<?php
    /*
    ** SnortCenter Copyright (C) 2001,2002,2003 Stefan Dens
    **
    ** Author: Stefan Dens <hide@address.com>
    **
    ** This program is free software; you can redistribute it and/or modify
    ** it under the terms of the GNU General Public License as published by
    ** the Free Software Foundation; either version 2 of the License, or
    ** (at your option) any later version.
    **
    ** This program is distributed in the hope that it will be useful,
        ** but WITHOUT ANY WARRANTY; without even the implied warranty of
    ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    ** GNU General Public License for more details.
    **
    ** You should have received a copy of the GNU General Public License
    ** along with this program; if not, write to the Free Software
    ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
    */
?>
<?php
    include_once("list.inc.php");
     
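    /**
     * Parse one line of a Snort rules/configuration file.
     *
     * Recognised line kinds:
     *   - blank lines and lines whose first word contains '#': returns null;
     *   - "include ...": 'rule_options' holds the text after the first '/'
     *     (or after the first space when the line has no '/');
     *   - "var", "preprocessor", "output", "ruletype", "config": 'action' and
     *     'rule_options' (rest of the line, unescaped);
     *   - anything else is a detection rule: the seven header words go to
     *     'action', 'proto', 'src_ip', 'src_port', 'operator', 'dst_ip',
     *     'dst_port' and the "( ... )" option list is split on ';' (an escaped
     *     '\;' does not split) into the keys described below.
     *
     * Detection-rule option values pass through addslashes() because
     * write_rule() concatenates them into SQL text. That is string escaping,
     * not parameter binding, so it only holds while the DB layer keeps
     * treating backslash as the escape character.
     *
     * Content-related options share a running sequence number: content,
     * uricontent, byte_jump, byte_test and asn1 open a new number; offset,
     * depth, distance, within, isdataat, nocase, regex and rawbytes attach
     * to the current one. Single-valued options seen twice keep the first
     * value; the repeat is appended verbatim to 'multiple_rest' so nothing
     * from the file is silently lost.
     *
     * @param string $rule_line one line of the file
     * @return array|null parsed line, or null for blank/comment lines
     */
    function pars_rule($rule_line) {
        // Options expected at most once per rule, mapped to the key they are
        // stored under. A repeat keeps the first value and appends the repeat
        // to $rule['multiple_rest'].
        static $single_valued = array(
            'logto' => 'logto', 'ttl' => 'ttl', 'tos' => 'tos', 'id' => 'id',
            'ipopts' => 'ipoption', 'fragbits' => 'fragbits', 'dsize' => 'dsize',
            'flags' => 'flags', 'window' => 'window', 'seq' => 'seq', 'ack' => 'ack',
            'itype' => 'itype', 'icode' => 'icode', 'icmp_id' => 'icmp_id',
            'icmp_seq' => 'icmp_seq', 'content-list' => 'content_list',
            'session' => 'session', 'rpc' => 'rpc', 'resp' => 'resp',
            'react' => 'react', 'fwsam' => 'fwsam', 'classtype' => 'classtype',
            'priority' => 'priority', 'tag' => 'tag', 'ip_proto' => 'ip_proto',
            'activates' => 'activates', 'activates_by' => 'activates_by',
            'count' => 'count', 'flow' => 'flow', 'fragoffset' => 'fragoffset',
            'pcre' => 'pcre', 'flowbits' => 'flowbits', 'threshold' => 'threshold',
        );
        // Options that open a new content sequence number.
        static $sequence_openers = array('content', 'uricontent', 'byte_jump', 'byte_test', 'asn1');
        // Valued modifiers attached to the current sequence number.
        static $sequence_values = array(
            'offset' => 'off_set', 'depth' => 'depth', 'distance' => 'distance',
            'within' => 'within', 'isdataat' => 'isdataat',
        );
        // Flag modifiers attached to the current sequence number; stored as their own name.
        static $sequence_flags = array('nocase', 'regex', 'rawbytes');
        // Rule-wide flags stored once as their own name.
        static $rule_flags = array('sameip', 'stateless');
        // Options stored as given; a repeat overwrites the earlier value.
        static $last_wins = array('msg', 'sid', 'rev');
        // Keywords whose whole remainder is kept as one unparsed string.
        static $config_actions = array('var', 'preprocessor', 'output', 'ruletype', 'config');

        // Seven header fields plus the option list; missing fields become ''.
        $fields = array_pad(explode(' ', ltrim($rule_line), 8), 8, '');
        $rule = array(
            'action'   => $fields[0],
            'proto'    => $fields[1],
            'src_ip'   => $fields[2],
            'src_port' => $fields[3],
            'operator' => $fields[4],
            'dst_ip'   => $fields[5],
            'dst_port' => $fields[6],
        );
        $rule_options = $fields[7];

        // Blank lines and comments (a '#' anywhere in the first word) are skipped.
        if ($rule['action'] === '' || strpos($rule['action'], '#') !== false) {
            return null;
        }

        if ($rule['action'] == "include") {
            // Keep only the file part: after the first '/' when there is a
            // path, otherwise the text after the keyword.
            $separator = (strpos($rule_line, '/') !== false) ? '/' : ' ';
            $parts = array_pad(explode($separator, ltrim($rule_line), 2), 2, '');
            $rule['rule_options'] = $parts[1];
            return $rule;
        }
        if (in_array($rule['action'], $config_actions, true)) {
            $parts = array_pad(explode(' ', ltrim($rule_line), 2), 2, '');
            $rule['action'] = $parts[0];
            $rule['rule_options'] = $parts[1];
            return $rule;
        }

        // Detection rule: strip the surrounding "(" and ")" and split the
        // options on ';' unless the ';' is escaped as '\;'.
        $content_nr = 0;
        $rule_options = (string) substr(ltrim($rule_options), 1);
        $rule_options = (string) substr(rtrim($rule_options), 0, -1);
        $option_list = preg_split('/(?<!\\\);/', $rule_options);
        if (!is_array($option_list)) {
            $option_list = array();
        }
        foreach ($option_list as $option) {
            $pair = explode(':', trim($option), 2);
            $what = $pair[0];
            // addslashes() because write_rule() builds SQL text from these
            // values; a bare keyword (e.g. "nocase") has no value.
            $val = isset($pair[1]) ? addslashes(ltrim($pair[1])) : '';

            if ($what === '') {
                continue;
            }
            if (isset($single_valued[$what])) {
                $key = $single_valued[$what];
                if (!empty($rule[$key])) {
                    // Repeated option: first value wins, repeat recorded verbatim
                    // (this now also holds for fragoffset and pcre, which used
                    // to be overwritten while being recorded as a repeat).
                    if (!isset($rule['multiple_rest'])) {
                        $rule['multiple_rest'] = '';
                    }
                    $rule['multiple_rest'] .= " $what: $val;";
                } else {
                    $rule[$key] = $val;
                }
            } elseif (in_array($what, $sequence_openers, true)) {
                $content_nr++;
                $rule[$what][$content_nr] = $val;
            } elseif (isset($sequence_values[$what])) {
                $rule[$sequence_values[$what]][$content_nr] = $val;
            } elseif (in_array($what, $sequence_flags, true)) {
                $rule[$what][$content_nr] = $what;
            } elseif (in_array($what, $rule_flags, true)) {
                $rule[$what] = $what;
            } elseif (in_array($what, $last_wins, true)) {
                $rule[$what] = $val;
            } elseif ($what === 'reference') {
                $rule['reference'][] = $val;
            } else {
                // Rule text is echoed into the page unescaped, as before;
                // rules files are operator-supplied input.
                echo "Unknown Rule option: $rule_options<BR>-> $what<BR>";
            }
        }
        return $rule;
    }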
     
     
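    /**
     * Store one parsed line (see pars_rule()) in the SnortCenter database.
     *
     * @param array|null    $rule output of pars_rule(); a falsy value is ignored
     * @param string        $file rules file name, stored as the rule's category
     * @param int           $auto 1 when importing the Snort defaults (rows get
     *                            snort_default = 'yes'), anything else: 'no'
     * @param object        $db   ACID-style db handle offering acidExecute($sql),
     *                            whose result offers acidFetchRow()
     * @param resource|null $fd   open handle on the rules file, positioned just
     *                            after $rule's line. Only used to read the rest
     *                            of a "ruletype name { ... }" block that is not
     *                            closed on the same line; without it such a
     *                            block is stored as far as it was read. (The
     *                            original referenced an undefined $fd here.)
     * @return array index 0: label ('Variable(s)', 'Preprocessor(s)', ... or
     *               $file for detection rules); index 1: what was done
     *               ('add-var', 'update-rule', 'nochange-spp', ...); index 2:
     *               the row id for the settings tables. Index 1 is absent for
     *               a detection rule that was already current; the array is
     *               empty for include lines and falsy $rule.
     */
    function write_rule($rule, $file, $auto, $db, $fd = null) {
        // Was initialised to '' before; since PHP 7.1 writing $s[0] on a
        // string keeps it a string, so callers received "Va" instead of an array.
        $update_rule_count = array();
        if (!$rule) {
            return $update_rule_count;
        }
        $default = ($auto == 1) ? "yes" : "no";
        $action = snortcenter_rule_field($rule, 'action');

        if ($action == "var") {
            list($name, $value) = snortcenter_split_option($rule);
            $stored = snortcenter_store_setting($db, 'vars', 'var_name', 'var_value', $name, $value, $default, 'var');
            $update_rule_count = array_merge(array('Variable(s)'), $stored);
        } elseif ($action == "preprocessor") {
            list($name, $value) = snortcenter_split_option($rule);
            $stored = snortcenter_store_setting($db, 'preprocessor', 'spp_name', 'spp_value', $name, $value, $default, 'spp');
            $update_rule_count = array_merge(array('Preprocessor(s)'), $stored);
        } elseif ($action == "output") {
            list($name, $value) = snortcenter_split_option($rule);
            $stored = snortcenter_store_setting($db, 'output', 'spo_name', 'spo_value', $name, $value, $default, 'spo');
            $update_rule_count = array_merge(array('Output Plugin(s)'), $stored);
        } elseif ($action == "ruletype") {
            list($name, $value) = snortcenter_split_option($rule);
            // A "ruletype name { ... }" block may continue on the next lines.
            $value = snortcenter_read_ruletype_body($fd, $value);
            $stored = snortcenter_store_setting($db, 'ruletype', 'ruletype_name', 'ruletype_value', $name, $value, $default, 'ruletype');
            $update_rule_count = array_merge(array('Ruletype(s)'), $stored);
        } elseif ($action == "config") {
            list($name, $value) = snortcenter_split_option($rule);
            // The part of the value that identifies the entry: the short name
            // before the first ',' (classification) or ' ' (reference); other
            // config lines are matched on the whole value.
            if ($name == 'classification:') {
                $label = 'Classification(s)';
                list($short_name) = explode(',', $value, 2);
            } elseif ($name == 'reference:') {
                $label = 'Reference(s)';
                list($short_name) = explode(' ', $value, 2);
            } else {
                $label = null;
                $short_name = $value;
            }
            $stored = snortcenter_store_setting($db, 'config', 'config_name', 'config_value', $name, $value, $default, 'config', $short_name);
            if ($label !== null) {
                $update_rule_count = array_merge(array($label), $stored);
            } else {
                // Kept from the original: plain config lines return no label,
                // only index 1 (kind) and 2 (id).
                $update_rule_count = array(1 => $stored[0], 2 => $stored[1]);
            }
        } elseif ($action == "include") {
            // Included files are not tracked in the database.
        } else {
            // Any other action word is a detection rule.
            $update_rule_count = snortcenter_store_rule($db, $rule, $file);
        }
        return $update_rule_count;
    }

    /**
     * Value of $rule[$key], or '' when the key is absent.
     */
    function snortcenter_rule_field($rule, $key) {
        return isset($rule[$key]) ? $rule[$key] : '';
    }

    /**
     * Value of $rule[$key][$nr] (a per-sequence-number option), or ''.
     */
    function snortcenter_sequence_field($rule, $key, $nr) {
        return isset($rule[$key][$nr]) ? $rule[$key][$nr] : '';
    }

    /**
     * Split a config-style line's remainder into its first word and the rest.
     *
     * @return array array(name, value); value is '' when there is no rest
     */
    function snortcenter_split_option($rule) {
        $options = trim(snortcenter_rule_field($rule, 'rule_options'));
        $parts = explode(' ', $options, 2);
        return array($parts[0], isset($parts[1]) ? $parts[1] : '');
    }

    /**
     * Read the remaining lines of a "ruletype name { ... }" block from $fd
     * until a line containing '}' has been appended.
     *
     * Nothing is read when $value already contains '}' or when no file
     * handle is available; $value is then returned unchanged.
     */
    function snortcenter_read_ruletype_body($fd, $value) {
        if (strpos($value, '}') !== false || !is_resource($fd)) {
            return $value;
        }
        $line = '';
        while (!feof($fd) && strpos($line, '}') === false) {
            $line = fgets($fd, 4096);
            if ($line === false) {
                break;
            }
            // Literal backslash-n (two characters), as the original stored it.
            $value .= '\n' . trim($line);
        }
        return $value;
    }

    /**
     * Insert, update or leave untouched one row of a name/value table
     * (vars, preprocessor, output, ruletype, config).
     *
     * The existing row is looked up by $name_col and snort_default; when
     * $match_prefix is given, $value_col must additionally start with it
     * (config lines carry their key inside the value).
     *
     * @return array array(kind, id) with kind "add-$suffix", "update-$suffix"
     *               or "nochange-$suffix" and id the affected row id
     */
    function snortcenter_store_setting($db, $table, $name_col, $value_col, $name, $value, $default, $suffix, $match_prefix = null) {
        // These values come straight from the file (pars_rule() does not
        // escape config-style lines), so escape them before building SQL.
        // addslashes() is the escaping this code base relies on; it is not a
        // substitute for a bound parameter.
        $q_name = addslashes($name);
        $q_value = addslashes($value);

        $where = "$name_col = '$q_name' AND snort_default = '$default'";
        if ($match_prefix !== null) {
            $where = "$value_col like '" . addslashes($match_prefix) . "%' AND " . $where;
        }
        $result = $db->acidExecute("SELECT * FROM $table WHERE $where");
        $myrow = $result->acidFetchRow();

        // acidFetchRow() yields 0/false when there is no row (loose compare kept).
        if ($myrow == 0) {
            $db->acidExecute("INSERT INTO $table ($name_col, $value_col, snort_default) VALUES ( '$q_name', '$q_value', '$default' )");
            // The db layer offers no insert-id call; take the highest id, as before.
            $result = $db->acidExecute("SELECT max(id) FROM $table");
            $last = $result->acidFetchRow();
            return array("add-$suffix", isset($last[0]) ? $last[0] : null);
        }
        $row_id = isset($myrow['id']) ? $myrow['id'] : null;
        // Compare against the real value column (the ruletype branch used to
        // read a misspelt key and therefore always issued an UPDATE).
        $stored = isset($myrow[$value_col]) ? $myrow[$value_col] : null;
        if ($stored != $value) {
            $db->acidExecute("UPDATE $table SET $value_col = '$q_value' where id = '$row_id'");
            return array("update-$suffix", $row_id);
        }
        return array("nochange-$suffix", $row_id);
    }

    /**
     * Run "INSERT INTO $table (cols) VALUES ('v', ...)" for one row.
     *
     * Values are placed in the SQL text as given: callers pass values that
     * pars_rule() already escaped (or plain numbers).
     */
    function snortcenter_insert_row($db, $table, $row) {
        $sql = "INSERT INTO $table (" . implode(', ', array_keys($row)) . ")"
             . " VALUES ('" . implode("', '", $row) . "')";
        return $db->acidExecute($sql);
    }

    /**
     * Columns of the rules table filled from the parsed rule, in the order
     * the original INSERT used. snortsam, multiple_rest and rule_mark are
     * added by the caller because they differ between insert and update.
     */
    function snortcenter_rule_columns($rule, $file) {
        static $keys = array(
            'action', 'proto', 'src_ip', 'src_port', 'operator', 'dst_ip', 'dst_port',
            'msg', 'logto', 'ttl', 'tos', 'id', 'ipoption', 'fragbits', 'dsize', 'flags',
            'window', 'seq', 'ack', 'itype', 'icode', 'icmp_id', 'icmp_seq', 'content_list',
            'session', 'rpc', 'resp', 'react', 'classtype', 'priority', 'tag', 'ip_proto',
            'sameip', 'stateless', 'sid', 'rev', 'activates', 'activates_by', 'count',
        );
        static $trailing = array('flow', 'fragoffset', 'pcre', 'flowbits', 'threshold');
        $row = array();
        foreach ($keys as $key) {
            $row[$key] = snortcenter_rule_field($rule, $key);
        }
        // The file name is the rule's category; it is caller-supplied and
        // not escaped by pars_rule().
        $row['category'] = addslashes($file);
        foreach ($trailing as $key) {
            $row[$key] = snortcenter_rule_field($rule, $key);
        }
        return $row;
    }

    /**
     * Write the content, uricontent and reference rows of a rule. With
     * $replace, the rule's existing rows in each table are deleted first.
     */
    function snortcenter_store_rule_details($db, $rule, $replace) {
        $sid = snortcenter_rule_field($rule, 'sid');
        // Every option that opened a sequence number gets one row in the
        // content table. The column lists differ per kind and are kept as in
        // the original so that omitted columns keep their DB defaults.
        static $content_kinds = array(
            'content'   => array('content', 'off_set', 'depth', 'nocase', 'regex', 'rawbytes', 'distance', 'within', 'byte_jump', 'byte_test', 'asn1', 'isdataat'),
            'byte_test' => array('off_set', 'depth', 'nocase', 'regex', 'rawbytes', 'distance', 'within', 'byte_jump', 'byte_test', 'asn1'),
            'byte_jump' => array('off_set', 'depth', 'nocase', 'regex', 'distance', 'within', 'byte_jump', 'byte_test', 'asn1'),
            'asn1'      => array('off_set', 'depth', 'nocase', 'regex', 'distance', 'within', 'byte_jump', 'byte_test', 'asn1'),
        );
        static $uricontent_columns = array('uricontent', 'off_set', 'depth', 'nocase', 'regex', 'distance', 'within', 'byte_jump', 'byte_test', 'asn1');

        if ($replace) {
            $db->acidExecute("DELETE FROM content WHERE sid='$sid'");
        }
        foreach ($content_kinds as $kind => $columns) {
            if (empty($rule[$kind]) || !is_array($rule[$kind])) {
                continue;
            }
            foreach (array_keys($rule[$kind]) as $nr) {
                $row = array('sid' => $sid, 'sequence' => $nr);
                foreach ($columns as $column) {
                    // 'rawbytes' is read from $rule['rawbytes'] here; the
                    // original looked up the literal key '$rawbytes'.
                    $row[$column] = snortcenter_sequence_field($rule, $column, $nr);
                }
                snortcenter_insert_row($db, 'content', $row);
            }
        }

        if ($replace) {
            $db->acidExecute("DELETE FROM uricontent WHERE sid='$sid'");
        }
        if (!empty($rule['uricontent']) && is_array($rule['uricontent'])) {
            foreach (array_keys($rule['uricontent']) as $nr) {
                $row = array('sid' => $sid);
                foreach ($uricontent_columns as $column) {
                    $row[$column] = snortcenter_sequence_field($rule, $column, $nr);
                }
                snortcenter_insert_row($db, 'uricontent', $row);
            }
        }

        if ($replace) {
            $db->acidExecute("DELETE FROM reference WHERE sid='$sid'");
        }
        if (!empty($rule['reference']) && is_array($rule['reference'])) {
            foreach ($rule['reference'] as $reference) {
                snortcenter_insert_row($db, 'reference', array('sid' => $sid, 'reference' => $reference));
            }
        }
    }

    /**
     * Insert a detection rule and its detail rows, or refresh them when a
     * row with the same sid already exists.
     *
     * @return array array($file), plus 'add-rule' or 'update-rule' at index 1
     *               when the rules row itself was written
     */
    function snortcenter_store_rule($db, $rule, $file) {
        $count = array($file);
        $sid = snortcenter_rule_field($rule, 'sid');
        $result = $db->acidExecute("SELECT * FROM rules WHERE sid = '$sid'");
        $existing = $result->acidFetchRow();

        if ($existing == 0) {
            snortcenter_store_rule_details($db, $rule, false);
            $row = snortcenter_rule_columns($rule, $file);
            $row['snortsam'] = snortcenter_rule_field($rule, 'snortsam');
            $row['multiple_rest'] = snortcenter_rule_field($rule, 'multiple_rest');
            snortcenter_insert_row($db, 'rules', $row);
            $count[1] = 'add-rule';
            return $count;
        }

        // Detail rows are always replaced, even when the rules row turns out
        // to be current (kept from the original).
        snortcenter_store_rule_details($db, $rule, true);
        $rev = snortcenter_rule_field($rule, 'rev');
        $result = $db->acidExecute("SELECT * FROM rules WHERE sid = '$sid' AND ( rev < '$rev' OR rule_mark = 'del')");
        $stale = $result->acidFetchRow();
        if ($stale) {
            $row = snortcenter_rule_columns($rule, $file);
            // snortsam is taken from the stored row, not the parsed rule (as before).
            $row['snortsam'] = isset($stale['snortsam']) ? $stale['snortsam'] : '';
            $row['multiple_rest'] = snortcenter_rule_field($rule, 'multiple_rest');
            $row['rule_mark'] = '';
            // pcre, flowbits and threshold are now refreshed on update too;
            // the original UPDATE left them at their old values.
            $set = array();
            foreach ($row as $column => $value) {
                $set[] = "$column = '$value'";
            }
            $db->acidExecute("UPDATE rules SET " . implode(', ', $set) . " WHERE sid = '$sid'");
            $count[1] = 'update-rule';
        }
        return $count;
    }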
?>