From d3635ba6e576bac2d6d4fee57a0734d1db2903da Mon Sep 17 00:00:00 2001 From: robiscool Date: Fri, 23 Apr 2010 01:34:48 -0700 Subject: snort, add whightlist.php, add options for homenet, externalnet, and whitelist, misc --- config/snort/NOTES.txt | 13 +- config/snort/snort.inc | 669 +++++++++++++++++------ config/snort/snort.xml | 15 +- config/snort/snort_alerts.php | 24 +- config/snort/snort_barnyard.php | 9 +- config/snort/snort_blocked.php | 4 +- config/snort/snort_check_for_rule_updates.php | 1 - config/snort/snort_define_servers.php | 9 +- config/snort/snort_download_rules.php | 8 +- config/snort/snort_help_info.php | 4 +- config/snort/snort_interfaces.php | 8 +- config/snort/snort_interfaces_edit.php | 106 +++- config/snort/snort_interfaces_global.php | 4 +- config/snort/snort_interfaces_whitelist.php | 179 ++++++ config/snort/snort_interfaces_whitelist_edit.php | 449 +++++++++++++++ config/snort/snort_preprocessors.php | 9 +- config/snort/snort_rules_edit.php | 4 +- config/snort/snort_rulesets.php | 2 - config/snort/snort_whitelist.xml | 117 ---- 19 files changed, 1302 insertions(+), 332 deletions(-) create mode 100644 config/snort/snort_interfaces_whitelist.php create mode 100644 config/snort/snort_interfaces_whitelist_edit.php delete mode 100644 config/snort/snort_whitelist.xml (limited to 'config') diff --git a/config/snort/NOTES.txt b/config/snort/NOTES.txt index 0bfae161..39d93061 100644 --- a/config/snort/NOTES.txt +++ b/config/snort/NOTES.txt @@ -1,14 +1,15 @@ March 26 2019 -Snort-dev 2.8.5.3 pk v. 18 final +Snort-dev 2.8.5.3 pk v. 22 final -Final day. - -Odds and ends left. - -Pierre POMES code needs to be added. +TODO: +Create Threshold GUI +Pf snort block table should survive reboots. Dont know how Im going to do this. +Create Upload GUI. Use Pierre POMES code. +Use Chroot for snort. +Add log rotation and log dir size display Threshold tab needs to be added. diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 104c1a5a..e6b2fa5c 100644 
--- a/config/snort/snort.inc +++ b/config/snort/snort.inc 
@@ -48,6 +48,131 @@ if ($pfsense_ver_chk == '1.2.3-RELEASE') /* tell me my theme */ $pfsense_theme_is = $config['theme']; +/* func builds custom whitelests */ +function find_whitelist_key($find_wlist_number) { + global $config, $g; + + $whitelist_array = $config['installedpackages']['snortglobal']['whitelist']['item']; + $w_key = -1; + + foreach ($whitelist_array as $value) { + $w_key += 1; + if ($config['installedpackages']['snortglobal']['whitelist']['item'][$w_key]['uuid'] == $find_wlist_number) { + return $w_key; + } + } +} + +/* func builds custom whitelests */ +function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $userwips) { +global $config, $g; + + /* build an interface array list */ + $int_array = array('lan'); + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + if(isset($config['interfaces']['opt' . $j]['enable'])) + if(!$config['interfaces']['opt' . $j]['gateway']) + $int_array[] = "opt{$j}"; + + /* iterate through interface list and write out whitelist items + * and also compile a home_net list for snort. 
+ */ + foreach($int_array as $int) { + /* calculate interface subnet information */ + $ifcfg = &$config['interfaces'][$int]; + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + $subnetmask = gen_subnet_mask($ifcfg['subnet']); + if($subnet == "pppoe" or $subnet == "dhcp") { + $subnet = find_interface_ip("ng0"); + if($subnet) + $home_net .= "{$subnet} "; + } else { + if ($subnet) + if($ifcfg['subnet']) + $home_net .= "{$subnet}/{$ifcfg['subnet']} "; + } + } + + if($wanip == 'yes') { + /* add all WAN ips to the whitelist */ + $wan_if = get_real_wan_interface(); + $ip = find_interface_ip($wan_if); + if($ip) + $home_net .= "{$ip} "; + } + + if($wangw == 'yes') { + /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ + $int = convert_friendly_interface_to_real_interface_name2("WAN"); + $gw = get_interface_gateway($int); + if($gw) + $home_net .= "{$gw} "; + } + + if($wandns == 'yes') { + /* Add DNS server for WAN interface to whitelist */ + $dns_servers = get_dns_servers(); + foreach($dns_servers as $dns) { + if($dns) + $home_net .= "{$dns} "; + } + } + + /* Add loopback to whitelist (ftphelper) */ + $home_net .= "127.0.0.1"; + + if($vips == 'yes') { + /* iterate all vips and add to whitelist */ + if($config['virtualip']) + foreach($config['virtualip']['vip'] as $vip) + if($vip['subnet']) + $home_net .= $vip['subnet'] . 
" "; + } + + /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ + if($vpns == 'yes') + { + if ($pfsense_stable == 'yes') // chk what pfsense version were on + { + $vpns_list = get_vpns_list(); + } + + if ($pfsense_stable == 'no') // chk what pfsense version were on + { + $vpns_list = filter_get_vpns_list(); + } + + $home_net .= "$vpns_list "; + } + + /* never ever compair numbers to words */ + if($userwips > -1) + { + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + + $home_net .= $config['installedpackages']['snortglobal']['whitelist']['item'][$userwips]['address']; + } + + /* this foe whitelistfile, convert spaces to carriage returns */ + $whitelist_home_net = str_replace(" ", " ", $home_net); + $whitelist_home_net = str_replace(" ", "\n", $home_net); + + /* this is for snort.conf */ + $home_net = trim($home_net); + $home_net = str_replace(" ", ",", $home_net); + $home_net = "[{$home_net}]"; + + if($build_netlist == 'netlist') { + return $home_net; + } + + if($build_netlist == 'whitelist') { + return $whitelist_home_net; + } +} + + /* checks to see if snort is running yes/no and stop/start */ function Running_Ck($snort_uuid, $if_real, $id) { global $config; @@ -113,6 +238,9 @@ $pfsense_theme_is = $config['theme']; function Running_Stop($snort_uuid, $if_real, $id) { global $config; + /* if snort.sh crashed this will remove the pid */ + exec('/bin/rm /tmp/snort.sh.pid'); + $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}{$if_real}\" | awk '{print \$1;}'"); $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); 
@@ -155,17 +283,20 @@ $pfsense_theme_is = $config['theme']; function Running_Start($snort_uuid, $if_real, $id) { global $config; + + /* if snort.sh crashed this will remove the pid */ + exec('/bin/rm /tmp/snort.sh.pid'); $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; if ($snort_info_chk == 'on') { - exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}{$if_real}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}{$if_real}\" -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); } /* define snortbarnyardlog_chk */ /* top will have trouble if the uuid is to far back */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '' && $snort_info_chk == 'on') { - exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"); + exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"); } /* Log Iface stop */ 
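Review bot: Both exec() calls in Running_Start that launch snort and barnyard2 (the lines gaining `--pid-path /var/log/snort/run`) discard the exit status, so a start that fails, for example because the generated snort.conf is unparsable, leaves no trace in the system log. Capture it with `exec($cmd, $out, $rc); if ($rc != 0) log_error("snort failed to start on {$if_real}: " . implode(' ', $out));`, and since the daemons now write pid files under /var/log/snort/run, those could drive a reliable stop instead of the top/grep matching. The unconditional `rm /tmp/snort.sh.pid` added here also deletes the pid file of a healthy, still-running snort.sh, not just a crashed one, and should be guarded by a liveness check of the stored pid.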
@@ -203,36 +334,138 @@ ini_set('max_input_time', '9999'); /* define oinkid */ if($config['installedpackages']['snortglobal']) $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; + -function snort_postinstall() +/* +this code block is for deleteing logs while keeping the newest file, +snort is linked to these files while running, do not take the easy way out +by touch and rm, snort will lose sync and not log. + +this code needs to be watched. +*/ + +/* list dir files */ +function snort_file_list($snort_log_dir, $snort_log_file) { - global $config; - conf_mount_rw(); + $dir = opendir ("$snort_log_dir"); + while (false !== ($file = readdir($dir))) { + if (strpos($file, "$snort_log_file",1) ) { + $file_list[] = $file; + } + } + return $file_list; +} - if(!file_exists('/var/log/snort/')) { - mwexec('mkdir -p /var/log/snort/'); - mwexec('mkdir -p /var/log/snort/barnyard2'); - } +/* snort dir files */ +function snort_file_sort($snort_file1, $snort_file2) +{ + if ($snort_file1 == $snort_file2) { + return 0; + } + return ($snort_file1 < $snort_file2); // ? 
-1 : 1; // this flips the array +} - if(!file_exists('/var/log/snort/alert')) { - touch('/var/log/snort/alert'); - }else{ - exec('/bin/rm -rf /var/log/snort/*'); - touch('/var/log/snort/alert'); - } - +/* build files newest first array */ +function snort_build_order($snort_list) +{ + foreach ($snort_list as $value_list) { + $list_order[] = $value_list; + } + return $list_order; +} + +/* keep the newest remove the rest */ +function snort_remove_files($snort_list_rm, $snort_file_safe) +{ + foreach ($snort_list_rm as $value_list) + { + if ($value_list != $snort_file_safe) { + exec("/bin/rm /var/log/snort/$value_list"); + }else{ + exec("/bin/echo '' > /var/log/snort/$snort_file_safe"); + } + } +} + +function post_delete_logs() +{ + global $config, $g; + + + $snort_log_dir = '/var/log/snort'; + + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + { + + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) + { + + if ($id == '') { + $id = 0; + } + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + + if ($if_real != '' && $snort_uuid != '') + { + if ($config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog'] == 'on') + { + $snort_log_file_u2 = "{$snort_uuid}_{$if_real}.u2."; + $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2); + if (is_array($snort_list_u2)) { + usort($snort_list_u2, "snort_file_sort"); + $snort_u2_rm_list = snort_build_order($snort_list_u2); + snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]); + } + }else{ + exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.u2*"); + } + + if ($config['installedpackages']['snortglobal']['rule'][$id]['tcpdumplog'] == 'on') + { + 
$snort_log_file_tcpd = "{$snort_uuid}_{$if_real}.tcpdump."; + $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd); + if (is_array($snort_list_tcpd)) { + usort($snort_list_tcpd, "snort_file_sort"); + $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd); + snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]); + } + }else{ + exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.tcpdump*"); + } + + /* create barnyard2 configuration file */ + //if ($config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'] == 'on') + //create_barnyard2_conf($id, $if_real, $snort_uuid); + + if ($config['installedpackages']['snortglobal']['rule'][$id]['perform_stat'] == on) + { + exec("/bin/echo '' > /var/log/snort/snort_{$snort_uuid}_{$if_real}.stats"); + } + } + } + } +} + +function snort_postinstall() +{ + global $config; + conf_mount_rw(); + /* snort -> advanced features */ $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; - - /* create a few directories and ensure the sample files are in place */ - exec('/bin/mkdir -p /usr/local/etc/snort'); - exec('/bin/mkdir -p /var/log/snort'); - exec('/bin/mkdir -p /usr/local/etc/snort/rules'); - + /* cleanup default files */ if(file_exists('/usr/local/etc/snort/snort.conf-sample')) { exec('/bin/rm /usr/local/etc/snort/snort.conf-sample'); 
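Review bot: snort_file_sort returns the boolean `($snort_file1 < $snort_file2)`, but usort() expects a negative/zero/positive integer; a comparator that never yields -1 gives usort an inconsistent ordering, and because snort_remove_files keeps only `$list[0]` as the "newest" file, the wrong unified2 or tcpdump file can be kept and the one Snort is actively writing deleted. Use a real three-way comparison, `return strcmp($snort_file2, $snort_file1);` (descending, which preserves the newest-first intent for the timestamp-suffixed names). In snort_remove_files the readdir()-derived names are interpolated unquoted into `exec("/bin/rm ...")`; `unlink("/var/log/snort/{$value_list}")` avoids the shell entirely. `['perform_stat'] == on` compares against the bare constant `on`, a notice here and a fatal error in later PHP, and should be `'on'`; snort_file_list should also `closedir($dir)` before returning.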
@@ -248,31 +481,80 @@ function snort_postinstall() exec('/bin/rm /usr/local/etc/rc.d/bardyard2'); } - if(!file_exists('/usr/local/etc/snort/custom_rules')) + /* remove example files */ + if(file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) { - exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules/'); + exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); } + if(file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) + { + exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + } + + /* add snort user and group note: 920 keep the numbers < 2000, above this is reserved in pfSense 2.0 */ exec('/usr/sbin/pw groupadd snort -g 920'); exec('/usr/sbin/pw useradd snort -u 920 -c "Snort User" -d /nonexistent -g snort -s /sbin/nologin'); - exec('/usr/sbin/chown -R snort:snort /var/log/snort'); - exec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort'); - exec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort'); - exec('/bin/chmod -R 755 /var/log/snort'); - exec('/bin/chmod -R 755 /usr/local/etc/snort'); - exec('/bin/chmod -R 755 /usr/local/lib/snort'); + + + /* create a few directories and ensure the sample files are in place */ + if(!file_exists('/usr/local/etc/snort')) + { + exec('/bin/mkdir -p /usr/local/etc/snort'); + } + + if(!file_exists('/usr/local/etc/snort/custom_rules')) + { + exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules/'); + } + if(!file_exists('/usr/local/etc/snort/whitelist')) + { + exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); + } - /* remove example files */ - if(file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) + if(!file_exists('/var/log/snort/run')) { - exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); + exec('/bin/mkdir -p /var/log/snort/run'); } - if(file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) + 
if(!file_exists('/var/log/snort/barnyard2')) { - exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + exec('/bin/mkdir -p /var/log/snort/barnyard2/'); + } + + if(!file_exists('/var/db/whitelist')) + { + touch('/var/db/whitelist'); + } + + /* if users have old log files delete them */ + if(!file_exists('/var/log/snort/alert')) { + touch('/var/log/snort/alert'); + }else{ + exec('/bin/rm -rf /var/log/snort/*'); + touch('/var/log/snort/alert'); } + + /* important */ + exec('/usr/sbin/chown -R snort:snort /var/log/snort'); + exec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort'); + exec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort'); + exec('/usr/sbin/chown snort:snort /tmp/snort*'); + exec('/usr/sbin/chown snort:snort /var/db/whitelist'); + exec('/bin/chmod 660 /var/log/snort/alert'); + exec('/bin/chmod 660 /var/db/whitelist'); + exec('/bin/chmod -R 660 /usr/local/etc/snort/*'); + exec('/bin/chmod -R 660 /tmp/snort*'); + exec('/bin/chmod -R 660 /var/run/snort*'); + exec('/bin/chmod -R 660 /var/snort/run/*'); + exec('/bin/chmod 770 /usr/local/lib/snort'); + exec('/bin/chmod 770 /usr/local/etc/snort'); + exec('/bin/chmod 770 /usr/local/etc/whitelist'); + exec('/bin/chmod 770 /var/log/snort'); + exec('/bin/chmod 770 /var/log/snort/run'); + exec('/bin/chmod 770 /var/log/snort/barnyard2'); + /* find out if were in 1.2.3-RELEASE */ $pfsense_ver_chk = exec('/bin/cat /etc/version'); 
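Review bot: `exec('/bin/chmod -R 660 /usr/local/etc/snort/*');` recursively strips the execute bit from every subdirectory (rules, custom_rules, whitelist, the per-interface snort_<uuid>_<if> dirs), and the following `chmod 770` lines only restore the top-level directory, so the snort user cannot traverse into its own rule and configuration directories. Apply modes to files and directories separately, e.g. `exec('/usr/bin/find /usr/local/etc/snort -type f -exec chmod 660 {} +'); exec('/usr/bin/find /usr/local/etc/snort -type d -exec chmod 770 {} +');`. Two paths look mistyped: `/usr/local/etc/whitelist` (the directory created above is /usr/local/etc/snort/whitelist) and `/var/snort/run/*` (everywhere else it is /var/log/snort/run). Separately, `chown -R snort:snort` over /usr/local/etc/snort and /usr/local/lib/snort makes snort.conf and the dynamic preprocessor/rule shared objects writable by the unprivileged snort user; Snort reads its config and loads those .so files while still root before dropping to `-u snort`, so a compromised sniffer process could plant code that runs as root on the next restart — keep those trees root-owned with group read for snort (`chown -R root:snort`, files 640, directories 750).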
@@ -318,20 +600,19 @@ function snort_postinstall() }else{ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.0.x86/barnyard2'); } - exec('/bin/chmod 077 /usr/local/bin/barnyard2'); + exec('/bin/chmod 755 /usr/local/bin/barnyard2'); /* back to default */ chdir ("/root/"); - /* make sure snort-pld is deinstalled */ + /* make sure snort-old is deinstalled */ /* remove when snort-old is removed */ unset($config['installedpackages']['snort']); unset($config['installedpackages']['snortdefservers']); unset($config['installedpackages']['snortwhitelist']); unset($config['installedpackages']['snortthreshold']); unset($config['installedpackages']['snortadvanced']); - write_config(); - conf_mount_rw(); + write_config(); conf_mount_ro(); 
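Review bot: The barnyard2 binary is still downloaded with `/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.0.x86/barnyard2` over cleartext HTTP with no integrity check, and the corrected `chmod 755` then makes it executable for a daemon that is started as root; anyone on the path to pfsense.com can substitute the binary. Fetch it over HTTPS and verify a published digest before the chmod, and skip the chmod (and log_error) when verification fails; even the `.md5` sidecar scheme the rule updater already uses (`pfsense_rules.tar.gz.md5`) would be an improvement, though a SHA-256 digest is the appropriate bar for an executable. Moving `write_config()` after the unset() calls and dropping the stray `conf_mount_rw()` is fine, but the function's start lies outside this hunk.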
@@ -629,18 +910,45 @@ function sync_snort_package() conf_mount_rw(); /* all new files are for the user snort nologin */ - if(!file_exists("/var/log/snort")) + if(!file_exists('/var/log/snort')) { - exec("/bin/mkdir -p /var/log/snort"); + exec('/bin/mkdir -p /var/log/snort'); } - exec("/usr/sbin/chown -R snort:snort /var/log/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); - exec("/bin/chmod -R 755 /var/log/snort"); - exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); - + if(!file_exists('/var/log/snort/run')) + { + exec('/bin/mkdir -p /var/log/snort/run'); + } + + if(!file_exists('/var/log/snort/barnyard2')) + { + exec('/bin/mkdir -p /var/log/snort/barnyard2'); + } + + /* all new files are for the user snort nologin */ + if(!file_exists('/var/log/snort/alert')) + { + exec('/usr/bin/touch /var/log/snort/alert'); + } + + /* important */ + exec('/usr/sbin/chown -R snort:snort /var/log/snort'); + exec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort'); + exec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort'); + exec('/usr/sbin/chown snort:snort /tmp/snort*'); + exec('/usr/sbin/chown snort:snort /var/db/whitelist'); + exec('/bin/chmod 770 /usr/local/lib/snort'); + exec('/bin/chmod 770 /var/log/snort'); + exec('/bin/chmod 770 /var/log/snort/run'); + exec('/bin/chmod 770 /var/log/snort/barnyard2'); + exec('/bin/chmod 660 /var/log/snort/alert'); + exec('/bin/chmod 660 /var/db/whitelist'); + exec('/bin/chmod -R 660 /usr/local/etc/snort/*'); + exec('/bin/chmod -R 660 /tmp/snort*'); + exec('/bin/chmod -R 660 /var/run/snort*'); + exec('/bin/chmod -R 660 /var/snort/run/*'); + exec('/bin/chmod 770 /usr/local/etc/snort/'); + exec('/bin/chmod 770 /usr/local/etc/whitelist/'); conf_mount_ro(); } 
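Review bot: sync_snort_package duplicates the ownership/permission block from snort_postinstall line for line, including the same `chmod -R 660 /usr/local/etc/snort/*` that strips the execute bit from subdirectories the later `chmod 770` lines never restore, and the same `/usr/local/etc/whitelist/` and `/var/snort/run/*` paths that match no directory created here. Move the block into one helper, e.g. `snort_fix_permissions()`, called from both places so the two copies cannot drift, and apply 660 to files and 770 to directories separately via `find ... -type f` / `-type d`. Because this runs on every sync, the repeated `chown -R snort:snort /usr/local/lib/snort` also keeps re-asserting snort-user ownership of the shared objects Snort loads as root, which is worth reconsidering.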
@@ -670,13 +978,18 @@ if ($id != '' && $if_real != '') //new $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - + /* create snort configuration file */ create_snort_conf($id, $if_real, $snort_uuid); /* if rules exist cp rules to each iface */ create_rules_iface($id, $if_real, $snort_uuid); - + + /* only build whitelist when needed */ + if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on'){ + create_snort_whitelist($id, $if_real); + } + /* create snort bootup file snort.sh only create once */ create_snort_sh(); @@ -720,11 +1033,17 @@ function sync_snort_package_empty() $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; if ($if_real != '' && $snort_uuid != '') { + /* create snort configuration file */ create_snort_conf($id, $if_real, $snort_uuid); /* if rules exist cp rules to each iface */ create_rules_iface($id, $if_real, $snort_uuid); + + /* only build whitelist when needed */ + if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on'){ + create_snort_whitelist($id, $if_real); + } /* create barnyard2 configuration file */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; 
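Review bot: The `blockoffenders7 == 'on'` guard around create_snort_whitelist() is copy-pasted into this hunk, the sync_snort_package_empty hunk below it and (on the next line) sync_snort_package_config, and none of them handles a rule that has blocking enabled but no `whitelistname` yet, which is exactly the state of a configuration saved before this commit added the field. Move the guard into create_snort_whitelist itself and treat an empty name as 'default' there, e.g. `if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] != 'on') return;` followed by `if (empty($wlname)) $wlname = 'default';`, so an upgraded install still gets a whitelist file instead of none. The enclosing functions (apparently sync_snort_package and sync_snort_package_empty) both start before these hunks.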
@@ -772,8 +1091,14 @@ function sync_snort_package_config() $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; if ($if_real != '' && $snort_uuid != '') { + /* create snort configuration file */ create_snort_conf($id, $if_real, $snort_uuid); + + /* only build whitelist when needed */ + if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on'){ + create_snort_whitelist($id, $if_real); + } /* create barnyard2 configuration file */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; 
@@ -794,6 +1119,106 @@ function sync_snort_package_config() /* Start of main config files */ /* Start of main config files */ +function create_snort_whitelist($id, $if_real) { + + global $config, $g; + conf_mount_rw(); + + /* make sure dir is there */ + if (!file_exists('/usr/local/etc/snort/whitelist/')) { + exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); + } + + if ($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'] == 'default') { + + /* open snort's whitelist for writing */ + $whitelist_w = fopen("/usr/local/etc/snort/whitelist/defaultwlist", "w"); + if(!$whitelist_w) { + log_error("Could not open /usr/local/etc/snort/whitelist/defaultwlist for writing."); + return; + } + + $w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); + + }else{ + + preg_match('/^([a-zA-z0-9]+)/', $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $wlist_name_wrt); + preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $wlist_num_wrt); + + $whitelist_key_w = find_whitelist_key($wlist_num_wrt[0]); + + $build_netlist = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['snortlisttype']; + $wanip = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['wanips']; + $wangw = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['wangateips']; + $wandns = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['wandnsips']; + $vips = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['vips']; + $vpns = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]['vpnips']; + + /* open snort's whitelist for writing */ + $whitelist_w = fopen("/usr/local/etc/snort/whitelist/$wlist_name_wrt[0]", "w"); + if(!$whitelist_w) { + log_error("Could not open 
/usr/local/etc/snort/whitelist/$wlist_name_wrt[0] for writing."); + return; + } + + $w_data = build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $whitelist_key_w); + + } + + fwrite($whitelist_w, $w_data); + fclose($whitelist_w); + conf_mount_ro(); + +} + +function create_snort_homenet($id, $if_real) { + + global $config, $g; + conf_mount_rw(); + + if ($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == 'default' || $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == '') { + return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); + }else{ + preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'], $hlist_num_wrt); + + $whitelist_key_h = find_whitelist_key($hlist_num_wrt[0]); + + $build_netlist_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['snortlisttype']; + $wanip_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wanips']; + $wangw_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wangateips']; + $wandns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wandnsips']; + $vips_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vips']; + $vpns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vpnips']; + + return build_base_whitelist($build_netlist_h, $wanip_h, $wangw_h, $wandns_h, $vips_h, $vpns_h, $whitelist_key_h); + + } + + conf_mount_ro(); + +} + +function create_snort_externalnet($id, $if_real) { + + global $config, $g; + conf_mount_rw(); + + preg_match('/([0-9]+)$/', $config['installedpackages']['snortglobal']['rule'][$id]['externallistname'], $exlist_num_wrt); + + $whitelist_key_ex = find_whitelist_key($exlist_num_wrt[0]); + + $build_netlist_ex = 
$config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype']; + $wanip_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips']; + $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips']; + $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips']; + $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips']; + $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips']; + + return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex); + + conf_mount_ro(); + +} /* open snort.sh for writing" */ function create_snort_sh() @@ -825,7 +1250,7 @@ function create_snort_sh() $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { - $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"; + $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"; } /* Get all interface startup commands ready */ @@ -842,7 +1267,7 @@ $snort_sh_text2[] = <<077 http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php - - /usr/local/pkg/snort/ - 077 - http://www.pfsense.com/packages/config/snort/snort_whitelist.xml - /usr/local/www/snort/ 077 
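Review bot: create_snort_homenet and create_snort_externalnet call `conf_mount_rw()` and then `return` from every branch, so the trailing `conf_mount_ro()` is unreachable and each call leaves the configuration filesystem mounted read-write; neither function writes a file, so both mount calls can simply be deleted. create_snort_externalnet also lacks the 'default'/empty branch that create_snort_homenet has: with an empty `externallistname` the regex matches nothing, find_whitelist_key() returns null, every list option reads as null and build_base_whitelist() returns null, which presumably ends up as an empty EXTERNAL_NET in snort.conf — it should return whatever the config generator used before this change (typically `any`) when no list is selected. In create_snort_whitelist the class `[a-zA-z0-9]` should be `[a-zA-Z0-9]`: `A-z` also admits `[ \ ] ^ _` and backtick, and this match becomes the filename written under /usr/local/etc/snort/whitelist, so it must stay strictly alphanumeric; an empty `whitelistname` likewise yields no match and an fopen() on the bare directory path. A null `$w_data` is then fwrite()'d as an empty whitelist file, and if the blocking script treats that file as authoritative the firewall's own addresses become blockable — log_error() and return early when the list comes back empty.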
@@ -178,6 +173,16 @@ 077 http://www.pfsense.com/packages/config/snort/snort_preprocessors.php + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist.php + + + /usr/local/www/snort/ + 077 + http://www.pfsense.com/packages/config/snort/snort_interfaces_whitelist_edit.php + /usr/local/etc/rc.d/ 755 diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 4f0ddb03..c135187a 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -85,21 +85,19 @@ if ($_POST['save']) } - if ($_POST['delete']) { - - exec("killall syslogd"); conf_mount_rw(); - if(file_exists("/var/log/snort/alert")) - { - exec('/bin/rm /var/log/snort/*'); - exec('/usr/bin/touch /var/log/snort/alert'); + if(file_exists('/var/log/snort/alert')) + { + exec('/bin/echo "" > /var/log/snort/alert'); + post_delete_logs(); + exec('/usr/sbin/chown snort:snort /var/log/snort/*'); + exec('/bin/chmod 660 /var/log/snort/*'); + sleep(2); + exec('/usr/bin/killall -HUP snort'); } conf_mount_ro(); - system_syslogd_start(); - //exec("/usr/bin/killall -HUP snort"); - } if ($_POST['download']) @@ -332,8 +330,8 @@ if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); $tab_array[] = array("Alerts", true, "/snort/snort_alerts.php"); $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + $tab_array[] = array("Whitelists", false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[] = array("Help", false, "/snort/snort_help_info.php"); display_top_tabs($tab_array); ?> @@ -356,7 +354,7 @@ if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '')
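Review bot: The two new file entries for snort_interfaces_whitelist.php and snort_interfaces_whitelist_edit.php copy the `077` value from their neighbours; if that field is the install-time chmod (the rc.d entry right below uses `755`), mode 077 gives the owner no access and group/world read-write-execute on PHP pages served from /usr/local/www/snort/, letting any local unprivileged account, including the `snort` user this package creates, rewrite GUI code that runs with the web server's privileges. Web-served PHP files should be `644` and only the rc.d script `755`. The XML tags appear to have been stripped in this rendering, so the element names cannot be confirmed from what is visible.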
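Review bot: In the `$_POST['delete']` branch, `exec('/bin/chmod 660 /var/log/snort/*');` applies to everything the glob matches, including the `run` and `barnyard2` subdirectories that the install code creates with 770, so after the first log clear the snort user can no longer traverse them and the new `--pid-path /var/log/snort/run` pid files cannot be written. Restrict the chmod to regular files, `exec('/usr/bin/find /var/log/snort -maxdepth 1 -type f -exec chmod 660 {} +');`, or let post_delete_logs() set the mode on the files it truncates. The `killall -HUP snort` after a fixed `sleep(2)` reloads every running Snort instance, not only the one whose logs were cleared; if that is intended, say so in a comment, and check the exec() result rather than discarding it.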
All log files will be saved. - + Warning: all log files will be deleted.
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index 103fba0e..d88b354c 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -110,6 +110,9 @@ if (isset($id) && $a_nat[$id]) { $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; + $pconfig['homelistname'] = $a_nat[$id]['homelistname']; + $pconfig['externallistname'] = $a_nat[$id]['externallistname']; $pconfig['performance'] = $a_nat[$id]['performance']; $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; @@ -120,6 +123,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['rulesets'] = $a_nat[$id]['rulesets']; $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; + if (!$pconfig['interface']) $pconfig['interface'] = "wan"; @@ -225,7 +229,10 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } - if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } + if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } + if ($pconfig['whitelistname'] != "") { $natent['whitelistname'] = $pconfig['whitelistname']; } + if ($pconfig['homelistname'] != "") { $natent['homelistname'] = $pconfig['homelistname']; } + if ($pconfig['externallistname'] != "") { $natent['externallistname'] = $pconfig['externallistname']; } /* post new options */ $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? on : off; 
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 293679d9..e09e8928 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -259,8 +259,8 @@ if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '') $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); $tab_array[] = array("Blocked", true, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + $tab_array[] = array("Whitelists", false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[] = array("Help", false, "/snort/snort_help_info.php"); display_top_tabs($tab_array); ?> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 3c4e98eb..e22c1b06 100644 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -40,7 +40,6 @@ $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; $pfsense_rules_filename = "pfsense_rules.tar.gz"; require_once("globals.inc"); -require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); /* define checks */ diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 9641b767..974f9cb4 100644 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php 
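Review bot: Dropping `require_once("guiconfig.inc")` from snort_check_for_rule_updates.php removes the include that, in pfSense, performs the web-session authentication check for a page; if this file is still installed under /usr/local/www (the manifest hunk lists pages there, though this file's own entry is not in view), it becomes reachable by an unauthenticated request that triggers rule downloads and rule-set rebuilds. If the script is meant to run only from cron, install it under a non-web path such as /usr/local/pkg/snort and open with a guard like `if (php_sapi_name() != 'cli') { header('HTTP/1.0 403 Forbidden'); exit; }`; otherwise keep guiconfig.inc. Either way, the reason for the removal belongs in a comment at the top of the file.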
@@ -111,6 +111,9 @@ if (isset($id) && $a_nat[$id]) { $pconfig['enable'] = $a_nat[$id]['enable']; $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; + $pconfig['homelistname'] = $a_nat[$id]['homelistname']; + $pconfig['externallistname'] = $a_nat[$id]['externallistname']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; @@ -169,7 +172,11 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } - if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } + if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } + if ($pconfig['whitelistname'] != "") { $natent['whitelistname'] = $pconfig['whitelistname']; } + if ($pconfig['homelistname'] != "") { $natent['homelistname'] = $pconfig['homelistname']; } + if ($pconfig['externallistname'] != "") { $natent['externallistname'] = $pconfig['externallistname']; } + /* post new options */ if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; }else{ $natent['def_dns_servers'] = ""; } diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index b3b20582..f1970910 100644 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php 
@@ -142,8 +142,8 @@ echo "\n $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + $tab_array[] = array("Whitelists", false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[] = array("Help", false, "/snort/snort_help_info.php"); display_top_tabs($tab_array); if ($snort_emrging_info == "stop" && $snort_oinkid_info == "stop") { @@ -267,8 +267,8 @@ setTimeout($.unblockUI, 2000); $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + $tab_array[] = array("Whitelists", false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[] = array("Help", false, "/snort/snort_help_info.php"); display_top_tabs($tab_array); ?> diff --git a/config/snort/snort_help_info.php b/config/snort/snort_help_info.php index 5355ec77..4c795b6d 100644 --- a/config/snort/snort_help_info.php +++ b/config/snort/snort_help_info.php 
@@ -86,8 +86,8 @@ clear: both; $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", true, "/snort/snort_help_info.php"); + $tab_array[] = array("Whitelists", false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[] = array("Help", true, "/snort/snort_help_info.php"); display_top_tabs($tab_array); ?> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index 5f42725f..07048276 100644 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -328,8 +328,8 @@ padding: 15px 10px 50% 50px; $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + $tab_array[] = array("Whitelists", false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[] = array("Help", false, "/snort/snort_help_info.php"); display_top_tabs($tab_array); ?> @@ -486,9 +486,9 @@ padding: 15px 10px 50% 50px;
Please edit the Global Settings tab before adding an interface.

- Click on the icon to add a interface.Click on the icon to start snort and barnyard. + Click on the icon to add a interface.                                            Click on the icon to start snort and barnyard2.
- Click on the icon to edit a interface and settings.Click on the icon to stop snort and barnyard. + Click on the icon to edit a interface and settings.                       Click on the icon to stop snort and barnyard2.
Click on the icon to delete a interface and settings. diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index b63bbfbd..8cc97a75 100644 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -134,6 +134,9 @@ if (isset($id) && $a_nat[$id]) { $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; + $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; + $pconfig['homelistname'] = $a_nat[$id]['homelistname']; + $pconfig['externallistname'] = $a_nat[$id]['externallistname']; $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; 
@@ -233,6 +236,9 @@ if ($_POST["Submit"]) { $natent['performance'] = $_POST['performance'] ? $_POST['performance'] : $pconfig['performance']; /* if post = on use on off or rewrite the conf */ if ($_POST['blockoffenders7'] == "on") { $natent['blockoffenders7'] = on; }else{ $natent['blockoffenders7'] = off; } if ($_POST['enable'] == "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } + $natent['whitelistname'] = $_POST['whitelistname'] ? $_POST['whitelistname'] : $pconfig['whitelistname']; + $natent['homelistname'] = $_POST['homelistname'] ? $_POST['homelistname'] : $pconfig['homelistname']; + $natent['externallistname'] = $_POST['externallistname'] ? $_POST['externallistname'] : $pconfig['externallistname']; $natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? $_POST['snortalertlogtype'] : $pconfig['snortalertlogtype']; if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = on; }else{ $natent['alertsystemlog'] = off; } if ($_POST['enable'] == "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = on; }else{ $natent['tcpdumplog'] = off; } if ($_POST['enable'] == "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } @@ -306,6 +312,9 @@ if ($_POST["Submit"]) { touch("$d_snortconfdirty_path"); + /* if snort.sh crashed this will remove the pid */ + exec('/bin/rm /tmp/snort.sh.pid'); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); @@ -338,7 +347,7 @@ if ($_POST["Submit"]) { if ($_POST["Submit3"]) { - Running_Stop($snort_uuid, $if_real, $id); + Running_Stop($snort_uuid, $if_real, $id); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -562,12 +571,107 @@ if ($a_nat[$id]['interface'] != '') { + Home net + +
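Review bot: `$natent['whitelistname'] = $_POST['whitelistname'] ? $_POST['whitelistname'] : $pconfig['whitelistname'];` and the two lines after it accept any posted string as a list name, with no check that it names an item in `$config['installedpackages']['snortglobal']['whitelist']['item']` (or whatever sentinel the dropdown uses for its default entry), even though the help text on this page calls the value a whitelist file name. A forged POST therefore stores an arbitrary string in the config; whether that later becomes a path component is decided in snort.inc, outside this hunk, so the safest place to reject it is here. Suggested: collect the existing names once, then `if ($_POST['whitelistname'] != "" && !in_array($_POST['whitelistname'], $list_names, true)) $input_errors[] = "Unknown whitelist selected.";`, and the same for the home and external lists. The enclosing `if ($_POST["Submit"])` block begins outside the hunk.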
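Review bot: `exec('/bin/rm /tmp/snort.sh.pid');` runs on every successful save, not only when snort.sh has crashed as the comment above it says, so a snort.sh that is legitimately running loses its pid file and a second start can race it. Check that the recorded pid is dead before removing the file, and use `unlink()` rather than shelling out: `$pidfile = '/tmp/snort.sh.pid'; if (file_exists($pidfile) && !posix_kill((int)file_get_contents($pidfile), 0)) unlink($pidfile);` (signal 0 only tests for existence; if the posix extension is not available here, `pgrep -F` does the same job). The enclosing POST handler begins outside the hunk.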
+ Choose the home net you will like this rule to use. +  Note: Default home net adds only local networks.
+ Hint: Most users add a list of friendly ips that the firewall cant see. + + + External net + +
+ Choose the external net you will like this rule to use. +  Note: Default external net, networks that are not home net.
+ Hint: Most users should leave this setting at default. + + Block offenders onClick="enable_change(false)">
Checking this option will automatically block hosts that generate a Snort alert. + Whitelist + +
+ Choose the whitelist you will like this rule to use. +  Note: Default whitelist adds only local networks. + + Send alerts to main System logs onClick="enable_change(false)">
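Review bot: The help text for the three new selects needs tightening: "Choose the home net you will like this rule to use" should read "would like", "cant" should be "can't", and "Hint: Most users add a list of friendly ips that the firewall cant see" does not say what the list is for; suggested: `Hint: Add the networks behind this interface that the firewall does not see directly (for example networks behind other routers).` The List Type note in snort_interfaces_whitelist_edit.php says NETLISTs are only for defining snort.conf's home and external nets, so the Home net and External net dropdowns should presumably offer only items whose `snortlisttype` is a netlist and the Whitelist dropdown only whitelist-type items; the option loops are not visible in this hunk, so please confirm. The enclosing form table begins outside the hunk.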
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 3c487ce0..bad5efd1 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -256,8 +256,8 @@ include("head.inc"); $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + $tab_array[] = array("Whitelists", false, "/snort/snort_interfaces_whitelist.php"); + $tab_array[] = array("Help", false, "/snort/snort_help_info.php"); display_top_tabs($tab_array); ?> diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php new file mode 100644 index 00000000..c55e0352 --- /dev/null +++ b/config/snort/snort_interfaces_whitelist.php 
@@ -0,0 +1,179 @@ +. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + + +if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + +//aliases_sort(); << what ? 
+$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; + +if (isset($config['installedpackages']['snortglobal']['whitelist']['item'])) { +$id_gen = count($config['installedpackages']['snortglobal']['whitelist']['item']); +}else{ +$id_gen = '0'; +} + +$d_whitelistdirty_path = '/var/run/snort_whitelist.dirty'; + +if ($_POST) { + + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + + if(stristr($retval, "error") <> true) + $savemsg = get_std_save_message($retval); + else + $savemsg = $retval; + if ($retval == 0) { + if (file_exists($d_whitelistdirty_path)) + unlink($d_whitelistdirty_path); + } + } +} + +if ($_GET['act'] == "del") { + if ($a_whitelist[$_GET['id']]) { + /* make sure rule is not being referenced by any nat or filter rules */ + + unset($a_whitelist[$_GET['id']]); + write_config(); + filter_configure(); + touch($d_whitelistdirty_path); + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; + } +} + +$pgtitle = "Services: Snort: Whitelist"; +include("head.inc"); + +?> + + + +

+
+ +

+You must apply the changes in order for them to take effect.");?> + + + + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + +
File NameValuesDescription +
+ + + + + +   + + + + + + +
+
+ + + + + +
 
+
+
+
+ + +
Note: +

Here you can create whitelist files for your snort package rules. Please add all the ips or networks you want to protect against snort block decisions. Remember that the default whitelist only includes local networks. Be careful, it is very easy to get locked out of you system.

+
+

+ + + diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php new file mode 100644 index 00000000..41476c9c --- /dev/null +++ b/config/snort/snort_interfaces_whitelist_edit.php 
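Review bot: The `act=del` branch removes the whitelist item on a plain GET and never performs the referential check its own comment promises ("make sure rule is not being referenced ..."), so a list still selected as `whitelistname`, `homelistname` or `externallistname` on an interface can be deleted and leaves a dangling name in the config. The `apply` branch is also a no-op: `$retval = 0` is never set by anything, `stristr($retval, "error")` is run on an integer, and nothing regenerates the whitelist files before the dirty flag is unlinked. The leftover `//aliases_sort(); << what ?` should be removed rather than shipped. Suggested shape for the delete path (the interface array name is inferred from snort_rules_edit.php in this commit; confirm it):
```php
if ($_GET['act'] == "del") {
	if ($a_whitelist[$_GET['id']]) {
		/* refuse to delete a list that an interface still references */
		$name = $a_whitelist[$_GET['id']]['name'];
		foreach ((array)$config['installedpackages']['snortglobal']['rule'] as $iface) {
			if (in_array($name, array($iface['whitelistname'], $iface['homelistname'], $iface['externallistname']), true)) {
				$input_errors[] = "Whitelist '{$name}' is in use by an interface and cannot be deleted.";
				break;
			}
		}
		if (empty($input_errors)) {
			unset($a_whitelist[$_GET['id']]);
			// … unchanged: write_config(), filter_configure(), touch(), redirect …
		}
	}
}
```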
@@ -0,0 +1,449 @@ +. + All rights reserved. + + modified for the pfsense snort package + Copyright (C) 2009-2010 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ + +require("guiconfig.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + +aliases_sort(); +$a_whitelist = &$config['installedpackages']['snortglobal']['whitelist']['item']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + + +/* gen uuid for each iface !inportant */ +if ($config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid'] == '') { + //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); +$whitelist_uuid = 0; +while ($whitelist_uuid > 65535 || $whitelist_uuid == 0) { + $whitelist_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $whitelist_uuid; + } +} + +if ($config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid'] != '') { + $whitelist_uuid = $config['installedpackages']['snortglobal']['whitelist']['item'][$id]['uuid']; +} + +$pgtitle = "Services: Snort: Whitelist: Edit $whitelist_uuid"; + +$d_snort_whitelist_dirty_path = '/var/run/snort_whitelist.dirty'; + +/* returns true if $name is a valid name for a whitelist file name or ip */ +function is_validwhitelistname($name) { + if (!is_string($name)) + return false; + + if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + return true; + + return false; +} + + +if (isset($id) && $a_whitelist[$id]) { + + /* old settings */ + $pconfig['name'] = $a_whitelist[$id]['name']; + $pconfig['uuid'] = $a_whitelist[$id]['uuid']; + $pconfig['detail'] = $a_whitelist[$id]['detail']; + $pconfig['snortlisttype'] = $a_whitelist[$id]['snortlisttype']; + $pconfig['address'] = $a_whitelist[$id]['address']; + $pconfig['descr'] = html_entity_decode($a_whitelist[$id]['descr']); + $pconfig['wanips'] = $a_whitelist[$id]['wanips']; + $pconfig['wangateips'] = $a_whitelist[$id]['wangateips']; + $pconfig['wandnsips'] = $a_whitelist[$id]['wandnsips']; + $pconfig['vips'] = $a_whitelist[$id]['vips']; + $pconfig['vpnips'] = $a_whitelist[$id]['vpnips']; + + + $addresses = 
explode(' ', $pconfig['address']); + $address = explode(" ", $addresses[0]); + if ($address[1]) + $addresssubnettest = true; + else + $addresssubnettest = false; +} + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + $reqdfields = explode(" ", "name address"); + $reqdfieldsn = explode(",", "Name,Address"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if(strtolower($_POST['name']) == "defaultwhitelist") + $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; + + $x = is_validwhitelistname($_POST['name']); + if (!isset($x)) { + $input_errors[] = "Reserved word used for whitelist file name."; + } else { + if (is_validwhitelistname($_POST['name']) == false) + $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; + } + + if (is_validwhitelistname($_POST['address']) == false) + $input_errors[] = "Whitelist address may only consist of the characters 0-9 and /. Note: No Spaces. Press Cancel to reset."; + + + /* check for name conflicts */ + foreach ($a_whitelist as $w_list) { + if (isset($id) && ($a_whitelist[$id]) && ($a_whitelist[$id] === $w_list)) + continue; + + if ($w_list['name'] == $_POST['name']) { + $input_errors[] = "A whitelist file name with this name already exists."; + break; + } + } + + + $w_list = array(); + /* post user input */ + $w_list['name'] = $_POST['name']; + $w_list['uuid'] = $whitelist_uuid; + $w_list['snortlisttype'] = $_POST['snortlisttype']; + $w_list['address'] = $_POST['address']; + $w_list['wanips'] = $_POST['wanips']? yes : no; + $w_list['wangateips'] = $_POST['wangateips']? yes : no; + $w_list['wandnsips'] = $_POST['wandnsips']? yes : no; + $w_list['vips'] = $_POST['vips']? yes : no; + $w_list['vpnips'] = $_POST['vpnips']? 
yes : no; + + + $address = $w_list['address']; + $final_address_detail = mb_convert_encoding($_POST['detail'],"HTML-ENTITIES","auto"); + if($final_address_detail <> "") { + $final_address_details .= $final_address_detail; + } else { + $final_address_details .= "Entry added" . " "; + $final_address_details .= date('r'); + } + $final_address_details .= "||"; + $isfirst = 0; + + + /* add another entry code */ + for($x=0; $x<299; $x++) { + $comd = "\$subnet = \$_POST['address" . $x . "'];"; + eval($comd); + $comd = "\$subnet_address = \$_POST['address_subnet" . $x . "'];"; + eval($comd); + if($subnet <> "") { + $address .= " "; + $address .= $subnet; + if($subnet_address <> "") $address .= "" . $subnet_address; + + /* Compress in details to a single key, data separated by pipes. + Pulling details here lets us only pull in details for valid + address entries, saving us from having to track which ones to + process later. */ + $comd = "\$final_address_detail = mb_convert_encoding(\$_POST['detail" . $x . "'],'HTML-ENTITIES','auto');"; + eval($comd); + if($final_address_detail <> "") { + $final_address_details .= $final_address_detail; + } else { + $final_address_details .= "Entry added" . 
" "; + $final_address_details .= date('r'); + } + $final_address_details .= "||"; + } + } + + if (!$input_errors) { + $w_list['address'] = $address; + $w_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $w_list['detail'] = $final_address_details; + + if (isset($id) && $a_whitelist[$id]) + $a_whitelist[$id] = $w_list; + else + $a_whitelist[] = $w_list; + + touch($d_snort_whitelist_dirty_path); + + write_config(); + + header("Location: /snort/snort_interfaces_whitelist_edit.php?id=$id"); + exit; + } + //we received input errors, copy data to prevent retype + else + { + $pconfig['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $pconfig['address'] = $address; + $pconfig['detail'] = $final_address_details; + } +} + +include("head.inc"); + + + + +$description_str = gettext("Description"); +$hosts_str = gettext("IP or CIDR items"); +$ip_str = gettext("IP"); + +$update_freq_str = gettext("Update Freq."); + + + +?> + +"> + + + + + + +

+ + +
+ +
+ + + + + + +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Name + +

+ NOTE: This list is in use so the name may not be modified! +

+
Name + +
+ + The list name may only consist of the characters a-z, A-Z and 0-9. Note: No Spaces. + +
Description + +
+ + You may enter a description here for your reference (not parsed). + +
List Type +
+ Choose the type of list you will like see in your Interface Edit Tab. Hint: Best pratice is to test every list you make. +  Note: NETLIST's are only for defining snort.conf's external or home NETS.
WAN IPs + /> + + Add WAN IPs to the list. + +
Wan Gateways + /> + + Add WAN Gateways to the list. + +
Wan DNS servers + /> + + Add WAN DNS servers to the list. + +
Virtual IP Addresses + /> + + Add Virtual IP Addresses to the list. + +
VPNs + /> + + Add VPN Addresses to the list. + +
IP or CIDR items
+ + + + + + + + + + + 0) $tracker = $counter + 1; + ?> + + + + + + + +
+
+ Enter only ips or CIDR notations. Example: 192.168.4.1 or 192.168.1.0/24
+
IP or CIDR
Add a Description or leave blank and a date will be added.
+ + + + + 0) + echo ""; + ?> +
+ + + +
  + + + + + +
+
+
+ + + + + + \ No newline at end of file diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 1d3abf0b..5875ab70 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -104,6 +104,9 @@ if (isset($id) && $a_nat[$id]) { $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['whitelistname'] = $a_nat[$id]['whitelistname']; + $pconfig['homelistname'] = $a_nat[$id]['homelistname']; + $pconfig['externallistname'] = $a_nat[$id]['externallistname']; $pconfig['performance'] = $a_nat[$id]['performance']; $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; @@ -202,7 +205,11 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } - + if ($pconfig['whitelistname'] != "") { $natent['whitelistname'] = $pconfig['whitelistname']; } + if ($pconfig['homelistname'] != "") { $natent['homelistname'] = $pconfig['homelistname']; } + if ($pconfig['externallistname'] != "") { $natent['externallistname'] = $pconfig['externallistname']; } + + /* post new options */ $natent['perform_stat'] = $_POST['perform_stat']; if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; } diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index 759193c8..d1239d25 100644 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php 
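Review bot: `is_validwhitelistname()` accepts `.` and `/` (`preg_match("/[^a-zA-Z0-9\.\/]/", $name)` only rejects characters outside that set), so a name such as `../../tmp/x` passes, while the error message beside it promises only `a-z, A-Z and 0-9 _`; since the page itself calls the value a whitelist file name, tighten the function to `return is_string($name) && preg_match('/^[a-zA-Z0-9_]+$/', $name) === 1;` and make the message match. The per-row addresses gathered in the `for($x=0; $x<299; $x++)` loop are appended to `$address` with no validation at all (only `$_POST['address']` is checked, and with the same name regex, which accepts letters), so add an `$input_errors[]` entry for each row that is neither an IP nor a CIDR network, using pfSense's `is_ipaddr()`/`is_subnet()` if this version provides them. The `eval()` calls in that loop can be plain `$_POST['address' . $x]` lookups, and `if (!isset($x))` after `$x = is_validwhitelistname(...)` is dead because the function always returns a bool. The file also calls `aliases_sort()`, which as far as I can tell sorts the firewall alias table rather than this list, and the subnet suffix is appended with `""` instead of `"/"`, which looks like a copy from the alias editor that lost its separator; please confirm which of the two is intended.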
@@ -38,8 +38,8 @@ */ require_once("guiconfig.inc"); -require_once("config.inc"); - +require_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index d232c097..6d5d7332 100644 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -29,8 +29,6 @@ */ require("guiconfig.inc"); -//require_once("filter.inc"); -//require_once("service-utils.inc"); include_once("/usr/local/pkg/snort/snort.inc"); require_once("/usr/local/pkg/snort/snort_gui.inc"); diff --git a/config/snort/snort_whitelist.xml b/config/snort/snort_whitelist.xml deleted file mode 100644 index d98f83fa..00000000 --- a/config/snort/snort_whitelist.xml +++ /dev/null 
@@ -1,117 +0,0 @@ - - - - - - . - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. 
- snortglobal - 0.1.0 - Snort: Whitelist - /usr/local/pkg/snort/snort.inc - - - - Snort Interfaces - /snort/snort_interfaces.php - - - Global Settings - /snort/snort_interfaces_global.php - - - Rule Updates - /snort/snort_download_rules.php - - - Alerts - /snort/snort_alerts.php - - - Blocked - /snort/snort_blocked.php - - - Whitelist - /pkg.php?xml=/snort/snort_whitelist.xml - - - - Help Info - /snort/snort_help_info.php - - - - - Whitelisted IP - ip - - - Description - description - - - - - Whitelisted IP - ip - Enter the IP or network to whitelist from snort blocking. Network items should be expressed in CIDR notation. Example: 0.0.0.0/24 or 0.0.0.0/32 - input - 40 - - - Description - description - Enter the description for this item - input - 60 - - - - - - - - sync_snort_package_empty(); - - -- cgit v1.2.3