diff options
| -rwxr-xr-x | config/snort/snort.inc | 24 | ||||
| -rwxr-xr-x | config/snort/snort_define_servers.php | 2 | ||||
| -rwxr-xr-x | config/snort/snort_preprocessors.php | 34 |
3 files changed, 53 insertions, 7 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 869e040e..884c50ec 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -1977,7 +1977,8 @@ function snort_generate_conf($snortcfg) { "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", - "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502" + "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", + "GTP_PORTS" => "2123,2152,3386" ); $portvardef = ""; @@ -2002,6 +2003,10 @@ EOD; if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) $def_server_flow_depth_type = $snortcfg['server_flow_depth']; + $http_server_profile = "all"; + if (!empty($snortcfg['http_server_profile'])) + $http_server_profile = $snortcfg['http_server_profile']; + $def_client_flow_depth_type = '300'; if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) $def_client_flow_depth_type = $snortcfg['client_flow_depth']; @@ -2017,7 +2022,7 @@ EOD; # HTTP Inspect # preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 -preprocessor http_inspect_server: server default profile all {$noalert_http_inspect}\ +preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect}\ ports { {$http_ports} } \ http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ server_flow_depth {$def_server_flow_depth_type} \ @@ -2221,6 +2226,14 @@ preprocessor modbus: \ EOD; + /* def gtp_preprocessor */ + $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']); + $gtp_preproc = <<<EOD +# GTP preprocessor # +preprocessor gtp: ports { {$gtp_ports} } + +EOD; + $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']); $ssl_preproc = <<<EOD # Ignore SSL and Encryption # @@ -2267,11 +2280,11 @@ EOD; $snort_preproc_libs = array( "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", - "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", + "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" ); $snort_preprocessors = ""; @@ -2369,6 +2382,9 @@ config disable_tcpopt_alerts config disable_ipopt_alerts config disable_decode_drops +# Enable the GTP decoder # +config enable_gtp + # Configure PCRE match limitations config pcre_match_limit: 3500 config pcre_match_limit_recursion: 1500 diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 3a12b284..4085b325 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -75,7 +75,7 @@ $snort_ports = array( "sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", -"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", +"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", "GTP_PORTS" => "2123,2152,3386", "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 83025929..7d0348e9 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -56,6 +56,7 @@ if (isset($id) && $a_nat[$id]) { /* new options */ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth']; + $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile']; $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth']; $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; @@ -75,6 +76,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['sip_preproc'] = $a_nat[$id]['sip_preproc']; $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc']; $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc']; + $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc']; } if ($_POST) { @@ -88,6 +90,7 @@ if ($_POST) { if (!$input_errors) { /* post new options */ if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = ""; } + if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = ""; } if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } @@ -116,6 +119,7 @@ if ($_POST) { $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; $natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off'; $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; + $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -221,7 +225,7 @@ include_once("head.inc"); <tr> <td><input name="server_flow_depth" type="text" class="formfld" id="flow_depth" size="6" - value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . + value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . "to <strong>65535</strong> (<strong>-1</strong> disables HTTP " . "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> </tr> @@ -233,6 +237,23 @@ include_once("head.inc"); </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP server profile"); ?> </td> + <td width="78%" class="vtable"> + <select name="http_server_profile" class="formselect" id="http_server_profile"> + <?php + $profile = array('All', 'Apache', 'IIS', 'IIS_4.0', 'IIS_5.0'); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the profile type of the protected web server."); ?><br> + <?php echo gettext(" The default is <strong>All</strong>. "); ?> + <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the "); ?> + <?php echo gettext("double decoding vulnerability present in those two versions."); ?><br> + </td> + </tr> + <tr> <td valign="top" class="vncell"><?php echo gettext("HTTP client flow depth"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> @@ -348,7 +369,7 @@ include_once("head.inc"); <td width="78%" class="vtable"> <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" value="<?=$pconfig['pscan_ignore_scanners'];?>"> <br><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias.");?><br> - <?php echo gettext("Default value: \$HOME_NET"); ?><?php echo gettext(" Leave " . + <?php echo gettext("Default value: \$HOME_NET."); ?><?php echo gettext(" Leave " . "blank for default value."); ?> </td> <tr> @@ -419,6 +440,15 @@ include_once("head.inc"); </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> + <?php echo gettext("GTP Detection"); ?></td> + <td width="78%" class="vtable"><input name="gtp_preproc" + type="checkbox" value="on" + <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + <?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("DNS Detection"); ?></td> <td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on" |