X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fids.cgi;h=5a3f4c31433f5453fec12769dc6d159f2d84368a;hb=d50a78220d220d755d5d86fe0dcfc249f8dd2afb;hp=ff72b7894b2457754a55021124a0d78e396599b5;hpb=aa7f55b2dfab3194bbb41bfee671b122eda26da4;p=ipfire-2.x.git
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index ff72b7894b..5a3f4c3143 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2013 IPFire Team #
+# Copyright (C) 2007-2015 IPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -55,16 +55,7 @@ $snortsettings{'ENABLE_SNORT'} = 'off';
 $snortsettings{'ENABLE_SNORT_GREEN'} = 'off';
 $snortsettings{'ENABLE_SNORT_BLUE'} = 'off';
 $snortsettings{'ENABLE_SNORT_ORANGE'} = 'off';
-$snortsettings{'ENABLE_GUARDIAN'} = 'off';
-$snortsettings{'GUARDIAN_INTERFACE'} = `cat /var/ipfire/red/iface`;
-$snortsettings{'GUARDIAN_HOSTGATEWAYBYTE'} = '1';
-$snortsettings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log';
-$snortsettings{'GUARDIAN_ALERTFILE'} = '/var/log/snort/alert';
-$snortsettings{'GUARDIAN_IGNOREFILE'} = '/var/ipfire/guardian/guardian.ignore';
-$snortsettings{'GUARDIAN_TARGETFILE'} = '/var/ipfire/guardian/guardian.target';
-$snortsettings{'GUARDIAN_TIMELIMIT'} = '86400';
 $snortsettings{'ACTION'} = '';
-$snortsettings{'ACTION2'} = '';
 $snortsettings{'RULES'} = '';
 $snortsettings{'OINKCODE'} = '';
 $snortsettings{'INSTALLDATE'} = '';
@@ -262,127 +253,94 @@ if (-e "/etc/snort/snort.conf") { ####################### End added for snort rules control ################################# -if ($snortsettings{'RULES'} eq 'subscripted') { - $url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}"; -} elsif ($snortsettings{'RULES'} eq 'registered') { - $url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}"; -} elsif ($snortsettings{'RULES'} eq 'community') { - $url=" https://www.snort.org/rules/community"; -} else { - $url="http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz"; +if ($snortsettings{'OINKCODE'} ne "") { + $errormessage = $Lang::tr{'invalid input for oink code'} unless ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/); } -if ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} eq "snort" ) -{ - $errormessage = $Lang::tr{'invalid input for oink code'} unless ( - ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/) || - ($snortsettings{'RULES'} eq 'nothing' ) || - ($snortsettings{'RULES'} eq 'emerging' ) || - ($snortsettings{'RULES'} eq 'community' )); - - &General::writehash("${General::swroot}/snort/settings", \%snortsettings); - if ($snortsettings{'ENABLE_SNORT'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/snort/enable"); +if (!$errormessage) { + if ($snortsettings{'RULES'} eq 'subscripted') { + $url=" https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=$snortsettings{'OINKCODE'}"; + } elsif ($snortsettings{'RULES'} eq 'registered') { + $url=" https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=$snortsettings{'OINKCODE'}"; + } elsif ($snortsettings{'RULES'} eq 'community') { + $url=" https://www.snort.org/rules/community"; } else { - unlink "${General::swroot}/snort/enable"; + $url="https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz"; } - if ($snortsettings{'ENABLE_SNORT_GREEN'} eq 'on') - { - 
system ('/usr/bin/touch', "${General::swroot}/snort/enable_green"); - } else { - unlink "${General::swroot}/snort/enable_green"; - } - if ($snortsettings{'ENABLE_SNORT_BLUE'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_blue"); - } else { - unlink "${General::swroot}/snort/enable_blue"; - } - if ($snortsettings{'ENABLE_SNORT_ORANGE'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_orange"); - } else { - unlink "${General::swroot}/snort/enable_orange"; - } - if ($snortsettings{'ENABLE_PREPROCESSOR_HTTP_INSPECT'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_preprocessor_http_inspect"); - } else { - unlink "${General::swroot}/snort/enable_preprocessor_http_inspect"; - } - if ($snortsettings{'ENABLE_GUARDIAN'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/guardian/enable"); - } else { - unlink "${General::swroot}/guardian/enable"; - } - - system('/usr/local/bin/snortctrl restart >/dev/null'); -} elsif ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} eq "guardian" ){ - foreach my $key (keys %snortsettings){ - if ( $key !~ /^GUARDIAN/ ){ - delete $snortsettings{$key}; - } - } - &General::writehashpart("${General::swroot}/snort/settings", \%snortsettings); - open(IGNOREFILE, ">$snortsettings{'GUARDIAN_IGNOREFILE'}") or die "Unable to write guardian ignore file $snortsettings{'GUARDIAN_IGNOREFILE'}"; - print IGNOREFILE $snortsettings{'GUARDIAN_IGNOREFILE_CONTENT'}; - close(IGNOREFILE); - open(GUARDIAN, ">/var/ipfire/guardian/guardian.conf") or die "Unable to write guardian conf /var/ipfire/guardian/guardian.conf"; - print GUARDIAN </dev/null'); -} - # INSTALLMD5 is not in the form, so not retrieved by getcgihash - &General::readhash("${General::swroot}/snort/settings", \%snortsettings); - -if ($snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} || $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'}) { - - my @df = `/bin/df -B M 
/var`; - foreach my $line (@df) { - next if $line =~ m/^Filesystem/; - my $return; - - if ($line =~ m/dev/ ) { - $line =~ m/^.* (\d+)M.*$/; - my @temp = split(/ +/,$line); - if ($1<300) { - $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $1MB"; - } else { + if ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} eq "snort" ) { + &General::writehash("${General::swroot}/snort/settings", \%snortsettings); + if ($snortsettings{'ENABLE_SNORT'} eq 'on') + { + system ('/usr/bin/touch', "${General::swroot}/snort/enable"); + } else { + unlink "${General::swroot}/snort/enable"; + } + if ($snortsettings{'ENABLE_SNORT_GREEN'} eq 'on') + { + system ('/usr/bin/touch', "${General::swroot}/snort/enable_green"); + } else { + unlink "${General::swroot}/snort/enable_green"; + } + if ($snortsettings{'ENABLE_SNORT_BLUE'} eq 'on') + { + system ('/usr/bin/touch', "${General::swroot}/snort/enable_blue"); + } else { + unlink "${General::swroot}/snort/enable_blue"; + } + if ($snortsettings{'ENABLE_SNORT_ORANGE'} eq 'on') + { + system ('/usr/bin/touch', "${General::swroot}/snort/enable_orange"); + } else { + unlink "${General::swroot}/snort/enable_orange"; + } + if ($snortsettings{'ENABLE_PREPROCESSOR_HTTP_INSPECT'} eq 'on') + { + system ('/usr/bin/touch', "${General::swroot}/snort/enable_preprocessor_http_inspect"); + } else { + unlink "${General::swroot}/snort/enable_preprocessor_http_inspect"; + } - if ( $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} ){ + system('/usr/local/bin/snortctrl restart >/dev/null'); + } - &downloadrulesfile(); - sleep(3); - $return = `cat /var/tmp/log 2>/dev/null`; + # INSTALLMD5 is not in the form, so not retrieved by getcgihash + &General::readhash("${General::swroot}/snort/settings", \%snortsettings); - } elsif ( $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'} ) { - my $upload = $a->param("UPLOAD"); - open UPLOADFILE, ">/var/tmp/snortrules.tar.gz"; - binmode $upload; - while ( <$upload> ) { - 
print UPLOADFILE; + if ($snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} || $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'}) { + my @df = `/bin/df -B M /var`; + foreach my $line (@df) { + next if $line =~ m/^Filesystem/; + my $return; + + if ($line =~ m/dev/ ) { + $line =~ m/^.* (\d+)M.*$/; + my @temp = split(/ +/,$line); + if ($1<300) { + $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $1MB"; + } else { + if ( $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}) { + &downloadrulesfile(); + sleep(3); + $return = `cat /var/tmp/log 2>/dev/null`; + + } elsif ( $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'}) { + my $upload = $a->param("UPLOAD"); + open UPLOADFILE, ">/var/tmp/snortrules.tar.gz"; + binmode $upload; + while ( <$upload> ) { + print UPLOADFILE; + } + close UPLOADFILE; } - close UPLOADFILE; - } - if ($return =~ "ERROR"){ + if ($return =~ "ERROR") { $errormessage = "
".$return."
"; } else { system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >>/var/tmp/log 2>&1 &"); sleep(2); } + } } } } @@ -400,9 +358,6 @@ $checked{'ENABLE_SNORT_BLUE'}{$snortsettings{'ENABLE_SNORT_BLUE'}} = "checked='c $checked{'ENABLE_SNORT_ORANGE'}{'off'} = ''; $checked{'ENABLE_SNORT_ORANGE'}{'on'} = ''; $checked{'ENABLE_SNORT_ORANGE'}{$snortsettings{'ENABLE_SNORT_ORANGE'}} = "checked='checked'"; -$checked{'ENABLE_GUARDIAN'}{'off'} = ''; -$checked{'ENABLE_GUARDIAN'}{'on'} = ''; -$checked{'ENABLE_GUARDIAN'}{$snortsettings{'ENABLE_GUARDIAN'}} = "checked='checked'"; $selected{'RULES'}{'nothing'} = ''; $selected{'RULES'}{'community'} = ''; $selected{'RULES'}{'emerging'} = ''; @@ -504,9 +459,6 @@ if ($netsettings{'ORANGE_DEV'} ne '') { print "       ORANGE Snort"; } print "       RED Snort"; -if ( -e "/var/ipfire/guardian/guardian.conf" ) { - print "       Guardian"; -} print < @@ -528,7 +480,7 @@ print <
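Review bot: The new OINKCODE check at the top of the hunk at -262 uses `/^[a-z0-9]+$/`, and `$` also matches before a final newline, so a value ending in `\n` passes and is then interpolated into `$url`, which (per the hunk at -766) appears to end up inside a shell command string. Anchor the pattern on the whole string instead: `unless ($snortsettings{'OINKCODE'} =~ /\A[a-z0-9]+\z/);`. The check is also skipped whenever OINKCODE is empty, so `RULES` set to `registered` or `subscripted` with no code now passes validation and builds a URL with an empty `oinkcode=` parameter, where the old condition reported 'invalid input for oink code'. An explicit rejection of an empty code for those two rulesets, placed next to the existing check, would restore that behaviour.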
- $Lang::tr{'ids rules license'} www.snort.org$Lang::tr{'ids rules license1'}

+ $Lang::tr{'ids rules license'} www.snort.org$Lang::tr{'ids rules license1'}

$Lang::tr{'ids rules license2'} Get an Oinkcode, $Lang::tr{'ids rules license3'} @@ -564,32 +516,6 @@ if ($results ne '') { &Header::closebox(); -####################### Added for guardian control #################################### -if ( -e "/var/ipfire/guardian/guardian.conf" ) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'guardian configuration'}); -print < - - - - - - -
$Lang::tr{'guardian interface'}
$Lang::tr{'guardian timelimit'}
$Lang::tr{'guardian logfile'}
$Lang::tr{'guardian alertfile'}
$Lang::tr{'guardian ignorefile'}
- -END -; - &Header::closebox(); -} - - - - ####################### Added for snort rules control ################################# if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable_green" || -e "${General::swroot}/snort/enable_blue" || -e "${General::swroot}/snort/enable_orange" ) { &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); @@ -766,8 +692,8 @@ sub downloadrulesfile { } if ($peer) { - system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -o /var/tmp/log --no-check-certificate --output-document=/var/tmp/snortrules.tar.gz $url"); + system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -e https_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); } else { - system("wget -r --no-check-certificate -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); + system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); } }
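Review bot: Both `system("wget …")` calls in downloadrulesfile still hand one interpolated string to the shell, so `UPSTREAM_USER`, `UPSTREAM_PASSWORD`, `$peer`, `$peerport` and `$url` are all parsed for shell metacharacters; dropping `--no-check-certificate` fixes certificate validation but not this. Building the argument list once and calling `system` in list form avoids the shell entirely; several branches of the hunk at -262 build `$url` with a leading space, which has to be trimmed once no shell is splitting words. The proxy password would still be visible in the process list as a wget argument, so moving it out of argv is worth a follow-up. The sub starts above this hunk, so the proxy-settings lookup that fills `$peer` and `$peerport` is not shown here.

```perl
# … unchanged: proxy settings lookup and $peer/$peerport parsing …
my @wget = ('wget', '-r', '-o', '/var/tmp/log',
    '--output-document=/var/tmp/snortrules.tar.gz');
if ($peer) {
    push @wget, '--proxy=on',
        "--proxy-user=$proxysettings{'UPSTREAM_USER'}",
        "--proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'}",
        '-e', "http_proxy=http://$peer:$peerport/",
        '-e', "https_proxy=http://$peer:$peerport/";
}
# Some branches build $url with a leading space; strip it for list form.
(my $target = $url) =~ s/^\s+//;
system(@wget, $target);
```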