /* IE6 still requires a PNG transparency fix */ - /* _padding-left: 0; Or just hide icons from the undeserving IE6 */ -} - -.sexybutton.sexysimple span.after { - padding-left: 0; - padding-right: 24px; - background-position: right center; - /* IE6 still requires a PNG transparency fix */ - /* _padding-right: 0; Or just hide icons from the undeserving IE6 */ -} - -/* Simple button colors */ -.sexybutton.sexysimple { background-color: #333; } /* Default */ -.sexybutton.sexysimple.sexyblack { background-color: #333; } -.sexybutton.sexysimple.sexyred { background-color: #a90118; } -.sexybutton.sexysimple.sexyorange { background-color: #ff8a00; } -.sexybutton.sexysimple.sexyyellow { background-color: #ffb515; } -.sexybutton.sexysimple.sexygreen { background-color: #59a901; } -.sexybutton.sexysimple.sexyblue { background-color: #015ea9; } -.sexybutton.sexysimple.sexyteal { background-color: #2daebf; } -.sexybutton.sexysimple.sexymagenta { background-color: #a9014b; } -.sexybutton.sexysimple.sexypurple { background-color: #9d01a9; } - -/* Simple button sizes */ -.sexybutton.sexysimple.sexysmall { padding: 4px 7px 5px; font-size: 10px !important; } -.sexybutton.sexysimple.sexysmall:active { padding: 5px 7px 4px; } -.sexybutton.sexysimple { /* default */ } -.sexybutton.sexysimple:active { padding: 6px 10px 4px; } -.sexybutton.sexysimple.sexymedium { /* default */ } -.sexybutton.sexysimple.sexymedium:active { padding: 6px 10px 4px; } -.sexybutton.sexysimple.sexylarge { padding: 8px 14px 8px; font-size: 14px !important; } -.sexybutton.sexysimple.sexylarge:active { padding: 9px 14px 7px; } -.sexybutton.sexysimple.sexyxl { padding: 8px 14px 8px; font-size: 16px !important; } -.sexybutton.sexysimple.sexyxl:active { padding: 9px 14px 7px; } -.sexybutton.sexysimple.sexyxxl { padding: 8px 14px 8px; font-size: 20px !important; } -.sexybutton.sexysimple.sexyxxl:active { padding: 9px 14px 7px; } -.sexybutton.sexysimple.sexyxxxl { padding: 8px 14px 8px; font-size: 26px !important; } -.sexybutton.sexysimple.sexyxxxl:active { padding: 9px 14px 7px; } - -.sexybutton.sexysimple.sexysmall[disabled]:active, -.sexybutton.sexysimple.sexysmall.disabled:active { padding: 4px 7px 5px; } -.sexybutton.sexysimple[disabled]:active, -.sexybutton.sexysimple.disabled:active { padding: 5px 10px 5px; } -.sexybutton.sexysimple.sexymedium[disabled]:active, -.sexybutton.sexysimple.sexymedium.disabled:active { padding: 6px 10px 4px; } -.sexybutton.sexysimple.sexylarge[disabled]:active, -.sexybutton.sexysimple.sexylarge.disabled:active { padding: 8px 14px 8px; } -.sexybutton.sexysimple.sexyxl[disabled]:active, -.sexybutton.sexysimple.sexyxl.disabled:active { padding: 8px 14px 8px; } -.sexybutton.sexysimple.sexyxxl[disabled]:active, -.sexybutton.sexysimple.sexyxxl.disabled:active { padding: 8px 14px 8px; } -.sexybutton.sexysimple.sexyxxxl[disabled]:active, -.sexybutton.sexysimple.sexyxxxl.disabled:active { padding: 8px 14px 8px; } - - -/* - * Icon Definitions - */ - -/* Silk Icons - http://www.famfamfam.com/lab/icons/silk/ */ -/* (Obviously not all Silk icons are defined here. Feel free to define any other icons that you may need.) */ - -.sexybutton span.ok { background-image: url(/snort/images//tick.png) !important; } -.sexybutton span.cancel { background-image: url(/snort/images//cross.png) !important; } -.sexybutton span.add { background-image: url(/snort/images//add.png) !important; } -.sexybutton span.delete { background-image: url(/snort/images//delete.png) !important; } -.sexybutton span.download { background-image: url(/snort/images//arrow_down.png) !important; } -.sexybutton span.pwhitetxt { background-image: url(/snort/images//page_white_text.png) !important; } - +/* + * Sexy Buttons + * + * DESCRIPTION: + * Sexy, skinnable HTML/CSS buttons with icons. + * + * PROJECT URL: + * http://code.google.com/p/sexybuttons/ + * + * AUTHOR: + * Richard Davies + * http://www.richarddavies.us + * Richard@richarddavies.us + * + * VERSION: + * 1.1 + * + * LICENSE: + * Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0) + * Creative Commons 3.0 Attribution (http://creativecommons.org/licenses/by/3.0/) + * + * CREDITS: + * Inspired by, derived from, and thanks to: + * http://www.p51labs.com/simply-buttons-v2/ + * http://www.oscaralexander.com/tutorials/how-to-make-sexy-buttons-with-css.html + * http://www.zurb.com/article/266/super-awesome-buttons-with-css3-and-rgba + * http://www.elctech.com/snippets/make-your-buttons-look-super-awesome + * + * USAGE: + * Simply add class="sexybutton [skin]" to a + */ + + +/* + * Generic styles for all Sexy Buttons + */ + +.sexybutton { + display: inline-block; + margin: 0; + padding: 0; + font: bold 13px "Helvetica Neue", Helvetica, Arial !important; + text-decoration: none !important; + text-shadow: 1px 1px 2px rgba(0,0,0,0.20); + background: none; + border: none; + white-space: nowrap; + cursor: pointer; + user-select: none; + -moz-user-select: none; + + /* Fix extra width padding in IE */ + _width: 0; + overflow: visible; +} + +.sexybutton span { + display: block; /* Prevents :active from working in IE--oh well! */ + height: 24px; + padding-right: 12px; + background-repeat: no-repeat; + background-position: right top; +} + +.sexybutton span span { + padding-right: 0; + padding-left: 12px; + line-height: 24px; + background-position: left top; +} + +.sexybutton span span span { + padding-left: 21px; + background-image: none; + background-repeat: no-repeat; + background-position: left center; + /* IE6 still requires a PNG transparency fix */ + /* _background-image: none; Or just hide icons from the undeserving IE6 */ + /* _padding-left: 0; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton span span span.after { + padding-left: 0px; + padding-right: 21px; + background-position: right center; + /* IE6 still requires a PNG transparency fix */ + /* _padding-right: 0; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton[disabled], +.sexybutton[disabled]:hover, +.sexybutton[disabled]:focus, +.sexybutton[disabled]:active, +.sexybutton.disabled, +.sexybutton.disabled:hover, +.sexybutton.disabled:focus, +.sexybutton.disabled:active { + color: #333 !important; + cursor: inherit; + text-shadow: none; + opacity: 0.33; +} + +.sexybutton:hover span, +.sexybutton:focus span { + background-position: 100% -24px; +} + +.sexybutton:hover span span, +.sexybutton:focus span span { + background-position: 0% -24px; +} + +.sexybutton:active span { + background-position: 100% -48px; +} + +.sexybutton:active span span { + background-position: 0% -48px; +} + +.sexybutton[disabled] span, +.sexybutton.disabled span { + background-position: 100% -72px; +} + +.sexybutton[disabled] span span, +.sexybutton.disabled span span { + background-position: 0% -72px; +} + +.sexybutton:hover span span span, +.sexybutton:focus span span span, +.sexybutton:active span span span, +.sexybutton[disabled] span span span, +.sexybutton.disabled span span span { + background-position: left center; +} + +.sexybutton:hover span span span.after, +.sexybutton:focus span span span.after, +.sexybutton:active span span span.after, +.sexybutton[disabled] span span span.after, +.sexybutton.disabled span span span.after { + background-position: right center; +} + +.sexybutton img { + margin-right: 5px; + vertical-align: text-top; + /* IE6 Hack */ + _margin-top: 4px; + _vertical-align: text-bottom; + /* IE6 still requires a PNG transparency fix */ + /* _display: none; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton img.after { + margin-right: 0; + margin-left: 5px; + /* IE6 still requires a PNG transparency fix */ + /* _margin-left: 0; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton.sexysmalls { font-size:.8em !important; } +.sexybutton.sexymedium { font-size: 15px !important; } +.sexybutton.sexylarge { font-size: 18px !important; } + + +/* + * Button Skins + * + * .PNG background images with alpha transparency are also supplied if you'd rather use them instead of the + * default .GIF images. (Just beware of IE6's lack of support.) + * + * Additional skins can be added below. The images/skins/ButtonTemplate.psd can be used to create new skins. + * Prefix the skin name with "sexy" to avoid any potential conflicts with other class names. + */ + +/* + * Simple Skin Buttons + */ + +.sexybutton.sexysimple { + position: relative; + padding: 5px 10px 5px; + font: inherit; + font-size: .85em !important; + font-style: normal !important; + font-weight: bold !important; + color: #fff !important; + line-height: 1; + background-image: url(/snort/images//awesome-overlay-sprite.png); + background-repeat: repeat-x; + background-position: 0 0; + + /* Special effects */ + text-shadow: 0 -1px 1px rgba(0,0,0,0.25), -2px 0 1px rgba(0,0,0,0.25); + border-radius: 5px; + -moz-border-radius: 5px; + -webkit-border-radius: 5px; + -moz-box-shadow: 0 1px 2px rgba(0,0,0,0.5); + -webkit-box-shadow: 0 1px 2px rgba(0,0,0,0.5); + + /* IE only stuff */ + border-bottom: 1px solid transparent\9; + _background-image: none; + + /* Cross browser inline block hack - http://blog.mozilla.com/webdev/2009/02/20/cross-browser-inline-block/ */ + display: -moz-inline-stack; + display: inline-block; + vertical-align: middle; + *display: inline !important; + position: relative; + + /* Force hasLayout in IE */ + zoom: 1; + + /* Disable text selection (Firefox only)*/ + -moz-user-select: none; +} + +.sexybutton.sexysimple::selection { + background: transparent; +} + +.sexybutton.sexysimple:hover, +.sexybutton.sexysimple:focus { + background-position: 0 -50px; + color: #fff !important; +} + +.sexybutton.sexysimple:active { + background-position: 0 -100px; + -moz-box-shadow: inset 0 1px 2px rgba(0,0,0,0.7); + /* Unfortunately, Safari doesn't support inset yet */ + -webkit-box-shadow: none; + + /* IE only stuff */ + border-bottom: 0\9; + border-top: 1px solid #666\9; +} + +.sexybutton.sexysimple[disabled], +.sexybutton.sexysimple.disabled { + background-position: 0 -150px; + color: #333 !important; + text-shadow: none; +} + +.sexybutton.sexysimple[disabled]:hover, +.sexybutton.sexysimple[disabled]:focus, +.sexybutton.sexysimple[disabled]:active, +.sexybutton.sexysimple.disabled:hover, +.sexybutton.sexysimple.disabled:focus, +.sexybutton.sexysimple.disabled:active { + -moz-box-shadow: 0 1px 2px rgba(0,0,0,0.5); + -webkit-box-shadow: 0 1px 2px rgba(0,0,0,0.5); +} + +.sexybutton.sexysimple span { + height: auto; + padding-left: 24px; + padding-right: 0; + background-position: left center; + background-repeat: no-repeat; + /* IE6 still requires a PNG transparency fix */ + /* _padding-left: 0; Or just hide icons from the undeserving IE6 */ +} + +.sexybutton.sexysimple span.after { + padding-left: 0; + padding-right: 24px; + background-position: right center; + /* IE6 still requires a PNG transparency fix */ + /* _padding-right: 0; Or just hide icons from the undeserving IE6 */ +} + +/* Simple button colors */ +.sexybutton.sexysimple { background-color: #333; } /* Default */ +.sexybutton.sexysimple.sexyblack { background-color: #333; } +.sexybutton.sexysimple.sexyred { background-color: #a90118; } +.sexybutton.sexysimple.sexyorange { background-color: #ff8a00; } +.sexybutton.sexysimple.sexyyellow { background-color: #ffb515; } +.sexybutton.sexysimple.sexygreen { background-color: #59a901; } +.sexybutton.sexysimple.sexyblue { background-color: #015ea9; } +.sexybutton.sexysimple.sexyteal { background-color: #2daebf; } +.sexybutton.sexysimple.sexymagenta { background-color: #a9014b; } +.sexybutton.sexysimple.sexypurple { background-color: #9d01a9; } + +/* Simple button sizes */ +.sexybutton.sexysimple.sexysmall { padding: 4px 7px 5px; font-size: 10px !important; } +.sexybutton.sexysimple.sexysmall:active { padding: 5px 7px 4px; } +.sexybutton.sexysimple { /* default */ } +.sexybutton.sexysimple:active { padding: 6px 10px 4px; } +.sexybutton.sexysimple.sexymedium { /* default */ } +.sexybutton.sexysimple.sexymedium:active { padding: 6px 10px 4px; } +.sexybutton.sexysimple.sexylarge { padding: 8px 14px 8px; font-size: 14px !important; } +.sexybutton.sexysimple.sexylarge:active { padding: 9px 14px 7px; } +.sexybutton.sexysimple.sexyxl { padding: 8px 14px 8px; font-size: 16px !important; } +.sexybutton.sexysimple.sexyxl:active { padding: 9px 14px 7px; } +.sexybutton.sexysimple.sexyxxl { padding: 8px 14px 8px; font-size: 20px !important; } +.sexybutton.sexysimple.sexyxxl:active { padding: 9px 14px 7px; } +.sexybutton.sexysimple.sexyxxxl { padding: 8px 14px 8px; font-size: 26px !important; } +.sexybutton.sexysimple.sexyxxxl:active { padding: 9px 14px 7px; } + +.sexybutton.sexysimple.sexysmall[disabled]:active, +.sexybutton.sexysimple.sexysmall.disabled:active { padding: 4px 7px 5px; } +.sexybutton.sexysimple[disabled]:active, +.sexybutton.sexysimple.disabled:active { padding: 5px 10px 5px; } +.sexybutton.sexysimple.sexymedium[disabled]:active, +.sexybutton.sexysimple.sexymedium.disabled:active { padding: 6px 10px 4px; } +.sexybutton.sexysimple.sexylarge[disabled]:active, +.sexybutton.sexysimple.sexylarge.disabled:active { padding: 8px 14px 8px; } +.sexybutton.sexysimple.sexyxl[disabled]:active, +.sexybutton.sexysimple.sexyxl.disabled:active { padding: 8px 14px 8px; } +.sexybutton.sexysimple.sexyxxl[disabled]:active, +.sexybutton.sexysimple.sexyxxl.disabled:active { padding: 8px 14px 8px; } +.sexybutton.sexysimple.sexyxxxl[disabled]:active, +.sexybutton.sexysimple.sexyxxxl.disabled:active { padding: 8px 14px 8px; } + + +/* + * Icon Definitions + */ + +/* Silk Icons - http://www.famfamfam.com/lab/icons/silk/ */ +/* (Obviously not all Silk icons are defined here. Feel free to define any other icons that you may need.) */ + +.sexybutton span.ok { background-image: url(/snort/images//tick.png) !important; } +.sexybutton span.cancel { background-image: url(/snort/images//cross.png) !important; } +.sexybutton span.add { background-image: url(/snort/images//add.png) !important; } +.sexybutton span.delete { background-image: url(/snort/images//delete.png) !important; } +.sexybutton span.download { background-image: url(/snort/images//arrow_down.png) !important; } +.sexybutton span.pwhitetxt { background-image: url(/snort/images//page_white_text.png) !important; } + diff --git a/config/snort-dev/css/style.css b/config/snort-dev/css/style.css index b484966c..7fca38f3 100644 --- a/config/snort-dev/css/style.css +++ b/config/snort-dev/css/style.css @@ -1,206 +1,206 @@ -.alert { - position:absolute; - top:10px; - left:0px; - width:94%; -background:#FCE9C0; -background-position: 15px; -border-top:2px solid #DBAC48; -border-bottom:2px solid #DBAC48; -padding: 15px 10px 85% 50px; -} - -.formpre { -font-family:arial; -font-size: 1.1em; -} - -#download_rules { -font-family: arial; -font-size: 13px; -font-weight: bold; -text-align: center -} - -#download_rules_td { -font-family: arial; -font-size: 13px; -font-weight: bold; -text-align: center -} - -/* hack fix the hard coded fbegin link */ -#header-left2 { -position: absolute; -background-position: center center; -height: 67px; -width: 147px; -top: -77px; -left: 8px; -float: left; -z-index:999; -} -#header-left2 #status-link2 { - position: relative; - top: 3px; - left: 2px; -} -/* end of fbegin hack */ - -.body2 { -font-family:arial; -font-size:12px; -} - - - - -/* Start of main css Pfsense */ -/* Start of main css Pfsense */ - -@charset "utf-8"; -.textstyle { - font-family: Arial, Helvetica, sans-serif; - font-size: 12px; - font-style: normal; - background-color: #666; - color: #CCC; -} -.textstyle p2 a { - font-family: Arial, Helvetica, sans-serif; - font-size: 12px; - font-style: normal; - color: #CCC; -} - -.textstyle p { - font-family: Arial, Helvetica, sans-serif; - font-size: 24px; - font-weight: bold; - color: #FFF; - text-decoration: underline; -} -.textstyle p2 { - font-family: Arial, Helvetica, sans-serif; - font-size: 12px; - color: #CCC; -} - -/* Start of main css for table sort */ -/* Start of main css for table sort */ - -table { - margin: 0; - padding: 0; - border: 0; - font-weight: inherit; - font-style: inherit; - font-size: 9; - font-family: Arial, Helvetica, sans-serif; - vertical-align: baseline; -} - -/* Tables still need 'cellspacing="0"' in the markup. */ -table { border-collapse: separate; border-spacing: 0; } -caption, th, td { text-align: left; font-weight:400; } - -/* Remove possible quote marks (") from ,
. */ -blockquote:before, blockquote:after, q:before, q:after { content: ""; } -blockquote, q { quotes: "" ""; } - -#container { - width: auto; - margin: 0px; - padding-top: 10px; - padding-bottom: 10px; -} - - - -/************************************************************** - - Sortable Table - v 1.4 - -**************************************************************/ - - - -th { - background-color: #eee; - background: #eee url(/snort/images/icon-table-sort.png) no-repeat 2px 8px; - padding: 4px 4px 4px 14px; -} - -.allRow { - background-color: #eee; - padding: 4px; -} - -tr.altRow { - background-color: #fff; -} - -.leftAlign { - text-align: left; -} - -.centerAlign { - text-align: center; -} - -.rightAlign { - text-align: right; -} - -.sortedASC { - background: url(/snort/images/icon-table-sort-asc.png) no-repeat 2px 4px #eee; -} - -.sortedDESC { - background: url(/snort/images/icon-table-sort-desc.png) no-repeat 2px 10px #eee; -} - -.tableHeaderOver { - cursor: pointer; - color: #354158; -} - - -tr.selected { - background-color: 9999ff; - color: #000000; -} - -tr.over { - background-color: #993333; - color: #fff; - cursor: pointer; -} - -tr.hide { - display: none; -} -/***************************/ - -.mainTableFilter { - position: absolute; - top: 0; - left: -10px; - width: auto; -} - -.tableFilter { - border: 1px solid #ccc; - padding: 2px; - margin: 5px 0 10px 0; -} - -.tableFilter input { - border: 1px solid #ccc; -} - -.tableFilter select { - border: 1px solid #ccc; -} - +.alert { + position:absolute; + top:10px; + left:0px; + width:94%; +background:#FCE9C0; +background-position: 15px; +border-top:2px solid #DBAC48; +border-bottom:2px solid #DBAC48; +padding: 15px 10px 85% 50px; +} + +.formpre { +font-family:arial; +font-size: 1.1em; +} + +#download_rules { +font-family: arial; +font-size: 13px; +font-weight: bold; +text-align: center +} + +#download_rules_td { +font-family: arial; +font-size: 13px; +font-weight: bold; +text-align: center +} + +/* hack fix the hard coded fbegin link */ +#header-left2 { +position: absolute; +background-position: center center; +height: 67px; +width: 147px; +top: -77px; +left: 8px; +float: left; +z-index:999; +} +#header-left2 #status-link2 { + position: relative; + top: 3px; + left: 2px; +} +/* end of fbegin hack */ + +.body2 { +font-family:arial; +font-size:12px; +} + + + + +/* Start of main css Pfsense */ +/* Start of main css Pfsense */ + +@charset "utf-8"; +.textstyle { + font-family: Arial, Helvetica, sans-serif; + font-size: 12px; + font-style: normal; + background-color: #666; + color: #CCC; +} +.textstyle p2 a { + font-family: Arial, Helvetica, sans-serif; + font-size: 12px; + font-style: normal; + color: #CCC; +} + +.textstyle p { + font-family: Arial, Helvetica, sans-serif; + font-size: 24px; + font-weight: bold; + color: #FFF; + text-decoration: underline; +} +.textstyle p2 { + font-family: Arial, Helvetica, sans-serif; + font-size: 12px; + color: #CCC; +} + +/* Start of main css for table sort */ +/* Start of main css for table sort */ + +table { + margin: 0; + padding: 0; + border: 0; + font-weight: inherit; + font-style: inherit; + font-size: 9; + font-family: Arial, Helvetica, sans-serif; + vertical-align: baseline; +} + +/* Tables still need 'cellspacing="0"' in the markup. */ +table { border-collapse: separate; border-spacing: 0; } +caption, th, td { text-align: left; font-weight:400; } + +/* Remove possible quote marks (") from ,
. */ +blockquote:before, blockquote:after, q:before, q:after { content: ""; } +blockquote, q { quotes: "" ""; } + +#container { + width: auto; + margin: 0px; + padding-top: 10px; + padding-bottom: 10px; +} + + + +/************************************************************** + + Sortable Table + v 1.4 + +**************************************************************/ + + + +th { + background-color: #eee; + background: #eee url(/snort/images/icon-table-sort.png) no-repeat 2px 8px; + padding: 4px 4px 4px 14px; +} + +.allRow { + background-color: #eee; + padding: 4px; +} + +tr.altRow { + background-color: #fff; +} + +.leftAlign { + text-align: left; +} + +.centerAlign { + text-align: center; +} + +.rightAlign { + text-align: right; +} + +.sortedASC { + background: url(/snort/images/icon-table-sort-asc.png) no-repeat 2px 4px #eee; +} + +.sortedDESC { + background: url(/snort/images/icon-table-sort-desc.png) no-repeat 2px 10px #eee; +} + +.tableHeaderOver { + cursor: pointer; + color: #354158; +} + + +tr.selected { + background-color: 9999ff; + color: #000000; +} + +tr.over { + background-color: #993333; + color: #fff; + cursor: pointer; +} + +tr.hide { + display: none; +} +/***************************/ + +.mainTableFilter { + position: absolute; + top: 0; + left: -10px; + width: auto; +} + +.tableFilter { + border: 1px solid #ccc; + padding: 2px; + margin: 5px 0 10px 0; +} + +.tableFilter input { + border: 1px solid #ccc; +} + +.tableFilter select { + border: 1px solid #ccc; +} + diff --git a/config/snort-dev/help_and_info.php b/config/snort-dev/help_and_info.php index af8eb4ae..95693ef4 100644 --- a/config/snort-dev/help_and_info.php +++ b/config/snort-dev/help_and_info.php @@ -1,247 +1,247 @@ - - - - -The Snort Package Help Page - - - - - - - - - - -
- -
-
-

Snort Package

- -

- Snort Package is a GUI based front-end for Sourcefire\'s Snort ® IDS/IPS software. The Snort Package goal is to be - the best open-source GUI to manage multiple snort sensors and multiple rule snapshots. The project other goal is to be a highly competitive GUI for - network monitoring for both private and enterprise use. Lastly, this project software development should bring programmers and users together to create - software. -

-

- What is Snort ? Used by fortune 500 companies and goverments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and - can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port - scans, CGI attacks, SMB probes, and much more. -

-

- Requirements :
- Minimum requirement 256 mb ram, 500 MHz CPU.
- Recommended 500 mb ram, 1 Ghz CPU.
- The more rules you run the more memory you need.
- The more interfaces you select the more memory you need.

- Development is done on a Alix 2D3 system (500 MHz AMD Geode LX800 CPU 256MB DDR DRAM). -

- -
- -
-

Snort Package

- -

Change Log

- -

Changes to this package can be viewed by following packages repository

-
- -
-

Snort Package

- -

Getting Help

- -

-Obtaining Support
- -We provide several means of obtaining support for pfSense. -

- -

-Free Options
-Our free options include our forum, mailing list , and IRC channel. Before using any of these resources, please review the Project Rules below. -

- -

-Commercial Support
- -Commercial support is available from the company founded by the founders of the pfSense project, BSD Perimeter. Phone and email support is available for support subscribers only. -

- -

-Project Rules
-To keep things orderly, and be fair to everyone, we must enforce these rules. -

- -

-Please do not post support questions to the blog comments. The comments are for discussion of the post, and letting people ask questions there would make a mess of the purpose of those comments. Any support questions will not be moderator approved. -

- -

-Please do not cross post questions between the forum and mailing list, unless your inquiry has gone unanswered for at least 24 hours. Do not bump your mailing list or forum posts for at least 24 hours. If you have not received a reply after more than 24 hours, you are welcome to bump your thread. -

- -

-Please do not email individuals, the coreteam address, or private message people on the forum to ask questions. We provide a wide variety of means for obtaining help in a public forum, where it helps others who have the same questions in the future. We don\'t have enough time to answer all the questions our users post in the public forums, much less via email and private messages. Since we cannot possibly reply to everyone\'s email and private messages, to be fair we will not reply to anyone. Individual attention via phone and email support is available for commercial support customers. -

-
- -
-

Snort Package

- -

Heros

- -

Pfsense Snort Package users who have cared enough to donate to this project. I can\'t thank you enough for all your help. With-out your support I would have stoped long time ago.

- -

If your not on this list PM me and I will add you. If you would like to be removed pm me and I will remove you.

- -

Names

- -

sandro tavella

-

Joćo Kemp Filho

-

Julio Fumoso

-

Rolland Hart

-

DiMarco Technology Solutions Inc.

-

Brett Burley

-

Tomasz Iskra

-

Bruno Buchschacher

-

Marco Pannetto

-

Christopher Weakland

-

Antonio Riveros

-

DigitalJer

-

Serialdie

-

Dlawley

-

Onhel

-

Jerrygoldsmith

- - -
-
-
- - - - -'; - -?> + + + + +The Snort Package Help Page + + + + + + + + + + +
+ +
+
+

Snort Package

+ +

+ Snort Package is a GUI based front-end for Sourcefire\'s Snort ® IDS/IPS software. The Snort Package goal is to be + the best open-source GUI to manage multiple snort sensors and multiple rule snapshots. The project other goal is to be a highly competitive GUI for + network monitoring for both private and enterprise use. Lastly, this project software development should bring programmers and users together to create + software. +

+

+ What is Snort ? Used by fortune 500 companies and goverments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and + can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port + scans, CGI attacks, SMB probes, and much more. +

+

+ Requirements :
+ Minimum requirement 256 mb ram, 500 MHz CPU.
+ Recommended 500 mb ram, 1 Ghz CPU.
+ The more rules you run the more memory you need.
+ The more interfaces you select the more memory you need.

+ Development is done on a Alix 2D3 system (500 MHz AMD Geode LX800 CPU 256MB DDR DRAM). +

+ +
+ +
+

Snort Package

+ +

Change Log

+ +

Changes to this package can be viewed by following packages repository

+
+ +
+

Snort Package

+ +

Getting Help

+ +

+Obtaining Support
+ +We provide several means of obtaining support for pfSense. +

+ +

+Free Options
+Our free options include our forum, mailing list , and IRC channel. Before using any of these resources, please review the Project Rules below. +

+ +

+Commercial Support
+ +Commercial support is available from the company founded by the founders of the pfSense project, BSD Perimeter. Phone and email support is available for support subscribers only. +

+ +

+Project Rules
+To keep things orderly, and be fair to everyone, we must enforce these rules. +

+ +

+Please do not post support questions to the blog comments. The comments are for discussion of the post, and letting people ask questions there would make a mess of the purpose of those comments. Any support questions will not be moderator approved. +

+ +

+Please do not cross post questions between the forum and mailing list, unless your inquiry has gone unanswered for at least 24 hours. Do not bump your mailing list or forum posts for at least 24 hours. If you have not received a reply after more than 24 hours, you are welcome to bump your thread. +

+ +

+Please do not email individuals, the coreteam address, or private message people on the forum to ask questions. We provide a wide variety of means for obtaining help in a public forum, where it helps others who have the same questions in the future. We don\'t have enough time to answer all the questions our users post in the public forums, much less via email and private messages. Since we cannot possibly reply to everyone\'s email and private messages, to be fair we will not reply to anyone. Individual attention via phone and email support is available for commercial support customers. +

+
+ +
+

Snort Package

+ +

Heros

+ +

Pfsense Snort Package users who have cared enough to donate to this project. I can\'t thank you enough for all your help. With-out your support I would have stoped long time ago.

+ +

If your not on this list PM me and I will add you. If you would like to be removed pm me and I will remove you.

+ +

Names

+ +

sandro tavella

+

Joćo Kemp Filho

+

Julio Fumoso

+

Rolland Hart

+

DiMarco Technology Solutions Inc.

+

Brett Burley

+

Tomasz Iskra

+

Bruno Buchschacher

+

Marco Pannetto

+

Christopher Weakland

+

Antonio Riveros

+

DigitalJer

+

Serialdie

+

Dlawley

+

Onhel

+

Jerrygoldsmith

+ + +
+
+
+ + + + +'; + +?> diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index 49439149..afb46018 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -1,2510 +1,2524 @@ - 6) - $snort_pfsense_basever = 'no'; -else - $snort_pfsense_basever = 'yes'; - -/* find out what arch where in x86 , x64 */ -global $snort_arch; -$snort_arch = 'x86'; -$snort_arch_ck = php_uname("m"); -if ($snort_arch_ck == 'i386') - $snort_arch = 'x86'; -else if ($snort_arch_ck == "amd64") - $snort_arch = 'x64'; -else - $snort_arch = "Unknown"; - -/* tell me my theme */ -$pfsense_theme_is = $config['theme']; - -/* func builds custom white lists */ -function find_whitelist_key($find_wlist_number) { - global $config, $g; - - if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) - $config['installedpackages']['snortglobal']['whitelist'] = array(); - if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) - return 0; /* XXX */ - - foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $w_key => $value) { - if ($value['name'] == $find_wlist_number) - return $w_key; - } -} - -/* func builds custom suppress lists */ -function find_suppress_key($find_slist_number) { - global $config, $g; - - if (!is_array($config['installedpackages']['snortglobal']['suppress'])) - $config['installedpackages']['snortglobal']['suppress'] = array(); - if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) - return 0; /* XXX */ - - foreach ($config['installedpackages']['snortglobal']['suppress']['item'] as $s_key => $value) { - if ($value['name'] == $find_slist_number) - return $s_key; - } -} - -/* func builds custom whitelests */ -function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $userwips) { - global $config, $g, $snort_pfsense_basever; - - /* build an interface array list */ - if (function_exists('get_configured_interface_list')) - $int_array = get_configured_interface_list(); - else { - $int_array = array('lan'); - for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) - if(isset($config['interfaces']['opt' . $j]['enable'])) - if(isset($config['interfaces']['opt' . $j]['gateway'])) - $int_array[] = "opt{$j}"; - } - - $home_net = ""; - - /* iterate through interface list and write out whitelist items - * and also compile a home_net list for snort. - */ - foreach ($int_array as $int) { - /* calculate interface subnet information */ - if (function_exists('get_interface_ip')) { - $subnet = get_interface_ip($int); - if (is_ipaddr($subnet)) { - $sn = get_interface_subnet($int); - $home_net .= "{$subnet}/{$sn} "; - } - } else { - $ifcfg = $config['interfaces'][$int]; - switch ($ifcfg['ipaddr']) { - case "pppoe": - case "pptp": - case "l2tp": - if (function_exists('get_interface_ip')) - $subnet = get_interface_ip($int); - else - $subnet = find_interface_ip("ng0"); - - if (is_ipaddr($subnet)) - $home_net .= "{$subnet} "; - break; - case "dhcp": - $subnet = find_interface_ip(snort_get_real_interface($int)); - if (is_ipaddr($subnet)) - $home_net .= "{$subnet} "; - break; - default: - if (is_ipaddr($ifcfg['ipaddr'])) { - $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); - if ($ifcfg['subnet']) - $home_net .= "{$subnet}/{$ifcfg['subnet']} "; - } - break; - } - } - } - - if ($snort_pfsense_basever == 'yes' && $wanip == 'yes') { - /* add all WAN ips to the whitelist */ - $wan_if = get_real_wan_interface(); - $ip = find_interface_ip($wan_if); - if (is_ipaddr($ip)) - $home_net .= "{$ip} "; - } - - if ($wangw == 'yes') { - /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ - $gw = get_interface_gateway('wan'); - if($gw) - $home_net .= "{$gw} "; - } - - if($wandns == 'yes') { - /* Add DNS server for WAN interface to whitelist */ - $dns_servers = get_dns_servers(); - foreach ($dns_servers as $dns) { - if($dns) - $home_net .= "{$dns} "; - } - } - - if($vips == 'yes') { - /* iterate all vips and add to whitelist */ - if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { - foreach($config['virtualip']['vip'] as $vip) - if($vip['subnet']) - $home_net .= "{$vip['subnet']} "; - } - } - - /* Add loopback to whitelist (ftphelper) */ - $home_net .= "127.0.0.1 "; - - /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ - if ($vpns == 'yes') { - if ($snort_pfsense_basever == 'yes') // chk what pfsense version were on - $vpns_list = get_vpns_list(); - else if ($snort_pfsense_basever == 'no') // chk what pfsense version were on - $vpns_list = filter_get_vpns_list(); - - if (!empty($vpns_list)) - $home_net .= "{$vpns_list} "; - } - - /* never ever compair numbers to words */ - if ($userwips > -1) { - if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) - $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); - - $home_net .= $config['installedpackages']['snortglobal']['whitelist']['item'][$userwips]['address']; - } - - $home_net = trim($home_net); - - /* this foe whitelistfile, convert spaces to carriage returns */ - if ($build_netlist == 'whitelist') { - $whitelist_home_net = str_replace(" ", "\n", $home_net); - $whitelist_home_net = str_replace(" ", "\n", $home_net); - return $whitelist_home_net; - } - - /* this is for snort.conf */ - $validator = explode(" ", $home_net); - $valresult = array(); - foreach ($validator as $vald) { - if (empty($vald)) - continue; - $valresult[] = $vald; - } - $home_net = implode(",", $valresult); - $home_net = "[{$home_net}]"; - - return $home_net; -} - - -/* checks to see if snort is running yes/no and stop/start */ -function Running_Ck($snort_uuid, $if_real, $id) { - global $config; - - $snort_uph = 'no'; - $snort_up_prell = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'"); - if ($snort_up_prell != '') - $snort_uph = 'yes'; - - return $snort_uph; -} - -/* checks to see if barnyard2 is running yes/no */ -function Running_Ck_b($snort_uuid, $if_real, $id) { - global $config; - - $snort_up_b = 'no'; - $snort_up_pre_b = exec("/bin/ps -ax | /usr/bin/grep barnyard2 | /usr/bin/grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'"); - if ($snort_up_pre_b != '') - $snort_up_b = 'yes'; - - return $snort_up_b; -} - -function Running_Stop($snort_uuid, $if_real, $id) { - global $config, $g; - - /* if snort.sh crashed this will remove the pid */ - @unlink("{$g['tmp_path']}/snort.sh.pid"); - - $start_up = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'"); - $start_upb = exec("/bin/ps -ax | /usr/bin/grep \"snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'"); - - - if ($start_up != '') { - exec("/bin/kill {$start_up}"); - exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); - exec("/bin/rm /var/log/snort/snort_{$if_real}{$snort_uuid}/snort_{$snort_uuid}_{$if_real}*"); - @unlink("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert_{$snort_uuid}"); - } - - if ($start_upb != '') { - exec("/bin/kill {$start_upb}"); - exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); - exec("/bin/rm /var/log/snort/snort_{$if_real}{$snort_uuid}/snort.u2_{$snort_uuid}_{$if_real}*"); - } - - /* Log Iface stop */ - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'"); - sleep(2); // Give time so GUI displays correctly -} - -function Running_Start($snort_uuid, $if_real, $id) { - global $config; - - /* if snort.sh crashed this will remove the pid */ - @unlink("{$g['tmp_path']}/snort.sh.pid"); - - $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; - if ($snort_info_chk == 'on') - exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); - else - return; - - /* define snortbarnyardlog_chk */ - /* top will have trouble if the uuid is to far back */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; - if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { - exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$snort_uuid}_{$if_real}/ -D -q"); - } - - /* Log Iface stop */ - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'"); - sleep(2); // Give time so GUI displays correctly -} - -function snort_get_friendly_interface($interface) { - - if (function_exists('convert_friendly_interface_to_friendly_descr')) - $iface = convert_friendly_interface_to_friendly_descr($interface); - else { - if (!$interface || ($interface == "wan")) - $iface = "WAN"; - else if(strtolower($interface) == "lan") - $iface = "LAN"; - else if(strtolower($interface) == "pppoe") - $iface = "PPPoE"; - else if(strtolower($interface) == "pptp") - $iface = "PPTP"; - else - $iface = strtoupper($interface); - } - - return $iface; -} - -/* get the real iface name of wan */ -function snort_get_real_interface($interface) { - global $config; - - $lc_interface = strtolower($interface); - if (function_exists('get_real_interface')) - return get_real_interface($lc_interface); - else { - if ($lc_interface == "lan") { - if ($config['inerfaces']['lan']) - return $config['interfaces']['lan']['if']; - return $interface; - } - if ($lc_interface == "wan") - return $config['interfaces']['wan']['if']; - $ifdescrs = array(); - for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { - $ifname = "opt{$j}"; - if(strtolower($ifname) == $lc_interface) - return $config['interfaces'][$ifname]['if']; - if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface)) - return $config['interfaces'][$ifname]['if']; - } - } - - return $interface; -} - -/* - this code block is for deleteing logs while keeping the newest file, - snort is linked to these files while running, do not take the easy way out - by touch and rm, snort will lose sync and not log. - - this code needs to be watched. - */ - -/* list dir files */ -function snort_file_list($snort_log_dir, $snort_log_file) -{ - $dir = opendir ("$snort_log_dir"); - while (false !== ($file = readdir($dir))) { - if (strpos($file, "$snort_log_file",1) ) - $file_list[] = basename($file); - } - return $file_list; -} - -/* snort dir files */ -function snort_file_sort($snort_file1, $snort_file2) -{ - if ($snort_file1 == $snort_file2) - return 0; - - return ($snort_file1 < $snort_file2); // ? -1 : 1; // this flips the array -} - -/* build files newest first array */ -function snort_build_order($snort_list) -{ - foreach ($snort_list as $value_list) - $list_order[] = $value_list; - - return $list_order; -} - -/* keep the newest remove the rest */ -function snort_remove_files($snort_list_rm, $snort_file_safe) -{ - foreach ($snort_list_rm as $value_list) { - if ($value_list != $snort_file_safe) - @unlink("/var/log/snort/$value_list"); - else - file_put_contents("/var/log/snort/$snort_file_safe", ""); - } -} - -/* - * TODO: - * This is called by snort_alerts.php. - * - * This func needs to be made to only clear one interface rule log - * at a time. - * - */ -function post_delete_logs() -{ - global $config, $g; - - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - - $snort_log_dir = '/var/log/snort'; - - foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { - $result_lan = $value['interface']; - $if_real = snort_get_real_interface($result_lan); - $snort_uuid = $value['uuid']; - - if ($if_real != '' && $snort_uuid != '') { - if ($value['snortunifiedlog'] == 'on') { - $snort_log_file_u2 = "{$snort_uuid}_{$if_real}.u2."; - $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2); - if (is_array($snort_list_u2)) { - usort($snort_list_u2, "snort_file_sort"); - $snort_u2_rm_list = snort_build_order($snort_list_u2); - snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]); - } - } else - exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.u2*"); - - if ($value['tcpdumplog'] == 'on') { - $snort_log_file_tcpd = "{$snort_uuid}_{$if_real}.tcpdump."; - $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd); - if (is_array($snort_list_tcpd)) { - usort($snort_list_tcpd, "snort_file_sort"); - $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd); - snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]); - } - } else - exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.tcpdump*"); - - /* create barnyard2 configuration file */ - //if ($value['barnyard_enable'] == 'on') - //create_barnyard2_conf($id, $if_real, $snort_uuid); - - if ($value['perform_stat'] == 'on') - @file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", ""); - } - } -} - -function snort_postinstall() -{ - global $config, $g, $snort_pfsense_basever, $snort_arch; - - /* snort -> advanced features */ - if (is_array($config['installedpackages']['snortglobal'])) { - $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; - $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; - $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; - } - - /* cleanup default files */ - @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf'); - @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf'); - @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map'); - @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map'); - @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config'); - @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators'); - @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config'); - @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map'); - @unlink('/usr/local/etc/snort/sid'); - @unlink('/usr/local/etc/rc.d/snort'); - @unlink('/usr/local/etc/rc.d/bardyard2'); - - /* remove example files */ - if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) - exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); - - if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) - exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); - - /* create a few directories and ensure the sample files are in place */ - if (!is_dir('/usr/local/etc/snort')) - exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules'); - if (!is_dir('/usr/local/etc/snort/whitelist')) - exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); - /* NOTE: the diff between the if check and the exec() extra run is by design */ - if (!is_dir('/var/log/snort')) - exec('/bin/mkdir -p /var/log/snort/run'); - else - exec('/bin/rm -r /var/log/snort/*; /bin/mkdir -p /var/log/snort/run'); - - if (!is_dir('/var/log/snort/barnyard2')) - exec('/bin/mkdir -p /var/log/snort/barnyard2'); - if (!is_dir('/usr/local/lib/snort/dynamicrules/')) - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); - if (!file_exists('/var/db/whitelist')) - touch('/var/db/whitelist'); - - /* XXX: These are needed if you run snort as snort user - mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); - mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); - mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); - */ - /* important */ - mwexec('/bin/chmod 660 /var/db/whitelist', true); - mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true); - mwexec('/bin/chmod -R 660 /tmp/snort*', true); - mwexec('/bin/chmod -R 660 /var/run/snort*', true); - mwexec('/bin/chmod -R 660 /var/snort/run/*', true); - mwexec('/bin/chmod 770 /usr/local/lib/snort', true); - mwexec('/bin/chmod 770 /usr/local/etc/snort', true); - mwexec('/bin/chmod 770 /usr/local/etc/whitelist', true); - mwexec('/bin/chmod 770 /var/log/snort', true); - mwexec('/bin/chmod 770 /var/log/snort/run', true); - mwexec('/bin/chmod 770 /var/log/snort/barnyard2', true); - - /* move files around, make it look clean */ - mwexec('/bin/mkdir -p /usr/local/www/snort/css'); - mwexec('/bin/mkdir -p /usr/local/www/snort/images'); - - chdir ("/usr/local/www/snort/css/"); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style.css'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/sexybuttons.css'); - chdir("/usr/local/www/snort/images/"); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/alert.jpg'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down2.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-asc.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-desc.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up2.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo.jpg'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon_excli.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/arrow_down.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/awesome-overlay-sprite.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo22.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png'); - - /* remake saved settings */ - if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { - update_status(gettext("Saved settings detected...")); - update_output_window(gettext("Please wait... rebuilding files...")); - sync_snort_package_config(); - update_output_window(gettext("Finnished Rebuilding files...")); - } -} - -function snort_Getdirsize($node) { - if(!is_readable($node)) - return false; - - $blah = exec( "/usr/bin/du -kd $node" ); - return substr( $blah, 0, strpos($blah, 9) ); -} - -/* func for log dir size limit cron */ -function snort_snortloglimit_install_cron($should_install) { - global $config, $g; - - if (!is_array($config['cron']['item'])) - $config['cron']['item'] = array(); - - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], '/usr/local/pkg/snort/snort_check_cron_misc.inc')) { - $is_installed = true; - break; - } - $x++; - } - - switch($should_install) { - case true: - if(!$is_installed) { - - $cron_item = array(); - $cron_item['minute'] = "*/5"; - $cron_item['hour'] = "*"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc"; - $config['cron']['item'][] = $cron_item; - } - break; - case false: - if($is_installed == true) - unset($config['cron']['item'][$x]); - break; - } -} - -/* func for updating cron */ -function snort_rm_blocked_install_cron($should_install) { - global $config, $g; - - if (!is_array($config['cron']['item'])) - $config['cron']['item'] = array(); - - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - - $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; - if ($snort_rm_blocked_info_ck == "1h_b") { - $snort_rm_blocked_min = "*/5"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "3600"; - } - if ($snort_rm_blocked_info_ck == "3h_b") { - $snort_rm_blocked_min = "*/15"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "10800"; - } - if ($snort_rm_blocked_info_ck == "6h_b") { - $snort_rm_blocked_min = "*/30"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "21600"; - } - if ($snort_rm_blocked_info_ck == "12h_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/1"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "43200"; - } - if ($snort_rm_blocked_info_ck == "1d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/2"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "86400"; - } - if ($snort_rm_blocked_info_ck == "4d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/8"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "345600"; - } - if ($snort_rm_blocked_info_ck == "7d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/14"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "604800"; - } - if ($snort_rm_blocked_info_ck == "28d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "0"; - $snort_rm_blocked_mday = "*/2"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "2419200"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - $config['cron']['item'][] = $cron_item; - } - break; - case false: - if ($is_installed == true) - unset($config['cron']['item'][$x]); - break; - } -} - -/* func to install snort update */ -function snort_rules_up_install_cron($should_install) { - global $config, $g; - - if(!$config['cron']['item']) - $config['cron']['item'] = array(); - - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; - if ($snort_rules_up_info_ck == "6h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/6"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "12h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/12"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "1d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/1"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "4d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/4"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "7d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/7"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "28d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/28"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; - $config['cron']['item'][] = $cron_item; - } - break; - case false: - if($is_installed == true) - unset($config['cron']['item'][$x]); - break; - } -} - -/* Only run when all ifaces needed to sync. Expects filesystem rw */ -function sync_snort_package_config() -{ - global $config, $g; - - /* RedDevil suggested code */ - /* TODO: more testing needs to be done */ - /* may cause voip to fail */ - //exec("/sbin/sysctl net.bpf.bufsize=8388608"); - //exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); - //exec("/sbin/sysctl net.bpf.maxinsns=512"); - //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); - - conf_mount_rw(); - - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); - conf_mount_ro(); - return; - } - - foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { - $if_real = snort_get_real_interface($value['interface']); - $snort_uuid = $value['uuid']; - - if ($if_real != '' && $snort_uuid != '') { - - /* only build whitelist when needed */ - if ($value['blockoffenders7'] == 'on') - create_snort_whitelist($id, $if_real); - - /* only build threshold when needed */ - if ($value['suppresslistname'] != 'default') - create_snort_suppress($id, $if_real); - - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); - - /* if rules exist cp rules to each iface */ - create_rules_iface($id, $if_real, $snort_uuid); - - /* create barnyard2 configuration file */ - if ($value['barnyard_enable'] == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); - } - } - - /* create snort bootup file snort.sh only create once */ - create_snort_sh(); - - /* all new files are for the user snort nologin */ - if (!is_dir("/var/log/snort/snort_{$if_real}{$snort_uuid}")) - exec("/bin/mkdir -p /var/log/snort/snort_{$if_real}{$snort_uuid}"); - - if (!is_dir('/var/log/snort/run')) - exec('/bin/mkdir -p /var/log/snort/run'); - - if (!is_dir("/var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}")) - exec("/bin/mkdir -p /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}"); - - /* XXX: These are needed if snort is run as snort user - mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); - mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); - mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); - */ - - /* important */ - mwexec('/bin/chmod 770 /var/db/whitelist', true); - mwexec('/bin/chmod 770 /var/run/snort*', true); - mwexec('/bin/chmod 770 /tmp/snort*', true); - mwexec('/bin/chmod -R 770 /var/log/snort', true); - mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true); - mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true); - - conf_mount_ro(); -} - -/* Start of main config files */ - -/* create threshold file */ -function create_snort_suppress($id, $if_real) { - global $config, $g; - - /* make sure dir is there */ - if (!is_dir('/usr/local/etc/snort/suppress')) - exec('/bin/mkdir -p /usr/local/etc/snort/suppress'); - - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - - if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') { - $whitelist_key_s = find_suppress_key($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname']); - - /* file name */ - $suppress_file_name = $config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['name']; - - /* Message */ - $s_data = '# This file is auto generated by the snort package. Please do not edit this file by hand.' . "\n\n"; - - /* user added arguments */ - $s_data .= str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['suppresspassthru'])); - - /* open snort's whitelist for writing */ - @file_put_contents("/usr/local/etc/snort/suppress/$suppress_file_name", $s_data); - } -} - -function create_snort_whitelist($id, $if_real) { - global $config, $g; - - /* make sure dir is there */ - if (!is_dir('/usr/local/etc/snort/whitelist')) - exec('/bin/mkdir -p /usr/local/etc/snort/whitelist'); - - if ($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'] == 'default') { - - $w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); - - /* open snort's whitelist for writing */ - @file_put_contents("/usr/local/etc/snort/whitelist/defaultwlist", $w_data); - - } else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'])) { - $whitelist_key_w = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname']); - - if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) - return; - - $whitelist = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]; - $w_data = build_base_whitelist($whitelist['snortlisttype'], $whitelist['wanips'], $whitelist['wangateips'], - $whitelist['wandnsips'], $whitelist['vips'], $whitelist['vpnips'], $whitelist_key_w); - - /* open snort's whitelist for writing */ - @file_put_contents("/usr/local/etc/snort/whitelist/" . $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $w_data); - } -} - -function create_snort_homenet($id, $if_real) { - global $config, $g; - - if ($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == 'default' || $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == '') - return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); - else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'])) { - $whitelist_key_h = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['homelistname']); - - if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) - return; - - $build_netlist_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['snortlisttype']; - $wanip_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wanips']; - $wangw_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wangateips']; - $wandns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wandnsips']; - $vips_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vips']; - $vpns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vpnips']; - - return build_base_whitelist($build_netlist_h, $wanip_h, $wangw_h, $wandns_h, $vips_h, $vpns_h, $whitelist_key_h); - } -} - -function create_snort_externalnet($id, $if_real) { - global $config, $g; - - if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['externallistname'])) { - $whitelist_key_ex = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['externallistname']); - - if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) - return; - - $build_netlist_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype']; - $wanip_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips']; - $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips']; - $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips']; - $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips']; - $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips']; - - return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex); - } -} - -/* open snort.sh for writing" */ -function create_snort_sh() -{ - global $config, $g; - - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - - $snortconf =& $config['installedpackages']['snortglobal']['rule']; - - $snort_sh_text3 = array(); - $snort_sh_text4 = array(); - - /* do not start config build if rules is empty */ - if (!empty($snortconf)) { - foreach ($snortconf as $value) { - $snort_uuid = $value['uuid']; - $result_lan = $value['interface']; - $if_real = snort_get_real_interface($result_lan); - - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $value['barnyard_enable']; - $snortbarnyardlog_mysql_info_chk = $value['barnyard_mysql']; - - if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') - $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q"; - - $snort_sh_text3[] = << /tmp/snort.sh.pid - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid - - /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} - $start_barnyard2 - - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD START For {$snort_uuid}_{$if_real}..." -fi - -EOE; - - $snort_sh_text4[] = << /tmp/snort.sh.pid - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." - - /bin/kill \${pid_s} - sleep 3 - /bin/kill \${pid_b} - - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid -fi - -EOF; - } - } - - - $start_snort_iface_start = implode("\n\n", $snort_sh_text3); - $start_snort_iface_stop = implode("\n\n", $snort_sh_text4); - - $snort_sh_text = << /tmp/snort.sh.pid - $start_snort_iface_start - /bin/rm /tmp/snort.sh.pid -} - -rc_stop() { - - $start_snort_iface_stop - /bin/rm /tmp/snort.sh.pid - /bin/rm /var/run/snort* - -} - -case $1 in - start) - rc_start - ;; - stop) - rc_stop - ;; - restart) - rc_start - ;; -esac - -EOD; - - /* write out snort.sh */ - $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w"); - if(!$bconf) { - log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); - return; - } - fwrite($bconf, $snort_sh_text); - fclose($bconf); - @chmod("/usr/local/etc/rc.d/snort.sh", 0755); -} - -/* if rules exist copy to new interfaces */ -function create_rules_iface($id, $if_real, $snort_uuid) -{ - global $config, $g; - - $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"; - $folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 'empty' : 'full'; - - if ($folder_chk == "empty") { - if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules")) - exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); - exec("/bin/cp /usr/local/etc/snort/rules/* {$if_rule_dir}/rules"); - if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) - exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules"); - } -} - -/* open barnyard2.conf for writing */ -function create_barnyard2_conf($id, $if_real, $snort_uuid) { - global $config, $g; - - if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) - exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); - - if (!file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { - mwexec("/usr/bin/touch /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo", true); - /* XXX: This is needed if snort is run as snort user */ - //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); - mwexec("/bin/chmod 770 /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo", true); - } - - $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); - - /* write out barnyard2_conf */ - $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); - if(!$bconf) { - log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); - return; - } - fwrite($bconf, $barnyard2_conf_text); - fclose($bconf); -} - -/* open barnyard2.conf for writing" */ -function generate_barnyard2_conf($id, $if_real, $snort_uuid) { - global $config, $g; - - /* define snortbarnyardlog */ - /* TODO: add support for the other 5 output plugins */ - - $snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; - $snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); - /* user add arguments */ - $snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['barnconfigpassthru'])); - - $barnyard2_conf_text = << \ - cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ - cmd_validity MACB < string > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity PORT < host_port > \ - cmd_validity PROT < char CSEP > \ - cmd_validity STRU < char FRPO [ string ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - telnet_cmds yes - -EOD; - - $def_ftp_preprocessor_info_chk = $snortcfg['ftp_preprocessor']; - if ($def_ftp_preprocessor_info_chk == "on") - $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; - else - $def_ftp_preprocessor_type = ""; - - /* def smtp_preprocessor */ - $snort_smtp_preprocessor = << -# config daq_dir: -# config daq_mode: -# config daq_var: -# -# ::= pcap | afpacket | dump | nfq | ipq | ipfw -# ::= read-file | passive | inline -# ::= arbitrary = ::= path as to where to look for DAQ module so's - -## gui needed for pfsense ## -# config daq: afpacket - -############################################################# - -######################################## -# Configure specific UID and GID -# to run snort as after dropping privs -# -# config set_gid: -# config set_uid: -######################################## - -######################################## -# -# Configure default snaplen. Snort -# defaults to MTU of in use interface -# -# config snaplen: -# -# TODO: gui needed for pfsense -# -######################################## - -################################################################ -# -# Configure default bpf_file to use for filtering what traffic -# reaches snort. options (-F) -# -# config bpf_file: -# -# TODO: gui needed for pfsense -# -############################################################### - -##################################################################### -# -# Configure default log directory for snort to log to. options (-l) -# -# config logdir: -# -##################################################################### - -################################### - # -# Configure the detection engine # -# Use lower memory models # - # -################################### - -# TODO: gui needed for pfsense -# Configure PCRE match limitations -config pcre_match_limit: 3500 -config pcre_match_limit_recursion: 1500 - -############################################################################# -# # -# Configure the detection engine # -# Use lower memory models for pfsense # -# # -# # -# Notes # -# # -# ac, ac-q, ac-bnfa, ac-bnfa-q, lowmem, lowmem-q # -# ac-split shorthand for search-method ac, split-any-any, intel-cpm,ac-nq, # -# ac-bnfa-nq This is the default search method if none is specified. # -# lowmem-nq, ac-std, acs, ac-banded, ac-sparsebands # -# # -############################################################################# - -config detection: search-method {$snort_performance} search-optimize max-pattern-len 20 -config event_queue: max_queue 8 log 3 order_events content_length - -################################################### -# Configure GTP if it is to be used -#################################################### - -# TODO: gui needed for pfsense -# config enable_gtp - -################################################### -# Per packet and rule latency enforcement, README.ppm -################################################### - -# Per Packet latency configuration -#config ppm: max-pkt-time 250, \ -# fastpath-expensive-packets, \ -# pkt-log - -# Per Rule latency configuration -#config ppm: max-rule-time 200, \ -# threshold 3, \ -# suspend-expensive-rules, \ -# suspend-timeout 20, \ -# rule-log alert - -################################################### -# Configure Perf Profiling for debugging, README.PerfProfiling -################################################### - -#config profile_rules: print all, sort avg_ticks -#config profile_preprocs: print all, sort avg_ticks - -################################################### -# Configure protocol aware flushing. README.stream5 -################################################### -config paf_max: 16000 - -################################################## -# Configure dynamic loaded libraries -################################################## - -dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor -dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so -dynamicdetection directory /usr/local/lib/snort/dynamicrules - -################### - # -# Flow and stream # - # -################### - -# TODO: gui needed for pfsense -# GTP Control Channle Preprocessor, README.GTP -preprocessor gtp: ports { 2123 3386 2152 } - -#################################################### -# Inline packet normalization, README.normalize -# Does nothing in IDS mode -# -# preprocessor normalize_ip4 -# preprocessor normalize_tcp: ips ecn stream -# preprocessor normalize_icmp4 -# preprocessor normalize_ip6 -# preprocessor normalize_icmp6 -#################################################### - -# this tuning ,may need testing -preprocessor frag3_global: max_frags 65536 -preprocessor frag3_engine: policy bsd detect_anomalies - -preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5 - -preprocessor stream5_tcp: policy BSD, ports both all, timeout 180, {$def_max_queued_bytes_type}{$def_max_queued_segs_type} -preprocessor stream5_udp: timeout 180 -preprocessor stream5_icmp: - - {$def_perform_stat_type} - - {$def_http_inspect_type} - - {$def_other_preprocs_type} - - {$def_ftp_preprocessor_type} - - {$def_smtp_preprocessor_type} - - {$def_sf_portscan_type} - -######################## - # -# ARP spoof detection. # - # -######################## - -# preprocessor arpspoof -# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 - -########################## - # -# SSH anomaly detection # - # -########################## - -preprocessor ssh: server_ports { 22 } \ - autodetect \ - max_client_bytes 19600 \ - max_encrypted_packets 20 \ - max_server_version_len 100 \ - enable_respoverflow enable_ssh1crc32 \ - enable_srvoverflow enable_protomismatch - - - {$def_dce_rpc_2_type} - - {$def_dns_preprocessor_type} - -############################## - # -# NEW # -# Ignore SSL and Encryption # - # -############################## - -preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted - - -########################################################### - # -# SDF sensitive data preprocessor, README.sensitive_data # - # -########################################################### - -# TODO: add pfsense GUI -preprocessor sensitive_data: alert_threshold 20 - -############################################################# - # -# SIP Session Initiation Protocol preprocessor, README.sip # - # -############################################################# - -# TODO: add pfsense GUI -preprocessor sip: max_sessions 40000, \ - ports { 5060 5061 5600 }, \ - methods { invite \ - cancel \ - ack \ - bye \ - register \ - options \ - refer \ - subscribe \ - update \ - join \ - info \ - message \ - notify \ - benotify \ - do \ - qauth \ - sprack \ - publish \ - service \ - unsubscribe \ - prack }, \ - max_uri_len 512, \ - max_call_id_len 80, \ - max_requestName_len 20, \ - max_from_len 256, \ - max_to_len 256, \ - max_via_len 1024, \ - max_contact_len 512, \ - max_content_len 2048 - -################################## - # -# IMAP preprocessor, README.imap # - # -################################## - -# TODO: add pfsense GUI -preprocessor imap: \ - ports { 143 } \ - b64_decode_depth 0 \ - qp_decode_depth 0 \ - bitenc_decode_depth 0 \ - uu_decode_depth 0 - -################################## - # -# POP preprocessor, README.pop # - # -################################## - -# TODO: add pfsense GUI -preprocessor pop: \ - ports { 110 } \ - b64_decode_depth 0 \ - qp_decode_depth 0 \ - bitenc_decode_depth 0 \ - uu_decode_depth 0 - -####################################### - # -# Modbus preprocessor, README.modbus # -# Used for SCADA # - # -####################################### - -# TODO: add pfsense GUI -preprocessor modbus: ports { 502 } - - -############################################### - # -# DNP3 preprocessor, EADME.dnp3 # - # -############################################### - -# TODO: add pfsense GUI -preprocessor dnp3: ports { 20000 } \ - memcap 262144 \ - check_crc - -############################################### - # -# Reputation preprocessor, README.reputation # - # -############################################### - -#preprocessor reputation: \ -# memcap 500, \ -# priority whitelist, \ -# nested_ip inner, \ -# whitelist $WHITE_LIST_PATH/white_list.rules, \ -# blacklist $BLACK_LIST_PATH/black_list.rules - - -##################### - # -# Snort Output Logs # - # -##################### - -$snortunifiedlogbasic_type -$snortalertlogtype_type -$alertsystemlog_type -$tcpdumplog_type -$snortmysqllog_info_chk -$snortunifiedlog_type -$spoink_type - -################# - # -# Misc Includes # - # -################# - -include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config -include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config -{$snort_preprocessor_decoder_rules} - -$threshold_file_name - -# Snort user pass through configuration -{$snort_config_pass_thru} - -################### - # -# Rules Selection # - # -################### - - {$selected_rules_sections} - -EOD; - - return $snort_conf_text; -} - -/* hide progress bar */ -function hide_progress_bar_status() { - global $snort_filename, $snort_filename_md5, $console_mode; - - ob_flush(); - if(!$console_mode) - echo "\n"; -} - -/* unhide progress bar */ -function unhide_progress_bar_status() { - global $snort_filename, $snort_filename_md5, $console_mode; - - ob_flush(); - if(!$console_mode) - echo "\n"; -} - -/* update both top and bottom text box during an operation */ -function update_all_status($status) { - global $snort_filename, $snort_filename_md5, $console_mode; - - ob_flush(); - if(!$console_mode) { - update_status($status); - update_output_window($status); - } -} - -######## new - -// returns array that matches pattern, option to replace objects in matches -function snortScanDirFilter($arrayList, $pattmatch, $pattreplace, $pattreplacewith) -{ - foreach ( $arrayList as $val ) - { - if (preg_match($pattmatch, $val, $matches)) { - if ($pattreplace != '') { - $matches2 = preg_replace($pattreplace, $pattreplacewith, $matches[0]); - $filterDirList[] = $matches2; - }else{ - $filterDirList[] = $matches[0]; - } - } - } - return $filterDirList; -} - -?> + 6) + $snort_pfsense_basever = 'no'; +else + $snort_pfsense_basever = 'yes'; + +/* find out what arch where in x86 , x64 */ +global $snort_arch; +$snort_arch = 'x86'; +$snort_arch_ck = php_uname("m"); +if ($snort_arch_ck == 'i386') + $snort_arch = 'x86'; +else if ($snort_arch_ck == "amd64") + $snort_arch = 'x64'; +else + $snort_arch = "Unknown"; + +/* tell me my theme */ +$pfsense_theme_is = $config['theme']; + +/* func builds custom white lists */ +function find_whitelist_key($find_wlist_number) { + global $config, $g; + + if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) + $config['installedpackages']['snortglobal']['whitelist'] = array(); + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return 0; /* XXX */ + + foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $w_key => $value) { + if ($value['name'] == $find_wlist_number) + return $w_key; + } +} + +/* func builds custom suppress lists */ +function find_suppress_key($find_slist_number) { + global $config, $g; + + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + return 0; /* XXX */ + + foreach ($config['installedpackages']['snortglobal']['suppress']['item'] as $s_key => $value) { + if ($value['name'] == $find_slist_number) + return $s_key; + } +} + +/* func builds custom whitelests */ +function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $userwips) { + global $config, $g, $snort_pfsense_basever; + + /* build an interface array list */ + if (function_exists('get_configured_interface_list')) + $int_array = get_configured_interface_list(); + else { + $int_array = array('lan'); + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + if(isset($config['interfaces']['opt' . $j]['enable'])) + if(isset($config['interfaces']['opt' . $j]['gateway'])) + $int_array[] = "opt{$j}"; + } + + $home_net = ""; + + /* iterate through interface list and write out whitelist items + * and also compile a home_net list for snort. + */ + foreach ($int_array as $int) { + /* calculate interface subnet information */ + if (function_exists('get_interface_ip')) { + $subnet = get_interface_ip($int); + if (is_ipaddr($subnet)) { + $sn = get_interface_subnet($int); + $home_net .= "{$subnet}/{$sn} "; + } + } else { + $ifcfg = $config['interfaces'][$int]; + switch ($ifcfg['ipaddr']) { + case "pppoe": + case "pptp": + case "l2tp": + if (function_exists('get_interface_ip')) + $subnet = get_interface_ip($int); + else + $subnet = find_interface_ip("ng0"); + + if (is_ipaddr($subnet)) + $home_net .= "{$subnet} "; + break; + case "dhcp": + $subnet = find_interface_ip(snort_get_real_interface($int)); + if (is_ipaddr($subnet)) + $home_net .= "{$subnet} "; + break; + default: + if (is_ipaddr($ifcfg['ipaddr'])) { + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + if ($ifcfg['subnet']) + $home_net .= "{$subnet}/{$ifcfg['subnet']} "; + } + break; + } + } + } + + if ($snort_pfsense_basever == 'yes' && $wanip == 'yes') { + /* add all WAN ips to the whitelist */ + $wan_if = get_real_wan_interface(); + $ip = find_interface_ip($wan_if); + if (is_ipaddr($ip)) + $home_net .= "{$ip} "; + } + + if ($wangw == 'yes') { + /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ + $gw = get_interface_gateway('wan'); + if($gw) + $home_net .= "{$gw} "; + } + + if($wandns == 'yes') { + /* Add DNS server for WAN interface to whitelist */ + $dns_servers = get_dns_servers(); + foreach ($dns_servers as $dns) { + if($dns) + $home_net .= "{$dns} "; + } + } + + if($vips == 'yes') { + /* iterate all vips and add to whitelist */ + if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { + foreach($config['virtualip']['vip'] as $vip) + if($vip['subnet']) + $home_net .= "{$vip['subnet']} "; + } + } + + /* Add loopback to whitelist (ftphelper) */ + $home_net .= "127.0.0.1 "; + + /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ + if ($vpns == 'yes') { + if ($snort_pfsense_basever == 'yes') // chk what pfsense version were on + $vpns_list = get_vpns_list(); + else if ($snort_pfsense_basever == 'no') // chk what pfsense version were on + $vpns_list = filter_get_vpns_list(); + + if (!empty($vpns_list)) + $home_net .= "{$vpns_list} "; + } + + /* never ever compair numbers to words */ + if ($userwips > -1) { + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + + $home_net .= $config['installedpackages']['snortglobal']['whitelist']['item'][$userwips]['address']; + } + + $home_net = trim($home_net); + + /* this foe whitelistfile, convert spaces to carriage returns */ + if ($build_netlist == 'whitelist') { + $whitelist_home_net = str_replace(" ", "\n", $home_net); + $whitelist_home_net = str_replace(" ", "\n", $home_net); + return $whitelist_home_net; + } + + /* this is for snort.conf */ + $validator = explode(" ", $home_net); + $valresult = array(); + foreach ($validator as $vald) { + if (empty($vald)) + continue; + $valresult[] = $vald; + } + $home_net = implode(",", $valresult); + $home_net = "[{$home_net}]"; + + return $home_net; +} + + +/* checks to see if snort is running yes/no and stop/start */ +function Running_Ck($snort_uuid, $if_real, $id) { + global $config; + + $snort_uph = 'no'; + $snort_up_prell = exec("/bin/pgrep -f 'snort.*R {$snort_uuid}'"); + if ($snort_up_prell != '') + $snort_uph = 'yes'; + + return $snort_uph; +} + +/* checks to see if barnyard2 is running yes/no */ +function Running_Ck_b($snort_uuid, $if_real, $id) { + global $config; + + $snort_up_b = 'no'; + $snort_up_pre_b = exec("/bin/pgrep -f 'barnyard2.*{$snort_uuid}_{$if_real}'"); + if ($snort_up_pre_b != '') + $snort_up_b = 'yes'; + + return $snort_up_b; +} + +function Running_Stop($snort_uuid, $if_real, $id) { + global $config, $g; + + /* if snort.sh crashed this will remove the pid */ + @unlink("{$g['tmp_path']}/snort.sh.pid"); + + $start_up = exec("/bin/pgrep -f 'snort.*R {$snort_uuid}'"); + $start_upb = exec("/bin/pgrep -f 'barnyard2.*{$snort_uuid}_{$if_real}'"); + + + /* + * TODO: Add a GUI option that lets the user keep full logs + */ + if ($start_up != '') { + @exec("/bin/kill {$start_up}"); + @exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); + @exec("/bin/rm /var/log/snort/{$snort_uuid}_{$if_real}/snort.u1*"); + @exec("/bin/rm /var/log/snort/{$snort_uuid}_{$if_real}/snort.u2*"); + } + + if ($start_upb != '') { + @exec("/bin/kill {$start_upb}"); + @exec("/bin/rm /var/log/snort/run/barnyard2_{$snort_uuid}_{$if_real}*"); + @exec("/bin/rm /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}/snort.u1*"); + @exec("/bin/rm /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}/snort.u2*"); + } + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'"); + sleep(2); // Give time so GUI displays correctly +} + +function Running_Start($snort_uuid, $if_real, $id) { + global $config; + + /* if snort.sh crashed this will remove the pid */ + @unlink("{$g['tmp_path']}/snort.sh.pid"); + + $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; + if ($snort_info_chk == 'on') + exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort/{$snort_uuid}_{$if_real} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + else + return; + + /* define snortbarnyardlog_chk */ + /* top will have trouble if the uuid is to far back */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == 'on') { + exec("/usr/local/bin/barnyard2 -f \"snort.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/{$snort_uuid}_{$if_real} -D -q"); + } + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'"); + sleep(2); // Give time so GUI displays correctly +} + +function snort_get_friendly_interface($interface) { + + if (function_exists('convert_friendly_interface_to_friendly_descr')) + $iface = convert_friendly_interface_to_friendly_descr($interface); + else { + if (!$interface || ($interface == "wan")) + $iface = "WAN"; + else if(strtolower($interface) == "lan") + $iface = "LAN"; + else if(strtolower($interface) == "pppoe") + $iface = "PPPoE"; + else if(strtolower($interface) == "pptp") + $iface = "PPTP"; + else + $iface = strtoupper($interface); + } + + return $iface; +} + +/* get the real iface name of wan */ +function snort_get_real_interface($interface) { + global $config; + + $lc_interface = strtolower($interface); + if (function_exists('get_real_interface')) + return get_real_interface($lc_interface); + else { + if ($lc_interface == "lan") { + if ($config['inerfaces']['lan']) + return $config['interfaces']['lan']['if']; + return $interface; + } + if ($lc_interface == "wan") + return $config['interfaces']['wan']['if']; + $ifdescrs = array(); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { + $ifname = "opt{$j}"; + if(strtolower($ifname) == $lc_interface) + return $config['interfaces'][$ifname]['if']; + if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface)) + return $config['interfaces'][$ifname]['if']; + } + } + + return $interface; +} + +/* + this code block is for deleteing logs while keeping the newest file, + snort is linked to these files while running, do not take the easy way out + by touch and rm, snort will lose sync and not log. + + this code needs to be watched. + */ + +/* list dir files */ +function snort_file_list($snort_log_dir, $snort_log_file) +{ + $dir = opendir ("$snort_log_dir"); + while (false !== ($file = readdir($dir))) { + if (strpos($file, "$snort_log_file",1) ) + $file_list[] = basename($file); + } + return $file_list; +} + +/* snort dir files */ +function snort_file_sort($snort_file1, $snort_file2) +{ + if ($snort_file1 == $snort_file2) + return 0; + + return ($snort_file1 < $snort_file2); // ? -1 : 1; // this flips the array +} + +/* build files newest first array */ +function snort_build_order($snort_list) +{ + foreach ($snort_list as $value_list) + $list_order[] = $value_list; + + return $list_order; +} + +/* keep the newest remove the rest */ +function snort_remove_files($snort_list_rm, $snort_file_safe) +{ + foreach ($snort_list_rm as $value_list) { + if ($value_list != $snort_file_safe) + @unlink("/var/log/snort/$value_list"); + else + file_put_contents("/var/log/snort/$snort_file_safe", ""); + } +} + +/* + * TODO: + * This is called by snort_alerts.php. + * + * This func needs to be made to only clear one interface rule log + * at a time. + * + */ +function post_delete_logs() +{ + global $config, $g; + + /* do not start config build if rules is empty */ + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + $snort_log_dir = '/var/log/snort'; + + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + $snort_uuid = $value['uuid']; + + if ($if_real != '' && $snort_uuid != '') { + if ($value['snortunifiedlog'] == 'on') { + $snort_log_file_u2 = "snort.u2."; + $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2); + if (is_array($snort_list_u2)) { + usort($snort_list_u2, "snort_file_sort"); + $snort_u2_rm_list = snort_build_order($snort_list_u2); + snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]); + } + } else + exec("/bin/rm $snort_log_dir/{$snort_uuid}_{$if_real}/snort.u2*"); + + if ($value['tcpdumplog'] == 'on') { + $snort_log_file_tcpd = "snort.tcpdump."; + $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd); + if (is_array($snort_list_tcpd)) { + usort($snort_list_tcpd, "snort_file_sort"); + $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd); + snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]); + } + } else + exec("/bin/rm $snort_log_dir/{$snort_uuid}_{$if_real}/snort.tcpdump*"); + + /* create barnyard2 configuration file */ + //if ($value['barnyard_enable'] == 'on') + //create_barnyard2_conf($id, $if_real, $snort_uuid); + + if ($value['perform_stat'] == 'on') + @file_put_contents("$snort_log_dirt/{$snort_uuid}_{$if_real}/snort.stats", ""); + } + } +} + +function snort_postinstall() +{ + global $config, $g, $snort_pfsense_basever, $snort_arch; + + /* snort -> advanced features */ + if (is_array($config['installedpackages']['snortglobal'])) { + $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; + $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; + $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; + } + + /* cleanup default files */ + @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf'); + @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf'); + @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map'); + @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map'); + @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config'); + @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators'); + @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config'); + @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map'); + @unlink('/usr/local/etc/snort/sid'); + @unlink('/usr/local/etc/rc.d/snort'); + @unlink('/usr/local/etc/rc.d/bardyard2'); + + /* remove example files */ + if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) + exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); + + if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) + exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + + /* create a few directories and ensure the sample files are in place */ + if (!is_dir('/usr/local/etc/snort')) + exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules'); + if (!is_dir('/usr/local/etc/snort/whitelist')) + exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); + /* NOTE: the diff between the if check and the exec() extra run is by design */ + if (!is_dir('/var/log/snort')) + exec('/bin/mkdir -p /var/log/snort/run'); + else + exec('/bin/rm -r /var/log/snort/*; /bin/mkdir -p /var/log/snort/run'); + + if (!is_dir('/var/log/snort/barnyard2')) + exec('/bin/mkdir -p /var/log/snort/barnyard2'); + if (!is_dir('/usr/local/lib/snort/dynamicrules/')) + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); + if (!file_exists('/var/db/whitelist')) + touch('/var/db/whitelist'); + + /* XXX: These are needed if you run snort as snort user + mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); + mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); + mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); + */ + /* important */ + mwexec('/bin/chmod 660 /var/db/whitelist', true); + mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true); + mwexec('/bin/chmod -R 660 /tmp/snort*', true); + mwexec('/bin/chmod -R 660 /var/run/snort*', true); + mwexec('/bin/chmod -R 660 /var/snort/run/*', true); + mwexec('/bin/chmod 770 /usr/local/lib/snort', true); + mwexec('/bin/chmod 770 /usr/local/etc/snort', true); + mwexec('/bin/chmod 770 /usr/local/etc/whitelist', true); + mwexec('/bin/chmod 770 /var/log/snort', true); + mwexec('/bin/chmod 770 /var/log/snort/run', true); + mwexec('/bin/chmod 770 /var/log/snort/barnyard2', true); + + /* move files around, make it look clean */ + mwexec('/bin/mkdir -p /usr/local/www/snort/css'); + mwexec('/bin/mkdir -p /usr/local/www/snort/images'); + + chdir ("/usr/local/www/snort/css/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style.css'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/sexybuttons.css'); + chdir("/usr/local/www/snort/images/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/alert.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down2.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-asc.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-desc.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up2.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon_excli.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/arrow_down.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/awesome-overlay-sprite.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo22.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png'); + + /* remake saved settings */ + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { + update_status(gettext("Saved settings detected...")); + update_output_window(gettext("Please wait... rebuilding files...")); + sync_snort_package_config(); + update_output_window(gettext("Finnished Rebuilding files...")); + } +} + +function snort_Getdirsize($node) { + if(!is_readable($node)) + return false; + + $blah = exec( "/usr/bin/du -kd $node" ); + return substr( $blah, 0, strpos($blah, 9) ); +} + +/* func for log dir size limit cron */ +function snort_snortloglimit_install_cron($should_install) { + global $config, $g; + + if (!is_array($config['cron']['item'])) + $config['cron']['item'] = array(); + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], '/usr/local/pkg/snort/snort_check_cron_misc.inc')) { + $is_installed = true; + break; + } + $x++; + } + + switch($should_install) { + case true: + if(!$is_installed) { + + $cron_item = array(); + $cron_item['minute'] = "*/5"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc"; + $config['cron']['item'][] = $cron_item; + } + break; + case false: + if($is_installed == true) + unset($config['cron']['item'][$x]); + break; + } +} + +/* func for updating cron */ +function snort_rm_blocked_install_cron($should_install) { + global $config, $g; + + if (!is_array($config['cron']['item'])) + $config['cron']['item'] = array(); + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + + $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "1h_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "3600"; + } + if ($snort_rm_blocked_info_ck == "3h_b") { + $snort_rm_blocked_min = "*/15"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "10800"; + } + if ($snort_rm_blocked_info_ck == "6h_b") { + $snort_rm_blocked_min = "*/30"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "21600"; + } + if ($snort_rm_blocked_info_ck == "12h_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/1"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "43200"; + } + if ($snort_rm_blocked_info_ck == "1d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/2"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "86400"; + } + if ($snort_rm_blocked_info_ck == "4d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/8"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "345600"; + } + if ($snort_rm_blocked_info_ck == "7d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/14"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "604800"; + } + if ($snort_rm_blocked_info_ck == "28d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "0"; + $snort_rm_blocked_mday = "*/2"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "2419200"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + } + break; + case false: + if ($is_installed == true) + unset($config['cron']['item'][$x]); + break; + } +} + +/* func to install snort update */ +function snort_rules_up_install_cron($should_install) { + global $config, $g; + + if(!$config['cron']['item']) + $config['cron']['item'] = array(); + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; + $config['cron']['item'][] = $cron_item; + } + break; + case false: + if($is_installed == true) + unset($config['cron']['item'][$x]); + break; + } +} + +/* Only run when all ifaces needed to sync. Expects filesystem rw */ +function sync_snort_package_config() +{ + global $config, $g; + + /* RedDevil suggested code */ + /* TODO: more testing needs to be done */ + /* may cause voip to fail */ + //exec("/sbin/sysctl net.bpf.bufsize=8388608"); + //exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); + //exec("/sbin/sysctl net.bpf.maxinsns=512"); + //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); + + conf_mount_rw(); + + /* do not start config build if rules is empty */ + if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); + conf_mount_ro(); + return; + } + + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { + $if_real = snort_get_real_interface($value['interface']); + $snort_uuid = $value['uuid']; + + if ($if_real != '' && $snort_uuid != '') { + + /* only build whitelist when needed */ + if ($value['blockoffenders7'] == 'on') + create_snort_whitelist($id, $if_real); + + /* only build threshold when needed */ + if ($value['suppresslistname'] != 'default') + create_snort_suppress($id, $if_real); + + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); + + /* if rules exist cp rules to each iface */ + create_rules_iface($id, $if_real, $snort_uuid); + + /* create barnyard2 configuration file */ + if ($value['barnyard_enable'] == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); + } + } + + /* create snort bootup file snort.sh only create once */ + create_snort_sh(); + + /* all new files are for the user snort nologin */ + if (!is_dir("/var/log/snort/{$snort_uuid}_{$if_real}")) + exec("/bin/mkdir -p /var/log/snort/{$snort_uuid}_{$if_real}"); + + if (!is_dir('/var/log/snort/run')) + exec('/bin/mkdir -p /var/log/snort/run'); + + if (!is_dir("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}")) + exec("/bin/mkdir -p /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}"); + + /* XXX: These are needed if snort is run as snort user + mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); + mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); + mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); + */ + + /* important */ + mwexec('/bin/chmod 770 /var/db/whitelist', true); + mwexec('/bin/chmod 770 /var/run/snort*', true); + mwexec('/bin/chmod 770 /tmp/snort*', true); + mwexec('/bin/chmod -R 770 /var/log/snort', true); + mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true); + mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true); + + conf_mount_ro(); +} + +/* Start of main config files */ + +/* create threshold file */ +function create_snort_suppress($id, $if_real) { + global $config, $g; + + /* make sure dir is there */ + if (!is_dir('/usr/local/etc/snort/suppress')) + exec('/bin/mkdir -p /usr/local/etc/snort/suppress'); + + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') { + $whitelist_key_s = find_suppress_key($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname']); + + /* file name */ + $suppress_file_name = $config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['name']; + + /* Message */ + $s_data = '# This file is auto generated by the snort package. Please do not edit this file by hand.' . "\n\n"; + + /* user added arguments */ + $s_data .= str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['suppresspassthru'])); + + /* open snort's whitelist for writing */ + @file_put_contents("/usr/local/etc/snort/suppress/$suppress_file_name", $s_data); + } +} + +function create_snort_whitelist($id, $if_real) { + global $config, $g; + + /* make sure dir is there */ + if (!is_dir('/usr/local/etc/snort/whitelist')) + exec('/bin/mkdir -p /usr/local/etc/snort/whitelist'); + + if ($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'] == 'default') { + + $w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); + + /* open snort's whitelist for writing */ + @file_put_contents("/usr/local/etc/snort/whitelist/defaultwlist", $w_data); + + } else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'])) { + $whitelist_key_w = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname']); + + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return; + + $whitelist = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]; + $w_data = build_base_whitelist($whitelist['snortlisttype'], $whitelist['wanips'], $whitelist['wangateips'], + $whitelist['wandnsips'], $whitelist['vips'], $whitelist['vpnips'], $whitelist_key_w); + + /* open snort's whitelist for writing */ + @file_put_contents("/usr/local/etc/snort/whitelist/" . $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $w_data); + } +} + +function create_snort_homenet($id, $if_real) { + global $config, $g; + + if ($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == 'default' || $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == '') + return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); + else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'])) { + $whitelist_key_h = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['homelistname']); + + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return; + + $build_netlist_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['snortlisttype']; + $wanip_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wanips']; + $wangw_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wangateips']; + $wandns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wandnsips']; + $vips_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vips']; + $vpns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vpnips']; + + return build_base_whitelist($build_netlist_h, $wanip_h, $wangw_h, $wandns_h, $vips_h, $vpns_h, $whitelist_key_h); + } +} + +function create_snort_externalnet($id, $if_real) { + global $config, $g; + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['externallistname'])) { + $whitelist_key_ex = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['externallistname']); + + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return; + + $build_netlist_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype']; + $wanip_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips']; + $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips']; + $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips']; + $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips']; + $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips']; + + return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex); + } +} + +/* open snort.sh for writing" */ +function create_snort_sh() +{ + global $config, $g; + + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + $snortconf =& $config['installedpackages']['snortglobal']['rule']; + + $snort_sh_text3 = array(); + $snort_sh_text4 = array(); + + /* do not start config build if rules is empty */ + if (!empty($snortconf)) { + foreach ($snortconf as $value) { + $snort_uuid = $value['uuid']; + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $value['barnyard_enable']; + + if ($snortbarnyardlog_info_chk == 'on') + $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort.u2 --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/{$snort_uuid}_{$if_real} -D -q"; + + $snort_sh_text3[] = << /tmp/snort.sh.pid + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + + /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/{$snort_uuid}_{$if_real} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + $start_barnyard2 + + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD START For {$snort_uuid}_{$if_real}..." +fi + +EOE; + + $snort_sh_text4[] = << /tmp/snort.sh.pid + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." + + /bin/kill \${pid_s} + sleep 3 + /bin/kill \${pid_b} + + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid +fi + +EOF; + } + } + + + $start_snort_iface_start = implode("\n\n", $snort_sh_text3); + $start_snort_iface_stop = implode("\n\n", $snort_sh_text4); + + $snort_sh_text = << /tmp/snort.sh.pid + $start_snort_iface_start + /bin/rm /tmp/snort.sh.pid +} + +rc_stop() { + + $start_snort_iface_stop + /bin/rm /tmp/snort.sh.pid + /bin/rm /var/run/snort* + +} + +case $1 in + start) + rc_start + ;; + stop) + rc_stop + ;; + restart) + rc_start + ;; +esac + +EOD; + + /* write out snort.sh */ + $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); + return; + } + fwrite($bconf, $snort_sh_text); + fclose($bconf); + @chmod("/usr/local/etc/rc.d/snort.sh", 0755); +} + +/* if rules exist copy to new interfaces */ +function create_rules_iface($id, $if_real, $snort_uuid) +{ + global $config, $g; + + $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"; + $folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 'empty' : 'full'; + + if ($folder_chk == "empty") { + if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules")) + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + exec("/bin/cp /usr/local/etc/snort/rules/* {$if_rule_dir}/rules"); + if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) + exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules"); + } +} + +/* open barnyard2.conf for writing */ +function create_barnyard2_conf($id, $if_real, $snort_uuid) { + global $config, $g; + + if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) + exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); + + if (!file_exists("/var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo")) { + mwexec("/usr/bin/touch /var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo", true); + /* XXX: This is needed if snort is run as snort user */ + //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); + mwexec("/bin/chmod 770 /var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo", true); + } + + $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); + + /* write out barnyard2_conf */ + $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); + return; + } + fwrite($bconf, $barnyard2_conf_text); + fclose($bconf); +} + +/* open barnyard2.conf for writing" */ +function generate_barnyard2_conf($id, $if_real, $snort_uuid) { + global $config, $g; + + /* define snortbarnyardlog */ + /* TODO: add support for the other 5 output plugins */ + + $snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; + $snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); + /* user add arguments */ + $snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['barnconfigpassthru'])); + + $barnyard2_conf_text = << \ + cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ + cmd_validity MACB < string > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity PORT < host_port > \ + cmd_validity PROT < char CSEP > \ + cmd_validity STRU < char FRPO [ string ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +EOD; + + $def_ftp_preprocessor_info_chk = $snortcfg['ftp_preprocessor']; + if ($def_ftp_preprocessor_info_chk == "on") + $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; + else + $def_ftp_preprocessor_type = ""; + + /* def smtp_preprocessor */ + $snort_smtp_preprocessor = << +# config daq_dir: +# config daq_mode: +# config daq_var: +# +# ::= pcap | afpacket | dump | nfq | ipq | ipfw +# ::= read-file | passive | inline +# ::= arbitrary = ::= path as to where to look for DAQ module so's + +## gui needed for pfsense ## +# config daq: afpacket + +############################################################# + +######################################## +# Configure specific UID and GID +# to run snort as after dropping privs +# +# config set_gid: +# config set_uid: +######################################## + +######################################## +# +# Configure default snaplen. Snort +# defaults to MTU of in use interface +# +# config snaplen: +# +# TODO: gui needed for pfsense +# +######################################## + +################################################################ +# +# Configure default bpf_file to use for filtering what traffic +# reaches snort. options (-F) +# +# config bpf_file: +# +# TODO: gui needed for pfsense +# +############################################################### + +##################################################################### +# +# Configure default log directory for snort to log to. options (-l) +# +# config logdir: +# +##################################################################### + +################################### + # +# Configure the detection engine # +# Use lower memory models # + # +################################### + +# TODO: gui needed for pfsense +# Configure PCRE match limitations +config pcre_match_limit: 3500 +config pcre_match_limit_recursion: 1500 + +############################################################################# +# # +# Configure the detection engine # +# Use lower memory models for pfsense # +# # +# # +# Notes # +# # +# ac, ac-q, ac-bnfa, ac-bnfa-q, lowmem, lowmem-q # +# ac-split shorthand for search-method ac, split-any-any, intel-cpm,ac-nq, # +# ac-bnfa-nq This is the default search method if none is specified. # +# lowmem-nq, ac-std, acs, ac-banded, ac-sparsebands # +# # +############################################################################# + +config detection: search-method {$snort_performance} search-optimize max-pattern-len 20 +config event_queue: max_queue 8 log 3 order_events content_length + +################################################### +# Configure GTP if it is to be used +#################################################### + +# TODO: gui needed for pfsense +# config enable_gtp + +################################################### +# Per packet and rule latency enforcement, README.ppm +################################################### + +# Per Packet latency configuration +#config ppm: max-pkt-time 250, \ +# fastpath-expensive-packets, \ +# pkt-log + +# Per Rule latency configuration +#config ppm: max-rule-time 200, \ +# threshold 3, \ +# suspend-expensive-rules, \ +# suspend-timeout 20, \ +# rule-log alert + +################################################### +# Configure Perf Profiling for debugging, README.PerfProfiling +################################################### + +#config profile_rules: print all, sort avg_ticks +#config profile_preprocs: print all, sort avg_ticks + +################################################### +# Configure protocol aware flushing. README.stream5 +################################################### +config paf_max: 16000 + +################################################## +# Configure dynamic loaded libraries +################################################## + +dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor +dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so +dynamicdetection directory /usr/local/lib/snort/dynamicrules + +################### + # +# Flow and stream # + # +################### + +# TODO: gui needed for pfsense +# GTP Control Channle Preprocessor, README.GTP +preprocessor gtp: ports { 2123 3386 2152 } + +#################################################### +# Inline packet normalization, README.normalize +# Does nothing in IDS mode +# +# preprocessor normalize_ip4 +# preprocessor normalize_tcp: ips ecn stream +# preprocessor normalize_icmp4 +# preprocessor normalize_ip6 +# preprocessor normalize_icmp6 +#################################################### + +# this tuning ,may need testing +preprocessor frag3_global: max_frags 65536 +preprocessor frag3_engine: policy bsd detect_anomalies + +preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5 + +preprocessor stream5_tcp: policy BSD, ports both all, timeout 180, {$def_max_queued_bytes_type}{$def_max_queued_segs_type} +preprocessor stream5_udp: timeout 180 +preprocessor stream5_icmp: + + {$def_perform_stat_type} + + {$def_http_inspect_type} + + {$def_other_preprocs_type} + + {$def_ftp_preprocessor_type} + + {$def_smtp_preprocessor_type} + + {$def_sf_portscan_type} + +######################## + # +# ARP spoof detection. # + # +######################## + +# preprocessor arpspoof +# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 + +########################## + # +# SSH anomaly detection # + # +########################## + +preprocessor ssh: server_ports { 22 } \ + autodetect \ + max_client_bytes 19600 \ + max_encrypted_packets 20 \ + max_server_version_len 100 \ + enable_respoverflow enable_ssh1crc32 \ + enable_srvoverflow enable_protomismatch + + + {$def_dce_rpc_2_type} + + {$def_dns_preprocessor_type} + +############################## + # +# NEW # +# Ignore SSL and Encryption # + # +############################## + +preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted + + +########################################################### + # +# SDF sensitive data preprocessor, README.sensitive_data # + # +########################################################### + +# TODO: add pfsense GUI +preprocessor sensitive_data: alert_threshold 20 + +############################################################# + # +# SIP Session Initiation Protocol preprocessor, README.sip # + # +############################################################# + +# TODO: add pfsense GUI +preprocessor sip: max_sessions 40000, \ + ports { 5060 5061 5600 }, \ + methods { invite \ + cancel \ + ack \ + bye \ + register \ + options \ + refer \ + subscribe \ + update \ + join \ + info \ + message \ + notify \ + benotify \ + do \ + qauth \ + sprack \ + publish \ + service \ + unsubscribe \ + prack }, \ + max_uri_len 512, \ + max_call_id_len 80, \ + max_requestName_len 20, \ + max_from_len 256, \ + max_to_len 256, \ + max_via_len 1024, \ + max_contact_len 512, \ + max_content_len 2048 + +################################## + # +# IMAP preprocessor, README.imap # + # +################################## + +# TODO: add pfsense GUI +preprocessor imap: \ + ports { 143 } \ + b64_decode_depth 0 \ + qp_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 + +################################## + # +# POP preprocessor, README.pop # + # +################################## + +# TODO: add pfsense GUI +preprocessor pop: \ + ports { 110 } \ + b64_decode_depth 0 \ + qp_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 + +####################################### + # +# Modbus preprocessor, README.modbus # +# Used for SCADA # + # +####################################### + +# TODO: add pfsense GUI +preprocessor modbus: ports { 502 } + + +############################################### + # +# DNP3 preprocessor, EADME.dnp3 # + # +############################################### + +# TODO: add pfsense GUI +preprocessor dnp3: ports { 20000 } \ + memcap 262144 \ + check_crc + +############################################### + # +# Reputation preprocessor, README.reputation # + # +############################################### + +#preprocessor reputation: \ +# memcap 500, \ +# priority whitelist, \ +# nested_ip inner, \ +# whitelist \$WHITE_LIST_PATH/white_list.rules, \ +# blacklist \$BLACK_LIST_PATH/black_list.rules + + +##################### + # +# Snort Output Logs # + # +##################### + +$snortalertlogtype_type +$alertsystemlog_type +$tcpdumplog_type +$snortunifiedlogbasic_type +$snortunifiedlog_type +$snortalertcvs_type +$spoink_type + +################# + # +# Misc Includes # + # +################# + +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config +{$snort_preprocessor_decoder_rules} + +$threshold_file_name + +# Snort user pass through configuration +{$snort_config_pass_thru} + +################### + # +# Rules Selection # + # +################### + + {$selected_rules_sections} + +EOD; + + return $snort_conf_text; +} + +/* hide progress bar */ +function hide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + + ob_flush(); + if(!$console_mode) + echo "\n"; +} + +/* unhide progress bar */ +function unhide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + + ob_flush(); + if(!$console_mode) + echo "\n"; +} + +/* update both top and bottom text box during an operation */ +function update_all_status($status) { + global $snort_filename, $snort_filename_md5, $console_mode; + + ob_flush(); + if(!$console_mode) { + update_status($status); + update_output_window($status); + } +} + +######## new + +// returns array that matches pattern, option to replace objects in matches +function snortScanDirFilter($arrayList, $pattmatch, $pattreplace, $pattreplacewith) +{ + foreach ( $arrayList as $val ) + { + if (preg_match($pattmatch, $val, $matches)) { + if ($pattreplace != '') { + $matches2 = preg_replace($pattreplace, $pattreplacewith, $matches[0]); + $filterDirList[] = $matches2; + }else{ + $filterDirList[] = $matches[0]; + } + } + } + return $filterDirList; +} + +?> diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml index 2365bbea..6ebf50be 100644 --- a/config/snort-dev/snort.xml +++ b/config/snort-dev/snort.xml @@ -1,205 +1,205 @@ - - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. - Snort - 2.9.0.5 - Services:2.9.0.5 pkg v. 2.0 - /usr/local/pkg/snort/snort.inc - - Snort - Setup snort specific settings -
Services
- /snort/snort_interfaces.php -
- - snort - snort.sh - snort - Snort is the most widely deployed IDS/IPS technology - worldwide. - - - - - /usr/local/pkg/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort.inc - - - /usr/local/pkg/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_gui.inc - - - /usr/local/pkg/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_check_cron_misc.inc - - - /usr/local/bin/ - 077 - http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/create-sidmap.pl - - - /usr/local/bin/ - 077 - http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/oinkmaster.pl - - - /usr/local/bin/ - 077 - http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/snort_rename.pl - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_alerts.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_barnyard.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_blocked.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_define_servers.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_download_rules.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_download_updates.php - - - /usr/local/pkg/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_check_for_rule_updates.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/help_and_info.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_interfaces.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_interfaces_edit.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_interfaces_global.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_rules.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_rules_edit.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_rulesets.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_preprocessors.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist_edit.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress.php - - - /usr/local/www/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress_edit.php - - - - - - - sync_snort_package_config(); - - - snort_postinstall(); - - - snort_deinstall(); - -
+ + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + Snort + 2.9.0.5 + Services:2.9.0.5 pkg v. 2.0 + /usr/local/pkg/snort/snort.inc + + Snort + Setup snort specific settings +
Services
+ /snort/snort_interfaces.php +
+ + snort + snort.sh + snort + Snort is the most widely deployed IDS/IPS technology + worldwide. + + + + + /usr/local/pkg/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort.inc + + + /usr/local/pkg/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_gui.inc + + + /usr/local/pkg/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_check_cron_misc.inc + + + /usr/local/bin/ + 077 + http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/create-sidmap.pl + + + /usr/local/bin/ + 077 + http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/oinkmaster.pl + + + /usr/local/bin/ + 077 + http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/snort_rename.pl + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_alerts.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_barnyard.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_blocked.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_define_servers.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_download_rules.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_download_updates.php + + + /usr/local/pkg/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_check_for_rule_updates.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/help_and_info.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_interfaces.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_interfaces_edit.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_interfaces_global.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_rules.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_rules_edit.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_rulesets.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_preprocessors.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist_edit.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress_edit.php + + + + + + + sync_snort_package_config(); + + + snort_postinstall(); + + + snort_deinstall(); + +
diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php index 3094d1a7..354c89f4 100644 --- a/config/snort-dev/snort_alerts.php +++ b/config/snort-dev/snort_alerts.php @@ -1,582 +1,582 @@ -. - Copyright (C) 2003-2004 Manuel Kasper . - Copyright (C) 2006 Scott Ullrich - All rights reserved. - - Modified for the Pfsense snort package v. 1.8+ - Copyright (C) 2009 Robert Zelaya Sr. Developer - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -/* load only javascript that is needed */ -$snort_load_sortabletable = 'yes'; -$snort_load_mootools = 'yes'; - -$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) - $config['installedpackages']['snortglobal']['rule'] = array(); -$a_instance = &$config['installedpackages']['snortglobal']['rule']; -$snort_uuid = $a_instance[0]['uuid']; -if ($_POST['instance']) - $snort_uuid = $a_instance[$_POST['instance']]['uuid']; - -if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { - $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; - $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; - $anentries = $pconfig['alertnumber']; -} else { - $anentries = '250'; - $pconfig['alertnumber'] = '250'; - $pconfig['arefresh'] = 'off'; -} - -if ($_POST['save']) -{ - //unset($input_errors); - //$pconfig = $_POST; - - /* input validation */ - if ($_POST['save']) - { - - // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { - // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; - // } - - } - - /* no errors */ - if (!$input_errors) { - if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) - $config['installedpackages']['snortglobal']['alertsblocks'] = array(); - $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; - $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; - - write_config(); - - header("Location: /snort/snort_alerts.php"); - exit; - } - -} - -if ($_GET['action'] == "clear" || $_POST['clear']) -{ - if (file_exists("/var/log/snort/alert_{$snort_uuid}")) - { - conf_mount_rw(); - @file_put_contents("/var/log/snort/alert_{$snort_uuid}", ""); - post_delete_logs(); - /* XXX: This is needed is snort is run as snort user */ - //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); - mwexec('/bin/chmod 660 /var/log/snort/*', true); - mwexec('/usr/bin/killall -HUP snort', true); - conf_mount_ro(); - } - header("Location: /snort/snort_alerts.php"); - exit; -} - -if ($_POST['download']) -{ - - $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); - $file_name = "snort_logs_{$save_date}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort"); - - if (file_exists("/tmp/{$file_name}")) { - $file = "/tmp/snort_logs_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); - header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); - exec("/bin/rm /tmp/{$file_name}"); - } - - header("Location: /snort/snort_alerts.php"); - exit; -} - - -/* WARNING: took me forever to figure reg expression, dont lose */ -// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; -function get_snort_alert_date($fileline) -{ - /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ - if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1)) - $alert_date = "$matches1[0]"; - - return $alert_date; -} - -function get_snort_alert_disc($fileline) -{ - /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - $alert_disc = "$matches[2]"; - - return $alert_disc; -} - -function get_snort_alert_class($fileline) -{ - /* class */ - if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2)) - $alert_class = "$matches2[0]"; - - return $alert_class; -} - -function get_snort_alert_priority($fileline) -{ - /* Priority */ - if (preg_match('/Priority:\s\d/', $fileline, $matches3)) - $alert_priority = "$matches3[0]"; - - return $alert_priority; -} - -function get_snort_alert_proto($fileline) -{ - /* Priority */ - if (preg_match('/\{.+\}/', $fileline, $matches3)) - $alert_proto = "$matches3[0]"; - - return $alert_proto; -} - -function get_snort_alert_proto_full($fileline) -{ - /* Protocal full */ - if (preg_match('/.+\sTTL/', $fileline, $matches2)) - $alert_proto_full = "$matches2[0]"; - - return $alert_proto_full; -} - -function get_snort_alert_ip_src($fileline) -{ - /* SRC IP */ - $re1='.*?'; # Non-greedy match on filler - $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - $alert_ip_src = $matches4[1][0]; - - return $alert_ip_src; -} - -function get_snort_alert_src_p($fileline) -{ - /* source port */ - if (preg_match('/:\d+\s-/', $fileline, $matches5)) - $alert_src_p = "$matches5[0]"; - - return $alert_src_p; -} - -function get_snort_alert_flow($fileline) -{ - /* source port */ - if (preg_match('/(->|<-)/', $fileline, $matches5)) - $alert_flow = "$matches5[0]"; - - return $alert_flow; -} - -function get_snort_alert_ip_dst($fileline) -{ - /* DST IP */ - $re1dp='.*?'; # Non-greedy match on filler - $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress - $re3dp='.*?'; # Non-greedy match on filler - $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6)) - $alert_ip_dst = $matches6[1][0]; - - return $alert_ip_dst; -} - -function get_snort_alert_dst_p($fileline) -{ - /* dst port */ - if (preg_match('/:\d+$/', $fileline, $matches7)) - $alert_dst_p = "$matches7[0]"; - - return $alert_dst_p; -} - -function get_snort_alert_dst_p_full($fileline) -{ - /* dst port full */ - if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7)) - $alert_dst_p = "$matches7[0]"; - - return $alert_dst_p; -} - -function get_snort_alert_sid($fileline) -{ - /* SID */ - if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8)) - $alert_sid = "$matches8[0]"; - - return $alert_sid; -} - -$pgtitle = "Services: Snort: Snort Alerts"; -include_once("head.inc"); - -?> - - - -\n"; -?> - -
' . $pgtitle . '

';}?> - - - - - - -
- -
-
- - - - - - - - - - - - - - - - - - -
Last Alert Entries.Latest Alert Entries Are Listed First.
Instance to inspect -

Choose which instance alerts you want to inspect. -
Save or Remove Logs - All - log files will be saved. - - Warning: all log files will be deleted. -
Auto Refresh and Log View - - Refresh > - Default is ON. - - Enter the number of log entries to view. Default is 250. -
-
-
- - -

-
-
Filter:
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \n"; - } - - // - - } - } - - ?> - -
#PRIPROTODESCRIPTIONCLASSSRCSPORTFLOWDSTDPORTSIDDate
{$counter}{$alert_priority}{$alert_proto}{$alert_disc}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_flow}{$alert_ip_dst}{$alert_dst_p}{$alert_sid}{$alert_date}
-
- -
- - - - +. + Copyright (C) 2003-2004 Manuel Kasper . + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Modified for the Pfsense snort package v. 1.8+ + Copyright (C) 2009 Robert Zelaya Sr. Developer + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +/* load only javascript that is needed */ +$snort_load_sortabletable = 'yes'; +$snort_load_mootools = 'yes'; + +$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_instance = &$config['installedpackages']['snortglobal']['rule']; +$snort_uuid = $a_instance[0]['uuid']; +if ($_POST['instance']) + $snort_uuid = $a_instance[$_POST['instance']]['uuid']; + +if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { + $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; + $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; + $anentries = $pconfig['alertnumber']; +} else { + $anentries = '250'; + $pconfig['alertnumber'] = '250'; + $pconfig['arefresh'] = 'off'; +} + +if ($_POST['save']) +{ + //unset($input_errors); + //$pconfig = $_POST; + + /* input validation */ + if ($_POST['save']) + { + + // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { + // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; + // } + + } + + /* no errors */ + if (!$input_errors) { + if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) + $config['installedpackages']['snortglobal']['alertsblocks'] = array(); + $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; + + write_config(); + + header("Location: /snort/snort_alerts.php"); + exit; + } + +} + +if ($_GET['action'] == "clear" || $_POST['clear']) +{ + if (file_exists("/var/log/snort/alert_{$snort_uuid}")) + { + conf_mount_rw(); + @file_put_contents("/var/log/snort/alert_{$snort_uuid}", ""); + post_delete_logs(); + /* XXX: This is needed is snort is run as snort user */ + //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + mwexec('/bin/chmod 660 /var/log/snort/*', true); + mwexec('/usr/bin/killall -HUP snort', true); + conf_mount_ro(); + } + header("Location: /snort/snort_alerts.php"); + exit; +} + +if ($_POST['download']) +{ + + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_logs_{$save_date}.tar.gz"; + exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort"); + + if (file_exists("/tmp/{$file_name}")) { + $file = "/tmp/snort_logs_{$save_date}.tar.gz"; + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: ".filesize($file)); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("$file"); + exec("/bin/rm /tmp/{$file_name}"); + } + + header("Location: /snort/snort_alerts.php"); + exit; +} + + +/* WARNING: took me forever to figure reg expression, dont lose */ +// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; +function get_snort_alert_date($fileline) +{ + /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ + if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1)) + $alert_date = "$matches1[0]"; + + return $alert_date; +} + +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + $alert_disc = "$matches[2]"; + + return $alert_disc; +} + +function get_snort_alert_class($fileline) +{ + /* class */ + if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2)) + $alert_class = "$matches2[0]"; + + return $alert_class; +} + +function get_snort_alert_priority($fileline) +{ + /* Priority */ + if (preg_match('/Priority:\s\d/', $fileline, $matches3)) + $alert_priority = "$matches3[0]"; + + return $alert_priority; +} + +function get_snort_alert_proto($fileline) +{ + /* Priority */ + if (preg_match('/\{.+\}/', $fileline, $matches3)) + $alert_proto = "$matches3[0]"; + + return $alert_proto; +} + +function get_snort_alert_proto_full($fileline) +{ + /* Protocal full */ + if (preg_match('/.+\sTTL/', $fileline, $matches2)) + $alert_proto_full = "$matches2[0]"; + + return $alert_proto_full; +} + +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + $alert_ip_src = $matches4[1][0]; + + return $alert_ip_src; +} + +function get_snort_alert_src_p($fileline) +{ + /* source port */ + if (preg_match('/:\d+\s-/', $fileline, $matches5)) + $alert_src_p = "$matches5[0]"; + + return $alert_src_p; +} + +function get_snort_alert_flow($fileline) +{ + /* source port */ + if (preg_match('/(->|<-)/', $fileline, $matches5)) + $alert_flow = "$matches5[0]"; + + return $alert_flow; +} + +function get_snort_alert_ip_dst($fileline) +{ + /* DST IP */ + $re1dp='.*?'; # Non-greedy match on filler + $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress + $re3dp='.*?'; # Non-greedy match on filler + $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6)) + $alert_ip_dst = $matches6[1][0]; + + return $alert_ip_dst; +} + +function get_snort_alert_dst_p($fileline) +{ + /* dst port */ + if (preg_match('/:\d+$/', $fileline, $matches7)) + $alert_dst_p = "$matches7[0]"; + + return $alert_dst_p; +} + +function get_snort_alert_dst_p_full($fileline) +{ + /* dst port full */ + if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7)) + $alert_dst_p = "$matches7[0]"; + + return $alert_dst_p; +} + +function get_snort_alert_sid($fileline) +{ + /* SID */ + if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8)) + $alert_sid = "$matches8[0]"; + + return $alert_sid; +} + +$pgtitle = "Services: Snort: Snort Alerts"; +include_once("head.inc"); + +?> + + + +\n"; +?> + +
' . $pgtitle . '

';}?> + + + + + + +
+ +
+
+ + + + + + + + + + + + + + + + + + +
Last Alert Entries.Latest Alert Entries Are Listed First.
Instance to inspect +

Choose which instance alerts you want to inspect. +
Save or Remove Logs + All + log files will be saved. + + Warning: all log files will be deleted. +
Auto Refresh and Log View + + Refresh > + Default is ON. + + Enter the number of log entries to view. Default is 250. +
+
+
+ + +

+
+
Filter:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \n"; + } + + // + + } + } + + ?> + +
#PRIPROTODESCRIPTIONCLASSSRCSPORTFLOWDSTDPORTSIDDate
{$counter}{$alert_priority}{$alert_proto}{$alert_disc}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_flow}{$alert_ip_dst}{$alert_dst_p}{$alert_sid}{$alert_date}
+
+ +
+ + + + diff --git a/config/snort-dev/snort_barnyard.php b/config/snort-dev/snort_barnyard.php index b647c007..39008284 100644 --- a/config/snort-dev/snort_barnyard.php +++ b/config/snort-dev/snort_barnyard.php @@ -1,269 +1,269 @@ -. - Copyright (C) 2008-2009 Robert Zelaya. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -/* - -TODO: Nov 12 09 -Clean this code up its ugly -Important add error checking - -*/ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -global $g; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; -if (is_null($id)) { - header("Location: /snort/snort_interfaces.php"); - exit; -} - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) - $config['installedpackages']['snortglobal']['rule'] = array(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; - $after = $_GET['dup']; -} - -$pconfig = array(); -if (isset($id) && $a_nat[$id]) { - /* old options */ - $pconfig = $a_nat[$id]; - $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; - $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; - $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); -} - -if (isset($_GET['dup'])) - unset($id); - -$if_real = snort_get_real_interface($pconfig['interface']); -$snort_uuid = $pconfig['uuid']; - -/* alert file */ -$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; - -if ($_POST) { - - /* XXX: Mising error reporting?! - * check for overlaps - foreach ($a_nat as $natent) { - if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) - continue; - if ($natent['interface'] != $_POST['interface']) - continue; - } - */ - - /* if no errors write to conf */ - if (!$input_errors) { - $natent = array(); - /* repost the options already in conf */ - $natent = $pconfig; - - $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? 'on' : 'off'; - $natent['barnyard_mysql'] = $_POST['barnyard_mysql'] ? $_POST['barnyard_mysql'] : $pconfig['barnyard_mysql']; - $natent['barnconfigpassthru'] = $_POST['barnconfigpassthru'] ? base64_encode($_POST['barnconfigpassthru']) : $pconfig['barnconfigpassthru']; - if ($_POST['barnyard_enable'] == "on") - $natent['snortunifiedlog'] = 'on'; - else - $natent['snortunifiedlog'] = 'off'; - - if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; - else { - if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); - else - $a_nat[] = $natent; - } - - write_config(); - sync_snort_package_config(); - - /* after click go to this page */ - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: snort_barnyard.php?id=$id"); - exit; - } -} - -$pgtitle = "Snort: Interface: $id$if_real Barnyard2 Edit"; -include_once("head.inc"); - -?> - - - - -' . $pgtitle . '

';}?> - - - -
- - - - - -
- - - - -
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
General Barnyard2 - Settings
Enable - onClick="enable_change(false)"> - Enable Barnyard2
- This will enable barnyard2 for this interface. You will also have to set the database credentials.
Mysql Settings
Log to a Mysql Database
- Example: output database: alert, mysql, - dbname=snort user=snort host=localhost password=xyz
- Example: output database: log, mysql, dbname=snort user=snort - host=localhost password=xyz
Advanced Settings
Advanced configuration - pass through -
- Arguments here will be automatically inserted into the running - barnyard2 configuration.
  - -
 Note: -
- Please save your settings befor you click start.
- -
-
- -
- - - - - +. + Copyright (C) 2008-2009 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +/* + +TODO: Nov 12 09 +Clean this code up its ugly +Important add error checking + +*/ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +$pconfig = array(); +if (isset($id) && $a_nat[$id]) { + /* old options */ + $pconfig = $a_nat[$id]; + $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; + $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; + $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); +} + +if (isset($_GET['dup'])) + unset($id); + +$if_real = snort_get_real_interface($pconfig['interface']); +$snort_uuid = $pconfig['uuid']; + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + +if ($_POST) { + + /* XXX: Mising error reporting?! + * check for overlaps + foreach ($a_nat as $natent) { + if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) + continue; + if ($natent['interface'] != $_POST['interface']) + continue; + } + */ + + /* if no errors write to conf */ + if (!$input_errors) { + $natent = array(); + /* repost the options already in conf */ + $natent = $pconfig; + + $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? 'on' : 'off'; + $natent['barnyard_mysql'] = $_POST['barnyard_mysql'] ? $_POST['barnyard_mysql'] : $pconfig['barnyard_mysql']; + $natent['barnconfigpassthru'] = $_POST['barnconfigpassthru'] ? base64_encode($_POST['barnconfigpassthru']) : $pconfig['barnconfigpassthru']; + if ($_POST['barnyard_enable'] == "on") + $natent['snortunifiedlog'] = 'on'; + else + $natent['snortunifiedlog'] = 'off'; + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + sync_snort_package_config(); + + /* after click go to this page */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: snort_barnyard.php?id=$id"); + exit; + } +} + +$pgtitle = "Snort: Interface: $id$if_real Barnyard2 Edit"; +include_once("head.inc"); + +?> + + + + +' . $pgtitle . '

';}?> + + + +
+ + + + + +
+ + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
General Barnyard2 + Settings
Enable + onClick="enable_change(false)"> + Enable Barnyard2
+ This will enable barnyard2 for this interface. You will also have to set the database credentials.
Mysql Settings
Log to a Mysql Database
+ Example: output database: alert, mysql, + dbname=snort user=snort host=localhost password=xyz
+ Example: output database: log, mysql, dbname=snort user=snort + host=localhost password=xyz
Advanced Settings
Advanced configuration + pass through +
+ Arguments here will be automatically inserted into the running + barnyard2 configuration.
  + +
 Note: +
+ Please save your settings befor you click start.
+ +
+
+ +
+ + + + + diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php index 932e0983..d81f561f 100644 --- a/config/snort-dev/snort_blocked.php +++ b/config/snort-dev/snort_blocked.php @@ -1,426 +1,426 @@ - /tmp/snort_block.pf'); - - $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); - - if ($blocked_ips_array_save[0] != '') { - /* build the list */ - file_put_contents("/tmp/snort_blocked/snort_block.pf", ""); - foreach($blocked_ips_array_save as $counter => $fileline3) - file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline3}\n", FILE_APPEND); - } - - exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); - - if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) { - $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); - header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); - exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); - exec("/bin/rm /tmp/snort_block.pf"); - exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); - od_end_clean(); //importanr or other post will fail - } else - echo 'Error no saved file.'; - -} - -if ($_POST['save']) -{ - - /* input validation */ - if ($_POST['save']) - { - - - } - - /* no errors */ - if (!$input_errors) - { - $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off'; - $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; - - write_config(); - - header("Location: /snort/snort_blocked.php"); - - } - -} - -/* build filter funcs */ -function get_snort_alert_ip_src($fileline) -{ - /* SRC IP */ - $re1='.*?'; # Non-greedy match on filler - $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - $alert_ip_src = $matches4[1][0]; - - return $alert_ip_src; -} - -function get_snort_alert_disc($fileline) -{ - /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - $alert_disc = "$matches[2]"; - - return $alert_disc; -} - -/* build sec filters */ -function get_snort_block_ip($fileline) -{ - /* ip */ - if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) - $alert_block_ip = "$matches[0]"; - - return $alert_block_ip; -} - -function get_snort_block_disc($fileline) -{ - /* disc */ - if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) - $alert_block_disc = "$matches[0]"; - - return $alert_block_disc; -} - -/* tell the user what settings they have */ -$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; -if ($blockedtab_msg_chk == "1h_b") { - $blocked_msg = "hour"; -} -if ($blockedtab_msg_chk == "3h_b") { - $blocked_msg = "3 hours"; -} -if ($blockedtab_msg_chk == "6h_b") { - $blocked_msg = "6 hours"; -} -if ($blockedtab_msg_chk == "12h_b") { - $blocked_msg = "12 hours"; -} -if ($blockedtab_msg_chk == "1d_b") { - $blocked_msg = "day"; -} -if ($blockedtab_msg_chk == "4d_b") { - $blocked_msg = "4 days"; -} -if ($blockedtab_msg_chk == "7d_b") { - $blocked_msg = "7 days"; -} -if ($blockedtab_msg_chk == "28d_b") { - $blocked_msg = "28 days"; -} - -if ($blockedtab_msg_chk != "never_b") -{ - $blocked_msg_txt = "Hosts are removed every $blocked_msg."; -}else{ - $blocked_msg_txt = "Settings are set to never remove hosts."; -} - -$pgtitle = "Services: Snort Blocked Hosts"; -include_once("head.inc"); - -?> - - - -\n"; -?> - -
' . $pgtitle . '

';}?> - - - - - - - - -
- -
-
- - - - - - - - - - - - - - -
Last - Blocked.This page lists hosts that have - been blocked by Snort.  
Save or Remove Hosts -
All - blocked hosts will be saved. Warning: - all hosts will be removed.
-
Auto Refresh and Log View -
Refresh > - Default is ON. Enter the - number of blocked entries to view. Default is 500. -
-
-
-
-
- - "; - else - echo "\n"; - - ?> - - -
- - - - - - - - /tmp/snort_block.cache'); - $blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); - foreach (glob("/var/log/snort/alert_*") as $alert) { - $alerts_array = array_reverse(explode("\n\n", file_get_contents("{$alert}"))); - - $logent = $bnentries; - - if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') - { - - /* build the list and compare blocks to alerts */ - $counter = 0; - foreach($alerts_array as $fileline) - { - - $counter++; - - $alert_ip_src = get_snort_alert_ip_src($fileline); - $alert_ip_disc = get_snort_alert_disc($fileline); - $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); - - if (in_array("$alert_ip_src", $blocked_ips_array)) - $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; - } - - foreach($blocked_ips_array as $alert_block_ip) - { - - if (!in_array($alert_block_ip, $alert_ip_src_array)) - { - $input[] = "[$alert_block_ip] " . "[N\A]\n"; - } - } - - /* reduce double occurrences */ - $result = array_unique($input); - - /* buil final list, preg_match, buld html */ - $counter2 = 0; - - foreach($result as $fileline2) - { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_ip_str = get_snort_block_ip($fileline2); - - if($alert_block_ip_str != '') - { - $alert_block_ip_match = array('[',']'); - $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); - }else{ - $alert_block_ip = 'empty'; - } - - $alert_block_disc_str = get_snort_block_disc($fileline2); - - if($alert_block_disc_str != '') - { - $alert_block_disc_match = array('] [',']'); - $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); - }else{ - $alert_block_disc = 'empty'; - } - - /* use one echo to do the magic*/ - echo " - - - - - \n"; - - } - - }else{ - - /* if alerts file is empty and blocked table is not empty */ - $counter2 = 0; - - foreach($blocked_ips_array as $alert_block_ip) - { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_disc = 'N/A'; - - /* use one echo to do the magic*/ - echo " - - - - - \n"; - } - } - } - - echo '
Remove#IPAlert Description
- \"Delete\" {$counter2} {$alert_block_ip} {$alert_block_disc}
- \"Delete\" {$counter2} {$alert_block_ip} {$alert_block_disc}
' . "\n"; - - if (empty($blocked_ips_array[0])) - echo "\n

There are currently no items being blocked by snort.
{$counter2} items listed.
- - - -
- - - - - + /tmp/snort_block.pf'); + + $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); + + if ($blocked_ips_array_save[0] != '') { + /* build the list */ + file_put_contents("/tmp/snort_blocked/snort_block.pf", ""); + foreach($blocked_ips_array_save as $counter => $fileline3) + file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline3}\n", FILE_APPEND); + } + + exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); + + if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) { + $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: ".filesize($file)); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("$file"); + exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); + exec("/bin/rm /tmp/snort_block.pf"); + exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); + od_end_clean(); //importanr or other post will fail + } else + echo 'Error no saved file.'; + +} + +if ($_POST['save']) +{ + + /* input validation */ + if ($_POST['save']) + { + + + } + + /* no errors */ + if (!$input_errors) + { + $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; + + write_config(); + + header("Location: /snort/snort_blocked.php"); + + } + +} + +/* build filter funcs */ +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + $alert_ip_src = $matches4[1][0]; + + return $alert_ip_src; +} + +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + $alert_disc = "$matches[2]"; + + return $alert_disc; +} + +/* build sec filters */ +function get_snort_block_ip($fileline) +{ + /* ip */ + if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) + $alert_block_ip = "$matches[0]"; + + return $alert_block_ip; +} + +function get_snort_block_disc($fileline) +{ + /* disc */ + if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) + $alert_block_disc = "$matches[0]"; + + return $alert_block_disc; +} + +/* tell the user what settings they have */ +$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; +if ($blockedtab_msg_chk == "1h_b") { + $blocked_msg = "hour"; +} +if ($blockedtab_msg_chk == "3h_b") { + $blocked_msg = "3 hours"; +} +if ($blockedtab_msg_chk == "6h_b") { + $blocked_msg = "6 hours"; +} +if ($blockedtab_msg_chk == "12h_b") { + $blocked_msg = "12 hours"; +} +if ($blockedtab_msg_chk == "1d_b") { + $blocked_msg = "day"; +} +if ($blockedtab_msg_chk == "4d_b") { + $blocked_msg = "4 days"; +} +if ($blockedtab_msg_chk == "7d_b") { + $blocked_msg = "7 days"; +} +if ($blockedtab_msg_chk == "28d_b") { + $blocked_msg = "28 days"; +} + +if ($blockedtab_msg_chk != "never_b") +{ + $blocked_msg_txt = "Hosts are removed every $blocked_msg."; +}else{ + $blocked_msg_txt = "Settings are set to never remove hosts."; +} + +$pgtitle = "Services: Snort Blocked Hosts"; +include_once("head.inc"); + +?> + + + +\n"; +?> + +
' . $pgtitle . '

';}?> + + + + + + + + +
+ +
+
+ + + + + + + + + + + + + + +
Last + Blocked.This page lists hosts that have + been blocked by Snort.  
Save or Remove Hosts +
All + blocked hosts will be saved. Warning: + all hosts will be removed.
+
Auto Refresh and Log View +
Refresh > + Default is ON. Enter the + number of blocked entries to view. Default is 500. +
+
+
+
+
+ + "; + else + echo "\n"; + + ?> + + +
+ + + + + + + + /tmp/snort_block.cache'); + $blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); + foreach (glob("/var/log/snort/alert_*") as $alert) { + $alerts_array = array_reverse(explode("\n\n", file_get_contents("{$alert}"))); + + $logent = $bnentries; + + if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') + { + + /* build the list and compare blocks to alerts */ + $counter = 0; + foreach($alerts_array as $fileline) + { + + $counter++; + + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); + + if (in_array("$alert_ip_src", $blocked_ips_array)) + $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + } + + foreach($blocked_ips_array as $alert_block_ip) + { + + if (!in_array($alert_block_ip, $alert_ip_src_array)) + { + $input[] = "[$alert_block_ip] " . "[N\A]\n"; + } + } + + /* reduce double occurrences */ + $result = array_unique($input); + + /* buil final list, preg_match, buld html */ + $counter2 = 0; + + foreach($result as $fileline2) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_ip_str = get_snort_block_ip($fileline2); + + if($alert_block_ip_str != '') + { + $alert_block_ip_match = array('[',']'); + $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); + }else{ + $alert_block_ip = 'empty'; + } + + $alert_block_disc_str = get_snort_block_disc($fileline2); + + if($alert_block_disc_str != '') + { + $alert_block_disc_match = array('] [',']'); + $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); + }else{ + $alert_block_disc = 'empty'; + } + + /* use one echo to do the magic*/ + echo " + + + + + \n"; + + } + + }else{ + + /* if alerts file is empty and blocked table is not empty */ + $counter2 = 0; + + foreach($blocked_ips_array as $alert_block_ip) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_disc = 'N/A'; + + /* use one echo to do the magic*/ + echo " + + + + + \n"; + } + } + } + + echo '
Remove#IPAlert Description
+ \"Delete\" {$counter2} {$alert_block_ip} {$alert_block_disc}
+ \"Delete\" {$counter2} {$alert_block_ip} {$alert_block_disc}
' . "\n"; + + if (empty($blocked_ips_array[0])) + echo "\n

There are currently no items being blocked by snort.
{$counter2} items listed.
+ + + +
+ + + + + diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php index 41995e9d..d959a1d5 100644 --- a/config/snort-dev/snort_check_for_rule_updates.php +++ b/config/snort-dev/snort_check_for_rule_updates.php @@ -1,690 +1,690 @@ - 0) { - update_status(gettext("snort.org md5 temp file exists...")); - } else { - update_status(gettext("Downloading snort.org md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - - //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); - $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); - @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); - update_status(gettext("Done downloading snort.org md5")); - } -} - -/* download md5 sig from emergingthreats.net */ -if ($emergingthreats == 'on') -{ - update_status(gettext("Downloading emergingthreats md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5'); - @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); - update_status(gettext("Done downloading emergingthreats md5")); -} - -/* download md5 sig from pfsense.org */ -if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { - update_status(gettext("pfsense md5 temp file exists...")); -} else { - update_status(gettext("Downloading pfsense md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); - $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); - @file_put_contents("{$tmpfname}/pfsense_rules.tar.gz.md5", $image); - update_status(gettext("Done downloading pfsense md5.")); -} - -/* If md5 file is empty wait 15min exit */ -if ($snortdownload == 'on') -{ - if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) - { - update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); - update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); - $snortdownload = 'off'; - } -} - -/* If pfsense md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ - update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); - update_output_window(gettext("Rules are released to support Pfsense packages.")); - $pfsensedownload = 'off'; -} - -/* Check if were up to date snort.org */ -if ($snortdownload == 'on') -{ - if (file_exists("{$snortdir}/{$snort_filename_md5}")) - { - $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); - $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - if ($md5_check_new == $md5_check_old) - { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - $snort_md5_check_ok = 'on'; - } else { - update_status(gettext("Your rules are not up to date...")); - $snort_md5_check_ok = 'off'; - } - } -} - -/* Check if were up to date emergingthreats.net */ -if ($emergingthreats == 'on') -{ - if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) - { - $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); - $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); - $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - if ($emerg_md5_check_new == $emerg_md5_check_old) - { - $emerg_md5_check_ok = 'on'; - } else - $emerg_md5_check_ok = 'off'; - } -} - -/* Check if were up to date pfsense.org */ -if ($pfsensedownload == 'on' && file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) -{ - $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); - $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); - $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - if ($pfsense_md5_check_new == $pfsense_md5_check_old) - { - $pfsense_md5_check_ok = 'on'; - } else - $pfsense_md5_check_ok = 'off'; -} - -if ($snortdownload == 'on') { - if ($snort_md5_check_ok == 'on') - { - update_status(gettext("Your snort.org rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - $snortdownload = 'off'; - } -} -if ($emergingthreats == 'on') { - if ($emerg_md5_check_ok == 'on') - { - update_status(gettext("Your Emergingthreats rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - $emergingthreats = 'off'; - } -} - -/* download snortrules file */ -if ($snortdownload == 'on') -{ - if ($snort_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Snortrule tar file exists...")); - } else { - update_status(gettext("There is a new set of Snort.org rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - if (300000 > filesize("{$tmpfname}/$snort_filename")){ - update_status(gettext("Error with the snort rules download...")); - update_output_window(gettext("Snort rules file downloaded failed...")); - $snortdownload = 'off'; - } - } - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != 'on') - { - if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) - { - update_status(gettext('Emergingthreats tar file exists...')); - }else{ - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); - update_status(gettext('Done downloading Emergingthreats rules file.')); - } - } -} - -/* download pfsense rules file */ -if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Snortrule tar file exists...")); - } else { - update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - } -} - -/* Compair md5 sig to file sig */ - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk == on) { -//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md5 == $file_md5_ondisk) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); -// update_output_window(gettext("Error md5 Mismatch...")); -// return; -// } -//} - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk != on) { -//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; -//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md55 == $file_md5_ondisk2) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...Not P")); -// update_output_window(gettext("Error md5 Mismatch...")); -// return; -// } -//} - -/* Untar snort rules file individually to help people with low system specs */ -if ($snortdownload == 'on') -{ - if ($snort_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - - if ($pfsense_stable == 'yes') - $freebsd_version_so = 'FreeBSD-7-2'; - else - $freebsd_version_so = 'FreeBSD-8-1'; - - update_status(gettext("Extracting Snort.org rules...")); - update_output_window(gettext("May take a while...")); - /* extract snort.org rules and add prefix to all snort.org files*/ - exec("/bin/rm -r {$snortdir}/rules"); - sleep(2); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); - chdir ("/usr/local/etc/snort/rules"); - sleep(2); - exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); - - /* extract so rules */ - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); - if($snort_arch == 'x86'){ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/"); - exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); - } else if ($snort_arch == 'x64') { - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/"); - exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); - } - /* extract so rules none bin and rename */ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . - " so_rules/chat.rules/" . - " so_rules/dos.rules/" . - " so_rules/exploit.rules/" . - " so_rules/icmp.rules/" . - " so_rules/imap.rules/" . - " so_rules/misc.rules/" . - " so_rules/multimedia.rules/" . - " so_rules/netbios.rules/" . - " so_rules/nntp.rules/" . - " so_rules/p2p.rules/" . - " so_rules/smtp.rules/" . - " so_rules/sql.rules/" . - " so_rules/web-activex.rules/" . - " so_rules/web-client.rules/" . - " so_rules/web-iis.rules/" . - " so_rules/web-misc.rules/"); - - exec("/bin/mv -f {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/snort_bad-traffic.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/chat.rules {$snortdir}/rules/snort_chat.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/dos.rules {$snortdir}/rules/snort_dos.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/snort_exploit.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/icmp.rules {$snortdir}/rules/snort_icmp.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/imap.rules {$snortdir}/rules/snort_imap.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/misc.rules {$snortdir}/rules/snort_misc.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/snort_multimedia.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/snort_netbios.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/snort_nntp.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/snort_p2p.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/snort_smtp.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/sql.rules {$snortdir}/rules/snort_sql.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/web-activex.rules {$snortdir}/rules/snort_web-activex.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/snort_web-client.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/web-iis.rules {$snortdir}/rules/snort_web-iis.so.rules"); - exec("/bin/mv -f {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/snort_web-misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - } - - /* extract base etc files */ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); - exec("/bin/mv -f {$snortdir}/etc/* {$snortdir}"); - exec("/bin/rm -r {$snortdir}/etc"); - - update_status(gettext("Done extracting Snort.org Rules.")); - }else{ - update_status(gettext("Error extracting Snort.org Rules...")); - update_output_window(gettext("Error Line 755")); - $snortdownload = 'off'; - } -} - -/* Untar emergingthreats rules to tmp */ -if ($emergingthreats == 'on') -{ - if ($emerg_md5_check_ok != 'on') - { - if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) - { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } -} - -/* Untar Pfsense rules to tmp */ -if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Extracting Pfsense rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); - } -} - -/* Untar snort signatures */ -if ($snortdownload == 'on' && $snort_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == 'on') { - update_status(gettext("Extracting Signatures...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - update_status(gettext("Done extracting Signatures.")); - } - } -} - -/* Copy md5 sig to snort dir */ -if ($snortdownload == 'on') -{ - if ($snort_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/$snort_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); - }else{ - update_status(gettext("The md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - $snortdownload = 'off'; - } - } -} - -/* Copy emergingthreats md5 sig to snort dir */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != 'on') - { - if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) - { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); - }else{ - update_status(gettext("The emergingthreats md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - $emergingthreats = 'off'; - } - } -} - -/* Copy Pfsense md5 sig to snort dir */ -if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { - update_status(gettext("Copying Pfsense md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); - } else { - update_status(gettext("The Pfsense md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - $pfsensedownload = 'off'; - } -} - -/* Copy signatures dir to snort dir */ -if ($snortdownload == 'on') -{ - if ($snort_md5_check_ok != 'on') - { - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == 'on') - { - if (file_exists("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying signatures...")); - update_output_window(gettext("May take a while...")); - exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); - exec("/bin/rm -r {$snortdir}/doc/signatures"); - update_status(gettext("Done copying signatures.")); - }else{ - update_status(gettext("Directory signatures exist...")); - update_output_window(gettext("Error copying signature...")); - $snortdownload = 'off'; - } - } - } -} - -/* double make shure cleanup emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { - apc_clear_cache(); - @unlink("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-botcc.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); -} - -if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); -} - -/* make shure default rules are in the right format */ -exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - -/* create a msg-map for snort */ -update_status(gettext("Updating Alert Messages...")); -update_output_window(gettext("Please Wait...")); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); - - -////////////////// -/* open oinkmaster_conf for writing" function */ -function oinkmaster_conf($id, $if_real, $iface_uuid) -{ - global $config, $g, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - - @unlink("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf"); - - /* enable disable setting will carry over with updates */ - /* TODO carry signature changes with the updates */ - if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { - - $selected_sid_on_section = ""; - $selected_sid_off_sections = ""; - - if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { - $enabled_sid_on = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']); - $enabled_sid_on_array = split('\|\|', $enabled_sid_on); - foreach($enabled_sid_on_array as $enabled_item_on) - $selected_sid_on_sections .= "$enabled_item_on\n"; - } - - if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { - $enabled_sid_off = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']); - $enabled_sid_off_array = split('\|\|', $enabled_sid_off); - foreach($enabled_sid_off_array as $enabled_item_off) - $selected_sid_off_sections .= "$enabled_item_off\n"; - } - - if (!empty($selected_sid_off_sections) || !empty($selected_sid_on_section)) { - $snort_sid_text = << /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); - - } - } -} - -/* Start the proccess for every interface rule */ -/* TODO: try to make the code smother */ -if (is_array($config['installedpackages']['snortglobal']['rule'])) -{ - foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { - $result_lan = $value['interface']; - $if_real = snort_get_real_interface($result_lan); - $iface_uuid = $value['uuid']; - - /* make oinkmaster.conf for each interface rule */ - oinkmaster_conf($id, $if_real, $iface_uuid); - - /* run oinkmaster for each interface rule */ - oinkmaster_run($id, $if_real, $iface_uuid); - } -} - -////////////// - -/* mark the time update finnished */ -$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); - -/* remove old $tmpfname files */ -if (is_dir('/usr/local/etc/snort/tmp')) { - update_status(gettext("Cleaning up...")); - exec("/bin/rm -r /usr/local/etc/snort/tmp/snort_rules_up"); - sleep(2); - exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); -} - -/* XXX: These are needed if snort is run as snort user -mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); -mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); -mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); -*/ -/* make all dirs snorts */ -mwexec("/bin/chmod -R 755 /var/log/snort", true); -mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); -mwexec("/bin/chmod -R 755 /usr/local/lib/snort", true); - -if ($snortdownload == 'off' && $emergingthreats == 'off' && $pfsensedownload == 'off') - update_output_window(gettext("Finished...")); -else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_md5_check_ok == 'on') - update_output_window(gettext("Finished...")); -else { - /* You are Not Up to date, always stop snort when updating rules for low end machines */; - update_status(gettext("You are NOT up to date...")); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("Snort has restarted with your new set of rules...")); - exec("/bin/rm /tmp/snort_download_halt.pid"); -} - -update_status(gettext("The Rules update finished...")); -conf_mount_ro(); - -?> + 0) { + update_status(gettext("snort.org md5 temp file exists...")); + } else { + update_status(gettext("Downloading snort.org md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + + //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); + update_status(gettext("Done downloading snort.org md5")); + } +} + +/* download md5 sig from emergingthreats.net */ +if ($emergingthreats == 'on') +{ + update_status(gettext("Downloading emergingthreats md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5'); + @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); + update_status(gettext("Done downloading emergingthreats md5")); +} + +/* download md5 sig from pfsense.org */ +if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { + update_status(gettext("pfsense md5 temp file exists...")); +} else { + update_status(gettext("Downloading pfsense md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); + @file_put_contents("{$tmpfname}/pfsense_rules.tar.gz.md5", $image); + update_status(gettext("Done downloading pfsense md5.")); +} + +/* If md5 file is empty wait 15min exit */ +if ($snortdownload == 'on') +{ + if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) + { + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + $snortdownload = 'off'; + } +} + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); + update_output_window(gettext("Rules are released to support Pfsense packages.")); + $pfsensedownload = 'off'; +} + +/* Check if were up to date snort.org */ +if ($snortdownload == 'on') +{ + if (file_exists("{$snortdir}/{$snort_filename_md5}")) + { + $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); + $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); + $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($md5_check_new == $md5_check_old) + { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + $snort_md5_check_ok = 'on'; + } else { + update_status(gettext("Your rules are not up to date...")); + $snort_md5_check_ok = 'off'; + } + } +} + +/* Check if were up to date emergingthreats.net */ +if ($emergingthreats == 'on') +{ + if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) + { + $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($emerg_md5_check_new == $emerg_md5_check_old) + { + $emerg_md5_check_ok = 'on'; + } else + $emerg_md5_check_ok = 'off'; + } +} + +/* Check if were up to date pfsense.org */ +if ($pfsensedownload == 'on' && file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) +{ + $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($pfsense_md5_check_new == $pfsense_md5_check_old) + { + $pfsense_md5_check_ok = 'on'; + } else + $pfsense_md5_check_ok = 'off'; +} + +if ($snortdownload == 'on') { + if ($snort_md5_check_ok == 'on') + { + update_status(gettext("Your snort.org rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + $snortdownload = 'off'; + } +} +if ($emergingthreats == 'on') { + if ($emerg_md5_check_ok == 'on') + { + update_status(gettext("Your Emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + $emergingthreats = 'off'; + } +} + +/* download snortrules file */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + update_status(gettext("There is a new set of Snort.org rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (300000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + update_output_window(gettext("Snort rules file downloaded failed...")); + $snortdownload = 'off'; + } + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext('Emergingthreats tar file exists...')); + }else{ + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); + update_status(gettext('Done downloading Emergingthreats rules file.')); + } + } +} + +/* download pfsense rules file */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + } +} + +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// return; +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// return; +// } +//} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + + if ($pfsense_stable == 'yes') + $freebsd_version_so = 'FreeBSD-7-2'; + else + $freebsd_version_so = 'FreeBSD-8-1'; + + update_status(gettext("Extracting Snort.org rules...")); + update_output_window(gettext("May take a while...")); + /* extract snort.org rules and add prefix to all snort.org files*/ + exec("/bin/rm -r {$snortdir}/rules"); + sleep(2); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + chdir ("/usr/local/etc/snort/rules"); + sleep(2); + exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); + + /* extract so rules */ + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); + if($snort_arch == 'x86'){ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/i386/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } else if ($snort_arch == 'x64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/"); + exec("/bin/mv -f {$snortdir}/so_rules/precompiled/$freebsd_version_so/x86-64/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); + } + /* extract so rules none bin and rename */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/" . + " so_rules/chat.rules/" . + " so_rules/dos.rules/" . + " so_rules/exploit.rules/" . + " so_rules/icmp.rules/" . + " so_rules/imap.rules/" . + " so_rules/misc.rules/" . + " so_rules/multimedia.rules/" . + " so_rules/netbios.rules/" . + " so_rules/nntp.rules/" . + " so_rules/p2p.rules/" . + " so_rules/smtp.rules/" . + " so_rules/sql.rules/" . + " so_rules/web-activex.rules/" . + " so_rules/web-client.rules/" . + " so_rules/web-iis.rules/" . + " so_rules/web-misc.rules/"); + + exec("/bin/mv -f {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/snort_bad-traffic.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/chat.rules {$snortdir}/rules/snort_chat.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/dos.rules {$snortdir}/rules/snort_dos.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/snort_exploit.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/icmp.rules {$snortdir}/rules/snort_icmp.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/imap.rules {$snortdir}/rules/snort_imap.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/misc.rules {$snortdir}/rules/snort_misc.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/snort_multimedia.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/snort_netbios.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/snort_nntp.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/snort_p2p.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/snort_smtp.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/sql.rules {$snortdir}/rules/snort_sql.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-activex.rules {$snortdir}/rules/snort_web-activex.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/snort_web-client.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-iis.rules {$snortdir}/rules/snort_web-iis.so.rules"); + exec("/bin/mv -f {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/snort_web-misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + } + + /* extract base etc files */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("/bin/mv -f {$snortdir}/etc/* {$snortdir}"); + exec("/bin/rm -r {$snortdir}/etc"); + + update_status(gettext("Done extracting Snort.org Rules.")); + }else{ + update_status(gettext("Error extracting Snort.org Rules...")); + update_output_window(gettext("Error Line 755")); + $snortdownload = 'off'; + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats == 'on') +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Extracting Pfsense rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); + } +} + +/* Untar snort signatures */ +if ($snortdownload == 'on' && $snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') { + update_status(gettext("Extracting Signatures...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + } + } +} + +/* Copy md5 sig to snort dir */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/$snort_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); + }else{ + update_status(gettext("The md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $snortdownload = 'off'; + } + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) + { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); + }else{ + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $emergingthreats = 'off'; + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + update_status(gettext("Copying Pfsense md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); + } else { + update_status(gettext("The Pfsense md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $pfsensedownload = 'off'; + } +} + +/* Copy signatures dir to snort dir */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') + { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') + { + if (file_exists("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying signatures...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); + exec("/bin/rm -r {$snortdir}/doc/signatures"); + update_status(gettext("Done copying signatures.")); + }else{ + update_status(gettext("Directory signatures exist...")); + update_output_window(gettext("Error copying signature...")); + $snortdownload = 'off'; + } + } + } +} + +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + @unlink("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-botcc.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +/* make shure default rules are in the right format */ +exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + +/* create a msg-map for snort */ +update_status(gettext("Updating Alert Messages...")); +update_output_window(gettext("Please Wait...")); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); + + +////////////////// +/* open oinkmaster_conf for writing" function */ +function oinkmaster_conf($id, $if_real, $iface_uuid) +{ + global $config, $g, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + + @unlink("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf"); + + /* enable disable setting will carry over with updates */ + /* TODO carry signature changes with the updates */ + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + + $selected_sid_on_section = ""; + $selected_sid_off_sections = ""; + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { + $enabled_sid_on = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']); + $enabled_sid_on_array = split('\|\|', $enabled_sid_on); + foreach($enabled_sid_on_array as $enabled_item_on) + $selected_sid_on_sections .= "$enabled_item_on\n"; + } + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { + $enabled_sid_off = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']); + $enabled_sid_off_array = split('\|\|', $enabled_sid_off); + foreach($enabled_sid_off_array as $enabled_item_off) + $selected_sid_off_sections .= "$enabled_item_off\n"; + } + + if (!empty($selected_sid_off_sections) || !empty($selected_sid_on_section)) { + $snort_sid_text = << /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); + + } + } +} + +/* Start the proccess for every interface rule */ +/* TODO: try to make the code smother */ +if (is_array($config['installedpackages']['snortglobal']['rule'])) +{ + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + $iface_uuid = $value['uuid']; + + /* make oinkmaster.conf for each interface rule */ + oinkmaster_conf($id, $if_real, $iface_uuid); + + /* run oinkmaster for each interface rule */ + oinkmaster_run($id, $if_real, $iface_uuid); + } +} + +////////////// + +/* mark the time update finnished */ +$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); + +/* remove old $tmpfname files */ +if (is_dir('/usr/local/etc/snort/tmp')) { + update_status(gettext("Cleaning up...")); + exec("/bin/rm -r /usr/local/etc/snort/tmp/snort_rules_up"); + sleep(2); + exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); +} + +/* XXX: These are needed if snort is run as snort user +mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); +mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); +mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); +*/ +/* make all dirs snorts */ +mwexec("/bin/chmod -R 755 /var/log/snort", true); +mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); +mwexec("/bin/chmod -R 755 /usr/local/lib/snort", true); + +if ($snortdownload == 'off' && $emergingthreats == 'off' && $pfsensedownload == 'off') + update_output_window(gettext("Finished...")); +else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_md5_check_ok == 'on') + update_output_window(gettext("Finished...")); +else { + /* You are Not Up to date, always stop snort when updating rules for low end machines */; + update_status(gettext("You are NOT up to date...")); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("Snort has restarted with your new set of rules...")); + exec("/bin/rm /tmp/snort_download_halt.pid"); +} + +update_status(gettext("The Rules update finished...")); +conf_mount_ro(); + +?> diff --git a/config/snort-dev/snort_define_servers.php b/config/snort-dev/snort_define_servers.php index 497f0a79..853d2a9b 100644 --- a/config/snort-dev/snort_define_servers.php +++ b/config/snort-dev/snort_define_servers.php @@ -1,541 +1,541 @@ -. - Copyright (C) 2008-2009 Robert Zelaya. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -/* - -TODO: Nov 12 09 -Clean this code up its ugly -Important add error checking - -*/ - -//require_once("globals.inc"); -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -global $g; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; -if (is_null($id)) { - header("Location: /snort/snort_interfaces.php"); - exit; -} - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -$pconfig = array(); -if (isset($id) && $a_nat[$id]) { - $pconfig = $a_nat[$id]; - - /* old options */ - $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; - $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; - $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; - $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; - $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; - $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; - $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; - $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; - $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; - $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; - $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; - $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; - $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; - $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; - $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; - $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; - $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; - $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; - $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; - $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; - $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; - $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; - $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; - $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; - $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['def_sip_servers'] = $a_nat[$id]['def_sip_servers']; - $pconfig['def_sip_ports'] = $a_nat[$id]['def_sip_ports']; - $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; - $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; - $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; - $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; - $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; - $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; - $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; - $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; -} - -/* convert fake interfaces to real */ -$if_real = snort_get_real_interface($pconfig['interface']); -$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - -/* alert file */ -$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; - -if ($_POST) { - - $natent = array(); - $natent = $pconfig; - - /* if no errors write to conf */ - if (!$input_errors) { - /* post new options */ - if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; }else{ $natent['def_dns_servers'] = ""; } - if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; }else{ $natent['def_dns_ports'] = ""; } - if ($_POST['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $_POST['def_smtp_servers']; }else{ $natent['def_smtp_servers'] = ""; } - if ($_POST['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $_POST['def_smtp_ports']; }else{ $natent['def_smtp_ports'] = ""; } - if ($_POST['def_mail_ports'] != "") { $natent['def_mail_ports'] = $_POST['def_mail_ports']; }else{ $natent['def_mail_ports'] = ""; } - if ($_POST['def_http_servers'] != "") { $natent['def_http_servers'] = $_POST['def_http_servers']; }else{ $natent['def_http_servers'] = ""; } - if ($_POST['def_www_servers'] != "") { $natent['def_www_servers'] = $_POST['def_www_servers']; }else{ $natent['def_www_servers'] = ""; } - if ($_POST['def_http_ports'] != "") { $natent['def_http_ports'] = $_POST['def_http_ports']; }else{ $natent['def_http_ports'] = ""; } - if ($_POST['def_sql_servers'] != "") { $natent['def_sql_servers'] = $_POST['def_sql_servers']; }else{ $natent['def_sql_servers'] = ""; } - if ($_POST['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $_POST['def_oracle_ports']; }else{ $natent['def_oracle_ports'] = ""; } - if ($_POST['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $_POST['def_mssql_ports']; }else{ $natent['def_mssql_ports'] = ""; } - if ($_POST['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $_POST['def_telnet_servers']; }else{ $natent['def_telnet_servers'] = ""; } - if ($_POST['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $_POST['def_telnet_ports']; }else{ $natent['def_telnet_ports'] = ""; } - if ($_POST['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $_POST['def_snmp_servers']; }else{ $natent['def_snmp_servers'] = ""; } - if ($_POST['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $_POST['def_snmp_ports']; }else{ $natent['def_snmp_ports'] = ""; } - if ($_POST['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $_POST['def_ftp_servers']; }else{ $natent['def_ftp_servers'] = ""; } - if ($_POST['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $_POST['def_ftp_ports']; }else{ $natent['def_ftp_ports'] = ""; } - if ($_POST['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $_POST['def_ssh_servers']; }else{ $natent['def_ssh_servers'] = ""; } - if ($_POST['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $_POST['def_ssh_ports']; }else{ $natent['def_ssh_ports'] = ""; } - if ($_POST['def_pop_servers'] != "") { $natent['def_pop_servers'] = $_POST['def_pop_servers']; }else{ $natent['def_pop_servers'] = ""; } - if ($_POST['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $_POST['def_pop2_ports']; }else{ $natent['def_pop2_ports'] = ""; } - if ($_POST['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $_POST['def_pop3_ports']; }else{ $natent['def_pop3_ports'] = ""; } - if ($_POST['def_imap_servers'] != "") { $natent['def_imap_servers'] = $_POST['def_imap_servers']; }else{ $natent['def_imap_servers'] = ""; } - if ($_POST['def_imap_ports'] != "") { $natent['def_imap_ports'] = $_POST['def_imap_ports']; }else{ $natent['def_imap_ports'] = ""; } - if ($_POST['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $_POST['def_sip_proxy_ip']; }else{ $natent['def_sip_proxy_ip'] = ""; } - if ($_POST['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $_POST['def_sip_proxy_ports']; }else{ $natent['def_sip_proxy_ports'] = ""; } - if ($_POST['def_sip_servers'] != "") { $natent['def_sip_servers'] = $_POST['def_sip_servers']; }else{ $natent['def_sip_servers'] = ""; } - if ($_POST['def_sip_ports'] != "") { $natent['def_sip_ports'] = $_POST['def_sip_ports']; }else{ $natent['def_sip_ports'] = ""; } - if ($_POST['def_auth_ports'] != "") { $natent['def_auth_ports'] = $_POST['def_auth_ports']; }else{ $natent['def_auth_ports'] = ""; } - if ($_POST['def_finger_ports'] != "") { $natent['def_finger_ports'] = $_POST['def_finger_ports']; }else{ $natent['def_finger_ports'] = ""; } - if ($_POST['def_irc_ports'] != "") { $natent['def_irc_ports'] = $_POST['def_irc_ports']; }else{ $natent['def_irc_ports'] = ""; } - if ($_POST['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $_POST['def_nntp_ports']; }else{ $natent['def_nntp_ports'] = ""; } - if ($_POST['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $_POST['def_rlogin_ports']; }else{ $natent['def_rlogin_ports'] = ""; } - if ($_POST['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $_POST['def_rsh_ports']; }else{ $natent['def_rsh_ports'] = ""; } - if ($_POST['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $_POST['def_ssl_ports']; }else{ $natent['def_ssl_ports'] = ""; } - - - if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; - else { - if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); - else - $a_nat[] = $natent; - } - - write_config(); - - sync_snort_package_config(); - - /* after click go to this page */ - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: snort_define_servers.php?id=$id"); - exit; - } -} - -$pgtitle = "Snort: Interface $id$if_real Define Servers"; -include_once("head.inc"); - -?> - - -' . $pgtitle . '

';} - -echo "{$snort_general_css}\n"; -?> - -
- - - - -
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Note:
- Please save your settings before you click start.
- Please make sure there are no spaces in your - definitions.
Define Servers
Define DNS_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define DNS_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 53.
Define SMTP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SMTP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 25.
Define Mail_Ports
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 25,143,465,691.
Define HTTP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define WWW_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define HTTP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 80.
Define SQL_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define ORACLE_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 1521.
Define MSSQL_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 1433.
Define TELNET_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define TELNET_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 23.
Define SNMP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SNMP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 161.
Define FTP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define FTP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 21.
Define SSH_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SSH_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is the firewall's SSH port.
Define POP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define POP2_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 109.
Define POP3_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 110.
Define IMAP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define IMAP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 143.
Define SIP_PROXY_IP
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SIP_PROXY_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 5060:5090,16384:32768.
Define SIP_SERVERS
- Example: "192.168.1.3/24,192.168.1.4/24". Leave - blank to scan all networks.
Define SIP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 5060:5090,16384:32768.
Define AUTH_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 113.
Define FINGER_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 79.
Define IRC_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 6665,6666,6667,6668,6669,7000.
Define NNTP_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 119.
Define RLOGIN_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 513.
Define RSH_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 514.
Define SSL_PORTS
- Example: Specific ports "25,443" or All ports - betwen "5060:5090 . Default is 25,443,465,636,993,995.
  - - -
 Note: -
- Please save your settings before you click start.
- -
-
- - - +. + Copyright (C) 2008-2009 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +/* + +TODO: Nov 12 09 +Clean this code up its ugly +Important add error checking + +*/ + +//require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$pconfig = array(); +if (isset($id) && $a_nat[$id]) { + $pconfig = $a_nat[$id]; + + /* old options */ + $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; + $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; + $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; + $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; + $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; + $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; + $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; + $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; + $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; + $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; + $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; + $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; + $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; + $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; + $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; + $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; + $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; + $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; + $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; + $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; + $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; + $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; + $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; + $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; + $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; + $pconfig['def_sip_servers'] = $a_nat[$id]['def_sip_servers']; + $pconfig['def_sip_ports'] = $a_nat[$id]['def_sip_ports']; + $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; + $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; + $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; + $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; + $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; + $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; + $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; + $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; +} + +/* convert fake interfaces to real */ +$if_real = snort_get_real_interface($pconfig['interface']); +$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + +if ($_POST) { + + $natent = array(); + $natent = $pconfig; + + /* if no errors write to conf */ + if (!$input_errors) { + /* post new options */ + if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; }else{ $natent['def_dns_servers'] = ""; } + if ($_POST['def_dns_ports'] != "") { $natent['def_dns_ports'] = $_POST['def_dns_ports']; }else{ $natent['def_dns_ports'] = ""; } + if ($_POST['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $_POST['def_smtp_servers']; }else{ $natent['def_smtp_servers'] = ""; } + if ($_POST['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $_POST['def_smtp_ports']; }else{ $natent['def_smtp_ports'] = ""; } + if ($_POST['def_mail_ports'] != "") { $natent['def_mail_ports'] = $_POST['def_mail_ports']; }else{ $natent['def_mail_ports'] = ""; } + if ($_POST['def_http_servers'] != "") { $natent['def_http_servers'] = $_POST['def_http_servers']; }else{ $natent['def_http_servers'] = ""; } + if ($_POST['def_www_servers'] != "") { $natent['def_www_servers'] = $_POST['def_www_servers']; }else{ $natent['def_www_servers'] = ""; } + if ($_POST['def_http_ports'] != "") { $natent['def_http_ports'] = $_POST['def_http_ports']; }else{ $natent['def_http_ports'] = ""; } + if ($_POST['def_sql_servers'] != "") { $natent['def_sql_servers'] = $_POST['def_sql_servers']; }else{ $natent['def_sql_servers'] = ""; } + if ($_POST['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $_POST['def_oracle_ports']; }else{ $natent['def_oracle_ports'] = ""; } + if ($_POST['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $_POST['def_mssql_ports']; }else{ $natent['def_mssql_ports'] = ""; } + if ($_POST['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $_POST['def_telnet_servers']; }else{ $natent['def_telnet_servers'] = ""; } + if ($_POST['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $_POST['def_telnet_ports']; }else{ $natent['def_telnet_ports'] = ""; } + if ($_POST['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $_POST['def_snmp_servers']; }else{ $natent['def_snmp_servers'] = ""; } + if ($_POST['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $_POST['def_snmp_ports']; }else{ $natent['def_snmp_ports'] = ""; } + if ($_POST['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $_POST['def_ftp_servers']; }else{ $natent['def_ftp_servers'] = ""; } + if ($_POST['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $_POST['def_ftp_ports']; }else{ $natent['def_ftp_ports'] = ""; } + if ($_POST['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $_POST['def_ssh_servers']; }else{ $natent['def_ssh_servers'] = ""; } + if ($_POST['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $_POST['def_ssh_ports']; }else{ $natent['def_ssh_ports'] = ""; } + if ($_POST['def_pop_servers'] != "") { $natent['def_pop_servers'] = $_POST['def_pop_servers']; }else{ $natent['def_pop_servers'] = ""; } + if ($_POST['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $_POST['def_pop2_ports']; }else{ $natent['def_pop2_ports'] = ""; } + if ($_POST['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $_POST['def_pop3_ports']; }else{ $natent['def_pop3_ports'] = ""; } + if ($_POST['def_imap_servers'] != "") { $natent['def_imap_servers'] = $_POST['def_imap_servers']; }else{ $natent['def_imap_servers'] = ""; } + if ($_POST['def_imap_ports'] != "") { $natent['def_imap_ports'] = $_POST['def_imap_ports']; }else{ $natent['def_imap_ports'] = ""; } + if ($_POST['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $_POST['def_sip_proxy_ip']; }else{ $natent['def_sip_proxy_ip'] = ""; } + if ($_POST['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $_POST['def_sip_proxy_ports']; }else{ $natent['def_sip_proxy_ports'] = ""; } + if ($_POST['def_sip_servers'] != "") { $natent['def_sip_servers'] = $_POST['def_sip_servers']; }else{ $natent['def_sip_servers'] = ""; } + if ($_POST['def_sip_ports'] != "") { $natent['def_sip_ports'] = $_POST['def_sip_ports']; }else{ $natent['def_sip_ports'] = ""; } + if ($_POST['def_auth_ports'] != "") { $natent['def_auth_ports'] = $_POST['def_auth_ports']; }else{ $natent['def_auth_ports'] = ""; } + if ($_POST['def_finger_ports'] != "") { $natent['def_finger_ports'] = $_POST['def_finger_ports']; }else{ $natent['def_finger_ports'] = ""; } + if ($_POST['def_irc_ports'] != "") { $natent['def_irc_ports'] = $_POST['def_irc_ports']; }else{ $natent['def_irc_ports'] = ""; } + if ($_POST['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $_POST['def_nntp_ports']; }else{ $natent['def_nntp_ports'] = ""; } + if ($_POST['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $_POST['def_rlogin_ports']; }else{ $natent['def_rlogin_ports'] = ""; } + if ($_POST['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $_POST['def_rsh_ports']; }else{ $natent['def_rsh_ports'] = ""; } + if ($_POST['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $_POST['def_ssl_ports']; }else{ $natent['def_ssl_ports'] = ""; } + + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + + sync_snort_package_config(); + + /* after click go to this page */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: snort_define_servers.php?id=$id"); + exit; + } +} + +$pgtitle = "Snort: Interface $id$if_real Define Servers"; +include_once("head.inc"); + +?> + + +' . $pgtitle . '

';} + +echo "{$snort_general_css}\n"; +?> + +
+ + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
 Note:
+ Please save your settings before you click start.
+ Please make sure there are no spaces in your + definitions.
Define Servers
Define DNS_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define DNS_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 53.
Define SMTP_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define SMTP_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 25.
Define Mail_Ports
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 25,143,465,691.
Define HTTP_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define WWW_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define HTTP_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 80.
Define SQL_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define ORACLE_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 1521.
Define MSSQL_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 1433.
Define TELNET_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define TELNET_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 23.
Define SNMP_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define SNMP_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 161.
Define FTP_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define FTP_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 21.
Define SSH_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define SSH_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is the firewall's SSH port.
Define POP_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define POP2_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 109.
Define POP3_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 110.
Define IMAP_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define IMAP_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 143.
Define SIP_PROXY_IP
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define SIP_PROXY_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 5060:5090,16384:32768.
Define SIP_SERVERS
+ Example: "192.168.1.3/24,192.168.1.4/24". Leave + blank to scan all networks.
Define SIP_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 5060:5090,16384:32768.
Define AUTH_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 113.
Define FINGER_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 79.
Define IRC_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 6665,6666,6667,6668,6669,7000.
Define NNTP_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 119.
Define RLOGIN_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 513.
Define RSH_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 514.
Define SSL_PORTS
+ Example: Specific ports "25,443" or All ports + betwen "5060:5090 . Default is 25,443,465,636,993,995.
  + + +
 Note: +
+ Please save your settings before you click start.
+ +
+
+ + + diff --git a/config/snort-dev/snort_download_rules.php b/config/snort-dev/snort_download_rules.php index 7c6ff65c..dd4ca524 100644 --- a/config/snort-dev/snort_download_rules.php +++ b/config/snort-dev/snort_download_rules.php @@ -1,387 +1,387 @@ - - - - - -' . $pgtitle . '

';}?> - -
- - - - - -
-
- - - - -
- - - - -
/images/misc/progress_bar.gif' - width='280' height='23' name='progressbar' id='progressbar' - alt='' /> -
-
- - -
-
-
-
- - - - - 0) { - update_status(gettext("snort.org md5 temp file exists...")); - } else { - update_status(gettext("Downloading snort.org md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - - //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); - $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); - @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); - update_status(gettext("Done downloading snort.org md5")); - } -} - -/* download md5 sig from emergingthreats.net */ -if ($emergingthreats == 'on') -{ - update_status(gettext("Downloading emergingthreats md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5'); - @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); - update_status(gettext("Done downloading emergingthreats md5")); -} - -/* download md5 sig from pfsense.org */ -if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { - update_status(gettext("pfsense md5 temp file exists...")); -} else { - update_status(gettext("Downloading pfsense md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); - $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); - @file_put_contents("{$tmpfname}/pfsense_rules.tar.gz.md5", $image); - update_status(gettext("Done downloading pfsense md5.")); -} - -/* If md5 file is empty wait 15min exit */ -if ($snortdownload == 'on') -{ - if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) - { - update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); - update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); - hide_progress_bar_status(); - $snortdownload = 'off'; - } -} - -/* If pfsense md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ - update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); - update_output_window(gettext("Rules are released to support Pfsense packages.")); - hide_progress_bar_status(); - $pfsensedownload = 'off'; -} - -/* Check if were up to date snort.org */ -if ($snortdownload == 'on') -{ - if (file_exists("{$snortdir}/{$snort_filename_md5}")) - { - $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); - $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - if ($md5_check_new == $md5_check_old) - { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - hide_progress_bar_status(); - $snort_md5_check_ok = 'on'; - } else { - update_status(gettext("Your rules are not up to date...")); - $snort_md5_check_ok = 'off'; - } - } -} - -/* Check if were up to date emergingthreats.net */ -if ($emergingthreats == 'on') -{ - if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) - { - $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); - $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); - $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - if ($emerg_md5_check_new == $emerg_md5_check_old) - { - hide_progress_bar_status(); - $emerg_md5_check_ok = 'on'; - } else - $emerg_md5_check_ok = 'off'; - } -} - -/* Check if were up to date pfsense.org */ -if ($pfsensedownload == 'on' && file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) -{ - $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); - $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); - $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - if ($pfsense_md5_check_new == $pfsense_md5_check_old) - { - hide_progress_bar_status(); - $pfsense_md5_check_ok = 'on'; - } else - $pfsense_md5_check_ok = 'off'; -} - -if ($snortdownload == 'on') { - if ($snort_md5_check_ok == 'on') - { - update_status(gettext("Your snort.org rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - $snortdownload = 'off'; - } -} -if ($emergingthreats == 'on') { - if ($emerg_md5_check_ok == 'on') - { - update_status(gettext("Your Emergingthreats rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - $emergingthreats = 'off'; - } -} - -/* download snortrules file */ -if ($snortdownload == 'on') -{ - if ($snort_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Snortrule tar file exists...")); - } else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Snort.org rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - if (150000 > filesize("{$tmpfname}/$snort_filename")){ - update_status(gettext("Error with the snort rules download...")); - - update_output_window(gettext("Snort rules file downloaded failed...")); - $snortdownload = 'off'; - } - } - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != 'on') - { - if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) - { - update_status(gettext('Emergingthreats tar file exists...')); - }else{ - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); - update_status(gettext('Done downloading Emergingthreats rules file.')); - } - } -} - -/* download pfsense rules file */ -if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Snortrule tar file exists...")); - } else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); - download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - } -} - -/* Compair md5 sig to file sig */ - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk == on) { -//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md5 == $file_md5_ondisk) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); -// update_output_window(gettext("Error md5 Mismatch...")); -// return; -// } -//} - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk != on) { -//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; -//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md55 == $file_md5_ondisk2) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...Not P")); -// update_output_window(gettext("Error md5 Mismatch...")); -// return; -// } -//} - + + + + + +' . $pgtitle . '

';}?> + +
+ + + + + +
+
+ + + + +
+ + + + +
/images/misc/progress_bar.gif' + width='280' height='23' name='progressbar' id='progressbar' + alt='' /> +
+
+ + +
+
+
+
+ + + + + 0) { + update_status(gettext("snort.org md5 temp file exists...")); + } else { + update_status(gettext("Downloading snort.org md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + + //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); + update_status(gettext("Done downloading snort.org md5")); + } +} + +/* download md5 sig from emergingthreats.net */ +if ($emergingthreats == 'on') +{ + update_status(gettext("Downloading emergingthreats md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $image = @file_get_contents('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz.md5'); + @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); + update_status(gettext("Done downloading emergingthreats md5")); +} + +/* download md5 sig from pfsense.org */ +if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { + update_status(gettext("pfsense md5 temp file exists...")); +} else { + update_status(gettext("Downloading pfsense md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + //$image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); + @file_put_contents("{$tmpfname}/pfsense_rules.tar.gz.md5", $image); + update_status(gettext("Done downloading pfsense md5.")); +} + +/* If md5 file is empty wait 15min exit */ +if ($snortdownload == 'on') +{ + if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) + { + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + hide_progress_bar_status(); + $snortdownload = 'off'; + } +} + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); + update_output_window(gettext("Rules are released to support Pfsense packages.")); + hide_progress_bar_status(); + $pfsensedownload = 'off'; +} + +/* Check if were up to date snort.org */ +if ($snortdownload == 'on') +{ + if (file_exists("{$snortdir}/{$snort_filename_md5}")) + { + $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); + $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); + $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($md5_check_new == $md5_check_old) + { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + $snort_md5_check_ok = 'on'; + } else { + update_status(gettext("Your rules are not up to date...")); + $snort_md5_check_ok = 'off'; + } + } +} + +/* Check if were up to date emergingthreats.net */ +if ($emergingthreats == 'on') +{ + if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) + { + $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($emerg_md5_check_new == $emerg_md5_check_old) + { + hide_progress_bar_status(); + $emerg_md5_check_ok = 'on'; + } else + $emerg_md5_check_ok = 'off'; + } +} + +/* Check if were up to date pfsense.org */ +if ($pfsensedownload == 'on' && file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) +{ + $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + if ($pfsense_md5_check_new == $pfsense_md5_check_old) + { + hide_progress_bar_status(); + $pfsense_md5_check_ok = 'on'; + } else + $pfsense_md5_check_ok = 'off'; +} + +if ($snortdownload == 'on') { + if ($snort_md5_check_ok == 'on') + { + update_status(gettext("Your snort.org rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + $snortdownload = 'off'; + } +} +if ($emergingthreats == 'on') { + if ($emerg_md5_check_ok == 'on') + { + update_status(gettext("Your Emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + $emergingthreats = 'off'; + } +} + +/* download snortrules file */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Snort.org rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + + update_output_window(gettext("Snort rules file downloaded failed...")); + $snortdownload = 'off'; + } + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext('Emergingthreats tar file exists...')); + }else{ + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar('http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz', "{$tmpfname}/{$emergingthreats_filename}"); + update_status(gettext('Done downloading Emergingthreats rules file.')); + } + } +} + +/* download pfsense rules file */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); + download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + } +} + +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// return; +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// return; +// } +//} + /* Untar snort rules file individually to help people with low system specs */ if ($snortdownload == 'on' && $snort_md5_check_ok != 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { @@ -486,291 +486,291 @@ if ($snortdownload == 'on' && $snort_md5_check_ok != 'on') { update_output_window(gettext("Error Line 755")); $snortdownload = 'off'; } -} - -/* Untar emergingthreats rules to tmp */ -if ($emergingthreats == 'on') -{ - if ($emerg_md5_check_ok != 'on') - { - if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) - { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } -} - -/* Untar Pfsense rules to tmp */ -if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Extracting Pfsense rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); - } -} - -/* Untar snort signatures */ -if ($snortdownload == 'on' && $snort_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == 'on') { - update_status(gettext("Extracting Signatures...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - update_status(gettext("Done extracting Signatures.")); - } - } -} - -/* Copy md5 sig to snort dir */ -if ($snortdownload == 'on') -{ - if ($snort_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/$snort_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); - }else{ - update_status(gettext("The md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - $snortdownload = 'off'; - } - } -} - -/* Copy emergingthreats md5 sig to snort dir */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != 'on') - { - if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) - { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); - }else{ - update_status(gettext("The emergingthreats md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - $emergingthreats = 'off'; - } - } -} - -/* Copy Pfsense md5 sig to snort dir */ -if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { - if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { - update_status(gettext("Copying Pfsense md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); - } else { - update_status(gettext("The Pfsense md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - $pfsensedownload = 'off'; - } -} - -/* Copy signatures dir to snort dir */ -if ($snortdownload == 'on') -{ - if ($snort_md5_check_ok != 'on') - { - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == 'on') - { - if (file_exists("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying signatures...")); - update_output_window(gettext("May take a while...")); - exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); - exec("/bin/rm -r {$snortdir}/doc/signatures"); - update_status(gettext("Done copying signatures.")); - }else{ - update_status(gettext("Directory signatures exist...")); - update_output_window(gettext("Error copying signature...")); - $snortdownload = 'off'; - } - } - } -} - -/* double make shure cleanup emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { - apc_clear_cache(); - @unlink("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-botcc.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); - @unlink("/usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); -} - -if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); -} - -/* make shure default rules are in the right format */ +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats == 'on') +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Extracting Pfsense rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); + } +} + +/* Untar snort signatures */ +if ($snortdownload == 'on' && $snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') { + update_status(gettext("Extracting Signatures...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + } + } +} + +/* Copy md5 sig to snort dir */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/$snort_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); + }else{ + update_status(gettext("The md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $snortdownload = 'off'; + } + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != 'on') + { + if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) + { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); + }else{ + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $emergingthreats = 'off'; + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsensedownload == 'on' && $pfsense_md5_check_ok != 'on') { + if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + update_status(gettext("Copying Pfsense md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); + } else { + update_status(gettext("The Pfsense md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + $pfsensedownload = 'off'; + } +} + +/* Copy signatures dir to snort dir */ +if ($snortdownload == 'on') +{ + if ($snort_md5_check_ok != 'on') + { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') + { + if (file_exists("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying signatures...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); + exec("/bin/rm -r {$snortdir}/doc/signatures"); + update_status(gettext("Done copying signatures.")); + }else{ + update_status(gettext("Directory signatures exist...")); + update_output_window(gettext("Error copying signature...")); + $snortdownload = 'off'; + } + } + } +} + +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + @unlink("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-botcc.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + @unlink("/usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +/* make shure default rules are in the right format */ exec("/usr/bin/sed -i '' 's/^[ \t]*//' /usr/local/etc/snort/rules/*.rules"); // remove white spaces from begining of line exec("/usr/bin/sed -i '' 's/^#alert*/\# alert/' /usr/local/etc/snort/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^##alert*/\# alert/' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/bin/sed -i '' 's/^## alert*/\# alert/' /usr/local/etc/snort/rules/*.rules"); - -/* create a msg-map for snort */ -update_status(gettext("Updating Alert Messages...")); -update_output_window(gettext("Please Wait...")); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); - - -////////////////// - -/* open oinkmaster_conf for writing" function */ -function oinkmaster_conf($id, $if_real, $iface_uuid) -{ - global $config, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - - @unlink("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf"); - - /* enable disable setting will carry over with updates */ - /* TODO carry signature changes with the updates */ - if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { - - $selected_sid_on_sections = ""; - $selected_sid_off_sections = ""; - - if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { - $enabled_sid_on = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']); - $enabled_sid_on_array = split('\|\|', $enabled_sid_on); - foreach($enabled_sid_on_array as $enabled_item_on) - $selected_sid_on_sections .= "$enabled_item_on\n"; - } - - if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { - $enabled_sid_off = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']); - $enabled_sid_off_array = split('\|\|', $enabled_sid_off); - foreach($enabled_sid_off_array as $enabled_item_off) - $selected_sid_off_sections .= "$enabled_item_off\n"; - } - - if (!empty($selected_sid_on_sections) || !empty($selected_sid_off_sections)) { - $snort_sid_text = << /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); - } - } -} - -/* Start the proccess for every interface rule */ -/* TODO: try to make the code smother */ -if (is_array($config['installedpackages']['snortglobal']['rule'])) -{ - foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { - $result_lan = $value['interface']; - $if_real = snort_get_real_interface($result_lan); - $iface_uuid = $value['uuid']; - - /* make oinkmaster.conf for each interface rule */ - oinkmaster_conf($id, $if_real, $iface_uuid); - - /* run oinkmaster for each interface rule */ - oinkmaster_run($id, $if_real, $iface_uuid); - } -} - -////////////// - -/* mark the time update finnished */ -$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); - -/* remove old $tmpfname files */ -if (is_dir('/usr/local/etc/snort/tmp')) { - update_status(gettext("Cleaning up...")); - exec("/bin/rm -r /usr/local/etc/snort/tmp/snort_rules_up"); - sleep(2); - exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); -} - -/* XXX: These are needed if snort is run as snort user -mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); -mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); -mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); -*/ -/* make all dirs snorts */ -mwexec("/bin/chmod -R 755 /var/log/snort", true); -mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); -mwexec("/bin/chmod -R 755 /usr/local/lib/snort", true); - -/* hide progress bar and lets end this party */ -hide_progress_bar_status(); - -if ($snortdownload == 'off' && $emergingthreats == 'off' && $pfsensedownload == 'off') - update_output_window(gettext("Finished...")); -else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_md5_check_ok == 'on') - update_output_window(gettext("Finished...")); -else { - /* You are Not Up to date, always stop snort when updating rules for low end machines */; - update_status(gettext("You are NOT up to date...")); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("Snort has restarted with your new set of rules...")); - exec("/bin/rm /tmp/snort_download_halt.pid"); -} - -update_status(gettext("The Rules update finished...")); -conf_mount_ro(); - -?> +exec("/usr/bin/sed -i '' 's/^## alert*/\# alert/' /usr/local/etc/snort/rules/*.rules"); + +/* create a msg-map for snort */ +update_status(gettext("Updating Alert Messages...")); +update_output_window(gettext("Please Wait...")); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); + + +////////////////// + +/* open oinkmaster_conf for writing" function */ +function oinkmaster_conf($id, $if_real, $iface_uuid) +{ + global $config, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + + @unlink("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf"); + + /* enable disable setting will carry over with updates */ + /* TODO carry signature changes with the updates */ + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { + + $selected_sid_on_sections = ""; + $selected_sid_off_sections = ""; + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { + $enabled_sid_on = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']); + $enabled_sid_on_array = split('\|\|', $enabled_sid_on); + foreach($enabled_sid_on_array as $enabled_item_on) + $selected_sid_on_sections .= "$enabled_item_on\n"; + } + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { + $enabled_sid_off = trim($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']); + $enabled_sid_off_array = split('\|\|', $enabled_sid_off); + foreach($enabled_sid_off_array as $enabled_item_off) + $selected_sid_off_sections .= "$enabled_item_off\n"; + } + + if (!empty($selected_sid_on_sections) || !empty($selected_sid_off_sections)) { + $snort_sid_text = << /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); + } + } +} + +/* Start the proccess for every interface rule */ +/* TODO: try to make the code smother */ +if (is_array($config['installedpackages']['snortglobal']['rule'])) +{ + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + $iface_uuid = $value['uuid']; + + /* make oinkmaster.conf for each interface rule */ + oinkmaster_conf($id, $if_real, $iface_uuid); + + /* run oinkmaster for each interface rule */ + oinkmaster_run($id, $if_real, $iface_uuid); + } +} + +////////////// + +/* mark the time update finnished */ +$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); + +/* remove old $tmpfname files */ +if (is_dir('/usr/local/etc/snort/tmp')) { + update_status(gettext("Cleaning up...")); + exec("/bin/rm -r /usr/local/etc/snort/tmp/snort_rules_up"); + sleep(2); + exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); +} + +/* XXX: These are needed if snort is run as snort user +mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); +mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); +mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); +*/ +/* make all dirs snorts */ +mwexec("/bin/chmod -R 755 /var/log/snort", true); +mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); +mwexec("/bin/chmod -R 755 /usr/local/lib/snort", true); + +/* hide progress bar and lets end this party */ +hide_progress_bar_status(); + +if ($snortdownload == 'off' && $emergingthreats == 'off' && $pfsensedownload == 'off') + update_output_window(gettext("Finished...")); +else if ($snort_md5_check_ok == 'on' && $emerg_md5_check_ok == 'on' && $pfsense_md5_check_ok == 'on') + update_output_window(gettext("Finished...")); +else { + /* You are Not Up to date, always stop snort when updating rules for low end machines */; + update_status(gettext("You are NOT up to date...")); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("Snort has restarted with your new set of rules...")); + exec("/bin/rm /tmp/snort_download_halt.pid"); +} + +update_status(gettext("The Rules update finished...")); +conf_mount_ro(); + +?> diff --git a/config/snort-dev/snort_download_updates.php b/config/snort-dev/snort_download_updates.php index e902cd64..22b8fcba 100644 --- a/config/snort-dev/snort_download_updates.php +++ b/config/snort-dev/snort_download_updates.php @@ -1,322 +1,322 @@ -. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -global $g; - -/* load only javascript that is needed */ -$snort_load_jquery = 'yes'; -$snort_load_jquery_colorbox = 'yes'; - - -/* quick md5s chk */ -$snort_org_sig_chk_local = 'N/A'; -if (file_exists("/usr/local/etc/snort/{$snort_rules_file}.md5")) - $snort_org_sig_chk_local = exec("/bin/cat /usr/local/etc/snort/{$snort_rules_file}.md5"); - -$emergingt_net_sig_chk_local = 'N/A'; -if(file_exists('/usr/local/etc/snort/emerging.rules.tar.gz.md5')) - $emergingt_net_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/emerging.rules.tar.gz.md5'); - -$pfsense_org_sig_chk_local = 'N/A'; -if(file_exists('/usr/local/etc/snort/pfsense_rules.tar.gz.md5')) - $pfsense_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/pfsense_rules.tar.gz.md5'); - -/* define checks */ -$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; -$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; -$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; - -if ($snortdownload != 'on' && $emergingthreats != 'on') - $snort_emrging_info = 'stop'; - -if ($oinkid == '' && $snortdownload != 'off') - $snort_oinkid_info = 'stop'; - -if ($snort_emrging_info == 'stop' || $snort_oinkid_info == 'stop') - $error_stop = 'true'; - -/* check if main rule directory is empty */ -$if_mrule_dir = "/usr/local/etc/snort/rules"; -$mfolder_chk = (count(glob("$if_mrule_dir/*")) === 0) ? 'empty' : 'full'; - -/* check for logfile */ -$update_logfile_chk = 'no'; -if (file_exists('/usr/local/etc/snort/snort_update.log')) - $update_logfile_chk = 'yes'; - -header("snort_help_info.php"); -header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" ); -header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" ); -header( "Cache-Control: no-cache, must-revalidate" ); -header( "Pragma: no-cache" ); - - -$pgtitle = "Services: Snort: Updates"; -include_once("head.inc"); - -?> - - - - - - - -' . $pgtitle . '

';}?> - - - - - - - - -
- -
-
- - - - -
- - - - -
-
-
-
- -
- - - - - -
-
- - INSTALLED SIGNATURE RULESET
-
-

SNORT.ORG >>>  
- EMERGINGTHREATS.NET >>>  
- PFSENSE.ORG >>>  
-

- -
-
- -
- - - - - - -
-
-
-
- -
- - - - - -
-
- - UPDATE YOUR RULES
-
- - Update Rules    
-

- WARNING:  No rule types have been selected for download. "Global Settings Tab"
'; - - if ($mfolder_chk == 'empty') { - - echo ' - WARNING:  The main rules directory is empty. /usr/local/etc/snort/rules' ."\n"; - } - - echo '

' . "\n"; - - }else{ - - echo ' - -
' . "\n"; - - if ($mfolder_chk == 'empty') { - - echo ' -

- WARNING:  The main rules directory is empty. /usr/local/etc/snort/rules -

'; - } - - } - - ?>
- -
-
- -
- - - - - -
-
- - VIEW UPDATE LOG
-
- - Update Log    ' . "\n"; - }else{ - echo ' - ' . "\n"; - } - - ?>
-
- -
-
- -
- - - - - -
-
-
-
- -
- - - - - -
-
- - NOTE:  Snort.org and Emergingthreats.net - will go down from time to time. Please be patient.
-
- -
- - - - - -
-
-
-
- -
-
- - - - - -
-
- - - - - - - - +. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +/* load only javascript that is needed */ +$snort_load_jquery = 'yes'; +$snort_load_jquery_colorbox = 'yes'; + + +/* quick md5s chk */ +$snort_org_sig_chk_local = 'N/A'; +if (file_exists("/usr/local/etc/snort/{$snort_rules_file}.md5")) + $snort_org_sig_chk_local = exec("/bin/cat /usr/local/etc/snort/{$snort_rules_file}.md5"); + +$emergingt_net_sig_chk_local = 'N/A'; +if(file_exists('/usr/local/etc/snort/emerging.rules.tar.gz.md5')) + $emergingt_net_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/emerging.rules.tar.gz.md5'); + +$pfsense_org_sig_chk_local = 'N/A'; +if(file_exists('/usr/local/etc/snort/pfsense_rules.tar.gz.md5')) + $pfsense_org_sig_chk_local = exec('/bin/cat /usr/local/etc/snort/pfsense_rules.tar.gz.md5'); + +/* define checks */ +$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; + +if ($snortdownload != 'on' && $emergingthreats != 'on') + $snort_emrging_info = 'stop'; + +if ($oinkid == '' && $snortdownload != 'off') + $snort_oinkid_info = 'stop'; + +if ($snort_emrging_info == 'stop' || $snort_oinkid_info == 'stop') + $error_stop = 'true'; + +/* check if main rule directory is empty */ +$if_mrule_dir = "/usr/local/etc/snort/rules"; +$mfolder_chk = (count(glob("$if_mrule_dir/*")) === 0) ? 'empty' : 'full'; + +/* check for logfile */ +$update_logfile_chk = 'no'; +if (file_exists('/usr/local/etc/snort/snort_update.log')) + $update_logfile_chk = 'yes'; + +header("snort_help_info.php"); +header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" ); +header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" ); +header( "Cache-Control: no-cache, must-revalidate" ); +header( "Pragma: no-cache" ); + + +$pgtitle = "Services: Snort: Updates"; +include_once("head.inc"); + +?> + + + + + + + +' . $pgtitle . '

';}?> + + + + + + + + +
+ +
+
+ + + + +
+ + + + +
+
+
+
+ +
+ + + + + +
+
+ + INSTALLED SIGNATURE RULESET
+
+

SNORT.ORG >>>  
+ EMERGINGTHREATS.NET >>>  
+ PFSENSE.ORG >>>  
+

+ +
+
+ +
+ + + + + + +
+
+
+
+ +
+ + + + + +
+
+ + UPDATE YOUR RULES
+
+ + Update Rules    
+

+ WARNING:  No rule types have been selected for download. "Global Settings Tab"
'; + + if ($mfolder_chk == 'empty') { + + echo ' + WARNING:  The main rules directory is empty. /usr/local/etc/snort/rules' ."\n"; + } + + echo '

' . "\n"; + + }else{ + + echo ' + +
' . "\n"; + + if ($mfolder_chk == 'empty') { + + echo ' +

+ WARNING:  The main rules directory is empty. /usr/local/etc/snort/rules +

'; + } + + } + + ?>
+ +
+
+ +
+ + + + + +
+
+ + VIEW UPDATE LOG
+
+ + Update Log    ' . "\n"; + }else{ + echo ' + ' . "\n"; + } + + ?>
+
+ +
+
+ +
+ + + + + +
+
+
+
+ +
+ + + + + +
+
+ + NOTE:  Snort.org and Emergingthreats.net + will go down from time to time. Please be patient.
+
+ +
+ + + + + +
+
+
+
+ +
+
+ + + + + +
+
+ + + + + + + + diff --git a/config/snort-dev/snort_interfaces.php b/config/snort-dev/snort_interfaces.php index 86a9aff6..a9d9f99b 100644 --- a/config/snort-dev/snort_interfaces.php +++ b/config/snort-dev/snort_interfaces.php @@ -1,437 +1,448 @@ -. -Copyright (C) 2008-2009 Robert Zelaya. -Copyright (C) 2011 Ermal Luci -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -1. Redistributions of source code must retain the above copyright notice, -this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE. -*/ - -$nocsrf = true; -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -global $g; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) - $config['installedpackages']['snortglobal']['rule'] = array(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; -$id_gen = count($config['installedpackages']['snortglobal']['rule']); - -if (isset($_POST['del_x'])) { - /* delete selected rules */ - if (is_array($_POST['rule'])) { - conf_mount_rw(); - foreach ($_POST['rule'] as $rulei) { - - /* convert fake interfaces to real */ - $if_real = snort_get_real_interface($a_nat[$rulei]['interface']); - $snort_uuid = $a_nat[$rulei]['uuid']; - - Running_Stop($snort_uuid,$if_real, $rulei); - - unset($a_nat[$rulei]); - } - conf_mount_ro(); - - write_config(); - sleep(2); - - /* if there are no ifaces do not create snort.sh */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) - create_snort_sh(); - else { - conf_mount_rw(); - exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); - conf_mount_ro(); - } - - sync_snort_package_config(); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: /snort/snort_interfaces.php"); - exit; - } - -} - - -/* start/stop snort */ -if ($_GET['act'] == 'toggle' && is_numeric($id)) { - - $if_real = snort_get_real_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - - /* Log Iface stop */ - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Toggle for {$snort_uuid}_{$if_real}...'"); - - sync_snort_package_config(); - - $tester2 = Running_Ck($snort_uuid, $if_real, $id); - - if ($tester2 == 'yes') { - Running_Stop($snort_uuid, $if_real, $id); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - - } else { - Running_Start($snort_uuid, $if_real, $id); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - } - sleep(4); // So the GUI reports correctly - header("Location: /snort/snort_interfaces.php"); - exit; -} - - -$pgtitle = "Services: $snort_package_version"; -include_once("head.inc"); - -?> - - -' . $pgtitle . '

'; -?> - - - -
-'; - - if($savemsg) - print_info_box_np2("{$savemsg}"); - else { - print_info_box_np2(' - The Snort configuration has changed for one or more interfaces.
- You must apply the changes in order for them to take effect.
- '); - } - } -?> - - - - - - -
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  IfSnortPerformanceBlockBarnyard2Description - - - - - -
-
- - - - - - - - -   - - - - - -
- -
- - - - -
-
-
-
- -
- - - - -
-
- - - - -
Note:
- This is the Snort Menu where you can see an over - view of all your interface settings.
- Please edit the Global Settings tab before adding - an interface.
-
- Warning:
- New settings will not take effect until interface restart. -
-
- Click on the icon to add a - interface.                                            Click - on the icon to start - snort and barnyard2.
- Click on the icon to edit a - interface and settings.                       Click - on the icon to stop - snort and barnyard2.
- Click on the icon to - delete a interface and settings.
-
- -
- - "") { - echo ""; - } - ?>
- - -
-
-
- - - -
SNORT registered ļæ½ by Sourcefire, Inc, Barnyard2 -registered ļæ½ by securixlive.com, Orion registered ļæ½ by Robert Zelaya, -Emergingthreats registered ļæ½ by emergingthreats.net, Mysql registered ļæ½ -by Mysql.com
- - - - - - - - +. +Copyright (C) 2008-2009 Robert Zelaya. +Copyright (C) 2011 Ermal Luci +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, +this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. +*/ + +$nocsrf = true; +require_once("/usr/local/www/guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; +$id_gen = count($config['installedpackages']['snortglobal']['rule']); + +if (isset($_POST['del_x'])) { + /* delete selected rules */ + if (is_array($_POST['rule'])) { + conf_mount_rw(); + foreach ($_POST['rule'] as $rulei) { + + /* convert fake interfaces to real */ + $if_real = snort_get_real_interface($a_nat[$rulei]['interface']); + $snort_uuid = $a_nat[$rulei]['uuid']; + + Running_Stop($snort_uuid,$if_real, $rulei); + + /* delete iface rule dirs */ + if (file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}")) { + exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + } + if (file_exists("/var/log/snort/{$snort_uuid}_{$if_real}")) { + exec("/bin/rm -r /var/log/snort/{$snort_uuid}_{$if_real}"); + } + if (file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}")) { + exec("/bin/rm -r /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}"); + } + + unset($a_nat[$rulei]); + } + conf_mount_ro(); + + write_config(); + sleep(2); + + /* if there are no ifaces do not create snort.sh */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + create_snort_sh(); + else { + conf_mount_rw(); + exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); + conf_mount_ro(); + } + + sync_snort_package_config(); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces.php"); + exit; + } + +} + + +/* start/stop snort */ +if ($_GET['act'] == 'toggle' && is_numeric($id)) { + + $if_real = snort_get_real_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Toggle for {$snort_uuid}_{$if_real}...'"); + + sync_snort_package_config(); + + $tester2 = Running_Ck($snort_uuid, $if_real, $id); + + if ($tester2 == 'yes') { + Running_Stop($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + + } else { + Running_Start($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + } + sleep(4); // So the GUI reports correctly + header("Location: /snort/snort_interfaces.php"); + exit; +} + + +$pgtitle = "Services: $snort_package_version"; +include_once("head.inc"); + +?> + + +' . $pgtitle . '

'; +?> + + + +
+'; + + if($savemsg) + print_info_box_np2("{$savemsg}"); + else { + print_info_box_np2(' + The Snort configuration has changed for one or more interfaces.
+ You must apply the changes in order for them to take effect.
+ '); + } + } +?> + + + + + + +
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
  IfSnortPerformanceBlockBarnyard2Description + + + + + +
+
+ + + + + + + + +   + + + + + +
+ +
+ + + + +
+
+
+
+ +
+ + + + +
+
+ + + + +
Note:
+ This is the Snort Menu where you can see an over + view of all your interface settings.
+ Please edit the Global Settings tab before adding + an interface.
+
+ Warning:
+ New settings will not take effect until interface restart. +
+
+ Click on the icon to add a + interface.                                            Click + on the icon to start + snort and barnyard2.
+ Click on the icon to edit a + interface and settings.                       Click + on the icon to stop + snort and barnyard2.
+ Click on the icon to + delete a interface and settings.
+
+ +
+ + "") { + echo ""; + } + ?>
+ + +
+
+
+ + + +
SNORT registered ļæ½ by Sourcefire, Inc, Barnyard2 +registered ļæ½ by securixlive.com, Orion registered ļæ½ by Robert Zelaya, +Emergingthreats registered ļæ½ by emergingthreats.net, Mysql registered ļæ½ +by Mysql.com
+ + + + + + + + diff --git a/config/snort-dev/snort_interfaces_edit.php b/config/snort-dev/snort_interfaces_edit.php index f3d96848..01eed2e7 100644 --- a/config/snort-dev/snort_interfaces_edit.php +++ b/config/snort-dev/snort_interfaces_edit.php @@ -1,733 +1,755 @@ -. - Copyright (C) 2008-2009 Robert Zelaya. - Copyright (C) 2011 Ermal Luci - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -global $g; - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) - $config['installedpackages']['snortglobal']['rule'] = array(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; -if (is_null($id)) { - header("Location: /snort/snort_interfaces.php"); - exit; -} - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; - $after = $_GET['dup']; -} - - -/* always have a limit of (65535) numbers only or snort will not start do to id limits */ -/* TODO: When inline gets added make the uuid the port number lisstening */ -$pconfig = array(); - -/* gen uuid for each iface !inportant */ -if (empty($config['installedpackages']['snortglobal']['rule'][$id]['uuid'])) { - //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); - $snort_uuid = 0; - while ($snort_uuid > 65535 || $snort_uuid == 0) { - $snort_uuid = mt_rand(1, 65535); - $pconfig['uuid'] = $snort_uuid; - } -} else { - $snort_uuid = $a_nat[$id]['uuid']; - $pconfig['uuid'] = $snort_uuid; -} - -if (isset($id) && $a_nat[$id]) { - - /* old options */ - $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; - $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; - $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; - $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; - $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; - $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; - $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; - $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; - $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; - $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; - $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; - $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; - $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; - $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; - $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; - $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; - $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; - $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; - $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; - $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; - $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; - $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; - $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; - $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; - $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; - $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; - $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; - $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; - $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; - $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; - $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; - $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; - $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; - $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; - $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['def_sip_servers'] = $a_nat[$id]['def_sip_servers']; - $pconfig['def_sip_ports'] = $a_nat[$id]['def_sip_ports']; - $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; - $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; - $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; - $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; - $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; - $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; - $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; - $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; - $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; - $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['descr'] = $a_nat[$id]['descr']; - $pconfig['performance'] = $a_nat[$id]['performance']; - $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; - $pconfig['blockoffenderskill'] = $a_nat[$id]['blockoffenderskill']; - $pconfig['blockoffendersip'] = $a_nat[$id]['blockoffendersip']; - $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; - $pconfig['homelistname'] = $a_nat[$id]['homelistname']; - $pconfig['externallistname'] = $a_nat[$id]['externallistname']; - $pconfig['suppresslistname'] = $a_nat[$id]['suppresslistname']; - $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; - $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; - $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; - $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; - $pconfig['configpassthru'] = base64_decode($a_nat[$id]['configpassthru']); - $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; - $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; - $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; - - - if (!$pconfig['interface']) - $pconfig['interface'] = "wan"; - } else - $pconfig['interface'] = "wan"; - -/* convert fake interfaces to real */ -$if_real = snort_get_real_interface($pconfig['interface']); - -if (isset($_GET['dup'])) - unset($id); - - /* alert file */ - $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; - - if ($_POST["Submit"]) { - - if ($_POST['descr'] == '' && $pconfig['descr'] == '') { - $input_errors[] = "Please enter a description for your reference."; - } - - if ($id == "" && $config['installedpackages']['snortglobal']['rule'][0]['interface'] != "") { - - $rule_array = $config['installedpackages']['snortglobal']['rule']; - foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { - - $result_lan = $value['interface']; - $if_real = snort_get_real_interface($result_lan); - - if ($_POST['interface'] == $result_lan) - $input_errors[] = "Interface $result_lan is in use. Please select another interface."; - } - } - - /* XXX: Void code - * check for overlaps - foreach ($a_nat as $natent) { - if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) - continue; - if ($natent['interface'] != $_POST['interface']) - continue; - } - */ - - /* if no errors write to conf */ - if (!$input_errors) { - $natent = array(); - - /* write to conf for 1st time or rewrite the answer */ - if ($_POST['interface']) - $natent['interface'] = $_POST['interface']; - - /* if post write to conf or rewite the answer */ - $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; - $natent['uuid'] = $pconfig['uuid']; - $natent['descr'] = $_POST['descr'] ? $_POST['descr'] : $pconfig['descr']; - $natent['performance'] = $_POST['performance'] ? $_POST['performance'] : $pconfig['performance']; - /* if post = on use on off or rewrite the conf */ - if ($_POST['blockoffenders7'] == "on") - $natent['blockoffenders7'] = 'on'; - else - $natent['blockoffenders7'] = 'off'; - if ($_POST['blockoffenderskill'] == "on") - $natent['blockoffenderskill'] = 'on'; - if ($_POST['blockoffendersip']) - $natent['blockoffendersip'] = $_POST['blockoffendersip']; - - $natent['whitelistname'] = $_POST['whitelistname'] ? $_POST['whitelistname'] : $pconfig['whitelistname']; - $natent['homelistname'] = $_POST['homelistname'] ? $_POST['homelistname'] : $pconfig['homelistname']; - $natent['externallistname'] = $_POST['externallistname'] ? $_POST['externallistname'] : $pconfig['externallistname']; - $natent['suppresslistname'] = $_POST['suppresslistname'] ? $_POST['suppresslistname'] : $pconfig['suppresslistname']; - $natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? $_POST['snortalertlogtype'] : $pconfig['snortalertlogtype']; - if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = 'on'; }else{ $natent['alertsystemlog'] = 'off'; } - if ($_POST['enable']) { $natent['enable'] = 'on'; } else unset($natent['enable']); - if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = 'on'; }else{ $natent['tcpdumplog'] = 'off'; } - if ($_POST['snortunifiedlog'] == "on") { $natent['snortunifiedlog'] = 'on'; }else{ $natent['snortunifiedlog'] = 'off'; } - $natent['configpassthru'] = $_POST['configpassthru'] ? base64_encode($_POST['configpassthru']) : $pconfig['configpassthru']; - /* if optiion = 0 then the old descr way will not work */ - - /* rewrite the options that are not in post */ - /* make shure values are set befor repost or conf.xml will be broken */ - if ($pconfig['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $pconfig['def_ssl_ports_ignore']; } - if ($pconfig['flow_depth'] != "") { $natent['flow_depth'] = $pconfig['flow_depth']; } - if ($pconfig['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $pconfig['max_queued_bytes']; } - if ($pconfig['max_queued_segs'] != "") { $natent['max_queued_segs'] = $pconfig['max_queued_segs']; } - if ($pconfig['perform_stat'] != "") { $natent['perform_stat'] = $pconfig['perform_stat']; } - if ($pconfig['http_inspect'] != "") { $natent['http_inspect'] = $pconfig['http_inspect']; } - if ($pconfig['other_preprocs'] != "") { $natent['other_preprocs'] = $pconfig['other_preprocs']; } - if ($pconfig['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $pconfig['ftp_preprocessor']; } - if ($pconfig['smtp_preprocessor'] != "") { $natent['smtp_preprocessor'] = $pconfig['smtp_preprocessor']; } - if ($pconfig['sf_portscan'] != "") { $natent['sf_portscan'] = $pconfig['sf_portscan']; } - if ($pconfig['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $pconfig['dce_rpc_2']; } - if ($pconfig['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $pconfig['dns_preprocessor']; } - if ($pconfig['def_dns_servers'] != "") { $natent['def_dns_servers'] = $pconfig['def_dns_servers']; } - if ($pconfig['def_dns_ports'] != "") { $natent['def_dns_ports'] = $pconfig['def_dns_ports']; } - if ($pconfig['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $pconfig['def_smtp_servers']; } - if ($pconfig['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $pconfig['def_smtp_ports']; } - if ($pconfig['def_mail_ports'] != "") { $natent['def_mail_ports'] = $pconfig['def_mail_ports']; } - if ($pconfig['def_http_servers'] != "") { $natent['def_http_servers'] = $pconfig['def_http_servers']; } - if ($pconfig['def_www_servers'] != "") { $natent['def_www_servers'] = $pconfig['def_www_servers']; } - if ($pconfig['def_http_ports'] != "") { $natent['def_http_ports'] = $pconfig['def_http_ports']; } - if ($pconfig['def_sql_servers'] != "") { $natent['def_sql_servers'] = $pconfig['def_sql_servers']; } - if ($pconfig['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $pconfig['def_oracle_ports']; } - if ($pconfig['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $pconfig['def_mssql_ports']; } - if ($pconfig['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $pconfig['def_telnet_servers']; } - if ($pconfig['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $pconfig['def_telnet_ports']; } - if ($pconfig['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $pconfig['def_snmp_servers']; } - if ($pconfig['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $pconfig['def_snmp_ports']; } - if ($pconfig['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $pconfig['def_ftp_servers']; } - if ($pconfig['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $pconfig['def_ftp_ports']; } - if ($pconfig['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $pconfig['def_ssh_servers']; } - if ($pconfig['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $pconfig['def_ssh_ports']; } - if ($pconfig['def_pop_servers'] != "") { $natent['def_pop_servers'] = $pconfig['def_pop_servers']; } - if ($pconfig['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $pconfig['def_pop2_ports']; } - if ($pconfig['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $pconfig['def_pop3_ports']; } - if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } - if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } - if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } - if ($pconfig['def_sip_servers'] != "") { $natent['def_sip_servers'] = $pconfig['def_sip_servers']; }else{ $natent['def_sip_servers'] = ""; } - if ($pconfig['def_sip_ports'] != "") { $natent['def_sip_ports'] = $pconfig['def_sip_ports']; }else{ $natent['def_sip_ports'] = ""; } - if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } - if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } - if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } - if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } - if ($pconfig['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $pconfig['def_nntp_ports']; } - if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; } - if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; } - if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } - if ($pconfig['barnyard_enable'] != "") { $natent['barnyard_enable'] = $pconfig['barnyard_enable']; } - if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } - if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } - if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } - if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } - if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } - - - $if_real = snort_get_real_interface($natent['interface']); - - if (isset($id) && $a_nat[$id]) { - if ($natent['interface'] != $a_nat[$id]['interface']) - Running_Stop($snort_uuid, $if_real, $id); - $a_nat[$id] = $natent; - } else { - if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); - else - $a_nat[] = $natent; - } - - write_config(); - - sync_snort_package_config(); - sleep(1); - - /* if snort.sh crashed this will remove the pid */ - exec('/bin/rm /tmp/snort.sh.pid'); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: /snort/snort_interfaces.php"); - - exit; - } - } - - if ($_POST["Submit2"]) { - - sync_snort_package_config(); - sleep(1); - - Running_Start($snort_uuid, $if_real, $id); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: /snort/snort_interfaces_edit.php?id=$id"); - exit; - } - -$pgtitle = "Snort: Interface Edit: $id $snort_uuid $if_real"; -include_once("head.inc"); - -?> - - - - - - -' . $pgtitle . '

';}?> - - - -
" method="post" enctype="multipart/form-data" name="iform" id="iform"> -'; - - if($savemsg) - print_info_box_np2("{$savemsg}"); - else { - print_info_box_np2(' - The Snort configuration has changed and snort needs to be restarted on this interface.
- You must apply the changes in order for them to take effect.
- '); - } - } -?> - - - - - - - -
- -
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
General Settings
Enable  - // care with spaces - if ($pconfig['enable'] == "on") - $checked = checked; - - $onclick_enable = "onClick=\"enable_change(false)\">"; - - echo " - \n\n"; - ?>
Interface -
- Choose which interface this rule applies to.
- Hint: in most cases, you'll want to use WAN here.
Description
- You may enter a description here for your - reference (not parsed).
Memory Performance
- Lowmem and ac-bnfa are recommended for low end - systems, Ac: high memory, best performance, ac-std: moderate - memory,high performance, acs: small memory, moderateperformance, - ac-banded: small memory,moderate performance, ac-sparsebands: small - memory, high performance.
-
Choose the networks - snort should inspect and whitelist.
Home net
- Choose the home net you will like this rule to - use.  
Note: Default home - net adds only local networks.
- Hint: Most users add a list of - friendly ips that the firewall cant see.
External net
- Choose the external net you will like this rule - to use.  
Note: Default - external net, networks that are not home net.
- Hint: Most users should leave this - setting at default.
Block offenders - - onClick="enable_blockoffenders()">
- Checking this option will automatically block hosts that generate a - Snort alert.
Kill states - > -
Should firewall states be killed for the blocked ip -
Which ip to block - -
Which ip extracted from the packet you want to block -
Whitelist -
- Choose the whitelist you will like this rule to - use.  
Note: Default - whitelist adds only local networks.
- Note: This option will only be used when block offenders is on. -
Suppression and - filtering -
- Choose the suppression or filtering file you - will like this rule to use.  
Note: Default - option disables suppression and filtering.
Choose the types of - logs snort should create.
Send alerts to main - System logs - onClick="enable_change(false)">
- Snort will send Alerts to the firewall's system logs.
Log to a Tcpdump file - onClick="enable_change(false)">
- Snort will log packets to a tcpdump-formatted file. The file then - can be analyzed by an application such as Wireshark which - understands pcap file formats. WARNING: - File may become large.
Log Alerts to a snort - unified2 file - onClick="enable_change(false)">
- Snort will log Alerts to a file in the UNIFIED2 format. This is a - requirement for barnyard2.
Arguments here will - be automatically inserted into the snort configuration.
Advanced configuration - pass through -
- - -
 Note: -
- Please save your settings before you click start.
- -
-
- - - - - - +. + Copyright (C) 2008-2009 Robert Zelaya. + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("/usr/local/www/guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + + +/* always have a limit of (65535) numbers only or snort will not start do to id limits */ +/* TODO: When inline gets added make the uuid the port number lisstening */ +$pconfig = array(); + +/* gen uuid for each iface !inportant */ +if (empty($config['installedpackages']['snortglobal']['rule'][$id]['uuid'])) { + //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); + $snort_uuid = 0; + while ($snort_uuid > 65535 || $snort_uuid == 0) { + $snort_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $snort_uuid; + } +} else { + $snort_uuid = $a_nat[$id]['uuid']; + $pconfig['uuid'] = $snort_uuid; +} + +if (isset($id) && $a_nat[$id]) { + + /* old options */ + $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; + $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; + $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; + $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; + $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; + $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; + $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; + $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; + $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; + $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; + $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; + $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; + $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; + $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; + $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; + $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; + $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; + $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; + $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; + $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; + $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; + $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; + $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; + $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; + $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; + $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; + $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; + $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; + $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; + $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; + $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; + $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; + $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; + $pconfig['def_sip_servers'] = $a_nat[$id]['def_sip_servers']; + $pconfig['def_sip_ports'] = $a_nat[$id]['def_sip_ports']; + $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; + $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; + $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; + $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; + $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; + $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; + $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; + $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; + $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; + $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['performance'] = $a_nat[$id]['performance']; + $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; + $pconfig['blockoffenderskill'] = $a_nat[$id]['blockoffenderskill']; + $pconfig['blockoffendersip'] = $a_nat[$id]['blockoffendersip']; + $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; + $pconfig['homelistname'] = $a_nat[$id]['homelistname']; + $pconfig['externallistname'] = $a_nat[$id]['externallistname']; + $pconfig['suppresslistname'] = $a_nat[$id]['suppresslistname']; + $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; + $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; + $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; + $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; + $pconfig['snortalertcvs'] = $a_nat[$id]['snortalertcvs']; + $pconfig['snortunifiedlogbasic'] = $a_nat[$id]['snortunifiedlogbasic']; + $pconfig['configpassthru'] = base64_decode($a_nat[$id]['configpassthru']); + $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; + $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; + $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; + + + if (!$pconfig['interface']) + $pconfig['interface'] = "wan"; + } else + $pconfig['interface'] = "wan"; + +/* convert fake interfaces to real */ +$if_real = snort_get_real_interface($pconfig['interface']); + +if (isset($_GET['dup'])) + unset($id); + + /* alert file */ + $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + + if ($_POST["Submit"]) { + + if ($_POST['descr'] == '' && $pconfig['descr'] == '') { + $input_errors[] = "Please enter a description for your reference."; + } + + if ($id == "" && $config['installedpackages']['snortglobal']['rule'][0]['interface'] != "") { + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + + if ($_POST['interface'] == $result_lan) + $input_errors[] = "Interface $result_lan is in use. Please select another interface."; + } + } + + /* XXX: Void code + * check for overlaps + foreach ($a_nat as $natent) { + if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) + continue; + if ($natent['interface'] != $_POST['interface']) + continue; + } + */ + + /* if no errors write to conf */ + if (!$input_errors) { + $natent = array(); + + /* write to conf for 1st time or rewrite the answer */ + if ($_POST['interface']) + $natent['interface'] = $_POST['interface']; + + /* if post write to conf or rewite the answer */ + $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; + $natent['uuid'] = $pconfig['uuid']; + $natent['descr'] = $_POST['descr'] ? $_POST['descr'] : $pconfig['descr']; + $natent['performance'] = $_POST['performance'] ? $_POST['performance'] : $pconfig['performance']; + /* if post = on use on off or rewrite the conf */ + if ($_POST['blockoffenders7'] == "on") + $natent['blockoffenders7'] = 'on'; + else + $natent['blockoffenders7'] = 'off'; + if ($_POST['blockoffenderskill'] == "on") + $natent['blockoffenderskill'] = 'on'; + if ($_POST['blockoffendersip']) + $natent['blockoffendersip'] = $_POST['blockoffendersip']; + + $natent['whitelistname'] = $_POST['whitelistname'] ? $_POST['whitelistname'] : $pconfig['whitelistname']; + $natent['homelistname'] = $_POST['homelistname'] ? $_POST['homelistname'] : $pconfig['homelistname']; + $natent['externallistname'] = $_POST['externallistname'] ? $_POST['externallistname'] : $pconfig['externallistname']; + $natent['suppresslistname'] = $_POST['suppresslistname'] ? $_POST['suppresslistname'] : $pconfig['suppresslistname']; + $natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? $_POST['snortalertlogtype'] : $pconfig['snortalertlogtype']; + if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = 'on'; }else{ $natent['alertsystemlog'] = 'off'; } + if ($_POST['enable']) { $natent['enable'] = 'on'; } else unset($natent['enable']); + if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = 'on'; }else{ $natent['tcpdumplog'] = 'off'; } + if ($_POST['snortunifiedlog'] == "on") { $natent['snortunifiedlog'] = 'on'; }else{ $natent['snortunifiedlog'] = 'off'; } + if ($_POST['snortalertcvs'] == "on") { $natent['snortalertcvs'] = 'on'; }else{ $natent['snortalertcvs'] = 'off'; } + if ($_POST['snortunifiedlogbasic'] == "on") { $natent['snortunifiedlogbasic'] = 'on'; }else{ $natent['snortunifiedlogbasic'] = 'off'; } + $natent['configpassthru'] = $_POST['configpassthru'] ? base64_encode($_POST['configpassthru']) : $pconfig['configpassthru']; + /* if optiion = 0 then the old descr way will not work */ + + /* rewrite the options that are not in post */ + /* make shure values are set befor repost or conf.xml will be broken */ + if ($pconfig['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $pconfig['def_ssl_ports_ignore']; } + if ($pconfig['flow_depth'] != "") { $natent['flow_depth'] = $pconfig['flow_depth']; } + if ($pconfig['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $pconfig['max_queued_bytes']; } + if ($pconfig['max_queued_segs'] != "") { $natent['max_queued_segs'] = $pconfig['max_queued_segs']; } + if ($pconfig['perform_stat'] != "") { $natent['perform_stat'] = $pconfig['perform_stat']; } + if ($pconfig['http_inspect'] != "") { $natent['http_inspect'] = $pconfig['http_inspect']; } + if ($pconfig['other_preprocs'] != "") { $natent['other_preprocs'] = $pconfig['other_preprocs']; } + if ($pconfig['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $pconfig['ftp_preprocessor']; } + if ($pconfig['smtp_preprocessor'] != "") { $natent['smtp_preprocessor'] = $pconfig['smtp_preprocessor']; } + if ($pconfig['sf_portscan'] != "") { $natent['sf_portscan'] = $pconfig['sf_portscan']; } + if ($pconfig['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $pconfig['dce_rpc_2']; } + if ($pconfig['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $pconfig['dns_preprocessor']; } + if ($pconfig['def_dns_servers'] != "") { $natent['def_dns_servers'] = $pconfig['def_dns_servers']; } + if ($pconfig['def_dns_ports'] != "") { $natent['def_dns_ports'] = $pconfig['def_dns_ports']; } + if ($pconfig['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $pconfig['def_smtp_servers']; } + if ($pconfig['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $pconfig['def_smtp_ports']; } + if ($pconfig['def_mail_ports'] != "") { $natent['def_mail_ports'] = $pconfig['def_mail_ports']; } + if ($pconfig['def_http_servers'] != "") { $natent['def_http_servers'] = $pconfig['def_http_servers']; } + if ($pconfig['def_www_servers'] != "") { $natent['def_www_servers'] = $pconfig['def_www_servers']; } + if ($pconfig['def_http_ports'] != "") { $natent['def_http_ports'] = $pconfig['def_http_ports']; } + if ($pconfig['def_sql_servers'] != "") { $natent['def_sql_servers'] = $pconfig['def_sql_servers']; } + if ($pconfig['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $pconfig['def_oracle_ports']; } + if ($pconfig['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $pconfig['def_mssql_ports']; } + if ($pconfig['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $pconfig['def_telnet_servers']; } + if ($pconfig['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $pconfig['def_telnet_ports']; } + if ($pconfig['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $pconfig['def_snmp_servers']; } + if ($pconfig['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $pconfig['def_snmp_ports']; } + if ($pconfig['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $pconfig['def_ftp_servers']; } + if ($pconfig['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $pconfig['def_ftp_ports']; } + if ($pconfig['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $pconfig['def_ssh_servers']; } + if ($pconfig['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $pconfig['def_ssh_ports']; } + if ($pconfig['def_pop_servers'] != "") { $natent['def_pop_servers'] = $pconfig['def_pop_servers']; } + if ($pconfig['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $pconfig['def_pop2_ports']; } + if ($pconfig['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $pconfig['def_pop3_ports']; } + if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } + if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } + if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } + if ($pconfig['def_sip_servers'] != "") { $natent['def_sip_servers'] = $pconfig['def_sip_servers']; }else{ $natent['def_sip_servers'] = ""; } + if ($pconfig['def_sip_ports'] != "") { $natent['def_sip_ports'] = $pconfig['def_sip_ports']; }else{ $natent['def_sip_ports'] = ""; } + if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } + if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } + if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } + if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } + if ($pconfig['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $pconfig['def_nntp_ports']; } + if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; } + if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; } + if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } + if ($pconfig['barnyard_enable'] != "") { $natent['barnyard_enable'] = $pconfig['barnyard_enable']; } + if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } + if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } + if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } + if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } + if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } + + + $if_real = snort_get_real_interface($natent['interface']); + + if (isset($id) && $a_nat[$id]) { + if ($natent['interface'] != $a_nat[$id]['interface']) + Running_Stop($snort_uuid, $if_real, $id); + $a_nat[$id] = $natent; + } else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + + sync_snort_package_config(); + sleep(1); + + /* if snort.sh crashed this will remove the pid */ + exec('/bin/rm /tmp/snort.sh.pid'); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces.php"); + + exit; + } + } + + if ($_POST["Submit2"]) { + + sync_snort_package_config(); + sleep(1); + + Running_Start($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces_edit.php?id=$id"); + exit; + } + +$pgtitle = "Snort: Interface Edit: $id $snort_uuid $if_real"; +include_once("head.inc"); + +?> + + + + + + +' . $pgtitle . '

';}?> + + + +
" method="post" enctype="multipart/form-data" name="iform" id="iform"> +'; + + if($savemsg) + print_info_box_np2("{$savemsg}"); + else { + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.
+ You must apply the changes in order for them to take effect.
+ '); + } + } +?> + + + + + + + +
+ +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
General Settings
Enable  + // care with spaces + if ($pconfig['enable'] == "on") + $checked = checked; + + $onclick_enable = "onClick=\"enable_change(false)\">"; + + echo " + \n\n"; + ?>
Interface +
+ Choose which interface this rule applies to.
+ Hint: in most cases, you'll want to use WAN here.
Description
+ You may enter a description here for your + reference (not parsed).
Memory Performance
+ Lowmem and ac-bnfa are recommended for low end + systems, Ac: high memory, best performance, ac-std: moderate + memory,high performance, acs: small memory, moderateperformance, + ac-banded: small memory,moderate performance, ac-sparsebands: small + memory, high performance.
+
Choose the networks + snort should inspect and whitelist.
Home net
+ Choose the home net you will like this rule to + use.  
Note: Default home + net adds only local networks.
+ Hint: Most users add a list of + friendly ips that the firewall cant see.
External net
+ Choose the external net you will like this rule + to use.  
Note: Default + external net, networks that are not home net.
+ Hint: Most users should leave this + setting at default.
Block offenders + + onClick="enable_blockoffenders()">
+ Checking this option will automatically block hosts that generate a + Snort alert.
Kill states + > +
Should firewall states be killed for the blocked ip +
Which ip to block + +
Which ip extracted from the packet you want to block +
Whitelist +
+ Choose the whitelist you will like this rule to + use.  
Note: Default + whitelist adds only local networks.
+ Note: This option will only be used when block offenders is on. +
Suppression and + filtering +
+ Choose the suppression or filtering file you + will like this rule to use.  
Note: Default + option disables suppression and filtering.
Choose the types of + logs snort should create.
Send alerts to main + System logs + onClick="enable_change(false)">
+ Snort will send Alerts to the firewall's system logs.
Log to a Tcpdump file + onClick="enable_change(false)">
+ Snort will log packets to a tcpdump-formatted file. The file then + can be analyzed by an application such as Wireshark which + understands pcap file formats. WARNING: + File may become large.
Log Alerts to a snort unified file + onClick="enable_change(false)"> +
+ Snort will log Alerts to a file in the UNIFIED format. +
Log Alerts to a snort + unified2 file + onClick="enable_change(false)">
+ Snort will log Alerts to a file in the UNIFIED2 format. This is a + requirement for barnyard2.
Log Alerts to a snort cvs file + onClick="enable_change(false)"> +
+ Snort will log Alerts to a file in the CVS format. +
Arguments here will + be automatically inserted into the snort configuration.
Advanced configuration + pass through +
+ + +
 Note: +
+ Please save your settings before you click start.
+ +
+
+ + + + + + diff --git a/config/snort-dev/snort_interfaces_global.php b/config/snort-dev/snort_interfaces_global.php index a267f561..1ad9016a 100644 --- a/config/snort-dev/snort_interfaces_global.php +++ b/config/snort-dev/snort_interfaces_global.php @@ -1,437 +1,437 @@ -. - Copyright (C) 2011 Ermal Luci - All rights reserved. - - Copyright (C) 2008-2009 Robert Zelaya - Modified for the Pfsense snort package. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -global $g; - -$d_snort_global_dirty_path = '/var/run/snort_global.dirty'; - -/* make things short */ -$pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; -$pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; -$pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; -$pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; -$pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; -$pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; -$pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; -$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype']; -$pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings']; - -/* if no errors move foward */ -if (!$input_errors) { - - if ($_POST["Submit"]) { - - $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; - $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; - $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; - $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; - if ($_POST['snortloglimitsize']) { - $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit']; - $config['installedpackages']['snortglobal']['snortloglimitsize'] = $_POST['snortloglimitsize']; - } else { - $config['installedpackages']['snortglobal']['snortloglimit'] = 'on'; - - /* code will set limit to 21% of slice that is unused */ - $snortloglimitDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') * .22 / 1024); - $config['installedpackages']['snortglobal']['snortloglimitsize'] = $snortloglimitDSKsize; - } - $config['installedpackages']['snortglobal']['autorulesupdate7'] = $_POST['autorulesupdate7']; - $config['installedpackages']['snortglobal']['snortalertlogtype'] = $_POST['snortalertlogtype']; - $config['installedpackages']['snortglobal']['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off'; - - $retval = 0; - - $snort_snortloglimit_info_ck = $config['installedpackages']['snortglobal']['snortloglimit']; - snort_snortloglimit_install_cron($snort_snortloglimit_info_ck == 'ok' ? true : false); - - /* set the snort block hosts time IMPORTANT */ - $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; - if ($snort_rm_blocked_info_ck == "never_b") - $snort_rm_blocked_false = false; - else - $snort_rm_blocked_false = true; - - snort_rm_blocked_install_cron($snort_rm_blocked_false); - - /* set the snort rules update time */ - $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; - if ($snort_rules_up_info_ck == "never_up") - $snort_rules_up_false = false; - else - $snort_rules_up_false = true; - - snort_rules_up_install_cron($snort_rules_up_false); - - configure_cron(); - write_config(); - - /* create whitelist and homenet file then sync files */ - sync_snort_package_config(); - - /* forces page to reload new settings */ - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: /snort/snort_interfaces_global.php"); - exit; - } -} - - -if ($_POST["Reset"]) { - - function snort_deinstall_settings() { - global $config, $g, $id, $if_real; - - exec("/usr/usr/bin/killall snort"); - sleep(2); - exec("/usr/usr/bin/killall -9 snort"); - sleep(2); - exec("/usr/usr/bin/killall barnyard2"); - sleep(2); - exec("/usr/usr/bin/killall -9 barnyard2"); - sleep(2); - - /* Remove snort cron entries Ugly code needs smoothness*/ - if (!function_exists('snort_deinstall_cron')) { - function snort_deinstall_cron($cronmatch) { - global $config, $g; - - - if(!$config['cron']['item']) - return; - - $x=0; - $is_installed = false; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], $cronmatch)) { - $is_installed = true; - break; - } - $x++; - } - if($is_installed == true) - unset($config['cron']['item'][$x]); - - configure_cron(); - } - } - - snort_deinstall_cron("snort2c"); - snort_deinstall_cron("snort_check_for_rule_updates.php"); - - - /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ - /* Keep this as a last step */ - unset($config['installedpackages']['snortglobal']); - - /* remove all snort iface dir */ - exec('rm -r /usr/local/etc/snort/snort_*'); - exec('rm /var/log/snort/*'); - } - - snort_deinstall_settings(); - write_config(); /* XXX */ - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: /snort/snort_interfaces_global.php"); - exit; -} - -$pgtitle = 'Services: Snort: Global Settings'; -include_once("head.inc"); - -?> - - - -' . $pgtitle . '

'; -?> - - - -
- - You must apply the changes in order for them to take effect.
- '); - } - } -?> - - - - - - -
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please Choose The - Type Of Rules You Wish To Download
Install Snort.org rules - - - - - - - - - - -
> - Do NOT Install
> Install - Basic Rules or Premium rules
-          Sign Up for a - Basic Rule Account
-          Sign Up for Sourcefire VRT Certified Premium - Rules. This Is Highly Recommended
 
- - - - - - - - -
Oinkmaster code
Code
- Obtain a snort.org Oinkmaster code and paste here.
- -
Install Emergingthreats - rules - onClick="enable_change(false)">
- Emerging Threats is an open source community that produces fastest - moving and diverse Snort Rules.
Update rules - automatically
- Please select the update times for rules.
- Hint: in most cases, every 12 hours is a good choice.
General Settings
Log Directory Size - Limit
-
-
-
-
-
- Note:
- Available space is MB
- - - - - - - - - - -
> - Enable directory size limit (Default)
> Disable - directory size limit
-
- Warning: Nanobsd - should use no more than 10MB of space.
 
- - - - - -
Size in MB - Default is 20% of available space.
- -
Remove blocked hosts - every
- Please select the amount of time you would like - hosts to be blocked for.
- Hint: in most cases, 1 hour is a good choice.
Alerts file description - type
- Please choose the type of Alert logging you will - like see in your alert file.
- Hint: Best pratice is to chose full logging.
 WARNING: On - change, alert file will be cleared.
Keep snort settings - after deinstall - onClick="enable_change(false)">
- Settings will not be removed during deinstall.
 WARNING:
- This will reset all global and interface settings.
-
 Note:
-
Changing any settings on this page will affect all - interfaces. Please, double check if your oink code is correct and - the type of snort.org account you hold.
-
-
- - - - - - - - - +. + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Copyright (C) 2008-2009 Robert Zelaya + Modified for the Pfsense snort package. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$d_snort_global_dirty_path = '/var/run/snort_global.dirty'; + +/* make things short */ +$pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; +$pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; +$pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; +$pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; +$pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; +$pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; +$pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype']; +$pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings']; + +/* if no errors move foward */ +if (!$input_errors) { + + if ($_POST["Submit"]) { + + $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; + $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; + $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; + if ($_POST['snortloglimitsize']) { + $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit']; + $config['installedpackages']['snortglobal']['snortloglimitsize'] = $_POST['snortloglimitsize']; + } else { + $config['installedpackages']['snortglobal']['snortloglimit'] = 'on'; + + /* code will set limit to 21% of slice that is unused */ + $snortloglimitDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') * .22 / 1024); + $config['installedpackages']['snortglobal']['snortloglimitsize'] = $snortloglimitDSKsize; + } + $config['installedpackages']['snortglobal']['autorulesupdate7'] = $_POST['autorulesupdate7']; + $config['installedpackages']['snortglobal']['snortalertlogtype'] = $_POST['snortalertlogtype']; + $config['installedpackages']['snortglobal']['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off'; + + $retval = 0; + + $snort_snortloglimit_info_ck = $config['installedpackages']['snortglobal']['snortloglimit']; + snort_snortloglimit_install_cron($snort_snortloglimit_info_ck == 'ok' ? true : false); + + /* set the snort block hosts time IMPORTANT */ + $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "never_b") + $snort_rm_blocked_false = false; + else + $snort_rm_blocked_false = true; + + snort_rm_blocked_install_cron($snort_rm_blocked_false); + + /* set the snort rules update time */ + $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; + if ($snort_rules_up_info_ck == "never_up") + $snort_rules_up_false = false; + else + $snort_rules_up_false = true; + + snort_rules_up_install_cron($snort_rules_up_false); + + configure_cron(); + write_config(); + + /* create whitelist and homenet file then sync files */ + sync_snort_package_config(); + + /* forces page to reload new settings */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces_global.php"); + exit; + } +} + + +if ($_POST["Reset"]) { + + function snort_deinstall_settings() { + global $config, $g, $id, $if_real; + + exec("/usr/usr/bin/killall snort"); + sleep(2); + exec("/usr/usr/bin/killall -9 snort"); + sleep(2); + exec("/usr/usr/bin/killall barnyard2"); + sleep(2); + exec("/usr/usr/bin/killall -9 barnyard2"); + sleep(2); + + /* Remove snort cron entries Ugly code needs smoothness*/ + if (!function_exists('snort_deinstall_cron')) { + function snort_deinstall_cron($cronmatch) { + global $config, $g; + + + if(!$config['cron']['item']) + return; + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], $cronmatch)) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) + unset($config['cron']['item'][$x]); + + configure_cron(); + } + } + + snort_deinstall_cron("snort2c"); + snort_deinstall_cron("snort_check_for_rule_updates.php"); + + + /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ + /* Keep this as a last step */ + unset($config['installedpackages']['snortglobal']); + + /* remove all snort iface dir */ + exec('rm -r /usr/local/etc/snort/snort_*'); + exec('rm /var/log/snort/*'); + } + + snort_deinstall_settings(); + write_config(); /* XXX */ + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces_global.php"); + exit; +} + +$pgtitle = 'Services: Snort: Global Settings'; +include_once("head.inc"); + +?> + + + +' . $pgtitle . '

'; +?> + + + +
+ + You must apply the changes in order for them to take effect.
+ '); + } + } +?> + + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Please Choose The + Type Of Rules You Wish To Download
Install Snort.org rules + + + + + + + + + + +
> + Do NOT Install
> Install + Basic Rules or Premium rules
+          Sign Up for a + Basic Rule Account
+          Sign Up for Sourcefire VRT Certified Premium + Rules. This Is Highly Recommended
 
+ + + + + + + + +
Oinkmaster code
Code
+ Obtain a snort.org Oinkmaster code and paste here.
+ +
Install Emergingthreats + rules + onClick="enable_change(false)">
+ Emerging Threats is an open source community that produces fastest + moving and diverse Snort Rules.
Update rules + automatically
+ Please select the update times for rules.
+ Hint: in most cases, every 12 hours is a good choice.
General Settings
Log Directory Size + Limit
+
+
+
+
+
+ Note:
+ Available space is MB
+ + + + + + + + + + +
> + Enable directory size limit (Default)
> Disable + directory size limit
+
+ Warning: Nanobsd + should use no more than 10MB of space.
 
+ + + + + +
Size in MB + Default is 20% of available space.
+ +
Remove blocked hosts + every
+ Please select the amount of time you would like + hosts to be blocked for.
+ Hint: in most cases, 1 hour is a good choice.
Alerts file description + type
+ Please choose the type of Alert logging you will + like see in your alert file.
+ Hint: Best pratice is to chose full logging.
 WARNING: On + change, alert file will be cleared.
Keep snort settings + after deinstall + onClick="enable_change(false)">
+ Settings will not be removed during deinstall.
 WARNING:
+ This will reset all global and interface settings.
+
 Note:
+
Changing any settings on this page will affect all + interfaces. Please, double check if your oink code is correct and + the type of snort.org account you hold.
+
+
+ + + + + + + + + diff --git a/config/snort-dev/snort_interfaces_suppress.php b/config/snort-dev/snort_interfaces_suppress.php index 4eeed42d..cde6d3eb 100644 --- a/config/snort-dev/snort_interfaces_suppress.php +++ b/config/snort-dev/snort_interfaces_suppress.php @@ -1,171 +1,171 @@ -. - All rights reserved. - - modified for the pfsense snort package - Copyright (C) 2009-2010 Robert Zelaya. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - - -if (!is_array($config['installedpackages']['snortglobal']['suppress'])) - $config['installedpackages']['snortglobal']['suppress'] = array(); -if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) - $config['installedpackages']['snortglobal']['suppress']['item'] = array(); -$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; -$id_gen = count($config['installedpackages']['snortglobal']['suppress']['item']); - -$d_suppresslistdirty_path = '/var/run/snort_suppress.dirty'; - -if ($_GET['act'] == "del") { - if ($a_suppress[$_GET['id']]) { - /* make sure rule is not being referenced by any nat or filter rules */ - - unset($a_suppress[$_GET['id']]); - write_config(); - filter_configure(); - header("Location: /snort/snort_interfaces_suppress.php"); - exit; - } -} - -$pgtitle = "Services: Snort: Suppression"; -include_once("head.inc"); - -?> - - - - - -
' . $pgtitle . '

';}?> - -
- -

You must apply the changes in order for them to take effect.");?> - - - - - - - - -
- -
- - - - - - - - - - - - - - - - - - - - - -
File NameDescription
- -   - - - - - - -
-
- - - - - -
 
-
-
-
- - -
Note: -

Here you can create event filtering and - suppression for your snort package rules.
- Please note that you must restart a running rule so that changes can - take effect.

- -

- -
- - - - +. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + + +if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); +$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; +$id_gen = count($config['installedpackages']['snortglobal']['suppress']['item']); + +$d_suppresslistdirty_path = '/var/run/snort_suppress.dirty'; + +if ($_GET['act'] == "del") { + if ($a_suppress[$_GET['id']]) { + /* make sure rule is not being referenced by any nat or filter rules */ + + unset($a_suppress[$_GET['id']]); + write_config(); + filter_configure(); + header("Location: /snort/snort_interfaces_suppress.php"); + exit; + } +} + +$pgtitle = "Services: Snort: Suppression"; +include_once("head.inc"); + +?> + + + + + +
' . $pgtitle . '

';}?> + +
+ +

You must apply the changes in order for them to take effect.");?> + + + + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + +
File NameDescription
+ +   + + + + + + +
+
+ + + + + +
 
+
+
+
+ + +
Note: +

Here you can create event filtering and + suppression for your snort package rules.
+ Please note that you must restart a running rule so that changes can + take effect.

+ +

+ +
+ + + + diff --git a/config/snort-dev/snort_interfaces_suppress_edit.php b/config/snort-dev/snort_interfaces_suppress_edit.php index 7303349f..559ea76c 100644 --- a/config/snort-dev/snort_interfaces_suppress_edit.php +++ b/config/snort-dev/snort_interfaces_suppress_edit.php @@ -1,295 +1,295 @@ -. - All rights reserved. - - modified for the pfsense snort package - Copyright (C) 2009-2010 Robert Zelaya. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -if (!is_array($config['installedpackages']['snortglobal']['suppress'])) - $config['installedpackages']['snortglobal']['suppress'] = array(); -if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) - $config['installedpackages']['snortglobal']['suppress']['item'] = array(); -$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; -if (!is_numeric($id)) - $id = 0; // XXX: safety belt - - -/* gen uuid for each iface */ -if (is_array($config['installedpackages']['snortglobal']['suppress']['item'][$id])) { - if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] == '') { - //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); - $suppress_uuid = 0; - while ($suppress_uuid > 65535 || $suppress_uuid == 0) { - $suppress_uuid = mt_rand(1, 65535); - $pconfig['uuid'] = $suppress_uuid; - } - } else if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] != '') { - $suppress_uuid = $config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid']; - } -} - -$d_snort_suppress_dirty_path = '/var/run/snort_suppress.dirty'; - -/* returns true if $name is a valid name for a whitelist file name or ip */ -function is_validwhitelistname($name) { - if (!is_string($name)) - return false; - - if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) - return true; - - return false; -} - -if (isset($id) && $a_suppress[$id]) { - - /* old settings */ - $pconfig['name'] = $a_suppress[$id]['name']; - $pconfig['uuid'] = $a_suppress[$id]['uuid']; - $pconfig['descr'] = $a_suppress[$id]['descr']; - $pconfig['suppresspassthru'] = base64_decode($a_suppress[$id]['suppresspassthru']); -} - -if ($_POST['submit']) { - - unset($input_errors); - $pconfig = $_POST; - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if(strtolower($_POST['name']) == "defaultwhitelist") - $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; - - $x = is_validwhitelistname($_POST['name']); - if (!isset($x)) { - $input_errors[] = "Reserved word used for whitelist file name."; - } else { - if (is_validwhitelistname($_POST['name']) == false) - $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; - } - - - /* check for name conflicts */ - foreach ($a_suppress as $s_list) { - if (isset($id) && ($a_suppress[$id]) && ($a_suppress[$id] === $s_list)) - continue; - - if ($s_list['name'] == $_POST['name']) { - $input_errors[] = "A whitelist file name with this name already exists."; - break; - } - } - - - if (!$input_errors) { - $s_list = array(); - $s_list['name'] = $_POST['name']; - $s_list['uuid'] = $suppress_uuid; - $s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); - $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']); - - if (isset($id) && $a_suppress[$id]) - $a_suppress[$id] = $s_list; - else - $a_suppress[] = $s_list; - - write_config(); - - sync_snort_package_config(); - - header("Location: /snort/snort_interfaces_suppress.php"); - exit; - } - -} - -$pgtitle = "Services: Snort: Suppression: Edit $suppress_uuid"; -include_once("head.inc"); - -?> - - - - - -
' . $pgtitle . '

';}?> - - -
- -
'; - - if($savemsg) { - print_info_box_np2("{$savemsg}"); - }else{ - print_info_box_np2(' - The Snort configuration has changed and snort needs to be restarted on this interface.
- You must apply the changes in order for them to take effect.
- '); - } - } - ?> - - - - - - - -
- - - -
- - - - - - - - - - - - -
Add the name and - description of the file.
Name
- The list name may only consist of the - characters a-z, A-Z and 0-9. Note: No - Spaces.
Description
- You may enter a description here for your - reference (not parsed).
- -
- - - - - - - - - - - - - - - - -
-
- - - - - -
   NOTE: -   The threshold keyword - is deprecated as of version 2.8.5. Use the event_filter keyword - instead.
-
-
Apply suppression or - filters to rules. Valid keywords are 'suppress', 'event_filter' and - 'rate_filter'.
Example 1; - suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
- Example 2; event_filter gen_id 1, sig_id 1851, type limit, - track by_src, count 1, seconds 60
- Example 3; rate_filter gen_id 135, sig_id 1, track by_src, - count 100, seconds 1, new_action log, timeout 10
-
- -
-
- - - -
- -
- - - - - +. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); +$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (!is_numeric($id)) + $id = 0; // XXX: safety belt + + +/* gen uuid for each iface */ +if (is_array($config['installedpackages']['snortglobal']['suppress']['item'][$id])) { + if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] == '') { + //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); + $suppress_uuid = 0; + while ($suppress_uuid > 65535 || $suppress_uuid == 0) { + $suppress_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $suppress_uuid; + } + } else if ($config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid'] != '') { + $suppress_uuid = $config['installedpackages']['snortglobal']['suppress']['item'][$id]['uuid']; + } +} + +$d_snort_suppress_dirty_path = '/var/run/snort_suppress.dirty'; + +/* returns true if $name is a valid name for a whitelist file name or ip */ +function is_validwhitelistname($name) { + if (!is_string($name)) + return false; + + if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + return true; + + return false; +} + +if (isset($id) && $a_suppress[$id]) { + + /* old settings */ + $pconfig['name'] = $a_suppress[$id]['name']; + $pconfig['uuid'] = $a_suppress[$id]['uuid']; + $pconfig['descr'] = $a_suppress[$id]['descr']; + $pconfig['suppresspassthru'] = base64_decode($a_suppress[$id]['suppresspassthru']); +} + +if ($_POST['submit']) { + + unset($input_errors); + $pconfig = $_POST; + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if(strtolower($_POST['name']) == "defaultwhitelist") + $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; + + $x = is_validwhitelistname($_POST['name']); + if (!isset($x)) { + $input_errors[] = "Reserved word used for whitelist file name."; + } else { + if (is_validwhitelistname($_POST['name']) == false) + $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; + } + + + /* check for name conflicts */ + foreach ($a_suppress as $s_list) { + if (isset($id) && ($a_suppress[$id]) && ($a_suppress[$id] === $s_list)) + continue; + + if ($s_list['name'] == $_POST['name']) { + $input_errors[] = "A whitelist file name with this name already exists."; + break; + } + } + + + if (!$input_errors) { + $s_list = array(); + $s_list['name'] = $_POST['name']; + $s_list['uuid'] = $suppress_uuid; + $s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']); + + if (isset($id) && $a_suppress[$id]) + $a_suppress[$id] = $s_list; + else + $a_suppress[] = $s_list; + + write_config(); + + sync_snort_package_config(); + + header("Location: /snort/snort_interfaces_suppress.php"); + exit; + } + +} + +$pgtitle = "Services: Snort: Suppression: Edit $suppress_uuid"; +include_once("head.inc"); + +?> + + + + + +
' . $pgtitle . '

';}?> + + +
+ +
'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.
+ You must apply the changes in order for them to take effect.
+ '); + } + } + ?> + + + + + + + +
+ + + +
+ + + + + + + + + + + + +
Add the name and + description of the file.
Name
+ The list name may only consist of the + characters a-z, A-Z and 0-9. Note: No + Spaces.
Description
+ You may enter a description here for your + reference (not parsed).
+ +
+ + + + + + + + + + + + + + + + +
+
+ + + + + +
   NOTE: +   The threshold keyword + is deprecated as of version 2.8.5. Use the event_filter keyword + instead.
+
+
Apply suppression or + filters to rules. Valid keywords are 'suppress', 'event_filter' and + 'rate_filter'.
Example 1; + suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
+ Example 2; event_filter gen_id 1, sig_id 1851, type limit, + track by_src, count 1, seconds 60
+ Example 3; rate_filter gen_id 135, sig_id 1, track by_src, + count 100, seconds 1, new_action log, timeout 10
+
+ +
+
+ + + +
+ +
+ + + + + diff --git a/config/snort-dev/snort_interfaces_whitelist.php b/config/snort-dev/snort_interfaces_whitelist.php index 2dc2d491..72a08629 100644 --- a/config/snort-dev/snort_interfaces_whitelist.php +++ b/config/snort-dev/snort_interfaces_whitelist.php @@ -1,189 +1,189 @@ -. - All rights reserved. - - modified for the pfsense snort package - Copyright (C) 2009-2010 Robert Zelaya. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - - -if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) -$config['installedpackages']['snortglobal']['whitelist']['item'] = array(); - -//aliases_sort(); << what ? -$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; - -if (isset($config['installedpackages']['snortglobal']['whitelist']['item'])) { - $id_gen = count($config['installedpackages']['snortglobal']['whitelist']['item']); -}else{ - $id_gen = '0'; -} - -$d_whitelistdirty_path = '/var/run/snort_whitelist.dirty'; - -if ($_GET['act'] == "del") { - if ($a_whitelist[$_GET['id']]) { - /* make sure rule is not being referenced by any nat or filter rules */ - - unset($a_whitelist[$_GET['id']]); - write_config(); - filter_configure(); - header("Location: /snort/snort_interfaces_whitelist.php"); - exit; - } -} - -$pgtitle = "Services: Snort: Whitelist"; -include_once("head.inc"); - -?> - - - - - -
' . $pgtitle . '

';}?> - -
- -

You must apply the changes in order for them to take effect.");?> - - - - - - - - -
- -
- - - - - - - - - - - - - - - - - - - - - -
File NameValuesDescription
- - -   - - - - - - -
-
- - - - - -
 
-
-
-
- - -
Note: -

Here you can create whitelist files for your - snort package rules.
- Please add all the ips or networks you want to protect against snort - block decisions.
- Remember that the default whitelist only includes local networks.
- Be careful, it is very easy to get locked out of you system.

- -

- -
- - - - +. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + + +if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) +$config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + +//aliases_sort(); << what ? +$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; + +if (isset($config['installedpackages']['snortglobal']['whitelist']['item'])) { + $id_gen = count($config['installedpackages']['snortglobal']['whitelist']['item']); +}else{ + $id_gen = '0'; +} + +$d_whitelistdirty_path = '/var/run/snort_whitelist.dirty'; + +if ($_GET['act'] == "del") { + if ($a_whitelist[$_GET['id']]) { + /* make sure rule is not being referenced by any nat or filter rules */ + + unset($a_whitelist[$_GET['id']]); + write_config(); + filter_configure(); + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; + } +} + +$pgtitle = "Services: Snort: Whitelist"; +include_once("head.inc"); + +?> + + + + + +
' . $pgtitle . '

';}?> + +
+ +

You must apply the changes in order for them to take effect.");?> + + + + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + +
File NameValuesDescription
+ + +   + + + + + + +
+
+ + + + + +
 
+
+
+
+ + +
Note: +

Here you can create whitelist files for your + snort package rules.
+ Please add all the ips or networks you want to protect against snort + block decisions.
+ Remember that the default whitelist only includes local networks.
+ Be careful, it is very easy to get locked out of you system.

+ +

+ +
+ + + + diff --git a/config/snort-dev/snort_interfaces_whitelist_edit.php b/config/snort-dev/snort_interfaces_whitelist_edit.php index fe3c54a5..854c2a9a 100644 --- a/config/snort-dev/snort_interfaces_whitelist_edit.php +++ b/config/snort-dev/snort_interfaces_whitelist_edit.php @@ -1,414 +1,414 @@ -. - All rights reserved. - - modified for the pfsense snort package - Copyright (C) 2009-2010 Robert Zelaya. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) - $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); - -$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; -if (is_null($id)) { - header("Location: /snort/snort_interfaces_whitelist.php"); - exit; -} - -/* gen uuid for each iface !inportant */ -if ($config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid'] == '') { - $whitelist_uuid = 0; - while ($whitelist_uuid > 65535 || $whitelist_uuid == 0) { - $whitelist_uuid = mt_rand(1, 65535); - $pconfig['uuid'] = $whitelist_uuid; - } -} else if ($config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid'] != '') { - $whitelist_uuid = $config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid']; -} - -$d_snort_whitelist_dirty_path = '/var/run/snort_whitelist.dirty'; - -/* returns true if $name is a valid name for a whitelist file name or ip */ -function is_validwhitelistname($name) { - if (!is_string($name)) - return false; - - if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) - return true; - - return false; -} - - -if (isset($id) && $a_whitelist[$id]) { - - /* old settings */ - $pconfig = array(); - $pconfig['name'] = $a_whitelist[$id]['name']; - $pconfig['uuid'] = $a_whitelist[$id]['uuid']; - $pconfig['detail'] = $a_whitelist[$id]['detail']; - $pconfig['snortlisttype'] = $a_whitelist[$id]['snortlisttype']; - $pconfig['address'] = $a_whitelist[$id]['address']; - $pconfig['descr'] = html_entity_decode($a_whitelist[$id]['descr']); - $pconfig['wanips'] = $a_whitelist[$id]['wanips']; - $pconfig['wangateips'] = $a_whitelist[$id]['wangateips']; - $pconfig['wandnsips'] = $a_whitelist[$id]['wandnsips']; - $pconfig['vips'] = $a_whitelist[$id]['vips']; - $pconfig['vpnips'] = $a_whitelist[$id]['vpnips']; - $addresses = explode(' ', $pconfig['address']); - $address = explode(" ", $addresses[0]); -} - -if ($_POST['submit']) { - - conf_mount_rw(); - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - $reqdfields = explode(" ", "name"); - $reqdfieldsn = explode(",", "Name"); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - if(strtolower($_POST['name']) == "defaultwhitelist") - $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; - - $x = is_validwhitelistname($_POST['name']); - if (!isset($x)) { - $input_errors[] = "Reserved word used for whitelist file name."; - } else { - if (is_validwhitelistname($_POST['name']) == false) - $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; - } - - /* check for name conflicts */ - foreach ($a_whitelist as $w_list) { - if (isset($id) && ($a_whitelist[$id]) && ($a_whitelist[$id] === $w_list)) - continue; - - if ($w_list['name'] == $_POST['name']) { - $input_errors[] = "A whitelist file name with this name already exists."; - break; - } - } - - $isfirst = 0; - $address = ""; - $final_address_details .= ""; - /* add another entry code */ - for($x=0; $x<499; $x++) { - if (!empty($_POST["address{$x}"])) { - if ($is_first > 0) - $address .= " "; - $address .= $_POST["address{$x}"]; - if ($_POST["address_subnet{$x}"] <> "") - $address .= "" . $_POST["address_subnet{$x}"]; - - /* Compress in details to a single key, data separated by pipes. - Pulling details here lets us only pull in details for valid - address entries, saving us from having to track which ones to - process later. */ - $final_address_detail = mb_convert_encoding($_POST["detail{$x}"],'HTML-ENTITIES','auto'); - if ($final_address_detail <> "") - $final_address_details .= $final_address_detail; - else { - $final_address_details .= "Entry added" . " "; - $final_address_details .= date('r'); - } - $final_address_details .= "||"; - $is_first++; - } - } - - if (!$input_errors) { - $w_list = array(); - /* post user input */ - $w_list['name'] = $_POST['name']; - $w_list['uuid'] = $whitelist_uuid; - $w_list['snortlisttype'] = $_POST['snortlisttype']; - $w_list['wanips'] = $_POST['wanips']? 'yes' : 'no'; - $w_list['wangateips'] = $_POST['wangateips']? 'yes' : 'no'; - $w_list['wandnsips'] = $_POST['wandnsips']? 'yes' : 'no'; - $w_list['vips'] = $_POST['vips']? 'yes' : 'no'; - $w_list['vpnips'] = $_POST['vpnips']? 'yes' : 'no'; - - $w_list['address'] = $address; - $w_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); - $w_list['detail'] = $final_address_details; - - if (isset($id) && $a_whitelist[$id]) - $a_whitelist[$id] = $w_list; - else - $a_whitelist[] = $w_list; - - write_config(); - - /* create whitelist and homenet file then sync files */ - sync_snort_package_config(); - - header("Location: /snort/snort_interfaces_whitelist.php"); - exit; - } else { - $pconfig['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); - $pconfig['address'] = $address; - $pconfig['detail'] = $final_address_details; - } - -} - -$pgtitle = "Services: Snort: Whitelist: Edit $whitelist_uuid"; -include_once("head.inc"); - -?> - - - - - - - - -' . $pgtitle . '

';}?> - - -
- -
- - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Add the name and - description of the file.
Name
- The list name may only consist of the - characters a-z, A-Z and 0-9. Note: No - Spaces.
Description
- You may enter a description here for your - reference (not parsed).
List Type - -
WHITELIST:   This - list specifies addresses that Snort Package should not block.
-
- NETLIST:   This list is for defining - addresses as $HOME_NET or $EXTERNAL_NET in the snort.conf file.
- -    Choose the type of - list you will like see in your Interface Edit Tab. -
Add auto generated - ips.
WAN IPs /> - Add WAN IPs to the list.
Wan Gateways /> - Add WAN Gateways to the list.
Wan DNS servers /> - Add WAN DNS servers to the list.
Virtual IP Addresses /> - Add Virtual IP Addresses to the list.
VPNs /> - Add VPN Addresses to the list.
Add your own custom - ips.
-
IP or CIDR items
-
- - - - - - - - - - - ""): - $item = explode(" ", $address); - $item3 = explode("||", $pconfig['detail']); - foreach($item as $ww): - $address = $item[$counter]; - $item4 = $item3[$counter]; - ?> - - - - - - - -
-
For WHITELIST's enter ONLY - IPs not CIDRs. Example: 192.168.4.1
-
- For NETLIST's you may enter IPs and - CIDRs. Example: 192.168.4.1 or 192.168.4.0/24
-
-
IP or CIDR
-
-
Add a Description or leave blank and a date - will be added.
-
- "; ?> -
-
  - - - -
-
-
- - - - - - +. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + +$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; +} + +/* gen uuid for each iface !inportant */ +if ($config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid'] == '') { + $whitelist_uuid = 0; + while ($whitelist_uuid > 65535 || $whitelist_uuid == 0) { + $whitelist_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $whitelist_uuid; + } +} else if ($config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid'] != '') { + $whitelist_uuid = $config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid']; +} + +$d_snort_whitelist_dirty_path = '/var/run/snort_whitelist.dirty'; + +/* returns true if $name is a valid name for a whitelist file name or ip */ +function is_validwhitelistname($name) { + if (!is_string($name)) + return false; + + if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + return true; + + return false; +} + + +if (isset($id) && $a_whitelist[$id]) { + + /* old settings */ + $pconfig = array(); + $pconfig['name'] = $a_whitelist[$id]['name']; + $pconfig['uuid'] = $a_whitelist[$id]['uuid']; + $pconfig['detail'] = $a_whitelist[$id]['detail']; + $pconfig['snortlisttype'] = $a_whitelist[$id]['snortlisttype']; + $pconfig['address'] = $a_whitelist[$id]['address']; + $pconfig['descr'] = html_entity_decode($a_whitelist[$id]['descr']); + $pconfig['wanips'] = $a_whitelist[$id]['wanips']; + $pconfig['wangateips'] = $a_whitelist[$id]['wangateips']; + $pconfig['wandnsips'] = $a_whitelist[$id]['wandnsips']; + $pconfig['vips'] = $a_whitelist[$id]['vips']; + $pconfig['vpnips'] = $a_whitelist[$id]['vpnips']; + $addresses = explode(' ', $pconfig['address']); + $address = explode(" ", $addresses[0]); +} + +if ($_POST['submit']) { + + conf_mount_rw(); + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "name"); + $reqdfieldsn = explode(",", "Name"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if(strtolower($_POST['name']) == "defaultwhitelist") + $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; + + $x = is_validwhitelistname($_POST['name']); + if (!isset($x)) { + $input_errors[] = "Reserved word used for whitelist file name."; + } else { + if (is_validwhitelistname($_POST['name']) == false) + $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; + } + + /* check for name conflicts */ + foreach ($a_whitelist as $w_list) { + if (isset($id) && ($a_whitelist[$id]) && ($a_whitelist[$id] === $w_list)) + continue; + + if ($w_list['name'] == $_POST['name']) { + $input_errors[] = "A whitelist file name with this name already exists."; + break; + } + } + + $isfirst = 0; + $address = ""; + $final_address_details .= ""; + /* add another entry code */ + for($x=0; $x<499; $x++) { + if (!empty($_POST["address{$x}"])) { + if ($is_first > 0) + $address .= " "; + $address .= $_POST["address{$x}"]; + if ($_POST["address_subnet{$x}"] <> "") + $address .= "" . $_POST["address_subnet{$x}"]; + + /* Compress in details to a single key, data separated by pipes. + Pulling details here lets us only pull in details for valid + address entries, saving us from having to track which ones to + process later. */ + $final_address_detail = mb_convert_encoding($_POST["detail{$x}"],'HTML-ENTITIES','auto'); + if ($final_address_detail <> "") + $final_address_details .= $final_address_detail; + else { + $final_address_details .= "Entry added" . " "; + $final_address_details .= date('r'); + } + $final_address_details .= "||"; + $is_first++; + } + } + + if (!$input_errors) { + $w_list = array(); + /* post user input */ + $w_list['name'] = $_POST['name']; + $w_list['uuid'] = $whitelist_uuid; + $w_list['snortlisttype'] = $_POST['snortlisttype']; + $w_list['wanips'] = $_POST['wanips']? 'yes' : 'no'; + $w_list['wangateips'] = $_POST['wangateips']? 'yes' : 'no'; + $w_list['wandnsips'] = $_POST['wandnsips']? 'yes' : 'no'; + $w_list['vips'] = $_POST['vips']? 'yes' : 'no'; + $w_list['vpnips'] = $_POST['vpnips']? 'yes' : 'no'; + + $w_list['address'] = $address; + $w_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $w_list['detail'] = $final_address_details; + + if (isset($id) && $a_whitelist[$id]) + $a_whitelist[$id] = $w_list; + else + $a_whitelist[] = $w_list; + + write_config(); + + /* create whitelist and homenet file then sync files */ + sync_snort_package_config(); + + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; + } else { + $pconfig['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $pconfig['address'] = $address; + $pconfig['detail'] = $final_address_details; + } + +} + +$pgtitle = "Services: Snort: Whitelist: Edit $whitelist_uuid"; +include_once("head.inc"); + +?> + + + + + + + + +' . $pgtitle . '

';}?> + + +
+ +
+ + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Add the name and + description of the file.
Name
+ The list name may only consist of the + characters a-z, A-Z and 0-9. Note: No + Spaces.
Description
+ You may enter a description here for your + reference (not parsed).
List Type + +
WHITELIST:   This + list specifies addresses that Snort Package should not block.
+
+ NETLIST:   This list is for defining + addresses as $HOME_NET or $EXTERNAL_NET in the snort.conf file.
+ +    Choose the type of + list you will like see in your Interface Edit Tab. +
Add auto generated + ips.
WAN IPs /> + Add WAN IPs to the list.
Wan Gateways /> + Add WAN Gateways to the list.
Wan DNS servers /> + Add WAN DNS servers to the list.
Virtual IP Addresses /> + Add Virtual IP Addresses to the list.
VPNs /> + Add VPN Addresses to the list.
Add your own custom + ips.
+
IP or CIDR items
+
+ + + + + + + + + + + ""): + $item = explode(" ", $address); + $item3 = explode("||", $pconfig['detail']); + foreach($item as $ww): + $address = $item[$counter]; + $item4 = $item3[$counter]; + ?> + + + + + + + +
+
For WHITELIST's enter ONLY + IPs not CIDRs. Example: 192.168.4.1
+
+ For NETLIST's you may enter IPs and + CIDRs. Example: 192.168.4.1 or 192.168.4.0/24
+
+
IP or CIDR
+
+
Add a Description or leave blank and a date + will be added.
+
+ "; ?> +
+
  + + + +
+
+
+ + + + + + diff --git a/config/snort-dev/snort_preprocessors.php b/config/snort-dev/snort_preprocessors.php index 7f89d433..0faf4257 100644 --- a/config/snort-dev/snort_preprocessors.php +++ b/config/snort-dev/snort_preprocessors.php @@ -1,391 +1,391 @@ -. - Copyright (C) 2008-2009 Robert Zelaya. - Copyright (C) 2011 Ermal Luci - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -global $g; - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; -if (is_null($id)) { - header("Location: /snort/snort_interfaces.php"); - exit; -} - -$pconfig = array(); -if (isset($id) && $a_nat[$id]) { - $pconfig = $a_nat[$id]; - - /* new options */ - $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; - $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; - $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; - $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; - $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; - $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; - $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; - $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; - $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; - $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; - $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; -} - -/* convert fake interfaces to real */ -$if_real = snort_get_real_interface($pconfig['interface']); -$snort_uuid = $pconfig['uuid']; - -/* alert file */ -$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; - -if ($_POST) { - - $natent = array(); - $natent = $pconfig; - - /* if no errors write to conf */ - if (!$input_errors) { - /* post new options */ - $natent['perform_stat'] = $_POST['perform_stat']; - if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; } - if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; } - if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } - if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } - - $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; - $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; - $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off'; - $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off'; - $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off'; - $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; - $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; - $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; - - if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; - else { - if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); - else - $a_nat[] = $natent; - } - - write_config(); - - $if_real = snort_get_real_interface($pconfig['interface']); - sync_snort_package_config(); - - /* after click go to this page */ - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: snort_preprocessors.php?id=$id"); - exit; - } -} - -$pgtitle = "Snort: Interface $id$if_real Preprocessors and Flow"; -include_once("head.inc"); - -?> - - - -' . $pgtitle . '

';}?> - - - -
- - - - -
- - - - -
- -
- - - .noid { - position:absolute; - top:10px; - left:0px; - width:94%; - background:#FCE9C0; - background-position: 15px; - border-top:2px solid #DBAC48; - border-bottom:2px solid #DBAC48; - padding: 15px 10px 85% 50px; - } - -
You can not edit options without an interface ID.
\n"; - - } - ?> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Note: -
- Rules may be dependent on preprocessors!
- Defaults will be used when there is no user input.
Performance - Statistics
Enable - onClick="enable_change(false)"> Performance Statistics for this - interface.
HTTP Inspect Settings
Enable - onClick="enable_change(false)"> Use HTTP Inspect to - Normalize/Decode and detect HTTP traffic and protocol anomalies.
HTTP server flow depth - - - - -
-1 - to 1460 (-1 disables HTTP - inspect, 0 enables all HTTP inspect)
- Amount of HTTP server response payload to inspect. Snort's - performance may increase by adjusting this value.
- Setting this value too low may cause false negatives. Values above 0 - are specified in bytes. Default value is 0
-
Stream5 Settings
Max Queued Bytes - - - - -
- Minimum is 1024, Maximum is 1073741824 - ( default value is 1048576, 0 - means Maximum )
- The number of bytes to be queued for reassembly for TCP sessions in - memory. Default value is 1048576
-
Max Queued Segs - - - - -
- Minimum is 2, Maximum is 1073741824 - ( default value is 2621, 0 means - Maximum )
- The number of segments to be queued for reassembly for TCP sessions - in memory. Default value is 2621
-
General Preprocessor - Settings
Enable
- RPC Decode and Back Orifice detector
- onClick="enable_change(false)">
- Normalize/Decode RPC traffic and detects Back Orifice traffic on the - network.
Enable
- FTP and Telnet Normalizer
- onClick="enable_change(false)">
- Normalize/Decode FTP and Telnet traffic and protocol anomalies.
Enable
- SMTP Normalizer
- onClick="enable_change(false)">
- Normalize/Decode SMTP protocol for enforcement and buffer overflows.
Enable
- Portscan Detection
- onClick="enable_change(false)">
- Detects various types of portscans and portsweeps.
Enable
- DCE/RPC2 Detection
- onClick="enable_change(false)">
- The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC - traffic.
Enable
- DNS Detection
- onClick="enable_change(false)">
- The DNS preprocessor decodes DNS Response traffic and detects some - vulnerabilities.
Define SSL_IGNORE
- Encrypted traffic should be ignored by Snort - for both performance reasons and to reduce false positives.
- Default: "443 465 563 636 989 990 992 993 994 995".
Please - use spaces and not commas.
  - -
 Note: -
- Please save your settings before you click Start.
- -
-
- -
- - - - +. + Copyright (C) 2008-2009 Robert Zelaya. + Copyright (C) 2011 Ermal Luci + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +$pconfig = array(); +if (isset($id) && $a_nat[$id]) { + $pconfig = $a_nat[$id]; + + /* new options */ + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; + $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; + $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; + $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; + $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; + $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; + $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; + $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; +} + +/* convert fake interfaces to real */ +$if_real = snort_get_real_interface($pconfig['interface']); +$snort_uuid = $pconfig['uuid']; + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + +if ($_POST) { + + $natent = array(); + $natent = $pconfig; + + /* if no errors write to conf */ + if (!$input_errors) { + /* post new options */ + $natent['perform_stat'] = $_POST['perform_stat']; + if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; } + if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; } + if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } + if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } + + $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; + $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; + $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off'; + $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off'; + $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off'; + $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; + $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; + $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + + $if_real = snort_get_real_interface($pconfig['interface']); + sync_snort_package_config(); + + /* after click go to this page */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: snort_preprocessors.php?id=$id"); + exit; + } +} + +$pgtitle = "Snort: Interface $id$if_real Preprocessors and Flow"; +include_once("head.inc"); + +?> + + + +' . $pgtitle . '

';}?> + + + +
+ + + + +
+ + + + +
+ +
+ + + .noid { + position:absolute; + top:10px; + left:0px; + width:94%; + background:#FCE9C0; + background-position: 15px; + border-top:2px solid #DBAC48; + border-bottom:2px solid #DBAC48; + padding: 15px 10px 85% 50px; + } + +
You can not edit options without an interface ID.
\n"; + + } + ?> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
 Note: +
+ Rules may be dependent on preprocessors!
+ Defaults will be used when there is no user input.
Performance + Statistics
Enable + onClick="enable_change(false)"> Performance Statistics for this + interface.
HTTP Inspect Settings
Enable + onClick="enable_change(false)"> Use HTTP Inspect to + Normalize/Decode and detect HTTP traffic and protocol anomalies.
HTTP server flow depth + + + + +
-1 + to 1460 (-1 disables HTTP + inspect, 0 enables all HTTP inspect)
+ Amount of HTTP server response payload to inspect. Snort's + performance may increase by adjusting this value.
+ Setting this value too low may cause false negatives. Values above 0 + are specified in bytes. Default value is 0
+
Stream5 Settings
Max Queued Bytes + + + + +
+ Minimum is 1024, Maximum is 1073741824 + ( default value is 1048576, 0 + means Maximum )
+ The number of bytes to be queued for reassembly for TCP sessions in + memory. Default value is 1048576
+
Max Queued Segs + + + + +
+ Minimum is 2, Maximum is 1073741824 + ( default value is 2621, 0 means + Maximum )
+ The number of segments to be queued for reassembly for TCP sessions + in memory. Default value is 2621
+
General Preprocessor + Settings
Enable
+ RPC Decode and Back Orifice detector
+ onClick="enable_change(false)">
+ Normalize/Decode RPC traffic and detects Back Orifice traffic on the + network.
Enable
+ FTP and Telnet Normalizer
+ onClick="enable_change(false)">
+ Normalize/Decode FTP and Telnet traffic and protocol anomalies.
Enable
+ SMTP Normalizer
+ onClick="enable_change(false)">
+ Normalize/Decode SMTP protocol for enforcement and buffer overflows.
Enable
+ Portscan Detection
+ onClick="enable_change(false)">
+ Detects various types of portscans and portsweeps.
Enable
+ DCE/RPC2 Detection
+ onClick="enable_change(false)">
+ The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC + traffic.
Enable
+ DNS Detection
+ onClick="enable_change(false)">
+ The DNS preprocessor decodes DNS Response traffic and detects some + vulnerabilities.
Define SSL_IGNORE
+ Encrypted traffic should be ignored by Snort + for both performance reasons and to reduce false positives.
+ Default: "443 465 563 636 989 990 992 993 994 995".
Please + use spaces and not commas.
  + +
 Note: +
+ Please save your settings before you click Start.
+ +
+
+ +
+ + + + diff --git a/config/snort-dev/snort_rules.php b/config/snort-dev/snort_rules.php index 871eb39e..bfb9da81 100644 --- a/config/snort-dev/snort_rules.php +++ b/config/snort-dev/snort_rules.php @@ -1,458 +1,458 @@ -"; - - if($pfsense_stable == 'yes'){echo '

' . $pgtitle . '

';} - - echo "\n - \n - \n - \n - \n - \n - \n -
\n"; - - $tab_array = array(); - $tabid = 0; - $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tabid++; - $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); - echo "
\n -
\n - \n - \n - \n - \n -
\n - # The rules directory is empty.\n -
\n -
\n -
\n - \n - \n - \n -

\n\n"; - - echo "Please click on the Update Rules tab to install your selected rule sets."; - include("fend.inc"); - - echo ""; - echo ""; - - exit(0); - } else { - /* Make sure that we have the rules */ - mwexec("/bin/cp /usr/local/etc/snort/rules/*.rules /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules", true); - } -} - -function get_middle($source, $beginning, $ending, $init_pos) { - $beginning_pos = strpos($source, $beginning, $init_pos); - $middle_pos = $beginning_pos + strlen($beginning); - $ending_pos = strpos($source, $ending, $beginning_pos); - $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); - return $middle; -} - -function write_rule_file($content_changed, $received_file) -{ - @file_put_contents($received_file, implode("\n", $content_changed)); -} - -function load_rule_file($incoming_file) -{ - //read file into string, and get filesize - $contents = @file_get_contents($incoming_file); - - //split the contents of the string file into an array using the delimiter - return explode("\n", $contents); -} - -$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; -//$ruledir = "/usr/local/etc/snort/rules/"; -$dh = opendir($ruledir); -while (false !== ($filename = readdir($dh))) -{ - //only populate this array if its a rule file - $isrulefile = strstr($filename, ".rules"); - if ($isrulefile !== false) - $files[] = basename($filename); -} -sort($files); - -if ($_GET['openruleset']) - $rulefile = $_GET['openruleset']; -else - $rulefile = $ruledir.$files[0]; - -//Load the rule file -$splitcontents = load_rule_file($rulefile); - -if ($_GET['act'] == "toggle" && $_GET['ids']) { - - $lineid= $_GET['ids']; - - //copy rule contents from array into string - $tempstring = $splitcontents[$lineid]; - - //explode rule contents into an array, (delimiter is space) - $rule_content = explode(' ', $tempstring); - - $findme = "# alert"; //find string for disabled alerts - $disabled = strstr($tempstring, $findme); - - //if find alert is false, then rule is disabled - if ($disabled !== false) { - //rule has been enabled - $tempstring = substr($tempstring, 2); - } else - $tempstring = "# ". $tempstring; - - //copy string into array for writing - $splitcontents[$lineid] = $tempstring; - - //write the new .rules file - write_rule_file($splitcontents, $rulefile); - - //write disable/enable sid to config.xml - $sid = get_middle($tempstring, 'sid:', ';', 0); - if (is_numeric($sid)) { - // rule_sid_on registers - if (!empty($a_nat[$id]['rule_sid_on'])) - $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); - if (!empty($a_nat[$id]['rule_sid_on'])) - $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); - if ($disabled === false) - $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; - else - $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; - } - - write_config(); - - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$rulefile}"); - exit; -} - -$currentruleset = basename($rulefile); - -$ifname = strtoupper($pconfig['interface']); - -require_once("guiconfig.inc"); -include_once("head.inc"); - -$pgtitle = "Snort: $id $iface_uuid $if_real Category: $currentruleset"; -?> - - -' . $pgtitle . '

';} - -echo "{$snort_general_css}\n"; -?> -
- - - - - - - - - - - - - - -
- -
-
- - - - - - - - - - - - - - - $value ) - { - $disabled = "False"; - $comments = "False"; - $findme = "# alert"; //find string for disabled alerts - $disabled_pos = strstr($value, $findme); - - $counter2 = 1; - $sid = get_middle($value, 'sid:', ';', 0); - //check to see if the sid is numberical - if (!is_numeric($sid)) - continue; - - //if find alert is false, then rule is disabled - if ($disabled_pos !== false){ - $counter2 = $counter2+1; - $textss = ""; - $textse = ""; - $iconb = "icon_block_d.gif"; - - $ischecked = ""; - } else { - $textss = $textse = ""; - $iconb = "icon_block.gif"; - - $ischecked = "checked"; - } - - $rule_content = explode(' ', $value); - - $protocol = $rule_content[$counter2];//protocol location - $counter2++; - $source = substr($rule_content[$counter2], 0, 20) . "...";//source location - $counter2++; - $source_port = $rule_content[$counter2];//source port location - $counter2 = $counter2+2; - $destination = substr($rule_content[$counter2], 0, 20) . "...";//destination location - $counter2++; - $destination_port = $rule_content[$counter2];//destination port location - - if (strstr($value, 'msg: "')) - $message = get_middle($value, 'msg: "', '";', 0); - else if (strstr($value, 'msg:"')) - $message = get_middle($value, 'msg:"', '";', 0); - - echo " - - - - - - "; - ?> - - - -
-
Category: - -
 SIDProtoSourcePortDestinationPortMessage
$textss\n"; - ?> - - - - - - $textss - $sid - $textse - - $textss - $protocol"; - echo "$textse - - $textss - $source - $textse - - $textss - $source_port - $textse - - $textss - $destination - $textse - - $textss - $destination_port - $textse - - $textss - $message - $textse - - - - - - -
-
-
- There are {$counter} rules in this category.

"; ?> -
- - - - - - - - - - - - - - - - -
Rule Enabled
Rule Disabled
-

-

-
- - - -
- - - +"; + + if($pfsense_stable == 'yes'){echo '

' . $pgtitle . '

';} + + echo "\n + \n + \n + \n + \n + \n + \n +
\n"; + + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); + echo "
\n +
\n + \n + \n + \n + \n +
\n + # The rules directory is empty.\n +
\n +
\n +
\n + \n + \n + \n +

\n\n"; + + echo "Please click on the Update Rules tab to install your selected rule sets."; + include("fend.inc"); + + echo ""; + echo ""; + + exit(0); + } else { + /* Make sure that we have the rules */ + mwexec("/bin/cp /usr/local/etc/snort/rules/*.rules /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules", true); + } +} + +function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; +} + +function write_rule_file($content_changed, $received_file) +{ + @file_put_contents($received_file, implode("\n", $content_changed)); +} + +function load_rule_file($incoming_file) +{ + //read file into string, and get filesize + $contents = @file_get_contents($incoming_file); + + //split the contents of the string file into an array using the delimiter + return explode("\n", $contents); +} + +$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; +//$ruledir = "/usr/local/etc/snort/rules/"; +$dh = opendir($ruledir); +while (false !== ($filename = readdir($dh))) +{ + //only populate this array if its a rule file + $isrulefile = strstr($filename, ".rules"); + if ($isrulefile !== false) + $files[] = basename($filename); +} +sort($files); + +if ($_GET['openruleset']) + $rulefile = $_GET['openruleset']; +else + $rulefile = $ruledir.$files[0]; + +//Load the rule file +$splitcontents = load_rule_file($rulefile); + +if ($_GET['act'] == "toggle" && $_GET['ids']) { + + $lineid= $_GET['ids']; + + //copy rule contents from array into string + $tempstring = $splitcontents[$lineid]; + + //explode rule contents into an array, (delimiter is space) + $rule_content = explode(' ', $tempstring); + + $findme = "# alert"; //find string for disabled alerts + $disabled = strstr($tempstring, $findme); + + //if find alert is false, then rule is disabled + if ($disabled !== false) { + //rule has been enabled + $tempstring = substr($tempstring, 2); + } else + $tempstring = "# ". $tempstring; + + //copy string into array for writing + $splitcontents[$lineid] = $tempstring; + + //write the new .rules file + write_rule_file($splitcontents, $rulefile); + + //write disable/enable sid to config.xml + $sid = get_middle($tempstring, 'sid:', ';', 0); + if (is_numeric($sid)) { + // rule_sid_on registers + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); + if ($disabled === false) + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; + else + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; + } + + write_config(); + + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$rulefile}"); + exit; +} + +$currentruleset = basename($rulefile); + +$ifname = strtoupper($pconfig['interface']); + +require_once("guiconfig.inc"); +include_once("head.inc"); + +$pgtitle = "Snort: $id $iface_uuid $if_real Category: $currentruleset"; +?> + + +' . $pgtitle . '

';} + +echo "{$snort_general_css}\n"; +?> +
+ + + + + + + + + + + + + + +
+ +
+
+ + + + + + + + + + + + + + + $value ) + { + $disabled = "False"; + $comments = "False"; + $findme = "# alert"; //find string for disabled alerts + $disabled_pos = strstr($value, $findme); + + $counter2 = 1; + $sid = get_middle($value, 'sid:', ';', 0); + //check to see if the sid is numberical + if (!is_numeric($sid)) + continue; + + //if find alert is false, then rule is disabled + if ($disabled_pos !== false){ + $counter2 = $counter2+1; + $textss = ""; + $textse = ""; + $iconb = "icon_block_d.gif"; + + $ischecked = ""; + } else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + + $ischecked = "checked"; + } + + $rule_content = explode(' ', $value); + + $protocol = $rule_content[$counter2];//protocol location + $counter2++; + $source = substr($rule_content[$counter2], 0, 20) . "...";//source location + $counter2++; + $source_port = $rule_content[$counter2];//source port location + $counter2 = $counter2+2; + $destination = substr($rule_content[$counter2], 0, 20) . "...";//destination location + $counter2++; + $destination_port = $rule_content[$counter2];//destination port location + + if (strstr($value, 'msg: "')) + $message = get_middle($value, 'msg: "', '";', 0); + else if (strstr($value, 'msg:"')) + $message = get_middle($value, 'msg:"', '";', 0); + + echo " + + + + + + "; + ?> + + + +
+
Category: + +
 SIDProtoSourcePortDestinationPortMessage
$textss\n"; + ?> + + + + + + $textss + $sid + $textse + + $textss + $protocol"; + echo "$textse + + $textss + $source + $textse + + $textss + $source_port + $textse + + $textss + $destination + $textse + + $textss + $destination_port + $textse + + $textss + $message + $textse + + + + + + +
+
+
+ There are {$counter} rules in this category.

"; ?> +
+ + + + + + + + + + + + + + + + +
Rule Enabled
Rule Disabled
+

+

+
+ + + +
+ + + diff --git a/config/snort-dev/snort_rules_edit.php b/config/snort-dev/snort_rules_edit.php index 330630f4..6edc88c2 100644 --- a/config/snort-dev/snort_rules_edit.php +++ b/config/snort-dev/snort_rules_edit.php @@ -1,188 +1,188 @@ - 0 ) - $contents = file_get_contents($file); - -//delimiter for each new rule is a new line -$delimiter = "\n"; - -//split the contents of the string file into an array using the delimiter -$splitcontents = explode($delimiter, $contents); -$findme = "# alert"; //find string for disabled alerts -$highlight = "yes"; -if (strstr($splitcontents[$lineid], $findme)) - $highlight = "no"; -if ($highlight == "no") - $splitcontents[$lineid] = substr($splitcontents[$lineid], 2); - -if (!function_exists('get_middle')) { - function get_middle($source, $beginning, $ending, $init_pos) { - $beginning_pos = strpos($source, $beginning, $init_pos); - $middle_pos = $beginning_pos + strlen($beginning); - $ending_pos = strpos($source, $ending, $beginning_pos); - $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); - return $middle; - } -} - -if ($_POST) { - if ($_POST['save']) { - - //copy string into file array for writing - if ($_POST['highlight'] == "yes") - $splitcontents[$lineid] = $_POST['code']; - else - $splitcontents[$lineid] = "# " . $_POST['code']; - - //write disable/enable sid to config.xml - $sid = get_middle($splitcontents[$lineid], 'sid:', ';', 0); - if (is_numeric($sid)) { - // rule_sid_on registers - if (!empty($a_nat[$id]['rule_sid_on'])) - $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); - if (!empty($a_nat[$id]['rule_sid_on'])) - $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); - if ($_POST['highlight'] == "yes") - $a_nat[$id]['rule_sid_on'] = "||enablesid $sid" . $a_nat[$id]['rule_sid_on']; - else - $a_nat[$id]['rule_sid_off'] = "||disablesid $sid" . $a_nat[$id]['rule_sid_off']; - } - - //write the new .rules file - @file_put_contents($file, implode($delimiter, $splitcontents)); - - write_config(); - - echo ""; - exit; - } -} - -$pgtitle = array(gettext("Advanced"), gettext("File Editor")); - -?> - - - - -
- - - - - -
- - - - - - - - - - - - -
- - - - - -
- Disable original rule :
- - /> - - /> - -
- - -
-
- -
-
-
-
- - - + 0 ) + $contents = file_get_contents($file); + +//delimiter for each new rule is a new line +$delimiter = "\n"; + +//split the contents of the string file into an array using the delimiter +$splitcontents = explode($delimiter, $contents); +$findme = "# alert"; //find string for disabled alerts +$highlight = "yes"; +if (strstr($splitcontents[$lineid], $findme)) + $highlight = "no"; +if ($highlight == "no") + $splitcontents[$lineid] = substr($splitcontents[$lineid], 2); + +if (!function_exists('get_middle')) { + function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; + } +} + +if ($_POST) { + if ($_POST['save']) { + + //copy string into file array for writing + if ($_POST['highlight'] == "yes") + $splitcontents[$lineid] = $_POST['code']; + else + $splitcontents[$lineid] = "# " . $_POST['code']; + + //write disable/enable sid to config.xml + $sid = get_middle($splitcontents[$lineid], 'sid:', ';', 0); + if (is_numeric($sid)) { + // rule_sid_on registers + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_on'] = str_replace("||enablesid $sid", "", $a_nat[$id]['rule_sid_on']); + if (!empty($a_nat[$id]['rule_sid_on'])) + $a_nat[$id]['rule_sid_off'] = str_replace("||disablesid $sid", "", $a_nat[$id]['rule_sid_off']); + if ($_POST['highlight'] == "yes") + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid" . $a_nat[$id]['rule_sid_on']; + else + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid" . $a_nat[$id]['rule_sid_off']; + } + + //write the new .rules file + @file_put_contents($file, implode($delimiter, $splitcontents)); + + write_config(); + + echo ""; + exit; + } +} + +$pgtitle = array(gettext("Advanced"), gettext("File Editor")); + +?> + + + + +
+ + + + + +
+ + + + + + + + + + + + +
+ + + + + +
+ Disable original rule :
+ + /> + + /> + +
+ + +
+
+ +
+
+
+
+ + + diff --git a/config/snort-dev/snort_rulesets.php b/config/snort-dev/snort_rulesets.php index 313daea2..3d55f773 100644 --- a/config/snort-dev/snort_rulesets.php +++ b/config/snort-dev/snort_rulesets.php @@ -1,313 +1,313 @@ -"; - if($pfsense_stable == 'yes'){echo $pgtitle;} - echo "

\n"; - - echo ""; - - echo " - \n - - \n - \n - \n -
\n"; - - $tab_array = array(); - $tabid = 0; - $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tabid++; - $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tabid++; - $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); - echo " -
\n -
\n - \n - \n - \n - \n -
\n - # The rules directory is empty. /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules \n -
\n -
\n -
\n - \n - \n - \n -

\n\n"; - - echo "Please click on the Update Rules tab to install your selected rule sets. $isrulesfolderempty"; - include("fend.inc"); - - echo ""; - echo ""; - - exit(0); - } else { - /* Make sure that we have the rules */ - mwexec("/bin/cp /usr/local/etc/snort/rules/*.rules /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules", true); - } -} - -/* alert file */ -$d_snortconfdirty_path = "/var/run/snort_conf_{$iface_uuid}_{$if_real}.dirty"; -if ($_POST["Submit"]) { - $enabled_items = ""; - $isfirst = true; - if (is_array($_POST['toenable'])) - $enabled_items = implode("||", $_POST['toenable']); - else - $enabled_items = $_POST['toenable']; - $a_nat[$id]['rulesets'] = $enabled_items; - - write_config(); - sync_snort_package_config(); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: /snort/snort_rulesets.php?id=$id"); - exit; -} - -$enabled_rulesets = $a_nat[$id]['rulesets']; -if($enabled_rulesets) - $enabled_rulesets_array = split("\|\|", $enabled_rulesets); - -include_once("head.inc"); - -?> - - - - -' . $pgtitle . '

';}?> - - - -
- - - -"; - -?> '; - - if($savemsg) { - print_info_box_np2("{$savemsg}"); - }else{ - print_info_box_np2(' - The Snort configuration has changed and snort needs to be restarted on this interface.
- You must apply the changes in order for them to take effect.
- '); - } -} - -?> - - - - - - -
- -
-
- - - - - - - - - - - - - - - - -
- - - - - - - \n"; - echo "\n"; - echo "\n\n\n"; - //echo ""; - } - - ?> -
Enabled
"; - if(is_array($enabled_rulesets_array)) - if(in_array($file, $enabled_rulesets_array)) { - $CHECKED = " checked=\"checked\""; - } else { - $CHECKED = ""; - } - else - $CHECKED = ""; - echo " \n\n"; - echo "\n"; - echo "{$file}\n"; - echo "
"; - //echo "description"; - //echo "
-
 
Check the rulesets that you would like Snort to load at startup.
 
-
-
- - - -

NOTE: You can click on a ruleset name to edit the ruleset.

- -
- - - - - +"; + if($pfsense_stable == 'yes'){echo $pgtitle;} + echo "

\n"; + + echo ""; + + echo " + \n + + \n + \n + \n +
\n"; + + $tab_array = array(); + $tabid = 0; + $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tabid++; + $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tabid++; + $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); + echo " +
\n +
\n + \n + \n + \n + \n +
\n + # The rules directory is empty. /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules \n +
\n +
\n +
\n + \n + \n + \n +

\n\n"; + + echo "Please click on the Update Rules tab to install your selected rule sets. $isrulesfolderempty"; + include("fend.inc"); + + echo ""; + echo ""; + + exit(0); + } else { + /* Make sure that we have the rules */ + mwexec("/bin/cp /usr/local/etc/snort/rules/*.rules /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules", true); + } +} + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$iface_uuid}_{$if_real}.dirty"; +if ($_POST["Submit"]) { + $enabled_items = ""; + $isfirst = true; + if (is_array($_POST['toenable'])) + $enabled_items = implode("||", $_POST['toenable']); + else + $enabled_items = $_POST['toenable']; + $a_nat[$id]['rulesets'] = $enabled_items; + + write_config(); + sync_snort_package_config(); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_rulesets.php?id=$id"); + exit; +} + +$enabled_rulesets = $a_nat[$id]['rulesets']; +if($enabled_rulesets) + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + +include_once("head.inc"); + +?> + + + + +' . $pgtitle . '

';}?> + + + +
+ + + +"; + +?> '; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.
+ You must apply the changes in order for them to take effect.
+ '); + } +} + +?> + + + + + + +
+ +
+
+ + + + + + + + + + + + + + + + +
+ + + + + + + \n"; + echo "\n"; + echo "\n\n\n"; + //echo ""; + } + + ?> +
Enabled
"; + if(is_array($enabled_rulesets_array)) + if(in_array($file, $enabled_rulesets_array)) { + $CHECKED = " checked=\"checked\""; + } else { + $CHECKED = ""; + } + else + $CHECKED = ""; + echo " \n\n"; + echo "\n"; + echo "{$file}\n"; + echo "
"; + //echo "description"; + //echo "
+
 
Check the rulesets that you would like Snort to load at startup.
 
+
+
+ + + +

NOTE: You can click on a ruleset name to edit the ruleset.

+ +
+ + + + + -- cgit v1.2.3