advanced features */ //$bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; //$bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; //$bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; // create a few directories and ensure the sample files are in place if(!file_exists('/usr/local/etc/snort')) { exec('/bin/mkdir -p /usr/local/etc/snort'); } if(!file_exists('/usr/local/etc/snort/whitelist')) { exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); } if(!file_exists('/var/log/snort/run')) { exec('/bin/mkdir -p /var/log/snort/run'); } if(!file_exists('/var/log/snort/barnyard2')) { exec('/bin/mkdir -p /var/log/snort/barnyard2/'); } if(!file_exists('/usr/local/lib/snort/dynamicrules/')) { exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); } // for snort2c, remove when snortsam is working if(!file_exists('/var/db/whitelist')) { touch('/var/db/whitelist'); } if (!file_exists('/usr/local/etc/snort/etc')) { exec('/bin/mkdir -p /usr/local/etc/snort/etc'); } if (!file_exists('/usr/local/etc/snort/signatures')) { exec('/bin/mkdir -p /usr/local/etc/snort/signatures'); } if (!file_exists('/usr/local/etc/snort/snort_download')) { exec('/bin/mkdir -p /usr/local/etc/snort/snort_download'); } if (!file_exists('/usr/local/etc/snort/snortDBrules/DB')) { exec('/bin/mkdir -p /usr/local/etc/snort/snortDBrules/DB'); } if (!file_exists('/usr/local/etc/snort/snortDBrules/custom_rules')) { exec('/bin/mkdir -p /usr/local/etc/snort/snortDBrules/custom_rules/rules'); } if (!file_exists('/usr/local/etc/snort/snortDBrules/emerging_rules')) { exec('/bin/mkdir -p /usr/local/etc/snort/snortDBrules/emerging_rules/rules'); } if (!file_exists('/usr/local/etc/snort/snortDBrules/pfsense_rules')) { exec('/bin/mkdir -p /usr/local/etc/snort/snortDBrules/pfsense_rules/rules'); } if (!file_exists('/usr/local/etc/snort/snortDBrules/snort_rules')) { exec('/bin/mkdir -p /usr/local/etc/snort/snortDBrules/snort_rules/rules'); } if (!file_exists('/usr/local/etc/snort/snortDBrules/DB/default/rules')) { exec('/bin/mkdir -p /usr/local/etc/snort/snortDBrules/DB/default/rules'); exec('/usr/bin/touch /usr/local/etc/snort/snortDBrules/DB/default/rules/local.rules'); } // create and cp to tmp db dir if (!file_exists('/var/snort/')) { exec('/bin/mkdir -p /var/snort/'); } if (file_exists('/usr/local/pkg/snort/snortDBtemp')) { exec('/bin/cp /usr/local/pkg/snort/snortDBtemp /var/snort/snortDBtemp'); } // cleanup default files if(file_exists('/usr/local/etc/snort/snort.conf-sample')) { exec('/bin/rm /usr/local/etc/snort/classification.config-sample'); exec('/bin/mv /usr/local/etc/snort/classification.config /usr/local/etc/snort/etc/classification.config'); exec('/bin/rm /usr/local/etc/snort/gen-msg.map-sample'); exec('/bin/mv /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/etc/gen-msg.map'); exec('/bin/rm /usr/local/etc/snort/reference.config-sample'); exec('/bin/mv /usr/local/etc/snort/reference.config /usr/local/etc/snort/etc/reference.config'); exec('/bin/rm /usr/local/etc/snort/sid-msg.map-sample'); exec('/bin/mv /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/etc/sid-msg.map'); exec('/bin/rm /usr/local/etc/snort/snort.conf-sample'); exec('/bin/mv /usr/local/etc/snort/snort.conf /usr/local/etc/snort/etc/snort.conf'); exec('/bin/rm /usr/local/etc/snort/threshold.conf-sample'); exec('/bin/mv /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/etc/threshold.conf'); exec('/bin/rm /usr/local/etc/snort/unicode.map-sample'); exec('/bin/mv /usr/local/etc/snort/unicode.map /usr/local/etc/snort/etc/unicode.map'); exec('/bin/rm /usr/local/etc/snort/generators-sample'); exec('/bin/mv /usr/local/etc/snort/generators /usr/local/etc/snort/etc/generators'); exec('/bin/rm /usr/local/etc/snort/sid'); exec('/bin/rm /usr/local/etc/rc.d/snort'); exec('/bin/rm /usr/local/etc/rc.d/bardyard2'); } // remove example files if(file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) { exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); } if(file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) { exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); } // add snort user and group note: 920 keep the numbers < 2000, above this is reserved in pfSense 2.0 exec('/usr/sbin/pw groupadd snort -g 920'); exec('/usr/sbin/pw useradd snort -u 920 -c "Snort User" -d /nonexistent -g snort -s /sbin/nologin'); // if users have old log files delete them */ if(!file_exists('/var/log/snort/alert')) { touch('/var/log/snort/alert'); }else{ exec('/bin/rm -rf /var/log/snort/*'); touch('/var/log/snort/alert'); } // rm barnyard2 important */ if(!file_exists('/usr/local/bin/barnyard2')) { exec('/bin/rm /usr/local/bin/barnyard2'); } /* important */ exec('/usr/sbin/chown -R snort:snort /var/log/snort'); exec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort'); exec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort'); exec('/usr/sbin/chown -R snort:snort /var/snort'); exec('/usr/sbin/chown snort:snort /tmp/snort*'); exec('/usr/sbin/chown snort:snort /var/db/whitelist'); exec('/bin/chmod 660 /var/log/snort/alert'); exec('/bin/chmod 660 /var/db/whitelist'); exec('/bin/chmod -R 660 /usr/local/etc/snort/*'); exec('/bin/chmod -R 660 /tmp/snort*'); exec('/bin/chmod -R 660 /var/run/snort*'); exec('/bin/chmod -R 660 /var/snort/run/*'); exec('/bin/chmod 770 /usr/local/lib/snort'); exec('/bin/chmod 770 /usr/local/etc/snort'); exec('/bin/chmod 770 /usr/local/etc/whitelist'); exec('/bin/chmod 770 /var/log/snort'); exec('/bin/chmod 770 /var/log/snort/run'); exec('/bin/chmod 770 /var/log/snort/barnyard2'); /* move files around, make it look clean */ exec('/bin/mkdir -p /usr/local/www/snort/css'); exec('/bin/mkdir -p /usr/local/www/snort/images'); exec('/bin/mkdir -p /usr/local/www/snort/javascript'); chdir ("/usr/local/www/snort/css/"); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/css/style_snort2.css'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/css/new_tab_menu.css'); chdir ("/usr/local/www/snort/images/"); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/alert.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/arrow_down.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/awesome-overlay-sprite.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/controls.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/down.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/down2.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/footer.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/footer2.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/icon-table-sort-asc.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/icon-table-sort-desc.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/icon-table-sort.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/icon_excli.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/loading.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/logo.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/logo22.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/page_white_text.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/transparent.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/transparentbg.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/up.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/up2.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/close_9x9.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/new_tab_menu.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/progress_bar2.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/progressbar.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/images/top_modal_bar_lil.jpg'); chdir ("/usr/local/www/snort/javascript/"); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/javascript/jquery-1.6.2.min.js'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/javascript/jquery.form.js'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/javascript/snort_globalsend.js'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/orionids-dev/javascript/jquery.progressbar.min.js'); /* back to default */ chdir ('/root/'); // make sure snort-old is deinstalled // remove when snort-old is removed unset($config['installedpackages']['snort']); unset($config['installedpackages']['snortdefservers']); unset($config['installedpackages']['snortwhitelist']); unset($config['installedpackages']['snortthreshold']); unset($config['installedpackages']['snortadvanced']); write_config(); conf_mount_rw(); // remake saved settings // TODO: make sre this works in final release /* if($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_status(gettext("Saved settings detected...")); update_output_window(gettext("Please wait... rebuilding files...")); sync_snort_package_empty(); update_output_window(gettext("Finnished Rebuilding files...")); } */ conf_mount_ro(); } // END of Post Install function snort_deinstall() { global $config, $g; conf_mount_rw(); // remove custom sysctl // remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); // decrease bpf buffers back to 4096, from 20480 exec('/sbin/sysctl net.bpf.bufsize=4096'); exec('/usr/usr/bin/killall snort'); sleep(2); exec('/usr/usr/bin/killall -9 snort'); sleep(2); exec('/usr/usr/bin/killall barnyard2'); sleep(2); exec('/usr/usr/bin/killall -9 barnyard2'); sleep(2); exec('/usr/sbin/pw userdel snort'); exec('/usr/sbin/pw groupdel snort'); exec('rm -rf /usr/local/etc/snort*'); exec('rm -rf /usr/local/pkg/snort*'); exec('rm -rf /usr/local/pkg/pf/snort*'); exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); exec("cd /var/db/pkg && pkg_delete `ls | grep perl-threaded`"); exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client-5.1.50_1`"); exec('rm -r /usr/local/bin/barnyard2'); // TODO: figure out how to detect pfsense packages that use the same freebsd pkckages and not deinstall //exec("cd /var/db/pkg && pkg_delete `ls | grep perl`"); //exec("cd /var/db/pkg && pkg_delete `ls | grep barnyard2`"); //exec("cd /var/db/pkg && pkg_delete `ls | grep pcre`"); // Never remove pcre or pfsense will break // Remove snort cron entries Ugly code needs smoothness // TODO: redo code because its a mess function snort_rm_blocked_deinstall_cron($should_install) { global $config, $g; conf_mount_rw(); $is_installed = false; if(!$config['cron']['item']) return; $x=0; foreach($config['cron']['item'] as $item) { if (strstr($item['command'], "snort2c")) { $is_installed = true; break; } $x++; } if($is_installed == true) { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); conf_mount_rw(); } configure_cron(); } conf_mount_ro(); } function snort_rules_up_deinstall_cron($should_install) { global $config, $g; conf_mount_rw(); $is_installed = false; if(!$config['cron']['item']) return; $x=0; foreach($config['cron']['item'] as $item) { if (strstr($item['command'], "snort_check_for_rule_updates.php")) { $is_installed = true; break; } $x++; } if($is_installed == true) { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); conf_mount_rw(); } configure_cron(); } } snort_rm_blocked_deinstall_cron(""); snort_rules_up_deinstall_cron(""); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ /* Keep this as a last step */ if($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') { unset($config['installedpackages']['snortglobal']); } write_config(); conf_mount_rw(); exec('rm -rf /usr/local/www/snort'); exec('rm -rf /usr/local/lib/snort/'); exec('rm -rf /var/log/snort/'); exec('rm -rf /usr/local/pkg/snort'); exec('rm -rf /var/snort'); conf_mount_ro(); } // make sure this func on writes to files and does not start snort */ function sync_snort_package() { global $config, $g; conf_mount_rw(); conf_mount_ro(); } ?>