From e0c80e78f616b11c327188e8908731d85eb199fe Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 19 Jan 2014 23:05:35 -0500 Subject: Declare $config as global to fix problems on pkg install. --- config/snort/snort_check_for_rule_updates.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/snort') diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 807b7844..0306c90d 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -34,7 +34,7 @@ require_once("functions.inc"); require_once("service-utils.inc"); require_once "/usr/local/pkg/snort/snort.inc"; -global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; +global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules; if (!defined("VRT_DNLD_URL")) define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); -- cgit v1.2.3 From 19016394152847b136ca0a1c02f498fa04ddba51 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 19 Jan 2014 23:06:54 -0500 Subject: Tidy up syntax to match other include file calls. --- config/snort/snort_post_install.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/snort') diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index 003628be..bfb7bb9c 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php @@ -1409,7 +1409,7 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_output_window(gettext("Please wait... downloading and updating configured rule types...")); if ($pkg_interface <> "console") $snort_gui_include = true; - include "/usr/local/pkg/snort/snort_check_for_rule_updates.php"; + include("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); update_status(gettext("Generating snort.conf configuration file from saved settings...")); $rebuild_rules = true; -- cgit v1.2.3 
From 2dff0d13d21f2a52b9adbeb8bddfdcb179df76cb Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 25 Jan 2014 14:19:50 -0500 Subject: Fix to return to same interface when unblocking a host. --- config/snort/snort_alerts.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index f232f897..7e8c3a6c 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -421,7 +421,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[6]])) { $alert_ip_src .= " "; - $alert_ip_src .= " + $alert_ip_src .= " \"Remove"; } /* IP SRC Port */ @@ -448,7 +448,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[8]])) { $alert_ip_dst .= " "; - $alert_ip_dst .= " + $alert_ip_dst .= " \"Remove"; } /* IP DST Port */ -- cgit v1.2.3 From 3e99c60333f4a1cd5f5c57f1ecc36e857d653485 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 25 Jan 2014 20:53:15 -0500 Subject: Mimic all DNS lookup features of F/W log with Alerts --- config/snort/snort_alerts.php | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 7e8c3a6c..8b00bf00 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -264,16 +264,14 @@ include_once("head.inc"); ?> - + \n"; -?> - -' . $pgtitle . '

';} +if($pfsense_stable == 'yes'){echo '

' . $pgtitle . '

';} /* Display Alert message */ if ($input_errors) { print_input_errors($input_errors); // TODO: add checks @@ -403,8 +401,11 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_src = $fields[6]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); - /* Add Reverse DNS lookup icon */ - $alert_ip_src .= "
"; + /* Add Reverse DNS lookup icons */ + $alert_ip_src .= "
"; + $alert_ip_src .= ""; + $alert_ip_src .= " "; $alert_ip_src .= ""; /* Add icons for auto-adding to Suppress List if appropriate */ @@ -430,8 +431,11 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_dst = $fields[8]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); - /* Add Reverse DNS lookup icon */ - $alert_ip_dst .= "
"; + /* Add Reverse DNS lookup icons */ + $alert_ip_dst .= "
"; + $alert_ip_dst .= ""; + $alert_ip_dst .= " "; $alert_ip_dst .= ""; /* Add icons for auto-adding to Suppress List if appropriate */ -- cgit v1.2.3 From 9284e7398d6f6f3a1a3f12748f52fcc51331768c Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 26 Jan 2014 11:46:04 -0500 Subject: Mimic all DNS lookup features of F/W log with Blocked IPs --- config/snort/snort_blocked.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'config/snort') diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 8d106a90..f190413c 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -127,6 +127,7 @@ include_once("head.inc"); ?> + {$counter} - {$tmp_ip}  + {$tmp_ip}
+
+ + {$blocked_desc} -- cgit v1.2.3 From 03ac95899a4c7f4e883fbddd29296c442787ac47 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 27 Jan 2014 20:24:52 -0500 Subject: Add enable/disable for decoder & preproc rules --- config/snort/snort.inc | 116 ++++++------- config/snort/snort_migrate_config.php | 38 +++- config/snort/snort_post_install.php | 43 +---- config/snort/snort_rules.php | 318 +++++++++++++++++++++++++--------- config/snort/snort_rules_edit.php | 7 +- 5 files changed, 336 insertions(+), 186 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 52aaed2a..d983d995 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -5,7 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009-2010 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013,2014 Bill Meeks * part of pfSense * All rights reserved. * 
@@ -1739,34 +1739,32 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { } } -function snort_load_sid_mods($sids, $value) { +function snort_load_sid_mods($sids) { /*****************************************/ /* This function parses the string of */ - /* SID values in $sids and returns an */ - /* array with the SID as the key and */ - /* value. The SID values in $sids are */ + /* GID:SID values in $sids and returns */ + /* an array with the GID and SID as the */ + /* keys. The values in $sids are */ /* assumed to be delimited by "||". */ /* */ - /* $sids ==> string of SID values from */ - /* saved config file. */ + /* $sids ==> string of GID:SID values */ + /* from the config file. */ /* */ - /* $value ==> type of mod (enable or */ - /* disable). Not currently */ - /* utilized, but maintained */ - /* so as not to break legacy */ - /* code elsewhere. */ + /* Returns ==> a multidimensional array */ + /* with GID and SID as the */ + /* keys ($result[GID][SID]) */ /*****************************************/ $result = array(); - if (empty($sids) || empty($value)) + if (empty($sids)) return $result; $tmp = explode("||", $sids); foreach ($tmp as $v) { - if (preg_match('/\s\d+/', $v, $match)) { - if (!is_array($result[trim($match[0])])) - $result[trim($match[0])] = array(); - $result[trim($match[0])] = trim($match[0]); + if (preg_match('/(\d+)\s*:\s*(\d+)/', $v, $match)) { + if (!is_array($result[$match[1]])) + $result[$match[1]] = array(); + $result[$match[1]][$match[2]] = "{$match[1]}:{$match[2]}"; } } unset($tmp); 
@@ -1791,15 +1789,15 @@ function snort_modify_sids(&$rule_map, $snortcfg) { /* Load up our enablesid and disablesid */ /* arrays with lists of modified SIDs */ - $enablesid = snort_load_sid_mods($snortcfg['rule_sid_on'], "enablesid"); - $disablesid = snort_load_sid_mods($snortcfg['rule_sid_off'], "disablesid"); + $enablesid = snort_load_sid_mods($snortcfg['rule_sid_on']); + $disablesid = snort_load_sid_mods($snortcfg['rule_sid_off']); /* Turn on any rules that need to be */ /* forced "on" with enablesid mods. */ if (!empty($enablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $enablesid) && $v['disabled'] == 1) { + if (isset($enablesid[$k1][$k2]) && $v['disabled'] == 1) { $rule_map[$k1][$k2]['rule'] = ltrim($v['rule'], " \t#"); $rule_map[$k1][$k2]['disabled'] = 0; } @@ -1812,7 +1810,7 @@ function snort_modify_sids(&$rule_map, $snortcfg) { if (!empty($disablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $disablesid) && $v['disabled'] == 0) { + if (isset($disablesid[$k1][$k2]) && $v['disabled'] == 0) { $rule_map[$k1][$k2]['rule'] = "# " . $v['rule']; $rule_map[$k1][$k2]['disabled'] = 1; } @@ -2209,12 +2207,13 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* to be written. */ /***********************************************************/ - global $rebuild_rules; + global $g, $rebuild_rules; $snortdir = SNORTDIR; $flowbit_rules_file = FLOWBITS_FILENAME; $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; $no_rules_defined = true; + $enabled_rules = array(); /* If there is no reason to rebuild the rules, exit to save time. */ if (!$rebuild_rules) 
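Review bot: snort_load_sid_mods now accepts only `GID:SID` tokens, so values stored in the previous `enablesid 1234` form no longer match `/(\d+)\s*:\s*(\d+)/` and are dropped silently; unless the snort_migrate_config.php change in this commit (its hunk is not readable here) rewrites `rule_sid_on`/`rule_sid_off`, existing per-rule overrides are lost on upgrade. Accepting a bare SID here as GID 1 (the old code keyed `$rules_map[1][$sid]`) or logging the rejected token would make that visible. Also `if (!is_array($result[$match[1]]))` reads an undefined index on first use; `if (!isset($result[$match[1]]))` avoids the notice and means the same thing. The function continues past the hunk.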
@@ -2223,14 +2222,37 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Log a message for rules rebuild in progress */ log_error(gettext("[Snort] Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + /* Enable all, some or none of the SDF rules depending on setting. */ + if ($snortcfg['sensitive_data'] == 'on' && $snortcfg['protect_preproc_rules'] != 'on') { + if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")) { + $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; + $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); + $sd_tmp_new_file=""; + foreach ($sd_tmp_file as $sd_tmp_line) + $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; + file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); + } + } + elseif ($snortcfg['sensitive_data'] != 'on' && $snortcfg['protect_preproc_rules'] != 'on') { + /* Setting is "off", so disable all SDF rules. */ + $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; + @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/sensitive-data.rules"); + @unlink("{$g['tmp_path']}/sedcmd"); + } + + /* Load the decoder, preprocessor and sensitive-data */ + /* rules from the interface's preproc_rule directory */ + /* into the $enabled_rules array. */ + $enabled_rules = snort_load_rules_map("{$snortcfgdir}/preproc_rules/"); + /* Only rebuild rules if some are selected or an IPS Policy is enabled */ if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') { - $enabled_rules = array(); $enabled_files = array(); $all_rules = array(); $no_rules_defined = false; - /* Load up all the rules into a Rules Map array. */ + /* Load up all the text rules into a Rules Map array. 
*/ $all_rules = snort_load_rules_map("{$snortdir}/rules/"); /* Create an array with the filenames of the enabled */ @@ -2320,7 +2342,8 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); } else { - snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); + /* No regular rules or policy were selected, so just use the decoder and preproc rules */ + snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); } @@ -2333,7 +2356,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Log a warning if the interface has no rules defined or enabled */ if ($no_rules_defined) - log_error(gettext("[Snort] Warning - no text rules selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + log_error(gettext("[Snort] Warning - no text rules or IPS-Policy selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); /* Build a new sid-msg.map file from the enabled */ /* rules and copy it to the interface directory. */ 
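Review bot: In the `sensitive_data == 'on'` branch of snort_prepare_rule_files, `$sdf_alert_pattern` is built from the config value `sdf_alert_data_type` by only rewriting commas to `|`, so any regex metacharacter in that value alters or breaks the match; build it with escaping, e.g. `$sdf_alert_pattern = "(" . implode("|", array_map(function ($t) { return preg_quote(trim($t), '/'); }, explode(",", $snortcfg['sdf_alert_data_type']))) . ")";`. The `elseif` branch runs `sed` through the shell on `{$snortcfgdir}/preproc_rules/sensitive-data.rules` without first checking that the file exists, and `@file_put_contents` hides a failed write of the sed script, after which sed runs with a missing script file. The same commenting-out can be done in PHP with `preg_replace('/^alert(.*classtype:sdf)/m', '#alert$1', file_get_contents($path))` and `file_put_contents`, which removes the temp file and the shell invocation. The function starts before the hunk and continues past it.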
@@ -3219,43 +3242,9 @@ EOD; $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (is_dir("{$snortcfgdir}/preproc_rules")) { - if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { - $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; - if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){ - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; - #enable only selected sensitive data - if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){ - $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; - $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); - $sd_tmp_new_file=""; - foreach ($sd_tmp_file as $sd_tmp_line) - $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; - file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); - } - } - } else - $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; - if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { - @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); - @unlink("{$g['tmp_path']}/sedcmd"); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { - $snort_misc_include_rules .= "include 
\$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } - else { - $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); - } - } else { + if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); } /* generate rule sections to load */ @@ -3673,9 +3662,8 @@ EOD; ipvar HOME_NET [{$home_net}] ipvar EXTERNAL_NET [{$external_net}] -# Define Rule Paths # +# Define Rule Path # var RULE_PATH {$snortcfgdir}/rules -var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules # Define Servers # {$ipvardef} diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index 61989e99..1a812b24 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -1,8 +1,8 @@ "console") $snort_gui_include = true; - include("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); + include('/usr/local/pkg/snort/snort_check_for_rule_updates.php'); update_status(gettext("Generating snort.conf configuration file from saved settings...")); $rebuild_rules = true; diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index a82d81d2..4307c8de 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php 
@@ -5,6 +5,7 @@ * Copyright (C) 2004, 2005 Scott Ullrich * Copyright (C) 2008, 2009 Robert Zelaya * Copyright (C) 2011 Ermal Luci + * Copyright (C) 2013, 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -29,7 +30,6 @@ * POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); @@ -51,7 +51,6 @@ if (is_null($id)) { } if (isset($id) && $a_rule[$id]) { - $pconfig['enable'] = $a_rule[$id]['enable']; $pconfig['interface'] = $a_rule[$id]['interface']; $pconfig['rulesets'] = $a_rule[$id]['rulesets']; if (!empty($a_rule[$id]['customrules'])) @@ -109,8 +108,20 @@ $snort_uuid = $a_rule[$id]['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +$etprodownload = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $categories = explode("||", $pconfig['rulesets']); +// add the standard rules files to the categories list +$categories[] = "custom.rules"; +$categories[] = "decoder.rules"; +$categories[] = "preprocessor.rules"; +$categories[] = "sensitive-data.rules"; +if (!empty($a_rule[$id]['ips_policy'])) + $categories[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); +if ($a_rule[$id]['autoflowbitrules'] == 'on') + $categories[] = "Auto-Flowbit Rules"; +natcasesort($categories); + if ($_GET['openruleset']) $currentruleset = $_GET['openruleset']; else if ($_POST['openruleset']) 
@@ -118,13 +129,6 @@ else if ($_POST['openruleset']) else $currentruleset = $categories[0]; -if (empty($categories[0]) && ($currentruleset != "custom.rules") && ($currentruleset != "Auto-Flowbit Rules")) { - if (!empty($a_rule[$id]['ips_policy'])) - $currentruleset = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); - else - $currentruleset = "custom.rules"; -} - /* One last sanity check -- if the rules directory is empty, default to loading custom rules */ $tmp = glob("{$snortdir}/rules/*.rules"); if (empty($tmp)) 
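Review bot: `natcasesort($categories)` preserves keys, so after the sort `$categories[0]`, still used as the fallback for `$currentruleset` in the hunk at -118, is whatever `explode("||", $pconfig['rulesets'])` produced first, not the alphabetically first category; and when `rulesets` is empty that element is the empty string, a case the block removed at -118 used to handle by falling back to the IPS policy or `custom.rules`. Re-index and drop empties right after the sort: `$categories = array_values(array_filter($categories, 'strlen'));` so the fallback always names a real entry.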
@@ -136,58 +140,72 @@ if ($currentruleset != 'custom.rules') { // Read the current rules file into our rules map array. // If it is the auto-flowbits file, set the full path. if ($currentruleset == "Auto-Flowbit Rules") - $rulefile = "{$snortcfgdir}/rules/" . FLOWBITS_FILENAME; + $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME); // Test for the special case of an IPS Policy file. - if (substr($currentruleset, 0, 10) == "IPS Policy") + elseif (substr($currentruleset, 0, 10) == "IPS Policy") $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); - elseif (!file_exists($rulefile)) - $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again."); - else + // Test for preproc_rules file and set the full path. + elseif (file_exists("{$snortdir}/preproc_rules/{$currentruleset}")) + $rules_map = snort_load_rules_map("{$snortdir}/preproc_rules/{$currentruleset}"); + // Test for existence of regular text rules file and load it. + elseif (file_exists($rulefile)) $rules_map = snort_load_rules_map($rulefile); + else + $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again."); } /* Load up our enablesid and disablesid arrays with enabled or disabled SIDs */ -$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on'], "enablesid"); -$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off'], "disablesid"); +$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on']); +$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off']); if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { + // Get the GID tag embedded in the clicked rule icon. + $gid = $_GET['gid']; + // Get the SID tag embedded in the clicked rule icon. 
$sid= $_GET['ids']; // See if the target SID is in our list of modified SIDs, // and toggle it if present; otherwise, add it to the // appropriate list. - if (isset($enablesid[$sid])) { - unset($enablesid[$sid]); - if (!isset($disablesid[$sid])) - $disablesid[$sid] = "disablesid"; + if (isset($enablesid[$gid][$sid])) { + unset($enablesid[$gid][$sid]); + if (!isset($disablesid[$gid][$sid])) + $disablesid[$gid][$sid] = "disablesid"; } - elseif (isset($disablesid[$sid])) { - unset($disablesid[$sid]); - if (!isset($enablesid[$sid])) - $enablesid[$sid] = "enablesid"; + elseif (isset($disablesid[$gid][$sid])) { + unset($disablesid[$gid][$sid]); + if (!isset($enablesid[$gid][$sid])) + $enablesid[$gid][$sid] = "enablesid"; } else { - if ($rules_map[1][$sid]['disabled'] == 1) - $enablesid[$sid] = "enablesid"; + if ($rules_map[$gid][$sid]['disabled'] == 1) + $enablesid[$gid][$sid] = "enablesid"; else - $disablesid[$sid] = "disablesid"; + $disablesid[$gid][$sid] = "disablesid"; } // Write the updated enablesid and disablesid values to the config file. $tmp = ""; - foreach ($enablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_on'] = $tmp; else unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; - foreach ($disablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_off'] = $tmp; else @@ -197,7 +215,7 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { write_config(); $_GET['openruleset'] = $currentruleset; - $anchor = "rule_{$sid}"; + $anchor = "rule_{$gid}_{$sid}"; } if ($_GET['act'] == "disable_all" && !empty($rules_map)) { 
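Review bot: The toggle branch reads `$_GET['gid']` with no check, while the guard only tests `$_GET['ids']` for truthiness; a missing or non-numeric `gid` is then used as an array key, looked up in `$rules_map`, and serialised into the config as `:{$sid}`, which snort_load_sid_mods later discards. Tighten the guard to `if ($_GET['act'] == "toggle" && is_numeric($_GET['ids']) && is_numeric($_GET['gid']) && isset($rules_map[$_GET['gid']][$_GET['ids']])) {` so only a rule present in the loaded map can be toggled (the snort_alerts.php change later on this page already uses the `is_numeric` form). The two serialise-to-`GID:SID||` loops are repeated verbatim in the -205, -239 and -273 hunks of this file and again in snort_alerts.php; a helper in snort.inc such as `snort_serialize_sid_mods(array $mods): string` would keep the five copies from drifting. The `toggle` block starts before this hunk.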
@@ -205,28 +223,37 @@ if ($_GET['act'] == "disable_all" && !empty($rules_map)) { // Mark all rules in the currently selected category "disabled". foreach (array_keys($rules_map) as $k1) { foreach (array_keys($rules_map[$k1]) as $k2) { - if (isset($enablesid[$k2])) - unset($enablesid[$k2]); - $disablesid[$k2] = "disablesid"; + if (isset($enablesid[$k1][$k2])) + unset($enablesid[$k1][$k2]); + $disablesid[$k1][$k2] = "disablesid"; } } + // Write the updated enablesid and disablesid values to the config file. $tmp = ""; - foreach ($enablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_on'] = $tmp; else unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; - foreach ($disablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_off'] = $tmp; else unset($a_rule[$id]['rule_sid_off']); + write_config(); $_GET['openruleset'] = $currentruleset; 
@@ -239,28 +266,36 @@ if ($_GET['act'] == "enable_all" && !empty($rules_map)) { // Mark all rules in the currently selected category "enabled". foreach (array_keys($rules_map) as $k1) { foreach (array_keys($rules_map[$k1]) as $k2) { - if (isset($disablesid[$k2])) - unset($disablesid[$k2]); - $enablesid[$k2] = "enablesid"; + if (isset($disablesid[$k1][$k2])) + unset($disablesid[$k1][$k2]); + $enablesid[$k1][$k2] = "enablesid"; } } // Write the updated enablesid and disablesid values to the config file. $tmp = ""; - foreach ($enablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_on'] = $tmp; else unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; - foreach ($disablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_off'] = $tmp; else unset($a_rule[$id]['rule_sid_off']); + write_config(); $_GET['openruleset'] = $currentruleset; 
@@ -273,30 +308,38 @@ if ($_GET['act'] == "resetcategory" && !empty($rules_map)) { // Reset any modified SIDs in the current rule category to their defaults. foreach (array_keys($rules_map) as $k1) { foreach (array_keys($rules_map[$k1]) as $k2) { - if (isset($enablesid[$k2])) - unset($enablesid[$k2]); - if (isset($disablesid[$k2])) - unset($disablesid[$k2]); + if (isset($enablesid[$k1][$k2])) + unset($enablesid[$k1][$k2]); + if (isset($disablesid[$k1][$k2])) + unset($disablesid[$k1][$k2]); } } // Write the updated enablesid and disablesid values to the config file. $tmp = ""; - foreach ($enablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_on'] = $tmp; else unset($a_rule[$id]['rule_sid_on']); + $tmp = ""; - foreach ($disablesid as $k => $v) { - $tmp .= "||{$v} {$k}"; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; } + $tmp = rtrim($tmp, "||"); + if (!empty($tmp)) $a_rule[$id]['rule_sid_off'] = $tmp; else unset($a_rule[$id]['rule_sid_off']); + write_config(); $_GET['openruleset'] = $currentruleset; 
@@ -416,15 +459,15 @@ if ($savemsg) { display_top_tabs($tab_array); echo ''; echo ''; - $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");; - $tab_array = array(); - $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?>
@@ -435,19 +478,14 @@ if ($savemsg) {   

" . - gettext("Snort must be restarted to activate any SID enable/disable changes made on this tab."); ?> + gettext("Snort must be restarted to activate any rule enable/disable changes made on this tab."); ?> + + - - + + + @@ -558,6 +599,7 @@ if ($savemsg) { + @@ -579,24 +621,24 @@ if ($savemsg) { $counter = $enable_cnt = $disable_cnt = 0; foreach ($rules_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - $sid = snort_get_sid($v['rule']); - $gid = snort_get_gid($v['rule']); + $sid = $k2; + $gid = $k1; - if (isset($disablesid[$sid])) { + if (isset($disablesid[$gid][$sid])) { $textss = ""; $textse = ""; $iconb = "icon_reject_d.gif"; $disable_cnt++; $title = gettext("Disabled by user. Click to toggle to enabled state"); } - elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { + elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { $textss = ""; $textse = ""; $iconb = "icon_block_d.gif"; $disable_cnt++; $title = gettext("Disabled by default. Click to toggle to enabled state"); } - elseif (isset($enablesid[$sid])) { + elseif (isset($enablesid[$gid][$sid])) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; @@ -630,12 +672,15 @@ if ($savemsg) { $message = snort_get_msg($v['rule']); echo " + @@ -673,6 +718,119 @@ if ($savemsg) { ?>
 
$textss - + $textse + {$textss}{$gid}{$textse} + {$textss}{$sid}{$textse}
+ + + + + + + + + + + + + + + + + + + + + + + + + + $rulem) { + foreach ($rulem as $k2 => $v) { + $sid = snort_get_sid($v['rule']); + $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$gid][$sid])) { + $textss = ""; + $textse = ""; + $iconb = "icon_reject_d.gif"; + $disable_cnt++; + $title = gettext("Disabled by user. Click to toggle to enabled state"); + } + elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { + $textss = ""; + $textse = ""; + $iconb = "icon_block_d.gif"; + $disable_cnt++; + $title = gettext("Disabled by default. Click to toggle to enabled state"); + } + elseif (isset($enablesid[$gid][$sid])) { + $textss = $textse = ""; + $iconb = "icon_reject.gif"; + $enable_cnt++; + $title = gettext("Enabled by user. Click to toggle to disabled state"); + } + else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + $enable_cnt++; + $title = gettext("Enabled by default. Click to toggle to disabled state"); + } + $message = snort_get_msg($v['rule']); + $matches = array(); + if (preg_match('/(?:classtype\b\s*:)\s*(\S*\s*;)/iU', $v['rule'], $matches)) + $classtype = trim($matches[1], " ;"); + else + $classtype = "No Classtype Defined"; + $matches = array(); + if (preg_match_all('/(\S*-ips)(?:\s*drop|alert)(?:,|\s*|;)/i', $v['rule'], $matches)) + $policy = implode("
", $matches[1]); + else + $policy = "none"; + + echo " + + + + + "; + ?> + + + + +
  + + title="" width="17" height="17" border="0">
$textss + + + $textse + + {$textss}{$gid}{$textse} + + {$textss}{$sid}{$textse} + + {$textss}{$classtype} + + {$textss}{$policy} + + {$textss}{$message}{$textse} + + + " width="17" height="17" border="0"> +
+ diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index c0087464..28deccd5 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -4,6 +4,7 @@ * * Copyright (C) 2004, 2005 Scott Ullrich * Copyright (C) 2011 Ermal Luci + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Adapted for FreeNAS by Volker Theile (votdev@gmx.de) @@ -97,18 +98,22 @@ elseif (isset($_GET['ids'])) { // If flowbit rule, point to interface-specific file if ($file == "Auto-Flowbit Rules") $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME); + elseif (file_exists("{$snortdir}/preproc_rules/{$file}")) + $rules_map = snort_load_rules_map("{$snortdir}/preproc_rules/{$file}"); else $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; $wrap_flag = "soft"; } - // Is it our special flowbit rules file? elseif ($file == "Auto-Flowbit Rules") $contents = file_get_contents("{$snortcfgdir}/rules/{$flowbit_rules_file}"); // Is it a rules file in the ../rules/ directory? elseif (file_exists("{$snortdir}/rules/{$file}")) $contents = file_get_contents("{$snortdir}/rules/{$file}"); +// Is it a rules file in the ../preproc_rules/ directory? +elseif (file_exists("{$snortdir}/preproc_rules/{$file}")) + $contents = file_get_contents("{$snortdir}/preproc_rules/{$file}"); // Is it a fully qualified path and file? elseif (file_exists($file)) $contents = file_get_contents($file); -- cgit v1.2.3 From 7694df7ce3ab4c570e2d9ba1e270d1aa3192d665 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 27 Jan 2014 21:55:53 -0500 Subject: Add disable SID icon for alerts on Alerts tab --- config/snort/snort_alerts.php | 78 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 77 insertions(+), 1 deletion(-) (limited to 'config/snort') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 8b00bf00..eb6190f5 100755 
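Review bot: In the new rendering loop the policy regex `'/(\S*-ips)(?:\s*drop|alert)(?:,|\s*|;)/i'` parses differently from what its shape suggests: the alternation is `\s*drop` or a bare `alert` glued directly to `-ips`, so metadata written as `policy balanced-ips alert` never matches and such rules are shown as `none`, and the trailing `(?:,|\s*|;)` matches the empty string and so constrains nothing. If both actions are meant to be listed, `'/(\S*-ips)\s+(?:drop|alert)/i'` does that; whether alert-action entries occur in the rule files is not visible here. This block also repeats the icon/state selection of the loop changed at -579 but derives `$sid`/`$gid` via `snort_get_sid`/`snort_get_gid` where that loop now takes `$k2`/`$k1` from the map, so the two copies already disagree on how the keys are obtained. The enclosing PHP/HTML section starts before the hunk.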
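Review bot: The two new branches build `{$snortdir}/preproc_rules/{$file}` from `$file`, which the surrounding `elseif (isset($_GET['ids']))` suggests originates from the request, and nothing in the hunk restricts it to a plain filename; the pre-existing `elseif (file_exists($file))` fallback already accepts any path, so the restriction belongs once in front of the whole chain, e.g. `$file = basename($file);`, unless the fully-qualified-path fallback is genuinely needed, in which case it should be limited to a known directory. Where `$file` is assigned is outside the hunk.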
--- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -7,6 +7,7 @@ * Copyright (C) 2003-2004 Manuel Kasper . * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2012 Ermal Luci + * Copyright (C) 2013,2014 Bill Meeks * All rights reserved. * * Modified for the Pfsense snort package v. 1.8+ @@ -141,6 +142,11 @@ $a_instance = &$config['installedpackages']['snortglobal']['rule']; $snort_uuid = $a_instance[$instanceid]['uuid']; $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); +// Load up the arrays of force-enabled and force-disabled SIDs +$enablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_on']); +$disablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_off']); + +$pconfig = array(); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; 
@@ -215,6 +221,64 @@ if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } +if ($_GET['act'] == "togglesid" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + // Get the GID tag embedded in the clicked rule icon. + $gid = $_GET['gen_id']; + + // Get the SID tag embedded in the clicked rule icon. + $sid= $_GET['sidid']; + + // See if the target SID is in our list of modified SIDs, + // and toggle it if present. + if (isset($enablesid[$gid][$sid])) + unset($enablesid[$gid][$sid]); + if (isset($disablesid[$gid][$sid])) + unset($disablesid[$gid][$sid]); + elseif (!isset($disablesid[$gid][$sid])) + $disablesid[$gid][$sid] = "disablesid"; + + // Write the updated enablesid and disablesid values to the config file. + $tmp = ""; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; + } + $tmp = rtrim($tmp, "||"); + + if (!empty($tmp)) + $a_instance[$instanceid]['rule_sid_on'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_on']); + + $tmp = ""; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; + } + $tmp = rtrim($tmp, "||"); + + if (!empty($tmp)) + $a_instance[$instanceid]['rule_sid_off'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_off']); + + /* Update the config.xml file. */ + write_config(); + + /*************************************************/ + /* Update the snort.conf file and rebuild the */ + /* rules for this interface. 
*/ + /*************************************************/ + $rebuild_rules = true; + snort_generate_conf($a_instance[$instanceid]); + $rebuild_rules = false; + + /* Soft-restart Snort to live-load the new rules */ + snort_reload_config($a_instance[$instanceid]); + + $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Snort is 'live-reloading' the new rules list. Please wait at least 30 secs for the process to complete before toggling additional rules."); +} + if ($_GET['action'] == "clear" || $_POST['delete']) { snort_post_delete_logs($snort_uuid); $fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+"); @@ -468,6 +532,18 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $sidsupplink = ""; } + /* Add icon for toggling rule state */ + if (isset($disablesid[$fields[1]][$fields[2]])) { + $sid_dsbl_link = ""; + $sid_dsbl_link .= ""; + } + else { + $sid_dsbl_link = ""; + $sid_dsbl_link .= ""; + } + /* DESCRIPTION */ $alert_class = $fields[11]; echo " @@ -479,7 +555,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { {$alert_src_p} {$alert_ip_dst} {$alert_dst_p} - {$alert_sid_str}
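Review bot: The `togglesid` handler changes persistent state (`write_config()`, `snort_generate_conf()`, `snort_reload_config()`) from a plain GET request keyed only on `$_GET['act']`, `$_GET['sidid']` and `$_GET['gen_id']`, so a cross-origin request can toggle a rule and reload Snort without the page's form protections; the neighbouring `addsuppress_*` handlers follow the same pattern, but this one also rewrites the active rule set. Move the action to POST (the page already handles `$_POST['delete']`) or require the form's anti-CSRF token on the link. The `elseif (!isset($disablesid[$gid][$sid]))` that follows `if (isset($disablesid[$gid][$sid]))` is always true when reached and can be a plain `else`, and `is_numeric()` accepts forms such as `1e3` or `1.5` that then become array keys and are written into `rule_sid_off`; `ctype_digit($_GET['sidid'])` matches the integer GID/SID the comments describe. Note that a force-enabled rule goes straight to force-disabled here rather than back to its default, which differs from the three-way toggle in snort_rules.php; confirm that is intended.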
{$sidsupplink} + {$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link} {$alert_descr} \n"; -- cgit v1.2.3 From a9356103959a9aeb0a466cd3c1adcf730e630076 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 28 Jan 2014 11:15:14 -0500 Subject: Tweak new Reverse DNS feature based on pfSense version --- config/snort/snort_alerts.php | 30 ++++++++++++++++++++---------- config/snort/snort_blocked.php | 24 +++++++++++++++--------- 2 files changed, 35 insertions(+), 19 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index eb6190f5..804c6e8a 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -146,6 +146,9 @@ $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); $enablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_on']); $disablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_off']); +// Grab pfSense version so we can refer to it later on this page +$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); + $pconfig = array(); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; @@ -465,13 +468,17 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_src = $fields[6]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); - /* Add Reverse DNS lookup icons */ - $alert_ip_src .= "
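Review bot: `$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3)` followed by `$pfs_version > 2.0` compares a three-character string prefix as a float, and a failed `file_get_contents()` becomes `""`, which silently evaluates as not greater than 2.0 and hides the second lookup link; the same two lines are duplicated in the snort_blocked.php hunk at `@@ -33,6 +34,9 @@`. The idiomatic form is `version_compare(trim(file_get_contents("/etc/version")), '2.1', '>=')`, which states the threshold explicitly and does not depend on truncation. Whether `/etc/version` always contains a plain dotted version string cannot be confirmed from this hunk.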
"; - $alert_ip_src .= ""; - $alert_ip_src .= " "; + /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */ + $alert_ip_src .= "
"; + if ($pfs_version > 2.0) { + $alert_ip_src .= "
"; + $alert_ip_src .= " "; + } + $alert_ip_src .= ""; $alert_ip_src .= ""; + /* Add icons for auto-adding to Suppress List if appropriate */ if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) && !isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) { @@ -495,11 +502,14 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_dst = $fields[8]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); - /* Add Reverse DNS lookup icons */ - $alert_ip_dst .= "
"; - $alert_ip_dst .= ""; - $alert_ip_dst .= " "; + /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */ + $alert_ip_dst .= "
"; + if ($pfs_version > 2.0) { + $alert_ip_dst .= "
"; + $alert_ip_dst .= " "; + } + $alert_ip_dst .= ""; $alert_ip_dst .= ""; /* Add icons for auto-adding to Suppress List if appropriate */ diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index f190413c..4fc470d3 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -7,6 +7,7 @@ * * Modified for the Pfsense snort package v. 1.8+ * Copyright (C) 2009 Robert Zelaya Sr. Developer + * Copyright (C) 2014 Bill Meeks * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -33,6 +34,9 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +// Grab pfSense version so we can refer to it later on this page +$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); + if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $config['installedpackages']['snortglobal']['alertsblocks'] = array(); @@ -261,23 +265,25 @@ if ($pconfig['brefresh'] == 'on') /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $tmp_ip = str_replace(":", ":​", $blocked_ip); - + /* Add reverse DNS lookup icons (two different links if pfSense version supports them) */ + $rdns_link = ""; + if ($pfs_version > 2.0) { + $rdns_link .= ""; + $rdns_link .= " "; + } + $rdns_link .= ""; + $rdns_link .= ""; /* use one echo to do the magic*/ echo " {$counter} - {$tmp_ip}
- - - - + {$tmp_ip}
{$rdns_link} {$blocked_desc} \"Delete \n"; } - } ?> -- cgit v1.2.3 From e1e2edc25cdecd36af6f2bb2d1e75b7857cafaed Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 28 Jan 2014 11:43:56 -0500 Subject: Fix so forced rule toggles back to its default on 2nd click --- config/snort/snort_rules.php | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 4307c8de..71fdbd16 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -167,18 +167,12 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { $sid= $_GET['ids']; // See if the target SID is in our list of modified SIDs, - // and toggle it if present; otherwise, add it to the - // appropriate list. - if (isset($enablesid[$gid][$sid])) { + // and toggle it back to default if present; otherwise, + // add it to the appropriate modified SID list. + if (isset($enablesid[$gid][$sid])) unset($enablesid[$gid][$sid]); - if (!isset($disablesid[$gid][$sid])) - $disablesid[$gid][$sid] = "disablesid"; - } - elseif (isset($disablesid[$gid][$sid])) { + elseif (isset($disablesid[$gid][$sid])) unset($disablesid[$gid][$sid]); - if (!isset($enablesid[$gid][$sid])) - $enablesid[$gid][$sid] = "enablesid"; - } else { if ($rules_map[$gid][$sid]['disabled'] == 1) $enablesid[$gid][$sid] = "enablesid"; @@ -759,7 +753,7 @@ if ($savemsg) { $textse = ""; $iconb = "icon_reject_d.gif"; $disable_cnt++; - $title = gettext("Disabled by user. Click to toggle to enabled state"); + $title = gettext("Disabled by user. Click to toggle to default state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { $textss = ""; 
@@ -772,7 +766,7 @@ if ($savemsg) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; - $title = gettext("Enabled by user. Click to toggle to disabled state"); + $title = gettext("Enabled by user. Click to toggle to default state"); } else { $textss = $textse = ""; -- cgit v1.2.3 From c613223747934c62488bb55fb72138bec353ff61 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 28 Jan 2014 16:01:01 -0500 Subject: Fix snort_rules_edit.php to address http://seclist.org/fulldisclosure/2014/Jan/187 --- config/snort/snort_rules_edit.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index 28deccd5..61a9574a 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -115,8 +115,12 @@ elseif (file_exists("{$snortdir}/rules/{$file}")) elseif (file_exists("{$snortdir}/preproc_rules/{$file}")) $contents = file_get_contents("{$snortdir}/preproc_rules/{$file}"); // Is it a fully qualified path and file? -elseif (file_exists($file)) - $contents = file_get_contents($file); +elseif (file_exists($file)) { + if (substr(realpath($file), 0, strlen(SNORTLOGDIR)) != SNORTLOGDIR) + $contents = gettext("\n\nERROR -- File: {$file} can not be viewed!"); + else + $contents = file_get_contents($file); +} // It is not something we can display, so exit. else $input_errors[] = gettext("Unable to open file: {$displayfile}"); -- cgit v1.2.3 From ec1200d91b3ad257379cf8d267c3098073b78b5d Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 28 Jan 2014 16:19:59 -0500 Subject: Bump Snort package to 2.9.5.6 v3.0.4 --- config/snort/snort.inc | 4 ++-- config/snort/snort.xml | 6 +++--- config/snort/snort_check_for_rule_updates.php | 2 +- config/snort/snort_migrate_config.php | 2 +- config/snort/snort_post_install.php | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) (limited to 'config/snort') 
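Review bot: The new guard `substr(realpath($file), 0, strlen(SNORTLOGDIR)) != SNORTLOGDIR` is a bare prefix comparison, so a path under a sibling directory whose name merely begins with the same characters as SNORTLOGDIR also passes; compare against the directory with a trailing separator, e.g. `$logdir = rtrim(SNORTLOGDIR, '/') . '/'; if (strncmp(realpath($file), $logdir, strlen($logdir)) !== 0)`. The rejection text `gettext("\n\nERROR -- File: {$file} can not be viewed!")` echoes the untrusted `$file` value back into `$contents`; how `$contents` is rendered is outside this hunk, so confirm it passes through `htmlspecialchars()` at output or drop the filename from the message. The directory-relative `rules/` and `preproc_rules/` branches shown as context above are unchanged and still interpolate `$file` (assigned outside this hunk) without rejecting `..` segments.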
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index d983d995..777ae9d8 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -51,10 +51,10 @@ $snortver = array(); exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); $snort_version = $snortver[0]; if (empty($snort_version)) - $snort_version = "2.9.5.5"; + $snort_version = "2.9.5.6"; /* package version */ -$pfSense_snort_version = "3.0.2"; +$pfSense_snort_version = "3.0.4"; $snort_package_version = "Snort {$snort_version} pkg v{$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to pfSense version diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 9d4f1d61..a2d14bf0 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ None Currently there are no FAQ items provided. Snort - 2.9.5.5 - Services:2.9.5.5 pkg v3.0.2 + 2.9.5.6 + Services:2.9.5.6 pkg v3.0.4 /usr/local/pkg/snort/snort.inc Snort @@ -244,7 +244,7 @@ diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 0306c90d..9a69db1c 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -96,7 +96,7 @@ exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26 // Save the version with decimal delimiters for use in extracting the rules $snort_version = $snortver[0]; if (empty($snort_version)) - $snort_version = "2.9.5.5"; + $snort_version = "2.9.5.6"; // Create a collapsed version string for use in the tarball filename $snortver[0] = str_replace(".", "", $snortver[0]); diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index 1a812b24..218237ab 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php 
@@ -330,7 +330,7 @@ unset($r); // Write out the new configuration to disk if we changed anything if ($updated_cfg) { - $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.2"; + $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.4"; log_error("[Snort] Saving configuration settings in new format..."); write_config(); log_error("[Snort] Settings successfully migrated to new configuration format..."); diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index a3c8eced..945ddd04 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php @@ -1417,7 +1417,7 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { } /* Update Snort package version in configuration */ -$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.2"; +$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.4"; write_config(); /* Done with post-install, so clear flag */ -- cgit v1.2.3 From 5689d3b8bda555037f94f9a219f8c5d6c4f99a10 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 29 Jan 2014 12:29:35 -0500 Subject: Update tooltip text for rule enable/disable icon. --- config/snort/snort_rules.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 71fdbd16..86c0eba2 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -623,7 +623,7 @@ if ($savemsg) { $textse = ""; $iconb = "icon_reject_d.gif"; $disable_cnt++; - $title = gettext("Disabled by user. Click to toggle to enabled state"); + $title = gettext("Disabled by user. Click to toggle to default state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { $textss = ""; 
@@ -636,7 +636,7 @@ if ($savemsg) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; - $title = gettext("Enabled by user. Click to toggle to disabled state"); + $title = gettext("Enabled by user. Click to toggle to default state"); } else { $textss = $textse = ""; -- cgit v1.2.3 From 3cac08dbc7eec3334cb8a638299c96fc6f014979 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 6 Feb 2014 23:49:28 -0500 Subject: Fix typo in path to file. --- config/snort/snort.priv.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/snort') diff --git a/config/snort/snort.priv.inc b/config/snort/snort.priv.inc index 5e159747..795924ea 100644 --- a/config/snort/snort.priv.inc +++ b/config/snort/snort.priv.inc @@ -38,7 +38,7 @@ $priv_list['page-services-snort']['match'][] = "snort/snort_rulesets.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_select_alias.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_stream5_engine.php*"; $priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=snort_sync.xml*"; -$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=sort/snort.xml*"; +$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=snort/snort.xml*"; $priv_list['page-services-snort']['match'][] = "snort/snort_check_cron_misc.inc*"; $priv_list['page-services-snort']['match'][] = "snort/snort.inc*"; -- cgit v1.2.3 From c4ce3c7de5313e77cca2b29b656294208f02c86d Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 9 Feb 2014 15:50:41 -0500 Subject: Remove quotes around string variable -- shouldn't be there anyway. --- config/snort/snort.inc | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 777ae9d8..847a0dba 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc 
@@ -825,11 +825,11 @@ function snort_rm_blocked_install_cron($should_install) { switch($should_install) { case true: $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['minute'] = $snort_rm_blocked_min; + $cron_item['hour'] = $snort_rm_blocked_hr; + $cron_item['mday'] = $snort_rm_blocked_mday; + $cron_item['month'] = $snort_rm_blocked_month; + $cron_item['wday'] = $snort_rm_blocked_wday; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; @@ -927,11 +927,11 @@ function snort_rules_up_install_cron($should_install) { switch($should_install) { case true: $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['minute'] = $snort_rules_up_min; + $cron_item['hour'] = $snort_rules_up_hr; + $cron_item['mday'] = $snort_rules_up_mday; + $cron_item['month'] = $snort_rules_up_month; + $cron_item['wday'] = $snort_rules_up_wday; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php"; -- cgit v1.2.3 From 3e7fcc5bc0ff436c58b42ae3d07c58dbdc55f0c1 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 17 Feb 2014 19:08:02 -0500 Subject: Fix problem with saving empty custom rules element. --- config/snort/snort_rules.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 86c0eba2..afc764fc 100755 --- a/config/snort/snort_rules.php 
+++ b/config/snort/snort_rules.php @@ -37,6 +37,7 @@ global $g, $rebuild_rules; $snortdir = SNORTDIR; $rules_map = array(); +$pconfig = array(); if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); @@ -53,8 +54,6 @@ if (is_null($id)) { if (isset($id) && $a_rule[$id]) { $pconfig['interface'] = $a_rule[$id]['interface']; $pconfig['rulesets'] = $a_rule[$id]['rulesets']; - if (!empty($a_rule[$id]['customrules'])) - $pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']); } function truncate($string, $length) { @@ -365,8 +364,11 @@ if ($_POST['clear']) { exit; } -if ($_POST['customrules']) { - $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); +if ($_POST['submit']) { + if ($_POST['customrules']) + $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); + else + unset($a_rule[$id]['customrules']); write_config(); $rebuild_rules = true; snort_generate_conf($a_rule[$id]); @@ -500,12 +502,12 @@ if ($savemsg) { - + - " title=" "/>   + " title=" "/>   " title=""/>   " onclick="return confirm('')" title=""/> -- cgit v1.2.3 From 0e76f85bf6184d6d18830dba474fcd15fc075a03 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Feb 2014 19:15:45 -0500 Subject: Improve the Snort rules download update process. --- config/snort/snort_check_for_rule_updates.php | 355 ++++++++++++-------------- 1 file changed, 170 insertions(+), 185 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 9a69db1c..0aa397e4 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php 
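Review bot: `if ($_POST['customrules'])` is a truthiness test, so a submitted custom-rules body consisting only of `0` is treated as empty and the stored element is unset; use an explicit test such as `if (strlen(trim($_POST['customrules'])) > 0)`. The hunk also removes the `$pconfig['customrules'] = base64_decode(...)` pre-population with no replacement visible here, so whether the saved custom rules are still shown in the form after this change cannot be confirmed (the form markup in the `@@ -500,12 +502,12 @@` hunk is not readable on this page).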
@@ -78,15 +78,14 @@ else /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; $etproid = $config['installedpackages']['snortglobal']['etpro_code']; -$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; -$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; -$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; -$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; -$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; -$et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off'; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'] == 'on' ? 'on' : 'off'; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'on' ? 'on' : 'off'; +$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'] == 'on' ? 'on' : 'off'; +$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off'; -/* Working directory for downloaded rules tarballs */ -$tmpfname = "{$snortdir}/tmp/snort_rules_up"; +/* Working directory for downloaded rules tarballs and extraction */ +$tmpfname = "/tmp/snort_rules_up"; /* Grab the Snort binary version programmatically and use it to construct */ /* the proper Snort VRT rules tarball and md5 filenames. Fallback to a */ @@ -114,7 +113,6 @@ if ($etpro == "on") { $emergingthreats_url = ETPRO_BASE_DNLD_URL; $emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/"; $emergingthreats = "on"; - $et_enabled= "on"; $et_name = "Emerging Threats Pro"; $et_md5_remove = ET_DNLD_FILENAME . ".md5"; @unlink("{$snortdir}/{$et_md5_remove}"); 
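Review bot: `$tmpfname = "/tmp/snort_rules_up"` moves the working directory from the package-private `{$snortdir}/tmp/snort_rules_up` to a fixed, predictable name under the shared, world-writable `/tmp`, and later hunks run `exec("/bin/rm -r {$tmpfname}")`, extract tarballs into it and copy the results (including precompiled `.so` files) into `{$snortdir}/rules/` and `{$snortlibdir}/dynamicrules/`, as root per the cron entry in snort.inc. Any pre-existing directory or symlink at that path is removed and recreated without an ownership or link check, which is the classic shared-tmp hazard; pfSense normally has no unprivileged local accounts, so the practical exposure is low, but the old location did not have this property. Prefer keeping the working directory under `$snortdir`, or wherever `$tmpfname` itself is created (outside these hunks) verify `!is_link($tmpfname)` and the owner before extracting.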
@@ -371,7 +369,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* Start of main code */ /**********************/ -/* remove old $tmpfname files */ +/* remove any old $tmpfname files */ if (is_dir("{$tmpfname}")) exec("/bin/rm -r {$tmpfname}"); 
@@ -429,26 +427,123 @@ if ($emergingthreats == 'on') { $emergingthreats = 'off'; } -/* Untar Snort GPLv2 Community rules file to tmp */ +/* Untar Snort rules file to tmp and install the rules */ +if ($snortdownload == 'on') { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */ + /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x */ + $freebsd_version_so = 'FreeBSD-8-1'; + if (substr(php_uname("r"), 0, 1) == '9') + $freebsd_version_so = 'FreeBSD-9-0'; + + /* Remove the old Snort rules files */ + $vrt_prefix = VRT_FILE_PREFIX; + array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules")); + + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort VRT rules...")); + update_output_window(gettext("Installing Sourcefire VRT rules...")); + } + error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log); + /* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */ + safe_mkdir("{$tmpfname}/snortrules"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname}/snortrules rules/"); + $files = glob("{$tmpfname}/snortrules/rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . 
"{$newfile}"); + } + /* Extract any IP lists */ + $files = glob("{$tmpfname}/snortrules/rules/*.txt"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/rules/{$newfile}"); + } + exec("rm -r {$tmpfname}/snortrules"); + /* Extract the Snort preprocessor rules */ + if ($pkg_interface <> "console") + update_output_window(gettext("Extracting preprocessor rules files...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/"); + $files = glob("{$tmpfname}/preproc_rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/preproc_rules/{$newfile}"); + } + exec("rm -r {$tmpfname}/preproc_rules"); + /* extract so rules */ + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort VRT Shared Objects rules...")); + update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}...")); + } + exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/"); + error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log); + $snort_arch = php_uname("m"); + $nosorules = false; + if ($snort_arch == 'i386'){ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/"); + exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); + } elseif ($snort_arch == 'amd64') { + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/"); + exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); + } else + $nosorules = true; + exec("rm -r {$tmpfname}/so_rules"); + if ($nosorules == false) { + /* extract Shared Object stub rules, rename and copy to the rules folder. 
*/ + if ($pkg_interface <> "console") + update_status(gettext("Copying Snort VRT Shared Objects rules...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} --exclude precompiled/ --exclude src/ so_rules/"); + $files = glob("{$tmpfname}/so_rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file, ".rules"); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules"); + } + exec("rm -r {$tmpfname}/so_rules"); + } + /* extract base etc files */ + if ($pkg_interface <> "console") { + update_status(gettext("Extracting Snort VRT config and map files...")); + update_output_window(gettext("Copying config and map files...")); + } + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$tmpfname}/etc/{$file}")) + @copy("{$tmpfname}/etc/{$file}", "{$tmpfname}/VRT_{$file}"); + } + exec("rm -r {$tmpfname}/etc"); + if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + if ($pkg_interface <> "console") + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); + } + if ($pkg_interface <> "console") { + update_status(gettext("Extraction of Snort VRT rules completed...")); + update_output_window(gettext("Installation of Sourcefire VRT rules completed...")); + } + error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log); + } +} + +/* Untar Snort GPLv2 Community rules file to tmp and install the rules */ if ($snortcommunityrules == 'on') { - safe_mkdir("{$snortdir}/tmp/community"); + safe_mkdir("{$tmpfname}/community"); if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort GPLv2 Community Rules...")); update_output_window(gettext("Installing Snort GPLv2 
Community Rules...")); } error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$snortdir}/tmp/community/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/"); - $files = glob("{$snortdir}/tmp/community/community-rules/*.rules"); + $files = glob("{$tmpfname}/community/community-rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); @copy($file, "{$snortdir}/rules/" . GPL_FILE_PREFIX . "{$newfile}"); } /* base etc files for Snort GPLv2 Community rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}")) - @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/" . GPL_FILE_PREFIX . "{$file}"); + if (file_exists("{$tmpfname}/community/community-rules/{$file}")) + @copy("{$tmpfname}/community/community-rules/{$file}", "{$tmpfname}/" . GPL_FILE_PREFIX . "{$file}"); } /* Copy snort community md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { 
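Review bot: The VRT install path deletes the existing rules first (`array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules"))`) and then relies on `exec("/usr/bin/tar ...")` and `@copy(...)` whose results are never checked, so if extraction fails for any reason the interface is left with no VRT rules while the log still records `Installation of Snort VRT rules completed`. Capture the exit status, e.g. `exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname}/snortrules rules/", $out, $rc);`, and write an `error_log()` entry to `$snort_rules_upd_log` and skip the install when `$rc !== 0` or a `copy()` returns `false` — or extract first and only unlink the old files once extraction has succeeded. The `exec("rm -r ...")` cleanup calls in this hunk use a bare `rm` while the other commands here and in the earlier `@@ -371,7 +369,7 @@` hunk use absolute paths (`/bin/rm`, `/bin/cp`, `/usr/bin/tar`); under cron's minimal PATH that is fragile, so use `/bin/rm -r` consistently. `if ($nosorules == false)` reads more clearly as `if (!$nosorules)`.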
@@ -461,20 +556,20 @@ if ($snortcommunityrules == 'on') { update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed...")); } error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log); - exec("rm -r {$snortdir}/tmp/community"); + exec("rm -r {$tmpfname}/community"); } } -/* Untar Emerging Threats rules file to tmp */ +/* Untar Emerging Threats rules file to tmp and install the rules */ if ($emergingthreats == 'on') { - safe_mkdir("{$snortdir}/tmp/emerging"); + safe_mkdir("{$tmpfname}/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if ($pkg_interface <> "console") { update_status(gettext("Extracting {$et_name} rules...")); update_output_window(gettext("Installing {$et_name} rules...")); } error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/"); /* Remove the old Emerging Threats rules files */ $eto_prefix = ET_OPEN_FILE_PREFIX; @@ -484,7 +579,7 @@ if ($emergingthreats == 'on') { array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*ips.txt")); array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*ips.txt")); - $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); + $files = glob("{$tmpfname}/emerging/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") @@ -493,7 +588,7 @@ if ($emergingthreats == 'on') { @copy($file, "{$snortdir}/rules/{$newfile}"); } /* IP lists for Emerging Threats rules */ - $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); + $files = glob("{$tmpfname}/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") 
@@ -503,8 +598,8 @@ if ($emergingthreats == 'on') { } /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}")) - @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/tmp/ET_{$file}"); + if (file_exists("{$tmpfname}/emerging/rules/{$file}")) + @copy("{$tmpfname}/emerging/rules/{$file}", "{$tmpfname}/ET_{$file}"); } /* Copy emergingthreats md5 sig to snort dir */ 
@@ -518,116 +613,7 @@ if ($emergingthreats == 'on') { update_output_window(gettext("Installation of {$et_name} rules completed...")); } error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log); - exec("rm -r {$snortdir}/tmp/emerging"); - } -} - -/* Untar Snort rules file to tmp */ -if ($snortdownload == 'on') { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */ - /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x */ - $freebsd_version_so = 'FreeBSD-8-1'; - if (substr(php_uname("r"), 0, 1) == '9') - $freebsd_version_so = 'FreeBSD-9-0'; - - /* Remove the old Snort rules files */ - $vrt_prefix = VRT_FILE_PREFIX; - array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules")); - - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT rules...")); - update_output_window(gettext("Installing Sourcefire VRT rules...")); - } - error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log); - /* extract snort.org rules and add prefix to all snort.org files */ - safe_mkdir("{$snortdir}/tmp/snortrules"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp/snortrules rules/"); - $files = glob("{$snortdir}/tmp/snortrules/rules/*.rules"); - foreach ($files as $file) { - $newfile = basename($file); - @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . 
"{$newfile}"); - } - /* IP lists */ - $files = glob("{$snortdir}/tmp/snortrules/rules/*.txt"); - foreach ($files as $file) { - $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); - } - exec("rm -r {$snortdir}/tmp/snortrules"); - /* extract so rules */ - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT Shared Objects rules...")); - update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}...")); - } - exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/"); - error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log); - $snort_arch = php_uname("m"); - $nosorules = false; - if ($snort_arch == 'i386'){ - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); - } elseif ($snort_arch == 'amd64') { - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); - } else - $nosorules = true; - exec("rm -r {$snortdir}/tmp/so_rules"); - if ($nosorules == false) { - /* extract so stub rules, rename and copy to the rules folder. */ - if ($pkg_interface <> "console") - update_status(gettext("Copying Snort VRT Shared Objects rules...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp --exclude precompiled/ --exclude src/ so_rules/"); - $files = glob("{$snortdir}/tmp/so_rules/*.rules"); - foreach ($files as $file) { - $newfile = basename($file, ".rules"); - @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . 
"{$newfile}.so.rules"); - } - exec("rm -r {$snortdir}/tmp/so_rules"); - } - /* extract base etc files */ - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT config and map files...")); - update_output_window(gettext("Copying config and map files...")); - } - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/"); - foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/etc/{$file}")) - @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/tmp/VRT_{$file}"); - } - exec("rm -r {$snortdir}/tmp/etc"); - /* Untar snort signatures */ - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Extracting Snort VRT Signatures...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - if ($pkg_interface <> "console") - update_status(gettext("Done extracting Signatures.")); - - if (is_dir("{$snortdir}/doc/signatures")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying Snort VRT signatures...")); - exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures"); - if ($pkg_interface <> "console") - update_status(gettext("Done copying signatures.")); - } - } - /* Extract the Snort preprocessor rules */ - if ($pkg_interface <> "console") - update_output_window(gettext("Extracting preprocessor rules files...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp preproc_rules/"); - - if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); - @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); - } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of Snort VRT rules completed...")); - 
update_output_window(gettext("Installation of Sourcefire VRT rules completed...")); - } - error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log); + exec("rm -r {$tmpfname}/emerging"); } } 
@@ -636,28 +622,22 @@ function snort_apply_customizations($snortcfg, $if_real) { global $vrt_enabled; $snortdir = SNORTDIR; - /* Update the Preprocessor rules for the master configuration and for the interface if Snort VRT rules are in use. */ - if ($vrt_enabled == 'on') { - exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); - $preproc_files = glob("{$snortdir}/tmp/preproc_rules/*.rules"); + /* Update the Preprocessor rules from the master configuration for the interface if Snort */ + /* VRT rules are in use and the interface's preprocessor rules are not protected. */ + if ($vrt_enabled == 'on' && $snortcfg['protect_preproc_rules'] != 'on') { + $preproc_files = glob("{$snortdir}/preproc_rules/*.rules"); foreach ($preproc_files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/preproc_rules/{$newfile}"); - /* Check if customized preprocessor rule protection is enabled for interface before overwriting them. */ - if ($snortcfg['protect_preproc_rules'] <> 'on') - @copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}"); + @copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}"); } } - else { - exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); - } snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}"); /* Copy the master config and map files to the interface directory */ @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); - @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config"); + @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map"); 
} 
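Review bot: The rewritten preprocessor-rule block drops the `mkdir -p` of `{$snortdir}/snort_{uuid}_{if_real}/preproc_rules` that both old branches performed, so `snort_apply_customizations()` now silently does nothing (the `@copy` calls are suppressed) unless the caller has created that directory first. Either restore a `safe_mkdir("{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules");` ahead of the loop, or state the precondition in the function's header, e.g. `/* Caller must have created the interface directory and its preproc_rules subdirectory. */`. The move of the `gen-msg.map` copy is cosmetic. The function's signature appears only in the hunk header; its body begins before the hunk.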
@@ -667,45 +647,37 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = update_status(gettext('Copying new config and map files...')); error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log); - /* Determine which config and map file set to use for the master copy. */ - /* If the Snort VRT rules are not enabled, then use Emerging Threats. */ - if (($vrt_enabled == 'off') && ($et_enabled == 'on')) { - $cfgs = glob("{$snortdir}/tmp/*reference.config"); - $cfgs[] = "{$snortdir}/reference.config"; - snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); - $cfgs = glob("{$snortdir}/tmp/*classification.config"); - $cfgs[] = "{$snortdir}/classification.config"; - snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); - /* Use the unicode.map and gen-msg.map files from ET rules. */ - if (file_exists("{$snortdir}/tmp/ET_unicode.map")) - @copy("{$snortdir}/tmp/ET_unicode.map", "{$snortdir}/unicode.map"); - if (file_exists("{$snortdir}/tmp/ET_gen-msg.map")) - @copy("{$snortdir}/tmp/ET_gen-msg.map", "{$snortdir}/gen-msg.map"); - } - elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) { - foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/VRT_{$file}")) - @copy("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/{$file}"); - } - } - elseif (($vrt_enabled == 'on') && ($et_enabled == 'on')) { - /* Both VRT and ET rules are enabled, so build combined */ - /* reference.config and classification.config files. 
*/ - $cfgs = glob("{$snortdir}/tmp/*reference.config"); - $cfgs[] = "{$snortdir}/reference.config"; - snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); - $cfgs = glob("{$snortdir}/tmp/*classification.config"); - $cfgs[] = "{$snortdir}/classification.config"; - snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); - /* Use the unicode.map and gen-msg.map files from VRT rules. */ - if (file_exists("{$snortdir}/tmp/VRT_unicode.map")) - @copy("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/unicode.map"); - if (file_exists("{$snortdir}/tmp/VRT_gen-msg.map")) - @copy("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/gen-msg.map"); - } + /******************************************************************/ + /* Build the classification.config and reference.config files */ + /* using the ones from all the downloaded rules plus the default */ + /* files installed with Snort. */ + /******************************************************************/ + $cfgs = glob("{$tmpfname}/*reference.config"); + $cfgs[] = "{$snortdir}/reference.config"; + snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); + $cfgs = glob("{$tmpfname}/*classification.config"); + $cfgs[] = "{$snortdir}/classification.config"; + snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); + + /*******************************************************************/ + /* Determine which map files set to use for the master copy. If */ + /* the Snort VRT rules are not enabled, then use Emerging Threats */ + /* or Snort Community Rules, in that order, if either is enabled. 
*/ + /*******************************************************************/ + if ($snortdownload == 'on') + $prefix = "VRT_"; + elseif ($emergingthreats == 'on') + $prefix = "ET_"; + elseif ($snortcommunityrules == 'on') + $prefix = GPL_FILE_PREFIX; + if (file_exists("{$tmpfname}/{$prefix}unicode.map")) + @copy("{$tmpfname}/{$prefix}unicode.map", "{$snortdir}/unicode.map"); + if (file_exists("{$tmpfname}/{$prefix}gen-msg.map")) + @copy("{$tmpfname}/{$prefix}gen-msg.map", "{$snortdir}/gen-msg.map"); /* Start the rules rebuild proccess for each configured interface */ - if (is_array($config['installedpackages']['snortglobal']['rule'])) { + if (is_array($config['installedpackages']['snortglobal']['rule']) && + !empty($config['installedpackages']['snortglobal']['rule'])) { /* Set the flag to force rule rebuilds since we downloaded new rules, */ /* except when in post-install mode. Post-install does its own rebuild. */ 
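Review bot: `$prefix` is only assigned inside the if/elseif chain and has no default, so if this block is ever reached with all three flags off the `file_exists("{$tmpfname}/{$prefix}unicode.map")` checks run on an undefined variable; the outer condition shown in the hunk header prevents that today, but nothing local says so. A one-line default, `$prefix = "VRT_";` before the chain, keeps the block self-contained, or add `// one of the three flags is guaranteed on by the enclosing if`. Separately, the merge feeds `{$snortdir}/reference.config` in as both an input and the output; that is fine only if `snort_merge_reference_configs()` reads all inputs before writing, which cannot be confirmed from this hunk. The enclosing `if` begins before the hunk.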
@@ -722,6 +694,19 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = update_status(gettext($tmp)); update_output_window(gettext("Please wait while Snort interface files are being updated...")); } + + // Make sure the interface subdirectory and required sub-directories exists. + // We need to re-create them during a pkg reinstall for the intial rules set + // download and configuration done as part of restoring saved settings. + if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}")) + safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}"); + if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/rules")) + safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/rules"); + if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules")) + safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules"); + if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor")) + safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor"); + snort_apply_customizations($value, $if_real); /* Log a message in Update Log if protecting customized preprocessor rules. */ @@ -745,10 +730,10 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = $rebuild_rules = false; /* remove old $tmpfname files */ - if (is_dir("{$snortdir}/tmp")) { + if (is_dir("{$tmpfname}")) { if ($pkg_interface <> "console") update_status(gettext("Cleaning up after rules extraction...")); - exec("/bin/rm -r {$snortdir}/tmp"); + exec("/bin/rm -r {$tmpfname}"); } /* Restart snort if already running and we are not rebooting to pick up the new rules. */ -- cgit v1.2.3 From 78106a49b36edd8ca27a1e475b276b5762afdcc9 Mon Sep 17 00:00:00 2001 
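Review bot: The four `is_dir()`/`safe_mkdir()` pairs repeat the same interface path and would read better as a loop, `foreach (array("", "/rules", "/preproc_rules", "/dynamicpreprocessor") as $sub) safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}{$sub}");` — assuming `safe_mkdir()` tolerates an existing directory, which its name suggests but this hunk does not show. The comment has a typo, `intial` → `initial`. This is also the only place that guarantees the `preproc_rules` directory that `snort_apply_customizations()` copies into, so a note here, `// snort_apply_customizations() relies on these directories existing`, would help the next reader. The enclosing foreach begins before the hunk.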
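Review bot: The cleanup `exec("/bin/rm -r {$tmpfname}")` passes the path unquoted to the shell and omits `-f`, so a path containing spaces or shell metacharacters would be mis-split and a read-only file would leave the tree partially removed with no error reported; `exec("/bin/rm -rf " . escapeshellarg($tmpfname));` avoids both. Where `$tmpfname` originates is not visible here; if it lives under a world-writable temp directory a recursive delete of it is also exposed to symlink substitution, so confirm it is created under a root-owned path. The enclosing `if` begins before the hunk.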
From: bmeeks8
Date: Tue, 18 Feb 2014 19:28:18 -0500
Subject: Make sure we always prefer VRT gen-msg-map if VRT rules enabled.

---
 config/snort/snort_check_for_rule_updates.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'config/snort')

diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 0aa397e4..e13c3bef 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -664,7 +664,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
 	/* the Snort VRT rules are not enabled, then use Emerging Threats */
 	/* or Snort Community Rules, in that order, if either is enabled. */
 	/*******************************************************************/
-	if ($snortdownload == 'on')
+	if ($snortdownload == 'on' || $vrt_enabled == 'on')
 		$prefix = "VRT_";
 	elseif ($emergingthreats == 'on')
 		$prefix = "ET_";
-- 
cgit v1.2.3
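Review bot: With the new `|| $vrt_enabled == 'on'` test, a run where VRT rules are enabled but not downloaded (`$snortdownload` off) selects `VRT_` even though no `{$tmpfname}/VRT_*.map` files were staged this run, so the `file_exists()` guards on the copies that follow turn the step into a no-op and the existing master maps are kept; that appears to be the intent but is not obvious from the code. A comment above the `if` would make it explicit, e.g. `// If VRT is enabled but was not downloaded this run, no VRT_ maps exist in $tmpfname and the guarded copies below leave the current master maps in place.`. The copy lines and the enclosing `if` are outside this hunk, and whether `$vrt_enabled` is set at file scope before this point cannot be seen here.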