diff options
author | Ermal <eri@pfsense.org> | 2013-01-26 21:28:43 +0100 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2013-01-26 21:28:43 +0100 |
commit | 159f7aa6503168db8f0f8541312e55e1f67a8ee6 (patch) | |
tree | 903dcc9584ca82f8915536e18ed20d50bca21d1b /config/snort | |
parent | 995657bce91f35bf11beda71c224aa9afb2db9fe (diff) | |
download | pfsense-packages-159f7aa6503168db8f0f8541312e55e1f67a8ee6.tar.gz pfsense-packages-159f7aa6503168db8f0f8541312e55e1f67a8ee6.tar.bz2 pfsense-packages-159f7aa6503168db8f0f8541312e55e1f67a8ee6.zip |
Include sip preprocessor which is needed for VRT policy secure
Diffstat (limited to 'config/snort')
-rwxr-xr-x | config/snort/snort.inc | 14 | ||||
-rwxr-xr-x | config/snort/snort_define_servers.php | 2 | ||||
-rwxr-xr-x | config/snort/snort_preprocessors.php | 12 |
3 files changed, 25 insertions, 3 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 80088779..de0ac58f 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -1893,7 +1893,7 @@ function snort_generate_conf($snortcfg) { "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", - "sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79", + "sip_ports" => "5060, 5061", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", "ssl_ports" => "443,465,563,636,989,990,992,993,994,995", @@ -2094,6 +2094,16 @@ preprocessor dcerpc2_server: default, policy WinXP, \ EOD; + $sip_ports = str_replace(",", " ", $snort_ports['sip_ports']); + $sip_preproc = <<<EOD +# SIP preprocessor +preprocessor sip: ports { {$sip_ports} }, max_call_id_len 300, \ + max_from_len 100, max_to_len 200, max_via_len 1000, \ + max_requestName_len 50, max_uri_len 100, ignore_call_channel,\ + max_content_len 1000 + +EOD; + $dns_ports = str_replace(",", " ", $snort_ports['dns_ports']); /* def dns_preprocessor */ $dns_preprocessor = <<<EOD @@ -2174,7 +2184,7 @@ EOD; "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", + "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" ); $snort_preprocessors = ""; diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index ca153d68..3a12b284 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -72,7 +72,7 @@ $snort_ports = array( "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", -"sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79", +"sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", "ssl_ports" => "443,465,563,636,989,990,992,993,994,995", diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 25e176cb..916fd413 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -72,6 +72,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc']; $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc']; $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc']; + $pconfig['sip_preproc'] = $a_nat[$id]['sip_preproc']; $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc']; $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc']; } @@ -104,6 +105,8 @@ if ($_POST) { $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off'; $natent['dnp3_preproc'] = $_POST['dnp3_preproc'] ? 'on' : 'off'; $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; + $natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off'; + $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -363,6 +366,15 @@ include_once("head.inc"); </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> + <?php echo gettext("SIP Detection"); ?></td> + <td width="78%" class="vtable"><input name="sip_preproc" + type="checkbox" value="on" + <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("DNS Detection"); ?></td> <td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on" |