aboutsummaryrefslogtreecommitdiffstats
path: root/config/snort
diff options
context:
space:
mode:
authorRenato Botelho <garga@pfSense.org>2013-09-27 05:01:17 -0700
committerRenato Botelho <garga@pfSense.org>2013-09-27 05:01:17 -0700
commita4cc247a0e5b7355506d0571f240ab1c9768125e (patch)
tree666ad30ae4ebda4105357730da8062c2445c6dce /config/snort
parentf1d24481b1af528e74d4c96c6af2c56e3b976a69 (diff)
parent2019b75b12c2355470dc854cc4a8a8aed2588ed7 (diff)
downloadpfsense-packages-a4cc247a0e5b7355506d0571f240ab1c9768125e.tar.gz
pfsense-packages-a4cc247a0e5b7355506d0571f240ab1c9768125e.tar.bz2
pfsense-packages-a4cc247a0e5b7355506d0571f240ab1c9768125e.zip
Merge pull request #514 from bmeeks8/master
Snort Package v2.6.0 Update
Diffstat (limited to 'config/snort')
-rwxr-xr-xconfig/snort/snort.inc296
-rwxr-xr-xconfig/snort/snort.xml2
-rwxr-xr-xconfig/snort/snort_alerts.php53
-rw-r--r--config/snort/snort_blocked.php6
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php71
-rwxr-xr-xconfig/snort/snort_define_servers.php55
-rw-r--r--config/snort/snort_interfaces_suppress.php49
-rwxr-xr-xconfig/snort/snort_preprocessors.php26
-rwxr-xr-xconfig/snort/snort_rules.php19
9 files changed, 433 insertions, 144 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index f1f5ad9b..d69f6237 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -47,7 +47,7 @@ global $rebuild_rules;
/* package version */
$snort_version = "2.9.4.6";
-$pfSense_snort_version = "2.5.9";
+$pfSense_snort_version = "2.6.0";
$snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}";
// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI)
@@ -83,6 +83,101 @@ $rebuild_rules = false;
if (!is_array($config['installedpackages']['snortglobal']))
$config['installedpackages']['snortglobal'] = array();
+function snort_get_alias_value($alias) {
+ /***************************************************/
+ /* This function returns the value of the passed */
+ /* Alias, or an empty string if the value cannot */
+ /* be determined. */
+ /* */
+ /* On Entry: $alias ==> Alias to be evaluated */
+ /* Returns: Alias value as a string or an empty */
+ /* string */
+ /***************************************************/
+
+ global $config;
+
+ $entries = array();
+ $tmp = "";
+
+ // If no Aliases are defined in the configuration,
+ // return an empty string.
+ if (empty($config['aliases']))
+ return $tmp;
+
+ // See if we were passed a valid Alias and return
+ // an empty string if not.
+ if (!is_alias($alias))
+ return $tmp;
+
+ // We have a valid Alias, so find its value or
+ // values and return as a string.
+ return snort_unpack_alias($alias);
+}
+
+function snort_unpack_alias($alias) {
+
+ /**************************************************/
+ /* This function unpacks an Alias to determine */
+ /* the actual values it represents. Any nested */
+ /* Aliases encountered are also unpacked via */
+ /* recursive calls to this function. */
+ /* */
+ /* Fully-qualified-domain-name (FQDN) aliases */
+ /* are detected and resolved via a pfctl() call. */
+ /**************************************************/
+
+ global $config;
+ $value = "";
+
+ // Find the matching Alias entry in config
+ foreach ($config['aliases']['alias'] as $aliased) {
+ if($aliased['name'] == $alias) {
+ $addr = array();
+ $addr = explode(" ", trim($aliased['address']));
+ foreach ($addr as $a) {
+ if (!is_alias($a) && !empty($a)) {
+ if (is_ipaddr($a) || is_subnet($a) || is_port($a))
+ // If address, subnet or port, we found the final value
+ $value .= $a . " ";
+ elseif (is_hostname($a)) {
+ // Found a FQDN value for this Alias, so resolve it
+ $entries = array();
+ exec("/sbin/pfctl -t " . escapeshellarg($alias) . " -T show", $entries);
+ $value .= trim(implode(" ", $entries));
+ }
+ else
+ continue;
+ }
+ elseif (is_alias($a))
+ // Found a nested Alias, so recursively resolve it
+ $value .= snort_unpack_alias($a) . " ";
+ }
+ return trim($value);
+ }
+ }
+ return $value;
+}
+
+function snort_is_single_addr_alias($alias) {
+ /***************************************************/
+ /* This function evaluates the passed Alias to */
+ /* determine if it represents a single IP address, */
+ /* or a network in CIDR form, and returns TRUE if */
+ /* the condition is met, and FALSE if not. */
+ /* */
+ /* On Entry: $alias ==> Alias to be evaluated */
+ /* Returns: TRUE if Alias represents a single */
+ /* IP address or network, and FALSE */
+ /* if not. */
+ /***************************************************/
+
+ /* If spaces in expanded Alias, it's not a single entity */
+ if (strpos(snort_get_alias_value($alias), " ") !== false)
+ return false;
+ else
+ return true;
+}
+
function snort_get_blocked_ips() {
$blocked_ips = "";
exec('/sbin/pfctl -t snort2c -T show', $blocked_ips);
@@ -164,8 +259,13 @@ function snort_load_suppress_sigs($snortcfg, $track_by=false) {
if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+)\s*$/i', $line, $matches)) {
$genid = $matches[1];
$sigid = $matches[2];
- if (!empty($genid) && !empty($sigid))
+ if (!empty($genid) && !empty($sigid)) {
+ if (!is_array($suppress[$genid]))
+ $suppress[$genid] = array();
+ if (!is_array($suppress[$genid][$sigid]))
+ $suppress[$genid][$sigid] = array();
$suppress[$genid][$sigid] = "suppress";
+ }
}
/* Get "track by IP" entries if requested */
@@ -176,8 +276,17 @@ function snort_load_suppress_sigs($snortcfg, $track_by=false) {
$sigid = $matches[2];
$whichip = trim($matches[3]);
$ip = $matches[4];
- if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip))
+ if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) {
+ if (!is_array($suppress[$genid]))
+ $suppress[$genid] = array();
+ if (!is_array($suppress[$genid][$sigid]))
+ $suppress[$genid][$sigid] = array();
+ if (!is_array($suppress[$genid][$sigid][$whichip]))
+ $suppress[$genid][$sigid][$whichip] = array();
+ if (!is_array($suppress[$genid][$sigid][$whichip][$ip]))
+ $suppress[$genid][$sigid][$whichip][$ip] = array();
$suppress[$genid][$sigid][$whichip][$ip] = "suppress";
+ }
}
/* See if entry suppresses only by SRC or DST IPv6 address */
if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+),\s*track\s*(by_src|by_dst),\s*ip\s*([0-9a-f\.:]+)\s*$/i', $line, $matches)) {
@@ -185,8 +294,17 @@ function snort_load_suppress_sigs($snortcfg, $track_by=false) {
$sigid = $matches[2];
$whichip = trim($matches[3]);
$ip = trim($matches[4]);
- if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip))
+ if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) {
+ if (!is_array($suppress[$genid]))
+ $suppress[$genid] = array();
+ if (!is_array($suppress[$genid][$sigid]))
+ $suppress[$genid][$sigid] = array();
+ if (!is_array($suppress[$genid][$sigid][$whichip]))
+ $suppress[$genid][$sigid][$whichip] = array();
+ if (!is_array($suppress[$genid][$sigid][$whichip][$ip]))
+ $suppress[$genid][$sigid][$whichip][$ip] = array();
$suppress[$genid][$sigid][$whichip][$ip] = "suppress";
+ }
}
}
}
@@ -241,7 +359,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
$vips = $list['vips'];
$vpns = $list['vpnips'];
if (!empty($list['address']) && is_alias($list['address'])) {
- $home_net = explode(" ", trim(filter_expand_alias($list['address'])));
+ $home_net = explode(" ", trim(snort_get_alias_value($list['address'])));
}
}
@@ -1769,24 +1887,33 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
unset($enablesid, $disablesid);
}
-/* Start of main config files */
-/* open snort.sh for writing" */
function snort_create_rc() {
+
+ /*********************************************************/
+ /* This function builds the /usr/local/etc/rc.d/snort.sh */
+ /* shell script for starting and stopping Snort. The */
+ /* script is rebuilt on each package sync operation and */
+ /* after any changes to snort.conf saved in the GUI. */
+ /*********************************************************/
+
global $config, $g;
$snortdir = SNORTDIR;
$rcdir = RCFILEPREFIX;
+ // If no interfaces are configured for Snort, exit
if (!is_array($config['installedpackages']['snortglobal']['rule']))
return;
-
- $snortconf =& $config['installedpackages']['snortglobal']['rule'];
- /* do not start config build if rules is empty */
+ $snortconf = $config['installedpackages']['snortglobal']['rule'];
if (empty($snortconf))
return;
+ // At least one interface is configured, so OK
$start_snort_iface_start = array();
$start_snort_iface_stop = array();
+
+ // Loop thru each configured interface and build
+ // the shell script.
foreach ($snortconf as $value) {
$snort_uuid = $value['uuid'];
$if_real = snort_get_real_interface($value['interface']);
@@ -1794,7 +1921,7 @@ function snort_create_rc() {
$start_barnyard = <<<EOE
if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
- pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' > {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid`
+ pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "`
else
pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid`
fi
@@ -1835,9 +1962,9 @@ EOE;
/bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid
fi
else
- pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q'`
+ pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "`
if [ ! -z \$pid ]; then
- /bin/pkill -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q'
+ /bin/pkill -f "barnyard2 -r {$snort_uuid} "
time=0 timeout=30
while kill -0 \$pid 2>/dev/null; do
sleep 1
@@ -1860,10 +1987,11 @@ EOE;
###### For Each Iface
# Start snort and barnyard2
if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then
- pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'`
+ pid=`/bin/pgrep -f "snort -R {$snort_uuid} "`
else
pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid`
fi
+
if [ ! -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..."
/bin/pkill -HUP \$pid
@@ -1895,10 +2023,10 @@ EOE;
/bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid
fi
else
- pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'`
+ pid=`/bin/pgrep -f "snort -R {$snort_uuid} "`
if [ ! -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'
+ /bin/pkill -f "snort -R {$snort_uuid} "
time=0 timeout=30
while kill -0 \$pid 2>/dev/null; do
sleep 1
@@ -1925,7 +2053,7 @@ EOE;
# This file was automatically generated
# by the pfSense service handler.
# Code added to protect from double starts on pfSense bootup
-######## Begining of Main snort.sh
+######## Start of main snort.sh
rc_start() {
{$rc_start}
@@ -2236,6 +2364,10 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
$fbits = snort_resolve_flowbits($all_rules, $enabled_rules);
+ /* Check for and disable any flowbit-required rules the user has */
+ /* manually forced to a disabled state. */
+ snort_modify_sids($fbits, $snortcfg);
+
/* Check for and disable any flowbit-required rules dependent upon */
/* disabled preprocessors if this option is enabled for the interface. */
if ($snortcfg['preproc_auto_rule_disable'] == "on") {
@@ -2548,14 +2680,15 @@ function snort_generate_conf($snortcfg) {
$ssh_port = "22";
$snort_ports = array(
"dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691",
- "http_ports" => "80,901,3128,8080,9000", "oracle_ports" => "1521", "mssql_ports" => "1433",
- "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21",
+ "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555",
+ "oracle_ports" => "1024:", "mssql_ports" => "1433",
+ "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535",
"ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
"imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
- "sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79",
+ "sip_ports" => "5060,5061, 5600", "auth_ports" => "113", "finger_ports" => "79",
"irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
"nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
- "ssl_ports" => "443,465,563,636,989,990,992,993,994,995",
+ "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920",
"file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80",
"sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
"DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
@@ -2568,7 +2701,7 @@ function snort_generate_conf($snortcfg) {
$portvardef = "";
foreach ($snort_ports as $alias => $avalue) {
if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
- $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]);
+ $snort_ports[$alias] = snort_get_alias_value($snortcfg["def_{$alias}"]);
$snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias]));
$portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
}
@@ -2633,19 +2766,23 @@ preprocessor http_inspect_server: server default profile {$http_server_profile}
EOD;
/* def ftp_preprocessor */
+ $telnet_ports = str_replace(",", " ", $snort_ports['telnet_ports']);
+ $ftp_ports = str_replace(",", " ", $snort_ports['ftp_ports']);
$ftp_preprocessor = <<<EOD
-# ftp preprocessor #
+# ftp_telnet preprocessor #
preprocessor ftp_telnet: global \
inspection_type stateless
preprocessor ftp_telnet_protocol: telnet \
- normalize \
- ayt_attack_thresh 200
+ normalize ports { {$telnet_ports} } \
+ ayt_attack_thresh 20 \
+ detect_anomalies
-preprocessor ftp_telnet_protocol: \
- ftp server default \
+preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
- ports { 21 } \
+ ports { $ftp_ports } \
+ telnet_cmds yes \
+ ignore_telnet_erase_cmds yes \
ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
@@ -2676,12 +2813,14 @@ preprocessor ftp_telnet_protocol: \
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
+ ignore_telnet_erase_cmds yes \
telnet_cmds yes
EOD;
$pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']);
$pop_preproc = <<<EOD
+# POP preprocessor #
preprocessor pop: \
ports { {$pop_ports} } \
memcap 1310700 \
@@ -2693,6 +2832,7 @@ EOD;
$imap_ports = str_replace(",", " ", $snort_ports['imap_ports']);
$imap_preproc = <<<EOD
+# IMAP preprocessor #
preprocessor imap: \
ports { {$imap_ports} } \
memcap 1310700 \
@@ -2711,10 +2851,12 @@ preprocessor SMTP: \
inspection_type stateful \
normalize cmds \
ignore_tls_data \
- valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
-CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \
-PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET \
+ SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME \
+ TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP \
+ RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK \
+ TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
max_header_line_len 1000 \
max_response_line_len 512 \
alt_max_command_line_len 260 { MAIL } \
@@ -2752,12 +2894,12 @@ EOD;
$sf_pscan_sense_level = $snortcfg['pscan_sense_level'];
$sf_pscan_ignore_scanners = "\$HOME_NET";
if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) {
- $sf_pscan_ignore_scanners = filter_expand_alias($snortcfg['pscan_ignore_scanners']);
+ $sf_pscan_ignore_scanners = snort_get_alias_value($snortcfg['pscan_ignore_scanners']);
$sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners));
}
$sf_portscan = <<<EOD
-# sf Portscan #
+# sf Portscan preprocessor #
preprocessor sfportscan: scan_type { {$sf_pscan_type} } \
proto { {$sf_pscan_protocol} } \
memcap { {$sf_pscan_memcap} } \
@@ -2766,21 +2908,34 @@ preprocessor sfportscan: scan_type { {$sf_pscan_type} } \
EOD;
- $sun_rpc_ports = str_replace(",", " ", $snort_ports['sun_rpc_ports']);
+ /* def ssh_preproc */
+ $ssh_ports = str_replace(",", " ", $snort_ports['ssh_ports']);
+ $ssh_preproc = <<<EOD
+# SSH preprocessor #
+preprocessor ssh: server_ports { {$ssh_ports} } \
+ autodetect \
+ max_client_bytes 19600 \
+ max_encrypted_packets 20 \
+ max_server_version_len 100 \
+ enable_respoverflow enable_ssh1crc32 \
+ enable_srvoverflow enable_protomismatch
+
+EOD;
+
/* def other_preprocs */
+ $sun_rpc_ports = str_replace(",", " ", $snort_ports['sun_rpc_ports']);
$other_preprocs = <<<EOD
-
# Other preprocs #
preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
-# Back Orifice
+# Back Orifice preprocessor #
preprocessor bo
EOD;
/* def dce_rpc_2 */
$dce_rpc_2 = <<<EOD
-# DCE/RPC 2 #
+# DCE/RPC 2 #
preprocessor dcerpc2: memcap 102400, events [co]
preprocessor dcerpc2_server: default, policy WinXP, \
detect [smb [{$snort_ports['smb_ports']}], tcp 135, udp 135, rpc-over-http-server 593], \
@@ -2791,11 +2946,39 @@ EOD;
$sip_ports = str_replace(",", " ", $snort_ports['sip_ports']);
$sip_preproc = <<<EOD
-# SIP preprocessor
-preprocessor sip: ports { {$sip_ports} }, max_call_id_len 300, \
- max_from_len 100, max_to_len 200, max_via_len 1000, \
- max_requestName_len 50, max_uri_len 100, ignore_call_channel,\
- max_content_len 1000
+# SIP preprocessor #
+preprocessor sip: max_sessions 40000, \
+ ports { {$sip_ports} }, \
+ methods { invite \
+ cancel \
+ ack \
+ bye \
+ register \
+ options \
+ refer \
+ subscribe \
+ update \
+ join \
+ info \
+ message \
+ notify \
+ benotify \
+ do \
+ qauth \
+ sprack \
+ publish \
+ service \
+ unsubscribe \
+ prack }, \
+ max_call_id_len 80, \
+ max_from_len 256, \
+ max_to_len 256, \
+ max_via_len 1024, \
+ max_requestName_len 50, \
+ max_uri_len 512, \
+ ignore_call_channel, \
+ max_content_len 2048, \
+ max_contact_len 512
EOD;
@@ -2837,10 +3020,13 @@ preprocessor gtp: ports { {$gtp_ports} }
EOD;
- $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']);
+ /* def ssl_preprocessor */
+ $ssl_ports = str_replace(",", " ", $snort_ports['ssl_ports']);
$ssl_preproc = <<<EOD
-# Ignore SSL and Encryption #
-preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted
+# SSL preprocessor #
+preprocessor ssl: \
+ ports { {$ssl_ports} }, \
+ trustservers, noinspect_encrypted
EOD;
@@ -2872,7 +3058,7 @@ EOD;
$vardef = "";
foreach ($snort_servers as $alias => $avalue) {
if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) {
- $avalue = filter_expand_alias($snortcfg["def_{$alias}"]);
+ $avalue = snort_get_alias_value($snortcfg["def_{$alias}"]);
$avalue = str_replace(" ", ",", trim($avalue));
}
$vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n";
@@ -2885,7 +3071,7 @@ EOD;
"ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
);
$snort_preproc = array (
- "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc",
+ "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc",
"sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc"
);
$default_disabled_preprocs = array(
@@ -3071,7 +3257,7 @@ EOD;
# snort configuration file
# generated automatically by the pfSense subsystems do not modify manually
-# Define Local Network #
+# Define Local Network #
var HOME_NET [{$home_net}]
var EXTERNAL_NET [{$external_net}]
@@ -3079,16 +3265,16 @@ var EXTERNAL_NET [{$external_net}]
var RULE_PATH {$snortcfgdir}/rules
var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules
-# Define Servers #
+# Define Servers #
{$vardef}
-# Define Server Ports #
+# Define Server Ports #
{$portvardef}
# Configure quiet startup mode #
config quiet
-# Configure the snort decoder #
+# Configure the snort decoder #
config checksum_mode: {$cksumcheck}
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
@@ -3098,14 +3284,14 @@ config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops
-# Enable the GTP decoder #
+# Enable the GTP decoder #
config enable_gtp
# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
-# Configure the detection engine #
+# Configure the detection engine #
config detection: {$cfg_detect_settings}
config event_queue: max_queue 8 log 5 order_events content_length
@@ -3134,7 +3320,7 @@ preprocessor frag3_global: {$frag3_memcap}, {$frag3_max_frags}{$frag3_disabled}
preprocessor frag3_engine: {$frag3_policy} detect_anomalies {$frag3_timeout} {$frag3_overlap_limit} {$frag3_min_frag_len}
preprocessor stream5_global:{$stream5_reassembly} track_tcp {$stream5_track_tcp}, track_udp {$stream5_track_udp}, track_icmp {$stream5_track_icmp}, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5{$stream5_mem_cap}
-preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}$stream5_dont_store_lg_pkts
+preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}{$stream5_dont_store_lg_pkts}
preprocessor stream5_udp: {$stream5_udp_timeout}
preprocessor stream5_icmp: {$stream5_icmp_timeout}
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index ed71abae..3d4c8016 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -47,7 +47,7 @@
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
<version>2.9.4.6</version>
- <title>Services:2.9.4.6 pkg v. 2.5.9</title>
+ <title>Services:2.9.4.6 pkg v. 2.6.0</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
<name>Snort</name>
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php
index c296f81b..0295ed2f 100755
--- a/config/snort/snort_alerts.php
+++ b/config/snort/snort_alerts.php
@@ -90,8 +90,8 @@ function snort_add_supplist_entry($suppress) {
/* If no Suppress List is set for the interface, then create one with the interface name */
if (empty($a_instance[$instanceid]['suppresslistname']) || $a_instance[$instanceid]['suppresslistname'] == 'default') {
$s_list = array();
- $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress";
$s_list['uuid'] = uniqid();
+ $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress" . "_" . $s_list['uuid'];
$s_list['descr'] = "Auto-generated list for Alert suppression";
$s_list['suppresspassthru'] = base64_encode($suppress);
$a_suppress[] = $s_list;
@@ -108,6 +108,10 @@ function snort_add_supplist_entry($suppress) {
$alist['suppresspassthru'] = base64_encode($tmplist);
$a_suppress[$a_id] = $alist;
}
+ else {
+ $alist['suppresspassthru'] = base64_encode($suppress);
+ $a_suppress[$a_id] = $alist;
+ }
}
}
}
@@ -243,7 +247,6 @@ if ($_POST['download']) {
readfile("$file");
@unlink("/tmp/{$file_name}");
}
-
header("Location: /snort/snort_alerts.php?instance={$instanceid}");
exit;
}
@@ -263,7 +266,7 @@ include_once("fbegin.inc");
/* refresh every 60 secs */
if ($pconfig['arefresh'] == 'on')
- echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n";
+ echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php?instance={$instanceid}\" />\n";
?>
<?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}
@@ -300,7 +303,7 @@ if ($pconfig['arefresh'] == 'on')
<tr>
<td width="22%" class="vncell"><?php echo gettext('Instance to inspect'); ?></td>
<td width="78%" class="vtable">
- <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').submit()">
+ <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').method='get';document.getElementById('formalert').submit()">
<?php
foreach ($a_instance as $id => $instance) {
$selected = "";
@@ -396,19 +399,26 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
$alert_ip_src = $fields[6];
/* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */
$alert_ip_src = str_replace(":", ":&#8203;", $alert_ip_src);
+ /* Add Reverse DNS lookup icon */
+ $alert_ip_src .= "<br/><a href='/diag_dns.php?host={$fields[6]}&instance={$instanceid}'>";
+ $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' ";
+ $alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>";
+ /* Add icons for auto-adding to Suppress List if appropriate */
if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) &&
!isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) {
- $alert_ip_src .= "<br/><a href='?instance={$instanceid}&act=addsuppress_srcip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[6])) . "'>";
+ $alert_ip_src .= "&nbsp;&nbsp;<a href='?instance={$instanceid}&act=addsuppress_srcip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[6])) . "'>";
$alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' ";
- $alert_ip_src .= "title='" . gettext("Add this gen_id:sig_id track by_src IP to Suppress List") . "'></a>";
+ $alert_ip_src .= "title='" . gettext("Add this alert to the Suppress List and track by_src IP") . "'></a>";
}
elseif (isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) {
- $alert_ip_src .= "<br/><img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' ";
- $alert_ip_src .= "title='" . gettext("This gen_id:sig_id track by_src IP already in Suppress List") . "'/>";
+ $alert_ip_src .= "&nbsp;&nbsp;<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' ";
+ $alert_ip_src .= "title='" . gettext("This alert track by_src IP is already in the Suppress List") . "'/>";
}
+ /* Add icon for auto-removing from Blocked Table if required */
if (isset($tmpblocked[$fields[6]])) {
- $alert_ip_src .= "&nbsp;&nbsp;<a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'>
- <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/></a>";
+ $alert_ip_src .= "&nbsp;";
+ $alert_ip_src .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'>
+ <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>";
}
/* IP SRC Port */
$alert_src_p = $fields[7];
@@ -416,19 +426,26 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
$alert_ip_dst = $fields[8];
/* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */
$alert_ip_dst = str_replace(":", ":&#8203;", $alert_ip_dst);
+ /* Add Reverse DNS lookup icon */
+ $alert_ip_dst .= "<br/><a href='/diag_dns.php?host={$fields[8]}&instance={$instanceid}'>";
+ $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' ";
+ $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>";
+ /* Add icons for auto-adding to Suppress List if appropriate */
if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) &&
!isset($supplist[$fields[1]][$fields[2]]['by_dst'][$fields[8]])) {
- $alert_ip_dst .= "<br/><a href='?instance={$instanceid}&act=addsuppress_dstip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[8])) . "'>";
+ $alert_ip_dst .= "&nbsp;&nbsp;<a href='?instance={$instanceid}&act=addsuppress_dstip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[8])) . "'>";
$alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' ";
- $alert_ip_dst .= "title='" . gettext("Add this gen_id:sig_id track by_dst IP to Suppress List") . "'></a>";
+ $alert_ip_dst .= "title='" . gettext("Add this alert to the Suppress List and track by_dst IP") . "'></a>";
}
elseif (isset($supplist[$fields[1]][$fields[2]]['by_dst'][$fields[8]])) {
- $alert_ip_dst .= "<br/><img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' ";
- $alert_ip_dst .= "title='" . gettext("This gen_id:sig_id track by_dst IP already in Suppress List") . "'/>";
+ $alert_ip_dst .= "&nbsp;&nbsp;<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' ";
+ $alert_ip_dst .= "title='" . gettext("This alert track by_dst IP is already in the Suppress List") . "'/>";
}
+ /* Add icon for auto-removing from Blocked Table if required */
if (isset($tmpblocked[$fields[8]])) {
- $alert_ip_dst .= "&nbsp;&nbsp;<a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'>
- <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/></a>";
+ $alert_ip_dst .= "&nbsp;";
+ $alert_ip_dst .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'>
+ <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>";
}
/* IP DST Port */
$alert_dst_p = $fields[9];
@@ -437,11 +454,11 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2])) {
$sidsupplink = "<a href='?instance={$instanceid}&act=addsuppress&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}'>";
$sidsupplink .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' ";
- $sidsupplink .= "title='" . gettext("Add this gen_id:sig_id to Suppress List") . "'></a>";
+ $sidsupplink .= "title='" . gettext("Add this alert to the Suppress List") . "'></a>";
}
else {
$sidsupplink = "<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' ";
- $sidsupplink .= "title='" . gettext("This gen_id:sig_id already in Suppress List") . "'/>";
+ $sidsupplink .= "title='" . gettext("This alert is already in the Suppress List") . "'/>";
}
$alert_class = $fields[11];
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index 56edfbc5..a81b03d7 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -94,7 +94,7 @@ if ($_POST['download'])
@unlink("/tmp/{$file_name}");
exec("/bin/rm -fr /tmp/snort_blocked");
} else
- $savemsg = "An error occurred while createing archive";
+ $savemsg = "An error occurred while creating archive";
} else
$savemsg = "No content on snort block list";
}
@@ -257,7 +257,9 @@ if ($pconfig['brefresh'] == 'on')
/* use one echo to do the magic*/
echo "<tr>
<td align=\"center\" valign=\"middle\" class=\"listr\">{$counter}</td>
- <td valign=\"middle\" class=\"listr\">{$tmp_ip}</td>
+ <td valign=\"middle\" class=\"listr\">{$tmp_ip}&nbsp;<a href='/diag_dns.php?host={$blocked_ip}'>
+ <img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0'
+ title='" . gettext("Resolve host via reverse DNS lookup") . "'></a></td>
<td valign=\"middle\" class=\"listr\">{$blocked_desc}</td>
<td align=\"center\" valign=\"middle\" class=\"listr\"><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'>
<img title=\"" . gettext("Delete host from Blocked Table") . "\" border=\"0\" name='todelete' id='todelete' alt=\"Delete host from Blocked Table\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index c40d6ff4..30da4b74 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -42,6 +42,8 @@ if (!defined("VRT_DNLD_URL"))
define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");
if (!defined("ET_VERSION"))
define("ET_VERSION", "2.9.0");
+if (!defined("ET_BASE_DNLD_URL"))
+ define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/");
if (!defined("ET_DNLD_FILENAME"))
define("ET_DNLD_FILENAME", "emerging.rules.tar.gz");
if (!defined("GPLV2_DNLD_FILENAME"))
@@ -88,6 +90,10 @@ $snort_rule_url = VRT_DNLD_URL;
$emergingthreats_filename = ET_DNLD_FILENAME;
$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5";
$emerging_threats_version = ET_VERSION;
+$emergingthreats_url = ET_BASE_DNLD_URL;
+// If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules
+$emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/";
+$emergingthreats_url .= "snort-" . ET_VERSION . "/";
/* Snort GPLv2 Community Rules filenames and URL */
$snort_community_rules_filename = GPLV2_DNLD_FILENAME;
@@ -141,6 +147,18 @@ function snort_download_file_url($url, $file_out) {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
+
+ // Use the system proxy server setttings if configured
+ if (!empty($config['system']['proxyurl'])) {
+ curl_setopt($ch, CURLOPT_PROXY, $config['system']['proxyurl']);
+ if (!empty($config['system']['proxyport']))
+ curl_setopt($ch, CURLOPT_PROXYPORT, $config['system']['proxyport']);
+ if (!empty($config['system']['proxyuser']) && !empty($config['system']['proxypass'])) {
+ @curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_ANY | CURLAUTH_ANYSAFE);
+ curl_setopt($ch, CURLOPT_PROXYUSERPWD, "{$config['system']['proxyuser']}:{$config['system']['proxypass']}");
+ }
+ }
+
$counter = 0;
$rc = true;
/* Try up to 4 times to download the file before giving up */
@@ -200,26 +218,26 @@ $last_curl_error = "";
/* download md5 sig from snort.org */
if ($snortdownload == 'on') {
if ($pkg_interface <> "console")
- update_status(gettext("Downloading Snort VRT md5 file..."));
- error_log(gettext("\tDownloading Snort VRT md5 file...\n"), 3, $snort_rules_upd_log);
+ update_status(gettext("Downloading Snort VRT md5 file {$snort_filename_md5}..."));
+ error_log(gettext("\tDownloading Snort VRT md5 file '{$snort_filename_md5}'...\n"), 3, $snort_rules_upd_log);
$rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}");
if ($rc === true) {
if ($pkg_interface <> "console")
- update_status(gettext("Done downloading snort.org md5."));
+ update_status(gettext("Done downloading {$snort_filename_md5}."));
error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log);
}
else {
error_log(gettext("\tSnort VRT md5 download failed.\n"), 3, $snort_rules_upd_log);
if ($rc == 403) {
$snort_err_msg = gettext("Too many attempts or Oinkcode not authorized for this Snort version.\n");
- $snort_err_msg .= gettext("\tFree Registered User accounts may download Snort VRT Rules once every 15 minutes.\n");
- $snort_err_msg .= gettext("\tPaid Subscriber accounts have no download limits.\n");
+ $snort_err_msg .= gettext("\tFree Registered Users may download VRT Rules once every 15 minutes.\n");
+ $snort_err_msg .= gettext("\tPaid Subscribers have no download limits.\n");
}
else
$snort_err_msg = gettext("Server returned error code '{$rc}'.");
if ($pkg_interface <> "console") {
update_status(gettext("Snort VRT md5 error ... Server returned error code {$rc} ..."));
- update_output_window(gettext("Snort VRT rules will not be updated.\n{$snort_err_msg}"));
+ update_output_window(gettext("Snort VRT rules will not be updated.\n\t{$snort_err_msg}"));
}
log_error(gettext("[Snort] Snort VRT md5 download failed..."));
log_error(gettext("[Snort] Server returned error code '{$rc}'..."));
@@ -249,13 +267,15 @@ if ($snortdownload == 'on') {
/* download snortrules file */
if ($snortdownload == 'on') {
if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of Snort VRT rules posted. Downloading..."));
+ update_status(gettext("There is a new set of Snort VRT rules posted. Downloading {$snort_filename}..."));
log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading..."));
- error_log(gettext("\tThere is a new set of Snort VRT rules posted. Downloading...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tThere is a new set of Snort VRT rules posted.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tDownloading file '{$snort_filename}'...\n"), 3, $snort_rules_upd_log);
$rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}");
if ($rc === true) {
if ($pkg_interface <> "console")
update_status(gettext("Done downloading Snort VRT rules file."));
+ log_error("[Snort] Snort VRT rules file update downloaded successfully");
error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log);
if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){
if ($pkg_interface <> "console")
@@ -285,8 +305,8 @@ if ($snortdownload == 'on') {
/* download md5 sig from Snort GPLv2 Community Rules */
if ($snortcommunityrules == 'on') {
if ($pkg_interface <> "console")
- update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file..."));
- error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file...\n"), 3, $snort_rules_upd_log);
+ update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file {$snort_community_rules_filename_md5}..."));
+ error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file '{$snort_community_rules_filename_md5}'...\n"), 3, $snort_rules_upd_log);
$rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}");
if ($rc === true) {
if ($pkg_interface <> "console")
@@ -320,9 +340,10 @@ if ($snortcommunityrules == 'on') {
/* download Snort GPLv2 Community rules file */
if ($snortcommunityrules == "on") {
if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading..."));
+ update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading {$snort_community_rules_filename} ..."));
log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading..."));
- error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tDownloading file '{$snort_community_rules_filename}'...\n"), 3, $snort_rules_upd_log);
$rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}");
/* Test for a valid rules file download. Turn off Snort Community update if download failed. */
@@ -398,15 +419,11 @@ if ($snortcommunityrules == 'on') {
if ($emergingthreats == 'on') {
if ($pkg_interface <> "console")
update_status(gettext("Downloading EmergingThreats md5 file..."));
- error_log(gettext("\tDownloading EmergingThreats md5 file...\n"), 3, $snort_rules_upd_log);
- /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */
- if ($vrt_enabled == "on")
- $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}");
- else
- $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}");
+ error_log(gettext("\tDownloading EmergingThreats md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log);
+ $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}");
if ($rc === true) {
if ($pkg_interface <> "console")
- update_status(gettext("Done downloading EmergingThreats md5"));
+ update_status(gettext("Done downloading EmergingThreats md5 file {$emergingthreats_filename_md5}"));
error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log);
if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") {
/* Check if were up to date emergingthreats.net */
@@ -436,15 +453,11 @@ if ($emergingthreats == 'on') {
/* download emergingthreats rules file */
if ($emergingthreats == "on") {
if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading..."));
+ update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading {$emergingthreats_filename}..."));
log_error(gettext("[Snort] There is a new set of EmergingThreats rules posted. Downloading..."));
- error_log(gettext("\tThere is a new set of EmergingThreats rules posted. Downloading...\n"), 3, $snort_rules_upd_log);
-
- /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */
- if ($vrt_enabled == "on")
- $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}");
- else
- $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}");
+ error_log(gettext("\tThere is a new set of EmergingThreats rules posted.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log);
+ $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}");
/* Test for a valid rules file download. Turn off ET update if download failed. */
if ($rc === true) {
@@ -562,10 +575,10 @@ if ($snortdownload == 'on') {
$nosorules = false;
if ($snort_arch == 'i386'){
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/");
- exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/* {$snortlibdir}/dynamicrules/");
+ exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
} elseif ($snort_arch == 'amd64') {
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/");
- exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/* {$snortlibdir}/dynamicrules/");
+ exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
} else
$nosorules = true;
exec("rm -r {$snortdir}/tmp/so_rules");
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index 371bbecd..2a6d47ff 100755
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -48,17 +48,17 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
}
$a_nat = &$config['installedpackages']['snortglobal']['rule'];
-/* NOTE: KEEP IN SYNC WITH SNORT.INC since global do not work quite well with package */
+/* NOTE: KEEP IN SYNC WITH SNORT.INC since globals do not work well with package */
/* define servers and ports snortdefservers */
$snort_servers = array (
-"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
-"www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET",
-"snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET",
-"pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET",
-"sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET",
-"dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET",
-"enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET",
-"aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
+ "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
+ "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET",
+ "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET",
+ "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET",
+ "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET",
+ "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET",
+ "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET",
+ "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
);
/* if user has defined a custom ssh port, use it */
@@ -67,21 +67,23 @@ if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])
else
$ssh_port = "22";
$snort_ports = array(
-"dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691",
-"http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433",
-"telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21",
-"ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
-"imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
-"sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79",
-"irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
-"nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
-"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", "GTP_PORTS" => "2123,2152,3386",
-"file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80",
-"sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
-"DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
-"DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
-"DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
-"DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502"
+ "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691",
+ "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555",
+ "oracle_ports" => "1024:", "mssql_ports" => "1433",
+ "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535",
+ "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
+ "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
+ "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79",
+ "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
+ "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
+ "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920",
+ "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80",
+ "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
+ "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
+ "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
+ "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
+ "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502",
+ "GTP_PORTS" => "2123,2152,3386"
);
$pconfig = $a_nat[$id];
@@ -220,7 +222,8 @@ if ($savemsg)
</tr>
<?php
foreach ($snort_ports as $key => $server):
- $server = substr($server, 0, 20);
+ if (strlen($server) > 40)
+ $server = substr($server, 0, 40) . "...";
$label = strtoupper($key);
$value = "";
if (!empty($pconfig["def_{$key}"]))
@@ -229,7 +232,7 @@ if ($savemsg)
<tr>
<td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td>
<td width="78%" class="vtable">
- <input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>"
+ <input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>"
value="<?=$value;?>"> <br/>
<span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/> <?php echo gettext("Leave " .
"blank for default value."); ?></span>
diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php
index 780a6e92..7eed6dd3 100644
--- a/config/snort/snort_interfaces_suppress.php
+++ b/config/snort/snort_interfaces_suppress.php
@@ -37,6 +37,8 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
if (!is_array($config['installedpackages']['snortglobal']['suppress']))
$config['installedpackages']['snortglobal']['suppress'] = array();
if (!is_array($config['installedpackages']['snortglobal']['suppress']['item']))
@@ -44,14 +46,41 @@ if (!is_array($config['installedpackages']['snortglobal']['suppress']['item']))
$a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item'];
$id_gen = count($config['installedpackages']['snortglobal']['suppress']['item']);
+
+function snort_suppresslist_used($supplist) {
+
+ /****************************************************************/
+ /* This function tests if the passed Suppress List is currently */
+ /* assigned to an interface. It returns TRUE if the list is */
+ /* in use. */
+ /* */
+ /* Returns: TRUE if list is in use, else FALSE */
+ /****************************************************************/
+
+ global $config;
+
+ $snortconf = $config['installedpackages']['snortglobal']['rule'];
+ if (empty($snortconf))
+ return false;
+ foreach ($snortconf as $value) {
+ if ($value['suppresslistname'] == $supplist)
+ return true;
+ }
+ return false;
+}
+
if ($_GET['act'] == "del") {
if ($a_suppress[$_GET['id']]) {
/* make sure rule is not being referenced by any nat or filter rules */
-
- unset($a_suppress[$_GET['id']]);
- write_config();
- header("Location: /snort/snort_interfaces_suppress.php");
- exit;
+ if (snort_suppresslist_used($a_suppress[$_GET['id']]['name'])) {
+ $input_errors[] = gettext("ERROR -- Suppress List is currently assigned to an interface and cannot be removed!");
+ }
+ else {
+ unset($a_suppress[$_GET['id']]);
+ write_config();
+ header("Location: /snort/snort_interfaces_suppress.php");
+ exit;
+ }
}
}
@@ -65,6 +94,10 @@ include_once("head.inc");
<?php
include_once("fbegin.inc");
if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}
+if ($input_errors) {
+ print_input_errors($input_errors);
+}
+
?>
<form action="/snort/snort_interfaces_suppress.php" method="post"><?php if ($savemsg) print_info_box($savemsg); ?>
@@ -107,12 +140,12 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}
<td valign="middle"><a
href="snort_interfaces_suppress_edit.php?id=<?=$i;?>"><img
src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif"
- width="17" height="17" border="0" title="<?php echo gettext("edit whitelist"); ?>"></a></td>
+ width="17" height="17" border="0" title="<?php echo gettext("edit Suppress List"); ?>"></a></td>
<td><a
href="/snort/snort_interfaces_suppress.php?act=del&id=<?=$i;?>"
- onclick="return confirm('<?php echo gettext("Do you really want to delete this whitelist? All elements that still use it will become invalid (e.g. snort rules will fall back to the default whitelist)!"); ?>')"><img
+ onclick="return confirm('<?php echo gettext("Do you really want to delete this Suppress List?"); ?>')"><img
src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif"
- width="17" height="17" border="0" title="<?php echo gettext("delete whitelist"); ?>"></a></td>
+ width="17" height="17" border="0" title="<?php echo gettext("delete Suppress List"); ?>"></a></td>
</tr>
</table>
</td>
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 3f88efaa..6c839846 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -109,6 +109,7 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc'];
$pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc'];
$pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc'];
+ $pconfig['ssh_preproc'] = $a_nat[$id]['ssh_preproc'];
$pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable'];
$pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules'];
$pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection'];
@@ -153,6 +154,8 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['sip_preproc'] = 'on';
if (empty($pconfig['other_preprocs']))
$pconfig['other_preprocs'] = 'on';
+ if (empty($pconfig['ssh_preproc']))
+ $pconfig['ssh_preproc'] = 'on';
if (empty($pconfig['http_inspect_memcap']))
$pconfig['http_inspect_memcap'] = "150994944";
if (empty($pconfig['frag3_overlap_limit']))
@@ -258,6 +261,7 @@ if ($_POST['ResetAll']) {
$pconfig['dnp3_preproc'] = "off";
$pconfig['modbus_preproc'] = "off";
$pconfig['gtp_preproc'] = "off";
+ $pconfig['ssh_preproc'] = "on";
$pconfig['preproc_auto_rule_disable'] = "off";
$pconfig['protect_preproc_rules'] = "off";
$pconfig['frag3_detection'] = "on";
@@ -334,6 +338,7 @@ elseif ($_POST['Submit']) {
$natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off';
$natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off';
$natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off';
+ $natent['ssh_preproc'] = $_POST['ssh_preproc'] ? 'on' : 'off';
$natent['preproc_auto_rule_disable'] = $_POST['preproc_auto_rule_disable'] ? 'on' : 'off';
$natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off';
$natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off';
@@ -1221,6 +1226,12 @@ include_once("head.inc");
<?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SSH Detection"); ?></td>
+ <td width="78%" class="vtable"><input name="ssh_preproc" type="checkbox" value="on"
+ <?php if ($pconfig['ssh_preproc']=="on") echo "checked"; ?>>
+ <?php echo gettext("The SSH preprocessor detects various Secure Shell exploit attempts."); ?></td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNS Detection"); ?></td>
<td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on"
<?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>>
@@ -1445,6 +1456,21 @@ function enable_change_all() {
document.iform.stream5_icmp_timeout.disabled=endis;
}
+function wopen(url, name, w, h)
+{
+// Fudge factors for window decoration space.
+// In my tests these work well on all platforms & browsers.
+ w += 32;
+ h += 96;
+ var win = window.open(url,
+ name,
+ 'width=' + w + ', height=' + h + ', ' +
+ 'location=no, menubar=no, ' +
+ 'status=no, toolbar=no, scrollbars=yes, resizable=yes');
+ win.resizeTo(w, h);
+ win.focus();
+}
+
// Set initial state of form controls
enable_change_all();
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index 7853b955..c9d90597 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -511,9 +511,9 @@ if ($savemsg) {
</tr>
<tr>
<td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=enable_all'>
- <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\"
- onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"'
- onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0'
+ <img src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" width=\"15\" height=\"15\"
+ onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\"'
+ onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_plus_mo.gif\"' border='0'
title='" . gettext("Click to enable all rules in the selected category") . "'></a>"?>
&nbsp;&nbsp;<?php echo gettext("Enable all rules in the current Category"); ?></td>
</tr>
@@ -559,7 +559,7 @@ if ($savemsg) {
<tbody>
<?php
- $counter = 0;
+ $counter = $enable_cnt = $disable_cnt = 0;
foreach ($rules_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
$sid = snort_get_sid($v['rule']);
@@ -568,19 +568,23 @@ if ($savemsg) {
$textss = "<span class=\"gray\">";
$textse = "</span>";
$iconb = "icon_reject_d.gif";
+ $disable_cnt++;
}
elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) {
$textss = "<span class=\"gray\">";
$textse = "</span>";
$iconb = "icon_block_d.gif";
+ $disable_cnt++;
}
elseif (isset($enablesid[$sid])) {
$textss = $textse = "";
$iconb = "icon_reject.gif";
+ $enable_cnt++;
}
else {
$textss = $textse = "";
$iconb = "icon_block.gif";
+ $enable_cnt++;
}
// Pick off the first section of the rule (prior to the start of the MSG field),
@@ -653,7 +657,12 @@ if ($savemsg) {
<td>
<table width="100%" border="0" cellspacing="0" cellpadding="1">
<tr>
- <td class="vexpl" colspan="2" height="30" valign="middle"><?php echo gettext("Rule Count: {$counter}"); ?></td>
+ <td width="16"></td>
+ <td class="vexpl" height="35" valign="top">
+ <strong><?php echo gettext("--- Category Rules Summary ---") . "</strong><br/>" .
+ gettext("Total Rules: {$counter}") . "&nbsp;&nbsp;&nbsp;&nbsp;" .
+ gettext("Enabled: {$enable_cnt}") . "&nbsp;&nbsp;&nbsp;&nbsp;" .
+ gettext("Disabled: {$disable_cnt}"); ?></td>
</tr>
<tr>
<td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif"