From 38568b846709678742d736aee55483b32e9ab677 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 8 Oct 2013 16:31:18 -0400 Subject: Add support for Emerging Threats Pro ruleset --- config/snort/snort.inc | 5 +- config/snort/snort_check_for_rule_updates.php | 135 ++++++++++++++++---------- config/snort/snort_download_updates.php | 26 ++++- config/snort/snort_interfaces_global.php | 98 ++++++++++++++----- config/snort/snort_rulesets.php | 25 ++++- 5 files changed, 200 insertions(+), 89 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index bce9c2a3..e6039510 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -67,12 +67,9 @@ else { /* Define some useful constants for Snort */ define("SNORTLOGDIR", "/var/log/snort"); -define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); -define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); -define("ET_VERSION", "2.9.0"); define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); -define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); define("FLOWBITS_FILENAME", "flowbit-required.rules"); define("ENFORCING_RULES_FILENAME", "snort.rules"); define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 30da4b74..21eb7bd2 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -35,29 +35,25 @@ require_once "/usr/local/pkg/snort/snort.inc"; global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; - -if (!defined("VRT_DNLD_FILENAME")) - define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); if (!defined("VRT_DNLD_URL")) define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); if (!defined("ET_VERSION")) define("ET_VERSION", "2.9.0"); if (!defined("ET_BASE_DNLD_URL")) define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/"); +if (!defined("ETPRO_BASE_DNLD_URL")) + define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/"); if (!defined("ET_DNLD_FILENAME")) define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +if (!defined("ETPRO_DNLD_FILENAME")) + define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); if (!defined("GPLV2_DNLD_FILENAME")) define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); if (!defined("GPLV2_DNLD_URL")) define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); -if (!defined("FLOWBITS_FILENAME")) - define("FLOWBITS_FILENAME", "flowbit-required.rules"); -if (!defined("ENFORCING_RULES_FILENAME")) - define("ENFORCING_RULES_FILENAME", "snort.rules"); if (!defined("RULES_UPD_LOGFILE")) define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); - $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; @@ -72,8 +68,10 @@ else /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$etproid = $config['installedpackages']['snortglobal']['etpro_code']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; $vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; @@ -81,19 +79,39 @@ $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; /* Working directory for downloaded rules tarballs */ $tmpfname = "{$snortdir}/tmp/snort_rules_up"; -/* Snort VRT rules filenames and URL */ -$snort_filename = VRT_DNLD_FILENAME; -$snort_filename_md5 = VRT_DNLD_FILENAME . ".md5"; +/* Grab the Snort binary version programmatically and use it to construct */ +/* the proper Snort VRT rules tarball and md5 filenames. */ +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +// Save the version with decimal delimiters for use in extracting the rules +$snort_version = $snortver[0]; +// Create a collapsed version string for use in the tarball filename +$snortver[0] = str_replace(".", "", $snortver[0]); +$snort_filename = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +$snort_filename_md5 = "{$snort_filename}.md5"; $snort_rule_url = VRT_DNLD_URL; -/* Emerging Threats rules filenames and URL */ -$emergingthreats_filename = ET_DNLD_FILENAME; -$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; -$emerging_threats_version = ET_VERSION; -$emergingthreats_url = ET_BASE_DNLD_URL; -// If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules -$emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/"; -$emergingthreats_url .= "snort-" . ET_VERSION . "/"; +/* Set up Emerging Threats rules filenames and URL */ +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $emergingthreats_filename_md5 = ETPRO_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ETPRO_BASE_DNLD_URL; + $emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/"; + $emergingthreats = "on"; + $et_name = "Emerging Threats Pro"; + $et_md5_remove = ET_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ET_BASE_DNLD_URL; + // If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules + $emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/"; + $emergingthreats_url .= "snort-" . ET_VERSION . "/"; + $et_name = "Emerging Threats Open"; + $et_md5_remove = ETPRO_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} /* Snort GPLv2 Community Rules filenames and URL */ $snort_community_rules_filename = GPLV2_DNLD_FILENAME; @@ -418,34 +436,34 @@ if ($snortcommunityrules == 'on') { /* download md5 sig from emergingthreats.net */ if ($emergingthreats == 'on') { if ($pkg_interface <> "console") - update_status(gettext("Downloading EmergingThreats md5 file...")); - error_log(gettext("\tDownloading EmergingThreats md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); + update_status(gettext("Downloading {$et_name} md5 file...")); + error_log(gettext("\tDownloading {$et_name} md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); if ($rc === true) { if ($pkg_interface <> "console") - update_status(gettext("Done downloading EmergingThreats md5 file {$emergingthreats_filename_md5}")); - error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); + update_status(gettext("Done downloading {$et_name} md5 file {$emergingthreats_filename_md5}")); + error_log(gettext("\tChecking {$et_name} md5.\n"), 3, $snort_rules_upd_log); if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { /* Check if were up to date emergingthreats.net */ $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); if ($emerg_md5_check_new == $emerg_md5_check_old) { if ($pkg_interface <> "console") - update_status(gettext("Emerging Threats rules are up to date...")); - log_error(gettext("[Snort] Emerging Threat rules are up to date...")); - error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); + update_status(gettext("{$et_name} rules are up to date...")); + log_error(gettext("[Snort] {$et_name} rules are up to date...")); + error_log(gettext("\t{$et_name} rules are up to date.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } } else { if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); - log_error(gettext("[Snort] EmergingThreats md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\tEmergingThreats md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); + update_output_window(gettext("{$et_name} md5 file download failed. {$et_name} rules will not be updated.")); + log_error(gettext("[Snort] {$et_name} md5 file download failed. Server returned error code '{$rc}'.")); + error_log(gettext("\t{$et_name} md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); if ($pkg_interface == "console") error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tEmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } @@ -453,9 +471,9 @@ if ($emergingthreats == 'on') { /* download emergingthreats rules file */ if ($emergingthreats == "on") { if ($pkg_interface <> "console") - update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading {$emergingthreats_filename}...")); - log_error(gettext("[Snort] There is a new set of EmergingThreats rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of EmergingThreats rules posted.\n"), 3, $snort_rules_upd_log); + update_status(gettext("There is a new set of {$et_name} rules posted. Downloading {$emergingthreats_filename}...")); + log_error(gettext("[Snort] There is a new set of {$et_name} rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of {$et_name} rules posted.\n"), 3, $snort_rules_upd_log); error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); @@ -463,29 +481,29 @@ if ($emergingthreats == "on") { if ($rc === true) { if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats rules file MD5 checksum failed...")); - log_error(gettext("[Snort] EmergingThreats rules file download failed. Bad MD5 checksum...")); + update_output_window(gettext("{$et_name} rules file MD5 checksum failed...")); + log_error(gettext("[Snort] {$et_name} rules file download failed. Bad MD5 checksum...")); log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); - error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$et_name} rules file download failed. {$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } else { if ($pkg_interface <> "console") - update_status(gettext('Done downloading EmergingThreats rules file.')); - log_error("[Snort] EmergingThreats rules file update downloaded successfully"); - error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); + update_status(gettext('Done downloading {$et_name} rules file.')); + log_error("[Snort] {$et_name} rules file update downloaded successfully"); + error_log(gettext("\tDone downloading {$et_name} rules file.\n"), 3, $snort_rules_upd_log); } } else { if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping EmergingThreats update...")); - update_output_window(gettext("EmergingThreats rules file download failed...")); + update_status(gettext("The server returned error code {$rc} ... skipping {$et_name} update...")); + update_output_window(gettext("{$et_name} rules file download failed...")); } - log_error(gettext("[Snort] EmergingThreats rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\tEmergingThreats rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); + log_error(gettext("[Snort] {$et_name} rules file download failed. Server returned error '{$rc}'...")); + error_log(gettext("\t{$et_name} rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); if ($pkg_interface == "console") error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; @@ -497,22 +515,34 @@ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if ($pkg_interface <> "console") { - update_status(gettext("Extracting EmergingThreats.org rules...")); - update_output_window(gettext("Installing EmergingThreats rules...")); + update_status(gettext("Extracting {$et_name} rules...")); + update_output_window(gettext("Installing {$et_name} rules...")); } - error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); + /* Remove the old Emerging Threats rules files */ + array_map('unlink', glob("{$snortdir}/rules/emerging-*.rules")); + array_map('unlink', glob("{$snortdir}/rules/etpro-*.rules")); + array_map('unlink', glob("{$snortdir}/rules/emerging-*ips.txt")); + array_map('unlink', glob("{$snortdir}/rules/etpro-*ips.txt")); + $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + else + @copy($file, "{$snortdir}/rules/{$newfile}"); } /* IP lists for Emerging Threats rules */ $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + else + @copy($file, "{$snortdir}/rules/emerging-{$newfile}"); } /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { @@ -527,10 +557,10 @@ if ($emergingthreats == 'on') { @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } if ($pkg_interface <> "console") { - update_status(gettext("Extraction of EmergingThreats.org rules completed...")); - update_output_window(gettext("Installation of EmergingThreats rules completed...")); + update_status(gettext("Extraction of {$et_name} rules completed...")); + update_output_window(gettext("Installation of {$et_name} rules completed...")); } - error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log); exec("rm -r {$snortdir}/tmp/emerging"); } } @@ -544,6 +574,9 @@ if ($snortdownload == 'on') { if (substr(php_uname("r"), 0, 1) == '9') $freebsd_version_so = 'FreeBSD-9-0'; + /* Remove the old Snort rules files */ + array_map('unlink', glob("{$snortdir}/rules/snort_*.rules")); + if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); update_output_window(gettext("Installing Sourcefire VRT rules...")); diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 1f87fbbc..09ab646a 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -40,8 +40,14 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortdir = SNORTDIR; $snort_rules_upd_log = RULES_UPD_LOGFILE; $log = $snort_rules_upd_log; -$snort_rules_file = VRT_DNLD_FILENAME; -$emergingthreats_filename = ET_DNLD_FILENAME; + +/* Grab the Snort binary version programmatically and */ +/* use it to construct the proper Snort VRT rules */ +/* tarball filename. */ +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +$snortver[0] = str_replace(".", "", $snortver[0]); +$snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +//$snort_rules_file = VRT_DNLD_FILENAME; $snort_community_rules_filename = GPLV2_DNLD_FILENAME; /* load only javascript that is needed */ @@ -49,8 +55,18 @@ $snort_load_jquery = 'yes'; $snort_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $et_name = "EMERGING THREATS PRO RULES"; +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $et_name = "EMERGING THREATS RULES"; +} + /* quick md5s chk */ $snort_org_sig_chk_local = 'N/A'; if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) @@ -138,9 +154,9 @@ h += 96;



- SNORT.ORG  --> + SNORT VRT RULES  -->   
- EMERGINGTHREATS.NET  --> +   -->   
SNORT GPLv2 COMMUNITY RULES  -->   
@@ -160,7 +176,7 @@ h += 96; ' . gettext("Update Rules") . '

diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index d28ec2b4..089255b6 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -44,7 +44,9 @@ $snortdir = SNORTDIR; /* make things short */ $pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; $pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; +$pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code']; $pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; +$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; @@ -63,14 +65,22 @@ if ($_POST['rule_update_starttime']) { $input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'."; } +if ($_POST['snortdownload'] == "on" && empty($_POST['oinkmastercode'])) + $input_errors[] = "You must supply an Oinkmaster code in the box provided in order to enable Snort VRT rules!"; + +if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code'])) + $input_errors[] = "You must supply a subscription code in the box provided in order to enable Emerging Threats Pro rules!"; + /* if no errors move foward */ if (!$input_errors) { if ($_POST["Submit"]) { - $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; + $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code']; $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; if ($_POST['snortloglimitsize']) { @@ -160,19 +170,14 @@ if ($input_errors) - - - - - - + - + @@ -180,17 +185,17 @@ if ($input_errors)
>  ', ''); ?>
>
 
+
-
 
- + - + -
'on') echo 'disabled'; ?>>
+ - @@ -330,13 +365,28 @@ if ($input_errors)
> @@ -212,11 +217,41 @@ if ($input_errors) - + + + + + + + + + + + + + + + + + +
> - >
>
 
 " . gettext("Note:") . "" . " " . + gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?>
 
+ + + + + + + +
'on') echo 'disabled'; ?>>
+