From 2ddf14eff84f79e584a324d978558f16461df05d Mon Sep 17 00:00:00 2001 From: robiscool Date: Fri, 11 Sep 2009 00:42:24 -0700 Subject: snort-dev, update snort auto update, update snort.inc, add perl depend.. --- config/snort-dev/snort.inc | 2 + config/snort-dev/snort_check_for_rule_updates.php | 651 +++++++++++++++++----- 2 files changed, 528 insertions(+), 125 deletions(-) (limited to 'config') diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index 46f28a1a..e84c0e31 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -59,9 +59,11 @@ function sync_package_snort_install() { global $g, $config; /* create a few directories and ensure the sample files are in place */ + exec("/bin/mkdir -p /usr/local/etc/snort_bkup"); exec("/bin/mkdir -p /usr/local/etc/snort"); exec("/bin/mkdir -p /var/log/snort"); exec("/bin/mkdir -p /usr/local/etc/snort/rules"); + exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map"); exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config"); exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map"); diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php index 90df3bc7..98cb82ae 100644 --- a/config/snort-dev/snort_check_for_rule_updates.php +++ b/config/snort-dev/snort_check_for_rule_updates.php @@ -1,125 +1,526 @@ -#!/usr/local/bin/php -f - $date2ts or !$last_ruleset_download) { - log_error("There is a new set of Snort rules posted. Downloading..."); - if(!$oinkid) { - log_error("Oinkid is not defined. We cannot automatically update the ruleset."); - echo "Oinkid is not defined. We cannot automatically update the ruleset."; - exit; - } - echo "Downloading snort rule updates..."; - /* setup some variables */ - $premium_subscriber = ""; - - /* Snort version */ - $snort_version = "2.8"; - - /* Are we using the premium subscriber subscription? */ - if($config['installedpackages']['snortadvanced']['config'][0]['subscriber']) { - // http://www.snort.org/pub-bin/downloads.cgi/Download/sub_rules/snortrules-snapshot-CURRENT_s.tar.gz.md5 - $premium_subscriber = "_s"; - $snort_download_prefix = "http://www.snort.org/pub-bin/oinkmaster.cgi"; - } else { - // http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-CURRENT.tar.gz.md5 - $premium_subscriber = ""; - $snort_download_prefix = "http://www.snort.org/pub-bin/oinkmaster.cgi"; - } - - /* Set snort rules download filename */ - $snort_filename = "snortrules-snapshot-{$snort_version}{$premium_subscriber}.tar.gz"; - $snort_filename_md5 = "snortrules-snapshot-{$snort_version}{$premium_subscriber}.tar.gz.md5"; - - /* multi user system, request new filename and create directory */ - $tmpfname = tempnam("/tmp", "snortRules"); - exec("/bin/rm -rf {$tmpfname};/bin/mkdir -p {$tmpfname}"); - - /* download snort rules */ - exec("fetch -q -o {$tmpfname}/{$snort_filename} $dl"); - verify_downloaded_file($tmpfname . "/{$snort_filename}"); - - /* download snort rules md5 file */ - $static_output = gettext("Downloading current snort rules md5... "); - exec("fetch -q -o {$tmpfname}/{$snort_filename_md5} $dl_md5"); - verify_downloaded_file($tmpfname . "/{$snort_filename_md5}"); - - /* verify downloaded rules signature */ - verify_snort_rules_md5($tmpfname); - - /* extract rules */ - extract_snort_rules_md5($tmpfname); - - $config['installedpackages']['snort']['last_ruleset_download'] = date("Y-m-d"); - write_config(); - - stop_service("snort"); - sleep(2); - start_service("snort"); - - /* cleanup temporary directory */ - exec("/bin/rm -rf {$tmpfname};"); - echo "Rules are now up to date.\n"; - log_error("Snort rules updated. New version: {$last_update_date}."); -} else { - echo "Rules are up to date.\n"; - log_error("Snort rules are up to date. Not updating."); -} - -?> \ No newline at end of file + + + + filesize("{$tmpfname}/$snort_filename")){ + echo "Error with the snort rules download...\n"; + echo "Snort rules file downloaded failed...\n"; + exit(0); + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + echo "Emergingthreats tar file exists...\n"; +} else { + echo "There is a new set of Emergingthreats rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); +// $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); + $f = fopen("{$tmpfname}/emerging.rules.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading Emergingthreats rules file.\n"; + } + } + } + +/* download pfsense rules file */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + echo "Snortrule tar file exists...\n"; +} else { + unhide_progress_bar_status(); + echo "There is a new set of Pfsense rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz"); + $f = fopen("{$tmpfname}/pfsense_rules.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading rules file.\n"; + } +} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + echo "Extracting rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/web-misc.rules/"); + echo "Done extracting Rules.\n"; +} else { + echo "The Download rules file missing...\n"; + echo "Error rules extracting failed...\n"; + exit(0); + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + echo "Extracting rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + echo "Extracting Pfsense rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$tmpfname} rules/"); + } +} + +/* Untar snort signatures */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { +$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { + echo "Extracting Signatures...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} doc/signatures/"); + echo "Done extracting Signatures.\n"; + } + } +} + +/* Make Clean Snort Directory */ +if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { +if (file_exists("{$snortdir}/rules")) { + echo "Cleaning the snort Directory...\n"; + echo "removing...\n"; + exec("/bin/rm {$snortdir}/*"); + exec("/bin/rm {$snortdir}/rules/*"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); +} else { + echo "Making Snort Directory...\n"; + echo "should be fast...\n"; + exec("/bin/mkdir {$snortdir}"); + exec("/bin/mkdir {$snortdir}/rules"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); + echo "Done making snort direcory.\n"; + } +} + +/* Copy snort rules and emergingthreats and pfsense dir to snort dir */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/rules")) { + echo "Copying rules...\n"; + echo "May take a while...\n"; + exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules"); + echo "Done copping rules.\n"; + /* Write out time of last sucsessful rule install catch */ + $config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A"); + write_config(); +} else { + echo "Directory rules does not exists...\n"; + echo "Error copying rules direcory...\n"; + exit(0); + } +} + +/* Copy md5 sig to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$snort_filename_md5")) { + echo "Copying md5 sig to snort directory...\n"; + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); +} else { + echo "The md5 file does not exist...\n"; + echo "Error copping config...\n"; + exit(0); + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { + echo "Copying md5 sig to snort directory...\n"; + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); +} else { + echo "The emergingthreats md5 file does not exist...\n"; + echo "Error copping config...\n"; + exit(0); + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + echo "Copying Pfsense md5 sig to snort directory...\n"; + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); +} else { + echo "The Pfsense md5 file does not exist...\n"; + echo "Error copping config...\n"; + exit(0); + } +} + +/* Copy configs to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/etc/Makefile.am")) { + echo "Copying configs to snort directory...\n"; + exec("/bin/cp {$tmpfname}/etc/* {$snortdir}"); +} else { + echo "The snort configs does not exist...\n"; + echo "Error copping config...\n"; + exit(0); + } +} + +/* Copy signatures dir to snort dir */ +if ($snort_md5_check_ok != on) { +$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { +if (file_exists("{$tmpfname}/doc/signatures")) { + echo "Copying signatures...\n"; + echo "May take a while...\n"; + exec("/bin/mv -f {$tmpfname}/doc/signatures {$snortdir}/signatures"); + echo "Done copying signatures.\n"; +} else { + echo "Directory signatures exist...\n"; + echo "Error copping signature...\n"; + exit(0); + } + } +} + +/* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { + echo "Copying so_rules...\n"; + echo "May take a while...\n"; + sleep(2); + exec("`/bin/cp -f {$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); + exec("/bin/cp {$tmpfname}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules"); + echo "Done copying so_rules.\n"; +} else { + echo "Directory so_rules does not exist...\n"; + echo "Error copping so_rules...\n"; + exit(0); + } +} + +/* double make shure clean up emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*"); +} + +/* php code to flush out cache some people are reportting missing files this might help */ +sleep(5); +apc_clear_cache(); +exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + + +echo "Updating Alert Messages...\n"; +echo "Please Wait...\n"; +sleep(2); +exec("/usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/gen-msg.map"); + +/* php code finish */ +echo "The Rules update finished...\n"; +echo "You may start snort now...\n"; + +?> -- cgit v1.2.3