Location: PHPKode > projects > SnortCenter 2.x > snortcenter-release/sensor.inc.php
<?php
    /*
    ** SnortCenter Copyright (C) 2001,2002,2003 Stefan Dens
    **
    ** Author: Stefan Dens <hide@address.com>
    **
    ** This program is free software; you can redistribute it and/or modify
    ** it under the terms of the GNU General Public License as published by
    ** the Free Software Foundation; either version 2 of the License, or
    ** (at your option) any later version.
    **
    ** This program is distributed in the hope that it will be useful,
        ** but WITHOUT ANY WARRANTY; without even the implied warranty of
    ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    ** GNU General Public License for more details.
    **
    ** You should have received a copy of the GNU General Public License
    ** along with this program; if not, write to the Free Software
    ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
    */
     
    global $senstmpfnam;
    
    function find_interface_pid($sensor_id, $db) {
        $result = $db->acidExecute("select cmd_line, interface from sensor where id ='$sensor_id'");
        $myrow = $result->acidFetchRow();
        $result->acidFreeRows();
        $sensor_cmd_file = $myrow[0];
        if (strpos($sensor_cmd_file, '-R')  !== false) {
            list($rest, $r_option) = explode('-R', $sensor_cmd_file, 2);
            $r_option = trim($r_option);
            list($r_option, $rest) = explode(' ', $r_option, 2);
        }
        return trim($r_option, '"');
    }
     
    function get_curl_option() {
        global $curl_path;
	$curl_option = '';
	if (strpos($_SERVER["SERVER_SOFTWARE"], "Win")  !== false) {
            if ($curl_path  != '') {
                $curl_path = rtrim($curl_path, '\\') . '\\';
            }
        } else {
            if ($curl_path  != '') {
                $curl_path = rtrim($curl_path, '/') . '/';
            }
        }
	exec($curl_path."curl -V", $return_string);
	list ($tmp, $curl_ver, $tmp) = explode (' ',$return_string[0],3);
	list ($curl_vera, $curl_verb, $curl_verc) = explode ('.', $curl_ver,3);
	if ($curl_vera >= '7' && $curl_verb > '9') {
	    $curl_option = '-k';
	}
	return $curl_option;
    }

    function get_curl_url($target, $sensor_id, $db) {
        $result = $db->acidExecute("select sensor_ip, sensor_port, sensor_user, sensor_passw, net_proto from sensor where id ='$sensor_id'");
        $myrow = $result->acidFetchRow();
        $result->acidFreeRows();
        if ($myrow['net_proto'] == 'snortcenter_v1_ssl') {
            $url = 'https://';
                $target .= ".cgi";
                }
                elseif ($myrow['net_proto'] == 'snortcenter_v1_nossl'){
                $url = 'http://';
            $target  .= ".cgi";
        }
        elseif ($myrow['net_proto'] == 'snortcenter_v1_windows_ssl') {
            $url = 'https://';
                $target .= ".php";
                }
                elseif ($myrow['net_proto'] == 'snortcenter_v1_windows_nossl'){
                $url = 'http://';
            $target  .= ".php";
        }
        $url  .= $myrow['sensor_user'] .':'. $myrow['sensor_passw'] .'@'. $myrow['sensor_ip'] .':'. $myrow['sensor_port'] .'/'.$target;
        return $url;
    }
     
    function push_cmd_line($sensor_id, $db) {
        global $curl_timeout, $curl_path;
        $result = $db->acidExecute("select cmd_line, interface, net_proto from sensor where id ='$sensor_id'");
        $myrow = $result->acidFetchRow();
        $result->acidFreeRows();
        $sensor_cmd_file = $myrow[0];
        $url = get_curl_url("index", $sensor_id, $db);
        if (strpos($_SERVER["SERVER_SOFTWARE"], "Win")  !== false) {
            if ($curl_path  != '') {
                $curl_path = rtrim($curl_path, '\\') . '\\';
            }
        } else {
            if ($curl_path  != '') {
                $curl_path = rtrim($curl_path, '/') . '/';
            }
        }
        $r_option = find_interface_pid($sensor_id, $db);
        if ($r_option  != "") {
            $r_option_cmd = $r_option;
        }
        if (strpos($sensor_cmd_file, '-D')  !== false) {
            $sensor_cmd_file = str_replace('-D', '', $sensor_cmd_file);
        }
	$curl_option = get_curl_option();
        if (strpos($sensor_cmd_file, '-c ') === false) {
            exec($curl_path."curl $curl_option -s -S --connect-timeout $curl_timeout -d \"get_rule_path=1\" $url 2>&1", $return_string);
            foreach ($return_string as $tmp_path) {
                $path = $tmp_path;
            }
	    if (strpos($myrow['net_proto'], "windows")  !== false) {
                $path = rtrim($path, '\\') . '\\';
                $sensor_cmd_file  .= " -c $path"."snort.conf ";
            } else {
                $path = rtrim($path, '/') . '/';
                $path = trim($path);
                $sensor_cmd_file  .= " -c $path"."snort.$myrow[interface]".$r_option_cmd.".conf ";
            }
        }
#echo "<BR>$sensor_cmd_file";
        exec($curl_path."curl $curl_option -s -S --connect-timeout $curl_timeout -d \"sensor_cmd_file=$sensor_cmd_file&interface=$myrow[interface]&r_option=$r_option\" $url 2>&1", $return_string);
        foreach ($return_string as $tmp_line) {
            $linea  .= "$tmp_line<BR>";
        }
        return $line;
    }
     
    function show_snort_version($sensor_id, $db) {
        global $curl_timeout, $curl_path;
        $url = get_curl_url("index", $sensor_id, $db);
        if (strpos($_SERVER["SERVER_SOFTWARE"], "Win")  !== false) {
            if ($curl_path  != '') {
                $curl_path = rtrim($curl_path, '\\') . '\\';
            }
        } else {
            if ($curl_path  != '') {
                $curl_path = rtrim($curl_path, '/') . '/';
            }
        }
        $curl_option = get_curl_option();
	exec($curl_path."curl $curl_option -s -S --connect-timeout $curl_timeout -d \"sensor_control=snort%20version\" $url 2>&1", $return_string);
        foreach ($return_string as $tmp_line) {
            $line  .= $tmp_line;
        }
        return $line;
    }
     
     
    function check_status ($sensor_id, $db) {
        global $curl_timeout, $curl_path;
	$result = $db->acidExecute("select interface from sensor where id ='$sensor_id'");
        $myrow = $result->acidFetchRow();
        $url = get_curl_url("index", $sensor_id, $db);
        if (strpos($_SERVER["SERVER_SOFTWARE"], "Win")  !== false) {
            if ($curl_path  != '') {
                $curl_path = rtrim($curl_path, '\\') . '\\';
            }
        } else {
            if ($curl_path  != '') {
                $curl_path = rtrim($curl_path, '/') . '/';
            }
        }
        $r_option = find_interface_pid($sensor_id, $db);
	$curl_option = get_curl_option();
        exec($curl_path."curl $curl_option -s -S --connect-timeout $curl_timeout -d \"sensor_control=status&interface=$myrow[interface]&r_option=$r_option\" $url 2>&1 ", $return_string);
        foreach ($return_string as $tmp_line) {
            $line  .= $tmp_line;
        }
        if ($line == "Snort not Running") {
            return $line;
        } else {
            return $line;
        }
    }
     
    function create_config($sensor_export, $sensor_id, $db) {
        global $senstmpfnam;
	include_once('list.inc.php');
         
        global $snortcenter_ver;
        $class_found = array();
        $class_value_array = array();
        $vars_array = array();
        $result = $db->acidExecute("select sensor_name from sensor where id='$sensor_id'");
        $myrow = $result->acidFetchRow();
        $sensor_name = $myrow[0];
        if ($sensor_export  != 'download') {
            echo "<FONT size=1>";
        }
        $result_id = $db->acidExecute("SELECT sid from rulechange where sensor_id='$sensor_id'");
        while ($myrow = $result_id->acidFetchRow()) {
            $rule_change[] = $myrow[0];
        }
        $result_id->acidFreeRows();
         
        if (($sensor_export == 'download') || ($sensor_export == 'push')) {
            if (strpos($_SERVER["SERVER_SOFTWARE"], "Win")  !== false) {
                $senstmpfnam = tempnam("c:/temp", $sensor_name);
                $fp = fopen ($senstmpfnam, "w");
            } else {
                $senstmpfnam = tempnam("/tmp", $sensor_name);
                $fp = fopen ($senstmpfnam, "w");
            }
        }
         
        if ($fp || $sensor_export == 'view') {
            if ($sensor_export == 'view') {
                echo "#-------------------------------------------------------------------------------<BR>";
                echo "# Snort Configuration file for &lt; $sensor_name &gt;<BR>";
                echo "# Created with $snortcenter_ver &lt; http://users.pandora.be/larc/ &gt;<BR>";
                $date = date("l dS of F Y h:i:s A");
                echo '# $';
		echo 'Id: snort.conf, '."$date<BR>";
                echo "#-------------------------------------------------------------------------------<BR>";
            } else {
                fputs($fp, "#-------------------------------------------------------------------------------\n");
                fputs($fp, "# Snort Configuration file for < $sensor_name >\n");
                fputs($fp, "# Created with $snortcenter_ver < http://users.pandora.be/larc/ >\n");
                $date = date("l dS of F Y h:i:s A");
                fputs($fp, '# $');
		fputs($fp, 'Id: snort.conf, '."$date\n");
                fputs($fp, "#-------------------------------------------------------------------------------\n");
            }
            #      if ($sensor_default_vars)
            # {
            $bad = array();
            $good_var_name = array();
            $good_var = array();
            $vars = array();
            $var_changed = array();
            $var_name_array = array();
            $rule_var_array = array();
            $rule_act = get_active('vars', $sensor_id, $db);
            $result_id->acidFreeRows();
            $result = $db->acidExecute("SELECT id, var_name,var_value FROM vars");
            while ($myrow = $result->acidFetchRow()) {
                list($var_id, $var_name, $var_value) = $myrow;
                if (in_array ("|$var_id|", $rule_act)) {
                    if (strpos(trim($var_value), '$') === false) {
                        $good_var[$var_name] = $var_value;
                        $good_var_name[] = $var_name;
                    } else {
                        $vars[$var_name] = $var_value;
                        $var_name_array[] = $var_name;
                        $bad['bad'] = 1;
                    }
                }
            }
            while (array_key_exists('bad', $bad) === true) {
                $bad = array();
                $vars = array_reverse ($vars, TRUE);
                foreach($vars as $name => $key) {
                    $key = trim($key);
                    if (strpos($key, '$')  !== false) {
                        $pos = strpos($key, '$');
                        if ($pos === 0) {
                            if (in_array (substr($key, 1), $good_var_name)) {
                                $good_var_name[] = $name;
                                $good_var[$name] = $key;
                                array_shift($vars);
                                $bad['good'] = 0;
                            } elseif( ereg( "_ADDRESS$", $key ) ) {
                                $good_var_name[] = $name;
                                 $good_var[$name] = $key;
                                array_shift($vars);
                                $bad['good'] = 0;
			    } else {
                                array_shift($vars);
                                if (!in_array (substr($key, 1), $var_name_array)) {
                                    $good_var_name[] = $name;
                                    $good_var[$name] = 'any';
                                    $var_changed[] = $name;
                                    $bad['good'] = 0;
                                } else {
                                    $vars[$name] = $key;
                                    $bad['bad'] = 1;
                                }
                            }
                        }
                        elseif(($pos > 0) && ((strpos($key, '!') === 0) || (strpos($key, '[') === 0))) {
                            if ((strpos($key, '!') === 0) && ($pos === 1)) {
                                if (in_array (substr($key, $pos+1), $good_var_name)) {
                                    $good_var_name[] = $name;
                                    $good_var[$name] = $key;
                                    array_shift($vars);
                                    $bad['good'] = 0;
                                } else {
                                    array_shift($vars);
                                    if (!in_array (substr($key, 1), $var_name_array)) {
                                        $good_var_name[] = $name;
                                        $good_var[$name] = 'any';
                                        $var_changed[] = $name;
                                        $bad['good'] = 0;
                                    } else {
                                        $vars[$name] = $key;
                                        $bad['bad'] = 1;
                                    }
                                }
                            }
                            elseif(strpos($key, '[') === 0) {
                                $key_temp = substr (trim($key), 0, -1);
                                $key_temp = substr ($key_temp, 1);
                                $key_array = explode(',', $key_temp);
                                 
                                foreach($key_array as $key_tmp) {
                                    $key_tmp = trim($key_tmp);
                                    if (strpos($key_tmp, '$')  !== false) {
                                        $pos_tmp = strpos($key_tmp, '$');
                                        if ($pos_tmp === 0) {
                                            if (in_array (substr($key_tmp, 1), $good_var_name)) {
                                                $good_var_name[] = $name;
                                                $good_var[$name] = $key;
                                                array_shift($vars);
                                                $bad['good'] = 0;
                                            } else {
                                                array_shift($vars);
                                                if (!in_array (substr($key, 1), $var_name_array)) {
                                                    $good_var_name[] = $name;
                                                    $good_var[$name] = 'any';
                                                    $var_changed[] = $name;
                                                    $bad['good'] = 0;
                                                } else {
                                                    $vars[$name] = $key;
                                                    $bad['bad'] = 1;
                                                }
                                            }
                                        }
                                        elseif((strpos($key_tmp, '!') === 0) && ($pos_tmp === 1)) {
                                            if (in_array (substr($key_tmp, $pos_tmp+1), $good_var_name)) {
                                                $good_var_name[] = $name;
                                                $good_var[$name] = $key;
                                                array_shift($vars);
                                                $bad['good'] = 0;
                                            } else {
                                                array_shift($vars);
                                                if (!in_array (substr($key, 1), $var_name_array)) {
                                                    $good_var_name[] = $name;
                                                    $good_var[$name] = 'any';
                                                    $var_changed[] = $name;
                                                    $bad['good'] = 0;
                                                } else {
                                                    $vars[$name] = $key;
                                                    $bad['bad'] = 1;
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
            foreach($good_var as $name => $key) {
                $vars = "var $name $key";
                if ($sensor_export == 'view') {
                    if (in_array($name, $var_changed)) echo "<font color='red'># Next variable has been changed to 'any', couldn't find another variable match</font><BR>";
                    echo "$vars<BR>";
                } else {
                    if (in_array($name, $var_changed)) fputs($fp, "# Next variable has been changed to 'any', couldn't find another variable match\n");
                        fputs($fp, "$vars\n");
                }
                $vars_array[] = $name;
            }
             
            $result_id = $db->acidExecute("SELECT sid from rulechange where sensor_id='$sensor_id'");
            while ($myrow = $result_id->acidFetchRow()) {
                $rule_change[] = $myrow[0];
            }
            $rule_act = get_active('rules', $sensor_id, $db);
            $result_id->acidFreeRows();
            $result = $db->acidExecute("SELECT sid, src_ip,src_port, dst_ip, dst_port FROM rules");
            while ($myrow = $result->acidFetchRow()) {
                list($sid, $src_ip, $src_port, $dst_ip, $dst_port) = $myrow;
                if (in_array ("|$sid|", $rule_act)) {
                    if ($rule_change) {
                        if (in_array ("$sid", $rule_change)) {
                            $result_change = $db->acidExecute("SELECT src_ip, src_port, dst_ip, dst_port FROM rulechange where sid='$sid' and sensor_id='$sensor_id'");
                            $myrow_change = $result_change->acidFetchRow();
                            if ($myrow_change  != 0) {
                                list($src_ip, $src_port, $dst_ip, $dst_port) = $myrow_change;
                            }
                        }
                    }
                    $src_ip = trim($src_ip);
                    $src_port = trim($src_port);
                    $dst_ip = trim($dst_ip);
                    $dst_port = trim($dst_port);
                    $rule_var_array[$src_ip][0] = $sid;
                    $rule_var_array[$src_port][0] = $sid;
                    $rule_var_array[$dst_ip][0] = $sid;
                    $rule_var_array[$dst_port][0] = $sid;
                }
            }
            foreach($rule_var_array as $key => $sid) {
                $key = trim($key);
                if (strpos($key, '$')  !== false) {
                    $pos = strpos($key, '$');
                    if ($pos === 0) {
                        if (in_array (substr($key, 1), $vars_array)) {
                            //echo "The '$key' var is in the array pos: $pos<BR>";
                        } else {
                            //echo "$key is NOT in array pos: $pos<BR>";
                            $in_rule_var_error[$key] = $sid;
                        }
                    }
                    elseif(($pos > 0) && ((strpos($key, '!') === 0) || (strpos($key, '[') === 0))) {
                        if ((strpos($key, '!') === 0) && ($pos === 1)) {
                            if (in_array (substr($key, $pos+1), $vars_array)) {
                                //echo "The '$key' var is in the array pos: $pos<BR>";
                            } else {
                                //echo "$key is NOT in array pos: $pos<BR>";
                                $in_rule_var_error[$key] = $sid;
                            }
                        }
                        elseif(strpos($key, '[') === 0) {
                            $key_temp = substr (trim($key), 0, -1);
                            $key_temp = substr ($key_temp, 1);
                            $key_array = explode(',', $key_temp);
                            foreach($key_array as $key_tmp) {
                                $key_tmp = trim($key_tmp);
                                if (strpos($key_tmp, '$')  !== false) {
                                    $pos_tmp = strpos($key_tmp, '$');
                                    if ($pos_tmp === 0) {
                                        if (in_array (substr($key_tmp, 1), $vars_array)) {
                                            //echo " The '$key_tmp' var is in the array pos: $pos_tmp<BR>";
                                        } else {
                                            //echo "'$key_tmp' is NOT in array pos: $pos_tmp<BR>";
                                            $in_rule_var_error[$key_tmp] = $sid;
                                        }
                                    }
                                    elseif((strpos($key_tmp, '!') === 0) && ($pos_tmp === 1)) {
                                        if (in_array (substr($key_tmp, $pos_tmp+1), $vars_array)) {
                                            //echo " The '$key_tmp' var is in the array pos: $pos_tmp<BR>";
                                        } else {
                                            //echo " '$key_tmp' is NOT in array pos: $pos_tmp<BR>";
                                            $in_rule_var_error[$key_tmp] = $sid;
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
            if (is_array($in_rule_var_error)) {
                foreach($in_rule_var_error as $src => $sid_array) {
                    $src = substr($src, 1);
                    if ($sensor_export == 'view') {
                        echo "<font color='red'># Next variable automatic added by SnortCenter, used in some rule(s).</font><BR>";
                        echo "var $src any<BR>";
                    } else {
                        fputs($fp, "# Next variable automatic added by SnortCenter, used in some rule(s).\n");
                        fputs($fp, "var $src any\n");
                    }
                }
            }
             
            if ($sensor_export == 'view') {
                echo "#<BR>";
            } else {
                fputs($fp, "#\n");
            }
            # }
            # if ($sensor_default_spp)
            # {
            $portscan_check = '';
            $conversation_check = '';
            $rule_act = get_active('preprocessor', $sensor_id, $db);
            $result = $db->acidExecute("SELECT id, spp_name,spp_value FROM preprocessor");

	    $spp_adapt = Array ( "spade-adapt", "spade-adapt:", "spade-adapt2", "spade-adapt2:", "spade-adapt3", "spade-adapt3:");

            while ($myrow = $result->acidFetchRow()) {
                list($spp_id, $spp_name, $spp_value) = $myrow;
                if (in_array ("|$spp_id|", $rule_act)) {
                    if ($spp_name == "conversation:" || $spp_name == "conversation") {
                        $conversation_check = "ok";
                        $spp = "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            echo "$spp<BR>";
                        } else {
                            fputs($fp, "$spp\n");
                        }
                        if ($portscan_check == "ok") {
                            if ($sensor_export == 'view') {
                                echo "$portscan2_line<BR>";
                            } else {
                                fputs($fp, "$portscan2_line\n");
                            }
			    if ($portscan_ignorehosts_check == "ok") {
                        	if ($sensor_export == 'view') {
                            	    echo "$portscan_ignorehosts_line<BR>";
                        	} else {
                            	    fputs($fp, "$portscan_ignorehosts_line\n");
                        	}
                    	    }
                        }
                    }
                    elseif ($spp_name == "portscan2:" || $spp_name == "portscan2") {
                        $portscan_check = "ok";
                        $portscan2_line = "preprocessor $spp_name $spp_value";
                        if ($conversation_check == "ok") {
                            if ($sensor_export == 'view') {
                                echo "$portscan2_line<BR>";
                            } else {
                                fputs($fp, "$portscan2_line\n");
                            }
                    	    if ($portscan_ignorehosts_check == "ok") {
                        	if ($sensor_export == 'view') {
                            	    echo "$portscan_ignorehosts_line<BR>";
                        	} else {
                            	    fputs($fp, "$portscan_ignorehosts_line\n");
                        	}
                    	    }
			}
                    }
		    elseif ($spp_name == "portscan-ignorehosts:" || $spp_name == "portscan2-ignorehosts") {
                        $portscan_ignorehosts_check = "ok";
                        $portscan_ignorehosts_line = "preprocessor $spp_name $spp_value";
                        if ($conversation_check == "ok" && $portscan_check == "ok") {
                            if ($sensor_export == 'view') {
                                echo "$portscan_ignorehosts_line<BR>";
                            } else {
                                fputs($fp, "$portscan_ignorehosts_line\n");
                            }
                        }
                    }
                    elseif ($spp_name == "stream4:" || $spp_name == "stream4") {
                        $stream4_check = "ok";
                        $spp = "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            echo "$spp<BR>";
                        } else {
                            fputs($fp, "$spp\n");
                        }
                        if ($stream4_reassemble_check == "ok") {
                            if ($sensor_export == 'view') {
                                echo "$stream4_reassemble_line<BR>";
                            } else {
                                fputs($fp, "$stream4_reassemble_line\n");
                            }
                        }
                    }
                    elseif ($spp_name == "stream4_reassemble:" || $spp_name == "stream4_reassemble") {
                        $stream4_reassemble_check = "ok";
                        $stream4_reassemble_line = "preprocessor $spp_name $spp_value";
                        if ($stream4_check == "ok") {
                            if ($sensor_export == 'view') {
                                echo "$stream4_reassemble_line<BR>";
                            } else {
                                fputs($fp, "$stream4_reassemble_line\n");
                            }
                        }
                    }
                    elseif ($spp_name == "spade:" || $spp_name == "spade") {
                        $spade_check = "ok";
                        $spade = "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            $spade .= "<BR>";
                        } else {
                            $spade .= "\n";
                        }
                    } 
		    elseif ($spp_name == "spade-homenet:" || $spp_name == "spade-homenet") {
                        $spade_homenet_check = "ok";
                        $spade_homenet = "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            $spade_homenet .= "<BR>";
                        } else {
                            $spade_homenet .= "\n";
                        }
                    } 
		    elseif ($spp_name == "spade-detect:" || $spp_name == "spade-detect") {
                        $spade_detect_check = "ok";
                        $spade_detect .= "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            $spade_detect .= "<BR>";
                        } else {
                            $spade_detect .= "\n";
                        }
                    } 
		    elseif (in_array($spp_name, $spp_adapt)) {
                        $spade_adapt_check = "ok";
                        $spade_adapt .= "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            $spade_adapt .= "<BR>";
                        } else {
                            $spade_adapt .= "\n";
                        }
                    } 
		    elseif ($spp_name == "spade-threshadvise:" || $spp_name == "spade-threshadvise") {
                        $spade_thresh_check = "ok";
                        $spade_thresh .= "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            $spade_thresh .= "<BR>";
                        } else {
                            $spade_thresh .= "\n";
                        }
                    } 
		    elseif ($spp_name == "spade-survey:" || $spp_name == "spade-survey") {
                        $spade_survey_check = "ok";
                        $spade_survey .= "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            $spade_survey .= "<BR>";
                        } else {
                            $spade_survey .= "\n";
                        }
                    } 
		    elseif ($spp_name == "spade-stats:" || $spp_name == "spade-stats") {
                        $spade_stats_check = "ok";
                        $spade_stats .= "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            $spade_stats .= "<BR>";
                        } else {
                            $spade_stats .= "\n";
                        }
                    } else {
                        $spp = "preprocessor $spp_name $spp_value";
                        if ($sensor_export == 'view') {
                            echo "$spp<BR>";
                        } else {
                            fputs($fp, "$spp\n");
                        }
                    }
                }
            }
            if ($sensor_export == 'view') {
                if ( $spade_check ) echo $spade;
                if ( $spade_homenet_check ) echo $spade_homenet;
                if ( $spade_detect_check ) echo $spade_detect;
                if ( $spade_adapt_check ) echo $spade_adapt;
                if ( $spade_thresh_check ) echo $spade_thresh;
                if ( $spade_survey_check ) echo $spade_survey;
                if ( $spade_stats_check ) echo $spade_stats;
                echo "#<BR>";
            } else {
                if ( $spade_check ) fputs($fp, $spade);
                if ( $spade_homenet_check ) fputs($fp, $spade_homenet);
                if ( $spade_detect_check ) fputs($fp, $spade_detect);
                if ( $spade_adapt_check ) fputs($fp, $spade_adapt);
                if ( $spade_thresh_check ) fputs($fp, $spade_thresh);
                if ( $spade_survey_check ) fputs($fp, $spade_survey);
                if ( $spade_stats_check ) fputs($fp, $spade_stats);
                fputs($fp, "#\n");
            }
            # }
            # if ($sensor_default_spo)
            # {
            $rule_act = get_active('output', $sensor_id, $db);
            $result = $db->acidExecute("SELECT id, spo_name,spo_value FROM output");
            while ($myrow = $result->acidFetchRow()) {
                list($spo_id, $spo_name, $spo_value) = $myrow;
                if (in_array ("|$spo_id|", $rule_act)) {
		    if ($spo_name == "database:") {
			if (strpos($spo_value, '[AUTO]') !== false) {
			    $spo_value = str_replace('[AUTO]', $sensor_name, $spo_value);
			}
			if (strpos($spo_value, '[auto]') !== false) {
			    $spo_value = str_replace('[auto]', $sensor_name, $spo_value);
			}
		    }
                    $spo = "output $spo_name $spo_value";
                    if ($sensor_export == 'view') {
                        echo "$spo<BR>";
                    } else {
                        fputs($fp, "$spo\n");
                    }
                }
            }
            if ($sensor_export == 'view') {
                echo "#<BR>";
            } else {
                fputs($fp, "#\n");
            }
            # }
            # if ($sensor_default_ruletype)
            # {
	    $rule_act = get_active('ruletype', $sensor_id, $db);
            $result = $db->acidExecute("SELECT id, ruletype_name,ruletype_value FROM ruletype");
            while ($myrow = $result->acidFetchRow()) {
                list($ruletype_id, $ruletype_name, $ruletype_value) = $myrow;
                if (in_array ("|$ruletype_id|", $rule_act)) {
                    $ruletype = "ruletype $ruletype_name $ruletype_value";
                    if ($sensor_export == 'view') {
                        echo "$ruletype<BR>";
                    } else {
                        fputs($fp, "$ruletype\n");
                    }
                }
            }
            if ($sensor_export == 'view') {
                echo "#<BR>";
            } else {
                fputs($fp, "#\n");
            }
            # }
            # if ($sensor_default_config_directives)
            # {
	    $rule_act = get_active('config', $sensor_id, $db);
            $result = $db->acidExecute("SELECT id, config_name,config_value FROM config where config_name != 'reference:' AND config_name != 'classification:' AND config_name != 'config:'");
            while ($myrow = $result->acidFetchRow()) {
                list($config_id, $config_name, $config_value) = $myrow;
                if (in_array ("|$config_id|", $rule_act)) {
                    list($short_class, $rest) = explode(',', trim($config_value), 2);
                    $class_found[] = $short_class;
                    $config = "config $config_name $config_value";
                    if ($sensor_export == 'view') {
                        echo "$config<BR>";
                    } else {
                        fputs($fp, "$config\n");
                    }
                }
            }
            if ($sensor_export == 'view') {
                echo "#<BR>";
            } else {
                fputs($fp, "#\n");
            }
            # }
            # if ($sensor_default_reference)
            # {
	    $rule_act = get_active('config', $sensor_id, $db);
            $result = $db->acidExecute("SELECT id, config_name,config_value FROM config where config_name = 'reference:'");
            while ($myrow = $result->acidFetchRow()) {
                list($reference_id, $config_name, $config_value) = $myrow;
                if (in_array ("|$reference_id|", $rule_act)) {
                    list($short_class, $rest) = explode(',', trim($config_value), 2);
                    $class_found[] = $short_class;
                    $config = "config $config_name $config_value";
                    if ($sensor_export == 'view') {
                        echo "$config<BR>";
                    } else {
                        fputs($fp, "$config\n");
                    }
                }
            }
            if ($sensor_export == 'view') {
                echo "#<BR>";
            } else {
                fputs($fp, "#\n");
            }
            # }
            # if ($sensor_default_decode)
            # {
            $rule_act = get_active('config', $sensor_id, $db);
            $result = $db->acidExecute("SELECT id, config_name,config_value FROM config where config_name = 'config:'");
            while ($myrow = $result->acidFetchRow()) {
                list($reference_id, $config_name, $config_value) = $myrow;
                if (in_array ("|$reference_id|", $rule_act)) {
                    list($short_class, $rest) = explode(',', trim($config_value), 2);
                    $class_found[] = $short_class;
                    $config = "config $config_value";
                    if ($sensor_export == 'view') {
                        echo "$config<BR>";
                    } else {
                        fputs($fp, "$config\n");
                    }
                }
            }
            if ($sensor_export == 'view') {
                echo "#<BR>";
            } else {
                fputs($fp, "#\n");
            }
            # }
            # if ($sensor_default_class)
            # {
            if ($sensor_export == 'view') {
                echo "#-------------------------------------------------------------------------------<BR>";
                echo '# $';
		echo 'Id: classification.config, '."$date<BR>";
                echo "#-------------------------------------------------------------------------------<BR>";
            } else {
                fputs($fp, "#-------------------------------------------------------------------------------\n");
                fputs($fp, '# $');
		fputs($fp, 'Id: classification.config, '."$date\n");
                fputs($fp, "#-------------------------------------------------------------------------------\n");
            }
	    $rule_act = get_active('config', $sensor_id, $db);
            $result = $db->acidExecute("SELECT id, config_name,config_value FROM config where config_name = 'classification:'");
            while ($myrow = $result->acidFetchRow()) {
                list($class_id, $config_name, $config_value) = $myrow;
                // <!-- for rule checking
                if ($config_name == 'classification:') {
                    list($short_class, $rest) = explode(',', trim($config_value), 2);
                    $short_class = trim($short_class);
                    $class_value_array[$short_class] = trim($rest);
                }
                //-->
                if (in_array ("|$class_id|", $rule_act)) {
                    list($short_class, $rest) = explode(',', trim($config_value), 2);
                    $class_found[] = $short_class;
                    $config = "config $config_name $config_value";
                    if ($sensor_export == 'view') {
                        echo "$config<BR>";
                    } else {
                        fputs($fp, "$config\n");
                    }
                }
            }
            // <!-- add classification if exist in rule but not activated
	    $rule_act = get_active('rules', $sensor_id, $db);
            $result_id->acidFreeRows();
            $result = $db->acidExecute("SELECT sid, classtype FROM rules");
            while ($myrow = $result->acidFetchRow()) {
                list($sid, $classtype) = $myrow;
                if ((in_array ("|$sid|", $rule_act)) && (!in_array(trim($classtype), $class_found)) && ($classtype  != '')) {
                    $class_found[] = $classtype;
                    if ($class_value_array[$classtype] == '') {
                        $config = "config classification: $classtype,Unknow classification,1";
                    } else {
                        $config = "config classification: $classtype,".$class_value_array[$classtype];
                    }
                    if ($sensor_export == 'view') {
                        echo "<font color='red'># Next classification automatic added by SnortCenter, used in some rule(s).</font><BR>";
                        echo "$config<BR>";
                    } else {
                        fputs($fp, "# Next classification automatic added by SnortCenter, used in some rule(s).\n");
                        fputs($fp, "$config\n");
                    }
                }
            }
            //-->
            if ($sensor_export == 'view') {
                echo "#<BR>";
            } else {
                fputs($fp, "#\n");
            }
            # }
             
            # if ($sensor_default_rules)
            # {
            $print_category = '';
#            $result_id = $db->acidExecute("SELECT rules from sensor where id='$sensor_id'");
#            $myrow_id = $result_id->acidFetchRow();
#            $rule_act = explode(";", $myrow_id[0]);
	    $rule_act = get_active('rules', $sensor_id, $db);
            $result_id->acidFreeRows();
            $result = $db->acidExecute("SELECT action, proto ,src_ip, src_port, operator, dst_ip, dst_port, msg, ttl, tos, id, ipoption, ip_proto, fragbits, dsize, flags, window, seq, ack, itype, icode, icmp_id, icmp_seq, content_list, session, rpc, resp, react, classtype, priority, tag, sameip, stateless, sid, rev, activates,  activates_by, count, logto, category, flow, fragoffset, pcre, flowbits, threshold, snortsam, multiple_rest FROM rules order by category");
            while ($myrow = $result->acidFetchRow()) {
                list($action, $proto , $src_ip, $src_port, $operator, $dst_ip, $dst_port, $msg, $ttl, $tos, $n_id, $ipoption, $ip_proto, $fragbits, $dsize, $flags, $window, $seq, $ack, $itype, $icode, $icmp_id, $icmp_seq, $content_list, $session, $rpc, $resp, $react, $classtype, $priority, $tag, $sameip, $stateless, $sid, $rev, $activates, $activates_by, $count, $logto, $category, $flow, $fragoffset, $pcre, $flowbits, $threshold, $snortsam, $multiple_rest) = $myrow;
                if (in_array ("|$sid|", $rule_act)) {
                    $content = '';
                    $uricontent = '';
                    $reference = '';
                    $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test, isdataat, asn1  FROM content WHERE sid='$sid' ORDER BY sequence");
                    while ($myrow_content = $result_content->acidFetchRow()) {
                        list($content_tmp, $off_set, $depth, $nocase, $regex, $rawbytes, $distance, $within, $byte_jump, $byte_test, $isdataati, $asn1) = $myrow_content;
                        if ($content_tmp) {
			    $content  .= " content: $content_tmp;";
	    		}
                        if ($off_set >= '0') {
                            $content  .= " offset: $off_set;";
                        }
                        if ($depth >= '0') {
                            $content  .= " depth: $depth;";
                        }
                        if ($distance >= '0') {
                            $content  .= " distance: $distance;";
                        }
			if ($within >= '0') {
                            $content  .= " within: $within;";
                        }
			if ($byte_jump) {
                            $content  .= " byte_jump: $byte_jump;";
                        }
                        if ($byte_test) {
                            $content  .= " byte_test: $byte_test;";
                        }
                        if ($isdataat) {
			    $content  .= " isdataat: $isdataat;";
			}
                        if ($asn1)  {
                            $content  .= " asn1: $asn1;";
                        }
			if ($nocase) {
                            $content  .= " nocase;";
                        }
                        if ($regex) {
                            $content  .= " regex;";
                        }
                    }
                    $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
                    while ($myrow_uricontent = $result_uricontent->acidFetchRow()) {
                        list($uricontent_tmp, $off_set, $depth, $nocase, $regex, $distance, $within, $byte_jump, $byte_test) = $myrow_uricontent;
                        $uricontent  .= " uricontent: $uricontent_tmp;";
                        if ($off_set >= '0') {
                            $uricontent  .= " offset: $off_set;";
                        }
                        if ($depth >= '0') {
                            $uricontent  .= " depth: $depth;";
                        }
			if ($distance >= '0') {
                            $uricontent  .= " distance: $distance;";
                        }
			if ($within >= '0') {
                            $uricontent  .= " within: $within;";
                        }
			if ($byte_jump) {
                            $uricontent  .= " byte_jump: $byte_jump;";
                        }
                        if ($byte_test) {
                            $uricontent  .= " byte_test: $byte_test;";
                        }
                        if ($nocase) {
                            $uricontent  .= " nocase;";
                        }
                        if ($regex) {
                            $uricontent  .= " regex;";
                        }
                    }
                    $result_reference = $db->acidExecute("SELECT reference FROM reference WHERE sid='$sid'");
                    while ($myrow_reference = $result_reference->acidFetchRow()) {
                        list($reference_tmp) = $myrow_reference;
                        $reference  .= " reference: $reference_tmp;";
                    }
                     
                    if ($rule_change) {
                        if (in_array ("$sid", $rule_change)) {
                            $result_change = $db->acidExecute("SELECT action, src_ip, src_port, dst_ip, dst_port FROM rulechange where sid='$sid' and sensor_id='$sensor_id'");
                            $myrow_change = $result_change->acidFetchRow();
                            if ($myrow_change  != 0) {
                                list($action, $src_ip, $src_port, $dst_ip, $dst_port) = $myrow_change;
                            }
                        }
                    }
                    $rule = "$action $proto $src_ip $src_port $operator $dst_ip $dst_port (";
                    if ($sid) {
                        $rule  .= " sid: $sid;";
                    }
                    if ($rev) {
                        $rule  .= " rev: $rev;";
                    }
                    if ($msg) {
                        $rule  .= " msg: $msg;";
                    }
                    if ($flow) {
                        $rule  .= " flow: $flow;";
                    }
                    if ($flobits) {
                        $rule .= " flowbits: $flowbits;";
                    }
                    if ($content) {
                        $rule  .= $content;
                    }
                    if ($content_list) {
                        $rule  .= " content-list: $content_list;";
                    }
                    if ($uricontent) {
                        $rule  .= $uricontent;
                    }
                    if ($ttl || $ttl == '0') {
                        $rule  .= " ttl: $ttl;";
                    }
                    if ($n_id || $n_id == '0') {
                        $rule  .= " id: $n_id;";
                    }
                    if ($ipoption || $ipoption == '0') {
                        $rule  .= " ipopts: $ipoption;";
                    }
                    if ($ip_proto || $ip_proto == '0') {
                        $rule  .= " ip_proto: $ip_proto;";
                    }
                    if ($fragbits) {
                        $rule  .= " fragbits: $fragbits;";
                    }
                    if ($fragoffset || $fragoffset == '0') {
                        $rule  .= " fragoffset: $fragoffset;";
                    }
                    if ($dsize || $dsize == '0') {
                        $rule  .= " dsize: $dsize;";
                    }
                    if ($flags || $flags == '0') {
                        $rule  .= " flags: $flags;";
                    }
                    if ($window || $window == '0') {
                        $rule  .= " window: $window;";
                    }
                    if ($seq || $seq == '0') {
                        $rule  .= " seq: $seq;";
                    }
                    if ($ack || $ack == '0') {
                        $rule  .= " ack: $ack;";
                    }
                    if ($itype || $itype == '0') {
                        $rule  .= " itype: $itype;";
                    }
                    if ($icode || $icode == '0') {
                        $rule  .= " icode: $icode;";
                    }
                    if ($icmp_id || $icmp_id == '0') {
                        $rule  .= " icmp_id: $icmp_id;";
                    }
                    if ($icmp_seq || $icmp_seq == '0') {
                        $rule  .= " icmp_seq: $icmp_seq;";
                    }
                    if ($pcre) {
                        $rule  .= " pcre: $pcre;";
                    }
                    if ($session) {
                        $rule  .= " session: $session;";
                    }
                    if ($rpc) {
                        $rule  .= " rpc: $rpc;";
                    }
                    if ($resp) {
                        $rule  .= "resp: $resp;";
                    }
                    if ($react) {
                        $rule  .= " react: $react;";
                    }
                    if ($reference) {
                        $rule  .= $reference;
                    }
                    if ($snortsam) {
			$rule  .= " fwsam: $snortsam;";
		    }
                    if ($threshold) {
                        $rule .= " threshold: $threshold;";
                    }
		    if ($classtype) {
                        $rule  .= " classtype: $classtype;";
                    }
                    if ($priority || $priority == '0') {
                        $rule  .= " priority: $priority;";
                    }
                    if ($tag) {
                        $rule  .= " tag: $tag;";
                    }
                    if ($sameip) {
                        $rule  .= " sameip;";
                    }
                    if ($stateless) {
                        $rule  .= " stateless;";
                    }
                    if ($activates) {
                        $rule  .= " activates: $activates;";
                    }
                    if ($activates_by) {
                        $rule  .= " activates_by: $activates_by;";
                    }
                    if ($count || $count == '0') {
                        $rule  .= " count: $count;";
                    }
                    if ($logto) {
                        $rule  .= " logto: $logto;";
                    }
		    if ($multiple_rest) {
                        $rule  .= " $multiple_rest";
                    }
		    
                     
                    $rule  .= ")";
                    if ($print_category  !== $category) {
                        $print_category = $category;
                        if ($sensor_export == 'view') {
                            echo "#<BR>#-------------------------------------------------------------------------------<BR>";
                            echo '# $';
			    echo 'Id: '."$category, $date<BR>";
                            echo "#-------------------------------------------------------------------------------<BR>";
                        } else {
                            fputs($fp, "#\n#-------------------------------------------------------------------------------\n");
                            fputs($fp, '# $');
			    fputs($fp, 'Id: '."$category, $date\n");
                            fputs($fp, "#-------------------------------------------------------------------------------\n");
                        }
                    }
                    if ($sensor_export == 'view') {
                        echo htmlspecialchars($rule)."<BR>";
                    } else {
                        fputs($fp, "$rule\n");
                    }
                }
            }
            if ($sensor_export == 'view') {
                echo "<BR>";
            }
            # }
            if ($sensor_export  != 'download') {
                echo "</FONT>";
            }
        }
        return $sensor_name;
    }

?>
Return current item: SnortCenter 2.x