X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fids.cgi;h=984e795e72bf002446ee150166a174ef56c114e5;hp=011878381bcbfe611eb9e59a5dd6ae1adafb6da9;hb=e6d8a42109651b5054eec7a9b613f732bf8d323f;hpb=4f5519009dc9d58576e3e888d926babff600b066 diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 011878381..984e795e7 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2013 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -19,20 +19,21 @@ # # ############################################################################### - -use LWP::UserAgent; -use File::Copy; -use File::Temp qw/ tempfile tempdir /; use strict; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; +use File::Copy; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; +sub refreshpage{&Header::openbox( 'Waiting', 1, "" );print "

$Lang::tr{'pagerefresh'}
";&Header::closebox();} + +$a = new CGI; + my %color = (); my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); @@ -43,8 +44,6 @@ my %checked=(); my %selected=(); my %netsettings=(); our $errormessage = ''; -our $md5 = '0';# not '' to avoid displaying the wrong message when INSTALLMD5 not set -our $realmd5 = ''; our $results = ''; our $tempdir = ''; our $url=''; @@ -69,7 +68,8 @@ $snortsettings{'ACTION2'} = ''; $snortsettings{'RULES'} = ''; $snortsettings{'OINKCODE'} = ''; $snortsettings{'INSTALLDATE'} = ''; -$snortsettings{'INSTALLMD5'} = ''; +$snortsettings{'FILE'} = ''; +$snortsettings{'UPLOAD'} = ''; &Header::getcgihash(\%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'}); @@ -97,7 +97,7 @@ if (-e "/etc/snort/snort.conf") { close(FILE); open(FILE, ">/etc/snort/snort.conf") or die 'Unable to write snort config file.'; - my @rules = `cd /etc/snort/rules/ && ls *.rules`; # With this loop the rule might be display with correct rulepath set + my @rules = `cd /etc/snort/rules/ && ls *.rules 2>/dev/null`; # With this loop the rule might be display with correct rulepath set foreach (@rules) { chomp $_; my $temp = join(";",@snortconfig); @@ -146,7 +146,7 @@ if (-e "/etc/snort/snort.conf") { # If see more than one dashed line, (start to) create rule file description if ($dashlinecnt > 1) { # Check for a line starting with a # - if ($ruleline =~ /^\#/) { + if ($ruleline =~ /^\#/ and $ruleline !~ /^\#alert/) { # Create tempruleline my $tempruleline = $ruleline; @@ -263,20 +263,22 @@ if (-e "/etc/snort/snort.conf") { ####################### End added for snort rules control ################################# if ($snortsettings{'RULES'} eq 'subscripted') { - $url="http://dl.snort.org/sub-rules/snortrules-snapshot-2.8_s.tar.gz?oink_code=$snortsettings{'OINKCODE'}"; - #$url="http://www.snort.org/pub-bin/oinkmaster.cgi/$snortsettings{'OINKCODE'}/snortrules-snapshot-2.8_s.tar.gz"; + $url=" http://www.snort.org/sub-rules/snortrules-snapshot-2953.tar.gz/$snortsettings{'OINKCODE'}"; } elsif ($snortsettings{'RULES'} eq 'registered') { - $url="http://dl.snort.org/reg-rules/snortrules-snapshot-2.8.tar.gz?oink_code=$snortsettings{'OINKCODE'}"; - #$url="http://www.snort.org/pub-bin/oinkmaster.cgi/$snortsettings{'OINKCODE'}/snortrules-snapshot-2.8.tar.gz"; + $url=" http://www.snort.org/reg-rules/snortrules-snapshot-2950.tar.gz/$snortsettings{'OINKCODE'}"; +} elsif ($snortsettings{'RULES'} eq 'community') { + $url=" http://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz"; } else { - $url="http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz"; + $url="http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz"; } if ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} eq "snort" ) { $errormessage = $Lang::tr{'invalid input for oink code'} unless ( ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/) || - ($snortsettings{'RULESTYPE'} eq 'nothing' ) ); + ($snortsettings{'RULES'} eq 'nothing' ) || + ($snortsettings{'RULES'} eq 'emerging' ) || + ($snortsettings{'RULES'} eq 'community' )); &General::writehash("${General::swroot}/snort/settings", \%snortsettings); if ($snortsettings{'ENABLE_SNORT'} eq 'on') @@ -319,8 +321,14 @@ if ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} e system('/usr/local/bin/snortctrl restart >/dev/null'); } elsif ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} eq "guardian" ){ + foreach my $key (keys %snortsettings){ + if ( $key !~ /^GUARDIAN/ ){ + delete $snortsettings{$key}; + } + } + &General::writehashpart("${General::swroot}/snort/settings", \%snortsettings); open(IGNOREFILE, ">$snortsettings{'GUARDIAN_IGNOREFILE'}") or die "Unable to write guardian ignore file $snortsettings{'GUARDIAN_IGNOREFILE'}"; - print IGNOREFILE $snortsettings{'IGNOREFILE_CONTENT'}; + print IGNOREFILE $snortsettings{'GUARDIAN_IGNOREFILE_CONTENT'}; close(IGNOREFILE); open(GUARDIAN, ">/var/ipfire/guardian/guardian.conf") or die "Unable to write guardian conf /var/ipfire/guardian/guardian.conf"; print GUARDIAN <&1`; - $results .= ""; + + if ( $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} ){ + + &downloadrulesfile(); + sleep(3); + $return = `cat /var/tmp/log 2>/dev/null`; + + } elsif ( $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'} ) { + my $upload = $a->param("UPLOAD"); + open UPLOADFILE, ">/var/tmp/snortrules.tar.gz"; + binmode $upload; + while ( <$upload> ) { + print UPLOADFILE; + } + close UPLOADFILE; + } + + if ($return =~ "ERROR"){ + $errormessage = "
".$return."
"; + } else { + system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >>/var/tmp/log 2>&1 &"); + sleep(2); + } } - unlink ($filename); } } } @@ -378,6 +405,7 @@ $checked{'ENABLE_GUARDIAN'}{'on'} = ''; $checked{'ENABLE_GUARDIAN'}{$snortsettings{'ENABLE_GUARDIAN'}} = "checked='checked'"; $selected{'RULES'}{'nothing'} = ''; $selected{'RULES'}{'community'} = ''; +$selected{'RULES'}{'emerging'} = ''; $selected{'RULES'}{'registered'} = ''; $selected{'RULES'}{'subscripted'} = ''; $selected{'RULES'}{$snortsettings{'RULES'}} = "selected='selected'"; @@ -385,9 +413,9 @@ $selected{'RULES'}{$snortsettings{'RULES'}} = "selected='selected'"; &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); ####################### Added for snort rules control ################################# -print ""; +print ""; print < + + END ; ####################### End added for snort rules control ################################# &Header::openbigbox('100%', 'left', '', $errormessage); +############### +# DEBUG DEBUG +# &Header::openbox('100%', 'left', 'DEBUG'); +# my $debugCount = 0; +# foreach my $line (sort keys %snortsettings) { +# print "$line = $snortsettings{$line}
\n"; +# $debugCount++; +# } +# print " Count: $debugCount\n"; +# &Header::closebox(); +# DEBUG DEBUG +############### + if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); print "$errormessage\n"; @@ -419,7 +460,38 @@ if ($errormessage) { &Header::closebox(); } -&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system2'}); +my $return = `pidof oinkmaster.pl -x`; +chomp($return); +if ($return) { + &Header::openbox( 'Waiting', 1, "" ); + print < + + $Lang::tr{  + + $Lang::tr{'snort working'} + +
+ +
+ 
+END
+	my @output = `tail -20 /var/tmp/log`;
+	foreach (@output) {
+		print "$_";
+	}
+	print <
+		
+END
+	&Header::closebox();
+	&Header::closebigbox();
+	&Header::closepage();
+	exit;
+	refreshpage();
+}
+
+&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'});
 print <
-	
+	
@@ -447,6 +519,7 @@ print <
 	
-	";
-} else {
-	if ( $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} && $md5 eq $realmd5 ) {
-		$snortsettings{'INSTALLMD5'} = $realmd5;
-		$snortsettings{'INSTALLDATE'} = `/bin/date +'%Y-%m-%d'`;
-		&General::writehash("${General::swroot}/snort/settings", \%snortsettings);
-	}
-	print " $Lang::tr{'updates installed'}: $snortsettings{'INSTALLDATE'}";
+if ( -e "/var/tmp/snortrules.tar.gz"){
+	my @Info = stat("/var/tmp/snortrules.tar.gz");
+	$snortsettings{'INSTALLDATE'} = localtime($Info[9]);
 }
+print " $Lang::tr{'updates installed'}: $snortsettings{'INSTALLDATE'}";
+
 print <
 

 
GREEN Snort
@@ -439,7 +511,7 @@ if ( -e "/var/ipfire/guardian/guardian.conf" ) {
 print <

 



 

 

 	$Lang::tr{'ids rules update'}
 

 

+	

 END
 ;
-
-if ($snortsettings{'INSTALLMD5'} eq $md5) {
-	print " $Lang::tr{'rules already up to date'}

-

+


 
-	
+	

 

 

 

 
@@ -501,17 +569,17 @@ if ( -e "/var/ipfire/guardian/guardian.conf" ) {
 	&Header::openbox('100%', 'LEFT', $Lang::tr{'guardian configuration'});
 print <
-
-
-
-
-
-
+
$Lang::tr{'guardian interface'}
$Lang::tr{'guardian timelimit'}
$Lang::tr{'guardian logfile'}
$Lang::tr{'guardian alertfile'}
$Lang::tr{'guardian ignorefile'}

 

 
 END
@@ -526,7 +594,7 @@ END
 if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable_green" || -e "${General::swroot}/snort/enable_blue" || -e "${General::swroot}/snort/enable_orange" ) {
 	&Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'});
 		# Output display table for rule files
-		print "
";
+		print "
";
 
 		print "";
 
@@ -540,9 +608,14 @@ if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable
 		foreach my $rulefile (sort keys(%snortrules)) {
 			my $rulechecked = '';
 
+			# Hide inkompatible Block rules
+			if ($rulefile =~'-BLOCK.rules') {
+				next;
+			}
+
 			# Check if reached half-way through rule file rules to start new column
  		if ($ruledisplaycnt > $rulecnt) {
-				print "
";
+				print "
";
 				$ruledisplaycnt = 0;
 			}
 
@@ -593,21 +666,21 @@ if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable
 			}
 
 			# Output rule file name and checkbox
-			print "";
-			print "";
+			print "
 $rulefile
";
+			print "
 $rulefile
";
 
 			# Check for empty 'Description'
 			if ($snortrules{$rulefile}{'Description'} eq '') {
-				print "";
+				print "
No description available
";
 			} else {
 				# Output rule file 'Description'
-				print "
No description available
";
+				print "
$snortrules{$rulefile}{'Description'}
";
 			}
 
 			# Check for display flag
 			if ($displayrulefilerules) {
 				# Rule file definition rule display
-				print "";
 		}
 
 			# Close display table
-			print "
$snortrules{$rulefile}{'Description'}
";
+				print "";
+				print "
";
 
 				# Local vars
 			 	my $ruledefdisplaycnt = 0;
@@ -622,7 +695,7 @@ if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable
 
 					# If have display 2 rules, start new row
 					if (($ruledefdisplaycnt % 2) == 0) {
-						print "";
+						print "";
 						$ruledefdisplaycnt = 0;
 					}
 
@@ -634,7 +707,7 @@ if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable
 					# Create rule file rule's checkbox
 					$checkboxname = "SNORT_RULE_$rulefile";
 					$checkboxname .= "_$ruledef";
-					print "";
+					print "";
 
 					# Increment count
 					$ruledefdisplaycnt++;
@@ -642,26 +715,24 @@ if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable
 
 				# If do not have second rule for row, create empty cell
 				if (($ruledefdisplaycnt % 2) != 0) {
-					print "";
+					print "";
 				}
 
 				# Close display table
-				print "
 $snortrules{$rulefile}{'Definition'}{$ruledef}{'Description'} $snortrules{$rulefile}{'Definition'}{$ruledef}{'Description'}
";
+			print "
";
 
 			# Increment ruledisplaycnt
 		$ruledisplaycnt++;
 		}
-	print "
";
+	print "";
 	print <
 
-	 
-	
-	
+	
 		  
 	
 
@@ -676,82 +747,27 @@ END
 &Header::closebigbox();
 &Header::closepage();
 
-sub getmd5 {
-	# Retrieve MD5 sum from $url.md5 file
-
-	my $md5buf;
-	if ($snortsettings{'RULES'} eq 'subscripted') {
-		$md5buf = &geturl("http://dl.snort.org/reg-rules/snortrules-snapshot-2.8_s.tar.gz.md5?oink_code=$snortsettings{'OINKCODE'}");
-	} elsif ($snortsettings{'RULES'} eq 'registered') {
-		$md5buf = &geturl("http://dl.snort.org/reg-rules/snortrules-snapshot-2.8.tar.gz.md5?oink_code=$snortsettings{'OINKCODE'}");
-	} else {
-		$md5buf = &geturl("http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz.md5");
-	}
-
-	return undef unless $md5buf;
-
-	if (0) { # 1 to debug
-		my $filename='';
-		my $fh='';
-		($fh, $filename) = tempfile('/var/tmp/XXXXXXXX',SUFFIX => '.md5' );
-		binmode ($fh);
-		syswrite ($fh, $md5buf->content);
-		close($fh);
-	}
-
-	return $md5buf->content;
-}
 sub downloadrulesfile {
-	my $return = &geturl($url);
-	return undef unless $return;
-
-	if (index($return->content, "\037\213") == -1 ) { # \037\213 is .gz beginning
-		$errormessage = $Lang::tr{'invalid loaded file'};
-		return undef;
-	}
-
-	my $filename='';
-	my $fh='';
-	($fh, $filename) = tempfile('/var/tmp/XXXXXXXX',SUFFIX => '.tar.gz' );#oinkmaster work only with this extension
-	binmode ($fh);
-	syswrite ($fh, $return->content);
-	close($fh);
-	return $filename;
-}
+	my $peer;
+	my $peerport;
 
-sub geturl ($) {
-	my $url=$_[0];
+	unlink("/var/tmp/log");
 
 	unless (-e "${General::swroot}/red/active") {
 		$errormessage = $Lang::tr{'could not download latest updates'};
 		return undef;
 	}
 
-	my $downloader = LWP::UserAgent->new;
-	$downloader->timeout(5);
-
 	my %proxysettings=();
 	&General::readhash("${General::swroot}/proxy/settings", \%proxysettings);
 
 	if ($_=$proxysettings{'UPSTREAM_PROXY'}) {
-		my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/);
-		if ($proxysettings{'UPSTREAM_USER'}) {
-			$downloader->proxy("http","http://$proxysettings{'UPSTREAM_USER'}:$proxysettings{'UPSTREAM_PASSWORD'}@"."$peer:$peerport/");
-		} else {
-			$downloader->proxy("http","http://$peer:$peerport/");
-		}
+		($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/);
 	}
 
-	my $return = $downloader->get($url,'Cache-Control','no-cache');
-
-	if ($return->code == 403) {
-		$errormessage = $Lang::tr{'access refused with this oinkcode'};
-		return undef;
-	} elsif (!$return->is_success()) {
-		$errormessage = $Lang::tr{'could not download latest updates'};
-		return undef;
+	if ($peer) {
+		system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -o /var/tmp/log --no-check-certificate --output-document=/var/tmp/snortrules.tar.gz $url");
+	} else {
+		system("wget -r --no-check-certificate -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url");
 	}
-
-	return $return;
-
 }