"; echo "\n \n \n \n \n \n \n \n \n
\n"; $tab_array = array(); $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); $tab_array[] = array("Rules", true, "/snort/snort_rules.php?id={$id}"); $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); echo "
\n
\n \n \n \n \n
\n # The rules directory is empty.\n
\n
\n
\n \n \n \n

\n\n"; echo "Please click on the Update Rules tab to install your selected rule sets."; include("fend.inc"); echo ""; echo ""; exit(0); } function get_middle($source, $beginning, $ending, $init_pos) { $beginning_pos = strpos($source, $beginning, $init_pos); $middle_pos = $beginning_pos + strlen($beginning); $ending_pos = strpos($source, $ending, $beginning_pos); $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); return $middle; } function write_rule_file($content_changed, $received_file) { //read snort file with writing enabled $filehandle = fopen($received_file, "w"); //delimiter for each new rule is a new line $delimiter = "\n"; //implode the array back into a string for writing purposes $fullfile = implode($delimiter, $content_changed); //write data to file fwrite($filehandle, $fullfile); //close file handle fclose($filehandle); } function load_rule_file($incoming_file) { //read snort file $filehandle = fopen($incoming_file, "r"); //read file into string, and get filesize $contents = fread($filehandle, filesize($incoming_file)); //close handler fclose ($filehandle); //string for populating category select $currentruleset = basename($file); //delimiter for each new rule is a new line $delimiter = "\n"; //split the contents of the string file into an array using the delimiter $splitcontents = explode($delimiter, $contents); return $splitcontents; } $ruledir = "/usr/local/etc/snort/snort_{$id}{$if_real}/rules/"; $dh = opendir($ruledir); if ($_GET['openruleset'] != '' && $_GET['ids'] != '') { header("Location: /snort/snort_rules.php?id=$id&openruleset={$_GET['openruleset']}&saved=yes"); } while (false !== ($filename = readdir($dh))) { //only populate this array if its a rule file $isrulefile = strstr($filename, ".rules"); if ($isrulefile !== false) { $files[] = $filename; } } sort($files); if ($_GET['openruleset']) { $file = $_GET['openruleset']; } else { $file = $ruledir.$files[0]; } //Load the rule file $splitcontents = load_rule_file($file); if ($_POST) { conf_mount_rw(); if (!$_POST['apply']) { //retrieve POST data $post_lineid = $_POST['lineid']; $post_enabled = $_POST['enabled']; $post_src = $_POST['src']; $post_srcport = $_POST['srcport']; $post_dest = $_POST['dest']; $post_destport = $_POST['destport']; //clean up any white spaces insert by accident $post_src = str_replace(" ", "", $post_src); $post_srcport = str_replace(" ", "", $post_srcport); $post_dest = str_replace(" ", "", $post_dest); $post_destport = str_replace(" ", "", $post_destport); //copy rule contents from array into string $tempstring = $splitcontents[$post_lineid]; //search string $findme = "# alert"; //find string for disabled alerts //find if alert is disabled $disabled = strstr($tempstring, $findme); //if find alert is false, then rule is disabled if ($disabled !== false) { //has rule been enabled if ($post_enabled == "yes") { //move counter up 1, so we do not retrieve the # in the rule_content array $tempstring = str_replace("# alert", "alert", $tempstring); $counter2 = 1; } else { //rule is staying disabled $counter2 = 2; } } else { //has rule been disabled if ($post_enabled != "yes") { //move counter up 1, so we do not retrieve the # in the rule_content array $tempstring = str_replace("alert", "# alert", $tempstring); $counter2 = 2; } else { //rule is staying enabled $counter2 = 1; } } //explode rule contents into an array, (delimiter is space) $rule_content = explode(' ', $tempstring); //insert new values $counter2++; $rule_content[$counter2] = $post_src;//source location $counter2++; $rule_content[$counter2] = $post_srcport;//source port location $counter2 = $counter2+2; $rule_content[$counter2] = $post_dest;//destination location $counter2++; $rule_content[$counter2] = $post_destport;//destination port location //implode the array back into string $tempstring = implode(' ', $rule_content); //copy string into file array for writing $splitcontents[$post_lineid] = $tempstring; //write the new .rules file write_rule_file($splitcontents, $file); //once file has been written, reload file $splitcontents = load_rule_file($file); $stopMsg = true; } } else if ($_GET['act'] == "toggle") { conf_mount_rw(); $toggleid = $_GET['ids']; //copy rule contents from array into string $tempstring = $splitcontents[$toggleid]; //explode rule contents into an array, (delimiter is space) $rule_content = explode(' ', $tempstring); //search string $findme = "# alert"; //find string for disabled alerts //find if alert is disabled $disabled = strstr($tempstring, $findme); //if find alert is false, then rule is disabled if ($disabled !== false) { //rule has been enabled //move counter up 1, so we do not retrieve the # in the rule_content array $tempstring = str_replace("# alert", "alert", $tempstring); } else { //has rule been disabled //move counter up 1, so we do not retrieve the # in the rule_content array $tempstring = str_replace("alert", "# alert", $tempstring); } //copy string into array for writing $splitcontents[$toggleid] = $tempstring; //write the new .rules file write_rule_file($splitcontents, $file); //once file has been written, reload file $splitcontents = load_rule_file($file); $stopMsg = true; //write disable/enable sid to config.xml if ($disabled == false) { $string_sid = strstr($tempstring, 'sid:'); $sid_pieces = explode(";", $string_sid); $sid_off_cut = $sid_pieces[0]; // sid being turned off $sid_off = str_replace("sid:", "", $sid_off_cut); // rule_sid_on registers $sid_on_pieces = $a_nat[$id]['rule_sid_on']; // if off sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); // write the replace sid back as empty $a_nat[$id]['rule_sid_on'] = $sid_on_old; // rule sid off registers $sid_off_pieces = $a_nat[$id]['rule_sid_off']; // if off sid is the same as off sid remove it $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); // write the replace sid back as empty $a_nat[$id]['rule_sid_off'] = $sid_off_old; // add sid off registers to new off sid $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; write_config(); conf_mount_rw(); } else { $string_sid = strstr($tempstring, 'sid:'); $sid_pieces = explode(";", $string_sid); $sid_on_cut = $sid_pieces[0]; // sid being turned off $sid_on = str_replace("sid:", "", $sid_on_cut); // rule_sid_off registers $sid_off_pieces = $a_nat[$id]['rule_sid_off']; // if off sid is the same as on sid remove it $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); // write the replace sid back as empty $a_nat[$id]['rule_sid_off'] = $sid_off_old; // rule sid on registers $sid_on_pieces = $a_nat[$id]['rule_sid_on']; // if on sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); // write the replace sid back as empty $a_nat[$id]['rule_sid_on'] = $sid_on_old; // add sid on registers to new on sid $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; write_config(); conf_mount_rw(); } } if ($_GET['saved'] == 'yes') { $message = "The Snort rule configuration has been changed.
You must restart this snort interface in order for the changes to take effect."; // stop_service("snort"); // sleep(2); // start_service("snort"); // $savemsg = ""; // $stopMsg = false; } $currentruleset = basename($file); $pgtitle = "Snort: Interface $id$if_real Rule File $currentruleset"; require("guiconfig.inc"); include("head.inc"); ?>

"; ?>
Category: "; //string for populating category select $currentruleset = basename($file); ?> "; $textse = ""; $iconb = "icon_block_d.gif"; } else { $textss = $textse = ""; $iconb = "icon_block.gif"; } if ($disabled_pos !== false){ $ischecked = ""; }else{ $ischecked = "checked"; } $rule_content = explode(' ', $tempstring); $protocol = $rule_content[$counter2];//protocol location $counter2++; $source = $rule_content[$counter2];//source location $counter2++; $source_port = $rule_content[$counter2];//source port location $counter2 = $counter2+2; $destination = $rule_content[$counter2];//destination location $counter2++; $destination_port = $rule_content[$counter2];//destination port location if (strstr($tempstring, 'msg: "')) $message = get_middle($tempstring, 'msg: "', '";', 0); if (strstr($tempstring, 'msg:"')) $message = get_middle($tempstring, 'msg:"', '";', 0); echo ""; ?>
"; ?>
  SID Proto Source Port Destination Port Message
$textss\n"; ?> onClick="enable_change(false)"> $textss $sid $textse $textss $protocol"; ?> $textss $source $textse $textss $source_port $textse $textss $destination $textse $textss $destination_port $textse "; ?>
Rule Enabled
Rule Disabled