From 88fb21ea3a3400acccde81630d9790e561b3a8de Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Wed, 2 Apr 2014 15:18:25 -0400
Subject: Add new task to watch Barnyard2 archived logs folder.

---
 config/snort/snort_check_cron_misc.inc | 135 ++++++++++++++++++++-------------
 1 file changed, 83 insertions(+), 52 deletions(-)
(limited to 'config/snort')

diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc
index 038a11cd..7b0cfe34 100644
--- a/config/snort/snort_check_cron_misc.inc
+++ b/config/snort/snort_check_cron_misc.inc
@@ -1,10 +1,11 @@ 1, -// 'KB' => 1024, -// 'MB' => 1024 * 1024, -// 'GB' => 1024 * 1024 * 1024, -// 'TB' => 1024 * 1024 * 1024 * 1024, -// 'PB' => 1024 * 1024 * 1024 * 1024 * 1024, +$snortlogdir = SNORTLOGDIR; +function snort_check_dir_size_limit($snortloglimitsize) { -/* chk if snort log dir is full if so clear it */ -$snortloglimit = $config['installedpackages']['snortglobal']['snortloglimit']; -$snortloglimitsize = $config['installedpackages']['snortglobal']['snortloglimitsize']; + /******************************************************** + * This function checks the total size of the Snort * + * logging sub-directory structure and prunes the files * + * for all Snort interfaces if the size exceeds the * + * passed limit. * + * * + * On Entry: $snortloglimitsize = dir size limit in * + * in megabytes * + ********************************************************/ -if ($g['booting']==true) - return; + global $g, $config; -if ($snortloglimit == 'off') - return; + // Convert Log Limit Size setting from MB to KB + $snortloglimitsizeKB = round($snortloglimitsize * 1024); + $snortlogdirsizeKB = snort_Getdirsize(SNORTLOGDIR); + if ($snortlogdirsizeKB > 0 && $snortlogdirsizeKB > $snortloglimitsizeKB) { + log_error(gettext("[Snort] Log directory size exceeds configured limit of " . number_format($snortloglimitsize) . " MB set on Global Settings tab. 
All Snort log files will be truncated.")); + conf_mount_rw(); -if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; + // Truncate the Rules Update Log file if it exists + if (file_exists(RULES_UPD_LOGFILE)) { + log_error(gettext("[Snort] Truncating the Rules Update Log file...")); + file_put_contents(RULES_UPD_LOGFILE, ""); + } -/* Convert Log Limit Size setting from MB to KB */ -$snortloglimitsizeKB = round($snortloglimitsize * 1024); -$snortlogdirsizeKB = snort_Getdirsize(SNORTLOGDIR); -if ($snortlogdirsizeKB > 0 && $snortlogdirsizeKB > $snortloglimitsizeKB) { - log_error(gettext("[Snort] Log directory size exceeds configured limit of " . number_format($snortloglimitsize) . " MB set on Global Settings tab. All Snort log files will be truncated.")); - conf_mount_rw(); - - /* Truncate the Rules Update Log file if it exists */ - if (file_exists(RULES_UPD_LOGFILE)) { - log_error(gettext("[Snort] Truncating the Rules Update Log file...")); - $fd = @fopen(RULES_UPD_LOGFILE, "w+"); - if ($fd) - fclose($fd); - } + // Clean-up the logs for each configured Snort instance + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $if_real = get_real_interface($value['interface']); + $snort_uuid = $value['uuid']; + $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}"; + log_error(gettext("[Snort] Truncating logs for {$value['descr']} ({$if_real})...")); + snort_post_delete_logs($snort_uuid); + + // Truncate the alert log file if it exists + if (file_exists("{$snort_log_dir}/alert")) { + file_put_contents("{$snort_log_dir}/alert", ""); + } - /* Clean-up the logs for each configured Snort instance */ - foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { - $if_real = snort_get_real_interface($value['interface']); - $snort_uuid = $value['uuid']; - $snort_log_dir = SNORTLOGDIR . 
"/snort_{$if_real}{$snort_uuid}"; - log_error(gettext("[Snort] Truncating logs for {$value['descr']} ({$if_real})...")); - snort_post_delete_logs($snort_uuid); - - /* Truncate the alert log file if it exists */ - if (file_exists("{$snort_log_dir}/alert")) { - $fd = @fopen("{$snort_log_dir}/alert", "w+"); - if ($fd) - fclose($fd); + // This is needed if snort is run as snort user + mwexec('/bin/chmod 660 {$snort_log_dir}/*', true); + + // Soft-restart Snort process to resync logging + if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error(gettext("[Snort] Restarting logging on {$value['descr']} ({$if_real})...")); + mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); + } } + conf_mount_ro(); + log_error(gettext("[Snort] Automatic clean-up of Snort logs completed.")); + } +} + +/************************* + * Start of main code * + *************************/ + +// If firewall is booting, do nothing +if ($g['booting'] == true) + return; - /* This is needed if snort is run as snort user */ - mwexec('/bin/chmod 660 /var/log/snort/*', true); +// If no interfaces defined, there is nothing to clean up +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; - /* Soft-restart Snort process to resync logging */ - if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { - log_error(gettext("[Snort] Restarting logging on {$value['descr']} ({$if_real})...")); - mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); +// Check unified2 archived log retention in the interface logging directories if enabled +foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $if_real = get_real_interface($value['interface']); + $snort_log_dir = SNORTLOGDIR . 
"/snort_{$if_real}{$value['uuid']}"; + if (is_dir("{$snort_log_dir}/barnyard2/archive") && $value['u2_archived_log_retention'] > 0) { + $now = time(); + $files = glob("{$snort_log_dir}/barnyard2/archive/snort_{$value['uuid']}_{$if_real}.u2.*"); + $prune_count = 0; + foreach ($files as $f) { + if (($now - filemtime($f)) > ($value['u2_archived_log_retention'] * 3600)) { + $prune_count++; + unlink_if_exists($f); + } } + unset($files); + if ($prune_count > 0) + log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s)...")); } - conf_mount_ro(); - log_error(gettext("[Snort] Automatic clean-up of Snort logs completed.")); } +// Check the overall log directory limit (if enabled) and prune if necessary +if ($config['installedpackages']['snortglobal']['snortloglimit'] == 'on') + snort_check_dir_size_limit($config['installedpackages']['snortglobal']['snortloglimitsize']); + +return; + ?> -- cgit v1.2.3
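Review bot: The chmod inside snort_check_dir_size_limit never reaches the real log directory, because `mwexec('/bin/chmod 660 {$snort_log_dir}/*', true);` is single-quoted, so PHP hands the literal text `{$snort_log_dir}` to the shell, and with output muted the failure is silent; the files the previous hard-coded `/var/log/snort/*` line used to fix up now keep whatever mode they had. Change it to `mwexec("/bin/chmod 660 {$snort_log_dir}/*", true);` (since the path is built from the interface name and uuid in the config, wrapping the directory part in escapeshellarg() and appending `/*` would also be reasonable). In the new archive-pruning loop at the end of the file, `$files = glob(...)` can return false rather than an empty array, and `foreach` over false emits a warning; guard it with `foreach ((array)$files as $f)` or skip the loop when `$files === false`. `$snortlogdir = SNORTLOGDIR;` at the top of the new file is assigned but nothing in the hunk reads it, so it should either be used by the function (which calls snort_Getdirsize(SNORTLOGDIR) directly) or dropped.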