Expose the new options of spoink to the GUI

Improve spoink code a lot: - Allow to block by src/dst/both on the packet that generated alert. Default to src to keep backward compatibility - Speedup whitelist search - Create an option that allows to kill states on pf for blocked hosts. This allows to remove all access to the blocked host. TODO: - More fine grained blocking options? - Make whiwhitelist hparsing less sucky and IPv6 compatible
pfsense · Jan 25, 2012 · e4c13a5 · e4c13a5
1 parent 3284c26
commit e4c13a5
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 4 deletions.
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
@@ -1383,7 +1383,11 @@ function generate_snort_conf($id, $if_real, $snort_uuid)
 		else if (file_exists("/usr/local/etc/snort/whitelist/{$snortcfg['whitelistname']}"))
 			$spoink_whitelist_name = $snortcfg['whitelistname'];
 
-		$spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/{$spoink_whitelist_name},snort2c";
+		$pfkill = "";
+		if ($snortcfg['blockoffenderskill'] == "on")
+			$pfkill = "kill";
+
+		$spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/{$spoink_whitelist_name},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}";
 	}
 
 	/* define threshold file */

diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
@@ -128,6 +128,8 @@
 		$pconfig['descr'] = $a_nat[$id]['descr'];
 		$pconfig['performance'] = $a_nat[$id]['performance'];
 		$pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7'];
+		$pconfig['blockoffenderskill'] = $a_nat[$id]['blockoffenderskill'];
+		$pconfig['blockoffendersip'] = $a_nat[$id]['blockoffendersip'];
 		$pconfig['whitelistname'] = $a_nat[$id]['whitelistname'];
 		$pconfig['homelistname'] = $a_nat[$id]['homelistname'];
 		$pconfig['externallistname'] = $a_nat[$id]['externallistname'];
@@ -204,6 +206,11 @@
 				$natent['blockoffenders7'] = 'on';
 			else
 				$natent['blockoffenders7'] = 'off';
+			if ($_POST['blockoffenderskill'] == "on")
+				$natent['blockoffenderskill'] = 'on';
+			if ($_POST['blockoffendersip'])
+				$natent['blockoffendersip'] = $_POST['blockoffendersip'];
+
 			$natent['whitelistname'] = $_POST['whitelistname'] ? $_POST['whitelistname'] : $pconfig['whitelistname'];
 			$natent['homelistname'] = $_POST['homelistname'] ? $_POST['homelistname'] : $pconfig['homelistname'];
 			$natent['externallistname'] = $_POST['externallistname'] ? $_POST['externallistname'] : $pconfig['externallistname'];
@@ -340,6 +347,12 @@
 <script language="JavaScript">
 <!--
 
+function enable_blockoffenders() {
+	var endis = !(document.iform.blockoffenders7.checked);
+	document.iform.blockoffenderskill.disabled=endis;
+	document.iform.blockoffendersip.disabled=endis;
+}
+
 function enable_change(enable_change) {
 	endis = !(document.iform.enable.checked || enable_change);
 	// make shure a default answer is called if this is envoked.
@@ -562,13 +575,39 @@ class="formfld" id="externallistname">
 			</tr>
 			<tr>
 				<td width="22%" valign="top" class="vncell2">Block offenders</td>
-				<td width="78%" class="vtable"><input name="blockoffenders7"
-					type="checkbox" value="on"
+				<td width="78%" class="vtable">
+					<input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on"
 					<?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?>
-					onClick="enable_change(false)"><br>
+					onClick="enable_blockoffenders()"><br>
 				Checking this option will automatically block hosts that generate a
 				Snort alert.</td>
 			</tr>
+			<tr>
+				<td width="22%" valign="top" class="vncell2">Kill states</td>
+				<td width="78%" class="vtable">
+					<input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>>
+					<br/>Should firewall states be killed for the blocked ip
+				</td>
+			</tr>
+			<tr>
+				<td width="22%" valign="top" class="vncell2">Which ip to block</td>
+				<td width="78%" class="vtable">
+					<select name="blockoffendersip" class="formfld" id="blockoffendersip">
+				<?php
+					foreach (array("src", "dst", "both") as $btype) {
+						if ($value['snortlisttype'] == 'whitelist') {
+							if ($btype == $pconfig['blockoffendersip'])
+								echo "<option value='{$btype}' selected>";
+							else
+								echo "<option value='{$btype}'>";
+							echo htmlspecialchars($btype) . '</option>';
+						}
+					}
+				?>
+					</select>
+				<br/> Which ip extracted from the packet you want to block
+				</td>
+			</tr>
 			<tr>
 				<td width="22%" valign="top" class="vncell2">Whitelist</td>
 				<td width="78%" class="vtable">
@@ -687,6 +726,7 @@ class="formpre2"><?=htmlspecialchars($pconfig['configpassthru']);?></textarea>
 <script language="JavaScript">
 <!--
 enable_change(false);
+enable_blockoffenders();
 //-->
 </script>