$ifname) { if(strtolower($ifname) == $lc_interface) return $config['interfaces'][$ifname]['if']; if(strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface) return $config['interfaces'][$ifname]['if']; } return $interface; } $if_real_wan = convert_friendly_interface_to_real_interface_name2($interface_fake); /* Allow additional execution time 0 = no limit. */ ini_set('max_execution_time', '9999'); ini_set('max_input_time', '9999'); /* define oinkid */ if($config['installedpackages']['snortglobal']) $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; function snort_postinstall() { global $config; conf_mount_rw(); if(!file_exists("/var/log/snort/")) { mwexec("mkdir -p /var/log/snort/"); mwexec("mkdir -p /var/log/snort/barnyard2"); } if(!file_exists("/var/log/snort/alert")) touch("/var/log/snort/alert"); /* snort -> advanced features */ $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; /* create a few directories and ensure the sample files are in place */ exec("/bin/mkdir -p /usr/local/etc/snort"); exec("/bin/mkdir -p /var/log/snort"); exec("/bin/mkdir -p /usr/local/etc/snort/rules"); if(file_exists("/usr/local/etc/snort/snort.conf-sample")) { exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); exec("/bin/rm /usr/local/etc/snort/generators-sample"); exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); exec("/bin/rm /usr/local/etc/snort/sid"); exec("/bin/rm /usr/local/etc/rc.d/snort"); exec("/bin/rm /usr/local/etc/rc.d/bardyard2"); } if(!file_exists("/usr/local/etc/snort/custom_rules")) { exec("/bin/mkdir -p /usr/local/etc/snort/custom_rules/"); } exec("/usr/sbin/pw groupadd snort"); exec('/usr/sbin/pw useradd snort -c "SNORT USER" -d /nonexistent -g snort -s /sbin/nologin'); exec("/usr/sbin/chown -R snort:snort /var/log/snort"); exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); exec("/bin/chmod -R 755 /var/log/snort"); exec("/bin/chmod -R 755 /usr/local/etc/snort"); exec("/bin/chmod -R 755 /usr/local/lib/snort"); /* remove example files */ if(file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0")) { exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); } if(file_exists("/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so")) { exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); } /* find out if were in 1.2.3-RELEASE */ $pfsense_ver_chk = exec('/bin/cat /etc/version'); if ($pfsense_ver_chk == '1.2.3-RELEASE') { $pfsense_stable = 'yes'; }else{ $pfsense_stable = 'no'; } /* move files around, make it look clean */ exec('/bin/mkdir -p /usr/local/www/snort/css'); exec('/bin/mkdir -p /usr/local/www/snort/images'); exec('/bin/mkdir -p /usr/local/www/snort/javascript'); chdir ("/usr/local/www/snort/css/"); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/css/style.css'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/css/style2.css'); chdir ("/usr/local/www/snort/images/"); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/alert.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/down.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/down2.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort-asc.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort-desc.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/up.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/up2.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/logo.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/footer.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/footer2.jpg'); chdir ("/usr/local/www/snort/javascript/"); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/jquery.blockUI.js'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/jquery-1.3.2.js'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/mootools.js'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/sortableTable.js'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/tabs.js'); /* install barnyard2 for 2.0 and 1.2.3 */ chdir ("/usr/local/bin/"); if ($pfsense_stable == 'yes') { exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/bin/7.2.x86/barnyard2'); }else{ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/bin/8.0.x86/barnyard2'); } exec('/bin/chmod 077 /usr/local/bin/barnyard2'); /* back to default */ chdir ("/root/"); conf_mount_ro(); } function sync_package_snort_reinstall() { global $config; conf_mount_rw(); if(!$config['installedpackages']['snortglobal']) return; /* create snort configuration file */ create_snort_conf(); /* start snort service */ // start_service("snort"); // do not start, may be needed latter. conf_mount_ro(); } /* func for updating cron */ function snort_rm_blocked_install_cron($should_install) { global $config, $g; if ($g['booting']==true) return; $is_installed = false; if(!$config['cron']['item']) return; $x=0; foreach($config['cron']['item'] as $item) { if (strstr($item['command'], "snort2c")) { $is_installed = true; break; } $x++; } $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; if ($snort_rm_blocked_info_ck == "1h_b") { $snort_rm_blocked_min = "*/5"; $snort_rm_blocked_hr = "*"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "3600"; } if ($snort_rm_blocked_info_ck == "3h_b") { $snort_rm_blocked_min = "*/15"; $snort_rm_blocked_hr = "*"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "10800"; } if ($snort_rm_blocked_info_ck == "6h_b") { $snort_rm_blocked_min = "*/30"; $snort_rm_blocked_hr = "*"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "21600"; } if ($snort_rm_blocked_info_ck == "12h_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/1"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "43200"; } if ($snort_rm_blocked_info_ck == "1d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/2"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "86400"; } if ($snort_rm_blocked_info_ck == "4d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/8"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "345600"; } if ($snort_rm_blocked_info_ck == "7d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/14"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "604800"; } if ($snort_rm_blocked_info_ck == "28d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "0"; $snort_rm_blocked_mday = "*/2"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "2419200"; } switch($should_install) { case true: if(!$is_installed) { $cron_item = array(); $cron_item['minute'] = "$snort_rm_blocked_min"; $cron_item['hour'] = "$snort_rm_blocked_hr"; $cron_item['mday'] = "$snort_rm_blocked_mday"; $cron_item['month'] = "$snort_rm_blocked_month"; $cron_item['wday'] = "$snort_rm_blocked_wday"; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; $config['cron']['item'][] = $cron_item; write_config("Installed $snort_rm_blocked_info_ck minute filter reload for Time Based Rules"); configure_cron(); } break; case false: if($is_installed == true) { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); conf_mount_rw(); } configure_cron(); } break; } } /* func to install snort update */ function snort_rules_up_install_cron($should_install) { global $config, $g; if ($g['booting']==true) return; $is_installed = false; if(!$config['cron']['item']) return; $x=0; foreach($config['cron']['item'] as $item) { if (strstr($item['command'], "snort_check_for_rule_updates.php")) { $is_installed = true; break; } $x++; } $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; if ($snort_rules_up_info_ck == "6h_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "*/6"; $snort_rules_up_mday = "*"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "12h_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "*/12"; $snort_rules_up_mday = "*"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "1d_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "0"; $snort_rules_up_mday = "*/1"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "4d_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "0"; $snort_rules_up_mday = "*/4"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "7d_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "0"; $snort_rules_up_mday = "*/7"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "28d_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "0"; $snort_rules_up_mday = "*/28"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } switch($should_install) { case true: if(!$is_installed) { $cron_item = array(); $cron_item['minute'] = "$snort_rules_up_min"; $cron_item['hour'] = "$snort_rules_up_hr"; $cron_item['mday'] = "$snort_rules_up_mday"; $cron_item['month'] = "$snort_rules_up_month"; $cron_item['wday'] = "$snort_rules_up_wday"; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /usr/local/etc/snort/snort_update.log"; $config['cron']['item'][] = $cron_item; write_config("Installed 15 minute filter reload for Time Based Rules"); configure_cron(); } break; case false: if($is_installed == true) { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); conf_mount_rw(); } configure_cron(); } break; } } function sync_snort_package_remove_old() { global $config, $g; $snort_dir_scan = '/usr/local/etc/snort'; // scan dirm might have to make this into a funtion $dh_scan = opendir($snort_dir_scan); while (false !== ($dir_filename = readdir($dh_scan))) { $list_dir_files[] = $dir_filename; } // find patern in a array, very cool code class array_ereg { function array_ereg($pattern) { $this->pattern = $pattern; } function ereg($string) { return ereg($this->pattern, $string); } } $rule_array2 = $config['installedpackages']['snortglobal']['rule']; $id2 = -1; foreach ($rule_array2 as $value) { $id += 1; $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); $snort_rules_list[] = "snort_$id$if_real"; } $snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg')); $snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list); foreach ($snort_dir_filter_search_result as $value) { exec("rm -r /usr/local/etc/snort/$value"); exec("echo \"rm -r /usr/local/etc/snort/$value\" >> /root/test.log"); } } /* make sure this func on writes to files and does not start snort */ function sync_snort_package() { global $config, $g; conf_mount_rw(); /* all new files are for the user snort nologin */ if(!file_exists("/var/log/snort")) { exec("/bin/mkdir -p /var/log/snort"); } exec("/usr/sbin/chown -R snort:snort /var/log/snort"); exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); exec("/bin/chmod -R 755 /var/log/snort"); exec("/bin/chmod -R 755 /usr/local/etc/snort"); exec("/bin/chmod -R 755 /usr/local/lib/snort"); conf_mount_ro(); } /* make sure this func on writes to files and does not start snort */ function sync_snort_package_all() { global $config, $g, $id, $if_real, $snort_uuid, $interface_fake; /* RedDevil suggested code */ /* TODO: more testing needs to be done */ exec("/sbin/sysctl net.bpf.bufsize=8388608"); exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); exec("/sbin/sysctl net.bpf.maxinsns=512"); exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); # Error checking if ($id != '' && $if_real != '') //new { /* do not start config build if rules is empty */ if (!empty($config['installedpackages']['snortglobal']['rule'])) { conf_mount_rw(); $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_real = convert_friendly_interface_to_real_interface_name($result_lan); /* create snort configuration file */ create_snort_conf($id, $if_real, $snort_uuid); /* if rules exist cp rules to each iface */ create_rules_iface($id, $if_real, $snort_uuid); /* create snort bootup file snort.sh only create once */ create_snort_sh(); /* create barnyard2 configuration file */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; if ($snortbarnyardlog_info_chk == 'on') create_barnyard2_conf($id, $if_real, $snort_uuid); sync_snort_package(); exec("echo \"Funtion sync all $id $if_real $snort_uuid....\" >> /root/test.log"); conf_mount_ro(); } } } /* only be run on new iface create, bootup and ip refresh */ function sync_snort_package_empty() { global $config, $g; conf_mount_rw(); /* do not start config build if rules is empty */ if (!empty($config['installedpackages']['snortglobal']['rule'])) { if ($id == "") { $rule_array = $config['installedpackages']['snortglobal']['rule']; $id = -1; foreach ($rule_array as $value) { if ($id == '') { $id = 0; } $id += 1; $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; if ($if_real != '' && $snort_uuid != '') { /* create snort configuration file */ create_snort_conf($id, $if_real, $snort_uuid); /* if rules exist cp rules to each iface */ create_rules_iface($id, $if_real, $snort_uuid); /* create barnyard2 configuration file */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; if ($snortbarnyardlog_info_chk == 'on') create_barnyard2_conf($id, $if_real, $snort_uuid); } } /* create snort bootup file snort.sh only create once */ create_snort_sh(); sync_snort_package(); } } } /* Start of main config files */ /* Start of main config files */ /* open snort.sh for writing" */ function create_snort_sh() { # Don not add $id or this will break global $config, $g; conf_mount_rw(); /* do not start config build if rules is empty */ if (!empty($config['installedpackages']['snortglobal']['rule'])) { if ($id == "") { $rule_array = $config['installedpackages']['snortglobal']['rule']; $id = -1; foreach ($rule_array as $value) { $id += 1; $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_real = convert_friendly_interface_to_real_interface_name($result_lan); /* define snortbarnyardlog_chk */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"; } /* Get all interface startup commands ready */ $snort_sh_text2[] = << /tmp/snort.sh.pid # Start snort and barnyard2 /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck /usr/local/bin/snort -u snort -g snort -R {$snort_uuid}_{$if_real} -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} $start_barnyard2 /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..." fi EOD; $snort_sh_text3[] = << /tmp/snort.sh.pid /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." /bin/kill \${pid_s} sleep 3 /bin/kill \${pid_b} /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid fi EOF; } } } $start_snort_iface_start = implode("\n\n", $snort_sh_text2); $start_snort_iface_restart = implode("\n\n", $snort_sh_text3); $start_snort_iface_stop = implode("\n\n", $snort_sh_text4); /* open snort.sh for writing" */ conf_mount_rw(); $snort_sh_text = << /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 fi /bin/echo "snort.sh run" > /tmp/snort.sh.pid #### Remake the configs on boot Important! /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." $start_snort_iface_restart /bin/rm /tmp/snort.sh.pid #### If on Fake start snort is NOT running DO a real start. if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $2;}'`" = "" ]; then rc_start_real fi } rc_start_real() { #### Check for double starts, Pfsense has problems with that if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 fi $start_snort_iface_start /bin/rm /tmp/snort.sh.pid } rc_stop() { #### Check for double starts, Pfsense has problems with that if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 fi $start_snort_iface_stop /bin/rm /tmp/snort.sh.pid /bin/rm /var/run/snort* } case $1 in start) rc_start ;; start_real) rc_start_real ;; stop) rc_stop ;; restart) rc_stop rc_start_real ;; esac EOD; /* write out snort.sh */ $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w"); if(!$bconf) { log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); exit; } /* write snort.sh */ fwrite($bconf, $snort_sh_text); fclose($bconf); } ///////////////////////// >>>>>>>>>>>> /* if rules exist copy to new interfaces */ function create_rules_iface($id, $if_real, $snort_uuid) { global $config, $g; conf_mount_rw(); $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"; $folder_chk = (count(glob("$if_rule_dir/*")) === 0) ? 'empty' : 'full'; if ($folder_chk == "empty") { exec("/bin/cp -R /usr/local/etc/snort/rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) { exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules/local_{$snort_uuid}_{$if_real}.rules"); } } } /* open barnyard2.conf for writing */ function create_barnyard2_conf($id, $if_real, $snort_uuid) { global $bconfig, $g; /* write out barnyard2_conf */ if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) { exec("/bin//usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); } $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); if(!$bconf) { log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); exit; } fwrite($bconf, $barnyard2_conf_text); fclose($bconf); } /* open barnyard2.conf for writing" */ function generate_barnyard2_conf($id, $if_real, $snort_uuid) { global $config, $g; conf_mount_rw(); /* define snortbarnyardlog */ /* TODO: add support for the other 5 output plugins */ $snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; $snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); $barnyard2_conf_text = <<> /root/test.log"); /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ exec("/sbin/sysctl net.bpf.bufsize=4096"); exec("/usr/usr/bin/killall snort"); sleep(2); exec("/usr/usr/bin/killall -9 snort"); sleep(2); exec("/usr/usr/bin/killall barnyard2"); sleep(2); exec("/usr/usr/bin/killall -9 barnyard2"); sleep(2); exec("/usr/sbin/pw userdel snort"); exec("/usr/sbin/pw groupdel snort"); exec("rm -rf /usr/local/etc/snort*"); //exec("cd /var/db/pkg && pkg_delete `ls | grep barnyard2`"); exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); exec("cd /var/db/pkg && pkg_delete `ls | grep mysql`"); exec("cd /var/db/pkg && pkg_delete `ls | grep pcre`"); exec("cd /var/db/pkg && pkg_delete `ls | grep perl`"); /* Remove snort cron entries Ugly code needs smoothness*/ function snort_rm_blocked_deinstall_cron($should_install) { global $config, $g; conf_mount_rw(); exec("echo \"Deinstall cron block....\" >> /root/test.log"); $is_installed = false; if(!$config['cron']['item']) return; $x=0; foreach($config['cron']['item'] as $item) { if (strstr($item['command'], "snort2c")) { $is_installed = true; break; } $x++; } if($is_installed == true) { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); conf_mount_rw(); } configure_cron(); } conf_mount_ro(); } function snort_rules_up_deinstall_cron($should_install) { global $config, $g; conf_mount_rw(); exec("echo \"Deinstall rules up ....\" >> /root/test.log"); $is_installed = false; if(!$config['cron']['item']) return; $x=0; foreach($config['cron']['item'] as $item) { if (strstr($item['command'], "snort_check_for_rule_updates.php")) { $is_installed = true; break; } $x++; } if($is_installed == true) { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); conf_mount_rw(); } configure_cron(); } } snort_rm_blocked_deinstall_cron(""); snort_rules_up_deinstall_cron(""); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ /* Keep this as a last step */ unset($config['installedpackages']['snortglobal']); write_config(); conf_mount_rw(); exec("rm -r /usr/local/www/snort"); exec("rm -r /usr/local/pkg/snort"); exec("rm -r /usr/local/lib/snort/"); conf_mount_ro(); } function generate_snort_conf($id, $if_real, $snort_uuid) { global $config, $g; conf_mount_rw(); /* obtain external interface */ /* XXX: make multi wan friendly */ $snort_ext_int = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; /* create basic files */ if(!file_exists("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")) { exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/"); exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map")) { exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); exec("/bin/cp /usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); exec("/bin/cp/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); } } /* define snortalertlogtype */ $snortalertlogtype = $config['installedpackages']['snortglobal']['snortalertlogtype']; if ($snortalertlogtype == fast) $snortalertlogtype_type = "output alert_fast: alert"; else $snortalertlogtype_type = "output alert_full: alert"; /* define alertsystemlog */ $alertsystemlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['alertsystemlog']; if ($alertsystemlog_info_chk == on) $alertsystemlog_type = "output alert_syslog: log_alert"; /* define tcpdumplog */ $tcpdumplog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['tcpdumplog']; if ($tcpdumplog_info_chk == on) $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; /* define snortunifiedlog */ $snortunifiedlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog']; if ($snortunifiedlog_info_chk == on) $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; /* define spoink (DISABLED)*/ $spoink_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7']; if ($spoink_info_chk == on) $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; /* define servers and ports snortdefservers */ /* def DNS_SERVSERS */ $def_dns_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_servers']; if ($def_dns_servers_info_chk == "") $def_dns_servers_type = "\$HOME_NET"; else $def_dns_servers_type = "$def_dns_servers_info_chk"; /* def DNS_PORTS */ $def_dns_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_ports']; if ($def_dns_ports_info_chk == "") $def_dns_ports_type = "53"; else $def_dns_ports_type = "$def_dns_ports_info_chk"; /* def SMTP_SERVSERS */ $def_smtp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_servers']; if ($def_smtp_servers_info_chk == "") $def_smtp_servers_type = "\$HOME_NET"; else $def_smtp_servers_type = "$def_smtp_servers_info_chk"; /* def SMTP_PORTS */ $def_smtp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_ports']; if ($def_smtp_ports_info_chk == "") $def_smtp_ports_type = "25"; else $def_smtp_ports_type = "$def_smtp_ports_info_chk"; /* def MAIL_PORTS */ $def_mail_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mail_ports']; if ($def_mail_ports_info_chk == "") $def_mail_ports_type = "25,143,465,691"; else $def_mail_ports_type = "$def_mail_ports_info_chk"; /* def HTTP_SERVSERS */ $def_http_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_servers']; if ($def_http_servers_info_chk == "") $def_http_servers_type = "\$HOME_NET"; else $def_http_servers_type = "$def_http_servers_info_chk"; /* def WWW_SERVSERS */ $def_www_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_www_servers']; if ($def_www_servers_info_chk == "") $def_www_servers_type = "\$HOME_NET"; else $def_www_servers_type = "$def_www_servers_info_chk"; /* def HTTP_PORTS */ $def_http_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_ports']; if ($def_http_ports_info_chk == "") $def_http_ports_type = "80"; else $def_http_ports_type = "$def_http_ports_info_chk"; /* def SQL_SERVSERS */ $def_sql_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sql_servers']; if ($def_sql_servers_info_chk == "") $def_sql_servers_type = "\$HOME_NET"; else $def_sql_servers_type = "$def_sql_servers_info_chk"; /* def ORACLE_PORTS */ $def_oracle_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_oracle_ports']; if ($def_oracle_ports_info_chk == "") $def_oracle_ports_type = "1521"; else $def_oracle_ports_type = "$def_oracle_ports_info_chk"; /* def MSSQL_PORTS */ $def_mssql_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mssql_ports']; if ($def_mssql_ports_info_chk == "") $def_mssql_ports_type = "1433"; else $def_mssql_ports_type = "$def_mssql_ports_info_chk"; /* def TELNET_SERVSERS */ $def_telnet_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_servers']; if ($def_telnet_servers_info_chk == "") $def_telnet_servers_type = "\$HOME_NET"; else $def_telnet_servers_type = "$def_telnet_servers_info_chk"; /* def TELNET_PORTS */ $def_telnet_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_ports']; if ($def_telnet_ports_info_chk == "") $def_telnet_ports_type = "23"; else $def_telnet_ports_type = "$def_telnet_ports_info_chk"; /* def SNMP_SERVSERS */ $def_snmp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_servers']; if ($def_snmp_servers_info_chk == "") $def_snmp_servers_type = "\$HOME_NET"; else $def_snmp_servers_type = "$def_snmp_servers_info_chk"; /* def SNMP_PORTS */ $def_snmp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_ports']; if ($def_snmp_ports_info_chk == "") $def_snmp_ports_type = "161"; else $def_snmp_ports_type = "$def_snmp_ports_info_chk"; /* def FTP_SERVSERS */ $def_ftp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_servers']; if ($def_ftp_servers_info_chk == "") $def_ftp_servers_type = "\$HOME_NET"; else $def_ftp_servers_type = "$def_ftp_servers_info_chk"; /* def FTP_PORTS */ $def_ftp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_ports']; if ($def_ftp_ports_info_chk == "") $def_ftp_ports_type = "21"; else $def_ftp_ports_type = "$def_ftp_ports_info_chk"; /* def SSH_SERVSERS */ $def_ssh_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_servers']; if ($def_ssh_servers_info_chk == "") $def_ssh_servers_type = "\$HOME_NET"; else $def_ssh_servers_type = "$def_ssh_servers_info_chk"; /* if user has defined a custom ssh port, use it */ if($config['system']['ssh']['port']) $ssh_port = $config['system']['ssh']['port']; else $ssh_port = "22"; /* def SSH_PORTS */ $def_ssh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_ports']; if ($def_ssh_ports_info_chk == "") $def_ssh_ports_type = "{$ssh_port}"; else $def_ssh_ports_type = "$def_ssh_ports_info_chk"; /* def POP_SERVSERS */ $def_pop_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop_servers']; if ($def_pop_servers_info_chk == "") $def_pop_servers_type = "\$HOME_NET"; else $def_pop_servers_type = "$def_pop_servers_info_chk"; /* def POP2_PORTS */ $def_pop2_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop2_ports']; if ($def_pop2_ports_info_chk == "") $def_pop2_ports_type = "109"; else $def_pop2_ports_type = "$def_pop2_ports_info_chk"; /* def POP3_PORTS */ $def_pop3_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop3_ports']; if ($def_pop3_ports_info_chk == "") $def_pop3_ports_type = "110"; else $def_pop3_ports_type = "$def_pop3_ports_info_chk"; /* def IMAP_SERVSERS */ $def_imap_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_servers']; if ($def_imap_servers_info_chk == "") $def_imap_servers_type = "\$HOME_NET"; else $def_imap_servers_type = "$def_imap_servers_info_chk"; /* def IMAP_PORTS */ $def_imap_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_ports']; if ($def_imap_ports_info_chk == "") $def_imap_ports_type = "143"; else $def_imap_ports_type = "$def_imap_ports_info_chk"; /* def SIP_PROXY_IP */ $def_sip_proxy_ip_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ip']; if ($def_sip_proxy_ip_info_chk == "") $def_sip_proxy_ip_type = "\$HOME_NET"; else $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; /* def SIP_PROXY_PORTS */ $def_sip_proxy_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ports']; if ($def_sip_proxy_ports_info_chk == "") $def_sip_proxy_ports_type = "5060:5090,16384:32768"; else $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; /* def AUTH_PORTS */ $def_auth_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_auth_ports']; if ($def_auth_ports_info_chk == "") $def_auth_ports_type = "113"; else $def_auth_ports_type = "$def_auth_ports_info_chk"; /* def FINGER_PORTS */ $def_finger_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_finger_ports']; if ($def_finger_ports_info_chk == "") $def_finger_ports_type = "79"; else $def_finger_ports_type = "$def_finger_ports_info_chk"; /* def IRC_PORTS */ $def_irc_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_irc_ports']; if ($def_irc_ports_info_chk == "") $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; else $def_irc_ports_type = "$def_irc_ports_info_chk"; /* def NNTP_PORTS */ $def_nntp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_nntp_ports']; if ($def_nntp_ports_info_chk == "") $def_nntp_ports_type = "119"; else $def_nntp_ports_type = "$def_nntp_ports_info_chk"; /* def RLOGIN_PORTS */ $def_rlogin_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rlogin_ports']; if ($def_rlogin_ports_info_chk == "") $def_rlogin_ports_type = "513"; else $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; /* def RSH_PORTS */ $def_rsh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rsh_ports']; if ($def_rsh_ports_info_chk == "") $def_rsh_ports_type = "514"; else $def_rsh_ports_type = "$def_rsh_ports_info_chk"; /* def SSL_PORTS */ $def_ssl_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports']; if ($def_ssl_ports_info_chk == "") $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995"; else $def_ssl_ports_type = "$def_ssl_ports_info_chk"; /* should we install a automatic update crontab entry? */ $automaticrulesupdate = $config['installedpackages']['snortglobal']['automaticrulesupdate7']; /* if user is on pppoe, we really want to use ng0 interface */ if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") $snort_ext_int = "ng0"; /* set the snort performance model */ if($config['installedpackages']['snortglobal']['rule'][$id]['performance']) $snort_performance = $config['installedpackages']['snortglobal']['rule'][$id]['performance']; else $snort_performance = "ac-bnfa"; /* open snort's whitelist for writing */ $whitelist = fopen("/var/db/whitelist", "w"); if(!$whitelist) { log_error("Could not open /var/db/whitelist for writing."); return; } /* build an interface array list */ $int_array = array('lan'); for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) if(isset($config['interfaces']['opt' . $j]['enable'])) if(!$config['interfaces']['opt' . $j]['gateway']) $int_array[] = "opt{$j}"; /* iterate through interface list and write out whitelist items * and also compile a home_net list for snort. */ foreach($int_array as $int) { /* calculate interface subnet information */ $ifcfg = &$config['interfaces'][$int]; $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); $subnetmask = gen_subnet_mask($ifcfg['subnet']); if($subnet == "pppoe" or $subnet == "dhcp") { $subnet = find_interface_ip("ng0"); if($subnet) $home_net .= "{$subnet} "; } else { if ($subnet) if($ifcfg['subnet']) $home_net .= "{$subnet}/{$ifcfg['subnet']} "; } } /* add all WAN ips to the whitelist */ $wan_if = get_real_wan_interface(); $ip = find_interface_ip($wan_if); if($ip) $home_net .= "{$ip} "; /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ $int = convert_friendly_interface_to_real_interface_name("WAN"); $gw = get_interface_gateway($int); if($gw) $home_net .= "{$gw} "; /* Add DNS server for WAN interface to whitelist */ $dns_servers = get_dns_servers(); foreach($dns_servers as $dns) { if($dns) $home_net .= "{$dns} "; } /* Add loopback to whitelist (ftphelper) */ $home_net .= "127.0.0.1 "; /* iterate all vips and add to whitelist */ if($config['virtualip']) foreach($config['virtualip']['vip'] as $vip) if($vip['subnet']) $home_net .= $vip['subnet'] . " "; if($config['installedpackages']['snortglobal']['config']) foreach($config['installedpackages']['snortglobal']['config'] as $snort) if($snort['ip']) $home_net .= $snort['ip'] . " "; /* write out whitelist, convert spaces to carriage returns */ $whitelist_home_net = str_replace(" ", " ", $home_net); $whitelist_home_net = str_replace(" ", "\n", $home_net); /* make $home_net presentable to snort */ $home_net = trim($home_net); $home_net = str_replace(" ", ",", $home_net); $home_net = "[{$home_net}]"; /* foreach through whitelist, writing out to file */ $whitelist_split = split("\n", $whitelist_home_net); foreach($whitelist_split as $wl) if(trim($wl)) fwrite($whitelist, trim($wl) . "\n"); /* should we whitelist vpns? */ $whitelistvpns = $config['installedpackages']['snortglobal']['whitelistvpns']; /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ if($whitelistvpns) { if ($pfsense_stable == 'yes') // chk what pfsense version were on { $vpns_list = get_vpns_list(); } if ($pfsense_stable == 'no') // chk what pfsense version were on { $vpns_list = filter_get_vpns_list(); } $whitelist_vpns = split(" ", $vpns_list); foreach($whitelist_vpns as $wl) if(trim($wl)) fwrite($whitelist, trim($wl) . "\n"); } /* close file */ fclose($whitelist); /* generate rule sections to load */ $enabled_rulesets = $config['installedpackages']['snortglobal']['rule'][$id]['rulesets']; if($enabled_rulesets) { $selected_rules_sections = ""; $enabled_rulesets_array = split("\|\|", $enabled_rulesets); foreach($enabled_rulesets_array as $enabled_item) $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; } conf_mount_ro(); ///////////////////////////// /* preprocessor code */ /* def perform_stat */ $snort_perform_stat = << \ cmd_validity STRU < char FRP > \ cmd_validity ALLO < int [ char R int ] > \ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ cmd_validity PORT < host_port > preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ telnet_cmds yes EOD; $def_ftp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['ftp_preprocessor']; if ($def_ftp_preprocessor_info_chk == "on") $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; else $def_ftp_preprocessor_type = ""; /* def smtp_preprocessor */ $snort_smtp_preprocessor = <<parent.scrollTo(0,1500);\n"; } /* ensure downloaded file looks sane */ function verify_downloaded_file($filename) { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(filesize($filename)<9500) { if(!$console_mode) { update_all_status("Checking {$filename}..."); check_for_common_errors($filename); } } update_all_status("Verifying {$filename}..."); if(!file_exists($filename)) { if(!$console_mode) { update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); hide_progress_bar_status(); } else { log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."; } exit; } update_all_status("Verified {$filename}."); } /* extract rules */ function extract_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(!$console_mode) { $static_output = gettext("Extracting snort rules..."); update_all_status($static_output); } if(!is_dir("/usr/local/etc/snort/rules/")) mkdir("/usr/local/etc/snort/rules/"); $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/"; $handle = popen("{$cmd} 2>&1", 'r'); while(!feof($handle)) { $buffer = fgets($handle); update_output_window($buffer); } pclose($handle); if(!$console_mode) { $static_output = gettext("Snort rules extracted."); update_all_status($static_output); } else { log_error("Snort rules extracted."); echo "Snort rules extracted."; } } /* verify MD5 against downloaded item */ function verify_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(!$console_mode) { $static_output = gettext("Verifying md5 signature..."); update_all_status($static_output); } $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); $md5 = `echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; if($md5 == $file_md5_ondisk) { if(!$console_mode) { $static_output = gettext("snort rules: md5 signature of rules mismatch."); update_all_status($static_output); hide_progress_bar_status(); } else { log_error("snort rules: md5 signature of rules mismatch."); echo "snort rules: md5 signature of rules mismatch."; } exit; } } /* hide progress bar */ function hide_progress_bar_status() { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(!$console_mode) echo "\n"; } /* unhide progress bar */ function unhide_progress_bar_status() { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(!$console_mode) echo "\n"; } /* update both top and bottom text box during an operation */ function update_all_status($status) { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(!$console_mode) { update_status($status); update_output_window($status); } } /* obtain alert description for an ip address */ function get_snort_alert($ip) { global $snort_alert_file_split, $snort_config; if(!file_exists("/var/log/snort/alert")) return; if(!$snort_config) $snort_config = read_snort_config_cache(); if($snort_config[$ip]) return $snort_config[$ip]; if(!$snort_alert_file_split) $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); foreach($snort_alert_file_split as $fileline) { if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) $alert_title = $matches[2]; if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) $alert_ip = $matches[$id]; if($alert_ip == $ip) { if(!$snort_config[$ip]) $snort_config[$ip] = $alert_title; return $alert_title; } } return "n/a"; } function make_clickable($buffer) { global $config, $g; /* if clickable urls is disabled, simply return buffer back to caller */ $clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode']; if(!$clickablalerteurls) return $buffer; $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","\\1", $buffer); $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); return $buffer; } function read_snort_config_cache() { global $g, $config, $snort_config; if($snort_config) return $snort_config; if(file_exists($g['tmp_path'] . '/snort_config.cache')) { $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache')); return $snort_config; } return; } function write_snort_config_cache($snort_config) { global $g, $config; conf_mount_rw(); $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w"); if(!$configcache) { log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing."); return false; } fwrite($configcache, serialize($snort_config)); fclose($configcache); conf_mount_ro(); return true; } function snort_advanced() { global $g, $config; sync_package_snort(); } function snort_define_servers() { global $g, $config; sync_package_snort(); } ?>