6) $snort_pfsense_basever = 'no'; else $snort_pfsense_basever = 'yes'; /* find out what arch where in x86 , x64 */ $snort_arch_ck = php_uname("m"); if ($snort_arch_ck == 'i386') $snort_arch = 'x86'; else if ($snort_arch_ck = "amd64") $snort_arch = 'x64'; else $snort_arch = "Unknown"; /* tell me my theme */ $pfsense_theme_is = $config['theme']; /* func builds custom white lists */ function find_whitelist_key($find_wlist_number) { global $config, $g; if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) $config['installedpackages']['snortglobal']['whitelist'] = array(); if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) return 0; /* XXX */ foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $w_key => $value) { if ($value['name'] == $find_wlist_number) return $w_key; } } /* func builds custom suppress lists */ function find_suppress_key($find_slist_number) { global $config, $g; if (!is_array($config['installedpackages']['snortglobal']['suppress'])) $config['installedpackages']['snortglobal']['suppress'] = array(); if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) return 0; /* XXX */ foreach ($config['installedpackages']['snortglobal']['suppress']['item'] as $s_key => $value) { if ($value['name'] == $find_slist_number) return $s_key; } } /* func builds custom whitelests */ function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $userwips) { global $config, $g, $snort_pfsense_basever; /* build an interface array list */ if (function_exists('get_configured_interface_list')) $int_array = get_configured_interface_list(); else { $int_array = array('lan'); for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) if(isset($config['interfaces']['opt' . $j]['enable'])) if(isset($config['interfaces']['opt' . 
$j]['gateway'])) $int_array[] = "opt{$j}"; } $home_net = ""; /* iterate through interface list and write out whitelist items * and also compile a home_net list for snort. */ foreach ($int_array as $int) { /* calculate interface subnet information */ if (function_exists('get_interface_ip')) { $subnet = get_interface_ip($int); if (is_ipaddr($subnet)) { $sn = get_interface_subnet($int); $home_net .= "{$subnet}/{$sn} "; } } else { $ifcfg = $config['interfaces'][$int]; switch ($ifcfg['ipaddr']) { case "pppoe": case "pptp": case "l2tp": if (function_exists('get_interface_ip')) $subnet = get_interface_ip($int); else $subnet = find_interface_ip("ng0"); if (is_ipaddr($subnet)) $home_net .= "{$subnet} "; break; case "dhcp": $subnet = find_interface_ip(snort_get_real_interface($int)); if (is_ipaddr($subnet)) $home_net .= "{$subnet} "; break; default: if (is_ipaddr($ifcfg['ipaddr'])) { $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); if ($ifcfg['subnet']) $home_net .= "{$subnet}/{$ifcfg['subnet']} "; } break; } } } if ($snort_pfsense_basever == 'yes' && $wanip == 'yes') { /* add all WAN ips to the whitelist */ $wan_if = get_real_wan_interface(); $ip = find_interface_ip($wan_if); if (is_ipaddr($ip)) $home_net .= "{$ip} "; } if ($wangw == 'yes') { /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ $gw = get_interface_gateway('wan'); if($gw) $home_net .= "{$gw} "; } if($wandns == 'yes') { /* Add DNS server for WAN interface to whitelist */ $dns_servers = get_dns_servers(); foreach ($dns_servers as $dns) { if($dns) $home_net .= "{$dns} "; } } if($vips == 'yes') { /* iterate all vips and add to whitelist */ if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { foreach($config['virtualip']['vip'] as $vip) if($vip['subnet']) $home_net .= "{$vip['subnet']} "; } } /* Add loopback to whitelist (ftphelper) */ $home_net .= "127.0.0.1 "; /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ if ($vpns == 'yes') { if 
($snort_pfsense_basever == 'yes') // chk what pfsense version were on $vpns_list = get_vpns_list(); else if ($snort_pfsense_basever == 'no') // chk what pfsense version were on $vpns_list = filter_get_vpns_list(); if (!empty($vpns_list)) $home_net .= "{$vpns_list} "; } /* never ever compair numbers to words */ if ($userwips > -1) { if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); $home_net .= $config['installedpackages']['snortglobal']['whitelist']['item'][$userwips]['address']; } $home_net = trim($home_net); /* this foe whitelistfile, convert spaces to carriage returns */ if ($build_netlist == 'whitelist') { $whitelist_home_net = str_replace(" ", "\n", $home_net); $whitelist_home_net = str_replace(" ", "\n", $home_net); return $whitelist_home_net; } /* this is for snort.conf */ $validator = explode(" ", $home_net); $valresult = array(); foreach ($validator as $vald) { if (empty($vald)) continue; $valresult[] = $vald; } $home_net = implode(",", $valresult); $home_net = "[{$home_net}]"; return $home_net; } /* checks to see if snort is running yes/no and stop/start */ function Running_Ck($snort_uuid, $if_real, $id) { global $config; $snort_up_ck = exec("/bin/ps -U snort | /usr/bin/grep snort | /usr/bin/awk '{print \$1;}'"); if(snort_up_ck == '') { $snort_up = 'no'; return $snort_up; } if(snort_up_ck != ''){ /* use ob_clean to clear output buffer, this code needs to be watched */ ob_clean(); $snort_up_prell = exec("/bin/ps -U snort | /usr/bin/grep \"\-R {$snort_uuid}\" | /usr/bin/awk '{print \$1;}'"); if ($snort_up_prell != '') { $snort_uph = 'yes'; }else{ $snort_uph = 'no'; } } return $snort_uph; } /* checks to see if barnyard2 is running yes/no */ function Running_Ck_b($snort_uuid, $if_real, $id) { global $config; $snort_up_ck_b = exec("/bin/ps -U snort | /usr/bin/grep barnyard2 | /usr/bin/awk '{print \$1;}'"); if($snort_up_ck_b == ''){ $snort_up_b = 'no'; 
return $snort_up_b; } if(snort_up_ck_b != '') { ob_clean(); $snort_up_pre_b = exec("/bin/ps -U snort | grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); if ($snort_up_pre_b != '') { $snort_up_b = 'yes'; }else{ $snort_up_b = 'no'; } } return $snort_up_b; } function Running_Stop($snort_uuid, $if_real, $id) { global $config; /* if snort.sh crashed this will remove the pid */ exec('/bin/rm /tmp/snort.sh.pid'); $start_up_s = exec("/bin/ps -U snort | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'"); $start_up_r = exec("/bin/ps -U root | grep \"\-R {$snort_uuid}\" | awk '{ print \$1; }'"); $start2_upb_s = exec("/bin/ps -U snort | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{ print \$1; }'"); $start2_upb_r = exec("/bin/ps -U root | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{ print \$1; }'"); if ($start_up_s != '' || $start_up_r != '' || $start2_upb_s != '' || $start2_upb_r != '') { if ($start_up_s != '') { exec("/bin/kill {$start_up_s}"); exec("rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); exec("rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*"); } if ($start2_upb_s != '') { exec("/bin/kill {$start2_upb_s}"); exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); } if ($start_up_r != '') { exec("/bin/kill {$start_up_r}"); exec("rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); exec("rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*"); } if ($start2_upb_r != '') { exec("/bin/kill {$start2_upb_r}"); exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); } /* Log Iface stop */ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'"); sleep(2); // Give time so GUI displays correctly } } function Running_Start($snort_uuid, $if_real, $id) { global $config; /* if snort.sh crashed this will remove the pid */ @unlink('/tmp/snort.sh.pid'); $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; if ($snort_info_chk == 'on') 
exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); /* define snortbarnyardlog_chk */ /* top will have trouble if the uuid is to far back */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '' && $snort_info_chk == 'on') { exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"); } /* Log Iface stop */ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'"); sleep(2); // Give time so GUI displays correctly } /* get the real iface name of wan */ function snort_get_real_interface($interface) { global $config; $lc_interface = strtolower($interface); if (function_exists('get_real_interface')) return get_real_interface($lc_interface); else { if ($lc_interface == "lan") { if ($config['inerfaces']['lan']) return $config['interfaces']['lan']['if']; return $interface; } if ($lc_interface == "wan") return $config['interfaces']['wan']['if']; $ifdescrs = array(); for ($j = 1; isset($config['interfaces']['opt' . 
$j]); $j++) { $ifname = "opt{$j}"; if(strtolower($ifname) == $lc_interface) return $config['interfaces'][$ifname]['if']; if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface)) return $config['interfaces'][$ifname]['if']; } } return $interface; } /* this code block is for deleteing logs while keeping the newest file, snort is linked to these files while running, do not take the easy way out by touch and rm, snort will lose sync and not log. this code needs to be watched. */ /* list dir files */ function snort_file_list($snort_log_dir, $snort_log_file) { $dir = opendir ("$snort_log_dir"); while (false !== ($file = readdir($dir))) { if (strpos($file, "$snort_log_file",1) ) $file_list[] = $file; } return $file_list; } /* snort dir files */ function snort_file_sort($snort_file1, $snort_file2) { if ($snort_file1 == $snort_file2) return 0; return ($snort_file1 < $snort_file2); // ? -1 : 1; // this flips the array } /* build files newest first array */ function snort_build_order($snort_list) { foreach ($snort_list as $value_list) $list_order[] = $value_list; return $list_order; } /* keep the newest remove the rest */ function snort_remove_files($snort_list_rm, $snort_file_safe) { foreach ($snort_list_rm as $value_list) { if ($value_list != $snort_file_safe) @unlink("/var/log/snort/$value_list"); else file_put_contents("/var/log/snort/$snort_file_safe", ""); } } function post_delete_logs() { global $config, $g; /* do not start config build if rules is empty */ if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; $snort_log_dir = '/var/log/snort'; foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { $result_lan = $value['interface']; $if_real = snort_get_real_interface($result_lan); $snort_uuid = $value['uuid']; if ($if_real != '' && $snort_uuid != '') { if ($value['snortunifiedlog'] == 'on') { $snort_log_file_u2 = "{$snort_uuid}_{$if_real}.u2."; $snort_list_u2 = 
snort_file_list($snort_log_dir, $snort_log_file_u2); if (is_array($snort_list_u2)) { usort($snort_list_u2, "snort_file_sort"); $snort_u2_rm_list = snort_build_order($snort_list_u2); snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]); } } else exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.u2*"); if ($value['tcpdumplog'] == 'on') { $snort_log_file_tcpd = "{$snort_uuid}_{$if_real}.tcpdump."; $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd); if (is_array($snort_list_tcpd)) { usort($snort_list_tcpd, "snort_file_sort"); $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd); snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]); } } else exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.tcpdump*"); /* create barnyard2 configuration file */ //if ($value['barnyard_enable'] == 'on') //create_barnyard2_conf($id, $if_real, $snort_uuid); if ($value['perform_stat'] == 'on') file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", ""); } } } function snort_postinstall() { global $config, $g, $snort_pfsense_basever, $snort_arch; /* snort -> advanced features */ if (is_array($config['installedpackages']['snortglobal'])) { $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; } /* cleanup default files */ @unlink('/usr/local/etc/snort/snort.conf-sample'); @unlink('/usr/local/etc/snort/threshold.conf-sample'); @unlink('/usr/local/etc/snort/sid-msg.map-sample'); @unlink('/usr/local/etc/snort/unicode.map-sample'); @unlink('/usr/local/etc/snort/classification.config-sample'); @unlink('/usr/local/etc/snort/generators-sample'); @unlink('/usr/local/etc/snort/reference.config-sample'); @unlink('/usr/local/etc/snort/gen-msg.map-sample'); @unlink('/usr/local/etc/snort/sid'); @unlink('/usr/local/etc/rc.d/snort'); 
@unlink('/usr/local/etc/rc.d/bardyard2'); /* remove example files */ if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); /* add snort user and group note: 920 keep the numbers < 2000, above this is reserved in pfSense 2.0 */ exec('/usr/sbin/pw groupadd snort -g 920'); exec('/usr/sbin/pw useradd snort -u 920 -c "Snort User" -d /nonexistent -g snort -s /sbin/nologin'); /* create a few directories and ensure the sample files are in place */ if (!is_dir('/usr/local/etc/snort')) exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules'); if (!is_dir('/usr/local/etc/snort/whitelist')) exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); if (!is_dir('/var/log/snort/run')) exec('/bin/mkdir -p /var/log/snort/run'); if (!is_dir('/var/log/snort/barnyard2')) exec('/bin/mkdir -p /var/log/snort/barnyard2'); if (!is_dir('/usr/local/lib/snort/dynamicrules/')) exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); if (!file_exists('/var/db/whitelist')) touch('/var/db/whitelist'); /* if users have old log files delete them */ if(!file_exists('/var/log/snort/alert')) touch('/var/log/snort/alert'); else { exec('/bin/rm -rf /var/log/snort/*'); touch('/var/log/snort/alert'); } /* rm barnyard2 important */ if (!file_exists('/usr/local/bin/barnyard2')) @unlink('/usr/local/bin/barnyard2'); /* important */ exec('/usr/sbin/chown -R snort:snort /var/log/snort'); exec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort'); exec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort'); exec('/usr/sbin/chown snort:snort /tmp/snort*'); exec('/usr/sbin/chown snort:snort /var/db/whitelist'); exec('/bin/chmod 660 /var/log/snort/alert'); exec('/bin/chmod 660 /var/db/whitelist'); exec('/bin/chmod -R 660 
/usr/local/etc/snort/*'); exec('/bin/chmod -R 660 /tmp/snort*'); exec('/bin/chmod -R 660 /var/run/snort*'); exec('/bin/chmod -R 660 /var/snort/run/*'); exec('/bin/chmod 770 /usr/local/lib/snort'); exec('/bin/chmod 770 /usr/local/etc/snort'); exec('/bin/chmod 770 /usr/local/etc/whitelist'); exec('/bin/chmod 770 /var/log/snort'); exec('/bin/chmod 770 /var/log/snort/run'); exec('/bin/chmod 770 /var/log/snort/barnyard2'); /* move files around, make it look clean */ exec('/bin/mkdir -p /usr/local/www/snort/css'); exec('/bin/mkdir -p /usr/local/www/snort/images'); chdir ("/usr/local/www/snort/css/"); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style.css'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/sexybuttons.css'); chdir("/usr/local/www/snort/images/"); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/alert.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down2.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-asc.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-desc.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up2.gif'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo.jpg'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon_excli.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/arrow_down.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/awesome-overlay-sprite.png'); exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo22.png'); 
exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png'); /* install barnyard2 for 2.0 x86 x64 and 1.2.3 x86 */ chdir("/usr/local/bin/"); update_status(gettext("Installing Barnyard2 for $snort_arch...")); update_output_window(gettext("Please wait...")); if ($snort_pfsense_basever == 'yes') exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/7.3.x86/barnyard2'); else if ($snort_pfsense_basever == 'no') exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.1{$snort_arch}/barnyard2'); update_output_window(gettext("Finnished Installing Barnyard2...")); exec('/bin/chmod 755 /usr/local/bin/barnyard2'); /* XXX: remove compeletely? */ if ($snort_pfsense_basever == 'yes') { if (!is_dir('/tmp/pkg_s')) exec('/bin/mkdir -p /tmp/pkg_s'); $snort_tmp_pkg_dir = "{$g['tmp_path']}/pkg_s"; chdir('$snort_tmp_pkg_dir'); /* install perl-threaded */ update_status(gettext("Installing perl-threaded for {$snort_arch}...")); update_output_window(gettext("Please wait downloading...")); exec("/usr/bin/fetch http://files.pfsense.org/packages/snort/7.3x86/perl-threaded-5.12.1_1.tbz"); update_output_window(gettext("Please wait Installing...")); if (file_exists("{$snort_tmp_pkg_dir}/perl-threaded-5.12.1_1.tbz")) exec("/usr/sbin/pkg_add -f {$snort_tmp_pkg_dir}/perl-threaded-5.12.1_1.tbz"); update_output_window(gettext("Finnished Installing perl-threaded...")); update_output_window(gettext("Please wait Cleaning Up...")); if (is_dir($snort_tmp_pkg_dir)) exec("/bin/rm -r {$snort_tmp_pkg_dir}"); /* back to default */ chdir('/root/'); } /* remake saved settings */ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_status(gettext("Saved settings detected...")); update_output_window(gettext("Please wait... 
rebuilding files...")); sync_snort_package_empty(); update_output_window(gettext("Finnished Rebuilding files...")); } } function sync_package_snort_reinstall() { global $config; conf_mount_rw(); if (!$config['installedpackages']['snortglobal']) return; /* create snort configuration file */ create_snort_conf(); /* start snort service */ // start_service("snort"); // do not start, may be needed latter. conf_mount_ro(); } function snort_Getdirsize($node) { if(!is_readable($node)) return false; $blah = exec( "/usr/bin/du -kd $node" ); return substr( $blah, 0, strpos($blah, 9) ); } /* func for log dir size limit cron */ function snort_snortloglimit_install_cron($should_install) { global $config, $g; if ($g['booting']==true) return; if (!is_array($config['cron']['item'])) $config['cron']['item'] = array(); $x=0; $is_installed = false; foreach($config['cron']['item'] as $item) { if (strstr($item['command'], '/usr/local/pkg/snort/snort_check_cron_misc.inc')) { $is_installed = true; break; } $x++; } $snort_snortloglimit_info_ck = $config['installedpackages']['snortglobal']['snortloglimit']; $snort_snortloglimitsize_info_ck = $config['installedpackages']['snortglobal']['snortloglimitsize']; switch($should_install) { case true: if(!$is_installed) { $cron_item = array(); $cron_item['minute'] = "*/5"; $cron_item['hour'] = "*"; $cron_item['mday'] = "*"; $cron_item['month'] = "*"; $cron_item['wday'] = "*"; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc"; $config['cron']['item'][] = $cron_item; } break; case false: if($is_installed == true) unset($config['cron']['item'][$x]); break; } configure_cron(); } /* func for updating cron */ function snort_rm_blocked_install_cron($should_install) { global $config, $g; if ($g['booting']==true) return; if (!is_array($config['cron']['item'])) $config['cron']['item'] = array(); $x=0; $is_installed = false; foreach($config['cron']['item'] as $item) { 
if (strstr($item['command'], "snort2c")) { $is_installed = true; break; } $x++; } $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; if ($snort_rm_blocked_info_ck == "1h_b") { $snort_rm_blocked_min = "*/5"; $snort_rm_blocked_hr = "*"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "3600"; } if ($snort_rm_blocked_info_ck == "3h_b") { $snort_rm_blocked_min = "*/15"; $snort_rm_blocked_hr = "*"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "10800"; } if ($snort_rm_blocked_info_ck == "6h_b") { $snort_rm_blocked_min = "*/30"; $snort_rm_blocked_hr = "*"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "21600"; } if ($snort_rm_blocked_info_ck == "12h_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/1"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "43200"; } if ($snort_rm_blocked_info_ck == "1d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/2"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "86400"; } if ($snort_rm_blocked_info_ck == "4d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/8"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "345600"; } if ($snort_rm_blocked_info_ck == "7d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "*/14"; $snort_rm_blocked_mday = "*"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; $snort_rm_blocked_expire = "604800"; } if ($snort_rm_blocked_info_ck == "28d_b") { $snort_rm_blocked_min = "2"; $snort_rm_blocked_hr = "0"; $snort_rm_blocked_mday = "*/2"; $snort_rm_blocked_month = "*"; $snort_rm_blocked_wday = "*"; 
$snort_rm_blocked_expire = "2419200"; } switch($should_install) { case true: if(!$is_installed) { $cron_item = array(); $cron_item['minute'] = "$snort_rm_blocked_min"; $cron_item['hour'] = "$snort_rm_blocked_hr"; $cron_item['mday'] = "$snort_rm_blocked_mday"; $cron_item['month'] = "$snort_rm_blocked_month"; $cron_item['wday'] = "$snort_rm_blocked_wday"; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; $config['cron']['item'][] = $cron_item; } break; case false: if ($is_installed == true) unset($config['cron']['item'][$x]); break; } configure_cron(); } /* func to install snort update */ function snort_rules_up_install_cron($should_install) { global $config, $g; if ($g['booting']==true) return; if(!$config['cron']['item']) $config['cron']['item'] = array(); $x=0; $is_installed = false; foreach($config['cron']['item'] as $item) { if (strstr($item['command'], "snort_check_for_rule_updates.php")) { $is_installed = true; break; } $x++; } $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; if ($snort_rules_up_info_ck == "6h_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "*/6"; $snort_rules_up_mday = "*"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "12h_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "*/12"; $snort_rules_up_mday = "*"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "1d_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "0"; $snort_rules_up_mday = "*/1"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "4d_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "0"; $snort_rules_up_mday = "*/4"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "7d_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "0"; $snort_rules_up_mday = "*/7"; 
$snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } if ($snort_rules_up_info_ck == "28d_up") { $snort_rules_up_min = "3"; $snort_rules_up_hr = "0"; $snort_rules_up_mday = "*/28"; $snort_rules_up_month = "*"; $snort_rules_up_wday = "*"; } switch($should_install) { case true: if(!$is_installed) { $cron_item = array(); $cron_item['minute'] = "$snort_rules_up_min"; $cron_item['hour'] = "$snort_rules_up_hr"; $cron_item['mday'] = "$snort_rules_up_mday"; $cron_item['month'] = "$snort_rules_up_month"; $cron_item['wday'] = "$snort_rules_up_wday"; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; $config['cron']['item'][] = $cron_item; } break; case false: if($is_installed == true) unset($config['cron']['item'][$x]); break; } configure_cron(); } function sync_snort_package_remove_old() { global $config, $g; $snort_dir_scan = '/usr/local/etc/snort'; // scan dirm might have to make this into a funtion $dh_scan = opendir($snort_dir_scan); while (false !== ($dir_filename = readdir($dh_scan))) { $list_dir_files[] = $dir_filename; } // find patern in a array, very cool code class array_ereg { function array_ereg($pattern) { $this->pattern = $pattern; } function ereg($string) { return ereg($this->pattern, $string); } } $rule_array2 = $config['installedpackages']['snortglobal']['rule']; foreach ($rule_array2 as $id => $value) { $result_lan = $value['interface']; $if_real = snort_get_real_interface($result_lan); $snort_rules_list[] = "snort_{$id}{$if_real}"; } $snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg')); $snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list); foreach ($snort_dir_filter_search_result as $value) exec("/bin/rm -r /usr/local/etc/snort/$value"); } /* make sure this func on writes to files and does not start snort */ function sync_snort_package() { global $config, $g; 
/* all new files are for the user snort nologin */ if (!is_dir('/var/log/snort')) exec('/bin/mkdir -p /var/log/snort'); if (!is_dir('/var/log/snort/run')) exec('/bin/mkdir -p /var/log/snort/run'); if (!is_dir('/var/log/snort/barnyard2')) exec('/bin/mkdir -p /var/log/snort/barnyard2'); /* all new files are for the user snort nologin */ if (!file_exists('/var/log/snort/alert')) exec('/usr/bin/touch /var/log/snort/alert'); /* important */ exec('/usr/sbin/chown -R snort:snort /var/log/snort'); exec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort'); exec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort'); exec('/usr/sbin/chown snort:snort /tmp/snort*'); exec('/usr/sbin/chown snort:snort /var/db/whitelist'); exec('/bin/chmod 770 /var/db/whitelist'); exec('/bin/chmod 770 /var/run/snort*'); exec('/bin/chmod 770 /tmp/snort*'); exec('/bin/chmod -R 770 /var/log/snort'); exec('/bin/chmod -R 770 /usr/local/lib/snort'); exec('/bin/chmod -R 770 /usr/local/etc/snort/'); /* auto install loglimit dfault if value not set */ $snortloglimitsize = $config['installedpackages']['snortglobal']['snortloglimitsize']; $snortloglimit = $config['installedpackages']['snortglobal']['snortloglimit']; snort_snortloglimit_install_cron($config['installedpackages']['snortglobal']['snortloglimit'] == 'on' ? 
true : false); } /* only run when a single iface needs to sync */ function sync_snort_package_all($id, $if_real, $snort_uuid) { global $config, $g; /* RedDevil suggested code */ /* TODO: more testing needs to be done */ /* may cause voip to fail */ //exec("/sbin/sysctl net.bpf.bufsize=8388608"); //exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); //exec("/sbin/sysctl net.bpf.maxinsns=512"); //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); /* do not start config build if rules is empty */ if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; if (!is_array($config['installedpackages']['snortglobal']['rule'][$id])) return; conf_mount_rw(); $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_real = snort_get_real_interface($result_lan); /* only build whitelist when needed */ if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on') create_snort_whitelist($id, $if_real); /* only build threshold when needed */ if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') create_snort_suppress($id, $if_real); /* create snort configuration file */ create_snort_conf($id, $if_real, $snort_uuid); /* if rules exist cp rules to each iface */ create_rules_iface($id, $if_real, $snort_uuid); /* create snort bootup file snort.sh only create once */ create_snort_sh(); /* create barnyard2 configuration file */ if ($config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'] == 'on') create_barnyard2_conf($id, $if_real, $snort_uuid); sync_snort_package(); conf_mount_ro(); } /* Only run when all ifaces needed to sync. 
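Expects filesystem rw */
/**
 * Rebuild the snort configuration for every interface rule.
 *
 * Iterates all snortglobal['rule'] entries; a rule whose real interface or
 * uuid resolves to an empty string is skipped. snort.sh is generated once,
 * after the loop. Mounts the filesystem rw for the duration and ro afterwards.
 *
 * @return void
 */
function sync_snort_package_empty() {
	global $config, $g;

	/* RedDevil suggested code */
	/* TODO: more testing needs to be done */
	/* may cause voip to fail */
	//exec("/sbin/sysctl net.bpf.bufsize=8388608");
	//exec("/sbin/sysctl net.bpf.maxbufsize=4194304");
	//exec("/sbin/sysctl net.bpf.maxinsns=512");
	//exec("/sbin/sysctl net.inet.tcp.rfc1323=1");

	/* do not start config build if rules is empty */
	if (!is_array($config['installedpackages']['snortglobal']['rule']))
		return;

	conf_mount_rw();

	foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $rule) {
		$if_real = snort_get_real_interface($rule['interface']);
		$snort_uuid = $rule['uuid'];

		/* nothing to configure without a real device and a uuid
		 * (cast so a missing value behaves like the empty string) */
		if ((string) $if_real === '' || (string) $snort_uuid === '')
			continue;

		/* only build whitelist when needed */
		if ($rule['blockoffenders7'] === 'on')
			create_snort_whitelist($id, $if_real);

		/* only build threshold when needed */
		if ($rule['suppresslistname'] !== 'default')
			create_snort_suppress($id, $if_real);

		/* create snort configuration file */
		create_snort_conf($id, $if_real, $snort_uuid);

		/* if rules exist cp rules to each iface */
		create_rules_iface($id, $if_real, $snort_uuid);

		/* create barnyard2 configuration file */
		if ($rule['barnyard_enable'] === 'on')
			create_barnyard2_conf($id, $if_real, $snort_uuid);
	}

	/* create snort bootup file snort.sh only create once */
	create_snort_sh();
	sync_snort_package();
	conf_mount_ro();
}

/* only bootup and ip refresh */
/**
 * Regenerate per-interface whitelist, suppress, snort.conf and barnyard2.conf
 * for every rule. Unlike sync_snort_package_empty() this neither copies the
 * rule files nor rewrites snort.sh.
 *
 * @return void
 */
function sync_snort_package_config() {
	global $config, $g;

	/* RedDevil suggested code */
	/* TODO: more testing needs to be done */
	/* may cause voip to fail */
	//exec("/sbin/sysctl net.bpf.bufsize=8388608");
	//exec("/sbin/sysctl net.bpf.maxbufsize=4194304");
	//exec("/sbin/sysctl net.bpf.maxinsns=512");
	//exec("/sbin/sysctl net.inet.tcp.rfc1323=1");

	/* do not start config build if rules is empty */
	if (!is_array($config['installedpackages']['snortglobal']['rule']))
		return;

	conf_mount_rw();

	foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $rule) {
		$if_real = snort_get_real_interface($rule['interface']);
		$snort_uuid = $rule['uuid'];

		if (empty($if_real) || empty($snort_uuid))
			continue;

		/* only build whitelist when needed */
		if ($rule['blockoffenders7'] === 'on')
			create_snort_whitelist($id, $if_real);

		/* only build threshold when needed */
		if ($rule['suppresslistname'] !== 'default')
			create_snort_suppress($id, $if_real);

		/* create snort configuration file */
		create_snort_conf($id, $if_real, $snort_uuid);

		/* create barnyard2 configuration file */
		if ($rule['barnyard_enable'] === 'on')
			create_barnyard2_conf($id, $if_real, $snort_uuid);
	}

	sync_snort_package();
	conf_mount_ro();
}

/* Start of main config files */

/* create threshold file */
/**
 * Write the snort suppress/threshold file for rule $id.
 *
 * Nothing is written when the rule uses the 'default' list or when the
 * configured list name does not resolve to a suppress item (previously the
 * unresolved case silently tried to write to the directory itself). The file
 * body is a fixed header followed by the user's base64-stored pass-through
 * text with CR characters removed.
 *
 * @param int|string $id      key into snortglobal['rule']
 * @param string     $if_real unused here; kept for the shared call signature
 * @return void
 */
function create_snort_suppress($id, $if_real) {
	global $config, $g;

	/* make sure dir is there */
	if (!is_dir('/usr/local/etc/snort/suppress'))
		exec('/bin/mkdir -p /usr/local/etc/snort/suppress');

	if (!is_array($config['installedpackages']['snortglobal']['rule']))
		return;

	$listname = $config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'];
	if ($listname == 'default')
		return;

	$key = find_suppress_key($listname);
	if (!isset($config['installedpackages']['snortglobal']['suppress']['item'][$key])) {
		log_error("Snort: suppress list '{$listname}' not found; no suppress file written.");
		return;
	}
	$item = $config['installedpackages']['snortglobal']['suppress']['item'][$key];

	/* file name */
	/* NOTE(review): the list name is used as a file name without being checked for
	 * path separators; it comes from the saved package configuration. */
	$suppress_file_name = $item['name'];

	/* Message */
	$s_data = '# This file is auto generated by the snort package. Please do not edit this file by hand.' . "\n\n";

	/* user added arguments */
	$s_data .= str_replace("\r", "", base64_decode($item['suppresspassthru']));

	/* open snort's suppress file for writing; report instead of silently dropping the failure */
	if (@file_put_contents("/usr/local/etc/snort/suppress/{$suppress_file_name}", $s_data) === false)
		log_error("Could not write /usr/local/etc/snort/suppress/{$suppress_file_name}.");
}

/**
 * Write the snort whitelist file for rule $id.
 *
 * The 'default' list is rendered with every optional source enabled and
 * written to whitelist/defaultwlist. A named list is looked up through
 * find_whitelist_key(); when the name does not resolve to an item the
 * function logs and returns instead of writing a list built from null flags.
 *
 * @param int|string $id      key into snortglobal['rule']
 * @param string     $if_real unused here; kept for the shared call signature
 * @return void
 */
function create_snort_whitelist($id, $if_real) {
	global $config, $g;

	/* make sure dir is there */
	if (!is_dir('/usr/local/etc/snort/whitelist'))
		exec('/bin/mkdir -p /usr/local/etc/snort/whitelist');

	$listname = $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'];

	if ($listname == 'default') {
		$w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no');
		$target = "/usr/local/etc/snort/whitelist/defaultwlist";
	} elseif (!empty($listname)) {
		$key = find_whitelist_key($listname);
		if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
			return;
		if (!isset($config['installedpackages']['snortglobal']['whitelist']['item'][$key])) {
			log_error("Snort: whitelist '{$listname}' not found; no whitelist file written.");
			return;
		}
		$whitelist = $config['installedpackages']['snortglobal']['whitelist']['item'][$key];
		$w_data = build_base_whitelist($whitelist['snortlisttype'], $whitelist['wanips'],
			$whitelist['wangateips'], $whitelist['wandnsips'], $whitelist['vips'],
			$whitelist['vpnips'], $key);
		/* NOTE(review): the list name doubles as the file name; not checked for path separators. */
		$target = "/usr/local/etc/snort/whitelist/{$listname}";
	} else {
		return;
	}

	/* open snort's whitelist for writing; report instead of silently dropping the failure */
	if (@file_put_contents($target, $w_data) === false)
		log_error("Could not write {$target}.");
}

/**
 * Build the HOME_NET list text for rule $id.
 *
 * 'default' or an empty name yields the base netlist with every optional
 * source enabled. A named list is resolved via find_whitelist_key(); an
 * unknown name logs and falls back to the default netlist instead of
 * producing a list built from null flags.
 *
 * @param int|string $id      key into snortglobal['rule']
 * @param string     $if_real unused here; kept for the shared call signature
 * @return string|null netlist text, or null when the whitelist items are missing
 */
function create_snort_homenet($id, $if_real) {
	global $config, $g;

	$listname = $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'];

	if ($listname == 'default' || $listname == '')
		return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no');

	if (!empty($listname)) {
		$key = find_whitelist_key($listname);
		if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
			return;
		if (!isset($config['installedpackages']['snortglobal']['whitelist']['item'][$key])) {
			log_error("Snort: home net list '{$listname}' not found; using default.");
			return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no');
		}
		$wl = $config['installedpackages']['snortglobal']['whitelist']['item'][$key];
		return build_base_whitelist($wl['snortlisttype'], $wl['wanips'], $wl['wangateips'],
			$wl['wandnsips'], $wl['vips'], $wl['vpnips'], $key);
	}
}

function create_snort_externalnet($id, $if_real) {
	global $config, $g;
	if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['externallistname'])) {
		$whitelist_key_ex = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['externallistname']);
		if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
			return;
		$build_netlist_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype'];
		$wanip_ex =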
$config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips']; $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips']; $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips']; $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips']; $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips']; return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex); } } /* open snort.sh for writing" */ function create_snort_sh() { global $config, $g; if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; $snortconf =& $config['installedpackages']['snortglobal']['rule']; $snort_sh_text2 = array(); $snort_sh_text3 = array(); $snort_sh_text4 = array(); /* do not start config build if rules is empty */ if (!empty($snortconf)) { foreach ($snortconf as $value) { $snort_uuid = $value['uuid']; $result_lan = $value['interface']; $if_real = snort_get_real_interface($result_lan); /* define snortbarnyardlog_chk */ $snortbarnyardlog_info_chk = $value['barnyard_enable']; $snortbarnyardlog_mysql_info_chk = $value['barnyard_mysql']; if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"; /* Get all interface startup commands ready */ $snort_sh_text2[] = << /tmp/snort.sh.pid # Start snort and barnyard2 /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck /usr/local/bin/snort -u snort -g snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path /var/log/snort/run -G {$snort_uuid} 
-c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} $start_barnyard2 /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..." fi EOD; $snort_sh_text3[] = << /tmp/snort.sh.pid /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." /bin/kill \${pid_s} sleep 3 /bin/kill \${pid_b} /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid fi EOF; } } $start_snort_iface_start = implode("\n\n", $snort_sh_text2); $start_snort_iface_restart = implode("\n\n", $snort_sh_text3); $start_snort_iface_stop = implode("\n\n", $snort_sh_text4); $snort_sh_text = << /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 fi /bin/echo "snort.sh run" > /tmp/snort.sh.pid #### Remake the configs on boot Important! /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php & /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." $start_snort_iface_restart /bin/rm /tmp/snort.sh.pid #### If on Fake start snort is NOT running DO a real start. 
if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then rc_start_real fi } rc_start_real() { #### Check for double starts, Pfsense has problems with that if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 fi $start_snort_iface_start /bin/rm /tmp/snort.sh.pid } rc_stop() { #### Check for double starts, Pfsense has problems with that if /bin/ls /tmp/snort.sh.pid > /dev/null ; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" exit 0 fi $start_snort_iface_stop /bin/rm /tmp/snort.sh.pid /bin/rm /var/run/snort* } case $1 in start) rc_start ;; start_real) rc_start_real ;; stop) rc_stop ;; restart) rc_stop rc_start_real ;; esac EOD; /* write out snort.sh */ $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w"); if(!$bconf) { log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); return; } fwrite($bconf, $snort_sh_text); fclose($bconf); @chmod("/usr/local/etc/rc.d/snort.sh", 0755); } ///////////////////////// >>>>>>>>>>>> /* if rules exist copy to new interfaces */ function create_rules_iface($id, $if_real, $snort_uuid) { global $config, $g; $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"; $folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 
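'empty' : 'full';
	if ($folder_chk == "empty") {
		exec("/bin/cp -R /usr/local/etc/snort/rules {$if_rule_dir}/rules");
		if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules"))
			exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules");
	}
}

/* open barnyard2.conf for writing */
/**
 * Write barnyard2.conf for one snort instance.
 *
 * Ensures the per-instance barnyard2.conf and its waldo bookmark file exist
 * (the waldo is created owned snort:snort, mode 770), renders the config via
 * generate_barnyard2_conf() and writes it. A write failure is logged and the
 * function returns, so the caller can still run conf_mount_ro(); the earlier
 * `exit` aborted the whole sync with the filesystem left read-write.
 *
 * @param int|string $id         key into snortglobal['rule']
 * @param string     $if_real    real interface name
 * @param string     $snort_uuid instance uuid
 * @return void
 */
function create_barnyard2_conf($id, $if_real, $snort_uuid) {
	global $g;

	$conf_file = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf";
	$waldo = "/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo";

	if (!file_exists($conf_file))
		exec("/usr/bin/touch {$conf_file}");

	if (!file_exists($waldo)) {
		exec("/usr/bin/touch {$waldo}");
		exec("/usr/sbin/chown snort:snort {$waldo}");
		exec("/bin/chmod 770 {$waldo}");
	}

	$barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid);

	/* write out barnyard2_conf */
	if (@file_put_contents($conf_file, $barnyard2_conf_text) === false) {
		log_error("Could not open {$conf_file} for writing.");
		return;
	}
}

/* open barnyard2.conf for writing" */ function generate_barnyard2_conf($id, $if_real, $snort_uuid) { global $config, $g; /* define snortbarnyardlog */ /* TODO: add support for the other 5 output plugins */ $snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; $snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); /* user add arguments */ $snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['barnconfigpassthru'])); $barnyard2_conf_text = << \ cmd_validity STRU < char FRP > \ 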
cmd_validity ALLO < int [ char R int ] > \ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ cmd_validity PORT < host_port > preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ telnet_cmds yes EOD; $def_ftp_preprocessor_info_chk = $snortcfg['ftp_preprocessor']; if ($def_ftp_preprocessor_info_chk == "on") $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; else $def_ftp_preprocessor_type = ""; /* def smtp_preprocessor */ $snort_smtp_preprocessor = <<parent.scrollTo(0,1500);\n"; } /* ensure downloaded file looks sane */ function verify_downloaded_file($filename) { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if (filesize($filename) < 9500) { if(!$console_mode) { update_all_status("Checking {$filename}..."); check_for_common_errors($filename); } } update_all_status("Verifying {$filename}..."); if(!file_exists($filename)) { if(!$console_mode) { update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); hide_progress_bar_status(); } else { log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); echo "Could not fetch snort rules ({$filename}). 
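Check oinkid key and dns and try again.";
		}
		return;
	}
	update_all_status("Verified {$filename}.");
}

/* extract rules */
/**
 * Unpack the downloaded rules tarball into /usr/local/etc/snort/rules/.
 *
 * tar's combined stdout/stderr is streamed line by line into the output
 * window. Status goes to the GUI outside console mode, otherwise to the
 * system log and stdout.
 *
 * @param string $tmpfname directory holding the downloaded $snort_filename
 * @return void
 */
function extract_snort_rules_md5($tmpfname) {
	global $snort_filename, $snort_filename_md5, $console_mode;
	ob_flush();

	if (!$console_mode)
		update_all_status(gettext("Extracting snort rules..."));

	if (!is_dir("/usr/local/etc/snort/rules/"))
		@mkdir("/usr/local/etc/snort/rules/");

	/* the archive path is interpolated into a shell command line, so quote it */
	$archive = escapeshellarg("{$tmpfname}/{$snort_filename}");
	$cmd = "/usr/bin/tar xzf {$archive} -C /usr/local/etc/snort/ rules/";
	$handle = popen("{$cmd} 2>&1", 'r');
	if ($handle) {
		while (!feof($handle))
			update_output_window(fgets($handle));
		pclose($handle);
	}

	if (!$console_mode) {
		update_all_status(gettext("Snort rules extracted."));
	} else {
		log_error("Snort rules extracted.");
		echo "Snort rules extracted.";
	}
}

/* verify MD5 against downloaded item */
/**
 * Compare the downloaded rules tarball with the published MD5 file.
 *
 * The digest is taken as the fourth whitespace-separated token of the .md5
 * file (the field the former awk pipeline selected), and the on-disk digest
 * is computed with md5_file(). Neither the downloaded text nor the path is
 * passed through a shell any more. The comparison previously reported a
 * mismatch when the two digests were EQUAL and stayed silent otherwise;
 * it now reports on inequality and returns false.
 *
 * MD5 is what the upstream publisher provides; treat it as a corruption
 * check, not as proof of origin.
 *
 * @param string $tmpfname directory holding $snort_filename and $snort_filename_md5
 * @return bool true when the digests match
 */
function verify_snort_rules_md5($tmpfname) {
	global $snort_filename, $snort_filename_md5, $console_mode;
	ob_flush();

	if (!$console_mode)
		update_all_status(gettext("Verifying md5 signature..."));

	/* expected shape: a single "MD5 (name) = hash" line — TODO confirm against the feed */
	$published = '';
	$md5_text = @file_get_contents("{$tmpfname}/{$snort_filename_md5}");
	if ($md5_text !== false) {
		$fields = preg_split('/\s+/', trim($md5_text));
		if (isset($fields[3]))
			$published = strtolower($fields[3]);
	}

	$ondisk = @md5_file("{$tmpfname}/{$snort_filename}");

	/* a missing file on either side is a mismatch, never a pass */
	$ok = ($published !== '' && $ondisk !== false && $published === strtolower($ondisk));

	if (!$ok) {
		if (!$console_mode) {
			update_all_status(gettext("snort rules: md5 signature of rules mismatch."));
			hide_progress_bar_status();
		} else {
			log_error("snort rules: md5 signature of rules mismatch.");
			echo "snort rules: md5 signature of rules mismatch.";
		}
		return false;
	}
	return true;
}

/* hide progress bar */
/**
 * Emit the progress-bar hide output (GUI mode only).
 * NOTE(review): currently emits the same bytes as unhide_progress_bar_status(); confirm intended.
 *
 * @return void
 */
function hide_progress_bar_status() {
	global $snort_filename, $snort_filename_md5, $console_mode;
	ob_flush();
	if (!$console_mode)
		echo "\n";
}

/* unhide progress bar */
/**
 * Emit the progress-bar show output (GUI mode only).
 *
 * @return void
 */
function unhide_progress_bar_status() {
	global $snort_filename, $snort_filename_md5, $console_mode;
	ob_flush();
	if (!$console_mode)
		echo "\n";
}

/*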
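update both top and bottom text box during an operation */
/**
 * Push a status string to both the status line and the output window.
 * Does nothing in console mode.
 *
 * @param string $status
 * @return void
 */
function update_all_status($status) {
	global $snort_filename, $snort_filename_md5, $console_mode;
	ob_flush();
	if (!$console_mode) {
		update_status($status);
		update_output_window($status);
	}
}

/* obtain alert description for an ip address */
/**
 * Return the alert title recorded for $ip in /var/log/snort/alert.
 *
 * Results are memoised in $snort_config (seeded from the on-disk cache on
 * first use). The alert file is read once per request and split into lines;
 * every "[**] ... [**]" line becomes the current title, and the first IPv4
 * address on a line is compared with $ip. The address was previously read
 * from $matches[$id] with $id undefined, so no line could ever match.
 *
 * @param string $ip IPv4 address as written in the alert file
 * @return string|null title, "n/a" when not found, null when the alert file is absent
 */
function get_snort_alert($ip) {
	global $snort_alert_file_split, $snort_config;

	if (!file_exists("/var/log/snort/alert"))
		return;
	if (!$snort_config)
		$snort_config = read_snort_config_cache();
	if (!empty($snort_config[$ip]))
		return $snort_config[$ip];

	/* split() no longer exists in current PHP; explode() is the literal-"\n" equivalent */
	if (!$snort_alert_file_split)
		$snort_alert_file_split = explode("\n", file_get_contents("/var/log/snort/alert"));

	$alert_title = null;
	foreach ($snort_alert_file_split as $fileline) {
		if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
			$alert_title = $matches[2];

		/* $matches[1] is the whole dotted quad */
		if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)
		    && $matches[1] == $ip) {
			if (empty($snort_config[$ip]))
				$snort_config[$ip] = $alert_title;
			return $alert_title;
		}
	}
	return "n/a";
}

/**
 * Wrap URLs and e-mail addresses found in $buffer when clickable URLs are enabled.
 *
 * NOTE(review): the replacement strings below reproduce the matched text
 * unchanged (\1\2 is the whole match), so as written this returns $buffer
 * with no markup added; the intended anchor markup may have been lost.
 * NOTE(review): $id is not defined in this function, so the enable flag is
 * read from ['snort']['config'][null] — confirm the intended config path.
 * eregi_replace() was replaced by preg_replace() with the `i` flag; the
 * patterns are unchanged apart from the `#` delimiters.
 *
 * @param string $buffer text to mark up
 * @return string
 */
function make_clickable($buffer) {
	global $config, $g;

	/* if clickable urls is disabled, simply return buffer back to caller */
	$clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode'];
	if (!$clickablalerteurls)
		return $buffer;

	$buffer = preg_replace("#(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)#i", "\\1\\2", $buffer);
	$buffer = preg_replace("#(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)#i", "\\1\\2", $buffer);
	$buffer = preg_replace("#([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)#i", "\\1", $buffer);
	$buffer = preg_replace("#(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)#i", "\\1\\2", $buffer);
	$buffer = preg_replace("#(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)#i", "\\1\\2", $buffer);
	return $buffer;
}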
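/**
 * Load the memoised alert lookup table, reading it from disk once.
 *
 * @return mixed the cached table (array when the cache exists), else the
 *               current value of $snort_config
 */
function read_snort_config_cache() {
	global $g, $config, $snort_config;

	if ($snort_config)
		return $snort_config;

	$cache_file = $g['tmp_path'] . '/snort_config.cache';
	if (file_exists($cache_file)) {
		/* SECURITY NOTE: unserialize() will instantiate whatever classes the cache
		 * names. The file is produced by write_snort_config_cache() below, but it
		 * lives under tmp_path; if anything else can write there, a JSON cache
		 * would be the safer format. */
		$snort_config = unserialize(file_get_contents($cache_file));
	}
	return $snort_config;
}

/**
 * Persist the alert lookup table to tmp_path/snort_config.cache.
 *
 * @param mixed $snort_config table to serialise
 * @return bool false when the file could not be written (logged), else true
 */
function write_snort_config_cache($snort_config) {
	global $g, $config;

	$cache_file = $g['tmp_path'] . '/snort_config.cache';
	if (@file_put_contents($cache_file, serialize($snort_config)) === false) {
		log_error("Could not open {$cache_file} for writing.");
		return false;
	}
	return true;
}

/** Hook for the advanced settings page: resync the package. */
function snort_advanced() {
	global $g, $config;
	sync_package_snort();
}

/** Hook for the define-servers page: resync the package. */
function snort_define_servers() {
	global $g, $config;
	sync_package_snort();
}
?>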