From 2b7e84819d7ff6af65ecf52f81ec02924c40ef8e Mon Sep 17 00:00:00 2001
From: robiscool
Date: Sun, 27 Sep 2009 22:41:32 -0700
Subject: snort-dev, update to RC5, update snort_download to restart if snort is running, update snort.inc code for failers, dynamic ip reload update

---
 config/snort-dev/snort.inc | 6 +-
 config/snort-dev/snort.xml | 4 +-
 config/snort-dev/snort_check_for_rule_updates.php | 62 +++++++++----------
 config/snort-dev/snort_download_rules.php | 75 ++++++++++-------------
 config/snort-dev/snort_dynamic_ip_reload.php | 5 +-
 5 files changed, 74 insertions(+), 78 deletions(-)
 (limited to 'config')

diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc
index 38a91616..3b13ba14 100644
--- a/config/snort-dev/snort.inc
+++ b/config/snort-dev/snort.inc
@@ -88,7 +88,9 @@ function sync_package_snort()
 exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
 exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
 exec("/bin/rm -f /usr/local/etc/rc.d/snort");
-
+ exec("/bin/rm /tmp/snort_download_halt.pid");
+ exec("/bin/rm /tmp/snort.sh.pid");
+
 $first = 0;
 $snortInterfaces = array(); /* -gtm */
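Review bot: The two new `exec("/bin/rm ...")` calls delete `/tmp/snort_download_halt.pid` and `/tmp/snort.sh.pid` without `-f`, unlike the `rm -f` on the line above them, so every package sync in which the files are absent writes an rm error to stderr; `exec("/bin/rm -f /tmp/snort_download_halt.pid /tmp/snort.sh.pid");` covers both in one call. Both markers also sit under a fixed name in world-writable `/tmp`, and the generated rc script in the next hunk (`$if_snort_pid`) exits without starting snort whenever `/tmp/snort.sh.pid` exists, so any local process that can write `/tmp` can leave snort stopped; a root-owned state directory such as `/var/run` would remove that dependency. sync_package_snort() starts before this hunk and continues after it.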
@@ -152,7 +154,7 @@ function sync_package_snort()
 if ($snortbarnyardlog_info_chk == on)
 $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n";
 }
- $check_if_snort_runs = "\nif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\texit 1\nfi\n\n";
+ $check_if_snort_runs = "\nif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php\n\texit 1\nfi\n\n";
 $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n";
 $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n";
 $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n";
diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml
index 7a61d8c1..4f039a97 100644
--- a/config/snort-dev/snort.xml
+++ b/config/snort-dev/snort.xml
@@ -47,7 +47,7 @@ Currently there are no FAQ items provided.
 Snort 2.8.4.1_1
- Services: Snort 2.8.4.1_1 pkg v. 1.6 RC4
+ Services: Snort 2.8.4.1_2 pkg v. 1.6 RC5
 /usr/local/pkg/snort.inc
 Snort
@@ -164,7 +164,7 @@ http://www.pfsense.com/packages/config/snort-dev/snort_alerts.php
- /usr/local/pkg/
+ /usr/local/pkg/pf/
 077
 http://www.pfsense.com/packages/config/snort-dev/snort_dynamic_ip_reload.php
diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php
index 8a6aedc9..4430c4a2 100644
--- a/config/snort-dev/snort_check_for_rule_updates.php
+++ b/config/snort-dev/snort_check_for_rule_updates.php
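Review bot: The line added inside `$check_if_snort_runs` is the only one in the generated rc block without the `\t` indent its neighbours carry, and it hard-codes `/usr/local/pkg/pf/`, the location this same commit introduces in snort.xml's second hunk, so the two must be kept in step by hand or the "already running" branch silently runs nothing before `exit 1`. As far as the snort_dynamic_ip_reload.php hunk shows, that script regenerates snort.conf, flushes the snort2c table and sends `killall -HUP snort` on a dynamic WAN, which is a material behaviour change for every start attempt against a running snort and deserves a comment in the emitted script. Suggested line: `\n\t/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php # refresh the dynamic WAN address before giving up\n`. sync_package_snort() starts before this hunk and continues after it.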
@@ -237,12 +237,15 @@ if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats
 exit(0);
 }
-/* "You are Not Up to date */;
- echo "You are NOT up to date...\n";
- echo "Stopping Snort service...\n";
-stop_service("snort");
-sleep(2);
-// start_service("snort");
+/* You are Not Up to date, always stop snort when updating rules for low end machines */;
+echo "You are NOT up to date...\n";
+echo "Stopping Snort service...\n";
+$chk_if_snort_up = exec("pgrep -x snort");
+if ($chk_if_snort_up != "") {
+ exec("/usr/bin/touch /tmp/snort_download_halt.pid");
+ stop_service("snort");
+ sleep(2);
+}
 /* download snortrules file */
 if ($snort_md5_check_ok != on) {
@@ -539,23 +542,6 @@ if (file_exists("{$snortdir}/doc/signatures")) {
 }
 }
-/* Copy snort rules and emergingthreats and pfsense dir to snort dir */
-//if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
-//if (file_exists("{$tmpfname}/rules")) {
-// echo "Copying rules...\n";
-// echo "May take a while...\n";
-// exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules");
-// echo "Done copping rules.\n"; /* Write out time of last sucsessful rule install catch */
-// $config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A");
-// write_config();
-//} else {
-// echo "Directory rules does not exists...\n";
-// echo "Error copying rules direcory...\n";
-// exit(0);
-// }
-//}
-
 /* double make shure clean up emerg rules that dont belong */
 if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) {
 apc_clear_cache();
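Review bot: The new block records "snort was running" by touching `/tmp/snort_download_halt.pid`, but the file is only removed on the success path at the end of the script, so any early exit between here and there (the script already returns with `exit(0)`, one instance visible just above this hunk) leaves the marker behind and a later run will `start_service("snort")` even when the admin had stopped it on purpose; snort.inc now clearing the file on package sync masks this rather than fixing it. Nothing in this diff reads the marker except the two updater scripts themselves, so a plain variable does the job without relying on world-writable `/tmp`: `$snort_was_running = ($chk_if_snort_up != "");` here and `if ($snort_was_running) {` in place of the `file_exists` test at the end of the script. The same block appears in snort_download_rules.php at @@ -338,12 +335,15 @@ and has the same issue.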
@@ -584,7 +570,7 @@ exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_b
 if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
 if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) {
-echo "Your enable and disable changes are being applied to your fresh set of rules...\n";
+echo "Your first set of rules are being copied...\n";
 echo "May take a while...\n";
 exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/");
@@ -599,15 +585,16 @@ echo "May take a while...\n";
 exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}");
 } else {
-
+ echo "Your enable and disable changes are being applied to your fresh set of rules...\n";
+ echo "May take a while...\n";
 exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}");
- exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}");
+// exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/generators {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/sid {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}");
- exec("/bin/cp {$snortdir}/snort.conf {$snortdir_wan}");
- exec("/bin/cp {$snortdir}/threshold.conf {$snortdir_wan}");
+// exec("/bin/cp {$snortdir}/snort.conf {$snortdir_wan}");
+// exec("/bin/cp {$snortdir}/threshold.conf {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}");
 /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */
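Review bot: In the `else` branch the copies of `gen-msg.map`, `snort.conf` and `threshold.conf` into `{$snortdir_wan}` are commented out rather than removed, while the first branch (no saved `rule_sid_on`/`rule_sid_off`) still copies `gen-msg.map` (visible in the snort_download_rules.php counterpart at @@ -705,9 +688,8 @@), so the per-interface directory ends up with a different file set depending on whether enable/disable changes were ever saved. If the intent is to keep the interface's tuned `snort.conf` and `threshold.conf` across a rule update, that should be said and the dead lines dropped, e.g. `/* snort.conf, threshold.conf and gen-msg.map are deliberately not refreshed here so the interface's tuned copies survive a rule update */`; otherwise `gen-msg.map` should be treated the same way in both branches. The enclosing `if ($snort_md5_check_ok != on || ...)` starts before this hunk, and the identical change is in snort_download_rules.php at @@ -720,15 +702,17 @@.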
@@ -620,13 +607,26 @@ echo "May take a while...\n";
 }
 }
+/* remove old $tmpfname files */
+if (file_exists("{$tmpfname}")) {
+ echo "Cleaning up...\n";
+ exec("/bin/rm -r /tmp/snort_rules_up");
+}
+
 /* php code to flush out cache some people are reportting missing files this might help */
 sleep(5);
 apc_clear_cache();
 exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync");
-/* php code finish */
-echo "The Rules update finished...\n";
-echo "You may start snort now...\n";
+/* if snort is running hardrestart, if snort is not running do nothing */
+if (file_exists("/tmp/snort_download_halt.pid")) {
+ start_service("snort");
+ echo "The Rules update finished...\n";
+ echo "Snort has restarted with your new set of rules...\n";
+ exec("/bin/rm /tmp/snort_download_halt.pid");
+} else {
+ echo "The Rules update finished...\n";
+ echo "You may start snort now...\n";
+}
 ?>
diff --git a/config/snort-dev/snort_download_rules.php b/config/snort-dev/snort_download_rules.php
index 73618dd7..8eca3d34 100644
--- a/config/snort-dev/snort_download_rules.php
+++ b/config/snort-dev/snort_download_rules.php
@@ -296,9 +296,6 @@ if ($emerg_md5_check_new == $emerg_md5_check_old) {
 update_output_window(gettext("You may start Snort now, check update."));
 hide_progress_bar_status();
 $emerg_md5_check_chk_ok = on;
- /* Timestamps to html */
-// echo "\n
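Review bot: The new cleanup tests `file_exists("{$tmpfname}")` but then removes the hard-coded `/tmp/snort_rules_up`, so the guard and the action can disagree: either nothing is removed, or a directory other than the one checked is; the commented-out block this replaces in snort_download_rules.php used `{$tmpfname}`. `exec("/bin/rm -r " . escapeshellarg($tmpfname));` keeps the two in step and quotes the path should it ever be built from anything variable. A fixed name under `/tmp` is also shared with every local user, so a per-run directory created with restrictive permissions would avoid collisions with files the updater did not create. The same block is in snort_download_rules.php at @@ -742,21 +726,28 @@.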

You last checked for updates: {$last_md5_download}

\n"; -// echo "\n

You last installed for rules: {$last_rules_install}

\n";
 }
 }
 }
@@ -338,12 +335,15 @@ if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats
 exit(0);
 }
-/* "You are Not Up to date */;
+/* You are Not Up to date, always stop snort when updating rules for low end machines */;
 update_status(gettext("You are NOT up to date..."));
- update_output_window(gettext("Stopping Snort service..."));
-stop_service("snort");
-sleep(2);
-// start_service("snort");
+update_output_window(gettext("Stopping Snort service..."));
+$chk_if_snort_up = exec("pgrep -x snort");
+if ($chk_if_snort_up != "") {
+ exec("/usr/bin/touch /tmp/snort_download_halt.pid");
+ stop_service("snort");
+ sleep(2);
+}
 /* download snortrules file */
 if ($snort_md5_check_ok != on) {
@@ -660,23 +660,6 @@ if (file_exists("{$snortdir}/doc/signatures")) {
 }
 }
-/* Copy snort rules and emergingthreats and pfsense dir to snort dir */
-// if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
-// if (file_exists("{$tmpfname}/rules")) {
-// update_status(gettext("Copying rules..."));
-// update_output_window(gettext("May take a while..."));
-// exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules");
-// update_status(gettext("Done copping rules."));
-// /* Write out time of last sucsessful rule install catch */
-// $config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A");
-// write_config();
-// } else {
-// update_status(gettext("Directory rules does not exists..."));
-// update_output_window(gettext("Error copying rules direcory..."));
-// exit(0);
-// }
-// }
-
 /* double make shure cleanup emerg rules that dont belong */
 if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) {
 apc_clear_cache();
@@ -705,9 +688,8 @@ exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_b
 if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
 if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) {
-update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules..."));
-update_output_window(gettext("May take a while..."));
-
+ update_status(gettext("Your first set of rules are being copied..."));
+ update_output_window(gettext("May take a while..."));
 exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/");
 exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}");
@@ -720,15 +702,17 @@ update_output_window(gettext("May take a while..."));
 exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}");
 } else {
+ update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules..."));
+ update_output_window(gettext("May take a while..."));
 exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}");
- exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}");
+// exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/generators {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/sid {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}");
- exec("/bin/cp {$snortdir}/snort.conf {$snortdir_wan}");
- exec("/bin/cp {$snortdir}/threshold.conf {$snortdir_wan}");
+// exec("/bin/cp {$snortdir}/snort.conf {$snortdir_wan}");
+// exec("/bin/cp {$snortdir}/threshold.conf {$snortdir_wan}");
 exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}");
 /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */
@@ -742,21 +726,28 @@ update_output_window(gettext("May take a while..."));
 }
 }
+/* remove old $tmpfname files */
+if (file_exists("{$tmpfname}")) {
+ update_status(gettext("Cleaning up..."));
+ exec("/bin/rm -r /tmp/snort_rules_up");
+// apc_clear_cache();
+}
+
 /* php code to flush out cache some people are reportting missing files this might help */
-sleep(5);
+sleep(2);
 apc_clear_cache();
 exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync");
-/* remove old $tmpfname files */
-//if (file_exists("{$tmpfname}")) {
-// update_status(gettext("Cleaning up..."));
-// exec("/bin/rm -r {$tmpfname}");
-// apc_clear_cache();
-//}
-
-/* php code finish */
-update_status(gettext("The Rules update finished..."));
-update_output_window(gettext("You may start snort now..."));
+/* if snort is running hardrestart, if snort is not running do nothing */
+if (file_exists("/tmp/snort_download_halt.pid")) {
+ start_service("snort");
+ update_status(gettext("The Rules update finished..."));
+ update_output_window(gettext("Snort has restarted with your new set of rules..."));
+ exec("/bin/rm /tmp/snort_download_halt.pid");
+} else {
+ update_status(gettext("The Rules update finished..."));
+ update_output_window(gettext("You may start snort now..."));
+}
 /* hide progress bar and lets end this party */
 hide_progress_bar_status();
diff --git a/config/snort-dev/snort_dynamic_ip_reload.php b/config/snort-dev/snort_dynamic_ip_reload.php
index dbd6d015..7933ba16 100644
--- a/config/snort-dev/snort_dynamic_ip_reload.php
+++ b/config/snort-dev/snort_dynamic_ip_reload.php
@@ -40,7 +40,10 @@ if($config['interfaces']['wan']['ipaddr'] == "pppoe" or
 create_snort_conf();
 mwexec("/sbin/pfctl -t snort2c -T flush");
 exec("killall -HUP snort");
- exec("/usr/bin/killall snort2c; snort2c -w /var/db/whitelist -a /var/log/snort/alert");
+ /* define snortbarnyardlog_chk */
+ $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog'];
+ if ($snortbarnyardlog_info_chk == on)
+ exec("/usr/bin/killall barnyard2; /usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n");
 }
 ?>
\ No newline at end of file
-- 
cgit v1.2.3
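Review bot: The removed line was the only place this reload restarted `snort2c` after the `snort2c` table is flushed two lines above; the replacement only restarts barnyard2, and neither the hunk nor the commit message says whether snort2c no longer needs a restart after `killall -HUP snort`, so a comment such as `/* snort2c keeps running across the HUP; only barnyard2 needs a restart */` (if that is the case) would stop the next reader re-adding it. The new exec string also ends in `\n`, which is handed to the shell as part of the command, and `== on` compares against the undefined constant `on` (PHP treats it as the string "on" and emits a notice), which is the idiom used elsewhere in this package but `if ($snortbarnyardlog_info_chk == "on")` avoids the notice. The `if` this sits in starts before the hunk.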