aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Ullrich <sullrich@pfsense.org>2006-09-25 20:26:56 +0000
committerScott Ullrich <sullrich@pfsense.org>2006-09-25 20:26:56 +0000
commit3c8526293f20bf9d0a472be7c3003834551871cd (patch)
tree397c5d4688144c29e11e33d5e3d7356506a5cccc
parent6e67b3a56b70e66c74eca687ebb404473b315ba6 (diff)
downloadpfsense-packages-3c8526293f20bf9d0a472be7c3003834551871cd.tar.gz
pfsense-packages-3c8526293f20bf9d0a472be7c3003834551871cd.tar.bz2
pfsense-packages-3c8526293f20bf9d0a472be7c3003834551871cd.zip
Snort now starts out of the box.
-rw-r--r--packages/snort/snort.inc182
1 files changed, 101 insertions, 81 deletions
diff --git a/packages/snort/snort.inc b/packages/snort/snort.inc
index 159866c6..ec4bf8e5 100644
--- a/packages/snort/snort.inc
+++ b/packages/snort/snort.inc
@@ -4,6 +4,17 @@ function sync_package_snort() {
global $config, $g;
exec("mkdir -p /usr/local/etc/snort");
exec("mkdir -p /var/log/snort");
+ exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config");
+ exec("cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map");
+ exec("cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators");
+ exec("cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config");
+ exec("cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map");
+ exec("cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid");
+ exec("cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
+ exec("cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("rm -f /usr/local/etc/rc.d/snort");
+
$first = 0;
/* if list */
$iflist = array("lan" => "LAN");
@@ -25,7 +36,7 @@ function sync_package_snort() {
$first = 1;
}
}
- $start = "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort " . $ifaces_final . " -D";
+ $start = "/bin/mkdir -p /var/log/snort;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort " . $ifaces_final . " -D";
$start .= ";snort2c -s -w /var/db/whitelist -a /var/log/snort/alert";
write_rcfile(array(
"file" => "snort.sh",
@@ -46,12 +57,20 @@ function sync_package_snort() {
}
function generate_snort_conf() {
- global $config, $g;
+ global $config, $g, $config;
+
+ /* obtain external interface */
+ $snort_ext_int = $config['installedpackages']['snort']['config'][0]['interface_array'][0];
+
+ /* calculate lan subnet information */
+ $ifcfg = &$config['interfaces']['lan'];
+ $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']);
+ $subnetmask = gen_subnet_mask($ifcfg['subnet']);
/* XXX: set SSH port from config variable */
$ssh_port = "22";
- /* XXX: generate home net */
- $home_net = "";
+ $home_net = "{$subnet}/{$ifcfg['subnet']}";
+ /* XXX: add home net for all interfaces */
/* XXX: generate rule section */
$selected_rules_sections = "";
@@ -60,20 +79,23 @@ function generate_snort_conf() {
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var HTTP_PORTS 80
-var SHELLCODE_PORTS !$HTTP_PORTS
+var SHELLCODE_PORTS !\$HTTP_PORTS
var ORACLE_PORTS 1521
var HOME_NET {$home_net}
-var TELNET_SERVERS $HOME_NET
-var SQL_SERVERS $HOME_NET
-var HTTP_SERVERS $HOME_NET
-var SMTP_SERVERS $HOME_NET
-var DNS_SERVERS $HOME_NET
-var RULE_PATH .
-var EXTERNAL_NET !$HOME_NET
+var TELNET_SERVERS \$HOME_NET
+var SQL_SERVERS \$HOME_NET
+var HTTP_SERVERS \$HOME_NET
+var SMTP_SERVERS \$HOME_NET
+var DNS_SERVERS \$HOME_NET
+var EXTERNAL_NET !\$HOME_NET
var SSH_PORTS {$ssh_port}
+var RULE_PATH /usr/local/etc/snort/rules
+
+# Use lower memory models
+config detection: search-method lowmem
#Output plugins
-output database: alert
+#output database: alert
output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
#Flow and stream
@@ -84,7 +106,7 @@ preprocessor stream4: disable_evasion_alerts,detect_scans
preprocessor stream4_reassemble: both, ports all
#XLink2State mini proc
-preprocessor xlink2state: ports { 25 691 }
+#preprocessor xlink2state: ports { 25 691 }
#HTTP Inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
@@ -120,7 +142,7 @@ preprocessor flow-portscan: \
talker-sliding-window 20 \
talker-fixed-window 30 \
scoreboard-rows-talker 30000 \
- server-watchnet $HOME_NET \
+ server-watchnet \$HOME_NET \
server-ignore-limit 200 \
server-rows 65535 \
server-learning-time 14400 \
@@ -147,107 +169,105 @@ include reference.config
# XXX: axe below, use $selected_rules_sections
#General
-include $RULE_PATH/bleeding.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
+#include \$RULE_PATH/bleeding.rules
+include \$RULE_PATH/ftp.rules
+include \$RULE_PATH/telnet.rules
+include \$RULE_PATH/dns.rules
+include \$RULE_PATH/tftp.rules
+include \$RULE_PATH/x11.rules
+include \$RULE_PATH/misc.rules
+include \$RULE_PATH/nntp.rules
+include \$RULE_PATH/other-ids.rules
# include $RULE_PATH/shellcode.rules
-include $RULE_PATH/community-ftp.rules
-include $RULE_PATH/community-misc.rules
+#include \$RULE_PATH/community-ftp.rules
+#include \$RULE_PATH/community-misc.rules
#Mostly Spyware
-include $RULE_PATH/bleeding-malware.rules
+#include \$RULE_PATH/bleeding-malware.rules
#Network issues
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/snmp.rules
+include \$RULE_PATH/bad-traffic.rules
+include \$RULE_PATH/snmp.rules
#Exploits and direct attacks
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/bleeding-exploit.rules
-include $RULE_PATH/community-exploit.rules
+include \$RULE_PATH/exploit.rules
#Scans and recon
-include $RULE_PATH/scan.rules
-include $RULE_PATH/bleeding-scan.rules
+include \$RULE_PATH/scan.rules
+#include \$RULE_PATH/bleeding-scan.rules
#Unusual stuff
-include $RULE_PATH/finger.rules
+include \$RULE_PATH/finger.rules
#R-services, etc
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
+include \$RULE_PATH/rpc.rules
+include \$RULE_PATH/rservices.rules
#DOS
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/bleeding-dos.rules
+include \$RULE_PATH/dos.rules
+include \$RULE_PATH/ddos.rules
+#include \$RULE_PATH/bleeding-dos.rules
#Web issues
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-include $RULE_PATH/web-attacks.rules
-include $RULE_PATH/bleeding-web.rules
-include $RULE_PATH/community-web-cgi.rules
-include $RULE_PATH/community-web-client.rules
-include $RULE_PATH/community-web-dos.rules
-include $RULE_PATH/community-web-misc.rules
+include \$RULE_PATH/web-cgi.rules
+include \$RULE_PATH/web-coldfusion.rules
+include \$RULE_PATH/web-iis.rules
+include \$RULE_PATH/web-frontpage.rules
+include \$RULE_PATH/web-misc.rules
+include \$RULE_PATH/web-client.rules
+include \$RULE_PATH/web-php.rules
+include \$RULE_PATH/web-attacks.rules
+#include \$RULE_PATH/bleeding-web.rules
+#include \$RULE_PATH/community-web-cgi.rules
+#include \$RULE_PATH/community-web-client.rules
+#include \$RULE_PATH/community-web-dos.rules
+#include \$RULE_PATH/community-web-misc.rules
#SQL and DB sigs
-include $RULE_PATH/sql.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/community-sql-injection.rules
+include \$RULE_PATH/sql.rules
+include \$RULE_PATH/oracle.rules
+include \$RULE_PATH/mysql.rules
+#include \$RULE_PATH/community-sql-injection.rules
#Informational stuff
#include $RULE_PATH/icmp.rules
-include $RULE_PATH/info.rules
+include \$RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
#Windows stuff
-include $RULE_PATH/netbios.rules
+include \$RULE_PATH/netbios.rules
#Compromise responses
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/bleeding-attack_response.rules
+include \$RULE_PATH/attack-responses.rules
+#include \$RULE_PATH/bleeding-attack_response.rules
#Mail sigs
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-include $RULE_PATH/community-mail-client.rules
+include \$RULE_PATH/smtp.rules
+include \$RULE_PATH/imap.rules
+include \$RULE_PATH/pop2.rules
+include \$RULE_PATH/pop3.rules
+#include \$RULE_PATH/community-mail-client.rules
#Trojans, Viruses, and spyware
-include $RULE_PATH/backdoor.rules
-include $RULE_PATH/virus.rules
-include $RULE_PATH/bleeding-virus.rules
-include $RULE_PATH/community-virus.rules
+include \$RULE_PATH/backdoor.rules
+include \$RULE_PATH/virus.rules
+#include \$RULE_PATH/bleeding-virus.rules
+#include \$RULE_PATH/community-virus.rules
#Policy Sigs
-include $RULE_PATH/policy.rules
-include $RULE_PATH/porn.rules
-include $RULE_PATH/chat.rules
-include $RULE_PATH/p2p.rules
-include $RULE_PATH/multimedia.rules
-include $RULE_PATH/bleeding-policy.rules
-include $RULE_PATH/bleeding-p2p.rules
-include $RULE_PATH/bleeding-inappropriate.rules
-include $RULE_PATH/community-game.rules
-include $RULE_PATH/community-inappropriate.rules
+include \$RULE_PATH/policy.rules
+include \$RULE_PATH/porn.rules
+include \$RULE_PATH/chat.rules
+include \$RULE_PATH/p2p.rules
+include \$RULE_PATH/multimedia.rules
+#include \$RULE_PATH/bleeding-policy.rules
+#include \$RULE_PATH/bleeding-p2p.rules
+#include \$RULE_PATH/bleeding-inappropriate.rules
+#include \$RULE_PATH/community-game.rules
+#include \$RULE_PATH/community-inappropriate.rules
#Experimental
-include $RULE_PATH/experimental.rules
+include \$RULE_PATH/experimental.rules
EOD;