authorErmal <eri@pfsense.org>2012-07-15 21:08:48 +0000
committerErmal <eri@pfsense.org>2012-07-15 21:09:07 +0000
commita15664ad7508450ae5709462cefafb7bb107c159 (patch)
treea79debcc9723409e9d030ff386ca007b55849a1c /config/snort/snort.inc
parent99c2189fd0172dbf932441f9a44e4cc62b3071ff (diff)
Make sensitive data configurable
Diffstat (limited to 'config/snort/snort.inc')
-rw-r--r--config/snort/snort.inc19
1 files changed, 13 insertions, 6 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 54be4225..e7ba998b 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1221,6 +1221,8 @@ preprocessor dns: \
EOD;
+ $sensitive_data = "preprocessor sensitive_data:\n";
+
/* stream5 queued settings */
$def_max_queued_bytes_type = '';
if (!empty($snortcfg['max_queued_bytes']))
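Review bot: The new `$sensitive_data` directive string carries no comment explaining why the directive is now built into a variable instead of being written directly into the configuration template, and nothing here ties it to the `$snortcfg['sensitive_data']` key that the rules hunk below tests. The entry added to `$snort_preproc` in the next hunk suggests it is selected by the `foreach ($snort_preproc as $preproc)` loop, whose body is outside the hunk, so I would add above the assignment: `/* sensitive_data (PII detection) preprocessor; presumably appended to $snort_preprocessors via $snort_preproc only when enabled in $snortcfg */`. The enclosing function starts before this hunk.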
@@ -1257,7 +1259,7 @@ EOD;
$snort_preproc = array (
"perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor",
- "sf_portscan", "dce_rpc_2", "dns_preprocessor"
+ "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data"
);
$snort_preprocessors = "";
foreach ($snort_preproc as $preproc) {
@@ -1274,9 +1276,16 @@ EOD;
if (file_exists("{$snortcfgdir}/classification.config"))
$snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
if (is_dir("{$snortdir}/preproc_rules")) {
- foreach (glob("{$snortdir}/preproc_rules/*.rules") as $file) {
- $file = basename($file);
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/{$file}\n";
+ if ($snortcfg['sensitive_data'] && file_exists("{$snortdir}/preproc_rules/sensitive-data.rules"))
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules/\n";
+
+ if (file_exists("{$snortdir}/preproc_rules/decoder.rules") &&
+ file_exists("{$snortdir}/preproc_rules/preprocessor.rules")) {
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ } else {
+ $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
+ log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
}
} else {
$snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
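Review bot: The include emitted on the second added line ends with a stray slash, `include \$PREPROC_RULE_PATH/sensitive-data.rules/\n`, while the guarding `file_exists()` on the line before checks `sensitive-data.rules` without it, so the generated snort.conf points at a path that does not exist and Snort would fail on the rules file the code just verified; change it to `$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";`. The same guard reads `$snortcfg['sensitive_data']` directly, which raises an undefined-index notice when the key is absent from older configs; `!empty($snortcfg['sensitive_data'])` would match the `!empty($snortcfg['max_queued_bytes'])` test used in the first hunk. The enclosing function starts before this hunk.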
@@ -1351,8 +1360,6 @@ preprocessor stream5_tcp: policy BSD, ports both all{$def_max_queued_bytes_type}
preprocessor stream5_udp:
preprocessor stream5_icmp:
-preprocessor sensitive_data:
-
{$snort_preprocessors}
# Ignore SSL and Encryption #