<?php /* $Id$ */ /* edit_snortrule.php Copyright (C) 2004, 2005 Scott Ullrich Copyright (C) 2008, 2009 Robert Zelaya Copyright (C) 2011 Ermal Luci All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort_gui.inc"); require_once("/usr/local/pkg/snort/snort.inc"); global $g; if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; if (isset($id) && $a_nat[$id]) { $pconfig['enable'] = $a_nat[$id]['enable']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; } /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $iface_uuid = $a_nat[$id]['uuid']; /* Check if the rules dir is empy if so warn the user */ /* TODO give the user the option to delete the installed rules rules */ if (!is_dir("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules")) exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules"); $isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); if ($isrulesfolderempty == "") { $isrulesfolderempty = exec("ls -A /usr/local/etc/snort/rules/*.rules"); if ($isrulesfolderempty == "") { include_once("head.inc"); include_once("fbegin.inc"); echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} echo "<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n <tr>\n <td>\n"; $tab_array = array(); $tabid = 0; $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); $tabid++; $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); echo "</td>\n </tr>\n <tr>\n <td>\n <div id=\"mainarea\">\n <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n <tr>\n <td>\n # The rules directory is empty.\n </td>\n </tr>\n </table>\n </div>\n </td>\n </tr>\n </table>\n \n </form>\n \n <p>\n\n"; echo "Please click on the Update Rules tab to install your selected rule sets."; include("fend.inc"); echo "</body>"; echo "</html>"; exit(0); } else { /* Make sure that we have the rules */ mwexec("/bin/cp /usr/local/etc/snort/rules/*.rules /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules", true); } } function get_middle($source, $beginning, $ending, $init_pos) { $beginning_pos = strpos($source, $beginning, $init_pos); $middle_pos = $beginning_pos + strlen($beginning); $ending_pos = strpos($source, $ending, $beginning_pos); $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); return $middle; } function write_rule_file($content_changed, $received_file) { //read snort file with writing enabled $filehandle = fopen($received_file, "w"); //delimiter for each new rule is a new line $delimiter = "\n"; //implode the array back into a string for writing purposes $fullfile = implode($delimiter, $content_changed); //write data to file fwrite($filehandle, $fullfile); //close file handle fclose($filehandle); } function load_rule_file($incoming_file) { //read snort file $filehandle = fopen($incoming_file, "r"); //read file into string, and get filesize $contents = fread($filehandle, filesize($incoming_file)); //close handler fclose ($filehandle); //string for populating category select $currentruleset = basename($rulefile); //delimiter for each new rule is a new line $delimiter = "\n"; //split the contents of the string file into an array using the delimiter $splitcontents = explode($delimiter, $contents); return $splitcontents; } /* if ($_GET['openruleset'] != '' && $_GET['ids'] != '') { header("Location: /snort/snort_rules.php?id=$id&openruleset={$_GET['openruleset']}&saved=yes"); exit; } */ //$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; $ruledir = "/usr/local/etc/snort/rules/"; $dh = opendir($ruledir); while (false !== ($filename = readdir($dh))) { //only populate this array if its a rule file $isrulefile = strstr($filename, ".rules"); if ($isrulefile !== false) $files[] = $filename; } sort($files); if ($_GET['openruleset']) $rulefile = $_GET['openruleset']; else $rulefile = $ruledir.$files[0]; //Load the rule file $splitcontents = load_rule_file($rulefile); if ($_POST) { conf_mount_rw(); if (!$_POST['apply']) { //retrieve POST data $post_lineid = $_POST['lineid']; $post_enabled = $_POST['enabled']; $post_src = $_POST['src']; $post_srcport = $_POST['srcport']; $post_dest = $_POST['dest']; $post_destport = $_POST['destport']; //clean up any white spaces insert by accident $post_src = str_replace(" ", "", $post_src); $post_srcport = str_replace(" ", "", $post_srcport); $post_dest = str_replace(" ", "", $post_dest); $post_destport = str_replace(" ", "", $post_destport); //copy rule contents from array into string $tempstring = $splitcontents[$post_lineid]; //search string $findme = "# alert"; //find string for disabled alerts //find if alert is disabled $disabled = strstr($tempstring, $findme); //if find alert is false, then rule is disabled if ($disabled !== false) { //has rule been enabled if ($post_enabled == "yes") { //move counter up 1, so we do not retrieve the # in the rule_content array $tempstring = str_replace("# alert", "alert", $tempstring); $counter2 = 1; } else { //rule is staying disabled $counter2 = 2; } } else { //has rule been disabled if ($post_enabled != "yes") { //move counter up 1, so we do not retrieve the # in the rule_content array $tempstring = str_replace("alert", "# alert", $tempstring); $counter2 = 2; } else { //rule is staying enabled $counter2 = 1; } } //explode rule contents into an array, (delimiter is space) $rule_content = explode(' ', $tempstring); //insert new values $counter2++; $rule_content[$counter2] = $post_src;//source location $counter2++; $rule_content[$counter2] = $post_srcport;//source port location $counter2 = $counter2+2; $rule_content[$counter2] = $post_dest;//destination location $counter2++; $rule_content[$counter2] = $post_destport;//destination port location //implode the array back into string $tempstring = implode(' ', $rule_content); //copy string into file array for writing $splitcontents[$post_lineid] = $tempstring; //write the new .rules file write_rule_file($splitcontents, $rulefile); //once file has been written, reload file $splitcontents = load_rule_file($rulefile); $stopMsg = true; } conf_mount_ro(); } else if ($_GET['act'] == "toggle") { conf_mount_rw(); $toggleid = $_GET['ids']; //copy rule contents from array into string $tempstring = $splitcontents[$toggleid]; //explode rule contents into an array, (delimiter is space) $rule_content = explode(' ', $tempstring); //search string $findme = "# alert"; //find string for disabled alerts //find if alert is disabled $disabled = strstr($tempstring, $findme); //if find alert is false, then rule is disabled if ($disabled !== false) { //rule has been enabled //move counter up 1, so we do not retrieve the # in the rule_content array $tempstring = str_replace("# alert", "alert", $tempstring); } else { //has rule been disabled //move counter up 1, so we do not retrieve the # in the rule_content array $tempstring = str_replace("alert", "# alert", $tempstring); } //copy string into array for writing $splitcontents[$toggleid] = $tempstring; //write the new .rules file write_rule_file($splitcontents, $rulefile); //once file has been written, reload file $splitcontents = load_rule_file($rulefile); $stopMsg = true; //write disable/enable sid to config.xml if ($disabled == false) { $string_sid = strstr($tempstring, 'sid:'); $sid_pieces = explode(";", $string_sid); $sid_off_cut = $sid_pieces[0]; // sid being turned off $sid_off = str_replace("sid:", "", $sid_off_cut); // rule_sid_on registers $sid_on_pieces = $a_nat[$id]['rule_sid_on']; // if off sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); // write the replace sid back as empty $a_nat[$id]['rule_sid_on'] = $sid_on_old; // rule sid off registers $sid_off_pieces = $a_nat[$id]['rule_sid_off']; // if off sid is the same as off sid remove it $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); // write the replace sid back as empty $a_nat[$id]['rule_sid_off'] = $sid_off_old; // add sid off registers to new off sid $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; } else { $string_sid = strstr($tempstring, 'sid:'); $sid_pieces = explode(";", $string_sid); $sid_on_cut = $sid_pieces[0]; // sid being turned off $sid_on = str_replace("sid:", "", $sid_on_cut); // rule_sid_off registers $sid_off_pieces = $a_nat[$id]['rule_sid_off']; // if off sid is the same as on sid remove it $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); // write the replace sid back as empty $a_nat[$id]['rule_sid_off'] = $sid_off_old; // rule sid on registers $sid_on_pieces = $a_nat[$id]['rule_sid_on']; // if on sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); // write the replace sid back as empty $a_nat[$id]['rule_sid_on'] = $sid_on_old; // add sid on registers to new on sid $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; } write_config(); conf_mount_ro(); } if ($_GET['saved'] == 'yes') { $message = "The Snort rule configuration has been changed.<br>You must restart this snort interface in order for the changes to take effect."; // stop_service("snort"); // sleep(2); // start_service("snort"); // $savemsg = ""; // $stopMsg = false; } $currentruleset = basename($rulefile); $ifname = strtoupper($pconfig['interface']); require_once("guiconfig.inc"); include_once("head.inc"); $pgtitle = "Snort: $id $iface_uuid $if_real Category: $currentruleset"; ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> <?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> <?php echo "{$snort_general_css}\n"; ?> <div class="body2"> <noscript> <div class="alert" ALIGN=CENTER><img src="../themes/<?php echo $g['theme']; ?>/images/icons/icon_alert.gif" /><strong>Please enable JavaScript to view this content </CENTER></div> </noscript> <?php echo "<form action=\"snort_rules.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; ?> <?php if ($_GET['saved'] == 'yes') {print_info_box_np2($message);}?> </form> </script> <script language="javascript" type="text/javascript"> <!-- function go() { var agt=navigator.userAgent.toLowerCase(); if (agt.indexOf("msie") != -1) { box = document.forms.selectbox; } else { box = document.forms[1].selectbox; } destination = box.options[box.selectedIndex].value; if (destination) location.href = destination; } // --> </script> <script type="text/javascript"> <!-- function popup(url) { params = 'width='+screen.width; params += ', height='+screen.height; params += ', top=0, left=0' params += ', fullscreen=yes'; newwin=window.open(url,'windowname4', params); if (window.focus) {newwin.focus()} return false; } // --> </script> <table width="99%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php $tab_array = array(); $tabid = 0; $tab_array[$tabid] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); $tabid++; $tab_array[$tabid] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Servers"), false, "/snort/snort_define_servers.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); $tabid++; $tab_array[$tabid] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); ?> </td></tr> <tr> <td> <div id="mainarea2"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <table id="ruletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr id="frheader"> <td width="3%" class="list"> </td> <td width="5%" class="listhdr">SID</td> <td width="6%" class="listhdrr">Proto</td> <td width="15%" class="listhdrr">Source</td> <td width="10%" class="listhdrr">Port</td> <td width="15%" class="listhdrr">Destination</td> <td width="10%" class="listhdrr">Port</td> <td width="32%" class="listhdrr">Message</td> </tr> <tr> <?php echo "<br>Category: "; //string for populating category select $currentruleset = basename($rulefile); ?> <form name="forms"><select name="selectbox" class="formfld" onChange="go()"> <?php $i=0; foreach ($files as $value) { $selectedruleset = ""; if ($files[$i] === $currentruleset) $selectedruleset = "selected"; ?> <option value="?id=<?=$id;?>&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option> <?php $i++; } ?> </select></form> </tr> <?php $counter = 0; $printcounter = 0; foreach ( $splitcontents as $value ) { $counter++; $disabled = "False"; $comments = "False"; $tempstring = $splitcontents[$counter]; $findme = "# alert"; //find string for disabled alerts //find alert $disabled_pos = strstr($tempstring, $findme); //do soemthing, this rule is enabled $counter2 = 1; //retrieve sid value $sid = get_middle($tempstring, 'sid:', ';', 0); //check to see if the sid is numberical $is_sid_num = is_numeric($sid); //if SID is numerical, proceed if ($is_sid_num) { //if find alert is false, then rule is disabled if ($disabled_pos !== false){ $counter2 = $counter2+1; $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_block_d.gif"; } else { $textss = $textse = ""; $iconb = "icon_block.gif"; } if ($disabled_pos !== false){ $ischecked = ""; }else{ $ischecked = "checked"; } $rule_content = explode(' ', $tempstring); $protocol = $rule_content[$counter2];//protocol location $counter2++; $source = $rule_content[$counter2];//source location $counter2++; $source_port = $rule_content[$counter2];//source port location $counter2 = $counter2+2; $destination = $rule_content[$counter2];//destination location $counter2++; $destination_port = $rule_content[$counter2];//destination port location if (strstr($tempstring, 'msg: "')) $message = get_middle($tempstring, 'msg: "', '";', 0); if (strstr($tempstring, 'msg:"')) $message = get_middle($tempstring, 'msg:"', '";', 0); echo "<tr> <td class=\"listt\"> $textss\n"; ?> <a href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="10" height="10" border="0" title="click to toggle enabled/disabled status"></a> <!-- <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> --> <!-- TODO: add checkbox and save so that that disabling is nicer --> <?php echo "$textse </td> <td class=\"listlr\"> $textss $sid $textse </td> <td class=\"listlr\"> $textss $protocol"; ?> <?php $printcounter++; echo "$textse </td> <td class=\"listlr\"> $textss $source $textse </td> <td class=\"listlr\"> $textss $source_port $textse </td> <td class=\"listlr\"> $textss $destination $textse </td> <td class=\"listlr\"> $textss $destination_port $textse </td>"; ?> <td class="listbg"><font color="white"> <?php echo "$textss $message $textse </td>"; ?> <td valign="middle" nowrap class="list"> <table border="0" cellspacing="0" cellpadding="1"> <tr> <td><a href="javascript: void(0)" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> <!-- Codes by Quackit.com --> </tr> </table> </td> <?php } } echo " There are $printcounter rules in this category. <br><br>"; ?> </table> </td> </tr> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> <td>Rule Enabled</td> </tr> <tr> <td><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> <td nowrap>Rule Disabled</td> </tr> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <!-- TODO: add save and cancel for checkbox options --> <!-- <td><pre><input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"><pre></td> --> </tr> </table> <tr> <td colspan="10"> <p><!--<strong><span class="red">Warning:<br> </span></strong>Editing these r</p>--> </td> </tr> </table> </table> </td> </tr> </table> </div> <?php include("fend.inc"); echo $snort_custom_rnd_box; ?> </div> </body> </html>