Diffstat (limited to 'config/snort-dev/snort_preprocessors.php')
-rw-r--r--config/snort-dev/snort_preprocessors.php175
1 files changed, 123 insertions, 52 deletions
diff --git a/config/snort-dev/snort_preprocessors.php b/config/snort-dev/snort_preprocessors.php
index 88f90b2e..39ed86d4 100644
--- a/config/snort-dev/snort_preprocessors.php
+++ b/config/snort-dev/snort_preprocessors.php
@@ -58,8 +58,16 @@ if (isset($_GET['dup'])) {
if (isset($id) && $a_nat[$id]) {
/* new options */
- $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
$pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore'];
+ $pconfig['flow_depth'] = $a_nat[$id]['flow_depth'];
+ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
+ $pconfig['http_inspect'] = $a_nat[$id]['http_inspect'];
+ $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs'];
+ $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor'];
+ $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor'];
+ $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan'];
+ $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
+ $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
/* old options */
$pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers'];
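Review bot: The nine new `$pconfig[...] = $a_nat[$id][...]` reads have no `isset` guard, so an interface entry saved before these preprocessor keys existed will raise an undefined-index notice for each key every time the page loads. The surrounding lines in this block have the same shape, so this may be accepted project style, but a guard such as `$pconfig['http_inspect'] = isset($a_nat[$id]['http_inspect']) ? $a_nat[$id]['http_inspect'] : '';` (one per key) lets old entries load cleanly. The `if (isset($id) && $a_nat[$id])` block opened at the top of the hunk closes outside it.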
@@ -123,55 +131,63 @@ if ($_POST) {
if (!$input_errors) {
$natent = array();
/* repost the options already in conf */
- $natent['enable'] = $pconfig['enable'];
- $natent['interface'] = $pconfig['interface'];
- $natent['descr'] = $pconfig['descr'];
- $natent['performance'] = $pconfig['performance'];
- $natent['blockoffenders7'] = $pconfig['blockoffenders7'];
- $natent['snortalertlogtype'] = $pconfig['snortalertlogtype'];
- $natent['alertsystemlog'] = $pconfig['alertsystemlog'];
- $natent['tcpdumplog'] = $pconfig['tcpdumplog'];
- $natent['snortunifiedlog'] = $pconfig['snortunifiedlog'];
- $natent['flow_depth'] = $pconfig['flow_depth'];
- $natent['barnyard_enable'] = $pconfig['barnyard_enable'];
- $natent['barnyard_mysql'] = $pconfig['barnyard_mysql'];
- $natent['def_dns_servers'] = $pconfig['def_dns_servers'];
- $natent['def_dns_ports'] = $pconfig['def_dns_ports'];
- $natent['def_smtp_servers'] = $pconfig['def_smtp_servers'];
- $natent['def_smtp_ports'] = $pconfig['def_smtp_ports'];
- $natent['def_mail_ports'] = $pconfig['def_mail_ports'];
- $natent['def_http_servers'] = $pconfig['def_http_servers'];
- $natent['def_www_servers'] = $pconfig['def_www_servers'];
- $natent['def_http_ports'] = $pconfig['def_http_ports'];
- $natent['def_sql_servers'] = $pconfig['def_sql_servers'];
- $natent['def_oracle_ports'] = $pconfig['def_oracle_ports'];
- $natent['def_mssql_ports'] = $pconfig['def_mssql_ports'];
- $natent['def_telnet_servers'] = $pconfig['def_telnet_servers'];
- $natent['def_telnet_ports'] = $pconfig['def_telnet_ports'];
- $natent['def_snmp_servers'] = $pconfig['def_snmp_servers'];
- $natent['def_snmp_ports'] = $pconfig['def_snmp_ports'];
- $natent['def_ftp_servers'] = $pconfig['def_ftp_servers'];
- $natent['def_ftp_ports'] = $pconfig['def_ftp_ports'];
- $natent['def_ssh_servers'] = $pconfig['def_ssh_servers'];
- $natent['def_ssh_ports'] = $pconfig['def_ssh_ports'];
- $natent['def_pop_servers'] = $pconfig['def_pop_servers'];
- $natent['def_pop2_ports'] = $pconfig['def_pop2_ports'];
- $natent['def_pop3_ports'] = $pconfig['def_pop3_ports'];
- $natent['def_imap_servers'] = $pconfig['def_imap_servers'];
- $natent['def_imap_ports'] = $pconfig['def_imap_ports'];
- $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip'];
- $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports'];
- $natent['def_auth_ports'] = $pconfig['def_auth_ports'];
- $natent['def_finger_ports'] = $pconfig['def_finger_ports'];
- $natent['def_irc_ports'] = $pconfig['def_irc_ports'];
- $natent['def_nntp_ports'] = $pconfig['def_nntp_ports'];
- $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports'];
- $natent['def_rsh_ports'] = $pconfig['def_rsh_ports'];
- $natent['def_ssl_ports'] = $pconfig['def_ssl_ports'];
+ if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; }
+ if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; }
+ if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; }
+ if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; }
+ if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; }
+ if ($pconfig['snortalertlogtype'] != "") { $natent['snortalertlogtype'] = $pconfig['snortalertlogtype']; }
+ if ($pconfig['alertsystemlog'] != "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; }
+ if ($pconfig['tcpdumplog'] != "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; }
+ if ($pconfig['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; }
+ if ($pconfig['barnyard_enable'] != "") { $natent['barnyard_enable'] = $pconfig['barnyard_enable']; }
+ if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; }
+ if ($pconfig['def_dns_servers'] != "") { $natent['def_dns_servers'] = $pconfig['def_dns_servers']; }
+ if ($pconfig['def_dns_ports'] != "") { $natent['def_dns_ports'] = $pconfig['def_dns_ports']; }
+ if ($pconfig['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $pconfig['def_smtp_servers']; }
+ if ($pconfig['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $pconfig['def_smtp_ports']; }
+ if ($pconfig['def_mail_ports'] != "") { $natent['def_mail_ports'] = $pconfig['def_mail_ports']; }
+ if ($pconfig['def_http_servers'] != "") { $natent['def_http_servers'] = $pconfig['def_http_servers']; }
+ if ($pconfig['def_www_servers'] != "") { $natent['def_www_servers'] = $pconfig['def_www_servers']; }
+ if ($pconfig['def_http_ports'] != "") { $natent['def_http_ports'] = $pconfig['def_http_ports']; }
+ if ($pconfig['def_sql_servers'] != "") { $natent['def_sql_servers'] = $pconfig['def_sql_servers']; }
+ if ($pconfig['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $pconfig['def_oracle_ports']; }
+ if ($pconfig['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $pconfig['def_mssql_ports']; }
+ if ($pconfig['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $pconfig['def_telnet_servers']; }
+ if ($pconfig['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $pconfig['def_telnet_ports']; }
+ if ($pconfig['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $pconfig['def_snmp_servers']; }
+ if ($pconfig['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $pconfig['def_snmp_ports']; }
+ if ($pconfig['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $pconfig['def_ftp_servers']; }
+ if ($pconfig['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $pconfig['def_ftp_ports']; }
+ if ($pconfig['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $pconfig['def_ssh_servers']; }
+ if ($pconfig['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $pconfig['def_ssh_ports']; }
+ if ($pconfig['def_pop_servers'] != "") { $natent['def_pop_servers'] = $pconfig['def_pop_servers']; }
+ if ($pconfig['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $pconfig['def_pop2_ports']; }
+ if ($pconfig['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $pconfig['def_pop3_ports']; }
+ if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; }
+ if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; }
+ if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; }
+ if ($pconfig['ip def_sip_proxy_ports'] != "") { $natent['ip def_sip_proxy_ports'] = $pconfig['ip def_sip_proxy_ports']; }
+ if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; }
+ if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; }
+ if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; }
+ if ($pconfig['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $pconfig['def_nntp_ports']; }
+ if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; }
+ if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; }
+ if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; }
/* post new options */
$natent['perform_stat'] = $_POST['perform_stat'];
if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; }
+ if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; }
+ $natent['perform_stat'] = $_POST['perform_stat'] ? on : off;
+ $natent['http_inspect'] = $_POST['http_inspect'] ? on : off;
+ $natent['other_preprocs'] = $_POST['other_preprocs'] ? on : off;
+ $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? on : off;
+ $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? on : off;
+ $natent['sf_portscan'] = $_POST['sf_portscan'] ? on : off;
+ $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? on : off;
+ $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? on : off;
if (isset($id) && $a_nat[$id])
$a_nat[$id] = $natent;
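Review bot: The key on the def_sip_proxy_ports line carries a stray `ip ` prefix (`$pconfig['ip def_sip_proxy_ports']`, three times on that line) that the removed line it replaces did not have; no such key is ever populated, so the stored `def_sip_proxy_ports` value is silently dropped on every re-save, and the line should read `if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; }`. The eight `? on : off` assignments that follow use bare identifiers instead of the string literals `'on'` and `'off'`; PHP only tolerates an undefined constant as its own name with a notice (newer versions raise an Error), and the first of them also makes the retained `$natent['perform_stat'] = $_POST['perform_stat'];` context line redundant. `flow_depth` is copied from `$_POST` straight into the saved entry although the form text documents a -1 to 1460 range; if, as seems likely, the value is later emitted into the generated Snort configuration, a numeric range check that appends to `$input_errors` belongs in the validation block above this hunk rather than here. The enclosing `if ($_POST)` starts outside the hunk.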
@@ -268,22 +284,77 @@ if($id != "")
?>
<tr>
<td width="22%" valign="top">&nbsp;</td>
- <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span><br>
- Please save your settings befor you click start.<br>
- Please make sure there are <strong>no spaces</strong> in your definitions.
+ <td width="78%"><span class="vexpl"><span class="red"><strong>Note: </strong></span><br>
+ RULES MAY DEPENDENT ON Preprocessors!<br>
+ Please save your settings befor you click start.<br>
</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell">perform_stat</td>
+ <td width="22%" valign="top" class="vncell">Enable <br>Performance Statistics</td>
<td width="78%" class="vtable">
<input name="perform_stat" type="checkbox" value="on" <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?> onClick="enable_change(false)"><br>
- Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</td>
+ Performance Statistics for this interface.</td>
</tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>HTTP Inspect</td>
+ <td width="78%" class="vtable">
+ <input name="http_inspect" type="checkbox" value="on" <?php if ($pconfig['http_inspect']=="on") echo "checked"; ?> onClick="enable_change(false)"><br>
+ Normalize/Decode and detect HTTP traffic and protocol anomalies.</td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">HTTP server flow depth</td>
+ <td class="vtable">
+ <table cellpadding="0" cellspacing="0">
+ <tr>
+ <td><input name="flow_depth" type="text" class="formfld" id="flow_depth" size="5" value="<?=htmlspecialchars($pconfig['flow_depth']);?>"> <strong>-1</strong> to <strong>1460</strong> (<strong>-1</strong> disables HTTP inspect, <strong>0</strong> enables all HTTP inspect)</td>
+ </tr>
+ </table>
+ Amount of HTTP server response payload to inspect. Snort's performance may increase by ajusting this value.<br>
+ Setting this value too low may cause false negatives. Value above 0 is in bytes.<br>
+ <strong>Default value is 0</strong></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>RPC Decode and Back Orifice detector</td>
+ <td width="78%" class="vtable">
+ <input name="other_preprocs" type="checkbox" value="on" <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?> onClick="enable_change(false)"><br>
+ Normalize/Decode RPC traffic and detects Back Orifice traffic on the network.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>FTP & Telnet Normalizer</td>
+ <td width="78%" class="vtable">
+ <input name="ftp_preprocessor" type="checkbox" value="on" <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> onClick="enable_change(false)"><br>
+ Normalize/Decode FTP & Telnet traffic and protocol anomalies.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>SMTP Normalizer</td>
+ <td width="78%" class="vtable">
+ <input name="smtp_preprocessor" type="checkbox" value="on" <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?> onClick="enable_change(false)"><br>
+ Normalize/Decode SMTP protocol for enforcement and buffer overflows.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>Portscan Detection</td>
+ <td width="78%" class="vtable">
+ <input name="sf_portscan" type="checkbox" value="on" <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> onClick="enable_change(false)"><br>
+ Detects various types of portscans and portsweeps.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>DCE/RPC2 Detection</td>
+ <td width="78%" class="vtable">
+ <input name="dce_rpc_2" type="checkbox" value="on" <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?> onClick="enable_change(false)"><br>
+ The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Enable <br>DNS Detection</td>
+ <td width="78%" class="vtable">
+ <input name="dns_preprocessor" type="checkbox" value="on" <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?> onClick="enable_change(false)"><br>
+ The dns preprocessor (currently) decodes DNS Response traffic and detects a few vulnerabilities.</td>
+ </tr>
<tr>
<td width="22%" valign="top" class="vncell">Define SSL_IGNORE</td>
<td width="78%" class="vtable">
<input name="def_ssl_ports_ignore" type="text" class="formfld" id="def_ssl_ports_ignore" size="40" value="<?=htmlspecialchars($pconfig['def_ssl_ports_ignore']);?>">
- <br> <span class="vexpl">Example: "443 465 563 636 989 990 992 993 994 995".</span></td>
+ <br> <span class="vexpl"> Encrypted traffic should be ignored by Snort for both performance reasons and to reduce false positives.<br>
+ Default: "443 465 563 636 989 990 992 993 994 995".</span> <strong>Please use spaces and not commas.</strong></td>
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
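Review bot: The new help text has several wording defects: `RULES MAY DEPENDENT ON Preprocessors!` should read `Rules may depend on preprocessors.`, `befor` on the re-added line below it should be `before`, and `ajusting` in the flow depth description should be `adjusting`. The two `FTP & Telnet` strings contain a raw ampersand that should be written `FTP &amp; Telnet` to keep the markup valid. The flow_depth field documents a -1 to 1460 range but is a plain text box; a `maxlength="5"` would match the `size="5"` already given, though the real range check has to live in the POST handler.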