diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc
index 5cdd5a00bac9..ca16b11951f5 100644
--- a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc
+++ b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc
@@ -34,7 +34,7 @@
require_once("pfsense-utils.inc");
require_once("config.inc");
require_once("functions.inc");
-require_once("service-utils.inc");
+require_once("service-utils.inc"); // Need this to get RCFILEPREFIX definition
require_once("pkg-utils.inc");
require_once("filter.inc");
require("/usr/local/pkg/snort/snort_defs.inc");
@@ -3685,11 +3685,11 @@ function snort_remove_dead_rules() {
$cats = array();
// If there is no "deprecated_rules" file, then exit
- if (!file_exists("{$rulesdir}deprecated_rules"))
+ if (!file_exists("/usr/local/pkg/snort/deprecated_rules"))
return;
// Open a SplFileObject to read in deprecated rules
- $file = new SplFileObject("{$rulesdir}/deprecated_rules");
+ $file = new SplFileObject("/usr/local/pkg/snort/deprecated_rules");
$file->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE);
while (!$file->eof()) {
$line = $file->fgets();
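Review bot: The replacement path `/usr/local/pkg/snort/deprecated_rules` is now spelled out twice, in the `file_exists()` test and in the `SplFileObject` constructor, which is the same kind of duplication that let the two old `{$rulesdir}` strings drift apart. Assigning it once, e.g. `$dead_rules_file = "/usr/local/pkg/snort/deprecated_rules";`, and using that variable in both places keeps them in step. `file_exists()` also does not guarantee the file can be opened, and `SplFileObject` throws a RuntimeException when it cannot, so `is_readable()` would be the closer guard. The body of snort_remove_dead_rules() continues outside the hunk.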
diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_for_rule_updates.php b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_for_rule_updates.php
index 929ddad17aff..05ae77859d41 100644
--- a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_for_rule_updates.php
+++ b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_for_rule_updates.php
@@ -5,7 +5,7 @@
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2009 Robert Zelaya
* Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2013-2015 Bill Meeks
+ * Copyright (C) 2013-2016 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -35,7 +35,7 @@
require_once("/usr/local/pkg/snort/snort.inc");
require("/usr/local/pkg/snort/snort_defs.inc");
-global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules, $static_output;
+global $g, $config, $rebuild_rules;
$snortdir = SNORTDIR;
$snortlibdir = SNORT_PBI_BASEDIR . "lib";
@@ -44,13 +44,6 @@
$snortbindir = SNORT_PBI_BINDIR;
$mounted_rw = FALSE;
-/* Save the state of $pkg_interface so we can restore it */
-$pkg_interface_orig = $pkg_interface;
-if ($snort_gui_include)
- $pkg_interface = "";
-else
- $pkg_interface = "console";
-
/* define checks */
$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode'];
$etproid = $config['installedpackages']['snortglobal']['etpro_code'];
@@ -128,7 +121,7 @@ function snort_download_file_url($url, $file_out) {
/* It provides logging of returned CURL errors. */
/************************************************/
- global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update;
+ global $g, $config, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update;
$rfc2616 = array(
100 => "100 Continue",
@@ -190,7 +183,7 @@ function snort_download_file_url($url, $file_out) {
// NOTE: required to suppress errors from XMLRPC due to progress bar output
// and to prevent useless spam from rules update cron job execution. This
// prevents progress bar output during package sync and rules update cron task.
- if ($g['snort_sync_in_progress'] || $pkg_interface == "console")
+ if ($g['snort_sync_in_progress'])
curl_setopt($ch, CURLOPT_HEADER, false);
else {
curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header');
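Review bot: The comment above the changed condition still says the check prevents progress-bar output during the rules update cron task, but the new test `if ($g['snort_sync_in_progress'])` no longer looks at `$pkg_interface`, so a cron run that does not set that flag now takes the `else` branch. If that is intended, the comment should be reworded, e.g. `// Suppress header/progress callbacks only while a package sync is in progress.`; if not, the cron path needs its own flag. Whether the cron job sets `snort_sync_in_progress` is not visible in this diff.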
@@ -201,7 +194,7 @@ function snort_download_file_url($url, $file_out) {
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/43.0.2357.65 Safari/537.36");
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "TLSv1.2, TLSv1");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
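Review bot: Next to the corrected `CURLOPT_SSL_VERIFYHOST` line, `CURLOPT_SSL_CIPHER_LIST` is set to `"TLSv1.2, TLSv1"`, which with an OpenSSL-backed libcurl selects cipher suites by the protocol version they were introduced in and does not restrict which protocol version is negotiated. If the intent is a minimum protocol version for the rules download, that is expressed with `CURLOPT_SSLVERSION`, e.g. `curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);`, provided the PHP and libcurl builds in use define that constant and the rule servers support it. A short comment on the `VERIFYHOST` line saying that 2 is the value that checks the certificate name against the host would also stop it being "simplified" back to `true`. The function body continues outside the hunk.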
@@ -266,56 +259,45 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
/* error occurred. */
/**********************************************************/
- global $last_curl_error, $update_errors, $static_output;
+ global $last_curl_error, $update_errors;
$snortdir = SNORTDIR;
$filename_md5 = basename($file_dst);
update_status(gettext("Downloading {$desc} md5 file..."));
- $static_output .= gettext("Downloading {$desc} md5 file...");
- update_output_window($static_output);
error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$rc = snort_download_file_url($file_url, $file_dst);
// See if download from URL was successful
if ($rc === true) {
- update_status(gettext("Done downloading {$filename_md5}."));
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
error_log("\tChecking {$desc} md5 file...\n", 3, SNORT_RULES_UPD_LOGFILE);
- $static_output .= gettext("Checking {$desc} md5 file...");
- update_output_window($static_output);
+ update_status(gettext("Checking {$desc} md5 file..."));
// check md5 hash in new file against current file to see if new download is posted
if (file_exists("{$snortdir}/{$filename_md5}")) {
$md5_check_new = file_get_contents($file_dst);
$md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}");
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
if ($md5_check_new == $md5_check_old) {
- update_status(gettext("{$desc} are up to date..."));
+ update_status(gettext("{$desc} are current. No update required.") . "\n");
log_error(gettext("[Snort] {$desc} are up to date..."));
error_log(gettext("\t{$desc} are up to date.\n"), 3, SNORT_RULES_UPD_LOGFILE);
- $static_output .= gettext("{$desc} are current. No update required.\n");
- update_output_window($static_output);
return false;
}
else {
return true;
}
}
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
return true;
}
else {
error_log(gettext("\t{$desc} md5 download failed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$snort_err_msg = gettext("Server returned error code {$rc}.");
- update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
- $static_output .= gettext(" FAILED!\n");
- update_output_window($static_output);
- $static_output .= gettext("{$desc} will not be updated.\n{$snort_err_msg}\n");
- update_output_window($static_output);
+ update_status(gettext(" FAILED!") . "\n");
+ update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...") . "\n");
+ update_status(gettext("{$desc} will not be updated.\n{$snort_err_msg}") . "\n");
log_error(gettext("[Snort] {$desc} md5 download failed..."));
log_error(gettext("[Snort] Server returned error code {$rc}..."));
error_log(gettext("\t{$snort_err_msg}\n"), 3, SNORT_RULES_UPD_LOGFILE);
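Review bot: The unchanged test `if ($md5_check_new == $md5_check_old)` in this hunk uses PHP's loose comparison, which compares two numeric-looking strings as numbers, so two different digests that both read as `0e` followed by digits would be treated as equal and the update skipped. `if ($md5_check_new === $md5_check_old)` avoids that. The same applies to `if ($file_md5 != trim(md5_file($file_dst)))` in the snort_fetch_new_rules() hunk below, where a loose match would accept a file whose checksum differs; `!==` is the safer operator there, assuming `$file_md5` is always a string. Neither `file_get_contents()` result is checked for `false` before the comparison. snort_check_rule_md5() starts and ends outside the hunk.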
@@ -345,31 +327,26 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* FALSE if download was not successful. */
/**********************************************************/
- global $last_curl_error, $update_errors, $static_output;
+ global $last_curl_error, $update_errors;
$snortdir = SNORTDIR;
$filename = basename($file_dst);
- update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
+ update_status(gettext("There is a new set of {$desc} posted.\nDownloading {$filename}..."));
log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}..."));
error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, SNORT_RULES_UPD_LOGFILE);
error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, SNORT_RULES_UPD_LOGFILE);
- $static_output .= gettext("There is a new set of {$desc} posted.\nDownloading {$filename}...");
- update_output_window($static_output);
$rc = snort_download_file_url($file_url, $file_dst);
// See if the download from the URL was successful
if ($rc === true) {
- update_status(gettext("Done downloading {$desc} file."));
+ update_status(gettext(" done.") . "\n");
log_error("[Snort] {$desc} file update downloaded successfully");
error_log(gettext("\tDone downloading rules file.\n"),3, SNORT_RULES_UPD_LOGFILE);
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
// Test integrity of the rules file. Turn off update if file has wrong md5 hash
if ($file_md5 != trim(md5_file($file_dst))){
- $static_output .= gettext("{$desc} file MD5 checksum failed...\n");
- update_output_window($static_output);
+ update_status(gettext("{$desc} file MD5 checksum failed...") . "\n");
log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum..."));
log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst)));
log_error(gettext("[Snort] Expected File MD5: {$file_md5}"));
@@ -383,20 +360,16 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
return true;
}
else {
- $static_output .= gettext(" FAILED!\n");
- update_output_window($static_output);
- $static_output .= gettext("{$desc} file download failed... server returned error '{$rc}'.\n");
- update_output_window($static_output);
+ update_status(gettext(" FAILED!") . "\n");
+ update_status(gettext("{$desc} file download failed... server returned error '{$rc}'.") . "\n");
log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'..."));
error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SNORT_RULES_UPD_LOGFILE);
error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, SNORT_RULES_UPD_LOGFILE);
error_log(gettext("\t{$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE);
- $static_output .= gettext("{$desc} will not be updated.\n");
- update_output_window($static_output);
+ update_status(gettext("{$desc} will not be updated.") . "\n");
$update_errors = true;
return false;
}
-
}
/**********************/
@@ -479,8 +452,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* Untar Snort rules file to tmp and install the rules */
if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/{$snort_filename}")) {
- $static_output .= gettext("Installing Sourcefire VRT rules...");
- update_output_window($static_output);
+ update_status(gettext("Installing Sourcefire VRT rules..."));
/* Currently, only FreeBSD-8-1, FreeBSD-9-0 and FreeBSD-10-0 precompiled SO rules exist from Snort.org */
/* Default to FreeBSD 8.1, and then test for FreeBSD 9.x or FreeBSD 10.x */
@@ -491,11 +463,9 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
$freebsd_version_so = 'FreeBSD-10-0';
/* Remove the old Snort rules files */
- update_status(gettext("Removing old Snort VRT rules..."));
$vrt_prefix = VRT_FILE_PREFIX;
unlink_if_exists("{$snortdir}/rules/{$vrt_prefix}*.rules");
- update_status(gettext("Extracting new Snort VRT rules..."));
error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
/* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */
safe_mkdir("{$tmpfname}/snortrules");
@@ -513,7 +483,6 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
}
rmdir_recursive("{$tmpfname}/snortrules");
/* Extract the Snort preprocessor rules */
- update_status(gettext("Extracting preprocessor rules files..."));
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/");
$files = glob("{$tmpfname}/preproc_rules/*.rules");
foreach ($files as $file) {
@@ -522,7 +491,6 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
}
rmdir_recursive("{$tmpfname}/preproc_rules");
/* extract so rules */
- update_status(gettext("Extracting Snort VRT Shared Objects rules..."));
error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$snort_arch = php_uname("m");
$nosorules = false;
@@ -537,7 +505,6 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
rmdir_recursive("{$tmpfname}/so_rules/");
if ($nosorules == false) {
/* extract Shared Object stub rules, rename and copy to the rules folder. */
- update_status(gettext("Copying Snort VRT Shared Objects rules..."));
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} --exclude precompiled/ --exclude src/ so_rules/");
$files = glob("{$tmpfname}/so_rules/*.rules");
foreach ($files as $file) {
@@ -547,7 +514,6 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
rmdir_recursive("{$tmpfname}/so_rules/");
}
/* extract base etc files */
- update_status(gettext("Extracting Snort VRT config and map files..."));
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/");
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
if (file_exists("{$tmpfname}/etc/{$file}"))
@@ -558,9 +524,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
update_status(gettext("Copying md5 signature to snort directory..."));
@copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}");
}
- update_status(gettext("Extraction of Snort VRT rules completed..."));
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
}
@@ -569,8 +533,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($openappid_detectors == 'on') {
// If we have a valid downloaded file, then first cleanup the old directory
if (file_exists("{$tmpfname}/{$snort_openappid_filename}")) {
- update_status(gettext("Extracting Snort OpenAppID detectors..."));
- $static_output .= gettext("Installing Snort OpenAppID detectors...");
+ update_status(gettext("Installing Snort OpenAppID detectors..."));
$snort_openappid_path = SNORT_APPID_ODP_PATH;
rmdir_recursive("{$snort_openappid_path}odp");
error_log(gettext("\tExtracting and installing Snort OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE);
@@ -585,9 +548,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
safe_mkdir("{$snort_openappid_path}custom/lua");
touch("{$snort_openappid_path}custom/userappid.conf");
}
- update_status(gettext("Extraction of Snort OpenAppID detectors completed..."));
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
unlink_if_exists("{$tmpfname}/{$snort_openappid_filename}");
error_log(gettext("\tInstallation of Snort OpenAppID detectors completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
@@ -597,9 +558,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($snortcommunityrules == 'on') {
safe_mkdir("{$tmpfname}/community");
if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
- update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
- $static_output .= gettext("Installing Snort GPLv2 Community Rules...\n");
- update_output_window($static_output);
+ update_status(gettext("Installing Snort GPLv2 Community Rules..."));
error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
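Review bot: The `exec()` call that closes this hunk interpolates `$tmpfname` and `$snort_community_rules_filename` into the tar command unquoted and discards the exit status, while the status line added later in this section prints " done." whether or not the extraction worked. Quoting the arguments and capturing the result, e.g. `exec("/usr/bin/tar xzf " . escapeshellarg("{$tmpfname}/{$snort_community_rules_filename}") . " -C " . escapeshellarg("{$tmpfname}/community/"), $out, $rc);`, lets the script report a failure instead. The same pattern appears in the Emerging Threats hunk (`{$emergingthreats_filename}`) and in the VRT extraction hunks (`{$snort_filename}`). Where these variables are assigned is outside the diff, so whether they can ever hold spaces or shell metacharacters cannot be judged from here.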
@@ -615,12 +574,9 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
}
/* Copy snort community md5 sig to snort dir */
if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) {
- update_status(gettext("Copying md5 signature to snort directory..."));
@copy("{$tmpfname}/{$snort_community_rules_filename_md5}", "{$snortdir}/{$snort_community_rules_filename_md5}");
}
- update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/community/");
}
@@ -630,23 +586,19 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($emergingthreats == 'on') {
safe_mkdir("{$tmpfname}/emerging");
if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
- update_status(gettext("Extracting {$et_name} rules..."));
- $static_output .= gettext("Installing {$et_name} rules...");
- update_output_window($static_output);
+ update_status(gettext("Installing {$et_name} rules..."));
error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
/* Remove the old Emerging Threats rules files */
$eto_prefix = ET_OPEN_FILE_PREFIX;
$etpro_prefix = ET_PRO_FILE_PREFIX;
- update_status(gettext("Removing old {$et_name} files..."));
unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*.rules");
unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*.rules");
unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*ips.txt");
unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*ips.txt");
$files = glob("{$tmpfname}/emerging/rules/*.rules");
- update_status(gettext("Copying new {$et_name} files..."));
foreach ($files as $file) {
$newfile = basename($file);
if ($etpro == "on")
@@ -678,9 +630,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
update_status(gettext("Copying md5 signature to snort directory..."));
@copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}");
}
- update_status(gettext("Extraction of {$et_name} rules completed..."));
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/emerging/");
}
@@ -719,7 +669,6 @@ function snort_apply_customizations($snortcfg, $if_real) {
if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') {
- update_status(gettext('Copying new config and map files...'));
error_log(gettext("\tCopying new config and map files...\n"), 3, SNORT_RULES_UPD_LOGFILE);
/******************************************************************/
@@ -766,8 +715,6 @@ function snort_apply_customizations($snortcfg, $if_real) {
$if_real = get_real_interface($value['interface']);
$tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ...";
update_status(gettext($tmp));
- $static_output .= gettext($tmp . "...");
- update_output_window($static_output);
// Make sure the interface subdirectory and required sub-directories exists.
// We need to re-create them during a pkg reinstall for the intial rules set
@@ -790,14 +737,11 @@ function snort_apply_customizations($snortcfg, $if_real) {
$tmp .= convert_friendly_interface_to_friendly_descr($value['interface']) . "...\n";
}
error_log($tmp, 3, SNORT_RULES_UPD_LOGFILE);
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
}
}
else {
- $static_output .= gettext("Warning: No interfaces configured for Snort were found...\n");
- $static_output .= gettext("No interfaces currently have Snort configured and enabled on them.\n");
- update_output_window($static_output);
+ update_status(gettext("Warning: No interfaces configured for Snort were found...") . "\n");
error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
@@ -807,15 +751,12 @@ function snort_apply_customizations($snortcfg, $if_real) {
/* Restart snort if running, and not in post-install, so as to pick up the new rules. */
if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) {
update_status(gettext('Restarting Snort to activate the new set of rules...'));
- $static_output .= gettext("Restarting Snort...");
- update_output_window($static_output);
error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
touch("{$g['varrun_path']}/snort_pkg_starting.lck");
snort_restart_all_interfaces(TRUE);
sleep(3);
unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
log_error(gettext("[Snort] Snort has restarted with your new set of rules..."));
error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
@@ -827,15 +768,12 @@ function snort_apply_customizations($snortcfg, $if_real) {
/**************************************************************************************/
if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) {
update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...'));
- $static_output .= gettext("Restarting Snort...");
- update_output_window($static_output);
error_log(gettext("\tRestarting Snort to activate the new OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE);
touch("{$g['varrun_path']}/snort_pkg_starting.lck");
snort_restart_all_interfaces(TRUE);
sleep(2);
unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
log_error(gettext("[Snort] Snort has restarted with your new set of OpenAppID detectors..."));
error_log(gettext("\tSnort has restarted with your new set of OpenAppID detectors.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
@@ -843,14 +781,12 @@ function snort_apply_customizations($snortcfg, $if_real) {
/* remove $tmpfname files */
if (is_dir("{$tmpfname}")) {
- $static_output .= gettext("Cleaning up temp dirs and files...");
- update_output_window($static_output);
+ update_status(gettext("Cleaning up temp dirs and files..."));
rmdir_recursive($tmpfname);
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
}
-update_status(gettext("The Rules update has finished."));
+update_status(gettext("The Rules update has finished.") . "\n");
log_error(gettext("[Snort] The Rules update has finished."));
error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SNORT_RULES_UPD_LOGFILE);
@@ -858,9 +794,6 @@ function snort_apply_customizations($snortcfg, $if_real) {
if ($mounted_rw == TRUE)
conf_mount_ro();
-/* Restore the state of $pkg_interface */
-$pkg_interface = $pkg_interface_orig;
-
/* Save this update status to the configuration file */
if ($update_errors)
$config['installedpackages']['snortglobal']['last_rule_upd_status'] = gettext("failed");
diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_defs.inc b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_defs.inc
index 9e3bfe48d4e5..bb1e798f3cb5 100644
--- a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_defs.inc
+++ b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_defs.inc
@@ -5,7 +5,7 @@
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2009-2010 Robert Zelaya
* Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2013-2015 Bill Meeks
+ * Copyright (C) 2013-2016 Bill Meeks
* part of pfSense
* All rights reserved.
*
@@ -50,7 +50,7 @@ if (!defined("SNORT_BIN_VERSION")) {
if (!empty($snortver))
define("SNORT_BIN_VERSION", $snortver);
else
- define("SNORT_BIN_VERSION", "2.9.7.6");
+ define("SNORT_BIN_VERSION", "2.9.8.0");
}
if (!defined("SNORT_SID_MODS_PATH"))
define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_post_install.php b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_post_install.php
index 1ce1b4d84c9e..2368bb31c03d 100644
--- a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_post_install.php
+++ b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_post_install.php
@@ -5,7 +5,7 @@
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2009-2010 Robert Zelaya
* Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2013-2014 Bill Meeks
+ * Copyright (C) 2013-2016 Bill Meeks
* part of pfSense
* All rights reserved.
*
@@ -40,6 +40,7 @@
require_once("config.inc");
require_once("functions.inc");
+require_once("service-utils.inc"); // Need this to get RCFILEPREFIX constant
require_once("/usr/local/pkg/snort/snort.inc");
require("/usr/local/pkg/snort/snort_defs.inc");
@@ -67,6 +68,9 @@
unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid");
}
+// Remove any LCK files for Snort that might have been left behind
+unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
+
/* Set flag for post-install in progress */
$g['snort_postinstall'] = true;
@@ -85,9 +89,6 @@
@rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
//@rename("{$snortdir}/attribute_table.dtd-sample", "{$snortdir}/attribute_table.dtd");
-/* Move deprecated_rules file to SNORTDIR/rules directory */
-@rename("/usr/local/pkg/snort/deprecated_rules", "{$snortdir}/rules/deprecated_rules");
-
/* fix up the preprocessor rules filenames from a PBI package install */
$preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
foreach ($preproc_rules as $file) {
@@ -141,8 +142,8 @@
/* remake saved settings */
if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
- log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings..."));
- update_status(gettext("Saved settings detected..."));
+ log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings."));
+ update_status(gettext("Saved settings detected.") . "\n");
/****************************************************************/
/* Do test and fix for duplicate UUIDs if this install was */
@@ -180,16 +181,12 @@
/****************************************************************/
/* Do one-time settings migration for new multi-engine configurations */
- $static_output .= gettext("\nMigrating settings to new configuration...");
- update_output_window($static_output);
+ update_status(gettext("Migrating settings to new configuration..."));
include('/usr/local/pkg/snort/snort_migrate_config.php');
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
- log_error(gettext("[Snort] Downloading and updating configured rule sets..."));
- if ($pkg_interface <> "console")
- $snort_gui_include = true;
+ update_status(gettext(" done.") . "\n");
+ log_error(gettext("[Snort] Downloading and updating configured rule sets."));
include('/usr/local/pkg/snort/snort_check_for_rule_updates.php');
- update_status(gettext("Generating snort.conf configuration file from saved settings..."));
+ update_status(gettext("Generating snort.conf configuration file from saved settings.") . "\n");
$rebuild_rules = true;
conf_mount_rw();
@@ -199,8 +196,7 @@
$if_real = get_real_interface($snortcfg['interface']);
$snort_uuid = $snortcfg['uuid'];
$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
- $static_output .= gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "...");
- update_output_window($static_output);
+ update_status(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "..."));
// Pull in the PHP code that generates the snort.conf file
// variables that will be substituted further down below.
@@ -227,16 +223,13 @@
if ($snortcfg['barnyard_enable'] == 'on')
snort_generate_barnyard2_conf($snortcfg, $if_real);
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
}
/* create snort bootup file snort.sh */
- $static_output .= gettext("Generating snort.sh script in {$rcdir}...");
- update_output_window($static_output);
+ update_status(gettext("Generating snort.sh script in {$rcdir}..."));
snort_create_rc();
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
+ update_status(gettext(" done.") . "\n");
/* Set Log Limit, Block Hosts Time and Rules Update Time */
snort_snortloglimit_install_cron(true);
@@ -249,22 +242,8 @@
$config['widgets']['sequence'] .= "," . $config['installedpackages']['snortglobal']['dashboard_widget'];
$rebuild_rules = false;
- if ($pkg_interface <> "console")
- update_output_window(gettext("Finished rebuilding Snort configuration files..."));
- log_error(gettext("[Snort] Finished rebuilding installation from saved settings..."));
-
- /* Only try to start Snort if not in reboot */
- if (!($g['booting'])) {
- if ($pkg_interface <> "console") {
- update_status(gettext("Starting Snort using rebuilt configuration..."));
- $static_output .= gettext("Starting Snort as a background task using the rebuilt configuration... ");
- mwexec_bg("{$rcdir}snort.sh start");
- update_output_window($static_output);
- }
- else
- mwexec_bg("{$rcdir}snort.sh start");
- }
- update_status("");
+ update_status(gettext("Finished rebuilding Snort configuration files.") . "\n");
+ log_error(gettext("[Snort] Finished rebuilding installation from saved settings."));
}
/* We're finished with conf partition mods, return to read-only */
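Review bot: This hunk removes both `mwexec_bg("{$rcdir}snort.sh start")` calls, so nothing in the visible post-install path starts Snort once the configuration has been rebuilt from saved settings. If another component starts the service after post-install, that should be recorded here, e.g. `/* Snort is intentionally not started here; it is started by <name the component> */`; if nothing does, the configured interfaces stay uninspected until someone starts Snort by hand. Which of the two holds is not visible in this diff.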
diff --git a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_blocked.php b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_blocked.php
index 738c6241bc6a..12fc64f6f187 100644
--- a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_blocked.php
+++ b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_blocked.php
@@ -61,7 +61,7 @@
else
$response = array('resolve_ip' => $ip, 'resolve_text' => gettext("Cannot resolve"));
- echo json_encode(str_replace("\\","\\\\", $response)); // single escape chars can break JSON decode
+ print(json_encode(str_replace("\\","\\\\", $response))); // single escape chars can break JSON decode
exit;
}
# --- AJAX REVERSE DNS RESOLVE End ---
@@ -148,7 +148,7 @@
/* refresh every 60 secs */
if ($pconfig['brefresh'] == 'on')
- echo "\n";
+ print('\n');
/* Display Alert message */
if ($input_errors) {
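Review bot: The replacement `print('\n');` uses single quotes, where PHP does not interpret `\n`, so it emits a backslash followed by the letter n instead of the newline the old `echo "\n";` produced. Keeping the double quotes, `print("\n");`, preserves the old output. The page appears to have lost the markup that was inside this string, so the same applies to whatever tag the original line carried before the `\n`.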
@@ -321,29 +321,29 @@
$rdns_link .= "";
- /* use one echo to do the magic*/
- echo "
+ /* print the table row */
+ print("
{$counter} |
{$tmp_ip} {$rdns_link} |
{$blocked_desc} |
|
-
\n";
+ \n");
}
}
?>
-
+ |
1)
- echo "{$counter}" . gettext(" host IP addresses are currently being blocked.");
+ print($counter . gettext(" host IP addresses are currently being blocked by Snort."));
else
- echo "{$counter}" . gettext(" host IP address is currently being blocked.");
+ print($counter . gettext(" host IP address is currently being blocked Snort."));
}
else {
- echo gettext("There are currently no hosts being blocked by Snort.");
+ print(gettext("There are currently no hosts being blocked by Snort."));
}
?>
|
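Review bot: The new singular message reads `" host IP address is currently being blocked Snort."`, which is missing the word "by" that the plural branch has; it should be `print($counter . gettext(" host IP address is currently being blocked by Snort."));`. Separately, the row that is printed interpolates `{$tmp_ip}`, `{$rdns_link}` and `{$blocked_desc}` as they are; if those values are not escaped where they are built, which is outside the hunk, `htmlspecialchars()` belongs there, since block descriptions presumably originate from alert data.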
diff --git a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_download_updates.php b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_download_updates.php
index 4467dc9e7e31..4c87532081b2 100644
--- a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_download_updates.php
+++ b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_download_updates.php
@@ -143,33 +143,30 @@
$savemsg = gettext("Snort Rules Update logfile has been cleared.");
}
-if (isset($_POST['update'])) {
- header("Location: /snort/snort_download_rules.php");
- exit;
-}
+if (isset($_POST['mode'])) {
+// header("Location: /snort/snort_download_rules.php");
-if ($_POST['force']) {
- // Mount file system R/W since we need to remove files
- conf_mount_rw();
+ if ($_POST['mode'] == 'force') {
+ // Mount file system R/W since we need to remove files
+ conf_mount_rw();
- // Remove the existing MD5 signature files to force a download
- unlink_if_exists("{$snortdir}/{$emergingthreats_filename}.md5");
- unlink_if_exists("{$snortdir}/{$snort_community_rules_filename}.md5");
- unlink_if_exists("{$snortdir}/{$snort_rules_file}.md5");
- unlink_if_exists("{$snortdir}/{$snort_openappid_filename}.md5");
+ // Remove the existing MD5 signature files to force a download
+ unlink_if_exists("{$snortdir}/{$emergingthreats_filename}.md5");
+ unlink_if_exists("{$snortdir}/{$snort_community_rules_filename}.md5");
+ unlink_if_exists("{$snortdir}/{$snort_rules_file}.md5");
+ unlink_if_exists("{$snortdir}/{$snort_openappid_filename}.md5");
- // Revert file system to R/O.
- conf_mount_ro();
+ // Revert file system to R/O.
+ conf_mount_ro();
+ }
// Go download the updates
- header("Location: /snort/snort_download_rules.php");
+ include("/usr/local/pkg/snort/snort_check_for_rule_updates.php");
exit;
}
$pgtitle = array(gettext("Services"), gettext("Snort"), gettext("Update Rules"));
include("head.inc");
-if ($input_errors)
- print_input_errors($input_errors);
if ($savemsg) {
print_info_box($savemsg, 'success');
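Review bot: The new handler runs for any posted `mode`: `isset($_POST['mode'])` starts the rule update whatever the value is, and only `force` is compared, loosely, with `==`. Checking the value against the two modes the page sends, `if (isset($_POST['mode']) && in_array($_POST['mode'], array('update', 'force'), true)) {`, and using `===` for the `force` test keeps unexpected input from starting a download. The commented-out `// header("Location: ...")` line is dead code and can be dropped. The update now runs synchronously inside this request through `include(...)`, so it is worth confirming that the execution time limit covers a full rules download; the included script is not shown in this hunk.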
@@ -192,52 +189,48 @@
=gettext("Installed Rule Set MD5 Signature")?>
-
-
-
-
-
- =gettext("Rule Set Name/Publisher");?> |
- =gettext("MD5 Signature Hash");?> |
- =gettext("MD5 Signature Date");?> |
-
-
-
-
- =gettext("Snort VRT Rules");?> |
- echo trim($snort_org_sig_chk_local);?> |
- |
-
+
+
+
+
- =gettext("Snort GPLv2 Community Rules");?> |
- echo trim($snort_community_sig_chk_local);?> |
- |
+ =gettext("Rule Set Name/Publisher");?> |
+ =gettext("MD5 Signature Hash");?> |
+ =gettext("MD5 Signature Date");?> |
-
- =$et_name;?> |
- echo trim($emergingt_net_sig_chk_local);?> |
- |
-
-
- =gettext("Snort OpenAppID Detectors");?> |
- echo trim($openappid_detectors_sig_chk_local);?> |
- |
-
-
-
+
+
+
+ =gettext("Snort VRT Rules");?> |
+ =trim($snort_org_sig_chk_local);?> |
+ =gettext($snort_org_sig_date);?> |
+
+
+ =gettext("Snort GPLv2 Community Rules");?> |
+ =trim($snort_community_sig_chk_local);?> |
+ =gettext($snort_community_sig_date);?> |
+
+
+ =$et_name;?> |
+ =trim($emergingt_net_sig_chk_local);?> |
+ =gettext($emergingt_net_sig_date);?> |
+
+
+ =gettext("Snort OpenAppID Detectors");?> |
+ =trim($openappid_detectors_sig_chk_local);?> |
+ =gettext($openappid_detectors_sig_date);?> |
+
+
+
+
add(new Form_StaticText(
- '',
- $last_rule_upd_time
-));
if (stristr('success', $last_rule_upd_status)) {
$last_rule_upd_status = '' . $last_rule_upd_status . '';
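Review bot: The added date cells wrap runtime values in `gettext()` (`<?=gettext($snort_org_sig_date);?>` and the three cells like it), which looks each date string up as a translation msgid and does not escape it for HTML. `<?=htmlspecialchars($snort_org_sig_date);?>` is the better fit. The same goes for the hash cells that only apply `trim(...)`, if those values are read from the downloaded `.md5` files; where they are populated is outside this hunk.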
@@ -248,25 +241,25 @@
$group->add(new Form_StaticText(
'',
- 'Result: ' . $last_rule_upd_status
+ $last_rule_upd_time . 'Result: ' . $last_rule_upd_status . ''
));
$section->add($group);
$group = new Form_Group('Update Rules');
$group->add(new Form_Button(
'update',
- ' ' . 'Update Rules',
- '/snort/snort_download_rules.php',
+ 'Update Rules',
+ '#',
'fa-check'
-))->removeClass('btn-primary')->addClass('btn-info')->addClass('btn-sm');
+))->removeClass('btn-primary')->addClass('btn-info')->addClass('btn-sm')->setAttribute('title', gettext("Check for and install only new updates"));
$group->add(new Form_Button(
'force',
- ' ' . 'Force Update',
- null,
+ 'Force Update',
+ '#',
'fa-download'
))->removeClass('btn-primary')->addClass('btn-warning')->addClass('btn-sm')->setAttribute('title', gettext("Force an update of all enabled rule sets"));
$group->setHelp('Click UPDATE RULES to check for and automatically apply any new posted updates for selected rules packages. Clicking FORCE UPDATE ' .
- 'will zero out the MD5 hashes and force the download and application of the latest versions of the enabled rules packages.');
+ 'will zero out the MD5 hashes and force the download and application of the latest versions of the enabled rules packages.');
$section->add($group);
$form->add($section);
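Review bot: The button labels `'Update Rules'` and `'Force Update'` and the `setHelp()` text are hard-coded English, while the `title` attributes next to them go through `gettext()`. Wrapping them, e.g. `gettext('Update Rules')`, keeps the page consistently translatable; the same applies to `'View Log'`, `'Clear Log'` and the "please wait" modal text in the following hunks. The help text also says FORCE UPDATE will "zero out" the MD5 hashes, whereas the handler earlier in this diff deletes the `.md5` files.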
@@ -276,14 +269,14 @@
$group->add(new Form_Button(
'view',
- ' ' . 'View Log',
+ 'View Log',
'#',
'fa-file-text-o'
))->removeClass('btn-primary')->addClass('btn-info')->addClass('btn-sm')->setAttribute('title', gettext('View rules update log'))->setAttribute('data-target', '#vwupdlog')->setAttribute('data-toggle', 'modal');
$group->add(new Form_Button(
'clear',
- ' ' . 'Clear Log',
+ 'Clear Log',
null,
'fa-trash'
))->removeClass('btn-primary')->addClass('btn-danger')->addClass('btn-sm')->setAttribute('title', gettext('Clear rules update log'));
@@ -314,6 +307,15 @@
))->removeClass('form-control')->addClass('row-fluid col-sm-10')->setAttribute('rows', '10')->setAttribute('wrap', 'off');
$form->add($modal);
+// Create a Modal Dialog for displaying a spinning icon "please wait" message while
+// updating the rule sets
+$modal = new Modal('Rules Update Task', 'updrulesdlg', false, 'Close');
+$modal->addInput(new Form_StaticText (
+ null,
+ 'Checking for updated rule sets may take a while ... please wait ' . ''
+));
+$form->add($modal);
+
$form->add($section);
print($form);
@@ -341,10 +343,42 @@ function getRuleUpdateLog() {
});
}
+ function doRuleUpdates(mode) {
+ var ajaxRequest;
+ if (typeof mode == "undefined") {
+ var mode = "update";
+ }
+
+ // Show the "please wait" modal
+ $('#updrulesdlg').modal('show');
+
+ ajaxRequest = $.ajax({
+ url: "/snort/snort_download_updates.php",
+ type: "post",
+ data: { mode: mode }
+ });
+
+ // Deal with the results of the above ajax call
+ ajaxRequest.done(function (response, textStatus, jqXHR) {
+
+ // Close the "please wait" modal
+ $('#updrulesdlg').modal('hide');
+ });
+ }
+
$('#vwupdlog').on('shown.bs.modal', function() {
getRuleUpdateLog();
});
+ //-- Click handlers ---------------------------------
+ $('#update').click(function() {
+ doRuleUpdates('update');
+ });
+
+ $('#force').click(function() {
+ doRuleUpdates('force');
+ });
+
});
//]]>
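Review bot: `doRuleUpdates()` hides the "please wait" modal only in `.done()`, so a failed or timed-out request leaves the dialog up with no indication of what happened. Using `ajaxRequest.always(function () { $('#updrulesdlg').modal('hide'); });` closes it in both cases, and a `.fail()` handler could report the error. The response is discarded, so the MD5 table and last-update status on the page stay stale until a manual reload. `var mode = "update";` re-declares the parameter and can be a plain assignment.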
diff --git a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_interface_logs.php b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_interface_logs.php
index dcda85477989..b56b5b2f8057 100644
--- a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_interface_logs.php
+++ b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_interface_logs.php
@@ -99,7 +99,7 @@
print_info_box($savemsg);
function build_logfile_list() {
- global $snortlogdir;
+ global $snortlogdir, $if_real;
$list = array();
@@ -173,7 +173,6 @@ function build_logfile_list() {
print($form);
?>
-