pfsense · netgate-git-updates · Jul 28, 2018 · Jul 16, 2018 · Jul 27, 2018 · Jul 27, 2018
diff --git a/security/pfSense-pkg-snort/Makefile b/security/pfSense-pkg-snort/Makefile
@@ -1,8 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	pfSense-pkg-snort
-PORTVERSION=	3.2.9.6
-PORTREVISION=	1
+PORTVERSION=	3.2.9.7
 CATEGORIES=	security
 MASTER_SITES=	# empty
 DISTFILES=	# empty
@@ -61,8 +60,6 @@ do-install:
 		${STAGEDIR}${PREFIX}/www/snort
 	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/snort/snort_define_servers.php \
 		${STAGEDIR}${PREFIX}/www/snort
-	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/snort/snort_download_rules.php \
-		${STAGEDIR}${PREFIX}/www/snort
 	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/snort/snort_download_updates.php \
 		${STAGEDIR}${PREFIX}/www/snort
 	${INSTALL_DATA} ${FILESDIR}${PREFIX}/pkg/snort/snort_check_for_rule_updates.php \

diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort.inc
@@ -5,7 +5,7 @@
  * part of pfSense (https://www.pfsense.org)
  * Copyright (c) 2006-2016 Rubicon Communications, LLC (Netgate)
  * Copyright (c) 2009-2010 Robert Zelaya
- * Copyright (c) 2013-2017 Bill Meeks
+ * Copyright (c) 2013-2018 Bill Meeks
  * All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -39,8 +39,12 @@ global $g, $config, $rebuild_rules;
 /* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
 $rebuild_rules = false;
 
-if (!is_array($config['installedpackages']['snortglobal']))
+if (!is_array($config['installedpackages'])) {
+	$config['installedpackages'] = array();
+}
+if (!is_array($config['installedpackages']['snortglobal'])) {
 	$config['installedpackages']['snortglobal'] = array();
+}
 
 function snort_is_single_addr_alias($alias) {
 	/***************************************************/
@@ -103,7 +107,7 @@ function snort_expand_port_range($ports, $delim = ',') {
 }
 
 function snort_get_blocked_ips() {
-	$blocked_ips = "";
+	$blocked_ips = array();
 	exec('/sbin/pfctl -t snort2c -T show', $blocked_ips);
 	$blocked_ips_array = array();
 	if (!empty($blocked_ips)) {

diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_cron_misc.inc b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_check_cron_misc.inc
@@ -3,9 +3,9 @@
  * snort_check_cron_misc.inc
  *
  * part of pfSense (https://www.pfsense.org)
- * Copyright (c) 2016 Rubicon Communications, LLC (Netgate)
+ * Copyright (c) 2018 Rubicon Communications, LLC (Netgate)
  * Copyright (c) 2009-2010 Robert Zelaya
- * Copyright (c) 2014 Bill Meeks
+ * Copyright (c) 2018 Bill Meeks
  * All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -156,8 +156,15 @@ if ($g['booting'] == true)
 $logs = array ();
 
 // Build an array of files to check and limits to check them against from our saved configuration
+$logs['alert'] = array();
+$logs['alert']['limit'] = $config['installedpackages']['snortglobal']['alert_log_limit_size'];
+$logs['alert']['retention'] = $config['installedpackages']['snortglobal']['alert_log_retention'];
+$logs['sid_changes.log'] = array();
 $logs['sid_changes.log']['limit'] = $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'];
 $logs['sid_changes.log']['retention'] = $config['installedpackages']['snortglobal']['sid_changes_log_retention'];
+$logs['app-stats.log'] = array();
+$logs['app-stats.log']['limit'] = $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'];
+$logs['app-stats.log']['retention'] = $config['installedpackages']['snortglobal']['appid_stats_log_retention'];
 
 // If no interfaces defined, there is nothing to clean up
 if (!is_array($config['installedpackages']['snortglobal']['rule']))

diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_conf_template.inc b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_conf_template.inc
@@ -26,6 +26,7 @@ var RULE_PATH {$snortcfgdir}/rules
 
 # Configure the snort decoder #
 config checksum_mode: {$cksumcheck}
+config snaplen: {$snaplen}
 config disable_decode_alerts
 config disable_tcpopt_experimental_alerts
 config disable_tcpopt_obsolete_alerts

diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_generate_conf.php b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_generate_conf.php
@@ -5,7 +5,7 @@
  * part of pfSense (https://www.pfsense.org)
  * Copyright (c) 2006-2016 Rubicon Communications, LLC (Netgate)
  * Copyright (c) 2009-2010 Robert Zelaya
- * Copyright (c) 2013-2014 Bill Meeks
+ * Copyright (c) 2013-2018 Bill Meeks
  * All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -83,6 +83,14 @@
 	}
 }
 
+/* define interface snaplen */
+if (!empty($snortcfg['snaplen']) && is_numeric($snortcfg['snaplen'])) {
+	$snaplen = $snortcfg['snaplen'];
+}
+else {
+	$snaplen = '1518';
+}
+
 /* define alert log limit */
 if (!empty($config['installedpackages']['snortglobal']['alert_log_limit_size']) && $config['installedpackages']['snortglobal']['alert_log_limit_size'] != "0")
 	$alert_log_limit_size = $config['installedpackages']['snortglobal']['alert_log_limit_size'] . "K";
@@ -301,8 +309,10 @@
 				    "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", 
 				    "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
 
-if (!is_array($snortcfg['ftp_client_engine']['item']))
+if (!is_array($snortcfg['ftp_client_engine']['item'])) {
+	$snortcfg['ftp_client_engine'] = array();
 	$snortcfg['ftp_client_engine']['item'] = array();
+}
 
 // If no FTP client engine is configured, use the default
 // to keep from breaking Snort.
@@ -379,8 +389,10 @@
 				    "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", 
 				    "ignore_data_chan" => "no", "def_max_param_len" => 100 );
 
-if (!is_array($snortcfg['ftp_server_engine']['item']))
+if (!is_array($snortcfg['ftp_server_engine']['item'])) {
+	$snortcfg['ftp_server_engine'] = array();
 	$snortcfg['ftp_server_engine']['item'] = array();
+}
 
 // If no FTP server engine is configured, use the default
 // to keep from breaking Snort.
@@ -686,23 +698,52 @@
 
 /* def ssh_preproc */
 
-$ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports']));
-
 // Make sure we have port numbers or else use defaults
-if (!isset($ssh_ports) || empty($ssh_ports))
+if (isset($snortcfg['ssh_preproc_ports'])) {
+	if (is_alias($snortcfg['ssh_preproc_ports'])) {
+		if (strlen(trim(filter_expand_alias($snortcfg['ssh_preproc_ports']))) > 0) {
+			$ssh_ports = trim(filter_expand_alias($snortcfg['ssh_preproc_ports']));
+			$ssh_ports = preg_replace('/\s+/', ',', trim($ssh_ports));
+		}
+		else {
+			log_error("[snort] WARNING: unable to resolve Alias {$snortcfg['ssh_preproc_ports']} for SSH Preprocessor Ports parameter ... reverting to default value of 22.");
+			$ssh_ports = "22";
+		}
+	} else {
+          		$ssh_ports = $snortcfg['ssh_preproc_ports'];
+        }
+}
+else {
 	$ssh_ports = "22";
+}
 $ssh_preproc = <<<EOD
 # SSH preprocessor #
 preprocessor ssh: \
 	server_ports { {$ssh_ports} } \
-	autodetect \
-	max_client_bytes 19600 \
-	max_encrypted_packets 20 \
-	max_server_version_len 100 \
-	enable_respoverflow enable_ssh1crc32 \
-	enable_srvoverflow enable_protomismatch
-
+	autodetect
 EOD;
+if (isset($snortcfg['ssh_preproc_max_client_bytes']) && $snortcfg['ssh_preproc_max_client_bytes'] > 0) {
+	$ssh_preproc .= " \\\n\tmax_client_bytes {$snortcfg['ssh_preproc_max_client_bytes']}";
+}
+if (isset($snortcfg['ssh_preproc_max_encrypted_packets']) && $snortcfg['ssh_preproc_max_encrypted_packets'] > 0) {
+	$ssh_preproc .= " \\\n\tmax_encrypted_packets {$snortcfg['ssh_preproc_max_encrypted_packets']}";
+}
+if (isset($snortcfg['ssh_preproc_max_server_version_len']) && $snortcfg['ssh_preproc_max_server_version_len'] > 0) {
+	$ssh_preproc .= " \\\n\tmax_server_version_len {$snortcfg['ssh_preproc_max_server_version_len']}";
+}
+if ($snortcfg['ssh_preproc_enable_respoverflow'] == 'on') {
+	$ssh_preproc .= " \\\n\tenable_respoverflow";
+}
+if ($snortcfg['ssh_preproc_enable_srvoverflow'] == 'on') {
+	$ssh_preproc .= " \\\n\tenable_srvoverflow";
+}
+if ($snortcfg['ssh_preproc_enable_ssh1crc32'] == 'on') {
+	$ssh_preproc .= " \\\n\tenable_ssh1crc32";
+}
+if ($snortcfg['ssh_preproc_enable_protomismatch'] == 'on') {
+	$ssh_preproc .= " \\\n\tenable_protomismatch";
+}
+$ssh_preproc .= "\n";
 
 /* def other_preprocs */
 
@@ -1108,8 +1149,10 @@
 
 // Now iterate configured Frag3 engines and write them to a string if enabled
 if ($snortcfg['frag3_detection'] == "on") {
-	if (!is_array($snortcfg['frag3_engine']['item']))
+	if (!is_array($snortcfg['frag3_engine']['item'])) {
+		$snortcfg['frag3_engine'] = array();
 		$snortcfg['frag3_engine']['item'] = array();
+}
 
 	// If no frag3 tcp engine is configured, use the default
 	if (empty($snortcfg['frag3_engine']['item']))
@@ -1205,8 +1248,10 @@
 
 // Now iterate configured Stream5 TCP engines and write them to a string if enabled
 if ($snortcfg['stream5_reassembly'] == "on") {
-	if (!is_array($snortcfg['stream5_tcp_engine']['item']))
+	if (!is_array($snortcfg['stream5_tcp_engine']['item'])) {
+		$snortcfg['stream5_tcp_engine'] = array();
 		$snortcfg['stream5_tcp_engine']['item'] = array();
+}
 
 	// If no stream5 tcp engine is configured, use the default
 	if (empty($snortcfg['stream5_tcp_engine']['item']))
@@ -1371,8 +1416,10 @@
 
 // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled
 if ($snortcfg['http_inspect'] <> "off") {
-	if (!is_array($snortcfg['http_inspect_engine']['item']))
+	if (!is_array($snortcfg['http_inspect_engine']['item'])) {
+		$snortcfg['http_inspect_engine'] = array();
 		$snortcfg['http_inspect_engine']['item'] = array();
+}
 
 	// If no http_inspect_engine is configured, use the default
 	if (empty($snortcfg['http_inspect_engine']['item']))

diff --git a/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_migrate_config.php b/security/pfSense-pkg-snort/files/usr/local/pkg/snort/snort_migrate_config.php
@@ -34,10 +34,15 @@
 
 global $config;
 
-if (!is_array($config['installedpackages']['snortglobal']))
+if (!is_array($config['installedpackages'])) {
+	$config['installedpackages'] = array();
+}
+if (!is_array($config['installedpackages']['snortglobal'])) {
 	$config['installedpackages']['snortglobal'] = array();
-if (!is_array($config['installedpackages']['snortglobal']['rule']))
+}
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
 	$config['installedpackages']['snortglobal']['rule'] = array();
+}
 
 // Just exit if this is a clean install with no saved settings
 if (empty($config['installedpackages']['snortglobal']['rule']))
@@ -127,16 +132,36 @@
 /**********************************************************/
 foreach ($rule as &$r) {
 	// Initialize arrays for supported preprocessors if necessary
-	if (!is_array($r['frag3_engine']['item']))
+	if (!is_array($r['frag3_engine'])) {
+		$r['frag3_engine'] = array();
+	}
+	if (!is_array($r['frag3_engine']['item'])) {
 		$r['frag3_engine']['item'] = array();
-	if (!is_array($r['stream5_tcp_engine']['item']))
+	}
+	if (!is_array($r['stream5_tcp_engine'])) {
+		$r['stream5_tcp_engine'] = array();
+	}
+	if (!is_array($r['stream5_tcp_engine']['item'])) {
 		$r['stream5_tcp_engine']['item'] = array();
-	if (!is_array($r['http_inspect_engine']['item']))
+	}
+	if (!is_array($r['http_inspect_engine'])) {
+		$r['http_inspect_engine'] = array();
+	}
+	if (!is_array($r['http_inspect_engine']['item'])) {
 		$r['http_inspect_engine']['item'] = array();
-	if (!is_array($r['ftp_client_engine']['item']))
+	}
+	if (!is_array($r['ftp_client_engine'])) {
+		$r['ftp_client_engine'] = array();
+	}
+	if (!is_array($r['ftp_client_engine']['item'])) {
 		$r['ftp_client_engine']['item'] = array();
-	if (!is_array($r['ftp_server_engine']['item']))
+	}
+	if (!is_array($r['ftp_server_engine'])) {
+		$r['ftp_server_engine'] = array();
+	}
+	if (!is_array($r['ftp_server_engine']['item'])) {
 		$r['ftp_server_engine']['item'] = array();
+	}
 
 	$pconfig = array();
 	$pconfig = $r;
@@ -562,6 +587,47 @@
 		$updated_cfg = true;
 	}
 
+	// Configure a default interface snaplen if not previously configured
+	if (!isset($pconfig['snaplen'])) {
+		$pconfig['snaplen'] = '1518';
+		$updated_cfg = true;
+	}
+
+	// Configure new SSH preprocessor parameter defaults if not already set
+	if (!isset($pconfig['ssh_preproc_ports'])) {
+		$pconfig['ssh_preproc_ports'] = '22';
+		$updated_cfg = true;
+	}
+	if (!isset($pconfig['ssh_preproc_max_encrypted_packets'])) {
+		$pconfig['ssh_preproc_max_encrypted_packets'] = 20;
+		$updated_cfg = true;
+	}
+	if (!isset($pconfig['ssh_preproc_max_client_bytes'])) {
+		$pconfig['ssh_preproc_max_client_bytes'] = 19600;
+		$updated_cfg = true;
+	}
+	if (!isset($pconfig['ssh_preproc_max_server_version_len'])) {
+		$pconfig['ssh_preproc_max_server_version_len'] = 100;
+		$updated_cfg = true;
+	}
+	if (!isset($pconfig['ssh_preproc_enable_respoverflow'])) {
+		$pconfig['ssh_preproc_enable_respoverflow'] = 'on';
+		$updated_cfg = true;
+	}
+	if (!isset($pconfig['ssh_preproc_enable_srvoverflow'])) {
+		$pconfig['ssh_preproc_enable_srvoverflow'] = 'on';
+		$updated_cfg = true;
+	}
+	if (!isset($pconfig['ssh_preproc_enable_ssh1crc32'])) {
+		$pconfig['ssh_preproc_enable_ssh1crc32'] = 'on';
+		$updated_cfg = true;
+	}
+	if (!isset($pconfig['ssh_preproc_enable_protomismatch'])) {
+		$pconfig['ssh_preproc_enable_protomismatch'] = 'on';
+		$updated_cfg = true;
+	}
+	// End new SSH parameters
+
 	// Save the new configuration data into the $config array pointer
 	$r = $pconfig;
 }

diff --git a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_alerts.php b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_alerts.php
@@ -3,10 +3,10 @@
  * snort_alerts.php
  *
  * part of pfSense (https://www.pfsense.org)
- * Copyright (c) 2006-2016 Rubicon Communications, LLC (Netgate)
+ * Copyright (c) 2006-2018 Rubicon Communications, LLC (Netgate)
  * Copyright (c) 2005 Bill Marquette <[email protected]>.
  * Copyright (c) 2003-2004 Manuel Kasper <[email protected]>.
- * Copyright (c) 2015 Bill Meeks
+ * Copyright (c) 2018 Bill Meeks
  * Copyright (c) 2009 Robert Zelaya Sr. Developer
  * All rights reserved.
  *
@@ -26,7 +26,6 @@
 require_once("guiconfig.inc");
 require_once("/usr/local/pkg/snort/snort.inc");
 
-$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
 $supplist = array();
 $snortlogdir = SNORTLOGDIR;
 $filterlogentries = FALSE;
@@ -159,8 +158,9 @@ function snort_match_filter_field($flent, $fields) {
 if (empty($instanceid) || !is_numericint($instanceid))
 	$instanceid = 0;
 
-if (!is_array($config['installedpackages']['snortglobal']['rule']))
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
 	$config['installedpackages']['snortglobal']['rule'] = array();
+}
 $a_instance = &$config['installedpackages']['snortglobal']['rule'];
 $snort_uuid = $a_instance[$instanceid]['uuid'];
 $if_real = get_real_interface($a_instance[$instanceid]['interface']);

diff --git a/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_barnyard.php b/security/pfSense-pkg-snort/files/usr/local/www/snort/snort_barnyard.php
@@ -3,7 +3,7 @@
  * snort_barnyard.php
  *
  * part of pfSense (https://www.pfsense.org)
- * Copyright (c) 2016 Rubicon Communications, LLC (Netgate)
+ * Copyright (c) 2018 Rubicon Communications, LLC (Netgate)
  * Copyright (c) 2003-2004 Manuel Kasper <[email protected]>
  * Copyright (c) 2008-2009 Robert Zelaya
  * Copyright (c) 2014-2018 Bill Meeks
@@ -37,8 +37,9 @@
         exit;
 }
 
-if (!is_array($config['installedpackages']['snortglobal']['rule']))
+if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
 	$config['installedpackages']['snortglobal']['rule'] = array();
+}
 $a_nat = &$config['installedpackages']['snortglobal']['rule'];
 
 $pconfig = array();