From 00dc251878e6fc23402ba8030758e9efa215bb09 Mon Sep 17 00:00:00 2001
From: bmeeks8 <bmeeks8@bellsouth.net>
Date: Tue, 21 May 2013 22:02:49 -0400
Subject: More fixes for new XMLRPC pkg sync routines.

---
 config/snort/snort.inc                        |  18 ++-
 config/snort/snort_check_for_rule_updates.php | 154 +++++++++++++++++---------
 config/snort/snort_sync.xml                   |   2 +-
 3 files changed, 111 insertions(+), 63 deletions(-)

(limited to 'config/snort')

diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 46c66128..fe390a41 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -857,7 +857,7 @@ function sync_snort_package_config() {
 
 	/* do not start config build if rules is empty or there are no Snort settings */
 	if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) {
-		exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
+		exec("/bin/rm /usr/local/etc/rc.d/snort.sh");
 		conf_mount_ro();
 		return;
 	}
@@ -3053,7 +3053,7 @@ function snort_sync_on_changes() {
 	global $config, $g, $is_postinstall;
 
 	/* Do not attempt a package sync while booting up or installing package */
-	if ($g['booting'] || $is_postinstall == true)
+	if ($g['booting'] || $is_postinstall)
 		return;
 
 	if (is_array($config['installedpackages']['snortsync']['config'])){
@@ -3118,7 +3118,7 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
 	global $config, $g, $is_postinstall;
 
 	/* Do not attempt a package sync while booting up or installing package */
-	if ($g['booting'] || $is_postinstall == true)
+	if ($g['booting'] || $is_postinstall)
 		return;
 
 	if(!$username || !$password || !$sync_to_ip) {
@@ -3161,8 +3161,7 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
 	$msg = new XML_RPC_Message($method, $params);
 	$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
 	$cli->setCredentials($username, $password);
-	if($g['debug'])
-		$cli->setDebug(1);
+
 	/* send our XMLRPC message and timeout after defined sync timeout value*/
 	$resp = $cli->send($msg, $synctimeout);
 	if(!$resp) {
@@ -3170,8 +3169,6 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
 		log_error($error);
 		file_notice("sync_settings", $error, "snort Settings Sync", "");
 	} elseif($resp->faultCode()) {
-		$cli->setDebug(1);
-		$resp = $cli->send($msg, $synctimeout);
 		$error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
 		log_error($error);
 		file_notice("sync_settings", $error, "snort Settings Sync", "");
@@ -3181,14 +3178,16 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
 
 	$downloadrulescmd = "";
 	if ($syncdownloadrules == "yes") {
-		$downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested update of downloaded rules files...\"));\n";
+		$downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Update of downloaded rule sets requested...\"));\n";
 		$downloadrulescmd .= "include_once(\"/usr/local/pkg/snort/snort_check_for_rule_updates.php\");\n";
 	}
 	$snortstart = "";
 	if ($syncstartsnort == "ON") {
-		$snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested restart of Snort...\"));\n";
+		$snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Checking Snort status...\"));\n";
 		$snortstart .= "if (!is_process_running(\"snort\")) {\n";
+		$snortstart .= "log_error(gettext(\"[snort] XMLRPC pkg sync: Snort not running. Sending a start command...\"));\n";
 		$snortstart .= "exec(\"/usr/local/etc/rc.d/snort.sh start 2>&1 &\");\n}\n";
+		$snortstart .= "else {log_error(gettext(\"[snort] XMLRPC pkg sync: Snort is running...\"));\n}\n";
 	}
 
 	/* Build a series of commands for the secondary host to execute that will load the new settings. */
@@ -3224,7 +3223,6 @@ EOD;
 	$msg = new XML_RPC_Message($method, $params);
 	$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
 	$cli->setCredentials($username, $password);
-	$cli->setDebug("1");
 	$resp = $cli->send($msg, $synctimeout);
 	if(!$resp) {
 		$error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index f5810aff..da6f408c 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -32,7 +32,6 @@
 require_once("functions.inc");
 require_once("service-utils.inc");
 require_once "/usr/local/pkg/snort/snort.inc";
-require_once("service-utils.inc");
 
 global $snort_gui_include, $vrt_enabled, $et_enabled, $rebuild_rules, $snort_rules_upd_log;
 global $protect_preproc_rules, $is_postinstall, $snort_community_rules_filename;
@@ -69,6 +68,54 @@ $emergingthreats_filename_md5 = "{$emergingthreats_filename}.md5";
 /* Snort GPLv2 Community Rules MD5 file */
 $snort_community_rules_filename_md5 = "{$snort_community_rules_filename}.md5";
 
+/* Custom function for rules file download via URL */
+function snort_download_file_url($url, $file_out) {
+
+	/************************************************/
+	/* This function downloads the file specified   */
+	/* by $url using the CURL library functions and */
+	/* saves the content to the file specified by   */
+	/* $file.                                       */
+	/*                                              */	
+	/************************************************/
+
+	global $g, $config, $pkg_interface;
+
+	/* If not in console mode, use the built-in progress-bar function */
+	if ($pkg_interface <> "console")
+		return download_file_with_progress_bar($url, $file_out);
+
+	/* Otherwise, use our custom function with no output */
+	/* (Note:  required to suppress errors from XMLRPC)  */
+	$fp = fopen($file_out, "wb");
+	if ($fp) {
+		$ch = curl_init($url);
+		if (!$ch)
+			return false;
+		curl_setopt($ch, CURLOPT_FILE, $fp);
+		curl_setopt($ch, CURLOPT_HEADER, 0);
+		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+		/* Don't verify SSL peers since we don't have the certificates to do so. */
+		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+		curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 60);
+		curl_setopt($ch, CURLOPT_TIMEOUT, 0);
+		$rc = curl_exec($ch);
+		if ($rc === false) {
+			curl_close($ch);
+			fclose($fp);
+			return $rc;
+		}
+		$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+		curl_close($ch);
+		fclose($fp);
+		return ($http_code == 200) ? true : $http_code;
+	}
+	else
+		return false; 
+
+}
+
+
 /* Start of code */
 conf_mount_rw();
 
@@ -101,7 +148,7 @@ if ($snortdownload == 'on') {
         $max_tries = 4;
 	$rc = true;
         while ($max_tries > 0) {
-		$rc = download_file_with_progress_bar("{$snort_rule_url}{$snort_filename_md5}", "{$tmpfname}/{$snort_filename_md5}");
+		$rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}", "{$tmpfname}/{$snort_filename_md5}");
 		if ($rc == true)
 			break;
 		else {
@@ -164,7 +211,7 @@ if ($snortdownload == 'on') {
         $max_tries = 4;
 	$rc = true;
         while ($max_tries > 0) {
-        	$rc = download_file_with_progress_bar("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}");
+        	$rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}");
 		if ($rc == true)
 			break;
 		else {
@@ -221,33 +268,35 @@ if ($snortcommunityrules == 'on') {
 	if ($pkg_interface <> "console")
 		update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file..."));
 	error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file...\n"), 3, $snort_rules_upd_log);
-        $image = file_get_contents("{$snort_community_rules_url}{$snort_community_rules_filename_md5}");
-	if ($pkg_interface <> "console")
-		update_status(gettext("Done downloading Snort GPLv2 Community Rules md5"));
-	error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log);
-	@file_put_contents("{$tmpfname}/{$snort_community_rules_filename_md5}", $image);
 
-	/* See if the file download was successful, and turn off Snort GPLv2 update if it failed. */
-	if (0 == filesize("{$tmpfname}/{$snort_community_rules_filename_md5}")){
+	$rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}");
+
+	if ($rc == true) {
+		if ($pkg_interface <> "console")
+			update_status(gettext("Done downloading Snort GPLv2 Community Rules md5"));
+		error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log);
+		if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") {
+			/* Check if were up to date Snort GPLv2 Community Rules */
+			$snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}");
+			$snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}");
+			if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) {
+				if ($pkg_interface <> "console")
+					update_status(gettext("Snort GPLv2 Community Rules are up to date..."));
+				log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date..."));
+				error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log);
+				$snortcommunityrules = 'off';
+			}
+		}
+	}
+	else {
 		if ($pkg_interface <> "console")
 			update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed.  Community Rules will not be updated."));
-		log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed.  Community Rules will not be updated."));
-		error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed.  Community Rules will not be updated.\n"), 3, $snort_rules_upd_log);
+		log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed.  Server returned error code '{$rc}'."));
+		error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed.  Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log);
+		error_log(gettext("\tSnort GPLv2 Community Rules will not be updated.\n"), 3, $snort_rules_upd_log);
 		$snortcommunityrules = 'off';
 	}
 
-	if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") {
-		/* Check if were up to date Snort GPLv2 Community Rules */
-		$snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}");
-		$snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}");
-		if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) {
-			if ($pkg_interface <> "console")
-				update_status(gettext("Snort GPLv2 Community Rules are up to date..."));
-			log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date..."));
-			error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log);
-			$snortcommunityrules = 'off';
-		}
-	}
 }
 
 /* download Snort GPLv2 Community rules file */
@@ -256,7 +305,7 @@ if ($snortcommunityrules == "on") {
 		update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading..."));
 	log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading..."));
 	error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log);
-	$rc = download_file_with_progress_bar("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}");
+	$rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}");
 
 	/* Test for a valid rules file download.  Turn off Snort Community update if download failed. */
 	if ($rc == true) {
@@ -330,36 +379,36 @@ if ($emergingthreats == 'on') {
 
 	/* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules.  */
 	if ($vrt_enabled == "on")
-	        $image = @file_get_contents("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}");
+		$rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}");
 	else
-	        $image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}");
-
-	if ($pkg_interface <> "console")
-		update_status(gettext("Done downloading EmergingThreats md5"));
-	error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log);
-	@file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image);
+		$rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}");
 
-	/* See if the file download was successful, and turn off ET update if it failed. */
-	if (0 == filesize("{$tmpfname}/{$emergingthreats_filename_md5}")){
+	if ($rc == true) {
+		if ($pkg_interface <> "console")
+			update_status(gettext("Done downloading EmergingThreats md5"));
+		error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log);
+
+		if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") {
+			/* Check if were up to date emergingthreats.net */
+			$emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}");
+			$emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}");
+			if ($emerg_md5_check_new == $emerg_md5_check_old) {
+				if ($pkg_interface <> "console")
+					update_status(gettext("Emerging Threats rules are up to date..."));
+				log_error(gettext("[Snort] Emerging Threat rules are up to date..."));
+				error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log);
+				$emergingthreats = 'off';
+			}
+		}
+	}
+	else {
 		if ($pkg_interface <> "console")
 			update_output_window(gettext("EmergingThreats md5 file download failed.  EmergingThreats rules will not be updated."));
-		log_error(gettext("[Snort] EmergingThreats md5 file download failed.  EmergingThreats rules will not be updated."));
-		error_log(gettext("\tEmergingThreats md5 file download failed.  EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log);
+		log_error(gettext("[Snort] EmergingThreats md5 file download failed.  Server returned error code '{$rc}'."));
+		error_log(gettext("\tEmergingThreats md5 file download failed.  Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log);
+		error_log(gettext("\tEmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log);
 		$emergingthreats = 'off';
 	}
-
-	if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") {
-		/* Check if were up to date emergingthreats.net */
-		$emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}");
-		$emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}");
-		if ($emerg_md5_check_new == $emerg_md5_check_old) {
-			if ($pkg_interface <> "console")
-				update_status(gettext("Emerging Threats rules are up to date..."));
-			log_error(gettext("[Snort] Emerging Threat rules are up to date..."));
-			error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log);
-			$emergingthreats = 'off';
-		}
-	}
 }
 
 /* download emergingthreats rules file */
@@ -371,9 +420,9 @@ if ($emergingthreats == "on") {
 
 	/* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules.  */
 	if ($vrt_enabled == "on")
-		$rc = download_file_with_progress_bar("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}");
+		$rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}");
 	else
-		$rc = download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}");
+		$rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}");
 
 	/* Test for a valid rules file download.  Turn off ET update if download failed. */
 	if ($rc == true) {
@@ -434,7 +483,8 @@ if ($emergingthreats == 'on') {
 
 		/*  Copy emergingthreats md5 sig to snort dir */
 		if (file_exists("{$tmpfname}/{$emergingthreats_filename_md5}")) {
-			update_status(gettext("Copying md5 signature to snort directory..."));
+			if ($pkg_interface <> "console")
+				update_status(gettext("Copying md5 signature to snort directory..."));
 			@copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}");
 		}
 		if ($pkg_interface <> "console")
diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml
index 274d3fc9..24cf9cfa 100755
--- a/config/snort/snort_sync.xml
+++ b/config/snort/snort_sync.xml
@@ -175,6 +175,7 @@ POSSIBILITY OF SUCH DAMAGE.
 					<fieldname>varsyncsnortstart</fieldname>
 					<description><![CDATA[Start Snort on target host if not already running.]]></description>
 					<type>checkbox</type>
+					<value>ON</value>
 				</rowhelperfield>
 			</rowhelper>
 		</field>
@@ -184,7 +185,6 @@ POSSIBILITY OF SUCH DAMAGE.
 		</field>
 	</fields>
 	<custom_delete_php_command>
-		write_config();snort_sync_on_changes();
 	</custom_delete_php_command>	
 	<custom_php_resync_config_command>
 		write_config();snort_sync_on_changes();
-- 
cgit v1.2.3