authorErmal <eri@pfsense.org>2012-07-22 14:30:38 +0000
committerErmal <eri@pfsense.org>2012-07-22 14:30:38 +0000
commitb5787668a4dbf9f22ffeb4a2ab9b39fec2a9184b (patch)
treeefc0755f92449e6305be5cc1b04eeb1213dd3002 /config/snort
parent43a1843df119d61e23a2026f3f7723461c83b043 (diff)
Keep a copy of the .so rules for each instance so that only the selected ones are enabled
Diffstat (limited to 'config/snort')
-rw-r--r--config/snort/snort.inc80
-rw-r--r--config/snort/snort_check_for_rule_updates.php13
-rw-r--r--config/snort/snort_preprocessors.php33
3 files changed, 105 insertions, 21 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index d29833a2..3e9a46da 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1002,9 +1002,9 @@ function snort_generate_conf($snortcfg) {
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
"{$snortcfgdir}/preproc_rules",
- "dynamicrules" => "/usr/local/lib/snort/dynamicrules",
+ "dynamicrules" => "{$snortcfgdir}/dynamicrules",
"dynamicengine" => "/usr/local/lib/snort/dynamicengine",
- "dynamicpreprocessor" => "/usr/local/lib/snort/dynamicpreprocessor"
+ "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
);
foreach ($snort_dirs as $dir) {
if (!is_dir($dir))
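Review bot: Making `dynamicpreprocessor` and `dynamicrules` per-instance directories means the copies that fill them later in this file (the preprocessor-library copy in the `$snort_preproc` loop and the `.so` rules copy in the rules section) are done only when the destination is missing, so a shared object copied once is never refreshed after the snort package or its rule set is upgraded; a stale library built against an older binary can then keep the instance from starting. Consider also replacing the copy when the system file is newer, e.g. `if (!file_exists($dst) || filemtime($src) > filemtime($dst))`. A short comment on the array explaining why these two directories are per-instance while `dynamicengine` stays global would help the next reader. snort_generate_conf continues outside the hunk.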
@@ -1079,6 +1079,15 @@ function snort_generate_conf($snortcfg) {
"DCERPC_BRIGHTSTORE" => "6503,6504"
);
+ $portvardef = "";
+ foreach ($snort_ports as $alias => $avalue) {
+ if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
+ $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]);
+ $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias]));
+ $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
+ }
+
+
/////////////////////////////
/* preprocessor code */
/* def perform_stat */
@@ -1170,6 +1179,24 @@ preprocessor ftp_telnet_protocol: ftp client default \
EOD;
+ $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']);
+ $pop_preproc = <<<EOD
+preprocessor pop: \
+ ports { {$pop_ports} } \
+ qp_decode_depth -1 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 100
+EOD;
+
+ $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']);
+ $imap_preproc = <<<EOD
+preprocessor imap: \
+ ports { {$imap_ports} } \
+ qp_decode_depth -1 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 100
+EOD;
+
$smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']);
/* def smtp_preprocessor */
$smtp_preprocessor = <<<EOD
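Review bot: The POP and IMAP heredocs interpolate `$snort_ports['pop3_ports']` and `$snort_ports['imap_ports']`, neither of which is visible in the port table this diff touches; if either key is absent the output is `ports { }` and snort rejects the generated config at startup, so confirm both entries exist in `$snort_ports` or guard the key before use. The decode depths (`qp_decode_depth -1`, `b64_decode_depth 0`, `bitenc_decode_depth 100`) look copied from the SMTP block with no explanation; if the -1/0 semantics from the snort manual apply here, a comment such as `/* decode depths: -1 disables, 0 is unlimited, otherwise max bytes */` would make the unlimited base64 setting, and its memory cost, a deliberate choice. snort_generate_conf continues outside the hunk.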
@@ -1238,6 +1265,13 @@ preprocessor dns: \
EOD;
+ $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']);
+ $ssl_preproc = <<<EOD
+# Ignore SSL and Encryption #
+preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted
+
+EOD;
+
$sensitive_data = "preprocessor sensitive_data:\n";
/* stream5 queued settings */
@@ -1268,25 +1302,36 @@ EOD;
$vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n";
}
- $portvardef = "";
- foreach ($snort_ports as $alias => $avalue) {
- if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
- $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]);
- $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias]));
- $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
- }
- $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']);
-
+ $snort_preproc_libs = array(
+ "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc",
+ "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc",
+ "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
+ "ssl_preproc" => "ssl_preproc"
+ );
$snort_preproc = array (
- "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor",
- "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data"
+ "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc",
+ "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc"
);
$snort_preprocessors = "";
foreach ($snort_preproc as $preproc) {
if ($snortcfg[$preproc] == 'on') {
/* NOTE: The $$ is not a bug. Its a advanced feature of php */
- $snort_preprocessors .= $$preproc;
- $snort_preprocessors .= "\n";
+ if (!empty($snort_preproc_libs[$preproc])) {
+ $preproclib = "libsf_" . $snort_preproc_libs[$preproc];
+ if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
+ if (file_exists("/usr/local/lib/dynamicpreprocessor/{$preproclib}.so")) {
+ @copy("/usr/local/lib/dynamicpreprocessor/{$preproclib}.so", $snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so");
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
+ } else {
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
+ } else {
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
}
}
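Review bot: The destination path on the line `if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so"))` and the `@copy` below it has no `/` between the directory and the file name — `$snort_dirs['dynamicpreprocessor']` is assigned without a trailing slash in the first hunk — so the existence check always fails and the copy writes `dynamicpreprocessorlibsf_*.so` beside the directory rather than into it. The copy source `/usr/local/lib/dynamicpreprocessor/` also lacks the `snort/` segment used by the `dynamicengine` path and by the dynamicrules copy later in this file; confirm which directory actually holds the libraries. When the source is missing the preprocessor block is silently dropped from the generated config although the user enabled it, and the three `else` branches repeat the same two lines. The structure below builds both paths once, logs a skipped preprocessor, and appends in one place; snort_generate_conf continues outside the hunk.
```php
foreach ($snort_preproc as $preproc) {
    if ($snortcfg[$preproc] != 'on')
        continue;
    if (!empty($snort_preproc_libs[$preproc])) {
        $preproclib = "libsf_" . $snort_preproc_libs[$preproc];
        $dst = "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so";
        /* NOTE(review): confirm the system library directory; the old
         * dynamicpreprocessor entry pointed at /usr/local/lib/snort/... */
        $src = "/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so";
        if (!file_exists($dst) && !@copy($src, $dst)) {
            log_error("Preprocessor library {$preproclib}.so not found, skipping {$preproc}");
            continue;
        }
    }
    /* NOTE: The $$ is not a bug. Its a advanced feature of php */
    $snort_preprocessors .= $$preproc;
    $snort_preprocessors .= "\n";
}
```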
@@ -1330,6 +1375,8 @@ EOD;
@copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}");
if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") {
$slib = substr($enabled_item, 6, -6);
+ if (!file_exists("{$snort_dirs['dynamicrules']}/{$slib}"))
+ @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}");
if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}") &&
file_exists("{$snortcfgdir}/rules/{$enabled_item}"))
$selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
@@ -1398,9 +1445,6 @@ preprocessor stream5_icmp:
{$snort_preprocessors}
-# Ignore SSL and Encryption #
-preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted
-
# Snort Output Logs #
output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
{$alertsystemlog_type}
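Review bot: Removing the unconditional `preprocessor ssl:` lines here makes the ssl preprocessor depend on `$snortcfg['ssl_preproc'] == 'on'`, which is unset for every instance configured before this change, so on upgrade existing sensors silently lose the `noinspect_encrypted` behaviour and start inspecting encrypted sessions in full until the admin revisits the preprocessor page. Unless a config upgrade step sets the key, consider defaulting a missing `ssl_preproc` to on in the `$snort_preproc` loop, e.g. `$state = isset($snortcfg[$preproc]) ? $snortcfg[$preproc] : ($preproc == 'ssl_preproc' ? 'on' : 'off');` — the defaults applied to new instances are not visible in this diff. snort_generate_conf continues outside the hunk.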
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 112682d2..6221b38f 100644
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -301,9 +301,16 @@ function snort_apply_customizations($snortcfg, $if_real) {
else {
update_status(gettext("Your set of configured rules are being copied..."));
log_error(gettext("Your set of configured rules are being copied..."));
- $files = explode("||", $snortcfg['rulesets']);
- foreach ($files as $file)
- @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}");
+ $enabled_rulesets_array = explode("||", $snortcfg['rulesets']);
+ foreach($enabled_rulesets_array as $enabled_item) {
+ @copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}");
+ if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") {
+ $slib = substr($enabled_item, 6, -6);
+ if (file_exists("/usr/local/lib/snort/dynamicrules/{$slib}"))
+ @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}");
+
+ }
+ }
@copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
@copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
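Review bot: The loop variable is now `$enabled_item`, but the copy on the line after `foreach($enabled_rulesets_array as $enabled_item) {` still uses `$file`, and its destination `$rule_dir` as well as `$snort_dirs` on the last `@copy` are not assigned anywhere in snort_apply_customizations as shown — both are locals of snort_generate_conf in snort.inc. With `@` suppressing the warnings, the rule files are no longer copied into the instance directory at all, a regression from the removed line, and the `.so` rules land in `/{$slib}`. Assign the instance directory once, as the surrounding classification/gen-msg copies do, and use it for both copies; if the instance `dynamicrules` directory is not guaranteed to exist at this point it must be created first. The function continues outside the hunk.
```php
$rule_dir = "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}";
$enabled_rulesets_array = explode("||", $snortcfg['rulesets']);
foreach ($enabled_rulesets_array as $enabled_item) {
    @copy("{$snortdir}/rules/{$enabled_item}", "{$rule_dir}/rules/{$enabled_item}");
    if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") {
        $slib = substr($enabled_item, 6, -6);
        /* NOTE(review): create {$rule_dir}/dynamicrules here if it is not
         * guaranteed to exist before the instance config is generated. */
        if (file_exists("/usr/local/lib/snort/dynamicrules/{$slib}"))
            @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$rule_dir}/dynamicrules/{$slib}");
    }
}
// … unchanged: classification.config and gen-msg.map copies …
```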
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index e38418e5..84313577 100644
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -66,6 +66,9 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
$pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
$pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data'];
+ $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc'];
+ $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc'];
+ $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc'];
}
if ($_POST) {
@@ -88,6 +91,9 @@ if ($_POST) {
$natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off';
$natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off';
$natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off';
+ $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off';
+ $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off';
+ $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off';
if (isset($id) && $a_nat[$id])
$a_nat[$id] = $natent;
@@ -265,6 +271,24 @@ include_once("head.inc");
<tr>
<td width="22%" valign="top" class="vncell">Enable <br>
SMTP Normalizer</td>
+ <td width="78%" class="vtable"><input name="pop_preproc"
+ type="checkbox" value="on"
+ <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"><br>
+ Normalize/Decode POP protocol for enforcement and buffer overflows.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>
+ SMTP Normalizer</td>
+ <td width="78%" class="vtable"><input name="imap_preproc"
+ type="checkbox" value="on"
+ <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"><br>
+ Normalize/Decode IMAP protocol for enforcement and buffer overflows.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>
+ SMTP Normalizer</td>
<td width="78%" class="vtable"><input name="smtp_preprocessor"
type="checkbox" value="on"
<?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?>
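Review bot: The label cell above the new `pop_preproc` checkbox is the original `SMTP Normalizer` context line, and the new row inserted before `imap_preproc` also reads `SMTP Normalizer`, so the page now shows three rows titled SMTP Normalizer of which only the last drives `smtp_preprocessor`. Change the context label to `POP Normalizer` and the new one to `IMAP Normalizer` so each title matches the input it toggles; the context change means the hunk has to start one row earlier.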
@@ -301,6 +325,15 @@ include_once("head.inc");
vulnerabilities.</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell">Enable <br> SSL Data</td>
+ <td width="78%" class="vtable">
+ <input name="ssl_preproc" type="checkbox" value="on"
+ <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"><br>
+ SSL data searches for irregularities during SSL protocol exchange
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell">Enable <br> Sensitive Data</td>
<td width="78%" class="vtable">
<input name="sensitive_data" type="checkbox" value="on"
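Review bot: The help text for `ssl_preproc` says it searches for irregularities, but the preprocessor line this checkbox toggles is emitted with `trustservers, noinspect_encrypted`, meaning a session is no longer inspected once the handshake completes; an admin needs that to decide whether to enable it. Suggest `SSL data searches for irregularities during the SSL handshake and stops inspecting a session once it is encrypted (trustservers, noinspect_encrypted).` as the description.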