X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fids.cgi;h=4d66d22d76bee20635896603b64031b50c78ef52;hb=73231650c16d34d8333518acab6a41b8701caa7d;hp=56c9c77f65d4b2f1fb0e2ec5e4b3d0e97a07d521;hpb=cd1a2927226c734d96478e12bb768256fb64a06a;p=people%2Fpmueller%2Fipfire-2.x.git diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 56c9c77f65..4d66d22d76 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1,313 +1,774 @@ -#!/usr/bin/perl -# -# SmoothWall CGIs -# -# This code is distributed under the terms of the GPL -# -# (c) The SmoothWall Team -# -# $Id: ids.cgi,v 1.8.2.18 2005/07/27 21:35:22 franck78 Exp $ -# - -use LWP::UserAgent; -use File::Copy; -use File::Temp qw/ tempfile tempdir /; -use strict; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require 'CONFIG_ROOT/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -my %snortsettings=(); -my %checked=(); -my %netsettings=(); -our $errormessage = ''; -our $md5 = '0';# not '' to avoid displaying the wrong message when INSTALLMD5 not set -our $realmd5 = ''; -our $results = ''; -our $tempdir = ''; -our $url=''; -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -&Header::showhttpheaders(); - -$snortsettings{'ENABLE_SNORT'} = 'off'; -$snortsettings{'ENABLE_SNORT_GREEN'} = 'off'; -$snortsettings{'ENABLE_SNORT_BLUE'} = 'off'; -$snortsettings{'ENABLE_SNORT_ORANGE'} = 'off'; -$snortsettings{'ACTION'} = ''; -$snortsettings{'RULESTYPE'} = ''; -$snortsettings{'OINKCODE'} = ''; -$snortsettings{'INSTALLDATE'} = ''; -$snortsettings{'INSTALLMD5'} = ''; - -&Header::getcgihash(\%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'}); - -if ($snortsettings{'RULESTYPE'} eq 'subscripted') { - $url="http://www.snort.org/pub-bin/oinkmaster.cgi/$snortsettings{'OINKCODE'}/snortrules-snapshot-2.3_s.tar.gz"; -} else { - $url="http://www.snort.org/pub-bin/oinkmaster.cgi/$snortsettings{'OINKCODE'}/snortrules-snapshot-2.3.tar.gz"; -} - -if ($snortsettings{'ACTION'} eq $Lang::tr{'save'}) -{ - $errormessage = $Lang::tr{'invalid input for oink code'} unless ( - ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/) || - ($snortsettings{'RULESTYPE'} eq 'nothing' ) ); - - &General::writehash("${General::swroot}/snort/settings", \%snortsettings); - if ($snortsettings{'ENABLE_SNORT'} eq 'on') - { - system ('/bin/touch', "${General::swroot}/snort/enable"); - } else { - unlink "${General::swroot}/snort/enable"; - } - if ($snortsettings{'ENABLE_SNORT_GREEN'} eq 'on') - { - system ('/bin/touch', "${General::swroot}/snort/enable_green"); - } else { - unlink "${General::swroot}/snort/enable_green"; - } - if ($snortsettings{'ENABLE_SNORT_BLUE'} eq 'on') - { - system ('/bin/touch', "${General::swroot}/snort/enable_blue"); - } else { - unlink "${General::swroot}/snort/enable_blue"; - } - if ($snortsettings{'ENABLE_SNORT_ORANGE'} eq 'on') - { - system ('/bin/touch', "${General::swroot}/snort/enable_orange"); - } else { - unlink "${General::swroot}/snort/enable_orange"; - } - - system('/usr/local/bin/restartsnort','red','orange','blue','green'); -} else { - # INSTALLMD5 is not in the form, so not retrieved by getcgihash - &General::readhash("${General::swroot}/snort/settings", \%snortsettings); -} - -if ($snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}) { - $md5 = &getmd5; - if (($snortsettings{'INSTALLMD5'} ne $md5) && defined $md5 ) { - chomp($md5); - my $filename = &downloadrulesfile(); - if (defined $filename) { - # Check MD5sum - $realmd5 = `/usr/bin/md5sum $filename`; - chomp ($realmd5); - $realmd5 =~ s/^(\w+)\s.*$/$1/; - if ($md5 ne $realmd5) { - $errormessage = "$Lang::tr{'invalid md5sum'}"; - } else { - $results = "$Lang::tr{'installed updates'}\n
"; - $results .=`/usr/local/bin/oinkmaster.pl -s -u file://$filename -C /var/ipcop/snort/oinkmaster.conf -o /etc/snort 2>&1`; - $results .= ""; - } - unlink ($filename); - } - } -} - -$checked{'ENABLE_SNORT'}{'off'} = ''; -$checked{'ENABLE_SNORT'}{'on'} = ''; -$checked{'ENABLE_SNORT'}{$snortsettings{'ENABLE_SNORT'}} = "checked='checked'"; -$checked{'ENABLE_SNORT_GREEN'}{'off'} = ''; -$checked{'ENABLE_SNORT_GREEN'}{'on'} = ''; -$checked{'ENABLE_SNORT_GREEN'}{$snortsettings{'ENABLE_SNORT_GREEN'}} = "checked='checked'"; -$checked{'ENABLE_SNORT_BLUE'}{'off'} = ''; -$checked{'ENABLE_SNORT_BLUE'}{'on'} = ''; -$checked{'ENABLE_SNORT_BLUE'}{$snortsettings{'ENABLE_SNORT_BLUE'}} = "checked='checked'"; -$checked{'ENABLE_SNORT_ORANGE'}{'off'} = ''; -$checked{'ENABLE_SNORT_ORANGE'}{'on'} = ''; -$checked{'ENABLE_SNORT_ORANGE'}{$snortsettings{'ENABLE_SNORT_ORANGE'}} = "checked='checked'"; -$checked{'RULESTYPE'}{'nothing'} = ''; -$checked{'RULESTYPE'}{'registered'} = ''; -$checked{'RULESTYPE'}{'subscripted'} = ''; -$checked{'RULESTYPE'}{$snortsettings{'RULESTYPE'}} = "checked='checked'"; - -&Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); - -&Header::openbigbox('100%', 'left', '', $errormessage); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "
- GREEN Snort | -- BLUE Snort | - -END -; -} -if ($netsettings{'ORANGE_DEV'} ne '') { -print <- ORANGE Snort | - -END -; -} -print <- RED Snort | - -
$Lang::tr{'ids rules update'} | -
- $Lang::tr{'no'} | -
- $Lang::tr{'registered user rules'} | -
- $Lang::tr{'subscripted user rules'} | -
- $Lang::tr{'ids rules license'} http://www.snort.org. - - $Lang::tr{'ids rules license2'} USER PREFERENCES, $Lang::tr{'ids rules license3'} - |
-
Oink Code: | -
-END -; - -if ($snortsettings{'INSTALLMD5'} eq $md5) { - print " $Lang::tr{'rules already up to date'} | "; -} else { - if ( $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} && $md5 eq $realmd5 ) { - $snortsettings{'INSTALLMD5'} = $realmd5; - $snortsettings{'INSTALLDATE'} = `/bin/date +'%Y-%m-%d'`; - &General::writehash("${General::swroot}/snort/settings", \%snortsettings); - } - print " $Lang::tr{'updates installed'}: $snortsettings{'INSTALLDATE'}"; -} -print <
- | - | - - | -
".$return.""; + } else { + system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >>/var/tmp/log 2>&1 &"); + sleep(2); + } + } + } + } +} + +$checked{'ENABLE_SNORT'}{'off'} = ''; +$checked{'ENABLE_SNORT'}{'on'} = ''; +$checked{'ENABLE_SNORT'}{$snortsettings{'ENABLE_SNORT'}} = "checked='checked'"; +$checked{'ENABLE_SNORT_GREEN'}{'off'} = ''; +$checked{'ENABLE_SNORT_GREEN'}{'on'} = ''; +$checked{'ENABLE_SNORT_GREEN'}{$snortsettings{'ENABLE_SNORT_GREEN'}} = "checked='checked'"; +$checked{'ENABLE_SNORT_BLUE'}{'off'} = ''; +$checked{'ENABLE_SNORT_BLUE'}{'on'} = ''; +$checked{'ENABLE_SNORT_BLUE'}{$snortsettings{'ENABLE_SNORT_BLUE'}} = "checked='checked'"; +$checked{'ENABLE_SNORT_ORANGE'}{'off'} = ''; +$checked{'ENABLE_SNORT_ORANGE'}{'on'} = ''; +$checked{'ENABLE_SNORT_ORANGE'}{$snortsettings{'ENABLE_SNORT_ORANGE'}} = "checked='checked'"; +$checked{'ENABLE_GUARDIAN'}{'off'} = ''; +$checked{'ENABLE_GUARDIAN'}{'on'} = ''; +$checked{'ENABLE_GUARDIAN'}{$snortsettings{'ENABLE_GUARDIAN'}} = "checked='checked'"; +$selected{'RULES'}{'nothing'} = ''; +$selected{'RULES'}{'community'} = ''; +$selected{'RULES'}{'registered'} = ''; +$selected{'RULES'}{'subscripted'} = ''; +$selected{'RULES'}{$snortsettings{'RULES'}} = "selected='selected'"; + +&Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); + +####################### Added for snort rules control ################################# +print ""; +print <
+END + my @output = `tail -20 /var/tmp/log`; + foreach (@output) { + print "$_"; + } + print <+ +END + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit; + refreshpage(); +} + +&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system2'}); +print < +
++ GREEN Snort +END +; +if ($netsettings{'BLUE_DEV'} ne '') { + print " BLUE Snort"; +} +if ($netsettings{'ORANGE_DEV'} ne '') { + print " ORANGE Snort"; +} + print " RED Snort"; +if ( -e "/var/ipfire/guardian/guardian.conf" ) { + print " Guardian"; +} + +print < + ++ + +$Lang::tr{'ids rules update'} ++ ++ ++ ++
+ $Lang::tr{'ids rules license'} www.snort.org$Lang::tr{'ids rules license1'}
+ $Lang::tr{'ids rules license2'} Get an Oinkcode, $Lang::tr{'ids rules license3'} ++ +Oinkcode: ++ +END +; + +if ( $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} ) { + $snortsettings{'INSTALLDATE'} = `/bin/date +'%Y-%m-%d'`; + &General::writehash("${General::swroot}/snort/settings", \%snortsettings); +} +print " $Lang::tr{'updates installed'}: $snortsettings{'INSTALLDATE'} "; + +print <+
++
+ +END +; + +if ($results ne '') { + print "$results"; +} + +&Header::closebox(); + +####################### Added for guardian control #################################### +if ( -e "/var/ipfire/guardian/guardian.conf" ) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'guardian configuration'}); +print <+ ++ +
+ +END +; + &Header::closebox(); +} + + + + +####################### Added for snort rules control ################################# +if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable_green" || -e "${General::swroot}/snort/enable_blue" || -e "${General::swroot}/snort/enable_orange" ) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); + # Output display table for rule files + print "+ $Lang::tr{'guardian interface'} + $Lang::tr{'guardian timelimit'} + $Lang::tr{'guardian logfile'} + $Lang::tr{'guardian alertfile'} + $Lang::tr{'guardian ignorefile'} + + +END +; + &Header::closebox(); +} + +####################### End added for snort rules control ################################# +&Header::closebigbox(); +&Header::closepage(); + +sub downloadrulesfile { + my $peer; + my $peerport; + + unlink("/var/tmp/log"); + + unless (-e "${General::swroot}/red/active") { + $errormessage = $Lang::tr{'could not download latest updates'}; + return undef; + } + + my %proxysettings=(); + &General::readhash("${General::swroot}/proxy/settings", \%proxysettings); + + if ($_=$proxysettings{'UPSTREAM_PROXY'}) { + ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/); + } + + if ($peer) { + system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -o /var/tmp/log --no-check-certificate --output-document=/var/tmp/snortrules.tar.gz $url"); + } else { + system("wget -r --no-check-certificate -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); + } +}
"; + + print "
"; + $ruledisplaycnt = 0; + } + + # Check if rule file is enabled + if ($snortrules{$rulefile}{"State"} eq 'Enabled') { + $rulechecked = 'CHECKED'; + } + + # Create rule file link, vars array, and display flag + my $rulefilelink = "?RULEFILE=$rulefile"; + my $rulefiletoclose = ''; + my @queryvars = (); + my $displayrulefilerules = 0; + + # Check for passed in query string + if ($ENV{'QUERY_STRING'}) { + # Split out vars + @queryvars = split(/\&/, $ENV{'QUERY_STRING'}); + + # Loop over values + foreach $value (@queryvars) { + # Split out var pairs + ($var, $linkedrulefile) = split(/=/, $value); + + # Check if var is 'RULEFILE' + if ($var eq 'RULEFILE') { + # Check if rulefile equals linkedrulefile + if ($rulefile eq $linkedrulefile) { + # Set display flag + $displayrulefilerules = 1; + + # Strip out rulefile from rulefilelink + $rulefilelink =~ s/RULEFILE=$linkedrulefile//g; + } else { + # Add linked rule file to rulefilelink + $rulefilelink .= "&RULEFILE=$linkedrulefile"; + } + } + } + } + + # Strip out extra & & ? from rulefilelink + $rulefilelink =~ s/^\?\&/\?/i; + + # Check for a single '?' and replace with page for proper link display + if ($rulefilelink eq '?') { + $rulefilelink = "ids.cgi"; + } + + # Output rule file name and checkbox + print "
"; + print <"; + print " $rulefile "; + + # Check for empty 'Description' + if ($snortrules{$rulefile}{'Description'} eq '') { + print "
"; + } else { + # Output rule file 'Description' + print " No description available "; + + # Increment ruledisplaycnt + $ruledisplaycnt++; + } + print "
"; + } + + # Check for display flag + if ($displayrulefilerules) { + # Rule file definition rule display + print " $snortrules{$rulefile}{'Description'} "; + } + + # Close display table + print "
"; + + # Local vars + my $ruledefdisplaycnt = 0; + my $ruledefcnt = keys %{$snortrules{$rulefile}{"Definition"}}; + $ruledefcnt++; + $ruledefcnt = $ruledefcnt / 2; + + # Loop over rule file rules + foreach my $ruledef (sort {$a <=> $b} keys(%{$snortrules{$rulefile}{"Definition"}})) { + # Local vars + my $ruledefchecked = ''; + + # If have display 2 rules, start new row + if (($ruledefdisplaycnt % 2) == 0) { + print " "; + $ruledefdisplaycnt = 0; + } + + # Check for rules state + if ($snortrules{$rulefile}{'Definition'}{$ruledef}{'State'} eq 'Enabled') { + $ruledefchecked = 'CHECKED'; + } + + # Create rule file rule's checkbox + $checkboxname = "SNORT_RULE_$rulefile"; + $checkboxname .= "_$ruledef"; + print " $snortrules{$rulefile}{'Definition'}{$ruledef}{'Description'} "; + + # Increment count + $ruledefdisplaycnt++; + } + + # If do not have second rule for row, create empty cell + if (($ruledefdisplaycnt % 2) != 0) { + print ""; + } + + # Close display table + print " + + ++ + + + +