<?php
/*
** SnortCenter Copyright (C) 2001,2002,2003 Stefan Dens
**
** Author: Stefan Dens <hide@address.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
global $senstmpfnam;
function find_interface_pid($sensor_id, $db) {
$result = $db->acidExecute("select cmd_line, interface from sensor where id ='$sensor_id'");
$myrow = $result->acidFetchRow();
$result->acidFreeRows();
$sensor_cmd_file = $myrow[0];
if (strpos($sensor_cmd_file, '-R') !== false) {
list($rest, $r_option) = explode('-R', $sensor_cmd_file, 2);
$r_option = trim($r_option);
list($r_option, $rest) = explode(' ', $r_option, 2);
}
return trim($r_option, '"');
}
function get_curl_option() {
global $curl_path;
$curl_option = '';
if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) {
if ($curl_path != '') {
$curl_path = rtrim($curl_path, '\\') . '\\';
}
} else {
if ($curl_path != '') {
$curl_path = rtrim($curl_path, '/') . '/';
}
}
exec($curl_path."curl -V", $return_string);
list ($tmp, $curl_ver, $tmp) = explode (' ',$return_string[0],3);
list ($curl_vera, $curl_verb, $curl_verc) = explode ('.', $curl_ver,3);
if ($curl_vera >= '7' && $curl_verb > '9') {
$curl_option = '-k';
}
return $curl_option;
}
function get_curl_url($target, $sensor_id, $db) {
$result = $db->acidExecute("select sensor_ip, sensor_port, sensor_user, sensor_passw, net_proto from sensor where id ='$sensor_id'");
$myrow = $result->acidFetchRow();
$result->acidFreeRows();
if ($myrow['net_proto'] == 'snortcenter_v1_ssl') {
$url = 'https://';
$target .= ".cgi";
}
elseif ($myrow['net_proto'] == 'snortcenter_v1_nossl'){
$url = 'http://';
$target .= ".cgi";
}
elseif ($myrow['net_proto'] == 'snortcenter_v1_windows_ssl') {
$url = 'https://';
$target .= ".php";
}
elseif ($myrow['net_proto'] == 'snortcenter_v1_windows_nossl'){
$url = 'http://';
$target .= ".php";
}
$url .= $myrow['sensor_user'] .':'. $myrow['sensor_passw'] .'@'. $myrow['sensor_ip'] .':'. $myrow['sensor_port'] .'/'.$target;
return $url;
}
function push_cmd_line($sensor_id, $db) {
global $curl_timeout, $curl_path;
$result = $db->acidExecute("select cmd_line, interface, net_proto from sensor where id ='$sensor_id'");
$myrow = $result->acidFetchRow();
$result->acidFreeRows();
$sensor_cmd_file = $myrow[0];
$url = get_curl_url("index", $sensor_id, $db);
if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) {
if ($curl_path != '') {
$curl_path = rtrim($curl_path, '\\') . '\\';
}
} else {
if ($curl_path != '') {
$curl_path = rtrim($curl_path, '/') . '/';
}
}
$r_option = find_interface_pid($sensor_id, $db);
if ($r_option != "") {
$r_option_cmd = $r_option;
}
if (strpos($sensor_cmd_file, '-D') !== false) {
$sensor_cmd_file = str_replace('-D', '', $sensor_cmd_file);
}
$curl_option = get_curl_option();
if (strpos($sensor_cmd_file, '-c ') === false) {
exec($curl_path."curl $curl_option -s -S --connect-timeout $curl_timeout -d \"get_rule_path=1\" $url 2>&1", $return_string);
foreach ($return_string as $tmp_path) {
$path = $tmp_path;
}
if (strpos($myrow['net_proto'], "windows") !== false) {
$path = rtrim($path, '\\') . '\\';
$sensor_cmd_file .= " -c $path"."snort.conf ";
} else {
$path = rtrim($path, '/') . '/';
$path = trim($path);
$sensor_cmd_file .= " -c $path"."snort.$myrow[interface]".$r_option_cmd.".conf ";
}
}
#echo "<BR>$sensor_cmd_file";
exec($curl_path."curl $curl_option -s -S --connect-timeout $curl_timeout -d \"sensor_cmd_file=$sensor_cmd_file&interface=$myrow[interface]&r_option=$r_option\" $url 2>&1", $return_string);
foreach ($return_string as $tmp_line) {
$linea .= "$tmp_line<BR>";
}
return $line;
}
function show_snort_version($sensor_id, $db) {
global $curl_timeout, $curl_path;
$url = get_curl_url("index", $sensor_id, $db);
if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) {
if ($curl_path != '') {
$curl_path = rtrim($curl_path, '\\') . '\\';
}
} else {
if ($curl_path != '') {
$curl_path = rtrim($curl_path, '/') . '/';
}
}
$curl_option = get_curl_option();
exec($curl_path."curl $curl_option -s -S --connect-timeout $curl_timeout -d \"sensor_control=snort%20version\" $url 2>&1", $return_string);
foreach ($return_string as $tmp_line) {
$line .= $tmp_line;
}
return $line;
}
function check_status ($sensor_id, $db) {
global $curl_timeout, $curl_path;
$result = $db->acidExecute("select interface from sensor where id ='$sensor_id'");
$myrow = $result->acidFetchRow();
$url = get_curl_url("index", $sensor_id, $db);
if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) {
if ($curl_path != '') {
$curl_path = rtrim($curl_path, '\\') . '\\';
}
} else {
if ($curl_path != '') {
$curl_path = rtrim($curl_path, '/') . '/';
}
}
$r_option = find_interface_pid($sensor_id, $db);
$curl_option = get_curl_option();
exec($curl_path."curl $curl_option -s -S --connect-timeout $curl_timeout -d \"sensor_control=status&interface=$myrow[interface]&r_option=$r_option\" $url 2>&1 ", $return_string);
foreach ($return_string as $tmp_line) {
$line .= $tmp_line;
}
if ($line == "Snort not Running") {
return $line;
} else {
return $line;
}
}
function create_config($sensor_export, $sensor_id, $db) {
global $senstmpfnam;
include_once('list.inc.php');
global $snortcenter_ver;
$class_found = array();
$class_value_array = array();
$vars_array = array();
$result = $db->acidExecute("select sensor_name from sensor where id='$sensor_id'");
$myrow = $result->acidFetchRow();
$sensor_name = $myrow[0];
if ($sensor_export != 'download') {
echo "<FONT size=1>";
}
$result_id = $db->acidExecute("SELECT sid from rulechange where sensor_id='$sensor_id'");
while ($myrow = $result_id->acidFetchRow()) {
$rule_change[] = $myrow[0];
}
$result_id->acidFreeRows();
if (($sensor_export == 'download') || ($sensor_export == 'push')) {
if (strpos($_SERVER["SERVER_SOFTWARE"], "Win") !== false) {
$senstmpfnam = tempnam("c:/temp", $sensor_name);
$fp = fopen ($senstmpfnam, "w");
} else {
$senstmpfnam = tempnam("/tmp", $sensor_name);
$fp = fopen ($senstmpfnam, "w");
}
}
if ($fp || $sensor_export == 'view') {
if ($sensor_export == 'view') {
echo "#-------------------------------------------------------------------------------<BR>";
echo "# Snort Configuration file for < $sensor_name ><BR>";
echo "# Created with $snortcenter_ver < http://users.pandora.be/larc/ ><BR>";
$date = date("l dS of F Y h:i:s A");
echo '# $';
echo 'Id: snort.conf, '."$date<BR>";
echo "#-------------------------------------------------------------------------------<BR>";
} else {
fputs($fp, "#-------------------------------------------------------------------------------\n");
fputs($fp, "# Snort Configuration file for < $sensor_name >\n");
fputs($fp, "# Created with $snortcenter_ver < http://users.pandora.be/larc/ >\n");
$date = date("l dS of F Y h:i:s A");
fputs($fp, '# $');
fputs($fp, 'Id: snort.conf, '."$date\n");
fputs($fp, "#-------------------------------------------------------------------------------\n");
}
# if ($sensor_default_vars)
# {
$bad = array();
$good_var_name = array();
$good_var = array();
$vars = array();
$var_changed = array();
$var_name_array = array();
$rule_var_array = array();
$rule_act = get_active('vars', $sensor_id, $db);
$result_id->acidFreeRows();
$result = $db->acidExecute("SELECT id, var_name,var_value FROM vars");
while ($myrow = $result->acidFetchRow()) {
list($var_id, $var_name, $var_value) = $myrow;
if (in_array ("|$var_id|", $rule_act)) {
if (strpos(trim($var_value), '$') === false) {
$good_var[$var_name] = $var_value;
$good_var_name[] = $var_name;
} else {
$vars[$var_name] = $var_value;
$var_name_array[] = $var_name;
$bad['bad'] = 1;
}
}
}
while (array_key_exists('bad', $bad) === true) {
$bad = array();
$vars = array_reverse ($vars, TRUE);
foreach($vars as $name => $key) {
$key = trim($key);
if (strpos($key, '$') !== false) {
$pos = strpos($key, '$');
if ($pos === 0) {
if (in_array (substr($key, 1), $good_var_name)) {
$good_var_name[] = $name;
$good_var[$name] = $key;
array_shift($vars);
$bad['good'] = 0;
} elseif( ereg( "_ADDRESS$", $key ) ) {
$good_var_name[] = $name;
$good_var[$name] = $key;
array_shift($vars);
$bad['good'] = 0;
} else {
array_shift($vars);
if (!in_array (substr($key, 1), $var_name_array)) {
$good_var_name[] = $name;
$good_var[$name] = 'any';
$var_changed[] = $name;
$bad['good'] = 0;
} else {
$vars[$name] = $key;
$bad['bad'] = 1;
}
}
}
elseif(($pos > 0) && ((strpos($key, '!') === 0) || (strpos($key, '[') === 0))) {
if ((strpos($key, '!') === 0) && ($pos === 1)) {
if (in_array (substr($key, $pos+1), $good_var_name)) {
$good_var_name[] = $name;
$good_var[$name] = $key;
array_shift($vars);
$bad['good'] = 0;
} else {
array_shift($vars);
if (!in_array (substr($key, 1), $var_name_array)) {
$good_var_name[] = $name;
$good_var[$name] = 'any';
$var_changed[] = $name;
$bad['good'] = 0;
} else {
$vars[$name] = $key;
$bad['bad'] = 1;
}
}
}
elseif(strpos($key, '[') === 0) {
$key_temp = substr (trim($key), 0, -1);
$key_temp = substr ($key_temp, 1);
$key_array = explode(',', $key_temp);
foreach($key_array as $key_tmp) {
$key_tmp = trim($key_tmp);
if (strpos($key_tmp, '$') !== false) {
$pos_tmp = strpos($key_tmp, '$');
if ($pos_tmp === 0) {
if (in_array (substr($key_tmp, 1), $good_var_name)) {
$good_var_name[] = $name;
$good_var[$name] = $key;
array_shift($vars);
$bad['good'] = 0;
} else {
array_shift($vars);
if (!in_array (substr($key, 1), $var_name_array)) {
$good_var_name[] = $name;
$good_var[$name] = 'any';
$var_changed[] = $name;
$bad['good'] = 0;
} else {
$vars[$name] = $key;
$bad['bad'] = 1;
}
}
}
elseif((strpos($key_tmp, '!') === 0) && ($pos_tmp === 1)) {
if (in_array (substr($key_tmp, $pos_tmp+1), $good_var_name)) {
$good_var_name[] = $name;
$good_var[$name] = $key;
array_shift($vars);
$bad['good'] = 0;
} else {
array_shift($vars);
if (!in_array (substr($key, 1), $var_name_array)) {
$good_var_name[] = $name;
$good_var[$name] = 'any';
$var_changed[] = $name;
$bad['good'] = 0;
} else {
$vars[$name] = $key;
$bad['bad'] = 1;
}
}
}
}
}
}
}
}
}
}
foreach($good_var as $name => $key) {
$vars = "var $name $key";
if ($sensor_export == 'view') {
if (in_array($name, $var_changed)) echo "<font color='red'># Next variable has been changed to 'any', couldn't find another variable match</font><BR>";
echo "$vars<BR>";
} else {
if (in_array($name, $var_changed)) fputs($fp, "# Next variable has been changed to 'any', couldn't find another variable match\n");
fputs($fp, "$vars\n");
}
$vars_array[] = $name;
}
$result_id = $db->acidExecute("SELECT sid from rulechange where sensor_id='$sensor_id'");
while ($myrow = $result_id->acidFetchRow()) {
$rule_change[] = $myrow[0];
}
$rule_act = get_active('rules', $sensor_id, $db);
$result_id->acidFreeRows();
$result = $db->acidExecute("SELECT sid, src_ip,src_port, dst_ip, dst_port FROM rules");
while ($myrow = $result->acidFetchRow()) {
list($sid, $src_ip, $src_port, $dst_ip, $dst_port) = $myrow;
if (in_array ("|$sid|", $rule_act)) {
if ($rule_change) {
if (in_array ("$sid", $rule_change)) {
$result_change = $db->acidExecute("SELECT src_ip, src_port, dst_ip, dst_port FROM rulechange where sid='$sid' and sensor_id='$sensor_id'");
$myrow_change = $result_change->acidFetchRow();
if ($myrow_change != 0) {
list($src_ip, $src_port, $dst_ip, $dst_port) = $myrow_change;
}
}
}
$src_ip = trim($src_ip);
$src_port = trim($src_port);
$dst_ip = trim($dst_ip);
$dst_port = trim($dst_port);
$rule_var_array[$src_ip][0] = $sid;
$rule_var_array[$src_port][0] = $sid;
$rule_var_array[$dst_ip][0] = $sid;
$rule_var_array[$dst_port][0] = $sid;
}
}
foreach($rule_var_array as $key => $sid) {
$key = trim($key);
if (strpos($key, '$') !== false) {
$pos = strpos($key, '$');
if ($pos === 0) {
if (in_array (substr($key, 1), $vars_array)) {
//echo "The '$key' var is in the array pos: $pos<BR>";
} else {
//echo "$key is NOT in array pos: $pos<BR>";
$in_rule_var_error[$key] = $sid;
}
}
elseif(($pos > 0) && ((strpos($key, '!') === 0) || (strpos($key, '[') === 0))) {
if ((strpos($key, '!') === 0) && ($pos === 1)) {
if (in_array (substr($key, $pos+1), $vars_array)) {
//echo "The '$key' var is in the array pos: $pos<BR>";
} else {
//echo "$key is NOT in array pos: $pos<BR>";
$in_rule_var_error[$key] = $sid;
}
}
elseif(strpos($key, '[') === 0) {
$key_temp = substr (trim($key), 0, -1);
$key_temp = substr ($key_temp, 1);
$key_array = explode(',', $key_temp);
foreach($key_array as $key_tmp) {
$key_tmp = trim($key_tmp);
if (strpos($key_tmp, '$') !== false) {
$pos_tmp = strpos($key_tmp, '$');
if ($pos_tmp === 0) {
if (in_array (substr($key_tmp, 1), $vars_array)) {
//echo " The '$key_tmp' var is in the array pos: $pos_tmp<BR>";
} else {
//echo "'$key_tmp' is NOT in array pos: $pos_tmp<BR>";
$in_rule_var_error[$key_tmp] = $sid;
}
}
elseif((strpos($key_tmp, '!') === 0) && ($pos_tmp === 1)) {
if (in_array (substr($key_tmp, $pos_tmp+1), $vars_array)) {
//echo " The '$key_tmp' var is in the array pos: $pos_tmp<BR>";
} else {
//echo " '$key_tmp' is NOT in array pos: $pos_tmp<BR>";
$in_rule_var_error[$key_tmp] = $sid;
}
}
}
}
}
}
}
}
if (is_array($in_rule_var_error)) {
foreach($in_rule_var_error as $src => $sid_array) {
$src = substr($src, 1);
if ($sensor_export == 'view') {
echo "<font color='red'># Next variable automatic added by SnortCenter, used in some rule(s).</font><BR>";
echo "var $src any<BR>";
} else {
fputs($fp, "# Next variable automatic added by SnortCenter, used in some rule(s).\n");
fputs($fp, "var $src any\n");
}
}
}
if ($sensor_export == 'view') {
echo "#<BR>";
} else {
fputs($fp, "#\n");
}
# }
# if ($sensor_default_spp)
# {
$portscan_check = '';
$conversation_check = '';
$rule_act = get_active('preprocessor', $sensor_id, $db);
$result = $db->acidExecute("SELECT id, spp_name,spp_value FROM preprocessor");
$spp_adapt = Array ( "spade-adapt", "spade-adapt:", "spade-adapt2", "spade-adapt2:", "spade-adapt3", "spade-adapt3:");
while ($myrow = $result->acidFetchRow()) {
list($spp_id, $spp_name, $spp_value) = $myrow;
if (in_array ("|$spp_id|", $rule_act)) {
if ($spp_name == "conversation:" || $spp_name == "conversation") {
$conversation_check = "ok";
$spp = "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
echo "$spp<BR>";
} else {
fputs($fp, "$spp\n");
}
if ($portscan_check == "ok") {
if ($sensor_export == 'view') {
echo "$portscan2_line<BR>";
} else {
fputs($fp, "$portscan2_line\n");
}
if ($portscan_ignorehosts_check == "ok") {
if ($sensor_export == 'view') {
echo "$portscan_ignorehosts_line<BR>";
} else {
fputs($fp, "$portscan_ignorehosts_line\n");
}
}
}
}
elseif ($spp_name == "portscan2:" || $spp_name == "portscan2") {
$portscan_check = "ok";
$portscan2_line = "preprocessor $spp_name $spp_value";
if ($conversation_check == "ok") {
if ($sensor_export == 'view') {
echo "$portscan2_line<BR>";
} else {
fputs($fp, "$portscan2_line\n");
}
if ($portscan_ignorehosts_check == "ok") {
if ($sensor_export == 'view') {
echo "$portscan_ignorehosts_line<BR>";
} else {
fputs($fp, "$portscan_ignorehosts_line\n");
}
}
}
}
elseif ($spp_name == "portscan-ignorehosts:" || $spp_name == "portscan2-ignorehosts") {
$portscan_ignorehosts_check = "ok";
$portscan_ignorehosts_line = "preprocessor $spp_name $spp_value";
if ($conversation_check == "ok" && $portscan_check == "ok") {
if ($sensor_export == 'view') {
echo "$portscan_ignorehosts_line<BR>";
} else {
fputs($fp, "$portscan_ignorehosts_line\n");
}
}
}
elseif ($spp_name == "stream4:" || $spp_name == "stream4") {
$stream4_check = "ok";
$spp = "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
echo "$spp<BR>";
} else {
fputs($fp, "$spp\n");
}
if ($stream4_reassemble_check == "ok") {
if ($sensor_export == 'view') {
echo "$stream4_reassemble_line<BR>";
} else {
fputs($fp, "$stream4_reassemble_line\n");
}
}
}
elseif ($spp_name == "stream4_reassemble:" || $spp_name == "stream4_reassemble") {
$stream4_reassemble_check = "ok";
$stream4_reassemble_line = "preprocessor $spp_name $spp_value";
if ($stream4_check == "ok") {
if ($sensor_export == 'view') {
echo "$stream4_reassemble_line<BR>";
} else {
fputs($fp, "$stream4_reassemble_line\n");
}
}
}
elseif ($spp_name == "spade:" || $spp_name == "spade") {
$spade_check = "ok";
$spade = "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
$spade .= "<BR>";
} else {
$spade .= "\n";
}
}
elseif ($spp_name == "spade-homenet:" || $spp_name == "spade-homenet") {
$spade_homenet_check = "ok";
$spade_homenet = "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
$spade_homenet .= "<BR>";
} else {
$spade_homenet .= "\n";
}
}
elseif ($spp_name == "spade-detect:" || $spp_name == "spade-detect") {
$spade_detect_check = "ok";
$spade_detect .= "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
$spade_detect .= "<BR>";
} else {
$spade_detect .= "\n";
}
}
elseif (in_array($spp_name, $spp_adapt)) {
$spade_adapt_check = "ok";
$spade_adapt .= "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
$spade_adapt .= "<BR>";
} else {
$spade_adapt .= "\n";
}
}
elseif ($spp_name == "spade-threshadvise:" || $spp_name == "spade-threshadvise") {
$spade_thresh_check = "ok";
$spade_thresh .= "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
$spade_thresh .= "<BR>";
} else {
$spade_thresh .= "\n";
}
}
elseif ($spp_name == "spade-survey:" || $spp_name == "spade-survey") {
$spade_survey_check = "ok";
$spade_survey .= "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
$spade_survey .= "<BR>";
} else {
$spade_survey .= "\n";
}
}
elseif ($spp_name == "spade-stats:" || $spp_name == "spade-stats") {
$spade_stats_check = "ok";
$spade_stats .= "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
$spade_stats .= "<BR>";
} else {
$spade_stats .= "\n";
}
} else {
$spp = "preprocessor $spp_name $spp_value";
if ($sensor_export == 'view') {
echo "$spp<BR>";
} else {
fputs($fp, "$spp\n");
}
}
}
}
if ($sensor_export == 'view') {
if ( $spade_check ) echo $spade;
if ( $spade_homenet_check ) echo $spade_homenet;
if ( $spade_detect_check ) echo $spade_detect;
if ( $spade_adapt_check ) echo $spade_adapt;
if ( $spade_thresh_check ) echo $spade_thresh;
if ( $spade_survey_check ) echo $spade_survey;
if ( $spade_stats_check ) echo $spade_stats;
echo "#<BR>";
} else {
if ( $spade_check ) fputs($fp, $spade);
if ( $spade_homenet_check ) fputs($fp, $spade_homenet);
if ( $spade_detect_check ) fputs($fp, $spade_detect);
if ( $spade_adapt_check ) fputs($fp, $spade_adapt);
if ( $spade_thresh_check ) fputs($fp, $spade_thresh);
if ( $spade_survey_check ) fputs($fp, $spade_survey);
if ( $spade_stats_check ) fputs($fp, $spade_stats);
fputs($fp, "#\n");
}
# }
# if ($sensor_default_spo)
# {
$rule_act = get_active('output', $sensor_id, $db);
$result = $db->acidExecute("SELECT id, spo_name,spo_value FROM output");
while ($myrow = $result->acidFetchRow()) {
list($spo_id, $spo_name, $spo_value) = $myrow;
if (in_array ("|$spo_id|", $rule_act)) {
if ($spo_name == "database:") {
if (strpos($spo_value, '[AUTO]') !== false) {
$spo_value = str_replace('[AUTO]', $sensor_name, $spo_value);
}
if (strpos($spo_value, '[auto]') !== false) {
$spo_value = str_replace('[auto]', $sensor_name, $spo_value);
}
}
$spo = "output $spo_name $spo_value";
if ($sensor_export == 'view') {
echo "$spo<BR>";
} else {
fputs($fp, "$spo\n");
}
}
}
if ($sensor_export == 'view') {
echo "#<BR>";
} else {
fputs($fp, "#\n");
}
# }
# if ($sensor_default_ruletype)
# {
$rule_act = get_active('ruletype', $sensor_id, $db);
$result = $db->acidExecute("SELECT id, ruletype_name,ruletype_value FROM ruletype");
while ($myrow = $result->acidFetchRow()) {
list($ruletype_id, $ruletype_name, $ruletype_value) = $myrow;
if (in_array ("|$ruletype_id|", $rule_act)) {
$ruletype = "ruletype $ruletype_name $ruletype_value";
if ($sensor_export == 'view') {
echo "$ruletype<BR>";
} else {
fputs($fp, "$ruletype\n");
}
}
}
if ($sensor_export == 'view') {
echo "#<BR>";
} else {
fputs($fp, "#\n");
}
# }
# if ($sensor_default_config_directives)
# {
$rule_act = get_active('config', $sensor_id, $db);
$result = $db->acidExecute("SELECT id, config_name,config_value FROM config where config_name != 'reference:' AND config_name != 'classification:' AND config_name != 'config:'");
while ($myrow = $result->acidFetchRow()) {
list($config_id, $config_name, $config_value) = $myrow;
if (in_array ("|$config_id|", $rule_act)) {
list($short_class, $rest) = explode(',', trim($config_value), 2);
$class_found[] = $short_class;
$config = "config $config_name $config_value";
if ($sensor_export == 'view') {
echo "$config<BR>";
} else {
fputs($fp, "$config\n");
}
}
}
if ($sensor_export == 'view') {
echo "#<BR>";
} else {
fputs($fp, "#\n");
}
# }
# if ($sensor_default_reference)
# {
$rule_act = get_active('config', $sensor_id, $db);
$result = $db->acidExecute("SELECT id, config_name,config_value FROM config where config_name = 'reference:'");
while ($myrow = $result->acidFetchRow()) {
list($reference_id, $config_name, $config_value) = $myrow;
if (in_array ("|$reference_id|", $rule_act)) {
list($short_class, $rest) = explode(',', trim($config_value), 2);
$class_found[] = $short_class;
$config = "config $config_name $config_value";
if ($sensor_export == 'view') {
echo "$config<BR>";
} else {
fputs($fp, "$config\n");
}
}
}
if ($sensor_export == 'view') {
echo "#<BR>";
} else {
fputs($fp, "#\n");
}
# }
# if ($sensor_default_decode)
# {
$rule_act = get_active('config', $sensor_id, $db);
$result = $db->acidExecute("SELECT id, config_name,config_value FROM config where config_name = 'config:'");
while ($myrow = $result->acidFetchRow()) {
list($reference_id, $config_name, $config_value) = $myrow;
if (in_array ("|$reference_id|", $rule_act)) {
list($short_class, $rest) = explode(',', trim($config_value), 2);
$class_found[] = $short_class;
$config = "config $config_value";
if ($sensor_export == 'view') {
echo "$config<BR>";
} else {
fputs($fp, "$config\n");
}
}
}
if ($sensor_export == 'view') {
echo "#<BR>";
} else {
fputs($fp, "#\n");
}
# }
# if ($sensor_default_class)
# {
if ($sensor_export == 'view') {
echo "#-------------------------------------------------------------------------------<BR>";
echo '# $';
echo 'Id: classification.config, '."$date<BR>";
echo "#-------------------------------------------------------------------------------<BR>";
} else {
fputs($fp, "#-------------------------------------------------------------------------------\n");
fputs($fp, '# $');
fputs($fp, 'Id: classification.config, '."$date\n");
fputs($fp, "#-------------------------------------------------------------------------------\n");
}
$rule_act = get_active('config', $sensor_id, $db);
$result = $db->acidExecute("SELECT id, config_name,config_value FROM config where config_name = 'classification:'");
while ($myrow = $result->acidFetchRow()) {
list($class_id, $config_name, $config_value) = $myrow;
// <!-- for rule checking
if ($config_name == 'classification:') {
list($short_class, $rest) = explode(',', trim($config_value), 2);
$short_class = trim($short_class);
$class_value_array[$short_class] = trim($rest);
}
//-->
if (in_array ("|$class_id|", $rule_act)) {
list($short_class, $rest) = explode(',', trim($config_value), 2);
$class_found[] = $short_class;
$config = "config $config_name $config_value";
if ($sensor_export == 'view') {
echo "$config<BR>";
} else {
fputs($fp, "$config\n");
}
}
}
// <!-- add classification if exist in rule but not activated
$rule_act = get_active('rules', $sensor_id, $db);
$result_id->acidFreeRows();
$result = $db->acidExecute("SELECT sid, classtype FROM rules");
while ($myrow = $result->acidFetchRow()) {
list($sid, $classtype) = $myrow;
if ((in_array ("|$sid|", $rule_act)) && (!in_array(trim($classtype), $class_found)) && ($classtype != '')) {
$class_found[] = $classtype;
if ($class_value_array[$classtype] == '') {
$config = "config classification: $classtype,Unknow classification,1";
} else {
$config = "config classification: $classtype,".$class_value_array[$classtype];
}
if ($sensor_export == 'view') {
echo "<font color='red'># Next classification automatic added by SnortCenter, used in some rule(s).</font><BR>";
echo "$config<BR>";
} else {
fputs($fp, "# Next classification automatic added by SnortCenter, used in some rule(s).\n");
fputs($fp, "$config\n");
}
}
}
//-->
if ($sensor_export == 'view') {
echo "#<BR>";
} else {
fputs($fp, "#\n");
}
# }
# if ($sensor_default_rules)
# {
$print_category = '';
# $result_id = $db->acidExecute("SELECT rules from sensor where id='$sensor_id'");
# $myrow_id = $result_id->acidFetchRow();
# $rule_act = explode(";", $myrow_id[0]);
$rule_act = get_active('rules', $sensor_id, $db);
$result_id->acidFreeRows();
$result = $db->acidExecute("SELECT action, proto ,src_ip, src_port, operator, dst_ip, dst_port, msg, ttl, tos, id, ipoption, ip_proto, fragbits, dsize, flags, window, seq, ack, itype, icode, icmp_id, icmp_seq, content_list, session, rpc, resp, react, classtype, priority, tag, sameip, stateless, sid, rev, activates, activates_by, count, logto, category, flow, fragoffset, pcre, flowbits, threshold, snortsam, multiple_rest FROM rules order by category");
while ($myrow = $result->acidFetchRow()) {
list($action, $proto , $src_ip, $src_port, $operator, $dst_ip, $dst_port, $msg, $ttl, $tos, $n_id, $ipoption, $ip_proto, $fragbits, $dsize, $flags, $window, $seq, $ack, $itype, $icode, $icmp_id, $icmp_seq, $content_list, $session, $rpc, $resp, $react, $classtype, $priority, $tag, $sameip, $stateless, $sid, $rev, $activates, $activates_by, $count, $logto, $category, $flow, $fragoffset, $pcre, $flowbits, $threshold, $snortsam, $multiple_rest) = $myrow;
if (in_array ("|$sid|", $rule_act)) {
$content = '';
$uricontent = '';
$reference = '';
$result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test, isdataat, asn1 FROM content WHERE sid='$sid' ORDER BY sequence");
while ($myrow_content = $result_content->acidFetchRow()) {
list($content_tmp, $off_set, $depth, $nocase, $regex, $rawbytes, $distance, $within, $byte_jump, $byte_test, $isdataati, $asn1) = $myrow_content;
if ($content_tmp) {
$content .= " content: $content_tmp;";
}
if ($off_set >= '0') {
$content .= " offset: $off_set;";
}
if ($depth >= '0') {
$content .= " depth: $depth;";
}
if ($distance >= '0') {
$content .= " distance: $distance;";
}
if ($within >= '0') {
$content .= " within: $within;";
}
if ($byte_jump) {
$content .= " byte_jump: $byte_jump;";
}
if ($byte_test) {
$content .= " byte_test: $byte_test;";
}
if ($isdataat) {
$content .= " isdataat: $isdataat;";
}
if ($asn1) {
$content .= " asn1: $asn1;";
}
if ($nocase) {
$content .= " nocase;";
}
if ($regex) {
$content .= " regex;";
}
}
$result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
while ($myrow_uricontent = $result_uricontent->acidFetchRow()) {
list($uricontent_tmp, $off_set, $depth, $nocase, $regex, $distance, $within, $byte_jump, $byte_test) = $myrow_uricontent;
$uricontent .= " uricontent: $uricontent_tmp;";
if ($off_set >= '0') {
$uricontent .= " offset: $off_set;";
}
if ($depth >= '0') {
$uricontent .= " depth: $depth;";
}
if ($distance >= '0') {
$uricontent .= " distance: $distance;";
}
if ($within >= '0') {
$uricontent .= " within: $within;";
}
if ($byte_jump) {
$uricontent .= " byte_jump: $byte_jump;";
}
if ($byte_test) {
$uricontent .= " byte_test: $byte_test;";
}
if ($nocase) {
$uricontent .= " nocase;";
}
if ($regex) {
$uricontent .= " regex;";
}
}
$result_reference = $db->acidExecute("SELECT reference FROM reference WHERE sid='$sid'");
while ($myrow_reference = $result_reference->acidFetchRow()) {
list($reference_tmp) = $myrow_reference;
$reference .= " reference: $reference_tmp;";
}
if ($rule_change) {
if (in_array ("$sid", $rule_change)) {
$result_change = $db->acidExecute("SELECT action, src_ip, src_port, dst_ip, dst_port FROM rulechange where sid='$sid' and sensor_id='$sensor_id'");
$myrow_change = $result_change->acidFetchRow();
if ($myrow_change != 0) {
list($action, $src_ip, $src_port, $dst_ip, $dst_port) = $myrow_change;
}
}
}
$rule = "$action $proto $src_ip $src_port $operator $dst_ip $dst_port (";
if ($sid) {
$rule .= " sid: $sid;";
}
if ($rev) {
$rule .= " rev: $rev;";
}
if ($msg) {
$rule .= " msg: $msg;";
}
if ($flow) {
$rule .= " flow: $flow;";
}
if ($flobits) {
$rule .= " flowbits: $flowbits;";
}
if ($content) {
$rule .= $content;
}
if ($content_list) {
$rule .= " content-list: $content_list;";
}
if ($uricontent) {
$rule .= $uricontent;
}
if ($ttl || $ttl == '0') {
$rule .= " ttl: $ttl;";
}
if ($n_id || $n_id == '0') {
$rule .= " id: $n_id;";
}
if ($ipoption || $ipoption == '0') {
$rule .= " ipopts: $ipoption;";
}
if ($ip_proto || $ip_proto == '0') {
$rule .= " ip_proto: $ip_proto;";
}
if ($fragbits) {
$rule .= " fragbits: $fragbits;";
}
if ($fragoffset || $fragoffset == '0') {
$rule .= " fragoffset: $fragoffset;";
}
if ($dsize || $dsize == '0') {
$rule .= " dsize: $dsize;";
}
if ($flags || $flags == '0') {
$rule .= " flags: $flags;";
}
if ($window || $window == '0') {
$rule .= " window: $window;";
}
if ($seq || $seq == '0') {
$rule .= " seq: $seq;";
}
if ($ack || $ack == '0') {
$rule .= " ack: $ack;";
}
if ($itype || $itype == '0') {
$rule .= " itype: $itype;";
}
if ($icode || $icode == '0') {
$rule .= " icode: $icode;";
}
if ($icmp_id || $icmp_id == '0') {
$rule .= " icmp_id: $icmp_id;";
}
if ($icmp_seq || $icmp_seq == '0') {
$rule .= " icmp_seq: $icmp_seq;";
}
if ($pcre) {
$rule .= " pcre: $pcre;";
}
if ($session) {
$rule .= " session: $session;";
}
if ($rpc) {
$rule .= " rpc: $rpc;";
}
if ($resp) {
$rule .= "resp: $resp;";
}
if ($react) {
$rule .= " react: $react;";
}
if ($reference) {
$rule .= $reference;
}
if ($snortsam) {
$rule .= " fwsam: $snortsam;";
}
if ($threshold) {
$rule .= " threshold: $threshold;";
}
if ($classtype) {
$rule .= " classtype: $classtype;";
}
if ($priority || $priority == '0') {
$rule .= " priority: $priority;";
}
if ($tag) {
$rule .= " tag: $tag;";
}
if ($sameip) {
$rule .= " sameip;";
}
if ($stateless) {
$rule .= " stateless;";
}
if ($activates) {
$rule .= " activates: $activates;";
}
if ($activates_by) {
$rule .= " activates_by: $activates_by;";
}
if ($count || $count == '0') {
$rule .= " count: $count;";
}
if ($logto) {
$rule .= " logto: $logto;";
}
if ($multiple_rest) {
$rule .= " $multiple_rest";
}
$rule .= ")";
if ($print_category !== $category) {
$print_category = $category;
if ($sensor_export == 'view') {
echo "#<BR>#-------------------------------------------------------------------------------<BR>";
echo '# $';
echo 'Id: '."$category, $date<BR>";
echo "#-------------------------------------------------------------------------------<BR>";
} else {
fputs($fp, "#\n#-------------------------------------------------------------------------------\n");
fputs($fp, '# $');
fputs($fp, 'Id: '."$category, $date\n");
fputs($fp, "#-------------------------------------------------------------------------------\n");
}
}
if ($sensor_export == 'view') {
echo htmlspecialchars($rule)."<BR>";
} else {
fputs($fp, "$rule\n");
}
}
}
if ($sensor_export == 'view') {
echo "<BR>";
}
# }
if ($sensor_export != 'download') {
echo "</FONT>";
}
}
return $sensor_name;
}
?>