From ad421389225db7840529319149db6f59dee4e8b9 Mon Sep 17 00:00:00 2001
From: bmeeks8 <bmeeks8@bellsouth.net>
Date: Mon, 20 May 2013 21:55:24 -0400
Subject: More tweaks to new Snort Pkg Sync code.

---
 config/snort/snort.inc      | 95 ++++++++++++++++++++++-----------------------
 config/snort/snort_sync.xml | 52 ++++++++++++++++++-------
 2 files changed, 86 insertions(+), 61 deletions(-)

(limited to 'config/snort')

diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 3759f7be..46c66128 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -849,7 +849,7 @@ function snort_rules_up_install_cron($should_install) {
 /* Only run when all ifaces needed to sync. Expects filesystem rw */
 function sync_snort_package_config() {
 	global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file;
-	global $snort_version, $rebuild_rules;
+	global $snort_version, $rebuild_rules, $is_postinstall;
 
 	$snortdir = SNORTDIR;
 
@@ -889,7 +889,9 @@ function sync_snort_package_config() {
 
 	configure_cron();
 	
-	snort_sync_on_changes();
+	/* Do not attempt package sync if reinstalling package or booting */
+	if (!$is_postinstall && !$g['booting'])
+		snort_sync_on_changes();
 	
 	conf_mount_ro();
 }
@@ -2048,6 +2050,7 @@ function snort_deinstall() {
 	if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') {
 		log_error(gettext("Not saving settings... all Snort configuration info and logs deleted..."));
 		unset($config['installedpackages']['snortglobal']);
+		unset($config['installedpackages']['snortsync']);
 		@unlink("{$snort_rules_upd_log}");
 		mwexec("/bin/rm -rf {$snortlogdir}");
 		log_error(gettext("[Snort] The package has been removed from this system..."));
@@ -3047,11 +3050,17 @@ EOD;
 
 /* Uses XMLRPC to synchronize the changes to a remote node */
 function snort_sync_on_changes() {
-	global $config, $g;
+	global $config, $g, $is_postinstall;
+
+	/* Do not attempt a package sync while booting up or installing package */
+	if ($g['booting'] || $is_postinstall == true)
+		return;
+
 	if (is_array($config['installedpackages']['snortsync']['config'])){
 		$snort_sync=$config['installedpackages']['snortsync']['config'][0];
 		$synconchanges = $snort_sync['varsynconchanges'];
 		$synctimeout = $snort_sync['varsynctimeout'];
+		$syncdownloadrules = $snort_sync['vardownloadrules'];
 		switch ($synconchanges){
 			case "manual":
 				if (is_array($snort_sync[row])){
@@ -3068,6 +3077,7 @@ function snort_sync_on_changes() {
 						$rs[0]['varsyncipaddress']=$system_carp['synchronizetoip'];
 						$rs[0]['varsyncusername']=$system_carp['username'];
 						$rs[0]['varsyncpassword']=$system_carp['password'];
+						$rs[0]['varsyncsnortstart']="no";
 						if ($system_carp['synchronizetoip'] ==""){
 							log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets.");
 							return;
@@ -3085,6 +3095,10 @@ function snort_sync_on_changes() {
 		if (is_array($rs)){
 			log_error("[snort] Snort pkg xmlrpc sync is starting.");
 			foreach($rs as $sh){
+				if ($sh['varsyncsnortstart'])
+					$syncstartsnort = $sh['varsyncsnortstart'];
+				else
+					$syncstartsnort = "OFF";
 				$sync_to_ip = $sh['varsyncipaddress'];
 				$password = $sh['varsyncpassword'];
 				if($sh['varsyncusername'])
@@ -3092,7 +3106,7 @@ function snort_sync_on_changes() {
 				else
 					$username = 'admin';
 				if($password && $sync_to_ip)
-					snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout);
+					snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort);
 			}
 			log_error("[snort] Snort pkg xmlrpc sync completed.");
 		}
@@ -3100,17 +3114,22 @@ function snort_sync_on_changes() {
 }
 
 /* Do the actual XMLRPC sync */
-function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
-	global $config, $g;
+function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort) {
+	global $config, $g, $is_postinstall;
+
+	/* Do not attempt a package sync while booting up or installing package */
+	if ($g['booting'] || $is_postinstall == true)
+		return;
 
 	if(!$username || !$password || !$sync_to_ip) {
 		log_error("[snort] A required XMLRPC sync parameter (user, host IP or password) is empty ... aborting pkg sync");
 		return;
 	}
 
+	/* Test key variables and set defaults if empty */
 	if(!$synctimeout)
 		$synctimeout=150;
-		
+
 	$xmlrpc_sync_neighbor = $sync_to_ip;
 	if($config['system']['webgui']['protocol'] != "") {
 		$synchronizetoip = $config['system']['webgui']['protocol'];
@@ -3160,22 +3179,37 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
 		log_error("[snort] Snort pkg configuration XMLRPC sync successfully completed with {$url}:{$port}.");
 	}
 
-	/* Build a series of commands for the secondary host to execute to will reload the new settings. */
+	$downloadrulescmd = "";
+	if ($syncdownloadrules == "yes") {
+		$downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested update of downloaded rules files...\"));\n";
+		$downloadrulescmd .= "include_once(\"/usr/local/pkg/snort/snort_check_for_rule_updates.php\");\n";
+	}
+	$snortstart = "";
+	if ($syncstartsnort == "ON") {
+		$snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested restart of Snort...\"));\n";
+		$snortstart .= "if (!is_process_running(\"snort\")) {\n";
+		$snortstart .= "exec(\"/usr/local/etc/rc.d/snort.sh start 2>&1 &\");\n}\n";
+	}
+
+	/* Build a series of commands for the secondary host to execute that will load the new settings. */
 	$execcmd = <<<EOD
-	include_once("/usr/local/pkg/snort/snort.inc");
+	require_once("/usr/local/pkg/snort/snort.inc");
+	require_once("service-utils.inc");
 	global \$g, \$rebuild_rules, \$snort_gui_include, \$is_postinstall, \$pkg_interface;
+	\$orig_pkg_interface = \$pkg_interface;
 	\$is_postinstall = true;
 	\$snort_gui_include = false;
-	log_error(gettext("[snort] XMLRPC pkg sync: Downloading and updating configured rule types..."));
-	ob_start();
-	include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php");
+	\$pkg_interface = "console";
+	{$downloadrulescmd}
 	\$is_postinstall = false;
-	ob_end_clean();
 	log_error(gettext("[snort] XMLRPC pkg sync: Generating snort.conf file using Master Host's settings..."));
 	\$rebuild_rules = "on";
 	sync_snort_package_config();
 	\$rebuild_rules = "off";
+	{$snortstart}
 	log_error(gettext("[snort] XMLRPC pkg sync process on this host is complete..."));
+	\$pkg_interface = \$orig_pkg_interface;
+	return true;
 
 EOD;
 
@@ -3199,45 +3233,10 @@ EOD;
 	} elseif($resp->faultCode()) {
 		$error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
 		log_error($error);
-		$value = $resp->value();
-		log_error(print_r($value, true));
 		file_notice("sync_settings", $error, "snort Settings Sync", "");
 	} else {
 		log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php).");
 	}
 }
 
-function snort_sync_build_slave_conf() {
-
-	/*************************************************/
-	/* This function is called by the XMLRPC package */
-	/* sync process on the master host and is used   */
-	/* to build the initial Snort configuration on   */
-	/* a slave (or secondary) host after the push    */
-	/* of the config.xml data.                       */
-	/*************************************************/
-
-	global $g, $rebuild_rules, $snort_gui_include, $is_postinstall;
-
-	// First download fresh rules if necessary
-	unset($snort_gui_include);
-	$is_postinstall = true;
-	log_error(gettext("[snort] XMLRPC pkg sync: Downloading and updating configured rule types..."));
-
-	// Suppress all PHP output by swallowing it in the output buffer and then discarding it
-	ob_start();
-
-	// Now start the actual configuration build on the remote slave
-	@include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php");
-	$is_postinstall = false;
-	log_error(gettext("[snort] XMLRPC pkg sync: Generating snort.conf file using Master Host's settings..."));
-	$rebuild_rules = "on";
-	sync_snort_package_config();
-	$rebuild_rules = "off";
-	log_error(gettext("[snort] XMLRPC pkg sync process on this host is complete..."));
-
-	// Finally, discard any buffered PHP output and return
-	ob_end_clean();
-}
-
 ?>
diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml
index 5bfeba12..274d3fc9 100755
--- a/config/snort/snort_sync.xml
+++ b/config/snort/snort_sync.xml
@@ -47,7 +47,7 @@ POSSIBILITY OF SUCH DAMAGE.
 	<faq>Currently there are no FAQ items provided.</faq>
 	<name>snortsync</name>
 	<version>1.0</version>
-	<title>Proxy server snort: XMLRPC Sync</title>
+	<title>Snort: XMLRPC Sync (EXPERIMENTAL)</title>
 	<include_file>/usr/local/pkg/snort/snort.inc</include_file>
 	<tabs>
 		<tab>
@@ -86,17 +86,17 @@ POSSIBILITY OF SUCH DAMAGE.
 	</tabs>
 	<fields>
 		<field>
-			<name>Snort XMLRPC Sync</name>
+			<name>Snort Package XMLRPC Sync Settings</name>
 			<type>listtopic</type>
 		</field>
 		<field>
 			<fielddescr>Enable Sync</fielddescr>
 			<fieldname>varsynconchanges</fieldname>
-			<description><![CDATA[All changes will be synced with apply config to the IPs listed below if this option is checked.<br>
+			<description><![CDATA[All changes will be synced with apply config to the IPs listed below if this option is checked.<br/><br/>
 						<b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description>
 			<type>select</type>
 			<required/>
-			<default_value>auto</default_value>
+			<default_value>disabled</default_value>
 			<options>
 				<option><name>Sync to configured system backup server</name><value>auto</value></option>
 				<option><name>Sync to host(s) defined below</name><value>manual</value></option>
@@ -104,26 +104,42 @@ POSSIBILITY OF SUCH DAMAGE.
 			</options>
 		</field>
 		<field>
-						<fielddescr>XMLRPC timeout</fielddescr>
+			<fielddescr>XMLRPC Timeout</fielddescr>
 			<fieldname>varsynctimeout</fieldname>
 			<description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description>
 			<type>input</type>
-						<default_value>150</default_value>
+			<default_value>150</default_value>
 			<size>5</size>
 		</field>
 
 		<field>
-			<fielddescr>Destination Server</fielddescr>
+			<fielddescr>Refresh Rule Sets</fielddescr>
+			<fieldname>vardownloadrules</fieldname>
+			<description><![CDATA[Ask target hosts to refresh rule sets files on each sync operation.<br/><br/>
+					During each Snort package sync operation, ask the target host to check for 
+					a new set of posted rule sets files and refresh the local copies if necessary.  The default is 
+					to refresh the files if newer versions have been posted.]]></description>
+			<type>select</type>
+			<default_value>yes</default_value>
+			<options>
+				<option><name>Signal target hosts to refresh rules files</name><value>yes</value></option>
+				<option><name>Do NOT ask target host to refresh rules files</name><value>no</value></option>
+			</options>
+		</field>
+
+		<field>
+			<fielddescr>Replication Targets</fielddescr>
 			<fieldname>none</fieldname>
 			<type>rowhelper</type>
 			<rowhelper>
 				<rowhelperfield>
 					<fielddescr>Enable</fielddescr>
 					<fieldname>varsyncdestinenable</fieldname>
+					<description><![CDATA[Enable this host as a replication target]]></description>
 					<type>checkbox</type>
 				</rowhelperfield>
 				<rowhelperfield>
-					<fielddescr>GUI Protocol</fielddescr>
+					<fielddescr>Protocol</fielddescr>
 					<fieldname>varsyncprotocol</fieldname>
 					<description><![CDATA[Choose the protocol of the destination host. Probably <b>http</b> or <b>https</b>]]></description>
 					<type>select</type>
@@ -134,28 +150,38 @@ POSSIBILITY OF SUCH DAMAGE.
 					</options>
 				</rowhelperfield>
 				<rowhelperfield>
-					<fielddescr>GUI IP-Address</fielddescr>
+					<fielddescr>IP-Address</fielddescr>
 					<fieldname>varsyncipaddress</fieldname>
 					<description><![CDATA[IP Address of the destination host.]]></description>
 					<type>input</type>
 					<size>15</size>
 				</rowhelperfield>
 				<rowhelperfield>
-					<fielddescr>GUI Port</fielddescr>
+					<fielddescr>Port</fielddescr>
 					<fieldname>varsyncport</fieldname>
-					<description><![CDATA[Choose the port of the destination host.]]></description>
+					<description><![CDATA[Choose the sync port of the destination host.]]></description>
 					<type>input</type>
 					<size>3</size>
 				</rowhelperfield>
-								<rowhelperfield>
-					<fielddescr>GUI Admin Password</fielddescr>
+				<rowhelperfield>
+					<fielddescr>Admin Password</fielddescr>
 					<fieldname>varsyncpassword</fieldname>
 					<description><![CDATA[Password of the user "admin" on the destination host.]]></description>
 					<type>password</type>
 					<size>20</size>
 				</rowhelperfield>
+				<rowhelperfield>
+					<fielddescr>Start Snort</fielddescr>
+					<fieldname>varsyncsnortstart</fieldname>
+					<description><![CDATA[Start Snort on target host if not already running.]]></description>
+					<type>checkbox</type>
+				</rowhelperfield>
 			</rowhelper>
 		</field>
+		<field>
+			<name>WARNING:  This feature is considered experimental and not recommended for production use</name>
+			<type>listtopic</type>
+		</field>
 	</fields>
 	<custom_delete_php_command>
 		write_config();snort_sync_on_changes();
-- 
cgit v1.2.3