git-svn-id: http://svn.ipfire.org/svn/ipfire/IPFire/source@16 ea5c0bd1-69bd-2848...
1#!/usr/bin/perl\r
2#\r
3# SmoothWall CGIs\r
4#\r
5# This code is distributed under the terms of the GPL\r
6#\r
7# (c) The SmoothWall Team\r
8#\r
9# $Id: ids.cgi,v 1.8.2.18 2005/07/27 21:35:22 franck78 Exp $\r
10#\r
11\r
12use LWP::UserAgent;\r
13use File::Copy;\r
14use File::Temp qw/ tempfile tempdir /;\r
15use strict;\r
16\r
17# enable only the following on debugging purpose\r
18#use warnings;\r
19#use CGI::Carp 'fatalsToBrowser';\r
20\r
21require 'CONFIG_ROOT/general-functions.pl';\r
22require "${General::swroot}/lang.pl";\r
23require "${General::swroot}/header.pl";\r
24\r
# Per-request state. %snortsettings holds the IDS form fields, %checked the
# HTML "checked" attributes derived from them, %netsettings the ethernet
# configuration read from disk.
my %snortsettings = ();
my %checked       = ();
my %netsettings   = ();

# Package globals shared with the subs at the end of the file
# (geturl/downloadrulesfile set $errormessage, getmd5/downloadrulesfile read $url).
our $errormessage = '';
our $md5          = '0';    # not '' to avoid displaying the wrong message when INSTALLMD5 not set
our $realmd5      = '';
our $results      = '';
our $tempdir      = '';     # not referenced again in the visible part of this file
our $url          = '';

General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

Header::showhttpheaders();

# Defaults for every field the script reads, so that a request which omits a
# field still leaves a defined value behind.
$snortsettings{$_} = 'off'
    for qw(ENABLE_SNORT ENABLE_SNORT_GREEN ENABLE_SNORT_BLUE ENABLE_SNORT_ORANGE);
$snortsettings{$_} = ''
    for qw(ACTION RULESTYPE OINKCODE INSTALLDATE INSTALLMD5);

# From here on %snortsettings carries request data (presumably every submitted
# field, not only the ones in the form below -- confirm in header.pl). Treat
# each value as untrusted until it has been validated or escaped.
Header::getcgihash(\%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'});
49\r
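# Build the ruleset download URL for the selected rules type.
#
# OINKCODE is request data at this point (the save handler validates it only
# later, and the download handler never does), so it is checked here before it
# is placed in the URL path. Anything outside [a-z0-9] is replaced by an empty
# code, which the server is expected to refuse. \A...\z is used because
# ^...$ would also accept a trailing newline.
#
# NOTE(review): the URL is plain http://, so the oink code travels in clear
# text and the downloaded ruleset is not authenticated by the transport.
{
    my $oinkcode_for_url = $snortsettings{'OINKCODE'};
    $oinkcode_for_url = ''
        unless defined $oinkcode_for_url && $oinkcode_for_url =~ /\A[a-z0-9]+\z/;

    my $snapshot = $snortsettings{'RULESTYPE'} eq 'subscripted'
        ? 'snortrules-snapshot-2.3_s.tar.gz'
        : 'snortrules-snapshot-2.3.tar.gz';

    $url = "http://www.snort.org/pub-bin/oinkmaster.cgi/$oinkcode_for_url/$snapshot";
}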
55\r
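# "Save" action: validate the oink code, persist the settings, update the
# per-zone enable flag files and restart snort. Any other action reloads the
# stored settings instead.
#
# NOTE(review): this state-changing branch is selected purely by the ACTION
# field; no request-origin or token check is visible in this file -- confirm
# whether header.pl provides one.
if ($snortsettings{'ACTION'} eq $Lang::tr{'save'}) {
    # The oink code must be lowercase alphanumeric unless rule updates are
    # disabled. \A...\z rejects a trailing newline that ^...$ would accept.
    # NOTE(review): with RULESTYPE 'nothing' the code is stored unvalidated;
    # every consumer of the stored value has to treat it as untrusted.
    unless ($snortsettings{'OINKCODE'} =~ /\A[a-z0-9]+\z/
        || $snortsettings{'RULESTYPE'} eq 'nothing')
    {
        $errormessage = $Lang::tr{'invalid input for oink code'};
    }

    # Only touch the configuration when validation passed. Previously the
    # rejected input was still written to the settings file and snort was
    # restarted even though an error was reported.
    if ($errormessage eq '') {
        General::writehash("${General::swroot}/snort/settings", \%snortsettings);

        # One flag file per zone: present when the zone's checkbox is 'on',
        # removed otherwise. Order matches the original statement order.
        my @flag_files = (
            [ 'ENABLE_SNORT',        'enable' ],
            [ 'ENABLE_SNORT_GREEN',  'enable_green' ],
            [ 'ENABLE_SNORT_BLUE',   'enable_blue' ],
            [ 'ENABLE_SNORT_ORANGE', 'enable_orange' ],
        );
        for my $pair (@flag_files) {
            my ($setting, $basename) = @{$pair};
            my $flag_path = "${General::swroot}/snort/$basename";
            if ($snortsettings{$setting} eq 'on') {
                # List form: no shell is involved.
                system('/bin/touch', $flag_path);
            }
            else {
                unlink $flag_path;
            }
        }

        system('/usr/local/bin/restartsnort', 'red', 'orange', 'blue', 'green');
    }
}
else {
    # INSTALLMD5 is not in the form, so not retrieved by getcgihash
    General::readhash("${General::swroot}/snort/settings", \%snortsettings);
}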
93\r
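# "Download new ruleset" action: fetch the published MD5, and if it differs
# from the installed one, download the archive, verify it and run oinkmaster.
#
# NOTE(review): getmd5() and downloadrulesfile() both fetch from the same
# http:// base URL, so the MD5 comparison below detects a corrupted transfer
# but cannot detect a ruleset that was modified in transit together with its
# .md5 file. An authenticated channel or a signature would be needed for that.
if ($snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}) {
    $md5 = getmd5();

    # Test definedness first and strip the line ending before comparing;
    # the stored INSTALLMD5 never carries a trailing newline, so comparing the
    # raw body could report "changed" on every request.
    if (defined $md5) {
        chomp($md5);

        if ($snortsettings{'INSTALLMD5'} ne $md5) {
            my $filename = downloadrulesfile();
            if (defined $filename) {
                # Check MD5sum.
                # $filename is created locally by downloadrulesfile() through
                # tempfile('/tmp/XXXXXXXX', SUFFIX => '.tar.gz'); it contains no
                # request data, which is the only reason interpolating it into
                # a shell command line is acceptable here and below.
                $realmd5 = `/usr/bin/md5sum $filename`;
                chomp($realmd5);
                $realmd5 =~ s/^(\w+)\s.*$/$1/;

                if ($md5 ne $realmd5) {
                    $errormessage = "$Lang::tr{'invalid md5sum'}";
                }
                else {
                    my $oinkmaster_output =
                        `/usr/local/bin/oinkmaster.pl -s -u file://$filename -C /var/ipcop/snort/oinkmaster.conf -o /etc/snort 2>&1`;
                    $oinkmaster_output = '' unless defined $oinkmaster_output;

                    # The tool output is derived from the downloaded archive,
                    # so escape it before it is embedded in the page.
                    for ($oinkmaster_output) {
                        s/&/&amp;/g;
                        s/</&lt;/g;
                        s/>/&gt;/g;
                    }

                    $results = "<b>$Lang::tr{'installed updates'}</b>\n<pre>";
                    $results .= $oinkmaster_output;
                    $results .= "</pre>";
                }
                unlink($filename);
            }
        }
    }
}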
115\r
# Derive the HTML "checked" attribute for every checkbox and radio button.
# Each known value starts out empty; the entry keyed by the current setting is
# then marked. A setting with an unexpected value only creates an extra key
# that the form below never prints.
for my $zone_key (qw(ENABLE_SNORT ENABLE_SNORT_GREEN ENABLE_SNORT_BLUE ENABLE_SNORT_ORANGE)) {
    $checked{$zone_key} = { 'off' => '', 'on' => '' };
    $checked{$zone_key}{ $snortsettings{$zone_key} } = "checked='checked'";
}

$checked{'RULESTYPE'} = { 'nothing' => '', 'registered' => '', 'subscripted' => '' };
$checked{'RULESTYPE'}{ $snortsettings{'RULESTYPE'} } = "checked='checked'";
132\r
# Start the page and, when an earlier step reported a problem, show it in its
# own box. Every value assigned to $errormessage in this file is a %Lang::tr
# entry, so the text printed here does not contain request data.
Header::openpage($Lang::tr{'intrusion detection system'}, 1, '');
Header::openbigbox('100%', 'left', '', $errormessage);

if ($errormessage) {
    Header::openbox('100%', 'left', $Lang::tr{'error messages'});
    print "<class name='base'>$errormessage\n", "&nbsp;</class>\n";
    Header::closebox();
}
143\r
# Settings box: open the form and print one "enable snort" checkbox per zone.
# GREEN is always shown; BLUE and ORANGE only when the corresponding device is
# configured in the ethernet settings.
Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system2'});

# NOTE(review): SCRIPT_NAME is written into the action attribute unescaped;
# it is normally set by the web server, not by the request body.
print <<"END_FORM_HEAD";
<form method='post' action='$ENV{'SCRIPT_NAME'}'><table width='100%'>
<tr>
 <td class='base'><input type='checkbox' name='ENABLE_SNORT_GREEN' $checked{'ENABLE_SNORT_GREEN'}{'on'} />
 GREEN Snort</td>
</tr>
END_FORM_HEAD

for my $zone (qw(BLUE ORANGE)) {
    next if $netsettings{"${zone}_DEV"} eq '';

    my $zone_checked = $checked{"ENABLE_SNORT_$zone"}{'on'};
    print <<"END_ZONE_ROW";
<tr>
 <td class='base'><input type='checkbox' name='ENABLE_SNORT_${zone}' $zone_checked />
 $zone Snort</td>
</tr>
END_ZONE_ROW
}
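# Remainder of the settings form: RED checkbox, rules-type radio buttons,
# licence text, the oink code field and the "download new ruleset" button.
# The table cell opened on the last line is closed by the status code that
# follows this block.
#
# OINKCODE is either request data or a value read back from the settings file
# (which the save action writes from request data), so it is HTML-escaped
# before being placed inside the single-quoted value attribute. Previously it
# was interpolated as-is.
my $oinkcode_html = defined $snortsettings{'OINKCODE'} ? $snortsettings{'OINKCODE'} : '';
for ($oinkcode_html) {
    s/&/&amp;/g;
    s/</&lt;/g;
    s/>/&gt;/g;
    s/"/&quot;/g;
    s/'/&#39;/g;
}

print <<"END_FORM_BODY";
<tr>
 <td class='base'><input type='checkbox' name='ENABLE_SNORT' $checked{'ENABLE_SNORT'}{'on'} />
 RED Snort</td>
</tr>
<tr>
 <td><hr /></td>
</tr>
<tr>
 <td><b>$Lang::tr{'ids rules update'}</b></td>
</tr>
<tr>
 <td><input type='radio' name='RULESTYPE' value='nothing' $checked{'RULESTYPE'}{'nothing'} />
 $Lang::tr{'no'}</td>
</tr>
<tr>
 <td><input type='radio' name='RULESTYPE' value='registered' $checked{'RULESTYPE'}{'registered'} />
 $Lang::tr{'registered user rules'}</td>
</tr>
<tr>
 <td><input type='radio' name='RULESTYPE' value='subscripted' $checked{'RULESTYPE'}{'subscripted'} />
 $Lang::tr{'subscripted user rules'}</td>
</tr>
<tr>
 <td><br />
 $Lang::tr{'ids rules license'} <a href='http://www.snort.org/' target='_blank'>http://www.snort.org</a>.<br />
 <br />
 $Lang::tr{'ids rules license2'} <a href='http://www.snort.org/reg-bin/userprefs.cgi' target='_blank'>USER PREFERENCES</a>, $Lang::tr{'ids rules license3'}<br />
 </td>
</tr>
<tr>
 <td nowrap='nowrap'>Oink Code:&nbsp;<input type='text' size='40' name='OINKCODE' value='${oinkcode_html}' /></td>
</tr>
<tr>
 <td width='30%' align='center'><input type='submit' name='ACTION' value='$Lang::tr{'download new ruleset'}' />
END_FORM_BODY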
208\r
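# Status text next to the download button, and bookkeeping after a successful
# ruleset installation.
#
# $md5 is undef when the MD5 fetch failed and $realmd5 stays '' when no
# archive was hashed. String comparison treats undef as '', so without the
# explicit checks below a failed download compared equal and was recorded as
# a fresh installation (INSTALLMD5 blanked, INSTALLDATE set to today), or was
# reported as "already up to date" when nothing had been installed yet.
if (defined $md5 && $snortsettings{'INSTALLMD5'} eq $md5) {
    print "&nbsp;$Lang::tr{'rules already up to date'}</td>";
}
else {
    if (   $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}
        && defined $md5
        && $realmd5 ne ''
        && $md5 eq $realmd5)
    {
        $snortsettings{'INSTALLMD5'} = $realmd5;

        # Fixed command string, nothing interpolated. Strip the newline so it
        # does not end up inside the stored value.
        my $today = `/bin/date +'%Y-%m-%d'`;
        chomp($today);
        $snortsettings{'INSTALLDATE'} = $today;

        General::writehash("${General::swroot}/snort/settings", \%snortsettings);
    }

    # INSTALLDATE may come from the settings file, which the save action
    # writes from request data (presumably including fields not shown in the
    # form -- confirm in header.pl), so escape it before printing.
    my $installdate_html =
        defined $snortsettings{'INSTALLDATE'} ? $snortsettings{'INSTALLDATE'} : '';
    for ($installdate_html) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
    }
    print "&nbsp;$Lang::tr{'updates installed'}: $installdate_html</td>";
}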
# Close the settings table, print the "save" button and end the form.
print <<"END_FORM_TAIL";
</tr>
</table>
<hr />
<table width='100%'>
<tr>
 <td width='55%'>&nbsp;</td>
 <td width='40%' align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
 <td width='5%'>
 &nbsp; <!-- space for future online help link -->
 </td>
</tr>
</table>
</form>
END_FORM_TAIL

# $results is only non-empty after a ruleset installation; it is printed as
# HTML exactly as it was assembled by the download handler.
print "$results" if $results ne '';

Header::closebox();
Header::closebigbox();
Header::closepage();
243\r
sub getmd5 {
    # Fetch "$url.md5" through geturl() and return the response body.
    # Returns undef when geturl() returned nothing; geturl() has then already
    # set $errormessage.
    #
    # The body is returned unmodified (no chomp, no format check); the caller
    # is responsible for normalising it before comparing.
    my $response = geturl("$url.md5");
    return undef unless $response;

    my $keep_debug_copy = 0;    # 1 to debug: keeps a copy of the body in /tmp
    if ($keep_debug_copy) {
        my ($dump_fh, $dump_name) = tempfile('/tmp/XXXXXXXX', SUFFIX => '.md5');
        binmode($dump_fh);
        syswrite($dump_fh, $response->content);
        close($dump_fh);
    }

    return $response->content;
}
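sub downloadrulesfile {
    # Download the ruleset archive from $url into a fresh temporary file.
    #
    # Returns the temporary file name on success. Returns undef on failure,
    # with $errormessage set either here or by geturl(). The caller owns the
    # returned file and is expected to unlink it.
    my $response = geturl($url);
    return undef unless $response;

    # A gzip stream starts with the two bytes \037\213. Require them at
    # offset 0: the previous index() test accepted any body that merely
    # contained the two bytes somewhere, e.g. an error page.
    my $archive = $response->content;
    if (!defined $archive || substr($archive, 0, 2) ne "\037\213") {
        $errormessage = $Lang::tr{'invalid loaded file'};
        return undef;
    }

    # tempfile() creates and opens the file itself, so there is no window
    # between choosing the name and creating the file.
    # oinkmaster works only with the .tar.gz extension.
    my ($fh, $filename) = tempfile('/tmp/XXXXXXXX', SUFFIX => '.tar.gz');
    binmode($fh);

    # Treat a short or failed write as a failed download and do not leave a
    # truncated archive behind.
    my $written = syswrite($fh, $archive);
    my $closed  = close($fh);
    unless (defined $written && $written == length($archive) && $closed) {
        unlink($filename);
        $errormessage = $Lang::tr{'could not download latest updates'};
        return undef;
    }

    return $filename;
}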
277\r
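sub geturl ($) {
    # Fetch the given URL with LWP::UserAgent, through the configured upstream
    # proxy when one is set.
    #
    # Returns the response object on success. Returns undef and sets
    # $errormessage when the red interface is not active, the proxy setting
    # cannot be parsed, the server answers 403, or the request otherwise fails.
    my $url = $_[0];

    unless (-e "${General::swroot}/red/active") {
        $errormessage = $Lang::tr{'could not download latest updates'};
        return undef;
    }

    my $downloader = LWP::UserAgent->new;
    $downloader->timeout(5);

    my %proxysettings = ();
    General::readhash("${General::swroot}/proxy/settings", \%proxysettings);

    # Match against a lexical instead of assigning to the global $_.
    my $upstream = $proxysettings{'UPSTREAM_PROXY'};
    if ($upstream) {
        my ($peer, $peerport) = $upstream
            =~ /^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/;

        # Fail closed when no proxy host can be extracted, rather than handing
        # LWP a proxy URL with an empty host.
        unless (defined $peer && $peer ne '') {
            $errormessage = $Lang::tr{'could not download latest updates'};
            return undef;
        }

        # The port is optional in the setting; leave it out of the proxy URL
        # when absent instead of interpolating an undefined value.
        my $hostport = defined $peerport ? "$peer:$peerport" : $peer;

        if ($proxysettings{'UPSTREAM_USER'}) {
            # NOTE(review): user and password are placed in the URL unencoded;
            # a ':', '@' or '/' in either would change how it parses -- confirm
            # what the proxy settings page allows.
            $downloader->proxy("http",
                "http://$proxysettings{'UPSTREAM_USER'}:$proxysettings{'UPSTREAM_PASSWORD'}\@$hostport/");
        }
        else {
            $downloader->proxy("http", "http://$hostport/");
        }
    }

    my $response = $downloader->get($url, 'Cache-Control', 'no-cache');

    if ($response->code == 403) {
        $errormessage = $Lang::tr{'access refused with this oinkcode'};
        return undef;
    }
    elsif (!$response->is_success()) {
        $errormessage = $Lang::tr{'could not download latest updates'};
        return undef;
    }

    return $response;
}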