From 8b2f1c7498469af7ca5926ff8025e1a93fd3579d Mon Sep 17 00:00:00 2001 From: robiscool Date: Thu, 9 Sep 2010 21:31:10 -0700 Subject: snort, add log rotation, fix bugs --- config/snort/snort.inc | 94 ++++++++++++++++++- config/snort/snort.xml | 5 + config/snort/snort_check_cron_misc.inc | 80 ++++++++++++++++ config/snort/snort_download_updates.php | 17 ++-- config/snort/snort_gui.inc | 11 +++ config/snort/snort_interfaces.php | 18 ++-- config/snort/snort_interfaces_edit.php | 2 +- config/snort/snort_interfaces_global.php | 155 ++++++++++++++++++++++--------- config/snort/snort_rules.php | 2 + 9 files changed, 318 insertions(+), 66 deletions(-) create mode 100644 config/snort/snort_check_cron_misc.inc (limited to 'config/snort') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 3123a8e1..21f06c21 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -3,7 +3,7 @@ /* snort.inc Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya + Copyright (C) 2009-2010 Robert Zelaya part of pfSense All rights reserved. @@ -195,7 +195,8 @@ global $config, $g; /* this is for snort.conf */ $home_net = trim($home_net); - $home_net = str_replace(" ", ",", $home_net); + // $home_net = str_replace(" ", ",", $home_net); // old code + $home_net = str_replace(",,", ",", $home_net); // by Thrae, helps people with more than one gateway $home_net = "[{$home_net}]"; if($build_netlist == 'netlist') { @@ -362,7 +363,6 @@ function convert_friendly_interface_to_real_interface_name2($interface) return $interface; } -//$if_real_wan = convert_friendly_interface_to_real_interface_name2($interface_fake); /* Allow additional execution time 0 = no limit. */ ini_set('max_execution_time', '9999'); @@ -679,6 +679,7 @@ if($snort_arch_ck[0] == 'i386') { /* install perl-threaded */ + /* TODO: invoke this through pkg_util.inc */ if(!file_exists('/tmp/pkg_s')) { exec('/bin/mkdir -p /tmp/pkg_s'); 
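Review bot: In the `$home_net` hunk the old `str_replace(" ", ",", ...)` is commented out rather than replaced, so whitespace-separated entries now reach the `[{$home_net}]` bracket list in snort.conf untouched; if the stored value can still contain spaces, the generated `HOME_NET` is likely not what snort expects. Collapsing both separators in one step keeps the multi-gateway fix and the old behaviour: `$home_net = preg_replace('/[\s,]+/', ',', $home_net);`. The commented-out line can then be dropped, since git history already records it. The enclosing function starts and ends outside this hunk.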
@@ -754,6 +755,72 @@ function sync_package_snort_reinstall() conf_mount_ro(); } +function snort_Getdirsize($node) { + if(!is_readable($node)) + return false; + + $blah = exec( "/usr/bin/du -kd $node" ); + return substr( $blah, 0, strpos($blah, 9) ); +} + +/* func for log dir size limit cron */ +function snort_snortloglimit_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], '/usr/local/pkg/snort/snort_check_cron_misc.inc')) { + $is_installed = true; + break; + } + $x++; + } + + $snort_snortloglimit_info_ck = $config['installedpackages']['snortglobal']['snortloglimit']; + $snort_snortloglimitsize_info_ck = $config['installedpackages']['snortglobal']['snortloglimitsize']; + + switch($should_install) { + case true: + if(!$is_installed) { + + $cron_item = array(); + $cron_item['minute'] = "*/5"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc"; + $config['cron']['item'][] = $cron_item; + write_config('Installed snort log limit size'); + configure_cron(); + exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable + } + break; + case false: + if($is_installed == true) { + if($x > 0) + { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable + } + break; + } +} + + /* func for updating cron */ function snort_rm_blocked_install_cron($should_install) { 
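Review bot: `snort_Getdirsize()` interpolates `$node` unquoted into the shell command and finds the size field with `strpos($blah, 9)`, which only works while PHP treats an int needle as a character code (tab); both callers added in this commit pass fixed paths, but the helper should still quote its argument and name the tab explicitly: `$blah = exec('/usr/bin/du -kd ' . escapeshellarg($node)); return substr($blah, 0, strpos($blah, "\t"));`. It is also worth confirming that `-kd` with no depth does what is intended, since on FreeBSD `-d` takes a depth argument and may consume the path instead. In `snort_snortloglimit_install_cron()` the `if($x > 0)` guard means an entry found at index 0 is never removed (the same pattern as the existing cron helpers), and `$snort_snortloglimit_info_ck` / `$snort_snortloglimitsize_info_ck` are assigned but never read.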
@@ -867,6 +934,7 @@ function snort_rm_blocked_install_cron($should_install) $config['cron']['item'][] = $cron_item; write_config("Installed $snort_rm_blocked_info_ck minute filter reload for Time Based Rules"); configure_cron(); + exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable } break; case false: @@ -879,6 +947,7 @@ function snort_rm_blocked_install_cron($should_install) conf_mount_rw(); } configure_cron(); + exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable } break; } @@ -961,6 +1030,7 @@ function snort_rules_up_install_cron($should_install) { $config['cron']['item'][] = $cron_item; write_config("Installed 15 minute filter reload for Time Based Rules"); configure_cron(); + exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable } break; case false: @@ -971,6 +1041,7 @@ function snort_rules_up_install_cron($should_install) { conf_mount_rw(); } configure_cron(); + exec('/usr/bin/killall -HUP cron'); // TODO: remove when 2.0 is stable } break; } @@ -1063,6 +1134,23 @@ function sync_snort_package() exec('/bin/chmod -R 770 /var/log/snort'); exec('/bin/chmod -R 770 /usr/local/lib/snort'); exec('/bin/chmod -R 770 /usr/local/etc/snort/'); + + /* auto install loglimit dfault if value not set */ + $snortloglimitsize = $config['installedpackages']['snortglobal']['snortloglimitsize']; + + if ($snortloglimitsize == '') { + /* code will set limit to 21% of slice that is unused */ + $snortloglimitDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') * .21 / 1024); + $config['installedpackages']['snortglobal']['snortloglimitsize'] = $snortloglimitDSKsize; + write_config(); + conf_mount_rw(); + } + + $snort_snortloglimit_info_ck = $config['installedpackages']['snortglobal']['snortloglimit']; + if ($snort_snortloglimit_info_ck == '') { + snort_snortloglimit_install_cron(''); + snort_snortloglimit_install_cron('true'); + } conf_mount_ro(); } 
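Review bot: The `exec('/usr/bin/killall -HUP cron')` line added here is repeated verbatim, TODO included, in the `@@ -879`, `@@ -961` and `@@ -971` hunks and in the new `snort_snortloglimit_install_cron()`, each time directly after `configure_cron()`. A single helper such as `function snort_reload_cron() { configure_cron(); exec('/usr/bin/killall -HUP cron'); /* TODO: remove when 2.0 is stable */ }` keeps the workaround in one place so it can be retired with one edit. The enclosing functions start and end outside these hunks.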
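Review bot: The default-size block in `sync_snort_package()` stores `round(exec('df -k /var ...') * .21 / 1024)` without checking that `exec()` returned a number, so a failed `df` (empty string) silently persists a limit of 0, which the new cron script would then treat as "always over the limit" since it compares the directory size with `>=`. Guarding the value, e.g. `$avail = exec('...'); if (is_numeric($avail) && $avail > 0) { ... }`, avoids writing that default; the comment also says 21% while the form text in snort_interfaces_global.php says 20%. The calls `snort_snortloglimit_install_cron('')` followed by `snort_snortloglimit_install_cron('true')` rely on loose `switch` matching of strings against `case true`/`case false`; passing real booleans (`false`, then `true`), here and in the `@@ -84` hunk of snort_interfaces_global.php, reads as intended. `sync_snort_package()` starts outside this hunk.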
diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 2c4e45e1..98e970ed 100644 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -78,6 +78,11 @@ 077 http://www.pfsense.com/packages/config/snort/snort_head.inc + + /usr/local/pkg/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_check_cron_misc.php + /usr/local/bin/ 077 diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc new file mode 100644 index 00000000..d5d5e095 --- /dev/null +++ b/config/snort/snort_check_cron_misc.inc @@ -0,0 +1,80 @@ + 1, +// 'KB' => 1024, +// 'MB' => 1024 * 1024, +// 'GB' => 1024 * 1024 * 1024, +// 'TB' => 1024 * 1024 * 1024 * 1024, +// 'PB' => 1024 * 1024 * 1024 * 1024 * 1024, + + +/* chk if snort log dir is full if so clear it */ +$snortloglimit = $config['installedpackages']['snortglobal']['snortloglimit']; +$snortloglimitsize = $config['installedpackages']['snortglobal']['snortloglimitsize']; + +if ($g['booting']==true) { + exit(0); +} + +if ($snortloglimit == 'off') { + exit(0); +} + +$snortloglimitDSKsize = exec('df -k /var | grep -v "Filesystem" | awk \'{print \$4}\''); + +$snortlogAlertsizeKB = snort_Getdirsize('/var/log/snort/alert'); +$snortloglimitAlertsizeKB = round($snortlogAlertsizeKB * .70); +$snortloglimitsizeKB = round($snortloglimitsize * 1024); + +/* do I need HUP kill ? */ +if (snort_Getdirsize('/var/log/snort/') >= $snortloglimitsizeKB ) { + + conf_mount_rw(); + if(file_exists('/var/log/snort/alert')) { + if ($snortlogAlertsizeKB >= $snortloglimitAlertsizeKB) { + exec('/bin/echo "" > /var/log/snort/alert'); + } + post_delete_logs(); + exec('/usr/sbin/chown snort:snort /var/log/snort/*'); + exec('/bin/chmod 660 /var/log/snort/*'); + //sleep(2); + //exec('/usr/bin/killall -HUP snort'); + } + conf_mount_ro(); + +} + + +?> \ No newline at end of file diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 37d1546a..d87f905f 100644 
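Review bot: The new download entry in snort.xml fetches `snort_check_cron_misc.php`, but the file this commit creates is `config/snort/snort_check_cron_misc.inc` and the cron command installed by `snort_snortloglimit_install_cron()` runs `/usr/local/pkg/snort/snort_check_cron_misc.inc`; unless a `.php` copy exists elsewhere, package install fetches the wrong name and the cron job never finds its script. The URL should end in `snort_check_cron_misc.inc` to match both.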
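Review bot: In snort_check_cron_misc.inc the alert-file threshold is derived from the file's own size, `$snortloglimitAlertsizeKB = round($snortlogAlertsizeKB * .70)`, so `$snortlogAlertsizeKB >= $snortloglimitAlertsizeKB` holds for every non-negative size and the alert log is emptied every time the directory limit trips. The intent looks like 70% of the configured limit: `$snortloglimitAlertsizeKB = round($snortloglimitsizeKB * .70);`, computed after `$snortloglimitsizeKB`. `$snortloglimitDSKsize` is computed and never used, and `awk '{print \$4}'` inside a single-quoted PHP string hands a literal backslash to awk, unlike the same command in snort.inc which uses `$4`. Truncating with `exec('/bin/echo "" > /var/log/snort/alert')` could be `file_put_contents('/var/log/snort/alert', '');`, which needs no shell for a fixed path.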
--- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -113,27 +113,24 @@ include_once("/usr/local/pkg/snort/snort_head.inc"); jQuery(document).ready(function(){ //Examples of how to assign the ColorBox event to elements - jQuery(".example7").colorbox({width:"900px", height:"400px", iframe:true, overlayClose:false}); jQuery(".example8").colorbox({width:"820px", height:"700px", iframe:true, overlayClose:false}); - jQuery(".example9").colorbox({width:"90%", height:"65%", iframe:true, overlayClose:false}); }); - -' . $pgtitle . '

';}?> - + + +
+
-
+' . $pgtitle . '

';}?> diff --git a/config/snort/snort_gui.inc b/config/snort/snort_gui.inc index 9a3f1377..66f9c148 100644 --- a/config/snort/snort_gui.inc +++ b/config/snort/snort_gui.inc @@ -145,6 +145,17 @@ padding-bottom: 12px; border-bottom: 1px solid #999999; } +/* global tab, white lil box */ +.vncell3 { + width: 50px; + background-color: #eeeeee; + padding-right: 2px; + padding-left: 2px; + border-bottom-width: 1px; + border-bottom-style: solid; + border-bottom-color: #999999; +} + .vncellreq2 { background-color: #eeeeee; padding-right: 20px; diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index d43c1e63..eae518dd 100644 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -255,23 +255,24 @@ include_once("/usr/local/pkg/snort/snort_head.inc"); }); - - -
- -' . $pgtitle . '

';}?> - + +
+ +
+ +' . $pgtitle . '

';}?> + -
+ - +
+
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 455a6d01..c47baad5 100644 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -432,7 +432,7 @@ echo " } //--> -

+' . $pgtitle . '

';}?> " method="post" enctype="multipart/form-data" name="iform" id="iform"> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index daa50cbf..d4c07456 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php 
@@ -37,34 +37,40 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort_gui.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +$d_snort_global_dirty_path = '/var/run/snort_global.dirty'; + /* make things short */ $pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; $pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; $pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; +$pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; +$pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; $pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; -$pconfig['whitelistvpns'] = $config['installedpackages']['snortglobal']['whitelistvpns']; -$pconfig['clickablalerteurls'] = $config['installedpackages']['snortglobal']['clickablalerteurls']; -$pconfig['associatealertip'] = $config['installedpackages']['snortglobal']['associatealertip']; $pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype']; $pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings']; + /* this will exec when alert says apply */ + if ($_POST['apply']) { + + if (file_exists("$d_snort_global_dirty_path")) { + conf_mount_rw(); + + /* create whitelist and homenet file then sync files */ + sync_snort_package_empty(); + sync_snort_package(); - -if ($_POST) { - - unset($input_errors); - $pconfig = $_POST; - - /* input validation */ - if ($_POST['enable']) - { - -/* TODO:a dd check user input code. */ - + unlink("$d_snort_global_dirty_path"); + + write_config(); + conf_mount_ro(); + } } + - if (!$input_errors) { + +/* if no errors move foward */ +if (!$input_errors) { if ($_POST["Submit"]) { 
@@ -72,10 +78,9 @@ if ($_POST) { $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? on : off; $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; + $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit']; + $config['installedpackages']['snortglobal']['snortloglimitsize'] = $_POST['snortloglimitsize']; $config['installedpackages']['snortglobal']['autorulesupdate7'] = $_POST['autorulesupdate7']; - $config['installedpackages']['snortglobal']['whitelistvpns'] = $_POST['whitelistvpns'] ? on : off; - $config['installedpackages']['snortglobal']['clickablalerteurls'] = $_POST['clickablalerteurls'] ? on : off; - $config['installedpackages']['snortglobal']['associatealertip'] = $_POST['associatealertip'] ? on : off; $config['installedpackages']['snortglobal']['snortalertlogtype'] = $_POST['snortalertlogtype']; $config['installedpackages']['snortglobal']['forcekeepsettings'] = $_POST['forcekeepsettings'] ? on : off; @@ -84,6 +89,18 @@ if ($_POST) { $retval = 0; + + $snort_snortloglimit_info_ck = $config['installedpackages']['snortglobal']['snortloglimit']; + if ($snort_snortloglimit_info_ck == 'on') { + snort_snortloglimit_install_cron(''); + snort_snortloglimit_install_cron('true'); + } + + if ($snort_snortloglimit_info_ck == 'off') { + snort_snortloglimit_install_cron(''); + } + + /* set the snort block hosts time IMPORTANT */ $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; if ($snort_rm_blocked_info_ck == "never_b") 
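Review bot: `snortloglimitsize` is copied from `$_POST` into the config with no check, while the earlier hunk in this file removes the `unset($input_errors); $pconfig = $_POST;` block and its validation TODO, so `if (!$input_errors)` now always passes. The value is later multiplied by 1024 and used as the cron script's threshold, so a non-numeric or negative value would likely make the limit trip on every run; validate before saving, e.g. `if ($_POST['snortloglimitsize'] !== '' && (!is_numeric($_POST['snortloglimitsize']) || $_POST['snortloglimitsize'] < 0)) { $input_errors[] = 'Log directory size limit must be a non-negative number of MB.'; }` ahead of the `if (!$input_errors)` test. The `Submit` branch starts outside this hunk.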
@@ -111,22 +128,27 @@ if ($_POST) { } - + touch($d_snort_global_dirty_path); $savemsg = get_std_save_message($retval); + write_config(); - } - sync_snort_package(); + /* forces page to reload new settings */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces_global.php"); + + } } - if ($_POST["Reset"]) { - -//////>>>>>>>>> +if ($_POST["Reset"]) { - function snort_deinstall_settings() -{ + function snort_deinstall_settings() { global $config, $g, $id, $if_real; conf_mount_rw(); @@ -142,8 +164,8 @@ if ($_POST) { sleep(2); /* Remove snort cron entries Ugly code needs smoothness*/ -function snort_rm_blocked_deinstall_cron($should_install) -{ + function snort_rm_blocked_deinstall_cron($should_install) + { global $config, $g; conf_mount_rw(); @@ -208,8 +230,8 @@ function snort_rm_blocked_deinstall_cron($should_install) } } -snort_rm_blocked_deinstall_cron(""); -snort_rules_up_deinstall_cron(""); + snort_rm_blocked_deinstall_cron(""); + snort_rules_up_deinstall_cron(""); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ @@ -228,7 +250,7 @@ snort_rules_up_deinstall_cron(""); snort_deinstall_settings(); - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); 
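Review bot: The `Submit` branch now ends with `header("Location: /snort/snort_interfaces_global.php");` but no `exit;`, unlike the `Reset` branch below which does exit after its redirect, so the script keeps running, evaluates `if ($_POST["Reset"])` and renders the whole page behind a redirect response. Add `exit;` directly after the `Location` header. The enclosing `if (!$input_errors)` block starts outside this hunk.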
@@ -237,12 +259,10 @@ snort_rules_up_deinstall_cron(""); header("Location: /snort/snort_interfaces_global.php"); exit; - -//////>>>>>>>>> - } } -$pgtitle = "Services: Snort: Global Settings"; + +$pgtitle = 'Services: Snort: Global Settings'; include_once("/usr/local/pkg/snort/snort_head.inc"); ?> @@ -258,24 +278,45 @@ include_once("/usr/local/pkg/snort/snort_head.inc"); }); - - -
+
+ +
+ ' . $pgtitle . '

';}?> - - + + + + + + You must apply the changes in order for them to take effect.
+ '); + } + } +?> + - + + + + +
+
@@ -353,6 +394,32 @@ echo $snort_general_css;
General Settings
Log Directory Size Limit + + + + + + + + + + +
> + Enable directory size limit (Default)
> + Disable directory size limit

Warning: Pfsense Nanobsd should use no more than 10MB of space. +
 
+ + + + +
Size in MB + Default is 20% of available space.
+
Remove blocked hosts every diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 7a3f5b03..73de553b 100644 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -69,6 +69,8 @@ include("fbegin.inc"); echo ""; +if($pfsense_stable == 'yes'){echo '

' . $pgtitle . '

';} + echo "\n \n \n -- cgit v1.2.3