. All rights reserved. Pfsense Old snort GUI Copyright (C) 2006 Scott Ullrich. Pfsense snort GUI Copyright (C) 2008-2012 Robert Zelaya. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the pfSense nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
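*/

// Strip the csrf-magic token from POST. The generic save helpers
// (snortSql_updateSettings / snortSql_updateWhitelistIps) turn every POST key
// into a column name, and the token must not be persisted as one. The token
// itself has already been validated by csrf-magic before this file is included.
if (isset($_POST['__csrf_magic'])) {
    unset($_POST['__csrf_magic']);
}

//require_once("pfsense-utils.inc");
require_once("config.inc");
require_once("functions.inc");

// Create the working db dir and seed it from the package's temp db.
if (!file_exists('/var/snort/')) {
    mkdir('/var/snort/', 0755, true);
}
if (file_exists('/usr/local/pkg/snort/snortDBtemp')) {
    copy('/usr/local/pkg/snort/snortDBtemp', '/var/snort/snortDBtemp');
}

/**
 * True when $name is a single safe path component / db key: letters, digits,
 * '_', '-' and '.' only, and neither '.' nor '..'.
 *
 * Every request value that is spliced into a filesystem path, a symlink
 * target or an SQL literal in this file is checked with this first, so a
 * crafted uuid / rule db name / file name cannot escape the snort directories.
 *
 * @param mixed $name
 * @return bool
 */
function snortIsSafeName($name)
{
    if (!is_string($name) || $name === '' || $name === '.' || $name === '..') {
        return false;
    }
    return preg_match('/^[A-Za-z0-9_.\-]+$/D', $name) === 1;
}

/**
 * Returns the last sub-array of $array whose $key equals $value, or an empty
 * array when nothing matches (used in snort_rules_ips.php and the sid block map).
 *
 * @param mixed  $array list of associative rows (non-arrays yield array())
 * @param string $key
 * @param mixed  $value
 * @return array
 */
function snortSearchArray($array, $key, $value)
{
    $results = array();
    if (!is_array($array)) {
        return $results;
    }
    foreach ($array as $subarray) {
        // Loose comparison on purpose: sqlite hands ids back as strings while
        // callers may pass ints. Last match wins, as before.
        if (is_array($subarray) && isset($subarray[$key]) && $subarray[$key] == $value) {
            $results = $subarray;
        }
    }
    return $results;
}

/**
 * Splits each distinct line of $output on ' # ' (used in snort_rules_ips.php
 * and the sid block map).
 *
 * @param mixed $output list of strings
 * @return array list of exploded lines; empty for empty/non-array input
 */
function getCurrentIpsRuleArray($output)
{
    $newLine = array();
    if (!is_array($output)) {
        return $newLine;
    }
    foreach (array_unique($output) as $line) {
        $newLine[] = explode(' # ', $line);
    }
    return $newLine;
}

/*
 * If the iface dir sn_<uuid> exists and the rule db changed (or the rules
 * link is missing/dangling), recreate the rules soft link.
 * Reads $_POST['uuid'] and $_POST['ruledbname'].
 *
 * @return bool false when the POST values are unsafe or the iface dir is absent
 */
function snortRulesCreateSoftlink()
{
    $uuid = isset($_POST['uuid']) ? $_POST['uuid'] : '';
    $ruledbname = isset($_POST['ruledbname']) ? $_POST['ruledbname'] : '';
    if (!snortIsSafeName($uuid) || !snortIsSafeName($ruledbname)) {
        return false;
    }
    $pathToSnortDir = '/usr/local/etc/snort';
    $ifaceDir = "{$pathToSnortDir}/sn_{$uuid}";
    if (!is_dir($ifaceDir)) {
        return false;
    }
    $current = snortSql_fetchAllSettings('snortDB', 'snortIfaces', 'uuid', $uuid);
    $currentDb = (is_array($current) && isset($current['ruledbname'])) ? $current['ruledbname'] : null;
    $link = "{$ifaceDir}/rules";
    if ($ruledbname !== $currentDb || !file_exists($link)) {
        // A dangling symlink fails file_exists() but is still a link; remove either.
        if (is_link($link) || file_exists($link)) {
            unlink($link);
        }
        symlink("{$pathToSnortDir}/snortDBrules/DB/{$ruledbname}/rules", $link);
    }
    return true;
}

/**
 * Writes the edited rule text ($_POST['sidstring']) over the last line of the
 * selected rule file that carries sid:<$_POST['snortSidNum']>;
 * (the same line the old "sed -n /sid:N\;/=" selection produced).
 *
 * @return bool true when a line was replaced and the file written
 */
function snortSidStringRuleEditGUI()
{
    $iface = isset($_POST['snortSidRuleIface']) ? $_POST['snortSidRuleIface'] : '';
    $file = isset($_POST['snortSidRuleFile']) ? $_POST['snortSidRuleFile'] : '';
    $sid = isset($_POST['snortSidNum']) ? (string) $_POST['snortSidNum'] : '';
    if (!snortIsSafeName($iface) || !snortIsSafeName($file) || !ctype_digit($sid) || !isset($_POST['sidstring'])) {
        return false;
    }
    $workingFile = "/usr/local/etc/snort/sn_{$iface}/rules/{$file}";
    $splitcontents = split_rule_file($workingFile);
    if (empty($splitcontents)) {
        return false;
    }
    $target = null;
    foreach ($splitcontents as $index => $line) {
        if (strpos($line, "sid:{$sid};") !== false) {
            $target = $index;
        }
    }
    if ($target === null) {
        // Previously an unmatched sid produced line number -1 and appended junk.
        return false;
    }
    // A rule is exactly one line; embedded line breaks would inject extra rules.
    $splitcontents[$target] = str_replace(array("\r", "\n"), '', (string) $_POST['sidstring']);
    write_rule_file($splitcontents, $workingFile);
    return true;
}

/**
 * Echoes a JSON object {"sidstring": <rule line>, "sid": <sid>} with the last
 * line of the selected rule file matching /alert.*sid:<$_GET['sid']>;/.
 * An unsafe iface/file name or non-numeric sid yields an empty sidstring.
 *
 * @return bool always true
 */
function sendSidStringRuleEditGUI()
{
    $sid = isset($_GET['sid']) ? (string) $_GET['sid'] : '';
    $iface = isset($_GET['snortIface']) ? $_GET['snortIface'] : '';
    $file = isset($_GET['snortRuleFile']) ? $_GET['snortRuleFile'] : '';
    $sidCall = '';
    if (ctype_digit($sid) && snortIsSafeName($iface) && snortIsSafeName($file)) {
        $workingFile = "/usr/local/etc/snort/sn_{$iface}/rules/{$file}";
        foreach (split_rule_file($workingFile) as $line) {
            if (preg_match('/alert.*sid:' . $sid . ';/', $line)) {
                $sidCall = $line;
            }
        }
    }
    echo '{"sidstring":"' . escapeJsonString($sidCall) . '","sid":"' . escapeJsonString($sid) . '"}';
    return true;
}

/**
 * Creates a new iface dir, links its rules dir to the selected rule db
 * (empty / 'default' -> DB/default) and copies the base config files in.
 * Reads $_POST['uuid'] and $_POST['ruledbname'].
 *
 * @param string $pathToSnortDir base snort dir (caller-supplied constant)
 * @param string $newSnortDir    dir name to create below $pathToSnortDir
 * @return bool false when a name fails the safe-name check
 */
function createNewIfaceDir($pathToSnortDir, $newSnortDir)
{
    $uuid = isset($_POST['uuid']) ? $_POST['uuid'] : '';
    $ruledbname = isset($_POST['ruledbname']) ? $_POST['ruledbname'] : '';
    if ($ruledbname === '') {
        $ruledbname = 'default';
    }
    if (!snortIsSafeName($newSnortDir) || !snortIsSafeName($uuid) || !snortIsSafeName($ruledbname)) {
        return false;
    }
    $newDir = "{$pathToSnortDir}/{$newSnortDir}";
    if (!is_dir($newDir)) {
        mkdir($newDir, 0755, true);
    }
    // rules soft link for the selected (or default) rule db
    $ifaceDir = "{$pathToSnortDir}/sn_{$uuid}";
    $link = "{$ifaceDir}/rules";
    $target = "{$pathToSnortDir}/snortDBrules/DB/{$ruledbname}/rules";
    if (!file_exists($link) && file_exists($target)) {
        symlink($target, $link);
    }
    // copy the base config into the iface dir
    foreach (array('*.config', '*.conf', '*.map', 'generators', 'sid') as $pattern) {
        $matches = glob("{$pathToSnortDir}/etc/{$pattern}");
        if (!is_array($matches)) {
            continue;
        }
        foreach ($matches as $src) {
            copy($src, $ifaceDir . '/' . basename($src));
        }
    }
    return true;
}

/**
 * Escapes a string for embedding in a hand-built JSON literal.
 * Control characters are written as their JSON escapes; '/' becomes ' \/ '
 * with a space on each side on purpose (IE and Chrome had issues with the
 * bare escape and the client expects this form).
 *
 * @param mixed $escapeString
 * @return string
 */
function escapeJsonString($escapeString)
{
    // Backslash is handled first so the escapes added afterwards are not doubled.
    $search = array('\\', "\n", "\r", "\t", "\f", "\x08", '/', '"');
    $replace = array('\\\\', '\n', '\r', '\t', '\f', '\b', ' \/ ', '\"');
    return str_replace($search, $replace, (string) $escapeString);
}

/**
 * Limits $s to $maxLength characters, replacing the tail with '...'.
 *
 * @param mixed $s
 * @param int   $maxLength total length including the ellipsis (default 13)
 * @return string
 */
function trimLength($s, $maxLength = 13)
{
    $s = (string) $s;
    if (strlen($s) <= $maxLength) {
        return $s;
    }
    return substr($s, 0, $maxLength - 3) . '...';
}

/**
 * Substring of $source between the first $beginning (searched from $initPos)
 * and the following $ending; '' when either marker is missing.
 *
 * @param string $source
 * @param string $beginning
 * @param string $ending
 * @param int    $initPos
 * @return string
 */
function snortRuleSig_getMiddle($source, $beginning, $ending, $initPos)
{
    $beginningPos = strpos($source, $beginning, $initPos);
    if ($beginningPos === false) {
        return '';
    }
    $middlePos = $beginningPos + strlen($beginning);
    $endingPos = strpos($source, $ending, $middlePos);
    if ($endingPos === false) {
        return '';
    }
    return substr($source, $middlePos, $endingPos - $middlePos);
}

/**
 * Builds the per-signature array (sid, enable, proto, src, srcport, dst,
 * dstport, msg) for every 'alert' / '# alert' line of a rule file.
 *
 * @param mixed $baseruleArray lines of a rule file
 * @return array keyed by line index; non-alert lines get no entry
 */
function newFilterRuleSig($baseruleArray)
{
    $newSigArray = array();
    if (!is_array($baseruleArray)) {
        return $newSigArray;
    }
    foreach (array_values($baseruleArray) as $i => $value) {
        if (!preg_match('/^(# )?alert/', $value)) {
            continue;
        }
        // collapse whitespace runs and join '# alert' so the header splits into fixed fields
        $line = preg_replace('/\s\s+/', ' ', $value);
        $line = preg_replace('/^# alert/', '#alert', $line);
        $parts = array_pad(explode(' ', $line), 7, '');
        $newSigArray[$i] = array(
            'sid' => snortRuleSig_getMiddle($value, 'sid:', ';', 0),
            'enable' => ($parts[0] === '#alert') ? 'off' : 'on',
            'proto' => $parts[1],
            'src' => trimLength($parts[2]),
            'srcport' => trimLength($parts[3]),
            // $parts[4] is the direction operator
            'dst' => trimLength($parts[5]),
            'dstport' => trimLength($parts[6]),
            'msg' => snortRuleSig_getMiddle($value, 'msg:"', '";', 0),
        );
    }
    return $newSigArray;
}

/**
 * Reads a rule file into an array of lines.
 *
 * @param string $workingFile
 * @return array empty when the file is missing or unreadable
 */
function split_rule_file($workingFile)
{
    if (!is_file($workingFile) || !is_readable($workingFile)) {
        return array();
    }
    $contents = file_get_contents($workingFile);
    if ($contents === false) {
        return array();
    }
    return explode("\n", $contents);
}

/**
 * Writes an array of rule lines back to disk, one rule per line.
 *
 * @param array  $content_changed
 * @param string $received_file
 * @return bool
 */
function write_rule_file($content_changed, $received_file)
{
    $fullfile = implode("\n", (array) $content_changed);
    return file_put_contents($received_file, $fullfile, LOCK_EX) !== false;
}

/**
 * Returns the rule lines with every sid in $enableSigsArray uncommented and
 * every sid in $disableSigsArray commented out; other lines are untouched.
 * Only the leading 'alert' is touched so a msg containing 'alert' stays intact.
 *
 * @param array $splitcontents
 * @param array $enableSigsArray
 * @param array $disableSigsArray
 * @return array
 */
function snortRuleSig_readRuleFile($splitcontents, $enableSigsArray, $disableSigsArray)
{
    $tempstring = array();
    foreach ($splitcontents as $sigLine) {
        $sidLine = '';
        if (preg_match('/sid:([0-9]*);/', $sigLine, $matches)) {
            $sidLine = $matches[1];
        }
        if ($sidLine === '') {
            $tempstring[] = $sigLine;
        } elseif (in_array($sidLine, $enableSigsArray)) {
            $tempstring[] = preg_replace('/^# alert/', 'alert', $sigLine);
        } elseif (in_array($sidLine, $disableSigsArray)) {
            $tempstring[] = preg_replace('/^alert/', '# alert', $sigLine);
        } else {
            $tempstring[] = $sigLine;
        }
    }
    return $tempstring;
}

/**
 * Records the enable/disable state of each sid in the oinkmaster table named
 * by $_SESSION['snort']['tmp']['snort_rules'] (dbName, dbTable, rdbuuid, rulefile).
 *
 * @param array  $SigArray sids
 * @param string $OnOff    'on' or 'off'
 * @return bool false when the session values fail the safe-name checks
 */
function snortRuleSig_enableDisableSid($SigArray, $OnOff)
{
    $tmp = isset($_SESSION['snort']['tmp']['snort_rules']) ? $_SESSION['snort']['tmp']['snort_rules'] : array();
    $dbname = isset($tmp['dbName']) ? $tmp['dbName'] : '';
    $table = isset($tmp['dbTable']) ? $tmp['dbTable'] : '';
    $rdbuuid = isset($tmp['rdbuuid']) ? $tmp['rdbuuid'] : '';
    $rulefile = isset($tmp['rulefile']) ? $tmp['rulefile'] : '';
    if (!snortIsSafeName($dbname) || !snortIsSafeName($rdbuuid) || !snortIsSafeName($rulefile)
        || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/D', $table)) {
        return false;
    }
    if (empty($SigArray)) {
        return true;
    }
    $addDate = time();
    // dont let user pick the DB path
    $db = sqlite_open("/usr/local/pkg/snort/{$dbname}");
    if (!$db) {
        return false;
    }
    $qRdbuuid = sqlite_escape_string($rdbuuid);
    $qRulefile = sqlite_escape_string($rulefile);
    $qOnOff = sqlite_escape_string((string) $OnOff);
    foreach ($SigArray as $sid) {
        $qSid = sqlite_escape_string((string) $sid);
        // 'enable' is selected too: the old query only fetched id, so the
        // comparison below always fired an UPDATE.
        $resultid = sqlite_query($db, "SELECT id, enable FROM {$table} WHERE signatureid = '{$qSid}'"
            . " AND signaturefilename = '{$qRulefile}';");
        $chktable = $resultid ? sqlite_fetch_all($resultid, SQLITE_ASSOC) : array();
        if (empty($chktable)) {
            sqlite_query($db, "INSERT INTO {$table} (date, rdbuuid, signatureid, signaturefilename, enable)"
                . " VALUES ('{$addDate}', '{$qRdbuuid}', '{$qSid}', '{$qRulefile}', '{$qOnOff}');");
        } elseif ($chktable[0]['enable'] != $OnOff) {
            sqlite_query($db, "UPDATE {$table} SET date = '{$addDate}', enable = '{$qOnOff}'"
                . " WHERE signatureid = '{$qSid}' AND signaturefilename = '{$qRulefile}';");
        }
    }
    sqlite_close($db);
    return true;
}

/**
 * Save ruleSets settings: applies the $_POST['filenamcheckbox2'] selection to
 * the rule file named by the session (rdbuuid/rulefile), rewriting the file
 * and recording the changes for oinkmaster.
 *
 * @return bool false when the session path values are unsafe
 */
function snortSql_updateRuleSigList()
{
    $tmp = isset($_SESSION['snort']['tmp']['snort_rules']) ? $_SESSION['snort']['tmp']['snort_rules'] : array();
    $rdbuuid = isset($tmp['rdbuuid']) ? $tmp['rdbuuid'] : '';
    $rulefile = isset($tmp['rulefile']) ? $tmp['rulefile'] : '';
    if (!snortIsSafeName($rdbuuid) || !snortIsSafeName($rulefile)) {
        return false;
    }
    $workingFile = "/usr/local/etc/snort/snortDBrules/DB/{$rdbuuid}/rules/{$rulefile}";
    $splitcontents = split_rule_file($workingFile);

    $checked = (isset($_POST['filenamcheckbox2']) && is_array($_POST['filenamcheckbox2']))
        ? $_POST['filenamcheckbox2'] : array();
    $_POST['filenamcheckbox2'] = $checked;

    // build the user-selected enable and disable lists
    $enableSigsArray = array();
    $disableSigsArray = array();
    foreach (newFilterRuleSig($splitcontents) as $sigArray) {
        // loose in_array on purpose: a 'sid: 1234;' with padding still matches '1234'
        $wanted = in_array($sigArray['sid'], $checked);
        if ($wanted && $sigArray['enable'] == 'off') {
            $enableSigsArray[] = $sigArray['sid'];
        }
        if (!$wanted && $sigArray['enable'] == 'on') {
            $disableSigsArray[] = $sigArray['sid'];
        }
    }

    // rewrite the file only when something changes
    if (!empty($enableSigsArray) || !empty($disableSigsArray)) {
        write_rule_file(snortRuleSig_readRuleFile($splitcontents, $enableSigsArray, $disableSigsArray), $workingFile);
    }
    snortRuleSig_enableDisableSid($enableSigsArray, 'on');
    snortRuleSig_enableDisableSid($disableSigsArray, 'off');
    return true;
}
// END Save ruleSets settings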
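/**
 * Identifier whitelist for table/column names that come from the request.
 *
 * @param mixed $ident
 * @return bool
 */
function snortSql_safeIdent($ident)
{
    return is_string($ident) && preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/D', $ident) === 1;
}

/**
 * True for a single safe file/dir name (letters, digits, '_', '-', '.'),
 * never '.' or '..'; guards every request value spliced into a path.
 *
 * @param mixed $name
 * @return bool
 */
function snortSql_safeFileName($name)
{
    if (!is_string($name) || $name === '' || $name === '.' || $name === '..') {
        return false;
    }
    return preg_match('/^[A-Za-z0-9_.\-]+$/D', $name) === 1;
}

/**
 * Quoted, escaped SQL string literal for the legacy sqlite extension.
 *
 * @param mixed $value arrays stringify to 'Array' as the old interpolation did
 * @return string including the surrounding single quotes
 */
function snortSql_quote($value)
{
    if (is_array($value)) {
        $value = 'Array';
    }
    return "'" . sqlite_escape_string((string) $value) . "'";
}

/**
 * Opens /usr/local/pkg/snort/<dbname>; the user may pick the name but not the path.
 *
 * @param mixed $dbname
 * @return resource|false false when the name is not a plain file name
 */
function snortSql_openDb($dbname)
{
    if (!snortSql_safeFileName($dbname)) {
        return false;
    }
    return sqlite_open("/usr/local/pkg/snort/{$dbname}");
}

/**
 * Inserts/updates one row per posted signature ($_POST['snortsam']['db'])
 * whose settings differ from the SnortruleGenIps defaults for $rdbuuid.
 *
 * @param resource $db
 * @param string   $table   validated identifier
 * @param string   $rdbuuid validated name
 * @return void
 */
function snortSql_rulesSigsIpsInsertUpdate($db, $table, $rdbuuid)
{
    $listGenRules = snortSql_fetchAllSettings('snortDBrules', 'SnortruleGenIps', 'rdbuuid', $rdbuuid);
    if (empty($listGenRules)) {
        $listGenRules = array(array(
            'id' => 1,
            'rdbuuid' => $rdbuuid,
            'enable' => 'on',
            'who' => 'src',
            'timeamount' => 15,
            'timetype' => 'minutes',
        ));
    }
    $defaults = $listGenRules[0];
    // checkbox off catch
    $defaultEnable = (empty($defaults['enable']) || $defaults['enable'] === 'off') ? 'off' : $defaults['enable'];
    $addDate = time();
    $qRdbuuid = snortSql_quote($rdbuuid);
    $sigs = (isset($_POST['snortsam']['db']) && is_array($_POST['snortsam']['db'])) ? $_POST['snortsam']['db'] : array();
    // TODO: still one SELECT per signature; batch once the schema allows it.
    foreach ($sigs as $singleSig) {
        if (!is_array($singleSig) || !isset($singleSig['siguuid'])) {
            continue;
        }
        foreach (array('enable', 'who', 'timeamount', 'timetype', 'sigfilename') as $field) {
            if (!isset($singleSig[$field])) {
                $singleSig[$field] = '';
            }
        }
        $qSiguuid = snortSql_quote($singleSig['siguuid']);
        $resultid = sqlite_query($db, "SELECT id FROM {$table} WHERE siguuid = {$qSiguuid} and rdbuuid = {$qRdbuuid};");
        $chktable = $resultid ? sqlite_fetch_all($resultid, SQLITE_ASSOC) : array();
        // checkbox off catch
        $singleSigEnable = empty($singleSig['enable']) ? 'off' : $singleSig['enable'];
        // only touch the db when something differs from the defaults (timeamount compared loosely)
        $somethingChanged = $singleSigEnable !== $defaultEnable
            || $singleSig['who'] !== $defaults['who']
            || $singleSig['timeamount'] != $defaults['timeamount']
            || $singleSig['timetype'] !== $defaults['timetype'];
        if (!$somethingChanged) {
            continue;
        }
        if (empty($chktable)) {
            $rulesetUuid = genAlphaNumMixFast(11, 14);
            sqlite_query($db, "INSERT INTO {$table} (date, uuid, rdbuuid, enable, siguuid, sigfilename, who, timeamount, timetype)"
                . " VALUES ('{$addDate}', " . snortSql_quote($rulesetUuid) . ", {$qRdbuuid}, " . snortSql_quote($singleSigEnable)
                . ", {$qSiguuid}, " . snortSql_quote($singleSig['sigfilename']) . ", " . snortSql_quote($singleSig['who'])
                . ", " . snortSql_quote($singleSig['timeamount']) . ", " . snortSql_quote($singleSig['timetype']) . ");");
        } else {
            sqlite_query($db, "UPDATE {$table} SET date = '{$addDate}', enable = " . snortSql_quote($singleSigEnable)
                . ", who = " . snortSql_quote($singleSig['who']) . ", timeamount = " . snortSql_quote($singleSig['timeamount'])
                . ", timetype = " . snortSql_quote($singleSig['timetype'])
                . " WHERE rdbuuid = {$qRdbuuid} and sigfilename = " . snortSql_quote($singleSig['sigfilename']) . ";");
        }
    }
}

/**
 * Deletes rows of $table (for $rdbuuid) whose .rules file no longer exists.
 * Skipped when the rules dir itself is missing, so a bad path cannot wipe the table.
 *
 * @param resource $db
 * @param string   $table   validated identifier
 * @param string   $rdbuuid validated name
 * @return void
 */
function snortSql_rulesSigsIpsCleanup($db, $table, $rdbuuid)
{
    $rulesDir = "/usr/local/etc/snort/snortDBrules/DB/{$rdbuuid}/rules/";
    if (!is_dir($rulesDir)) {
        return;
    }
    $listDir = (array) snortScanDirFilter($rulesDir, '\.rules');
    $qRdbuuid = snortSql_quote($rdbuuid);
    $result = sqlite_query($db, "SELECT sigfilename FROM {$table} WHERE rdbuuid = {$qRdbuuid};");
    $rows = $result ? sqlite_fetch_all($result, SQLITE_ASSOC) : array();
    foreach ((array) $rows as $value) {
        if (!in_array($value['sigfilename'], $listDir, true)) {
            sqlite_query($db, "DELETE FROM {$table} WHERE sigfilename = " . snortSql_quote($value['sigfilename'])
                . " and rdbuuid = {$qRdbuuid};");
        }
    }
}

/**
 * Save rulessigs settings for snort_rules_ips.
 * Reads $_POST['dbName'], $_POST['dbTable'], $_POST['rdbuuid'], $_POST['snortsam']['db'].
 *
 * @return bool false when the db/table/rdbuuid values fail validation
 */
function snortSql_updateRulesSigsIps()
{
    $dbTable = isset($_POST['dbTable']) ? $_POST['dbTable'] : '';
    $rdbuuid = isset($_POST['rdbuuid']) ? $_POST['rdbuuid'] : '';
    if (!snortSql_safeIdent($dbTable) || !snortSql_safeFileName($rdbuuid)) {
        return false;
    }
    // dont let user pick the DB path
    $db = snortSql_openDb(isset($_POST['dbName']) ? $_POST['dbName'] : '');
    if (!$db) {
        return false;
    }
    snortSql_rulesSigsIpsInsertUpdate($db, $dbTable, $rdbuuid);
    snortSql_rulesSigsIpsCleanup($db, $dbTable, $rdbuuid);
    sqlite_close($db);
    return true;
}

/**
 * Enables the rulesets selected in $_POST['filenamcheckbox'] (inserting missing
 * rows), deletes rows whose .rules file vanished and switches off unselected ones.
 *
 * @param resource $db
 * @param string   $table   validated identifier
 * @param string   $rdbuuid validated name
 * @return void
 */
function snortSql_createUpdateRulesetTable($db, $table, $rdbuuid)
{
    $addDate = time();
    $selected = (isset($_POST['filenamcheckbox']) && is_array($_POST['filenamcheckbox'])) ? $_POST['filenamcheckbox'] : array();
    $qRdbuuid = snortSql_quote($rdbuuid);
    foreach ($selected as $ruleSetfilename) {
        $qName = snortSql_quote($ruleSetfilename);
        $resultid = sqlite_query($db, "SELECT id, enable FROM {$table} WHERE rulesetname = {$qName} and rdbuuid = {$qRdbuuid};");
        $chktable = $resultid ? sqlite_fetch_all($resultid, SQLITE_ASSOC) : array();
        if (empty($chktable)) {
            $rulesetUuid = genAlphaNumMixFast(11, 14);
            sqlite_query($db, "INSERT INTO {$table} (date, uuid, rdbuuid, rulesetname, enable)"
                . " VALUES ('{$addDate}', " . snortSql_quote($rulesetUuid) . ", {$qRdbuuid}, {$qName}, 'on');");
        } elseif ($chktable[0]['enable'] == 'off') {
            sqlite_query($db, "UPDATE {$table} SET enable = 'on' WHERE id = " . snortSql_quote($chktable[0]['id']) . ";");
        }
    }
    // clean database of old names and turn unselected rulesets off
    $rulesDir = "/usr/local/etc/snort/snortDBrules/DB/{$rdbuuid}/rules/";
    // null means "dir missing": then no row is deleted, only switched off
    $listDir = is_dir($rulesDir) ? (array) snortScanDirFilter($rulesDir, '\.rules') : null;
    $result = sqlite_query($db, "SELECT rulesetname FROM {$table} WHERE rdbuuid = {$qRdbuuid};");
    $rows = $result ? sqlite_fetch_all($result, SQLITE_ASSOC) : array();
    foreach ((array) $rows as $value) {
        $qName = snortSql_quote($value['rulesetname']);
        if ($listDir !== null && !in_array($value['rulesetname'], $listDir, true)) {
            sqlite_query($db, "DELETE FROM {$table} WHERE rulesetname = {$qName} and rdbuuid = {$qRdbuuid};");
        }
        if (!in_array($value['rulesetname'], $selected)) {
            sqlite_query($db, "UPDATE {$table} SET enable = 'off' WHERE rulesetname = {$qName} and rdbuuid = {$qRdbuuid};");
        }
    }
}

/**
 * Stores the general IPS settings ($_POST['snortsam']['db']['gensettings'])
 * for $rdbuuid in SnortruleGenIps (update when a row exists, else insert).
 *
 * @param resource $db
 * @param string   $rdbuuid validated name
 * @return void
 */
function snortSql_createUpdateRulesetGenTable($db, $rdbuuid)
{
    $table = 'SnortruleGenIps';
    $gen = (isset($_POST['snortsam']['db']['gensettings']) && is_array($_POST['snortsam']['db']['gensettings']))
        ? $_POST['snortsam']['db']['gensettings'] : array();
    foreach (array('enable', 'who', 'timeamount', 'timetype') as $field) {
        if (!isset($gen[$field])) {
            $gen[$field] = '';
        }
    }
    // an unchecked checkbox posts nothing; store it as off (and mirror into POST as before)
    if (empty($gen['enable'])) {
        $gen['enable'] = 'off';
        $_POST['snortsam']['db']['gensettings']['enable'] = 'off';
    }
    $qRdbuuid = snortSql_quote($rdbuuid);
    $resultid = sqlite_query($db, "SELECT id FROM {$table} WHERE rdbuuid = {$qRdbuuid};");
    $chktable = $resultid ? sqlite_fetch_all($resultid, SQLITE_ASSOC) : array();
    if (!empty($chktable)) {
        sqlite_query($db, "UPDATE {$table} SET enable = " . snortSql_quote($gen['enable']) . ", who = " . snortSql_quote($gen['who'])
            . ", timeamount = " . snortSql_quote($gen['timeamount']) . ", timetype = " . snortSql_quote($gen['timetype'])
            . " WHERE rdbuuid = {$qRdbuuid};");
    } else {
        $rulesetUuid = genAlphaNumMixFast(11, 14);
        $addDate = time();
        sqlite_query($db, "INSERT INTO {$table} (date, uuid, rdbuuid, enable, who, timeamount, timetype)"
            . " VALUES ('{$addDate}', " . snortSql_quote($rulesetUuid) . ", {$qRdbuuid}, " . snortSql_quote($gen['enable'])
            . ", " . snortSql_quote($gen['who']) . ", " . snortSql_quote($gen['timeamount']) . ", " . snortSql_quote($gen['timetype']) . ");");
    }
}

/**
 * Save ruleSets settings.
 * Reads $_POST['dbName'], $_POST['dbTable'], $_POST['rdbuuid'], $_POST['filenamcheckbox']
 * and, on the ips tab (dbTable 'SnortruleSetsIps'), the gen settings too.
 *
 * @return bool false when the db/table/rdbuuid values fail validation
 */
function snortSql_updateRuleSetList()
{
    $dbTable = isset($_POST['dbTable']) ? $_POST['dbTable'] : '';
    $rdbuuid = isset($_POST['rdbuuid']) ? $_POST['rdbuuid'] : '';
    if (!snortSql_safeIdent($dbTable) || !snortSql_safeFileName($rdbuuid)) {
        return false;
    }
    // dont let user pick the DB path
    $db = snortSql_openDb(isset($_POST['dbName']) ? $_POST['dbName'] : '');
    if (!$db) {
        return false;
    }
    snortSql_createUpdateRulesetTable($db, $dbTable, $rdbuuid);
    // save gen setting only if on ips tab
    if ($dbTable === 'SnortruleSetsIps') {
        snortSql_createUpdateRulesetGenTable($db, $rdbuuid);
    }
    sqlite_close($db);
    return true;
}
// END Save ruleSets settings

/**
 * All rows of $table in /usr/local/pkg/snort/<dbname>.
 *
 * @param string $table
 * @param string $dbname
 * @return array|false false when table or db name fail validation
 */
function snortSql_fetchAllInterfaceRules($table, $dbname)
{
    if (!snortSql_safeIdent($table)) {
        return false;
    }
    // dont let user pick the DB path
    $db = snortSql_openDb($dbname);
    if (!$db) {
        return false;
    }
    $result = sqlite_query($db, "SELECT * FROM {$table} WHERE id > 0;");
    $chktable = $result ? sqlite_fetch_all($result, SQLITE_ASSOC) : array();
    sqlite_close($db);
    return $chktable;
}

/**
 * Fetch db settings (not JSON).
 * $type 'All' returns every row; 'id'/'uuid' return a single row (fetch_array);
 * 'ifaceuuid', 'ruledbname', 'rdbuuid', 'filename' return all rows matching $id_uuid.
 *
 * @param string $dbname
 * @param string $table
 * @param string $type   column name or 'All'
 * @param mixed  $id_uuid
 * @return array|false|null false on bad arguments, null for an unknown $type
 */
function snortSql_fetchAllSettings($dbname, $table, $type, $id_uuid)
{
    if (empty($dbname) || empty($table) || empty($type)) {
        return false;
    }
    if (!snortSql_safeIdent($table) || !snortSql_safeIdent($type)) {
        return false;
    }
    $db = snortSql_openDb($dbname);
    if (!$db) {
        return false;
    }
    if ($type == 'All') {
        $result = sqlite_query($db, "SELECT * FROM {$table} WHERE id > 0;");
    } else {
        $result = sqlite_query($db, "SELECT * FROM {$table} where {$type} = " . snortSql_quote($id_uuid) . ";");
    }
    $chktable = null;
    if ($result) {
        if ($type == 'id' || $type == 'uuid') {
            $chktable = sqlite_fetch_array($result, SQLITE_ASSOC);
        } elseif (in_array($type, array('All', 'ifaceuuid', 'ruledbname', 'rdbuuid', 'filename'), true)) {
            $chktable = sqlite_fetch_all($result, SQLITE_ASSOC);
        }
    }
    sqlite_close($db);
    return $chktable;
}

/**
 * Fetch db list settings (not JSON): rows of $table with the given filename.
 *
 * @param string $table
 * @param string $listFilename
 * @return array|false false when the table name fails validation
 */
function snortSql_fetchAllSettingsList($table, $listFilename)
{
    if (!snortSql_safeIdent($table)) {
        return false;
    }
    $db = sqlite_open('/usr/local/pkg/snort/snortDB');
    if (!$db) {
        return false;
    }
    $result = sqlite_query($db, "SELECT * FROM {$table} WHERE filename = " . snortSql_quote($listFilename) . ";");
    $chktable = $result ? sqlite_fetch_all($result, SQLITE_ASSOC) : array();
    sqlite_close($db);
    return $chktable;
}

/**
 * Update settings to database: every POST key (except dbName/dbTable) is
 * written as a column of $_POST['dbTable'] in $_POST['dbName'], for the row
 * whose $type ('id' or 'uuid') column equals $id_uuid. A missing uuid row is
 * created first.
 *
 * @param string $type    'id' or 'uuid'
 * @param mixed  $id_uuid
 * @return bool|string true, or 'Error in query'
 */
function snortSql_updateSettings($type, $id_uuid)
{
    $settings = $_POST;
    // update date on every save (the old code set $_POST after copying, so the
    // INSERT below never saw it)
    $settings['date'] = time();
    $_POST['date'] = $settings['date'];
    $dbname = isset($settings['dbName']) ? $settings['dbName'] : '';
    $table = isset($settings['dbTable']) ? $settings['dbTable'] : '';
    // unset POSTs that are markers not in db
    unset($settings['dbName'], $settings['dbTable']);
    if (!snortSql_safeIdent($table) || ($type != 'id' && $type != 'uuid')) {
        return 'Error in query';
    }
    $mydb = snortSql_openDb($dbname);
    if (!$mydb) {
        return 'Error in query';
    }
    $qId = snortSql_quote($id_uuid);
    // START add new row if not set
    if ($type == 'uuid') {
        $query_ck = sqlite_query($mydb, "SELECT * FROM {$table} WHERE uuid = {$qId};");
        $query_ckFinal = $query_ck ? sqlite_fetch_all($query_ck, SQLITE_ASSOC) : array();
        if (empty($query_ckFinal)) {
            $uuid = isset($settings['uuid']) ? $settings['uuid'] : '';
            sqlite_query($mydb, "INSERT INTO {$table} (date, uuid) VALUES ('{$settings['date']}', " . snortSql_quote($uuid) . ");");
            if (sqlite_changes($mydb) < 1) {
                sqlite_close($mydb);
                return 'Error in query';
            }
        }
    }
    // START add values to row: the POST key is the column name, so it must
    // pass the identifier whitelist before it is spliced into the statement
    $where = ($type == 'id') ? 'id' : 'uuid';
    foreach ($settings as $key => $value) {
        if (empty($key)) {
            continue;
        }
        if (!snortSql_safeIdent($key)) {
            sqlite_close($mydb);
            return 'Error in query';
        }
        sqlite_query($mydb, "UPDATE {$table} SET {$key} = " . snortSql_quote($value) . " WHERE {$where} = {$qId};");
        if (sqlite_changes($mydb) < 1) {
            sqlite_close($mydb);
            return 'Error in query';
        }
    }
    sqlite_close($mydb);
    return true;
}

/**
 * Fetch for snort_interfaces_whitelist.php (not JSON).
 * Returns the rows of $table; when $table2 is given each row also carries
 * 'list' => up to 4 ips of $table2 with the same filename.
 *
 * @param string $table
 * @param string $table2
 * @return array|false false on bad table names or when $table is empty
 */
function snortSql_fetchAllWhitelistTypes($table, $table2)
{
    if (empty($table) || !snortSql_safeIdent($table)) {
        return false;
    }
    if ($table2 != '' && !snortSql_safeIdent($table2)) {
        return false;
    }
    $db = sqlite_open('/usr/local/pkg/snort/snortDB');
    if (!$db) {
        return false;
    }
    $result = sqlite_query($db, "SELECT * FROM {$table} where id > 0;");
    $chktable = $result ? sqlite_fetch_all($result, SQLITE_ASSOC) : array();
    if (empty($chktable)) {
        sqlite_close($db);
        return false;
    }
    if ($table2 != '') {
        $final = array();
        foreach ($chktable as $value) {
            $result2 = sqlite_query($db, "SELECT ip FROM {$table2} WHERE filename = " . snortSql_quote($value['filename']) . " LIMIT 4;");
            $chktable2 = $result2 ? sqlite_fetch_all($result2, SQLITE_ASSOC) : array();
            $final[] = array(
                'id' => $value['id'],
                'date' => $value['date'],
                'uuid' => $value['uuid'],
                'filename' => $value['filename'],
                'description' => $value['description'],
                'snortlisttype' => $value['snortlisttype'],
                'list' => $chktable2,
            );
        }
    } else {
        $final = $chktable;
    }
    sqlite_close($db);
    return $final;
}

/**
 * Save Whitelist ips settings into <$_POST['dbTable']>ips for $_POST['filename']:
 * entries without an ip are dropped, db rows whose uuid is no longer posted are
 * deleted, 'EmptyUUID' entries are inserted with a fresh uuid, the rest updated.
 *
 * @param mixed $newPostListips list of entry arrays (keys become columns)
 * @return bool|string true, or 'Error in query'
 */
function snortSql_updateWhitelistIps($newPostListips)
{
    if (empty($newPostListips)) {
        return true;
    }
    $table = isset($_POST['dbTable']) ? $_POST['dbTable'] : '';
    $filename = isset($_POST['filename']) ? $_POST['filename'] : '';
    if (!snortSql_safeIdent($table)) {
        return 'Error in query';
    }
    $tableips = $table . 'ips';
    $mydb = sqlite_open('/usr/local/pkg/snort/snortDB');
    if (!$mydb) {
        return 'Error in query';
    }
    $date = time();
    $qFilename = snortSql_quote($filename);

    // drop list entries that have no ip
    $genList = array();
    foreach ((array) $newPostListips as $entry) {
        if (is_array($entry) && !empty($entry['ip'])) {
            $genList[] = $entry;
        }
    }
    // remove everything if nothing usable is in the post
    if (empty($genList)) {
        sqlite_query($mydb, "DELETE FROM {$tableips} WHERE filename = {$qFilename};");
        sqlite_close($mydb);
        return true;
    }

    // START Remove entries from DB that are no longer posted
    $resultUuid = sqlite_query($mydb, "SELECT uuid FROM {$tableips} WHERE filename = {$qFilename};");
    $resultUuidFinal = $resultUuid ? sqlite_fetch_all($resultUuid, SQLITE_ASSOC) : array();
    if (!empty($resultUuidFinal)) {
        $uuidListDB = array();
        foreach ($resultUuidFinal as $row) {
            $uuidListDB[] = $row['uuid'];
        }
        $uuidListPOST = array();
        foreach ($genList as $entry) {
            $uuidListPOST[] = isset($entry['uuid']) ? $entry['uuid'] : '';
        }
        foreach (array_diff($uuidListDB, $uuidListPOST) as $stale) {
            sqlite_query($mydb, "DELETE FROM {$tableips} WHERE uuid = " . snortSql_quote($stale) . ";");
        }
    }

    // START add entries/updates to DB
    foreach ($genList as $list) {
        $uuid = isset($list['uuid']) ? $list['uuid'] : '';
        $isNew = ($uuid == 'EmptyUUID');
        if ($isNew) {
            $uuid = genAlphaNumMixFast(28, 28);
            $list['uuid'] = $uuid;
            sqlite_query($mydb, "INSERT INTO {$tableips} (date, uuid, filename) VALUES ('{$date}', " . snortSql_quote($uuid) . ", {$qFilename});");
            if (sqlite_changes($mydb) < 1) {
                sqlite_close($mydb);
                return 'Error in query';
            }
        }
        $qUuid = snortSql_quote($uuid);
        foreach ($list as $key => $value) {
            if ($key == '') {
                continue;
            }
            // the key is used as a column name
            if (!snortSql_safeIdent($key)) {
                sqlite_close($mydb);
                return 'Error in query';
            }
            // existing rows also get their date refreshed, as before
            $dateSet = $isNew ? '' : ", date = '{$date}'";
            sqlite_query($mydb, "UPDATE {$tableips} SET {$key} = " . snortSql_quote($value) . "{$dateSet} WHERE uuid = {$qUuid};");
            if (sqlite_changes($mydb) < 1) {
                sqlite_close($mydb);
                return 'Error in query';
            }
        }
    }
    sqlite_close($mydb);
    return true;
}

/**
 * RMlist Delete: removes the rows of $table whose $type column equals $uuid_filename.
 *
 * @param string $databse       db file name below /usr/local/pkg/snort
 * @param string $table
 * @param string $type          column name; nothing is deleted when empty
 * @param mixed  $uuid_filename
 * @return bool|string true, or 'Error in query'
 */
function snortSql_updatelistDelete($databse, $table, $type, $uuid_filename)
{
    if (!snortSql_safeIdent($table) || (!empty($type) && !snortSql_safeIdent($type))) {
        return 'Error in query';
    }
    $mydb = snortSql_openDb($databse);
    if (!$mydb) {
        return 'Error in query';
    }
    if (!empty($type)) {
        sqlite_query($mydb, "DELETE FROM {$table} WHERE {$type} = " . snortSql_quote($uuid_filename) . ";");
        if (sqlite_changes($mydb) < 1) {
            sqlite_close($mydb);
            return 'Error in query';
        }
    }
    sqlite_close($mydb);
    return true;
}

/**
 * Echoes one <option> per $list entry (key = value, entry = label), marking
 * the entry equal to $setting as selected.
 *
 * NOTE(review): the option markup was lost when this file was captured; this
 * body restores the usual value/label form with HTML escaping -- confirm
 * against the original before relying on the exact markup.
 *
 * @param mixed $list
 * @param mixed $setting
 * @return void
 */
function snortDropDownList($list, $setting)
{
    foreach ((array) $list as $value => $label) {
        $selected = ((string) $value === (string) $setting) ? ' selected="selected"' : '';
        echo "\n" . '<option value="' . htmlspecialchars((string) $value, ENT_QUOTES) . '"' . $selected . '>'
            . htmlspecialchars((string) $label, ENT_QUOTES) . '</option>' . "\r";
    }
}

/**
 * Packs /var/log/snort into /tmp/snort_logs_<stamp>.tar.gz after removing
 * earlier download files, and echoes the download JSON.
 *
 * @return bool true when the archive exists afterwards
 */
function snort_downloadAllLogs()
{
    $save_date = date('Y-m-d-H-i-s');
    $file_name = "snort_logs_{$save_date}.tar.gz";
    // remove old files
    foreach (array('/tmp/snort_logs_*.gz', '/tmp/snort_blocked_*.gz', '/tmp/snort_block.pf') as $pattern) {
        $old = glob($pattern);
        if (is_array($old)) {
            foreach ($old as $oldFile) {
                unlink($oldFile);
            }
        }
    }
    exec('/bin/rm -r /tmp/snort_blocked'); // remove old staging dir
    exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort");
    if (file_exists("/tmp/{$file_name}")) {
        echo " { \"snortdownload\": \"success\", \"downloadfilename\": \"{$save_date}\" } ";
        return true;
    }
    return false;
}

/**
 * Sends the saved log archive for $_GET['snortlogfilename'] (a stamp produced
 * by snort_downloadAllLogs / snort_downloadBlockedIPs) to the browser and
 * deletes it. The stamp must be a plain date stamp: it is spliced into a
 * /tmp path and a response header.
 *
 * @return bool false (after echoing an error) when no saved file matches
 */
function sendFileSnortLogDownload()
{
    //ob_start(); //important or other post will fail
    $file_name_date = isset($_GET['snortlogfilename']) ? $_GET['snortlogfilename'] : '';
    if (!is_string($file_name_date) || !preg_match('/^[0-9]{4}(-[0-9]{2}){5}$/D', $file_name_date)) {
        echo 'Error no saved file.';
        return false;
    }
    $file_name = '';
    // the blocked-ips archive wins when both exist, as before
    foreach (array("snort_logs_{$file_name_date}.tar.gz", "snort_blocked_{$file_name_date}.tar.gz") as $candidate) {
        if (file_exists("/tmp/{$candidate}")) {
            $file_name = $candidate;
        }
    }
    if ($file_name === '') {
        echo 'Error no saved file.';
        return false;
    }
    $file = "/tmp/{$file_name}";
    header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
    header('Pragma: private'); // needed for IE
    header('Cache-Control: private, must-revalidate'); // needed for IE
    header('Content-type: application/force-download');
    header('Content-Transfer-Encoding: Binary');
    header('Content-length: ' . filesize($file));
    header("Content-disposition: attachment; filename=\"{$file_name}\"");
    readfile($file);
    unlink($file);
    //ob_end_clean(); //important or other post will fail
    return true;
}

// Warning code not finished until rule code is DONE !
/**
 * Delete Snort logs: truncates the alert log, fixes ownership/mode of the
 * log dir and HUPs snort; echoes the delete JSON.
 *
 * @return bool always true
 */
function snortDeleteLogs()
{
    if (file_exists('/var/log/snort/alert')) {
        // the old `echo "" > alert` left a single newline in the file
        file_put_contents('/var/log/snort/alert', "\n");
        //post_delete_logs();
        exec('/usr/sbin/chown snort:snort /var/log/snort/*');
        exec('/bin/chmod 660 /var/log/snort/*');
        sleep(2);
        exec('/usr/bin/killall -HUP snort');
    }
    echo ' { "snortdelete": "success" } ';
    return true;
}
// Warning code not finished until rule code is DONE !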
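// code needs to be worked on when the rules code is finished
/**
 * Rotates/removes per-interface snort logs (unified2, tcpdump, stats) for
 * every rule entry in $config['installedpackages']['snortglobal']['rule'].
 * Interfaces whose uuid is empty or not a plain name are skipped.
 *
 * @return void
 */
function post_delete_logs()
{
    global $config;
    $snort_log_dir = '/var/log/snort';
    /* do not start if the rule list is empty */
    if (empty($config['installedpackages']['snortglobal']['rule'])) {
        return;
    }
    $rule_array = $config['installedpackages']['snortglobal']['rule'];
    $id = -1;
    foreach ($rule_array as $unused) {
        $id += 1;
        $rule = isset($rule_array[$id]) ? $rule_array[$id] : array();
        $snort_uuid = isset($rule['uuid']) ? $rule['uuid'] : '';
        // the uuid is spliced into log file paths below
        if ($snort_uuid == '' || !preg_match('/^[A-Za-z0-9_.\-]+$/D', $snort_uuid)) {
            continue;
        }
        if (isset($rule['snortunifiedlog']) && $rule['snortunifiedlog'] == 'on') {
            $snort_list_u2 = snort_file_list($snort_log_dir, "{$snort_uuid}.u2.");
            if (is_array($snort_list_u2)) {
                usort($snort_list_u2, 'snort_file_sort');
                $snort_u2_rm_list = snort_build_order($snort_list_u2);
                if (is_array($snort_u2_rm_list) && isset($snort_u2_rm_list[0])) {
                    snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]);
                }
            }
        } else {
            $old = glob("{$snort_log_dir}/snort_{$snort_uuid}.u2*");
            if (is_array($old)) {
                foreach ($old as $oldFile) {
                    unlink($oldFile);
                }
            }
        }
        if (isset($rule['tcpdumplog']) && $rule['tcpdumplog'] == 'on') {
            $snort_list_tcpd = snort_file_list($snort_log_dir, "{$snort_uuid}.tcpdump.");
            if (is_array($snort_list_tcpd)) {
                usort($snort_list_tcpd, 'snort_file_sort');
                $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd);
                if (is_array($snort_tcpd_rm_list) && isset($snort_tcpd_rm_list[0])) {
                    snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]);
                }
            }
        } else {
            $old = glob("{$snort_log_dir}/snort_{$snort_uuid}.tcpdump*");
            if (is_array($old)) {
                foreach ($old as $oldFile) {
                    unlink($oldFile);
                }
            }
        }
        /* create barnyard2 configuration file */
        //if ($config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'] == 'on')
        //create_barnyard2_conf($id, $if_real, $snort_uuid);
        if (isset($rule['perform_stat']) && $rule['perform_stat'] == 'on') {
            // the old `echo '' > stats` left a single newline in the file
            file_put_contents("/var/log/snort/snort_{$snort_uuid}.stats", "\n");
        }
    }
}
// END General Functions

/**
 * Dumps the snort2c pf table into /tmp/snort_blocked/snort_block.pf, packs it
 * as /tmp/snort_blocked_<stamp>.tar.gz and echoes the download JSON.
 *
 * @return bool true when the archive exists afterwards
 */
function snort_downloadBlockedIPs()
{
    // remove old files
    foreach (array('/tmp/snort_logs_*.gz', '/tmp/snort_blocked_*.gz', '/tmp/snort_block.pf') as $pattern) {
        $old = glob($pattern);
        if (is_array($old)) {
            foreach ($old as $oldFile) {
                unlink($oldFile);
            }
        }
    }
    exec('/bin/rm -r /tmp/snort_blocked'); // remove old staging dir
    $save_date = date('Y-m-d-H-i-s');
    $file_name = "snort_blocked_{$save_date}.tar.gz";
    mkdir('/tmp/snort_blocked');
    // read the table straight from pfctl instead of via a predictable /tmp file
    $lines = array();
    exec('/sbin/pfctl -t snort2c -T show', $lines);
    $blocked = array();
    foreach ($lines as $line) {
        $line = str_replace(' ', '', $line);
        if ($line !== '') {
            $blocked[] = $line;
        }
    }
    if (!empty($blocked)) {
        /* build the list, one entry per line as the old echo loop did */
        file_put_contents('/tmp/snort_blocked/snort_block.pf', implode("\n", $blocked) . "\n");
    }
    exec("/usr/bin/tar cfz /tmp/{$file_name} /tmp/snort_blocked");
    if (file_exists("/tmp/{$file_name}")) {
        echo " { \"snortdownload\": \"success\", \"downloadfilename\": \"{$save_date}\" } ";
        return true;
    }
    return false;
}

/**
 * Flushes every ip from the snort2c pf table and echoes the delete JSON.
 *
 * @return bool always true
 */
function snortRemoveBlockedIPs()
{
    exec('/sbin/pfctl -t snort2c -T flush');
    echo ' { "snortdelete": "success" } ';
    return true;
}

/*
 * Returns true if $name is a valid whitelist file name or ip: a non-empty
 * string of letters, digits, '-' and '_' only (a trailing newline is rejected
 * too, which a bare $ anchor would let through).
 */
function is_validFileName($name)
{
    if (empty($name) || !is_string($name)) {
        return false;
    }
    return preg_match('/^[a-zA-Z0-9\-_]+$/D', $name) === 1;
}

/**
 * Random integer in [$min, $max]. Uses random_int() when the runtime has it,
 * otherwise /dev/urandom (as the original comment recommended); mt_rand()
 * only as a last resort.
 *
 * @param int $min
 * @param int $max
 * @return int
 */
function snortRandomInt($min, $max)
{
    if ($max <= $min) {
        return $min;
    }
    if (function_exists('random_int')) {
        return random_int($min, $max);
    }
    $range = $max - $min + 1;
    if (is_readable('/dev/urandom')) {
        $fh = fopen('/dev/urandom', 'rb');
        if ($fh) {
            $bytes = fread($fh, 4);
            fclose($fh);
            if ($bytes !== false && strlen($bytes) === 4) {
                $unpacked = unpack('N', $bytes);
                // modulo bias is negligible for the small ranges used here
                return $min + (($unpacked[1] & 0x7fffffff) % $range);
            }
        }
    }
    return mt_rand($min, $max);
}

/*
 * gen Alpha Num Mix for uuids or anything random, NEVER USE rand()
 * Length is random in [$min, $max] (values above 36 are capped at 30 as
 * before); characters are drawn from A-Z, 0-9, a-z with a CSPRNG where one
 * is available.
 */
function genAlphaNumMixFast($min = 14, $max = 28)
{
    $min = (int) $min;
    $max = (int) $max;
    if ($max < $min) {
        $max = $min;
    }
    $num = snortRandomInt($min, $max);
    if ($num > 36) {
        $num = 30;
    }
    if ($num < 1) {
        $num = 1;
    }
    $pool = array_merge(range('A', 'Z'), range(0, 9), range('a', 'z'));
    $last = count($pool) - 1;
    $randAlphaNum = '';
    for ($i = 0; $i < $num; $i++) {
        $randAlphaNum .= $pool[snortRandomInt(0, $last)];
    }
    return $randAlphaNum;
}

/**
 * Lists the entries of $path, optionally keeping only those matching the
 * regex fragment $filtername (wrapped in /.../).
 *
 * @param string $path
 * @param string $filtername regex fragment; empty returns the full listing
 * @return array empty when $path is not a readable dir or nothing matches
 */
function snortScanDirFilter($path, $filtername)
{
    if (!is_dir($path)) {
        return array();
    }
    $listDir = scandir($path);
    if ($listDir === false) {
        return array();
    }
    if (empty($filtername)) {
        return $listDir;
    }
    $pattern = "/{$filtername}/";
    $filterDirList = array();
    foreach ($listDir as $entry) {
        if (preg_match($pattern, $entry)) {
            $filterDirList[] = $entry;
        }
    }
    return $filterDirList;
}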