tag with title $result = ""; } else { // Find the ending ">" for the element tag $pos = strpos($tag, ">"); if ($pos !== false) { // We found the ">" delimter, so add "title" // attribute and close the element tag $result = substr($tag, 0, $pos) . " title=\"" . $title . "\">"; } else { // We did not find the ">" delimiter, so // something is wrong, just return the // tag "as-is" $result = $tag; } } return $result; } /* convert fake interfaces to real */ $if_real = get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules'] == 'on' ? 'on' : 'off'; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; $etprodownload = $config['installedpackages']['snortglobal']['emergingthreats_pro']; // Add any previously saved rules files to the categories array if (!empty($pconfig['rulesets'])) $categories = explode("||", $pconfig['rulesets']); // add the standard rules files to the categories array $categories[] = "custom.rules"; $categories[] = "decoder.rules"; $categories[] = "preprocessor.rules"; $categories[] = "sensitive-data.rules"; // Get any automatic rule category enable/disable modifications // if auto-SID Mgmt is enabled, and adjust the available rulesets // in the CATEGORY drop-down box as necessary. $cat_mods = snort_sid_mgmt_auto_categories($a_rule[$id], FALSE); foreach ($cat_mods as $k => $v) { switch ($v) { case 'disabled': if (($key = array_search($k, $categories)) !== FALSE) unset($categories[$key]); break; case 'enabled': if (!in_array($k, $categories)) $categories[] = $k; break; default: break; } } // Add any enabled IPS-Policy and Auto-Flowbits File if (!empty($a_rule[$id]['ips_policy'])) $categories[] = "IPS Policy - " . 
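ucfirst($a_rule[$id]['ips_policy']);
if ($a_rule[$id]['autoflowbitrules'] == 'on')
	$categories[] = "Auto-Flowbit Rules";
natcasesort($categories);

/* Serialize a [gid][sid] => marker map into the "gid:sid||gid:sid" form that
 * config.xml stores in rule_sid_on / rule_sid_off. Returns "" for an empty map
 * (a GID whose SID sub-array has been emptied contributes nothing). */
function snort_rules_sid_map_to_string($sids) {
	$parts = array();
	foreach ($sids as $gid => $by_sid) {
		foreach (array_keys($by_sid) as $sid)
			$parts[] = "{$gid}:{$sid}";
	}
	return implode("||", $parts);
}

/* Write the enablesid/disablesid maps back into one interface's config entry
 * ($rule_cfg is $a_rule[$id], by reference). An empty map removes the key so
 * config.xml does not accumulate empty strings. The caller still has to call
 * write_config() afterwards. */
function snort_rules_store_sid_mods(&$rule_cfg, $enablesid, $disablesid) {
	$on = snort_rules_sid_map_to_string($enablesid);
	if (!empty($on))
		$rule_cfg['rule_sid_on'] = $on;
	else
		unset($rule_cfg['rule_sid_on']);

	$off = snort_rules_sid_map_to_string($disablesid);
	if (!empty($off))
		$rule_cfg['rule_sid_off'] = $off;
	else
		unset($rule_cfg['rule_sid_off']);
}

/* Pick the rules category to display. The name comes from the category
 * selector (POST) or from a link (GET) and is used verbatim as a file name
 * under {$snortdir}/rules and {$snortdir}/preproc_rules below, so it is
 * restricted to a bare file name: no directory separators, no "." / "..",
 * no NUL bytes. Anything else falls back to the first category. The value is
 * also HTML-escaped on both input paths (previously only the GET path was)
 * because it is interpolated into the page title and echoed further down. */
$default_ruleset = reset($categories);
if (isset($_POST['openruleset']) && is_string($_POST['openruleset']))
	$currentruleset = htmlspecialchars($_POST['openruleset']);
elseif (isset($_GET['openruleset']) && is_string($_GET['openruleset']))
	$currentruleset = htmlspecialchars($_GET['openruleset']);
else
	$currentruleset = $default_ruleset;

if ($currentruleset === '' || $currentruleset === '.' || $currentruleset === '..' ||
    strpos($currentruleset, "\0") !== false || basename($currentruleset) !== $currentruleset)
	$currentruleset = $default_ruleset;

/* One last sanity check -- if the rules directory is empty, default to loading custom rules */
$tmp = glob("{$snortdir}/rules/*.rules");
if (empty($tmp))
	$currentruleset = "custom.rules";

$rulefile = "{$snortdir}/rules/{$currentruleset}";

/* Always an array so the SID-management pass and the "!empty()" checks below
 * see a consistent type even when custom.rules (no map) is selected. */
$rules_map = array();
if ($currentruleset != 'custom.rules') {
	// Read the current rules file into our rules map array.
	// If it is the auto-flowbits file, set the full path.
	if ($currentruleset == "Auto-Flowbit Rules")
		$rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME);
	// Test for the special case of an IPS Policy file.
	elseif (substr($currentruleset, 0, 10) == "IPS Policy")
		$rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']);
	// Test for preproc_rules file and set the full path.
	elseif (file_exists("{$snortdir}/preproc_rules/{$currentruleset}"))
		$rules_map = snort_load_rules_map("{$snortdir}/preproc_rules/{$currentruleset}");
	// Test for existence of regular text rules file and load it.
	elseif (file_exists($rulefile))
		$rules_map = snort_load_rules_map($rulefile);
	else
		$input_errors[] = gettext("{$currentruleset} seems to be missing!!! 
Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.");
}

/* Process the current category rules through any auto SID MGMT changes if enabled */
snort_auto_sid_mgmt($rules_map, $a_rule[$id], FALSE);

/* Load up our enablesid and disablesid arrays with enabled or disabled SIDs */
$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on']);
$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off']);

/* GID and SID arrive as hidden form fields set by the clicked rule icon. They
 * become array keys, part of the config change-log text and an HTML anchor
 * name, so only plain unsigned decimal digits are accepted (is_numeric() would
 * also admit " 1", "1e3", "1.5"). A pair that is not part of the currently
 * loaded category is ignored instead of being recorded blindly. */
$toggle_gid = (isset($_POST['gid']) && is_string($_POST['gid']) && ctype_digit($_POST['gid'])) ? $_POST['gid'] : null;
$toggle_sid = (isset($_POST['sid']) && is_string($_POST['sid']) && ctype_digit($_POST['sid'])) ? $_POST['sid'] : null;

if (!empty($_POST['toggle']) && $toggle_gid !== null && $toggle_sid !== null &&
    !empty($rules_map) && isset($rules_map[$toggle_gid][$toggle_sid])) {
	$gid = $toggle_gid;
	$sid = $toggle_sid;

	// See if the target SID is in our list of modified SIDs, and toggle if
	// present; otherwise, add it to the appropriate modified SID list.
	if (isset($enablesid[$gid][$sid])) {
		unset($enablesid[$gid][$sid]);
		$disablesid[$gid][$sid] = "disablesid";
	} elseif (isset($disablesid[$gid][$sid])) {
		unset($disablesid[$gid][$sid]);
		$enablesid[$gid][$sid] = "enablesid";
	} elseif ($rules_map[$gid][$sid]['disabled'] == 1) {
		$enablesid[$gid][$sid] = "enablesid";
	} else {
		$disablesid[$gid][$sid] = "disablesid";
	}

	// Write the updated enablesid and disablesid values to the config file.
	snort_rules_store_sid_mods($a_rule[$id], $enablesid, $disablesid);
	write_config("Snort pkg: modified state for rule {$gid}:{$sid} on {$a_rule[$id]['interface']}.");

	// We changed a rule state, remind user to apply the changes
	mark_subsystem_dirty('snort_rules');

	// Set a scroll-to anchor location
	$anchor = "rule_{$gid}_{$sid}";
} elseif (!empty($_POST['disable_all']) && !empty($rules_map)) {
	// Mark all rules in the currently selected category "disabled".
	foreach ($rules_map as $k1 => $by_sid) {
		foreach (array_keys($by_sid) as $k2) {
			unset($enablesid[$k1][$k2]);
			$disablesid[$k1][$k2] = "disablesid";
		}
	}
	snort_rules_store_sid_mods($a_rule[$id], $enablesid, $disablesid);
	write_config("Snort pkg: disabled all rules in category {$currentruleset} for {$a_rule[$id]['interface']}.");
	mark_subsystem_dirty('snort_rules');
} elseif (!empty($_POST['enable_all']) && !empty($rules_map)) {
	// Mark all rules in the currently selected category "enabled".
	foreach ($rules_map as $k1 => $by_sid) {
		foreach (array_keys($by_sid) as $k2) {
			unset($disablesid[$k1][$k2]);
			$enablesid[$k1][$k2] = "enablesid";
		}
	}
	snort_rules_store_sid_mods($a_rule[$id], $enablesid, $disablesid);
	write_config("Snort pkg: enable all rules in category {$currentruleset} for {$a_rule[$id]['interface']}.");
	mark_subsystem_dirty('snort_rules');
} elseif (!empty($_POST['resetcategory']) && !empty($rules_map)) {
	// Reset any modified SIDs in the current rule category to their defaults.
	foreach ($rules_map as $k1 => $by_sid) {
		foreach (array_keys($by_sid) as $k2) {
			unset($enablesid[$k1][$k2]);
			unset($disablesid[$k1][$k2]);
		}
	}
	snort_rules_store_sid_mods($a_rule[$id], $enablesid, $disablesid);
	write_config("Snort pkg: remove enablesid/disablesid changes for category {$currentruleset} on {$a_rule[$id]['interface']}.");
	mark_subsystem_dirty('snort_rules');
} elseif (!empty($_POST['resetall']) && !empty($rules_map)) {
	// Remove all modified SIDs from config.xml and save the changes.
	unset($a_rule[$id]['rule_sid_on']);
	unset($a_rule[$id]['rule_sid_off']);
	write_config("Snort pkg: remove all enablesid/disablesid changes for {$a_rule[$id]['interface']}.");
	mark_subsystem_dirty('snort_rules');
} elseif (!empty($_POST['cancel'])) {
	// Discard the edited custom rules text and show the stored copy again.
	$pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']);
	clear_subsystem_dirty('snort_rules');
} elseif (!empty($_POST['clear'])) {
	unset($a_rule[$id]['customrules']);
	write_config("Snort pkg: clear all custom rules for {$a_rule[$id]['interface']}.");
	$rebuild_rules = true;
	conf_mount_rw();
	snort_generate_conf($a_rule[$id]);
	conf_mount_ro();
	$rebuild_rules = false;
	$pconfig['customrules'] = '';

	// Sync to configured CARP slaves if any are enabled
	snort_sync_on_changes();
} elseif (!empty($_POST['save'])) {
	$pconfig['customrules'] = $_POST['customrules'];
	if ($_POST['customrules'])
		$a_rule[$id]['customrules'] = base64_encode(str_replace("\r\n", "\n", $_POST['customrules']));
	else
		unset($a_rule[$id]['customrules']);
	write_config("Snort pkg: save modified custom rules for {$a_rule[$id]['interface']}.");
	$rebuild_rules = true;
	conf_mount_rw();
	snort_generate_conf($a_rule[$id]);
	conf_mount_ro();
	$rebuild_rules = false;

	/* Dry-run Snort (-T) against the regenerated config so malformed custom
	 * rules are reported rather than loaded. The config path is built from
	 * package-controlled values, but is still quoted for the shell. */
	$output = array();
	$retcode = 0;
	$conf_path = "{$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf";
	exec("{$snortbindir}snort -T -c " . escapeshellarg($conf_path) . " 2>&1", $output, $retcode);
	if (intval($retcode) != 0) {
		/* Report the last four lines of Snort's output, in order. The previous
		 * loop started at count($output) -- one past the last index -- so it
		 * read an undefined element and dropped the fourth-from-last line. */
		$error = implode("\n", array_slice($output, -4));
		$input_errors[] = "Custom rules have errors:\n {$error}";
	} else {
		/* Soft-restart Snort to live-load new rules */
		snort_reload_config($a_rule[$id]);
		$savemsg = gettext("Custom rules validated successfully and any active Snort process on this interface has been signalled to live-load the new rules.");
	}
	clear_subsystem_dirty('snort_rules');

	// Sync to configured CARP slaves if any are enabled
	snort_sync_on_changes();
} elseif (!empty($_POST['apply'])) {
	/* Save new configuration */
	write_config("Snort pkg: save new rules configuration for {$a_rule[$id]['interface']}.");

	/*************************************************/
	/* Update the snort conf file and rebuild the    */
	/* rules for this interface.                     */
	/*************************************************/
	$rebuild_rules = true;
	conf_mount_rw();
	snort_generate_conf($a_rule[$id]);
	conf_mount_ro();
	$rebuild_rules = false;

	/* Soft-restart Snort to live-load new rules */
	snort_reload_config($a_rule[$id]);

	// We have saved changes and done a soft restart, so clear "dirty" flag
	clear_subsystem_dirty('snort_rules');

	// Sync to configured CARP slaves if any are enabled
	snort_sync_on_changes();

	if (snort_is_running($snort_uuid, $if_real))
		$savemsg = gettext("Snort is 'live-reloading' the new rule set.");
}

include_once("head.inc");

$if_friendly = convert_friendly_interface_to_friendly_descr($a_rule[$id]['interface']);
$pgtitle = gettext("Snort: Interface {$if_friendly} - Rules: {$currentruleset}");
?>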

" . gettext("Click APPLY when finished to send the changes to the running configuration."));?> '; echo '
'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array = array(); $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Logs"), false, "/snort/snort_interface_logs.php?id={$id}"); display_top_tabs($tab_array, true); ?>
     
" title=" "/>   " title=""/>   " onclick="return confirm('')" title=""/>
" class="formbtn" title=""/>

" . gettext("When finished, click APPLY to save and send any SID enable/disable changes made on this tab to Snort."); ?>
"?>   
"?>   
"?>   
"?>   
title="" width="17" height="17" border="0">   
 
" . gettext("WARNING: ") . "" . gettext("You should not disable flowbit rules! Add Suppress List entries for them instead by ") . "" . gettext("clicking here") . ".";?>
$rulem) { foreach ($rulem as $k2 => $v) { $sid = $k2; $gid = $k1; $ruleset = $currentruleset; $style = ""; if ($v['managed'] == 1) { if ($v['disabled'] == 1) { $textss = ""; $textse = ""; $style= "style=\"opacity: 0.4; filter: alpha(opacity=40);\""; $title = gettext("Auto-disabled by settings on SID Mgmt tab"); } else { $textss = $textse = ""; $ruleset = "suricata.rules"; $title = gettext("Auto-managed by settings on SID Mgmt tab"); } $iconb = "icon_advanced.gif"; $managed_count++; } elseif (isset($disablesid[$gid][$sid])) { $textss = ""; $textse = ""; $iconb = "icon_reject_d.gif"; $disable_cnt++; $user_disable_cnt++; $title = gettext("Disabled by user. Click to toggle to enabled state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { $textss = ""; $textse = ""; $iconb = "icon_block_d.gif"; $disable_cnt++; $title = gettext("Disabled by default. Click to toggle to enabled state"); } elseif (isset($enablesid[$gid][$sid])) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; $user_enable_cnt++; $title = gettext("Enabled by user. Click to toggle to disabled state"); } else { $textss = $textse = ""; $iconb = "icon_block.gif"; $enable_cnt++; $title = gettext("Enabled by default. Click to toggle to disabled state"); } // Pick off the first section of the rule (prior to the start of the MSG field), // and then use a REGX split to isolate the remaining fields into an array. $tmp = substr($v['rule'], 0, strpos($v['rule'], "(")); $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); $rule_content = preg_split('/[\s]+/', $tmp); // Create custom tags for the fields we truncate so we can // have a "title" attribute for tooltips to show the full string. 
$srcspan = add_title_attribute($textss, $rule_content[2]); $srcprtspan = add_title_attribute($textss, $rule_content[3]); $dstspan = add_title_attribute($textss, $rule_content[5]); $dstprtspan = add_title_attribute($textss, $rule_content[6]); $protocol = $rule_content[1]; //protocol field $source = $rule_content[2]; //source field $source_port = $rule_content[3]; //source port field $destination = $rule_content[5]; //destination field $destination_port = $rule_content[6]; //destination port field $message = snort_get_msg($v['rule']); // description field $sid_tooltip = gettext("View the raw text for this rule"); echo ""; ?>
 
{$textss}"; if ($v['managed'] == 1) { echo "{$textse}"; } else { echo "{$textse}"; } echo " {$textss}{$gid}{$textse} {$textss}{$sid}{$textse} {$textss}{$protocol}{$textse} {$srcspan}{$source} {$srcprtspan}{$source_port} {$dstspan}{$destination} {$dstprtspan}{$destination_port} {$textss}{$message}{$textse}
$rulem) { foreach ($rulem as $k2 => $v) { $ruleset = $currentruleset; $style = ""; $sid = snort_get_sid($v['rule']); $gid = snort_get_gid($v['rule']); if ($v['managed'] == 1) { if ($v['disabled'] == 1) { $textss = ""; $textse = ""; $style= "style=\"opacity: 0.4; filter: alpha(opacity=40);\""; $title = gettext("Auto-disabled by settings on SID Mgmt tab"); } else { $textss = $textse = ""; $ruleset = "suricata.rules"; $title = gettext("Auto-managed by settings on SID Mgmt tab"); } $iconb = "icon_advanced.gif"; $managed_count++; } elseif (isset($disablesid[$gid][$sid])) { $textss = ""; $textse = ""; $iconb = "icon_reject_d.gif"; $disable_cnt++; $user_disable_cnt++; $title = gettext("Disabled by user. Click to toggle to enabled state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { $textss = ""; $textse = ""; $iconb = "icon_block_d.gif"; $disable_cnt++; $title = gettext("Disabled by default. Click to toggle to enabled state"); } elseif (isset($enablesid[$gid][$sid])) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; $user_enable_cnt++; $title = gettext("Enabled by user. Click to toggle to disabled state"); } else { $textss = $textse = ""; $iconb = "icon_block.gif"; $enable_cnt++; $title = gettext("Enabled by default. Click to toggle to disabled state"); } $message = snort_get_msg($v['rule']); $matches = array(); if (preg_match('/(?:classtype\b\s*:)\s*(\S*\s*;)/iU', $v['rule'], $matches)) $classtype = trim($matches[1], " ;"); else $classtype = "No Classtype Defined"; $matches = array(); if (preg_match_all('/(\S*-ips)(?:\s*drop|alert)(?:,|\s*|;)/i', $v['rule'], $matches)) $policy = implode("
", $matches[1]); else $policy = "none"; echo ""; ?>
 
{$textss}"; if ($v['managed'] == 1) { echo "{$textse}"; } else { echo "{$textse}"; } echo " {$textss}{$gid}{$textse} {$textss}{$sid}{$textse} {$textss}{$classtype} {$textss}{$policy} {$textss}{$message}{$textse}

" . gettext("Total Rules: {$counter}") . "    " . gettext("Enabled: {$enable_cnt}") . "    " . gettext("Disabled: {$disable_cnt}") . "    " . gettext("User Enabled: {$user_enable_cnt}") . "    " . gettext("User Disabled: {$user_disable_cnt}") . "    " . gettext("Auto-Managed: {$managed_count}"); ?>