. All rights reserved. */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ ]]> Describe your package here Describe your package requirements here Currently there are no FAQ items provided. Snort{$snortIf} 2.8.4.1_5 Services: Snort 2.8.4.1_5 pkg v. 
1.6 {$snortIf} /usr/local/pkg/snort.inc Snort Interfaces /snort_interfaces.php Settings /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 Categories snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php Rules snort/snort_{$snortIf}/snort_rules_{$snortIf}.php Servers /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 Threshold /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml Barnyard2 /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 Interface iface_array Select the interface(s) Snort will listen on. interfaces_selection 3 lan true Memory Performance performance Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory, high performance, acs: small memory, moderate performance, ac-banded: small memory, moderate performance, ac-sparsebands: small memory, high performance. select BPF Buffer size bpfbufsize Changing this option adjusts the system BPF buffer size. Leave blank if you do not know what this does. Default is 1024. input Maximum BPF buffer size bpfmaxbufsize Changing this option adjusts the system maximum BPF buffer size. Leave blank if you do not know what this does. Default is 524288. This value should never be set above hardware cache size. The best (optimal size) is 50% - 80% of the hardware cache size. input Maximum BPF inserts bpfmaxinsns Changing this option adjusts the system maximum BPF insert size. Leave blank if you do not know what this does. Default is 512. input Advanced configuration pass through configpassthru Anything entered here is inserted verbatim, without validation, into the running snort configuration, so check the syntax carefully. textarea 40 5 Snort signature info files. signatureinfo Snort signature info files will be installed during updates. At least 500 MB of memory is needed. checkbox Alerts Tab logging type. snortalertlogtype Please choose the type of Alert logging you would like to see in the Alerts Tab. 
The options are Full descriptions or Fast short descriptions select Send alerts to main System logs. alertsystemlog Snort will send Alerts to the Pfsense system logs. checkbox Log to a Tcpdump file. tcpdumplog Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large. checkbox snort_deinstall(); EOD; /* write out snort_xml */ $bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_{$snortIf}.xml", "w"); if(!$bconf) { log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_{$snortIf}.xml for writing."); exit; } fwrite($bconf, $snort_xml_text); fclose($bconf); conf_mount_ro(); } } /* create barnyard2.xml for every interface selected */ function create_snort_barnyard2_xml() { include("filter.inc"); include("config.inc"); global $bconfig, $bg; conf_mount_rw(); $first = 0; $snortInterfaces = array(); /* -gtm */ $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; $if_array = split(',', $if_list); //print_r($if_array); if($if_array) { foreach($if_array as $iface) { $if = convert_friendly_interface_to_real_interface_name($iface); if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { $if = "ng0"; } /* build a list of user specified interfaces -gtm */ if($if){ array_push($snortInterfaces, $if); $first = 1; } } if (count($snortInterfaces) < 1) { log_error("Snort will not start. You must select an interface for it to listen on."); return; } } foreach($snortInterfaces as $snortIf) { $snort_barnyard2_text = << . All rights reserved. */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ ]]> Describe your package here Describe your package requirements here Currently there are no FAQ items provided. barnyard2{$snortIf} none Services: Barnyard2 {$snortIf} /usr/local/pkg/snort.inc Snort Interfaces /snort_interfaces.php Settings /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 Categories snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php Rules snort/snort_{$snortIf}/snort_rules_{$snortIf}.php Servers /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 Threshold /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml Barnyard2 /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 Enable Barnyard2. snortbarnyardlog This will enable barnyard2 in the snort package. You will also have to set the database credentials. checkbox Barnyard2 Log Mysql Database. snortbarnyardlog_database Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz This is a plain (unmasked) text field: the password is displayed in clear on this page and saved as entered, so use a dedicated database account with only the privileges barnyard2 needs. input 101 Barnyard2 Configure Hostname ID. 
snortbarnyardlog_hostname Example: pfsense.local input 25 Barnyard2 Configure Interface ID snortbarnyardlog_interface Example: vr0 input 25 Log Alerts to a snort unified2 file. snortunifiedlog Snort will log Alerts to a file in the UNIFIED2 format. This is a requirement for barnyard2. checkbox snort_advanced(); EOD; /* write out snort_barnyard2_xml */ $bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml", "w"); if(!$bconf) { log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml for writing."); exit; } fwrite($bconf, $snort_barnyard2_text); fclose($bconf); conf_mount_ro(); } } /* create snort_define_servers.xml for every interface selected */ function create_snort_define_servers_xml() { include("filter.inc"); include("config.inc"); global $bconfig, $bg; conf_mount_rw(); $first = 0; $snortInterfaces = array(); /* -gtm */ $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; $if_array = split(',', $if_list); //print_r($if_array); if($if_array) { foreach($if_array as $iface) { $if = convert_friendly_interface_to_real_interface_name($iface); if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { $if = "ng0"; } /* build a list of user specified interfaces -gtm */ if($if){ array_push($snortInterfaces, $if); $first = 1; } } if (count($snortInterfaces) < 1) { log_error("Snort will not start. You must select an interface for it to listen on."); return; } } foreach($snortInterfaces as $snortIf) { $snort_define_servers_xml_text = << . All rights reserved. */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ ]]> Describe your package here Describe your package requirements here Currently there are no FAQ items provided. SnortDefServers{$snortIf} none Services: Snort Define Servers {$snortIf} /usr/local/pkg/snort.inc Snort Interfaces /snort_interfaces.php Settings /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 Categories snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php Rules snort/snort_{$snortIf}/snort_rules_{$snortIf}.php Servers /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 Threshold /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml Barnyard2 /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 Define DNS_SERVERS def_dns_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define DNS_PORTS def_dns_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 53. input 43 Define SMTP_SERVERS def_smtp_servers Example: "192.168.1.3/24,192.168.1.4/24". 
Leave blank to scan all networks. input 101 Define SMTP_PORTS def_smtp_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 25. input 43 Define Mail_Ports def_mail_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 25,143,465,691. input 43 Define HTTP_SERVERS def_http_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define WWW_SERVERS def_www_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define HTTP_PORTS def_http_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 80. input 43 Define SQL_SERVERS def_sql_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define ORACLE_PORTS def_oracle_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 1521. input 43 Define MSSQL_PORTS def_mssql_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 1433. input 43 Define TELNET_SERVERS def_telnet_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define TELNET_PORTS def_telnet_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 23. input 43 Define SNMP_SERVERS def_snmp_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define SNMP_PORTS def_snmp_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 161. input 43 Define FTP_SERVERS def_ftp_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define FTP_PORTS def_ftp_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 21. input 43 Define SSH_SERVERS def_ssh_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. 
input 101 Define SSH_PORTS def_ssh_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is Pfsense SSH port. input 43 Define POP_SERVERS def_pop_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define POP2_PORTS def_pop2_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 109. input 43 Define POP3_PORTS def_pop3_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 110. input 43 Define IMAP_SERVERS def_imap_servers Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define IMAP_PORTS def_imap_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 143. input 43 Define SIP_PROXY_IP def_sip_proxy_ip Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks. input 101 Define SIP_PROXY_PORTS def_sip_proxy_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 5060:5090,16384:32768. input 43 Define AUTH_PORTS def_auth_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 113. input 43 Define FINGER_PORTS def_finger_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 79. input 43 Define IRC_PORTS def_irc_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 6665,6666,6667,6668,6669,7000. input 43 Define NNTP_PORTS def_nntp_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 119. input 43 Define RLOGIN_PORTS def_rlogin_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 513. input 43 Define RSH_PORTS def_rsh_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 514. input 43 Define SSL_PORTS def_ssl_ports Example: Specific ports "25,443" or All ports betwen "5060:5090". Default is 25,443,465,636,993,995. 
input 43 snort_define_servers(); EOD; /* write out snort_define_servers_xml */ $bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml", "w"); if(!$bconf) { log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml for writing."); exit; } fwrite($bconf, $snort_define_servers_xml_text); fclose($bconf); conf_mount_ro(); } } /* create snort_threshold.xml for every interface selected */ function create_snort_threshold_xml() { include("filter.inc"); include("config.inc"); global $bconfig, $bg; conf_mount_rw(); $first = 0; $snortInterfaces = array(); /* -gtm */ $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; $if_array = split(',', $if_list); //print_r($if_array); if($if_array) { foreach($if_array as $iface) { $if = convert_friendly_interface_to_real_interface_name($iface); if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { $if = "ng0"; } /* build a list of user specified interfaces -gtm */ if($if){ array_push($snortInterfaces, $if); $first = 1; } } if (count($snortInterfaces) < 1) { log_error("Snort will not start. You must select an interface for it to listen on."); return; } } foreach($snortInterfaces as $snortIf) { $snort_threshold_xml_text = << . All rights reserved. */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ ]]> Describe your package here Describe your package requirements here Currently there are no FAQ items provided. snort-threshold{$snortIf} 0.1.0 Snort: Alert Thresholding and Suppression {$snortIf} /usr/local/pkg/snort.inc Snort Interfaces /snort_interfaces.php Settings /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0 Categories snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php Rules snort/snort_{$snortIf}/snort_rules_{$snortIf}.php Servers /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0 Threshold /pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml Barnyard2 /pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0 Thresholding or Suppression Rule threshrule Description description Thresholding or Suppression Rule threshrule Enter the Rule. 
Example; "suppress gen_id 125, sig_id 4" or "threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60" input 40 Description description Enter the description for this item input 60 create_snort_conf(); EOD; /* write out snort_threshold_xml */ $bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml", "w"); if(!$bconf) { log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml for writing."); exit; } fwrite($bconf, $snort_threshold_xml_text); fclose($bconf); conf_mount_ro(); } } /* create snort_rules.php for every interface selected */ function create_snort_rules_php() { include("filter.inc"); include("config.inc"); global $bconfig, $bg; conf_mount_rw(); $first = 0; $snortInterfaces = array(); /* -gtm */ $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; $if_array = split(',', $if_list); //print_r($if_array); if($if_array) { foreach($if_array as $iface) { $if = convert_friendly_interface_to_real_interface_name($iface); if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { $if = "ng0"; } /* build a list of user specified interfaces -gtm */ if($if){ array_push($snortInterfaces, $if); $first = 1; } } if (count($snortInterfaces) < 1) { log_error("Snort will not start. You must select an interface for it to listen on."); return; } } foreach($snortInterfaces as $snortIf) { $snort_rules_php_text = <<"; echo "\n \n \n \n \n \n \n \n \n
\n"; \$tab_array = array(); \$tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0"); \$tab_array[] = array(gettext("Categories"), false, "snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php"); \$tab_array[] = array(gettext("Rules"), true, "snort/snort_{$snortIf}/snort_rules_{$snortIf}.php"); \$tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0"); \$tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml"); \$tab_array[] = array(gettext("Barnyard2"), false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0"); display_top_tabs(\$tab_array); echo "
\n
\n \n \n \n \n
\n # The rules directory is empty.\n
\n
\n
\n \n \n \n

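\n\n"; echo "Please click on the Update Rules tab to install your selected rule sets."; include("fend.inc"); echo ""; echo ""; exit(0); }

/* Return the text found between the \$beginning and \$ending markers in
 * \$source, searching from offset \$init_pos (used to pull the msg:"..." text
 * out of a rule line). Returns "" when either marker is missing; the original
 * fed the false from strpos() straight into substr() and returned a slice of
 * unrelated rule text instead. */
function get_middle(\$source, \$beginning, \$ending, \$init_pos) {
	\$beginning_pos = strpos(\$source, \$beginning, \$init_pos);
	if (\$beginning_pos === false)
		return "";
	\$middle_pos = \$beginning_pos + strlen(\$beginning);
	\$ending_pos = strpos(\$source, \$ending, \$middle_pos);
	if (\$ending_pos === false)
		return "";
	return substr(\$source, \$middle_pos, \$ending_pos - \$middle_pos);
}

/* Overwrite \$received_file with the rule lines in \$content_changed, one per
 * line. The filesystem is remounted read/write only for the duration of the
 * write: the original called conf_mount_rw() a second time where
 * conf_mount_ro() belongs, so every rule edit left the media mounted rw.
 * Returns true on success, false (after logging) if the file cannot be
 * opened. */
function write_rule_file(\$content_changed, \$received_file) {
	conf_mount_rw();
	\$filehandle = fopen(\$received_file, "w");
	if (\$filehandle === false) {
		log_error("Could not open " . \$received_file . " for writing.");
		conf_mount_ro();
		return false;
	}
	//delimiter for each new rule is a new line
	\$delimiter = "\n";
	fwrite(\$filehandle, implode(\$delimiter, \$content_changed));
	fclose(\$filehandle);
	conf_mount_ro();
	return true;
}

/* Read \$incoming_file and return its lines as an array, one rule per entry.
 * Returns an empty array (after logging) when the path is not a readable
 * regular file. The original did not check fopen() and handed filesize()
 * straight to fread(), which fails on an empty file; it also referenced an
 * undefined \$file. */
function load_rule_file(\$incoming_file) {
	if (!is_file(\$incoming_file) || !is_readable(\$incoming_file)) {
		log_error("Could not open " . \$incoming_file . " for reading.");
		return array();
	}
	\$contents = file_get_contents(\$incoming_file);
	if (\$contents === false)
		return array();
	//delimiter for each new rule is a new line
	\$delimiter = "\n";
	return explode(\$delimiter, \$contents);
}

\$ruledir = "/usr/local/etc/snort_{$snortIf}/rules_{$snortIf}/";
\$dh = opendir(\$ruledir);
\$message_reload = "The Snort rule configuration has been changed.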
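You must apply the changes in order for them to take effect.";

//only populate this array if its a rule file
\$files = array();
if (\$dh !== false) {
	while (false !== (\$filename = readdir(\$dh))) {
		if (strstr(\$filename, ".rules") !== false)
			\$files[] = \$filename;
	}
}
sort(\$files);

/* Pick the rule set to display. openruleset (query string) used to be taken
 * verbatim as a path, which let the webGUI user read, and through the
 * edit/toggle actions below overwrite, any file on the system. Only the
 * basename of a file that actually exists in \$ruledir is accepted; anything
 * else falls back to the first rule file. */
\$file = "";
if (!empty(\$_GET['openruleset'])) {
	\$requested = basename(\$_GET['openruleset']);
	if (in_array(\$requested, \$files, true))
		\$file = \$ruledir . \$requested;
}
if (\$file == "" && count(\$files) > 0)
	\$file = \$ruledir . \$files[0];

//Load the rule file
\$splitcontents = load_rule_file(\$file);

/* A rule line is treated as disabled when it starts with "# alert". Only that
 * leading token is rewritten when toggling; the original replaced every
 * "alert" in the line, which also mangled msg text containing the word. */
if (\$_POST) {
	if (empty(\$_POST['apply'])) {
		//retrieve POST data; lineid must index an existing line of the file
		\$post_lineid = isset(\$_POST['lineid']) ? intval(\$_POST['lineid']) : -1;
		\$post_enabled = isset(\$_POST['enabled']) ? \$_POST['enabled'] : "";
		\$post_src = isset(\$_POST['src']) ? \$_POST['src'] : "";
		\$post_srcport = isset(\$_POST['srcport']) ? \$_POST['srcport'] : "";
		\$post_dest = isset(\$_POST['dest']) ? \$_POST['dest'] : "";
		\$post_destport = isset(\$_POST['destport']) ? \$_POST['destport'] : "";
		//strip all whitespace: a stray newline would split the rule into
		//two lines in the file, i.e. inject a second rule
		\$post_src = preg_replace('/\s+/', '', \$post_src);
		\$post_srcport = preg_replace('/\s+/', '', \$post_srcport);
		\$post_dest = preg_replace('/\s+/', '', \$post_dest);
		\$post_destport = preg_replace('/\s+/', '', \$post_destport);
		if (\$post_lineid >= 0 && isset(\$splitcontents[\$post_lineid])) {
			\$tempstring = \$splitcontents[\$post_lineid];
			\$disabled = (strpos(\$tempstring, "# alert") === 0);
			if (\$disabled) {
				if (\$post_enabled == "yes") {
					//rule is being enabled
					\$tempstring = preg_replace('/^# alert/', 'alert', \$tempstring, 1);
					\$counter2 = 1;
				} else {
					//rule is staying disabled; index 0 is the "#"
					\$counter2 = 2;
				}
			} else {
				if (\$post_enabled != "yes") {
					//rule is being disabled
					\$tempstring = preg_replace('/^alert/', '# alert', \$tempstring, 1);
					\$counter2 = 2;
				} else {
					//rule is staying enabled
					\$counter2 = 1;
				}
			}
			//explode rule contents into an array, (delimiter is space)
			\$rule_content = explode(' ', \$tempstring);
			//insert new values
			\$counter2++;
			\$rule_content[\$counter2] = \$post_src;//source location
			\$counter2++;
			\$rule_content[\$counter2] = \$post_srcport;//source port location
			\$counter2 = \$counter2+2;
			\$rule_content[\$counter2] = \$post_dest;//destination location
			\$counter2++;
			\$rule_content[\$counter2] = \$post_destport;//destination port location
			//implode the array back into string and write the new .rules file
			\$splitcontents[\$post_lineid] = implode(' ', \$rule_content);
			write_rule_file(\$splitcontents, \$file);
			//once file has been written, reload file
			\$splitcontents = load_rule_file(\$file);
			\$stopMsg = true;
		}
	}
	if (!empty(\$_POST['apply'])) {
		// stop_service("snort");
		// sleep(2);
		// start_service("snort");
		\$savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab.";
		\$stopMsg = false;
	}
} else if (isset(\$_GET['act']) && \$_GET['act'] == "toggle") {
	\$toggleid = isset(\$_GET['id']) ? intval(\$_GET['id']) : -1;
	if (\$toggleid >= 0 && isset(\$splitcontents[\$toggleid])) {
		\$tempstring = \$splitcontents[\$toggleid];
		\$disabled = (strpos(\$tempstring, "# alert") === 0);
		if (\$disabled) {
			//rule is being enabled
			\$tempstring = preg_replace('/^# alert/', 'alert', \$tempstring, 1);
		} else {
			//rule is being disabled
			\$tempstring = preg_replace('/^alert/', '# alert', \$tempstring, 1);
		}
		\$splitcontents[\$toggleid] = \$tempstring;
		//write the new .rules file, then reload it
		write_rule_file(\$splitcontents, \$file);
		\$splitcontents = load_rule_file(\$file);
		\$stopMsg = true;

		//write disable/enable sid to config.xml so the choice survives a
		//rule update; the registers are "||enablesid N" / "||disablesid N"
		//strings, kept in the format the rest of the package reads
		\$string_sid = strstr(\$tempstring, 'sid:');
		\$sid = "";
		if (\$string_sid !== false) {
			\$sid_pieces = explode(";", \$string_sid);
			\$sid = str_replace("sid:", "", \$sid_pieces[0]);
		}
		if (\$sid != "") {
			\$on_key = "||enablesid " . \$sid;
			\$off_key = "||disablesid " . \$sid;
			\$sid_on_list = isset(\$config['installedpackages']['snort']['rule_sid_on']) ? \$config['installedpackages']['snort']['rule_sid_on'] : "";
			\$sid_off_list = isset(\$config['installedpackages']['snort']['rule_sid_off']) ? \$config['installedpackages']['snort']['rule_sid_off'] : "";
			//drop any earlier entry for this sid from both registers
			\$sid_on_list = str_replace(\$on_key, "", \$sid_on_list);
			\$sid_off_list = str_replace(\$off_key, "", \$sid_off_list);
			//then record the new state
			if (\$disabled)
				\$sid_on_list = \$on_key . \$sid_on_list;
			else
				\$sid_off_list = \$off_key . \$sid_off_list;
			\$config['installedpackages']['snort']['rule_sid_on'] = \$sid_on_list;
			\$config['installedpackages']['snort']['rule_sid_off'] = \$sid_off_list;
			write_config();
		}
	}
}
\$pgtitle = "Snort: Rules";
require("guiconfig.inc");
include("head.inc");
?>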

"; ?>

Category: "; //string for populating category select \$currentruleset = substr(\$file, 27); ?> "; \$textse = ""; \$iconb = "icon_block_d.gif"; } else { \$textss = \$textse = ""; \$iconb = "icon_block.gif"; } \$rule_content = explode(' ', \$tempstring); \$protocol = \$rule_content[\$counter2];//protocol location \$counter2++; \$source = \$rule_content[\$counter2];//source location \$counter2++; \$source_port = \$rule_content[\$counter2];//source port location \$counter2 = \$counter2+2; \$destination = \$rule_content[\$counter2];//destination location \$counter2++; \$destination_port = \$rule_content[\$counter2];//destination port location \$message = get_middle(\$tempstring, 'msg:"', '";', 0); echo ""; echo ""; echo ""; echo ""; echo ""; echo ""; echo ""; ?>
"; ?>
  SID Proto Source Port Destination Port Message
"; echo \$textss; ?> "; echo ""; echo \$textss; echo \$sid; echo \$textse; echo ""; echo \$textss; echo \$protocol; \$printcounter++; echo \$textse; echo ""; echo \$textss; echo \$source; echo \$textse; echo ""; echo \$textss; echo \$source_port; echo \$textse; echo ""; echo \$textss; echo \$destination; echo \$textse; echo ""; echo \$textss; echo \$destination_port; echo \$textse; echo " "; ?>
Rule Enabled
Rule Disabled

EOD; /* write out snort_rules_php */ $bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_rules_{$snortIf}.php", "w"); if(!$bconf) { log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_rules_{$snortIf}.php for writing."); exit; } fwrite($bconf, $snort_rules_php_text); fclose($bconf); conf_mount_ro(); } } /* create snort_rules_edit.php for every interface selected */ function create_snort_rules_edit_php() { include("filter.inc"); include("config.inc"); global $bconfig, $bg; conf_mount_rw(); $first = 0; $snortInterfaces = array(); /* -gtm */ $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; $if_array = split(',', $if_list); //print_r($if_array); if($if_array) { foreach($if_array as $iface) { $if = convert_friendly_interface_to_real_interface_name($iface); if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { $if = "ng0"; } /* build a list of user specified interfaces -gtm */ if($if){ array_push($snortInterfaces, $if); $first = 1; } } if (count($snortInterfaces) < 1) { log_error("Snort will not start. You must select an interface for it to listen on."); return; } } foreach($snortInterfaces as $snortIf) { $snort_rules_edit_php_text = <<

"; ?>
Enabled: >
SID:
Protocol:
Source:
Source Port:
Direction:
Destination:
Destination Port:
Message:
Content:
Classtype:
Revision:
 
   
EOD; /* write out snort_rules_edit_php */ $bconf = fopen("/usr/local/pkg/snort/snort_{$snortIf}/snort_rules_edit_{$snortIf}.php", "w"); if(!$bconf) { log_error("Could not open /usr/local/pkg/snort/snort_{$snortIf}/snort_rules_edit_{$snortIf}.php for writing."); exit; } fwrite($bconf, $snort_rules_edit_php_text); fclose($bconf); conf_mount_ro(); } } create_snort_xml(); create_snort_barnyard2_xml(); create_snort_define_servers_xml(); create_snort_threshold_xml(); create_snort_rules_php(); create_snort_rules_edit_php(); ?>