From 080fb922c15c959be4f0bd101d0cf3f529f0e866 Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Mon, 13 May 2013 16:58:53 -0400
Subject: Snort Pkg 2.5.8 Update - bug fixes and new features
---
config/snort/snort_rules_flowbits.php | 265 ++++++++++++++++++++++++++++++++++
1 file changed, 265 insertions(+)
create mode 100644 config/snort/snort_rules_flowbits.php
(limited to 'config/snort/snort_rules_flowbits.php')
diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php
new file mode 100644
index 00000000..104163f2
--- /dev/null
+++ b/config/snort/snort_rules_flowbits.php
@@ -0,0 +1,265 @@
+.
+ * All rights reserved.
+ *
+ * modified for the pfsense snort package
+ * Copyright (C) 2009-2010 Robert Zelaya.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g, $flowbit_rules_file, $rebuild_rules;
+
+$snortdir = SNORTDIR;
+$rules_map = array();
+$supplist = array();
+
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ $config['installedpackages']['snortglobal']['rule'] = array();
+}
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+
+$id = $_GET['id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (is_null($id)) {
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+$if_real = snort_get_real_interface($a_nat[$id]['interface']);
+$snort_uuid = $a_nat[$id]['uuid'];
+
+/* We should normally never get to this page if Auto-Flowbits are disabled, but just in case... */
+if ($a_nat[$id]['autoflowbitrules'] == 'on') {
+ if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") &&
+ filesize("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) {
+ $rules_map = snort_load_rules_map("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}");
+ }
+ else
+ $savemsg = "There are no flowbit-required rules necessary for the current enforcing rule set.";
+}
+else
+ $input_errors[] = "Auto-Flowbit rule generation is disabled for this interface!";
+
+if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) {
+ $descr = snort_get_msg($rules_map[$_GET['gen_id']][$_GET['sidid']]['rule']);
+ if (empty($descr))
+ $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n";
+ else
+ $suppress = "# {$descr}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}";
+ if (!is_array($config['installedpackages']['snortglobal']['suppress']))
+ $config['installedpackages']['snortglobal']['suppress'] = array();
+ if (!is_array($config['installedpackages']['snortglobal']['suppress']['item']))
+ $config['installedpackages']['snortglobal']['suppress']['item'] = array();
+ $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item'];
+
+ if (empty($a_nat[$id]['suppresslistname']) || $a_nat[$id]['suppresslistname'] == 'default') {
+ $s_list = array();
+ $s_list['name'] = $a_nat[$id]['interface'] . "suppress";
+ $s_list['uuid'] = uniqid();
+ $s_list['descr'] = "Auto-generated list for alert suppression";
+ $s_list['suppresspassthru'] = base64_encode($suppress);
+ $a_suppress[] = $s_list;
+ $a_nat[$id]['suppresslistname'] = $s_list['name'];
+ } else {
+ foreach ($a_suppress as $a_id => $alist) {
+ if ($alist['name'] == $a_nat[$id]['suppresslistname']) {
+ if (!empty($alist['suppresspassthru'])) {
+ $tmplist = base64_decode($alist['suppresspassthru']);
+ $tmplist .= "\n{$suppress}";
+ $alist['suppresspassthru'] = base64_encode($tmplist);
+ $a_suppress[$a_id] = $alist;
+ }
+ }
+ }
+ }
+ write_config();
+ $rebuild_rules = "off";
+ sync_snort_package_config();
+ $savemsg = "Wrote suppress rule for gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']} to the {$a_nat[$id]['suppresslistname']} Suppression List.";
+}
+
+function truncate($string, $length) {
+
+ /********************************
+ * This function truncates the *
+ * passed string to the length *
+ * specified adding ellipsis if *
+ * truncation was necessary. *
+ ********************************/
+ if (strlen($string) > $length)
+ $string = substr($string, 0, ($length - 3)) . "...";
+ return $string;
+}
+
+/* Load up an array with the current Suppression List GID,SID values */
+$supplist = snort_load_suppress_sigs($a_nat[$id]);
+
+$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']);
+$pgtitle = "Services: Snort: {$if_friendly} Flowbit Rules";
+include_once("head.inc");
+
+?>
+
+
+
+' . $pgtitle . '
';}
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+
+
+