"LAN"); for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) $iflist['opt' . $i] = "opt{$i}"; foreach($_POST['iface_array'] as $iface) { $if = convert_friendly_interface_to_real_interface_name($iface); if($config['interfaces'][$iface]['ipaddr'] == "pppoe") $if = "ng0"; if($if) { $ifaces_final .= " -i " . $if; $first = 1; } } /* create log directory */ $start = "/bin/mkdir -p /var/log/snort"; /* start snort */ $start .= ";snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort {$ifaces_final} -A full -D"; /* if block offenders is checked, start snort2c */ if($_POST['blockoffenders']) $start .= ";/usr/bin/killall snort2c; snort2c -w /var/db/whitelist -a /var/log/snort/alert"; /* write out rc.d start/stop file */ write_rcfile(array( "file" => "snort.sh", "start" => $start, "stop" => "/usr/bin/killall snort; killall snort2c" ) ); /* create snort configuration file */ create_snort_conf(); /* start snort service */ conf_mount_ro(); start_service("snort"); } function create_snort_conf() { global $config, $g; /* write out snort.conf */ $snort_conf_text = generate_snort_conf(); conf_mount_rw(); $conf = fopen("/usr/local/etc/snort/snort.conf", "w"); if(!$conf) { log_error("Could not open /usr/local/etc/snort/snort.conf for writing."); exit; } fwrite($conf, $snort_conf_text); fclose($conf); conf_mount_ro(); } function snort_deinstall() { $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; $filenamea = "/etc/crontab"; /* remove auto rules update helper */ remove_text_from_file($filenamea, $text_ww); /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ exec("/sbin/sysctl net.bpf.bufsize=4096"); } function generate_snort_conf() { global $config, $g; conf_mount_rw(); /* obtain external interface */ /* XXX: make multi wan friendly */ $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; /* add auto update scripts to /etc/crontab */ $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; $filenamea = "/etc/crontab"; remove_text_from_file($filenamea, $text_ww); add_text_to_file($filenamea, $text_ww); exec("killall -HUP cron"); /* increase bpf buffers to 20480, 5 times the normal 4096 */ add_text_to_file("/etc/sysctl.conf", "net.bpf.bufsize=20480"); exec("/sbin/sysctl net.bpf.bufsize=20480"); /* should we install a automatic update crontab entry? */ $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; /* if user is on pppoe, we really want to use ng0 interface */ if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") $snort_ext_int = "ng0"; /* set the snort performance model */ if($config['installedpackages']['snort']['config'][0]['performance']) $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; else $snort_performance = "lowmem"; /* open snort2c's whitelist for writing */ $whitelist = fopen("/var/db/whitelist", "w"); if(!$whitelist) { log_error("Could not open /var/db/whitelist for writing."); return; } /* build an interface array list */ $int_array = array('lan'); for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) if(isset($config['interfaces']['opt' . $j]['enable'])) if(!$config['interfaces']['opt' . $j]['gateway']) $int_array[] = "opt{$j}"; /* if user has defined a custom ssh port, use it */ if($config['system']['ssh']['port']) $ssh_port = $config['system']['ssh']['port']; else $ssh_port = "22"; /* iterate through interface list and write out whitelist items * and also compile a home_net list for snort. */ foreach($int_array as $int) { /* calculate interface subnet information */ $ifcfg = &$config['interfaces'][$int]; $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); $subnetmask = gen_subnet_mask($ifcfg['subnet']); if($subnet == "pppoe" or $subnet = "dhcp") { $subnet = find_interface_ip("ng0"); if($subnet) $home_net .= "{$subnet} "; } else { $home_net .= "{$subnet}/{$ifcfg['subnet']} "; } } /* add all local ips to the whitelist */ $wan_if = get_real_wan_interface(); $ip = find_interface_ip($wan_if); $home_net .= "{$ip} "; /* iterate all interfaces and add to whitelist */ foreach($config['interfaces'] as $interface) if($interface['ipaddr'] <> "pppoe" and $interface['ipaddr'] <> "dhcp") $home_net .= "{$interface['ipaddr']} "; /* iterate all vips and add to whitelist */ if($config['virtualip']) foreach($config['virtualip']['vip'] as $vip) $home_net .= $vip['subnet'] . " "; if($config['installedpackages']['snortwhitelist']) foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) $home_net .= $snort['ip'] . " "; /* write out whitelist, convert spaces to carriage returns */ $whitelist_home_net = str_replace(" ", "\n", $home_net); /* foreach through whitelist, writing out to file */ $whitelist_split = split("\n", $whitelist_home_net); foreach($whitelist_split as $wl) if(trim($wl)) fwrite($whitelist, trim($wl) . "\n"); /* should we whitelist vpns? */ $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; /* grab a list of vpns and whitelist if user desires */ if($whitelistvpns) { $vpns_list = get_vpns_list(); $whitelist_vpns = split(" ", $vpns_list); foreach($whitelist_split as $wl) if(trim($wl)) fwrite($whitelist, trim($wl) . "\n"); } /* close file */ fclose($whitelist); /* generate rule sections to load */ $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; if($enabled_rulesets) { $selected_rules_sections = ""; $enabled_rulesets_array = split("\|\|", $enabled_rulesets); foreach($enabled_rulesets_array as $enabled_item) $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; } conf_mount_ro(); /* build snort configuration file */ $snort_conf_text = <<

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The following error occured while downloading the snort rules file from snort.org:

{$contents}

 

 

 

 

 

 

 

"; } else { $contents = strip_tags($contents); log_error("Error downloading snort rules: {$contents}"); echo "Error downloading snort rules: {$contents}"; } scroll_down_to_bottom_of_page(); exit; } } /* force browser to scroll all the way down */ function scroll_down_to_bottom_of_page() { global $snort_filename, $console_mode; ob_flush(); if(!$console_mode) echo "\n"; } /* ensure downloaded file looks sane */ function verify_downloaded_file($filename) { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(filesize($filename)<9500) { if(!$console_mode) { update_all_status("Checking {$filename}..."); check_for_common_errors($filename); } } update_all_status("Verifying {$filename}..."); if(!file_exists($filename)) { if(!$console_mode) { update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); hide_progress_bar_status(); } else { log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."; } exit; } update_all_status("Verifyied {$filename}."); } /* extract rules */ function extract_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(!$console_mode) { $static_output = gettext("Extracting snort rules..."); update_all_status($static_output); } exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/"); if(!$console_mode) { $static_output = gettext("Snort rules extracted."); update_all_status($static_output); } else { log_error("Snort rules extracted."); echo "Snort rules extracted."; } } /* verify MD5 against downloaded item */ function verify_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(!$console_mode) { $static_output = gettext("Verifying md5 signature..."); update_all_status($static_output); } $md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; if($md5 <> $file_md5_ondisk) { if(!$console_mode) { $static_output = gettext("snort rules: md5 signature of rules mismatch."); update_all_status($static_output); hide_progress_bar_status(); } else { log_error("snort rules: md5 signature of rules mismatch."); echo "snort rules: md5 signature of rules mismatch."; } exit; } } /* hide progress bar */ function hide_progress_bar_status() { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(!$console_mode) echo "\n"; } /* update both top and bottom text box during an operation */ function update_all_status($status) { global $snort_filename, $snort_filename_md5, $console_mode; ob_flush(); if(!$console_mode) { update_status($status); update_output_window($status); } } $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); /* obtain alert description for an ip address */ function get_snort_alert($ip) { global $snort_alert_file_split; if(!$snort_alert_file_split) $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); foreach($snort_alert_file_split as $fileline) { if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) $alert_title = $matches[2]; if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) $alert_ip = $matches[0]; if($alert_ip == $ip) return $alert_title; } return "n/a"; } function make_clickable($buffer) { $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","\\1", $buffer); $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1\\2", $buffer); return $buffer; } ?>