From 080fb922c15c959be4f0bd101d0cf3f529f0e866 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 13 May 2013 16:58:53 -0400 Subject: Snort Pkg 2.5.8 Update - bug fixes and new features --- config/snort/snort.inc | 744 +++++++++++++------- config/snort/snort.xml | 12 +- config/snort/snort_alerts.php | 107 +-- config/snort/snort_blocked.php | 73 +- config/snort/snort_check_for_rule_updates.php | 6 +- config/snort/snort_download_updates.php | 12 - config/snort/snort_interfaces.php | 15 +- config/snort/snort_interfaces_edit.php | 284 +++++--- config/snort/snort_interfaces_suppress_edit.php | 8 +- config/snort/snort_interfaces_whitelist_edit.php | 31 +- config/snort/snort_list_view.php | 103 +++ config/snort/snort_preprocessors.php | 856 +++++++++++++++++++---- config/snort/snort_rules.php | 466 ++++++------ config/snort/snort_rules_flowbits.php | 265 +++++++ config/snort/snort_rulesets.php | 4 +- 15 files changed, 2161 insertions(+), 825 deletions(-) create mode 100644 config/snort/snort_list_view.php create mode 100644 config/snort/snort_rules_flowbits.php (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 7ecc40e7..236cb107 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc 
@@ -40,12 +40,12 @@ require_once("filter.inc"); // Explicitly declare these as global so they work through function call includes global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log; -global $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall; +global $all_rules, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall; global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename; /* package version */ $snort_version = "2.9.4.1"; -$pfSense_snort_version = "2.5.7"; +$pfSense_snort_version = "2.5.8"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) 
@@ -132,6 +132,53 @@ function snort_generate_id() { return $snort_uuid; } +function snort_load_suppress_sigs($snortcfg) { + + global $config; + + /**********************************************************/ + /* This function loads the GEN_ID and SIG_ID for all the */ + /* suppressed alert entries from the Suppression List of */ + /* the passed Snort interface. The results are returned */ + /* in an array with GEN_ID and SIG_ID as the keys. */ + /**********************************************************/ + + $suppress = array(); + + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + return; + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + return; + $a_suppress = $config['installedpackages']['snortglobal']['suppress']['item']; + + foreach ($a_suppress as $a_id => $alist) { + if ($alist['name'] == $snortcfg['suppresslistname']) { + if (!empty($alist['suppresspassthru'])) { + $tmplist = str_replace("\r", "", base64_decode($alist['suppresspassthru'])); + $tmp = explode("\n", $tmplist); + foreach ($tmp as $line) { + // Skip any blank lines + if (trim($line, " \n") == "") + continue; + // Skip any comment lines + if (preg_match('/^\s*#/', $line)) + continue; + if (preg_match('/gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+)/i', $line, $matches)) { + $genid = $matches[1]; + $sigid = $matches[2]; + if (!empty($genid) && !empty($sigid)) + $suppress[$genid][$sigid] = "suppress"; + } + } + unset($tmp); + } + break; + } + } + unset($alist); + return $suppress; +} + /* func builds custom white lists */ function snort_find_list($find_name, $type = 'whitelist') { global $config; 
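Review bot: `snort_load_suppress_sigs` exits with a bare `return;` when the suppress-list structure is missing but returns `$suppress` (an array) otherwise, so a caller that loops over or indexes the result gets null in one case and an array in the other. `$suppress` is already initialised to `array()` before those checks, so both early exits can be `return $suppress;` and the result is always iterable. The `break` after the first matching `name` also means a duplicate list name is silently ignored; a comment such as `// first suppress list with a matching name wins` would make that explicit.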
@@ -150,117 +197,129 @@ function snort_find_list($find_name, $type = 'whitelist') { return array(); } -/* func builds custom whitelests */ +/* func builds custom whitelists and the HOME_NET variable */ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { global $config, $g; - - /* Add loopback to whitelist (ftphelper) */ - $home_net = "127.0.0.1 "; + global $aliastable, $filterdns; + $home_net = array(); if ($listname == 'default' || empty($listname)) { - $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; + $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; } else { $list = snort_find_list($listname); if (empty($list)) return $list; + $localnet = $list['localnets']; $wanip = $list['wanips']; $wangw = $list['wangateips']; $wandns = $list['wandnsips']; $vips = $list['vips']; $vpns = $list['vpnips']; if (!empty($list['address']) && is_alias($list['address'])) { - $home_net .= trim(filter_expand_alias($list['address'])); - $home_net .= " "; + $home_net = explode(" ", trim(filter_expand_alias($list['address']))); } } - /* Always put snort running interface in the list */ + /* Always add loopback to HOME_NET and whitelist (ftphelper) */ + if (!in_array("127.0.0.1", $home_net)) + $home_net[] = "127.0.0.1"; + + /********************************************************************/ + /* Always put the interface running Snort in HOME_NET and whitelist */ + /* unless it's the WAN. WAN options are handled further down. */ + /********************************************************************/ $snortip = get_interface_ip($snortcfg['interface']); - if (is_ipaddr($snortip)) - $home_net .= "{$snortip} "; + if (is_ipaddr($snortip)) { + if ($snortcfg['interface'] <> "wan") { + $sn = get_interface_subnet($snortcfg['interface']); + $ip = gen_subnet($snortip, $sn) . 
"/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + } + if (function_exists('get_interface_ipv6')) { $snortip = get_interface_ipv6($snortcfg['interface']); if (is_ipaddrv6($snortip)) { - if ($whitelist === false) { + if ($snortcfg['interface'] <> "wan") { $sn = get_interface_subnetv6($snortcfg['interface']); - $home_net .= "{$snortip}/{$sn} "; - } else - $home_net .= "{$snortip} "; + $ip = gen_subnetv6($snortip, $sn). "/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } } } - - /* iterate through interface list and write out whitelist items - * and also compile a home_net list for snort. - */ - if ($wanip == 'yes') { - /* build an interface array list */ + + if ($localnet == 'yes') { + /*************************************************************************/ + /* Iterate through the interface list and write out whitelist items and */ + /* also compile a HOME_NET list of all the local interfaces for snort. */ + /* Skip the WAN interface as we do not typically want that whole subnet */ + /* whitelisted (just the interface IP itself). */ + /*************************************************************************/ if (function_exists('get_configured_interface_list')) $int_array = get_configured_interface_list(); else { $int_array = array('wan', 'lan'); - for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) { if(isset($config['interfaces']['opt' . $j]['enable'])) $int_array[] = "opt{$j}"; + } } - foreach ($int_array as $int) { - /* calculate interface subnet information */ - if (function_exists('get_interface_ip')) { - if (!interface_has_gateway($int)) + if ($int == "wan") + continue; + $subnet = get_interface_ip($int); + if (is_ipaddr($subnet)) { + $sn = get_interface_subnet($int); + $ip = gen_subnet($subnet, $sn) . 
"/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + if (function_exists("get_interface_ipv6")) { + if ($int == "wan") continue; - $subnet = get_interface_ip($int); - if (is_ipaddr($subnet)) { - if ($whitelist === false) { - $sn = get_interface_subnet($int); - $home_net .= "{$subnet}/{$sn} "; - } else - $home_net .= "{$subnet} "; - } - if (function_exists("get_interface_ipv6")) { - if (!interface_has_gatewayv6($int)) - continue;; - $subnet = get_interface_ipv6($int); - if (is_ipaddrv6($subnet)) { - if ($whitelist === false) { - $sn = get_interface_subnetv6($int); - $home_net .= "{$subnet}/{$sn} "; - } else - $home_net .= "{$subnet} "; - } - } - } else { - $ifcfg = $config['interfaces'][$int]; - switch ($ifcfg['ipaddr']) { - case "pppoe": - case "pptp": - case "l2tp": - $subnet = find_interface_ip("ng0"); - if (is_ipaddr($subnet)) - $home_net .= "{$subnet} "; - break; - case "dhcp": - $subnet = find_interface_ip(snort_get_real_interface($int)); - if (is_ipaddr($subnet)) - $home_net .= "{$subnet} "; - break; - default: - if (is_ipaddr($ifcfg['ipaddr'])) { - $home_net .= "{$ifcfg['ipaddr']} "; - } - break; + $subnet = get_interface_ipv6($int); + if (is_ipaddrv6($subnet)) { + $sn = get_interface_subnetv6($int); + $ip = gen_subnetv6($subnet, $sn). 
"/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; } } } } + /* Grab the default gateway if set */ + $default_gw = exec("/sbin/route -n get default |grep 'gateway:' | /usr/bin/awk '{ print $2 }'"); + + if ($wanip == 'yes') { + $ip = get_interface_ip("wan"); + if (is_ipaddr($ip)) { + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + if (function_exists("get_interface_ipv6")) { + $ip = get_interface_ipv6("wan"); + if (is_ipaddrv6($ip)) { + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + } + } + if ($wangw == 'yes') { + if (is_ipaddr($default_gw) && !in_array($default_gw, $home_net)) + $home_net[] = $default_gw; + + /* Get any other interface gateway and put in $HOME_NET if not there already */ $gw = get_interface_gateway($snortcfg['interface']); - if (is_ipaddr($gw)) - $home_net .= "{$gw} "; + if (is_ipaddr($gw) && !in_array($gw, $home_net)) + $home_net[] = $gw; if (function_exists("get_interface_gatewayv6")) { $gw = get_interface_gatewayv6($snortcfg['interface']); - if (is_ipaddrv6($gw)) - $home_net .= "{$gw} "; + if (is_ipaddrv6($gw) && !in_array($gw, $home_net)) + $home_net[] = $gw; } } @@ -268,8 +327,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { /* Add DNS server for WAN interface to whitelist */ $dns_servers = get_dns_servers(); foreach ($dns_servers as $dns) { - if ($dns) - $home_net .= "{$dns} "; + if ($dns && !in_array($dns, $home_net)) + $home_net[] = $dns; } } @@ -278,10 +337,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { foreach($config['virtualip']['vip'] as $vip) { if ($vip['subnet'] && $vip['mode'] != 'proxyarp') { - if ($whitelist === false) - $home_net .= "{$vip['subnet']}/{$vip['subnet_bits']} "; - else - $home_net .= "{$vip['subnet']} "; + if (!in_array("{$vip['subnet']}/{$vip['subnet_bits']}", $home_net)) + $home_net[] = "{$vip['subnet']}/{$vip['subnet_bits']}"; } } } 
@@ -289,27 +346,31 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ if ($vpns == 'yes') { - if ($config['version'] <= 6) // chk what pfsense version were on - $vpns_list = get_vpns_list(); - else - $vpns_list = filter_get_vpns_list(); - - if (!empty($vpns_list)) - $home_net .= "{$vpns_list} "; + $vpns_list = filter_get_vpns_list(); + if (!empty($vpns_list)) { + /* Convert the returned space-delimited string to an array */ + /* and then add each VPN address to our HOME_NET array. */ + $vpns = explode(" ", $vpns_list); + foreach ($vpns as $vpn) + $home_net[] = trim($vpn); + unset($vpns, $vpns_list); + } } - $home_net = trim($home_net); - $validator = explode(" ", $home_net); $valresult = array(); - foreach ($validator as $vald) { + foreach ($home_net as $vald) { if (empty($vald)) continue; $vald = trim($vald); if (empty($valresult[$vald])) $valresult[$vald] = $vald; } - unset($home_net, $validator); + /* Release memory no longer required */ + unset($home_net); + + /* Sort the list and return it */ + natsort($valresult); return $valresult; } @@ -328,6 +389,7 @@ function snort_barnyard_stop($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Barnyard2 STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); } } 
@@ -337,12 +399,11 @@ function snort_stop($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Snort STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); } snort_barnyard_stop($snortcfg, $if_real); - - log_error("Snort STOP for {$snortcfg['descr']}({$if_real})..."); } function snort_barnyard_start($snortcfg, $if_real) { @@ -352,9 +413,10 @@ function snort_barnyard_start($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; /* define snortbarnyardlog_chk */ - if ($snortcfg['barnyard_enable'] == 'on' && !empty($snortcfg['barnyard_mysql'])) + if ($snortcfg['barnyard_enable'] == 'on' && !empty($snortcfg['barnyard_mysql'])) { + log_error("[Snort] Barnyard2 START for {$snortcfg['descr']}({$if_real})..."); exec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q"); - + } } function snort_start($snortcfg, $if_real) { 
@@ -363,14 +425,37 @@ function snort_start($snortcfg, $if_real) { $snortdir = SNORTDIR; $snort_uuid = $snortcfg['uuid']; - if ($snortcfg['enable'] == 'on') + if ($snortcfg['enable'] == 'on') { + log_error("[Snort] Snort START for {$snortcfg['descr']}({$if_real})..."); exec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + } else return; snort_barnyard_start($snortcfg, $if_real); +} + +/**************************************************************/ +/* This function sends a SIGHUP to the Snort instance on the */ +/* passed interface to cause Snort to reload and parse the */ +/* running configuration without stopping packet processing. */ +/* It also executes the reload as a background process and */ +/* returns control immediately to the caller. */ +/**************************************************************/ +function snort_reload_config($snortcfg, $if_real) { + global $config, $g; + + $snortdir = SNORTDIR; + $snort_uuid = $snortcfg['uuid']; - log_error("Snort START for {$snortcfg['descr']}({$if_real})..."); + /******************************************************/ + /* Only send the SIGHUP if Snort is running and we */ + /* can find a valid PID for the process. */ + /******************************************************/ + if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']}({$if_real})..."); + exec("/bin/pkill -SIGHUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); + } } function snort_get_friendly_interface($interface) { 
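Review bot: In `snort_reload_config` the SIGHUP is sent with `exec("/bin/pkill -SIGHUP -F ... 2>&1 &")`, so the exit status and any error output are discarded and the log line written just before it reports a reload regardless of outcome; pkill returns as soon as the signal is delivered, so the trailing `&` adds nothing. Drop the `&` and capture the status, e.g. `exec("/bin/pkill -SIGHUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1", $out, $rc);` followed by `if ($rc != 0) log_error("[Snort] Snort RELOAD CONFIG failed for {$snortcfg['descr']}({$if_real})");`. The header comment above the function says the reload runs as a background process and returns immediately; it should be updated to match whichever behaviour is kept.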
@@ -425,8 +510,7 @@ function snort_get_real_interface($interface) { this code block is for deleteing logs while keeping the newest file, snort is linked to these files while running, do not take the easy way out by touch and rm, snort will lose sync and not log. - - */ +*/ function snort_post_delete_logs($snort_uuid = 0) { global $config, $g; @@ -511,10 +595,13 @@ function snort_postinstall() { $rebuild_rules = "off"; update_output_window(gettext("Finished rebuilding files...")); log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); - update_status(gettext("Starting Snort using rebuilt configuration...")); - log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); - if (!$g['booting']) + + /* Only try to start Snort if not in reboot */ + if (!$g['booting']) { + update_status(gettext("Starting Snort using rebuilt configuration...")); + log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); start_service("snort"); + } } /* Done with post-install, so clear flag */ @@ -743,7 +830,7 @@ function snort_rules_up_install_cron($should_install) { $cron_item['month'] = "$snort_rules_up_month"; $cron_item['wday'] = "$snort_rules_up_wday"; $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php"; /* Add cron job if not already installed, else just update the existing one */ if (!$is_installed) 
@@ -1099,8 +1186,13 @@ function snort_load_rules_map($rules_path) { } $gid = snort_get_gid($rule); + if (!is_array($map_ref[$gid])) + $map_ref[$gid] = array(); + if (!is_array($map_ref[$gid][$sid])) + $map_ref[$gid][$sid] = array(); $map_ref[$gid][$sid]['rule'] = $rule; $map_ref[$gid][$sid]['category'] = basename($file, ".rules"); + if (preg_match('/^\s*\#+/', $rule)) $map_ref[$gid][$sid]['disabled'] = 1; else @@ -1163,16 +1255,31 @@ function snort_get_flowbits($rule) { /*************************************************************/ /* This will pull out "flowbits:" options from the rule text */ - /* and return them in an array. */ + /* and return them in an array (minus the "flowbits:" part). */ /*************************************************************/ $flowbits = array(); - if (preg_match_all('/flowbits\b:\s*(set|setx|unset|toggle|isset|isnotset)\s*,([^;]+)/i', $rule, $matches)) { + + /* Grab any "flowbits:set, setx, unset, isset or toggle" options first. */ + /* Examine flowbits targets for logical operators to capture all targets */ + if (preg_match_all('/flowbits\b\s*:\s*(set|setx|unset|toggle|isset|isnotset)\s*,([^;]+)/i', $rule, $matches)) { + $i = -1; + while (++$i < count($matches[1])) { + $action = trim($matches[1][$i]) . ","; + $target = preg_split('/[&|]/', $matches[2][$i]); + foreach ($target as $t) + $flowbits[] = $action . trim($t); + } + } + + /* Include the "flowbits:noalert or reset" options, if present. */ + if (preg_match_all('/flowbits\b\s*:\s*(noalert|reset)\b/i', $rule, $matches)) { $i = -1; while (++$i < count($matches[1])) { - $flowbits[] = trim($matches[1][$i]) ."," . trim($matches[2][$i]); + $flowbits[] = trim($matches[1][$i]); } } + return $flowbits; } 
@@ -1200,11 +1307,15 @@ function snort_get_checked_flowbits(&$rules_map) { foreach ($rulem2['flowbits'] as $flowbit) { if (empty($flowbit)) continue; - $action = substr($flowbit, 0, strpos($flowbit, ",")); - if (preg_match('/is(not)?set/i', $action)) { - $tmp = substr($flowbit, strpos($flowbit, ",") +1 ); - if (!empty($tmp) && !in_array($tmp, $checked_flowbits)) - $checked_flowbits[] = $tmp; + /* If no comma in flowbits option, then skip it. */ + $pos = strpos($flowbit, ","); + if ($pos === false) + continue; + $action = substr(strtolower($flowbit), 0, $pos); + if ($action == "isset" || $action == "isnotset") { + $tmp = substr($flowbit, strpos($flowbit, ",") + 1 ); + if (!empty($tmp)) + $checked_flowbits[$tmp] = $action; } } } @@ -1236,11 +1347,15 @@ function snort_get_set_flowbits(&$rules_map) { foreach ($rulem2['flowbits'] as $flowbit) { if (empty($flowbit)) continue; - $action = substr($flowbit, 0, strpos($flowbit, ",")); - if (preg_match('/^set/i', $action)) { - $tmp = substr($flowbit, strpos($flowbit, ",") +1 ); - if (!empty($tmp) && !in_array($tmp, $set_flowbits)) - $set_flowbits[] = $tmp; + /* If no comma in flowbits option, then skip it. */ + $pos = strpos($flowbit, ","); + if ($pos === false) + continue; + $action = substr(strtolower($flowbit), 0, $pos); + if ($action == "set" || $action == "toggle" || $action == "setx") { + $tmp = substr($flowbit, strpos($flowbit, ",") + 1 ); + if (!empty($tmp)) + $set_flowbits[$tmp] = $action; } } } @@ -1274,7 +1389,7 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) { $action = substr($flowbit, 0, strpos($flowbit, ",")); if (!strcasecmp(substr($action, 0, 3), "set")) { $tmp = substr($flowbit, strpos($flowbit, ",") +1 ); - if (!empty($tmp) && in_array($tmp, $unchecked_flowbits)) { + if (!empty($tmp) && isset($unchecked_flowbits[$tmp])) { if (!is_array($required_flowbits_rules[$k1])) $required_flowbits_rules[$k1] = array(); if (!is_array($required_flowbits_rules[$k1][$k2])) 
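Review bot: `snort_find_flowbit_required_rules` still computes `$action` with `substr($flowbit, 0, strpos($flowbit, ","))` and never checks `strpos` for `false`, while `snort_get_checked_flowbits` and `snort_get_set_flowbits` in the two hunks above now skip comma-less entries. Since `snort_get_flowbits` now emits bare `noalert`/`reset` entries, this block appears to work only because a `false` length makes `substr` return an empty action; add the same guard: `$pos = strpos($flowbit, ","); if ($pos === false) continue;` and then `$action = substr($flowbit, 0, $pos);`. In those two sibling hunks the `strpos` is also recomputed on the `$tmp = substr(...)` line although `$pos` already holds it; `substr($flowbit, $pos + 1)` is enough. All three enclosing functions start before their hunks.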
@@ -1298,7 +1413,7 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) { return $required_flowbits_rules; } -function snort_resolve_flowbits($rule_path) { +function snort_resolve_flowbits(&$active_rules) { /******************************************************/ /* This function auto-resolves flowbit requirements */ 
@@ -1308,31 +1423,32 @@ function snort_resolve_flowbits($rule_path) { /* enabled. For any that are not enabled, they are */ /* copied to an array, enabled, and returned. */ /* */ - /* $rule_path --> rules files of the interface */ - /* to resolve flowbit dependencies */ - /* for. This can be either of the */ - /* following: */ - /* - directory of *.rules files */ - /* - array of *.rules filenames */ - /* - a single *.rules filename */ + /* $active_rules --> Rules Map array containing */ + /* the current rules for the */ + /* interface to resolve flowbit */ + /* dependencies for. */ + /* */ + /* NOTE: this function assumes the global variable */ + /* $all_rules is populated with all the rules */ + /* currently downloaded. */ /******************************************************/ + global $all_rules; $snortdir = SNORTDIR; - /* First, load up all the enabled rules. */ - $rules_map = snort_load_rules_map($rule_path); - - /* Next, find all the "checked" and "set" flowbits. */ - $checked_flowbits = snort_get_checked_flowbits($rules_map); - $set_flowbits = snort_get_set_flowbits($rules_map); + /* Check $all_rules array to be sure it is filled. */ + if (empty($all_rules)) { + log_error(gettext("[Snort] WARNING: Flowbit resolution not done - no rules in {$snortdir}/rules/ ...")); + return array(); + } - /* We're done with the first rules array, so cleanup */ - /* to conserve memory. */ - unset($rules_map); + /* First, find all the "checked" and "set" flowbits. */ + $checked_flowbits = snort_get_checked_flowbits($active_rules); + $set_flowbits = snort_get_set_flowbits($active_rules); /* Next find any "checked" flowbits without matching */ /* "set" flowbit rules in the enabled rule set. */ - $delta_flowbits = array_diff($checked_flowbits, $set_flowbits); + $delta_flowbits = array_diff_key($checked_flowbits, $set_flowbits); /* Cleanup and release the memory we no longer need. */ unset($checked_flowbits); 
@@ -1340,11 +1456,9 @@ function snort_resolve_flowbits($rule_path) { /* Now find all the needed "set flowbit" rules from */ /* the master list of all rules. */ - $all_rules_map = snort_load_rules_map("{$snortdir}/rules/"); - $required_rules = snort_find_flowbit_required_rules($all_rules_map, $delta_flowbits); + $required_rules = snort_find_flowbit_required_rules($all_rules, $delta_flowbits); /* Cleanup and release memory we no longer need. */ - unset($all_rules_map); unset($delta_flowbits); return $required_rules; @@ -1390,7 +1504,7 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { } } -function snort_load_vrt_policy($policy) { +function snort_load_vrt_policy($policy, $load_rules_map=true) { /************************************************/ /* This function returns an array of all rules */ @@ -1400,21 +1514,29 @@ function snort_load_vrt_policy($policy) { /* 1. connectivity */ /* 2. balanced */ /* 3. security */ + /* */ + /* $load_rules --> load a local copy of all */ + /* the rules if true. If */ + /* false, assume the global */ + /* $all_rules array is valid. */ /************************************************/ + global $all_rules; $snortdir = SNORTDIR; $vrt_policy_rules = array(); /* Create regular expression for searching. */ $policy_pcre = "/policy\\s" . $policy . "/i"; - /* First, load up all the rules we have. */ - $all_rules_map = snort_load_rules_map("{$snortdir}/rules/"); + /* Refresh the map of all the rules if flag */ + /* is set. */ + if ($load_rules_map == true) + $all_rules = snort_load_rules_map("{$snortdir}/rules/"); /* Now walk the rules list and find all those */ /* that are defined as active for the chosen */ /* security policy. */ - foreach ($all_rules_map as $k1 => $arulem) { + foreach ($all_rules as $k1 => $arulem) { foreach ($arulem as $k2 => $arulem2) { if (preg_match($policy_pcre, $arulem2['rule'])) { if (!preg_match('/flowbits\s*:\s*noalert/i', $arulem2['rule'])) { 
@@ -1435,7 +1557,12 @@ function snort_load_vrt_policy($policy) { } /* Release memory we no longer need. */ - unset($all_rules_map, $arulem, $arulem2); + unset($arulem, $arulem2); + + /* If we loaded the ALL_RULES map, */ + /* then release the memory. */ + if ($load_rules_map == true) + unset($all_rules); /* Return all the rules that match the policy. */ return $vrt_policy_rules; @@ -1477,6 +1604,9 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { @fwrite($fp, "# to the rules in this file.\n\n"); foreach ($rule_map as $rulem) { foreach ($rulem as $rulem2) { + /* No reason to write disabled rules to enforcing file, so skip them. */ + if ($rulem2['disabled'] == 1) + continue; @fwrite($fp, $rulem2['rule']); } } 
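Review bot: The `unset($all_rules)` added at the end of `snort_load_vrt_policy` does not free the map it claims to release: `$all_rules` is imported with `global` (visible in the previous hunk), and `unset()` on a global-imported variable only drops the local alias while the global array stays allocated. To actually release it when this function loaded the map itself, assign instead: `$all_rules = array();` (or `unset($GLOBALS['all_rules']);`). The comment `/* If we loaded the ALL_RULES map, then release the memory. */` is otherwise misleading. The function's signature is in an earlier hunk.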
@@ -1589,20 +1719,33 @@ function snort_create_rc() { $start_barnyard = << {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid + pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' > {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` else - /bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid + pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` fi - if [ $? = 0 ]; then - /bin/pkill -HUP -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a - else - /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q + if [ ! -z \$pid ]; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill $pid -a + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then + /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid + fi fi + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..." + /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q EOE; $stop_barnyard2 = <</dev/null; do - sleep 1 - time=\$((time+1)) - if [ \$time -gt \$timeout ]; then - break - fi - done + if [ ! 
-z \$pid ]; then + /bin/pkill -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + fi fi EOE; @@ -1644,12 +1789,12 @@ EOE; else pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` fi - if [ $? = 0 ]; then - /bin/pkill -HUP \$pid + if [ ! -z \$pid ]; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill -HUP \$pid else - /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..." + /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} fi sleep 2 @@ -1659,9 +1804,9 @@ EOE; $start_snort_iface_stop[] = <</dev/null; do 
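Review bot: In the new Barnyard2 restart block the line `/bin/pkill $pid -a` leaves `$pid` unescaped, unlike `\$pid` on the surrounding `kill -0 \$pid` and `[ ! -z \$pid ]` lines, so inside the PHP heredoc it is interpolated as an undefined PHP variable and the generated rc script runs `pkill  -a` with no pattern. `$pid` also holds a process id from `pgrep`, not a name pattern, so the intended call is `/bin/kill \$pid`. The `[ ! -z \$pid ]` tests here and in the following Snort restart and stop hunks should quote the expansion, `[ ! -z "\$pid" ]`, so an empty value is tested explicitly rather than relying on the one-argument form of `[`. The heredoc opening markers are not legible in this rendering, so the exact quoting mode should be confirmed in the file.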
@@ -1676,15 +1821,18 @@ EOE; fi else pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'` - /bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' - time=0 timeout=30 - while kill -0 \$pid 2>/dev/null; do - sleep 1 - time=\$((time+1)) - if [ \$time -gt \$timeout ]; then - break - fi - done + if [ ! -z \$pid ]; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + fi fi sleep 2 
@@ -1819,11 +1967,21 @@ function snort_deinstall() { $snortlogdir = SNORTLOGDIR; $rcdir = RCFILEPREFIX; + log_error(gettext("[Snort] Snort package uninstall in progress...")); + /* Make sure all active Snort processes are terminated */ + /* Log a message only if a running process is detected */ + if (is_service_running("snort")) + log_error(gettext("[Snort] Snort STOP for all interfaces...")); mwexec('/usr/bin/killall snort', true); sleep(2); mwexec('/usr/bin/killall -9 snort', true); sleep(2); + + /* Make sure all active Barnyard2 processes are terminated */ + /* Log a message only if a running process is detected */ + if (is_service_running("barnyard2")) + log_error(gettext("[Snort] Barnyard2 STOP for all interfaces...")); mwexec('/usr/bin/killall barnyard2', true); sleep(2); mwexec('/usr/bin/killall -9 barnyard2', true); @@ -1893,7 +2051,7 @@ function snort_deinstall() { function snort_prepare_rule_files($snortcfg, $snortcfgdir) { - global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules; + global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules, $all_rules; $snortdir = SNORTDIR; $no_rules_defined = true; 
@@ -1911,22 +2069,47 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_files = array(); $no_rules_defined = false; - /* Create an array with the full path filenames of the enabled */ - /* rule category files if we have any. */ + /* Load up all the rules into a Rules Map array. */ + $all_rules = snort_load_rules_map("{$snortdir}/rules/"); + + /* Create an array with the filenames of the enabled */ + /* rule category files if we have any. */ if (!empty($snortcfg['rulesets'])) { - foreach (explode("||", $snortcfg['rulesets']) as $file) { - if (file_exists("{$snortdir}/rules/{$file}")) - $enabled_files[] = "{$snortdir}/rules/{$file}"; + foreach (explode("||", $snortcfg['rulesets']) as $file){ + $category = basename($file, ".rules"); + if (!is_array($enabled_files[$category])) + $enabled_files[$category] = array(); + $enabled_files[$category] = $file; + } + + /****************************************************/ + /* Walk the ALL_RULES map array and copy the rules */ + /* matching our selected file categories to the */ + /* ENABLED_RULES map array. */ + /****************************************************/ + foreach ($all_rules as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if (isset($enabled_files[$v['category']])) { + if (!is_array($enabled_rules[$k1])) + $enabled_rules[$k1] = array(); + if (!is_array($enabled_rules[$k1][$k2])) + $enabled_rules[$k1][$k2] = array(); + $enabled_rules[$k1][$k2]['rule'] = $v['rule']; + $enabled_rules[$k1][$k2]['category'] = $v['category']; + $enabled_rules[$k1][$k2]['disabled'] = $v['disabled']; + $enabled_rules[$k1][$k2]['flowbits'] = $v['flowbits']; + } + } } - /* Load our rules map in preparation for writing the enforcing rules file. */ - $enabled_rules = snort_load_rules_map($enabled_files); + /* Release memory we no longer need. */ + unset($enabled_files, $rulem, $v); } /* Check if a pre-defined Snort VRT policy is selected. If so, */ /* add all the VRT policy rules to our enforcing rule set. 
*/ if (!empty($snortcfg['ips_policy'])) { - $policy_rules = snort_load_vrt_policy($snortcfg['ips_policy']); + $policy_rules = snort_load_vrt_policy($snortcfg['ips_policy'], false); foreach ($policy_rules as $k1 => $policy) { foreach ($policy as $k2 => $p) { if (!is_array($enabled_rules[$k1])) @@ -1939,7 +2122,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_rules[$k1][$k2]['flowbits'] = $p['flowbits']; } } - unset($policy_rules); + unset($policy_rules, $policy, $p); } /* Process any enablesid or disablesid modifications for the selected rules. */ @@ -1954,13 +2137,11 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Write the enforcing rules file to the Snort interface's "rules" directory. */ snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); - unset($enabled_rules); /* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */ if ($snortcfg['autoflowbitrules'] == 'on') { log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); - $enabled_files[] = "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"; - $fbits = snort_resolve_flowbits($enabled_files); + $fbits = snort_resolve_flowbits($enabled_rules); /* Check for and disable any flowbit-required rules dependent upon */ /* disabled preprocessors if this option is enabled for the interface. */ 
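Review bot: In the rulesets loop the two lines `if (!is_array($enabled_files[$category])) $enabled_files[$category] = array();` are dead code: the next statement overwrites the entry with `$enabled_files[$category] = $file;`, and the map is only ever consulted with `isset()` afterwards, so the body reduces to `$enabled_files[basename($file, ".rules")] = $file;`. Separately, `$enabled_rules` is not initialised before the copy loop in this hunk, so if no rule matches an enabled category it stays undefined and is later passed to `snort_write_enforcing_rules_file()`; unless it is initialised above the hunk, an `$enabled_rules = array();` next to the existing `$enabled_files = array();` would make that path explicit. snort_prepare_rule_files() starts and ends outside the hunk.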
@@ -1968,14 +2149,13 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); snort_filter_preproc_rules($snortcfg, $fbits, true); } - snort_filter_preproc_rules($snortcfg, $fbits, true); snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}"); unset($fbits); } else /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); - unset($enabled_files); + unset($enabled_rules, $all_rules); } else { snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); @@ -2101,6 +2281,9 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa } } + /* Release memory we no longer need. */ + unset($rulem, $v, $preproc); + /***************************************************************/ /* If we are persisting the log from the last pass, then open */ /* the log file in append mode. Otherwise open in overwrite */ @@ -2239,8 +2422,7 @@ function snort_generate_conf($snortcfg) { $pfkill = ""; if ($snortcfg['blockoffenderskill'] == "on") $pfkill = "kill"; - /* No subnets to default addresses */ - $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); + $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname']); /* write whitelist */ @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; 
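Review bot: `unset($enabled_rules, $all_rules);` does not release the rules map as the comment intends: `$all_rules` is declared `global` in this function (hunk at -1893), so `unset()` only drops the local reference and the full map stays alive in `$GLOBALS` for the rest of the request. Assigning through the reference is what actually frees it: `$all_rules = array();`. The `$enabled_rules` part of the unset is fine as long as that variable is local, which the hunk suggests but does not show. snort_prepare_rule_files() continues outside the hunk.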
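Review bot: The whitelist produced by the changed `snort_build_list()` call is written on the next line with `@file_put_contents(...)` and the return value is discarded, so a failed write (permissions, full disk) is silent while the `output alert_pf:` line still points Snort at that path and blocking runs against whatever stale list is on disk. Drop the suppression and check the result, e.g. `if (file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)) === false)` followed by a `log_error()` naming the file. snort_generate_conf() starts and ends outside the hunk.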
@@ -2271,7 +2453,7 @@ function snort_generate_conf($snortcfg) { "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", - "sip_ports" => "5060, 5061", "auth_ports" => "113", "finger_ports" => "79", + "sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", "ssl_ports" => "443,465,563,636,989,990,992,993,994,995", @@ -2288,7 +2470,7 @@ function snort_generate_conf($snortcfg) { foreach ($snort_ports as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); - $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias])); + $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; } 
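Review bot: `preg_replace('/\s+/', ',', trim($snort_ports[$alias]))` still yields an empty list element when a value already contains a comma followed by a space: the `"5060, 5061"` spelling that the first hunk in this file fixes by hand would become `5060,,5061` in the `portvar` line, and an alias that expands to the same form hits the same gap the old `str_replace` had. Folding the comma into the character class covers both spellings: `preg_replace('/[\s,]+/', ',', trim($snort_ports[$alias], " \t,"))`. snort_generate_conf() continues outside the hunk.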
@@ -2302,41 +2484,53 @@ preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_u EOD; - $def_server_flow_depth_type = '300'; - if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) - $def_server_flow_depth_type = $snortcfg['server_flow_depth']; + /* Pull in the user-configurable HTTP_INSPECT global preprocessor options */ + $http_inspect_memcap = "150994944"; + if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_memcap = $snortcfg['http_inspect_memcap']; + /* Pull in the user-configurable HTTP_INSPECT server preprocessor options */ + $server_flow_depth = '300'; + if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) + $server_flow_depth = $snortcfg['server_flow_depth']; $http_server_profile = "all"; if (!empty($snortcfg['http_server_profile'])) $http_server_profile = $snortcfg['http_server_profile']; - - $def_client_flow_depth_type = '300'; + $client_flow_depth = '300'; if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) - $def_client_flow_depth_type = $snortcfg['client_flow_depth']; - + $client_flow_depth = $snortcfg['client_flow_depth']; if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect'])) - $noalert_http_inspect = "no_alerts "; + $noalert_http_inspect = "no_alerts"; else $noalert_http_inspect = ""; + $http_inspect_server_opts = "enable_cookie \\\n\textended_response_inspection \\\n\tnormalize_javascript \\\n"; + $http_inspect_server_opts .= "\tinspect_gzip \\\n\tnormalize_utf \\\n\tunlimited_decompress \\\n"; + $http_inspect_server_opts .= "\tnormalize_headers \\\n\tnormalize_cookies"; + if ($snortcfg['http_inspect_enable_xff'] == "on") + $http_inspect_server_opts .= " \\\n\tenable_xff"; + + /* If Stream5 is enabled, then we can enable the "log_uri" and "log_hostname" options */ + if ($snortcfg['stream5_reassembly'] == "on") { + if ($snortcfg['http_inspect_log_uri'] == "on") + 
$http_inspect_server_opts .= " \\\n\tlog_uri"; + if ($snortcfg['http_inspect_log_hostname'] == "on") + $http_inspect_server_opts .= " \\\n\tlog_hostname"; + } $http_ports = str_replace(",", " ", $snort_ports['http_ports']); + /* def http_inspect */ $http_inspect = <<Currently there are no FAQ items provided. Snort 2.9.4.1 - Services:2.9.4.1 pkg v. 2.5.7 + Services:2.9.4.1 pkg v. 2.5.8 /usr/local/pkg/snort/snort.inc Snort @@ -168,6 +168,16 @@ 077 http://www.pfsense.com/packages/config/snort/snort_log_view.php + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_list_view.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_rules_flowbits.php + diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 3fcbe6b7..eb0912c8 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -38,6 +38,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; +$supplist = array(); if ($_GET['instance']) $instanceid = $_GET['instance']; @@ -80,8 +81,10 @@ if ($_POST['todelete'] || $_GET['todelete']) { $ip = $_POST['todelete']; else if($_GET['todelete']) $ip = $_GET['todelete']; - if (is_ipaddr($ip)) + if (is_ipaddr($ip)) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); + $savemsg = "Host IP address {$ip} has been removed from the Bocked Hosts table."; + } } if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { 
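Review bot: The new `$savemsg` in the snort_alerts.php hunk at -80 carries the typo "Bocked Hosts" in a user-visible string: `$savemsg = "Host IP address {$ip} has been removed from the Blocked Hosts table.";`. The removal itself is still accepted from `$_GET['todelete']` as well as the POST field, which is context here rather than new code, but it means a state change is reachable from a plain link; restricting that branch to POST would be a reasonable follow-up.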
@@ -99,7 +102,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ $s_list = array(); $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress"; $s_list['uuid'] = uniqid(); - $s_list['descr'] = "Auto generted list for suppress"; + $s_list['descr'] = "Auto-generated list for suppress"; $s_list['suppresspassthru'] = base64_encode($suppress); $a_suppress[] = $s_list; $a_instance[$instanceid]['suppresslistname'] = $s_list['name']; @@ -115,6 +118,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ } } } + $savemsg = "GID:SID '{$_GET['gen_id']}:{$_GET['sidid']}' has been added to the Suppress List."; write_config(); sync_snort_package_config(); } @@ -157,6 +161,9 @@ if ($_POST['download']) { exit; } +/* Load up an array with the current Suppression List GID,SID values */ +$supplist = snort_load_suppress_sigs($a_instance[$instanceid]); + $pgtitle = "Services: Snort: Snort Alerts"; include_once("head.inc"); @@ -177,6 +184,9 @@ if ($pconfig['arefresh'] == 'on') if ($input_errors) { print_input_errors($input_errors); // TODO: add checks } + if ($savemsg) { + print_info_box($savemsg); + } ?>
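Review bot: The `$savemsg` added in the hunk at -115 interpolates `$_GET['gen_id']` and `$_GET['sidid']` verbatim; the enclosing `is_numeric()` guard admits spellings such as `" 12"`, `"1.0"` or `"1e3"`, so the message, and presumably the suppress entry built above the hunk from the same values, can carry a non-integer form of the id. Casting at the point of use keeps both canonical: `$savemsg = "GID:SID '" . (int)$_GET['gen_id'] . ":" . (int)$_GET['sidid'] . "' has been added to the Suppress List.";`. The `if` block this sits in starts outside the hunk.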
@@ -195,15 +205,14 @@ if ($pconfig['arefresh'] == 'on') @@ -244,8 +238,7 @@ function enable_change(enable_change) { +
@@ -256,7 +249,7 @@ function enable_change(enable_change) { @@ -264,7 +257,7 @@ function enable_change(enable_change) { @@ -272,11 +265,11 @@ function enable_change(enable_change) { - + @@ -308,7 +301,8 @@ function enable_change(enable_change) { > -
+    +
+ "Snort should inspect and whitelist."); ?> - + + ?> + +      "/> +
+ +

+  
+  
+ - + + ?> +    +  

+  
+  
+ @@ -424,10 +431,14 @@ function enable_change(enable_change) { } } ?> -
+ +      "/> +

 

  + "want this interface to use."); ?>
 
" . + gettext("Default option disables suppression and filtering."); ?> + - -
- +
- - + @@ -227,31 +236,32 @@ if ($pconfig['arefresh'] == 'on') - +
-
$instance) { $selected = ""; @@ -212,14 +221,14 @@ if ($pconfig['arefresh'] == 'on') echo "\n"; } ?> -
+   
- -    +
- + > - ', '', '', ''); ?> + ', '', '', ''); ?>   - ', '', '', ''); ?> + ', '', '', ''); ?>


   +
- - - - - - - - - - + + + + + + + + + + - \"Delete\""; + $alert_ip_src .= "
+ \"Remove"; } /* IP SRC Port */ $alert_src_p = $fields[7]; /* IP Destination */ $alert_ip_dst = $fields[8]; if (isset($tmpblocked[$fields[8]])) { - $alert_ip_dst .= " - \"Delete\""; + $alert_ip_dst .= "
+ \"Remove"; } /* IP DST Port */ $alert_dst_p = $fields[9]; /* SID */ - $alert_sid_str = "{$fields[1]}:{$fields[2]}:{$fields[3]}"; + $alert_sid_str = "{$fields[1]}:{$fields[2]}"; + if (!isset($supplist[$fields[1]][$fields[2]])) { + $sidsupplink = ""; + $sidsupplink .= ""; + } + else { + $sidsupplink = ""; + } $alert_class = $fields[11]; echo " - - - - - - - - - - + + + + + + + + + + \n"; $counter++; diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 295218f6..bd7cabbc 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -134,7 +134,7 @@ if ($pconfig['brefresh'] == 'on') -
{$alert_date}{$alert_priority}{$alert_proto}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p} - {$alert_sid_str} - - - {$alert_descr}{$alert_date}
{$alert_time}
{$alert_priority}{$alert_proto}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p}{$alert_sid_str}
{$sidsupplink}
{$alert_descr}
+
+ + +
- +
- - + + + + -
  
- +    
- > - ', '', '', ''); ?> ', '', '', ''); ?>   ', '', '', ''); ?>
- - - - - - - +
#
+ + + + + + + $blocked_msg) { - $blocked_desc = "
" . implode("
", $blocked_msg); + $blocked_desc = implode("
", $blocked_msg); if($counter > $bnentries) break; else @@ -244,22 +244,35 @@ if ($pconfig['brefresh'] == 'on') /* use one echo to do the magic*/ echo " - - - - + + + \n"; } - echo "\n"; - } else - echo "\n"; - ?> + } + ?> +
#
 {$counter} {$blocked_ip} {$blocked_desc} + {$counter}{$blocked_ip}{$blocked_desc} \"Delete\"
{$counter} items listed.

There are currently no items being blocked by snort.
+
+ 1) + echo "{$counter}" . gettext(" host IP addresses are currently being blocked."); + else + echo "{$counter}" . gettext(" host IP address is currently being blocked."); + } + else { + echo gettext("There are currently no hosts being blocked by Snort."); + } + ?> +
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index f69c3b98..c1c9ce46 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -36,7 +36,7 @@ require_once("service-utils.inc"); global $snort_gui_include, $vrt_enabled, $et_enabled, $rebuild_rules, $snort_rules_upd_log; global $protect_preproc_rules, $is_postinstall, $snort_community_rules_filename; -global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename; +global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename, $g; $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; @@ -558,8 +558,8 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = exec("/bin/rm -r {$snortdir}/tmp"); } - /* Restart snort if already running to pick up the new rules. */ - if (is_process_running("snort")) { + /* Restart snort if already running and we are not rebooting to pick up the new rules. */ + if (is_process_running("snort") && !$g['booting']) { update_status(gettext('Restarting Snort to activate the new set of rules...')); error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log); restart_service("snort"); diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 36319977..f2250236 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -88,18 +88,6 @@ include_once("head.inc"); ' . $pgtitle . '

';}?> ' . $pgtitle . '

';}?>
- > -
-
+    +


-
- onClick="enable_change(false)">
+ onClick="enable_change(false)">
- onClick="enable_blockoffenders()">
+ onClick="enable_blockoffenders()">
> -
+
-
+    +
> -
-
+ +
" . + gettext("Most of this is already done at the firewall/filter level, so it is usually safe to check this box."); ?>
+
-
 
 
-  

-  
 
-  

-
 

 
-
  + ?> + +      "/> +
+
 
 
+  
-
- + "/> +
 
- +
" . + gettext("Please save your settings before you attempt to start Snort."); ?>
@@ -458,8 +469,61 @@ function enable_change(enable_change) {
diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 782b9784..1d2ad225 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -58,7 +58,7 @@ function is_validwhitelistname($name) { if (!is_string($name)) return false; - if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + if (!preg_match("/[^a-zA-Z0-9\_\.\/]/", $name)) return true; return false; @@ -88,7 +88,7 @@ if ($_POST['submit']) { $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; if (is_validwhitelistname($_POST['name']) == false) - $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; + $input_errors[] = "Whitelist file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."; /* check for name conflicts */ foreach ($a_suppress as $s_list) { @@ -151,8 +151,8 @@ if ($savemsg)
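Review bot: The tightened pattern `"/[^a-zA-Z0-9\_\.\/]/"` in `is_validwhitelistname()` still accepts `.` and `/`, while the new error text in the hunk at -88 tells the user only `a-z, A-Z, 0-9 and _` are allowed, so the check and the message disagree. The name is later used as a path component (`{$snortcfgdir}/{$snortcfg['whitelistname']}` in snort.inc), which makes dots and slashes exactly the characters a filename validator should refuse; dropping them from the class aligns the code with the message: `if (!preg_match("/[^a-zA-Z0-9_]/", $name))`. The same pattern and message appear in the snort_interfaces_whitelist_edit.php hunks at -66 and -102 and should change together.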
- + "characters \"a-z, A-Z, 0-9 and _\"."); ?>   + diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index 378530ba..2f2afdad 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -66,7 +66,7 @@ function is_validwhitelistname($name) { if (!is_string($name)) return false; - if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + if (!preg_match("/[^a-zA-Z0-9\_\.\/]/", $name)) return true; return false; @@ -80,6 +80,7 @@ if (isset($id) && $a_whitelist[$id]) { $pconfig['detail'] = $a_whitelist[$id]['detail']; $pconfig['address'] = $a_whitelist[$id]['address']; $pconfig['descr'] = html_entity_decode($a_whitelist[$id]['descr']); + $pconfig['localnets'] = $a_whitelist[$id]['localnets']; $pconfig['wanips'] = $a_whitelist[$id]['wanips']; $pconfig['wangateips'] = $a_whitelist[$id]['wangateips']; $pconfig['wandnsips'] = $a_whitelist[$id]['wandnsips']; @@ -102,7 +103,7 @@ if ($_POST['submit']) { $input_errors[] = gettext("Whitelist file names may not be named defaultwhitelist."); if (is_validwhitelistname($_POST['name']) == false) - $input_errors[] = gettext("Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."); + $input_errors[] = gettext("Whitelist file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."); /* check for name conflicts */ foreach ($a_whitelist as $w_list) { @@ -124,6 +125,7 @@ if ($_POST['submit']) { /* post user input */ $w_list['name'] = $_POST['name']; $w_list['uuid'] = $whitelist_uuid; + $w_list['localnets'] = $_POST['localnets']? 'yes' : 'no'; $w_list['wanips'] = $_POST['wanips']? 'yes' : 'no'; $w_list['wangateips'] = $_POST['wangateips']? 'yes' : 'no'; $w_list['wandnsips'] = $_POST['wandnsips']? 'yes' : 'no'; @@ -179,8 +181,8 @@ if ($savemsg)
- + "characters \"a-z, A-Z, 0-9 and _\"."); ?>   + @@ -190,24 +192,33 @@ if ($savemsg) "reference (not parsed)."); ?> - + + + + + /> + + + /> - + - + /> - + /> @@ -228,11 +239,11 @@ if ($savemsg) - + -
+
diff --git a/config/snort/snort_list_view.php b/config/snort/snort_list_view.php new file mode 100644 index 00000000..b7de064b --- /dev/null +++ b/config/snort/snort_list_view.php @@ -0,0 +1,103 @@ + + + + + + + + +
+ + + + +
+ + + + + + + + + + + +
Snort:
+ + +  ' . $_GET['wlist']; ?>     +
+
+ +
+
+
+
+ + + diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index cf6146cf..705dfe24 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php 
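Review bot: The heading of the new snort_list_view.php appears to concatenate `$_GET['wlist']` straight into the page (the `' . $_GET['wlist']; ?>` fragment near the top of the body); the extraction of this file is garbled, so confirm against the source, but if it is echoed unescaped it should pass through `htmlspecialchars($_GET['wlist'])` like any request value rendered into HTML. If the same parameter also selects the list file shown, validating it against the configured list names before use would be the matching server-side check.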
@@ -59,20 +59,41 @@ $pconfig = array(); if (isset($id) && $a_nat[$id]) { $pconfig = $a_nat[$id]; - /* new options */ + /* Get current values from config for page form fields */ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth']; $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile']; $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth']; + $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly']; + $pconfig['stream5_require_3whs'] = $a_nat[$id]['stream5_require_3whs']; + $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp']; + $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp']; + $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp']; $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; + $pconfig['stream5_overlap_limit'] = $a_nat[$id]['stream5_overlap_limit']; + $pconfig['stream5_policy'] = $a_nat[$id]['stream5_policy']; $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap']; + $pconfig['stream5_tcp_timeout'] = $a_nat[$id]['stream5_tcp_timeout']; + $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout']; + $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout']; + $pconfig['stream5_no_reassemble_async'] = $a_nat[$id]['stream5_no_reassemble_async']; + $pconfig['stream5_dont_store_lg_pkts'] = $a_nat[$id]['stream5_dont_store_lg_pkts']; $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap']; + $pconfig['http_inspect_enable_xff'] = $a_nat[$id]['http_inspect_enable_xff']; + $pconfig['http_inspect_log_uri'] = $a_nat[$id]['http_inspect_log_uri']; + $pconfig['http_inspect_log_hostname'] = $a_nat[$id]['http_inspect_log_hostname']; $pconfig['noalert_http_inspect'] = $a_nat[$id]['noalert_http_inspect']; $pconfig['other_preprocs'] = 
$a_nat[$id]['other_preprocs']; $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; + $pconfig['pscan_protocol'] = $a_nat[$id]['pscan_protocol']; + $pconfig['pscan_type'] = $a_nat[$id]['pscan_type']; + $pconfig['pscan_sense_level'] = $a_nat[$id]['pscan_sense_level']; + $pconfig['pscan_memcap'] = $a_nat[$id]['pscan_memcap']; + $pconfig['pscan_ignore_scanners'] = $a_nat[$id]['pscan_ignore_scanners']; $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; 
@@ -85,17 +106,24 @@ if (isset($id) && $a_nat[$id]) { $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc']; $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable']; $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules']; + $pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection']; + $pconfig['frag3_overlap_limit'] = $a_nat[$id]['frag3_overlap_limit']; + $pconfig['frag3_min_frag_len'] = $a_nat[$id]['frag3_min_frag_len']; + $pconfig['frag3_policy'] = $a_nat[$id]['frag3_policy']; + $pconfig['frag3_max_frags'] = $a_nat[$id]['frag3_max_frags']; + $pconfig['frag3_memcap'] = $a_nat[$id]['frag3_memcap']; + $pconfig['frag3_timeout'] = $a_nat[$id]['frag3_timeout']; /* If not using the Snort VRT rules, then disable */ /* the Sensitive Data (sdf) preprocessor. */ if ($vrt_enabled == "off") $pconfig['sensitive_data'] = "off"; - /**********************************************************/ - /* To keep new users from shooting themselves in the foot */ - /* enable the most common and necessary preprocessors by */ - /* default. */ - /**********************************************************/ + /************************************************************/ + /* To keep new users from shooting themselves in the foot */ + /* enable the most common required preprocessors by default */ + /* and set reasonable values for any options. */ + /************************************************************/ if (empty($pconfig['ftp_preprocessor'])) $pconfig['ftp_preprocessor'] = 'on'; if (empty($pconfig['smtp_preprocessor'])) 
@@ -114,29 +142,152 @@ if (isset($id) && $a_nat[$id]) { $pconfig['sip_preproc'] = 'on'; if (empty($pconfig['other_preprocs'])) $pconfig['other_preprocs'] = 'on'; + if (empty($pconfig['http_inspect_memcap'])) + $pconfig['http_inspect_memcap'] = "150994944"; + if (empty($pconfig['frag3_overlap_limit'])) + $pconfig['frag3_overlap_limit'] = '0'; + if (empty($pconfig['frag3_min_frag_len'])) + $pconfig['frag3_min_frag_len'] = '0'; + if (empty($pconfig['frag3_max_frags'])) + $pconfig['frag3_max_frags'] = '8192'; + if (empty($pconfig['frag3_policy'])) + $pconfig['frag3_policy'] = 'bsd'; + if (empty($pconfig['frag3_memcap'])) + $pconfig['frag3_memcap'] = '4194304'; + if (empty($pconfig['frag3_timeout'])) + $pconfig['frag3_timeout'] = '60'; + if (empty($pconfig['frag3_detection'])) + $pconfig['frag3_detection'] = 'on'; + if (empty($pconfig['stream5_reassembly'])) + $pconfig['stream5_reassembly'] = 'on'; + if (empty($pconfig['stream5_track_tcp'])) + $pconfig['stream5_track_tcp'] = 'on'; + if (empty($pconfig['stream5_track_udp'])) + $pconfig['stream5_track_udp'] = 'on'; + if (empty($pconfig['stream5_track_icmp'])) + $pconfig['stream5_track_icmp'] = 'off'; + if (empty($pconfig['stream5_require_3whs'])) + $pconfig['stream5_require_3whs'] = 'off'; + if (empty($pconfig['stream5_overlap_limit'])) + $pconfig['stream5_overlap_limit'] = '0'; + if (empty($pconfig['stream5_tcp_timeout'])) + $pconfig['stream5_tcp_timeout'] = '30'; + if (empty($pconfig['stream5_udp_timeout'])) + $pconfig['stream5_udp_timeout'] = '30'; + if (empty($pconfig['stream5_icmp_timeout'])) + $pconfig['stream5_icmp_timeout'] = '30'; + if (empty($pconfig['stream5_no_reassemble_async'])) + $pconfig['stream5_no_reassemble_async'] = 'off'; + if (empty($pconfig['stream5_dont_store_lg_pkts'])) + $pconfig['stream5_dont_store_lg_pkts'] = 'off'; + if (empty($pconfig['stream5_policy'])) + $pconfig['stream5_policy'] = 'bsd'; + if (empty($pconfig['pscan_protocol'])) + $pconfig['pscan_protocol'] = 'all'; + if 
(empty($pconfig['pscan_type'])) + $pconfig['pscan_type'] = 'all'; + if (empty($pconfig['pscan_memcap'])) + $pconfig['pscan_memcap'] = '10000000'; + if (empty($pconfig['pscan_sense_level'])) + $pconfig['pscan_sense_level'] = 'medium'; } /* Define the "disabled_preproc_rules.log" file for this interface */ $iface = snort_get_friendly_interface($pconfig['interface']); $disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; -if ($_POST) { +if ($_POST['ResetAll']) { + + /* Reset all the preprocessor settings to defaults */ + $pconfig['perform_stat'] = "off"; + $pconfig['server_flow_depth'] = "300"; + $pconfig['http_server_profile'] = "all"; + $pconfig['client_flow_depth'] = "300"; + $pconfig['stream5_reassembly'] = "on"; + $pconfig['stream5_require_3whs'] = "off"; + $pconfig['stream5_track_tcp'] = "on"; + $pconfig['stream5_track_udp'] = "on"; + $pconfig['stream5_track_icmp'] = "off"; + $pconfig['max_queued_bytes'] = "1048576"; + $pconfig['max_queued_segs'] = "2621"; + $pconfig['stream5_overlap_limit'] = "0"; + $pconfig['stream5_policy'] = "bsd"; + $pconfig['stream5_mem_cap'] = "8388608"; + $pconfig['stream5_tcp_timeout'] = "30"; + $pconfig['stream5_udp_timeout'] = "30"; + $pconfig['stream5_icmp_timeout'] = "30"; + $pconfig['stream5_no_reassemble_async'] = "off"; + $pconfig['stream5_dont_store_lg_pkts'] = "off"; + $pconfig['http_inspect'] = "on"; + $pconfig['http_inspect_enable_xff'] = "off"; + $pconfig['http_inspect_log_uri'] = "off"; + $pconfig['http_inspect_log_hostname'] = "off"; + $pconfig['noalert_http_inspect'] = "on"; + $pconfig['http_inspect_memcap'] = "150994944"; + $pconfig['other_preprocs'] = "on"; + $pconfig['ftp_preprocessor'] = "on"; + $pconfig['smtp_preprocessor'] = "on"; + $pconfig['sf_portscan'] = "off"; + $pconfig['pscan_protocol'] = "all"; + $pconfig['pscan_type'] = "all"; + $pconfig['pscan_sense_level'] = "medium"; + $pconfig['pscan_ignore_scanners'] = ""; + $pconfig['pscan_memcap'] = '10000000'; + $pconfig['dce_rpc_2'] = "on"; + 
$pconfig['dns_preprocessor'] = "on"; + $pconfig['sensitive_data'] = "off"; + $pconfig['ssl_preproc'] = "on"; + $pconfig['pop_preproc'] = "on"; + $pconfig['imap_preproc'] = "on"; + $pconfig['sip_preproc'] = "on"; + $pconfig['dnp3_preproc'] = "off"; + $pconfig['modbus_preproc'] = "off"; + $pconfig['gtp_preproc'] = "off"; + $pconfig['preproc_auto_rule_disable'] = "off"; + $pconfig['protect_preproc_rules'] = "off"; + $pconfig['frag3_detection'] = "on"; + $pconfig['frag3_overlap_limit'] = "0"; + $pconfig['frag3_min_frag_len'] = "0"; + $pconfig['frag3_policy'] = "bsd"; + $pconfig['frag3_max_frags'] = "8192"; + $pconfig['frag3_memcap'] = "4194304"; + $pconfig['frag3_timeout'] = "60"; + + /* Log a message at the top of the page to inform the user */ + $savemsg = "All preprocessor settings have been reset to the defaults."; +} +elseif ($_POST['Submit']) { $natent = array(); $natent = $pconfig; if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners'])) - $input_errors[] = "Only aliases are allowed"; + $input_errors[] = "Only aliases are allowed for the Portscan IGNORE_SCANNERS option."; /* if no errors write to conf */ if (!$input_errors) { /* post new options */ - if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = ""; } + if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; } if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } - if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = ""; } - if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } - if ($_POST['max_queued_segs'] != "") { 
$natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } - if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = ""; } + if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; } + if ($_POST['http_inspect_memcap'] != "") { $natent['http_inspect_memcap'] = $_POST['http_inspect_memcap']; }else{ $natent['http_inspect_memcap'] = "150994944"; } + if ($_POST['stream5_overlap_limit'] != "") { $natent['stream5_overlap_limit'] = $_POST['stream5_overlap_limit']; }else{ $natent['stream5_overlap_limit'] = "0"; } + if ($_POST['stream5_policy'] != "") { $natent['stream5_policy'] = $_POST['stream5_policy']; }else{ $natent['stream5_policy'] = "bsd"; } + if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = "8388608"; } + if ($_POST['stream5_tcp_timeout'] != "") { $natent['stream5_tcp_timeout'] = $_POST['stream5_tcp_timeout']; }else{ $natent['stream5_tcp_timeout'] = "30"; } + if ($_POST['stream5_udp_timeout'] != "") { $natent['stream5_udp_timeout'] = $_POST['stream5_udp_timeout']; }else{ $natent['stream5_udp_timeout'] = "30"; } + if ($_POST['stream5_icmp_timeout'] != "") { $natent['stream5_icmp_timeout'] = $_POST['stream5_icmp_timeout']; }else{ $natent['stream5_icmp_timeout'] = "30"; } + if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = "1048576"; } + if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = "2621"; } + if ($_POST['pscan_protocol'] != "") { $natent['pscan_protocol'] = $_POST['pscan_protocol']; }else{ $natent['pscan_protocol'] = "all"; } + if ($_POST['pscan_type'] != "") { $natent['pscan_type'] = $_POST['pscan_type']; }else{ 
$natent['pscan_type'] = "all"; } + if ($_POST['pscan_memcap'] != "") { $natent['pscan_memcap'] = $_POST['pscan_memcap']; }else{ $natent['pscan_memcap'] = "10000000"; } if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; } + if ($_POST['frag3_overlap_limit'] != "") { $natent['frag3_overlap_limit'] = $_POST['frag3_overlap_limit']; }else{ $natent['frag3_overlap_limit'] = "0"; } + if ($_POST['frag3_min_frag_len'] != "") { $natent['frag3_min_frag_len'] = $_POST['frag3_min_frag_len']; }else{ $natent['frag3_min_frag_len'] = "0"; } + if ($_POST['frag3_policy'] != "") { $natent['frag3_policy'] = $_POST['frag3_policy']; }else{ $natent['frag3_policy'] = "bsd"; } + if ($_POST['frag3_max_frags'] != "") { $natent['frag3_max_frags'] = $_POST['frag3_max_frags']; }else{ $natent['frag3_max_frags'] = "8192"; } + if ($_POST['frag3_memcap'] != "") { $natent['frag3_memcap'] = $_POST['frag3_memcap']; }else{ $natent['frag3_memcap'] = "4194304"; } + if ($_POST['frag3_timeout'] != "") { $natent['frag3_timeout'] = $_POST['frag3_timeout']; }else{ $natent['frag3_timeout'] = "60"; } if ($_POST['pscan_ignore_scanners']) $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; @@ -145,6 +296,9 @@ if ($_POST) { $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; + $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off'; + $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off'; + $natent['http_inspect_log_hostname'] = $_POST['http_inspect_log_hostname'] ? 'on' : 'off'; $natent['noalert_http_inspect'] = $_POST['noalert_http_inspect'] ? 'on' : 'off'; $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off'; $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off'; 
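Review bot: The Submit branch copies every numeric preprocessor setting (`http_inspect_memcap`, the `stream5_*` timeouts and caps, `max_queued_*`, `pscan_memcap`, the `frag3_*` limits) from `$_POST` into the config with only an empty-string check, and snort.inc then interpolates them into snort.conf, so a typo such as a trailing letter or a stray space is stored as-is and surfaces only as a Snort start failure. The `$input_errors` path already exists for the alias field; a loop over the numeric names that rejects non-numeric input before the `if (!$input_errors)` block closes the gap. `is_numeric()` rather than `ctype_digit()` is used below so that a negative value remains admissible if the flow-depth options are meant to accept one. The `if ($_POST['ResetAll']) … elseif ($_POST['Submit'])` block continues into the next hunk.
```php
elseif ($_POST['Submit']) {
    $natent = array();
    $natent = $pconfig;

    /* Reject non-numeric values before they are written to snort.conf */
    $numeric_opts = array('server_flow_depth', 'client_flow_depth', 'http_inspect_memcap',
        'stream5_overlap_limit', 'stream5_mem_cap', 'stream5_tcp_timeout',
        'stream5_udp_timeout', 'stream5_icmp_timeout', 'max_queued_bytes',
        'max_queued_segs', 'pscan_memcap', 'frag3_overlap_limit', 'frag3_min_frag_len',
        'frag3_max_frags', 'frag3_memcap', 'frag3_timeout');
    foreach ($numeric_opts as $opt) {
        if ($_POST[$opt] != "" && !is_numeric($_POST[$opt]))
            $input_errors[] = "The value for {$opt} must be numeric.";
    }

    // … unchanged: alias check and config writes …
```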
@@ -163,6 +317,14 @@ if ($_POST) { $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off'; $natent['preproc_auto_rule_disable'] = $_POST['preproc_auto_rule_disable'] ? 'on' : 'off'; $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off'; + $natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off'; + $natent['stream5_reassembly'] = $_POST['stream5_reassembly'] ? 'on' : 'off'; + $natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off'; + $natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off'; + $natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off'; + $natent['stream5_require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off'; + $natent['stream5_no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off'; + $natent['stream5_dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off'; /* If 'preproc_auto_rule_disable' is off, then clear log file */ if ($natent['preproc_auto_rule_disable'] == 'off') @@ -201,10 +363,10 @@ if ($_POST) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_real} Preprocessors and Flow"; +$pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow"; include_once("head.inc"); ?> - + ' . $pgtitle . '

';} @@ -227,24 +389,6 @@ include_once("head.inc"); - -
@@ -275,24 +419,25 @@ h += 96; - + + > + @@ -300,9 +445,9 @@ h += 96; @@ -364,10 +555,10 @@ h += 96; > -   
- All. "); ?> - -
+   " . gettext("All") . ""; ?>
+
@@ -376,7 +567,7 @@ h += 96;
- onClick="enable_change(false)">
'on') echo "disabled"; ?> - onClick="enable_change(false)"> + if ($vrt_enabled <> 'on') echo "disabled"; ?>> + + " . gettext("Hint: ") . "" . + gettext("Most users should leave this unchecked."); ?>
 

- ', ''); ?>
- onClick="enable_change(false)"> ' . gettext("Not Checked."); ?>
+ > + ' . gettext("Not Checked"); ?>.
@@ -329,11 +474,57 @@ h += 96; + . + + + + + + + + + + + + + + + + @@ -341,16 +532,16 @@ h += 96;
 
- onClick="enable_change(false)"> > + -
> + + .
> + + .
> + + .
+ + + + +
   + " . gettext("2304") . "" . gettext(" and Max is ") . "" . + gettext("603979776") . "" . gettext(" (576 MB)"); ?>.
+ " . gettext("150,994,944") . "" . gettext(" (144 MB)."); ?> + .
+
  -1 " . "to 65535 (-1 disables HTTP " . "inspect, 0 enables all HTTP inspect)"); ?>

+ "performance may increase by adjusting this value."); ?>
300"); ?>
+ "are specified in bytes. Recommended setting is maximum (65535). Default value is 300"); ?>
@@ -385,21 +576,174 @@ h += 96;
300"); ?>
+ "are specified in bytes. Recommended setting is maximum (1460). Default value is 300"); ?>
+ . + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + "means Maximum )"); ?>.
-1 " . "to 1460 (-1 disables HTTP " . "inspect, 0 enables all HTTP inspect)"); ?>
onClick="enable_change(false)"> -
+ onClick="enable_change(false)"> + " . gettext("Checked") . ""; ?>.
+ + + + +
+ .
+ " . gettext("4MB") . ""; ?>.
+
+ + + + +
+
+ 8192."; ?>
+
+ + + + +
+ 0" . gettext(" (unlimited), values greater than zero set the overlapped fragments per packet limit."); ?>
+ 0" . gettext(" (unlimited)."); ?>
+
+ + + + +
+ 0" . gettext(" (check is disabled). Fragments smaller than or equal to this limit are considered malicious."); ?>
+ 0" . gettext(" (check is disabled)."); ?>
+
+ + + + +
+
+ " . gettext("60 ") . "" . gettext("seconds."); ?>
+
+   " . gettext("BSD") . ""; ?>.
+
"> + " . gettext("Checked") . ""; ?>.
+ > + " . gettext("Checked") . "."; ?> +
+ > + " . gettext("Checked") . "."; ?> +
+ > + " . gettext("Not Checked") . "."; ?> +
> + " . gettext("Not Checked") . ""; ?>.
> + " . gettext("Not Checked") . ""; ?>.
+ > + " . gettext("Not Checked") . ""; ?>.
+ " . gettext("Warning: ") . "" . + gettext("Enabing this option could result in missed packets. Recommended setting is not checked."); ?>
@@ -410,11 +754,11 @@ h += 96; value=""> 1024, Maximum is 1073741824 " . "( default value is 1048576, 0 " . - "means Maximum )"); ?>
1048576"); ?>
+ "memory. Default value is 1048576"); ?>.
@@ -427,11 +771,11 @@ h += 96; value=""> 2, Maximum is 1073741824 " . "( default value is 2621, 0 means " . - "Maximum )"); ?> + "Maximum )"); ?>. 2621"); ?>
+ "in memory. Default value is 2621"); ?>.
@@ -443,25 +787,152 @@ h += 96; id="stream5_mem_cap" size="6" value=""> 32768, Maximum is 1073741824 " . - "( default value is 8388608) "); ?> + "( default value is 8388608) "); ?>. 8388608 (8 MB)"); ?>
+ "in RAM. Default value is 8388608 (8 MB)"); ?>.
+ + + + + + + + + +
+ 0" . gettext(" (unlimited), and the maximum is ") . + "255."; ?>
+ 0" . gettext(" (unlimited)."); ?>
+ + + + + + + + + +
+ 1" . gettext(" and the maximum is ") . + "86400" . gettext(" (approximately 1 day)"); ?>.
+ 30" . gettext(" seconds."); ?>
+ + + + + + + + + +
+ 1" . gettext(" and the maximum is ") . + "86400" . gettext(" (approximately 1 day)"); ?>.
+ 30" . gettext(" seconds."); ?>
+ + + + + + + + + +
+ 1" . gettext(" and the maximum is ") . + "86400" . gettext(" (approximately 1 day)"); ?>.
+ 30" . gettext(" seconds."); ?>
+ + + + + +   " . gettext("BSD") . ""; ?>.
+
-
- - onClick="enable_change(false)">
- + > + " . gettext("Not Checked") . ""; ?>. + + + + +   " . gettext("all") . "."; ?>
+ + + + + +   " . gettext("all") . "."; ?>
+ + + + + + + + + + + + + + + + +
one scan; one host scans multiple ports on another host."); ?>
many scan; one host scans a single port on multiple hosts."); ?>
one scan; attacker has spoofed source address inter-mixed with real scanning address."); ?>
one scan; multiple hosts query one host for open services."); ?>
+ @@ -474,22 +945,51 @@ h += 96; > -
- -
- -
- -
+   " . gettext("Medium") . "."; ?>
+ + + + + + + + + + +
+
+
+
+ + + + + + + + + +
+ " . gettext("10000000") . "" . + gettext(" (10 MB)"); ?>.
+ 10,000,000" . gettext(" bytes. (10 MB)"); ?>
- + +

- + value="">  " . gettext("\$HOME_NET") . ""; ?>.
+
+ @@ -498,78 +998,70 @@ h += 96; - onClick="enable_change(false)">
+ > " . gettext("Checked") . ""; ?> + "" . gettext("Checked") . ""; ?>.
- onClick="enable_change(false)">
+ > " . gettext("Checked") . ""; ?> + "" . gettext("Checked") . ""; ?>.
- onClick="enable_change(false)">
+ > " . gettext("Checked") . ""; ?> + "" . gettext("Checked") . ""; ?>.
- onClick="enable_change(false)">
+ > " . gettext("Checked") . ""; ?> + "" . gettext("Checked") . ""; ?>.
- onClick="enable_change(false)">
+ > " . gettext("Checked") . ""; ?> + "" . gettext("Checked") . ""; ?>.
- onClick="enable_change(false)">
+ > " . gettext("Checked") . ""; ?> + "" . gettext("Checked") . ""; ?>.
- onClick="enable_change(false)">
+ > " . gettext("Checked") . ""; ?> + "" . gettext("Checked") . ""; ?>.
- onClick="enable_change(false)">
+ > @@ -577,20 +1069,17 @@ h += 96; - onClick="enable_change(false)">
- " . gettext("Checked") . ""; ?> + > + " . gettext("Checked") . ""; ?>.
- onClick="enable_change(false)">
+ > " . gettext("Checked") . ""; ?> - + "" . gettext("Checked") . ""; ?>.
@@ -600,9 +1089,9 @@ h += 96; echo "checked"; elseif ($vrt_enabled == "off") echo "disabled"; - ?> - onClick="enable_change(false)">
-
+ ?>> + +
@@ -613,32 +1102,34 @@ h += 96;
- onClick="enable_change(false)">
- + > + " . + gettext("If your network does not contain Modbus-enabled devices, you should leave this preprocessor disabled."); ?>
- onClick="enable_change(false)">
- + > + " . + gettext("If your network does not contain DNP3-enabled devices, you should leave this preprocessor disabled."); ?>   - - + "/> +      + />   - -
+
@@ -678,6 +1169,119 @@ function createAutoSuggest() { setTimeout("createAutoSuggest();", 500); +function frag3_enable_change() { + if (!document.iform.frag3_detection.checked) { + var msg = "WARNING: Disabling the Frag3 preprocessor is not recommended!\n\n"; + msg = msg + "Snort may fail to start because of other dependent preprocessors or "; + msg = msg + "rule options. Are you sure you want to disable it?\n\n"; + msg = msg + "Click OK to disable Frag3, or CANCEL to quit."; + if (!confirm(msg)) { + document.iform.frag3_detection.checked=true; + } + } + var endis = !(document.iform.frag3_detection.checked); + document.iform.frag3_overlap_limit.disabled=endis; + document.iform.frag3_min_frag_len.disabled=endis; + document.iform.frag3_policy.disabled=endis; + document.iform.frag3_max_frags.disabled=endis; + document.iform.frag3_memcap.disabled=endis; + document.iform.frag3_timeout.disabled=endis; +} + +function http_inspect_enable_change() { + var endis = !(document.iform.http_inspect.checked); + document.iform.http_inspect_enable_xff.disabled=endis; + document.iform.server_flow_depth.disabled=endis; + document.iform.client_flow_depth.disabled=endis; + document.iform.http_server_profile.disabled=endis; + document.iform.http_inspect_memcap.disabled=endis; + document.iform.http_inspect_log_uri.disabled=endis; + document.iform.http_inspect_log_hostname.disabled=endis; +} + +function sf_portscan_enable_change() { + var endis = !(document.iform.sf_portscan.checked); + document.iform.pscan_protocol.disabled=endis; + document.iform.pscan_type.disabled=endis; + document.iform.pscan_memcap.disabled=endis; + document.iform.pscan_sense_level.disabled=endis; + document.iform.pscan_ignore_scanners.disabled=endis; +} + +function stream5_enable_change() { + if (!document.iform.stream5_reassembly.checked) { + var msg = "WARNING: Stream5 is a critical preprocessor, and disabling it is not recommended! 
";
+ msg = msg + "The following preprocessors require Stream5 and will be automatically disabled if currently enabled:\n\n";
+ msg = msg + " SMTP\t\tPOP\t\tSIP\n";
+ msg = msg + " SENSITIVE_DATA\tSF_PORTSCAN\tDCE/RPC 2\n";
+ msg = msg + " IMAP\t\tDNS\t\tSSL\n";
+ msg = msg + " GTP\t\tDNP3\t\tMODBUS\n\n";
+ msg = msg + "Snort may fail to start because of other preprocessors or rule options dependent on Stream5. ";
+ msg = msg + "Are you sure you want to disable it?\n\n";
+ msg = msg + "Click OK to disable Stream5, or CANCEL to quit.";
+ if (!confirm(msg)) {
+ document.iform.stream5_reassembly.checked=true;
+ }
+ else {
+ alert("If Snort fails to start with Stream5 disabled, examine the system log for clues.");
+ document.iform.smtp_preprocessor.checked=false;
+ document.iform.dce_rpc_2.checked=false;
+ document.iform.sip_preproc.checked=false;
+ document.iform.sensitive_data.checked=false;
+ document.iform.imap_preproc.checked=false;
+ document.iform.pop_preproc.checked=false;
+ document.iform.ssl_preproc.checked=false;
+ document.iform.dns_preprocessor.checked=false;
+ document.iform.modbus_preproc.checked=false;
+ document.iform.dnp3_preproc.checked=false;
+ document.iform.sf_portscan.checked=false;
+ sf_portscan_enable_change();
+ }
+ }
+
+ var endis = !(document.iform.stream5_reassembly.checked);
+ document.iform.max_queued_bytes.disabled=endis;
+ document.iform.max_queued_segs.disabled=endis;
+ document.iform.stream5_mem_cap.disabled=endis;
+ document.iform.stream5_policy.disabled=endis;
+ document.iform.stream5_overlap_limit.disabled=endis;
+ document.iform.stream5_no_reassemble_async.disabled=endis;
+ document.iform.stream5_dont_store_lg_pkts.disabled=endis;
+ document.iform.stream5_tcp_timeout.disabled=endis;
+ document.iform.stream5_udp_timeout.disabled=endis;
+ document.iform.stream5_icmp_timeout.disabled=endis;
+}
+
+function enable_change_all() {
+ http_inspect_enable_change();
+ sf_portscan_enable_change();
+
+ // Enable/Disable Frag3 settings
+ var 
endis = !(document.iform.frag3_detection.checked); + document.iform.frag3_overlap_limit.disabled=endis; + document.iform.frag3_min_frag_len.disabled=endis; + document.iform.frag3_policy.disabled=endis; + document.iform.frag3_max_frags.disabled=endis; + document.iform.frag3_memcap.disabled=endis; + document.iform.frag3_timeout.disabled=endis; + + // Enable/Disable Stream5 settings + endis = !(document.iform.stream5_reassembly.checked); + document.iform.max_queued_bytes.disabled=endis; + document.iform.max_queued_segs.disabled=endis; + document.iform.stream5_mem_cap.disabled=endis; + document.iform.stream5_policy.disabled=endis; + document.iform.stream5_overlap_limit.disabled=endis; + document.iform.stream5_no_reassemble_async.disabled=endis; + document.iform.stream5_dont_store_lg_pkts.disabled=endis; + document.iform.stream5_tcp_timeout.disabled=endis; + document.iform.stream5_udp_timeout.disabled=endis; + document.iform.stream5_icmp_timeout.disabled=endis; +} + +// Set initial state of form controls +enable_change_all(); + diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 46c3c264..609eb052 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -67,7 +67,7 @@ function truncate($string, $length) { * truncation was necessary. * ********************************/ if (strlen($string) > $length) - $string = substr($string, 0, ($length - 3)) . "..."; + $string = substr($string, 0, ($length - 2)) . "..."; return $string; } @@ -300,17 +300,6 @@ function go() if (destination) location.href = destination; } -function popup(url) -{ - params = 'width='+screen.width; - params += ', height='+screen.height; - params += ', top=0, left=0' - params += ', fullscreen=yes'; - - newwin=window.open(url,'windowname4', params); - if (window.focus) {newwin.focus()} - return false; -} function wopen(url, name, w, h) { @@ -331,232 +320,237 @@ h += 96; - - - - - - - + - -
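Review bot: `enable_change_all()` repeats the Frag3 and Stream5 control-toggling blocks verbatim instead of calling `frag3_enable_change()` and `stream5_enable_change()`, presumably to keep their `confirm()` prompts from firing on page load; the two copies will drift the next time a control is added to either preprocessor. Split each handler into the prompt part and a `*_set_controls(endis)` helper that both the onclick handler and `enable_change_all()` call, as sketched below. Separately, the Stream5 warning string appears in this rendering to contain a raw line break after "not recommended! "; if that is how the line reads in the file rather than an artifact of the diff display, it is an unterminated string literal and should use `\n\n` like the neighbouring lines.
```javascript
// Enable/disable the Frag3 option controls; shared by the checkbox handler and page load.
function frag3_set_controls(endis) {
	document.iform.frag3_overlap_limit.disabled=endis;
	document.iform.frag3_min_frag_len.disabled=endis;
	document.iform.frag3_policy.disabled=endis;
	document.iform.frag3_max_frags.disabled=endis;
	document.iform.frag3_memcap.disabled=endis;
	document.iform.frag3_timeout.disabled=endis;
}

function frag3_enable_change() {
	// … unchanged: confirm() prompt when the box is unchecked …
	frag3_set_controls(!(document.iform.frag3_detection.checked));
}

// … same split for stream5_enable_change() / stream5_set_controls(endis) …

function enable_change_all() {
	http_inspect_enable_change();
	sf_portscan_enable_change();
	frag3_set_controls(!(document.iform.frag3_detection.checked));
	stream5_set_controls(!(document.iform.stream5_reassembly.checked));
}
```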
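Review bot: With `$length - 2` the truncated string is now one character longer than `$length` (`$length - 2` characters plus a three-character ellipsis), which contradicts the docblock above the hunk saying the string is cut to the length specified, and the copy of `truncate()` added to snort_rules_flowbits.php in this same commit still uses `$length - 3`, so the two pages truncate differently. If the intent was to show one more character of each field, widen the lengths at the call sites and keep `$string = substr($string, 0, ($length - 3)) . "...";`. `truncate()` itself starts before the hunk.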
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -"; - $textse = ""; - $iconb = "icon_reject_d.gif"; - } - elseif (($rules_map[$k1][$k2]['disabled'] == 1) && (!isset($enablesid[$sid]))) { - $textss = ""; - $textse = ""; - $iconb = "icon_block_d.gif"; - } - elseif (isset($enablesid[$sid])) { - $textss = $textse = ""; - $iconb = "icon_reject.gif"; - } - else { - $textss = $textse = ""; - $iconb = "icon_block.gif"; - } - - // Pick off the first section of the rule (prior to the start of the MSG field), - // and then use a REGX split to isolate the remaining fields into an array. - $tmp = substr($rules_map[$k1][$k2]['rule'], 0, strpos($rules_map[$k1][$k2]['rule'], "(")); - $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); - $rule_content = preg_split('/[\s]+/', $tmp); - - $protocol = truncate($rule_content[1], 5); //protocol location - $source = truncate($rule_content[2], 13); //source location - $source_port = truncate($rule_content[3], 11); //source port location - $destination = truncate($rule_content[5], 13); //destination location - $destination_port = truncate($rule_content[6], 11); //destination port location - $message = snort_get_msg($rules_map[$k1][$k2]['rule']); - - echo " - - - - - - - "; + - - - -
  -
Category: - -
-
- - - "?> -  
- - "?> -   - -  
 
  - - - - -  
 
  -    -    - -  
  -     - - - title="" width="17" height="17" border="0">
  
$textss - - - $textse - - $textss $sid $textse - - $textss $protocol $textse - - $textss $source $textse - - $textss $source_port $textse - - $textss $destination $textse - - $textss $destination_port $textse - - $textss $message $textse -
+ - - " width="17" height="17" border="0"> - -
-
- - - - - - - - - - - - - - - - - - -
- +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      +
+ + + +
+ " title=" "/>   + " onclick="history.back()" title=""/>   + " onclick="return confirm('')" title=""/> +
+ + + + + + + + + + + +
" class="formbtn" + title=""/> + + "?> +   
+ "?> +   
" . + gettext("Snort must be restarted to activate any SID enable/disable changes."); ?>
+
+ + + + + + + + + + + + + + $rulem) { + foreach ($rulem as $k2 => $v) { + $sid = snort_get_sid($v['rule']); + $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$sid])) { + $textss = ""; + $textse = ""; + $iconb = "icon_reject_d.gif"; + } + elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { + $textss = ""; + $textse = ""; + $iconb = "icon_block_d.gif"; + } + elseif (isset($enablesid[$sid])) { + $textss = $textse = ""; + $iconb = "icon_reject.gif"; + } + else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + } + + // Pick off the first section of the rule (prior to the start of the MSG field), + // and then use a REGX split to isolate the remaining fields into an array. + $tmp = substr($v['rule'], 0, strpos($v['rule'], "(")); + $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); + $rule_content = preg_split('/[\s]+/', $tmp); + + $protocol = truncate($rule_content[1], 5); //protocol location + $source = truncate($rule_content[2], 13); //source location + $source_port = truncate($rule_content[3], 12); //source port location + $destination = truncate($rule_content[5], 13); //destination location + $destination_port = truncate($rule_content[6], 12); //destination port location + $message = snort_get_msg($v['rule']); + + echo " + + + + + + + "; + ?> + + + +
  + + title="" width="17" height="17" border="0">
$textss + + + $textse + + $textss $sid $textse + + $textss $protocol $textse + + $textss $source $textse + + $textss $source_port $textse + + $textss $destination $textse + + $textss $destination_port $textse + + $textss $message $textse + + " width="17" height="17" border="0"> +
+
+ + + + + + + + + + + + + + + + + +
+
- - + diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php new file mode 100644 index 00000000..104163f2 --- /dev/null +++ b/config/snort/snort_rules_flowbits.php 
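Review bot: The row-building `echo` near the end of the hunk interpolates `$message`, `$protocol`, `$source`, `$source_port`, `$destination` and `$destination_port` into the HTML table without escaping, so any `<`, `&` or quote in a rule's msg or address field is emitted raw into the page. These values come from the rule files on disk rather than from the request, so the exposure is limited to what a ruleset author writes, but the fix is one call per field at the point of assignment, e.g. `$message = htmlspecialchars(snort_get_msg($v['rule']));` and `$protocol = htmlspecialchars(truncate($rule_content[1], 5));`; the new row loop in snort_rules_flowbits.php has the same pattern. The `$rule_content[1]`..`[6]` reads also assume `preg_split()` produced at least seven fields, so a malformed rule line would emit undefined-offset notices into the page.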
@@ -0,0 +1,265 @@ +. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g, $flowbit_rules_file, $rebuild_rules; + +$snortdir = SNORTDIR; +$rules_map = array(); +$supplist = array(); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +$if_real = snort_get_real_interface($a_nat[$id]['interface']); +$snort_uuid = $a_nat[$id]['uuid']; + +/* We should normally never get to this page if Auto-Flowbits are disabled, but just in case... */ +if ($a_nat[$id]['autoflowbitrules'] == 'on') { + if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") && + filesize("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) { + $rules_map = snort_load_rules_map("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); + } + else + $savemsg = "There are no flowbit-required rules necessary for the current enforcing rule set."; +} +else + $input_errors[] = "Auto-Flowbit rule generation is disabled for this interface!"; + +if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + $descr = snort_get_msg($rules_map[$_GET['gen_id']][$_GET['sidid']]['rule']); + if (empty($descr)) + $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; + else + $suppress = "# {$descr}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}"; + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); + 
$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; + + if (empty($a_nat[$id]['suppresslistname']) || $a_nat[$id]['suppresslistname'] == 'default') { + $s_list = array(); + $s_list['name'] = $a_nat[$id]['interface'] . "suppress"; + $s_list['uuid'] = uniqid(); + $s_list['descr'] = "Auto-generated list for alert suppression"; + $s_list['suppresspassthru'] = base64_encode($suppress); + $a_suppress[] = $s_list; + $a_nat[$id]['suppresslistname'] = $s_list['name']; + } else { + foreach ($a_suppress as $a_id => $alist) { + if ($alist['name'] == $a_nat[$id]['suppresslistname']) { + if (!empty($alist['suppresspassthru'])) { + $tmplist = base64_decode($alist['suppresspassthru']); + $tmplist .= "\n{$suppress}"; + $alist['suppresspassthru'] = base64_encode($tmplist); + $a_suppress[$a_id] = $alist; + } + } + } + } + write_config(); + $rebuild_rules = "off"; + sync_snort_package_config(); + $savemsg = "Wrote suppress rule for gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']} to the {$a_nat[$id]['suppresslistname']} Suppression List."; +} + +function truncate($string, $length) { + + /******************************** + * This function truncates the * + * passed string to the length * + * specified adding ellipsis if * + * truncation was necessary. * + ********************************/ + if (strlen($string) > $length) + $string = substr($string, 0, ($length - 3)) . "..."; + return $string; +} + +/* Load up an array with the current Suppression List GID,SID values */ +$supplist = snort_load_suppress_sigs($a_nat[$id]); + +$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); +$pgtitle = "Services: Snort: {$if_friendly} Flowbit Rules"; +include_once("head.inc"); + +?> + + + +' . $pgtitle . '

';} +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> +
+ + +
+ + + + + + + + + + + + + + + + + 20): ?> + + + + +
+
+ + + + + + + + + + + + + + +
/>
" . + gettext("Note: ") . "". gettext("the icon is only ") . + gettext("displayed for flowbit rules without the \"noalert\" option."); ?>
+
+ + + + + + + + + + $rulem) { + foreach ($rulem as $k2 => $v) { + $sid = snort_get_sid($v['rule']); + $gid = snort_get_gid($v['rule']); + + // Pick off the first section of the rule (prior to the start of the MSG field), + // and then use a REGX split to isolate the remaining fields into an array. + $tmp = substr($v['rule'], 0, strpos($v['rule'], "(")); + $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); + $rule_content = preg_split('/[\s]+/', $tmp); + + $protocol = $rule_content[1]; //protocol + $source = truncate($rule_content[2], 14); //source + $destination = truncate($rule_content[5], 14); //destination + $message = snort_get_msg($v['rule']); + $flowbits = implode("; ", snort_get_flowbits($v['rule'])); + if (strstr($flowbits, "noalert")) + $supplink = ""; + else { + if (!isset($supplist[$gid][$sid])) { + $supplink = ""; + $supplink .= ""; + } + else { + $supplink .= ""; + } + } + + // Use "echo" to write the table HTML row-by-row. + echo "" . + "" . + "" . + "" . + "" . + "" . + "" . + ""; + $count++; + } + } + unset($rulem, $v); + ?> + +
+
{$sid} {$supplink}{$protocol}{$source}{$destination}{$flowbits}{$message}
+
+ /> + +
+
+
+ + + diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 64998810..4a7380b1 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -299,7 +299,7 @@ function enable_change() ?> - @@ -323,7 +323,7 @@ function enable_change() - -- cgit v1.2.3 From 1ef295d754f838935412ddefc8d5fa00c51bcc1c Mon Sep 17 00:00:00 2001 From: Marcello Coutinho Date: Tue, 14 May 2013 00:38:49 -0300 Subject: snort - (re)include two level menu and change start stop icons to toggle status as well show current snort status --- config/snort/snort_alerts.php | 1 + config/snort/snort_barnyard.php | 26 +++- config/snort/snort_blocked.php | 1 + config/snort/snort_define_servers.php | 26 +++- config/snort/snort_download_updates.php | 1 + config/snort/snort_interfaces.php | 45 ++++-- config/snort/snort_interfaces_edit.php | 30 ++-- config/snort/snort_interfaces_global.php | 1 + config/snort/snort_interfaces_suppress.php | 1 + config/snort/snort_interfaces_suppress_edit.php | 14 ++ config/snort/snort_interfaces_whitelist.php | 1 + config/snort/snort_interfaces_whitelist_edit.php | 15 ++ config/snort/snort_preprocessors.php | 26 +++- config/snort/snort_rules.php | 30 ++-- config/snort/snort_rulesets.php | 32 +++-- config/snort/snort_sync.xml | 166 +++++++++++++++++++++++ 16 files changed, 352 insertions(+), 64 deletions(-) create mode 100755 config/snort/snort_sync.xml (limited to 'config') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index eb0912c8..7919b1f2 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php 
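Review bot: `$id` is taken from `$_GET`/`$_POST` and only checked with `is_null()`, so a non-numeric or unknown id leaves `$a_nat[$id]` unset and the page still builds the `snort_{$snort_uuid}_{$if_real}` rules path from empty values and, on `act=addsuppress`, calls `write_config()` and `sync_snort_package_config()` against an interface entry that does not exist; replace the guard with `if (!is_numeric($id) || !isset($a_nat[$id])) { header("Location: /snort/snort_interfaces.php"); exit; }`. The `addsuppress` action modifies saved configuration from a plain GET link, which as far as this page shows carries none of the CSRF protection the package's POST forms get; driving it from a small POST form (or checking a token) is the defender-side fix. The row `echo` at the bottom also interpolates `$message`, `$source` and `$destination` into HTML without `htmlspecialchars()`, as in snort_rules.php. Lastly, `truncate()` here keeps `$length - 3` while the copy in snort_rules.php was changed to `$length - 2` in this commit; one shared helper in snort.inc would stop the two from drifting.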
@@ -200,6 +200,7 @@ if ($pconfig['arefresh'] == 'on') $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index e1de3efd..cf9fb4bd 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -150,14 +150,26 @@ function enable_change(enable_change) {

/> + />   
'; + echo ' diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index bd7cabbc..40ef61a1 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -146,6 +146,7 @@ if ($pconfig['brefresh'] == 'on') $tab_array[4] = array(gettext("Blocked"), true, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index b1d71631..307dd8a8 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -166,14 +166,26 @@ if ($savemsg)
'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); ?>
'; + echo ' diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index f2250236..4e312f22 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -118,6 +118,7 @@ h += 96; $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index 4c21cdd9..a2523872 100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -184,6 +184,7 @@ if ($pfsense_stable == 'yes')
'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), true, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext(" Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), true, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); ?>
@@ -240,15 +242,28 @@ foreach ($a_nat as $natent): ?> /* convert fake interfaces to real and check if iface is up */ /* There has to be a smarter way to do this */ $if_real = snort_get_real_interface($natent['interface']); + $natend_friendly= snort_get_friendly_interface($natent['interface']); $snort_uuid = $natent['uuid']; - if (snort_is_running($snort_uuid, $if_real) == 'no') - $iconfn = 'pass'; - else + if (snort_is_running($snort_uuid, $if_real) == 'no'){ $iconfn = 'block'; - if (snort_is_running($snort_uuid, $if_real, 'barnyard2') == 'no') - $biconfn = 'pass'; - else + $iconfn_msg1 = 'Snort is not running on '; + $iconfn_msg2 = '. Click to start.'; + } + else{ + $iconfn = 'pass'; + $iconfn_msg1 = 'Snort is running on '; + $iconfn_msg = '. Click to stop.'; + } + if (snort_is_running($snort_uuid, $if_real, 'barnyard2') == 'no'){ $biconfn = 'block'; + $biconfn_msg1 = 'Barnyard2 is not running on '; + $biconfn_msg2 = '. Click to start.'; + } + else{ + $biconfn = 'pass'; + $biconfn_msg1 = 'Barnyard2 is running on '; + $biconfn_msg2 = '. Click to stop.'; + } /* See if interface has any rules defined and set boolean flag */ $no_rules = true; @@ -271,7 +286,7 @@ foreach ($a_nat as $natent): ?> id="frd" ondblclick="document.location='snort_interfaces_edit.php?id=';"> - @@ -417,9 +434,7 @@ foreach ($a_nat as $natent): ?> an interface and settings. - diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 71cdc185..36bc628d 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -182,15 +182,27 @@ include_once("head.inc");
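Review bot: In the running branch the added line `$iconfn_msg = '. Click to stop.';` assigns the wrong variable, so `$iconfn_msg2` stays undefined whenever Snort is running and the title built from `$iconfn_msg1.$natend_friendly.$iconfn_msg2` in the following hunk loses its second half (and raises an undefined-variable notice); it should read `$iconfn_msg2 = '. Click to stop.';` to match the Barnyard2 branch. In that following hunk, `gettext()` is applied to a string concatenated at runtime, so the message can never match a catalog entry; pass the two fixed fragments through `gettext()` separately and concatenate afterwards. The friendly interface name is also written straight into a `title='...'` attribute; wrapping it in `htmlspecialchars()` is the usual habit for attribute context even though the value is admin-configured.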
echo " "; + title='" . gettext($iconfn_msg1.$natend_friendly.$iconfn_msg2) . "'>"; echo ($no_rules) ? " " : ""; } else echo strtoupper("disabled"); @@ -325,7 +340,7 @@ foreach ($a_nat as $natent): ?> echo " "; + title='" . gettext($biconfn_msg1.$natend_friendly.$biconfn_msg2) . "'>"; } else echo strtoupper("disabled"); ?> @@ -406,9 +421,11 @@ foreach ($a_nat as $natent): ?>   Click on the "> icon to start - snort and barnyard2. + "> + "> icons will show current + snort and barnyard2 status.
  Click on the "> icon to stop - snort and barnyard2. + Click on the status icons to toggle snort and barnyard2 status.
'; + echo ' diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index 32f2f6ba..30c5c2c0 100644 --- a/config/snort/snort_interfaces_suppress.php +++ b/config/snort/snort_interfaces_suppress.php @@ -79,6 +79,7 @@ if($pfsense_stable == 'yes'){echo '

' . $pgtitle . '

';} $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), true, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 1d2ad225..0042863c 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -141,6 +141,20 @@ if ($savemsg) ?>
'; + $tab_array = array(); + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); + $tab_array[] = array($menu_iface . gettext("Settings"), true, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?>
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 3c544436..29217604 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -142,6 +142,7 @@ function enable_snort_vrt(btn) { $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), false, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?>
+
+ +
diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php index a925ad45..27f48e16 100644 --- a/config/snort/snort_interfaces_whitelist.php +++ b/config/snort/snort_interfaces_whitelist.php @@ -85,6 +85,7 @@ if ($savemsg) print_info_box($savemsg); $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php"); $tab_array[5] = array(gettext("Whitelists"), true, "/snort/snort_interfaces_whitelist.php"); $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); + $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); ?> diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index 2f2afdad..4559f1b5 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -170,6 +170,21 @@ if ($savemsg)
+ +
+ +
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 705dfe24..14e51ed3 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -394,14 +394,26 @@ include_once("head.inc");
'; + echo ' diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 609eb052..cbb1fe50 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -322,15 +322,27 @@ h += 96;
'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), true, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), true, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); ?>
'; + echo ' @@ -248,8 +267,7 @@ include_once("head.inc"); -- cgit v1.2.3 From 717af69c8a12e258c61c9fa410b642c80042cfc5 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 16 May 2013 20:25:54 -0400 Subject: Extend SRC and DST columns just a bit to hold long IP addresses. --- config/snort/snort_alerts.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 796e1587..65ebffc1 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -257,9 +257,9 @@ if ($pconfig['arefresh'] == 'on') - + - + -- cgit v1.2.3 From a8b382566cb6bcfee7fdaeba24c770dbf649c05f Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 19 May 2013 22:22:28 -0400 Subject: Add code to honor $pkg_interface flag for console mode. --- config/snort/snort_check_for_rule_updates.php | 179 ++++++++++++++++++-------- 1 file changed, 125 insertions(+), 54 deletions(-) (limited to 'config') diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index c1c9ce46..2c8e39eb 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -36,13 +36,16 @@ require_once("service-utils.inc"); global $snort_gui_include, $vrt_enabled, $et_enabled, $rebuild_rules, $snort_rules_upd_log; global $protect_preproc_rules, $is_postinstall, $snort_community_rules_filename; -global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename, $g; +global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename, $g, $pkg_interface; $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; -if (!isset($snort_gui_include)) +$orig_pkg_interface = $pkg_interface; +if ($snort_gui_include) + $pkg_interface = ""; +else $pkg_interface = "console"; /* define checks */ 
@@ -93,7 +96,8 @@ error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n /* download md5 sig from snort.org */ if ($snortdownload == 'on') { - update_status(gettext("Downloading Snort VRT md5 file...")); + if ($pkg_interface <> "console") + update_status(gettext("Downloading Snort VRT md5 file...")); error_log(gettext("\tDownloading Snort VRT md5 file...\n"), 3, $snort_rules_upd_log); $max_tries = 4; while ($max_tries > 0) { @@ -110,13 +114,17 @@ if ($snortdownload == 'on') { error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) { - update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + if ($pkg_interface <> "console") { + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + } log_error(gettext("[Snort] Please wait... You may only check for New Rules every 15 minutes...")); - update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); $snortdownload = 'off'; error_log(gettext("\tSnort VRT md5 download failed. Site may be offline or Oinkcode is not authorized for this level or version.\n"), 3, $snort_rules_upd_log); - } else - update_status(gettext("Done downloading snort.org md5.")); + } else { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading snort.org md5.")); + } } /* Check if were up to date snort.org */ 
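Review bot: The guard `if ($pkg_interface <> "console")` is copy-pasted in front of every `update_status()`/`update_output_window()` call in this and every later hunk of the file (through `@@ -554,24 +621,28 @@`), which is how the one in `@@ -354,7 +407,8 @@` got missed; a small wrapper such as `function snort_update_status($msg) { global $pkg_interface; if ($pkg_interface <> "console") update_status($msg); }` (and a twin for the output window) would make the console check a single point of truth. The `<>` operator is a legacy spelling of `!=`; `!==` is the safer comparison since `$pkg_interface` is set to either `""` or `"console"` a few lines earlier.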
@@ -125,7 +133,8 @@ if ($snortdownload == 'on') { $md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); $md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}"); if ($md5_check_new == $md5_check_old) { - update_status(gettext("Snort VRT rules are up to date...")); + if ($pkg_interface <> "console") + update_status(gettext("Snort VRT rules are up to date...")); log_error(gettext("[Snort] Snort VRT rules are up to date...")); error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log); $snortdownload = 'off'; 
@@ -135,33 +144,59 @@ if ($snortdownload == 'on') { /* download snortrules file */ if ($snortdownload == 'on') { - update_status(gettext("There is a new set of Snort VRT rules posted. Downloading...")); + if ($pkg_interface <> "console") + update_status(gettext("There is a new set of Snort VRT rules posted. Downloading...")); log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading...")); error_log(gettext("\tThere is a new set of Snort VRT rules posted. Downloading...\n"), 3, $snort_rules_upd_log); $max_tries = 4; while ($max_tries > 0) { - download_file_with_progress_bar("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}"); - if (5000 > filesize("{$tmpfname}/{$snort_filename}")){ + $rc = download_file_with_progress_bar("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}"); + if ($rc == true) + break; + else { + if ($rc >= 500) { + if ($pkg_interface <> "console") + update_status(gettext("Server returned error code {$rc} ... retrying in 30 seconds...")); + log_error(gettext("[Snort] Server returned error code {$rc} ... will retry in 30 seconds...")); + error_log(gettext("\tThe server returned error code {$rc} ... will retry in 30 seconds\n"), 3, $snort_rules_upd_log); + $max_tries--; + if ($max_tries > 0) + sleep(30); + continue; + } + else { + if ($pkg_interface <> "console") + update_status(gettext("Server returned error code {$rc} ... try again in 15 minutes...")); + log_error(gettext("[Snort] Server returned error code {$rc} .. try again in 15 minutes...")); + error_log(gettext("\tThe server returned error code {$rc} ... 
try again in 15 minutes\n"), 3, $snort_rules_upd_log); + } + } +/* if (5000 > filesize("{$tmpfname}/{$snort_filename}")){ $max_tries--; if ($max_tries > 0) sleep(30); continue; } else break; +*/ + } if (filesize("{$tmpfname}/{$snort_filename}") == 0) { - update_output_window(gettext("Snort VRT rules file download failed...")); + if ($pkg_interface <> "console") + update_output_window(gettext("Snort VRT rules file download failed...")); log_error(gettext("[Snort] Snort VRT rules file download failed...")); error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); $snortdownload = 'off'; } else { - update_status(gettext("Done downloading Snort VRT rules file.")); + if ($pkg_interface <> "console") + update_status(gettext("Done downloading Snort VRT rules file.")); log_error("[Snort] Snort VRT Rules Attempts: " . (4 - $max_tries + 1)); error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){ - update_output_window(gettext("Snort VRT rules file download failed...")); - log_error(gettext("[Snort] Snort VRT rules file download failed...")); + if ($pkg_interface <> "console") + update_output_window(gettext("Snort VRT rules file MD5 checksum failed...")); + log_error(gettext("[Snort] Snort VRT rules file download failed. Bad MD5 checksum...")); log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_filename}"))); log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}"))); error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); 
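Review bot: The new retry loop compares the download result with `if ($rc == true) break;`, so if `download_file_with_progress_bar()` ever returns an HTTP status code as the hunk's `$rc >= 500` branch assumes, any non-zero code such as 500 is loosely equal to `true`, the loop exits as if the download succeeded, and the 5xx branch is unreachable; use `if ($rc === true) break;`. Conversely, when `$rc` is `false`/`0` the non-5xx branch logs "try again in 15 minutes" but neither decrements `$max_tries` nor leaves the loop, so the `while ($max_tries > 0)` loop spins without a delay until the download happens to succeed; add `break;` after that `error_log()` (the message already says no retry is intended). The return contract of `download_file_with_progress_bar()` is not visible here, so confirm which of the two it is before fixing. The old `if (5000 > filesize(...))` block should be deleted rather than left commented out. As a caveat on the surrounding context, the MD5 file is fetched from the same origin as the archive, so the comparison detects a truncated or corrupted transfer but offers no protection against a substituted archive.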
@@ -174,16 +209,19 @@ if ($snortdownload == 'on') { /* download md5 sig from Snort GPLv2 Community Rules */ if ($snortcommunityrules == 'on') { - update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file...")); + if ($pkg_interface <> "console") + update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file...")); error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file...\n"), 3, $snort_rules_upd_log); $image = file_get_contents("{$snort_community_rules_url}{$snort_community_rules_filename_md5}"); - update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); + if ($pkg_interface <> "console") + update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log); @file_put_contents("{$tmpfname}/{$snort_community_rules_filename_md5}", $image); /* See if the file download was successful, and turn off Snort GPLv2 update if it failed. */ if (0 == filesize("{$tmpfname}/{$snort_community_rules_filename_md5}")){ - update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); + if ($pkg_interface <> "console") + update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); $snortcommunityrules = 'off'; 
@@ -194,7 +232,8 @@ if ($snortcommunityrules == 'on') {
 $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}");
 $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}");
 if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) {
- update_status(gettext("Snort GPLv2 Community Rules are up to date..."));
+ if ($pkg_interface <> "console")
+ update_status(gettext("Snort GPLv2 Community Rules are up to date..."));
 log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date..."));
 error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log);
 $snortcommunityrules = 'off';
@@ -204,15 +243,17 @@ if ($snortcommunityrules == 'on') { /* download Snort GPLv2 Community rules file */ if ($snortcommunityrules == "on") { - update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); + if ($pkg_interface <> "console") + update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log); download_file_with_progress_bar("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); /* Test for a valid rules file download. Turn off Snort Community update if download failed. */ if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){ - update_output_window(gettext("Snort GPLv2 Community Rules file download failed...")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed...")); + if ($pkg_interface <> "console") + update_output_window(gettext("Snort GPLv2 Community Rules file MD5 checksum failed...")); + log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Bad MD5 checksum...")); log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}"))); log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"))); error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); 
@@ -221,7 +262,8 @@ if ($snortcommunityrules == "on") { $snortcommunityrules = 'off'; } else { - update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); + if ($pkg_interface <> "console") + update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully"); error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log); } @@ -231,7 +273,8 @@ if ($snortcommunityrules == "on") { if ($snortcommunityrules == 'on') { safe_mkdir("{$snortdir}/tmp/community"); if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { - update_status(gettext("Extracting Snort GPLv2 Community Rules...")); + if ($pkg_interface <> "console") + update_status(gettext("Extracting Snort GPLv2 Community Rules...")); error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$snortdir}/tmp/community/"); @@ -248,10 +291,12 @@ if ($snortcommunityrules == 'on') { /* Copy snort community md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { - update_status(gettext("Copying md5 signature to snort directory...")); + if ($pkg_interface <> "console") + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_community_rules_filename_md5}", "{$snortdir}/{$snort_community_rules_filename_md5}"); } - update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); + if ($pkg_interface <> "console") + update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log); exec("rm -r {$snortdir}/tmp/community"); } 
@@ -259,7 +304,8 @@ if ($snortcommunityrules == 'on') { /* download md5 sig from emergingthreats.net */ if ($emergingthreats == 'on') { - update_status(gettext("Downloading EmergingThreats md5 file...")); + if ($pkg_interface <> "console") + update_status(gettext("Downloading EmergingThreats md5 file...")); error_log(gettext("\tDownloading EmergingThreats md5 file...\n"), 3, $snort_rules_upd_log); /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ @@ -268,13 +314,15 @@ if ($emergingthreats == 'on') { else $image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}"); - update_status(gettext("Done downloading EmergingThreats md5")); + if ($pkg_interface <> "console") + update_status(gettext("Done downloading EmergingThreats md5")); error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); /* See if the file download was successful, and turn off ET update if it failed. */ if (0 == filesize("{$tmpfname}/{$emergingthreats_filename_md5}")){ - update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); + if ($pkg_interface <> "console") + update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); log_error(gettext("[Snort] EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); error_log(gettext("\tEmergingThreats md5 file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; 
@@ -285,7 +333,8 @@ if ($emergingthreats == 'on') { $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); if ($emerg_md5_check_new == $emerg_md5_check_old) { - update_status(gettext("Emerging Threats rules are up to date...")); + if ($pkg_interface <> "console") + update_status(gettext("Emerging Threats rules are up to date...")); log_error(gettext("[Snort] Emerging Threat rules are up to date...")); error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; @@ -295,7 +344,8 @@ if ($emergingthreats == 'on') { /* download emergingthreats rules file */ if ($emergingthreats == "on") { - update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading...")); + if ($pkg_interface <> "console") + update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading...")); log_error(gettext("[Snort] There is a new set of EmergingThreats rules posted. Downloading...")); error_log(gettext("\tThere is a new set of EmergingThreats rules posted. Downloading...\n"), 3, $snort_rules_upd_log); 
@@ -308,8 +358,9 @@ if ($emergingthreats == "on") { /* Test for a valid rules file download. Turn off ET update if download failed. */ if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ - update_output_window(gettext("EmergingThreats rules file download failed...")); - log_error(gettext("[Snort] EmergingThreats rules file download failed...")); + if ($pkg_interface <> "console") + update_output_window(gettext("EmergingThreats rules file MD5 checksum failed...")); + log_error(gettext("[Snort] EmergingThreats rules file download failed. Bad MD5 checksum...")); log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); @@ -318,7 +369,8 @@ if ($emergingthreats == "on") { $emergingthreats = 'off'; } else { - update_status(gettext('Done downloading EmergingThreats rules file.')); + if ($pkg_interface <> "console") + update_status(gettext('Done downloading EmergingThreats rules file.')); log_error("[Snort] EmergingThreats rules file update downloaded successfully"); error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); } 
@@ -328,7 +380,8 @@ if ($emergingthreats == "on") { if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Extracting EmergingThreats.org rules...")); + if ($pkg_interface <> "console") + update_status(gettext("Extracting EmergingThreats.org rules...")); error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); @@ -354,7 +407,8 @@ if ($emergingthreats == 'on') { update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } - update_status(gettext("Extraction of EmergingThreats.org rules completed...")); + if ($pkg_interface <> "console") + update_status(gettext("Extraction of EmergingThreats.org rules completed...")); error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, $snort_rules_upd_log); exec("rm -r {$snortdir}/tmp/emerging"); } @@ -370,7 +424,8 @@ if ($snortdownload == 'on') { if (substr(php_uname("r"), 0, 1) == '9') $freebsd_version_so = 'FreeBSD-9-0'; - update_status(gettext("Extracting Snort VRT rules...")); + if ($pkg_interface <> "console") + update_status(gettext("Extracting Snort VRT rules...")); error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log); /* extract snort.org rules and add prefix to all snort.org files */ safe_mkdir("{$snortdir}/tmp/snortrules"); 
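Review bot: In the `@@ -354,7 +407,8 @@` hunk the context line `update_status(gettext("Copying md5 signature to snort directory..."));` in the EmergingThreats branch is still unguarded, while its Snort VRT and Community Rules counterparts in `@@ -248,10 +291,12 @@` and `@@ -443,10 +505,12 @@` received the console check; in console mode this call still runs against the GUI progress widget, which is exactly what the commit sets out to avoid. Prefix it like the others: `if ($pkg_interface <> "console") update_status(gettext("Copying md5 signature to snort directory..."));`. The enclosing `if ($emergingthreats == 'on')` block begins outside this hunk.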
@@ -389,7 +444,8 @@ if ($snortdownload == 'on') { exec("rm -r {$snortdir}/tmp/snortrules"); /* extract so rules */ - update_status(gettext("Extracting Snort VRT Shared Objects rules...")); + if ($pkg_interface <> "console") + update_status(gettext("Extracting Snort VRT Shared Objects rules...")); exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/"); error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log); $snort_arch = php_uname("m"); @@ -406,7 +462,8 @@ if ($snortdownload == 'on') { if ($nosorules == false) { /* extract so stub rules, rename and copy to the rules folder. */ - update_status(gettext("Copying Snort VRT Shared Objects rules...")); + if ($pkg_interface <> "console") + update_status(gettext("Copying Snort VRT Shared Objects rules...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp --exclude precompiled/ --exclude src/ so_rules/"); $files = glob("{$snortdir}/tmp/so_rules/*.rules"); foreach ($files as $file) { @@ -417,7 +474,8 @@ if ($snortdownload == 'on') { } /* extract base etc files */ - update_status(gettext("Extracting Snort VRT config and map files...")); + if ($pkg_interface <> "console") + update_status(gettext("Extracting Snort VRT config and map files...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/"); foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$snortdir}/tmp/etc/{$file}")) 
@@ -428,14 +486,18 @@ if ($snortdownload == 'on') { /* Untar snort signatures */ $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; if ($premium_url_chk == 'on') { - update_status(gettext("Extracting Snort VRT Signatures...")); + if ($pkg_interface <> "console") + update_status(gettext("Extracting Snort VRT Signatures...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - update_status(gettext("Done extracting Signatures.")); + if ($pkg_interface <> "console") + update_status(gettext("Done extracting Signatures.")); if (is_dir("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying Snort VRT signatures...")); + if ($pkg_interface <> "console") + update_status(gettext("Copying Snort VRT signatures...")); exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures"); - update_status(gettext("Done copying signatures.")); + if ($pkg_interface <> "console") + update_status(gettext("Done copying signatures.")); } } @@ -443,10 +505,12 @@ if ($snortdownload == 'on') { exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp preproc_rules/"); if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - update_status(gettext("Copying md5 signature to snort directory...")); + if ($pkg_interface <> "console") + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); } - update_status(gettext("Extraction of Snort VRT rules completed...")); + if ($pkg_interface <> "console") + update_status(gettext("Extraction of Snort VRT rules completed...")); error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log); } } 
@@ -483,7 +547,8 @@ function snort_apply_customizations($snortcfg, $if_real) { if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') { - update_status(gettext('Copying new config and map files...')); + if ($pkg_interface <> "console") + update_status(gettext('Copying new config and map files...')); error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log); /* Determine which config and map file set to use for the master copy. */ @@ -532,7 +597,8 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { $if_real = snort_get_real_interface($value['interface']); $tmp = "Updating rules configuration for: " . snort_get_friendly_interface($value['interface']) . " ..."; - update_status(gettext($tmp)); + if ($pkg_interface <> "console") + update_status(gettext($tmp)); snort_apply_customizations($value, $if_real); /* Log a message in Update Log if protecting customized preprocessor rules. */ @@ -545,7 +611,8 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = } } else { - update_output_window(gettext("Warning: No interfaces configured for Snort were found...")); + if ($pkg_interface <> "console") + update_output_window(gettext("Warning: No interfaces configured for Snort were found...")); error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, $snort_rules_upd_log); } 
@@ -554,24 +621,28 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = /* remove old $tmpfname files */ if (is_dir("{$snortdir}/tmp")) { - update_status(gettext("Cleaning up after rules extraction...")); + if ($pkg_interface <> "console") + update_status(gettext("Cleaning up after rules extraction...")); exec("/bin/rm -r {$snortdir}/tmp"); } /* Restart snort if already running and we are not rebooting to pick up the new rules. */ if (is_process_running("snort") && !$g['booting']) { - update_status(gettext('Restarting Snort to activate the new set of rules...')); + if ($pkg_interface <> "console") + update_status(gettext('Restarting Snort to activate the new set of rules...')); error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log); restart_service("snort"); - update_output_window(gettext("Snort has restarted with your new set of rules...")); + if ($pkg_interface <> "console") + update_output_window(gettext("Snort has restarted with your new set of rules...")); log_error(gettext("[Snort] Snort has restarted with your new set of rules...")); error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, $snort_rules_upd_log); } } -update_status(gettext("The Rules update has finished...")); +if ($pkg_interface <> "console") + update_status(gettext("The Rules update has finished...")); log_error(gettext("[Snort] The Rules update has finished.")); error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log); conf_mount_ro(); - +$pkg_interface = $orig_pkg_interface; ?> -- cgit v1.2.3 From c6c504576a516824d9b4cf9010b5d7bc6c3fafd8 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 19 May 2013 22:23:10 -0400 Subject: Fix XMLRPC Sync code to prevent errors from bad return value. --- config/snort/snort.inc | 43 ++++++++++++++++++++++++++++++------------- 1 file changed, 30 insertions(+), 13 deletions(-) (limited to 'config') 
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 726d7846..3759f7be 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -3058,7 +3058,7 @@ function snort_sync_on_changes() { $rs=$snort_sync[row]; } else{ - log_error("[snort] xmlrpc sync is enabled but there are no hosts to push snort config."); + log_error("[snort] xmlrpc sync is enabled but there are no hosts configured as replication targets."); return; } break; @@ -3069,12 +3069,12 @@ function snort_sync_on_changes() { $rs[0]['varsyncusername']=$system_carp['username']; $rs[0]['varsyncpassword']=$system_carp['password']; if ($system_carp['synchronizetoip'] ==""){ - log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts to push snort config."); + log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets."); return; } } else{ - log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts to push snort config."); + log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets."); return; } break; @@ -3137,7 +3137,7 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { /* set a few variables needed for sync code borrowed from filter.inc */ $url = $synchronizetoip; - log_error("[snort] Beginning Snort pkg XMLRPC sync to {$url}:{$port}."); + log_error("[snort] Beginning Snort pkg configuration XMLRPC sync to {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); 
@@ -3157,33 +3157,50 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { log_error($error); file_notice("sync_settings", $error, "snort Settings Sync", ""); } else { - log_error("[snort] Snort pkg XMLRPC sync successfully completed with {$url}:{$port}."); + log_error("[snort] Snort pkg configuration XMLRPC sync successfully completed with {$url}:{$port}."); } - - /* tell snort to reload our settings on the destination sync host. */ - $method = 'pfsense.exec_php'; - $execcmd = "require_once('/usr/local/pkg/snort/snort.inc');\n"; - $execcmd .= "snort_sync_build_slave_conf();"; + + /* Build a series of commands for the secondary host to execute to will reload the new settings. */ + $execcmd = <<setCredentials($username, $password); + $cli->setDebug("1"); $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "snort Settings Sync", ""); } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); + $value = $resp->value(); + log_error(print_r($value, true)); file_notice("sync_settings", $error, "snort Settings Sync", ""); } else { log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php)."); -- cgit v1.2.3 From 2c2b79f0f2d91cc4417dbcf6018dca81df537ab1 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 20 May 2013 21:54:27 -0400 Subject: Add better error checking and more descriptive messages. --- config/snort/snort_check_for_rule_updates.php | 190 +++++++++++++++----------- 1 file changed, 110 insertions(+), 80 deletions(-) (limited to 'config') 
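Review bot: `$cli->setDebug("1")` is now called unconditionally before the second send(), and on the fault path the whole response value is written to the system log with `log_error(print_r($value, true))`; previously debug was switched on only after a fault had already been seen. As far as I recall, PEAR's XML_RPC client echoes the raw HTTP request and reply to the output stream in debug mode, including the Authorization header built from the credentials given to setCredentials() on the preceding line, so if this sync runs from a GUI save that material would land in the page output as well as the log. Suggest dropping the call or gating it on an explicit package debug setting, e.g. `if ($sync_debug) $cli->setDebug(1);` with `$sync_debug` being a new, default-off setting, and logging only `$resp->faultCode()` and `$resp->faultString()` on the fault path. The heredoc assigned to `$execcmd` between `<<` and `setCredentials` is not visible in this rendering, so the PHP sent to the peer for execution could not be reviewed here.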
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 2c8e39eb..f5810aff 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -42,7 +42,6 @@ $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; -$orig_pkg_interface = $pkg_interface; if ($snort_gui_include) $pkg_interface = ""; else 
@@ -100,30 +99,44 @@ if ($snortdownload == 'on') { update_status(gettext("Downloading Snort VRT md5 file...")); error_log(gettext("\tDownloading Snort VRT md5 file...\n"), 3, $snort_rules_upd_log); $max_tries = 4; + $rc = true; while ($max_tries > 0) { - $image = @file_get_contents("{$snort_rule_url}{$snort_filename_md5}"); - if (false === $image) { - $max_tries--; - if ($max_tries > 0) - sleep(30); - continue; - } else - break; - } - log_error("[Snort] Snort MD5 Attempts: " . (4 - $max_tries + 1)); - error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); - @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); - if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) { + $rc = download_file_with_progress_bar("{$snort_rule_url}{$snort_filename_md5}", "{$tmpfname}/{$snort_filename_md5}"); + if ($rc == true) + break; + else { + /* If "forbidden" error, no need to retry so just exit */ + if ($rc == 403) + break; + $max_tries--; + if ($max_tries > 0) { + if ($pkg_interface <> "console") + update_status(gettext("Server returned error code '{$rc}' ... retrying in 15 seconds...")); + log_error(gettext("[Snort] Snort VRT md5 download server returned error '{$rc}' ... retry in 15 seconds...")); + error_log(gettext("\tSnort VRT md5 download server returned error '{$rc}' ... retry in 15 secs...\n"), 3, $snort_rules_upd_log); + sleep(15); + } + continue; + } + } + log_error("[Snort] Snort MD5 Attempts: " . (4 - $max_tries + 1)); + if ($rc == true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading snort.org md5.")); + error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); + } + else { + if ($rc == 403) + $snort_err_msg = gettext("Too many attempts or Oinkcode not authorized for this level or version."); + else + $snort_err_msg = gettext("Server returned error code '{$rc}'."); if ($pkg_interface <> "console") { - update_status(gettext("Please wait... 
You may only check for New Rules every 15 minutes...")); - update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + update_status(gettext("Snort VRT md5 error ... {$snort_err_msg}...")); + update_output_window(gettext("You may download Snort VRT Rules once every 15 minutes.")); } - log_error(gettext("[Snort] Please wait... You may only check for New Rules every 15 minutes...")); + log_error(gettext("[Snort] Snort VRT md5 download failed. {snort_err_msg}...")); $snortdownload = 'off'; - error_log(gettext("\tSnort VRT md5 download failed. Site may be offline or Oinkcode is not authorized for this level or version.\n"), 3, $snort_rules_upd_log); - } else { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading snort.org md5.")); + error_log(gettext("\tSnort VRT md5 download failed. {snort_err_msg}\n"), 3, $snort_rules_upd_log); } } 
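Review bot: `if ($rc == true) break;` and the later `if ($rc == true)` are loose comparisons, and since `$rc` is otherwise an integer HTTP status in this code (`$rc == 403` here, `$rc >= 500` in the next hunk), any non-zero code such as 403 or 503 compares equal to true; the retry and error branches are therefore reached only when the transfer failed outright with a zero code, and whatever the server sent back presumably lands in the md5 file and is reported as "Done downloading snort.org md5.". Both checks should be `if ($rc === true)`, and the same pattern appears in the rules-download hunk (-149/-205), the community-rules hunk (-247) and the EmergingThreats hunk (-351). Separately, the two new log lines containing `{snort_err_msg}` are missing the `$`, so the system log and the update log will print the literal placeholder instead of `$snort_err_msg`. The surrounding `if ($snortdownload == 'on')` block begins outside this hunk.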
@@ -149,46 +162,33 @@ if ($snortdownload == 'on') { log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading...")); error_log(gettext("\tThere is a new set of Snort VRT rules posted. Downloading...\n"), 3, $snort_rules_upd_log); $max_tries = 4; + $rc = true; while ($max_tries > 0) { $rc = download_file_with_progress_bar("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}"); if ($rc == true) break; else { if ($rc >= 500) { - if ($pkg_interface <> "console") - update_status(gettext("Server returned error code {$rc} ... retrying in 30 seconds...")); - log_error(gettext("[Snort] Server returned error code {$rc} ... will retry in 30 seconds...")); - error_log(gettext("\tThe server returned error code {$rc} ... will retry in 30 seconds\n"), 3, $snort_rules_upd_log); $max_tries--; - if ($max_tries > 0) - sleep(30); + if ($max_tries > 0) { + if ($pkg_interface <> "console") + update_status(gettext("Server returned error code '{$rc}' ... retrying in 15 seconds...")); + log_error(gettext("[Snort] Server returned error code '{$rc}' ... will retry in 15 seconds...")); + error_log(gettext("\tThe server returned error code '{$rc}' ... will retry in 15 seconds\n"), 3, $snort_rules_upd_log); + sleep(15); + } continue; } else { if ($pkg_interface <> "console") - update_status(gettext("Server returned error code {$rc} ... try again in 15 minutes...")); - log_error(gettext("[Snort] Server returned error code {$rc} .. try again in 15 minutes...")); - error_log(gettext("\tThe server returned error code {$rc} ... try again in 15 minutes\n"), 3, $snort_rules_upd_log); + update_status(gettext("Server returned error code '{$rc}' ... try again in 15 minutes...")); + log_error(gettext("[Snort] Server returned error code '{$rc}' .. try again in 15 minutes...")); + error_log(gettext("\tThe server returned error code '{$rc}' ... 
try again in 15 minutes\n"), 3, $snort_rules_upd_log); + break; } } -/* if (5000 > filesize("{$tmpfname}/{$snort_filename}")){ - $max_tries--; - if ($max_tries > 0) - sleep(30); - continue; - } else - break; -*/ - } - if (filesize("{$tmpfname}/{$snort_filename}") == 0) { - if ($pkg_interface <> "console") - update_output_window(gettext("Snort VRT rules file download failed...")); - log_error(gettext("[Snort] Snort VRT rules file download failed...")); - error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); - $snortdownload = 'off'; - } - else { + if ($rc == true) { if ($pkg_interface <> "console") update_status(gettext("Done downloading Snort VRT rules file.")); log_error("[Snort] Snort VRT Rules Attempts: " . (4 - $max_tries + 1)); @@ -205,6 +205,15 @@ if ($snortdownload == 'on') { $snortdownload = 'off'; } } + else { + if ($pkg_interface <> "console") + update_output_window(gettext("Snort VRT rules file download failed...")); + log_error(gettext("[Snort] Snort VRT rules file download failed... server returned error '{$rc}'...")); + error_log(gettext("\tSnort VRT rules file download failed. Server returned error '{$rc}'.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); + $snortdownload = 'off'; + } + } /* download md5 sig from Snort GPLv2 Community Rules */ 
@@ -247,25 +256,36 @@ if ($snortcommunityrules == "on") { update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log); - download_file_with_progress_bar("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); + $rc = download_file_with_progress_bar("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); /* Test for a valid rules file download. Turn off Snort Community update if download failed. */ - if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("Snort GPLv2 Community Rules file MD5 checksum failed...")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"))); - error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded Snort GPLv2 file MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected Snort GPLv2 file MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}") . 
"\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; + if ($rc == true) { + if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){ + if ($pkg_interface <> "console") + update_output_window(gettext("Snort GPLv2 Community Rules file MD5 checksum failed...")); + log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Bad MD5 checksum...")); + log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}"))); + log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"))); + error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded Snort GPLv2 file MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}") . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected Snort GPLv2 file MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}") . "\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + else { + if ($pkg_interface <> "console") + update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); + log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully"); + error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log); + } } else { - if ($pkg_interface <> "console") - update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); - log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully"); - error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log); + if ($pkg_interface <> "console") { + update_status(gettext("The server returned error code '{$rc}' ... 
skipping GPLv2 Community Rules...")); + update_output_window(gettext("Snort GPLv2 Community Rules file download failed...")); + } + log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Server returned error '{$rc}'...")); + error_log(gettext("\tSnort GPLv2 Community Rules download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; } } 
@@ -351,28 +371,38 @@ if ($emergingthreats == "on") { /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ if ($vrt_enabled == "on") - download_file_with_progress_bar("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); + $rc = download_file_with_progress_bar("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); else - download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); + $rc = download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); /* Test for a valid rules file download. Turn off ET update if download failed. */ - - if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats rules file MD5 checksum failed...")); - log_error(gettext("[Snort] EmergingThreats rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); - error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . 
"\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; + if ($rc == true) { + if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ + if ($pkg_interface <> "console") + update_output_window(gettext("EmergingThreats rules file MD5 checksum failed...")); + log_error(gettext("[Snort] EmergingThreats rules file download failed. Bad MD5 checksum...")); + log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); + log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); + error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } + else { + if ($pkg_interface <> "console") + update_status(gettext('Done downloading EmergingThreats rules file.')); + log_error("[Snort] EmergingThreats rules file update downloaded successfully"); + error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); + } } else { - if ($pkg_interface <> "console") - update_status(gettext('Done downloading EmergingThreats rules file.')); - log_error("[Snort] EmergingThreats rules file update downloaded successfully"); - error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); + if ($pkg_interface <> "console") { + update_status(gettext("The server returned error code '{$rc}' ... 
skipping EmergingThreats update...")); + update_output_window(gettext("EmergingThreats rules file download failed...")); + } + log_error(gettext("[Snort] EmergingThreats rules file download failed. Server returned error '{$rc}'...")); + error_log(gettext("\tEmergingThreats rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; } } @@ -644,5 +674,5 @@ if ($pkg_interface <> "console") log_error(gettext("[Snort] The Rules update has finished.")); error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log); conf_mount_ro(); -$pkg_interface = $orig_pkg_interface; + ?> -- cgit v1.2.3 From ad421389225db7840529319149db6f59dee4e8b9 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 20 May 2013 21:55:24 -0400 Subject: More tweaks to new Snort Pkg Sync code. --- config/snort/snort.inc | 95 ++++++++++++++++++++++----------------------- config/snort/snort_sync.xml | 52 ++++++++++++++++++------- 2 files changed, 86 insertions(+), 61 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 3759f7be..46c66128 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -849,7 +849,7 @@ function snort_rules_up_install_cron($should_install) { /* Only run when all ifaces needed to sync. Expects filesystem rw */ function sync_snort_package_config() { global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file; - global $snort_version, $rebuild_rules; + global $snort_version, $rebuild_rules, $is_postinstall; $snortdir = SNORTDIR; @@ -889,7 +889,9 @@ function sync_snort_package_config() { configure_cron(); - snort_sync_on_changes(); + /* Do not attempt package sync if reinstalling package or booting */ + if (!$is_postinstall && !$g['booting']) + snort_sync_on_changes(); conf_mount_ro(); } 
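Review bot: The `md5_file` comparison that the new `if ($rc == true)` branch wraps guards only against a truncated or corrupted transfer: the tarball and its md5 sidecar are both fetched from the same plain-http `rules.emergingthreats.net` URLs at the top of the hunk, so the check cannot distinguish a tampered ruleset from a genuine one, and the ruleset decides what this sensor will and will not alert on. Worth stating that limit in the existing comment, e.g. `/* Test for a valid rules file download. The md5 comes from the same unauthenticated HTTP source, so this catches transfer corruption, not tampering. */`, and fetching over HTTPS where the mirror offers it; the community-rules hunk (-247) has the same shape. The enclosing `if ($emergingthreats == "on")` block starts outside this hunk.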
@@ -2048,6 +2050,7 @@ function snort_deinstall() { if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') { log_error(gettext("Not saving settings... all Snort configuration info and logs deleted...")); unset($config['installedpackages']['snortglobal']); + unset($config['installedpackages']['snortsync']); @unlink("{$snort_rules_upd_log}"); mwexec("/bin/rm -rf {$snortlogdir}"); log_error(gettext("[Snort] The package has been removed from this system...")); @@ -3047,11 +3050,17 @@ EOD; /* Uses XMLRPC to synchronize the changes to a remote node */ function snort_sync_on_changes() { - global $config, $g; + global $config, $g, $is_postinstall; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $is_postinstall == true) + return; + if (is_array($config['installedpackages']['snortsync']['config'])){ $snort_sync=$config['installedpackages']['snortsync']['config'][0]; $synconchanges = $snort_sync['varsynconchanges']; $synctimeout = $snort_sync['varsynctimeout']; + $syncdownloadrules = $snort_sync['vardownloadrules']; switch ($synconchanges){ case "manual": if (is_array($snort_sync[row])){ @@ -3068,6 +3077,7 @@ function snort_sync_on_changes() { $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; $rs[0]['varsyncusername']=$system_carp['username']; $rs[0]['varsyncpassword']=$system_carp['password']; + $rs[0]['varsyncsnortstart']="no"; if ($system_carp['synchronizetoip'] ==""){ log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets."); return; @@ -3085,6 +3095,10 @@ function snort_sync_on_changes() { if (is_array($rs)){ log_error("[snort] Snort pkg xmlrpc sync is starting."); foreach($rs as $sh){ + if ($sh['varsyncsnortstart']) + $syncstartsnort = $sh['varsyncsnortstart']; + else + $syncstartsnort = "OFF"; $sync_to_ip = $sh['varsyncipaddress']; $password = $sh['varsyncpassword']; if($sh['varsyncusername']) 
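Review bot: The new `varsyncsnortstart` handling spells one flag three ways: the CARP branch in the -3068 hunk stores `"no"`, this loop falls back to `"OFF"` when the field is empty but otherwise passes the raw stored value through, and the consumer compares it with `"ON"`; `"no"` is truthy, so the CARP case yields the intended "do not start" only by accident. Normalising once here, `$syncstartsnort = (strtoupper($sh['varsyncsnortstart']) == "ON") ? "ON" : "OFF";`, and storing `"OFF"` in the CARP branch keeps a single vocabulary. I have not verified what value the rowhelper checkbox actually saves, so please confirm the `"ON"` comparison matches it. The foreach and the `is_array($rs)` block continue past the end of this hunk.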
@@ -3092,7 +3106,7 @@ function snort_sync_on_changes() { else $username = 'admin'; if($password && $sync_to_ip) - snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout); + snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort); } log_error("[snort] Snort pkg xmlrpc sync completed."); } @@ -3100,17 +3114,22 @@ function snort_sync_on_changes() { } /* Do the actual XMLRPC sync */ -function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { - global $config, $g; +function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort) { + global $config, $g, $is_postinstall; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $is_postinstall == true) + return; if(!$username || !$password || !$sync_to_ip) { log_error("[snort] A required XMLRPC sync parameter (user, host IP or password) is empty ... aborting pkg sync"); return; } + /* Test key variables and set defaults if empty */ if(!$synctimeout) $synctimeout=150; - + $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; 
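Review bot: snort_do_xmlrpc_sync() gains its new parameters by prepending `$syncdownloadrules` and appending `$syncstartsnort`, so any caller still using the old four-argument order would have its target IP consumed as the download flag with no diagnostic; appending both with defaults, `function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout, $syncdownloadrules = "no", $syncstartsnort = "OFF")`, keeps the existing order valid (the one call site in the -3092 hunk would then be reordered to match). The function also has no header documenting what the two string flags accept (`"yes"` and `"ON"` per the following hunk) or the two early-return conditions; a short PHPDoc block listing each parameter and those exits would cover it. The function body continues beyond this hunk.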
@@ -3160,22 +3179,37 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { log_error("[snort] Snort pkg configuration XMLRPC sync successfully completed with {$url}:{$port}."); } - /* Build a series of commands for the secondary host to execute to will reload the new settings. */ + $downloadrulescmd = ""; + if ($syncdownloadrules == "yes") { + $downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested update of downloaded rules files...\"));\n"; + $downloadrulescmd .= "include_once(\"/usr/local/pkg/snort/snort_check_for_rule_updates.php\");\n"; + } + $snortstart = ""; + if ($syncstartsnort == "ON") { + $snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested restart of Snort...\"));\n"; + $snortstart .= "if (!is_process_running(\"snort\")) {\n"; + $snortstart .= "exec(\"/usr/local/etc/rc.d/snort.sh start 2>&1 &\");\n}\n"; + } + + /* Build a series of commands for the secondary host to execute that will load the new settings. */ $execcmd = <<faultCode()) { $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); - $value = $resp->value(); - log_error(print_r($value, true)); file_notice("sync_settings", $error, "snort Settings Sync", ""); } else { log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php)."); } } -function snort_sync_build_slave_conf() { - - /*************************************************/ - /* This function is called by the XMLRPC package */ - /* sync process on the master host and is used */ - /* to build the initial Snort configuration on */ - /* a slave (or secondary) host after the push */ - /* of the config.xml data. 
*/ - /*************************************************/ - - global $g, $rebuild_rules, $snort_gui_include, $is_postinstall; - - // First download fresh rules if necessary - unset($snort_gui_include); - $is_postinstall = true; - log_error(gettext("[snort] XMLRPC pkg sync: Downloading and updating configured rule types...")); - - // Suppress all PHP output by swallowing it in the output buffer and then discarding it - ob_start(); - - // Now start the actual configuration build on the remote slave - @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); - $is_postinstall = false; - log_error(gettext("[snort] XMLRPC pkg sync: Generating snort.conf file using Master Host's settings...")); - $rebuild_rules = "on"; - sync_snort_package_config(); - $rebuild_rules = "off"; - log_error(gettext("[snort] XMLRPC pkg sync process on this host is complete...")); - - // Finally, discard any buffered PHP output and return - ob_end_clean(); -} - ?> diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml index 5bfeba12..274d3fc9 100755 --- a/config/snort/snort_sync.xml +++ b/config/snort/snort_sync.xml @@ -47,7 +47,7 @@ POSSIBILITY OF SUCH DAMAGE. Currently there are no FAQ items provided. snortsync 1.0 - Proxy server snort: XMLRPC Sync + Snort: XMLRPC Sync (EXPERIMENTAL) /usr/local/pkg/snort/snort.inc @@ -86,17 +86,17 @@ POSSIBILITY OF SUCH DAMAGE. - Snort XMLRPC Sync + Snort Package XMLRPC Sync Settings listtopic Enable Sync varsynconchanges - +
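Review bot: The command string sent to the peer via `pfsense.exec_php` now asks it to run `include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php")` inline when `$syncdownloadrules == "yes"`, but the removed snort_sync_build_slave_conf() wrapped that include in `ob_start()`/`ob_end_clean()` and set `$is_postinstall` and unset `$snort_gui_include` around it; whether the replacement heredoc preserves any of that cannot be checked here, because everything between `$execcmd = <<` and the `faultCode()` check is missing from this rendering. Without the buffering, the unguarded update_status() calls in that script would presumably emit into the XML-RPC response. Separately, the rule update can sleep 15 s up to three times per download and fetches several archives, which can exceed the `$synctimeout` default of 150 s set earlier in this function, so the caller may log a communications error while the peer is still working; consider a longer default when `$syncdownloadrules` is on, or having the peer schedule the update through the existing cron mechanism rather than run it inside the request. A comment on `$downloadrulescmd` noting this timing coupling would help the next reader.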
Important: While using "Sync to hosts defined below", only sync from host A to B, A to C but do not enable XMLRPC sync to A. This will result in a loop!]]>
select - auto + disabled @@ -104,26 +104,42 @@ POSSIBILITY OF SUCH DAMAGE.
- XMLRPC timeout + XMLRPC Timeout varsynctimeout input - 150 + 150 5 - Destination Server + Refresh Rule Sets + vardownloadrules +
+ During each Snort package sync operation, ask the target host to check for + a new set of posted rule sets files and refresh the local copies if necessary. The default is + to refresh the files if newer versions have been posted.]]>
+ select + yes + + + + +
+ + + Replication Targets none rowhelper Enable varsyncdestinenable + checkbox - GUI Protocol + Protocol varsyncprotocol http or https]]> select @@ -134,28 +150,38 @@ POSSIBILITY OF SUCH DAMAGE. - GUI IP-Address + IP-Address varsyncipaddress input 15 - GUI Port + Port varsyncport - + input 3 - - GUI Admin Password + + Admin Password varsyncpassword password 20 + + Start Snort + varsyncsnortstart + + checkbox + + + WARNING: This feature is considered experimental and not recommended for production use + listtopic +
write_config();snort_sync_on_changes(); -- cgit v1.2.3 From e80695def53d0c55a0c79108f3d207a938249786 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 21 May 2013 22:00:03 -0400 Subject: HTML edits to fix table layout in Firefox and Chrome. --- config/snort/snort_alerts.php | 54 +++++++++++++++++++++++---------------- config/snort/snort_blocked.php | 22 ++++++++++------ config/snort/snort_rules.php | 57 ++++++++++++++++++++++++++---------------- 3 files changed, 82 insertions(+), 51 deletions(-) (limited to 'config') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 65ebffc1..98a58863 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -252,18 +252,30 @@ if ($pconfig['arefresh'] == 'on')
'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");; + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?>
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 4a7380b1..f9fb6aa8 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -257,16 +257,28 @@ function enable_change() '; + echo ' diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml new file mode 100755 index 00000000..30d935ee --- /dev/null +++ b/config/snort/snort_sync.xml 
@@ -0,0 +1,166 @@ + + + + + +. +All rights reserved. +*/ +/* ========================================================================== */ +/* +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code MUST retain the above copyright notice, +this list of conditions and the following disclaimer. + +2. Redistributions in binary form MUST reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. +*/ +/* ========================================================================== */ +]]> + + Describe your package requirements here + Currently there are no FAQ items provided. 
+ snortsync + 1.3_1 pkg v.1.9 + Proxy server snort: XMLRPC Sync + + + + Snort Interfaces + /snort/snort_interfaces.php + + + Global Settings + /snort/snort_interfaces_global.php + + + Updates + /snort/snort_download_updates.php + + + Alerts + /snort/snort_alerts.php + + + Blocked + /snort/snort_blocked.php + + + Whitelists + /snort/snort_interfaces_whitelist.php + + + Suppress + /snort/snort_interfaces_suppress.php + + + Sync + /pkg_edit.php?xml=snort_sync.xml&id=0 + + + + + + Snort XMLRPC Sync + listtopic + + + Enable Sync + varsyncenablexmlrpc + + Important: While using "Sync to hosts defined below", only sync from host A to B, A to C but do not enable XMLRPC sync to A. This will result in a loop!]]> + select + + auto + + + + + + + + XMLRPC timeout + varsynctimeout + + input + 150 + 5 + + + + Destination Server + none + rowhelper + + + Enable + varsyncdestinenable + checkbox + + + GUI Protocol + varsyncprotocol + http or https]]> + select + HTTP + + + + + + + GUI IP-Address + varsyncipaddress + + input + 15 + + + GUI Port + varsyncport + + input + 3 + + + GUI Admin Password + varsyncpassword + + password + 20 + + + + + + snort_resync(); + + + snort_resync(); + + -- cgit v1.2.3 From 68970450506e68d97398e0f39709e175434cd55b Mon Sep 17 00:00:00 2001 From: Marcello Coutinho Date: Tue, 14 May 2013 01:48:53 -0300 Subject: snort - include sync code Current status: it replicates xml config, but It's not calling all snort functions after config save. --- config/snort/snort.inc | 154 +++++++++++++++++++++++++++++++++++++++++++- config/snort/snort_sync.xml | 12 ++-- 2 files changed, 159 insertions(+), 7 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 236cb107..430e5a95 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc 
@@ -34,6 +34,7 @@ require_once("pfsense-utils.inc"); require_once("config.inc"); require_once("functions.inc"); require_once("service-utils.inc"); +require_once("pkg-utils.inc"); // Needed on 2.0 because of filter_get_vpns_list() require_once("filter.inc"); @@ -887,7 +888,9 @@ function sync_snort_package_config() { snort_rules_up_install_cron($snortglob['autorulesupdate7'] != "never_up" ? true : false); configure_cron(); - + + snort_sync_on_changes(); + conf_mount_ro(); } 
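Review bot: The `snort_sync_on_changes();` call added to sync_snort_package_config() is unconditional, and the same function is what the peer is told to run when a push arrives (the exec_php payload in the `@@ -3040` hunk of this commit requires snort.inc and calls it), so a secondary host that also has sync configured would push straight back toward the master. A flag set by the RPC entry point before it calls sync_snort_package_config() and tested here, e.g. `if (empty($snort_sync_in_progress)) snort_sync_on_changes();` with the flag declared `global`, would keep one push from fanning out; this is inferred from the call chain visible on this page and is worth confirming against the "auto" mode of snort_sync_on_changes(), which reads the local carpsettings. The rest of sync_snort_package_config() lies outside the hunk.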
@@ -3040,4 +3043,153 @@ EOD; unset($home_net, $external_net, $vardef, $portvardef); } +/* Uses XMLRPC to synchronize the changes to a remote node */ +function snort_sync_on_changes() { + global $config, $g; + if (is_array($config['installedpackages']['snortsync']['config'])){ + $snort_sync=$config['installedpackages']['snortsync']['config'][0]; + $synconchanges = $snort_sync['varsynconchanges']; + $synctimeout = $snort_sync['varsynctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($snort_sync[row])){ + $rs=$snort_sync[row]; + } + else{ + log_error("[snort] xmlrpc sync is enabled but there is no hosts to push snort config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; + $rs[0]['varsyncusername']=$system_carp['username']; + $rs[0]['varsyncpassword']=$system_carp['password']; + if ($system_carp['synchronizetoip'] ==""){ + log_error("[snort] xmlrpc sync is enabled but there is no system backup hosts to push snort config."); + return; + } + } + else{ + log_error("[snort] xmlrpc sync is enabled but there is no system backup hosts to push snort config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[snort] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['varsyncipaddress']; + $password = $sh['varsyncpassword']; + if($sh['varsyncusername']) + $username = $sh['varsyncusername']; + else + $username = 'admin'; + if($password && $sync_to_ip) + snort_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); + } + log_error("[snort] xmlrpc sync is ending."); + } + } +} +/* Do the actual XMLRPC sync */ +function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { + global $config, $g; + + if(!$username) + 
return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + if(!$synctimeout) + $synctimeout=150; + + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['snortglobal'] = $config['installedpackages']['snortglobal']; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("Beginning snort XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } else { + log_error("snort XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell squid to reload our settings on the destination sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/snort/snort.inc');\n"; + $execcmd .= "sync_snort_package_config();"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("snort XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } else { + log_error("snort XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + +} ?> diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml index 30d935ee..5bfeba12 100755 --- a/config/snort/snort_sync.xml +++ b/config/snort/snort_sync.xml @@ -46,9 +46,9 @@ POSSIBILITY OF SUCH DAMAGE. Describe your package requirements here Currently there are no FAQ items provided. snortsync - 1.3_1 pkg v.1.9 + 1.0 Proxy server snort: XMLRPC Sync - + /usr/local/pkg/snort/snort.inc Snort Interfaces 
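Review bot: `$snort_sync[row]` in the "manual" case of snort_sync_on_changes() (both the `is_array()` test and the assignment) uses the bare identifier `row` as an array key; PHP treats it as an undefined constant, which only works by falling back to the string "row" with a notice and is a fatal Error on PHP 8, so both should read `$snort_sync['row']`. The same two lines reappear unchanged as context in the later refine commit's `@@ -3061,11 +3056,11 @@` hunk. In snort_do_xmlrpc_sync(), `$synchronizetoip` is assigned only inside `if($config['system']['webgui']['protocol'] != "")`, so with an empty protocol the later `$synchronizetoip .= $sync_to_ip;` appends to an undefined variable and the resulting URL has no scheme; add `$synchronizetoip = "";` before the `if`. On a fault the message is re-sent once with `setDebug(1)` before the error is logged, which for the merge call means the section can be merged twice; logging the first fault without the resend is simpler and has no side effect.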
@@ -80,7 +80,7 @@ POSSIBILITY OF SUCH DAMAGE. Sync - /pkg_edit.php?xml=snort_sync.xml&id=0 + /pkg_edit.php?xml=snort/snort_sync.xml @@ -91,7 +91,7 @@ POSSIBILITY OF SUCH DAMAGE. Enable Sync - varsyncenablexmlrpc + varsynconchanges Important: While using "Sync to hosts defined below", only sync from host A to B, A to C but do not enable XMLRPC sync to A. This will result in a loop!]]> select @@ -158,9 +158,9 @@ POSSIBILITY OF SUCH DAMAGE. - snort_resync(); + write_config();snort_sync_on_changes(); - snort_resync(); + write_config();snort_sync_on_changes(); -- cgit v1.2.3 From 2ac73febaa378f102c7192f3d401b4f153acd45b Mon Sep 17 00:00:00 2001 From: Marcello Coutinho Date: Tue, 14 May 2013 01:52:55 -0300 Subject: snort - fix small typo --- config/snort/snort_interfaces.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index a2523872..c2a66f98 100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -252,7 +252,7 @@ foreach ($a_nat as $natent): ?> else{ $iconfn = 'pass'; $iconfn_msg1 = 'Snort is running on '; - $iconfn_msg = '. Click to stop.'; + $iconfn_msg2 = '. Click to stop.'; } if (snort_is_running($snort_uuid, $if_real, 'barnyard2') == 'no'){ $biconfn = 'block'; -- cgit v1.2.3 From 19276999956536a5aac6defb1cad931e121bc041 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 14 May 2013 18:52:12 -0400 Subject: Add code file for new Snort pkg sync functionality. --- config/snort/snort.xml | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'config') diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 8abb4865..1066b75c 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -73,6 +73,11 @@ 077 http://www.pfsense.com/packages/config/snort/snort_check_cron_misc.inc + + /usr/local/pkg/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_sync.xml + /usr/local/www/snort/ 077 -- cgit v1.2.3 
From 3de5c81b8c8ea9c4357b70f5aed33b8a6aad8e68 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 14 May 2013 18:53:23 -0400 Subject: Add table layout style to fix word-wrapping in long cells. --- config/snort/snort_rules.php | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) (limited to 'config') diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index cbb1fe50..f737bc1d 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -431,18 +431,17 @@ h += 96; - @@ -396,9 +410,12 @@ foreach ($a_nat as $natent): ?>
-
'; + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?>
- +
- - - + + + - + - + - - - - - "; ?> -- cgit v1.2.3 From 86b9d0fc9c53fc10ee6a37630b609fb4a5656ba5 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 14 May 2013 18:54:14 -0400 Subject: Improve flowbits logic to include bitwise logical operators. --- config/snort/snort.inc | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 430e5a95..a191d941 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -1268,10 +1268,10 @@ function snort_get_flowbits($rule) { if (preg_match_all('/flowbits\b\s*:\s*(set|setx|unset|toggle|isset|isnotset)\s*,([^;]+)/i', $rule, $matches)) { $i = -1; while (++$i < count($matches[1])) { - $action = trim($matches[1][$i]) . ","; + $action = trim($matches[1][$i]); $target = preg_split('/[&|]/', $matches[2][$i]); foreach ($target as $t) - $flowbits[] = $action . trim($t); + $flowbits[] = "{$action}," . trim($t); } } @@ -1316,9 +1316,10 @@ function snort_get_checked_flowbits(&$rules_map) { continue; $action = substr(strtolower($flowbit), 0, $pos); if ($action == "isset" || $action == "isnotset") { - $tmp = substr($flowbit, strpos($flowbit, ",") + 1 ); - if (!empty($tmp)) - $checked_flowbits[$tmp] = $action; + $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); + foreach ($target as $t) + if (!empty($t) && !isset($checked_flowbits[$t])) + $checked_flowbits[$t] = $action; } } } @@ -1356,9 +1357,10 @@ function snort_get_set_flowbits(&$rules_map) { continue; $action = substr(strtolower($flowbit), 0, $pos); if ($action == "set" || $action == "toggle" || $action == "setx") { - $tmp = substr($flowbit, strpos($flowbit, ",") + 1 ); - if (!empty($tmp)) - $set_flowbits[$tmp] = $action; + $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); + foreach ($target as $t) + if (!empty($t) && !isset($set_flowbits[$t])) + $set_flowbits[$t] = $action; } } } 
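Review bot: In snort_get_checked_flowbits() and snort_get_set_flowbits() the pieces produced by `preg_split('/[&|]/', ...)` are used as array keys without `trim()`, while snort_get_flowbits() in the first hunk trims each target before storing it; if these maps are only ever fed from snort_get_flowbits() that is harmless, but `$t = trim($t); if ($t !== '' && !isset($checked_flowbits[$t]))` would keep the three functions consistent and avoid `empty()` dropping a flowbit literally named `0`. The added `!isset(...)` guard also changes which action is recorded when the same flowbit is both isset and isnotset across rules (first seen now wins instead of last); a one-line comment stating that callers only use the keys, if that is the case, would document the intent. All three functions extend beyond their hunks.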
@@ -3162,7 +3164,7 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { log_error("snort XMLRPC sync successfully completed with {$url}:{$port}."); } - /* tell squid to reload our settings on the destination sync host. */ + /* tell snort to reload our settings on the destination sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/snort/snort.inc');\n"; $execcmd .= "sync_snort_package_config();"; -- cgit v1.2.3 From 943ba5d5bf0f0c0fedfcea7a1b5498d4d1d75a8a Mon Sep 17 00:00:00 2001 From: Marcello Coutinho Date: Tue, 14 May 2013 22:21:14 -0300 Subject: snort - add code to run only on backup system after xmlrpc sync --- config/snort/snort.inc | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index a191d941..c3381c66 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -847,7 +847,7 @@ function snort_rules_up_install_cron($should_install) { } /* Only run when all ifaces needed to sync. Expects filesystem rw */ -function sync_snort_package_config() { +function sync_snort_package_config($via_rpc=false) { global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file; global $snort_version, $rebuild_rules; @@ -891,6 +891,11 @@ function sync_snort_package_config() { snort_sync_on_changes(); + if ($via_rpc==true){ + + // include here all function calls snort need after xml rpc sync code on backup server + + } conf_mount_ro(); } @@ -3167,7 +3172,7 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { /* tell snort to reload our settings on the destination sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/snort/snort.inc');\n"; - $execcmd .= "sync_snort_package_config();"; + $execcmd .= "sync_snort_package_config(true);"; /* assemble xmlrpc payload */ $params = array( XML_RPC_encode($password), -- cgit v1.2.3 
From 0f5d0864bde099ef8e1e4163c65b3baa8852e7f1 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 16 May 2013 19:38:49 -0400 Subject: Refine new Snort XMLRPC pkg sync functions. --- config/snort/snort.inc | 96 +++++++++++++++++++++++++++++++------------------- 1 file changed, 60 insertions(+), 36 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index c3381c66..726d7846 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -847,7 +847,7 @@ function snort_rules_up_install_cron($should_install) { } /* Only run when all ifaces needed to sync. Expects filesystem rw */ -function sync_snort_package_config($via_rpc=false) { +function sync_snort_package_config() { global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file; global $snort_version, $rebuild_rules; @@ -891,11 +891,6 @@ function sync_snort_package_config($via_rpc=false) { snort_sync_on_changes(); - if ($via_rpc==true){ - - // include here all function calls snort need after xml rpc sync code on backup server - - } conf_mount_ro(); } @@ -3061,11 +3056,11 @@ function snort_sync_on_changes() { case "manual": if (is_array($snort_sync[row])){ $rs=$snort_sync[row]; - } + } else{ - log_error("[snort] xmlrpc sync is enabled but there is no hosts to push snort config."); + log_error("[snort] xmlrpc sync is enabled but there are no hosts to push snort config."); return; - } + } break; case "auto": if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ 
@@ -3074,12 +3069,12 @@ function snort_sync_on_changes() { $rs[0]['varsyncusername']=$system_carp['username']; $rs[0]['varsyncpassword']=$system_carp['password']; if ($system_carp['synchronizetoip'] ==""){ - log_error("[snort] xmlrpc sync is enabled but there is no system backup hosts to push snort config."); + log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts to push snort config."); return; } } else{ - log_error("[snort] xmlrpc sync is enabled but there is no system backup hosts to push snort config."); + log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts to push snort config."); return; } break; @@ -3088,7 +3083,7 @@ function snort_sync_on_changes() { break; } if (is_array($rs)){ - log_error("[snort] xmlrpc sync is starting."); + log_error("[snort] Snort pkg xmlrpc sync is starting."); foreach($rs as $sh){ $sync_to_ip = $sh['varsyncipaddress']; $password = $sh['varsyncpassword']; 
@@ -3097,42 +3092,38 @@ function snort_sync_on_changes() { else $username = 'admin'; if($password && $sync_to_ip) - snort_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); - } - log_error("[snort] xmlrpc sync is ending."); + snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout); } - } + log_error("[snort] Snort pkg xmlrpc sync completed."); + } + } } + /* Do the actual XMLRPC sync */ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { global $config, $g; - if(!$username) - return; - - if(!$password) - return; - - if(!$sync_to_ip) + if(!$username || !$password || !$sync_to_ip) { + log_error("[snort] A required XMLRPC sync parameter (user, host IP or password) is empty ... aborting pkg sync"); return; + } if(!$synctimeout) $synctimeout=150; - $xmlrpc_sync_neighbor = $sync_to_ip; - if($config['system']['webgui']['protocol'] != "") { + if($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; $synchronizetoip .= "://"; - } - $port = $config['system']['webgui']['port']; - /* if port is empty lets rely on the protocol selection */ - if($port == "") { + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { if($config['system']['webgui']['protocol'] == "http") $port = "80"; else $port = "443"; - } + } $synchronizetoip .= $sync_to_ip; /* xml will hold the sections to sync */ @@ -3146,7 +3137,7 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { /* set a few variables needed for sync code borrowed from filter.inc */ $url = $synchronizetoip; - log_error("Beginning snort XMLRPC sync to {$url}:{$port}."); + log_error("[snort] Beginning Snort pkg XMLRPC sync to {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); 
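Review bot: The scheme and port of the push are still derived from the local `$config['system']['webgui']` settings, although snort_sync.xml's rowhelper (new-file hunk earlier on this page) defines per-destination `varsyncprotocol`, `varsyncport` and `varsyncdestinenable` fields that snort_sync_on_changes() never reads: a row whose Enable box is unchecked is still pushed to, and when the local GUI runs on plain http the admin password handed to `setCredentials()` and again as the first XML-RPC parameter travels in cleartext to the peer. In the `foreach($rs as $sh)` loop, skipping rows with `if (empty($sh['varsyncdestinenable'])) continue;` and passing the row's own protocol and port into snort_do_xmlrpc_sync() (with `https` as the fallback when the protocol is empty) would make the GUI fields effective and let the sync refuse or warn on an http target. The assumption that the peer listens on the same port as the local GUI is also only implicit and deserves a comment. Both functions extend beyond this hunk.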
@@ -3166,20 +3157,20 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { log_error($error); file_notice("sync_settings", $error, "snort Settings Sync", ""); } else { - log_error("snort XMLRPC sync successfully completed with {$url}:{$port}."); + log_error("[snort] Snort pkg XMLRPC sync successfully completed with {$url}:{$port}."); } /* tell snort to reload our settings on the destination sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/snort/snort.inc');\n"; - $execcmd .= "sync_snort_package_config(true);"; + $execcmd .= "snort_sync_build_slave_conf();"; /* assemble xmlrpc payload */ $params = array( XML_RPC_encode($password), XML_RPC_encode($execcmd) ); - log_error("snort XMLRPC reload data {$url}:{$port}."); + log_error("[snort] Snort XMLRPC sending reload configuration cmds to {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); 
@@ -3195,8 +3186,41 @@ function snort_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { log_error($error); file_notice("sync_settings", $error, "snort Settings Sync", ""); } else { - log_error("snort XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php)."); } - } + +function snort_sync_build_slave_conf() { + + /*************************************************/ + /* This function is called by the XMLRPC package */ + /* sync process on the master host and is used */ + /* to build the initial Snort configuration on */ + /* a slave (or secondary) host after the push */ + /* of the config.xml data. */ + /*************************************************/ + + global $g, $rebuild_rules, $snort_gui_include, $is_postinstall; + + // First download fresh rules if necessary + unset($snort_gui_include); + $is_postinstall = true; + log_error(gettext("[snort] XMLRPC pkg sync: Downloading and updating configured rule types...")); + + // Suppress all PHP output by swallowing it in the output buffer and then discarding it + ob_start(); + + // Now start the actual configuration build on the remote slave + @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); + $is_postinstall = false; + log_error(gettext("[snort] XMLRPC pkg sync: Generating snort.conf file using Master Host's settings...")); + $rebuild_rules = "on"; + sync_snort_package_config(); + $rebuild_rules = "off"; + log_error(gettext("[snort] XMLRPC pkg sync process on this host is complete...")); + + // Finally, discard any buffered PHP output and return + ob_end_clean(); +} + ?> -- cgit v1.2.3 From 95074b228255ad3105cd7de8ea159d0015af5daf Mon Sep 17 00:00:00 2001 
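Review bot: `@include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php")` swallows any failure to load the rule-update script, after which snort_sync_build_slave_conf() still sets `$rebuild_rules = "on"`, rebuilds snort.conf and logs that the sync process is complete, so a secondary host can be left running without rules while the log reports success; check the return value, e.g. `if (@include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php") === false) { ob_end_clean(); log_error(gettext("[snort] XMLRPC pkg sync: rule update script could not be loaded; aborting.")); return; }`. The `ob_start()` is only balanced on the normal path, so any early return or exit inside the included script leaves buffered output behind, and because this function runs inside pfsense.exec_php on the peer, whatever it emits is what the master receives in the RPC reply. The box comment above `global` would be clearer as a docblock that also names the globals it mutates (`$is_postinstall`, `$rebuild_rules`) and states that they are restored before returning.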
From: bmeeks8 Date: Thu, 16 May 2013 19:41:12 -0400 Subject: Tweak HTML for tables to improve word-wrapping and column layouts. --- config/snort/snort_alerts.php | 48 ++++++++++++------------ config/snort/snort_blocked.php | 10 ++--- config/snort/snort_rules.php | 81 ++++++++++++++++++++++++++++++----------- config/snort/snort_rulesets.php | 31 ++++++---------- 4 files changed, 100 insertions(+), 70 deletions(-) (limited to 'config') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 7919b1f2..796e1587 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -83,7 +83,7 @@ if ($_POST['todelete'] || $_GET['todelete']) { $ip = $_GET['todelete']; if (is_ipaddr($ip)) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); - $savemsg = "Host IP address {$ip} has been removed from the Bocked Hosts table."; + $savemsg = "Host IP address {$ip} has been removed from the Blocked Table."; } } @@ -118,7 +118,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ } } } - $savemsg = "GID:SID '{$_GET['gen_id']}:{$_GET['sidid']}' has been added to the Suppress List."; + $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."; write_config(); sync_snort_package_config(); } @@ -250,18 +250,18 @@ if ($pconfig['arefresh'] == 'on') - + width="17" height="17" title="" + onclick="return intf_del()"> +
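Review bot: The new `$savemsg` in the `@@ -118,7 +118,7 @@` hunk interpolates `$_GET['gen_id']` and `$_GET['sidid']` directly into text that is presumably rendered into the page afterwards; the enclosing condition is_numeric-checks `sidid` (and appears to check `gen_id`, the header is cut), which limits the values to numeric strings, but escaping them at the point of use keeps the message safe if that guard is ever loosened: `$savemsg = "An entry for 'suppress gen_id " . htmlspecialchars($_GET['gen_id']) . ", sig_id " . htmlspecialchars($_GET['sidid']) . "' has been added to the Suppress List.";`. The enclosing block starts outside the hunk.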
   @@ -482,39 +481,39 @@ h += 96; $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); $rule_content = preg_split('/[\s]+/', $tmp); - $protocol = truncate($rule_content[1], 5); //protocol location - $source = truncate($rule_content[2], 13); //source location - $source_port = truncate($rule_content[3], 12); //source port location - $destination = truncate($rule_content[5], 13); //destination location - $destination_port = truncate($rule_content[6], 12); //destination port location + $protocol = truncate($rule_content[1], 6); //protocol location + $source = truncate($rule_content[2], 14); //source location + $source_port = truncate($rule_content[3], 10); //source port location + $destination = truncate($rule_content[5], 14); //destination location + $destination_port = truncate($rule_content[6], 10); //destination port location $message = snort_get_msg($v['rule']); - echo "
$textss + echo "
$textss $textse + $textss $sid $textse + $textss $protocol $textse $textss $source $textse + $textss $source_port $textse $textss $destination $textse + $textss $destination_port $textse + $textss $message $textse
- + @@ -354,7 +366,7 @@ foreach ($a_nat as $natent): ?>
+ - - - + + + - - - - - + + + + + @@ -295,7 +295,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_src = $fields[6]; if (isset($tmpblocked[$fields[6]])) { $alert_ip_src .= "
- \"Remove"; + \"Remove"; } /* IP SRC Port */ $alert_src_p = $fields[7]; @@ -303,7 +303,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_dst = $fields[8]; if (isset($tmpblocked[$fields[8]])) { $alert_ip_dst .= "
- \"Remove"; + \"Remove"; } /* IP DST Port */ $alert_dst_p = $fields[9]; @@ -312,24 +312,24 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { if (!isset($supplist[$fields[1]][$fields[2]])) { $sidsupplink = ""; $sidsupplink .= ""; + $sidsupplink .= "title='" . gettext("Add this gen_id:sig_id to Suppress List") . "'>"; } else { $sidsupplink = ""; + $sidsupplink .= "title='" . gettext("This gen_id:sig_id already in Suppress List") . "'/>"; } $alert_class = $fields[11]; echo " - - - + + + - - - - - + + + + + \n"; diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 40ef61a1..a726e9ad 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -183,12 +183,12 @@ if ($pconfig['brefresh'] == 'on') + width="17" height="17" border="0" title="">
{$alert_date}
{$alert_time}
{$alert_priority}{$alert_proto}{$alert_date}
{$alert_time}
{$alert_priority}{$alert_proto} {$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p}{$alert_sid_str}
{$sidsupplink}
{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p}{$alert_sid_str}
{$sidsupplink}
{$alert_descr}
- +
- + {$counter} - + \n"; } @@ -260,7 +260,7 @@ if ($pconfig['brefresh'] == 'on') -
#
{$blocked_ip} {$blocked_desc} - \"Delete\" + \"Delete
+ 1) echo "{$counter}" . gettext(" host IP addresses are currently being blocked."); diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index f737bc1d..bd31473c 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -71,6 +71,38 @@ function truncate($string, $length) { return $string; } +function add_title_attribute($tag, $title) { + + /******************************** + * This function adds a "title" * + * attribute to the passed tag * + * and sets the value to the * + * value specified by "$title". * + ********************************/ + $result = ""; + if (empty($tag)) { + // If passed an empty element tag, then + // just create a tag with title + $result = ""; + } + else { + // Find the ending ">" for the element tag + $pos = strpos($tag, ">"); + if ($pos !== false) { + // We found the ">" delimter, so add "title" + // attribute and close the element tag + $result = substr($tag, 0, $pos) . " title=\"" . $title . "\">"; + } + else { + // We did not find the ">" delimiter, so + // something is wrong, just return the + // tag "as-is" + $result = $tag; + } + } + return $result; +} + /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; @@ -348,7 +380,7 @@ h += 96;
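Review bot: add_title_attribute() splices `$title` into a double-quoted `title` attribute without escaping, and the callers in the `@@ -481,11 +513,18 @@` hunk further down pass raw rule fields (`$rule_content[2]`, `[3]`, `[5]`, `[6]`) straight from the parsed rules file, so a `"` or `>` in a downloaded or hand-written rule ends the attribute and lands in the markup; escape at the insertion point, `$result = substr($tag, 0, $pos) . " title=\"" . htmlspecialchars($title, ENT_QUOTES) . "\">";`, and likewise in the empty-tag branch (its markup is lost in this rendering, but it presumably builds a tag of its own). The ASCII-box comment would read better as a short docblock with `@param string $tag`, `@param string $title` and `@return string`, noting that `$tag` is expected to be a single opening tag whose first `>` ends it.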
- + @@ -396,7 +428,7 @@ h += 96; - + - + + +
@@ -429,19 +461,19 @@ h += 96;
- + - + - + - - - "; ?> - @@ -389,24 +389,19 @@ function enable_change() - + - - - - - - - - - - + - - +
  @@ -481,11 +513,18 @@ h += 96; $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); $rule_content = preg_split('/[\s]+/', $tmp); - $protocol = truncate($rule_content[1], 6); //protocol location - $source = truncate($rule_content[2], 14); //source location - $source_port = truncate($rule_content[3], 10); //source port location - $destination = truncate($rule_content[5], 14); //destination location - $destination_port = truncate($rule_content[6], 10); //destination port location + // Create custom tags for the fields we truncate so we can + // have a "title" attribute for tooltips to show the full string. + $srcspan = add_title_attribute($textss, $rule_content[2]); + $srcprtspan = add_title_attribute($textss, $rule_content[3]); + $dstspan = add_title_attribute($textss, $rule_content[5]); + $dstprtspan = add_title_attribute($textss, $rule_content[6]); + + $protocol = $rule_content[1]; //protocol field + $source = truncate($rule_content[2], 14); //source field + $source_port = truncate($rule_content[3], 10); //source port field + $destination = truncate($rule_content[5], 14); //destination field + $destination_port = truncate($rule_content[6], 10); //destination port field $message = snort_get_msg($v['rule']); echo "
$textss @@ -495,26 +534,26 @@ h += 96; title='" . gettext("Click to toggle enabled/disabled state") . "'> $textse - $textss $sid $textse + + {$textss}{$sid}{$textse} - $textss $protocol $textse + {$textss}{$protocol}{$textse} - $textss $source $textse + {$srcspan}{$source}{$textse} - $textss $source_port $textse + + {$srcprtspan}{$source_port}{$textse} - $textss $destination $textse + {$dstspan}{$destination}{$textse} - $textss $destination_port $textse + + {$dstprtspan}{$destination_port}{$textse} - $textss $message $textse + {$textss}{$message}{$textse} diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index f9fb6aa8..3005a9eb 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -84,7 +84,7 @@ if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on')) if ($a_nat[$id]['autoflowbitrules'] == 'on') { if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") && filesize("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) { - $btn_view_flowb_rules = ""; + $btn_view_flowb_rules = " title=\"" . gettext("View flowbit-required rules") . "\""; } else $btn_view_flowb_rules = " disabled"; @@ -335,7 +335,7 @@ function enable_change()
/> + />   


 
- - - - - +
+ + + +
"/>"/>"/>
 
 
 
 

 

+ "/>
-- cgit v1.2.3 From 22ac2fcf01952441d6ecc6bd0aed8ead35f2b3df Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 16 May 2013 19:45:10 -0400 Subject: Minor edits to text on page and Tooltips text. --- config/snort/snort_preprocessors.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 14e51ed3..e3b84854 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -1142,8 +1142,8 @@ include_once("head.inc");
  - -
-- cgit v1.2.3 From f4e899011f9312f79d7f5448ebb99ec59590537d Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 16 May 2013 19:47:54 -0400 Subject: Add error trapping for Snort interface adds and deletes. --- config/snort/snort_interfaces.php | 53 +++++++++++++++++++++++++++++----- config/snort/snort_interfaces_edit.php | 46 ++++++++++++++++++++--------- 2 files changed, 77 insertions(+), 22 deletions(-) (limited to 'config') diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index c2a66f98..4f7eaebf 100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -57,6 +57,18 @@ if (isset($_POST['del_x'])) { exec("/bin/rm -r /var/log/snort/snort_{$if_real}{$snort_uuid}"); exec("/bin/rm -r {$snortdir}/snort_{$snort_uuid}_{$if_real}"); + // If interface had auto-generated Suppress List, then + // delete that along with the interface + $autolist = "{$a_nat[$rulei]['interface']}" . "suppress"; + $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; + foreach ($a_suppress as $k => $i) { + if ($i['name'] == $autolist) { + unset($config['installedpackages']['snortglobal']['suppress']['item'][$k]); + break; + } + } + + // Finally delete the interface's config entry entirely unset($a_nat[$rulei]); } conf_mount_ro(); @@ -215,7 +227,7 @@ if ($pfsense_stable == 'yes')
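Review bot: `foreach ($a_suppress as $k => $i)` runs without checking that any suppress list exists; taking a reference with `$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item'];` creates that key as `null` when it is absent, so the loop emits an "invalid argument" warning and the saved config gains an empty `suppress` entry. Guard the loop, `if (is_array($a_suppress)) { foreach ($a_suppress as $k => $i) { ... } }`, or iterate the array directly without the reference since the unset already addresses the config path. The enclosing `if (isset($_POST['del_x']))` block and the `exec("/bin/rm -r ...")` lines that delete the interface's log and config directories start before this hunk, so the new removal sits inside that same deletion path.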
+ width="17" height="17" border="0" title="">
@@ -374,11 +386,13 @@ foreach ($a_nat as $natent): ?>
" border="0"> + width="17" height="17" " border="0"> + " - onclick="return confirm('Do you really want to delete the selected Snort mapping?')">
@@ -448,6 +465,26 @@ foreach ($a_nat as $natent): ?>

- Snort Menu where you can see an over ' . - 'view of all your interface settings. ' . - 'Please visit the Global Settings tab before adding ' . 'an interface.'); ?> + " . gettext("Snort Menu ") . + "" . gettext("where you can see an overview of all your interface settings."); + if (empty($a_nat)) { + echo gettext("Please visit the ") . "" . gettext("Global Settings") . + "" . gettext(" tab before adding an interface."); + }?>
+ + + diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 36bc628d..0010ec40 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -57,10 +57,21 @@ if (empty($snortglob['rule'][$id]['uuid'])) { } else { $pconfig['uuid'] = $a_rule[$id]['uuid']; + $pconfig['descr'] = $a_rule[$id]['descr']; $rebuild_rules = "off"; } $snort_uuid = $pconfig['uuid']; +// Get the physical configured interfaces on the firewall +if (function_exists('get_configured_interface_with_descr')) + $interfaces = get_configured_interface_with_descr(); +else { + $interfaces = array('wan' => 'WAN', 'lan' => 'LAN'); + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) + $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; +} + +// See if interface is already configured, and use its values if (isset($id) && $a_rule[$id]) { /* old options */ $pconfig = $a_rule[$id]; @@ -68,8 +79,24 @@ if (isset($id) && $a_rule[$id]) { $pconfig['configpassthru'] = base64_decode($pconfig['configpassthru']); if (empty($pconfig['uuid'])) $pconfig['uuid'] = $snort_uuid; - if (!$pconfig['interface']) - $pconfig['interface'] = "wan"; +} +// Must be a new interface, so try to pick next available physical interface to use +elseif (isset($id) && !isset($a_rule[$id])) { + $ifaces = get_configured_interface_list(); + $ifrules = array(); + foreach($a_rule as $r) + $ifrules[] = $r['interface']; + foreach ($ifaces as $i) { + if (!in_array($i, $ifrules)) { + $pconfig['interface'] = $i; + break; + } + } + if (count($ifrules) == count($ifaces)) { + $input_errors[] = "No more available interfaces to configure for Snort!"; + $interfaces = array(); + $pconfig = array(); + } } if (isset($_GET['dup'])) @@ -228,19 +255,11 @@ include_once("head.inc");
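Review bot: In the new `elseif (isset($id) && !isset($a_rule[$id]))` branch the "no more available interfaces" test is `count($ifrules) == count($ifaces)`, which is not the same as "the loop found nothing": a rule entry whose interface is no longer returned by `get_configured_interface_list()` makes the counts differ while every physical interface is still taken, so `$pconfig['interface']` stays unset and no error is reported. Test the loop's outcome instead, `if (empty($pconfig['interface'])) {`. `in_array($i, $ifrules)` should pass `true` as its third argument for a strict comparison, and the message `"No more available interfaces to configure for Snort!"` is the one user-facing string in these hunks not wrapped in `gettext()`.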
  


+ class="formfld" id="descr" size="40" value="">

- - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + + + + + \n"; diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index a726e9ad..6feca97b 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -184,11 +184,17 @@ if ($pconfig['brefresh'] == 'on') -- cgit v1.2.3 From e8f8b0ab273baa1d772ec914c51e242c3ff22f56 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 22 May 2013 12:20:35 -0400 Subject: Fix various HTML style issues to tidy up GUI. --- config/snort/snort_alerts.php | 5 +- config/snort/snort_barnyard.php | 10 +- config/snort/snort_blocked.php | 5 +- config/snort/snort_define_servers.php | 5 +- config/snort/snort_download_rules.php | 8 +- config/snort/snort_download_updates.php | 2 +- config/snort/snort_interfaces.php | 280 ++++++++++++----------- config/snort/snort_interfaces_edit.php | 7 +- config/snort/snort_interfaces_global.php | 11 +- config/snort/snort_interfaces_suppress.php | 5 +- config/snort/snort_interfaces_suppress_edit.php | 5 +- config/snort/snort_interfaces_whitelist.php | 5 +- config/snort/snort_interfaces_whitelist_edit.php | 5 +- config/snort/snort_preprocessors.php | 7 +- config/snort/snort_rules.php | 7 +- config/snort/snort_rules_flowbits.php | 36 ++- config/snort/snort_rulesets.php | 2 +- 17 files changed, 216 insertions(+), 189 deletions(-) (limited to 'config') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 98a58863..607fba54 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -205,8 +205,8 @@ if ($pconfig['arefresh'] == 'on') ?> - '; - echo ' -
{$alert_date}
{$alert_time}
{$alert_priority}{$alert_proto}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p}{$alert_sid_str}
{$sidsupplink}
{$alert_date}
{$alert_time}
{$alert_priority}{$alert_proto}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p}{$alert_sid_str}
{$sidsupplink}
{$alert_descr}
+ + + + + + - - - - + + + + - - - - + + + \n"; } diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index bd31473c..c5ccb018 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -465,23 +465,35 @@ h += 96; -- cgit v1.2.3 From f169f0b0724a39ac3dd35c46b90515751c2955ed Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 21 May 2013 22:01:34 -0400 Subject: Modernize the GUI interface (new progress bar). --- config/snort/snort_download_rules.php | 60 +++++++++++++++++++++-------------- 1 file changed, 36 insertions(+), 24 deletions(-) (limited to 'config') diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index bbbf689c..4f88f1c2 100755 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -34,6 +34,8 @@ require_once("functions.inc"); require_once("service-utils.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +global $g; + $pgtitle = "Services: Snort: Update Rules"; include("head.inc"); ?> @@ -44,35 +46,45 @@ include("head.inc"); ' . $pgtitle . '

';}?>
-
##
{$counter}{$blocked_ip}{$blocked_desc} + {$counter}{$blocked_ip}{$blocked_desc} \"Delete
- - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + title="" width="17" height="17" border="0"> + + $rulem) { @@ -527,37 +539,37 @@ h += 96; $destination_port = truncate($rule_content[6], 10); //destination port field $message = snort_get_msg($v['rule']); - echo " - - - - - - "; ?> -
  +
  - title="" width="17" height="17" border="0"> -
$textss + echo "
$textss $textse + {$textss}{$sid}{$textse} + {$textss}{$protocol}{$textse} + {$srcspan}{$source}{$textse} + {$srcprtspan}{$source_port}{$textse} + {$dstspan}{$destination}{$textse} + {$dstprtspan}{$destination_port}{$textse} {$textss}{$message}{$textse} - + " width="17" height="17" border="0"> @@ -568,6 +580,7 @@ h += 96; } unset($rulem, $v); ?> +
- - - - +
-
- - - - - + +
- +
+
+ + - + + +
+ + + + - -
+ + + + + + +
+ + + +
/images/misc/bar_blue.gif' + width='0' height='15' name='progressbar' id='progressbar' alt='' />
+
+
- /images/misc/progress_bar.gif' - width='280' height='23' name='progressbar' id='progressbar' alt='' /> + + + + +
-
- - -
- -
+
-- cgit v1.2.3 From 00dc251878e6fc23402ba8030758e9efa215bb09 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 21 May 2013 22:02:49 -0400 Subject: More fixes for new XMLRPC pkg sync routines. --- config/snort/snort.inc | 18 ++- config/snort/snort_check_for_rule_updates.php | 154 +++++++++++++++++--------- config/snort/snort_sync.xml | 2 +- 3 files changed, 111 insertions(+), 63 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 46c66128..fe390a41 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -857,7 +857,7 @@ function sync_snort_package_config() { /* do not start config build if rules is empty or there are no Snort settings */ if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) { - exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); + exec("/bin/rm /usr/local/etc/rc.d/snort.sh"); conf_mount_ro(); return; } @@ -3053,7 +3053,7 @@ function snort_sync_on_changes() { global $config, $g, $is_postinstall; /* Do not attempt a package sync while booting up or installing package */ - if ($g['booting'] || $is_postinstall == true) + if ($g['booting'] || $is_postinstall) return; if (is_array($config['installedpackages']['snortsync']['config'])){ @@ -3118,7 +3118,7 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw global $config, $g, $is_postinstall; /* Do not attempt a package sync while booting up or installing package */ - if ($g['booting'] || $is_postinstall == true) + if ($g['booting'] || $is_postinstall) return; if(!$username || !$password || !$sync_to_ip) { 
@@ -3161,8 +3161,7 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); - if($g['debug']) - $cli->setDebug(1); + /* send our XMLRPC message and timeout after defined sync timeout value*/ $resp = $cli->send($msg, $synctimeout); if(!$resp) { @@ -3170,8 +3169,6 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw log_error($error); file_notice("sync_settings", $error, "snort Settings Sync", ""); } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "snort Settings Sync", ""); 
@@ -3181,14 +3178,16 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw $downloadrulescmd = ""; if ($syncdownloadrules == "yes") { - $downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested update of downloaded rules files...\"));\n"; + $downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Update of downloaded rule sets requested...\"));\n"; $downloadrulescmd .= "include_once(\"/usr/local/pkg/snort/snort_check_for_rule_updates.php\");\n"; } $snortstart = ""; if ($syncstartsnort == "ON") { - $snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Requested restart of Snort...\"));\n"; + $snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Checking Snort status...\"));\n"; $snortstart .= "if (!is_process_running(\"snort\")) {\n"; + $snortstart .= "log_error(gettext(\"[snort] XMLRPC pkg sync: Snort not running. Sending a start command...\"));\n"; $snortstart .= "exec(\"/usr/local/etc/rc.d/snort.sh start 2>&1 &\");\n}\n"; + $snortstart .= "else {log_error(gettext(\"[snort] XMLRPC pkg sync: Snort is running...\"));\n}\n"; } /* Build a series of commands for the secondary host to execute that will load the new settings. */ @@ -3224,7 +3223,6 @@ EOD; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); - $cli->setDebug("1"); $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index f5810aff..da6f408c 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php 
@@ -32,7 +32,6 @@ require_once("functions.inc"); require_once("service-utils.inc"); require_once "/usr/local/pkg/snort/snort.inc"; -require_once("service-utils.inc"); global $snort_gui_include, $vrt_enabled, $et_enabled, $rebuild_rules, $snort_rules_upd_log; global $protect_preproc_rules, $is_postinstall, $snort_community_rules_filename; 
@@ -69,6 +68,54 @@ $emergingthreats_filename_md5 = "{$emergingthreats_filename}.md5"; /* Snort GPLv2 Community Rules MD5 file */ $snort_community_rules_filename_md5 = "{$snort_community_rules_filename}.md5"; +/* Custom function for rules file download via URL */ +function snort_download_file_url($url, $file_out) { + + /************************************************/ + /* This function downloads the file specified */ + /* by $url using the CURL library functions and */ + /* saves the content to the file specified by */ + /* $file. */ + /* */ + /************************************************/ + + global $g, $config, $pkg_interface; + + /* If not in console mode, use the built-in progress-bar function */ + if ($pkg_interface <> "console") + return download_file_with_progress_bar($url, $file_out); + + /* Otherwise, use our custom function with no output */ + /* (Note: required to suppress errors from XMLRPC) */ + $fp = fopen($file_out, "wb"); + if ($fp) { + $ch = curl_init($url); + if (!$ch) + return false; + curl_setopt($ch, CURLOPT_FILE, $fp); + curl_setopt($ch, CURLOPT_HEADER, 0); + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); + /* Don't verify SSL peers since we don't have the certificates to do so. */ + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 60); + curl_setopt($ch, CURLOPT_TIMEOUT, 0); + $rc = curl_exec($ch); + if ($rc === false) { + curl_close($ch); + fclose($fp); + return $rc; + } + $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); + curl_close($ch); + fclose($fp); + return ($http_code == 200) ? true : $http_code; + } + else + return false; + +} + + /* Start of code */ conf_mount_rw(); 
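Review bot: The return contract of `snort_download_file_url` does not match its callers: it returns `$http_code` on a non-200 response, but every call site in the following hunks (`@@ -101`, `@@ -164`, `@@ -221`, `@@ -256`, `@@ -330`, `@@ -371`) tests `if ($rc == true)`, and under PHP's loose comparison a non-zero status such as 404 compares equal to `true`, so an HTTP error is treated as a successful download and the "Server returned error code" branches are unreachable. Either compare strictly at the call sites, `if ($rc === true)`, or return `false` here and report the status code through a separate channel. `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);` means that for `https://` rule URLs the server is never authenticated, and the md5 comparison the callers do afterwards only detects that the file changed, not that it came from the expected source; if a CA bundle is available on the firewall, point `CURLOPT_CAINFO` at it rather than disabling verification, and document the trade-off in the header comment. Two smaller issues: `CURLOPT_TIMEOUT` of 0 leaves the transfer with no overall limit, and when `curl_init` fails the function returns without closing `$fp`.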
@@ -101,7 +148,7 @@ if ($snortdownload == 'on') { $max_tries = 4; $rc = true; while ($max_tries > 0) { - $rc = download_file_with_progress_bar("{$snort_rule_url}{$snort_filename_md5}", "{$tmpfname}/{$snort_filename_md5}"); + $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}", "{$tmpfname}/{$snort_filename_md5}"); if ($rc == true) break; else { @@ -164,7 +211,7 @@ if ($snortdownload == 'on') { $max_tries = 4; $rc = true; while ($max_tries > 0) { - $rc = download_file_with_progress_bar("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}"); + $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}"); if ($rc == true) break; else { 
@@ -221,33 +268,35 @@ if ($snortcommunityrules == 'on') { if ($pkg_interface <> "console") update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file...")); error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file...\n"), 3, $snort_rules_upd_log); - $image = file_get_contents("{$snort_community_rules_url}{$snort_community_rules_filename_md5}"); - if ($pkg_interface <> "console") - update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); - error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log); - @file_put_contents("{$tmpfname}/{$snort_community_rules_filename_md5}", $image); - /* See if the file download was successful, and turn off Snort GPLv2 update if it failed. */ - if (0 == filesize("{$tmpfname}/{$snort_community_rules_filename_md5}")){ + $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}"); + + if ($rc == true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); + error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log); + if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") { + /* Check if were up to date Snort GPLv2 Community Rules */ + $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"); + $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}"); + if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) { + if ($pkg_interface <> "console") + update_status(gettext("Snort GPLv2 Community Rules are up to date...")); + log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date...")); + error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + } + } + else { if 
($pkg_interface <> "console") update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); - error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.")); + error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tSnort GPLv2 Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); $snortcommunityrules = 'off'; } - if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") { - /* Check if were up to date Snort GPLv2 Community Rules */ - $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"); - $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}"); - if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("Snort GPLv2 Community Rules are up to date...")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date...")); - error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; - } - } } /* download Snort GPLv2 Community rules file */ 
@@ -256,7 +305,7 @@ if ($snortcommunityrules == "on") { update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log); - $rc = download_file_with_progress_bar("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); + $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); /* Test for a valid rules file download. Turn off Snort Community update if download failed. */ if ($rc == true) { 
@@ -330,36 +379,36 @@ if ($emergingthreats == 'on') { /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ if ($vrt_enabled == "on") - $image = @file_get_contents("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}"); + $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); else - $image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}"); - - if ($pkg_interface <> "console") - update_status(gettext("Done downloading EmergingThreats md5")); - error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); - @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); + $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); - /* See if the file download was successful, and turn off ET update if it failed. 
*/ - if (0 == filesize("{$tmpfname}/{$emergingthreats_filename_md5}")){ + if ($rc == true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading EmergingThreats md5")); + error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); + + if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { + /* Check if were up to date emergingthreats.net */ + $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); + $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); + if ($emerg_md5_check_new == $emerg_md5_check_old) { + if ($pkg_interface <> "console") + update_status(gettext("Emerging Threats rules are up to date...")); + log_error(gettext("[Snort] Emerging Threat rules are up to date...")); + error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } + } + } + else { if ($pkg_interface <> "console") update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); - log_error(gettext("[Snort] EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); - error_log(gettext("\tEmergingThreats md5 file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + log_error(gettext("[Snort] EmergingThreats md5 file download failed. Server returned error code '{$rc}'.")); + error_log(gettext("\tEmergingThreats md5 file download failed. 
Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tEmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } - - if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { - /* Check if were up to date emergingthreats.net */ - $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); - $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); - if ($emerg_md5_check_new == $emerg_md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("Emerging Threats rules are up to date...")); - log_error(gettext("[Snort] Emerging Threat rules are up to date...")); - error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } - } } /* download emergingthreats rules file */ @@ -371,9 +420,9 @@ if ($emergingthreats == "on") { /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ if ($vrt_enabled == "on") - $rc = download_file_with_progress_bar("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); + $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); else - $rc = download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); + $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); /* Test for a valid rules file download. Turn off ET update if download failed. */ if ($rc == true) { 
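Review bot: The Emerging Threats md5 file and tarball are fetched over plain `http://` on the new lines of `@@ -330` and `@@ -371`, and the only check applied afterwards is whether the md5 file differs from the previously stored copy, so neither the transport nor the comparison authenticates rule content that Snort will later load. If the ET mirror serves the same paths over HTTPS, switch the scheme so the downloader can verify the peer; otherwise the rule set should at least be checked against the freshly downloaded md5 before it is installed, which does not happen within these hunks as far as I can see. The up-to-date comparison `$emerg_md5_check_new == $emerg_md5_check_old` is a loose string comparison; `===` would avoid surprises if either `file_get_contents` returns `false`.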
@@ -434,7 +483,8 @@ if ($emergingthreats == 'on') { /* Copy emergingthreats md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$emergingthreats_filename_md5}")) { - update_status(gettext("Copying md5 signature to snort directory...")); + if ($pkg_interface <> "console") + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } if ($pkg_interface <> "console") diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml index 274d3fc9..24cf9cfa 100755 --- a/config/snort/snort_sync.xml +++ b/config/snort/snort_sync.xml @@ -175,6 +175,7 @@ POSSIBILITY OF SUCH DAMAGE. varsyncsnortstart checkbox + ON @@ -184,7 +185,6 @@ POSSIBILITY OF SUCH DAMAGE. - write_config();snort_sync_on_changes(); write_config();snort_sync_on_changes(); -- cgit v1.2.3 From e977391528edbf2d27841f2458b2e72e8bb29747 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 21 May 2013 22:48:47 -0400 Subject: Fix-up missing align left HTML attribute. --- config/snort/snort_download_rules.php | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'config') diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index 4f88f1c2..f9fca057 100755 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -52,33 +52,32 @@ include("head.inc");
-
+ +
- -
/images/misc/bar_blue.gif' + /images/misc/bar_blue.gif' width='0' height='15' name='progressbar' id='progressbar' alt='' />
-
+ - +
- +
+ @@ -357,6 +357,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
+
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index cf9fb4bd..a7f04e39 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -161,7 +161,7 @@ function enable_change(enable_change) { $tab_array[7] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml"); display_top_tabs($tab_array); echo '
'; + echo '
'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array = array(); $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); @@ -174,8 +174,8 @@ function enable_change(enable_change) { ?>
- + +
+ @@ -225,7 +225,9 @@ function enable_change(enable_change) {
- +
+