From ad421389225db7840529319149db6f59dee4e8b9 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 20 May 2013 21:55:24 -0400 Subject: More tweaks to new Snort Pkg Sync code. --- config/snort/snort.inc | 95 ++++++++++++++++++++++----------------------- config/snort/snort_sync.xml | 52 ++++++++++++++++++------- 2 files changed, 86 insertions(+), 61 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 3759f7be..46c66128 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -849,7 +849,7 @@ function snort_rules_up_install_cron($should_install) { /* Only run when all ifaces needed to sync. Expects filesystem rw */ function sync_snort_package_config() { global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file; - global $snort_version, $rebuild_rules; + global $snort_version, $rebuild_rules, $is_postinstall; $snortdir = SNORTDIR; @@ -889,7 +889,9 @@ function sync_snort_package_config() { configure_cron(); - snort_sync_on_changes(); + /* Do not attempt package sync if reinstalling package or booting */ + if (!$is_postinstall && !$g['booting']) + snort_sync_on_changes(); conf_mount_ro(); } @@ -2048,6 +2050,7 @@ function snort_deinstall() { if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') { log_error(gettext("Not saving settings... all Snort configuration info and logs deleted...")); unset($config['installedpackages']['snortglobal']); + unset($config['installedpackages']['snortsync']); @unlink("{$snort_rules_upd_log}"); mwexec("/bin/rm -rf {$snortlogdir}"); log_error(gettext("[Snort] The package has been removed from this system...")); 
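Review bot: The `!$is_postinstall && !$g['booting']` guard added before `snort_sync_on_changes()` in sync_snort_package_config is repeated at the top of snort_sync_on_changes() (@@ -3047) and again in snort_do_xmlrpc_sync() (@@ -3100), so one call path evaluates the same condition three times and a future change to the rule must be made in three places. Keeping the check inside snort_sync_on_changes() alone covers every caller, and the braceless form here should read `if (!$is_postinstall && !$g['booting']) { snort_sync_on_changes(); }` to match the surrounding style. `$is_postinstall` is only declared `global` in this hunk; an unset value is silently treated as false, which is presumably the intended "normal config save" case and deserves a one-line comment saying so. sync_snort_package_config() continues outside the hunk.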
@@ -3047,11 +3050,17 @@ EOD; /* Uses XMLRPC to synchronize the changes to a remote node */ function snort_sync_on_changes() { - global $config, $g; + global $config, $g, $is_postinstall; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $is_postinstall == true) + return; + if (is_array($config['installedpackages']['snortsync']['config'])){ $snort_sync=$config['installedpackages']['snortsync']['config'][0]; $synconchanges = $snort_sync['varsynconchanges']; $synctimeout = $snort_sync['varsynctimeout']; + $syncdownloadrules = $snort_sync['vardownloadrules']; switch ($synconchanges){ case "manual": if (is_array($snort_sync[row])){ @@ -3068,6 +3077,7 @@ function snort_sync_on_changes() { $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; $rs[0]['varsyncusername']=$system_carp['username']; $rs[0]['varsyncpassword']=$system_carp['password']; + $rs[0]['varsyncsnortstart']="no"; if ($system_carp['synchronizetoip'] ==""){ log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets."); return; @@ -3085,6 +3095,10 @@ function snort_sync_on_changes() { if (is_array($rs)){ log_error("[snort] Snort pkg xmlrpc sync is starting."); foreach($rs as $sh){ + if ($sh['varsyncsnortstart']) + $syncstartsnort = $sh['varsyncsnortstart']; + else + $syncstartsnort = "OFF"; $sync_to_ip = $sh['varsyncipaddress']; $password = $sh['varsyncpassword']; if($sh['varsyncusername']) @@ -3092,7 +3106,7 @@ function snort_sync_on_changes() { else $username = 'admin'; if($password && $sync_to_ip) - snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout); + snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort); } log_error("[snort] Snort pkg xmlrpc sync completed."); } 
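Review bot: The start-Snort flag is spelled three different ways in this commit: the auto path sets `$rs[0]['varsyncsnortstart']="no"` (@@ -3068), the manual path falls back to `"OFF"` (@@ -3085), and snort_do_xmlrpc_sync compares against `"ON"` (@@ -3160). Only the exact string `ON` enables the remote start, so if the rowhelper checkbox stores any other value (pfSense package forms generally store `on`), the option never takes effect even when checked. Normalizing where the row is read, `$syncstartsnort = empty($sh['varsyncsnortstart']) ? "OFF" : "ON";`, makes the later comparison independent of the stored spelling and lets the auto path use `"OFF"` as well. snort_sync_on_changes() continues past the end of these hunks.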
@@ -3100,17 +3114,22 @@ function snort_sync_on_changes() { } /* Do the actual XMLRPC sync */ -function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { - global $config, $g; +function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort) { + global $config, $g, $is_postinstall; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $is_postinstall == true) + return; if(!$username || !$password || !$sync_to_ip) { log_error("[snort] A required XMLRPC sync parameter (user, host IP or password) is empty ... aborting pkg sync"); return; } + /* Test key variables and set defaults if empty */ if(!$synctimeout) $synctimeout=150; - + $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; 
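Review bot: The new `$syncdownloadrules` parameter is inserted at the front of snort_do_xmlrpc_sync's signature, so every existing positional argument shifts and an unchanged caller would silently pass the target IP as `$syncdownloadrules` and the username as `$sync_to_ip`; the one call site visible here (@@ -3092) is updated, but any other caller is not. Appending both new parameters with safe defaults, `function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout, $syncdownloadrules = "no", $syncstartsnort = "OFF") {`, keeps old calls working and makes "no download, no start" the default. The `$is_postinstall == true` loose comparison reads like a strict check but is not; plain `$is_postinstall` says the same thing. The function body continues beyond this hunk.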
@@ -3160,22 +3179,37 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { log_error("[snort] Snort pkg configuration XMLRPC sync successfully completed with {$url}:{$port}."); } - /* Build a series of commands for the secondary host to execute to will reload the new settings. */ + $downloadrulescmd = ""; + if ($syncdownloadrules == "yes") { + $downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested update of downloaded rules files...\"));\n"; + $downloadrulescmd .= "include_once(\"/usr/local/pkg/snort/snort_check_for_rule_updates.php\");\n"; + } + $snortstart = ""; + if ($syncstartsnort == "ON") { + $snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested restart of Snort...\"));\n"; + $snortstart .= "if (!is_process_running(\"snort\")) {\n"; + $snortstart .= "exec(\"/usr/local/etc/rc.d/snort.sh start 2>&1 &\");\n}\n"; + } + + /* Build a series of commands for the secondary host to execute that will load the new settings. */ $execcmd = <<faultCode()) { $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); - $value = $resp->value(); - log_error(print_r($value, true)); file_notice("sync_settings", $error, "snort Settings Sync", ""); } else { log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php)."); } } -function snort_sync_build_slave_conf() { - - /*************************************************/ - /* This function is called by the XMLRPC package */ - /* sync process on the master host and is used */ - /* to build the initial Snort configuration on */ - /* a slave (or secondary) host after the push */ - /* of the config.xml data. 
*/ - /*************************************************/ - - global $g, $rebuild_rules, $snort_gui_include, $is_postinstall; - - // First download fresh rules if necessary - unset($snort_gui_include); - $is_postinstall = true; - log_error(gettext("[snort] XMLRPC pkg sync: Downloading and updating configured rule types...")); - - // Suppress all PHP output by swallowing it in the output buffer and then discarding it - ob_start(); - - // Now start the actual configuration build on the remote slave - @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); - $is_postinstall = false; - log_error(gettext("[snort] XMLRPC pkg sync: Generating snort.conf file using Master Host's settings...")); - $rebuild_rules = "on"; - sync_snort_package_config(); - $rebuild_rules = "off"; - log_error(gettext("[snort] XMLRPC pkg sync process on this host is complete...")); - - // Finally, discard any buffered PHP output and return - ob_end_clean(); -} - ?> diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml index 5bfeba12..274d3fc9 100755 --- a/config/snort/snort_sync.xml +++ b/config/snort/snort_sync.xml @@ -47,7 +47,7 @@ POSSIBILITY OF SUCH DAMAGE. Currently there are no FAQ items provided. snortsync 1.0 - Proxy server snort: XMLRPC Sync + Snort: XMLRPC Sync (EXPERIMENTAL) /usr/local/pkg/snort/snort.inc @@ -86,17 +86,17 @@ POSSIBILITY OF SUCH DAMAGE. - Snort XMLRPC Sync + Snort Package XMLRPC Sync Settings listtopic Enable Sync varsynconchanges - +
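Review bot: The `$snortstart` block logs `Requested restart of Snort...` but the command it sends only runs `snort.sh start` when `is_process_running("snort")` is false, so a Snort instance already running on the target is never restarted and will not pick up the pushed configuration; either the message should say `Requested start of Snort if not running...` or the command should perform a restart, and the intended behaviour should be stated in a comment above the block. The deleted snort_sync_build_slave_conf() set `$is_postinstall = true` and wrapped the rule-update include in `ob_start()`/`ob_end_clean()`, whereas the replacement `$downloadrulescmd` does neither; the heredoc that receives it is collapsed in this rendering, so if the heredoc does not set `$is_postinstall` before the include, the target's behaviour differs from the old slave path and is worth confirming. The `$execcmd` heredoc starts inside this hunk but its body is not readable here.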
Important: While using "Sync to hosts defined below", only sync from host A to B, A to C but do not enable XMLRPC sync to A. This will result in a loop!]]>
select - auto + disabled @@ -104,26 +104,42 @@ POSSIBILITY OF SUCH DAMAGE.
- XMLRPC timeout + XMLRPC Timeout varsynctimeout input - 150 + 150 5 - Destination Server + Refresh Rule Sets + vardownloadrules +
+ During each Snort package sync operation, ask the target host to check for + a new set of posted rule sets files and refresh the local copies if necessary. The default is + to refresh the files if newer versions have been posted.]]>
+ select + yes + + + + +
+ + + Replication Targets none rowhelper Enable varsyncdestinenable + checkbox - GUI Protocol + Protocol varsyncprotocol http or https]]> select @@ -134,28 +150,38 @@ POSSIBILITY OF SUCH DAMAGE. - GUI IP-Address + IP-Address varsyncipaddress input 15 - GUI Port + Port varsyncport - + input 3 - - GUI Admin Password + + Admin Password varsyncpassword password 20 + + Start Snort + varsyncsnortstart + + checkbox + + + WARNING: This feature is considered experimental and not recommended for production use + listtopic +
write_config();snort_sync_on_changes(); -- cgit v1.2.3
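Review bot: The new `Start Snort` checkbox column in the Replication Targets rowhelper carries no description in this hunk (element boundaries are stripped in this rendering, so it may be an empty element), and its effect on the target is not obvious from the label alone; a short description such as `Start Snort on the target host after sync if it is not already running` would tell the admin what is actually sent. The experimental-feature WARNING listtopic is placed after the rowhelper, so it is the last item an admin sees when enabling sync; moving it next to the `Enable Sync` field would make the caveat visible before the option is turned on.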