From a30da99a24575ba9554ace7bdf1c8e6a0119b4d0 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Jun 2013 18:35:32 -0400 Subject: Add Host Attribute Table support to Preprocessors tab. --- config/snort/snort_edit_hat_data.php | 126 ++++++++++++ config/snort/snort_preprocessors.php | 375 ++++++++++++++++++++++++----------- 2 files changed, 390 insertions(+), 111 deletions(-) create mode 100644 config/snort/snort_edit_hat_data.php (limited to 'config') diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php new file mode 100644 index 00000000..f0562046 --- /dev/null +++ b/config/snort/snort_edit_hat_data.php 
@@ -0,0 +1,126 @@ +. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g, $rebuild_rules; + +$snortdir = SNORTDIR; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!empty($a_nat[$id]['host_attribute_data'])) + $pconfig['host_attribute_data'] = base64_decode($a_nat[$id]['host_attribute_data']); +else + $pconfig['host_attribute_data'] = ""; + +if ($_POST['clear']) { + unset($a_nat[$id]['host_attribute_data']); + write_config(); + $rebuild_rules = false; + snort_generate_conf($a_nat[$id]); + header("Location: /snort/snort_edit_hat_data.php?id={$id}"); + exit; +} + +if ($_POST['host_attribute_data']) { + $a_nat[$id]['host_attribute_data'] = base64_encode($_POST['host_attribute_data']); + write_config(); + $rebuild_rules = false; + snort_generate_conf($a_nat[$id]); + header("Location: /snort/snort_preprocessors.php?id={$id}"); + exit; +} + + +$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); +$pgtitle = "Services: Snort: {$if_friendly} Host Attribute Table Data"; +include_once("head.inc"); + +?> + + + +' . $pgtitle . '

';} +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> +
+
+ + + + +
+ + + + + + + + + + +
+ +
+ " title=" "/>   + " onclick="parent.location='snort_preprocessors.php?id='" title=""/>   + " onclick="return confirm('')" title=""/> +
+
+
+
+ + + diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 12981398..8a741d4e 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -61,6 +61,11 @@ if (isset($id) && $a_nat[$id]) { /* Get current values from config for page form fields */ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['host_attribute_table'] = $a_nat[$id]['host_attribute_table']; + $pconfig['host_attribute_data'] = $a_nat[$id]['host_attribute_data']; + $pconfig['max_attribute_hosts'] = $a_nat[$id]['max_attribute_hosts']; + $pconfig['max_attribute_services_per_host'] = $a_nat[$id]['max_attribute_services_per_host']; + $pconfig['max_paf'] = $a_nat[$id]['max_paf']; $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth']; $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile']; $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth']; @@ -124,6 +129,12 @@ if (isset($id) && $a_nat[$id]) { /* enable the most common required preprocessors by default */ /* and set reasonable values for any options. */ /************************************************************/ + if (empty($pconfig['max_attribute_hosts'])) + $pconfig['max_attribute_hosts'] = '10000'; + if (empty($pconfig['max_attribute_services_per_host'])) + $pconfig['max_attribute_services_per_host'] = '10'; + if (empty($pconfig['max_paf'])) + $pconfig['max_paf'] = '16000'; if (empty($pconfig['ftp_preprocessor'])) $pconfig['ftp_preprocessor'] = 'on'; if (empty($pconfig['smtp_preprocessor'])) @@ -200,6 +211,10 @@ if ($_POST['ResetAll']) { /* Reset all the preprocessor settings to defaults */ $pconfig['perform_stat'] = "off"; + $pconfig['host_attribute_table'] = "off"; + $pconfig['max_attribute_hosts'] = '10000'; + $pconfig['max_attribute_services_per_host'] = '10'; + $pconfig['max_paf'] = '16000'; $pconfig['server_flow_depth'] = "300"; $pconfig['http_server_profile'] = "all"; $pconfig['client_flow_depth'] = "300"; 
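Review bot: In the new snort_edit_hat_data.php, `$id` comes from `$_GET`/`$_POST` and is only tested with `is_null()` before it indexes `$a_nat[$id]`, is handed to `snort_generate_conf()` and is interpolated into the redirect URLs, so a non-numeric or out-of-range id reaches those calls with an undefined config entry. Replacing the `is_null()` test with `if (is_null($id) || !ctype_digit((string)$id) || !isset($a_nat[$id])) { header("Location: /snort/snort_interfaces.php"); exit; }` closes that, and the same raw `$id` is reused in the redirects of the `btn_import` and `btn_edit_hat` branches this commit adds to snort_preprocessors.php. The `clear` branch removes `host_attribute_data` but leaves `host_attribute_table` at `on`, which the new check in snort_preprocessors.php then reports as an input error on the next page load; unsetting the flag here, or a comment saying why it stays, would avoid that. `if ($_POST['host_attribute_data'])` is a truthiness test, so a submitted value of `0` is silently ignored; `isset($_POST['host_attribute_data']) && $_POST['host_attribute_data'] !== ''` is the intended condition.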
@@ -266,6 +281,9 @@ elseif ($_POST['Submit']) { /* if no errors write to conf */ if (!$input_errors) { /* post new options */ + if ($_POST['max_attribute_hosts'] != "") { $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts']; }else{ $natent['max_attribute_hosts'] = "10000"; } + if ($_POST['max_attribute_services_per_host'] != "") { $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host']; }else{ $natent['max_attribute_services_per_host'] = "10"; } + if ($_POST['max_paf'] != "") { $natent['max_paf'] = $_POST['max_paf']; }else{ $natent['max_paf'] = "16000"; } if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; } if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; } @@ -295,6 +313,7 @@ elseif ($_POST['Submit']) { unset($natent['pscan_ignore_scanners']); $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; + $natent['host_attribute_table'] = $_POST['host_attribute_table'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off'; $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off'; 
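Review bot: The three new `max_attribute_hosts`, `max_attribute_services_per_host` and `max_paf` assignments copy `$_POST` straight into `$natent` without checking that the value is an integer within the range the form help text later in this commit advertises (32–524288, 1–65535 and 0–63780), and these values are written into snort.conf. Adding range checks to the `$input_errors` validation that presumably precedes this block (the `if (!$input_errors)` guard sits just above the hunk; the enclosing `elseif ($_POST['Submit'])` block starts outside it) keeps bad values out of the generated configuration, e.g. `if ($_POST['max_attribute_hosts'] != "" && (!ctype_digit((string)$_POST['max_attribute_hosts']) || $_POST['max_attribute_hosts'] < 32 || $_POST['max_attribute_hosts'] > 524288)) $input_errors[] = gettext("Max Attribute Hosts must be between 32 and 524288.");` with the same shape for the other two. The `host_attribute_table` line in the second hunk mirrors the surrounding `perform_stat` pattern and is fine.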
@@ -342,14 +361,22 @@ elseif ($_POST['Submit']) { write_config(); /* Set flag to rebuild rules for this interface */ - $rebuild_rules = "on"; + $rebuild_rules = true; /*************************************************/ - /* Update the snort conf file and rebuild the */ + /* Update the snort.conf file and rebuild the */ /* rules for this interface. */ /*************************************************/ snort_generate_conf($natent); - $rebuild_rules = "off"; + $rebuild_rules = false; + + /*******************************************************/ + /* Signal Snort to reload Host Attribute Table if one */ + /* is configured and saved. */ + /*******************************************************/ + if ($natent['host_attribute_table'] == "on" && + !empty($natent['host_attribute_data'])) + snort_reload_config($natent, "SIGURG"); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); 
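Review bot: The new `snort_reload_config($natent, "SIGURG")` call depends on `$natent['host_attribute_data']`, but that key is not among the `$_POST` values copied into `$natent` in this commit (the data is stored by the import branch and the edit page), so unless `$natent` starts as a copy of `$a_nat[$id]` — that initialisation is outside the hunk — the condition is never true and the reload is never signalled. Worth confirming against the start of the `elseif ($_POST['Submit'])` block, or reading the data from the saved entry instead: `if ($natent['host_attribute_table'] == "on" && !empty($a_nat[$id]['host_attribute_data']))`. A one-line comment such as `/* SIGURG makes Snort re-read its host attribute table without a restart */` would also spare the next reader a trip to the Snort manual.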
@@ -361,6 +388,47 @@ elseif ($_POST['Submit']) { exit; } } +elseif ($_POST['btn_import']) { + if (is_uploaded_file($_FILES['host_attribute_file']['tmp_name'])) { + $data = file_get_contents($_FILES['host_attribute_file']['tmp_name']); + if ($data === false) + $input_errors[] = gettext("Error uploading file {$_FILES['host_attribute_file']}!"); + else { + if (isset($id) && $a_nat[$id]) { + $a_nat[$id]['host_attribute_table'] = "on"; + $a_nat[$id]['host_attribute_data'] = base64_encode($data); + $pconfig['host_attribute_data'] = $a_nat[$id]['host_attribute_data']; + $a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts']; + $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host']; + write_config(); + } + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: snort_preprocessors.php?id=$id"); + exit; + } + } + else + $input_errors[] = gettext("No filename specified for import!"); +} +elseif ($_POST['btn_edit_hat']) { + if (isset($id) && $a_nat[$id]) { + $a_nat[$id]['host_attribute_table'] = "on"; + $a_nat[$id]['max_attribute_hosts'] = $pconfig['max_attribute_hosts']; + $a_nat[$id]['max_attribute_services_per_host'] = $pconfig['max_attribute_services_per_host']; + write_config(); + header("Location: snort_edit_hat_data.php?id=$id"); + exit; + } +} + +/* If Host Attribute Table option is enabled, but */ +/* no Host Attribute data exists, flag an error. */ +if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_data'])) + $input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. 
Data may be entered manually or imported from a suitable file."); $if_friendly = snort_get_friendly_interface($pconfig['interface']); $pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow"; @@ -480,13 +548,106 @@ include_once("head.inc"); + + + + + + > + . + + + +
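Review bot: `gettext("Error uploading file {$_FILES['host_attribute_file']}!")` in the `btn_import` branch interpolates the whole `$_FILES` entry, which is an array, so the message renders the word `Array`; it should read the `name` member and keep the gettext key static, e.g. `$input_errors[] = sprintf(gettext("Error reading uploaded file %s!"), htmlspecialchars($_FILES['host_attribute_file']['name']));`. The uploaded content is base64-encoded into config.xml with no size cap and no check that it parses — Snort's host attribute table is XML, so a `simplexml_load_string($data) === false` test before saving would reject files that would otherwise keep Snort from starting. `$id` in the two new `Location:` redirects is the raw request parameter; it should be confirmed numeric and present in `$a_nat` before use. The import branch saves the data but does not regenerate snort.conf, so the running instance only picks it up on a later Submit; if that is intended, a comment on the `write_config()` line saying so would prevent a future "fix".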
+ "on") echo "disabled"; ?>>   + "on") echo "disabled"; ?>>
+

+ + + + + +

+ " + class="formbtn" + "on") echo "disabled"; ?>>   +
" . gettext("Warning: ") . "" . + gettext("No Host Attribute Data loaded - import from a file or enter it manually."); + } ?> + + + + + + + + +
"on") echo "disabled"; ?>>   + " . gettext("32") . "" . gettext(" and Max is ") . "" . + gettext("524288") . ""; ?>.
+ " . gettext("10000") . ""; ?>.
+ + + + + + + + + +
"on") echo "disabled"; ?>>   + " . gettext("1") . "" . gettext(" and Max is ") . "" . + gettext("65535") . ""; ?>.
+ " . gettext("10") . ". " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.
+ + + + + + + + + + + + +
   + " . gettext("0") . "" . gettext(" (off) and Max is ") . "" . + gettext("63780") . ""; ?>.
+ " . gettext("16000") . ". " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.
+ + - > @@ -578,7 +739,7 @@ include_once("head.inc"); -
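Review bot: The help text added for `max_attribute_services_per_host` ends with `A value of 0 disables Protocol Aware Flushing.`, which apparently was copied from the `max_paf` description below it; a value of 0 is outside the 1–65535 range the same sentence advertises, so the trailing clause should be dropped from that field. The `max_paf` text keeps the sentence correctly. The surrounding table markup was not recoverable in this view, so the exact line could not be quoted.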
-1 " . "to 1460 (-1 disables HTTP " . @@ -586,17 +747,17 @@ include_once("head.inc");

+ "performance may increase by adjusting this value."); ?>
300"); ?>
- - onClick="enable_change(false)"> . @@ -606,7 +767,7 @@ include_once("head.inc"); - onClick="enable_change(false)"> 8192."; ?>
+ "8192."; ?>
@@ -654,7 +815,7 @@ include_once("head.inc"); 0" . gettext(" (unlimited)."); ?>
+ "0" . gettext(" (unlimited)."); ?>
@@ -669,7 +830,7 @@ include_once("head.inc"); 0" . gettext(" (check is disabled)."); ?>
+ "0" . gettext(" (check is disabled)."); ?>
@@ -694,13 +855,13 @@ include_once("head.inc"); -   " . gettext("BSD") . ""; ?>.
-
+
@@ -708,8 +869,8 @@ include_once("head.inc"); - "> + > " . gettext("Checked") . ""; ?>. @@ -750,7 +911,7 @@ include_once("head.inc"); > + > " . gettext("Not Checked") . ""; ?>.
" . gettext("Warning: ") . "" . @@ -761,7 +922,7 @@ include_once("head.inc"); -
1024, Maximum is 1073741824 " . @@ -770,7 +931,7 @@ include_once("head.inc");
1048576"); ?>.
+ "memory. Default value is 1048576"); ?>.
@@ -778,7 +939,7 @@ include_once("head.inc"); -
2, Maximum is 1073741824 " . @@ -787,7 +948,7 @@ include_once("head.inc");
2621"); ?>.
+ "in memory. Default value is 2621"); ?>.
@@ -795,7 +956,7 @@ include_once("head.inc"); -
32768, Maximum is 1073741824 " . @@ -803,7 +964,7 @@ include_once("head.inc");
8388608 (8 MB)"); ?>.
+ "in RAM. Default value is 8388608 (8 MB)"); ?>.
@@ -811,7 +972,7 @@ include_once("head.inc"); -
0" . gettext(" (unlimited), and the maximum is ") . @@ -819,7 +980,7 @@ include_once("head.inc");
0" . gettext(" (unlimited)."); ?>
+ "0" . gettext(" (unlimited)."); ?>
@@ -827,7 +988,7 @@ include_once("head.inc"); -
1" . gettext(" and the maximum is ") . @@ -835,7 +996,7 @@ include_once("head.inc");
30" . gettext(" seconds."); ?>
+ "30" . gettext(" seconds."); ?>
@@ -843,7 +1004,7 @@ include_once("head.inc"); -
1" . gettext(" and the maximum is ") . @@ -851,7 +1012,7 @@ include_once("head.inc");
30" . gettext(" seconds."); ?>
+ "30" . gettext(" seconds."); ?>
@@ -859,7 +1020,7 @@ include_once("head.inc"); -
1" . gettext(" and the maximum is ") . @@ -867,33 +1028,32 @@ include_once("head.inc");
30" . gettext(" seconds."); ?>
+ "30" . gettext(" seconds."); ?>
- + - -   " . gettext("BSD") . ""; ?>.
-
+
-
- - + > -    -    -    - - - + - - + - - + - - + - - + - - + - - + - - + - - + - + - + - + - + - - - - - - + + + + + +
10,000,000" . gettext(" bytes. (10 MB)"); ?>
+ "10,000,000" . gettext(" bytes. (10 MB)"); ?>
-   " . gettext("\$HOME_NET") . ""; ?>.

@@ -1006,97 +1166,79 @@ include_once("head.inc");

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
> " . gettext("Checked") . ""; ?>.

-
>

-
> " . gettext("Checked") . ""; ?>.

- > " . gettext("Checked") . ""; ?>.

- >
- +

- > " . - gettext("If your network does not contain Modbus-enabled devices, you should leave this preprocessor disabled."); ?> + "" . gettext("Note: ") . "" . + gettext("If your network does not contain Modbus-enabled devices, you can leave this preprocessor disabled."); ?>

- > " . - gettext("If your network does not contain DNP3-enabled devices, you should leave this preprocessor disabled."); ?> + "" . gettext("Note: ") . "" . + gettext("If your network does not contain DNP3-enabled devices, you can leave this preprocessor disabled."); ?>
  - "/> -      - />
  - -
+ "> +      + >
  + +
@@ -1201,6 +1345,15 @@ function frag3_enable_change() { document.iform.frag3_timeout.disabled=endis; } +function host_attribute_table_enable_change() { + var endis = !(document.iform.host_attribute_table.checked); + document.iform.host_attribute_file.disabled=endis; + document.iform.btn_import.disabled=endis; + document.iform.btn_edit_hat.disabled=endis; + document.iform.max_attribute_hosts.disabled=endis; + document.iform.max_attribute_services_per_host.disabled=endis; +} + function http_inspect_enable_change() { var endis = !(document.iform.http_inspect.checked); document.iform.http_inspect_enable_xff.disabled=endis; -- cgit v1.2.3 From bc45f34c6e0ad58d6286da338e4962a86fbc9415 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Jun 2013 18:36:55 -0400 Subject: Add option to configure rule update start time. --- config/snort/snort_interfaces_global.php | 85 ++++++++++++++++++++++---------- 1 file changed, 60 insertions(+), 25 deletions(-) (limited to 'config') diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 0b9c5f2d..d28ec2b4 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php 
@@ -49,15 +49,22 @@ $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; $pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; +$pconfig['rule_update_starttime'] = $config['installedpackages']['snortglobal']['rule_update_starttime']; $pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings']; $pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules']; if (empty($pconfig['snortloglimit'])) $pconfig['snortloglimit'] = 'on'; +if (empty($pconfig['rule_update_starttime'])) + $pconfig['rule_update_starttime'] = '00:03'; + +if ($_POST['rule_update_starttime']) { + if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime'])) + $input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'."; +} /* if no errors move foward */ if (!$input_errors) { - if ($_POST["Submit"]) { $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; 
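Review bot: The new start-time error string is the only input-error message in this series not wrapped in `gettext()`; `$input_errors[] = gettext("Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'.");` keeps it translatable like the others. The check also runs only when the field is truthy, so an empty submission skips validation and is left to the save path below instead of falling back to the `00:03` default applied to `$pconfig`.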
@@ -77,6 +84,14 @@ if (!$input_errors) { $config['installedpackages']['snortglobal']['snortloglimitsize'] = $snortloglimitDSKsize; } $config['installedpackages']['snortglobal']['autorulesupdate7'] = $_POST['autorulesupdate7']; + + /* Check and adjust format of Rule Update Starttime string to add colon and leading zero if necessary */ + $pos = strpos($_POST['rule_update_starttime'], ":"); + if ($pos === false) { + $tmp = str_pad($_POST['rule_update_starttime'], 4, "0", STR_PAD_LEFT); + $_POST['rule_update_starttime'] = substr($tmp, 0, 2) . ":" . substr($tmp, -2); + } + $config['installedpackages']['snortglobal']['rule_update_starttime'] = str_pad($_POST['rule_update_starttime'], 4, "0", STR_PAD_LEFT); $config['installedpackages']['snortglobal']['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off'; $retval = 0; @@ -116,20 +131,6 @@ if ($input_errors) ?> - - -
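Review bot: The normalisation only repairs colon-less input: a value such as `9:03`, which the regex in the previous hunk accepts, passes `str_pad(..., 4, ...)` unchanged (it is already four characters) and is stored as `9:03`, while an empty field becomes `0000` → `00:00` rather than the `00:03` default. Using the regex captures removes both the `$pos`/`$tmp` dance and the inconsistency: `$config['installedpackages']['snortglobal']['rule_update_starttime'] = preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime'], $m) ? sprintf('%02d:%02d', $m[1], $m[2]) : '00:03';`. Whatever consumes this value (presumably the cron setup, outside this diff) then always sees the `HH:MM` shape the validator promises. The enclosing `if ($_POST["Submit"])` block starts outside the hunk.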
+ -- cgit v1.2.3 From 469ed2647ad8b373b15cffc2917def5f90b13e53 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Jun 2013 18:46:51 -0400 Subject: Remove any zero-length spaces in data when saving. --- config/snort/snort_interfaces_suppress_edit.php | 51 +++++++++++-------------- config/snort/snort_interfaces_whitelist.php | 4 +- 2 files changed, 24 insertions(+), 31 deletions(-) (limited to 'config') diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 5e12f656..1eb16260 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -52,7 +52,6 @@ $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; - /* returns true if $name is a valid name for a whitelist file name or ip */ function is_validwhitelistname($name) { if (!is_string($name)) @@ -70,8 +69,10 @@ if (isset($id) && $a_suppress[$id]) { $pconfig['name'] = $a_suppress[$id]['name']; $pconfig['uuid'] = $a_suppress[$id]['uuid']; $pconfig['descr'] = $a_suppress[$id]['descr']; - if (!empty($a_suppress[$id]['suppresspassthru'])); + if (!empty($a_suppress[$id]['suppresspassthru'])) { $pconfig['suppresspassthru'] = base64_decode($a_suppress[$id]['suppresspassthru']); + $pconfig['suppresspassthru'] = str_replace("​", "", $pconfig['suppresspassthru']); + } if (empty($a_suppress[$id]['uuid'])) $pconfig['uuid'] = uniqid(); } @@ -107,8 +108,10 @@ if ($_POST['submit']) { $s_list['name'] = $_POST['name']; $s_list['uuid'] = uniqid(); $s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); - if ($_POST['suppresspassthru']) + if ($_POST['suppresspassthru']) { + $s_list['suppresspassthru'] = str_replace("​", "", $s_list['suppresspassthru']); $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']); + } if (isset($id) && $a_suppress[$id]) $a_suppress[$id] = $s_list; 
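Review bot: In the `$_POST['submit']` hunk of snort_interfaces_suppress_edit.php the zero-width-space removal runs against `$s_list['suppresspassthru']` before that key has been assigned, and the next line then overwrites it with the encoded `$_POST` value, so nothing is stripped on save; it should be `$s_list['suppresspassthru'] = base64_encode(str_replace("\xE2\x80\x8B", "", $_POST['suppresspassthru']));`. The literal character inside the quotes (apparently U+200B) is invisible in most editors, so writing it as the `"\xE2\x80\x8B"` escape in the load-path hunk as well, with a comment such as `/* strip zero-width spaces pasted in from browsers */`, makes the intent visible. The load-path replacement is otherwise correct.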
@@ -162,7 +165,7 @@ if ($savemsg) - - - + "filters to rules. Valid keywords are 'suppress', 'event_filter' and 'rate_filter'."); ?> - - - -
@@ -154,6 +155,7 @@ function enable_snort_vrt(btn) {
' , ''); ?> @@ -181,7 +183,7 @@ function enable_snort_vrt(btn) { - + - + + + + +   " . gettext("NEVER") . "" . gettext(" disables auto-updates."); ?>

+ " . gettext("Hint: ") . "
" . gettext("in most cases, every 12 hours is a good choice."); ?> + + + + -
+
- gettext('NEVER'), '6h_up' => gettext('6 HOURS'), '12h_up' => gettext('12 HOURS'), '1d_up' => gettext('1 DAY'), '4d_up' => gettext('4 DAYS'), '7d_up' => gettext('7 DAYS'), '28d_up' => gettext('28 DAYS')); foreach ($interfaces3 as $iface3 => $ifacename3): ?> @@ -230,21 +235,29 @@ function enable_snort_vrt(btn) { > -   

- - ','
'); ?>
>   + " . + gettext("Default") . " " . gettext("is ") . "" . gettext("00:03") . ""; ?>.

+



- :
+
 MB
@@ -258,7 +271,7 @@ function enable_snort_vrt(btn) { >

- :
@@ -314,5 +327,27 @@ function enable_snort_vrt(btn) {
+ + + -- cgit v1.2.3 From 37dffd2c06a524c120d445783bccdbf9b1119c00 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Jun 2013 18:40:40 -0400 Subject: Fix various HTML validation errors in markup. --- config/snort/snort_barnyard.php | 23 +++++++----------- config/snort/snort_blocked.php | 2 ++ config/snort/snort_define_servers.php | 2 +- config/snort/snort_interfaces.php | 6 ++--- config/snort/snort_interfaces_suppress.php | 8 +++---- config/snort/snort_list_view.php | 6 ++++- config/snort/snort_rules_flowbits.php | 38 ++++++++++++++++++++---------- config/snort/snort_rulesets.php | 7 +++--- 8 files changed, 53 insertions(+), 39 deletions(-) (limited to 'config') diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index 2773fe95..a5c1ffec 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -89,7 +89,7 @@ if ($_POST) { write_config(); /* No need to rebuild rules if just toggling Barnyard2 on or off */ - $rebuild_rules = "off"; + $rebuild_rules = false; sync_snort_package_config(); /* after click go to this page */ @@ -108,16 +108,11 @@ $pgtitle = "Snort: Interface: {$if_friendly} Barnyard2 Edit"; include_once("head.inc"); ?> - - + ' . $pgtitle . '

';}?> - - -- cgit v1.2.3 From 06b1d1718f17c915600585cb2c21c37388e338b1 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Jun 2013 18:45:18 -0400 Subject: Remove dependence on global vars and use constants instead. --- config/snort/snort_check_for_rule_updates.php | 91 +++++++++++++++++---------- config/snort/snort_download_updates.php | 15 +++-- 2 files changed, 67 insertions(+), 39 deletions(-) (limited to 'config') diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 2b60b6ce..c40d6ff4 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php 
@@ -33,13 +33,33 @@ require_once("functions.inc"); require_once("service-utils.inc"); require_once "/usr/local/pkg/snort/snort.inc"; -global $snort_gui_include, $vrt_enabled, $et_enabled, $rebuild_rules, $snort_rules_upd_log; -global $protect_preproc_rules, $is_postinstall, $snort_community_rules_filename; -global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename, $g, $pkg_interface; +global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; + + +if (!defined("VRT_DNLD_FILENAME")) + define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); +if (!defined("VRT_DNLD_URL")) + define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); +if (!defined("ET_VERSION")) + define("ET_VERSION", "2.9.0"); +if (!defined("ET_DNLD_FILENAME")) + define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +if (!defined("GPLV2_DNLD_FILENAME")) + define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); +if (!defined("GPLV2_DNLD_URL")) + define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); +if (!defined("FLOWBITS_FILENAME")) + define("FLOWBITS_FILENAME", "flowbit-required.rules"); +if (!defined("ENFORCING_RULES_FILENAME")) + define("ENFORCING_RULES_FILENAME", "snort.rules"); +if (!defined("RULES_UPD_LOGFILE")) + define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); + $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; +$snort_rules_upd_log = RULES_UPD_LOGFILE; /* Save the state of $pkg_interface so we can restore it */ $pkg_interface_orig = $pkg_interface; 
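Review bot: The nine `if (!defined(...)) define(...)` fallbacks duplicate values that snort.inc — required two lines above and, per the snort.inc hunk in this series, defining the same constants unconditionally — already provides, so they are dead in normal operation and give the `snortrules-snapshot-2946.tar.gz` filename and the download URLs a second copy that can drift from the real one. If the block exists so the script can run without snort.inc, a comment stating that (`/* Fallback values used only when snort.inc was not loaded; keep in sync with it */`) is the minimum; otherwise dropping the block and relying on the include is simpler. `$snort_rules_upd_log = RULES_UPD_LOGFILE;` next to the trimmed `global` line suggests the variable is still read elsewhere in the file; that alias can go once those readers use the constant.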
@@ -56,21 +76,23 @@ $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommuni $vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; -/* Directory where we download rule tarballs */ +/* Working directory for downloaded rules tarballs */ $tmpfname = "{$snortdir}/tmp/snort_rules_up"; -/* Snort VRT rules files and URL */ -$snort_filename_md5 = "{$snort_rules_file}.md5"; -$snort_filename = "{$snort_rules_file}"; -//$snort_rule_url = "http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/"; -/* Use current Sourcefire VRT download URL and abandon the old CGI one */ -$snort_rule_url = "https://www.snort.org/reg-rules/"; +/* Snort VRT rules filenames and URL */ +$snort_filename = VRT_DNLD_FILENAME; +$snort_filename_md5 = VRT_DNLD_FILENAME . ".md5"; +$snort_rule_url = VRT_DNLD_URL; -/* Emerging Threats rules MD5 file */ -$emergingthreats_filename_md5 = "{$emergingthreats_filename}.md5"; +/* Emerging Threats rules filenames and URL */ +$emergingthreats_filename = ET_DNLD_FILENAME; +$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; +$emerging_threats_version = ET_VERSION; -/* Snort GPLv2 Community Rules MD5 file */ -$snort_community_rules_filename_md5 = "{$snort_community_rules_filename}.md5"; +/* Snort GPLv2 Community Rules filenames and URL */ +$snort_community_rules_filename = GPLV2_DNLD_FILENAME; +$snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5"; +$snort_community_rules_url = GPLV2_DNLD_URL; /* Custom function for rules file download via URL */ function snort_download_file_url($url, $file_out) { 
@@ -80,10 +102,11 @@ function snort_download_file_url($url, $file_out) { /* by $url using the CURL library functions and */ /* saves the content to the file specified by */ /* $file. */ - /* */ + /* */ + /* It provides logging of returned CURL errors. */ /************************************************/ - global $g, $config, $pkg_interface, $last_curl_error; + global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded; /* Array of message strings for HTTP Response Codes */ $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", @@ -97,19 +120,21 @@ function snort_download_file_url($url, $file_out) { $last_curl_error = ""; - /* If not in console mode, use the built-in progress-bar function */ - if ($pkg_interface <> "console") - return download_file_with_progress_bar($url, $file_out); - - /* Otherwise, use our custom function with no output */ - /* (Note: required to suppress errors from XMLRPC) */ - $fp = fopen($file_out, "wb"); - if ($fp) { + $fout = fopen($file_out, "wb"); + if ($fout) { $ch = curl_init($url); if (!$ch) return false; - curl_setopt($ch, CURLOPT_FILE, $fp); - curl_setopt($ch, CURLOPT_HEADER, false); + curl_setopt($ch, CURLOPT_FILE, $fout); + + /* NOTE: required to suppress errors from XMLRPC due to progress bar output */ + if ($g['snort_sync_in_progress']) + curl_setopt($ch, CURLOPT_HEADER, false); + else { + curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header'); + curl_setopt($ch, CURLOPT_WRITEFUNCTION, 'read_body'); + } + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)"); /* Don't verify SSL peers since we don't have the certificates to do so. */ 
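Review bot: `$fout`, `$ch`, `$file_size` and `$downloaded` are now pulled in as globals because the `read_header`/`read_body` callbacks (not in this hunk) need the handle and the counters, which makes `snort_download_file_url()` non-reentrant and ties its correctness to state that outlives the call; if the file already relies on PHP 5.3, a closure such as `curl_setopt($ch, CURLOPT_WRITEFUNCTION, function ($ch, $data) use ($fout) { ... })` would keep that state local. Once `CURLOPT_WRITEFUNCTION` is set, libcurl no longer writes to the `CURLOPT_FILE` handle, so `read_body` must itself `fwrite($fout, ...)` — worth confirming since that function is outside the hunk. The context line that disables SSL peer verification predates this change, but with `VRT_DNLD_URL` and `GPLV2_DNLD_URL` now being https it is the one check that would make those downloads authenticated; shipping a CA bundle instead of skipping verification is a worthwhile follow-up.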
@@ -134,7 +159,7 @@ function snort_download_file_url($url, $file_out) { if (isset($http_resp_msg[$http_code])) $last_curl_error = $http_resp_msg[$http_code]; curl_close($ch); - fclose($fp); + fclose($fout); /* If we had to try more than once, log it */ if ($counter > 1) log_error(gettext("File '" . basename($file_out) . "' download attempts: {$counter} ...")); @@ -417,9 +442,9 @@ if ($emergingthreats == "on") { /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ if ($vrt_enabled == "on") - $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); + $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); else - $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); + $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); /* Test for a valid rules file download. Turn off ET update if download failed. */ if ($rc === true) { @@ -675,10 +700,10 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = /* Set the flag to force rule rebuilds since we downloaded new rules, */ /* except when in post-install mode. Post-install does its own rebuild. */ - if ($is_postinstall) - $rebuild_rules = 'off'; + if ($g['snort_postinstall']) + $rebuild_rules = false; else - $rebuild_rules = 'on'; + $rebuild_rules = true; /* Create configuration for each active Snort interface */ foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { 
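Review bot: The two rewritten ET download URLs are still plain `http://`, so the rules tarball is fetched unauthenticated and the `.md5` sidecar — presumably fetched the same way elsewhere in the file — only detects corruption, not substitution. If the ET host serves https, switching the scheme is a one-token change per line; otherwise a comment above the calls (`/* ET open rules are served over http; the md5 check only guards against truncation */`) records the limitation for the next reader. The substitution of `{$emergingthreats_filename}` for the hard-coded name is correct and matches the earlier constant hunk.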
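Review bot: `$g['snort_postinstall']` replaces the old `$is_postinstall` global in the rebuild decision, but nothing in this series sets that key; if the post-install hook has not been updated to set `$g['snort_postinstall'] = true`, the condition is always false and a rule rebuild now runs during package install in addition to post-install's own rebuild. Worth confirming against the install script, and a comment such as `/* $g['snort_postinstall'] is set by the package post-install hook */` pins where the flag comes from. The `foreach` that follows continues outside the hunk.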
@@ -708,7 +733,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = } /* Clear the rebuild rules flag. */ - $rebuild_rules = 'off'; + $rebuild_rules = false; /* remove old $tmpfname files */ if (is_dir("{$snortdir}/tmp")) { diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index c6e24532..1f87fbbc 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -36,11 +36,13 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g, $snort_rules_upd_log, $snort_rules_file, $emergingthreats_filename; - +/* Define some locally required variables from Snort constants */ $snortdir = SNORTDIR; - +$snort_rules_upd_log = RULES_UPD_LOGFILE; $log = $snort_rules_upd_log; +$snort_rules_file = VRT_DNLD_FILENAME; +$emergingthreats_filename = ET_DNLD_FILENAME; +$snort_community_rules_filename = GPLV2_DNLD_FILENAME; /* load only javascript that is needed */ $snort_load_jquery = 'yes'; @@ -133,8 +135,8 @@ h += 96;
-

+

SNORT.ORG  -->   
@@ -213,8 +215,9 @@ h += 96;

-    +   " . + gettext(" and ") . "" . gettext("EmergingThreats.net") . "" . + gettext(" will go down from time to time. Please be patient."); ?>

   @@ -170,52 +173,42 @@ if ($savemsg)

-
- - - - - -
    -    + +  
-
+ "instead."); ?>
- suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
+ suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
event_filter gen_id 1, sig_id 1851, type limit, - track by_src, count 1, seconds 60
+ track by_src, count 1, seconds 60
rate_filter gen_id 135, sig_id 1, track by_src, count 100, seconds 1, new_action log, timeout 10
  +
  - +    +
diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php index 73c9efda..ab22103e 100644 --- a/config/snort/snort_interfaces_whitelist.php +++ b/config/snort/snort_interfaces_whitelist.php @@ -160,12 +160,12 @@ if ($savemsg) print_info_box($savemsg); cellspacing="1"> -




-

+

-- cgit v1.2.3 From 4c5a6da63e0c4ee0078ff250d1799dab9e1325c8 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Jun 2013 18:47:35 -0400 Subject: Remove need for most globals, change sync to background task, fix bugs. --- config/snort/snort.inc | 459 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 305 insertions(+), 154 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 44dd133e..f1f5ad9b 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -42,14 +42,12 @@ require_once("filter.inc"); // Snort GUI needs some extra PHP memory space to manipulate large rules arrays ini_set("memory_limit", "192M"); -// Explicitly declare these as global so they work through function call includes -global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log; -global $all_rules, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall; -global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename; +// Explicitly declare this as global so it works through function call includes +global $rebuild_rules; /* package version */ -$snort_version = "2.9.4.1"; -$pfSense_snort_version = "2.5.8"; +$snort_version = "2.9.4.6"; +$pfSense_snort_version = "2.5.9"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) 
@@ -67,24 +65,20 @@ else { define("SNORTLIBDIR", "/usr/local/lib/snort"); } +/* Define some useful constants for Snort */ define("SNORTLOGDIR", "/var/log/snort"); - -/* Important file definitions */ -$snort_rules_file = "snortrules-snapshot-2941.tar.gz"; -$emerging_threats_version = "2.9.0"; -$emergingthreats_filename = "emerging.rules.tar.gz"; -$snort_community_rules_url = "https://s3.amazonaws.com/snort-org/www/rules/community/"; -$snort_community_rules_filename = "community-rules.tar.gz"; -$flowbit_rules_file = "flowbit-required.rules"; -$snort_enforcing_rules_file = "snort.rules"; -$snort_rules_upd_log = SNORTLOGDIR; -$snort_rules_upd_log .= "/snort_rules_update.log"; - -/* Rebuild Rules Flag -- if "on", rebuild enforcing rules and flowbit-rules files */ -$rebuild_rules = "off"; - -/* Post-install Flag -- normally "false" except during post-install of package */ -$is_postinstall = false; +define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); +define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); +define("ET_VERSION", "2.9.0"); +define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); +define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); +define("FLOWBITS_FILENAME", "flowbit-required.rules"); +define("ENFORCING_RULES_FILENAME", "snort.rules"); +define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); + +/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */ +$rebuild_rules = false; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); 
@@ -107,19 +101,6 @@ function snort_get_blocked_ips() { return $blocked_ips_array; } -function snort_get_rule_part($source, $beginning, $ending, $start_pos) { - - $beginning_pos = strpos($source, $beginning, $start_pos); - if (!$beginning_pos) - return false; - $middle_pos = $beginning_pos + strlen($beginning); - $source = substr($source, $middle_pos); - $ending_pos = strpos($source, $ending, 0); - if (!$ending_pos) - return false; - return substr($source, 0, $ending_pos); -} - function snort_generate_id() { global $config; @@ -136,7 +117,7 @@ function snort_generate_id() { return $snort_uuid; } -function snort_load_suppress_sigs($snortcfg) { +function snort_load_suppress_sigs($snortcfg, $track_by=false) { global $config; @@ -144,7 +125,17 @@ function snort_load_suppress_sigs($snortcfg) { /* This function loads the GEN_ID and SIG_ID for all the */ /* suppressed alert entries from the Suppression List of */ /* the passed Snort interface. The results are returned */ - /* in an array with GEN_ID and SIG_ID as the keys. */ + /* in an array with GEN_ID and SIG_ID as the primary */ + /* keys. Any "track by_src" or "track by_dst" entries */ + /* in the Suppression List are tacked on as additional */ + /* keys in the array along with the IP address in either */ + /* IPv4 or IPv6 format when $track_by is passed as true. */ + /* */ + /* Sample returned array: */ + /* $suppress[1][2069] = "suppress" */ + /* $suppress[1][2070]['by_src']['10.1.1.5'] = "suppress" */ + /* $suppress[1][2070]['by_dst']['10.1.1.6'] = "suppress" */ + /* */ /**********************************************************/ $suppress = array(); 
@@ -169,12 +160,35 @@ function snort_load_suppress_sigs($snortcfg) { // Skip any comment lines if (preg_match('/^\s*#/', $line)) continue; - if (preg_match('/gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+)/i', $line, $matches)) { + /* See if entry suppresses GID:SID for all hosts */ + if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+)\s*$/i', $line, $matches)) { $genid = $matches[1]; $sigid = $matches[2]; if (!empty($genid) && !empty($sigid)) $suppress[$genid][$sigid] = "suppress"; } + + /* Get "track by IP" entries if requested */ + if ($track_by) { + /* See if entry suppresses only by SRC or DST IPv4 address */ + if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+),\s*track\s*(by_src|by_dst),\s*ip\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/i', $line, $matches)) { + $genid = $matches[1]; + $sigid = $matches[2]; + $whichip = trim($matches[3]); + $ip = $matches[4]; + if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) + $suppress[$genid][$sigid][$whichip][$ip] = "suppress"; + } + /* See if entry suppresses only by SRC or DST IPv6 address */ + if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+),\s*track\s*(by_src|by_dst),\s*ip\s*([0-9a-f\.:]+)\s*$/i', $line, $matches)) { + $genid = $matches[1]; + $sigid = $matches[2]; + $whichip = trim($matches[3]); + $ip = trim($matches[4]); + if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) + $suppress[$genid][$sigid][$whichip][$ip] = "suppress"; + } + } } unset($tmp); } 
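Review bot: In the `$track_by` branch the IPv6 pattern `([0-9a-f\.:]+)`, evaluated with the `/i` flag, also matches every dotted IPv4 address, so the IPv4-specific `preg_match()` immediately before it is redundant and every IPv4 entry is parsed twice into the same array slot. One pattern with that capture, followed by `if (!is_ipaddr($ip)) continue;` (the helper snort_build_list() already relies on), would simplify the loop and also reject values that merely look address-like, since the current `\d{1,3}` octets accept `999.999.999.999`. None of the three patterns is anchored with `^`, which is harmless here only because comment lines are skipped a few lines earlier; a short comment saying so would stop someone "fixing" the anchor later. The enclosing function starts before this hunk.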
@@ -205,8 +219,13 @@ function snort_find_list($find_name, $type = 'whitelist') { /* func builds custom whitelists and the HOME_NET variable */ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { - global $config, $g; - global $aliastable, $filterdns; + + /***********************************************************/ + /* The default is to build a HOME_NET variable unless */ + /* '$whitelist' is set to 'true' when calling. */ + /***********************************************************/ + + global $config, $g, $aliastable, $filterdns; $home_net = array(); if ($listname == 'default' || empty($listname)) { 
@@ -233,35 +252,56 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { /********************************************************************/ /* Always put the interface running Snort in HOME_NET and whitelist */ /* unless it's the WAN. WAN options are handled further down. */ + /* If the user specifically chose not to include LOCAL_NETS in the */ + /* WHITELIST, then do not include the Snort interface subnet in the */ + /* WHITELIST. We do include the actual LAN interface IP for Snort, */ + /* though, to prevent locking out the firewall itself. */ /********************************************************************/ $snortip = get_interface_ip($snortcfg['interface']); - if (is_ipaddr($snortip)) { - if ($snortcfg['interface'] <> "wan") { - $sn = get_interface_subnet($snortcfg['interface']); - $ip = gen_subnet($snortip, $sn) . "/{$sn}"; - if (!in_array($ip, $home_net)) - $home_net[] = $ip; + if (!$whitelist || $localnet == 'yes' || empty($localnet)) { + if (is_ipaddr($snortip)) { + if ($snortcfg['interface'] <> "wan") { + $sn = get_interface_subnet($snortcfg['interface']); + $ip = gen_subnet($snortip, $sn) . "/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + } + } + else { + if (is_ipaddr($snortip)) { + if (!in_array($snortip, $home_net)) + $home_net[] = $snortip; } } + /* Handle IPv6 if available (2.1 and higher) */ if (function_exists('get_interface_ipv6')) { $snortip = get_interface_ipv6($snortcfg['interface']); - if (is_ipaddrv6($snortip)) { - if ($snortcfg['interface'] <> "wan") { - $sn = get_interface_subnetv6($snortcfg['interface']); - $ip = gen_subnetv6($snortip, $sn). "/{$sn}"; - if (!in_array($ip, $home_net)) - $home_net[] = $ip; + if (!$whitelist || $localnet == 'yes' || empty($localnet)) { + if (is_ipaddrv6($snortip)) { + if ($snortcfg['interface'] <> "wan") { + $sn = get_interface_subnetv6($snortcfg['interface']); + $ip = gen_subnetv6($snortip, $sn). 
"/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + } + } + else { + if (is_ipaddrv6($snortip)) { + if (!in_array($snortip, $home_net)) + $home_net[] = $snortip; } } } - if ($localnet == 'yes') { + if (!$whitelist || $localnet == 'yes' || empty($localnet)) { /*************************************************************************/ /* Iterate through the interface list and write out whitelist items and */ /* also compile a HOME_NET list of all the local interfaces for snort. */ /* Skip the WAN interface as we do not typically want that whole subnet */ - /* whitelisted (just the interface IP itself). */ + /* whitelisted (just the i/f IP itself which was handled earlier). */ /*************************************************************************/ $int_array = get_configured_interface_list(); foreach ($int_array as $int) { 
@@ -433,17 +473,22 @@ function snort_start($snortcfg, $if_real) { } /**************************************************************/ -/* This function sends a SIGHUP to the Snort instance on the */ -/* passed interface to cause Snort to reload and parse the */ -/* running configuration without stopping packet processing. */ -/* It also executes the reload as a background process and */ -/* returns control immediately to the caller. */ +/* This function sends the passed SIGNAL to the Snort */ +/* instance on the passed interface to cause Snort to reload */ +/* and parse the running configuration without stopping */ +/* packet processing. It also executes the reload as a */ +/* background process and returns control immediately to the */ +/* caller. */ +/* */ +/* $signal = SIGHUP (default) parses and reloads config. */ +/* SIGURG updates Host Attribute Table. */ /**************************************************************/ -function snort_reload_config($snortcfg, $if_real) { +function snort_reload_config($snortcfg, $signal="SIGHUP") { global $config, $g; $snortdir = SNORTDIR; $snort_uuid = $snortcfg['uuid']; + $if_real = snort_get_real_interface($snortcfg['interface']); /******************************************************/ /* Only send the SIGHUP if Snort is running and we */ @@ -451,7 +496,7 @@ function snort_reload_config($snortcfg, $if_real) { /******************************************************/ if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']}({$if_real})..."); - exec("/bin/pkill -SIGHUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); + exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); } } 
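Review bot: The new `$signal` parameter of snort_reload_config() is interpolated straight into the `/bin/pkill -{$signal} -F …` command string with no check, so anything a caller passes other than the two documented names ends up on a root shell command line; restrict it before use, `if (!in_array($signal, array("SIGHUP", "SIGURG"), true)) $signal = "SIGHUP";`. The second parameter also changed meaning from `$if_real` to `$signal` (the interface is now derived internally from `snort_get_real_interface()`), so a caller still passing the interface name as the second argument would hand it to pkill as an option — callers are outside this hunk, so a grep for `snort_reload_config(` is warranted. The log line still reads "RELOAD CONFIG" for both signals; adding `{$signal}` to it would make a SIGURG attribute-table refresh distinguishable from a full reload in the system log.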
@@ -539,15 +584,14 @@ function snort_post_delete_logs($snort_uuid = 0) { } function snort_postinstall() { - global $config, $g, $snort_rules_file, $emerging_threats_version; - global $snort_version, $rebuild_rules, $is_postinstall; + global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $rcdir = RCFILEPREFIX; /* Set flag for post-install in progress */ - $is_postinstall = true; + $g['snort_postinstall'] = true; /* cleanup default files */ @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); @@ -586,11 +630,13 @@ function snort_postinstall() { update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); log_error(gettext("[Snort] Downloading and updating configured rule types...")); update_output_window(gettext("Please wait... downloading and updating configured rule types...")); + if ($pkg_interface <> "console") + $snort_gui_include = true; @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); update_status(gettext("Generating snort.conf configuration file from saved settings...")); - $rebuild_rules = "on"; + $rebuild_rules = true; sync_snort_package_config(); - $rebuild_rules = "off"; + $rebuild_rules = false; update_output_window(gettext("Finished rebuilding files...")); log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); @@ -605,7 +651,7 @@ function snort_postinstall() { } /* Done with post-install, so clear flag */ - $is_postinstall = false; + unset($g['snort_postinstall']); log_error(gettext("[Snort] Package post-installation tasks completed...")); } 
@@ -779,44 +825,63 @@ function snort_rules_up_install_cron($should_install) { $x++; } $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; + + /* See if a customized start time has been set for rule file updates */ + if (!empty($config['installedpackages']['snortglobal']['rule_update_starttime'])) + $snort_rules_upd_time = $config['installedpackages']['snortglobal']['rule_update_starttime']; + else + $snort_rules_upd_time = "00:03"; + if ($snort_rules_up_info_ck == "6h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/6"; + $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2)); + $hour = intval(substr($snort_rules_upd_time, 0, 2)); + $snort_rules_up_hr = strval($hour); + for ($i=0; $i<3; $i++) { + $hour += 6; + if ($hour > 24) + $hour -= 24; + $snort_rules_up_hr .= "," . strval($hour); + } $snort_rules_up_mday = "*"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "12h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/12"; + $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2)); + $hour = intval(substr($snort_rules_upd_time, 0, 2)); + $snort_rules_up_hr = strval($hour) . 
","; + $hour += 12; + if ($hour > 24) + $hour -= 24; + $snort_rules_up_hr .= strval($hour); $snort_rules_up_mday = "*"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "1d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; + $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2)); + $snort_rules_up_hr = intval(substr($snort_rules_upd_time, 0, 2)); $snort_rules_up_mday = "*/1"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "4d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; + $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2)); + $snort_rules_up_hr = intval(substr($snort_rules_upd_time, 0, 2)); $snort_rules_up_mday = "*/4"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "7d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; + $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2)); + $snort_rules_up_hr = intval(substr($snort_rules_upd_time, 0, 2)); $snort_rules_up_mday = "*/7"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "28d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; + $snort_rules_up_min = intval(substr($snort_rules_upd_time, -2)); + $snort_rules_up_hr = intval(substr($snort_rules_upd_time, 0, 2)); $snort_rules_up_mday = "*/28"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; @@ -847,8 +912,8 @@ function snort_rules_up_install_cron($should_install) { /* Only run when all ifaces needed to sync. Expects filesystem rw */ function sync_snort_package_config() { - global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file; - global $snort_version, $rebuild_rules, $is_postinstall; + global $config, $g; + global $rebuild_rules; $snortdir = SNORTDIR; $rcdir = RCFILEPREFIX; 
@@ -890,7 +955,7 @@ function sync_snort_package_config() { configure_cron(); /* Do not attempt package sync if reinstalling package or booting */ - if (!$is_postinstall && !$g['booting']) + if (!$g['snort_postinstall'] && !$g['booting']) snort_sync_on_changes(); conf_mount_ro(); @@ -1372,7 +1437,7 @@ function snort_get_set_flowbits($rules_map) { return $set_flowbits; } -function snort_find_flowbit_required_rules($all_rules, $unchecked_flowbits) { +function snort_find_flowbit_required_rules($rules, $unchecked_flowbits) { /********************************************************/ /* This function finds all rules that must be enabled */ @@ -1382,7 +1447,7 @@ function snort_find_flowbit_required_rules($all_rules, $unchecked_flowbits) { /********************************************************/ $required_flowbits_rules = array(); - foreach ($all_rules as $k1 => $rule) { + foreach ($rules as $k1 => $rule) { if (!is_array($rule)) continue; foreach ($rule as $k2 => $rule2) { @@ -1420,7 +1485,7 @@ function snort_find_flowbit_required_rules($all_rules, $unchecked_flowbits) { return $required_flowbits_rules; } -function snort_resolve_flowbits($active_rules) { +function snort_resolve_flowbits($rules, $active_rules) { /******************************************************/ /* This function auto-resolves flowbit requirements */ 
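Review bot: `!$g['snort_postinstall']` in sync_snort_package_config() reads a key that snort_postinstall() sets with `$g['snort_postinstall'] = true` and later removes with `unset()`, so on every ordinary sync (the common path) the index does not exist and PHP emits an undefined-index notice; write the test as `if (empty($g['snort_postinstall']) && !$g['booting'])`. Because the flag lives in the `$g` array that pfSense itself owns, a one-line comment at the assignment explaining why `$g` was chosen over a package-scoped global would help the next maintainer avoid a name collision.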
@@ -1435,16 +1500,14 @@ function snort_resolve_flowbits($active_rules) { /* interface to resolve flowbit */ /* dependencies for. */ /* */ - /* NOTE: this function assumes the global variable */ - /* $all_rules is populated with all the rules */ - /* currently downloaded. */ + /* $rules --> Rules Map array containing */ + /* all the available rules. */ /******************************************************/ - global $all_rules; $snortdir = SNORTDIR; /* Check $all_rules array to be sure it is filled. */ - if (empty($all_rules)) { + if (empty($rules)) { log_error(gettext("[Snort] WARNING: Flowbit resolution not done - no rules in {$snortdir}/rules/ ...")); return array(); } @@ -1463,7 +1526,7 @@ function snort_resolve_flowbits($active_rules) { /* Now find all the needed "set flowbit" rules from */ /* the master list of all rules. */ - $required_rules = snort_find_flowbit_required_rules($all_rules, $delta_flowbits); + $required_rules = snort_find_flowbit_required_rules($rules, $delta_flowbits); /* Cleanup and release memory we no longer need. */ unset($delta_flowbits); @@ -1477,9 +1540,16 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { /* This function takes an array of rules in the */ /* rules_map format and writes them to the file */ /* given. */ + /* */ + /* $flowbit_rules --> array of flowbit-required */ + /* rules. */ + /* */ + /* $rule_file --> filename to write the */ + /* flowbit-required rules */ + /* to. */ /************************************************/ - global $flowbit_rules_file; + $flowbit_rules_file = FLOWBITS_FILENAME; /* See if we were passed a directory or full */ /* filename to write the rules to, and adjust */ 
@@ -1511,39 +1581,37 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { } } -function snort_load_vrt_policy($policy, $load_rules_map=true) { +function snort_load_vrt_policy($policy, $all_rules=null) { /************************************************/ /* This function returns an array of all rules */ /* marked with the passed in $policy metadata. */ /* */ - /* $policy --> desired VRT security policy */ - /* 1. connectivity */ - /* 2. balanced */ - /* 3. security */ + /* $policy --> desired VRT security policy */ + /* 1. connectivity */ + /* 2. balanced */ + /* 3. security */ /* */ - /* $load_rules --> load a local copy of all */ - /* the rules if true. If */ - /* false, assume the global */ - /* $all_rules array is valid. */ + /* $all_rules --> optional Rules Map array of */ + /* rules to scan for policy. */ + /* If not provided, then an */ + /* array will be created. */ /************************************************/ - global $all_rules; $snortdir = SNORTDIR; $vrt_policy_rules = array(); - /* Refresh the map of all the rules if flag */ - /* is set. */ - if ($load_rules_map) { + /* Load a map of all the VRT rules if we were */ + /* not passed a pre-loaded one to use. */ + if (is_null($all_rules)) { /* Since only Snort VRT rules have IPS Policy metadata, */ /* limit our search to just those files. */ $snort_vrt_files = glob("{$snortdir}/rules/snort_*.rules"); - $all_rules = array(); $all_rules = snort_load_rules_map($snort_vrt_files); } - /* Now walk the rules list and find all those that are defined */ - /* defined as active for the chosen security policy. */ + /* Now walk the rules list and find all those that are */ + /* defined as active for the chosen security policy. */ foreach ($all_rules as $k1 => $arulem) { foreach ($arulem as $k2 => $arulem2) { if (strripos($arulem2['rule'], "policy {$policy}-ips") !== false) { 
@@ -1567,11 +1635,6 @@ function snort_load_vrt_policy($policy, $load_rules_map=true) { /* Release memory we no longer need. */ unset($arulem, $arulem2); - /* If we loaded the ALL_RULES map, */ - /* then release the global memory. */ - if ($load_rules_map == true) - unset($GLOBALS['all_rules']); - /* Return all the rules that match the policy. */ return $vrt_policy_rules; } @@ -1582,11 +1645,15 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { /* This function takes a rules map array of */ /* the rules chosen for the active rule set */ /* and writes them out to the passed path. */ + /* */ + /* $rule_map --> Rules Map array of rules to */ + /* write to disk. */ + /* */ + /* $rule_path --> filename or directory where */ + /* rules file will be written. */ /************************************************/ - global $snort_enforcing_rules_file; - - $rule_file = "/{$snort_enforcing_rules_file}"; + $rule_file = "/" . ENFORCING_RULES_FILENAME; /* See if we were passed a directory or full */ /* filename to write the rules to, and adjust */ @@ -1968,12 +2035,13 @@ EOD; function snort_deinstall() { - global $config, $g, $snort_rules_upd_log; + global $config, $g; $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; $rcdir = RCFILEPREFIX; + $snort_rules_upd_log = RULES_UPD_LOGFILE; log_error(gettext("[Snort] Snort package uninstall in progress...")); 
@@ -2060,13 +2128,28 @@ function snort_deinstall() { function snort_prepare_rule_files($snortcfg, $snortcfgdir) { - global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules, $all_rules; + /***********************************************************/ + /* This function builds a new set of enforcing rules for */ + /* Snort and writes them to disk. */ + /* */ + /* $snortcfg --> pointer to applicable section of */ + /* config.xml containing settings for */ + /* the interface. */ + /* */ + /* $snortcfgdir --> pointer to physical directory on */ + /* disk where Snort configuration is */ + /* to be written. */ + /***********************************************************/ + + global $rebuild_rules; $snortdir = SNORTDIR; + $flowbit_rules_file = FLOWBITS_FILENAME; + $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; $no_rules_defined = true; /* If there is no reason to rebuild the rules, exit to save time. */ - if ($rebuild_rules == "off") + if (!$rebuild_rules) return; /* Log a message for rules rebuild in progress */ @@ -2076,10 +2159,10 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') { $enabled_rules = array(); $enabled_files = array(); + $all_rules = array(); $no_rules_defined = false; /* Load up all the rules into a Rules Map array. */ - $all_rules = array(); $all_rules = snort_load_rules_map("{$snortdir}/rules/"); /* Create an array with the filenames of the enabled */ 
@@ -2119,7 +2202,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Check if a pre-defined Snort VRT policy is selected. If so, */ /* add all the VRT policy rules to our enforcing rule set. */ if (!empty($snortcfg['ips_policy'])) { - $policy_rules = snort_load_vrt_policy($snortcfg['ips_policy'], false); + $policy_rules = snort_load_vrt_policy($snortcfg['ips_policy'], $all_rules); foreach ($policy_rules as $k1 => $policy) { foreach ($policy as $k2 => $p) { if (!is_array($enabled_rules[$k1])) @@ -2151,7 +2234,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */ if ($snortcfg['autoflowbitrules'] == 'on') { log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); - $fbits = snort_resolve_flowbits($enabled_rules); + $fbits = snort_resolve_flowbits($all_rules, $enabled_rules); /* Check for and disable any flowbit-required rules dependent upon */ /* disabled preprocessors if this option is enabled for the interface. */ @@ -2164,8 +2247,6 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { } else /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); - - unset($GLOBALS['all_rules']); } else { snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); 
@@ -2197,10 +2278,16 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa /* non-enabled preprocessors are disabled to stop */ /* start-up errors from unknown rule options. */ /* */ - /* $snortcfg -> config parameters array for */ - /* the interface */ - /* $active_rules -> rules_map array of enabled */ - /* rules for the interface */ + /* $snortcfg --> config parameters array for */ + /* the interface. */ + /* */ + /* $active_rules --> rules_map array of enabled */ + /* rules for the interface. */ + /* */ + /* $persist_log --> flag indicating if new log */ + /* file should be created or */ + /* the existing one appended */ + /* to. */ /* */ /* NOTE: This feature must be enabled in the GUI */ /* by the user. Use of this feature can */ @@ -2350,11 +2437,13 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa function snort_generate_conf($snortcfg) { - global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules; + global $config, $g, $rebuild_rules; $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; + $flowbit_rules_file = FLOWBITS_FILENAME; + $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; @@ -2432,7 +2521,7 @@ function snort_generate_conf($snortcfg) { $pfkill = ""; if ($snortcfg['blockoffenderskill'] == "on") $pfkill = "kill"; - $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname']); + $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); /* write whitelist */ @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; 
@@ -2878,6 +2967,15 @@ EOD; if ($snortcfg['cksumcheck'] == 'on') $cksumcheck = "none"; + /* Pull in user-configurable detection config options */ + $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; + if ($snortcfg['fpm_split_any_any'] == "on") + $cfg_detect_settings .= " split-any-any"; + if ($snortcfg['fpm_search_optimize'] == "on") + $cfg_detect_settings .= " search-optimize"; + if ($snortcfg['fpm_no_stream_inserts'] == "on") + $cfg_detect_settings .= " no_stream_inserts"; + /* Pull in user-configurable options for Frag3 preprocessor settings */ $frag3_disabled = ""; if ($snortcfg['frag3_detection'] == "off") @@ -2901,6 +2999,13 @@ EOD; if (!empty($snortcfg['frag3_policy'])) $frag3_policy = "policy {$snortcfg['frag3_policy']}"; + /* Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs */ + $paf_max_pdu_config = "config paf_max: "; + if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == "0") + $paf_max_pdu_config .= "0"; + else + $paf_max_pdu_config .= $snortcfg['max_paf']; + /* Pull in user-configurable options for Stream5 preprocessor settings */ $stream5_reassembly = ""; if ($snortcfg['stream5_reassembly'] == "off") 
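Review bot: `$paf_max_pdu_config .= $snortcfg['max_paf'];` in the second hunk copies the stored value into snort.conf verbatim, so any non-numeric text that reaches config.xml (a hand-edited config, a sync from a peer, a GUI validation gap) becomes a malformed `config paf_max:` directive and Snort fails to start; cast it, `$paf_max_pdu_config .= intval($snortcfg['max_paf']);`, and the same `intval()` would suit the other numeric preprocessor settings this function interpolates. The detection-engine options in the first hunk are assembled only from fixed tokens gated by `== "on"` checks, which is fine as written. snort_generate_conf() begins and ends outside these hunks.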
@@ -2948,7 +3053,19 @@ EOD; if (!empty($snortcfg['stream5_icmp_timeout'])) $stream5_icmp_timeout = "timeout {$snortcfg['stream5_icmp_timeout']}"; - /* build snort configuration file */ + /* Check for and configure Host Attribute Table if enabled */ + $host_attrib_config = ""; + if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { + file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); + $host_attrib_config = "# Host Attribute Table #\n"; + $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; + if (!empty($snortcfg['max_attribute_hosts'])) + $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; + if (!empty($snortcfg['max_attribute_services_per_host'])) + $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; + } + + /* Finally, build the Snort configuration file */ $snort_conf_text = << EOD; + /* First, have the target host write the commands to a PHP file in the /tmp directory */ + $execcmd = "file_put_contents('/tmp/snort_sync_cmds.php', '{$snort_sync_cmd}');"; + /* assemble xmlrpc payload */ $method = 'pfsense.exec_php'; $params = array( @@ -3221,7 +3351,7 @@ EOD; XML_RPC_encode($execcmd) ); - log_error("[snort] Snort XMLRPC sending reload configuration cmd to {$url}:{$port}."); + log_error("[snort] Snort XMLRPC sending reload configuration cmd set as a file to {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); 
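Review bot: The Host Attribute Table block writes `base64_decode($snortcfg['host_attribute_data'])` to `{$snortcfgdir}/host_attributes` without checking either the decode or the `file_put_contents()` result, yet unconditionally emits the `attribute_table filename …` directive — if the write fails (read-only filesystem, full disk) or the stored blob is not valid base64, Snort is pointed at a missing or corrupt table and refuses to start. Decode strictly, check the write, and only emit the directive on success, logging otherwise; the two `max_attribute_*` values should also be cast with `intval()` before being interpolated into `config max_attribute_hosts:` and `config max_attribute_services_per_host:`. The trailing context of this hunk is garbled in this view, and snort_generate_conf() begins and ends outside it.
```php
$host_attrib_config = "";
if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) {
    $hat_data = base64_decode($snortcfg['host_attribute_data'], true);
    if ($hat_data === false || file_put_contents("{$snortcfgdir}/host_attributes", $hat_data) === false) {
        log_error("[Snort] WARNING: could not write Host Attribute Table for {$snortcfg['descr']}; attribute_table directive omitted.");
    } else {
        $host_attrib_config = "# Host Attribute Table #\n";
        $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n";
        if (!empty($snortcfg['max_attribute_hosts']))
            $host_attrib_config .= "config max_attribute_hosts: " . intval($snortcfg['max_attribute_hosts']) . "\n";
        // … unchanged: max_attribute_services_per_host directive, same intval() cast …
    }
}
```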
@@ -3237,6 +3367,27 @@ EOD; } else { log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php)."); } + + /* Now assemble a command to execute the previously sent PHP file in the background */ + $execcmd = "exec(\"/usr/local/bin/php -f '/tmp/snort_sync_cmds.php' > /dev/null 2>&1 &\");"; + $params2 = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + log_error("[snort] Snort XMLRPC sending {$url}:{$port} cmd to execute configuration reload."); + $msg2 = new XML_RPC_Message($method, $params2); + $resp = $cli->send($msg2, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "snort Settings Sync", ""); + } else { + log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php)."); + } } ?> -- cgit v1.2.3 From 8c5840439b815474d2a39434147b7892590198f3 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Jun 2013 18:48:40 -0400 Subject: Update package to 2.5.9 and binary to 2.9.4.6 --- config/snort/snort.xml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 1066b75c..ed731f74 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ Describe your package requirements here Currently there are no FAQ items provided. Snort - 2.9.4.1 - Services:2.9.4.1 pkg v. 2.5.8 + 2.9.4.6 + Services:2.9.4.6 pkg v. 2.5.9 /usr/local/pkg/snort/snort.inc Snort 
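Review bot: The second XML-RPC call added here makes the peer run `php -f '/tmp/snort_sync_cmds.php'` even when the first call that was supposed to write that file failed — the `!$resp` and `faultCode()` branches just above only log and fall through — so after a failed write the peer executes whatever happens to be sitting at that fixed path; add `return;` to both error branches (or set a flag and test it before the second `send()`). A fixed, predictable filename in the world-writable `/tmp` is itself the problem: any local user on the peer can pre-create or swap `/tmp/snort_sync_cmds.php` between the write and the exec and have their code run with the web server's privileges, and the payload is embedded in single quotes (`'{$snort_sync_cmd}'`, built in an earlier hunk) so a quote in the command text breaks or alters the generated script. Writing the script into a non-world-writable package directory with mode 0600, removing it at the end of the script, and building it with `var_export()` or `addslashes()` rather than raw interpolation would close both gaps. The second call also sends the password a second time, which is expected for `pfsense.exec_php` but worth a comment so it is not mistaken for a copy-paste slip.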
@@ -183,6 +183,11 @@ 077 http://www.pfsense.com/packages/config/snort/snort_rules_flowbits.php + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_edit_hat_data.php + -- cgit v1.2.3