From 10cab278e653f00bd8ec0ee0e82d30e5c7798042 Mon Sep 17 00:00:00 2001
From: bmeeks8 <bmeeks8@bellsouth.net>
Date: Wed, 19 Feb 2014 14:08:14 -0500
Subject: BETA version of Suricata 1.4.6 IDS package v0.1 for pfSense.

---
 .../suricata/suricata_check_for_rule_updates.php   | 683 +++++++++++++++++++++
 1 file changed, 683 insertions(+)
 create mode 100644 config/suricata/suricata_check_for_rule_updates.php

(limited to 'config/suricata/suricata_check_for_rule_updates.php')

diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php
new file mode 100644
index 00000000..ec39c203
--- /dev/null
+++ b/config/suricata/suricata_check_for_rule_updates.php
@@ -0,0 +1,683 @@
+<?php
+/*
+ * suricata_check_for_rule_updates.php
+ *
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("functions.inc");
+require_once("service-utils.inc");
+require_once("/usr/local/pkg/suricata/suricata.inc");
+
+global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules;
+
+if (!defined("VRT_DNLD_URL"))
+	define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");
+if (!defined("ET_VERSION"))
+	define("ET_VERSION", "2.9.0");
+if (!defined("ET_BASE_DNLD_URL"))
+	define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/"); 
+if (!defined("ETPRO_BASE_DNLD_URL"))
+	define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/"); 
+if (!defined("ET_DNLD_FILENAME"))
+	define("ET_DNLD_FILENAME", "emerging.rules.tar.gz");
+if (!defined("ETPRO_DNLD_FILENAME"))
+	define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
+if (!defined("VRT_DNLD_FILENAME"))
+	define("VRT_DNLD_FILENAME", "snortrules-snapshot-edge.tar.gz");
+if (!defined("GPLV2_DNLD_FILENAME"))
+	define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
+if (!defined("GPLV2_DNLD_URL"))
+	define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/");
+if (!defined("RULES_UPD_LOGFILE"))
+	define("RULES_UPD_LOGFILE", SURICATALOGDIR . "/suricata_rules_update.log");
+if (!defined("VRT_FILE_PREFIX"))
+	define("VRT_FILE_PREFIX", "snort_");
+if (!defined("GPL_FILE_PREFIX"))
+	define("GPL_FILE_PREFIX", "GPLv2_");
+if (!defined("ET_OPEN_FILE_PREFIX"))
+	define("ET_OPEN_FILE_PREFIX", "emerging-");
+if (!defined("ET_PRO_FILE_PREFIX"))
+	define("ET_PRO_FILE_PREFIX", "etpro-");
+
+$suricatadir = SURICATADIR;
+$suricatalogdir = SURICATALOGDIR;
+$suricata_rules_upd_log = RULES_UPD_LOGFILE;
+
+/* Save the state of $pkg_interface so we can restore it */
+$pkg_interface_orig = $pkg_interface;
+if ($suricata_gui_include)
+	$pkg_interface = "";
+else
+	$pkg_interface = "console";
+
+/* define checks */
+$oinkid = $config['installedpackages']['suricata']['config'][0]['oinkcode'];
+$etproid = $config['installedpackages']['suricata']['config'][0]['etprocode'];
+$snortdownload = $config['installedpackages']['suricata']['config'][0]['enable_vrt_rules'] == 'on' ? 'on' : 'off';
+$etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules'] == 'on' ? 'on' : 'off';
+$eto = $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules'] == 'on' ? 'on' : 'off';
+$vrt_enabled = $config['installedpackages']['suricata']['config'][0]['enable_vrt_rules'] == 'on' ? 'on' : 'off';
+$snortcommunityrules = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules'] == 'on' ? 'on' : 'off';
+
+/* Working directory for downloaded rules tarballs */
+$tmpfname = "/tmp/suricata_rules_up";
+
+/* Snort Edge VRT Rules filenames and URL */
+$snort_filename = VRT_DNLD_FILENAME;
+$snort_filename_md5 = "{$snort_filename}.md5";
+$snort_rule_url = VRT_DNLD_URL;
+
+/* Snort GPLv2 Community Rules filenames and URL */
+$snort_community_rules_filename = GPLV2_DNLD_FILENAME;
+$snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5";
+$snort_community_rules_url = GPLV2_DNLD_URL;
+
+/* Set up Emerging Threats rules filenames and URL */
+if ($etpro == "on") {
+	$emergingthreats_filename = ETPRO_DNLD_FILENAME;
+	$emergingthreats_filename_md5 = ETPRO_DNLD_FILENAME . ".md5";
+	$emergingthreats_url = ETPRO_BASE_DNLD_URL;
+	$emergingthreats_url .= "{$etproid}/suricata/";
+	$et_name = "Emerging Threats Pro";
+	$et_md5_remove = ET_DNLD_FILENAME . ".md5";
+	@unlink("{$suricatadir}{$et_md5_remove}");
+}
+else {
+	$emergingthreats_filename = ET_DNLD_FILENAME;
+	$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5";
+	$emergingthreats_url = ET_BASE_DNLD_URL;
+	// If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules
+	$emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/";
+	$emergingthreats_url .= "suricata/";
+	$et_name = "Emerging Threats Open";
+	$et_md5_remove = ETPRO_DNLD_FILENAME . ".md5";
+	@unlink("{$suricatadir}{$et_md5_remove}");
+}
+
+// Set a common flag for all Emerging Threats rules (open and pro).
+if ($etpro == 'on' || $eto == 'on')
+	$emergingthreats = 'on';
+else
+	$emergingthreats = 'off';
+
+function suricata_download_file_url($url, $file_out) {
+
+	/************************************************/
+	/* This function downloads the file specified   */
+	/* by $url using the CURL library functions and */
+	/* saves the content to the file specified by   */
+	/* $file.                                       */
+	/*                                              */
+	/* This is needed so console output can be      */
+	/* suppressed to prevent XMLRPC sync errors.    */
+	/*                                              */
+	/* It provides logging of returned CURL errors. */
+	/************************************************/
+
+	global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update;
+
+	// Initialize required variables for the pfSense "read_body()" function
+	$file_size  = 1;
+	$downloaded = 1;
+	$first_progress_update = TRUE;
+
+
+	// Array of message strings for HTTP Response Codes
+	$http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", 
+				206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found", 
+				305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request", 
+				401 => "Unauthorized", 402 => "Payment Required", 403 => "Forbidden", 
+				404 => "Not Found", 405 => "Method Not Allowed", 407 => "Proxy Authentication Required", 
+				408 => "Request Timeout", 410 => "Gone", 500 => "Internal Server Error", 
+				501 => "Not Implemented", 502 => "Bad Gateway", 503 => "Service Unavailable", 
+				504 => "Gateway Timeout", 505 => "HTTP Version Not Supported" );
+
+	$last_curl_error = "";
+
+	$fout = fopen($file_out, "wb");
+	if ($fout) {
+		$ch = curl_init($url);
+		if (!$ch)
+			return false;
+		curl_setopt($ch, CURLOPT_FILE, $fout);
+
+		// NOTE: required to suppress errors from XMLRPC due to progress bar output
+		if ($g['suricata_sync_in_progress'])
+			curl_setopt($ch, CURLOPT_HEADER, false);
+		else {
+			curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header');
+			curl_setopt($ch, CURLOPT_WRITEFUNCTION, 'read_body');
+		}
+
+		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+		curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)");
+		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+		curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
+		curl_setopt($ch, CURLOPT_TIMEOUT, 0);
+
+		// Use the system proxy server setttings if configured
+		if (!empty($config['system']['proxyurl'])) {
+			curl_setopt($ch, CURLOPT_PROXY, $config['system']['proxyurl']);
+			if (!empty($config['system']['proxyport']))
+				curl_setopt($ch, CURLOPT_PROXYPORT, $config['system']['proxyport']);
+			if (!empty($config['system']['proxyuser']) && !empty($config['system']['proxypass'])) {
+				@curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_ANY | CURLAUTH_ANYSAFE);
+				curl_setopt($ch, CURLOPT_PROXYUSERPWD, "{$config['system']['proxyuser']}:{$config['system']['proxypass']}");
+			}
+		}
+
+		$counter = 0;
+		$rc = true;
+		// Try up to 4 times to download the file before giving up
+		while ($counter < 4) {
+			$counter++;
+			$rc = curl_exec($ch);
+			if ($rc === true)
+				break;
+			log_error(gettext("[Suricata] Rules download error: " . curl_error($ch)));
+			log_error(gettext("[Suricata] Will retry in 15 seconds..."));
+			sleep(15);
+		}
+		if ($rc === false)
+			$last_curl_error = curl_error($ch);
+		$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+		if (isset($http_resp_msg[$http_code]))
+			$last_curl_error = $http_resp_msg[$http_code];
+		curl_close($ch);
+		fclose($fout);
+
+		// If we had to try more than once, log it
+		if ($counter > 1)
+			log_error(gettext("File '" . basename($file_out) . "' download attempts: {$counter} ..."));
+		return ($http_code == 200) ? true : $http_code;
+	}
+	else {
+		$last_curl_error = gettext("Failed to create file " . $file_out);
+		log_error(gettext("[Suricata] Failed to create file {$file_out} ..."));
+		return false;
+	}
+}
+
+function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
+
+	/**********************************************************/
+	/* This function attempts to download the passed MD5 hash */
+	/* file and compare its contents to the currently stored  */
+	/* hash file to see if a new rules file has been posted.  */
+	/*                                                        */
+	/* On Entry: $file_url = URL for md5 hash file            */
+	/*           $file_dst = Temp destination to store the    */
+	/*                       downloaded hash file             */
+	/*           $desc     = Short text string used to label  */
+	/*                       log messages with rules type     */
+	/*                                                        */
+	/*  Returns: TRUE if new rule file download required.     */
+	/*           FALSE if rule download not required or an    */
+	/*           error occurred.                              */
+	/**********************************************************/
+
+	global $pkg_interface, $suricata_rules_upd_log, $last_curl_error;
+
+	$suricatadir = SURICATADIR;
+	$filename_md5 = basename($file_dst);
+
+	if ($pkg_interface <> "console")
+		update_status(gettext("Downloading {$desc} md5 file..."));
+	error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, $suricata_rules_upd_log);
+	$rc = suricata_download_file_url($file_url, $file_dst);
+
+	// See if download from URL was successful
+	if ($rc === true) {
+		if ($pkg_interface <> "console")
+			update_status(gettext("Done downloading {$filename_md5}."));
+		error_log("\tChecking {$desc} md5 file...\n", 3, $suricata_rules_upd_log);
+
+		// check md5 hash in new file against current file to see if new download is posted
+		if (file_exists("{$suricatadir}{$filename_md5}")) {
+			$md5_check_new = file_get_contents($file_dst);
+			$md5_check_old = file_get_contents("{$suricatadir}{$filename_md5}");
+			if ($md5_check_new == $md5_check_old) {
+				if ($pkg_interface <> "console")
+					update_status(gettext("{$desc} are up to date..."));
+				log_error(gettext("[Suricata] {$desc} are up to date..."));
+				error_log(gettext("\t{$desc} are up to date.\n"), 3, $suricata_rules_upd_log);
+				return false;
+			}
+			else
+				return true;
+		}
+		return true;
+	}
+	else {
+		error_log(gettext("\t{$desc} md5 download failed.\n"), 3, $suricata_rules_upd_log);
+		$suricata_err_msg = gettext("Server returned error code {$rc}.");
+		if ($pkg_interface <> "console") {
+			update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
+			update_output_window(gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}")); 
+		}
+		log_error(gettext("[Suricata] {$desc} md5 download failed..."));
+		log_error(gettext("[Suricata] Server returned error code {$rc}..."));
+		error_log(gettext("\t{$suricata_err_msg}\n"), 3, $suricata_rules_upd_log);
+		if ($pkg_interface == "console")
+			error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log);
+		error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log);
+		return false;
+	}
+}
+
+function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
+
+	/**********************************************************/
+	/* This function downloads the passed rules file and      */
+	/* compares its computed md5 hash to the passed md5 hash  */
+	/* to verify the file's integrity.                        */
+	/*                                                        */
+	/* On Entry: $file_url = URL of rules file                */
+	/*           $file_dst = Temp destination to store the    */
+	/*                       downloaded rules file            */
+	/*           $file_md5 = Expected md5 hash for the new    */
+	/*                       downloaded rules file            */
+	/*           $desc     = Short text string for use in     */
+	/*                       log messages                     */
+	/*                                                        */
+	/*  Returns: TRUE if download was successful.             */
+	/*           FALSE if download was not successful.        */
+	/**********************************************************/
+
+	global $pkg_interface, $suricata_rules_upd_log, $last_curl_error;
+
+	$suricatadir = SURICATADIR;
+	$filename = basename($file_dst);
+
+	if ($pkg_interface <> "console")
+		update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
+	log_error(gettext("[Suricata] There is a new set of {$desc} posted. Downloading {$filename}..."));
+	error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, $suricata_rules_upd_log);
+	error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, $suricata_rules_upd_log);
+       	$rc = suricata_download_file_url($file_url, $file_dst);
+
+	// See if the download from the URL was successful
+	if ($rc === true) {
+		if ($pkg_interface <> "console")
+			update_status(gettext("Done downloading {$desc} file."));
+		log_error("[Suricata] {$desc} file update downloaded successfully");
+		error_log(gettext("\tDone downloading rules file.\n"),3, $suricata_rules_upd_log);
+	
+		// Test integrity of the rules file.  Turn off update if file has wrong md5 hash
+		if ($file_md5 != trim(md5_file($file_dst))){
+			if ($pkg_interface <> "console")
+				update_output_window(gettext("{$desc} file MD5 checksum failed..."));
+			log_error(gettext("[Suricata] {$desc} file download failed.  Bad MD5 checksum..."));
+        	        log_error(gettext("[Suricata] Downloaded File MD5: " . md5_file($file_dst)));
+			log_error(gettext("[Suricata] Expected File MD5: {$file_md5}"));
+			error_log(gettext("\t{$desc} file download failed.  Bad MD5 checksum.\n"), 3, $suricata_rules_upd_log);
+			error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $suricata_rules_upd_log);
+			error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $suricata_rules_upd_log);
+			error_log(gettext("\t{$desc} file download failed.  {$desc} will not be updated.\n"), 3, $suricata_rules_upd_log);
+			return false;
+		}
+		return true;
+	}
+	else {
+		if ($pkg_interface <> "console")
+			update_output_window(gettext("{$desc} file download failed..."));
+		log_error(gettext("[Suricata] {$desc} file download failed... server returned error '{$rc}'..."));
+		error_log(gettext("\t{$desc} file download failed.  Server returned error {$rc}.\n"), 3, $suricata_rules_upd_log);
+		if ($pkg_interface == "console")
+			error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log);
+		error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log);
+		return false;
+	}
+
+}
+
+/* Start of main code */
+conf_mount_rw();
+
+/*  remove old $tmpfname files if present */
+if (is_dir("{$tmpfname}"))
+	exec("/bin/rm -r {$tmpfname}");
+
+/*  Make sure required suricatadirs exsist */
+exec("/bin/mkdir -p {$suricatadir}rules");
+exec("/bin/mkdir -p {$tmpfname}");
+exec("/bin/mkdir -p {$suricatalogdir}");
+
+/* See if we need to automatically clear the Update Log based on 1024K size limit */
+if (file_exists($suricata_rules_upd_log)) {
+	if (1048576 < filesize($suricata_rules_upd_log))
+		exec("/bin/rm -r {$suricata_rules_upd_log}");
+}
+
+/* Log start time for this rules update */
+error_log(gettext("Starting rules update...  Time: " . date("Y-m-d H:i:s") . "\n"), 3, $suricata_rules_upd_log);
+$last_curl_error = "";
+
+/*  Check for and download any new Emerging Threats Rules sigs */
+if ($emergingthreats == 'on') {
+	if (suricata_check_rule_md5("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}", "{$et_name} rules")) {
+		/* download Emerging Threats rules file */
+		$file_md5 = trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"));
+		if (!suricata_fetch_new_rules("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}", $file_md5, "{$et_name} rules"))
+			$emergingthreats = 'off';
+	}
+	else
+		$emergingthreats = 'off';
+}
+
+/*  Check for and download any new Snort VRT sigs */
+if ($snortdownload == 'on') {
+	if (suricata_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) {
+		/* download snortrules file */
+		$file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}"));
+		if (!suricata_fetch_new_rules("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules"))
+			$snortdownload = 'off';
+	}
+	else
+		$snortdownload = 'off';
+}
+
+/*  Check for and download any new Snort GPLv2 Community Rules sigs */
+if ($snortcommunityrules == 'on') {
+	if (suricata_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) {
+		/* download Snort GPLv2 Community Rules file */
+		$file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"));
+		if (!suricata_fetch_new_rules("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}", $file_md5, "Snort GPLv2 Community Rules"))
+			$snortcommunityrules = 'off';
+	}
+	else
+		$snortcommunityrules = 'off';
+}
+
+/* Untar Emerging Threats rules file to tmp if downloaded */
+if ($emergingthreats == 'on') {
+	safe_mkdir("{$tmpfname}/emerging");
+	if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
+		if ($pkg_interface <> "console") {
+			update_status(gettext("Extracting {$et_name} rules..."));
+			update_output_window(gettext("Installing {$et_name} rules..."));
+		}
+		error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $suricata_rules_upd_log);
+		exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
+
+		/* Remove the old Emerging Threats rules files */
+		$eto_prefix = ET_OPEN_FILE_PREFIX;
+		$etpro_prefix = ET_PRO_FILE_PREFIX;
+		array_map('unlink', glob("{$suricatadir}rules/{$eto_prefix}*.rules"));
+		array_map('unlink', glob("{$suricatadir}rules/{$etpro_prefix}*.rules"));
+		array_map('unlink', glob("{$suricatadir}rules/{$eto_prefix}*ips.txt"));
+		array_map('unlink', glob("{$suricatadir}rules/{$etpro_prefix}*ips.txt"));
+
+		// The code below renames ET-Pro files with a prefix, so we
+		// skip renaming the Suricata default events rule files
+		// that are also bundled in the ET-Pro rules.
+		$default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules" );
+		$files = glob("{$tmpfname}/emerging/rules/*.rules");
+		foreach ($files as $file) {
+			$newfile = basename($file);
+			if ($etpro == "on" && !in_array($newfile, $default_rules))
+				@copy($file, "{$suricatadir}rules/" . ET_PRO_FILE_PREFIX . "{$newfile}");
+			else
+				@copy($file, "{$suricatadir}rules/{$newfile}");
+		}
+		/* IP lists for Emerging Threats rules */
+		$files = glob("{$tmpfname}/emerging/rules/*ips.txt");
+		foreach ($files as $file) {
+			$newfile = basename($file);
+			if ($etpro == "on")
+				@copy($file, "{$suricatadir}rules/" . ET_PRO_FILE_PREFIX . "{$newfile}");
+			else
+				@copy($file, "{$suricatadir}rules/" . ET_OPEN_FILE_PREFIX . "{$newfile}");
+		}
+                /* base etc files for Emerging Threats rules */
+		foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
+			if (file_exists("{$tmpfname}/emerging/rules/{$file}"))
+				@copy("{$tmpfname}/emerging/rules/{$file}", "{$tmpfname}/ET_{$file}");
+		}
+
+		/*  Copy emergingthreats md5 sig to Suricata dir */
+		if (file_exists("{$tmpfname}/{$emergingthreats_filename_md5}")) {
+			if ($pkg_interface <> "console")
+				update_status(gettext("Copying md5 signature to Suricata directory..."));
+			@copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$suricatadir}{$emergingthreats_filename_md5}");
+		}
+		if ($pkg_interface <> "console") {
+			update_status(gettext("Extraction of {$et_name} rules completed..."));
+			update_output_window(gettext("Installation of {$et_name} rules completed..."));
+		}
+		error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $suricata_rules_upd_log);
+		exec("rm -r {$tmpfname}/emerging");
+	}
+}
+
+/* Untar Snort rules file to tmp */
+if ($snortdownload == 'on') {
+	if (file_exists("{$tmpfname}/{$snort_filename}")) {
+		/* Remove the old Snort rules files */
+		$vrt_prefix = VRT_FILE_PREFIX;
+		array_map('unlink', glob("{$suricatadir}rules/{$vrt_prefix}*.rules"));
+
+		if ($pkg_interface <> "console") {
+			update_status(gettext("Extracting Snort VRT rules..."));
+			update_output_window(gettext("Installing Sourcefire VRT rules..."));
+		}
+		error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $suricata_rules_upd_log);
+
+		/* extract snort.org rules and add prefix to all snort.org files */
+		safe_mkdir("{$tmpfname}/snortrules");
+		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname}/snortrules rules/");
+		$files = glob("{$tmpfname}/snortrules/rules/*.rules");
+		foreach ($files as $file) {
+			$newfile = basename($file);
+			@copy($file, "{$suricatadir}rules/" . VRT_FILE_PREFIX . "{$newfile}");
+		}
+
+		/* IP lists */
+		$files = glob("{$tmpfname}/snortrules/rules/*.txt");
+		foreach ($files as $file) {
+			$newfile = basename($file);
+			@copy($file, "{$suricatadir}rules/{$newfile}");
+		}
+		exec("rm -r {$tmpfname}/snortrules");
+
+		/* extract base etc files */
+		if ($pkg_interface <> "console") {
+		        update_status(gettext("Extracting Snort VRT config and map files..."));
+			update_output_window(gettext("Copying config and map files..."));
+		}
+		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/");
+		foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
+			if (file_exists("{$tmpfname}/etc/{$file}"))
+				@copy("{$tmpfname}/etc/{$file}", "{$tmpfname}/VRT_{$file}");
+		}
+		exec("rm -r {$tmpfname}/etc");
+		if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
+			if ($pkg_interface <> "console")
+				update_status(gettext("Copying md5 signature to Suricata directory..."));
+			@copy("{$tmpfname}/{$snort_filename_md5}", "{$suricatadir}{$snort_filename_md5}");
+		}
+		if ($pkg_interface <> "console") {
+			update_status(gettext("Extraction of Snort VRT rules completed..."));
+			update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
+		}
+		error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $suricata_rules_upd_log);
+	}
+}
+
+/* Untar Snort GPLv2 Community rules file to tmp */
+if ($snortcommunityrules == 'on') {
+	safe_mkdir("{$tmpfname}/community");
+	if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
+		if ($pkg_interface <> "console") {
+			update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
+			update_output_window(gettext("Installing Snort GPLv2 Community Rules..."));
+		}
+		error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $suricata_rules_upd_log);
+		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
+
+		$files = glob("{$tmpfname}/community/community-rules/*.rules");
+		foreach ($files as $file) {
+			$newfile = basename($file);
+			@copy($file, "{$suricatadir}rules/" . GPL_FILE_PREFIX . "{$newfile}");
+		}
+                /* base etc files for Snort GPLv2 Community rules */
+		foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
+			if (file_exists("{$tmpfname}/community/community-rules/{$file}"))
+				@copy("{$tmpfname}/community/community-rules/{$file}", "{$tmpfname}/" . GPL_FILE_PREFIX . "{$file}");
+		}
+		/*  Copy snort community md5 sig to suricata dir */
+		if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) {
+			if ($pkg_interface <> "console")
+				update_status(gettext("Copying md5 signature to suricata directory..."));
+			@copy("{$tmpfname}/{$snort_community_rules_filename_md5}", "{$suricatadir}{$snort_community_rules_filename_md5}");
+		}
+		if ($pkg_interface <> "console") {
+			update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
+			update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
+		}
+		error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $suricata_rules_upd_log);
+		exec("rm -r {$tmpfname}/community");
+	}
+}
+
+function suricata_apply_customizations($suricatacfg, $if_real) {
+
+	global $vrt_enabled, $rebuild_rules;
+	$suricatadir = SURICATADIR;
+
+	suricata_prepare_rule_files($suricatacfg, "{$suricatadir}suricata_{$suricatacfg['uuid']}_{$if_real}");
+
+	/* Copy the master config and map files to the interface directory */
+	@copy("{$suricatadir}classification.config", "{$suricatadir}suricata_{$suricatacfg['uuid']}_{$if_real}/classification.config");
+	@copy("{$suricatadir}reference.config", "{$suricatadir}suricata_{$suricatacfg['uuid']}_{$if_real}/reference.config");
+	@copy("{$suricatadir}gen-msg.map", "{$suricatadir}suricata_{$suricatacfg['uuid']}_{$if_real}/gen-msg.map");
+	@copy("{$suricatadir}unicode.map", "{$suricatadir}suricata_{$suricatacfg['uuid']}_{$if_real}/unicode.map");
+}
+
+if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') {
+
+	if ($pkg_interface <> "console")
+		update_status(gettext('Copying new config and map files...'));
+	error_log(gettext("\tCopying new config and map files...\n"), 3, $suricata_rules_upd_log);
+
+	/******************************************************************/
+	/* Build the classification.config and reference.config files     */
+	/* using the ones from all the downloaded rules plus the default  */
+	/* files installed with Suricata.                                 */
+	/******************************************************************/
+	$cfgs = glob("{$tmpfname}/*reference.config");
+	$cfgs[] = "{$suricatadir}reference.config";
+	suricata_merge_reference_configs($cfgs, "{$suricatadir}reference.config");
+	$cfgs = glob("{$tmpfname}/*classification.config");
+	$cfgs[] = "{$suricatadir}classification.config";
+	suricata_merge_classification_configs($cfgs, "{$suricatadir}classification.config");
+
+	/* Determine which map files to use for the master copy. */
+	/* The Snort VRT ones are preferred, if available.       */
+	if ($snortdownload == 'on')
+		$prefix = "VRT_";
+	elseif ($emergingthreats == 'on')
+		$prefix = "ET_";
+	elseif ($snortcommunityrules == 'on')
+		$prefix = GPL_FILE_PREFIX;
+	if (file_exists("{$tmpfname}/{$prefix}unicode.map"))
+		@copy("{$tmpfname}/{$prefix}unicode.map", "{$suricatadir}unicode.map");
+	if (file_exists("{$tmpfname}/{$prefix}gen-msg.map"))
+		@copy("{$tmpfname}/{$prefix}gen-msg.map", "{$suricatadir}gen-msg.map");
+
+	/* Start the rules rebuild proccess for each configured interface */
+	if (is_array($config['installedpackages']['suricata']['rule']) &&
+	    !empty($config['installedpackages']['suricata']['rule'])) {
+
+		/* Set the flag to force rule rebuilds since we downloaded new rules */
+		$rebuild_rules = true;
+
+		/* Create configuration for each active Suricata interface */
+		foreach ($config['installedpackages']['suricata']['rule'] as $value) {
+			$if_real = suricata_get_real_interface($value['interface']);
+			// Make sure the interface subdirectory exists.  We need to re-create
+			// it during a pkg reinstall on the intial rules set download.
+			if (!is_dir("{$suricatadir}suricata_{$value['uuid']}_{$if_real}"))
+				safe_mkdir("{$suricatadir}suricata_{$value['uuid']}_{$if_real}");
+			if (!is_dir("{$suricatadir}suricata_{$value['uuid']}_{$if_real}/rules"))
+				safe_mkdir("{$suricatadir}suricata_{$value['uuid']}_{$if_real}/rules");
+			$tmp = "Updating rules configuration for: " . suricata_get_friendly_interface($value['interface']) . " ...";
+			if ($pkg_interface <> "console"){
+				update_status(gettext($tmp));
+				update_output_window(gettext("Please wait while Suricata interface files are being updated..."));
+			}
+			suricata_apply_customizations($value, $if_real);
+			$tmp = "\t" . $tmp . "\n";
+			error_log($tmp, 3, $suricata_rules_upd_log);
+		}
+	}
+	else {
+		if ($pkg_interface <> "console") {
+		        update_output_window(gettext("Warning:  No interfaces configured for Suricata were found..."));
+			update_output_window(gettext("No interfaces currently have Suricata configured and enabled on them..."));
+		}
+		error_log(gettext("\tWarning:  No interfaces configured for Suricata were found...\n"), 3, $suricata_rules_upd_log);
+	}
+
+	/* Clear the rebuild rules flag.  */
+	$rebuild_rules = false;
+
+	/* Restart Suricata if already running and we are not rebooting to pick up the new rules. */
+       	if (is_process_running("suricata") && !$g['booting']) {
+		if ($pkg_interface <> "console") {
+			update_status(gettext('Restarting Suricata to activate the new set of rules...'));
+			update_output_window(gettext("Please wait ... restarting Suricata will take some time..."));
+		}
+		error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, $suricata_rules_upd_log);
+       		restart_service("suricata");
+		if ($pkg_interface <> "console")
+		        update_output_window(gettext("Suricata has restarted with your new set of rules..."));
+       		log_error(gettext("[Suricata] Suricata has restarted with your new set of rules..."));
+		error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, $suricata_rules_upd_log);
+	}
+	else {
+		if ($pkg_interface <> "console")
+			update_output_window(gettext("The rules update task is complete..."));
+	}
+}
+
+// Remove old $tmpfname files
+if (is_dir("{$tmpfname}")) {
+	if ($pkg_interface <> "console")
+		update_status(gettext("Cleaning up after rules extraction..."));
+	exec("/bin/rm -r {$tmpfname}");
+}
+
+if ($pkg_interface <> "console")
+	update_status(gettext("The Rules update has finished..."));
+log_error(gettext("[Suricata] The Rules update has finished."));
+error_log(gettext("The Rules update has finished.  Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $suricata_rules_upd_log);
+conf_mount_ro();
+
+// Restore the state of $pkg_interface
+$pkg_interface = $pkg_interface_orig;
+
+?>
-- 
cgit v1.2.3