-rw-r--r-- | packages/snort/snort.inc | 182 |
1 files changed, 101 insertions, 81 deletions
diff --git a/packages/snort/snort.inc b/packages/snort/snort.inc
index 159866c6..ec4bf8e5 100644
--- a/packages/snort/snort.inc
+++ b/packages/snort/snort.inc
@@ -4,6 +4,17 @@ function sync_package_snort() {
 global $config, $g;
 exec("mkdir -p /usr/local/etc/snort");
 exec("mkdir -p /var/log/snort");
+ exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config");
+ exec("cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map");
+ exec("cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators");
+ exec("cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config");
+ exec("cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map");
+ exec("cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid");
+ exec("cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
+ exec("cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("rm -f /usr/local/etc/rc.d/snort");
+ $first = 0;
 /* if list */
 $iflist = array("lan" => "LAN");
@@ -25,7 +36,7 @@ function sync_package_snort() {
 $first = 1;
 }
 }
- $start = "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort " . $ifaces_final . " -D";
+ $start = "/bin/mkdir -p /var/log/snort;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort " . $ifaces_final . " -D";
 $start .= ";snort2c -s -w /var/db/whitelist -a /var/log/snort/alert";
 write_rcfile(array(
 "file" => "snort.sh",
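Review bot: The sample-file seeding added at the top of sync_package_snort() copies unicode.map twice (the first `/bin/cp` line and the last `cp` line are the same operation) and overwrites every target unconditionally, so local edits to threshold.conf or sid-msg.map are lost on each package sync; none of the nine exec() calls checks its return status either, so a failed copy leaves snort to start against a missing classification.config with nothing logged. Driving the copies from a list, skipping targets that already exist, and logging a non-zero status keeps the intent while fixing all three; if reinstalling the defaults on every sync is intended, keep the loop but drop the file_exists() guard. The bare `cp` also relies on PATH where the first line uses `/bin/cp`; the rewrite below uses the absolute path throughout.
```php
function sync_package_snort() {
	// … unchanged: global and mkdir calls …
	/* seed the runtime config files from the shipped -sample copies */
	$sample_files = array("unicode.map", "classification.config", "gen-msg.map",
	    "generators", "reference.config", "sid-msg.map", "sid", "threshold.conf");
	foreach ($sample_files as $name) {
		$dst = "/usr/local/etc/snort/{$name}";
		/* do not clobber a file the administrator has already tuned */
		if (file_exists($dst))
			continue;
		exec("/bin/cp {$dst}-sample {$dst}", $out, $rc);
		if ($rc != 0)
			syslog(LOG_ERR, "snort: failed to install {$dst} from its -sample copy");
	}
	exec("rm -f /usr/local/etc/rc.d/snort");
	// … unchanged: interface list and rc file generation …
```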
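Review bot: The command line written into snort.sh launches the daemon as root for its whole lifetime — there is no `-u`/`-g` on the `snort -c … -D` line — so the packet-parsing preprocessors enabled later in this file run with full privileges on the firewall; snort can drop to an unprivileged account after opening the interfaces, so if the package provides or can create such an account, pass `-u <snort-user> -g <snort-group>` (placeholders) here. `$ifaces_final` is also interpolated unquoted into a shell script; it is assembled outside this hunk, and if its components come from the user-editable interface_array, each should pass through escapeshellarg() before being concatenated. The leading `/bin/mkdir -p /var/log/snort;` duplicates the mkdir done at sync time a few lines above, which is reasonable for the boot path but worth a comment saying so; `snort` itself is resolved via PATH while mkdir is absolute, which is inconsistent for an rc script.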
@@ -46,12 +57,20 @@ function sync_package_snort() {
 }
 function generate_snort_conf() {
- global $config, $g;
+ global $config, $g, $config;
+
+ /* obtain external interface */
+ $snort_ext_int = $config['installedpackages']['snort']['config'][0]['interface_array'][0];
+
+ /* calculate lan subnet information */
+ $ifcfg = &$config['interfaces']['lan'];
+ $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']);
+ $subnetmask = gen_subnet_mask($ifcfg['subnet']);
 /* XXX: set SSH port from config variable */
 $ssh_port = "22";
- /* XXX: generate home net */
- $home_net = "";
+ $home_net = "{$subnet}/{$ifcfg['subnet']}";
+ /* XXX: add home net for all interfaces */
 /* XXX: generate rule section */
 $selected_rules_sections = "";
@@ -60,20 +79,23 @@ function generate_snort_conf() {
 var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
 var HTTP_PORTS 80
-var SHELLCODE_PORTS !$HTTP_PORTS
+var SHELLCODE_PORTS !\$HTTP_PORTS
 var ORACLE_PORTS 1521
 var HOME_NET {$home_net}
-var TELNET_SERVERS $HOME_NET
-var SQL_SERVERS $HOME_NET
-var HTTP_SERVERS $HOME_NET
-var SMTP_SERVERS $HOME_NET
-var DNS_SERVERS $HOME_NET
-var RULE_PATH .
-var EXTERNAL_NET !$HOME_NET
+var TELNET_SERVERS \$HOME_NET
+var SQL_SERVERS \$HOME_NET
+var HTTP_SERVERS \$HOME_NET
+var SMTP_SERVERS \$HOME_NET
+var DNS_SERVERS \$HOME_NET
+var EXTERNAL_NET !\$HOME_NET
 var SSH_PORTS {$ssh_port}
+var RULE_PATH /usr/local/etc/snort/rules
+
+# Use lower memory models
+config detection: search-method lowmem
 #Output plugins
-output database: alert
+#output database: alert
 output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
 #Flow and stream
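Review bot: `global $config, $g, $config;` lists `$config` twice; the original `global $config, $g;` was already correct and should be restored. `$snort_ext_int` and `$subnetmask` are assigned but never read within this hunk (generate_snort_conf() continues past it), and `$config['installedpackages']['snort']['config'][0]['interface_array'][0]` is dereferenced without an isset() check, so an unconfigured package raises a notice here. `$home_net` is built from `$ifcfg['ipaddr']` and `$ifcfg['subnet']` with no validation; if either is empty the generated file contains `var HOME_NET /` (and `var EXTERNAL_NET !$HOME_NET` derived from it), which snort rejects at startup — guard it before the heredoc is written, e.g. `if (empty($ifcfg['ipaddr']) || empty($ifcfg['subnet'])) return;`, or fall back to the previous empty default with a logged warning.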
@@ -84,7 +106,7 @@ preprocessor stream4: disable_evasion_alerts,detect_scans
 preprocessor stream4_reassemble: both, ports all
 #XLink2State mini proc
-preprocessor xlink2state: ports { 25 691 }
+#preprocessor xlink2state: ports { 25 691 }
 #HTTP Inspect
 preprocessor http_inspect: global iis_unicode_map unicode.map 1252
@@ -120,7 +142,7 @@ preprocessor flow-portscan: \
 talker-sliding-window 20 \
 talker-fixed-window 30 \
 scoreboard-rows-talker 30000 \
- server-watchnet $HOME_NET \
+ server-watchnet \$HOME_NET \
 server-ignore-limit 200 \
 server-rows 65535 \
 server-learning-time 14400 \
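Review bot: The xlink2state preprocessor is disabled by commenting out its line with no record of why, so a later maintainer cannot tell whether this was a workaround for a snort problem or a deliberate reduction in SMTP coverage. Add a comment line above it, e.g. `# xlink2state disabled: <reason>` (placeholder), or remove the line outright if it is not coming back. The `\$HOME_NET` escape in the flow-portscan hunk below is correct and matches the earlier var block.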
@@ -147,107 +169,105 @@ include reference.config
 # XXX: axe below, use $selected_rules_sections
 #General
-include $RULE_PATH/bleeding.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
+#include \$RULE_PATH/bleeding.rules
+include \$RULE_PATH/ftp.rules
+include \$RULE_PATH/telnet.rules
+include \$RULE_PATH/dns.rules
+include \$RULE_PATH/tftp.rules
+include \$RULE_PATH/x11.rules
+include \$RULE_PATH/misc.rules
+include \$RULE_PATH/nntp.rules
+include \$RULE_PATH/other-ids.rules
 # include $RULE_PATH/shellcode.rules
-include $RULE_PATH/community-ftp.rules
-include $RULE_PATH/community-misc.rules
+#include \$RULE_PATH/community-ftp.rules
+#include \$RULE_PATH/community-misc.rules
 #Mostly Spyware
-include $RULE_PATH/bleeding-malware.rules
+#include \$RULE_PATH/bleeding-malware.rules
 #Network issues
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/snmp.rules
+include \$RULE_PATH/bad-traffic.rules
+include \$RULE_PATH/snmp.rules
 #Exploits and direct attacks
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/bleeding-exploit.rules
-include $RULE_PATH/community-exploit.rules
+include \$RULE_PATH/exploit.rules
 #Scans and recon
-include $RULE_PATH/scan.rules
-include $RULE_PATH/bleeding-scan.rules
+include \$RULE_PATH/scan.rules
+#include \$RULE_PATH/bleeding-scan.rules
 #Unusual stuff
-include $RULE_PATH/finger.rules
+include \$RULE_PATH/finger.rules
 #R-services, etc
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
+include \$RULE_PATH/rpc.rules
+include \$RULE_PATH/rservices.rules
 #DOS
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/bleeding-dos.rules
+include \$RULE_PATH/dos.rules
+include \$RULE_PATH/ddos.rules
+#include \$RULE_PATH/bleeding-dos.rules
 #Web issues
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-include $RULE_PATH/web-attacks.rules
-include $RULE_PATH/bleeding-web.rules
-include $RULE_PATH/community-web-cgi.rules
-include $RULE_PATH/community-web-client.rules
-include $RULE_PATH/community-web-dos.rules
-include $RULE_PATH/community-web-misc.rules
+include \$RULE_PATH/web-cgi.rules
+include \$RULE_PATH/web-coldfusion.rules
+include \$RULE_PATH/web-iis.rules
+include \$RULE_PATH/web-frontpage.rules
+include \$RULE_PATH/web-misc.rules
+include \$RULE_PATH/web-client.rules
+include \$RULE_PATH/web-php.rules
+include \$RULE_PATH/web-attacks.rules
+#include \$RULE_PATH/bleeding-web.rules
+#include \$RULE_PATH/community-web-cgi.rules
+#include \$RULE_PATH/community-web-client.rules
+#include \$RULE_PATH/community-web-dos.rules
+#include \$RULE_PATH/community-web-misc.rules
 #SQL and DB sigs
-include $RULE_PATH/sql.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/community-sql-injection.rules
+include \$RULE_PATH/sql.rules
+include \$RULE_PATH/oracle.rules
+include \$RULE_PATH/mysql.rules
+#include \$RULE_PATH/community-sql-injection.rules
 #Informational stuff
 #include $RULE_PATH/icmp.rules
-include $RULE_PATH/info.rules
+include \$RULE_PATH/info.rules
 # include $RULE_PATH/icmp-info.rules
 #Windows stuff
-include $RULE_PATH/netbios.rules
+include \$RULE_PATH/netbios.rules
 #Compromise responses
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/bleeding-attack_response.rules
+include \$RULE_PATH/attack-responses.rules
+#include \$RULE_PATH/bleeding-attack_response.rules
 #Mail sigs
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-include $RULE_PATH/community-mail-client.rules
+include \$RULE_PATH/smtp.rules
+include \$RULE_PATH/imap.rules
+include \$RULE_PATH/pop2.rules
+include \$RULE_PATH/pop3.rules
+#include \$RULE_PATH/community-mail-client.rules
 #Trojans, Viruses, and spyware
-include $RULE_PATH/backdoor.rules
-include $RULE_PATH/virus.rules
-include $RULE_PATH/bleeding-virus.rules
-include $RULE_PATH/community-virus.rules
+include \$RULE_PATH/backdoor.rules
+include \$RULE_PATH/virus.rules
+#include \$RULE_PATH/bleeding-virus.rules
+#include \$RULE_PATH/community-virus.rules
 #Policy Sigs
-include $RULE_PATH/policy.rules
-include $RULE_PATH/porn.rules
-include $RULE_PATH/chat.rules
-include $RULE_PATH/p2p.rules
-include $RULE_PATH/multimedia.rules
-include $RULE_PATH/bleeding-policy.rules
-include $RULE_PATH/bleeding-p2p.rules
-include $RULE_PATH/bleeding-inappropriate.rules
-include $RULE_PATH/community-game.rules
-include $RULE_PATH/community-inappropriate.rules
+include \$RULE_PATH/policy.rules
+include \$RULE_PATH/porn.rules
+include \$RULE_PATH/chat.rules
+include \$RULE_PATH/p2p.rules
+include \$RULE_PATH/multimedia.rules
+#include \$RULE_PATH/bleeding-policy.rules
+#include \$RULE_PATH/bleeding-p2p.rules
+#include \$RULE_PATH/bleeding-inappropriate.rules
+#include \$RULE_PATH/community-game.rules
+#include \$RULE_PATH/community-inappropriate.rules
 #Experimental
-include $RULE_PATH/experimental.rules
+include \$RULE_PATH/experimental.rules
 EOD; |
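Review bot: Three context lines in this hunk are still unescaped inside the PHP heredoc — `# include $RULE_PATH/shellcode.rules`, `#include $RULE_PATH/icmp.rules` and `# include $RULE_PATH/icmp-info.rules` — so PHP interpolates the undefined `$RULE_PATH` there (a notice under error reporting) and emits `# include /shellcode.rules`; snort ignores commented lines, but escape them the same way as the rest of the block: `# include \$RULE_PATH/shellcode.rules`. Likewise `# XXX: axe below, use $selected_rules_sections` interpolates the (empty) PHP variable instead of naming it, so the note reads `# XXX: axe below, use ` in the generated file. Separately, the bleeding-* and community-* sets are now switched off wholesale while `$selected_rules_sections` from the earlier hunk remains an empty string, so the rule selection the user configures still has no effect on the output; that is pre-existing, but a short comment stating that the list is hard-coded pending that work would stop the next reader from assuming the XXX has been resolved.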