diff options
-rw-r--r-- | config/snort/snort_generate_conf.php | 6 | ||||
-rw-r--r-- | config/snort/snort_httpinspect_engine.php | 28 | ||||
-rwxr-xr-x | config/snort/snort_interfaces_edit.php | 5 | ||||
-rw-r--r-- | config/snort/snort_migrate_config.php | 3 |
4 files changed, 36 insertions, 6 deletions
diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php index 646697bf..6780da0a 100644 --- a/config/snort/snort_generate_conf.php +++ b/config/snort/snort_generate_conf.php @@ -1291,7 +1291,7 @@ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", " "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); + "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" ); $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); $http_inspect_servers = ""; @@ -1385,6 +1385,10 @@ if ($snortcfg['http_inspect'] <> "off") { $http_inspect_servers .= " \\\n\tlog_uri"; if ($v['log_hostname'] == "on") $http_inspect_servers .= " \\\n\tlog_hostname"; + if ($v['decompress_swf'] == "on") + $http_inspect_servers .= " \\\n\tdecompress_swf"; + if ($v['decompress_pdf'] == "on") + $http_inspect_servers .= " \\\n\tdecompress_pdf"; // Add a pair of trailing newlines to terminate this server config $http_inspect_servers .= "\n\n"; diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php index c7680892..15d70f09 100644 --- a/config/snort/snort_httpinspect_engine.php +++ b/config/snort/snort_httpinspect_engine.php @@ -1,7 +1,7 @@ <?php /* * snort_httpinspect_engine.php - * Copyright (C) 2013-2014 Bill Meeks + * Copyright (C) 2013-2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -66,7 +66,7 @@ if (empty($a_nat[$eng_id])) { "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); + "max_header_length" => 0, "ports" => "default", "decompress_swf" => "off", "decompress_pdf" => "off" ); // See if this is initial entry and set to "default" if true if ($eng_id < 1) { $def['name'] = "default"; @@ -124,6 +124,10 @@ else { $pconfig['max_spaces'] = 0; if (empty($pconfig['max_header_length'])) $pconfig['max_header_length'] = 0; + if (empty($pconfig['decompress_swf'])) + $pconfig['decompress_swf'] = "off"; + if (empty($pconfig['decompress_pdf'])) + $pconfig['decompress_pdf'] = "off"; } if ($_POST['Cancel']) { @@ -259,6 +263,8 @@ if ($_POST['save']) { $engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off'; $engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off'; $engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off'; + $engine['decompress_swf'] = $_POST['httpinspect_decompress_swf'] ? 'on' : 'off'; + $engine['decompress_pdf'] = $_POST['httpinspect_decompress_pdf'] ? 'on' : 'off'; // Can only have one "all" Bind_To address if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { @@ -528,6 +534,24 @@ if ($savemsg) <strong><?php echo gettext("Checked");?></strong>.</td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress SWF");?></td> + <td width="78%" class="vtable"><input name="httpinspect_decompress_swf" + type="checkbox" value="on" id="httpinspect_decompress_swf" + <?php if ($pconfig['decompress_swf']=="on") echo "checked";?>> + <?php echo gettext("Uncompress and inspect Shockwave Flash data in HTTP response. " . + "Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Decompress PDF");?></td> + <td width="78%" class="vtable"><input name="httpinspect_decompress_pdf" + type="checkbox" value="on" id="httpinspect_decompress_pdf" + <?php if ($pconfig['decompress_pdf']=="on") echo "checked";?>> + <?php echo gettext("Uncompress and inspect PDF data in HTTP response. " . + "Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Cookies");?></td> <td width="78%" class="vtable"><input name="httpinspect_normalize_cookies" type="checkbox" value="on" id="httpinspect_normalize_cookies" diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 0d41c7db..41864a4f 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -4,7 +4,7 @@ * * Copyright (C) 2008-2009 Robert Zelaya. * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -269,7 +269,8 @@ if ($_POST["save"] && !$input_errors) { "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, - "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default", + "decompress_swf" => "off", "decompress_pdf" => "off" ); $ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index edcbb2d5..a0cf24fe 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -254,7 +254,8 @@ foreach ($rule as &$r) { "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, - "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default", + "decompress_swf" => "off", "decompress_pdf" => "off" ); // Ensure sensible default values exist for global HTTP_INSPECT parameters if (empty($pconfig['http_inspect'])) |