DaveA-W · August 17, 2019 14:46 · DaveA-W · Aug 14, 2019 · DaveA-W · Aug 16, 2019
diff --git a/\etc\snort\rules\emerging-threats.rules b/\etc\snort\rules\emerging-threats.rules
 # Uncommented rules/*.rules files below are included as DROPs within your snort.rules
 # updaterules.sh extracts them selectively from https://rules.emergingthreats.net/open/snort-edge/emerging.rules.tar.gz

 # Emerging Threats FAQ https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ

 # BotCC: Detect hosts communicating with a known and active Bot or Malware command and control server.
 rules/emerging-botcc.portgrouped.rules
 rules/emerging-botcc.rules

 # CIArmy: Subset of CINS Active Threat Intelligence rules, where an IP's 'Rogue Packet' score is poor or it has tripped a number of trusted alerts around the world.
 rules/emerging-ciarmy.rules

 # Compromised: Hosts compromised by bots, phishing sites, or spewing hostile traffic. These are not your everyday infected and sending a bit of spam hosts, these are significantly infected and hostile hosts.
 rules/emerging-compromised.rules

 # Current Events 
 # Most often simple sigs for the Storm binary URL of the day, sigs to catch CLSIDs of newly found vulnerable apps where we don't have detail on the exploit.
 # Useful sigs but not for the long term until they have been properly tested.
 rules/emerging-current_events.rules

 # Don't Route or Peer (DROP): Daily updated list of the Spamhaus Don't Route or Peer list. Primarily known professional spammers. More info at http://www.spamhaus.org
 rules/emerging-drop.rules

 # Dshield: Daily updated list of the DShield top attackers list. Reliable. More info at http://www.dshield.org
 rules/emerging-dshield.rules

 # Exploits: Detect direct exploits including Windows exploits, Veritas, etc.
 rules/emerging-exploit.rules

 # Malware: Spyware and other things you don't want running on your network. URL hooks for known update schemes, User-Agent strings of known malware, and a load of other goodies.
 rules/emerging-malware.rules
 rules/emerging-mobile_malware.rules

 # Scan: Things to detect reconnaissance and probing. Nessus, Nikto, portscanning, etc. Early warning stuff.
 rules/emerging-scan.rules

 rules/emerging-trojan.rules
 rules/emerging-user_agents.rules

 # Web clients: Some SQL Injection, web server overflows, vulnerable web apps, that kind of thing. Very important if you're running web servers, and pretty reasonable load.
 rules/emerging-web_client.rules
 rules/emerging-worm.rules

 # Optionally uncomment others below, depending on what you're running on your network
 # Descriptions at https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#What_is_the_general_intent_of_ea
 # rules/emerging-activex.rules
 # rules/emerging-attack_response.rules
 # rules/emerging-chat.rules
 # rules/emerging-deleted.rules
 # rules/emerging-dns.rules
 # rules/emerging-dos.rules
 # rules/emerging-ftp.rules
 # rules/emerging-games.rules
 # rules/emerging-icmp.rules
 # rules/emerging-icmp_info.rules
 # rules/emerging-imap.rules
 # rules/emerging-inappropriate.rules
 # rules/emerging-info.rules
 # rules/emerging-misc.rules
 # rules/emerging-netbios.rules
 # rules/emerging-p2p.rules
 # rules/emerging-policy.rules
 # rules/emerging-pop3.rules
 # rules/emerging-rpc.rules
 # rules/emerging-scada.rules
 # rules/emerging-shellcode.rules
 # rules/emerging-smtp.rules
 # rules/emerging-snmp.rules
 # rules/emerging-sql.rules
 # rules/emerging-telnet.rules
 # rules/emerging-tftp.rules
 # rules/emerging-tor.rules
 # rules/emerging-voip.rules
 # rules/emerging-web_server.rules
 # rules/emerging-web_specific_apps.rules
diff --git a/\etc\snort\updaterules.sh b/\etc\snort\updaterules.sh
 #!/bin/sh

 # Wrapper to handle downloads
 download () {
 	# try  
 	{
 		local ruleset=$1
 		local url=$2
 		local followRedirect=$3
 		local timeout=$4
 		
 		if [ -z "$timeout" ] ; then timeout=120 ; fi
 		
 		echo " "
 		echo "Downloading $ruleset"
 		echo "  $url"

 		if [ "$followRedirect" == "true" ]
 		then
 			curl -k -1 -m $timeout -o $ruleset -L $url		
 		else
 			curl -k -1 -m $timeout -o $ruleset $url
 		fi
 	} || {		
 		echo "Unable to download rules '$1' from $2"
 		echo "*error*	 $1" >> rule_counter.log
 		return 1
 	}
 }

 # Ingests files conforming to a specified filespec, appending lines from each to alert.list
 ingest () {	
 	# try  
 	{
 		for filename in $(ls $1)
 		do
 			# Extract rules to alert.tmp
 			cat $filename | sed '/^\#/d' | sed '/^$/d' > alert.tmp &&
 			# Append to alert.list
 			cat alert.tmp >> alert.list	&&
 			# Output count to rule_counter.log
 			local count=$(wc -l alert.tmp | awk '{print $1}')
 			printf "%7d\t%s\n" $count "$filename" >> rule_counter.log
 		done
 		return 0		
 	} || {
 		echo "Unable to ingest rules '$1'"
 		echo "*error*	 $1" >> rule_counter.log
 		return 1
 	}
 }

 # Downloads and ingests rules from an url
 # (gzips will be unpacked, resultant $filenames spec should be provided as the last argument)
 downloadAndIngest() {
 	local ruleset=$1
 	local url=$2
 	local followRedirect=$3
 	local filenames=$4
 	if [ -n "$url" ]
 	then
 		if [ -z "$filenames" ] ; then
 			filenames=$ruleset
 		fi
 		download "$ruleset" "$url" $followRedirect &&
 		(
 			(file "$ruleset" | grep -q gzip  &&
 			 mv "$ruleset" "$ruleset.tar.gz" &&
 			 tar -zxf "$ruleset.tar.gz") ||
 			touch "$ruleset" # null op - no unzip required
 		) &&
 		ingest "$filenames" && 
 		return 0
 	fi
 	return 1
 }

 # Prepare /tmp/snort/ and cumulative output files
 echo " "
 echo "Preparing working directory for rule download and ingestion"
 echo "/tmp/snort"
 if [ ! -d "/tmp/snort" ] ; then	mkdir /tmp/snort ; else	rm -rf /tmp/snort/* ; fi
 cd /tmp/snort
 touch alert.list
 touch ip.list

 # Prepare rule_counter.log
 echo "# Rules  Set processed by etc/snort/updaterules.sh"  > rule_counter.log
 echo "-------- -----------------------------------------" >> rule_counter.log

 # NOTE: Snort Community Rules ~1.7MB (`true` below flags that 302 redirects should be followed -> actual file is in an Amazon S3 bucket)
 downloadAndIngest community-rules    https://www.snort.org/downloads/community/community-rules.tar.gz  true  community-rules/*.rules

 # SSL Blacklist: Bad SSL certificates identified by abuse.ch to be associated with malware or botnet activities in the past 30 days.
 downloadAndIngest abuse-sslbl.rules  https://sslbl.abuse.ch/blacklist/sslipblacklist.rules

 # SSL Aggressive: Bad SSL certificates *ever* identified by abuse.ch to be associated with malware or botnet activities.
 # Since IP addresses can change, may contain false positives - comment out by default
 # downloadAndIngest abuse-dyre.rules https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist_aggressive.rules

 # ZeuS servers: DISCONTINUED 2019-07 https://zeustracker.abuse.ch/byebye.php?download=snort
 # downloadAndIngest zeus.rules       https://zeustracker.abuse.ch/blocklist.php?download=snort

 # Emerging Threats zip ~2.3MB        https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ
 download emerging-threats.tar.gz     https://rules.emergingthreats.net/open/snort-edge/emerging.rules.tar.gz  &&
 (
 	# Extract emerging-threats.tar.gz, assumed it will unzip to folder "rules"
 	echo " "

 	# Look for pre-defined subset of rules to extract
 	if [ -f "/etc/snort/rules/emerging-threats.rules" ]; then
 		echo "Extracting subset listed in /etc/snort/rules/emerging-threats.rules"
 		# Expect errors due to commented lines, so send error output to null
 		tar -zxvf "emerging-threats.tar.gz" -T "/etc/snort/rules/emerging-threats.rules" 2>/dev/null
 		# Also extract IP blacklist and sid-msg.map for later use
 		tar -zxvf "emerging-threats.tar.gz" "rules/compromised-ips.txt" "rules/sid-msg.map"

 	else # unzip the lot
 		echo "Extracting:"
 		tar -zxvf "emerging-threats.tar.gz"
 	fi

 	# Now ingest *.rules
 	ingest "rules/*.rules"
 )

 echo " "
 echo "Changing rules that only alert to drop instead"
 sed -i 's/alert /drop /' alert.list
 # wc -l alert.list
 sed '/^\#/d' alert.list >> drop.list
 # wc -l drop.list
 sed '/^$/d' drop.list | sort | uniq > drop.sorted
 # wc -l drop.sorted

 # Snort only allows one sid number, so we have to delete where rules contain multiple revisions
 echo "Removing rules with extra sid revision numbers"
 cat drop.sorted | awk -F"sid:" '{print $2}' | awk -F";" '{print $1}' | sort | uniq -d > duplicate.sids
 touch duplicate.sed
 for i in $(cat duplicate.sids)
 do
 	echo "0,/$i/{/$i/d}" >> duplicate.sed
 done
 cat drop.sorted | awk -F"sid:" '{print $2 $1}' | sort > drop.tmp
 sed -i -f duplicate.sed  drop.tmp
 sed -i 's/^/sid:/' drop.tmp
 cat drop.tmp | awk -F";)" '{print $2 $1}' | sort > drop.sorted
 sed -i 's/$/;\)/' drop.sorted

 # Exclude rules determined by ITUS Networks to cause web site issues
 # Searching and removing ~100 rules takes a couple of minutes
 # (note: as of August 2019 though, none seem to be present in default sets above)
 if [ -f "/etc/snort/rules/exclude.rules" ]; then
 	echo "-------- -----------------------------------------" >> rule_counter.log
 	count=$(wc -l drop.sorted | awk '{print $1}')
 	printf "%7d\t%s\n" $count "unique rules before applying exclude.rules" >> rule_counter.log
 	original=$(wc -l drop.sorted | awk '{print $1}')
 	total=$(wc -l /etc/snort/rules/exclude.rules | awk '{print $1}')
 	pattern=0
 	for sid in $(cat /etc/snort/rules/exclude.rules)
 	do
 		if [ "$sid" -eq "$sid" ] 2>/dev/null
 		then # it's an integer sid
 			percent=$((++pattern*100/total))
 			printf "\rExcluding rules that can cause web site issues: %3d%%" $percent;
 			sed -i "/sid:$sid/s/^/#/" drop.sorted
 		fi
 	done
 	printf "\rExcluding rules that can cause web site issues: 100%%\n";
 	final=$(wc -l drop.sorted | awk '{print $1}')
 	if [ "$final" -eq "$original" ] 2>/dev/null
 	then
 		echo "No rules excluded - consider removing old sids from /etc/snort/rules/exclude.rules"
 	else
 		removed=$((final-original))
 		echo "$removed rules removed"
 	fi
 fi

 # Remove carriage return characters and blank lines
 tr -d '\r' < drop.sorted | awk 'NF' > snort.rules

 # Cleanup working files
 echo "Cleaning up working files"
 rm -f ip.list alert.* duplicate.* drop.*

 # Update IP blacklists ---------------------------------
 echo " "
 echo "Updating IP blacklists"
 echo "-------- -----------------------------------------" >> rule_counter.log

 # rules/compromised-ips.txt comes from emerging-threats.tar.gz downloaded above
 if [ -f "rules/compromised-ips.txt" ]; then
 	cat rules/compromised-ips.txt >> ip.list
 	count=$(wc -l rules/compromised-ips.txt | awk '{print $1}')
 	printf "%7d\t%s\n" $count "rules/compromised-ips.txt" >> rule_counter.log
 fi

 # Snort Community blacklist url found via https://blog.snort.org/2015/09/ip-blacklist-feed-has-moved-locations.html
 # Note other potentially useful urls within https://github.com/shirkdog/pulledpork/blob/master/etc/pulledpork.conf
 download talos-ip-blacklist.txt https://talosintelligence.com/documents/ip-blacklist true  # follow url 302 redirects
 if [ -f "talos-ip-blacklist.txt" ]; then
 	cat talos-ip-blacklist.txt >> ip.list
 	count=$(wc -l talos-ip-blacklist.txt | awk '{print $1}')
 	printf "%7d\t%s\n" $count "talos-ip-blacklist.txt" >> rule_counter.log
 fi

 # Output unique IPs from our downloaded blacklist(s) to L2.blacklist
 awk '!seen[$0]++' ip.list > L2.blacklist

 # Update rule_counter.log with final results
 echo "-------- -----------------------------------------" >> rule_counter.log
 count=$(wc -l snort.rules | awk '{print $1}')
 printf "%7d\t%s\n" $count "snort.rules" >> rule_counter.log
 count=$(wc -l L2.blacklist | awk '{print $1}')
 printf "%7d\t%s\n" $count "L2.blacklist" >> rule_counter.log
 echo \ >> rule_counter.log
 echo " "
 echo "Displaying rule_counter.log"
 echo " "
 cat rule_counter.log

 # Replace snort files and restart ----------------------
 if [ -s "snort.rules" ]; then
 	echo "Replacing /etc/snort/rules/snort.rules"
 	mv /etc/snort/rules/snort.rules /etc/snort/rules/snort.rules.bak
 	mv snort.rules /etc/snort/rules/snort.rules
 else
 	echo "No snort rules downloaded"
 fi
 if [ -s "L2.blacklist" ]; then
 	echo "Replacing /etc/snort/rules/iplists/L2.blacklist"
 	mv /etc/snort/rules/iplists/L2.blacklist /etc/snort/rules/iplists/L2.blacklist.bak
 	mv L2.blacklist /etc/snort/rules/iplists/L2.blacklist
 else
 	echo "No IP blacklists downloaded"
 fi
 cp -f rule_counter.log /var/log/snort/rule_counter.log

 echo "Restarting SNORT service"
 # service snort restart
 /etc/init.d/snort restart
 sleep 1
 echo " "
 cd /etc/snort
 exit 0
diff --git a/\usr\lib\lua\luci\model\cbi\snort.lua b/\usr\lib\lua\luci\model\cbi\snort.lua
 --[[

 LuCI Snort module

 Copyright (C) 2015, Itus Networks, Inc.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

 	http://www.apache.org/licenses/LICENSE-2.0

 Author: Luka Perkov <[email protected]>

 Version 4:
 Redo some of the system calls and file paths for the updated Firmware

 version 3
 Modified by Roadrunnere42 added if then statement to choose which mode the shield's in and display in >>services >> intrusion prevention window
 either one snort config file or 2 snort config files if running in router mode.

 version 2
 Modified by Roadrunnere42 to include a tab called priority 1 logs in intrusion prevention window, which displays any IPS rules that has trigger a priority 1 log in the IPS log.
 /usr/lib/lua/luci/model/cbi/snort.lua - changed
 /tmp/snort/priority1 - added to hold priority 1 logs

 version 1
 Modified by Roadrunnere42 to include a tab called rule counter in intrusion prevention window, which displays the number of rules that each rule set has.
 This requires the following files to be changed or added
 /tmp/rule_counter.log                 - created when run
 /sbin/fw_upgrade.sh                   - changed
 /usr/lib/lua/luci/model/cbi/snort.lua - changed

 ]]--

 local fs = require "nixio.fs"
 local sys = require "luci.sys"
 require "ubus"

 m = Map("snort", translate("Intrusion Prevention"), translate("<p>Changes may take a couple of minutes to take effect, service may be interrupted during that time.  Where you have edited rules, the system will need to download and re-process the new rulesets and any exclusions specified.</p><p>The IPS engine will restart each time you click the Save & Apply or On/Off button.</p><p><b>DO NOT REFRESH</b> if you see a <b>Bad Gateway</b> timeout message presented, since that may re-process your changes again.  Instead, place the cursor in your address bar and press Enter to re-navigate back to this page.</p>"))

 m.on_init = function()
 --[[
   -- Get the Shield Mode
   io.input("/var/.mode")
   line = io.read("*line")
   if line == "Router" then
   luci.sys.call("cp /var/log/snort/alert.fast /var/log/snort/alert.log")
   luci.sys.call("sed '1!G;h$!d' /var/log/snort/alert.log > /var/log/snort/snort_luci.log")
   luci.sys.call("rm /var/log/snort/alert.log")
   end
   luci.sys.call("grep -i 'priority: 1' /var/log/snort/snort_luci.log > /var/log/snort/priority1.log")
 --]]
 end

 m.reset = false
 m.submit = false

 s = m:section(NamedSection, "snort")
 s.anonymous = true
 s.addremove = false

 s:tab("tab_basic", translate("Basic Settings"))
 s:tab("tab_advanced", translate("Advanced Settings"))
 s:tab("tab_engine", translate("Engine"))
 s:tab("tab_preprocessors", translate("Preprocessors"))
 s:tab("tab_other", translate("Other Settings"))
 s:tab("tab_priority", translate("IPS Priority 1 Log"))
 s:tab("tab_logs", translate("IPS Logs"))
 s:tab("tab_threshold", translate("Threshold Config"))
 s:tab("tab_emerging_threats", translate("Emerging Threats"))
 s:tab("tab_custom", translate("Custom Rules"))
 s:tab("tab_rules", translate("Exclude Rules"))
 s:tab("tab_counter", translate("Rule Counter"))
 --s:tab("tab_snort1", translate("Snort Rules Selector"))

 	--------------------- Basic Tab ------------------------
 	local status="not running"
 	require "ubus"
 	local conn = ubus.connect()
 	if not conn then
   		error("Failed to connect to ubusd")
 	end

 	for k, v in pairs(conn:call("service", "list", { name="snort" })) do
   		status="running"
 	end

 	button_start = s:taboption("tab_basic",Button, "start", translate("Status: "))
  	if status == "running" then
  		 button_start.inputtitle = "ON"
  	else
   		button_start.inputtitle = "OFF"
  	end

  	button_start.write = function(self, section)
   		if status == "not running" then
      			sys.call("service snort start")
      			button_start.inputtitle = "ON"
      			button_start.title = "Status: "
   		else
      			sys.call("service snort stop")
      			button_start.inputtitle = "OFF"
      			button_start.title = "Status: "
   		end
 	end

  	if status == "running" then
   		button_restart = s:taboption("tab_basic", Button, "restart", translate("Restart: "))
   		button_restart.inputtitle = "Restart"
   		button_restart.write = function(self, section)
      		sys.call("service snort restart")   
   	end
  end

 --[[  io.input("/var/.mode")
  line = io.read("*line")
  if line == "Router" then
   --------------------- Snort Instance WAN Tab -----------------------

   config_file1 = s:taboption("tab_wan", TextValue, "text1", "")
   config_file1.wrap = "off"
   config_file1.rows = 25
   config_file1.rmempty = false

   function config_file1.cfgvalue()
      local uci = require "luci.model.uci".cursor_state()
      file = "/etc/snort/snort7.conf"
      if file then
         return fs.readfile(file) or ""
      else
         return ""
      end
   end

   function config_file1.write(self, section, value)
      if value then
         local uci = require "luci.model.uci".cursor_state()
 	       file = "/etc/snort/snort7.conf"
 	       fs.writefile(file, value:gsub("\r\n", "\n"))
 	       luci.sys.call("/etc/init.d/snort restart")
      end
   end
   ---------------------- Snort Instance LAN Tab ------------------------

   config_file2 = s:taboption("tab_lan", TextValue, "text2", "")
   config_file2.wrap = "off"
   config_file2.rows = 25
   config_file2.rmempty = false

   function config_file2.cfgvalue()
      local uci = require "luci.model.uci".cursor_state()
      file = "/etc/snort/snort8.conf"
      if file then
         return fs.readfile(file) or ""
      else
         return ""
      end
   end

   function config_file2.write(self, section, value)
      if value then
         local uci = require "luci.model.uci".cursor_state()
 	 file = "/etc/snort/snort8.conf"
 	 fs.writefile(file, value:gsub("\r\n", "\n"))
 	 luci.sys.call("/etc/init.d/snort restart")
      end
   end

   else
   ---------------------- Snort Config Tab ------------------------

   config_file2 = s:taboption("tab_config", TextValue, "config1", "")
   config_file2.wrap = "off"
   config_file2.rows = 25
   config_file2.rmempty = false

   function config_file2.cfgvalue()
      local uci = require "luci.model.uci".cursor_state()
      file = "/etc/snort/snort_bridge.conf"
      if file then
         return fs.readfile(file) or ""
      else
 	       return ""
      end
   end

   function config_file2.write(self, section, value)
      if value then
         local uci = require "luci.model.uci".cursor_state()
         file = "/etc/snort/snort_bridge.conf"
         fs.writefile(file, value:gsub("\r\n", "\n"))
         luci.sys.call("/etc/init.d/snort restart")
      end
   end
 end
 --]]

 	--------------------- Advanced Tab -----------------------

        config_file1 = s:taboption("tab_advanced", TextValue, "text1", "")
        config_file1.wrap = "off"
        config_file1.rows = 25
        config_file1.rmempty = false

        function config_file1.cfgvalue()
                local uci = require "luci.model.uci".cursor_state()
                file = "/etc/snort/profile/config1_advanced.conf"
                if file then
                        return fs.readfile(file) or ""
                else
                        return ""
                end
        end

        function config_file1.write(self, section, value)
                if value then
                        local uci = require "luci.model.uci".cursor_state()
                        file = "/etc/snort/profile/config1_advanced.conf"
                        fs.writefile(file, value:gsub("\r\n", "\n"))
                        luci.sys.call("/etc/init.d/snort restart")
 --                      luci.sys.call("/etc/init.d/suricata restart")
                end
        end


        ---------------------- Engine Tab ------------------------

        config_file2 = s:taboption("tab_engine", TextValue, "text2", "")
        config_file2.wrap = "off"
        config_file2.rows = 25
        config_file2.rmempty = false

        function config_file2.cfgvalue()
                local uci = require "luci.model.uci".cursor_state()
                file = "/etc/snort/profile/config2_engine.conf"
                if file then
                        return fs.readfile(file) or ""
                else
                        return ""
                end
        end

        function config_file2.write(self, section, value)
                if value then
                        local uci = require "luci.model.uci".cursor_state()
                        file = "/etc/snort/profile/config2_engine.conf"
                        fs.writefile(file, value:gsub("\r\n", "\n"))
                        luci.sys.call("/etc/init.d/snort restart")
 --                      luci.sys.call("/etc/init.d/suricata restart")
                end
        end

        ------------------- Preprocessors Tab ---------------------

        config_file3 = s:taboption("tab_preprocessors", TextValue, "text3", "")
        config_file3.wrap = "off"
        config_file3.rows = 25
        config_file3.rmempty = false

        function config_file3.cfgvalue()
                local uci = require "luci.model.uci".cursor_state()
                file = "/etc/snort/profile/config3_preprocessors.conf"
                if file then
                        return fs.readfile(file) or ""
                else
                        return ""
                end
        end

        function config_file3.write(self, section, value)
                if value then
                        local uci = require "luci.model.uci".cursor_state()
                        file = "/etc/snort/profile/config3_preprocessors.conf"
                        fs.writefile(file, value:gsub("\r\n", "\n"))
                        luci.sys.call("/etc/init.d/snort restart")
 --                      luci.sys.call("/etc/init.d/suricata restart")
                end
        end

        --------------------- Other Tab ------------------------

        config_file4 = s:taboption("tab_other", TextValue, "text4", "")
        config_file4.wrap = "off"
        config_file4.rows = 25
        config_file4.rmempty = false

        function config_file4.cfgvalue()
                local uci = require "luci.model.uci".cursor_state()
                file = "/etc/snort/profile/config4_other.conf"
                if file then
                        return fs.readfile(file) or ""
                else
                        return ""
                end
        end

        function config_file4.write(self, section, value)
                if value then
                        local uci = require "luci.model.uci".cursor_state()
                        file = "/etc/snort/profile/config4_other.conf"
                        fs.writefile(file, value:gsub("\r\n", "\n"))
                        luci.sys.call("/etc/init.d/snort restart")
 --                      luci.sys.call("/etc/init.d/suricata restart")
                end
        end

 	---------------------- Threshold Config Tab ------------------------

 	config_file5 = s:taboption("tab_threshold", TextValue, "threshold", "")
 	config_file5.wrap = "off"
 	config_file5.rows = 25
 	config_file5.rmempty = false

 	function config_file5.cfgvalue()
 		local uci = require "luci.model.uci".cursor_state()
 		file = "/etc/snort/threshold.conf"
 		if file then
 			return fs.readfile(file) or ""
 		else
 			return ""
 		end
 	end

 	function config_file5.write(self, section, value)
 		if value then
 			local uci = require "luci.model.uci".cursor_state()
 			file = "/etc/snort/threshold.conf"
 			fs.writefile(file, value:gsub("\r\n", "\n"))
 			luci.sys.call("/etc/init.d/snort restart")
 		end
 	end

 	---------------------- Emerging Threats Tab ------------------------
 	config_file6 = s:taboption("tab_emerging_threats", TextValue, "emergingThreats", translate("Uncomment rules from <a href='https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ' target='_blank'>Emerging Threats</a> that you want included as DROPs within your snort.rules"))
 	config_file6.wrap = "off"
 	config_file6.rows = 25
 	config_file6.rmempty = false

 	function config_file6.cfgvalue()
 		local uci = require "luci.model.uci".cursor_state()
 		file = "/etc/snort/rules/emerging-threats.rules"
 		if file then
 			return fs.readfile(file) or ""
 		else
 			return ""
 		end
 	end

 	function config_file6.write(self, section, value)
 		if value then
 			local uci = require "luci.model.uci".cursor_state()
 			file = "/etc/snort/rules/emerging-threats.rules"
 			fs.writefile(file, value:gsub("\r\n", "\n"))
 			luci.sys.call("/etc/snort/updaterules.sh")
 		end
 	end

 	---------------------- Custom Rules Tab ------------------------

 	config_file7 = s:taboption("tab_custom", TextValue, "customRules", "")
 	config_file7.wrap = "off"
 	config_file7.rows = 25
 	config_file7.rmempty = false

 	function config_file7.cfgvalue()
 		local uci = require "luci.model.uci".cursor_state()
 		file = "/etc/snort/rules/local.rules"
 		if file then
 			return fs.readfile(file) or ""
 		else
 			return ""
 		end
 	end

 	function config_file7.write(self, section, value)
 		if value then
 			local uci = require "luci.model.uci".cursor_state()
 			file = "/etc/snort/rules/local.rules"
 			fs.writefile(file, value:gsub("\r\n", "\n"))
 			luci.sys.call("/etc/init.d/snort restart")
 		end
 	end

 	--------------------- Exclude Rules Tab ------------------------

 	config_file8 = s:taboption("tab_rules", TextValue, "excludeRules", translate("<p>Some rules can cause issues with certain apps or websites</p><p>You can exclude these rules if you identify their <abbr title=\"Snort Intrusion Detection\">sid</abbr> numbers</p><p><a href='https://snort.org/documents#OfficialDocumentation' target='_blank'>Read more</a></p>"))
   config_file8.wrap = "off"
 	config_file8.rows = 25
 	config_file8.rmempty = false

 	function config_file8.cfgvalue()
 		local uci = require "luci.model.uci".cursor_state()
 		file = "/etc/snort/rules/exclude.rules"
 		if file then
 		return fs.readfile(file) or ""
 	else
 		return ""
 	end
 end

 	function config_file8.write(self, section, value)
 	if value then
 		local uci = require "luci.model.uci".cursor_state()
 		file = "/etc/snort/rules/exclude.rules"
 		fs.writefile(file, value:gsub("\r\n", "\n"))
      luci.sys.call("/etc/snort/updaterules.sh")
 	end
 end

 	--------------------- Logs Tab ------------------------

 	snort_logfile = s:taboption("tab_logs", TextValue, "logfile", "")
 	snort_logfile.wrap = "off"
 	snort_logfile.rows = 25
 	snort_logfile.rmempty = false

 	function snort_logfile.cfgvalue()
 		local uci = require "luci.model.uci".cursor_state()
 		local file = "/var/log/snort/snort_luci.log"
 		if file then
 			return fs.readfile(file) or ""
 		else
 			return ""
 		end
 end

 	---------------------Priority Tab ------------------------
 	snort_logfile1 = s:taboption("tab_priority", TextValue, "IPS Priority 1 Log", "")
 	snort_logfile1.wrap = "off"
 	snort_logfile1.rows = 25
 	snort_logfile1.rmempty = false

 	function snort_logfile1.cfgvalue()
 		local uci = require "luci.model.uci".cursor_state()
 		local file = "/etc/snort/logs/priority1.log"
 	if file then
 		return fs.readfile(file) or ""
 	else
 		return ""
 	end
 end

 	--------------------- Rule Counter Tab ------------------------

 counter = s:taboption("tab_counter", TextValue, "Counter", "")
 counter.wrap = "off"
 counter.rows = 25
 counter.rmempty = false

 function counter.cfgvalue()
 	local uci = require "luci.model.uci".cursor_state()
 	local file = "/var/log/snort/rule_counter.log"
 	if file then
 		return fs.readfile(file) or ""
 	else
 		return ""
 	end
 end

 	--------------------- snort rule selector Tab ------------------------


 --	firefox = s:taboption("tab_snort1", Flag, "content_firefox", translate("Firefox"))
 -- firefox.default=firefox.disabled
 --	firefox.rmempty = false

 	--firefox = s:taboption("tab_snort1", Flag, "content_firefox", translate("Firefox"))
 --	firefox.default=snort1.enabled
 --	firefox.rmempty = false








 return m
	# Uncommented rules/*.rules files below are included as DROPs within your snort.rules
	# updaterules.sh extracts them selectively from https://rules.emergingthreats.net/open/snort-edge/emerging.rules.tar.gz

	# Emerging Threats FAQ https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ

	# BotCC: Detect hosts communicating with a known and active Bot or Malware command and control server.
	rules/emerging-botcc.portgrouped.rules
	rules/emerging-botcc.rules

	# CIArmy: Subset of CINS Active Threat Intelligence rules, where an IP's 'Rogue Packet' score is poor or it has tripped a number of trusted alerts around the world.
	rules/emerging-ciarmy.rules

	# Compromised: Hosts compromised by bots, phishing sites, or spewing hostile traffic. These are not your everyday infected and sending a bit of spam hosts, these are significantly infected and hostile hosts.
	rules/emerging-compromised.rules

	# Current Events
	# Most often simple sigs for the Storm binary URL of the day, sigs to catch CLSIDs of newly found vulnerable apps where we don't have detail on the exploit.
	# Useful sigs but not for the long term until they have been properly tested.
	rules/emerging-current_events.rules

	# Don't Route or Peer (DROP): Daily updated list of the Spamhaus Don't Route or Peer list. Primarily known professional spammers. More info at http://www.spamhaus.org
	rules/emerging-drop.rules

	# Dshield: Daily updated list of the DShield top attackers list. Reliable. More info at http://www.dshield.org
	rules/emerging-dshield.rules

	# Exploits: Detect direct exploits including Windows exploits, Veritas, etc.
	rules/emerging-exploit.rules

	# Malware: Spyware and other things you don't want running on your network. URL hooks for known update schemes, User-Agent strings of known malware, and a load of other goodies.
	rules/emerging-malware.rules
	rules/emerging-mobile_malware.rules

	# Scan: Things to detect reconnaissance and probing. Nessus, Nikto, portscanning, etc. Early warning stuff.
	rules/emerging-scan.rules

	rules/emerging-trojan.rules
	rules/emerging-user_agents.rules

	# Web clients: Some SQL Injection, web server overflows, vulnerable web apps, that kind of thing. Very important if you're running web servers, and pretty reasonable load.
	rules/emerging-web_client.rules
	rules/emerging-worm.rules

	# Optionally uncomment others below, depending on what you're running on your network
	# Descriptions at https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#What_is_the_general_intent_of_ea
	# rules/emerging-activex.rules
	# rules/emerging-attack_response.rules
	# rules/emerging-chat.rules
	# rules/emerging-deleted.rules
	# rules/emerging-dns.rules
	# rules/emerging-dos.rules
	# rules/emerging-ftp.rules
	# rules/emerging-games.rules
	# rules/emerging-icmp.rules
	# rules/emerging-icmp_info.rules
	# rules/emerging-imap.rules
	# rules/emerging-inappropriate.rules
	# rules/emerging-info.rules
	# rules/emerging-misc.rules
	# rules/emerging-netbios.rules
	# rules/emerging-p2p.rules
	# rules/emerging-policy.rules
	# rules/emerging-pop3.rules
	# rules/emerging-rpc.rules
	# rules/emerging-scada.rules
	# rules/emerging-shellcode.rules
	# rules/emerging-smtp.rules
	# rules/emerging-snmp.rules
	# rules/emerging-sql.rules
	# rules/emerging-telnet.rules
	# rules/emerging-tftp.rules
	# rules/emerging-tor.rules
	# rules/emerging-voip.rules
	# rules/emerging-web_server.rules
	# rules/emerging-web_specific_apps.rules
	#!/bin/sh

	# Wrapper to handle downloads
	download () {
	# try
	{
	local ruleset=$1
	local url=$2
	local followRedirect=$3
	local timeout=$4

	if [ -z "$timeout" ] ; then timeout=120 ; fi

	echo " "
	echo "Downloading $ruleset"
	echo " $url"

	if [ "$followRedirect" == "true" ]
	then
	curl -k -1 -m $timeout -o $ruleset -L $url
	else
	curl -k -1 -m $timeout -o $ruleset $url
	fi
	} \|\| {
	echo "Unable to download rules '$1' from $2"
	echo "error $1" >> rule_counter.log
	return 1
	}
	}

	# Ingests files conforming to a specified filespec, appending lines from each to alert.list
	ingest () {
	# try
	{
	for filename in $(ls $1)
	do
	# Extract rules to alert.tmp
	cat $filename \| sed '/^\#/d' \| sed '/^$/d' > alert.tmp &&
	# Append to alert.list
	cat alert.tmp >> alert.list &&
	# Output count to rule_counter.log
	local count=$(wc -l alert.tmp \| awk '{print $1}')
	printf "%7d\t%s\n" $count "$filename" >> rule_counter.log
	done
	return 0
	} \|\| {
	echo "Unable to ingest rules '$1'"
	echo "error $1" >> rule_counter.log
	return 1
	}
	}

	# Downloads and ingests rules from an url
	# (gzips will be unpacked, resultant $filenames spec should be provided as the last argument)
	downloadAndIngest() {
	local ruleset=$1
	local url=$2
	local followRedirect=$3
	local filenames=$4
	if [ -n "$url" ]
	then
	if [ -z "$filenames" ] ; then
	filenames=$ruleset
	fi
	download "$ruleset" "$url" $followRedirect &&
	(
	(file "$ruleset" \| grep -q gzip &&
	mv "$ruleset" "$ruleset.tar.gz" &&
	tar -zxf "$ruleset.tar.gz") \|\|
	touch "$ruleset" # null op - no unzip required
	) &&
	ingest "$filenames" &&
	return 0
	fi
	return 1
	}

	# Prepare /tmp/snort/ and cumulative output files
	echo " "
	echo "Preparing working directory for rule download and ingestion"
	echo "/tmp/snort"
	if [ ! -d "/tmp/snort" ] ; then mkdir /tmp/snort ; else rm -rf /tmp/snort/* ; fi
	cd /tmp/snort
	touch alert.list
	touch ip.list

	# Prepare rule_counter.log
	echo "# Rules Set processed by etc/snort/updaterules.sh" > rule_counter.log
	echo "-------- -----------------------------------------" >> rule_counter.log

	# NOTE: Snort Community Rules ~1.7MB (`true` below flags that 302 redirects should be followed -> actual file is in an Amazon S3 bucket)
	downloadAndIngest community-rules https://www.snort.org/downloads/community/community-rules.tar.gz true community-rules/*.rules

	# SSL Blacklist: Bad SSL certificates identified by abuse.ch to be associated with malware or botnet activities in the past 30 days.
	downloadAndIngest abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules

	# SSL Aggressive: Bad SSL certificates ever identified by abuse.ch to be associated with malware or botnet activities.
	# Since IP addresses can change, may contain false positives - comment out by default
	# downloadAndIngest abuse-dyre.rules https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist_aggressive.rules

	# ZeuS servers: DISCONTINUED 2019-07 https://zeustracker.abuse.ch/byebye.php?download=snort
	# downloadAndIngest zeus.rules https://zeustracker.abuse.ch/blocklist.php?download=snort

	# Emerging Threats zip ~2.3MB https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ
	download emerging-threats.tar.gz https://rules.emergingthreats.net/open/snort-edge/emerging.rules.tar.gz &&
	(
	# Extract emerging-threats.tar.gz, assumed it will unzip to folder "rules"
	echo " "

	# Look for pre-defined subset of rules to extract
	if [ -f "/etc/snort/rules/emerging-threats.rules" ]; then
	echo "Extracting subset listed in /etc/snort/rules/emerging-threats.rules"
	# Expect errors due to commented lines, so send error output to null
	tar -zxvf "emerging-threats.tar.gz" -T "/etc/snort/rules/emerging-threats.rules" 2>/dev/null
	# Also extract IP blacklist and sid-msg.map for later use
	tar -zxvf "emerging-threats.tar.gz" "rules/compromised-ips.txt" "rules/sid-msg.map"

	else # unzip the lot
	echo "Extracting:"
	tar -zxvf "emerging-threats.tar.gz"
	fi

	# Now ingest *.rules
	ingest "rules/*.rules"
	)

	echo " "
	echo "Changing rules that only alert to drop instead"
	sed -i 's/alert /drop /' alert.list
	# wc -l alert.list
	sed '/^\#/d' alert.list >> drop.list
	# wc -l drop.list
	sed '/^$/d' drop.list \| sort \| uniq > drop.sorted
	# wc -l drop.sorted

	# Snort only allows one sid number, so we have to delete where rules contain multiple revisions
	echo "Removing rules with extra sid revision numbers"
	cat drop.sorted \| awk -F"sid:" '{print $2}' \| awk -F";" '{print $1}' \| sort \| uniq -d > duplicate.sids
	touch duplicate.sed
	for i in $(cat duplicate.sids)
	do
	echo "0,/$i/{/$i/d}" >> duplicate.sed
	done
	cat drop.sorted \| awk -F"sid:" '{print $2 $1}' \| sort > drop.tmp
	sed -i -f duplicate.sed drop.tmp
	sed -i 's/^/sid:/' drop.tmp
	cat drop.tmp \| awk -F";)" '{print $2 $1}' \| sort > drop.sorted
	sed -i 's/$/;\)/' drop.sorted

	# Exclude rules determined by ITUS Networks to cause web site issues
	# Searching and removing ~100 rules takes a couple of minutes
	# (note: as of August 2019 though, none seem to be present in default sets above)
	if [ -f "/etc/snort/rules/exclude.rules" ]; then
	echo "-------- -----------------------------------------" >> rule_counter.log
	count=$(wc -l drop.sorted \| awk '{print $1}')
	printf "%7d\t%s\n" $count "unique rules before applying exclude.rules" >> rule_counter.log
	original=$(wc -l drop.sorted \| awk '{print $1}')
	total=$(wc -l /etc/snort/rules/exclude.rules \| awk '{print $1}')
	pattern=0
	for sid in $(cat /etc/snort/rules/exclude.rules)
	do
	if [ "$sid" -eq "$sid" ] 2>/dev/null
	then # it's an integer sid
	percent=$((++pattern*100/total))
	printf "\rExcluding rules that can cause web site issues: %3d%%" $percent;
	sed -i "/sid:$sid/s/^/#/" drop.sorted
	fi
	done
	printf "\rExcluding rules that can cause web site issues: 100%%\n";
	final=$(wc -l drop.sorted \| awk '{print $1}')
	if [ "$final" -eq "$original" ] 2>/dev/null
	then
	echo "No rules excluded - consider removing old sids from /etc/snort/rules/exclude.rules"
	else
	removed=$((final-original))
	echo "$removed rules removed"
	fi
	fi

	# Remove carriage return characters and blank lines
	tr -d '\r' < drop.sorted \| awk 'NF' > snort.rules

	# Cleanup working files
	echo "Cleaning up working files"
	rm -f ip.list alert.* duplicate.* drop.*

	# Update IP blacklists ---------------------------------
	echo " "
	echo "Updating IP blacklists"
	echo "-------- -----------------------------------------" >> rule_counter.log

	# rules/compromised-ips.txt comes from emerging-threats.tar.gz downloaded above
	if [ -f "rules/compromised-ips.txt" ]; then
	cat rules/compromised-ips.txt >> ip.list
	count=$(wc -l rules/compromised-ips.txt \| awk '{print $1}')
	printf "%7d\t%s\n" $count "rules/compromised-ips.txt" >> rule_counter.log
	fi

	# Snort Community blacklist url found via https://blog.snort.org/2015/09/ip-blacklist-feed-has-moved-locations.html
	# Note other potentially useful urls within https://github.com/shirkdog/pulledpork/blob/master/etc/pulledpork.conf
	download talos-ip-blacklist.txt https://talosintelligence.com/documents/ip-blacklist true # follow url 302 redirects
	if [ -f "talos-ip-blacklist.txt" ]; then
	cat talos-ip-blacklist.txt >> ip.list
	count=$(wc -l talos-ip-blacklist.txt \| awk '{print $1}')
	printf "%7d\t%s\n" $count "talos-ip-blacklist.txt" >> rule_counter.log
	fi

	# Output unique IPs from our downloaded blacklist(s) to L2.blacklist
	awk '!seen[$0]++' ip.list > L2.blacklist

	# Update rule_counter.log with final results
	echo "-------- -----------------------------------------" >> rule_counter.log
	count=$(wc -l snort.rules \| awk '{print $1}')
	printf "%7d\t%s\n" $count "snort.rules" >> rule_counter.log
	count=$(wc -l L2.blacklist \| awk '{print $1}')
	printf "%7d\t%s\n" $count "L2.blacklist" >> rule_counter.log
	echo \ >> rule_counter.log
	echo " "
	echo "Displaying rule_counter.log"
	echo " "
	cat rule_counter.log

	# Replace snort files and restart ----------------------
	if [ -s "snort.rules" ]; then
	echo "Replacing /etc/snort/rules/snort.rules"
	mv /etc/snort/rules/snort.rules /etc/snort/rules/snort.rules.bak
	mv snort.rules /etc/snort/rules/snort.rules
	else
	echo "No snort rules downloaded"
	fi
	if [ -s "L2.blacklist" ]; then
	echo "Replacing /etc/snort/rules/iplists/L2.blacklist"
	mv /etc/snort/rules/iplists/L2.blacklist /etc/snort/rules/iplists/L2.blacklist.bak
	mv L2.blacklist /etc/snort/rules/iplists/L2.blacklist
	else
	echo "No IP blacklists downloaded"
	fi
	cp -f rule_counter.log /var/log/snort/rule_counter.log

	echo "Restarting SNORT service"
	# service snort restart
	/etc/init.d/snort restart
	sleep 1
	echo " "
	cd /etc/snort
	exit 0
	--[[

	LuCI Snort module

	Copyright (C) 2015, Itus Networks, Inc.

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Author: Luka Perkov <[email protected]>

	Version 4:
	Redo some of the system calls and file paths for the updated Firmware

	version 3
	Modified by Roadrunnere42 added if then statement to choose which mode the shield's in and display in >>services >> intrusion prevention window
	either one snort config file or 2 snort config files if running in router mode.

	version 2
	Modified by Roadrunnere42 to include a tab called priority 1 logs in intrusion prevention window, which displays any IPS rules that has trigger a priority 1 log in the IPS log.
	/usr/lib/lua/luci/model/cbi/snort.lua - changed
	/tmp/snort/priority1 - added to hold priority 1 logs

	version 1
	Modified by Roadrunnere42 to include a tab called rule counter in intrusion prevention window, which displays the number of rules that each rule set has.
	This requires the following files to be changed or added
	/tmp/rule_counter.log - created when run
	/sbin/fw_upgrade.sh - changed
	/usr/lib/lua/luci/model/cbi/snort.lua - changed

	]]--

	local fs = require "nixio.fs"
	local sys = require "luci.sys"
	require "ubus"

	m = Map("snort", translate("Intrusion Prevention"), translate("<p>Changes may take a couple of minutes to take effect, service may be interrupted during that time. Where you have edited rules, the system will need to download and re-process the new rulesets and any exclusions specified.</p><p>The IPS engine will restart each time you click the Save & Apply or On/Off button.</p><p><b>DO NOT REFRESH</b> if you see a <b>Bad Gateway</b> timeout message presented, since that may re-process your changes again. Instead, place the cursor in your address bar and press Enter to re-navigate back to this page.</p>"))

	m.on_init = function()
	--[[
	-- Get the Shield Mode
	io.input("/var/.mode")
	line = io.read("*line")
	if line == "Router" then
	luci.sys.call("cp /var/log/snort/alert.fast /var/log/snort/alert.log")
	luci.sys.call("sed '1!G;h$!d' /var/log/snort/alert.log > /var/log/snort/snort_luci.log")
	luci.sys.call("rm /var/log/snort/alert.log")
	end
	luci.sys.call("grep -i 'priority: 1' /var/log/snort/snort_luci.log > /var/log/snort/priority1.log")
	--]]
	end

	m.reset = false
	m.submit = false

	s = m:section(NamedSection, "snort")
	s.anonymous = true
	s.addremove = false

	s:tab("tab_basic", translate("Basic Settings"))
	s:tab("tab_advanced", translate("Advanced Settings"))
	s:tab("tab_engine", translate("Engine"))
	s:tab("tab_preprocessors", translate("Preprocessors"))
	s:tab("tab_other", translate("Other Settings"))
	s:tab("tab_priority", translate("IPS Priority 1 Log"))
	s:tab("tab_logs", translate("IPS Logs"))
	s:tab("tab_threshold", translate("Threshold Config"))
	s:tab("tab_emerging_threats", translate("Emerging Threats"))
	s:tab("tab_custom", translate("Custom Rules"))
	s:tab("tab_rules", translate("Exclude Rules"))
	s:tab("tab_counter", translate("Rule Counter"))
	--s:tab("tab_snort1", translate("Snort Rules Selector"))

	--------------------- Basic Tab ------------------------
	local status="not running"
	require "ubus"
	local conn = ubus.connect()
	if not conn then
	error("Failed to connect to ubusd")
	end

	for k, v in pairs(conn:call("service", "list", { name="snort" })) do
	status="running"
	end

	button_start = s:taboption("tab_basic",Button, "start", translate("Status: "))
	if status == "running" then
	button_start.inputtitle = "ON"
	else
	button_start.inputtitle = "OFF"
	end

	button_start.write = function(self, section)
	if status == "not running" then
	sys.call("service snort start")
	button_start.inputtitle = "ON"
	button_start.title = "Status: "
	else
	sys.call("service snort stop")
	button_start.inputtitle = "OFF"
	button_start.title = "Status: "
	end
	end

	if status == "running" then
	button_restart = s:taboption("tab_basic", Button, "restart", translate("Restart: "))
	button_restart.inputtitle = "Restart"
	button_restart.write = function(self, section)
	sys.call("service snort restart")
	end
	end

	--[[ io.input("/var/.mode")
	line = io.read("*line")
	if line == "Router" then
	--------------------- Snort Instance WAN Tab -----------------------

	config_file1 = s:taboption("tab_wan", TextValue, "text1", "")
	config_file1.wrap = "off"
	config_file1.rows = 25
	config_file1.rmempty = false

	function config_file1.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/snort7.conf"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file1.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/snort7.conf"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/init.d/snort restart")
	end
	end
	---------------------- Snort Instance LAN Tab ------------------------

	config_file2 = s:taboption("tab_lan", TextValue, "text2", "")
	config_file2.wrap = "off"
	config_file2.rows = 25
	config_file2.rmempty = false

	function config_file2.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/snort8.conf"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file2.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/snort8.conf"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/init.d/snort restart")
	end
	end

	else
	---------------------- Snort Config Tab ------------------------

	config_file2 = s:taboption("tab_config", TextValue, "config1", "")
	config_file2.wrap = "off"
	config_file2.rows = 25
	config_file2.rmempty = false

	function config_file2.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/snort_bridge.conf"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file2.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/snort_bridge.conf"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/init.d/snort restart")
	end
	end
	end
	--]]

	--------------------- Advanced Tab -----------------------

	config_file1 = s:taboption("tab_advanced", TextValue, "text1", "")
	config_file1.wrap = "off"
	config_file1.rows = 25
	config_file1.rmempty = false

	function config_file1.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/profile/config1_advanced.conf"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file1.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/profile/config1_advanced.conf"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/init.d/snort restart")
	-- luci.sys.call("/etc/init.d/suricata restart")
	end
	end


	---------------------- Engine Tab ------------------------

	config_file2 = s:taboption("tab_engine", TextValue, "text2", "")
	config_file2.wrap = "off"
	config_file2.rows = 25
	config_file2.rmempty = false

	function config_file2.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/profile/config2_engine.conf"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file2.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/profile/config2_engine.conf"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/init.d/snort restart")
	-- luci.sys.call("/etc/init.d/suricata restart")
	end
	end

	------------------- Preprocessors Tab ---------------------

	config_file3 = s:taboption("tab_preprocessors", TextValue, "text3", "")
	config_file3.wrap = "off"
	config_file3.rows = 25
	config_file3.rmempty = false

	function config_file3.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/profile/config3_preprocessors.conf"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file3.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/profile/config3_preprocessors.conf"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/init.d/snort restart")
	-- luci.sys.call("/etc/init.d/suricata restart")
	end
	end

	--------------------- Other Tab ------------------------

	config_file4 = s:taboption("tab_other", TextValue, "text4", "")
	config_file4.wrap = "off"
	config_file4.rows = 25
	config_file4.rmempty = false

	function config_file4.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/profile/config4_other.conf"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file4.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/profile/config4_other.conf"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/init.d/snort restart")
	-- luci.sys.call("/etc/init.d/suricata restart")
	end
	end

	---------------------- Threshold Config Tab ------------------------

	config_file5 = s:taboption("tab_threshold", TextValue, "threshold", "")
	config_file5.wrap = "off"
	config_file5.rows = 25
	config_file5.rmempty = false

	function config_file5.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/threshold.conf"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file5.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/threshold.conf"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/init.d/snort restart")
	end
	end

	---------------------- Emerging Threats Tab ------------------------
	config_file6 = s:taboption("tab_emerging_threats", TextValue, "emergingThreats", translate("Uncomment rules from <a href='https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ' target='_blank'>Emerging Threats</a> that you want included as DROPs within your snort.rules"))
	config_file6.wrap = "off"
	config_file6.rows = 25
	config_file6.rmempty = false

	function config_file6.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/rules/emerging-threats.rules"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file6.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/rules/emerging-threats.rules"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/snort/updaterules.sh")
	end
	end

	---------------------- Custom Rules Tab ------------------------

	config_file7 = s:taboption("tab_custom", TextValue, "customRules", "")
	config_file7.wrap = "off"
	config_file7.rows = 25
	config_file7.rmempty = false

	function config_file7.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/rules/local.rules"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file7.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/rules/local.rules"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/init.d/snort restart")
	end
	end

	--------------------- Exclude Rules Tab ------------------------

	config_file8 = s:taboption("tab_rules", TextValue, "excludeRules", translate("<p>Some rules can cause issues with certain apps or websites</p><p>You can exclude these rules if you identify their <abbr title=\"Snort Intrusion Detection\">sid</abbr> numbers</p><p><a href='https://snort.org/documents#OfficialDocumentation' target='_blank'>Read more</a></p>"))
	config_file8.wrap = "off"
	config_file8.rows = 25
	config_file8.rmempty = false

	function config_file8.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/rules/exclude.rules"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	function config_file8.write(self, section, value)
	if value then
	local uci = require "luci.model.uci".cursor_state()
	file = "/etc/snort/rules/exclude.rules"
	fs.writefile(file, value:gsub("\r\n", "\n"))
	luci.sys.call("/etc/snort/updaterules.sh")
	end
	end

	--------------------- Logs Tab ------------------------

	snort_logfile = s:taboption("tab_logs", TextValue, "logfile", "")
	snort_logfile.wrap = "off"
	snort_logfile.rows = 25
	snort_logfile.rmempty = false

	function snort_logfile.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	local file = "/var/log/snort/snort_luci.log"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	---------------------Priority Tab ------------------------
	snort_logfile1 = s:taboption("tab_priority", TextValue, "IPS Priority 1 Log", "")
	snort_logfile1.wrap = "off"
	snort_logfile1.rows = 25
	snort_logfile1.rmempty = false

	function snort_logfile1.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	local file = "/etc/snort/logs/priority1.log"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	--------------------- Rule Counter Tab ------------------------

	counter = s:taboption("tab_counter", TextValue, "Counter", "")
	counter.wrap = "off"
	counter.rows = 25
	counter.rmempty = false

	function counter.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	local file = "/var/log/snort/rule_counter.log"
	if file then
	return fs.readfile(file) or ""
	else
	return ""
	end
	end

	--------------------- snort rule selector Tab ------------------------


	-- firefox = s:taboption("tab_snort1", Flag, "content_firefox", translate("Firefox"))
	-- firefox.default=firefox.disabled
	-- firefox.rmempty = false

	--firefox = s:taboption("tab_snort1", Flag, "content_firefox", translate("Firefox"))
	-- firefox.default=snort1.enabled
	-- firefox.rmempty = false








	return m