<?php
/*
** SnortCenter Copyright (C) 2001,2002,2003 Stefan Dens
**
** Author: Stefan Dens <hide@address.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
?>
<?php
include_once("list.inc.php");
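/**
 * Parse one line of a Snort rules/config file into an associative array.
 *
 * Blank lines and lines whose first token contains '#' yield null.
 * 'include' lines return the seven header fields plus 'rule_options': the text
 * after the first '/' when the line has one, otherwise the text after the keyword.
 * var/preprocessor/output/ruletype/config lines return 'rule_options' = the rest
 * of the line after the keyword.
 * Anything else is a detection rule: the seven header fields are kept verbatim
 * and every option inside "( ... )" is filed under its own key. Option values
 * (not the header fields) go through addslashes() because write_rule() splices
 * them straight into quoted SQL literals; a consumer that needs the raw text
 * must stripslashes() it.
 *
 * Changes from the previous version: a second pcre/fragoffset option is now
 * kept in 'multiple_rest' like every other repeated option (the first value was
 * overwritten and the second stored twice); the unreachable duplicate 'window'
 * branch is gone; short/malformed lines no longer raise undefined-index notices;
 * the "unknown option" diagnostic is HTML-escaped since the file is untrusted.
 *
 * @param string $rule_line one physical line of the file
 * @return array|null
 */
function pars_rule($rule_line) {
    // Header: up to 7 space-separated fields; chunk 8 is the whole "( ... )" option body.
    // Padding keeps short or malformed lines from producing undefined-index notices.
    $parts = array_pad(explode(' ', ltrim($rule_line), 8), 8, '');
    $rule = array(
        'action'   => $parts[0],
        'proto'    => $parts[1],
        'src_ip'   => $parts[2],
        'src_port' => $parts[3],
        'operator' => $parts[4],
        'dst_ip'   => $parts[5],
        'dst_port' => $parts[6]
    );
    $rule_options = $parts[7];

    // Blank line or comment: nothing to return (the '#' test matches anywhere in the first token).
    if ($rule['action'] == '' || strpos($rule['action'], '#') !== false) {
        return null;
    }

    if ($rule['action'] == 'include') {
        // Split on the first '/' if present, else on the first blank.
        $sep = (strpos($rule_line, '/') !== false) ? '/' : ' ';
        $tmp = explode($sep, ltrim($rule_line), 2);
        $rule['rule_options'] = isset($tmp[1]) ? $tmp[1] : '';
        return $rule;
    }

    $directives = array('var', 'preprocessor', 'output', 'ruletype', 'config');
    if (in_array($rule['action'], $directives, true)) {
        $tmp = explode(' ', ltrim($rule_line), 2);
        $rule['rule_options'] = isset($tmp[1]) ? $tmp[1] : '';
        return $rule;
    }

    // Detection rule: strip the surrounding "(" and ")" and split on ';' (but not on '\;').
    $rule_options = substr(ltrim($rule_options), 1);
    $rule_options = substr(rtrim($rule_options), 0, -1);
    $options = preg_split('/(?<!\\\);/', $rule_options);

    // Single-valued options: option name => $rule key. The first occurrence is stored under
    // the key; later repeats are appended verbatim to 'multiple_rest' so nothing is lost.
    $single = array(
        'logto' => 'logto', 'ttl' => 'ttl', 'tos' => 'tos', 'id' => 'id', 'ipopts' => 'ipoption',
        'fragbits' => 'fragbits', 'dsize' => 'dsize', 'flags' => 'flags', 'window' => 'window',
        'seq' => 'seq', 'ack' => 'ack', 'itype' => 'itype', 'icode' => 'icode',
        'icmp_id' => 'icmp_id', 'icmp_seq' => 'icmp_seq', 'content-list' => 'content_list',
        'session' => 'session', 'rpc' => 'rpc', 'resp' => 'resp', 'react' => 'react',
        'fwsam' => 'fwsam', 'classtype' => 'classtype', 'priority' => 'priority', 'tag' => 'tag',
        'ip_proto' => 'ip_proto', 'activates' => 'activates', 'activates_by' => 'activates_by',
        'count' => 'count', 'flow' => 'flow', 'fragoffset' => 'fragoffset', 'pcre' => 'pcre',
        'flowbits' => 'flowbits', 'threshold' => 'threshold'
    );
    // Options that open a new match position ($content_nr) and carry their own value.
    $position_start = array('content', 'uricontent', 'byte_jump', 'byte_test', 'asn1');
    // Valued modifiers of the current match position: option name => $rule key.
    $position_value = array('offset' => 'off_set', 'depth' => 'depth', 'distance' => 'distance',
        'within' => 'within', 'isdataat' => 'isdataat');
    // Valueless modifiers of the current match position (stored as their own name).
    $position_flag = array('nocase', 'regex', 'rawbytes');

    $content_nr = 0;
    foreach ($options as $option) {
        $pair = explode(':', trim($option), 2);
        $what = $pair[0];
        if ($what == '') {
            continue;   // empty piece, e.g. after the trailing ';'
        }
        // addslashes(): the value ends up inside a quoted SQL literal in write_rule().
        $val = addslashes(ltrim(isset($pair[1]) ? $pair[1] : ''));

        if (isset($single[$what])) {
            $key = $single[$what];
            if (isset($rule[$key])) {
                // isset() rather than a truthiness test so a first value of "0" is not overwritten.
                $rule['multiple_rest'] = (isset($rule['multiple_rest']) ? $rule['multiple_rest'] : '') . " $what: $val;";
            } else {
                $rule[$key] = $val;
            }
        } elseif (in_array($what, $position_start, true)) {
            $content_nr++;
            $rule[$what][$content_nr] = $val;
        } elseif (isset($position_value[$what])) {
            $rule[$position_value[$what]][$content_nr] = $val;
        } elseif (in_array($what, $position_flag, true)) {
            $rule[$what][$content_nr] = $what;
        } elseif ($what == 'msg' || $what == 'sid' || $what == 'rev') {
            $rule[$what] = $val;   // last occurrence wins, as before
        } elseif ($what == 'reference') {
            $rule['reference'][] = $val;
        } elseif ($what == 'sameip' || $what == 'stateless') {
            $rule[$what] = $what;
        } else {
            // Diagnostic is written into the HTML page; the rules file is untrusted input, so escape it.
            echo 'Unknown Rule option: ' . htmlspecialchars($rule_options) . '<BR>-> ' . htmlspecialchars($what) . '<BR>';
        }
    }
    return $rule;
}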
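/**
 * Store one parsed line (see pars_rule()) in the SnortCenter database.
 *
 * @param array|null $rule  array produced by pars_rule(); falsy for skipped lines
 * @param string     $file  rules file the line came from; stored as the rule's 'category'
 * @param mixed      $auto  1 marks the row as a Snort default (snort_default = 'yes')
 * @param object     $db    handle offering acidExecute($sql) -> result with acidFetchRow()
 * @return array  [0] => label ($file for rules; 'Variable(s)', 'Preprocessor(s)', ... for
 *                directives; not set for config lines other than classification/reference),
 *                [1] => 'add-'|'update-'|'nochange-' . kind, [2] => row id (directives only).
 *                Empty when nothing was done (no rule, or an include line).
 *
 * SQL is built by string concatenation against an opaque $db, so values are quoted with
 * addslashes(): pars_rule() already applies it to option values (msg, sid, content, ...),
 * while the seven header fields, $file and directive payloads arrive raw and are escaped
 * here. addslashes() is not charset-aware; if $db exposes a driver escape, prefer it.
 *
 * Fixes over the previous version: the rawbytes modifier is now written (the old statements
 * read $rule['$rawbytes'], a literal key, so the column was always empty); an existing
 * ruletype is compared on 'ruletype_value' (the old 'rule_type_value' never matched, so every
 * run issued an UPDATE); UPDATE of an existing rule now also refreshes pcre, flowbits and
 * threshold, which only the INSERT wrote; the result is an array from the start (assigning
 * $str[0] on '' no longer creates an array since PHP 7.1).
 */
function write_rule($rule, $file, $auto, $db) {
    $update_rule_count = array();
    if (!$rule) {
        return $update_rule_count;
    }
    $default = ($auto == 1) ? 'yes' : 'no';
    $action  = $rule['action'];
    $payload = isset($rule['rule_options']) ? $rule['rule_options'] : '';

    // "name value" directives that map 1:1 onto a settings table:
    // action => array(label, table, name column, value column, tag used in the result kind)
    $directives = array(
        'var'          => array('Variable(s)',      'vars',         'var_name',      'var_value',      'var'),
        'preprocessor' => array('Preprocessor(s)',  'preprocessor', 'spp_name',      'spp_value',      'spp'),
        'output'       => array('Output Plugin(s)', 'output',       'spo_name',      'spo_value',      'spo'),
        'ruletype'     => array('Ruletype(s)',      'ruletype',     'ruletype_name', 'ruletype_value', 'ruletype')
    );
    if (isset($directives[$action])) {
        list($label, $table, $name_col, $value_col, $tag) = $directives[$action];
        $update_rule_count[0] = $label;
        list($name, $value) = write_rule_split_directive($payload);
        // NOTE(review): the previous code tried to read continuation lines of a multi-line
        // "ruletype x { ... }" block from $fd, which is neither a parameter nor declared
        // global here, so feof()/fgets() failed and the loop never saw '}' (it could not
        // terminate). Only the text on this line is stored now; if multi-line ruletype
        // blocks are needed, the caller has to join the lines before calling pars_rule().
        $res = write_rule_upsert_setting($db, $table, $name_col, $value_col, $name, $value, $default, $tag);
        $update_rule_count[1] = $res[0];
        $update_rule_count[2] = $res[1];
        return $update_rule_count;
    }

    if ($action == 'config') {
        list($name, $value) = write_rule_split_directive($payload);
        // classification/reference lines are matched on their first field only, so a changed
        // description still updates the same row. Other config lines get no label (as before).
        if ($name == 'classification:') {
            $short = explode(',', $value, 2);
            $short_name = $short[0];
            $update_rule_count[0] = 'Classification(s)';
        } elseif ($name == 'reference:') {
            $short = explode(' ', $value, 2);
            $short_name = $short[0];
            $update_rule_count[0] = 'Reference(s)';
        } else {
            $short_name = $value;
        }
        // LIKE wildcards ('%', '_') inside $short_name are not escaped; unchanged behaviour.
        $extra = " AND config_value like '" . addslashes($short_name) . "%'";
        $res = write_rule_upsert_setting($db, 'config', 'config_name', 'config_value', $name, $value, $default, 'config', $extra);
        $update_rule_count[1] = $res[0];
        $update_rule_count[2] = $res[1];
        return $update_rule_count;
    }

    if ($action == 'include') {
        return $update_rule_count;   // include lines are not stored
    }

    // Everything else is a detection rule; sid is its only identity in the database.
    $update_rule_count[0] = $file;
    $sid = isset($rule['sid']) ? $rule['sid'] : '';   // already addslashes()'d by pars_rule()
    $result   = $db->acidExecute("SELECT * FROM rules WHERE sid = '$sid'");
    $existing = $result->acidFetchRow();
    $row_fields = write_rule_row_fields($rule, $file);

    if ($existing == 0) {
        write_rule_insert_matches($db, $rule, $sid);
        write_rule_insert_references($db, $rule, $sid);
        $db->acidExecute(write_rule_insert_sql('rules', $row_fields));
        $update_rule_count[1] = 'add-rule';
        return $update_rule_count;
    }

    // Known sid: the match and reference rows are always rebuilt from the file, the rule row
    // itself only when the file carries a newer rev or the row was flagged for deletion.
    $db->acidExecute("DELETE FROM content WHERE sid='$sid'");
    $db->acidExecute("DELETE FROM uricontent WHERE sid='$sid'");
    write_rule_insert_matches($db, $rule, $sid);
    $db->acidExecute("DELETE FROM reference WHERE sid='$sid'");
    write_rule_insert_references($db, $rule, $sid);

    $rev = isset($rule['rev']) ? $rule['rev'] : '';
    // NOTE: rev is compared as a quoted literal; whether that is numeric depends on the column type.
    $result   = $db->acidExecute("SELECT * FROM rules WHERE sid = '$sid' AND ( rev < '$rev' OR rule_mark = 'del')");
    $outdated = $result->acidFetchRow();
    if ($outdated) {
        // snortsam is kept from the stored row rather than taken from the file (as before),
        // and rule_mark is cleared so the row is no longer pending deletion.
        $row_fields['snortsam']  = addslashes(isset($outdated['snortsam']) ? $outdated['snortsam'] : '');
        $row_fields['rule_mark'] = '';
        $set = array();
        foreach ($row_fields as $col => $val) {
            $set[] = "$col = '$val'";
        }
        $db->acidExecute("UPDATE rules SET " . implode(', ', $set) . " WHERE sid = '$sid'");
        $update_rule_count[1] = 'update-rule';
    }
    return $update_rule_count;
}

/**
 * Split a directive payload ("NAME rest of line") into array(name, value).
 * The value is '' when the line has no second field.
 */
function write_rule_split_directive($options) {
    $parts = explode(' ', trim($options), 2);
    return array($parts[0], isset($parts[1]) ? $parts[1] : '');
}

/**
 * Build "INSERT INTO $table (c1, c2, ...) VALUES ('v1', 'v2', ...)" from a column => value
 * map. Values must already be escaped for a single-quoted SQL literal; null becomes ''.
 */
function write_rule_insert_sql($table, $fields) {
    return "INSERT INTO $table (" . implode(', ', array_keys($fields)) . ") VALUES ('"
        . implode("', '", array_values($fields)) . "')";
}

/**
 * Insert-or-update one settings row (vars/preprocessor/output/ruletype/config), matched on
 * the name column, the optional $extra_where fragment (already escaped) and snort_default.
 * $name/$value are raw: they are escaped for SQL here and compared unescaped against the
 * stored value. Returns array('add-'|'update-'|'nochange-' . $tag, row id).
 */
function write_rule_upsert_setting($db, $table, $name_col, $value_col, $name, $value, $default, $tag, $extra_where = '') {
    $q_name  = addslashes($name);
    $q_value = addslashes($value);
    $result = $db->acidExecute("SELECT * FROM $table WHERE $name_col = '$q_name'$extra_where AND snort_default = '$default'");
    $myrow  = $result->acidFetchRow();
    if ($myrow == 0) {
        $db->acidExecute(write_rule_insert_sql($table, array($name_col => $q_name, $value_col => $q_value, 'snort_default' => $default)));
        // NOTE: max(id) right after the INSERT is not the inserted id if another writer is active.
        $result = $db->acidExecute("SELECT max(id) FROM $table");
        $last   = $result->acidFetchRow();
        return array("add-$tag", $last[0]);
    }
    if ($myrow[$value_col] != $value) {
        $db->acidExecute("UPDATE $table SET $value_col = '$q_value' where id = '" . $myrow['id'] . "'");
        return array("update-$tag", $myrow['id']);
    }
    return array("nochange-$tag", $myrow['id']);
}

/**
 * Column => value map for the rules table row of a parsed rule, in the column order the
 * table has always been written. Header fields and $file are escaped here; option values
 * were already addslashes()'d by pars_rule() and must not be escaped twice.
 * 'snortsam' is never set by pars_rule() and 'fwsam' is parsed but has no column, so both
 * behave exactly as before.
 */
function write_rule_row_fields($rule, $file) {
    $fields = array();
    foreach (array('action', 'proto', 'src_ip', 'src_port', 'operator', 'dst_ip', 'dst_port') as $col) {
        $fields[$col] = addslashes(isset($rule[$col]) ? $rule[$col] : '');
    }
    $option_cols = array('msg', 'logto', 'ttl', 'tos', 'id', 'ipoption', 'fragbits', 'dsize', 'flags',
        'window', 'seq', 'ack', 'itype', 'icode', 'icmp_id', 'icmp_seq', 'content_list', 'session',
        'rpc', 'resp', 'react', 'classtype', 'priority', 'tag', 'ip_proto', 'sameip', 'stateless',
        'sid', 'rev', 'activates', 'activates_by', 'count');
    foreach ($option_cols as $col) {
        $fields[$col] = isset($rule[$col]) ? $rule[$col] : '';
    }
    $fields['category'] = addslashes($file);
    foreach (array('flow', 'fragoffset', 'pcre', 'flowbits', 'threshold', 'snortsam', 'multiple_rest') as $col) {
        $fields[$col] = isset($rule[$col]) ? $rule[$col] : '';
    }
    return $fields;
}

/**
 * Per-match-position columns for position $nr, restricted to $columns (the individual
 * INSERTs below have always written slightly different column sets). Missing values are ''.
 */
function write_rule_match_fields($rule, $nr, $columns) {
    $fields = array();
    foreach ($columns as $col) {
        $fields[$col] = isset($rule[$col][$nr]) ? $rule[$col][$nr] : '';
    }
    return $fields;
}

/**
 * Write the content-table rows (content, byte_test, byte_jump, asn1 positions) and the
 * uricontent rows of a rule. The caller guarantees no stale rows for this sid exist.
 * Option values are already escaped by pars_rule(); $sid too.
 */
function write_rule_insert_matches($db, $rule, $sid) {
    $base = array('off_set', 'depth', 'nocase', 'regex', 'distance', 'within', 'byte_jump', 'byte_test', 'asn1');
    $with_rawbytes = array_merge($base, array('rawbytes'));

    if (isset($rule['content'])) {
        foreach ($rule['content'] as $nr => $text) {
            $fields = array_merge(array('sid' => $sid, 'sequence' => $nr, 'content' => $text),
                write_rule_match_fields($rule, $nr, array_merge($with_rawbytes, array('isdataat'))));
            $db->acidExecute(write_rule_insert_sql('content', $fields));
        }
    }
    // byte_test/byte_jump/asn1 each occupy a match position of their own; the option's own
    // value is written through its same-named column. Column sets kept as originally written.
    $positional = array('byte_test' => $with_rawbytes, 'byte_jump' => $base, 'asn1' => $base);
    foreach ($positional as $key => $cols) {
        if (!isset($rule[$key])) {
            continue;
        }
        foreach ($rule[$key] as $nr => $unused) {
            $fields = array_merge(array('sid' => $sid, 'sequence' => $nr), write_rule_match_fields($rule, $nr, $cols));
            $db->acidExecute(write_rule_insert_sql('content', $fields));
        }
    }
    if (isset($rule['uricontent'])) {
        foreach ($rule['uricontent'] as $nr => $text) {
            $fields = array_merge(array('sid' => $sid, 'uricontent' => $text), write_rule_match_fields($rule, $nr, $base));
            $db->acidExecute(write_rule_insert_sql('uricontent', $fields));
        }
    }
}

/**
 * Write one reference row per reference option of a rule (values escaped by pars_rule()).
 */
function write_rule_insert_references($db, $rule, $sid) {
    if (!isset($rule['reference'])) {
        return;
    }
    foreach ($rule['reference'] as $reference) {
        $db->acidExecute(write_rule_insert_sql('reference', array('sid' => $sid, 'reference' => $reference)));
    }
}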
?>