From e2368b54a0d454f7521618ae97fc361318bc428d Mon Sep 17 00:00:00 2001
From: Bill Meeks <bmeeks8@bellsouth.net>
Date: Sun, 20 Jan 2013 01:10:38 -0500
Subject: Add IPS policy select, auto-flowbit resolution and bug fixes.

---
 config/snort/snort_rulesets.php | 220 ++++++++++++++++++++++++++++++----------
 1 file changed, 166 insertions(+), 54 deletions(-)
 mode change 100644 => 100755 config/snort/snort_rulesets.php

(limited to 'config/snort/snort_rulesets.php')

diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php
old mode 100644
new mode 100755
index cfaa7d18..b9aa2647
--- a/config/snort/snort_rulesets.php
+++ b/config/snort/snort_rulesets.php
@@ -32,7 +32,7 @@
 require_once("guiconfig.inc");
 require_once("/usr/local/pkg/snort/snort.inc");
 
-global $g;
+global $g, $flowbit_rules_file;
 
 $snortdir = SNORTDIR;
 
@@ -49,44 +49,13 @@ if (is_null($id)) {
 	exit;
 }
 
-function snort_remove_rules($files, $snortdir, $snort_uuid, $if_real) {
-
-        if (empty($files))
-                return;
-
-        conf_mount_rw();
-	foreach ($files as $file) {
-		@unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}");
-		if (substr($file, -9) == ".so.rules") {
-			$slib = substr($file, 6, -6);
-			@unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/dynamicrules/{$slib}");
-		}
-	}
-        conf_mount_ro();
-}
-
-function snort_copy_rules($files, $snortdir, $snort_uuid, $if_real) {
-
-        if (empty($files))
-                return;
-
-        conf_mount_rw();
-        foreach ($files as $file) {
-                if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}"))
-                        @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}");
-		if (substr($file, -9) == ".so.rules") {
-			$slib = substr($enabled_item, 6, -6);
-			if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/dynamicrules/{$slib}"))
-				@copy("/usr/local/lib/snort/dynamicrules/{$file}", "{$snortdir}/snort_{$snort_uuid}_{$if_real}/dynamicrules/{$slib}");
-		}
-        }
-        conf_mount_ro();
-}
-
 if (isset($id) && $a_nat[$id]) {
 	$pconfig['enable'] = $a_nat[$id]['enable'];
 	$pconfig['interface'] = $a_nat[$id]['interface'];
 	$pconfig['rulesets'] = $a_nat[$id]['rulesets'];
+	$pconfig['autoflowbitrules'] = $a_nat[$id]['autoflowbitrules'];
+	$pconfig['ips_policy_enable'] = $a_nat[$id]['ips_policy_enable'];
+	$pconfig['ips_policy'] = $a_nat[$id]['ips_policy'];
 }
 
 $if_real = snort_get_real_interface($pconfig['interface']);
@@ -94,20 +63,60 @@ $snort_uuid = $a_nat[$id]['uuid'];
 $snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
 $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats'];
 
+if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on'))
+	$policy_select_disable = "disabled";
+
+if ($a_nat[$id]['autoflowbitrules'] == 'on') {
+	if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"))
+		$btn_view_flowb_rules = "";
+	else
+		$btn_view_flowb_rules = " disabled";
+}
+else
+	$btn_view_flowb_rules = " disabled";
+
+// If a Snort VRT policy is enabled and selected, remove all Snort VRT
+// rules from the configured rule sets to allow automatic selection.
+if ($a_nat[$id]['ips_policy_enable'] == 'on') {
+	if (isset($a_nat[$id]['ips_policy'])) {
+		$disable_vrt_rules = "disabled";
+		$enabled_sets = explode("||", $a_nat[$id]['rulesets']);
+
+		foreach ($enabled_sets as $k => $v) {
+			if (substr($v, 0, 6) == "snort_")
+				unset($enabled_sets[$k]);
+		}
+		$a_nat[$id]['rulesets'] = implode("||", $enabled_sets);
+	}
+}
+else
+	$disable_vrt_rules = "";
+
 /* alert file */
 if ($_POST["Submit"]) {
+
+	if ($_POST['ips_policy_enable'] == "on")
+		$a_nat[$id]['ips_policy_enable'] = 'on';
+	else
+		$a_nat[$id]['ips_policy_enable'] = 'off';
+
+	$a_nat[$id]['ips_policy'] = $_POST['ips_policy'];
+
 	$enabled_items = "";
 	if (is_array($_POST['toenable']))
 		$enabled_items = implode("||", $_POST['toenable']);
 	else
 		$enabled_items = $_POST['toenable'];
 
-	$oenabled = explode("||", $a_nat[$id]['rulesets']);
-	$nenabled = explode("||", $enabled_items);
-	$tormv = array_diff($oenabled, $nenabled);
-	snort_remove_rules($tormv, $snortdir, $snort_uuid, $if_real);
 	$a_nat[$id]['rulesets'] = $enabled_items;
-	snort_copy_rules(explode("||", $enabled_items), $snortdir, $snort_uuid, $if_real);
+
+	if ($_POST['autoflowbits'] == "on")
+		$a_nat[$id]['autoflowbitrules'] = 'on';
+	else {
+		$a_nat[$id]['autoflowbitrules'] = 'off';
+		if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"))
+			@unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}");
+	}
 
 	write_config();
 	sync_snort_package_config();
@@ -117,9 +126,6 @@ if ($_POST["Submit"]) {
 }
 
 if ($_POST['unselectall']) {
-	if (!empty($pconfig['rulesets']))
-		snort_remove_rules(explode("||", $pconfig['rulesets']), $snortdir, $snort_uuid, $if_real);
-
 	$a_nat[$id]['rulesets'] = "";
 
 	write_config();
@@ -141,7 +147,6 @@ if ($_POST['selectall']) {
 		foreach ($files as $file)
 			$rulesets[] = basename($file);
 	}
-	snort_copy_rules($rulesets, $snortdir, $snort_uuid, $if_real);
 
 	$a_nat[$id]['rulesets'] = implode("||", $rulesets);
 
@@ -177,6 +182,33 @@ if ($savemsg) {
 
 ?>
 
+<script language="javascript" type="text/javascript">
+function popup(url) 
+{
+ params  = 'width='+screen.width;
+ params += ', height='+screen.height;
+ params += ', top=0, left=0'
+ params += ', fullscreen=yes';
+
+ newwin=window.open(url,'windowname4', params);
+ if (window.focus) {newwin.focus()}
+ return false;
+}
+function enable_change()
+{
+ var endis = !(document.iform.ips_policy_enable.checked);
+ document.iform.ips_policy.disabled=endis;
+
+ for (var i = 0; i < document.iform.elements.length; i++) {
+    if (document.iform.elements[i].type == 'checkbox') {
+       var str = document.iform.elements[i].value;
+       if (str.substr(0,6) == "snort_")
+          document.iform.elements[i].disabled = !(endis);
+    }
+ }
+}
+</script>
+
 <form action="snort_rulesets.php" method="post" name="iform" id="iform">
 <input type="hidden" name="id" id="id" value="<?=$id;?>" />
 <table width="99%" border="0" cellpadding="0" cellspacing="0">
@@ -205,7 +237,7 @@ if ($savemsg) {
 		<tr>
 			<td>
 		<?php printf(gettext("# The rules directory is empty. %s/rules"), $snortdir); ?> <br/>
-		<?php echo gettext("Please go to the updates page to download/fetch the rules configured."); ?>	
+		<?php echo gettext("Please go to the Updates tab to download/fetch the rules configured."); ?>	
 			</td>
 		</tr>
 <?php else: 
@@ -221,18 +253,90 @@ if ($savemsg) {
 			<table id="sortabletable1" class="sortable" width="100%" border="0"
 				cellpadding="0" cellspacing="0">
 			<tr>
-				<td colspan="6" class="listtopic"><?php echo gettext("Check the rulesets that you would like Snort to load at startup."); ?><br/><br/></td>
+				<td colspan="6" class="listtopic"><?php echo gettext("Automatic flowbit resolution"); ?><br/></td>
+			</tr>
+			<tr>
+				<td colspan="6" valign="center" class="listn">
+					<table width="100%" border="0" cellpadding="0" cellspacing="0">
+					   <tr>
+						<td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td>
+						<td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" <?php if ($a_nat[$id]['autoflowbitrules'] == "on") echo "checked"; ?>/></td>
+					   </tr>
+					   <tr>
+						<td width="15%" class="vncell">&nbsp;</td>
+						<td width="85%" class="vtable">
+						<?php echo gettext("If ticked, Snort will examine the enabled rules in your chosen " .
+						"rule categories for checked flowbits.  Any rules that set these dependent flowbits will " .
+						"be automatically enabled and added to the list of files in the interface rules directory."); ?><br/><br/></td>
+					   </tr>
+					   <tr>
+						<td width="15%" class="listn"><?php echo gettext("Auto Flowbit Rules"); ?></td>
+						<td width="85%"><input type="button" class="formbtn" value="View" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$flowbit_rules_file;?>')" <?php echo $btn_view_flowb_rules; ?>/></td>
+					   </tr>
+					   <tr>
+						<td width="15%">&nbsp;</td>
+						<td width="85%">
+						<?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit " .
+						"dependencies from the selected rule categories below.  Auto-enabled rules generating unwanted alerts " .
+						"should have their GID:SID added to the Suppression List for the interface."); ?><br/><br/></td>
+					   </tr>
+					</table>
+				</td>
+			</tr>
+			<tr>
+				<td colspan="6" class="listtopic"><?php echo gettext("Snort IPS Policy Selection"); ?><br/></td>
+			</tr>
+			<tr>
+				<td colspan="6" valign="center" class="listn">
+					<table width="100%" border="0" cellpadding="0" cellspacing="0">
+					   <tr>
+						<td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td>
+						<td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?>
+						<?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/></td>
+					   </tr>
+					   <tr>
+						<td width="15%" class="vncell">&nbsp;</td>
+						<td width="85%" class="vtable">
+						<?php echo gettext("If ticked, Snort will use rules from the pre-defined IPS policy " .
+						"selected below.  You must be using the Snort VRT rules to use this option."); ?><br/>
+						<?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " .
+						"although Emerging Threats categories may still be selected if enabled on the Global Settings tab.  " .
+						"These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br><br/></td>
+					   </tr>
+					   <tr>
+						<td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td>
+						<td width="85%"><select name="ips_policy" class="formselect" <?=$policy_select_disable?> >
+									<option value="connectivity" <?php if ($pconfig['ips_policy'] == "connected") echo "selected"; ?>><?php echo gettext("Connectivity"); ?></option>
+									<option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option>
+									<option value="security" <?php if ($pconfig['ips_policy'] == "security") echo "selected"; ?>><?php echo gettext("Security"); ?></option>
+								</select>
+						</td>
+					   </tr>
+					   <tr>
+						<td width="15%">&nbsp;</td>
+						<td width="85%">
+						<?php echo gettext("Snort IPS policies are:  Connectivity, Balanced or Security.  " .
+						"Connectivity blocks most major threats with few or no false positives.  Balanced is a good starter policy.  It " .
+						"is speedy, has good base coverage level, and covers most threats of the day.  It includes all rules in Connectivity.  " .
+						"Security is a stringent policy.  It contains everything in the first two plus policy-type rules such as Flash in an Excel file."); ?><br/><br/></td>
+					   </tr>
+					</table>
+				</td>
+			</tr>
+			<tr>
+				<td colspan="6" class="listtopic"><?php echo gettext("Check the rulesets that you would like Snort to load at startup."); ?><br/></td>
 			</tr>
 			<tr>
-				<td colspan="2" valign="center"><br/><input value="Save" type="submit" name="Submit" id="Submit" /><br/<br/></td>
-				<td colspan="2" valign="center"><br/><input value="Select All" type="submit" name="selectall" id="selectall" /><br/<br/></td>
-				<td colspan="2" valign="center"><br/><input value="Unselect All" type="submit" name="unselectall" id="selectall" /><br/<br/></td>
+				<td colspan="1" align="middle" valign="center"><br/><input value="Select All" type="submit" name="selectall" id="selectall" /><br/></td>
+				<td colspan="1" align="middle" valign="center"><br/><input value="Unselect All" type="submit" name="unselectall" id="selectall" /><br/></td>
+				<td colspan="1" align="middle" valign="center"><br/><input value="Save" class="formbtn" type="submit" name="Submit" id="Submit" /></td>
+				<td colspan="3" valign="center"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?><br/></td>
 			</tr>
 			<tr>    <td colspan="6">&nbsp;</td> </tr>
 			<tr id="frheader">
 				<?php if ($emergingdownload == 'on'): ?>
 					<td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td>
-					<td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats.');?></td>
+					<td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td>
 				<?php else: ?>
 					<td colspan="2" width="30%" class="listhdrr"><?php echo gettext("Emerging rules have not been enabled"); ?></td>
 				<?php endif; ?>
@@ -302,7 +406,9 @@ if ($savemsg) {
 						$file = $snortrules[$j];
 						echo "<td class='listr' width='5%' align=\"center\" valign=\"top\">";
 						if(is_array($enabled_rulesets_array)) {
-							if(in_array($file, $enabled_rulesets_array))
+							if (!empty($disable_vrt_rules))
+								$CHECKED = $disable_vrt_rules;
+							elseif(in_array($file, $enabled_rulesets_array))
 								$CHECKED = " checked=\"checked\"";
 							else
 								$CHECKED = "";
@@ -311,7 +417,7 @@ if ($savemsg) {
 						echo "	\n<input type='checkbox' name='toenable[]' value='{$file}' {$CHECKED} />\n";
 						echo "</td>\n";
 						echo "<td class='listr' width='25%' >\n";
-						if (empty($CHECKED))
+						if (empty($CHECKED) || $CHECKED == "disabled")
 							echo $file;
 						else
 							echo "<a href='snort_rules.php?id={$id}&openruleset=" . urlencode($file) . "'>{$file}</a>\n";
@@ -322,7 +428,9 @@ if ($savemsg) {
 						$file = $snortsorules[$j];
 						echo "<td class='listr' width='5%' align=\"center\" valign=\"top\">";
 						if(is_array($enabled_rulesets_array)) {
-							if(in_array($file, $enabled_rulesets_array))
+							if (!empty($disable_vrt_rules))
+								$CHECKED = $disable_vrt_rules;
+							elseif(in_array($file, $enabled_rulesets_array))
 								$CHECKED = " checked=\"checked\"";
 							else
 								$CHECKED = "";
@@ -342,8 +450,12 @@ if ($savemsg) {
 	</td>
 </tr>
 <tr>
-<td colspan="6">&nbsp;</td>
+<td colspan="6" class="vtable">&nbsp;<br/></td>
 </tr>
+			<tr>
+				<td colspan="2" align="middle" valign="center"><br/><input value="Save" type="submit" name="Submit" id="Submit" class="formbtn" /></td>
+				<td colspan="4" valign="center">&nbsp;<br><br/></td>
+			</tr>
 <?php endif; ?>
 </table>
 </div>
-- 
cgit v1.2.3