From 5180182c8975d4630cbc22174cc41f8e2c6d2b55 Mon Sep 17 00:00:00 2001
From: Ermal
Date: Thu, 12 Jul 2012 18:29:33 +0000
Subject: Fix the issues with rules pages and the ones rpeorted on the forum
---
 config/snort/snort.inc | 2 +-
 config/snort/snort_barnyard.php | 10 +-
 config/snort/snort_interfaces.php | 26 +-
 config/snort/snort_interfaces_suppress_edit.php | 10 +-
 config/snort/snort_rules.php | 422 +++++++++++-------------
 config/snort/snort_rulesets.php | 392 +++++++++++-----------
 6 files changed, 399 insertions(+), 463 deletions(-)
(limited to 'config')
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index a44b4bac..756740fe 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -208,7 +208,7 @@ function snort_build_list($listname = "") {
 function snort_is_running($snort_uuid, $if_real, $type = 'snort') {
 global $config, $g;
- if (file_exists("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"))
+ if (file_exists("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$snort_uuid}.pid"))
 return 'yes';
 return 'no';
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php
index 17769ca8..914bcead 100644
--- a/config/snort/snort_barnyard.php
+++ b/config/snort/snort_barnyard.php
@@ -46,11 +46,6 @@ if (!is_array($config['installedpackages']['snortglobal']['rule']))
 $config['installedpackages']['snortglobal']['rule'] = array();
 $a_nat = &$config['installedpackages']['snortglobal']['rule'];
-if (isset($_GET['dup'])) {
- $id = $_GET['dup'];
- $after = $_GET['dup'];
-}
-
 $pconfig = array();
 if (isset($id) && $a_nat[$id]) {
 /* old options */
@@ -87,10 +82,7 @@ if ($_POST) {
 if (isset($id) && $a_nat[$id])
 $a_nat[$id] = $natent;
 else {
- if (is_numeric($after))
- array_splice($a_nat, $after+1, 0, array($natent));
- else
- $a_nat[] = $natent;
+ $a_nat[] = $natent;
 }
 write_config();
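Review bot: `snort_is_running()` now checks the pid file it actually names, but the function still has no header comment and its contract ('yes'/'no' strings rather than a bool, and what `$type` selects) is only discoverable by reading the body; a two-line comment above the `function snort_is_running(` line would help, e.g. `/* Returns 'yes' when {$type}_{$if_real}{$snort_uuid}.pid exists under $g['varrun_path'] and isvalidpid() accepts it, else 'no'. $type is 'snort' or 'barnyard2'. */`. The two snort_barnyard.php hunks in this span only remove the `dup`/`$after` insertion path and need no comment.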
diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index d55e8bd9..67a7257d 100644 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -219,30 +219,26 @@ if ($pfsense_stable == 'yes') /* There has to be a smarter way to do this */ $if_real = snort_get_real_interface($natent['interface']); $snort_uuid = $natent['uuid']; - if (snort_is_running($snort_uuid, $if_real) == 'no') { + if (snort_is_running($snort_uuid, $if_real) == 'no') $iconfn = 'pass'; - $class_color_up = 'listbg'; - }else{ - $class_color_up = 'listbg2'; + else $iconfn = 'block'; - } - if (snort_is_running($snort_uuid, $if_real, 'barnyard2') == 'no') { + if (snort_is_running($snort_uuid, $if_real, 'barnyard2') == 'no') $biconfn = 'pass'; - } else { + else $biconfn = 'block'; - } ?> - - - - - "; + title='click to toggle start/stop barnyard'>"; } else echo strtoupper("disabled"); ?> -   diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 45340f21..8a7e29ef 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -70,7 +70,8 @@ if (isset($id) && $a_suppress[$id]) { $pconfig['name'] = $a_suppress[$id]['name']; $pconfig['uuid'] = $a_suppress[$id]['uuid']; $pconfig['descr'] = $a_suppress[$id]['descr']; - $pconfig['suppresspassthru'] = base64_decode($a_suppress[$id]['suppresspassthru']); + if (!empty($a_suppress[$id]['suppresspassthru'])); + $pconfig['suppresspassthru'] = base64_decode($a_suppress[$id]['suppresspassthru']); if (empty($a_suppress[$id]['uuid'])) $pconfig['uuid'] = uniqid(); } 
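Review bot: The added guard in snort_interfaces_suppress_edit.php, `if (!empty($a_suppress[$id]['suppresspassthru']));`, ends in a semicolon, so it is an empty statement and the `$pconfig['suppresspassthru'] = base64_decode(...)` assignment on the next line still runs unconditionally; the intended form is `if (!empty($a_suppress[$id]['suppresspassthru']))` with no trailing semicolon. As written the hunk is a no-op and the absent-key case it was meant to cover behaves exactly as before. The snort_interfaces.php hunk in this span is mostly markup that is not recoverable here, so nothing is raised on it.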
@@ -106,7 +107,8 @@ if ($_POST['submit']) { $s_list['name'] = $_POST['name']; $s_list['uuid'] = $suppress_uuid; $s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); - $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']); + if ($_POST['suppresspassthru']) + $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']); if (isset($id) && $a_suppress[$id]) $a_suppress[$id] = $s_list; @@ -190,7 +192,7 @@ if ($savemsg)  Advanced pass through + name="suppresspassthru" cols="90" rows="28" id="suppresspassthru" class="formpre"> @@ -199,7 +201,7 @@ if ($savemsg) class="formbtn" value="Save" /> - + diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 5a13cf7b..a171dc06 100644 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -55,73 +55,6 @@ if (isset($id) && $a_rule[$id]) { $pconfig['rulesets'] = $a_rule[$id]['rulesets']; } -/* convert fake interfaces to real */ -$if_real = snort_get_real_interface($pconfig['interface']); -$iface_uuid = $a_rule[$id]['uuid']; - -/* Check if the rules dir is empy if so warn the user */ -/* TODO give the user the option to delete the installed rules rules */ -if (!is_dir("{$snortdir}/snort_{$iface_uuid}_{$if_real}/rules")) - exec("/bin/mkdir -p {$snortdir}/snort_{$iface_uuid}_{$if_real}/rules"); - -$isrulesfolderempty = exec("ls -A {$snortdir}/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); -if ($isrulesfolderempty == "" || empty($pconfig['rulesets'])) { - $isrulesfolderempty = exec("ls -A {$snortdir}/rules/*.rules"); - if ($isrulesfolderempty == "" || empty($pconfig['rulesets'])) { - include_once("head.inc"); - include_once("fbegin.inc"); - - echo ""; - - if($pfsense_stable == 'yes'){echo '
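Review bot: `if ($_POST['suppresspassthru'])` in the save path tests truthiness, so a submitted value of `'0'` is silently dropped and a request without the field raises an undefined-index notice; `if (isset($_POST['suppresspassthru']) && $_POST['suppresspassthru'] !== '')` states the intent. The rest of the save path (`$s_list` construction, `$a_suppress[$id] = $s_list`) is unchanged and continues outside the hunk. The two later hunks in this span are form markup only.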

' . $pgtitle . '

';} - - echo "\n - \n - \n - \n - \n - \n - \n -
\n"; - - $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); - echo "
\n -
\n - \n - \n - \n - \n -
\n - # The rules directory is empty or you have not selected any rules in the Categories tab.\n -
\n -
\n -
\n - \n - \n - \n -

\n\n"; - - echo "Please click on the Update Rules tab to install your selected rule sets."; - include("fend.inc"); - - echo ""; - echo ""; - - exit(0); - } else { - /* Make sure that we have the rules */ - mwexec("/bin/cp {$snortdir}/rules/*.rules {$snortdir}/snort_{$iface_uuid}_{$if_real}/rules", true); - } -} - function get_middle($source, $beginning, $ending, $init_pos) { $beginning_pos = strpos($source, $beginning, $init_pos); if (!$beginning_pos) @@ -143,27 +76,28 @@ function load_rule_file($incoming_file) return explode("\n", $contents); } -$ruledir = "{$snortdir}/snort_{$iface_uuid}_{$if_real}/rules/"; -$dh = opendir($ruledir); -while (false !== ($filename = readdir($dh))) -{ - //only populate this array if its a rule file - $isrulefile = strstr($filename, ".rules"); - if ($isrulefile !== false) - $files[] = basename($filename); -} -sort($files); +/* convert fake interfaces to real */ +$if_real = snort_get_real_interface($pconfig['interface']); +$snort_uuid = $a_rule[$id]['uuid']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; $categories = explode("||", $pconfig['rulesets']); if ($_GET['openruleset']) - $rulefile = $_GET['openruleset']; + $currentruleset = $_GET['openruleset']; else - $rulefile = $ruledir.$categories[0]; + $currentruleset = $categories[0]; -//Load the rule file -$splitcontents = load_rule_file($rulefile); +$ruledir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules"; +$rulefile = "{$ruledir}/{$currentruleset}"; +if (!file_exists($rulefile)) { + $input_errors[] = "{$currentruleset} seems to be missing!!! Please go to the Category tab and save again the rule to regenerate it."; + $splitcontents = array(); +} else + //Load the rule file + $splitcontents = load_rule_file($rulefile); -if ($_GET['act'] == "toggle" && $_GET['ids']) { +if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($splitcontents)) { $lineid= $_GET['ids']; 
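Review bot: `$currentruleset = $_GET['openruleset'];` is used unchecked as the last path component of `$rulefile`, so a request value containing `../` makes `load_rule_file()` read a file outside `$ruledir`, and the same value flows into the toggle branch and the redirect; restrict it to a configured category, e.g. `$currentruleset = basename($_GET['openruleset']);` followed by `if (!in_array($currentruleset, $categories, true)) $input_errors[] = "<placeholder: not a selected category>";`. `file_exists($rulefile)` also returns true for a directory, which is what `$rulefile` resolves to when `$pconfig['rulesets']` is empty (`explode()` yields `['']` and the path ends in `/`), so `is_file($rulefile)` is the check that matches the "seems to be missing" message. The same raw value is interpolated into that `$input_errors[]` message; whether `print_input_errors()` escapes it is not visible here. The toggle branch that assigns `$lineid` continues past the end of the hunk.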
@@ -212,27 +146,32 @@ if ($_GET['act'] == "toggle" && $_GET['ids']) { write_config(); } - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$rulefile}"); + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); exit; } -$currentruleset = basename($rulefile); - -$ifname = strtoupper($pconfig['interface']); - require_once("guiconfig.inc"); include_once("head.inc"); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: $id $iface_uuid {$if_friendly} Category: $currentruleset"; +$pgtitle = "Snort: {$if_friendly} Category: $currentruleset"; ?> ' . $pgtitle . '

';} + +/* Display message */ +if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks +} + +if ($savemsg) { + print_info_box($savemsg); +} + ?> -
+ + + + + +
- - - - - - - - - - - - - - - - + + + + + + + + - - - - - - - "; - ?> - - - {$value}\n"; } ?> - + +
+ + + + + + < + + + + + + + + + + + + + + $value ) + { + $disabled = "False"; + $comments = "False"; + $findme = "# alert"; //find string for disabled alerts + $disabled_pos = strstr($value, $findme); + + $counter2 = 1; + $sid = get_middle($value, 'sid:', ';', 0); + //check to see if the sid is numberical + if (!is_numeric($sid)) + continue; + + //if find alert is false, then rule is disabled + if ($disabled_pos !== false){ + $counter2 = $counter2+1; + $textss = ""; + $textse = ""; + $iconb = "icon_block_d.gif"; + + $ischecked = ""; + } else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + + $ischecked = "checked"; + } + + $rule_content = explode(' ', $value); + + $protocol = $rule_content[$counter2];//protocol location + $counter2++; + $source = substr($rule_content[$counter2], 0, 20) . "...";//source location + $counter2++; + $source_port = $rule_content[$counter2];//source port location + $counter2 = $counter2+2; + $destination = substr($rule_content[$counter2], 0, 20) . "...";//destination location + $counter2++; + $destination_port = $rule_content[$counter2];//destination port location + + if (strstr($value, 'msg: "')) + $message = get_middle($value, 'msg: "', '";', 0); + else if (strstr($value, 'msg:"')) + $message = get_middle($value, 'msg:"', '";', 0); + + echo " + + + + + + + "; + ?> + + + +
  -
Category: - -
-
 
 SIDProtoSourcePortDestinationPortMessage 
+ # You have not selected any rules in the Categories tab. +
  +
Category: +
$textss - - - $textse - - $textss $sid $textse - - $textss $protocol $textse - - $textss $source $textse - - $textss $source_port $textse - - $textss $destination $textse - - $textss $destination_port $textse - - $textss $message $textse - - - - - - -
-
 
   
 SIDProtoSourcePortDestinationPortMessage 
$textss + + + $textse + + $textss $sid $textse + + $textss $protocol $textse + + $textss $source $textse + + $textss $source_port $textse + + $textss $destination $textse + + $textss $destination_port $textse + + $textss $message $textse + + + + + +
+
+ + + + + - + + + + + + + +
Rule Enabled
- - - - - - - - - - - - - - - - -
Rule Enabled
Rule Disabled
-

-

+
Rule Disabled
+

+ +
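Review bot: `$pgtitle = "Snort: {$if_friendly} Category: $currentruleset";` carries the raw `$_GET['openruleset']` value into the page title, and the `' . $pgtitle . '` echo in the same hunk (`@@ -212,27 +146,32 @@`) prints it without escaping, so a crafted query string is reflected into the HTML as-is; build it as `$pgtitle = "Snort: {$if_friendly} Category: " . htmlspecialchars($currentruleset, ENT_QUOTES, 'UTF-8');` or escape at the echo. The `header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}");` line should pass the value through `urlencode()` for the same reason. The new row loop likewise echoes `$sid`, `$message` and the other rule fields straight into table cells; those come from the rule files rather than the request, but escaping them at output costs nothing. Hunk boundaries in this part of the diff are not recoverable here (the PHP blocks were stripped), so this note is anchored at the end of the file's hunks.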
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 050ec2ce..34bba9e5 100644 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -49,92 +49,39 @@ if (is_null($id)) { exit; } +function snort_copy_rules($files, $snortdir, $snort_uuid, $if_real) { + + if (empty($files)) + return; + + conf_mount_rw(); + foreach ($files as $file) { + if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}")) + @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}"); + } + conf_mount_ro(); +} + if (isset($id) && $a_nat[$id]) { $pconfig['enable'] = $a_nat[$id]['enable']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; - - /* convert fake interfaces to real */ - $if_real = snort_get_real_interface($pconfig['interface']); - - $iface_uuid = $a_nat[$id]['uuid']; } -$if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly} Categories"; - - -/* Check if the rules dir is empy if so warn the user */ -/* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec("ls -A {$snortdir}/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); -if ($isrulesfolderempty == "") { - $isrulesfolderempty = exec("ls -A {$snortdir}/rules/*.rules"); - if ($isrulesfolderempty == "") { - include_once("head.inc"); - include("fbegin.inc"); - - echo "

"; - if($pfsense_stable == 'yes'){echo $pgtitle;} - echo "

\n"; - - echo ""; - - echo " - \n - - \n - \n - \n -
\n"; - - $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); - echo " -
\n -
\n - \n - \n - \n - \n -
\n - # The rules directory is empty. {$snortdir}/snort_{$iface_uuid}_{$if_real}/rules \n -
\n -
\n -
\n - \n - \n - \n -

\n\n"; - - echo "Please click on the Update Rules tab to install your selected rule sets. $isrulesfolderempty"; - include("fend.inc"); - - echo ""; - echo ""; - - exit(0); - } else { - /* Make sure that we have the rules */ - mwexec("/bin/cp {$snortdir}/rules/*.rules {$snortdir}/snort_{$iface_uuid}_{$if_real}/rules", true); - } -} +$if_real = snort_get_real_interface($pconfig['interface']); +$snort_uuid = $a_nat[$id]['uuid']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; /* alert file */ if ($_POST["Submit"]) { $enabled_items = ""; - $isfirst = true; if (is_array($_POST['toenable'])) $enabled_items = implode("||", $_POST['toenable']); else $enabled_items = $_POST['toenable']; $a_nat[$id]['rulesets'] = $enabled_items; + snort_copy_rules(explode("||", $enabled_items), $snortdir, $snort_uuid, $if_real); write_config(); sync_snort_package_config(); @@ -144,6 +91,13 @@ if ($_POST["Submit"]) { } if ($_POST['unselectall']) { + if (!empty($pconfig['rulesets'])) { + conf_mount_rw(); + foreach (explode("||", $pconfig['rulesets']) as $file) + @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}"); + conf_mount_ro(); + } + $a_nat[$id]['rulesets'] = ""; write_config(); @@ -154,10 +108,18 @@ if ($_POST['unselectall']) { } if ($_POST['selectall']) { - $files = glob("{$snortdir}/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); $rulesets = array(); - foreach ($files as $file) - $rulesets[] = basename($file); + if ($emergingdownload == 'on') { + $files = glob("{$snortdir}/rules/emerging*.rules"); + foreach ($files as $file) + $rulesets[] = basename($file); + } + if ($snortdownload == 'on') { + $files = glob("{$snortdir}/rules/snort*.rules"); + foreach ($files as $file) + $rulesets[] = basename($file); + } + snort_copy_rules($rulesets, $snortdir, $snort_uuid, $if_real); $a_nat[$id]['rulesets'] = implode("||", $rulesets); 
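Review bot: `snort_copy_rules()` builds both the source and destination paths from each `$file` name taken from `$_POST['toenable']` (via `explode("||", $enabled_items)`) without checking it is a bare filename, and the new `unselectall` branch (`@@ -144,6 +91,13 @@`) passes the stored names to `@unlink()` the same way, so a name containing `/` or `..` would copy or delete outside the two rules directories. Accept only names that look like shipped rule files before using them, e.g. as the first line of the `foreach` in `snort_copy_rules()`: `if ($file !== basename($file) || !preg_match('/^[A-Za-z0-9_.-]+\.rules$/', $file)) continue;`, and apply the same filter in the `unselectall` loop. The `@` on `copy()` and `unlink()` also hides failures such as a missing source file or a read-only mount; checking the return value and reporting it through `$input_errors` would make a broken rules directory visible instead of silent. `$snort_uuid = $a_nat[$id]['uuid'];` is evaluated outside the `isset($id) && $a_nat[$id]` guard that protects the other `$a_nat[$id]` reads above it.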
@@ -168,21 +130,18 @@ if ($_POST['selectall']) { exit; } -$enabled_rulesets = $a_nat[$id]['rulesets']; -if($enabled_rulesets) - $enabled_rulesets_array = explode("||", $enabled_rulesets); - +$enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']); include_once("head.inc"); - ?> - -' . $pgtitle . '

';}?> +"; - +if($pfsense_stable == 'yes'){echo '

' . $pgtitle . '

';}?> +
+ - - +
-
- + + + + + + + +
+
+ + + + + + + + - + $CHECKED = ""; + echo " \n\n"; + echo "\n"; + echo "\n"; + } else + echo "\n"; + echo "\n"; + } + ?> +
+ # The rules directory is empty. /rules
+ Please go to the updates page to download/fetch the rules configured. +
+ - - - - - -
- - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - \n"; - if (!empty($emergingrules[$j])) { - $file = $emergingrules[$j]; - echo "\n"; - echo "\n"; + if (!empty($emergingrules[$j])) { + $file = $emergingrules[$j]; + echo "\n"; - } else - echo "\n"; - if (!empty($snortrules[$j])) { - $file = $snortrules[$j]; - echo "\n"; - echo "\n"; } else - echo "\n"; - if (!empty($snortsorules[$j])) { - $file = $snortsorules[$j]; - echo "\n"; + echo "\n"; + } else + echo "\n"; + + if (!empty($snortrules[$j])) { + $file = $snortrules[$j]; + echo "\n"; - echo "\n"; + echo "\n"; + } else + echo "\n"; + if (!empty($snortsorules[$j])) { + $file = $snortsorules[$j]; + echo "\n"; + $CHECKED = ""; } else - echo "\n"; - echo "\n"; - } - ?> -
Check the rulesets that you would like Snort to load at startup.







Check the rulesets that you would like Snort to load at startup.







 
EnabledEmerging rules have not been enabledEnabledEnabledSnort rules have not been enabled
 
EnabledEnabledEnabled
"; - if(is_array($enabled_rulesets_array)) { - if(in_array($file, $enabled_rulesets_array)) - $CHECKED = " checked=\"checked\""; - else - $CHECKED = ""; - } else - $CHECKED = ""; - echo " \n\n"; - echo "\n"; - if (empty($CHECKED)) - echo $file; + } + sort($emergingrules); + sort($snortsorules); + sort($snortrules); + $i = count($emergingrules); + if ($i < count($snortsorules)) + $i = count(snortsorules); + if ($i < count($snortrules)) + $i = count($snortrules); + + for ($j = 0; $j < $i; $j++) { + echo "
"; + if(is_array($enabled_rulesets_array)) { + if(in_array($file, $enabled_rulesets_array)) + $CHECKED = " checked=\"checked\""; else - echo "{$file}\n"; - echo "
"; - if(is_array($enabled_rulesets_array)) { - if(in_array($file, $enabled_rulesets_array)) - $CHECKED = " checked=\"checked\""; - else - $CHECKED = ""; - } else $CHECKED = ""; - echo " \n\n"; - echo "\n"; - if (empty($CHECKED)) - echo $file; - else - echo "{$file}\n"; - echo "
"; - if(is_array($enabled_rulesets_array)) { - if(in_array($file, $enabled_rulesets_array)) - $CHECKED = " checked=\"checked\""; - else - $CHECKED = ""; - } else + $CHECKED = ""; + echo " \n\n"; + echo "\n"; + if (empty($CHECKED)) + echo $file; + else + echo "{$file}\n"; + echo "
"; + if(is_array($enabled_rulesets_array)) { + if(in_array($file, $enabled_rulesets_array)) + $CHECKED = " checked=\"checked\""; + else $CHECKED = ""; - echo " \n\n"; - echo "\n"; - if (empty($CHECKED)) - echo $file; + } else + $CHECKED = ""; + echo " \n\n"; + echo "\n"; + if (empty($CHECKED)) + echo $file; + else + echo "{$file}\n"; + echo "
"; + if(is_array($enabled_rulesets_array)) { + if(in_array($file, $enabled_rulesets_array)) + $CHECKED = " checked=\"checked\""; else - echo "{$file}\n"; - echo "
-
 
- -
\n"; + if (empty($CHECKED)) + echo $file; + else + echo "{$file}\n"; + echo "
+
 
+
+
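Review bot: `$i = count(snortsorules);` drops the `$` from the variable name, so `snortsorules` is read as an undefined constant (a notice and the string 'snortsorules' on the PHP 5 of this era, an Error on PHP 8) and `$i` becomes `count()` of a string rather than the number of SO rules, truncating the table when that list is the longest; it should read `$i = count($snortsorules);`. The three comparisons would also read more simply as `$i = max(count($emergingrules), count($snortsorules), count($snortrules));`. Hunk boundaries in this part of the diff are not recoverable here (the PHP blocks were stripped), so this note is anchored at the end of the file's hunks.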