author | Ermal <eri@pfsense.org> | 2012-01-25 23:12:11 +0000 |
committer | Ermal <eri@pfsense.org> | 2012-01-25 23:12:11 +0000 |
commit | e4c13a5752c5f7b4947edbc4227b005cd333566d (patch) | |
tree | b9c732034f918878790751ef9dd0344110101a4e /config/snort | |
parent | 3284c26553ab086cd8730e37c4f419d1b38acab0 (diff) | |
Expose the new options of spoink to the GUI
Improve spoink code a lot:
- Allow to block by src/dst/both on the packet that generated alert. Default to src to keep backward compatibility
- Speedup whitelist search
- Create an option that allows to kill states on pf for blocked hosts. This allows to remove all access to the blocked host.
TODO:
- More fine grained blocking options?
- Make whitelist parsing less brittle and IPv6 compatible
Diffstat (limited to 'config/snort')
-rw-r--r-- | config/snort/snort.inc | 6 | ||||
-rw-r--r-- | config/snort/snort_interfaces_edit.php | 46 |
2 files changed, 48 insertions, 4 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 98d7ebfa..6aef1eed 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1383,7 +1383,11 @@ function generate_snort_conf($id, $if_real, $snort_uuid)
 else if (file_exists("/usr/local/etc/snort/whitelist/{$snortcfg['whitelistname']}"))
 $spoink_whitelist_name = $snortcfg['whitelistname'];
- $spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/{$spoink_whitelist_name},snort2c";
+ $pfkill = "";
+ if ($snortcfg['blockoffenderskill'] == "on")
+ $pfkill = "kill";
+
+ $spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/{$spoink_whitelist_name},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}";
 }
 /* define threshold file */
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index 3b4ae8b4..90f48a4b 100644
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -128,6 +128,8 @@ if (isset($id) && $a_nat[$id]) {
 $pconfig['descr'] = $a_nat[$id]['descr'];
 $pconfig['performance'] = $a_nat[$id]['performance'];
 $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7'];
+ $pconfig['blockoffenderskill'] = $a_nat[$id]['blockoffenderskill'];
+ $pconfig['blockoffendersip'] = $a_nat[$id]['blockoffendersip'];
 $pconfig['whitelistname'] = $a_nat[$id]['whitelistname'];
 $pconfig['homelistname'] = $a_nat[$id]['homelistname'];
 $pconfig['externallistname'] = $a_nat[$id]['externallistname'];
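Review bot: The new `output alert_pf:` line at the end of the first hunk interpolates `$snortcfg['blockoffendersip']` without any check, so an interface saved before this commit (where that key does not exist yet) emits `,snort2c,,` and the "default to src" promised in the commit message is left to the plugin rather than done here; any unexpected stored value would also land verbatim in snort.conf. Normalise it before building the line: `$blockip = in_array($snortcfg['blockoffendersip'], array("src", "dst", "both")) ? $snortcfg['blockoffendersip'] : "src";` and use `{$blockip}` in the string. Whether alert_pf tolerates the empty trailing field when `$pfkill` is "" is not visible here and is worth confirming against the plugin's argument parser. generate_snort_conf starts and ends outside this hunk.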
@@ -204,6 +206,11 @@ if (isset($_GET['dup']))
 $natent['blockoffenders7'] = 'on';
 else
 $natent['blockoffenders7'] = 'off';
+ if ($_POST['blockoffenderskill'] == "on")
+ $natent['blockoffenderskill'] = 'on';
+ if ($_POST['blockoffendersip'])
+ $natent['blockoffendersip'] = $_POST['blockoffendersip'];
+
 $natent['whitelistname'] = $_POST['whitelistname'] ? $_POST['whitelistname'] : $pconfig['whitelistname'];
 $natent['homelistname'] = $_POST['homelistname'] ? $_POST['homelistname'] : $pconfig['homelistname'];
 $natent['externallistname'] = $_POST['externallistname'] ? $_POST['externallistname'] : $pconfig['externallistname'];
@@ -340,6 +347,12 @@ enable JavaScript to view this content</strong></div>
 <script language="JavaScript">
 <!--
+function enable_blockoffenders() {
+ var endis = !(document.iform.blockoffenders7.checked);
+ document.iform.blockoffenderskill.disabled=endis;
+ document.iform.blockoffendersip.disabled=endis;
+}
+
 function enable_change(enable_change) {
 endis = !(document.iform.enable.checked || enable_change);
 // make shure a default answer is called if this is envoked.
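Review bot: `$natent['blockoffendersip'] = $_POST['blockoffendersip'];` in the middle of the first hunk stores the submitted value without checking that it is one of src, dst or both, and the same value is later written straight into snort.conf by generate_snort_conf, so the only thing standing between a form submission and the generated config is the select box. Validate it in the input-error pass this page presumably already runs for its other fields, e.g. `if (!in_array($_POST['blockoffendersip'], array("src", "dst", "both"), true)) $input_errors[] = "Invalid value for 'Which ip to block'.";`. Unlike `blockoffenders7` just above it, `blockoffenderskill` is only ever set to 'on' and never explicitly cleared to 'off'; mirroring the existing on/off pattern keeps the saved entry unambiguous. The enclosing POST handler starts and ends outside this hunk.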
@@ -562,14 +575,40 @@ function enable_change(enable_change) { </tr> <tr> <td width="22%" valign="top" class="vncell2">Block offenders</td> - <td width="78%" class="vtable"><input name="blockoffenders7" - type="checkbox" value="on" + <td width="78%" class="vtable"> + <input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on" <?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?> - onClick="enable_change(false)"><br> + onClick="enable_blockoffenders()"><br> Checking this option will automatically block hosts that generate a Snort alert.</td> </tr> <tr> + <td width="22%" valign="top" class="vncell2">Kill states</td> + <td width="78%" class="vtable"> + <input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>> + <br/>Should firewall states be killed for the blocked ip + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell2">Which ip to block</td> + <td width="78%" class="vtable"> + <select name="blockoffendersip" class="formfld" id="blockoffendersip"> + <?php + foreach (array("src", "dst", "both") as $btype) { + if ($value['snortlisttype'] == 'whitelist') { + if ($btype == $pconfig['blockoffendersip']) + echo "<option value='{$btype}' selected>"; + else + echo "<option value='{$btype}'>"; + echo htmlspecialchars($btype) . '</option>'; + } + } + ?> + </select> + <br/> Which ip extracted from the packet you want to block + </td> + </tr> + <tr> <td width="22%" valign="top" class="vncell2">Whitelist</td> <td width="78%" class="vtable"> <select name="whitelistname" class="formfld" id="whitelistname"> @@ -687,6 +726,7 @@ function enable_change(enable_change) { <script language="JavaScript"> <!-- enable_change(false); +enable_blockoffenders(); //--> </script> |
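Review bot: The src/dst/both loop in the new "Which ip to block" select gates every `<option>` on `$value['snortlisttype'] == 'whitelist'`, but `$value` is not assigned anywhere in this hunk — it looks copied from the whitelist select loop that follows — so options are rendered only if some earlier loop happened to leave a matching `$value` behind, and otherwise the select is empty and nothing is posted for the field. Drop the condition: `foreach (array("src", "dst", "both") as $btype) {` / `$sel = ($btype == $pconfig['blockoffendersip']) ? " selected" : "";` / `echo "<option value='{$btype}'{$sel}>" . htmlspecialchars($btype) . '</option>';`. With no stored value nothing is marked selected and the browser falls back to the first option, src, which matches the default described in the commit message. The form this hunk edits starts and ends outside the hunk; the final hunk on this line, the added `enable_blockoffenders();` call, needs no change.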