Keep a copy of the so rules for each instance to enable only selected ones

3 files changed, 105 insertions, 21 deletions

diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index d29833a2..3e9a46da 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1002,9 +1002,9 @@ function snort_generate_conf($snortcfg) {
 		"{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
 		"{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", 
 		"{$snortcfgdir}/preproc_rules", 
-		"dynamicrules" => "/usr/local/lib/snort/dynamicrules",
+		"dynamicrules" => "{$snortcfgdir}/dynamicrules",
 		"dynamicengine" => "/usr/local/lib/snort/dynamicengine",
-		"dynamicpreprocessor" => "/usr/local/lib/snort/dynamicpreprocessor"
+		"dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
 	    );
 	foreach ($snort_dirs as $dir) {
 		if (!is_dir($dir))
@@ -1079,6 +1079,15 @@ function snort_generate_conf($snortcfg) {
 		"DCERPC_BRIGHTSTORE" => "6503,6504"
 	);
 
+	$portvardef = "";
+	foreach ($snort_ports as $alias => $avalue) {
+		if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
+			$snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]);
+			$snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias]));
+		$portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
+	}
+
+
 	/////////////////////////////
 	/* preprocessor code */
 	/* def perform_stat */
@@ -1170,6 +1179,24 @@ preprocessor ftp_telnet_protocol: ftp client default \
 	
 EOD;
 
+	$pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']);
+	$pop_preproc = <<<EOD
+preprocessor pop: \
+	ports { {$pop_ports} } \
+	qp_decode_depth -1 \
+	b64_decode_depth 0 \
+	bitenc_decode_depth 100
+EOD;
+
+	$imap_ports = str_replace(",", " ", $snort_ports['imap_ports']);
+	$imap_preproc = <<<EOD
+preprocessor imap: \
+	ports { {$imap_ports} } \
+	qp_decode_depth -1 \
+	b64_decode_depth 0 \
+	bitenc_decode_depth 100
+EOD;
+
 	$smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']);
 	/* def smtp_preprocessor */
 	$smtp_preprocessor = <<<EOD
@@ -1238,6 +1265,13 @@ preprocessor dns: \
 	
 EOD;
 
+	$def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']);
+	$ssl_preproc = <<<EOD
+# Ignore SSL and Encryption  #
+preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted
+
+EOD;
+
 	$sensitive_data = "preprocessor sensitive_data:\n";
 
 	/* stream5 queued settings */
@@ -1268,25 +1302,36 @@ EOD;
 		$vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n";
 	}
 
-	$portvardef = "";
-	foreach ($snort_ports as $alias => $avalue) {
-		if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
-			$snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]);
-			$snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias]));
-		$portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
-	}
-	$def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']);
-
+	$snort_preproc_libs = array(
+		"dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc",
+		"pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", 
+		"sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", 
+		"ssl_preproc" => "ssl_preproc"
+	);
 	$snort_preproc = array (
-		"perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", 
-		"sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data"
+		"perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc",
+		"sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc"
 	);
 	$snort_preprocessors = "";
 	foreach ($snort_preproc as $preproc) {
 		if ($snortcfg[$preproc] == 'on') {
 			/* NOTE: The $$ is not a bug. Its a advanced feature of php */
-			$snort_preprocessors .= $$preproc;
-			$snort_preprocessors .= "\n";
+			if (!empty($snort_preproc_libs[$preproc])) {
+				$preproclib = "libsf_" . $snort_preproc_libs[$preproc];
+				if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
+					if (file_exists("/usr/local/lib/dynamicpreprocessor/{$preproclib}.so")) {
+						@copy("/usr/local/lib/dynamicpreprocessor/{$preproclib}.so", $snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so");
+						$snort_preprocessors .= $$preproc;
+						$snort_preprocessors .= "\n";
+					}
+				} else {
+					$snort_preprocessors .= $$preproc;
+					$snort_preprocessors .= "\n";
+				}
+			} else {
+				$snort_preprocessors .= $$preproc;
+				$snort_preprocessors .= "\n";
+			}
 		}
 	}
 
@@ -1330,6 +1375,8 @@ EOD;
 				@copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}");
 			if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") {
 				$slib = substr($enabled_item, 6, -6);
+				if (!file_exists("{$snort_dirs['dynamicrules']}/{$slib}"))
+					@copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}");
 				if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}") && 
 				    file_exists("{$snortcfgdir}/rules/{$enabled_item}"))
 					$selected_rules_sections  .= "include \$RULE_PATH/{$enabled_item}\n";
@@ -1398,9 +1445,6 @@ preprocessor stream5_icmp:
 
 {$snort_preprocessors}
 
-# Ignore SSL and Encryption  #
-preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted
-
 # Snort Output Logs #
 output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
 {$alertsystemlog_type}
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 112682d2..6221b38f 100644
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -301,9 +301,16 @@ function snort_apply_customizations($snortcfg, $if_real) {
 	else {
 		update_status(gettext("Your set of configured rules are being copied..."));
 		log_error(gettext("Your set of configured rules are being copied..."));
-		$files = explode("||", $snortcfg['rulesets']);
-		foreach ($files as $file)
-			@copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}");
+		$enabled_rulesets_array = explode("||", $snortcfg['rulesets']);
+		foreach($enabled_rulesets_array as $enabled_item) {
+			@copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}");
+			if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") {
+				$slib = substr($enabled_item, 6, -6);
+				if (file_exists("/usr/local/lib/snort/dynamicrules/{$slib}"))
+					@copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}");
+			
+			}
+		}
 
 		@copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
 		@copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index e38418e5..84313577 100644
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -66,6 +66,9 @@ if (isset($id) && $a_nat[$id]) {
 	$pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
 	$pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
 	$pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data'];
+	$pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc'];
+	$pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc'];
+	$pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc'];
 }
 
 if ($_POST) {
@@ -88,6 +91,9 @@ if ($_POST) {
 		$natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off';
 		$natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off';
 		$natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off';
+		$natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off';
+		$natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off';
+		$natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off';
 
 		if (isset($id) && $a_nat[$id])
 			$a_nat[$id] = $natent;
@@ -265,6 +271,24 @@ include_once("head.inc");
 	<tr>
 		<td width="22%" valign="top" class="vncell">Enable <br>
 		SMTP Normalizer</td>
+		<td width="78%" class="vtable"><input name="pop_preproc"
+			type="checkbox" value="on"
+			<?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>
+			onClick="enable_change(false)"><br>
+		Normalize/Decode POP protocol for enforcement and buffer overflows.</td>
+	</tr>
+	<tr>
+		<td width="22%" valign="top" class="vncell">Enable <br>
+		SMTP Normalizer</td>
+		<td width="78%" class="vtable"><input name="imap_preproc"
+			type="checkbox" value="on"
+			<?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?>
+			onClick="enable_change(false)"><br>
+		Normalize/Decode IMAP protocol for enforcement and buffer overflows.</td>
+	</tr>
+	<tr>
+		<td width="22%" valign="top" class="vncell">Enable <br>
+		SMTP Normalizer</td>
 		<td width="78%" class="vtable"><input name="smtp_preprocessor"
 			type="checkbox" value="on"
 			<?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?>
@@ -301,6 +325,15 @@ include_once("head.inc");
 		vulnerabilities.</td>
 	</tr>
 	<tr>
+		<td width="22%" valign="top" class="vncell">Enable <br> SSL Data</td>
+		<td width="78%" class="vtable">
+			<input name="ssl_preproc" type="checkbox" value="on"
+			<?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>
+			onClick="enable_change(false)"><br>
+		SSL data searches for irregularities during SSL protocol exchange
+		</td>
+	</tr>
+	<tr>
 		<td width="22%" valign="top" class="vncell">Enable <br> Sensitive Data</td>
 		<td width="78%" class="vtable">
 			<input name="sensitive_data" type="checkbox" value="on"