From 31905aef52131b7067441f8f7902b343a4588f72 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 9 Apr 2013 20:10:36 -0400 Subject: Update Snort to 2.5.5 - New features and bug fixes --- config/snort/snort.inc | 331 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 270 insertions(+), 61 deletions(-) (limited to 'config/snort/snort.inc') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 27d0b7e5..d8a7cc19 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -37,17 +37,46 @@ require_once("functions.inc"); // Needed on 2.0 because of filter_get_vpns_list() require_once("filter.inc"); +// Explicitly declare these as global so they work through function call includes +global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log; +global $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall; +global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename; + /* package version */ $snort_version = "2.9.4.1"; -$pfSense_snort_version = "2.5.4"; +$pfSense_snort_version = "2.5.5"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; + +// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) +if (floatval(php_uname("r")) >= 8.3) { + exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray); + $snort_pbidir = "{$pbidirarray[0]}"; + define("SNORTDIR", "{$snort_pbidir}/etc/snort"); + define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort"); +} +else { + define("SNORTDIR", "/usr/local/etc/snort"); + define("SNORTLIBDIR", "/usr/local/lib/snort"); +} + +define("SNORTLOGDIR", "/var/log/snort"); + +/* Important file definitions */ $snort_rules_file = "snortrules-snapshot-2941.tar.gz"; $emerging_threats_version = "2.9.0"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$snort_community_rules_url = "https://s3.amazonaws.com/snort-org/www/rules/community/"; +$snort_community_rules_filename = "community-rules.tar.gz"; $flowbit_rules_file = "flowbit-required.rules"; $snort_enforcing_rules_file = "snort.rules"; +$snort_rules_upd_log = SNORTLOGDIR; +$snort_rules_upd_log .= "/snort_rules_update.log"; -define("SNORTDIR", "/usr/local/etc/snort"); -define("SNORTLOGDIR", "/var/log/snort"); +/* Rebuild Rules Flag -- if "on", rebuild enforcing rules and flowbit-rules files */ +$rebuild_rules = "off"; + +/* Post-install Flag -- normally "false" except during post-install of package */ +$is_postinstall = false; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); @@ -427,9 +456,14 @@ function snort_post_delete_logs($snort_uuid = 0) { } function snort_postinstall() { - global $config, $g; + global $config, $g, $snort_rules_file, $emerging_threats_version; + global $snort_version, $rebuild_rules, $is_postinstall; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; + + /* Set flag for post-install in progress */ + $is_postinstall = true; /* cleanup default files */ @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); @@ -440,25 +474,41 @@ function snort_postinstall() { @rename("{$snortdir}/generators-sample", "{$snortdir}/generators"); @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config"); @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); + + /* fix up the preprocessor rules filenames from a PBI package install */ + $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); + foreach ($preproc_rules as $file) { + if (file_exists("{$snortdir}/preproc_rules/{$file}-sample")) + @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}"); + } + + /* Remove any previously installed scripts since we rebuild them */ @unlink("{$snortdir}/sid"); @unlink("/usr/local/etc/rc.d/snort"); @unlink("/usr/local/etc/rc.d/barnyard2"); - /* remove example files */ - if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) - exec('rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); - - if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) - exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + /* remove example library files */ + $files = glob("{$snortlibdir}/dynamicrules/*_example*"); + foreach ($files as $f) + @unlink($f); + $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*"); + foreach ($files as $f) + @unlink($f); /* remake saved settings */ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_status(gettext("Saved settings detected...")); - update_output_window(gettext("Please wait... rebuilding files...")); + update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); + update_status(gettext("Generating snort.conf configuration file from saved settings...")); + $rebuild_rules = "on"; sync_snort_package_config(); - update_output_window(gettext("Finnished Rebuilding files...")); + $rebuild_rules = "off"; + update_output_window(gettext("Finished rebuilding files...")); } + + /* Done with post-install, so clear flag */ + $is_postinstall = false; } function snort_Getdirsize($node) { @@ -693,12 +743,15 @@ function snort_rules_up_install_cron($should_install) { /* Only run when all ifaces needed to sync. Expects filesystem rw */ function sync_snort_package_config() { - global $config, $g; + global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file; + global $snort_version, $rebuild_rules; + + $snortdir = SNORTDIR; conf_mount_rw(); - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']) && !is_array($config['installedpackages']['snortglobal']['rule'])) { + /* do not start config build if rules is empty or there are no Snort settings */ + if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) { exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); conf_mount_ro(); return; @@ -708,10 +761,10 @@ function sync_snort_package_config() { foreach ($snortconf as $value) { $if_real = snort_get_real_interface($value['interface']); - /* create snort configuration file */ + /* create a snort.conf file for interface */ snort_generate_conf($value); - /* create barnyard2 configuration file */ + /* create barnyard2.conf file for interface */ if ($value['barnyard_enable'] == 'on') snort_create_barnyard2_conf($value, $if_real); } @@ -748,7 +801,7 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /* First check if we were passed a directory, a single file */ /* or an array of filenames to read. Set our $rule_files */ /* variable accordingly. If we can't figure it out, return */ - /* an empty rules map array. */ + /* and don't write a sid_msg_map file. */ if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); @@ -1272,11 +1325,13 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { /* given. */ /************************************************/ + global $flowbit_rules_file; + /* See if we were passed a directory or full */ /* filename to write the rules to, and adjust */ /* the destination argument accordingly. */ if (is_dir($rule_file)) - $rule_file = rtrim($rule_file, '/').'/flowbit-required.rules'; + $rule_file = rtrim($rule_file, '/')."/{$flowbit_rules_file}"; if (empty($flowbit_rules)) { @file_put_contents($rule_file, ""); @@ -1363,7 +1418,7 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { global $snort_enforcing_rules_file; - $rule_file = "/snort.rules"; + $rule_file = "/{$snort_enforcing_rules_file}"; /* See if we were passed a directory or full */ /* filename to write the rules to, and adjust */ @@ -1584,6 +1639,7 @@ case $1 in rc_stop ;; restart) + rc_stop rc_start ;; esac @@ -1642,7 +1698,7 @@ function snort_generate_barnyard2_conf($snortcfg, $if_real) { config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map -config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map +config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map config hostname: $snortbarnyardlog_hostname_info_chk config interface: {$if_real} @@ -1671,12 +1727,13 @@ EOD; } function snort_deinstall() { - global $config, $g; + + global $config, $g, $snort_rules_upd_log; $snortdir = SNORTDIR; - $snortlogdir = SNORTLOGDIR; + $snortlibdir = SNORTLIBDIR; - /* decrease bpf buffers back to 4096, from 20480 */ + /* Make sure all active Snort processes are terminated */ mwexec('/usr/bin/killall snort', true); sleep(2); mwexec('/usr/bin/killall -9 snort', true); @@ -1685,9 +1742,11 @@ function snort_deinstall() { sleep(2); mwexec('/usr/bin/killall -9 barnyard2', true); sleep(2); + + /* Remove the snort user and group */ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); - /* Remove snort cron entries Ugly code needs smoothness*/ + /* Remove snort cron entries Ugly code needs smoothness */ if (!function_exists('snort_deinstall_cron')) { function snort_deinstall_cron($crontask) { global $config, $g; @@ -1709,22 +1768,49 @@ function snort_deinstall() { } } - mwexec("/bin/rm {$snortdir}/*.md5; /bin/rm -r {$snortdir}/snort_*"); + /* Remove all the Snort cron jobs. */ snort_deinstall_cron("snort2c"); snort_deinstall_cron("snort_check_for_rule_updates.php"); snort_deinstall_cron("snort_check_cron_misc.inc"); configure_cron(); + /**********************************************************/ + /* Test for existence of library backup tarballs in /tmp. */ + /* If these are present, then a package "delete" */ + /* operation is in progress and we need to wipe out the */ + /* configuration files. Otherwise we leave the binary- */ + /* side configuration intact since only a GUI files */ + /* deinstall and reinstall operation is in progress. */ + /* */ + /* XXX: hopefully a better method presents itself in */ + /* future versions of pfSense. */ + /**********************************************************/ + if (file_exists("/tmp/pkg_libs.tgz") || file_exists("/tmp/pkg_bins.tgz")) { + mwexec("/bin/rm -rf {$snortdir}"); + mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules"); + } + /* Keep this as a last step */ - if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') { unset($config['installedpackages']['snortglobal']); + @unlink("{$snort_rules_upd_log}"); + } } function snort_prepare_rule_files($snortcfg, $snortcfgdir) { - global $snort_enforcing_rules_file, $flowbit_rules_file; + + global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules; $snortdir = SNORTDIR; + /* If there is no reason to rebuild the rules, exit to save time. */ + if ($rebuild_rules == "off") + return; + + /* Log a message for rules rebuild in progress */ + log_error(gettext("Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + + /* Only rebuild rules if some are selected or an IPS Policy is enabled */ if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') { $enabled_rules = array(); $enabled_files = array(); @@ -1741,16 +1827,6 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_rules = snort_load_rules_map($enabled_files); } - /* Remove any existing rules files (except custom rules) prior to building a new set. */ - foreach (glob("{$snortcfgdir}/rules/*.rules") as $file) { - $tmpfile = basename($file); - if (in_array("{$snortdir}/rules/{$tmpfile}", $enabled_files)) - continue; - if ($tmpfile != "custom.rules" && $tmpfile != $flowbit_rules_file && - $tmpfile != $snort_enforcing_rules_file) - @unlink($file); - } - /* Check if a pre-defined Snort VRT policy is selected. If so, */ /* add all the VRT policy rules to our enforcing rule set. */ if (!empty($snortcfg['ips_policy'])) { @@ -1773,9 +1849,12 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Process any enablesid or disablesid modifications for the selected rules. */ snort_modify_sids($enabled_rules, $snortcfg); - /* Check for and disable any rules dependent upon disabled preprocessors. */ - log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); - snort_filter_preproc_rules($snortcfg, $enabled_rules); + /* Check for and disable any rules dependent upon disabled preprocessors if */ + /* this option is enabled for the interface. */ + if ($snortcfg['preproc_auto_rule_disable'] == "on") { + log_error('Auto-disabling rules dependent on disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + snort_filter_preproc_rules($snortcfg, $enabled_rules); + } /* Write the enforcing rules file to the Snort interface's "rules" directory. */ snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); @@ -1783,9 +1862,19 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */ if ($snortcfg['autoflowbitrules'] == 'on') { - log_error('Resolving and auto-enabling flowbit required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + log_error('Resolving and auto-enabling any flowbit-required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); $enabled_files[] = "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"; - snort_write_flowbit_rules_file(snort_resolve_flowbits($enabled_files), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); + $fbits = snort_resolve_flowbits($enabled_files); + + /* Check for and disable any flowbit-required rules dependent upon */ + /* disabled preprocessors if this option is enabled for the interface. */ + if ($snortcfg['preproc_auto_rule_disable'] == "on") { + log_error('Auto-disabling flowbit-required rules dependent on disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + snort_filter_preproc_rules($snortcfg, $fbits, true); + } + snort_filter_preproc_rules($snortcfg, $fbits, true); + snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}"); + unset($fbits); } else /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); @@ -1803,10 +1892,11 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Build a new sid-msg.map file from the enabled */ /* rules and copy it to the interface directory. */ + log_error(gettext("Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "...")); snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map"); } -function snort_filter_preproc_rules($snortcfg, &$active_rules) { +function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = false) { /**************************************************/ /* This function checks the $active_rules array */ @@ -1819,11 +1909,22 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { /* the interface */ /* $active_rules -> rules_map array of enabled */ /* rules for the interface */ + /* */ + /* NOTE: This feature must be enabled in the GUI */ + /* by the user. Use of this feature can */ + /* severely degrade Snort's ability to */ + /* detect threats by disabling potentially */ + /* crucial detection rules. */ /**************************************************/ global $config; - if (empty($active_rules)) + $snortlogdir = SNORTLOGDIR; + $disabled_count = 0; + $log_msg = array(); + + /* Check if no rules or if this option is disabled */ + if (empty($active_rules) || $snortcfg['preproc_auto_rule_disable'] <> 'on') return; /*************************************************** @@ -1833,8 +1934,20 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { * IMPORTANT -- Keep this part of the code current * * with changes to preprocessor rule options in * * Snort VRT rules. * + * * + * * + * Format of array is: * + * "rule_option" => "dependent_preprocessor" * + * * + * Last Update: 04/05/2013 * + * * + * Added: http_inspect content modifiers and * + * various "service" metadata values. * + * * ***************************************************/ $rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc", + "service ssl" => "ssl_preproc", "service ftp" => "ftp_preprocessor", + "service telnet" => "ftp_preprocessor", "service dns" => "dns_preprocessor", "dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2", "dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data", "sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc", @@ -1843,7 +1956,16 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { "gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc", "modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc", "dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc", - "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc"); + "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc", + "http_client_body;" => "http_inspect", "http_cookie;" => "http_inspect", + "http_raw_cookie;" => "http_inspect", "http_header;" => "http_inspect", + "http_raw_header;" => "http_inspect", "http_method;" => "http_inspect", + "http_uri;" => "http_inspect", "http_raw_uri;" => "http_inspect", + "http_stat_code;" => "http_inspect", "http_stat_msg;" => "http_inspect", + "uricontent:" => "http_inspect", "urilen:" => "http_inspect", + "http_encode;" => "http_inspect", "service http" => "http_inspect", + "service imap" => "imap_preproc", "service pop2" => "pop_preproc", + "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor"); /*************************************************** * Iterate the enabled rules, and check for rule * @@ -1855,32 +1977,94 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { ***************************************************/ foreach ($active_rules as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { + /* If rule is already disabled, skip it. */ if ($v['disabled'] == 1) continue; + foreach ($rule_opts_preprocs as $opt => $preproc) { - $pcre = "/\s*\b" . $opt . "/i"; + $pcre = "/\s*\b" . preg_quote($opt) . "/i"; if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) { $active_rules[$k1][$k2]['rule'] = "# " . $v['rule']; $active_rules[$k1][$k2]['disabled'] = 1; + $disabled_count++; + + /* Accumulate auto-disabled rules for logging */ + $tmp = $active_rules[$k1][$k2]['category'] . " "; + $tmp .= "{$k1}:{$k2} Preproc: {$preproc} Param: {$opt}"; + $log_msg[] = $tmp; break; } } } } + + /***************************************************************/ + /* If we are persisting the log from the last pass, then open */ + /* the log file in append mode. Otherwise open in overwrite */ + /* to clear the log in case we have zero disabled rules. */ + /* */ + /* Typically "persist log" mode is used on the second pass */ + /* when flowbit-required rules are being assessed after the */ + /* primary enforcing rules have been evaluated. */ + /***************************************************************/ + $iface = snort_get_friendly_interface($snortcfg['interface']); + $file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; + if ($persist_log) + $fp = fopen($file, 'a'); + else + $fp = fopen($file, 'w'); + + /***************************************************/ + /* Log a warning if we auto-disabled any rules */ + /* just so the user is aware protection is less */ + /* than optimal with the preprocessors disabled. */ + /***************************************************/ + if ($disabled_count > 0) { + log_error(gettext("Warning: auto-disabled {$disabled_count} rules due to disabled preprocessor dependencies.")); + natcasesort($log_msg); + if ($fp) { + /* Only write the header when not persisting the log */ + if (!$persist_log) { + @fwrite($fp, "#\n# Run Time: " . date("Y-m-d H:i:s") . "\n#\n"); + @fwrite($fp, "#\n# These rules were auto-disabled because they contain options or operators\n"); + @fwrite($fp, "# dependent on preprocessors that are currently NOT ENABLED on the Preprocessors\n"); + @fwrite($fp, "# tab. Without these dependent preprocessors enabled, Snort would fail to start\n"); + @fwrite($fp, "# if the rules listed below were enabled. Therefore the listed rules have been\n"); + @fwrite($fp, "# automatically disabled. This behavior is controlled by the Auto-Rule Disable\n"); + @fwrite($fp, "# feature on the Preprocessors tab.\n#\n"); + @fwrite($fp, "# WARNING: Using the auto-disable rule feature is not recommended because it can\n"); + @fwrite($fp, "# significantly reduce the threat detection capabilities of Snort!\n#\n"); + @fwrite($fp, "# Log Format is: RULE CATEGORY GID:SID PREPROC METADATA/CONTENT PARAMETER\n#\n"); + } + foreach ($log_msg as $m) { + @fwrite($fp, $m . "\n"); + } + } + log_error(gettext("See '{$file}' for list of auto-disabled rules.")); + unset($log_msg); + } + if ($fp) + fclose($fp); } function snort_generate_conf($snortcfg) { - global $config, $g; + + global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; - $flowbit_rules_file = "flowbit-required.rules"; - $snort_enforcing_rules_file = "snort.rules"; if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; + /* See if we should protect and not modify the preprocessor rules files */ + if (!empty($snortcfg['protect_preproc_rules'])) + $protect_preproc_rules = $snortcfg['protect_preproc_rules']; + else + $protect_preproc_rules = "off"; + $if_real = snort_get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; @@ -1903,8 +2087,8 @@ function snort_generate_conf($snortcfg) { "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "/usr/local/lib/snort/dynamicrules", - "dynamicengine" => "/usr/local/lib/snort/dynamicengine", + "dynamicrules" => "{$snortlibdir}/dynamicrules", + "dynamicengine" => "{$snortlibdir}/dynamicengine", "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" ); foreach ($snort_dirs as $dir) { @@ -1912,13 +2096,24 @@ function snort_generate_conf($snortcfg) { safe_mkdir($dir); } + /********************************************************************/ + /* For fail-safe on an initial startup following installation, and */ + /* before a rules update has occurred, copy the default config */ + /* files to the interface directory. If files already exist in */ + /* the interface directory, or they are newer, that means a rule */ + /* update has been done and we should leave the customized files */ + /* put in place by the rules update process. */ + /********************************************************************/ $snort_files = array("gen-msg.map", "classification.config", "reference.config", "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" ); foreach ($snort_files as $file) { - if (file_exists("{$snortdir}/{$file}")) - @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + if (file_exists("{$snortdir}/{$file}")) { + $ftime = filemtime("{$snortdir}/{$file}"); + if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) + @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + } } /* define alertsystemlog */ @@ -2012,7 +2207,7 @@ EOD; if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) $def_client_flow_depth_type = $snortcfg['client_flow_depth']; - if ($snortcfg['noalert_http_inspect'] == 'on') + if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect'])) $noalert_http_inspect = "no_alerts "; else $noalert_http_inspect = ""; @@ -2257,6 +2452,16 @@ EOD; if (!empty($snortcfg['stream5_mem_cap'])) $def_stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}"; + /* Default the HTTP_INSPECT preprocessor to "on" if not set. */ + /* The preprocessor is required by hundreds of Snort rules, */ + /* and without it Snort may not start and/or the number of */ + /* rules required to be disabled reduces Snort's capability. */ + /* Alerts from the HTTP_INSPECT preprocessor default to "off" */ + /* unless a specific value has been set by the user. */ + /**************************************************************/ + if (empty($snortcfg['http_inspect'])) + $snortcfg['http_inspect'] = 'on'; + /* define servers and ports snortdefservers */ $snort_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", @@ -2295,8 +2500,8 @@ EOD; if (!empty($snort_preproc_libs[$preproc])) { $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { - if (file_exists("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so")) { - @copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { + @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); $snort_preprocessors .= $$preproc; $snort_preprocessors .= "\n"; } else @@ -2318,22 +2523,26 @@ EOD; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; if (is_dir("{$snortcfgdir}/preproc_rules")) { - if ($snortcfg['sensitive_data'] == 'on') { + if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")) $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; } else $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); @unlink("{$g['tmp_path']}/sedcmd"); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } else { + } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } + else { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); } -- cgit v1.2.3