From 2dff0d13d21f2a52b9adbeb8bddfdcb179df76cb Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 25 Jan 2014 14:19:50 -0500 Subject: Fix to return to same interface when unblocking a host. --- config/snort/snort_alerts.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config/snort/snort_alerts.php') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index f232f897..7e8c3a6c 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -421,7 +421,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[6]])) { $alert_ip_src .= " "; - $alert_ip_src .= " + $alert_ip_src .= " \"Remove"; } /* IP SRC Port */ @@ -448,7 +448,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[8]])) { $alert_ip_dst .= " "; - $alert_ip_dst .= " + $alert_ip_dst .= " \"Remove"; } /* IP DST Port */ -- cgit v1.2.3 From 3e99c60333f4a1cd5f5c57f1ecc36e857d653485 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 25 Jan 2014 20:53:15 -0500 Subject: Mimic all DNS lookup features of F/W log with Alerts --- config/snort/snort_alerts.php | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'config/snort/snort_alerts.php') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 7e8c3a6c..8b00bf00 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -264,16 +264,14 @@ include_once("head.inc"); ?> - + \n"; -?> - -' . $pgtitle . '

';} +if($pfsense_stable == 'yes'){echo '

' . $pgtitle . '

';} /* Display Alert message */ if ($input_errors) { print_input_errors($input_errors); // TODO: add checks @@ -403,8 +401,11 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_src = $fields[6]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); - /* Add Reverse DNS lookup icon */ - $alert_ip_src .= "
"; + /* Add Reverse DNS lookup icons */ + $alert_ip_src .= "
"; + $alert_ip_src .= ""; + $alert_ip_src .= " "; $alert_ip_src .= ""; /* Add icons for auto-adding to Suppress List if appropriate */ @@ -430,8 +431,11 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_dst = $fields[8]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); - /* Add Reverse DNS lookup icon */ - $alert_ip_dst .= "
"; + /* Add Reverse DNS lookup icons */ + $alert_ip_dst .= "
"; + $alert_ip_dst .= ""; + $alert_ip_dst .= " "; $alert_ip_dst .= ""; /* Add icons for auto-adding to Suppress List if appropriate */ -- cgit v1.2.3 From 7694df7ce3ab4c570e2d9ba1e270d1aa3192d665 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 27 Jan 2014 21:55:53 -0500 Subject: Add disable SID icon for alerts on Alerts tab --- config/snort/snort_alerts.php | 78 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) (limited to 'config/snort/snort_alerts.php') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 8b00bf00..eb6190f5 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -7,6 +7,7 @@ * Copyright (C) 2003-2004 Manuel Kasper . * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2012 Ermal Luci + * Copyright (C) 2013,2014 Bill Meeks * All rights reserved. * * Modified for the Pfsense snort package v. 1.8+ @@ -141,6 +142,11 @@ $a_instance = &$config['installedpackages']['snortglobal']['rule']; $snort_uuid = $a_instance[$instanceid]['uuid']; $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); +// Load up the arrays of force-enabled and force-disabled SIDs +$enablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_on']); +$disablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_off']); + +$pconfig = array(); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; 
@@ -215,6 +221,64 @@ if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } +if ($_GET['act'] == "togglesid" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + // Get the GID tag embedded in the clicked rule icon. + $gid = $_GET['gen_id']; + + // Get the SID tag embedded in the clicked rule icon. + $sid= $_GET['sidid']; + + // See if the target SID is in our list of modified SIDs, + // and toggle it if present. + if (isset($enablesid[$gid][$sid])) + unset($enablesid[$gid][$sid]); + if (isset($disablesid[$gid][$sid])) + unset($disablesid[$gid][$sid]); + elseif (!isset($disablesid[$gid][$sid])) + $disablesid[$gid][$sid] = "disablesid"; + + // Write the updated enablesid and disablesid values to the config file. + $tmp = ""; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; + } + $tmp = rtrim($tmp, "||"); + + if (!empty($tmp)) + $a_instance[$instanceid]['rule_sid_on'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_on']); + + $tmp = ""; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; + } + $tmp = rtrim($tmp, "||"); + + if (!empty($tmp)) + $a_instance[$instanceid]['rule_sid_off'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_off']); + + /* Update the config.xml file. */ + write_config(); + + /*************************************************/ + /* Update the snort.conf file and rebuild the */ + /* rules for this interface. 
*/ + /*************************************************/ + $rebuild_rules = true; + snort_generate_conf($a_instance[$instanceid]); + $rebuild_rules = false; + + /* Soft-restart Snort to live-load the new rules */ + snort_reload_config($a_instance[$instanceid]); + + $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Snort is 'live-reloading' the new rules list. Please wait at least 30 secs for the process to complete before toggling additional rules."); +} + if ($_GET['action'] == "clear" || $_POST['delete']) { snort_post_delete_logs($snort_uuid); $fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+"); @@ -468,6 +532,18 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $sidsupplink = ""; } + /* Add icon for toggling rule state */ + if (isset($disablesid[$fields[1]][$fields[2]])) { + $sid_dsbl_link = ""; + $sid_dsbl_link .= ""; + } + else { + $sid_dsbl_link = ""; + $sid_dsbl_link .= ""; + } + /* DESCRIPTION */ $alert_class = $fields[11]; echo " @@ -479,7 +555,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { {$alert_src_p} {$alert_ip_dst} {$alert_dst_p} - {$alert_sid_str}
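Review bot: The togglesid branch rewrites the instance's rule lists, calls write_config() and live-reloads Snort on a plain GET request selected only by `$_GET['act']`, so any cross-site request issued from a logged-in admin's browser can disable a detection rule without the admin noticing; a state change like this belongs in a POST carrying the page's CSRF token (if the surrounding framework only validates tokens on POST, this GET path bypasses it). `is_numeric()` also admits floats, exponent forms and leading whitespace, and the values are then written verbatim into `rule_sid_off` as `{$k1}:{$k2}||` and echoed back through `$savemsg`; `ctype_digit((string)$_GET['sidid']) && ctype_digit((string)$_GET['gen_id'])` pins them to plain decimal IDs. The `elseif (!isset($disablesid[$gid][$sid]))` guard is always true when reached and can be a plain `else`. Interpolating `{$gid}:{$sid}` inside the `gettext()` argument means the message can never match a catalog entry; `sprintf(gettext("The state for rule %s:%s has been modified. ..."), $gid, $sid)` keeps it translatable.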
{$sidsupplink} + {$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link} {$alert_descr} \n"; -- cgit v1.2.3 From a9356103959a9aeb0a466cd3c1adcf730e630076 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 28 Jan 2014 11:15:14 -0500 Subject: Tweak new Reverse DNS feature based on pfSense version --- config/snort/snort_alerts.php | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) (limited to 'config/snort/snort_alerts.php') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index eb6190f5..804c6e8a 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -146,6 +146,9 @@ $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); $enablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_on']); $disablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_off']); +// Grab pfSense version so we can refer to it later on this page +$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); + $pconfig = array(); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; @@ -465,13 +468,17 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_src = $fields[6]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); - /* Add Reverse DNS lookup icons */ - $alert_ip_src .= "
"; - $alert_ip_src .= ""; - $alert_ip_src .= " "; + /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */ + $alert_ip_src .= "
"; + if ($pfs_version > 2.0) { + $alert_ip_src .= "
"; + $alert_ip_src .= " "; + } + $alert_ip_src .= ""; $alert_ip_src .= ""; + /* Add icons for auto-adding to Suppress List if appropriate */ if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) && !isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) { @@ -495,11 +502,14 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_dst = $fields[8]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); - /* Add Reverse DNS lookup icons */ - $alert_ip_dst .= "
"; - $alert_ip_dst .= ""; - $alert_ip_dst .= " "; + /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */ + $alert_ip_dst .= "
"; + if ($pfs_version > 2.0) { + $alert_ip_dst .= "
"; + $alert_ip_dst .= " "; + } + $alert_ip_dst .= ""; $alert_ip_dst .= ""; /* Add icons for auto-adding to Suppress List if appropriate */ -- cgit v1.2.3