authorChris Buechler <cmb@pfsense.org>2013-01-31 20:14:42 -0800
committerChris Buechler <cmb@pfsense.org>2013-01-31 20:14:42 -0800
commit409cfe40c38d90b42dc17794451806ba25bc9723 (patch)
treeb2f328df3bf34b0da220c9c22b3a82ee2ef582fd /config/snort
parent39427e8eb3e0956209f5dfef5edd3d854befad16 (diff)
parent459737cee3b9e740b0a7a18433daac2280119362 (diff)
downloadpfsense-packages-409cfe40c38d90b42dc17794451806ba25bc9723.tar.gz
pfsense-packages-409cfe40c38d90b42dc17794451806ba25bc9723.tar.bz2
pfsense-packages-409cfe40c38d90b42dc17794451806ba25bc9723.zip
Merge pull request #371 from bmeeks8/master
Add auto-rule disable feature based on disabled preprocessor dependencies
Diffstat (limited to 'config/snort')
-rwxr-xr-xconfig/snort/snort.inc69
-rwxr-xr-xconfig/snort/snort_preprocessors.php8
2 files changed, 72 insertions, 5 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 3571a215..24242bcd 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1452,8 +1452,10 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
if (!empty($disablesid)) {
foreach ($rule_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $disablesid) && $v['disabled'] == 0)
+ if (in_array($k2, $disablesid) && $v['disabled'] == 0) {
$rule_map[$k1][$k2]['rule'] = "# " . $v['rule'];
+ $rule_map[$k1][$k2]['disabled'] = 1;
+ }
}
}
}
@@ -1765,6 +1767,10 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Process any enablesid or disablesid modifications for the selected rules. */
snort_modify_sids($enabled_rules, $snortcfg);
+ /* Check for and disable any rules dependent upon disabled preprocessors. */
+ log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $enabled_rules);
+
/* Write the enforcing rules file to the Snort interface's "rules" directory. */
snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
unset($enabled_rules);
@@ -1794,6 +1800,67 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map");
}
+function snort_filter_preproc_rules($snortcfg, &$active_rules) {
+
+ /**************************************************/
+ /* This function checks the $active_rules array */
+ /* for rule options dependent upon preprocessors. */
+ /* Rules with rule options dependent upon any */
+ /* non-enabled preprocessors are disabled to */
+ /* start-up errors from unknown rule options. */
+ /* */
+ /* $snortcfg -> config parameters array for */
+ /* the interface */
+ /* $active_rules -> rules_map array of enabled */
+ /* rules for the interface */
+ /**************************************************/
+
+ global $config;
+
+ if (empty($active_rules))
+ return;
+
+ /***************************************************
+ * Construct an array of rule options with their *
+ * associated preprocessors. *
+ * *
+ * IMPORTANT -- Keep this part of the code current *
+ * with changes to preprocessor rule options in *
+ * Snort VRT rules. *
+ ***************************************************/
+ $rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc",
+ "dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2",
+ "dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data",
+ "sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc",
+ "sip_header;" => "sip_preproc", "sip_body;" => "sip_preproc",
+ "gtp_type:" => "gtp_preproc", "gtp_info:" => "gtp_preproc",
+ "gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc",
+ "modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc",
+ "dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc",
+ "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc");
+
+ /***************************************************
+ * Iterate the enabled rules, and check for rule *
+ * options that depend on disabled preprocessors. *
+ * Disable any of these preprocessor-dependent *
+ * rules we find. Once we find at least one *
+ * reason to disable the rule, stop further checks *
+ * and go to the next rule. *
+ ***************************************************/
+ foreach ($active_rules as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ foreach ($rule_opts_preprocs as $opt => $preproc) {
+ $pcre = "/\s*\b" . $opt . "/i";
+ if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) {
+ $active_rules[$k1][$k2]['rule'] = "# " . $v['rule'];
+ $active_rules[$k1][$k2]['disabled'] = 1;
+ break;
+ }
+ }
+ }
+ }
+}
+
function snort_generate_conf($snortcfg) {
global $config, $g;
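Review bot: The new inner loop in snort_filter_preproc_rules never consults the `disabled` flag that this same commit starts setting in snort_modify_sids, so a rule already commented out there still goes through every regex and, if one matches, receives a second `# ` prefix; a `if (!empty($v['disabled'])) continue;` at the top of the `$rulem` loop avoids both. The check `$snortcfg[$preproc] != 'on'` is evaluated once per rule per option and emits an undefined-index notice whenever a preprocessor key is missing from `$snortcfg`; collecting the options whose preprocessor is not `on` once, before the rules loop and behind `isset()`, removes both problems, and `preg_quote($opt, '/')` keeps the built pattern correct if an option containing regex metacharacters is ever added to the table. `global $config` is declared but never used in the function, and the `\s*` in front of `\b` is redundant. The header comment reads "are disabled to start-up errors"; it should read "are disabled to prevent start-up errors from unknown rule options."
```php
function snort_filter_preproc_rules($snortcfg, &$active_rules) {
	/* … unchanged: header comment, empty($active_rules) guard, $rule_opts_preprocs table … */

	/* Collect once the rule options whose preprocessor is not enabled. */
	$disabled_opts = array();
	foreach ($rule_opts_preprocs as $opt => $preproc) {
		if (!isset($snortcfg[$preproc]) || $snortcfg[$preproc] != 'on')
			$disabled_opts[] = preg_quote($opt, '/');
	}
	if (empty($disabled_opts))
		return;
	$pcre = "/\b(?:" . implode('|', $disabled_opts) . ")/i";

	foreach ($active_rules as $k1 => $rulem) {
		foreach ($rulem as $k2 => $v) {
			/* Already disabled (e.g. by snort_modify_sids): nothing to check. */
			if (!empty($v['disabled']))
				continue;
			if (preg_match($pcre, $v['rule'])) {
				$active_rules[$k1][$k2]['rule'] = "# " . $v['rule'];
				$active_rules[$k1][$k2]['disabled'] = 1;
			}
		}
	}
}
```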
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 89f1136c..83025929 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -187,10 +187,10 @@ include_once("head.inc");
<tr><td class="tabcont">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%"><span class="vexpl"><span class="red"><strong<?php echo gettext("Note:"); ?>>
- </strong></span><br>
- <?php echo gettext("Rules may be dependent on preprocessors! "); ?>
+ <td colspan="2" align="center" valign="middle">
+ <span class="red"><strong><?php echo gettext("NOTE"); ?></strong></span><br>
+ <?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?>
+ <?php echo gettext("dependent rules being automatically disabled."); ?><br>
<?php echo gettext("Defaults will be used when there is no user input."); ?><br></td>
</tr>
<tr>
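Review bot: The NOTE text on the added lines is assembled from two separate gettext() calls that split one sentence ("Disabling preprocessors may result in " / "dependent rules being automatically disabled."), which translators cannot reorder and which relies on the trailing space inside the first fragment. Use a single call for the whole sentence: `<?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in dependent rules being automatically disabled."); ?><br>`. The removed lines also carried a malformed `<strong<?php` tag, so the rewrite fixes the markup as well.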