From 39eda8d18af808aed889f05faa8a54cc2370381d Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 10 Nov 2015 19:32:07 -0500 Subject: Add support for decompress_swf and decompress_pdf HTTP_INSPECT options. --- config/snort/snort_generate_conf.php | 6 +++++- config/snort/snort_httpinspect_engine.php | 28 ++++++++++++++++++++++++++-- config/snort/snort_interfaces_edit.php | 5 +++-- config/snort/snort_migrate_config.php | 3 ++- 4 files changed, 36 insertions(+), 6 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php index 646697bf..6780da0a 100644 --- a/config/snort/snort_generate_conf.php +++ b/config/snort/snort_generate_conf.php @@ -1291,7 +1291,7 @@ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", " "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); + "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" ); $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); $http_inspect_servers = ""; @@ -1385,6 +1385,10 @@ if ($snortcfg['http_inspect'] <> "off") { $http_inspect_servers .= " \\\n\tlog_uri"; if ($v['log_hostname'] == "on") $http_inspect_servers .= " \\\n\tlog_hostname"; + if ($v['decompress_swf'] == "on") + $http_inspect_servers .= " \\\n\tdecompress_swf"; + if ($v['decompress_pdf'] == "on") + $http_inspect_servers .= " \\\n\tdecompress_pdf"; // Add a pair of trailing newlines to terminate this server config $http_inspect_servers .= "\n\n"; diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php index c7680892..15d70f09 100644 --- a/config/snort/snort_httpinspect_engine.php +++ b/config/snort/snort_httpinspect_engine.php @@ -1,7 +1,7 @@ "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); + "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" ); // See if this is initial entry and set to "default" if true if ($eng_id < 1) { $def['name'] = "default"; @@ -124,6 +124,10 @@ else { $pconfig['max_spaces'] = 0; if (empty($pconfig['max_header_length'])) $pconfig['max_header_length'] = 0; + if (empty($pconfig['decompress_swf'])) + $pconfig['decompress_swf'] = "off"; + if (empty($pconfig['decompress_pdf'])) + $pconfig['decompress_pdf'] = "off"; } if ($_POST['Cancel']) { @@ -259,6 +263,8 @@ if ($_POST['save']) { $engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off'; $engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off'; $engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off'; + $engine['decompress_swf'] = $_POST['httpinspect_decompress_swf'] ? 'on' : 'off'; + $engine['decompress_pdf'] = $_POST['httpinspect_decompress_pdf'] ? 'on' : 'off'; // Can only have one "all" Bind_To address if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { @@ -527,6 +533,24 @@ if ($savemsg) . + + + > + + . + + + + > + + . + "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, - "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default", + "decompress_swf" => "off", "decompress_pdf" => "off" ); $ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index edcbb2d5..a0cf24fe 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -254,7 +254,8 @@ foreach ($rule as &$r) { "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, - "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default", + "decompress_swf" => "off", "decompress_pdf" => "off" ); // Ensure sensible default values exist for global HTTP_INSPECT parameters if (empty($pconfig['http_inspect'])) -- cgit v1.2.3 From 3dd4fc9d5d2c916f405e4ea845dc68f7e3f9898e Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 10 Nov 2015 19:35:27 -0500 Subject: Tidy up output messages during package installation and rule updates. --- config/snort/snort_check_for_rule_updates.php | 202 +++++++++++++------------- config/snort/snort_post_install.php | 25 +++- 2 files changed, 117 insertions(+), 110 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 123661e4..e2ec20e3 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -5,7 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2013-2014 Bill Meeks + * Copyright (C) 2013-2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -35,7 +35,7 @@ require_once("service-utils.inc"); require_once("/usr/local/pkg/snort/snort.inc"); require("/usr/local/pkg/snort/snort_defs.inc"); -global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules; +global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules, $static_output; $snortdir = SNORTDIR; $snortlibdir = SNORT_PBI_BASEDIR . "lib"; @@ -266,45 +266,56 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") { /* error occurred. */ /**********************************************************/ - global $pkg_interface, $last_curl_error, $update_errors; + global $last_curl_error, $update_errors, $static_output; $snortdir = SNORTDIR; $filename_md5 = basename($file_dst); - if ($pkg_interface <> "console") - update_status(gettext("Downloading {$desc} md5 file...")); + update_status(gettext("Downloading {$desc} md5 file...")); + $static_output .= gettext("Downloading {$desc} md5 file..."); + update_output_window($static_output); error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, SNORT_RULES_UPD_LOGFILE); $rc = snort_download_file_url($file_url, $file_dst); // See if download from URL was successful if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading {$filename_md5}.")); + update_status(gettext("Done downloading {$filename_md5}.")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); error_log("\tChecking {$desc} md5 file...\n", 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext("Checking {$desc} md5 file..."); + update_output_window($static_output); // check md5 hash in new file against current file to see if new download is posted if (file_exists("{$snortdir}/{$filename_md5}")) { $md5_check_new = file_get_contents($file_dst); $md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}"); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); if ($md5_check_new == $md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("{$desc} are up to date...")); + update_status(gettext("{$desc} are up to date...")); log_error(gettext("[Snort] {$desc} are up to date...")); error_log(gettext("\t{$desc} are up to date.\n"), 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext("{$desc} are current. No update required.\n"); + update_output_window($static_output); return false; } - else + else { return true; + } } + $static_output .= gettext(" done.\n"); + update_output_window($static_output); return true; } else { error_log(gettext("\t{$desc} md5 download failed.\n"), 3, SNORT_RULES_UPD_LOGFILE); $snort_err_msg = gettext("Server returned error code {$rc}."); - if ($pkg_interface <> "console") { - update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); - update_output_window(gettext("{$desc} will not be updated.\n\t{$snort_err_msg}")); - } + update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); + $static_output .= gettext(" FAILED!\n"); + update_output_window($static_output); + $static_output .= gettext("{$desc} will not be updated.\n{$snort_err_msg}\n"); + update_output_window($static_output); log_error(gettext("[Snort] {$desc} md5 download failed...")); log_error(gettext("[Snort] Server returned error code {$rc}...")); error_log(gettext("\t{$snort_err_msg}\n"), 3, SNORT_RULES_UPD_LOGFILE); @@ -334,29 +345,31 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* FALSE if download was not successful. */ /**********************************************************/ - global $pkg_interface, $last_curl_error, $update_errors; + global $last_curl_error, $update_errors, $static_output; $snortdir = SNORTDIR; $filename = basename($file_dst); - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of {$desc} posted. Downloading...")); + update_status(gettext("There is a new set of {$desc} posted. Downloading...")); log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}...")); error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, SNORT_RULES_UPD_LOGFILE); error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext("There is a new set of {$desc} posted.\nDownloading {$filename}..."); + update_output_window($static_output); $rc = snort_download_file_url($file_url, $file_dst); // See if the download from the URL was successful if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading {$desc} file.")); + update_status(gettext("Done downloading {$desc} file.")); log_error("[Snort] {$desc} file update downloaded successfully"); error_log(gettext("\tDone downloading rules file.\n"),3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); // Test integrity of the rules file. Turn off update if file has wrong md5 hash if ($file_md5 != trim(md5_file($file_dst))){ - if ($pkg_interface <> "console") - update_output_window(gettext("{$desc} file MD5 checksum failed...")); + $static_output .= gettext("{$desc} file MD5 checksum failed...\n"); + update_output_window($static_output); log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum...")); log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst))); log_error(gettext("[Snort] Expected File MD5: {$file_md5}")); @@ -370,12 +383,16 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { return true; } else { - if ($pkg_interface <> "console") - update_output_window(gettext("{$desc} file download failed...")); + $static_output .= gettext(" FAILED!\n"); + update_output_window($static_output); + $static_output .= gettext("{$desc} file download failed... server returned error '{$rc}'.\n"); + update_output_window($static_output); log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'...")); error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SNORT_RULES_UPD_LOGFILE); error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, SNORT_RULES_UPD_LOGFILE); error_log(gettext("\t{$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext("{$desc} will not be updated.\n"); + update_output_window($static_output); $update_errors = true; return false; } @@ -462,6 +479,9 @@ if ($emergingthreats == 'on') { /* Untar Snort rules file to tmp and install the rules */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { + $static_output .= gettext("Installing Sourcefire VRT rules..."); + update_output_window($static_output); + /* Currently, only FreeBSD-8-1, FreeBSD-9-0 and FreeBSD-10-0 precompiled SO rules exist from Snort.org */ /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x or FreeBSD 10.x */ $freebsd_version_so = 'FreeBSD-8-1'; @@ -471,13 +491,11 @@ if ($snortdownload == 'on') { $freebsd_version_so = 'FreeBSD-10-0'; /* Remove the old Snort rules files */ + update_status(gettext("Removing old Snort VRT rules...")); $vrt_prefix = VRT_FILE_PREFIX; unlink_if_exists("{$snortdir}/rules/{$vrt_prefix}*.rules"); - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT rules...")); - update_output_window(gettext("Installing Sourcefire VRT rules...")); - } + update_status(gettext("Extracting new Snort VRT rules...")); error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); /* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */ safe_mkdir("{$tmpfname}/snortrules"); @@ -495,8 +513,7 @@ if ($snortdownload == 'on') { } rmdir_recursive("{$tmpfname}/snortrules"); /* Extract the Snort preprocessor rules */ - if ($pkg_interface <> "console") - update_output_window(gettext("Extracting preprocessor rules files...")); + update_status(gettext("Extracting preprocessor rules files...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/"); $files = glob("{$tmpfname}/preproc_rules/*.rules"); foreach ($files as $file) { @@ -505,10 +522,7 @@ if ($snortdownload == 'on') { } rmdir_recursive("{$tmpfname}/preproc_rules"); /* extract so rules */ - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT Shared Objects rules...")); - update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}...")); - } + update_status(gettext("Extracting Snort VRT Shared Objects rules...")); error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, SNORT_RULES_UPD_LOGFILE); $snort_arch = php_uname("m"); $nosorules = false; @@ -523,8 +537,7 @@ if ($snortdownload == 'on') { rmdir_recursive("{$tmpfname}/so_rules/"); if ($nosorules == false) { /* extract Shared Object stub rules, rename and copy to the rules folder. */ - if ($pkg_interface <> "console") - update_status(gettext("Copying Snort VRT Shared Objects rules...")); + update_status(gettext("Copying Snort VRT Shared Objects rules...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} --exclude precompiled/ --exclude src/ so_rules/"); $files = glob("{$tmpfname}/so_rules/*.rules"); foreach ($files as $file) { @@ -534,10 +547,7 @@ if ($snortdownload == 'on') { rmdir_recursive("{$tmpfname}/so_rules/"); } /* extract base etc files */ - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort VRT config and map files...")); - update_output_window(gettext("Copying config and map files...")); - } + update_status(gettext("Extracting Snort VRT config and map files...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$tmpfname}/etc/{$file}")) @@ -545,14 +555,12 @@ if ($snortdownload == 'on') { } rmdir_recursive("{$tmpfname}/etc"); if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of Snort VRT rules completed...")); - update_output_window(gettext("Installation of Sourcefire VRT rules completed...")); - } + update_status(gettext("Extraction of Snort VRT rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); } } @@ -561,20 +569,20 @@ if ($snortdownload == 'on') { if ($openappid_detectors == 'on') { // If we have a valid downloaded file, then first cleanup the old directory if (file_exists("{$tmpfname}/{$snort_openappid_filename}")) { + update_status(gettext("Extracting Snort OpenAppID detectors...")); + $static_output .= gettext("Installing Snort OpenAppID detectors..."); $snort_openappid_path = SNORT_APPID_ODP_PATH; rmdir_recursive("{$snort_openappid_path}odp"); error_log(gettext("\tExtracting and installing Snort OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE); safe_mkdir(SNORT_APPID_ODP_PATH); exec("/usr/bin/tar oxzf {$tmpfname}/{$snort_openappid_filename} -C {$snort_openappid_path}"); if (file_exists("{$tmpfname}/{$snort_openappid_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_openappid_filename_md5}", "{$snortdir}/{$snort_openappid_filename_md5}"); } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of Snort OpenAppID detectors completed...")); - update_output_window(gettext("Installation of Snort OpenAppID detectors completed...")); - } + update_status(gettext("Extraction of Snort OpenAppID detectors completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); unlink_if_exists("{$tmpfname}/{$snort_openappid_filename}"); error_log(gettext("\tInstallation of Snort OpenAppID detectors completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); } @@ -584,10 +592,9 @@ if ($openappid_detectors == 'on') { if ($snortcommunityrules == 'on') { safe_mkdir("{$tmpfname}/community"); if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { - if ($pkg_interface <> "console") { - update_status(gettext("Extracting Snort GPLv2 Community Rules...")); - update_output_window(gettext("Installing Snort GPLv2 Community Rules...")); - } + update_status(gettext("Extracting Snort GPLv2 Community Rules...")); + $static_output .= gettext("Installing Snort GPLv2 Community Rules...\n"); + update_output_window($static_output); error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/"); @@ -603,14 +610,12 @@ if ($snortcommunityrules == 'on') { } /* Copy snort community md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_community_rules_filename_md5}", "{$snortdir}/{$snort_community_rules_filename_md5}"); } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); - update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed...")); - } + update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/community/"); } @@ -620,22 +625,23 @@ if ($snortcommunityrules == 'on') { if ($emergingthreats == 'on') { safe_mkdir("{$tmpfname}/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - if ($pkg_interface <> "console") { - update_status(gettext("Extracting {$et_name} rules...")); - update_output_window(gettext("Installing {$et_name} rules...")); - } + update_status(gettext("Extracting {$et_name} rules...")); + $static_output .= gettext("Installing {$et_name} rules..."); + update_output_window($static_output); error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/"); /* Remove the old Emerging Threats rules files */ $eto_prefix = ET_OPEN_FILE_PREFIX; $etpro_prefix = ET_PRO_FILE_PREFIX; + update_status(gettext("Removing old {$et_name} files...")); unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*.rules"); unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*.rules"); unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*ips.txt"); unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*ips.txt"); $files = glob("{$tmpfname}/emerging/rules/*.rules"); + update_status(gettext("Copying new {$et_name} files...")); foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") @@ -664,14 +670,12 @@ if ($emergingthreats == 'on') { /* Copy emergingthreats md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$emergingthreats_filename_md5}")) { - if ($pkg_interface <> "console") - update_status(gettext("Copying md5 signature to snort directory...")); + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } - if ($pkg_interface <> "console") { - update_status(gettext("Extraction of {$et_name} rules completed...")); - update_output_window(gettext("Installation of {$et_name} rules completed...")); - } + update_status(gettext("Extraction of {$et_name} rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/emerging/"); } @@ -710,8 +714,7 @@ function snort_apply_customizations($snortcfg, $if_real) { if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') { - if ($pkg_interface <> "console") - update_status(gettext('Copying new config and map files...')); + update_status(gettext('Copying new config and map files...')); error_log(gettext("\tCopying new config and map files...\n"), 3, SNORT_RULES_UPD_LOGFILE); /******************************************************************/ @@ -757,10 +760,9 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { $if_real = get_real_interface($value['interface']); $tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ..."; - if ($pkg_interface <> "console"){ - update_status(gettext($tmp)); - update_output_window(gettext("Please wait while Snort interface files are updated...")); - } + update_status(gettext($tmp)); + $static_output .= gettext($tmp . "..."); + update_output_window($static_output); // Make sure the interface subdirectory and required sub-directories exists. // We need to re-create them during a pkg reinstall for the intial rules set @@ -783,13 +785,14 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = $tmp .= convert_friendly_interface_to_friendly_descr($value['interface']) . "...\n"; } error_log($tmp, 3, SNORT_RULES_UPD_LOGFILE); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } } else { - if ($pkg_interface <> "console") { - update_output_window(gettext("Warning: No interfaces configured for Snort were found...")); - update_output_window(gettext("No interfaces currently have Snort configured and enabled on them...")); - } + $static_output .= gettext("Warning: No interfaces configured for Snort were found...\n"); + $static_output .= gettext("No interfaces currently have Snort configured and enabled on them.\n"); + update_output_window($static_output); error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, SNORT_RULES_UPD_LOGFILE); } @@ -798,24 +801,19 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = /* Restart snort if running, and not in post-install, so as to pick up the new rules. */ if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) { - if ($pkg_interface <> "console") { - update_status(gettext('Restarting Snort to activate the new set of rules...')); - update_output_window(gettext("Please wait ... restarting Snort will take some time...")); - } + update_status(gettext('Restarting Snort to activate the new set of rules...')); + $static_output .= gettext("Restarting Snort..."); + update_output_window($static_output); error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); touch("{$g['varrun_path']}/snort_pkg_starting.lck"); snort_restart_all_interfaces(TRUE); sleep(3); unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck"); - if ($pkg_interface <> "console") - update_output_window(gettext("Snort has restarted with your new set of rules...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); log_error(gettext("[Snort] Snort has restarted with your new set of rules...")); error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, SNORT_RULES_UPD_LOGFILE); } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("The rules update task is complete...")); - } } elseif ($openappid_detectors == 'on') { /**************************************************************************************/ @@ -823,33 +821,31 @@ elseif ($openappid_detectors == 'on') { /* Restart snort if running, and not in post-install, so as to pick up the detectors. */ /**************************************************************************************/ if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) { - if ($pkg_interface <> "console") { - update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...')); - update_output_window(gettext("Please wait ... restarting Snort will take some time...")); - } + update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...')); + $static_output .= gettext("Restarting Snort..."); + update_output_window($static_output); error_log(gettext("\tRestarting Snort to activate the new OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE); touch("{$g['varrun_path']}/snort_pkg_starting.lck"); snort_restart_all_interfaces(TRUE); sleep(2); unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck"); - if ($pkg_interface <> "console") - update_output_window(gettext("Snort has restarted with your new set of OpenAppID detectors...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); log_error(gettext("[Snort] Snort has restarted with your new set of OpenAppID detectors...")); error_log(gettext("\tSnort has restarted with your new set of OpenAppID detectors.\n"), 3, SNORT_RULES_UPD_LOGFILE); } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("The rules update task is complete...")); - } } /* remove $tmpfname files */ if (is_dir("{$tmpfname}")) { + $static_output .= gettext("Cleaning up temp dirs and files..."); + update_output_window($static_output); rmdir_recursive($tmpfname); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } -if ($pkg_interface <> "console") - update_status(gettext("The Rules update has finished...")); +update_status(gettext("The Rules update has finished.")); log_error(gettext("[Snort] The Rules update has finished.")); error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SNORT_RULES_UPD_LOGFILE); diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index bbb2642c..486cd462 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php @@ -43,7 +43,7 @@ require_once("functions.inc"); require_once("/usr/local/pkg/snort/snort.inc"); require("/usr/local/pkg/snort/snort_defs.inc"); -global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; +global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include, $static_output; $snortdir = SNORTDIR; $snortlogdir = SNORTLOGDIR; @@ -180,11 +180,12 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { /****************************************************************/ /* Do one-time settings migration for new multi-engine configurations */ - update_output_window(gettext("Please wait... migrating settings to new configuration...")); + $static_output .= gettext("\nMigrating settings to new configuration..."); + update_output_window($static_output); include('/usr/local/pkg/snort/snort_migrate_config.php'); - update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); - log_error(gettext("[Snort] Downloading and updating configured rule types...")); - update_output_window(gettext("Please wait... downloading and updating configured rule sets...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); + log_error(gettext("[Snort] Downloading and updating configured rule sets...")); if ($pkg_interface <> "console") $snort_gui_include = true; include('/usr/local/pkg/snort/snort_check_for_rule_updates.php'); @@ -198,7 +199,8 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { $if_real = get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; - update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "...")); + $static_output .= gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "..."); + update_output_window($static_output); // Pull in the PHP code that generates the snort.conf file // variables that will be substituted further down below. @@ -224,10 +226,17 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { // Create barnyard2.conf file for interface if ($snortcfg['barnyard_enable'] == 'on') snort_generate_barnyard2_conf($snortcfg, $if_real); + + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } /* create snort bootup file snort.sh */ + $static_output .= gettext("Generating snort.sh script in {$rcdir}..."); + update_output_window($static_output); snort_create_rc(); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); /* Set Log Limit, Block Hosts Time and Rules Update Time */ snort_snortloglimit_install_cron(true); @@ -248,12 +257,14 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { if (!($g['booting'])) { if ($pkg_interface <> "console") { update_status(gettext("Starting Snort using rebuilt configuration...")); + $static_output .= gettext("Starting Snort as a background task using the rebuilt configuration... "); mwexec_bg("{$rcdir}snort.sh start"); - update_output_window(gettext("Snort is starting as a background task using the rebuilt configuration...")); + update_output_window($static_output); } else mwexec_bg("{$rcdir}snort.sh start"); } + update_status(""); } /* We're finished with conf partition mods, return to read-only */ -- cgit v1.2.3 From 94ff1d183c480a7ce03041f270209ff237ad4dba Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 10 Nov 2015 20:45:11 -0500 Subject: Enable logging of IPv6 addresses in Unified2 logs as extra-data. --- config/snort/snort_conf_template.inc | 3 +++ 1 file changed, 3 insertions(+) (limited to 'config/snort') diff --git a/config/snort/snort_conf_template.inc b/config/snort/snort_conf_template.inc index 6b362ce5..2ee3e72c 100644 --- a/config/snort/snort_conf_template.inc +++ b/config/snort/snort_conf_template.inc @@ -48,6 +48,9 @@ config event_queue: max_queue 8 log 5 order_events content_length # Configure to show year in timestamps config show_year +# Configure IPv6 address logging in unified2 extra data +config log_ipv6_extra_data + # Configure protocol aware flushing # # For more information see README.stream5 # {$paf_max_pdu_config} -- cgit v1.2.3 From 0ed87a96c2fbc91f124bbd7bb8a2797dd9901e53 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 16 Nov 2015 17:33:35 -0500 Subject: Add reminder to save setting changes to PREPROCESSORS tab. --- config/snort/snort_frag3_engine.php | 3 +++ config/snort/snort_ftp_client_engine.php | 3 +++ config/snort/snort_ftp_server_engine.php | 3 +++ config/snort/snort_httpinspect_engine.php | 3 +++ config/snort/snort_preprocessors.php | 17 ++++++++++++++++- config/snort/snort_stream5_engine.php | 3 +++ 6 files changed, 31 insertions(+), 1 deletion(-) (limited to 'config/snort') diff --git a/config/snort/snort_frag3_engine.php b/config/snort/snort_frag3_engine.php index 9489bf16..33f06a87 100644 --- a/config/snort/snort_frag3_engine.php +++ b/config/snort/snort_frag3_engine.php @@ -187,6 +187,9 @@ if ($_POST['save']) { /* Now write the new engine array to conf */ write_config("Snort pkg: modified frag3 engine settings."); + // We have saved a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row"); exit; } diff --git a/config/snort/snort_ftp_client_engine.php b/config/snort/snort_ftp_client_engine.php index f462efa8..2f3cd1bd 100644 --- a/config/snort/snort_ftp_client_engine.php +++ b/config/snort/snort_ftp_client_engine.php @@ -218,6 +218,9 @@ if ($_POST['save']) { /* Now write the new engine array to conf */ write_config("Snort pkg: modified ftp_telnet_client engine settings."); + // We have saved a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); exit; } diff --git a/config/snort/snort_ftp_server_engine.php b/config/snort/snort_ftp_server_engine.php index cb9abc9c..7f3e5a10 100644 --- a/config/snort/snort_ftp_server_engine.php +++ b/config/snort/snort_ftp_server_engine.php @@ -189,6 +189,9 @@ if ($_POST['save']) { /* Now write the new engine array to conf */ write_config("Snort pkg: modified ftp_telnet_server engine settings."); + // We have saved a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); exit; } diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php index 15d70f09..55bdb5a7 100644 --- a/config/snort/snort_httpinspect_engine.php +++ b/config/snort/snort_httpinspect_engine.php @@ -304,6 +304,9 @@ if ($_POST['save']) { // Now write the new engine array to conf write_config("Snort pkg: modified http_inspect engine settings."); + // We have saved a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); exit; } diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index dd8ec660..76582763 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -263,6 +263,9 @@ if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalu // Now retrieve the "selected alias" returned from SELECT ALIAS page $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); + + // We have made a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); } // Handle deleting of any of the multiple configuration engines @@ -397,7 +400,7 @@ if ($_POST['ResetAll']) { $savemsg = gettext("All preprocessor settings have been reset to their defaults."); } -if ($_POST['save']) { +if ($_POST['save'] || $_POST['apply']) { $natent = array(); $natent = $pconfig; @@ -590,6 +593,9 @@ if ($_POST['save']) { /* Sync to configured CARP slaves if any are enabled */ snort_sync_on_changes(); + // We have saved changes, so clear "dirty" flag + clear_subsystem_dirty('snort_preprocessors'); + /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -619,6 +625,10 @@ if ($_POST['btn_import']) { $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host']; write_config("Snort pkg: imported Host Attribute Table data for {$a_nat[$id]['interface']}."); } + + // We have made a preproc config change, so set "dirty" flag + mark_subsystem_dirty('snort_preprocessors'); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); @@ -675,6 +685,11 @@ if ($savemsg) {
+ +

+" . gettext("Click SAVE when finished to apply the change to the Snort configuration."));?> + +
Date: Tue, 17 Nov 2015 23:59:35 -0500 Subject: Add fixes for some OpenAppID missing folders and files. --- config/snort/snort_check_for_rule_updates.php | 5 +++++ config/snort/snort_generate_conf.php | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'config/snort') diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index e2ec20e3..929ddad1 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -580,6 +580,11 @@ if ($openappid_detectors == 'on') { update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_openappid_filename_md5}", "{$snortdir}/{$snort_openappid_filename_md5}"); } + if (!is_dir("{$snort_openappid_path}custom")) { + safe_mkdir("{$snort_openappid_path}custom"); + safe_mkdir("{$snort_openappid_path}custom/lua"); + touch("{$snort_openappid_path}custom/userappid.conf"); + } update_status(gettext("Extraction of Snort OpenAppID detectors completed...")); $static_output .= gettext(" done.\n"); update_output_window($static_output); diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php index 6780da0a..a0b5d425 100644 --- a/config/snort/snort_generate_conf.php +++ b/config/snort/snort_generate_conf.php @@ -896,6 +896,9 @@ EOD; $appid_memcap = $snortcfg['sf_appid_mem_cap'] * 1024 * 1024; $appid_params = "app_detector_dir " . rtrim(SNORT_APPID_ODP_PATH, '/') . ", \\\n\tmemcap {$appid_memcap}"; if ($snortcfg['sf_appid_statslog'] == "on") { + if (!file_exists("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/app-stats.log")) { + touch("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/app-stats.log"); + } $appid_params .= ", \\\n\tapp_stats_filename app-stats.log"; $appid_params .= ", \\\n\tapp_stats_period {$snortcfg['sf_appid_stats_period']}"; $appid_params .= ", \\\n\tapp_stats_rollover_size " . strval($config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] * 1024); @@ -1271,7 +1274,7 @@ if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribut $http_inspect_global = "preprocessor http_inspect: global "; if ($snortcfg['http_inspect'] == "off") $http_inspect_global .= "disabled "; -$http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; +$http_inspect_global .= "\\\n\tiis_unicode_map {$snortdir}/unicode.map 1252 \\\n"; $http_inspect_global .= "\tcompress_depth 65535 \\\n"; $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; if (!empty($snortcfg['http_inspect_memcap'])) -- cgit v1.2.3 From 0e16773047fb31d6c9bd86e187a6f8a373f326cf Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 18 Nov 2015 00:02:14 -0500 Subject: Ignore shell script RESTART command when a START is already in progress. --- config/snort/snort.inc | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 60959ad6..5cdd5a00 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -2934,6 +2934,7 @@ rc_start() { ### Remove the lock since we have started all interfaces if [ -f {$g['varrun_path']}/snort_pkg_starting.lck ]; then + sleep 2 /bin/rm {$g['varrun_path']}/snort_pkg_starting.lck fi } @@ -2954,8 +2955,12 @@ case $1 in rc_stop ;; restart) - rc_stop - rc_start + if [ ! -f {$g['varrun_path']}/snort_pkg_starting.lck ]; then + rc_stop + rc_start + else + /usr/bin/logger -p daemon.info -i -t SnortRestart "Ignoring RESTART command since Snort is already starting..." + fi ;; esac -- cgit v1.2.3 From 9142c0a8939680cc73d11ae1f936a54e92e2a6d9 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 18 Nov 2015 00:05:44 -0500 Subject: Bump Snort versions: binary to v2.9.7.6 and GUI pkg to v3.2.9 --- config/snort/snort.xml | 2 +- config/snort/snort_defs.inc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'config/snort') diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 9d20a4ab..e9e43202 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -45,7 +45,7 @@ Snort IDS/IPS Package Snort - 3.2.8.2 + 3.2.9 Services: Snort IDS /usr/local/pkg/snort/snort.inc diff --git a/config/snort/snort_defs.inc b/config/snort/snort_defs.inc index ac09db44..961e8696 100644 --- a/config/snort/snort_defs.inc +++ b/config/snort/snort_defs.inc @@ -54,7 +54,7 @@ if (!defined("SNORT_BIN_VERSION")) { if (!empty($snortver)) define("SNORT_BIN_VERSION", $snortver); else - define("SNORT_BIN_VERSION", "2.9.7.5"); + define("SNORT_BIN_VERSION", "2.9.7.6"); } if (!defined("SNORT_SID_MODS_PATH")) define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/"); -- cgit v1.2.3