aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--config/snort/snort_generate_conf.php6
-rw-r--r--config/snort/snort_httpinspect_engine.php28
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php5
-rw-r--r--config/snort/snort_migrate_config.php3
4 files changed, 36 insertions, 6 deletions
diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php
index 646697bf..6780da0a 100644
--- a/config/snort/snort_generate_conf.php
+++ b/config/snort/snort_generate_conf.php
@@ -1291,7 +1291,7 @@ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "
"unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
"normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
"max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
- "max_header_length" => 0, "ports" => "default" );
+ "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" );
$http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
$http_inspect_servers = "";
@@ -1385,6 +1385,10 @@ if ($snortcfg['http_inspect'] <> "off") {
$http_inspect_servers .= " \\\n\tlog_uri";
if ($v['log_hostname'] == "on")
$http_inspect_servers .= " \\\n\tlog_hostname";
+ if ($v['decompress_swf'] == "on")
+ $http_inspect_servers .= " \\\n\tdecompress_swf";
+ if ($v['decompress_pdf'] == "on")
+ $http_inspect_servers .= " \\\n\tdecompress_pdf";
// Add a pair of trailing newlines to terminate this server config
$http_inspect_servers .= "\n\n";
diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php
index c7680892..15d70f09 100644
--- a/config/snort/snort_httpinspect_engine.php
+++ b/config/snort/snort_httpinspect_engine.php
@@ -1,7 +1,7 @@
<?php
/*
* snort_httpinspect_engine.php
- * Copyright (C) 2013-2014 Bill Meeks
+ * Copyright (C) 2013-2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -66,7 +66,7 @@ if (empty($a_nat[$eng_id])) {
"unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
"normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
"max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
- "max_header_length" => 0, "ports" => "default" );
+ "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" );
// See if this is initial entry and set to "default" if true
if ($eng_id < 1) {
$def['name'] = "default";
@@ -124,6 +124,10 @@ else {
$pconfig['max_spaces'] = 0;
if (empty($pconfig['max_header_length']))
$pconfig['max_header_length'] = 0;
+ if (empty($pconfig['decompress_swf']))
+ $pconfig['decompress_swf'] = "off";
+ if (empty($pconfig['decompress_pdf']))
+ $pconfig['decompress_pdf'] = "off";
}
if ($_POST['Cancel']) {
@@ -259,6 +263,8 @@ if ($_POST['save']) {
$engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off';
$engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off';
$engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off';
+ $engine['decompress_swf'] = $_POST['httpinspect_decompress_swf'] ? 'on' : 'off';
+ $engine['decompress_pdf'] = $_POST['httpinspect_decompress_pdf'] ? 'on' : 'off';
// Can only have one "all" Bind_To address
if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
@@ -528,6 +534,24 @@ if ($savemsg)
<strong><?php echo gettext("Checked");?></strong>.</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress SWF");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_decompress_swf"
+ type="checkbox" value="on" id="httpinspect_decompress_swf"
+ <?php if ($pconfig['decompress_swf']=="on") echo "checked";?>>
+ <?php echo gettext("Uncompress and inspect Shockwave Flash data in HTTP response. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress PDF");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_decompress_pdf"
+ type="checkbox" value="on" id="httpinspect_decompress_pdf"
+ <?php if ($pconfig['decompress_pdf']=="on") echo "checked";?>>
+ <?php echo gettext("Uncompress and inspect PDF data in HTTP response. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Cookies");?></td>
<td width="78%" class="vtable"><input name="httpinspect_normalize_cookies"
type="checkbox" value="on" id="httpinspect_normalize_cookies"
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index 0d41c7db..41864a4f 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -4,7 +4,7 @@
*
* Copyright (C) 2008-2009 Robert Zelaya.
* Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -269,7 +269,8 @@ if ($_POST["save"] && !$input_errors) {
"unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
"normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
"allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
- "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default",
+ "decompress_swf" => "off", "decompress_pdf" => "off" );
$ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
"telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
index edcbb2d5..a0cf24fe 100644
--- a/config/snort/snort_migrate_config.php
+++ b/config/snort/snort_migrate_config.php
@@ -254,7 +254,8 @@ foreach ($rule as &$r) {
"unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
"normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
"allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
- "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default",
+ "decompress_swf" => "off", "decompress_pdf" => "off" );
// Ensure sensible default values exist for global HTTP_INSPECT parameters
if (empty($pconfig['http_inspect']))