.
* Copyright (C) 2003-2004 Manuel Kasper .
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2012 Ermal Luci
* All rights reserved.
*
* Modified for the Pfsense snort package v. 1.8+
* Copyright (C) 2009 Robert Zelaya Sr. Developer
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
$supplist = array();
function snort_is_alert_globally_suppressed($list, $gid, $sid) {
/************************************************/
/* Checks the passed $gid:$sid to see if it has */
/* been globally suppressed. If true, then any */
/* "track by_src" or "track by_dst" options are */
/* disabled since they are overridden by the */
/* global suppression of the $gid:$sid. */
/************************************************/
/* If entry has a child array, then it's by src or dst ip. */
/* So if there is a child array or the keys are not set, */
/* then this gid:sid is not globally suppressed. */
if (is_array($list[$gid][$sid]))
return false;
elseif (!isset($list[$gid][$sid]))
return false;
else
return true;
}
function snort_add_supplist_entry($suppress) {
/************************************************/
/* Adds the passed entry to the Suppress List */
/* for the active interface. If a Suppress */
/* List is defined for the interface, it is */
/* used. If no list is defined, a new default */
/* list is created using the interface name. */
/* */
/* On Entry: */
/* $suppress --> suppression entry text */
/* */
/* Returns: */
/* TRUE if successful or FALSE on failure */
/************************************************/
global $config, $a_instance, $instanceid;
if (!is_array($config['installedpackages']['snortglobal']['suppress']))
$config['installedpackages']['snortglobal']['suppress'] = array();
if (!is_array($config['installedpackages']['snortglobal']['suppress']['item']))
$config['installedpackages']['snortglobal']['suppress']['item'] = array();
$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item'];
$found_list = false;
/* If no Suppress List is set for the interface, then create one with the interface name */
if (empty($a_instance[$instanceid]['suppresslistname']) || $a_instance[$instanceid]['suppresslistname'] == 'default') {
$s_list = array();
$s_list['uuid'] = uniqid();
$s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress" . "_" . $s_list['uuid'];
$s_list['descr'] = "Auto-generated list for Alert suppression";
$s_list['suppresspassthru'] = base64_encode($suppress);
$a_suppress[] = $s_list;
$a_instance[$instanceid]['suppresslistname'] = $s_list['name'];
$found_list = true;
} else {
/* If we get here, a Suppress List is defined for the interface so see if we can find it */
foreach ($a_suppress as $a_id => $alist) {
if ($alist['name'] == $a_instance[$instanceid]['suppresslistname']) {
$found_list = true;
if (!empty($alist['suppresspassthru'])) {
$tmplist = base64_decode($alist['suppresspassthru']);
$tmplist .= "\n{$suppress}";
$alist['suppresspassthru'] = base64_encode($tmplist);
$a_suppress[$a_id] = $alist;
}
else {
$alist['suppresspassthru'] = base64_encode($suppress);
$a_suppress[$a_id] = $alist;
}
}
}
}
/* If we created a new list or updated an existing one, save the change, */
/* tell Snort to load it, and return true; otherwise return false. */
if ($found_list) {
write_config();
sync_snort_package_config();
snort_reload_config($a_instance[$instanceid]);
return true;
}
else
return false;
}
if ($_GET['instance'])
$instanceid = $_GET['instance'];
if ($_POST['instance'])
$instanceid = $_POST['instance'];
if (empty($instanceid))
$instanceid = 0;
if (!is_array($config['installedpackages']['snortglobal']['rule']))
$config['installedpackages']['snortglobal']['rule'] = array();
$a_instance = &$config['installedpackages']['snortglobal']['rule'];
$snort_uuid = $a_instance[$instanceid]['uuid'];
$if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) {
$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'];
$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'];
$anentries = $pconfig['alertnumber'];
} else {
$anentries = '250';
$pconfig['alertnumber'] = '250';
$pconfig['arefresh'] = 'off';
}
if ($_POST['save']) {
if (!is_array($config['installedpackages']['snortglobal']['alertsblocks']))
$config['installedpackages']['snortglobal']['alertsblocks'] = array();
$config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber'];
write_config();
header("Location: /snort/snort_alerts.php?instance={$instanceid}");
exit;
}
if ($_POST['todelete'] || $_GET['todelete']) {
$ip = "";
if($_POST['todelete'])
$ip = $_POST['todelete'];
else if($_GET['todelete'])
$ip = $_GET['todelete'];
if (is_ipaddr($ip)) {
exec("/sbin/pfctl -t snort2c -T delete {$ip}");
$savemsg = gettext("Host IP address {$ip} has been removed from the Blocked Table.");
}
}
if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) {
if (empty($_GET['descr']))
$suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n";
else
$suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}";
/* Add the new entry to the Suppress List */
if (snort_add_supplist_entry($suppress))
$savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List.");
else
$input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!");
}
if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) {
if ($_GET['act'] == "addsuppress_srcip")
$method = "by_src";
else
$method = "by_dst";
/* Check for valid IP addresses, exit if not valid */
if (is_ipaddr($_GET['ip']) || is_ipaddrv6($_GET['ip'])) {
if (empty($_GET['descr']))
$suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n";
else
$suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n";
}
else {
header("Location: /snort/snort_alerts.php?instance={$instanceid}");
exit;
}
/* Add the new entry to the Suppress List */
if (snort_add_supplist_entry($suppress))
$savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List.");
else
/* We did not find the defined list, so notify the user with an error */
$input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!");
}
if ($_GET['action'] == "clear" || $_POST['delete']) {
conf_mount_rw();
snort_post_delete_logs($snort_uuid);
$fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+");
if ($fd)
fclose($fd);
conf_mount_ro();
/* XXX: This is needed if snort is run as snort user */
mwexec('/bin/chmod 660 /var/log/snort/*', true);
if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"))
mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a");
header("Location: /snort/snort_alerts.php?instance={$instanceid}");
exit;
}
if ($_POST['download']) {
$save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
$file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz";
exec("cd /var/log/snort/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *");
if (file_exists("/tmp/{$file_name}")) {
ob_start(); //important or other posts will fail
if (isset($_SERVER['HTTPS'])) {
header('Pragma: ');
header('Cache-Control: ');
} else {
header("Pragma: private");
header("Cache-Control: private, must-revalidate");
}
header("Content-Type: application/octet-stream");
header("Content-length: " . filesize("/tmp/{$file_name}"));
header("Content-disposition: attachment; filename = {$file_name}");
ob_end_clean(); //important or other post will fail
readfile("/tmp/{$file_name}");
// Clean up the temp file
@unlink("/tmp/{$file_name}");
}
else
$savemsg = gettext("An error occurred while creating archive");
}
/* Load up an array with the current Suppression List GID,SID values */
$supplist = snort_load_suppress_sigs($a_instance[$instanceid], true);
$pgtitle = "Services: Snort: Snort Alerts";
include_once("head.inc");
?>
\n";
?>
' . $pgtitle . '
';}
/* Display Alert message */
if ($input_errors) {
print_input_errors($input_errors); // TODO: add checks
}
if ($savemsg) {
print_info_box($savemsg);
}
?>