From 3c8526293f20bf9d0a472be7c3003834551871cd Mon Sep 17 00:00:00 2001
From: Scott Ullrich <sullrich@pfsense.org>
Date: Mon, 25 Sep 2006 20:26:56 +0000
Subject: Snort now starts out of the box.

---
 packages/snort/snort.inc | 182 ++++++++++++++++++++++++++---------------------
 1 file changed, 101 insertions(+), 81 deletions(-)

(limited to 'packages/snort/snort.inc')

diff --git a/packages/snort/snort.inc b/packages/snort/snort.inc
index 159866c6..ec4bf8e5 100644
--- a/packages/snort/snort.inc
+++ b/packages/snort/snort.inc
@@ -4,6 +4,17 @@ function sync_package_snort() {
 	global $config, $g;
 	exec("mkdir -p /usr/local/etc/snort");
 	exec("mkdir -p /var/log/snort");
+	exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+	exec("cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config");
+	exec("cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map");
+	exec("cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators");
+	exec("cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config");
+	exec("cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map");
+	exec("cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid");
+	exec("cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
+	exec("cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+	exec("rm -f /usr/local/etc/rc.d/snort");
+
 	$first = 0;
 	/* if list */
 	$iflist = array("lan" => "LAN");
@@ -25,7 +36,7 @@ function sync_package_snort() {
 			$first = 1;
 		}
 	}
-	$start  = "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort " . $ifaces_final . " -D";
+	$start  = "/bin/mkdir -p /var/log/snort;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort " . $ifaces_final . " -D";
 	$start .= ";snort2c -s -w /var/db/whitelist -a /var/log/snort/alert";
 	write_rcfile(array(
 			"file" => "snort.sh",
@@ -46,12 +57,20 @@ function sync_package_snort() {
 }
 
 function generate_snort_conf() {
-	global $config, $g;
+	global $config, $g, $config;
+
+	/* obtain external interface */
+	$snort_ext_int = $config['installedpackages']['snort']['config'][0]['interface_array'][0];
+
+	/* calculate lan subnet information */
+	$ifcfg = &$config['interfaces']['lan'];
+	$subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']);
+	$subnetmask = gen_subnet_mask($ifcfg['subnet']);
 
 	/* XXX: set SSH port from config variable */
 	$ssh_port = "22";
-	/* XXX: generate home net */
-	$home_net = "";
+	$home_net = "{$subnet}/{$ifcfg['subnet']}";
+	/* XXX: add home net for all interfaces */
 
 	/* XXX: generate rule section */
 	$selected_rules_sections = "";
@@ -60,20 +79,23 @@ function generate_snort_conf() {
 
 var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
 var HTTP_PORTS 80
-var SHELLCODE_PORTS !$HTTP_PORTS
+var SHELLCODE_PORTS !\$HTTP_PORTS
 var ORACLE_PORTS 1521
 var HOME_NET {$home_net}
-var TELNET_SERVERS $HOME_NET
-var SQL_SERVERS $HOME_NET
-var HTTP_SERVERS $HOME_NET
-var SMTP_SERVERS $HOME_NET
-var DNS_SERVERS $HOME_NET
-var RULE_PATH .
-var EXTERNAL_NET !$HOME_NET
+var TELNET_SERVERS \$HOME_NET
+var SQL_SERVERS \$HOME_NET
+var HTTP_SERVERS \$HOME_NET
+var SMTP_SERVERS \$HOME_NET
+var DNS_SERVERS \$HOME_NET
+var EXTERNAL_NET !\$HOME_NET
 var SSH_PORTS {$ssh_port}
+var RULE_PATH /usr/local/etc/snort/rules
+
+# Use lower memory models
+config detection: search-method lowmem
 
 #Output plugins
-output database: alert
+#output database: alert
 output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
 
 #Flow and stream
@@ -84,7 +106,7 @@ preprocessor stream4: disable_evasion_alerts,detect_scans
 preprocessor stream4_reassemble: both, ports all
 
 #XLink2State mini proc
-preprocessor xlink2state: ports { 25 691 }
+#preprocessor xlink2state: ports { 25 691 }
 
 #HTTP Inspect
 preprocessor http_inspect: global iis_unicode_map unicode.map 1252
@@ -120,7 +142,7 @@ preprocessor flow-portscan: \
         talker-sliding-window 20 \
         talker-fixed-window 30 \
         scoreboard-rows-talker 30000 \
-        server-watchnet $HOME_NET \
+        server-watchnet \$HOME_NET \
         server-ignore-limit 200 \
         server-rows 65535 \
         server-learning-time 14400 \
@@ -147,107 +169,105 @@ include reference.config
 # XXX: axe below, use $selected_rules_sections
 
 #General
-include $RULE_PATH/bleeding.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
+#include \$RULE_PATH/bleeding.rules
+include \$RULE_PATH/ftp.rules
+include \$RULE_PATH/telnet.rules
+include \$RULE_PATH/dns.rules
+include \$RULE_PATH/tftp.rules
+include \$RULE_PATH/x11.rules
+include \$RULE_PATH/misc.rules
+include \$RULE_PATH/nntp.rules
+include \$RULE_PATH/other-ids.rules
 # include $RULE_PATH/shellcode.rules
-include $RULE_PATH/community-ftp.rules
-include $RULE_PATH/community-misc.rules
+#include \$RULE_PATH/community-ftp.rules
+#include \$RULE_PATH/community-misc.rules
 
 #Mostly Spyware
-include $RULE_PATH/bleeding-malware.rules
+#include \$RULE_PATH/bleeding-malware.rules
 
 #Network issues
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/snmp.rules
+include \$RULE_PATH/bad-traffic.rules
+include \$RULE_PATH/snmp.rules
 
 #Exploits and direct attacks
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/bleeding-exploit.rules
-include $RULE_PATH/community-exploit.rules
+include \$RULE_PATH/exploit.rules
 
 #Scans and recon
-include $RULE_PATH/scan.rules
-include $RULE_PATH/bleeding-scan.rules
+include \$RULE_PATH/scan.rules
+#include \$RULE_PATH/bleeding-scan.rules
 
 #Unusual stuff
-include $RULE_PATH/finger.rules
+include \$RULE_PATH/finger.rules
 
 #R-services, etc
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
+include \$RULE_PATH/rpc.rules
+include \$RULE_PATH/rservices.rules
 
 #DOS
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/bleeding-dos.rules
+include \$RULE_PATH/dos.rules
+include \$RULE_PATH/ddos.rules
+#include \$RULE_PATH/bleeding-dos.rules
 
 #Web issues
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-include $RULE_PATH/web-attacks.rules
-include $RULE_PATH/bleeding-web.rules
-include $RULE_PATH/community-web-cgi.rules
-include $RULE_PATH/community-web-client.rules
-include $RULE_PATH/community-web-dos.rules
-include $RULE_PATH/community-web-misc.rules
+include \$RULE_PATH/web-cgi.rules
+include \$RULE_PATH/web-coldfusion.rules
+include \$RULE_PATH/web-iis.rules
+include \$RULE_PATH/web-frontpage.rules
+include \$RULE_PATH/web-misc.rules
+include \$RULE_PATH/web-client.rules
+include \$RULE_PATH/web-php.rules
+include \$RULE_PATH/web-attacks.rules
+#include \$RULE_PATH/bleeding-web.rules
+#include \$RULE_PATH/community-web-cgi.rules
+#include \$RULE_PATH/community-web-client.rules
+#include \$RULE_PATH/community-web-dos.rules
+#include \$RULE_PATH/community-web-misc.rules
 
 #SQL and DB sigs
-include $RULE_PATH/sql.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/community-sql-injection.rules
+include \$RULE_PATH/sql.rules
+include \$RULE_PATH/oracle.rules
+include \$RULE_PATH/mysql.rules
+#include \$RULE_PATH/community-sql-injection.rules
 
 #Informational stuff
 #include $RULE_PATH/icmp.rules
-include $RULE_PATH/info.rules
+include \$RULE_PATH/info.rules
 # include $RULE_PATH/icmp-info.rules
 
 #Windows stuff
-include $RULE_PATH/netbios.rules
+include \$RULE_PATH/netbios.rules
 
 #Compromise responses
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/bleeding-attack_response.rules
+include \$RULE_PATH/attack-responses.rules
+#include \$RULE_PATH/bleeding-attack_response.rules
 
 #Mail sigs
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-include $RULE_PATH/community-mail-client.rules
+include \$RULE_PATH/smtp.rules
+include \$RULE_PATH/imap.rules
+include \$RULE_PATH/pop2.rules
+include \$RULE_PATH/pop3.rules
+#include \$RULE_PATH/community-mail-client.rules
 
 #Trojans, Viruses, and spyware
-include $RULE_PATH/backdoor.rules
-include $RULE_PATH/virus.rules
-include $RULE_PATH/bleeding-virus.rules
-include $RULE_PATH/community-virus.rules
+include \$RULE_PATH/backdoor.rules
+include \$RULE_PATH/virus.rules
+#include \$RULE_PATH/bleeding-virus.rules
+#include \$RULE_PATH/community-virus.rules
 
 #Policy Sigs
-include $RULE_PATH/policy.rules
-include $RULE_PATH/porn.rules
-include $RULE_PATH/chat.rules
-include $RULE_PATH/p2p.rules
-include $RULE_PATH/multimedia.rules
-include $RULE_PATH/bleeding-policy.rules
-include $RULE_PATH/bleeding-p2p.rules
-include $RULE_PATH/bleeding-inappropriate.rules
-include $RULE_PATH/community-game.rules
-include $RULE_PATH/community-inappropriate.rules
+include \$RULE_PATH/policy.rules
+include \$RULE_PATH/porn.rules
+include \$RULE_PATH/chat.rules
+include \$RULE_PATH/p2p.rules
+include \$RULE_PATH/multimedia.rules
+#include \$RULE_PATH/bleeding-policy.rules
+#include \$RULE_PATH/bleeding-p2p.rules
+#include \$RULE_PATH/bleeding-inappropriate.rules
+#include \$RULE_PATH/community-game.rules
+#include \$RULE_PATH/community-inappropriate.rules
 
 #Experimental
-include $RULE_PATH/experimental.rules
+include \$RULE_PATH/experimental.rules
 
 EOD;
 
-- 
cgit v1.2.3