diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc index 5cdd5a00bac9..ca16b11951f5 100644 --- a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc +++ b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc @@ -34,7 +34,7 @@ require_once("pfsense-utils.inc"); require_once("config.inc"); require_once("functions.inc"); -require_once("service-utils.inc"); +require_once("service-utils.inc"); // Need this to get RCFILEPREFIX definition require_once("pkg-utils.inc"); require_once("filter.inc"); require("/usr/local/pkg/snort/snort_defs.inc"); @@ -3685,11 +3685,11 @@ function snort_remove_dead_rules() { $cats = array(); // If there is no "deprecated_rules" file, then exit - if (!file_exists("{$rulesdir}deprecated_rules")) + if (!file_exists("/usr/local/pkg/snort/deprecated_rules")) return; // Open a SplFileObject to read in deprecated rules - $file = new SplFileObject("{$rulesdir}/deprecated_rules"); + $file = new SplFileObject("/usr/local/pkg/snort/deprecated_rules"); $file->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE); while (!$file->eof()) { $line = $file->fgets(); diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_for_rule_updates.php b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_for_rule_updates.php index 929ddad17aff..05ae77859d41 100644 --- a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_for_rule_updates.php +++ b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_for_rule_updates.php @@ -5,7 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2013-2015 Bill Meeks + * Copyright (C) 2013-2016 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
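Review bot: In the snort_remove_dead_rules hunk the guard is `file_exists()`, but the same path is then handed to `new SplFileObject(...)`, whose constructor throws when the file cannot be opened. A path that exists but is unreadable, or is a directory, passes the guard and then throws; `if (!is_file($path) || !is_readable($path)) return;` covers both cases. The literal `/usr/local/pkg/snort/deprecated_rules` is also written twice, so holding it in one local variable keeps the check and the open pointed at the same file. The function body continues past the end of the hunk.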
@@ -35,7 +35,7 @@ require_once("/usr/local/pkg/snort/snort.inc"); require("/usr/local/pkg/snort/snort_defs.inc"); -global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules, $static_output; +global $g, $config, $rebuild_rules; $snortdir = SNORTDIR; $snortlibdir = SNORT_PBI_BASEDIR . "lib"; @@ -44,13 +44,6 @@ $snortbindir = SNORT_PBI_BINDIR; $mounted_rw = FALSE; -/* Save the state of $pkg_interface so we can restore it */ -$pkg_interface_orig = $pkg_interface; -if ($snort_gui_include) - $pkg_interface = ""; -else - $pkg_interface = "console"; - /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; $etproid = $config['installedpackages']['snortglobal']['etpro_code']; @@ -128,7 +121,7 @@ function snort_download_file_url($url, $file_out) { /* It provides logging of returned CURL errors. */ /************************************************/ - global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; + global $g, $config, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; $rfc2616 = array( 100 => "100 Continue", @@ -190,7 +183,7 @@ function snort_download_file_url($url, $file_out) { // NOTE: required to suppress errors from XMLRPC due to progress bar output // and to prevent useless spam from rules update cron job execution. This // prevents progress bar output during package sync and rules update cron task. - if ($g['snort_sync_in_progress'] || $pkg_interface == "console") + if ($g['snort_sync_in_progress']) curl_setopt($ch, CURLOPT_HEADER, false); else { curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header'); 
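Review bot: The NOTE comment kept above `if ($g['snort_sync_in_progress'])` in snort_download_file_url still says the test prevents progress output during the rules update cron task, but the `$pkg_interface == "console"` half of the condition that covered that case is removed. As written, a cron-driven run appears to take the `else` branch and install the `read_header` callback. Either reword the comment to cover package sync only, or confirm that cron runs set `snort_sync_in_progress`, which is not visible in this diff.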
@@ -201,7 +194,7 @@ function snort_download_file_url($url, $file_out) {
 curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/43.0.2357.65 Safari/537.36");
 curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "TLSv1.2, TLSv1");
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
 curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
 curl_setopt($ch, CURLOPT_TIMEOUT, 0);
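Review bot: The `CURLOPT_SSL_CIPHER_LIST` value `"TLSv1.2, TLSv1"` on the context line above the fix reads like a protocol selection, but with an OpenSSL backend those tokens name cipher-suite groups, so nothing in this hunk sets a minimum TLS version for the rules download. If a protocol floor is intended, state it explicitly with `curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);` and add a comment on the cipher-list line saying what it is meant to restrict. The exact effect depends on the TLS library curl was built against, which is not visible here. The function body starts and ends outside the hunk.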
@@ -266,56 +259,45 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") { /* error occurred. */ /**********************************************************/ - global $last_curl_error, $update_errors, $static_output; + global $last_curl_error, $update_errors; $snortdir = SNORTDIR; $filename_md5 = basename($file_dst); update_status(gettext("Downloading {$desc} md5 file...")); - $static_output .= gettext("Downloading {$desc} md5 file..."); - update_output_window($static_output); error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, SNORT_RULES_UPD_LOGFILE); $rc = snort_download_file_url($file_url, $file_dst); // See if download from URL was successful if ($rc === true) { - update_status(gettext("Done downloading {$filename_md5}.")); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); error_log("\tChecking {$desc} md5 file...\n", 3, SNORT_RULES_UPD_LOGFILE); - $static_output .= gettext("Checking {$desc} md5 file..."); - update_output_window($static_output); + update_status(gettext("Checking {$desc} md5 file...")); // check md5 hash in new file against current file to see if new download is posted if (file_exists("{$snortdir}/{$filename_md5}")) { $md5_check_new = file_get_contents($file_dst); $md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}"); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); if ($md5_check_new == $md5_check_old) { - update_status(gettext("{$desc} are up to date...")); + update_status(gettext("{$desc} are current. No update required.") . "\n"); log_error(gettext("[Snort] {$desc} are up to date...")); error_log(gettext("\t{$desc} are up to date.\n"), 3, SNORT_RULES_UPD_LOGFILE); - $static_output .= gettext("{$desc} are current. 
No update required.\n"); - update_output_window($static_output); return false; } else { return true; } } - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); return true; } else { error_log(gettext("\t{$desc} md5 download failed.\n"), 3, SNORT_RULES_UPD_LOGFILE); $snort_err_msg = gettext("Server returned error code {$rc}."); - update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); - $static_output .= gettext(" FAILED!\n"); - update_output_window($static_output); - $static_output .= gettext("{$desc} will not be updated.\n{$snort_err_msg}\n"); - update_output_window($static_output); + update_status(gettext(" FAILED!") . "\n"); + update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...") . "\n"); + update_status(gettext("{$desc} will not be updated.\n{$snort_err_msg}") . "\n"); log_error(gettext("[Snort] {$desc} md5 download failed...")); log_error(gettext("[Snort] Server returned error code {$rc}...")); error_log(gettext("\t{$snort_err_msg}\n"), 3, SNORT_RULES_UPD_LOGFILE); 
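Review bot: `if ($md5_check_new == $md5_check_old)` in snort_check_rule_md5 compares two hash strings with loose equality, and the same pattern appears as `if ($file_md5 != trim(md5_file($file_dst)))` in the snort_fetch_new_rules hunk that follows. PHP compares two numeric-looking strings as numbers under `==`, so two different digests that both look like `0e` followed by digits compare equal; here that would report the rules as current, and in the later hunk it would accept a file whose hash does not match. Use strict comparison on trimmed values, `if (trim($md5_check_new) === trim($md5_check_old))`, and `!==` in the other function. Both `file_get_contents()` results are also used unchecked, so a failed read on both sides (`false == false`) is reported as "up to date".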
@@ -345,31 +327,26 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
 /* FALSE if download was not successful. */
 /**********************************************************/
- global $last_curl_error, $update_errors, $static_output;
+ global $last_curl_error, $update_errors;
 $snortdir = SNORTDIR;
 $filename = basename($file_dst);
- update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
+ update_status(gettext("There is a new set of {$desc} posted.\nDownloading {$filename}..."));
 log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}..."));
 error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, SNORT_RULES_UPD_LOGFILE);
 error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, SNORT_RULES_UPD_LOGFILE);
- $static_output .= gettext("There is a new set of {$desc} posted.\nDownloading {$filename}...");
- update_output_window($static_output);
 $rc = snort_download_file_url($file_url, $file_dst);
 // See if the download from the URL was successful
 if ($rc === true) {
- update_status(gettext("Done downloading {$desc} file."));
+ update_status(gettext(" done.") . "\n");
 log_error("[Snort] {$desc} file update downloaded successfully");
 error_log(gettext("\tDone downloading rules file.\n"),3, SNORT_RULES_UPD_LOGFILE);
- $static_output .= gettext(" done.\n");
- update_output_window($static_output);
 // Test integrity of the rules file. Turn off update if file has wrong md5 hash
 if ($file_md5 != trim(md5_file($file_dst))){
- $static_output .= gettext("{$desc} file MD5 checksum failed...\n");
- update_output_window($static_output);
+ update_status(gettext("{$desc} file MD5 checksum failed...") . "\n");
 log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum..."));
 log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst)));
 log_error(gettext("[Snort] Expected File MD5: {$file_md5}"));
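Review bot: The integrity test in snort_fetch_new_rules passes when both sides are empty: `md5_file()` returns false on a read error, `trim(false)` yields an empty string, and an empty `$file_md5` then satisfies the comparison. `$file_md5` is supplied by the caller outside this hunk, so whether it can be empty is not visible here. Compute the digest once and reject the empty and failed cases explicitly, `$actual = md5_file($file_dst);` followed by `if ($actual === false || $file_md5 === '' || $file_md5 !== $actual) {`, and reuse `$actual` in the "Downloaded File MD5" log line instead of hashing the file a second time. A docstring line noting that this check detects a corrupted download only would also help, since authenticity of the rules presumably rests on the TLS verification in snort_download_file_url. The function body continues past the hunk.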
@@ -383,20 +360,16 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { return true; } else { - $static_output .= gettext(" FAILED!\n"); - update_output_window($static_output); - $static_output .= gettext("{$desc} file download failed... server returned error '{$rc}'.\n"); - update_output_window($static_output); + update_status(gettext(" FAILED!") . "\n"); + update_status(gettext("{$desc} file download failed... server returned error '{$rc}'.") . "\n"); log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'...")); error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SNORT_RULES_UPD_LOGFILE); error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, SNORT_RULES_UPD_LOGFILE); error_log(gettext("\t{$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE); - $static_output .= gettext("{$desc} will not be updated.\n"); - update_output_window($static_output); + update_status(gettext("{$desc} will not be updated.") . "\n"); $update_errors = true; return false; } - } /**********************/ @@ -479,8 +452,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* Untar Snort rules file to tmp and install the rules */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { - $static_output .= gettext("Installing Sourcefire VRT rules..."); - update_output_window($static_output); + update_status(gettext("Installing Sourcefire VRT rules...")); /* Currently, only FreeBSD-8-1, FreeBSD-9-0 and FreeBSD-10-0 precompiled SO rules exist from Snort.org */ /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x or FreeBSD 10.x */ 
@@ -491,11 +463,9 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { $freebsd_version_so = 'FreeBSD-10-0'; /* Remove the old Snort rules files */ - update_status(gettext("Removing old Snort VRT rules...")); $vrt_prefix = VRT_FILE_PREFIX; unlink_if_exists("{$snortdir}/rules/{$vrt_prefix}*.rules"); - update_status(gettext("Extracting new Snort VRT rules...")); error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); /* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */ safe_mkdir("{$tmpfname}/snortrules"); @@ -513,7 +483,6 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { } rmdir_recursive("{$tmpfname}/snortrules"); /* Extract the Snort preprocessor rules */ - update_status(gettext("Extracting preprocessor rules files...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/"); $files = glob("{$tmpfname}/preproc_rules/*.rules"); foreach ($files as $file) { @@ -522,7 +491,6 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { } rmdir_recursive("{$tmpfname}/preproc_rules"); /* extract so rules */ - update_status(gettext("Extracting Snort VRT Shared Objects rules...")); error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, SNORT_RULES_UPD_LOGFILE); $snort_arch = php_uname("m"); $nosorules = false; @@ -537,7 +505,6 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { rmdir_recursive("{$tmpfname}/so_rules/"); if ($nosorules == false) { /* extract Shared Object stub rules, rename and copy to the rules folder. */ - update_status(gettext("Copying Snort VRT Shared Objects rules...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} --exclude precompiled/ --exclude src/ so_rules/"); $files = glob("{$tmpfname}/so_rules/*.rules"); foreach ($files as $file) { 
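Review bot: The `exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/")` call kept as context here interpolates paths into a shell command without quoting, as do the matching tar calls in the later hunks for so_rules, etc, community and emerging. These variables are assigned outside the hunks, so their origin is not visible; if any filename component derives from saved configuration, quote each argument, e.g. `exec('/usr/bin/tar xzf ' . escapeshellarg("{$tmpfname}/{$snort_filename}") . ' -C ' . escapeshellarg($tmpfname) . ' preproc_rules/');`. The exit status of each call is also ignored, so with the per-step status messages removed a failed extraction still reaches the `update_status(gettext(" done.") . "\n")` line. Capturing the result code and logging a failure to SNORT_RULES_UPD_LOGFILE would keep a partial rule set from being reported as installed.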
@@ -547,7 +514,6 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { rmdir_recursive("{$tmpfname}/so_rules/"); } /* extract base etc files */ - update_status(gettext("Extracting Snort VRT config and map files...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$tmpfname}/etc/{$file}")) @@ -558,9 +524,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}"); } - update_status(gettext("Extraction of Snort VRT rules completed...")); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); } } @@ -569,8 +533,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { if ($openappid_detectors == 'on') { // If we have a valid downloaded file, then first cleanup the old directory if (file_exists("{$tmpfname}/{$snort_openappid_filename}")) { - update_status(gettext("Extracting Snort OpenAppID detectors...")); - $static_output .= gettext("Installing Snort OpenAppID detectors..."); + update_status(gettext("Installing Snort OpenAppID detectors...")); $snort_openappid_path = SNORT_APPID_ODP_PATH; rmdir_recursive("{$snort_openappid_path}odp"); error_log(gettext("\tExtracting and installing Snort OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE); 
@@ -585,9 +548,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { safe_mkdir("{$snort_openappid_path}custom/lua"); touch("{$snort_openappid_path}custom/userappid.conf"); } - update_status(gettext("Extraction of Snort OpenAppID detectors completed...")); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); unlink_if_exists("{$tmpfname}/{$snort_openappid_filename}"); error_log(gettext("\tInstallation of Snort OpenAppID detectors completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); } @@ -597,9 +558,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { if ($snortcommunityrules == 'on') { safe_mkdir("{$tmpfname}/community"); if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { - update_status(gettext("Extracting Snort GPLv2 Community Rules...")); - $static_output .= gettext("Installing Snort GPLv2 Community Rules...\n"); - update_output_window($static_output); + update_status(gettext("Installing Snort GPLv2 Community Rules...")); error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/"); 
@@ -615,12 +574,9 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { } /* Copy snort community md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { - update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$snort_community_rules_filename_md5}", "{$snortdir}/{$snort_community_rules_filename_md5}"); } - update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/community/"); } 
@@ -630,23 +586,19 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { if ($emergingthreats == 'on') { safe_mkdir("{$tmpfname}/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Extracting {$et_name} rules...")); - $static_output .= gettext("Installing {$et_name} rules..."); - update_output_window($static_output); + update_status(gettext("Installing {$et_name} rules...")); error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/"); /* Remove the old Emerging Threats rules files */ $eto_prefix = ET_OPEN_FILE_PREFIX; $etpro_prefix = ET_PRO_FILE_PREFIX; - update_status(gettext("Removing old {$et_name} files...")); unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*.rules"); unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*.rules"); unlink_if_exists("{$snortdir}/rules/{$eto_prefix}*ips.txt"); unlink_if_exists("{$snortdir}/rules/{$etpro_prefix}*ips.txt"); $files = glob("{$tmpfname}/emerging/rules/*.rules"); - update_status(gettext("Copying new {$et_name} files...")); foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") @@ -678,9 +630,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } - update_status(gettext("Extraction of {$et_name} rules completed...")); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/emerging/"); } 
@@ -719,7 +669,6 @@ function snort_apply_customizations($snortcfg, $if_real) { if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') { - update_status(gettext('Copying new config and map files...')); error_log(gettext("\tCopying new config and map files...\n"), 3, SNORT_RULES_UPD_LOGFILE); /******************************************************************/ @@ -766,8 +715,6 @@ function snort_apply_customizations($snortcfg, $if_real) { $if_real = get_real_interface($value['interface']); $tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ..."; update_status(gettext($tmp)); - $static_output .= gettext($tmp . "..."); - update_output_window($static_output); // Make sure the interface subdirectory and required sub-directories exists. // We need to re-create them during a pkg reinstall for the intial rules set @@ -790,14 +737,11 @@ function snort_apply_customizations($snortcfg, $if_real) { $tmp .= convert_friendly_interface_to_friendly_descr($value['interface']) . "...\n"; } error_log($tmp, 3, SNORT_RULES_UPD_LOGFILE); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); } } else { - $static_output .= gettext("Warning: No interfaces configured for Snort were found...\n"); - $static_output .= gettext("No interfaces currently have Snort configured and enabled on them.\n"); - update_output_window($static_output); + update_status(gettext("Warning: No interfaces configured for Snort were found...") . "\n"); error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, SNORT_RULES_UPD_LOGFILE); } 
@@ -807,15 +751,12 @@ function snort_apply_customizations($snortcfg, $if_real) { /* Restart snort if running, and not in post-install, so as to pick up the new rules. */ if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) { update_status(gettext('Restarting Snort to activate the new set of rules...')); - $static_output .= gettext("Restarting Snort..."); - update_output_window($static_output); error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, SNORT_RULES_UPD_LOGFILE); touch("{$g['varrun_path']}/snort_pkg_starting.lck"); snort_restart_all_interfaces(TRUE); sleep(3); unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck"); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); log_error(gettext("[Snort] Snort has restarted with your new set of rules...")); error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, SNORT_RULES_UPD_LOGFILE); } 
@@ -827,15 +768,12 @@ function snort_apply_customizations($snortcfg, $if_real) { /**************************************************************************************/ if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) { update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...')); - $static_output .= gettext("Restarting Snort..."); - update_output_window($static_output); error_log(gettext("\tRestarting Snort to activate the new OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE); touch("{$g['varrun_path']}/snort_pkg_starting.lck"); snort_restart_all_interfaces(TRUE); sleep(2); unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck"); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); log_error(gettext("[Snort] Snort has restarted with your new set of OpenAppID detectors...")); error_log(gettext("\tSnort has restarted with your new set of OpenAppID detectors.\n"), 3, SNORT_RULES_UPD_LOGFILE); } @@ -843,14 +781,12 @@ function snort_apply_customizations($snortcfg, $if_real) { /* remove $tmpfname files */ if (is_dir("{$tmpfname}")) { - $static_output .= gettext("Cleaning up temp dirs and files..."); - update_output_window($static_output); + update_status(gettext("Cleaning up temp dirs and files...")); rmdir_recursive($tmpfname); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); } -update_status(gettext("The Rules update has finished.")); +update_status(gettext("The Rules update has finished.") . "\n"); log_error(gettext("[Snort] The Rules update has finished.")); error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SNORT_RULES_UPD_LOGFILE); 
@@ -858,9 +794,6 @@ function snort_apply_customizations($snortcfg, $if_real) { if ($mounted_rw == TRUE) conf_mount_ro(); -/* Restore the state of $pkg_interface */ -$pkg_interface = $pkg_interface_orig; - /* Save this update status to the configuration file */ if ($update_errors) $config['installedpackages']['snortglobal']['last_rule_upd_status'] = gettext("failed"); diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_defs.inc b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_defs.inc index 9e3bfe48d4e5..bb1e798f3cb5 100644 --- a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_defs.inc +++ b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_defs.inc @@ -5,7 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009-2010 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2013-2015 Bill Meeks + * Copyright (C) 2013-2016 Bill Meeks * part of pfSense * All rights reserved. * @@ -50,7 +50,7 @@ if (!defined("SNORT_BIN_VERSION")) { if (!empty($snortver)) define("SNORT_BIN_VERSION", $snortver); else - define("SNORT_BIN_VERSION", "2.9.7.6"); + define("SNORT_BIN_VERSION", "2.9.8.0"); } if (!defined("SNORT_SID_MODS_PATH")) define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/"); diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_post_install.php b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_post_install.php index 1ce1b4d84c9e..2368bb31c03d 100644 --- a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_post_install.php +++ b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_post_install.php @@ -5,7 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009-2010 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2013-2014 Bill Meeks + * Copyright (C) 2013-2016 Bill Meeks * part of pfSense * All rights reserved. * 
@@ -40,6 +40,7 @@ require_once("config.inc"); require_once("functions.inc"); +require_once("service-utils.inc"); // Need this to get RCFILEPREFIX constant require_once("/usr/local/pkg/snort/snort.inc"); require("/usr/local/pkg/snort/snort_defs.inc"); @@ -67,6 +68,9 @@ unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid"); } +// Remove any LCK files for Snort that might have been left behind +unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck"); + /* Set flag for post-install in progress */ $g['snort_postinstall'] = true; @@ -85,9 +89,6 @@ @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); //@rename("{$snortdir}/attribute_table.dtd-sample", "{$snortdir}/attribute_table.dtd"); -/* Move deprecated_rules file to SNORTDIR/rules directory */ -@rename("/usr/local/pkg/snort/deprecated_rules", "{$snortdir}/rules/deprecated_rules"); - /* fix up the preprocessor rules filenames from a PBI package install */ $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); foreach ($preproc_rules as $file) { @@ -141,8 +142,8 @@ /* remake saved settings */ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { - log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings...")); - update_status(gettext("Saved settings detected...")); + log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings.")); + update_status(gettext("Saved settings detected.") . "\n"); /****************************************************************/ /* Do test and fix for duplicate UUIDs if this install was */ 
@@ -180,16 +181,12 @@ /****************************************************************/ /* Do one-time settings migration for new multi-engine configurations */ - $static_output .= gettext("\nMigrating settings to new configuration..."); - update_output_window($static_output); + update_status(gettext("Migrating settings to new configuration...")); include('/usr/local/pkg/snort/snort_migrate_config.php'); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); - log_error(gettext("[Snort] Downloading and updating configured rule sets...")); - if ($pkg_interface <> "console") - $snort_gui_include = true; + update_status(gettext(" done.") . "\n"); + log_error(gettext("[Snort] Downloading and updating configured rule sets.")); include('/usr/local/pkg/snort/snort_check_for_rule_updates.php'); - update_status(gettext("Generating snort.conf configuration file from saved settings...")); + update_status(gettext("Generating snort.conf configuration file from saved settings.") . "\n"); $rebuild_rules = true; conf_mount_rw(); @@ -199,8 +196,7 @@ $if_real = get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; - $static_output .= gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "..."); - update_output_window($static_output); + update_status(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "...")); // Pull in the PHP code that generates the snort.conf file // variables that will be substituted further down below. 
@@ -227,16 +223,13 @@ if ($snortcfg['barnyard_enable'] == 'on') snort_generate_barnyard2_conf($snortcfg, $if_real); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); } /* create snort bootup file snort.sh */ - $static_output .= gettext("Generating snort.sh script in {$rcdir}..."); - update_output_window($static_output); + update_status(gettext("Generating snort.sh script in {$rcdir}...")); snort_create_rc(); - $static_output .= gettext(" done.\n"); - update_output_window($static_output); + update_status(gettext(" done.") . "\n"); /* Set Log Limit, Block Hosts Time and Rules Update Time */ snort_snortloglimit_install_cron(true); @@ -249,22 +242,8 @@ $config['widgets']['sequence'] .= "," . $config['installedpackages']['snortglobal']['dashboard_widget']; $rebuild_rules = false; - if ($pkg_interface <> "console") - update_output_window(gettext("Finished rebuilding Snort configuration files...")); - log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); - - /* Only try to start Snort if not in reboot */ - if (!($g['booting'])) { - if ($pkg_interface <> "console") { - update_status(gettext("Starting Snort using rebuilt configuration...")); - $static_output .= gettext("Starting Snort as a background task using the rebuilt configuration... "); - mwexec_bg("{$rcdir}snort.sh start"); - update_output_window($static_output); - } - else - mwexec_bg("{$rcdir}snort.sh start"); - } - update_status(""); + update_status(gettext("Finished rebuilding Snort configuration files.") . "\n"); + log_error(gettext("[Snort] Finished rebuilding installation from saved settings.")); } /* We're finished with conf partition mods, return to read-only */ diff --git a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_blocked.php b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_blocked.php index 738c6241bc6a..12fc64f6f187 100644 
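Review bot: On the new side of the last snort_post_install.php hunk nothing starts Snort after the configuration is rebuilt from saved settings; the `mwexec_bg("{$rcdir}snort.sh start")` branch is gone and the final status only says the files were rebuilt. If the service is now started by another component, that is not visible in this diff, and a comment at this point naming where the start happens would save the next maintainer the search. If it is not started elsewhere, a reinstall or upgrade leaves the configured interfaces unmonitored until someone starts the service by hand. In that case the closing `log_error()` message should say so explicitly, so the gap shows up in the system log.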
--- a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_blocked.php +++ b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_blocked.php @@ -61,7 +61,7 @@ else $response = array('resolve_ip' => $ip, 'resolve_text' => gettext("Cannot resolve")); - echo json_encode(str_replace("\\","\\\\", $response)); // single escape chars can break JSON decode + print(json_encode(str_replace("\\","\\\\", $response))); // single escape chars can break JSON decode exit; } # --- AJAX REVERSE DNS RESOLVE End --- @@ -148,7 +148,7 @@ /* refresh every 60 secs */ if ($pconfig['brefresh'] == 'on') - echo "\n"; + print('\n'); /* Display Alert message */ if ($input_errors) { @@ -321,29 +321,29 @@ $rdns_link .= ""; - /* use one echo to do the magic*/ - echo " + /* print the table row */ + print(" {$counter} {$tmp_ip}
{$rdns_link} {$blocked_desc} - \n"; + \n"); } } ?> - + 1) - echo "{$counter}" . gettext(" host IP addresses are currently being blocked."); + print($counter . gettext(" host IP addresses are currently being blocked by Snort.")); else - echo "{$counter}" . gettext(" host IP address is currently being blocked."); + print($counter . gettext(" host IP address is currently being blocked Snort.")); } else { - echo gettext("There are currently no hosts being blocked by Snort."); + print(gettext("There are currently no hosts being blocked by Snort.")); } ?> diff --git a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_download_updates.php b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_download_updates.php index 4467dc9e7e31..4c87532081b2 100644 --- a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_download_updates.php +++ b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_download_updates.php 
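Review bot: The new singular message in snort_blocked.php reads `" host IP address is currently being blocked Snort."`; the word "by" is missing, so it should be `gettext(" host IP address is currently being blocked by Snort.")` to match the plural form. In the refresh hunk, `print('\n')` uses single quotes, so PHP emits a literal backslash and `n` rather than a newline; keep double quotes for the escape. The table-row `print()` interpolates `{$tmp_ip}` and `{$blocked_desc}` directly into the output. Where those values are built is outside the hunk, so if they carry text from alert logs they should pass through `htmlspecialchars()` before being printed.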
@@ -143,33 +143,30 @@ $savemsg = gettext("Snort Rules Update logfile has been cleared."); } -if (isset($_POST['update'])) { - header("Location: /snort/snort_download_rules.php"); - exit; -} +if (isset($_POST['mode'])) { +// header("Location: /snort/snort_download_rules.php"); -if ($_POST['force']) { - // Mount file system R/W since we need to remove files - conf_mount_rw(); + if ($_POST['mode'] == 'force') { + // Mount file system R/W since we need to remove files + conf_mount_rw(); - // Remove the existing MD5 signature files to force a download - unlink_if_exists("{$snortdir}/{$emergingthreats_filename}.md5"); - unlink_if_exists("{$snortdir}/{$snort_community_rules_filename}.md5"); - unlink_if_exists("{$snortdir}/{$snort_rules_file}.md5"); - unlink_if_exists("{$snortdir}/{$snort_openappid_filename}.md5"); + // Remove the existing MD5 signature files to force a download + unlink_if_exists("{$snortdir}/{$emergingthreats_filename}.md5"); + unlink_if_exists("{$snortdir}/{$snort_community_rules_filename}.md5"); + unlink_if_exists("{$snortdir}/{$snort_rules_file}.md5"); + unlink_if_exists("{$snortdir}/{$snort_openappid_filename}.md5"); - // Revert file system to R/O. - conf_mount_ro(); + // Revert file system to R/O. + conf_mount_ro(); + } // Go download the updates - header("Location: /snort/snort_download_rules.php"); + include("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); exit; } $pgtitle = array(gettext("Services"), gettext("Snort"), gettext("Update Rules")); include("head.inc"); -if ($input_errors) - print_input_errors($input_errors); if ($savemsg) { print_info_box($savemsg, 'success'); @@ -192,52 +189,48 @@
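Review bot: The new handler in the `@@ -143,33 +143,30 @@` hunk runs a full rules update for any request that carries a `mode` field, whatever its value, and tests for the forced path with a loose `==`. Since this branch remounts the filesystem read-write, deletes the MD5 files and then includes the updater, it should accept only the two values the page sends: `if (isset($_POST['mode']) && in_array($_POST['mode'], array('update', 'force'), true)) {` and `if ($_POST['mode'] === 'force') {`. The commented-out `// header("Location: /snort/snort_download_rules.php");` line is dead code and can be dropped. Any CSRF token check for this POST happens outside the hunk, presumably in the GUI's common includes, and is not visible here.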

-
- - - - - - - - - - - - - - - +
+
+
+ - - - + + + - - - - - - - - - - - -
+ + + + + + + + + + + + + + + + + + + + + + + +
+
add(new Form_StaticText( - '', - $last_rule_upd_time -)); if (stristr('success', $last_rule_upd_status)) { $last_rule_upd_status = '' . $last_rule_upd_status . ''; @@ -248,25 +241,25 @@ $group->add(new Form_StaticText( '', - 'Result: ' . $last_rule_upd_status + $last_rule_upd_time . 'Result: ' . $last_rule_upd_status . '' )); $section->add($group); $group = new Form_Group('Update Rules'); $group->add(new Form_Button( 'update', - ' ' . 'Update Rules', - '/snort/snort_download_rules.php', + 'Update Rules', + '#', 'fa-check' -))->removeClass('btn-primary')->addClass('btn-info')->addClass('btn-sm'); +))->removeClass('btn-primary')->addClass('btn-info')->addClass('btn-sm')->setAttribute('title', gettext("Check for and install only new updates")); $group->add(new Form_Button( 'force', - ' ' . 'Force Update', - null, + 'Force Update', + '#', 'fa-download' ))->removeClass('btn-primary')->addClass('btn-warning')->addClass('btn-sm')->setAttribute('title', gettext("Force an update of all enabled rule sets")); $group->setHelp('Click UPDATE RULES to check for and automatically apply any new posted updates for selected rules packages. Clicking FORCE UPDATE ' . - 'will zero out the MD5 hashes and force the download and application of the latest versions of the enabled rules packages.'); + 'will zero out the MD5 hashes and force the download and application of the latest versions of the enabled rules packages.'); $section->add($group); $form->add($section); 
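Review bot: The unchanged `stristr('success', $last_rule_upd_status)` test at the end of the `@@ -192,52 +189,48 @@` hunk has its haystack and needle reversed: it looks for the status text inside the literal `'success'`, so it matches any status that is a fragment of that word (and an empty status on PHP 8, where an empty needle matches). That can present a missing or partial status as a successful rules update. Since the commit reworks the lines around it, swap the arguments: `if (stristr($last_rule_upd_status, 'success')) {`. The values `$last_rule_upd_status` can take are set outside the hunk.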
@@ -276,14 +269,14 @@ $group->add(new Form_Button( 'view', - ' ' . 'View Log', + 'View Log', '#', 'fa-file-text-o' ))->removeClass('btn-primary')->addClass('btn-info')->addClass('btn-sm')->setAttribute('title', gettext('View rules update log'))->setAttribute('data-target', '#vwupdlog')->setAttribute('data-toggle', 'modal'); $group->add(new Form_Button( 'clear', - ' ' . 'Clear Log', + 'Clear Log', null, 'fa-trash' ))->removeClass('btn-primary')->addClass('btn-danger')->addClass('btn-sm')->setAttribute('title', gettext('Clear rules update log')); @@ -314,6 +307,15 @@ ))->removeClass('form-control')->addClass('row-fluid col-sm-10')->setAttribute('rows', '10')->setAttribute('wrap', 'off'); $form->add($modal); +// Create a Modal Dialog for displaying a spinning icon "please wait" message while +// updating the rule sets +$modal = new Modal('Rules Update Task', 'updrulesdlg', false, 'Close'); +$modal->addInput(new Form_StaticText ( + null, + 'Checking for updated rule sets may take a while ... please wait ' . '' +)); +$form->add($modal); + $form->add($section); print($form); @@ -341,10 +343,42 @@ function getRuleUpdateLog() { }); } + function doRuleUpdates(mode) { + var ajaxRequest; + if (typeof mode == "undefined") { + var mode = "update"; + } + + // Show the "please wait" modal + $('#updrulesdlg').modal('show'); + + ajaxRequest = $.ajax({ + url: "/snort/snort_download_updates.php", + type: "post", + data: { mode: mode } + }); + + // Deal with the results of the above ajax call + ajaxRequest.done(function (response, textStatus, jqXHR) { + + // Close the "please wait" modal + $('#updrulesdlg').modal('hide'); + }); + } + $('#vwupdlog').on('shown.bs.modal', function() { getRuleUpdateLog(); }); + //-- Click handlers --------------------------------- + $('#update').click(function() { + doRuleUpdates('update'); + }); + + $('#force').click(function() { + doRuleUpdates('force'); + }); + }); //]]> 
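Review bot: `doRuleUpdates()` in the `@@ -341,10 +343,42 @@` hunk hides the "please wait" modal only in `ajaxRequest.done(...)` and never looks at `response`, so a failed or timed-out request leaves the dialog up until it is closed by hand, and a failed update looks the same as a successful one. Use `ajaxRequest.always(function() { $('#updrulesdlg').modal('hide'); });` for the cleanup and add a `.fail()` handler that tells the user the update did not run. Inside the function, `var mode = "update";` re-declares the parameter; plain `mode = "update";` is enough. The two click handlers also do not cancel the default action of the `'#'` links defined in the earlier hunk, so ending each with `return false;` would stop the page from jumping to the top.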
diff --git a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_interface_logs.php b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_interface_logs.php index dcda85477989..b56b5b2f8057 100644 --- a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_interface_logs.php +++ b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_interface_logs.php @@ -99,7 +99,7 @@ print_info_box($savemsg); function build_logfile_list() { - global $snortlogdir; + global $snortlogdir, $if_real; $list = array(); @@ -173,7 +173,6 @@ function build_logfile_list() { print($form); ?> -