PP_Conf_Anshuman

1. #!/usr/bin/perl
2.  
3. ## pulledpork v(whatever it says below!)
4. ## [email protected]
5.  
6. # Copyright (C) 2009-2013 JJ Cummings and the PulledPork Team!
7.  
8. # This program is free software; you can redistribute it and/or
9. # modify it under the terms of the GNU General Public License
10. # as published by the Free Software Foundation; either version 2
11. # of the License, or (at your option) any later version.
12.  
13. # This program is distributed in the hope that it will be useful,
14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16. # GNU General Public License for more details.
17.  
18. # You should have received a copy of the GNU General Public License
19. # along with this program; if not, write to the Free Software
20. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
21.  
22. use strict;
23. use warnings;
24. use File::Copy;
25. use LWP::UserAgent;
26. use HTTP::Request::Common;
27. use HTTP::Status qw (is_success);
28. use Crypt::SSLeay;
29. use Sys::Syslog;
30. use Digest::MD5;
31. use File::Path;
32. use File::Find;
33. use Getopt::Long qw(:config no_ignore_case bundling);
34. use Archive::Tar;
35. use POSIX qw(:errno_h);
36. use Cwd;
37. use Carp;
38. use Data::Dumper;
39.  
40. ### Vars here
41.  
42. # we are gonna need these!
43. my ( $oinkcode, $temp_path, $rule_file, $Syslogging );
44. my $VERSION = "PulledPork v0.7.0 - Swine Flu!";
45. my $ua = LWP::UserAgent->new;
46.  
47. my ( $Hash, $ALogger, $Config_file, $Sorules, $Auto );
48. my ( $Output, $Distro, $Snort, $sid_changelog, $ignore_files );
49. my ( $Snort_config, $Snort_path, $Textonly, $grabonly, $ips_policy, );
50. my ( $pid_path, $SigHup, $NoDownload, $sid_msg_map, @base_url );
51. my ( $local_rules, $arch, $docs, @records, $enonly );
52. my ( $rstate, $keep_rulefiles, $rule_file_path, $prefix, $black_list );
53. my ( $Process, $hmatch, $bmatch , $sid_msg_version);
54. my $Sostubs = 1;
55.  
56. # verbose and quiet control print()
57. # default values if not set otherwise in getopt
58. # $Verbose = 0 is normal output (default behaviour)
59. # $Verbose = 1 is loud output
60. # $Verbose = 2 is troubleshooting output
61. # $Quiet = 0 leaves verbosity as default or otherwise set
62. # $Quiet = 1 suppresses all but FAIL messages, eg, anything preceding an exit
63.  
64. my $Verbose = 0;
65. my $Quiet = 0;
66.  
67. undef($Hash);
68. undef($ALogger);
69.  
70. my %rules_hash = ();
71. my %blacklist = ();
72. my %oldrules_hash = ();
73. my %sid_msg_map = ();
74. my %sidmod = ();
75. my $categories = ();
76. undef %rules_hash;
77. undef %oldrules_hash;
78. undef %sid_msg_map;
79.  
80. ## initialize some vars
81. my $rule_digest = "";
82. my $md5 = "";
83.  
84. # Vars the subroutine to fetch config values
85. my ($Config_key);
86. my %Config_info = ();
87.  
88. ### Subroutines here
89.  
90. ## routine to grab our config from the defined config file
91. sub parse_config_file {
92. my ( $FileConf, $Config_val ) = @_;
93. my ( $config_line, $Name, $Value );
94.  
95. if ( !open( CONFIG, "$FileConf" ) ) {
96. carp "ERROR: Config file not found : $FileConf\n";
97. syslogit( 'err|local0', "FATAL: Config file not found: $FileConf" )
98. if $Syslogging;
99. exit(1);
100. }
101. open( CONFIG, "$FileConf" );
102. while (<CONFIG>) {
103. $config_line = $_;
104. chomp($config_line);
105. $config_line = trim($config_line);
106. if ( ( $config_line !~ /^#/ ) && ( $config_line ne "" ) ) {
107. ( $Name, $Value ) = split( /=/, $config_line );
108. if ( $Value =~ /,/ && $Name eq "rule_url" ) {
109. push( @{ $$Config_val{$Name} }, split( /,/, $Value ) );
110. }
111. elsif ( $Name eq "rule_url" ) {
112. push( @{ $$Config_val{$Name} }, split( /,/, $Value ) )
113. if $Value;
114. }
115. else {
116. $$Config_val{$Name} = $Value;
117. }
118. }
119. }
120.  
121. close(CONFIG);
122.  
123. }
124.  
125. ## Help routine.. display help to stdout then exit
126. sub Help {
127. my $msg = shift;
128. if ($msg) { print "\nERROR: $msg\n"; }
129.  
130. print <<__EOT;
131. Usage: $0 [-dEgHklnRTPVvv? -help] -c <config filename> -o <rule output path>
132. -O <oinkcode> -s <so_rule output directory> -D <Distro> -S <SnortVer>
133. -p <path to your snort binary> -C <path to your snort.conf> -t <sostub output path>
134. -h <changelog path> -I (security|connectivity|balanced) -i <path to disablesid.conf>
135. -b <path to dropsid.conf> -e <path to enablesid.conf> -M <path to modifysid.conf>
136. -r <path to docs folder> -K <directory for separate rules files>
137.  
138. Options:
139. -help/? Print this help info.
140. -b Where the dropsid config file lives.
141. -C Path to your snort.conf
142. -c Where the pulledpork config file lives.
143. -d Do not verify signature of rules tarball, i.e. downloading fron non VRT or ET locations.
144. -D What Distro are you running on, for the so_rules
145. For latest supported options see http://www.snort.org/snort-rules/shared-object-rules
146. Valid Distro Types:
147. Debian-5-0, Debian-6-0, Ubuntu-8.04, Ubuntu-10-4
148. Centos-4-8, Centos-5-4, FC-12, FC-14, RHEL-5-5, RHEL-6-0
149. FreeBSD-7-3, FreeBSD-8-1
150. OpenBSD-4-8
151. Slackware-13-1
152. -e Where the enablesid config file lives.
153. -E Write ONLY the enabled rules to the output files.
154. -g grabonly (download tarball rule file(s) and do NOT process)
155. -h path to the sid_changelog if you want to keep one?
156. -H Send a SIGHUP to the pids listed in the config file
157. -I Specify a base ruleset( -I security,connectivity,or balanced, see README.RULESET)
158. -i Where the disablesid config file lives.
159. -k Keep the rules in separate files (using same file names as found when reading)
160. -K Where (what directory) do you want me to put the separate rules files?
161. -l Log Important Info to Syslog (Errors, Successful run etc, all items logged as WARN or higher)
162. -L Where do you want me to read your local.rules for inclusion in sid-msg.map
163. -m where do you want me to put the sid-msg.map file?
164. -M where the modifysid config file lives.
165. -n Do everything other than download of new files (disablesid, etc)
166. -o Where do you want me to put generic rules file?
167. -p Path to your Snort binary
168. -P Process rules even if no new rules were downloaded
169. -R When processing enablesid, return the rules to their ORIGINAL state
170. -r Where do you want me to put the reference docs (xxxx.txt)
171. -S What version of snort are you using (2.8.6 or 2.9.0) are valid values
172. -s Where do you want me to put the so_rules?
173. -T Process text based rules files only, i.e. DO NOT process so_rules
174. -u Where do you want me to pull the rules tarball from
175. ** E.g., ET, Snort.org. See pulledpork config rule_url option for value ideas
176. -V Print Version and exit
177. -v Verbose mode, you know.. for troubleshooting and such nonsense.
178. -vv EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.
179. __EOT
180.  
181. exit(0);
182. }
183.  
184. ## OMG We MUST HAVE FLYING PIGS!
185. sub pulledpork {
186.  
187. print <<__EOT;
188.  
189. http://code.google.com/p/pulledpork/
190. _____ ____
191. `----,\\ )
192. `--==\\\\ / $VERSION
193. `--==\\\\/
194. .-~~~~-.Y|\\\\_ Copyright (C) 2009-2013 JJ Cummings
195. \@_/ / 66\\_ cummingsj\@gmail.com
196. | \\ \\ _(\")
197. \\ /-| ||'--' Rules give me wings!
198. \\_\\ \\_\\\\
199. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
200.  
201. __EOT
202. }
203.  
204. ## subroutine to cleanup the temp rubbish!!!
205. sub temp_cleanup {
206. my $remove = rmtree( $temp_path . "tha_rules" );
207. if ( $Verbose && !$Quiet ) {
208. print "Cleanup....\n";
209. print
210. "\tremoved $remove temporary snort files or directories from $temp_path"
211. . "tha_rules!\n";
212. }
213. }
214.  
215. # subroutine to extract the files to a temp path so that we can do what we need to do..
216. sub rule_extract {
217. my (
218. $rule_file, $temp_path, $Distro, $arch, $Snort,
219. $Sorules, $ignore, $docs, $prefix
220. ) = @_;
221. print "Prepping rules from $rule_file for work....\n" if !$Quiet;
222. print "\textracting contents of $temp_path$rule_file...\n"
223. if ( $Verbose && !$Quiet );
224. mkpath( $temp_path . "tha_rules" );
225. mkpath( $temp_path . "tha_rules/so_rules" );
226. my $tar = Archive::Tar->new();
227. $tar->read( $temp_path . $rule_file );
228. $tar->setcwd( cwd() );
229. local $Archive::Tar::CHOWN = 0;
230. my @ignores = split( /,/, $ignore );
231.  
232. foreach (@ignores) {
233. if ( $_ =~ /\.rules/ ) {
234. print "\tIgnoring plaintext rules: $_\n" if ( $Verbose && !$Quiet );
235. $tar->remove("rules/$_");
236. }
237. elsif ( $_ =~ /\.preproc/ ) {
238. print "\tIgnoring preprocessor rules: $_\n"
239. if ( $Verbose && !$Quiet );
240. my $preprocfile = $_;
241. $preprocfile =~ s/\.preproc/\.rules/;
242. $tar->remove("preproc_rules/$preprocfile");
243. }
244. elsif ( $_ =~ /\.so/ ) {
245. print "\tIgnoring shared object rules: $_\n"
246. if ( $Verbose && !$Quiet );
247. $tar->remove("so_rules/precompiled/$Distro/$arch/$Snort/$_");
248. }
249. else {
250. print "\tIgnoring all rule types in $_ category!\n"
251. if ( $Verbose && !$Quiet );
252. $tar->remove("rules/$_.rules");
253. $tar->remove("preproc_rules/$_.rules");
254. $tar->remove("so_rules/precompiled/$Distro/$arch/$Snort/$_");
255. }
256. }
257. my @files = $tar->get_files();
258. foreach (@files) {
259. my $filename = $_->name;
260. my $singlefile = $filename;
261. if ( $filename =~ /^(community-)?rules\/.*\.rules$/ ) {
262. $singlefile =~ s/^(community-)?rules\///;
263. $tar->extract_file( $filename,
264. $temp_path . "/tha_rules/$prefix" . $singlefile );
265. print "\tExtracted: /tha_rules/$prefix$singlefile\n"
266. if ( $Verbose && !$Quiet );
267. }
268. elsif ( $filename =~ /^preproc_rules\/.*\.rules$/ ) {
269. $singlefile =~ s/^preproc_rules\///;
270. $tar->extract_file( $filename,
271. $temp_path . "/tha_rules/$prefix" . $singlefile );
272. print "\tExtracted: /tha_rules/$prefix$singlefile\n"
273. if ( $Verbose && !$Quiet );
274. }
275. elsif ($Sorules
276. && $filename =~
277. /^so_rules\/precompiled\/($Distro)\/($arch)\/($Snort)\/.*\.so/
278. && -d $Sorules
279. && !$Textonly )
280. {
281. $singlefile =~
282. s/^so_rules\/precompiled\/($Distro)\/($arch)\/($Snort)\///;
283. $tar->extract_file( $filename, $Sorules . $singlefile );
284. print "\tExtracted: $Sorules$singlefile\n"
285. if ( $Verbose && !$Quiet );
286. }
287. elsif ($docs
288. && $filename =~ /^(doc\/signatures\/)?.*\.txt/
289. && -d $docs )
290. {
291. $singlefile =~ s/^doc\/signatures\///;
292. $tar->extract_file( "doc/signatures/$filename",
293. $docs . $singlefile );
294. print "\tExtracted: $docs$singlefile\n"
295. if ( $Verbose == 2 && !$Quiet );
296. }
297. }
298. print "\tDone!\n" if ( !$Verbose && !$Quiet );
299. }
300.  
301. ## subroutine to actually check the md5 values, if they match we move onto file manipulation routines
302. sub compare_md5 {
303. my (
304. $oinkcode, $rule_file, $temp_path, $Hash,
305. $base_url, $md5, $rule_digest, $Distro,
306. $arch, $Snort, $Sorules, $ignore_files,
307. $docs, $prefix, $Process, $hmatch,
308. $fref
309. ) = @_;
310. if ( $rule_digest =~ $md5 && !$Hash) {
311. if ( $Verbose && !$Quiet ) {
312. print
313. "\tThe MD5 for $rule_file matched $md5\n\n";
314. }
315. if ( !$Verbose && !$Quiet ) { print "\tThey Match\n\tDone!\n"; }
316. return(1);
317. }
318. elsif ( $rule_digest !~ $md5 && !$Hash ) {
319. if ( $Verbose && !$Quiet ) {
320. print
321. "\tThe MD5 for $rule_file did not match the latest digest... so I am gonna fetch the latest rules file!\n";
322. }
323. if ( !$Verbose && !$Quiet ) { print "\tNo Match\n\tDone\n"; }
324. rulefetch( $oinkcode, $rule_file, $temp_path, $base_url );
325. $rule_digest = md5sum( $rule_file, $temp_path );
326. $fref->{EXTRACT}=1 if !$grabonly;
327. return(compare_md5(
328. $oinkcode, $rule_file, $temp_path, $Hash,
329. $base_url, $md5, $rule_digest, $Distro,
330. $arch, $Snort, $Sorules, $ignore_files,
331. $docs, $prefix, $Process, $hmatch,
332. $fref
333. ));
334. }
335. elsif ($Hash) {
336. if ( $Verbose && !$Quiet) {
337. print
338. "\tOk, not verifying the digest.. lame, but that's what you specified!\n";
339. print
340. "\tSo if the rules tarball doesn't extract properly and this script croaks.. it's your fault!\n";
341. print "\tNo Verify Set\n\tDone!\n";
342. }
343. $fref->{EXTRACT}=1 if !$grabonly;
344. return(1);
345. } else {
346. return($hmatch);
347. }
348. }
349.  
350. ## mimic LWP::Simple getstore routine - Thx pkthound!
351. sub getstore {
352. my ( $url, $file ) = @_;
353. my $request = HTTP::Request->new( GET => $url );
354. my $response = $ua->request( $request, $file );
355. $response->code;
356. }
357.  
358. ## time to grab the real 0xb33f
359. sub rulefetch {
360. my ( $oinkcode, $rule_file, $temp_path, $base_url ) = @_;
361. print "Rules tarball download of $rule_file....\n" if ( !$Quiet && $rule_file !~/IPBLACKLIST/ );
362. print "IP Blacklist download of $base_url....\n" if ( !$Quiet && $rule_file =~/IPBLACKLIST/ );
363. $base_url = slash( 0, $base_url );
364. my ($getrules_rule);
365. if ( $Verbose && !$Quiet ) {
366. print "\tFetching rules file: $rule_file\n" if $rule_file !~/IPBLACKLIST/;
367. if ($Hash && $rule_file !~/IPBLACKLIST/) { print "But not verifying MD5\n"; }
368. }
369. if ( $base_url =~ /[^labs]\.snort\.org/i ) {
370. $getrules_rule =
371. getstore( "https://www.snort.org/reg-rules/$rule_file/$oinkcode",
372. $temp_path . $rule_file );
373. }
374. elsif ($rule_file =~ /IPBLACKLIST/ && !$NoDownload){
375. my $rand = rand(1000);
376. $getrules_rule =
377. getstore( $base_url, $temp_path . "$rand-black_list.rules");
378. read_iplist(\%blacklist,$temp_path . "$rand-black_list.rules");
379. unlink ($temp_path . "$rand-black_list.rules");
380. }
381. else {
382. $getrules_rule =
383. getstore( $base_url . "/" . $rule_file, $temp_path . $rule_file );
384. }
385. if ( $getrules_rule == 403 ) {
386. print
387. "\tA 403 error occurred, please wait for the 15 minute timeout\n\tto expire before trying again or specify the -n runtime switch\n",
388. "\tYou may also wish to verfiy your oinkcode, tarball name, and other configuration options\n";
389. syslogit( 'emerg|local0', "FATAL: 403 error occured" ) if $Syslogging;
390. exit(1); # For you shirkdog
391. }
392. elsif ( $getrules_rule == 404 ) {
393. print
394. "\tA 404 error occurred, please verify your filenames and urls for your tarball!\n";
395. syslogit( 'emerg|local0', "FATAL: 404 error occured" ) if $Syslogging;
396. exit(1); # For you shirkdog
397. }
398. elsif ( $getrules_rule == 500 ) {
399. print
400. "\tA 500 error occurred, please verify that you have recently updated your root certificates!\n";
401. syslogit( 'emerg|local0', "FATAL: 500 error occured" ) if $Syslogging;
402. exit(1); # Certs bitches!
403. }
404. unless ( is_success($getrules_rule) ) {
405. syslogit( 'emerg|local0',
406. "FATAL: Error $getrules_rule when fetching $rule_file" )
407. if $Syslogging;
408. croak "\tError $getrules_rule when fetching " . $rule_file;
409. }
410.  
411. if ( $Verbose && !$Quiet && $rule_file !~/IPBLACKLIST/) {
412. print("\tstoring file at: $temp_path$rule_file\n\n");
413. }
414. if ( !$Verbose && !$Quiet ) { "\tDone!\n"; }
415. }
416.  
417. ## subroutine to deterine the md5 digest of the current rules file
418. sub md5sum {
419. my ( $rule_file, $temp_path ) = @_;
420. open( MD5FILE, "$temp_path$rule_file" )
421. or croak $!;
422. binmode(MD5FILE);
423. $rule_digest = Digest::MD5->new->addfile(*MD5FILE)->hexdigest;
424. close(MD5FILE);
425. if ($@) {
426. print $@;
427. return "";
428. }
429. if ( $Verbose && !$Quiet ) {
430. print "\tcurrent local rules file digest: $rule_digest\n";
431. }
432. return $rule_digest;
433. }
434.  
435. ## subroutine to fetch the latest md5 digest signature file from snort.org
436. sub md5file {
437. my ( $oinkcode, $rule_file, $temp_path, $base_url ) = @_;
438. my ( $getrules_md5, $md5 );
439. $base_url = slash( 0, $base_url );
440. print "Checking latest MD5 for $rule_file....\n" if !$Quiet;
441. print "\tFetching md5sum for: " . $rule_file . ".md5\n"
442. if ( $Verbose && !$Quiet );
443. if ( $base_url =~ /[^labs]\.snort\.org/i ) {
444. $getrules_md5 =
445. getstore( "https://www.snort.org/reg-rules/$rule_file.md5/$oinkcode",
446. $temp_path . $rule_file . ".md5" );
447. }
448. elsif ( $base_url =~ /(emergingthreats\.net|emergingthreatspro\.com|snort-org.*community)/i ) {
449. $getrules_md5 = getstore(
450. "$base_url/$rule_file" . ".md5",
451. $temp_path . $rule_file . ".md5"
452. );
453. }
454. if ( $getrules_md5 == 403 ) {
455. print
456. "\tA 403 error occurred, please wait for the 15 minute timeout\n\tto expire before trying again or specify the -n runtime switch\n",
457. "\tYou may also wish to verfiy your oinkcode, tarball name, and other configuration options\n";
458. }
459. elsif ( $getrules_md5 == 404 ) {
460. print
461. "\tA 404 error occurred, please verify your filenames and urls for your tarball!\n";
462. }
463. croak "\tError $getrules_md5 when fetching "
464. . $base_url . "/"
465. . $rule_file . ".md5"
466. unless is_success($getrules_md5);
467. open( FILE, "$temp_path$rule_file.md5" )
468. or croak $!;
469. $md5 = <FILE>;
470. chomp($md5);
471. close(FILE);
472. $md5 =~ /\w{32}/
473. ; ## Lets just grab the hash out of the string.. don't care about the rest!
474. $md5 = $&;
475.  
476. if ( $Verbose && !$Quiet ) {
477. print "\tmost recent rules file digest: $md5\n";
478. }
479. return $md5;
480. }
481.  
482. ## This sub allows for ip-reputation list de-duplication and processing:
483. sub read_iplist {
484. my ($href,$path) = @_;
485. print "\t" if ( $Verbose && !$Quiet );
486. print "Reading IP List...\n" if !$Quiet;
487. open (FH,'<',$path) || croak "Couldn't read $path - $!\n";
488. while (<FH>) {
489. chomp();
490. # we only want valid IP addresses, otherwise shiz melts!
491. next unless $_ =~ /(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/;
492. $_ = trim($_);
493. $_ =~ s/,*//;
494. $href->{$_}=1;
495. }
496. close(FH);
497. }
498.  
499. ## This replaces the copy_rules routine and allows for in-memory processing
500. # of disablesid, enablesid, dropsid and other sid functions.. here we place
501. # all of the rules values into a hash as {$gid}{$sid}=$rule
502. sub read_rules {
503. my ( $hashref, $path, $extra_rules ) = @_;
504. my ( $file, $sid, $gid, @elements );
505. print "\t" if ( $Verbose && !$Quiet );
506. print "Reading rules...\n" if !$Quiet;
507. my @local_rules = split( /,/, $extra_rules );
508. foreach (@local_rules) { #First let's read our local rules and assign a gid of 0
509. $extra_rules = slash( 0, $_ );
510. if ( $extra_rules && -f $extra_rules ) {
511. open( DATA, "$extra_rules" )
512. || croak "Couldn't read $extra_rules - $!\n";
513. my @extra_raw = <DATA>;
514. close(DATA);
515. my $trk = 0;
516. my $record;
517. foreach my $row (@extra_raw) {
518. $row = trim($row);
519. chomp($row);
520. if ( $row =~ /^\s*#*\s*(alert|drop|pass)/i || $trk == 1 ) {
521. if ( ( $row !~ /^#/ ) && ( $row ne "" ) ) {
522. if ( $row =~ /\\$/ ) { # handle multiline rules here
523. $row =~ s/\\$//;
524. $record .= $row;
525. $trk = 1;
526. }
527. elsif ( $row !~ /\\$/ && $trk == 1 )
528. { # last line of multiline rule here
529. $record .= $row;
530. if ( $record =~ /sid:\s*\d+\s*;/i ) {
531. $sid = $&;
532. $sid =~ s/sid:\s*//;
533. $sid =~ s/\s*;//;
534. $$hashref{0}{ trim($sid) }{'rule'} = $record;
535. }
536. $trk = 0;
537. undef $record;
538. }
539. else {
540. if ( $row =~ /sid:\s*\d+\s*;/i ) {
541. $sid = $&;
542. $sid =~ s/sid:\s*//;
543. $sid =~ s/\s*;//;
544. $$hashref{0}{ trim($sid) }{'rule'} = $row;
545. }
546. $trk = 0;
547. }
548. }
549. }
550. }
551. undef @extra_raw;
552. }
553. }
554. if ( -d $path ) {
555. opendir( DIR, "$path" );
556. while ( defined( $file = readdir DIR ) ) {
557. open( DATA, "$path$file" ) || croak "Couldn't read $file - $!\n";
558. @elements = <DATA>;
559. close(DATA);
560.  
561. foreach my $rule (@elements) {
562. chomp($rule);
563. $rule = trim($rule);
564. if ( $rule =~ /^\s*#*\s*(alert|drop|pass)/i ) {
565.  
566. if ( $rule =~ /sid:\s*\d+\s*;/i ) {
567. $sid = $&;
568. $sid =~ s/sid:\s*//;
569. $sid =~ s/\s*;//;
570. if ( $rule =~ /gid:\s*\d+/i ) {
571. $gid = $&;
572. $gid =~ s/gid:\s*//;
573. }
574. else { $gid = 1; }
575. if ( $rule =~ /flowbits:\s*((un)?set(x)?|toggle)/i ) {
576.  
577. # There is a much cleaner way to do this, I just don't have the time to do it right now!
578. my ( $header, $options ) =
579. split( /^[^"]* \(/, $rule );
580. my @optarray = split( /(?<!\\);(\t|\s)*/, $options )
581. if $options;
582. foreach my $option ( reverse(@optarray) ) {
583. my ( $kw, $arg ) = split( /:/, $option )
584. if $option;
585. next
586. unless ( $kw && $arg && $kw eq "flowbits" );
587. my ( $flowact, $flowbit ) = split( /,/, $arg );
588. next unless $flowact =~ /^\s*((un)?set(x)?|toggle)/i;
589. $$hashref{ trim($gid) }{ trim($sid) }
590. { trim($flowbit) } = 1;
591. }
592.  
593. }
594. if ( $rule =~ /^\s*\#+/ ) {
595. $$hashref{ trim($gid) }{ trim($sid) }{'state'} = 0;
596. }
597. elsif ( $rule =~ /^\s*(alert|pass|drop)/ ) {
598. $$hashref{ trim($gid) }{ trim($sid) }{'state'} = 1;
599. }
600. $file =~ s/\.rules//;
601. $file = "VRT-SO-$file" if ($gid == 3 && $file !~ /VRT-SO/);
602. $$hashref{ trim($gid) }{ trim($sid) }{'rule'} = $rule;
603. $$hashref{ trim($gid) }{ trim($sid) }{'category'} =
604. $file;
605. push @ {$categories->{$file}{trim($gid)}},($sid);
606. }
607. }
608. }
609. }
610. close(DIR);
611. }
612. elsif ( -f $path ) {
613. open( DATA, "$path" ) || croak "Couldn't read $path - $!";
614. @elements = <DATA>;
615. close(DATA);
616.  
617. foreach my $rule (@elements) {
618. if ( $rule =~ /^\s*#*\s*(alert|drop|pass)/i ) {
619. if ( $rule =~ /sid:\s*\d+/ ) {
620. $sid = $&;
621. $sid =~ s/sid:\s*//;
622. if ( $rule =~ /gid:\s*\d+/i ) {
623. $gid = $&;
624. $gid =~ s/gid:\s*//;
625. }
626. else { $gid = 1; }
627. if ( $rule =~ /flowbits:\s*((un)?set(x)?|toggle)/ ) {
628. my ( $header, $options ) = split( /^[^"]* \(/, $rule );
629.  
630. # There is a much cleaner way to do this, I just don't have the time to do it right now!
631. my @optarray = split( /(?<!\\);(\t|\s)*/, $options )
632. if $options;
633. foreach my $option ( reverse(@optarray) ) {
634. my ( $kw, $arg ) = split( /:/, $option ) if $option;
635. next unless ( $kw && $arg && $kw eq "flowbits" );
636. my ( $flowact, $flowbit ) = split( /,/, $arg );
637. next unless $flowact =~ /^\s*((un)?set(x)?|toggle)/i;
638. $$hashref{ trim($gid) }{ trim($sid) }
639. { trim($flowbit) } = 1;
640. }
641.  
642. }
643. $$hashref{ trim($gid) }{ trim($sid) }{'rule'} = $rule;
644. }
645. }
646. }
647. }
648. undef @elements;
649. }
650.  
651. ## sub to generate stub files using the snort --dump-dynamic-rules option
652. sub gen_stubs {
653. my ( $Snort_path, $Snort_config, $Sostubs ) = @_;
654. print "Generating Stub Rules....\n" if !$Quiet;
655. unless ( -B $Snort_path ) {
656. Help("$Snort_path is not a valid binary file");
657. }
658. if ( -d $Sostubs && -B $Snort_path && -f $Snort_config ) {
659. if ( $Verbose && !$Quiet ) {
660. print(
661. "\tGenerating shared object stubs via:$Snort_path -c $Snort_config --dump-dynamic-rules=$Sostubs\n"
662. );
663. }
664. open( FH,
665. "$Snort_path -c $Snort_config --dump-dynamic-rules=$Sostubs 2>&1|"
666. );
667. while (<FH>) {
668. print "\t$_" if $_ =~ /Dumping/i && ( $Verbose && !$Quiet );
669. next unless $_ =~ /(err|warn|fail)/i;
670. syslogit( 'warning|local0', "FATAL: An error occured: $_" )
671. if $Syslogging;
672. print "\tAn error occurred: $_\n";
673.  
674. # Yes, this is lame error reporting to stdout ...
675. }
676. close(FH);
677. }
678. else {
679. print(
680. "Something failed in the gen_stubs sub, please verify your shared object config!\n"
681. );
682. if ( $Verbose && !$Quiet ) {
683. unless ( -d $Sostubs ) {
684. Help(
685. "The path that you specified: $Sostubs does not exist! Please verify your configuration.\n"
686. );
687. }
688. unless ( -f $Snort_path ) {
689. Help(
690. "The file that you specified: $Snort_path does not exist! Please verify your configuration.\n"
691. );
692. }
693. unless ( -f $Snort_config ) {
694. Help(
695. "The file that you specified: $Snort_config does not exist! Please verify your configuration.\n"
696. );
697. }
698. }
699. }
700. print "\tDone\n" if !$Quiet;
701. }
702.  
703. sub vrt_policy {
704. my ( $ids_policy, $rule ) = @_;
705. my ( $gid, $sid );
706. if ( $rule =~ /policy\s$ids_policy/i && $rule !~ /flowbits\s*:\s*noalert/i )
707. {
708. $rule =~ s/^#*\s*//;
709. }
710. elsif ( $rule !~ /^\s*#/ ) {
711. $rule = "# $rule";
712. }
713. return $rule;
714. }
715.  
716. sub policy_set {
717. my ( $ids_policy, $hashref ) = @_;
718. if ($hashref) {
719. if ( $ids_policy ne "Disabled" && $ids_policy ne "" ) {
720. print "Activating $ids_policy rulesets....\n" if !$Quiet;
721. foreach my $k ( sort keys %$hashref ) {
722. foreach my $k2 ( keys %{ $$hashref{$k} } ) {
723. $$hashref{$k}{$k2}{'rule'} =
724. vrt_policy( $ids_policy, $$hashref{$k}{$k2}{'rule'} );
725. }
726. }
727.  
728. print "\tDone\n" if !$Quiet;
729. }
730. }
731. }
732.  
733. ## this allows the user to use regular expressions to modify rule contents
734. sub modify_sid {
735. my ( $href, $file ) = @_;
736. my @arry;
737. print "Modifying Sids....\n" if !$Quiet;
738. open( FH, "<$file" ) || carp "Unable to open $file\n";
739. while (<FH>) {
740. next if ( ( $_ =~ /^\s*#/ ) || ( $_ eq " " ) );
741. if ( $_ =~ /([\d+|,|\*]*)\s+"(.+)"\s+"(.*)"/ ) {
742. my ( $sids, $from, $to ) = ( $1, $2, $3 );
743. @arry = split( /,/, $sids ) if $sids !~ /\*/;
744. @arry = "*" if $sids =~ /\*/;
745. foreach my $sid (@arry) {
746. $sid = trim($sid);
747. if ( $sid ne "*" && defined $$href{1}{$sid}{'rule'} ) {
748. print "\tModifying SID:$sid from:$from to:$to\n"
749. if ( $Verbose && !$Quiet );
750. $$href{1}{$sid}{'rule'} =~ s/$from/$to/;
751. }
752. elsif ( $sid eq "*" ) {
753. print "\tModifying ALL SIDS from:$from to:$to\n"
754. if ( $Verbose && !$Quiet );
755. foreach my $k ( sort keys %{ $$href{1} } ) {
756. $$href{1}{$k}{'rule'} =~ s/$from/$to/;
757. }
758. }
759. }
760. undef @arry;
761. }
762. }
763. print "\tDone!\n" if !$Quiet;
764. close(FH);
765. }
766.  
767. ## this relaces the enablesid, disablesid and dropsid functions..
768. # speed ftw!
769. sub modify_state {
770. my ( $function, $SID_conf, $hashref, $rstate ) = @_;
771. my ( @sid_mod, $sidlist);
772. print "Processing $SID_conf....\n" if !$Quiet;
773. print "\tSetting rules specified in $SID_conf to their default state!\n"
774. if ( !$Quiet && $function eq 'enable' && $rstate );
775. if ( -f $SID_conf ) {
776. open( DATA, "$SID_conf" ) or carp "unable to open $SID_conf $!";
777. while (<DATA>) {
778. next unless ($_ !~ /^\s*#/ && $_ ne "");
779. $sidlist = (split '#',$_)[0];
780. chomp($sidlist);
781. $sidlist = trim($sidlist);
782. if (!@sid_mod )
783. {
784. @sid_mod = split( /,/, $sidlist );
785. }
786. elsif (@sid_mod)
787. {
788. push( @sid_mod, split( /,/, $sidlist ) );
789. }
790. }
791. close(DATA);
792. if ($hashref) {
793. my $sidcount = 0;
794. foreach (@sid_mod) {
795.  
796. # ranges
797. if ( $_ =~ /^(\d+):\d+-\1:\d+/ ) {
798. my ( $lsid, $usid ) = split( /-/, $& );
799. my $gid = $lsid;
800. $sid_mod[$sidcount] = $lsid;
801. $gid =~ s/:\d+//;
802. $lsid =~ s/\d+://;
803. $usid =~ s/\d+://;
804. while ( $lsid < $usid ) {
805. $lsid++;
806. push( @sid_mod, $gid . ':' . $lsid );
807. }
808. }
809.  
810. # pcres
811. elsif ( $_ =~ /^pcre\:.+/i ) {
812. my ( $pcre, $regex ) = split( /\:/, $& );
813. foreach my $k1 ( keys %$hashref ) {
814. foreach my $k2 ( keys %{ $$hashref{$k1} } ) {
815. next unless defined $$hashref{$k1}{$k2}{'rule'};
816. $sid_mod[$sidcount] = $k1 . ":" . $k2
817. if (
818. ( $$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i )
819. && ( $sid_mod[$sidcount] =~ /[a-xA-X](\w|\W)*/ )
820. );
821. push( @sid_mod, $k1 . ":" . $k2 )
822. if (
823. ( $$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i )
824. && ( $sid_mod[$sidcount] =~ /\d+:\d+/ ) );
825. }
826. }
827. }
828.  
829. # specific sid
830. elsif ( $_ =~ /^[a-xA-X]+\:.+/ ) {
831. my $regex = $&;
832. $regex =~ s/\:/,/;
833. foreach my $k1 ( keys %$hashref ) {
834. foreach my $k2 ( keys %{ $$hashref{$k1} } ) {
835. next unless defined $$hashref{$k1}{$k2}{'rule'};
836. $sid_mod[$sidcount] = $k1 . ":" . $k2
837. if (
838. ( $$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i )
839. && ( $sid_mod[$sidcount] =~ /[a-xA-X](\w|\W)*/ )
840. );
841. push( @sid_mod, $k1 . ":" . $k2 )
842. if (
843. ( $$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i )
844. && ( $sid_mod[$sidcount] =~ /\d+:\d+/ ) );
845. }
846. }
847. }
848.  
849. # MS reference
850. elsif ( $_ =~ /^MS\d+-.+/i ) {
851. my $regex = $&;
852. foreach my $k1 ( keys %$hashref ) {
853. foreach my $k2 ( keys %{ $$hashref{$k1} } ) {
854. next unless defined $$hashref{$k1}{$k2}{'rule'};
855. $sid_mod[$sidcount] = $k1 . ":" . $k2
856. if (
857. ( $$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i )
858. && ( $sid_mod[$sidcount] =~ /[a-xA-X](\w|\W)*/ )
859. );
860. push( @sid_mod, $k1 . ":" . $k2 )
861. if (
862. ( $$hashref{$k1}{$k2}{'rule'} =~ /($regex)/i )
863. && ( $sid_mod[$sidcount] =~ /\d+:\d+/ ) );
864. }
865. }
866. }
867.  
868. # Category
869. elsif ( $_ =~ /[a-xA-X]+(-|\w)*/ ) {
870. my $category = $&;
871. foreach my $k1 ( keys %$hashref ) {
872. foreach my $k2 ( keys %{ $$hashref{$k1} } ) {
873. next
874. unless defined $$hashref{$k1}{$k2}{'category'};
875. next
876. unless $$hashref{$k1}{$k2}{'category'} =~
877. /($category)/;
878. $sid_mod[$sidcount] = $k1 . ":" . $k2;
879. push( @sid_mod, $k1 . ":" . $k2 )
880. if $sid_mod[$sidcount] =~ /\d+:\d+/;
881. }
882. }
883. }
884. $sidcount++;
885. }
886. $sidcount = 0;
887. foreach (@sid_mod) {
888. if ( $_ =~ /^\d+:\d+/ ) {
889. my $gid = $&;
890. my $sid = $gid;
891. if ( $gid && $sid ) {
892. $gid =~ s/:\d+//;
893. $sid =~ s/\d+://;
894. if ($function) {
895. if ($function eq "enable") {
896. if ( exists $$hashref{$gid}{$sid}
897. && $$hashref{$gid}{$sid}{'rule'} =~
898. /^\s*#\s*(alert|drop|pass)/i
899. && !$rstate )
900. {
901. $$hashref{$gid}{$sid}{'rule'} =~
902. s/^\s*#+\s*//;
903. if ( $Verbose && !$Quiet ) {
904. print "\tEnabled $gid:$sid\n";
905. }
906. $sidcount++;
907. }
908.  
909. # Return State!
910. next unless $$hashref{$gid}{$sid};
911. next unless $$hashref{$gid}{$sid}{rule};
912. if ( $$hashref{$gid}{$sid}{'state'} && $$hashref{$gid}{$sid}{'state'} == 0
913. && $$hashref{$gid}{$sid}{'rule'} =~
914. /^\s*(alert|drop|pass)/
915. && $rstate )
916. {
917. $$hashref{$gid}{$sid}{'rule'} =
918. "# " . $$hashref{$gid}{$sid}{'rule'};
919. $sidcount++;
920. if ( $Verbose && !$Quiet ) {
921. print "\tRe-Disabled $gid:$sid\n";
922. }
923. }
924. elsif ( $$hashref{$gid}{$sid}{'state'} && $$hashref{$gid}{$sid}{'state'} == 1
925. && $$hashref{$gid}{$sid}{'rule'} =~
926. /^\s*#+\s*(alert|drop|pass)/
927. && $rstate )
928. {
929. $$hashref{$gid}{$sid}{'rule'} =~
930. s/^\s*#+\s*//;
931. $sidcount++;
932. if ( $Verbose && !$Quiet ) {
933. print "\tRe-Enabled $gid:$sid\n";
934. }
935. }
936. }
937. elsif ($function eq "drop") {
938. if ( exists $$hashref{$gid}{$sid}
939. && $$hashref{$gid}{$sid}{'rule'} =~
940. /^\s*#*\s*alert/i )
941. {
942. $$hashref{$gid}{$sid}{'rule'} =~
943. s/^\s*#*\s*//;
944. $$hashref{$gid}{$sid}{'rule'} =~
945. s/^alert/drop/;
946. if ( $Verbose && !$Quiet ) {
947. print "\tWill drop $gid:$sid\n";
948. }
949. $sidcount++;
950. }
951. }
952. elsif ($function eq "disable") {
953. if ( exists $$hashref{$gid}{$sid}
954. && $$hashref{$gid}{$sid}{'rule'} =~
955. /^\s*(alert|drop|pass)/i )
956. {
957. $$hashref{$gid}{$sid}{'rule'} =
958. "# " . $$hashref{$gid}{$sid}{'rule'};
959. $$hashref{$gid}{$sid}{'disabled'} = 1;
960. if ( $Verbose && !$Quiet ) {
961. print "\tDisabled $gid:$sid\n";
962. }
963. $sidcount++;
964. }
965. elsif ( exists $$hashref{$gid}{$sid}
966. && $$hashref{$gid}{$sid}{'rule'} =~
967. /^\s*#*\s*(alert|drop|pass)/i )
968. {
969. $$hashref{$gid}{$sid}{'disabled'} = 1;
970. }
971. }
972. }
973. }
974. }
975. }
976. print "\tModified $sidcount rules\n" if !$Quiet;
977. }
978. }
979. print "\tDone\n" if !$Quiet;
980. undef @sid_mod;
981. }
982.  
983. ## iprep control socket!
984. sub iprep_control {
985. my ($bin,$path) = @_;
986. return unless -f $bin;
987. my $cmd = "$bin $path 1361";
988. return unless (-f $bin && -f $path);
989. print "Issuing reputation socket reload command\n";
990. print "Command: $cmd\n" if $Verbose;
991. open(FH,"$cmd 2>&1 |");
992. while(<FH>){
993. chomp();
994. next unless $_ =~ /(warn|err|unable)/i;
995. print "$_\n";
996. }
997. close(FH);
998. }
999.  
1000. ## goodbye
1001. sub sig_hup {
1002. my ($pidlist) = @_;
1003. my @pids = split( /,/, $pidlist );
1004. my $pid;
1005. print "HangUP Time....\n";
1006. foreach $pid (@pids) {
1007. open( FILE, "$pid" )
1008. or croak $!;
1009. my $realpid = <FILE>;
1010. chomp($realpid);
1011. close(FILE);
1012. my $hupres = kill 1, $realpid;
1013. if ( $Verbose && !$Quiet ) {
1014. print
1015. "\tSent kill signal to $realpid from $pid with result $hupres\n";
1016. }
1017. }
1018. if ( !$Verbose && !$Quiet ) { print "\tDone!\n"; }
1019. undef @pids;
1020. }
1021.  
1022. ## make the sid-msg.map
1023. sub sid_msg {
1024. my ( $ruleshash, $sidhash, $enonly ) = @_;
1025. my ( $gid, $arg, $msg );
1026. print "Generating sid-msg.map....\n" if !$Quiet;
1027. foreach my $k ( sort keys %$ruleshash ) {
1028. foreach my $k2 ( sort keys %{ $$ruleshash{$k} } ) {
1029. next if ((defined $enonly) && $$ruleshash{$k}{$k2}{'rule'} !~ /^\s*(alert|drop|pass)/);
1030. ( my $header, my $options ) =
1031. split( /^[^"]* \(\s*/, $$ruleshash{$k}{$k2}{'rule'} )
1032. if defined $$ruleshash{$k}{$k2}{'rule'};
1033. my @optarray = split( /(?<!\\);\s*/, $options ) if $options;
1034. foreach my $option ( reverse(@optarray) ) {
1035. my ( $kw, $arg ) = split( /:\s*/, $option ) if $option;
1036. my $gid = $k;
1037. $gid = 1 if $k == 0;
1038. next unless ($kw && $arg && $kw =~ /(reference|msg|rev|classtype|priority)/);
1039. if ( $kw eq "reference" ) {
1040. push( @{ $$sidhash{$gid}{$k2}{refs} }, trim($arg));
1041. } elsif ($kw eq "msg"){
1042. $arg =~ s/"//g;
1043. $$sidhash{$gid}{$k2}{msg} = trim($arg);
1044. } elsif ($kw eq "rev"){
1045. $$sidhash{$gid}{$k2}{rev} = trim($arg);
1046. } elsif ($kw eq "classtype") {
1047. $$sidhash{$gid}{$k2}{classtype} = trim($arg);
1048. } elsif ($kw eq "priority") {
1049. $$sidhash{$gid}{$k2}{priority} = trim($arg);
1050. }
1051. }
1052. }
1053. }
1054. print "\tDone\n" if !$Quiet;
1055. }
1056.  
1057. ## write the rules files to unique output files!
1058. sub rule_category_write {
1059. my ( $hashref, $filepath, $enonly ) = @_;
1060. print "Writing rules to unique destination files....\n" if !$Quiet;
1061. print "\tWriting rules to $filepath\n" if !$Quiet;
1062.  
1063. my %hcategory = ();
1064. my $file;
1065. foreach my $k (sort keys %$categories){
1066. my $file = "$k.rules";
1067. open( WRITE,'>',"$filepath$file" );
1068. print WRITE "\n\n# ----- Begin $k Rules Category ----- #\n";
1069. foreach my $k2 (sort keys %{$categories->{$k}}) {
1070. print WRITE "\n# -- Begin GID:$k2 Based Rules -- #\n\n";
1071. foreach my $k3 (sort @{$categories->{$k}{$k2}}){
1072. next unless defined $$hashref{$k2}{$k3}{'rule'};
1073. if ( $enonly
1074. && $$hashref{$k2}{$k3}{'rule'} =~ /^\s*(alert|drop|pass)/ )
1075. {
1076. print WRITE $$hashref{$k2}{$k3}{'rule'} . "\n";
1077. }
1078. elsif ( !$enonly ) {
1079. print WRITE $$hashref{$k2}{$k3}{'rule'} . "\n";
1080. }
1081. }
1082. }
1083. close(WRITE);
1084. }
1085. print "\tDone\n" if !$Quiet;
1086. }
1087.  
1088. ## write our blacklist and blacklist version file!
1089. sub blacklist_write{
1090. my ($href,$path) = @_;
1091. my $blv = $Config_info{'IPRVersion'}."IPRVersion.dat";
1092. my $blver = 0;
1093.  
1094. # First lets be sure that our data is new, if not skip the rest of it!
1095. # We will MD5 our HREF then convert it to an integer.
1096. my $hobj = Digest::MD5->new;
1097. $hobj->add(%$href);
1098. my $hash = $hobj->hexdigest;
1099. my $ver = unpack ("i",$hash);
1100.  
1101. if (-f $blv){
1102. open(FH,'<',$blv);
1103. while(<FH>){
1104. next unless $_ =~ /\d+/;
1105. $blver = $_;
1106. }
1107. close(FH);
1108. }
1109.  
1110. if ($blver != $ver){
1111. print "Writing Blacklist File $path....\n" if !$Quiet;
1112. open (FH,'>',$path) || croak("Unable to open $path for writing! - $!\n");
1113. foreach (sort keys %$href){
1114. print FH "$_\n";
1115. }
1116. close(FH);
1117.  
1118. print "Writing Blacklist Version $ver to $blv....\n" if !$Quiet;
1119. open (FH,'>',$blv) || croak("Unable to open $blv for writing! - $!\n");
1120. print FH $ver;
1121. close(FH);
1122. return(1);
1123. } else {
1124. print "Blacklist version is unchanged, not updating!\n" if !$Quiet;
1125. return(0);
1126. }
1127.  
1128. }
1129.  
1130. ## write the rules to a single output file!
1131. sub rule_write {
1132. my ( $hashref, $file, $enonly ) = @_;
1133. print "Writing $file....\n" if !$Quiet;
1134. open( WRITE,'>',"$file" ) || croak "Unable to write $file - $!\n";
1135. #if ( $gid == 1 ) {
1136. foreach my $k (sort keys %$categories){
1137. print WRITE "\n\n# ----- Begin $k Rules Category ----- #\n";
1138. foreach my $k2 (sort keys %{$categories->{$k}}) {
1139. print WRITE "\n# -- Begin GID:$k2 Based Rules -- #\n\n";
1140. foreach my $k3 (sort @{$categories->{$k}{$k2}}){
1141. next unless defined $$hashref{$k2}{$k3}{'rule'};
1142. if ( $enonly
1143. && $$hashref{$k2}{$k3}{'rule'} =~ /^\s*(alert|drop|pass)/ )
1144. {
1145. print WRITE $$hashref{$k2}{$k3}{'rule'} . "\n";
1146. }
1147. elsif ( !$enonly ) {
1148. print WRITE $$hashref{$k2}{$k3}{'rule'} . "\n";
1149. }
1150. }
1151. }
1152. }
1153. close(WRITE);
1154. print "\tDone\n" if !$Quiet;
1155. }
1156.  
1157. ## sid file time!
1158. sub sid_write {
1159. my ( $hashref, $file, $sid_msg_version ) = @_;
1160. print "Writing v$sid_msg_version $file....\n" if !$Quiet;
1161. open( WRITE, ">$file" ) || croak "Unable to write $file -$!";
1162. print WRITE "#v$sid_msg_version\n"; # Version biznits!
1163. print WRITE "# sid-msg.map autogenerated by PulledPork - DO NOT MODIFY BY HAND!\n";
1164. foreach my $k ( sort keys %$hashref ) {
1165. foreach my $k2 ( sort keys %{$$hashref{$k}}){
1166. if ($sid_msg_version == 2){
1167. print WRITE "$k || $k2 || $hashref->{$k}{$k2}{rev} || ";
1168. if ($hashref->{$k}{$k2}{classtype}) {
1169. print WRITE "$hashref->{$k}{$k2}{classtype} || ";
1170. }
1171. else { print WRITE "NOCLASS || "; }
1172. if ($hashref->{$k}{$k2}{priority}) {
1173. print WRITE "$hashref->{$k}{$k2}{priority} || ";
1174. }
1175. else { print WRITE "0 || "; }
1176. } else {
1177. print WRITE "$k2 || ";
1178. }
1179. print WRITE "$hashref->{$k}{$k2}{msg}";
1180. foreach (@{$hashref->{$k}{$k2}{refs}}) {
1181. print WRITE " || $_";
1182. }
1183. print WRITE "\n";
1184. }
1185. }
1186. close(WRITE);
1187. print "\tDone\n" if !$Quiet;
1188. }
1189.  
1190. ## Pull the flowbits requirements from the currently enabled rules.
1191. # TODO: add extended functionality for setx, toggle and groups (Q1 of 2013)
1192. sub flowbit_check {
1193. my ( $rule, $aref ) = @_;
1194. my ( $header, $options ) = split( /^[^"]* \(\s*/, $rule );
1195. my @optarray = split( /(?<!\\);\s*/, $options ) if $options;
1196. foreach my $option ( reverse(@optarray) ) {
1197. my ( $kw, $arg ) = split( /:/, $option ) if $option;
1198. next unless ( $kw && $arg && $kw eq "flowbits" );
1199. my ( $flowact, $flowbit ) = split( /,/, $arg );
1200. next unless $flowact =~ /is(not)?set/i;
1201. push( @$aref, trim($flowbit) ) if $flowbit !~ /(&|\|)/;
1202. push( @$aref, split(/(&|\|)/,trim($flowbit))) if $flowbit =~ /(&|\|)/;
1203. }
1204. }
1205.  
1206. ## Enable flowbits if there is a rule that requires them!
1207. sub flowbit_set {
1208. my $href = shift;
1209. my $counter = 0;
1210. my @flowbits;
1211. foreach my $k1 ( keys %$href ) {
1212. foreach my $k2 ( keys %{ $$href{$k1} } ) {
1213. next unless $$href{$k1}{$k2}{'rule'} =~ /^(alert|drop|pass)/;
1214. next
1215. unless $$href{$k1}{$k2}{'rule'} =~
1216. /flowbits:\s*is(not)?set\s*,\s*[^;]+/i;
1217. flowbit_check( $$href{$k1}{$k2}{'rule'}, \@flowbits );
1218. }
1219. }
1220. my %dups;
1221. map { $dups{$_} = 1 } @flowbits;
1222. @flowbits = keys %dups;
1223. undef %dups;
1224. foreach my $k1 ( keys %$href ) {
1225. foreach my $k2 ( keys %{ $$href{$k1} } ) {
1226. foreach my $flowbit (@flowbits) {
1227. next
1228. unless defined $$href{$k1}{$k2}{$flowbit}
1229. && $$href{$k1}{$k2}{'rule'} =~
1230. /^\s*#\s*(alert|drop|pass)/i;
1231. $$href{$k1}{$k2}{'rule'} =~ s/^\s*#\s*//;
1232. if ( defined $$href{$k1}{$k2}{'disabled'} ) {
1233. print "\tWARN - $k1:$k2 is re-enabled by a",
1234. " check of the $flowbit flowbit!\n"
1235. if $Verbose && !$Quiet;
1236. }
1237. $counter++;
1238. }
1239. }
1240. }
1241. undef @flowbits;
1242. print "\tEnabled $counter flowbits\n" if ( $counter > 0 && !$Quiet );
1243. return $counter;
1244. }
1245.  
1246. ## Make some changelog fun!
1247. sub changelog {
1248. my ( $changelog, $hashref, $hashref2, $hashref3, $ips_policy, $enonly, $hmatch ) = @_;
1249.  
1250. print "Writing $changelog....\n" if !$Quiet;
1251. my ( @newsids, @delsids );
1252. undef @newsids;
1253. undef @delsids;
1254. my $rt = 0;
1255. my $dt = 0;
1256. my $dropped = 0;
1257. my $enabled = 0;
1258. my $disabled = 0;
1259. my $ips = 0;
1260.  
1261. foreach my $k1 ( keys %rules_hash ) {
1262.  
1263. foreach my $k2 ( keys %{ $$hashref{$k1} } ) {
1264. next if ( ($enonly) && ( $$hashref{$k1}{$k2}{'rule'} =~ /^\s*#/ ) );
1265. if ( !defined $$hashref2{$k1}{$k2}{'rule'} ) {
1266. my $msg_holder = $$hashref{$k1}{$k2}{'rule'};
1267. if ( $msg_holder =~ /msg:"[^"]+";/i ) {
1268. $msg_holder = $&;
1269. $msg_holder =~ s/msg:"//;
1270. $msg_holder =~ s/";//;
1271. }
1272. else { $msg_holder = "Unknown MSG" }
1273. push( @newsids, "$msg_holder ($k1:$k2)" );
1274. }
1275. $rt++ unless defined $$hashref2{$k1}{$k2}{'rule'};
1276. next unless defined $$hashref{$k1}{$k2}{'rule'};
1277. if ( $$hashref{$k1}{$k2}{'rule'} =~ /^\s*(alert|pass)/ ) {
1278. $enabled++;
1279. }
1280. elsif ( $$hashref{$k1}{$k2}{'rule'} =~ /^\s*drop/ ) {
1281. $dropped++;
1282. }
1283. elsif (
1284. $$hashref{$k1}{$k2}{'rule'} =~ /^\s*#*\s*(alert|drop|pass)/ )
1285. {
1286. $disabled++;
1287. }
1288. }
1289. }
1290. foreach my $k1 ( sort keys %$hashref2 ) {
1291. for my $k2 ( sort keys %{ $$hashref2{$k1} } ) {
1292. next if defined $$hashref{$k1}{$k2}{'rule'};
1293. next
1294. if ( ($enonly) && ( $$hashref2{$k1}{$k2}{'rule'} =~ /^\s*#/ ) );
1295. my $msg_holder = $$hashref2{$k1}{$k2}{'rule'};
1296. if ( $msg_holder =~ /msg:"[^"]+";/ ) {
1297. $msg_holder = $&;
1298. $msg_holder =~ s/msg:"//;
1299. $msg_holder =~ s/";//;
1300. }
1301. else { $msg_holder = "Unknown MSG" }
1302. push( @delsids, "$msg_holder ($k1:$k2)" );
1303. $dt++;
1304. }
1305. }
1306. if (%$hashref3){
1307. $ips = keys(%$hashref3);
1308. }
1309. if ( -f $changelog ) {
1310. open( WRITE,'>>',$changelog ) || croak "$changelog $!\n";
1311. }
1312. else {
1313. open( WRITE,'>',$changelog ) || croak "$changelog $!\n";
1314. print WRITE
1315. "-=BEGIN PULLEDPORK SNORT RULES CHANGELOG, Tracking started on "
1316. . gmtime(time)
1317. . " GMT=-\n\n\n";
1318. }
1319. print WRITE "\n-=Begin Changes Logged for " . gmtime(time) . " GMT=-\n";
1320. if ($Process) {
1321. print WRITE "\nNew Rules\n" if @newsids;
1322. @newsids = sort(@newsids);
1323. @delsids = sort(@delsids);
1324. foreach (@newsids) { print WRITE "\t" . $_ . "\n"; }
1325. print WRITE "\nDeleted Rules\n" if @delsids;
1326. foreach (@delsids) { print WRITE "\t" . $_ . "\n"; }
1327. print WRITE "\nSet Policy: $ips_policy\n" if $ips_policy;
1328. print WRITE "\nRule Totals\n";
1329. print WRITE "\tNew:-------$rt\n";
1330. print WRITE "\tDeleted:---$dt\n";
1331. print WRITE "\tEnabled:---$enabled\n";
1332. print WRITE "\tDropped:---$dropped\n";
1333. print WRITE "\tDisabled:--$disabled\n";
1334. print WRITE "\tTotal:-----" . ( $enabled + $disabled + $dropped ) . "\n";
1335. } else { print WRITE "\nNo Rule Changes\n"; }
1336. if ($bmatch){
1337. print WRITE "\nIP Blacklist Stats\n\tTotal IPs:-----$ips\n" if $ips;
1338. } else { print WRITE "\nNo IP Blacklist Changes\n"; }
1339. print WRITE "\n-=End Changes Logged for " . gmtime(time) . " GMT=-\n";
1340. close(WRITE);
1341.  
1342. if ( !$Quiet ) {
1343. print "\tDone\n";
1344. if ($Process) {
1345. print "Rule Stats...\n";
1346. print "\tNew:-------$rt\n";
1347. print "\tDeleted:---$dt\n";
1348. print "\tEnabled Rules:----$enabled\n";
1349. print "\tDropped Rules:----$dropped\n";
1350. print "\tDisabled Rules:---$disabled\n";
1351. print "\tTotal Rules:------"
1352. . ( $enabled + $dropped + $disabled );
1353. } else { print "\nNo Rule Changes\n"; }
1354. if ($bmatch){
1355. print "\nIP Blacklist Stats...\n\tTotal IPs:-----$ips\n" if $ips;
1356. } else { print "\nNo IP Blacklist Changes\n"; }
1357. print "\nDone\n";
1358. print "Please review $sid_changelog for additional details\n"
1359. if $sid_changelog;
1360. }
1361. undef @newsids;
1362. undef @delsids;
1363. }
1364.  
1365. ## Trim it up, loves the trim!
1366. sub trim {
1367. my ($trimmer) = @_;
1368. if ($trimmer) {
1369. $trimmer =~ s/^\s*//;
1370. $trimmer =~ s/\s*$//;
1371. return $trimmer;
1372. }
1373. }
1374.  
1375. ## Does it hurt when I slash you?
1376. sub slash {
1377. my ( $operation, $string ) = @_;
1378. if ( $operation == 0 && $string =~ /\/$/ && $string ne "" ) {
1379. $string =~ s/\/$//;
1380. }
1381. elsif ( $operation == 1 && $string !~ /\/$/ && $string ne "" ) {
1382. $string = $string . "/";
1383. }
1384. return $string;
1385. }
1386.  
1387. ## uh, yeah
1388. sub Version {
1389. print("$VERSION\n\n");
1390. exit(0);
1391. }
1392.  
1393. ## find the snort version baby!
1394. sub snort_version {
1395. my $cmd = shift;
1396. $cmd .= " -V";
1397. my $version;
1398. open( FH, "$cmd 2>&1 |" );
1399. while (<FH>) {
1400. next unless $_ =~ /Version/;
1401. if ( $_ =~ /\d\.\d\.\d\.\d/ ) {
1402. $version = $&;
1403. }
1404. elsif ( $_ =~ /\d\.\d\.\d/ ) {
1405. $version = $& . ".0";
1406. }
1407. }
1408. close(FH);
1409. return $version;
1410. }
1411.  
1412. ## our arch
1413. sub get_arch {
1414. my $cmd = "uname -a";
1415. open( FH, "$cmd |" );
1416. my $arch;
1417. while (<FH>) {
1418. next unless $_ =~ /(i386|x86-64|x86_64|i686|amd64)/i;
1419. $arch = $&;
1420. $arch =~ s/_/-/;
1421. $arch =~ s/i686/i386/;
1422. $arch =~ s/amd64/x86-64/;
1423. }
1424. close(FH);
1425. return $arch;
1426. }
1427.  
1428. ## log to syslog
1429. sub syslogit {
1430. my ( $level, $msg ) = @_;
1431.  
1432. openlog( 'pulledpork', 'ndelay,pid', 'local0' );
1433. syslog( $level, $msg );
1434. closelog;
1435. }
1436.  
1437. ## Create some backup and archive foo!
1438. sub archive {
1439. my ( $data, $filename ) = @_;
1440. my @records;
1441. my $compression = "COMPRESS_GZIP";
1442. $filename .= "." . time() . ".tgz";
1443. print "Creating backup at: $filename\n" unless $Quiet;
1444. foreach my $record (@$data) {
1445. if ( -f $record ) {
1446. print "\tAdding file: $record\n" if $Verbose && !$Quiet;
1447. push( @records, $record );
1448. }
1449. elsif ( -d $record ) {
1450. print "\tAdding dir: $record\n" if $Verbose && !$Quiet;
1451. find( \&archive_wanted, $record );
1452. }
1453. }
1454. print "\tWriting Archive: $filename - may take several minutes!\n"
1455. if $Verbose && !$Quiet;
1456. Archive::Tar->create_archive( $filename, $compression, @records );
1457. }
1458.  
1459. ## Define what we will find for the archive sub when dir is found!
1460. sub archive_wanted {
1461. return unless -f $_;
1462. print "\tAdding file: $File::Find::name\n" if $Verbose == 2 && !$Quiet;
1463. push( @records, $File::Find::name );
1464. }
1465.  
1466. ###
1467. ### Main here, let's get on with it already
1468. ###
1469.  
1470. if ( $#ARGV == -1 ) {
1471. Help(
1472. "Please read the README for runtime options and configuration documentation"
1473. );
1474. }
1475.  
1476. ## Lets grab any runtime values and insert into our variables using getopt::long
1477. GetOptions(
1478. "a!" => \$Auto,
1479. "b=s" => \$sidmod{drop},
1480. "c=s" => \$Config_file,
1481. "C=s" => \$Snort_config,
1482. "d!" => \$Hash,
1483. "D=s" => \$Distro,
1484. "E!" => \$enonly,
1485. "e=s" => \$sidmod{enable},
1486. "g!" => \$grabonly,
1487. "H!" => \$SigHup,
1488. "h=s" => \$sid_changelog,
1489. "i=s" => \$sidmod{disable},
1490. "I=s" => \$ips_policy,
1491. "k!" => \$keep_rulefiles,
1492. "K=s" => \$rule_file_path,
1493. "l!" => \$Syslogging,
1494. "L=s" => \$local_rules,
1495. "M=s" => \$sidmod{modify},
1496. "m=s" => \$sid_msg_map,
1497. "n!" => \$NoDownload,
1498. "o=s" => \$Output,
1499. "p=s" => \$Snort_path,
1500. "P!" => \$Process,
1501. "q" => \$Quiet,
1502. "R!" => \$rstate,
1503. "r=s" => \$docs,
1504. "S=s" => \$Snort,
1505. "s=s" => \$Sorules,
1506. "T!" => \$Textonly,
1507. "u=s" => \@base_url,
1508. "V!" => sub { Version() },
1509. "v+" => \$Verbose,
1510. "help|?" => sub { Help() }
1511. );
1512.  
1513. ## Fly piggy fly!
1514. pulledpork() if !$Quiet;
1515.  
1516. # Dump our variables for verbose/debug output
1517.  
1518. if ( !$Config_file ) { Help("No configuration file specified"); }
1519.  
1520. # Call the subroutine to fetch config values
1521. parse_config_file( $Config_file, \%Config_info );
1522.  
1523. if ( $Verbose && !$Quiet ) {
1524. print "Config File Variable Debug $Config_file\n";
1525. foreach $Config_key ( keys %Config_info ) {
1526. if ( $Config_info{$Config_key} ) {
1527. print "\t$Config_key = $Config_info{$Config_key}\n";
1528. }
1529. }
1530.  
1531. }
1532.  
1533. if ( exists $Config_info{'version'} ) {
1534. croak "You are not using the current version of pulledpork.conf!\n",
1535. "Please use the version of pulledpork.conf that shipped with $VERSION!\n\n"
1536. if $Config_info{'version'} ne "0.7.0";
1537. }
1538. else {
1539. croak
1540. "You are not using the current version of pulledpork.conf!\nPlease use the version that shipped with $VERSION!\n\n";
1541. }
1542.  
1543. # Check to see if we have command line inputs, if so, they super-seed any config file values!
1544. # We also begin sub execution here
1545.  
1546. $pid_path = ( $Config_info{'pid_path'} ) if exists $Config_info{'pid_path'};
1547. $ignore_files = ( $Config_info{'ignore'} ) if exists $Config_info{'ignore'};
1548.  
1549. if ($rule_file_path) {
1550. $keep_rulefiles = 1;
1551. }
1552.  
1553. $sid_msg_version = $Config_info{'sid_msg_version'};
1554.  
1555. if ( $keep_rulefiles && defined $Config_info{'out_path'} && !$rule_file_path ) {
1556. $rule_file_path = $Config_info{'out_path'};
1557. }
1558.  
1559. if ($rule_file_path) {
1560. $rule_file_path = slash( 1, "$rule_file_path" );
1561. }
1562.  
1563. if ( !$ips_policy && defined $Config_info{'ips_policy'} ) {
1564. $ips_policy = $Config_info{'ips_policy'};
1565. }
1566.  
1567. if ( !$black_list && defined $Config_info{'black_list'} ) {
1568. $black_list = $Config_info{'black_list'};
1569. }
1570.  
1571. if ( !$sidmod{enable} && defined $Config_info{'enablesid'} ) {
1572. $sidmod{enable} = $Config_info{'enablesid'};
1573. }
1574.  
1575. if ( !$sidmod{modify} && defined $Config_info{'modifysid'} ) {
1576. $sidmod{modify} = $Config_info{'modifysid'};
1577. }
1578.  
1579. if ( !$sidmod{drop} && defined $Config_info{'dropsid'} ) {
1580. $sidmod{drop} = $Config_info{'dropsid'};
1581. }
1582.  
1583. if ( !$sidmod{disable} && defined $Config_info{'disablesid'} ) {
1584. $sidmod{disable} = $Config_info{'disablesid'};
1585. }
1586.  
1587. my @sidact = ( 'enable', 'drop', 'disable' );
1588.  
1589. if ( defined $Config_info{'state_order'} ) {
1590. (@sidact) = split( /,/, $Config_info{'state_order'} );
1591. }
1592.  
1593. if ( !@base_url ) {
1594. @base_url = @{ $Config_info{'rule_url'} };
1595. if ( !@base_url ) {
1596. Help(
1597. "You need to specify one rule_url at a minimum to fetch the rules files from!\n"
1598. );
1599. }
1600. }
1601.  
1602. if ( !$Output ) {
1603. $Output = ( $Config_info{'rule_path'} );
1604. if ( !$Output ) { Help("You need to specify an output rules file!"); }
1605. }
1606. $Output = slash( 0, $Output );
1607.  
1608. if ( !$Sorules ) {
1609. $Sorules = ( $Config_info{'sorule_path'} );
1610. }
1611. $Sorules = slash( 1, $Sorules ) if $Sorules;
1612.  
1613. if ( !$docs ) {
1614. $docs = ( $Config_info{'docs'} );
1615. }
1616.  
1617. undef $Sostubs if ($Textonly);
1618. undef $Sorules if ($Textonly);
1619.  
1620. if ( !$Distro ) {
1621. $Distro = ( $Config_info{'distro'} );
1622. }
1623.  
1624. if ( !$Snort ) {
1625. $Snort = ( $Config_info{'snort_version'} );
1626. }
1627.  
1628. if ( !$Snort_path ) {
1629. $Snort_path = ( $Config_info{'snort_path'} );
1630. $Snort = snort_version($Snort_path) if ( -B $Snort_path && !$Snort );
1631. $arch = get_arch();
1632. $Textonly = 1 unless $Snort;
1633. }
1634.  
1635. if ( !$local_rules && ( $Config_info{'local_rules'} ) ) {
1636. $local_rules = ( $Config_info{'local_rules'} );
1637. }
1638. elsif ( !$local_rules && !( $Config_info{'local_rules'} ) ) {
1639. $local_rules = 0;
1640. }
1641.  
1642. if ( !$Snort_config ) {
1643. $Snort_config = ( $Config_info{'config_path'} );
1644. }
1645.  
1646. if ( !$sid_msg_map ) {
1647. $sid_msg_map = ( $Config_info{'sid_msg'} );
1648. }
1649. if ( !$sid_changelog ) {
1650. $sid_changelog = ( $Config_info{'sid_changelog'} );
1651. }
1652.  
1653. if ( !$ips_policy ) {
1654. $ips_policy = "Disabled";
1655. }
1656.  
1657. if ( $Verbose && !$Quiet ) {
1658. print "MISC (CLI and Autovar) Variable Debug:\n";
1659. if ($Process) { print "\tProcess flag specified!\n"; }
1660. if ($arch) { print "\tarch Def is: $arch\n"; }
1661. if ($Config_file) { print "\tConfig Path is: $Config_file\n"; }
1662. if ($Distro) { print "\tDistro Def is: $Distro\n"; }
1663. if ($docs) { print "\tDocs Reference Location is: $docs\n"; }
1664. if ($keep_rulefiles) { print "\tKeep rulefiles flag is Set\n"; }
1665. if ($rule_file_path) { print "\tKeep rulefiles path: $rule_file_path\n"; }
1666. if ($enonly) { print "\tWrite ONLY enabled rules flag is Set\n"; }
1667. if ($grabonly) { print "\tgrabonly Flag is Set, only gonna download!"; }
1668.  
1669. if ($Hash) {
1670. print
1671. "\tNo MD5 Flag is Set, uhm, ok? I'm gonna fetch the latest file no matter what!\n";
1672. }
1673. if ($ips_policy) { print "\t$ips_policy policy specified\n"; }
1674. if ($local_rules) { print "\tlocal.rules path is: $local_rules\n"; }
1675. if ($NoDownload) { print "\tNo Download Flag is Set\n"; }
1676. if ($Output) { print "\tRules file is: $Output\n"; }
1677. if ($rstate) { print "\tReturn State flag is Set\n"; }
1678. if ($rule_file) { print "\tRule File is: $rule_file\n"; }
1679. if ( $sidmod{disable} ) {
1680. print "\tPath to disablesid file: $sidmod{disable}\n";
1681. }
1682. if ( $sidmod{drop} ) { print "\tPath to dropsid file: $sidmod{drop}\n"; }
1683. if ( $sidmod{enable} ) {
1684. print "\tPath to enablesid file: $sidmod{enable}\n";
1685. }
1686. if ( $sidmod{modify} ) {
1687. print "\tPath to modifysid file: $sidmod{modify}\n";
1688. }
1689. if ($sid_changelog) {
1690. print "\tsid changes will be logged to: $sid_changelog\n";
1691. }
1692. if ($sid_msg_map) { print "\tsid-msg.map Output Path is: $sid_msg_map\n"; }
1693. if ($SigHup) { print "\tSIGHUP Flag is Set\n"; }
1694. if ($Snort) { print "\tSnort Version is: $Snort\n"; }
1695. if ($Snort_config) { print "\tSnort Config File: $Snort_config\n"; }
1696. if ($Snort_path) { print "\tSnort Path is: $Snort_path\n"; }
1697. if ($Sorules) { print "\tSO Output Path is: $Sorules\n"; }
1698. if ($Sostubs) { print "\tWill process SO rules\n"; }
1699. if ($Syslogging) { print "\tLogging Flag is Set\n"; }
1700. if ($Textonly) { print "\tText Rules only Flag is Set\n"; }
1701. if ( $Verbose == 2 ) { print "\tExtra Verbose Flag is Set\n"; }
1702. if ($Verbose) { print "\tVerbose Flag is Set\n"; }
1703. if (@base_url) { print "\tBase URL is: @base_url\n"; }
1704. }
1705.  
1706. # We need a temp path to work with the files while we do magics on them.. make sure you have plenty
1707. # of space in this path.. ~200mb is a good starting point
1708. $temp_path = ( $Config_info{'temp_path'} );
1709. if ( !$temp_path ) {
1710. Help("You need to specify a valid temp path, check permissions too!");
1711. }
1712. $temp_path = slash( 1, $temp_path );
1713. if ( !-d $temp_path ) {
1714. Help("Temporary file path $temp_path does not exist.\n");
1715. }
1716.  
1717. # Validate sid_msg_map version
1718. Help("Please specify version 1 or 2 for sid_msg_version in your config file\n") unless $sid_msg_version =~ /(1|2)/;
1719.  
1720. # set some UserAgent and other connection configs
1721. $ua->agent("$VERSION");
1722. $ua->show_progress(1) if ( $Verbose && !$Quiet );
1723.  
1724. # New Settings to allow proxy connections to use proper SSL formating - Thx pkthound!
1725. $ua->timeout(60);
1726. $ua->cookie_jar( {} );
1727. $ua->protocols_allowed( [ 'http', 'https' ] );
1728. $ua->proxy( ['http'], $ENV{http_proxy} ) if $ENV{http_proxy};
1729. $ua->proxy( ['https'], $ENV{https_proxy} ) if $ENV{https_proxy};
1730.  
1731. # Pull in our env vars before we load any of the modules!
1732. BEGIN {
1733. my $proxy = $ENV{http_proxy};
1734. if ($proxy) {
1735. #Let's handle proxy variables with username / passphrase in them!
1736. if ( $proxy =~ /^(http|https):\/\/([^:]+):([^:]+)@(.+)$/i ) {
1737. my $proxytype = $1;
1738. my $proxyuser = $2;
1739. my $proxypass = $3;
1740. my $proxyaddy = $4;
1741.  
1742. $ENV{HTTP_PROXY} = "$proxytype://$proxyaddy";
1743. $ENV{HTTP_PROXY_USERNAME} = $proxyuser;
1744. $ENV{HTTP_PROXY_PASSWORD} = $proxypass;
1745. $ENV{HTTPS_PROXY} = "$proxytype://$proxyaddy";
1746. $ENV{HTTPS_PROXY_USERNAME} = $proxyuser;
1747. $ENV{HTTPS_PROXY_PASSWORD} = $proxypass;
1748. }
1749. else {
1750. $ENV{HTTPS_PROXY} = $proxy;
1751. $ENV{HTTP_PROXY} = $proxy;
1752. }
1753. }
1754. undef $proxy;
1755. $proxy = $ENV{https_proxy}; #check for https_proxy env var
1756. if ($proxy) {
1757.  
1758. #Let's handle proxy variables with username / passphrase in them!
1759. if ( $proxy =~ /^(http|https):\/\/([^:]+):([^:]+)@(.+)$/i ) {
1760. my $proxytype = $1;
1761. my $proxyuser = $2;
1762. my $proxypass = $3;
1763. my $proxyaddy = $4;
1764.  
1765. $ENV{HTTPS_PROXY} = "$proxytype://$proxyaddy";
1766. $ENV{HTTPS_PROXY_USERNAME} = $proxyuser;
1767. $ENV{HTTPS_PROXY_PASSWORD} = $proxypass;
1768. }
1769. else {
1770. $ENV{HTTPS_PROXY} = $proxy;
1771. }
1772. }
1773. }
1774.  
1775. if ( $Verbose == 2 ) {
1776. $ENV{HTTPS_DEBUG} = 1;
1777. $ENV{HTTP_DEBUG} = 1;
1778. print "\n\nMY HTTPS PROXY = $ENV{HTTPS_PROXY}\n" if ( $ENV{HTTPS_PROXY} && !$Quiet );
1779. print "\n\nMY HTTP PROXY = $ENV{HTTP_PROXY}\n" if ( $ENV{HTTP_PROXY} && !$Quiet );
1780. }
1781.  
1782. # let's fetch the most recent md5 file then compare and do our foo
1783. if ( @base_url && -d $temp_path ) {
1784.  
1785. if ( -d $temp_path . "tha_rules" ) {
1786. print
1787. "\tdoh, we need to perform some cleanup ... an unclean run last time?\n"
1788. if ( $Verbose && !$Quiet );
1789. temp_cleanup($temp_path);
1790. }
1791.  
1792. if ( !$NoDownload ) {
1793. # Crate a local hash that we will iterate through later for processing
1794. my $filelist = ();
1795. my $blk=0;
1796. # Iterate through all of our urls and check md5 then process accordingly etc...
1797. foreach (@base_url) {
1798. undef $Hash if ($Hash && $Hash == 2);
1799. #undef $Process if ($Process && $Process ==2);
1800. my ( $base_url, $rule_file, $oinkcode ) = split( /\|/, $_ );
1801. croak
1802. "You need to define an oinkcode, please review the rule_url section of the pulledpork config file!\n"
1803. unless $oinkcode;
1804. croak(
1805. "please define the rule_url correctly in the pulledpork.conf\n")
1806. unless defined $base_url;
1807. croak(
1808. "please define the rule_url correctly in the pulledpork.conf\n")
1809. unless defined $rule_file;
1810.  
1811. if ( $base_url =~ /[^labs]\.snort\.org/i ) {
1812. $prefix = "VRT-";
1813. unless ( $rule_file =~ /snortrules-snapshot-\d{4}\.tar\.gz/
1814. || $rule_file =~ /opensource\.gz/ )
1815. {
1816. croak(
1817. "The specified Snort binary does not exist!\nPlease correct the value or specify the FULL",
1818. " rules tarball name in the pulledpork.conf!\n"
1819. ) unless $Snort;
1820. my $Snortv = $Snort;
1821. $Snortv =~ s/\.//g;
1822. $rule_file = "snortrules-snapshot-$Snortv.tar.gz";
1823. }
1824. }
1825. elsif ( $base_url =~ /(emergingthreats.net|emergingthreatspro.com)/ ) {
1826. $prefix = "ET-";
1827. if ($Snort =~ /(?<=\d\.\d\.\d)\.\d/) {
1828. my $Snortv = $Snort;
1829. $Snortv =~ s/(?<=\d\.\d\.\d)\.\d//;
1830. $base_url .= "$oinkcode/snort-$Snortv/";
1831. } elsif ($Snort =~ /suricata/i) {
1832. $base_url .= "$oinkcode/$Snort/";
1833. }
1834. }
1835. elsif ( $base_url =~ /snort-org.+community/ ){
1836. $prefix = "Snort-Community-"
1837. }
1838.  
1839. $prefix = "Custom-" unless $prefix;
1840.  
1841. $Hash = 2 unless $base_url =~ /(emergingthreats|[^labs]\.snort\.org)|snort-org/;
1842. if ($rule_file =~/IPBLACKLIST/) {
1843. $Hash = 2;
1844. $rule_file.=$blk++;
1845. }
1846.  
1847. if ( !$Hash ) {
1848. $md5 = md5file( $oinkcode, $rule_file, $temp_path, $base_url );
1849. }
1850.  
1851. # and now lets determine the md5 of the last saved rules file if it exists
1852. if ( -f "$temp_path" . "$rule_file" && !$Hash ) {
1853. $rule_digest = md5sum( $rule_file, $temp_path );
1854. }
1855. else { # the file didn't exsist so lets get it
1856. rulefetch( $oinkcode, $rule_file, $temp_path, $base_url );
1857. $Process = 1 unless $rule_file =~ /IPBLACKLIST/;
1858. if ( -f "$temp_path" . "$rule_file" && !$Hash ) {
1859. $rule_digest = md5sum( $rule_file, $temp_path );
1860. }
1861. }
1862.  
1863. # Don't need to perform the following on the IP blacklist stuff...
1864. next if $rule_file =~ /IPBLACKLIST/;
1865.  
1866. # Stuff it all into a hash for use in a bit...
1867. $filelist->{$rule_file} = {
1868. 'oinkcode' => $oinkcode,
1869. 'temp_path' => $temp_path,
1870. 'Hash' => $Hash,
1871. 'base_url' => $base_url,
1872. 'md5' => $md5,
1873. 'rule_digest' => $rule_digest,
1874. 'Distro' => $Distro,
1875. 'arch' => $arch,
1876. 'Snort' => $Snort,
1877. 'Sorules' => $Sorules,
1878. 'ignore_files' => $ignore_files,
1879. 'docs' => $docs,
1880. 'prefix' => $prefix,
1881. 'Process' => $Process,
1882. 'hmatch' => $hmatch
1883. };
1884.  
1885. # compare the online current md5 against against the md5 of the rules file on system
1886. $hmatch = compare_md5(
1887. $oinkcode, $rule_file, $temp_path, $Hash,
1888. $base_url, $md5, $rule_digest, $Distro,
1889. $arch, $Snort, $Sorules, $ignore_files,
1890. $docs, $prefix, $Process, $hmatch,
1891. $filelist
1892. );
1893. }
1894. # If any of our rules tarballs are new or changed then we need to process all of them
1895. if (($filelist->{EXTRACT} && $filelist->{EXTRACT} == 1) || $Process) {
1896. foreach (keys %{$filelist}){
1897. next if $_ eq "EXTRACT";
1898. $Process = 1;
1899. rule_extract(
1900. $_, $filelist->{$_}{temp_path},
1901. $filelist->{$_}{Distro}, $filelist->{$_}{arch},
1902. $filelist->{$_}{Snort}, $filelist->{$_}{Sorules},
1903. $filelist->{$_}{ignore_files}, $filelist->{$_}{docs},
1904. $filelist->{$_}{prefix}
1905. );
1906. }
1907. }
1908. }
1909. # Only process a local rules tarball
1910. if ( $NoDownload && !$grabonly ) {
1911. foreach (@base_url) {
1912. my ( $base_url, $rule_file ) = split( /\|/, $_ );
1913. next if $rule_file =~ /IPBLACKLIST/;
1914. if ( $base_url =~ /[^labs]\.snort\.org/i ) {
1915. $prefix = "VRT-";
1916. unless ( $rule_file =~ /snortrules-snapshot-\d{4}\.tar\.gz/ ) {
1917. croak(
1918. "The specified Snort rules tarball does not exist!\nPlease correct the value or specify the FULL",
1919. " rules tarball name in the pulledpork.conf!\n"
1920. ) unless $Snort;
1921. my $Snortv = $Snort;
1922. $Snortv =~ s/\.//g;
1923. $rule_file = "snortrules-snapshot-$Snortv.tar.gz";
1924. }
1925. }
1926. croak "file $temp_path/$rule_file does not exist!\n"
1927. unless (-f "$temp_path/$rule_file");
1928. $prefix = "ET-" if $base_url =~ /(emergingthreats.net|emergingthreatspro.com)/;
1929. $prefix = "Snort-Community-" if $base_url =~ /snort-org.+community/;
1930. rule_extract(
1931. $rule_file, $temp_path, $Distro,
1932. $arch, $Snort, $Sorules,
1933. $ignore_files, $docs, $prefix
1934. ) if !$grabonly;
1935. }
1936. }
1937. # Read our rules and stuff them into a hash
1938. if ( $Output && !$grabonly && $Process) {
1939. read_rules( \%rules_hash, "$temp_path" . "tha_rules/", $local_rules );
1940. }
1941. # If we are using SO rules, generate the stubs and then stuff them into a hash
1942. if ( $Sorules
1943. && -e $Sorules
1944. && $Distro
1945. && $Snort
1946. && !$Textonly
1947. && !$grabonly
1948. && $Process)
1949. {
1950. gen_stubs( $Snort_path, $Snort_config,
1951. "$temp_path" . "tha_rules/so_rules/" );
1952. read_rules( \%rules_hash, "$temp_path" . "tha_rules/so_rules/",
1953. $local_rules );
1954. }
1955. }
1956. else { Help("Check your oinkcode, temp path and freespace!"); }
1957.  
1958. # Read our old rules so that we can determine what is new / changed / deleted
1959. if ($Output && !$grabonly && $Process) {
1960. if ( $sid_changelog && -f $Output && !$keep_rulefiles ) {
1961. read_rules( \%oldrules_hash, "$Output", $local_rules );
1962. }
1963. if ( $sid_changelog && $keep_rulefiles && -d $rule_file_path ) {
1964. read_rules( \%oldrules_hash, "$rule_file_path", $local_rules );
1965. }
1966. #print Dumper(%oldrules_hash);
1967. }
1968.  
1969. # Clean up temp path
1970. if ( -d $temp_path ) {
1971. temp_cleanup();
1972. }
1973.  
1974. # Process our blacklist data.. need to add a conditional where if we are not linux, we don't
1975. # use the control socket (linux only)
1976. if ($black_list && %blacklist && !$NoDownload){
1977. $bmatch = blacklist_write(\%blacklist,$black_list);
1978. iprep_control($Config_info{'snort_control'},$Config_info{'IPRVersion'}) if $bmatch;
1979. }
1980.  
1981. # Set our rule states, based on config files and specified base policy, also set our flowbit dependencies
1982. if ($Output && !$grabonly && $Process) {
1983. if ( $ips_policy ne "Disabled" ) {
1984. policy_set( $ips_policy, \%rules_hash );
1985. }
1986.  
1987. if ( $sidmod{modify} && -f $sidmod{modify} ) {
1988. modify_sid( \%rules_hash, $sidmod{modify} );
1989. }
1990.  
1991. foreach (@sidact) {
1992. if ( $sidmod{$_} && -f $sidmod{$_} ) {
1993. modify_state( $_, $sidmod{$_}, \%rules_hash, $rstate );
1994. }
1995. elsif ( $sidmod{$_} && !-f $sidmod{$_} ) {
1996. carp "Unable to read: $sidmod{$_} - $!\n";
1997. }
1998. }
1999.  
2000. print "Setting Flowbit State....\n"
2001. if ( !$Quiet );
2002.  
2003. my $fbits = 1;
2004. while ( $fbits > 0 ) {
2005. $fbits = flowbit_set( \%rules_hash );
2006. }
2007. print "\tDone\n"
2008. if ( !$Quiet );
2009.  
2010. if ($Output && $Process) {
2011. rule_write( \%rules_hash, $Output, $enonly ) unless $keep_rulefiles;
2012. rule_category_write( \%rules_hash, $rule_file_path, $enonly )
2013. if $keep_rulefiles;
2014. }
2015.  
2016. if ($sid_msg_map && $Process) {
2017. sid_msg( \%rules_hash, \%sid_msg_map, $enonly );
2018. sid_write( \%sid_msg_map, $sid_msg_map, $sid_msg_version );
2019. }
2020.  
2021. if ( $SigHup && $pid_path ne "" && $Process) {
2022. sig_hup($pid_path) unless $Sostubs;
2023. print "WARNING, cannot send sighup if also processing SO rules\n",
2024. "\tsee README.SHAREDOBJECTS\n", "\tor use -T flag!\n"
2025. if ( $Sostubs && !$Quiet );
2026. }
2027.  
2028. if ( $Config_info{backup} ) {
2029. @records = split( /,/, $Config_info{backup} );
2030. archive( \@records, $Config_info{backup_file} )
2031. if $Config_info{backup_file};
2032. if ($Verbose) {
2033. print
2034. "\tWARN - Unable to create a backup without defining backup_file in config!\n",
2035. unless $Config_info{backup_file};
2036. }
2037. print "\tDone\n" unless $Quiet;
2038. }
2039. }
2040.  
2041. if ( $sid_changelog && -f $Output ) {
2042. changelog(
2043. $sid_changelog, \%rules_hash, \%oldrules_hash,
2044. \%blacklist, $ips_policy, $enonly, $hmatch, $bmatch
2045. );
2046. }
2047.  
2048. print("Fly Piggy Fly!\n") if !$Quiet;
2049. syslogit( 'warning|local0', "INFO: Finished Cleanly" ) if $Syslogging;
2050.  
2051. __END__