author | Chris Buechler <cmb@pfsense.org> | 2013-01-31 20:14:42 -0800 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2013-01-31 20:14:42 -0800 |
commit | 409cfe40c38d90b42dc17794451806ba25bc9723 (patch) | |
tree | b2f328df3bf34b0da220c9c22b3a82ee2ef582fd /config/snort | |
parent | 39427e8eb3e0956209f5dfef5edd3d854befad16 (diff) | |
parent | 459737cee3b9e740b0a7a18433daac2280119362 (diff) | |
Merge pull request #371 from bmeeks8/master
Add auto-rule disable feature based on disabled preprocessor dependencies
Diffstat (limited to 'config/snort')
-rwxr-xr-x | config/snort/snort.inc | 69 | ||||
-rwxr-xr-x | config/snort/snort_preprocessors.php | 8 |
2 files changed, 72 insertions, 5 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 3571a215..24242bcd 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1452,8 +1452,10 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
 if (!empty($disablesid)) {
 foreach ($rule_map as $k1 => $rulem) {
 foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $disablesid) && $v['disabled'] == 0)
+ if (in_array($k2, $disablesid) && $v['disabled'] == 0) {
 $rule_map[$k1][$k2]['rule'] = "# " . $v['rule'];
+ $rule_map[$k1][$k2]['disabled'] = 1;
+ }
 }
 }
 }
@@ -1765,6 +1767,10 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
 /* Process any enablesid or disablesid modifications for the selected rules. */
 snort_modify_sids($enabled_rules, $snortcfg);
+ /* Check for and disable any rules dependent upon disabled preprocessors. */
+ log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $enabled_rules);
+ /* Write the enforcing rules file to the Snort interface's "rules" directory. */
 snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
 unset($enabled_rules);
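Review bot: The `log_error` call added before `snort_filter_preproc_rules` records only that the check ran, not its outcome, so when a rule later disappears from the enforcing rules file an operator has no log entry naming the rule or the preprocessor that caused it. Since `snort_filter_preproc_rules` (defined in the next hunk) already knows the rule key `$k2` and the matched `$preproc` at the point it disables a rule, consider having it return the number (or list) of rules it disabled and logging that here, e.g. `$count = snort_filter_preproc_rules($snortcfg, $enabled_rules);` followed by `log_error("Disabled {$count} rules dependent upon disabled preprocessors for " . snort_get_friendly_interface($snortcfg['interface']));`. As written the message is emitted on every run even when nothing was disabled. snort_prepare_rule_files starts before this hunk and continues after it.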
@@ -1794,6 +1800,67 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
 snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map");
 }
+function snort_filter_preproc_rules($snortcfg, &$active_rules) {
+
+ /**************************************************/
+ /* This function checks the $active_rules array */
+ /* for rule options dependent upon preprocessors. */
+ /* Rules with rule options dependent upon any */
+ /* non-enabled preprocessors are disabled to */
+ /* start-up errors from unknown rule options. */
+ /* */
+ /* $snortcfg -> config parameters array for */
+ /* the interface */
+ /* $active_rules -> rules_map array of enabled */
+ /* rules for the interface */
+ /**************************************************/
+
+ global $config;
+
+ if (empty($active_rules))
+ return;
+
+ /***************************************************
+ * Construct an array of rule options with their *
+ * associated preprocessors. *
+ * *
+ * IMPORTANT -- Keep this part of the code current *
+ * with changes to preprocessor rule options in *
+ * Snort VRT rules. *
+ ***************************************************/
+ $rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc",
+ "dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2",
+ "dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data",
+ "sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc",
+ "sip_header;" => "sip_preproc", "sip_body;" => "sip_preproc",
+ "gtp_type:" => "gtp_preproc", "gtp_info:" => "gtp_preproc",
+ "gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc",
+ "modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc",
+ "dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc",
+ "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc");
+
+ /***************************************************
+ * Iterate the enabled rules, and check for rule *
+ * options that depend on disabled preprocessors. *
+ * Disable any of these preprocessor-dependent *
+ * rules we find. Once we find at least one *
+ * reason to disable the rule, stop further checks *
+ * and go to the next rule. *
+ ***************************************************/
+ foreach ($active_rules as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ foreach ($rule_opts_preprocs as $opt => $preproc) {
+ $pcre = "/\s*\b" . $opt . "/i";
+ if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) {
+ $active_rules[$k1][$k2]['rule'] = "# " . $v['rule'];
+ $active_rules[$k1][$k2]['disabled'] = 1;
+ break;
+ }
+ }
+ }
+ }
+}
+
 function snort_generate_conf($snortcfg) {
 global $config, $g;
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 89f1136c..83025929 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
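Review bot: The `$k2` loop in `snort_filter_preproc_rules` re-prefixes rules that `snort_modify_sids` has already commented out, because nothing skips entries whose `disabled` flag is set (the flag this same commit starts setting in snort_modify_sids); such a rule that also carries a preprocessor option ends up stored as `# # alert ...`, still a comment to Snort but a corrupted rule text, and it costs a regex pass per option for nothing — add `if ($v['disabled'] == 1) continue;` at the top of that loop. The pattern `"/\s*\b" . $opt . "/i"` inserts the option name unquoted and is not confined to the rule's option section, so the same keyword appearing inside a `msg:` or `content:` string disables the rule too; at minimum build it as `"/\b" . preg_quote($opt, '/') . "/i"` (the leading `\s*` matches the empty string and adds nothing). `$snortcfg[$preproc] != 'on'` raises an undefined-index notice for interface configs that predate a preprocessor option and, if an unset key is treated as "enabled" elsewhere in the package, silently disables rules that would otherwise load; `(!isset($snortcfg[$preproc]) || $snortcfg[$preproc] != 'on')` keeps the current decision without the notice. The `global $config;` declaration is never used in the function body and can be dropped.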
@@ -187,10 +187,10 @@ include_once("head.inc");
 <tr><td class="tabcont">
 <table width="100%" border="0" cellpadding="6" cellspacing="0">
 <tr>
- <td width="22%" valign="top"> </td>
- <td width="78%"><span class="vexpl"><span class="red"><strong<?php echo gettext("Note:"); ?>>
- </strong></span><br>
- <?php echo gettext("Rules may be dependent on preprocessors! "); ?>
+ <td colspan="2" align="center" valign="middle">
+ <span class="red"><strong><?php echo gettext("NOTE"); ?></strong></span><br>
+ <?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?>
+ <?php echo gettext("dependent rules being automatically disabled."); ?><br>
 <?php echo gettext("Defaults will be used when there is no user input."); ?><br></td>
 </tr>
 <tr> |
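Review bot: The new note text is split across two `gettext()` calls in the middle of a sentence (`"... may result in "` and `"dependent rules being automatically disabled."`), so translators receive two fragments that cannot be reordered or translated as a unit. Keep the sentence in a single call: `<?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in dependent rules being automatically disabled."); ?><br>`.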