0; "); }else{ $result = sqlite_query($db, "SELECT * FROM {$table} where {$type} = '{$id_uuid}'; "); } if ($type == 'rdbuuid' || $type == 'All') { $chktable = sqlite_fetch_all($result, SQLITE_ASSOC); }else{ $chktable = sqlite_fetch_array($result, SQLITE_ASSOC); } sqlite_close($db); return $chktable; } // end func function snortSql_updateRuleSetList($type, $value, $file_size, $downloaded, $filename) { $dbname = 'snortDBtemp'; $table = 'SnortDownloads'; $addDate = date(U); // do let user pick the DB path $db = sqlite_open("/var/snort/{$dbname}"); if ($type === 'percent2'){ $query_ck = sqlite_query($db, // @ supress warnings usonly in production "UPDATE {$table} SET date = '{$addDate}', percent = '{$value}', filesize = '{$file_size}', downloaded = '{$downloaded}' where filename = '{$filename}'; "); } if ($type === 'percent'){ $query_ck = sqlite_query($db, // @ supress warnings usonly in production "UPDATE {$table} SET date = '{$addDate}', percent = '{$value}' where filename = '{$filename}'; "); } if ($type === 'msg1'){ $query_ck = sqlite_query($db, // @ supress warnings usonly in production "UPDATE SnortDownloadsMsg SET date = '{$addDate}', msg = '{$value}' where id = '1'; "); } if ($type === 'msg2'){ $query_ck = sqlite_query($db, // @ supress warnings usonly in production "UPDATE SnortDownloadsMsg SET date = '{$addDate}', msg = '{$value}' where id = '2'; "); } /* * INPORTANT: * Register worker to prevent loops and ghost process * Needs to be watched, */ if ($type === 'working'){ $getmypid = getmypid(); $getmyfilename = $_SERVER['SCRIPT_NAME']; $resultChk = sqlite_query($db, "SELECT * FROM RegisterWorker WHERE uuid = 'jdjEf!773&h3bhFd6A'; "); $resultChkFinal = sqlite_fetch_all($resultChk, SQLITE_ASSOC); if (!empty($resultChkFinal)) { $query_ck = sqlite_query($db, // @ supress warnings usonly in production "UPDATE RegisterWorker SET date = '{$addDate}', processid = '{$getmypid}', filename = '{$getmyfilename}', working = '{$value}' where uuid = 'jdjEf!773&h3bhFd6A'; "); }else{ $query_ck = sqlite_query($db, // @ supress warnings usonly in production "INSERT INTO RegisterWorker (date, processid, filename, working, uuid) VALUES ('{$addDate}', '{$getmypid}', '{$getmyfilename}', '{$value}', 'jdjEf!773&h3bhFd6A'); "); } } if ($type === 'snortWait'){ $query_ck = sqlite_query($db, // @ supress warnings usonly in production "UPDATE {$table} SET waittime = '{$addDate}' where filename = '{$filename}'; "); } if (sqlite_changes($db) < 1){ sqlite_close($db); return 'Error in query'; } sqlite_close($db); } // reapply rule settings function reapplyRuleSettings_run($sidRule_array) { $sid_array = snortSql_fetchAllSettings2('snortDBrules', 'SnortruleSigs', 'rdbuuid', $sidRule_array); if (!empty($sid_array)) { foreach ($sid_array as $sid) { if (!empty($sid['enable']) && !empty($sid['signatureid']) && !empty($sid['rdbuuid']) && !empty($sid['signaturefilename'])) { if ($sid['enable'] === 'on') { exec('/usr/bin/sed -i \'\' \'s/^# \(.*sid:' . "{$sid['signatureid']}" . ';.*\)/\1/\' /usr/local/etc/snort/snortDBrules/DB/' . "{$sid['rdbuuid']}" . '/rules/' . "{$sid['signaturefilename']}"); } if ($sid['enable'] === 'off') { exec('/usr/bin/sed -i \'\' \'s/^\(alert.*sid:' . "{$sid['signatureid']}" . ';.*\)/# \1/\' /usr/local/etc/snort/snortDBrules/DB/' . "{$sid['rdbuuid']}" . '/rules/' . "{$sid['signaturefilename']}"); } } } } // NOTES: DO NOT REMOVE BELOW COMMENTS // returns file pathe of the sid // $testing = exec("grep -ri 'sid: \?1225; ' /usr/local/etc/snort/snortDBrules/DB/RAjFYOrC04D6/rules | tail -n1 | awk -F: '{print $1}'"); // see if sid is enabled // $testing2 = exec("sed -n '/^alert.*sid:1225;.*/p' /usr/local/etc/snort/snortDBrules/DB/RAjFYOrC04D6/rules/snort_x11.rules"); // enable a sid // sed -i '' "s/^# \(.*sid:1225;.*\)/\1/" /usr/local/etc/snort/snortDBrules/DB/RAjFYOrC04D6/rules/snort_x11.rules // disable a sid // sed -i '' "s/^\(alert.*sid:1225;.*\)/# \1/" /usr/local/etc/snort/snortDBrules/DB/RAjFYOrC04D6/rules/snort_x11.rules } function snortCmpareMD5($type, $path1, $path2, $filename_md5) { update_output_window2('ms2', 'Checking ' . $filename_md5 . ' MD5...'); if (file_exists("{$path1}/{$filename_md5}")){ if ($type == 'string'){ $md5_check_new = @file_get_contents("{$path1}/{$filename_md5}"); $md5_check_old = @file_get_contents("{$path2}/{$filename_md5}"); if ($md5_check_new !== $md5_check_old){ update_output_window2('ms2', "$filename_md5 MD5s do not match..."); return false; } } if ($type == 'md5'){ //md5 snortrules-snapshot-2905.tar.gz | awk '{print $4}' $md5_check_new2 = exec("/sbin/md5 {$path1}/{$filename_md5} | /usr/bin/awk '{print $4}'"); $md5_check_old2 = exec("/sbin/md5 {$path2}/{$filename_md5} | /usr/bin/awk '{print $4}'"); if ($md5_check_new != $md5_check_old){ update_output_window2('ms2', "$filename_md5 MD5s do not match..."); return false; } } if ($type == 'md5FileChk') { //md5 snortrules-snapshot-2905.tar.gz | awk '{print $4}' $md5_check_new = trim(exec("/sbin/md5 {$path1}/{$filename_md5} | /usr/bin/awk '{print $4}'")); $md5_check_old = exec("/bin/cat {$path1}/{$filename_md5}.md5"); $md5_check_old2 = trim(preg_replace('/"/', '', $md5_check_old)); if ($md5_check_new != $md5_check_old2){ update_output_window2('ms2', "$filename_md5 MD5s do not match..."); return false; } } } update_output_window2('ms2', "$filename_md5 MD5 File Check Passed..."); return true; } /* * update_output_window: update bottom textarea dynamically. */ function update_output_window2($type, $text) { if ($type === 'ms1') { $msg = 1; } if ($type === 'ms2') { $msg = 2; } if ($GLOBALS['tmp']['snort']['downloadupdate']['console'] != 'on'){ echo ' '; ob_flush(); apc_clear_cache(); }else{ echo "\n" . $type . ': ' . $text; } } // returns array that matches pattern, option to replace objects in matches function snortScanDirFilter2($arrayList, $pattmatch, $pattreplace, $pattreplacewith) { foreach ( $arrayList as $val ) { if (preg_match($pattmatch, $val, $matches)) { if ($pattreplace != '') { $matches2 = preg_replace($pattreplace, $pattreplacewith, $matches[0]); $filterDirList[] = $matches2; }else{ $filterDirList[] = $matches[0]; } } } return $filterDirList; } // set page vars $generalSettings = snortSql_fetchAllSettings2('snortDB', 'SnortSettings', 'id', '1'); // Setup file names and dir $tmpfname = '/usr/local/etc/snort/snort_download'; $snortdir = '/usr/local/etc/snort'; $snortdir_rules = '/usr/local/etc/snort/snortDBrules/snort_rules'; $emergingdir_rules = '/usr/local/etc/snort/snortDBrules/emerging_rules'; $pfsensedir_rules = '/usr/local/etc/snort/snortDBrules/pfsense_rules'; $customdir_rules = '/usr/local/etc/snort/snortDBrules/custom_rules'; $snort_filename_md5 = 'snortrules-snapshot-2905.tar.gz.md5'; $snort_filename = 'snortrules-snapshot-2905.tar.gz'; $emergingthreats_filename_md5 = 'emerging.rules.tar.gz.md5'; $emergingthreats_filename = 'emerging.rules.tar.gz'; $pfsense_rules_filename_md5 = 'pfsense_rules.tar.gz.md5'; $pfsense_rules_filename = 'pfsense_rules.tar.gz'; // START of MAIN function function sendUpdateSnortLogDownload($console) { if ($console === 'console'){ $GLOBALS['tmp']['snort']['downloadupdate']['console'] = 'on'; } if ($console !== 'console') { echo ' '; } //bring in the global vars global $generalSettings, $tmpfname, $snortdir, $snortdir_rules, $emergingdir_rules, $pfsensedir_rules, $customdir_rules, $snort_filename_md5, $snort_filename, $emergingthreats_filename_md5, $emergingthreats_filename, $pfsense_rules_filename_md5, $pfsense_rules_filename; /* Make shure snortdir exits */ if (!file_exists("{$snortdir}")) { exec("/bin/mkdir -p {$snortdir}"); } if (!file_exists("{$tmpfname}")) { exec("/bin/mkdir -p {$tmpfname}"); } if (!file_exists("{$snortdir_rules}")) { exec("/bin/mkdir -p {$snortdir_rules}"); } if (!file_exists("{$emergingdir_rules}")) { exec("/bin/mkdir -p {$emergingdir_rules}"); } if (!file_exists("{$pfsensedir_rules}")) { exec("/bin/mkdir -p {$pfsensedir_rules}"); } if (!file_exists("{$customdir_rules}")) { exec("/bin/mkdir -p {$customdir_rules}"); } if (!file_exists("{$snortdir}/signatures")) { exec("/bin/mkdir -p {$snortdir}/signatures"); } if (!file_exists('/usr/local/lib/snort/dynamicrules/')) { exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); } /* Set user agent to Mozilla */ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); ini_set("memory_limit","150M"); // Get file that does not use redirects, mostly for none snort.org downloads function snort_file_get_contents($tmpfname, $snort_filename, $snort_UrlGet) { if (!file_exists("{$tmpfname}/{$snort_filename}") || filesize("{$tmpfname}/{$snort_filename}") <= 0){ update_output_window2('ms2', 'Downloading ' . $snort_filename. ' MD5...'); ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); $file = file_get_contents("$snort_UrlGet/{$snort_filename}"); // use a @ infront of file_get_contents when in production $f = fopen("{$tmpfname}/{$snort_filename}", 'w'); fwrite($f, $file); fclose($f); update_output_window2('ms2', 'Finnished Downloading ' . $snort_filename. ' MD5...'); } } function read_header2($ch, $string) { global $file_size, $fout; $length = strlen($string); $regs = ""; ereg("(Content-Length:) (.*)", $string, $regs); if($regs[2] <> "") { $file_size = intval($regs[2]); } ob_flush(); return $length; } function read_body2($ch, $string) { global $fout, $file_size, $downloaded, $sendto, $static_status, $static_output, $lastseen; global $pkg_interface; $length = strlen($string); $downloaded += intval($length); if($file_size > 0) { $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); $downloadProgress = 100 - $downloadProgress; } else $downloadProgress = 0; if($lastseen <> $downloadProgress and $downloadProgress < 101) { if($sendto == "status") { if($pkg_interface == "console") { if(substr($downloadProgress,2,1) == "0" || count($downloadProgress) < 2) { $tostatus = $static_status . $downloadProgress . "%"; update_status($tostatus); } } else { $tostatus = $static_status . $downloadProgress . "%"; update_status($tostatus); } } else { if($pkg_interface == "console") { if(substr($downloadProgress,2,1) == "0" || count($downloadProgress) < 2) { $tooutput = $static_output . $downloadProgress . "%"; update_output_window($tooutput); } } else { $tooutput = $static_output . $downloadProgress . "%"; update_output_window($tooutput); } } update_progress_bar($downloadProgress); $lastseen = $downloadProgress; } if($fout) fwrite($fout, $string); ob_flush(); return $length; } /* * update_progress_bar($percent): updates the javascript driven progress bar. */ function update_progress_bar2($percent, $file_size, $downloaded) { if ($GLOBALS['tmp']['snort']['downloadupdate']['console'] != 'on') { if (!empty($percent)) { echo ' '; } }else{ echo "\n" . 'percent: ' . $percent . ' filesize: ' . $file_size . ' downloaded: ' . $downloaded; } } function read_body_firmware($ch, $string) { global $fout, $file_size, $downloaded, $counter; $length = strlen($string); $downloaded += intval($length); $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); $downloadProgress = 100 - $downloadProgress; $counter++; if($counter > 150) { update_progress_bar2($downloadProgress, $file_size, $downloaded); flush(); $counter = 0; } fwrite($fout, $string); return $length; } function download_file_with_progress_bar2($url_file, $destination, $workingfile, $readbody = 'read_body2') { global $ch, $fout, $file_size, $downloaded; $file_size = 1; $downloaded = 1; $destination_file = $destination . '/' . $workingfile; /* open destination file */ $fout = fopen($destination_file, "wb"); /* * Originally by Author: Keyvan Minoukadeh * Modified by Scott Ullrich to return Content-Length size */ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url_file); curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header2'); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_WRITEFUNCTION, $readbody); curl_setopt($ch, CURLOPT_NOPROGRESS, '1'); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, '5'); curl_setopt($ch, CURLOPT_TIMEOUT, 0); curl_exec($ch); $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); if($fout) fclose($fout); curl_close($ch); return ($http_code == 200) ? true : $http_code; } // ----------------------------------------------------- Begin Code -------------------------------------------- // rm all tmp filea @exec("/bin/rm -r $tmpfname/*"); // Set all downloads to be false, download by default $snort_md5_check_ok = false; $emerg_md5_check_ok = false; $pfsense_md5_check_ok = false; // define checks $oinkid = $generalSettings['oinkmastercode']; $emergingthreatscode = $generalSettings['emergingthreatscode']; // dsable downloads if there settings are off if ($generalSettings['snortdownload'] === 'off') { $snort_md5_check_ok = true; } if ($generalSettings['emergingthreatsdownload'] == 'off') { $emerg_md5_check_ok = true; } if ($oinkid == '' && $generalSettings['snortdownload'] === 'on') { update_output_window2('ms1', 'Snort Error!'); update_output_window2('ms2', 'You must obtain an oinkid from snort.org and set its value in the Snort settings tab.'); exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'You must obtain an oinkid from snort.org and set its value in the Snort settings tab.'"); return false; } if ($emergingthreatscode === '' && $generalSettings['snortdownload'] === 'pro') { update_output_window2('ms1', 'Snort Error!'); update_output_window2('ms2', 'You must obtain an emergingthreat pro id from emergingthreatspro.com and set its value in the Snort settings tab.'); exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'You must obtain an emergingthreat pro id from emergingthreatspro.com and set its value in the Snort settings tab.'"); return false; } if ($generalSettings['snortdownload'] === 'off' && $generalSettings['emergingthreatsdownload'] === 'off') { // note: basic and pro update_output_window2('ms1', 'Snort Error!'); update_output_window2('ms2', 'SnortStartup: No rules have been selected to download.'); exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'No rules have been selected to download.'"); return false; } /* * Check MD5s and MARK * */ update_output_window2('ms1', 'Starting MD5 checks...'); // check is we need to wait update_output_window2('ms2', 'Checking Wait Status for Snort.org...'); $getSnort_filename_Waittime_chk = snortSql_fetchAllSettings2('snortDBtemp', 'SnortDownloads', 'filename', $snort_filename); if (date(U) > $getSnort_filename_Waittime_chk['waittime'] + 900) { update_output_window2('ms2', 'Snort.org Wait Time Status: OK...'); }else{ update_output_window2('ms2', 'Snort.org Wait Time Status: Wait 15 min Please...'); $snort_md5_check_ok = true; $snort_wait = true; } // check is we need to wait update_output_window2('ms2', 'Checking Wait Status for Emergingthreats.net...'); $getEmergingthreats_filename_Waittime_chk = snortSql_fetchAllSettings2('snortDBtemp', 'SnortDownloads', 'filename', $emergingthreats_filename); if (date(U) > $getEmergingthreats_filename_Waittime_chk['waittime'] + 900) { update_output_window2('ms2', 'Emergingthreats.net Wait Time Status: OK...'); }else{ update_output_window2('ms2', 'Emergingthreats.net Wait Time Status: Wait 15 min Please...'); $emerg_md5_check_ok = true; $emerg_wait = true; } // if all rules need wait stop if ($snort_wait === true && $emerg_wait === true) { return false; } // download snort.org md5 and compare if ($snort_md5_check_ok === false) { snort_file_get_contents($tmpfname, $snort_filename_md5, 'http://www.snort.org/pub-bin/oinkmaster.cgi/' . $oinkid); snortSql_updateRuleSetList('percent', '100', '', '', $snort_filename_md5); // finsh percent // if snort.org md5 do not match if(snortCmpareMD5('string', $tmpfname, $snortdir_rules, $snort_filename_md5)) { $snort_md5_check_ok = true; } } // download emergingthreats.net md5 and compare if ($emerg_md5_check_ok === false) { snort_file_get_contents($tmpfname, $emergingthreats_filename_md5, 'http://rules.emergingthreats.net/open/snort-2.9.0'); snortSql_updateRuleSetList('percent', '100', '', '', $emergingthreats_filename_md5); // finsh percent // if emergingthreats.net md5 do not match if(snortCmpareMD5('string', $tmpfname, $emergingdir_rules, $emergingthreats_filename_md5)) { $emerg_md5_check_ok = true; } } // download pfsense.org md5 and compare snort_file_get_contents($tmpfname, $pfsense_rules_filename_md5, 'http://www.pfsense.com/packages/config/snort/pfsense_rules'); snortSql_updateRuleSetList('percent', '100', '', '', $pfsense_rules_filename_md5); // finsh percent // if pfsense.org md5 do not match if(snortCmpareMD5('string', $tmpfname, $pfsensedir_rules, $pfsense_rules_filename_md5)) { $pfsense_md5_check_ok = true; } /* * If all rule type is not check clean up. */ /* Make Clean Snort Directory emergingthreats not checked */ if ($snort_md5_check_ok === false && $emergingthreatsdownload === 'off') { update_output_window2('ms1', 'Cleaning the emergingthreats Directory...'); exec("/bin/rm {$snortdir}/emerging_rules/*.rules"); exec("/bin/rm {$snortdir}/version.txt"); update_output_window2('ms2', 'Done cleaning emrg direcory.'); } /* Make Clean Snort Directory snort.org not checked */ if ($emerg_md5_check_ok === false && $snortdownload !== 'on') { update_output_window2('ms1', 'Cleaning the snort Directory...'); exec("/bin/rm {$snortdir}/snort_rules/*.rules"); exec("/bin/rm {$snortdir}/snortrules-snapshot-2905.tar.gz.md5"); update_output_window2('ms2', 'Done cleaning snort direcory.'); } /* Check if were up to date exits */ if ($snort_md5_check_ok === true && $emerg_md5_check_ok === true && $pfsense_md5_check_ok === true) { update_output_window2('ms1', 'Your rules are up to date...'); return false; } /* You are Not Up to date, always stop snort when updating rules for low end machines */; update_output_window2('ms1', 'You are NOT up to date...'); update_output_window2('ms2', 'Stopping Snort and Barnyard2 service...'); $chk_if_snort_up = exec('pgrep -x snort'); $chk_if_barnyad_up = exec('pgrep -x barnyad2'); if ($chk_if_snort_up != '') { exec('/usr/bin/touch /tmp/snort_download_halt.pid'); // IMPORTANT: incase of script crash or error, Mabe use DB exec('/usr/bin/killall snort'); if ($chk_if_barnyad_up != ''){ exec('/usr/bin/killall barnyad2'); } sleep(2); } /* download snortrules file */ if ($snort_md5_check_ok === false) { $GLOBALS['tmp']['snort']['downloadupdate']['workingfile'] = $snort_filename; update_output_window2('ms1', 'Snort.org: Starting Download...'); update_output_window2('ms2', 'May take a while...'); download_file_with_progress_bar2("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", $tmpfname, $snort_filename, "read_body_firmware"); //download_file_with_progress_bar2("http://theseusnetworking.com/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", $tmpfname, $snort_filename, "read_body_firmware"); update_progress_bar2(100, '', ''); // finsh percent snortSql_updateRuleSetList('percent', '100', '', '', $snort_filename); // finsh percent, add date time finnished update_output_window2('ms2', 'Snort.org: Finished Download...'); // if md5 does not match then the file is bad or snort.org says wait 15 min update_output_window2('ms1', 'Snort.org MD5 File Check ...'); if (!snortCmpareMD5('md5FileChk', $tmpfname, '', $snort_filename)) { $snort_filename_wait_ck = exec("/usr/bin/egrep '\bYou must wait 15\b' {$tmpfname}/{$snort_filename}"); if ($snort_filename_wait_ck != '') { update_output_window2('ms2', 'Snort.org: You must wait 15 min...'); } // disable snort.org download $snort_md5_check_ok = true; $snort_filename_corrupted = true; } } /* download emergingthreats file */ if ($emerg_md5_check_ok === false) { $GLOBALS['tmp']['snort']['downloadupdate']['workingfile'] = $emergingthreats_filename; update_output_window2('ms1', 'Emergingthreats.net: Starting Download...'); update_output_window2('ms2', 'May take a while...'); download_file_with_progress_bar2("http://rules.emergingthreats.net/open/snort-2.9.0/{$emergingthreats_filename}", $tmpfname, $emergingthreats_filename, "read_body_firmware"); update_progress_bar2(100, '', ''); // finsh percent snortSql_updateRuleSetList('percent', '100', '', '', $emergingthreats_filename); // finsh percent update_output_window2('ms2', 'Emergingthreats.net: Finished Download...'); // if md5 does not match then the file is bad or snort.org says wait 15 min update_output_window2('ms1', 'Emergingthreats MD5 File Check ...'); if (!snortCmpareMD5('md5FileChk', $tmpfname, '', $emergingthreats_filename)) { // disable snort.org download $emerg_md5_check_ok = true; $emerg_filename_corrupted = true; } } /* download pfsense rule file */ if ($pfsense_md5_check_ok === false) { $GLOBALS['tmp']['snort']['downloadupdate']['workingfile'] = $pfsense_rules_filename; update_output_window2('ms1', 'pfSense.org: Starting Download...'); update_output_window2('ms2', 'May take a while...'); download_file_with_progress_bar2("http://www.pfsense.com/packages/config/snort/pfsense_rules/{$pfsense_rules_filename}", $tmpfname, $pfsense_rules_filename, "read_body_firmware"); update_progress_bar2(100, '', ''); // finsh percent snortSql_updateRuleSetList('percent', '100', '', '', $pfsense_rules_filename); // finsh percent update_output_window2('ms2', 'pfSense.org: Finished Download...'); // if md5 does not match then the file is bad or snort.org says wait 15 min update_output_window2('ms1', 'pfSense.org MD5 File Check ...'); if (!snortCmpareMD5('md5FileChk', $tmpfname, '', $pfsense_rules_filename)) { // disable snort.org download $pfsense_md5_check_ok = true; } } // if both files are corrupted stop if ($snort_filename_corrupted === true && $emerg_filename_corrupted === true) { update_output_window2('ms1', 'Snort.org and Emergingthreats.net files are corrupted.'); update_output_window2('ms2', 'Stoping Script...'); return false; } /* * START: Untar Files */ // Untar snort rules file individually to help people with low system specs if ($snort_md5_check_ok === false && file_exists("{$tmpfname}/{$snort_filename}")) { update_output_window2('ms1', 'Extracting Snort.org rules...'); update_output_window2('ms2', 'May take a while...'); function build_SnortRuleDir() { global $tmpfname, $snortdir, $snortdir_rules, $snort_filename; // find out if were in 1.2.3-RELEASE $pfsense_ver_chk = exec('/bin/cat /etc/version'); if ($pfsense_ver_chk === '1.2.3-RELEASE') { $pfsense_stable = 'yes'; }else{ $pfsense_stable = 'no'; } // get the system arch $snort_arch_ck = exec('/usr/bin/uname -m'); if ($snort_arch_ck === 'i386') { $snort_arch = 'i386'; }else{ $snort_arch = 'x86-64'; // amd64 } if ($pfsense_stable === 'yes') { $freebsd_version_so = 'FreeBSD-7-3'; }else{ $freebsd_version_so = 'FreeBSD-8-1'; } // extract snort.org rules and add prefix to all snort.org files @exec("/bin/rm -r {$snortdir_rules}/rules"); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir_rules} rules/"); $snort_dirList = scandir("{$snortdir_rules}/rules"); // Waning: only in php 5 $snortrules_filterList = snortscandirfilter2($snort_dirList, '/.*\.rules/', '/\.rules/', ''); if (!empty($snortrules_filterList)) { foreach ($snortrules_filterList as $snort_rule_move) { exec("/bin/mv -f {$snortdir_rules}/rules/{$snort_rule_move}.rules {$snortdir_rules}/rules/snort_{$snort_rule_move}.rules"); } } // extract so rules exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir_rules} so_rules/precompiled/$freebsd_version_so/$snort_arch/2.9.0.5/"); exec("/bin/mv -f {$snortdir_rules}/so_rules/precompiled/$freebsd_version_so/$snort_arch/2.9.0.5/* /usr/local/lib/snort/dynamicrules/"); // list so_rules and exclude dir exec("/usr/bin/tar --exclude='precompiled' --exclude='src' -tf {$tmpfname}/{$snort_filename} so_rules", $so_rules_list); $so_rulesPattr = array('/\//', '/\.rules/'); $so_rulesPattw = array('', ''); // build list of so rules $so_rules_filterList = snortscandirfilter2($so_rules_list, '/\/.*\.rules/', $so_rulesPattr, $so_rulesPattw); if (!empty($so_rules_filterList)) { // cp rule to so tmp dir foreach ($so_rules_filterList as $so_rule) { exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir_rules} so_rules/{$so_rule}.rules"); } // mv and rename so rules foreach ($so_rules_filterList as $so_rule_move) { exec("/bin/mv -f {$snortdir_rules}/so_rules/{$so_rule_move}.rules {$snortdir_rules}/rules/snort_{$so_rule_move}.so.rules"); } } exec("/bin/rm -r {$snortdir_rules}/so_rules"); // extract base etc files exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); } build_SnortRuleDir(); // cp md5 to main snort dir exec("/bin/cp {$tmpfname}/{$snort_filename_md5} {$snortdir_rules}/{$snort_filename_md5}"); update_output_window2('ms2', 'Done extracting Snort.org Rules.'); } /* Untar emergingthreats rules to tmp */ if ($emerg_md5_check_ok === false && file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { update_output_window2('ms1', 'Extracting Emergingthreats Rules...'); update_output_window2('ms2', 'May take a while...'); @exec("/bin/rm -r {$emergingdir_rules}/rules"); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$emergingdir_rules} rules/"); exec("/bin/cp {$tmpfname}/{$emergingthreats_filename_md5} {$emergingdir_rules}/{$emergingthreats_filename_md5}"); update_output_window2('ms2', 'Done extracting Emergingthreats.net Rules.'); } } /* Untar Pfsense rules to tmp */ if ($pfsense_md5_check_ok === false && file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { update_output_window2('ms1', 'Extracting Pfsense rules...'); update_output_window2('ms1', 'May take a while...'); @exec("/bin/rm -r {$pfsensedir_rules}/rules"); exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$pfsensedir_rules} rules/"); exec("/bin/cp {$tmpfname}/{$pfsense_rules_filename_md5} {$pfsensedir_rules}/{$pfsense_rules_filename_md5}"); update_output_window2('ms2', 'Done extracting pfSense.org Rules.'); } } /* double make shure cleanup emerg rules that dont belong */ if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); } // make sure default rules are in the right format update_output_window2('ms1', 'Reformatting Rules To One Standard...'); update_output_window2('ms2', 'Please Wait...'); exec("/usr/bin/sed -i '' 's/^[ \t]*//' {$snortdir_rules}/rules/*.rules"); // remove white spaces from begining of line exec("/usr/bin/sed -i '' 's/^#alert*/\# alert/' {$snortdir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^##alert*/\# alert/' {$snortdir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^## alert*/\# alert/' {$snortdir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^[ \t]*//' {$emergingdir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^#alert*/\# alert/' {$emergingdir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^##alert*/\# alert/' {$emergingdir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^## alert*/\# alert/' {$emergingdir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^[ \t]*//' {$pfsensedir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^#alert*/\# alert/' {$pfsensedir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^##alert*/\# alert/' {$pfsensedir_rules}/rules/*.rules"); exec("/usr/bin/sed -i '' 's/^## alert*/\# alert/' {$pfsensedir_rules}/rules/*.rules"); update_output_window2('ms2', 'Done...'); /* create a msg-map for snort */ update_output_window2('ms1', 'Updating Alert Sid Messages...'); update_output_window2('ms2', 'Please Wait...'); exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl {$snortdir_rules}/rules > /usr/local/etc/snort/etc/sid-msg.map"); exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl {$emergingdir_rules}/rules >> /usr/local/etc/snort/etc/sid-msg.map"); exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl {$pfsensedir_rules}/rules >> /usr/local/etc/snort/etc/sid-msg.map"); update_output_window2('ms2', 'Done...'); // create default dir if (!file_exists('/usr/local/etc/snort/snortDBrules/DB/default/rules')) { exec('/bin/mkdir -p /usr/local/etc/snort/snortDBrules/DB/default/rules'); } // cp new rules to default dir exec('/bin/rm /usr/local/etc/snort/snortDBrules/DB/default/rules/*.rules'); exec("/bin/cp {$snortdir_rules}/rules/*.rules /usr/local/etc/snort/snortDBrules/DB/default/rules"); exec("/bin/cp {$emergingdir_rules}/rules/*.rules /usr/local/etc/snort/snortDBrules/DB/default/rules"); exec("/bin/cp {$pfsensedir_rules}/rules/*.rules /usr/local/etc/snort/snortDBrules/DB/default/rules"); // reapplay rules from DB cp base rules to dirs $sidOnOff_array = snortSql_fetchAllSettings2('snortDBrules', 'Snortrules', 'All', ''); if (!empty($sidOnOff_array)) { update_output_window2('ms1', 'Reapplying User Settings...'); update_output_window2('ms2', 'Please Wait...'); foreach ($sidOnOff_array as $preSid_Array) { if (!file_exists("/usr/local/etc/snort/snortDBrules/DB/{$preSid_Array['uuid']}/rules")) { exec("/bin/mkdir -p /usr/local/etc/snort/snortDBrules/DB/{$preSid_Array['uuid']}/rules"); } exec("/bin/rm /usr/local/etc/snort/snortDBrules/DB/{$preSid_Array['uuid']}/rules/*.rules"); exec("/bin/cp {$snortdir_rules}/rules/*.rules /usr/local/etc/snort/snortDBrules/DB/{$preSid_Array['uuid']}/rules"); exec("/bin/cp {$emergingdir_rules}/rules/*.rules /usr/local/etc/snort/snortDBrules/DB/{$preSid_Array['uuid']}/rules"); exec("/bin/cp {$pfsensedir_rules}/rules/*.rules /usr/local/etc/snort/snortDBrules/DB/{$preSid_Array['uuid']}/rules"); reapplyRuleSettings_run($preSid_Array['uuid']); update_output_window2('ms2', 'Done...'); } } // cp snort conf's to Ifaces $ifaceConfMaps_array = snortSql_fetchAllSettings2('snortDB', 'SnortIfaces', 'All', ''); if (!empty($ifaceConfMaps_array)) { update_output_window2('ms1', 'Reapplying User Settings...'); update_output_window2('ms2', 'Please Wait...'); foreach ($ifaceConfMaps_array as $preIfaceConfMaps_array) { // create iface dir if missing if (!file_exists("/usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}")) { exec("/bin/mkdir -p /usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}"); } // create rules dir soft link if setting is default if ($preIfaceConfMaps_array['ruledbname'] === 'default' || $preIfaceConfMaps_array['ruledbname'] === '') { if (!file_exists("/usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}/rules") && file_exists('/usr/local/etc/snort/snortDBrules/DB/default/rules')) { exec("/bin/ln -s /usr/local/etc/snort/snortDBrules/DB/default/rules /usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}/rules"); } } // create rules dir soft link if setting is not default if ($preIfaceConfMaps_array['ruledbname'] !== 'default' || $preIfaceConfMaps_array['ruledbname'] != '') { if (!file_exists("/usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}/rules") && file_exists("/usr/local/etc/snort/snortDBrules/DB/{$preIfaceConfMaps_array['ruledbname']}/rules")) { exec("/bin/ln -s /usr/local/etc/snort/snortDBrules/DB/{$preIfaceConfMaps_array['ruledbname']}/rules /usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}/rules"); } } exec("/bin/cp {$snortdir}/etc/*.config /usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}"); exec("/bin/cp {$snortdir}/etc/*.conf /usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}"); exec("/bin/cp {$snortdir}/etc/*.map /usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}"); exec("/bin/cp {$snortdir}/etc/generators /usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}"); exec("/bin/cp {$snortdir}/etc/sid /usr/local/etc/snort/sn_{$preIfaceConfMaps_array['uuid']}"); reapplyRuleSettings_run($preSid_Array['uuid']); update_output_window2('ms2', 'Done...'); } } // remove old $tmpfname files */ update_output_window2('ms1', 'Removing old files...'); update_output_window2('ms2', 'Working...'); if (file_exists('/usr/local/etc/snort/tmp')) { exec("/bin/rm -r /usr/local/etc/snort/tmp/snort_rules_up"); exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); apc_clear_cache(); } update_output_window2('ms2', 'Done...'); // php code to flush out cache some people are reportting missing files this might help apc_clear_cache(); exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); // make all dirs snorts exec("/usr/sbin/chown -R snort:snort /var/log/snort"); exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); exec("/bin/chmod -R 755 /var/log/snort"); exec("/bin/chmod -R 755 /usr/local/etc/snort"); exec("/bin/chmod -R 755 /usr/local/lib/snort"); update_output_window2('ms1', 'Finnished Updateing...'); update_output_window2('ms2', 'Finnished Updateing...'); // if snort is running hard restart, if snort is not running do nothing // TODO: Restart Ifaces // ----------------------------------------------------- End Code -------------------------------------------- } // -------------------- END Main function ------------ //$argv[1] = 'console'; //$getWorkerStat = snortSql_fetchAllSettings2('snortDBtemp', 'RegisterWorker', 'uuid', 'jdjEf!773&h3bhFd6A'); //if ($getWorkerStat['working'] !== 'on') { //snortSql_updateRuleSetList2('working', 'on', '', '', ''); // Register Worker on //sendUpdateSnortLogDownload($argv[1]); // start main function //snortSql_updateRuleSetList2('working', 'off', '', '', ''); // Register Worker off //} ?>