diff options
Diffstat (limited to 'config/snort-dev/snortsam-package-code/snort_build.inc')
-rw-r--r-- | config/snort-dev/snortsam-package-code/snort_build.inc | 1288 |
1 files changed, 1288 insertions, 0 deletions
diff --git a/config/snort-dev/snortsam-package-code/snort_build.inc b/config/snort-dev/snortsam-package-code/snort_build.inc new file mode 100644 index 00000000..2c18d3d3 --- /dev/null +++ b/config/snort-dev/snortsam-package-code/snort_build.inc @@ -0,0 +1,1288 @@ +<?php +/* $Id$ */ +/* + + part of pfSense + All rights reserved. + + Pfsense Old snort GUI + Copyright (C) 2006 Scott Ullrich. + + Pfsense snort GUI + Copyright (C) 2008-2012 Robert Zelaya. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. Neither the name of the pfSense nor the names of its contributors + may be used to endorse or promote products derived from this software without + specific prior written permission. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ + +// unset crsf checks +if(isset($_POST['__csrf_magic'])) { + unset($_POST['__csrf_magic']); +} + + +/* + * Builds sid-block.map for snortsam + * May have to break this down into smaller funcs so that there is no namespace conflick + */ +function buildSnortSamSidBlockMap($rdbuuid) +{ + + + function buildSidMap($rdbuuid) + { + // list rules in the default dir + $filterDirList = array(); + $filterDirList = snortScanDirFilter('/usr/local/etc/snort/snortDBrules/DB/' . $rdbuuid . '/rules', '\.rules'); + + // list rules in db that are on in a array + $listOnRules = array(); + $listOnRules = snortSql_fetchAllSettings('snortDBrules', 'SnortRuleSetsIps', 'rdbuuid', $rdbuuid); + + // list rules in db that are on in a array + $listGenRules = array(); + $listGenRules = snortSql_fetchAllSettings('snortDBrules', 'SnortruleGenIps', 'rdbuuid', $rdbuuid); + + // get sigs in db + $listSigRules = array(); + $listSigRules = snortSql_fetchAllSettings('snortDBrules', 'SnortruleSigsIps', 'rdbuuid', $rdbuuid); + + // clear tmp db + exec('rm /usr/local/etc/snort/snortDBrules/DB/' . $rdbuuid . '/dbBlockSplit/*.rules'); + + foreach ($listOnRules as $listRule) + { + if ( $listRule['enable'] === 'on' ) { + exec('cp /usr/local/etc/snort/snortDBrules/DB/' . $rdbuuid . '/rules/' . $listRule['rulesetname'] . ' /usr/local/etc/snort/snortDBrules/DB/' . $rdbuuid . '/dbBlockSplit/' . $listRule['rulesetname']); + } + } + + // get list of sids + exec('perl /usr/local/bin/make_snortsam_map.pl /usr/local/etc/snort/snortDBrules/DB/' . $rdbuuid . '/dbBlockSplit/', $getEnableSidArray); + + // make sidMapFile lines 1023: src, 15 min + // remember to chech is Gen enable is on + foreach ( getCurrentIpsRuleArray($getEnableSidArray) as $sidLineMap ) + { + + $snortSigIpsExists = snortSearchArray($listSigRules, 'siguuid', $sidLineMap[0]); + + // if sig is in db use its settings else use default settings + if(!empty($snortSigIpsExists['siguuid'])) { + + $getSid = $snortSigIpsExists['siguuid']; + $getEnable = $snortSigIpsExists['enable']; + $getWho = $snortSigIpsExists['who']; + $getTimeamount = $snortSigIpsExists['timeamount']; + $getTimetype = $snortSigIpsExists['timetype']; + + }else{ + + $getSid = $sidLineMap[0]; + $getEnable = $listGenRules[0]['enable']; + $getWho = $listGenRules[0]['who']; + $getTimeamount = $listGenRules[0]['timeamount']; + $getTimetype = $listGenRules[0]['timetype']; + + } + + + if ( $getEnable === 'on' ) { + $newMapFileLine[] = $getSid . ': ' . $getWho . ', ' . $getTimeamount . ' ' . $getTimetype . "\n"; + } + + } // END forech + + return $newMapFileLine; + } // END buildSidMap Func + + write_rule_file(buildSidMap($rdbuuid), '/usr/local/etc/snort/snortDBrules/DB/' . $rdbuuid . '/sid-block.map'); + +} // END Func buildSnortSidBlockMap + +// -------------------------- START snort.conf ------------------------- + +/* func builds custom whitelests */ +function build_base_whitelist($lanip, $wanip, $wangw, $wandns, $vips, $vpns, $userwhtips, $netlist) { + + // bring in settings from /etc/inc + global $config; + + /* build an interface array list */ + if ($lanip === 'on') { + $int_array = array('lan'); + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + { + if(isset($config['interfaces']['opt' . $j]['enable'])) + if(isset($config['interfaces']['opt' . $j]['gateway'])) + $int_array[] = "opt{$j}"; + } + + /* iterate through interface list and write out whitelist items + * and also compile a home_net list for snort. + */ + foreach($int_array as $int) + { + /* calculate interface subnet information */ + $ifcfg = $config['interfaces'][$int]; + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + $subnetmask = gen_subnet_mask($ifcfg['subnet']); + if($subnet == "pppoe" or $subnet == "dhcp") { + $subnet = find_interface_ip("ng0"); + if($subnet) { + $home_net .= "{$subnet} "; + } + } else { + if ($subnet) + if($ifcfg['subnet']) + $home_net .= "{$subnet}/{$ifcfg['subnet']} "; + } + } + } + + if($wanip === 'on') { + // add all WAN ips to the whitelist + $wan_if = get_real_wan_interface(); + $ip = find_interface_ip($wan_if); + if($ip) { + $home_net .= "{$ip} "; + } + } + + if($wangw === 'on') { + // Add Gateway on WAN interface to whitelist (For RRD graphs) + $gw = get_interface_gateway('wan'); + if($gw) { + $home_net .= "{$gw} "; + } + } + + if($wandns === 'on') { + // Add DNS server for WAN interface to whitelist + $dns_servers = get_dns_servers(); + foreach($dns_servers as $dns) { + if($dns) { + $home_net .= "{$dns} "; + } + } + } + + // TESTING: NEEDED 06202011 + if($vips === 'on') { + // iterate all vips and add to whitelist + if($config['virtualip']) + foreach($config['virtualip']['vip'] as $vip) + if($vip['subnet']) + $home_net .= $vip['subnet'] . " "; + } + + // TESTING: NEEDED 06202011 + // grab a list of vpns and whitelist if user desires added by nestorfish 954 + if($vpns == 'on') { + // chk what pfsense version were on + if ($pfsense_stable == 'yes') { + $vpns_list = get_vpns_list(); + } + + // chk what pfsense version were on + if ($pfsense_stable == 'no') { + $vpns_list = filter_get_vpns_list(); + } + + if (!empty($vpns_list)) { + $home_net .= "$vpns_list "; + } + } + + // Add homenet, NETLIST + if($userwhtips == 'on') { + + $whitelistArray = snortSql_fetchAllSettings('snortDB', 'SnortWhitelistips', 'filename', $netlist); + + foreach ($whitelistArray as $whiteListIp) + { + $home_net .= $whiteListIp['ip'] . ' '; + } + + } + + // Add loopback to whitelist (ftphelper) + if ($lanip === 'on') { + $home_net .= '127.0.0.1'; + } + + // remove empty spaces + $home_net = trim($home_net); + + // this is for snort.conf + $home_net = str_replace(' ', ',', $home_net); + // by Thrae, helps people with more than one gateway, breaks snort as is + $home_net = str_replace(',,', ',', $home_net); + + if ($lanip !== 'on') { + + $snortHomeNetPieces = explode(',', $home_net); + $home_net = ''; + + $i = 1; + $homeNetPieceCount = count($snortHomeNetPieces); + foreach ($snortHomeNetPieces as $homeNetPiece) + { + if (!empty($homeNetPiece) && $homeNetPieceCount !== $i) { + $home_net .= $homeNetPiece . ','; + }else{ + $home_net .= $homeNetPiece . ''; + } + + $i++; + } + + } + + return $home_net; +} + + + +function create_snort_homenet($snortNet, $getSnortHomeNet) { + + if ($snortNet === 'homenet') { + + $listName = $getSnortHomeNet['homelistname']; + + if ($listName == 'default' || empty($listName)) { + return build_base_whitelist('on','on', 'on', 'on', 'on', 'on', 'off', ''); + }else{ + $getSnortWhitelist = snortSql_fetchAllSettings('snortDB', 'SnortWhitelist', 'filename', $listName); + return build_base_whitelist('on', $getSnortWhitelist[0]['wanips'], $getSnortWhitelist[0]['wangateips'], $getSnortWhitelist[0]['wandnsips'], $getSnortWhitelist[0]['vips'], $getSnortWhitelist[0]['vpnips'], 'on', $listName); + } + } + + if ($snortNet === 'externalnet') { + $listName = $getSnortHomeNet['externallistname']; + return build_base_whitelist('off', 'off', 'off', 'off', 'off', 'off', 'on', $listName); + } + +} + +function generate_snort_conf($uuid) +{ + + // Iface main setings + $ifaceSettingsArray = snortSql_fetchAllSettings('snortDB', 'SnortIfaces', 'uuid', $uuid); + + // custom home nets + // might need to make this same ass homenet + $home_net = '[' . create_snort_homenet('homenet', $ifaceSettingsArray) . ']'; + + if ($ifaceSettingsArray['externallistname'] === 'default'){ + $external_net = '!$HOME_NET'; + }else{ + $external_net = '[' . create_snort_homenet('externalnet', $ifaceSettingsArray) . ']'; + } + + // obtain external interface + // XXX: make multi wan friendly + $snort_ext_int = $ifaceSettingsArray['interface']; + + // user added arguments + $snort_config_pass_thru = str_replace("\r", '', base64_decode($ifaceSettingsArray['configpassthru'])); + + // define basic log filename + $snortunifiedlogbasic_type = "output unified: filename snort_{$ifaceSettingsArray['uuid']}.log, limit 128"; + + // define snortalertlogtype + $snortalertlogtype = $ifaceSettingsArray['snortalertlogtype']; + + if ($snortalertlogtype == 'fast' || $snortalertlogtype == 'full') { + $snortalertlogtype_type = "output alert_{$snortalertlogtype}: alert"; + }else{ + $snortalertlogtype_type = ''; + } + + // define alertsystemlog + $alertsystemlog_info_chk = $ifaceSettingsArray['alertsystemlog']; + if ($alertsystemlog_info_chk == on) { + $alertsystemlog_type = "output alert_syslog: log_alert"; + } + + // define tcpdumplog + $tcpdumplog_info_chk = $ifaceSettingsArray['tcpdumplog']; + if ($tcpdumplog_info_chk == on) { + $tcpdumplog_type = "output log_tcpdump: snort_{$ifaceSettingsArray['uuid']}.tcpdump"; + } + + // define snortunifiedlog + $snortunifiedlog_info_chk = $ifaceSettingsArray['snortunifiedlog']; + if ($snortunifiedlog_info_chk == on) { + $snortunifiedlog_type = "output unified2: filename snort_{$ifaceSettingsArray['uuid']}.u2, limit 128"; + } + + // define snortsam + $snortsam_info_chk = $ifaceSettingsArray['blockoffenders7']; + if ($snortsam_info_chk === 'on') { + $snortsam_type = "output alert_fwsam: 127.0.0.1:786/snortsam1234"; + }else{ + $snortsam_type = ''; + } + + /* define threshold file */ + $threshold_info_chk = $ifaceSettingsArray['suppresslistname']; + if ($threshold_info_chk !== 'default') { + + $threshold_info_chk = "include /usr/local/etc/snort/suppress/{$threshold_info_chk}"; + } + + /* define servers and ports snortdefservers */ + /* def DNS_SERVSERS */ + $def_dns_servers_info_chk = $ifaceSettingsArray['def_dns_servers']; + if (empty($def_dns_servers_info_chk)) { + $def_dns_servers_type = '$HOME_NET'; + }else{ + $def_dns_servers_type = "$def_dns_servers_info_chk"; + } + + /* def DNS_PORTS */ + $def_dns_ports_info_chk = $ifaceSettingsArray['def_dns_ports']; + if (empty($def_dns_ports_info_chk)) { + $def_dns_ports_type = '53'; + }else{ + $def_dns_ports_type = "$def_dns_ports_info_chk"; + } + + /* def SMTP_SERVSERS */ + $def_smtp_servers_info_chk = $ifaceSettingsArray['def_smtp_servers']; + if (empty($def_smtp_servers_info_chk)) { + $def_smtp_servers_type = '$HOME_NET'; + }else{ + $def_smtp_servers_type = $def_smtp_servers_info_chk; + } + + /* def SMTP_PORTS */ + $def_smtp_ports_info_chk = $ifaceSettingsArray['def_smtp_ports']; + if (empty($def_smtp_ports_info_chk)) { + $def_smtp_ports_type = '25'; + }else{ + $def_smtp_ports_type = $def_smtp_ports_info_chk; + } + + /* def MAIL_PORTS */ + $def_mail_ports_info_chk = $ifaceSettingsArray['def_mail_ports']; + if (empty($def_mail_ports_info_chk)) { + $def_mail_ports_type = '25,143,465,691'; + }else{ + $def_mail_ports_type = $def_mail_ports_info_chk; + } + + /* def HTTP_SERVSERS */ + $def_http_servers_info_chk = $ifaceSettingsArray['def_http_servers']; + if (empty($def_http_servers_info_chk)) { + $def_http_servers_type = '$HOME_NET'; + }else{ + $def_http_servers_type = $def_http_servers_info_chk; + } + + /* def WWW_SERVSERS */ + $def_www_servers_info_chk = $ifaceSettingsArray['def_www_servers']; + if (empty($def_www_servers_info_chk)) { + $def_www_servers_type = '$HOME_NET'; + }else{ + $def_www_servers_type = $def_www_servers_info_chk; + } + + /* def HTTP_PORTS */ + $def_http_ports_info_chk = $ifaceSettingsArray['def_http_ports']; + if (empty($def_http_ports_info_chk)) { + $def_http_ports_type = '80'; + }else{ + $def_http_ports_type = $def_http_ports_info_chk; + } + + /* def SQL_SERVSERS */ + $def_sql_servers_info_chk = $ifaceSettingsArray['def_sql_servers']; + if (empty($def_sql_servers_info_chk)) { + $def_sql_servers_type = '$HOME_NET'; + }else{ + $def_sql_servers_type = $def_sql_servers_info_chk; + } + + /* def ORACLE_PORTS */ + $def_oracle_ports_info_chk = $ifaceSettingsArray['def_oracle_ports']; + if (empty($def_oracle_ports_info_chk)) { + $def_oracle_ports_type = '1521'; + }else{ + $def_oracle_ports_type = $def_oracle_ports_info_chk; + } + + /* def MSSQL_PORTS */ + $def_mssql_ports_info_chk = $ifaceSettingsArray['def_mssql_ports']; + if (empty($def_mssql_ports_info_chk)) { + $def_mssql_ports_type = '1433'; + }else{ + $def_mssql_ports_type = $def_mssql_ports_info_chk; + } + + /* def TELNET_SERVSERS */ + $def_telnet_servers_info_chk = $ifaceSettingsArray['def_telnet_servers']; + if (empty($def_telnet_servers_info_chk)) { + $def_telnet_servers_type = '$HOME_NET'; + }else{ + $def_telnet_servers_type = $def_telnet_servers_info_chk; + } + + /* def TELNET_PORTS */ + $def_telnet_ports_info_chk = $ifaceSettingsArray['def_telnet_ports']; + if (empty($def_telnet_ports_info_chk)) { + $def_telnet_ports_type = '23'; + }else{ + $def_telnet_ports_type = $def_telnet_ports_info_chk; + } + + /* def SNMP_SERVSERS */ + $def_snmp_servers_info_chk = $ifaceSettingsArray['def_snmp_servers']; + if (empty($def_snmp_servers_info_chk)) { + $def_snmp_servers_type = '$HOME_NET'; + }else{ + $def_snmp_servers_type = $def_snmp_servers_info_chk; + } + + /* def SNMP_PORTS */ + $def_snmp_ports_info_chk = $ifaceSettingsArray['def_snmp_ports']; + if (empty($def_snmp_ports_info_chk)) { + $def_snmp_ports_type = '161'; + }else{ + $def_snmp_ports_type = $def_snmp_ports_info_chk; + } + + /* def FTP_SERVSERS */ + $def_ftp_servers_info_chk = $ifaceSettingsArray['def_ftp_servers']; + if (empty($def_ftp_servers_info_chk)) { + $def_ftp_servers_type = '$HOME_NET'; + }else{ + $def_ftp_servers_type = $def_ftp_servers_info_chk; + } + + /* def FTP_PORTS */ + $def_ftp_ports_info_chk = $ifaceSettingsArray['def_ftp_ports']; + if (empty($def_ftp_ports_info_chk)) { + $def_ftp_ports_type = '21'; + }else{ + $def_ftp_ports_type = $def_ftp_ports_info_chk; + } + + /* def SSH_SERVSERS */ + $def_ssh_servers_info_chk = $ifaceSettingsArray['def_ssh_servers']; + if (empty($def_ssh_servers_info_chk)) { + $def_ssh_servers_type = '$HOME_NET'; + }else{ + $def_ssh_servers_type = $def_ssh_servers_info_chk; + } + + /* if user has defined a custom ssh port, use it */ + if($config['system']['ssh']['port']) { + $ssh_port = $config['system']['ssh']['port']; + }else{ + $ssh_port = '22'; + } + + /* def SSH_PORTS */ + $def_ssh_ports_info_chk = $ifaceSettingsArray['def_ssh_ports']; + if (empty($def_ssh_ports_info_chk)) { + $def_ssh_ports_type = $ssh_port; + }else{ + $def_ssh_ports_type = $def_ssh_ports_info_chk; + } + + /* def POP_SERVSERS */ + $def_pop_servers_info_chk = $ifaceSettingsArray['def_pop_servers']; + if (empty($def_pop_servers_info_chk)) { + $def_pop_servers_type = '$HOME_NET'; + }else{ + $def_pop_servers_type = $def_pop_servers_info_chk; + } + + /* def POP2_PORTS */ + $def_pop2_ports_info_chk = $ifaceSettingsArray['def_pop2_ports']; + if (empty($def_pop2_ports_info_chk)) { + $def_pop2_ports_type = '109'; + }else{ + $def_pop2_ports_type = $def_pop2_ports_info_chk; + } + + /* def POP3_PORTS */ + $def_pop3_ports_info_chk = $ifaceSettingsArray['def_pop3_ports']; + if (empty($def_pop3_ports_info_chk)) { + $def_pop3_ports_type = '110'; + }else{ + $def_pop3_ports_type = $def_pop3_ports_info_chk; + } + + /* def IMAP_SERVSERS */ + $def_imap_servers_info_chk = $ifaceSettingsArray['def_imap_servers']; + if (empty($def_imap_servers_info_chk)) { + $def_imap_servers_type = '$HOME_NET'; + }else{ + $def_imap_servers_type = $def_imap_servers_info_chk; + } + + /* def IMAP_PORTS */ + $def_imap_ports_info_chk = $ifaceSettingsArray['def_imap_ports']; + if (empty($def_imap_ports_info_chk)) { + $def_imap_ports_type = '143'; + }else{ + $def_imap_ports_type = $def_imap_ports_info_chk; + } + /* def SIP_PROXY_IP */ + $def_sip_proxy_ip_info_chk = $ifaceSettingsArray['def_sip_proxy_ip']; + if (empty($def_sip_proxy_ip_info_chk)) { + $def_sip_proxy_ip_type = '$HOME_NET'; + }else{ + $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; + } + + /* def SIP_PROXY_PORTS */ + $def_sip_proxy_ports_info_chk = $ifaceSettingsArray['def_sip_proxy_ports']; + if (empty($def_sip_proxy_ports_info_chk)) { + $def_sip_proxy_ports_type = '5060:5090,16384:32768'; + }else{ + $def_sip_proxy_ports_type = $def_sip_proxy_ports_info_chk; + } + + /* def AUTH_PORTS */ + $def_auth_ports_info_chk = $ifaceSettingsArray['def_auth_ports']; + if (empty($def_auth_ports_info_chk)) { + $def_auth_ports_type = '113'; + }else{ + $def_auth_ports_type = $def_auth_ports_info_chk; + } + + /* def FINGER_PORTS */ + $def_finger_ports_info_chk = $ifaceSettingsArray['def_finger_ports']; + if (empty($def_finger_ports_info_chk)) { + $def_finger_ports_type = "79"; + }else{ + $def_finger_ports_type = $def_finger_ports_info_chk; + } + + /* def IRC_PORTS */ + $def_irc_ports_info_chk = $ifaceSettingsArray['def_irc_ports']; + if (empty($def_irc_ports_info_chk)) { + $def_irc_ports_type = '6665,6666,6667,6668,6669,7000'; + }else{ + $def_irc_ports_type = $def_irc_ports_info_chk; + } + + /* def NNTP_PORTS */ + $def_nntp_ports_info_chk = $ifaceSettingsArray['def_nntp_ports']; + if (empty($def_nntp_ports_info_chk)) { + $def_nntp_ports_type = '119'; + }else{ + $def_nntp_ports_type = $def_nntp_ports_info_chk; + } + + /* def RLOGIN_PORTS */ + $def_rlogin_ports_info_chk = $ifaceSettingsArray['def_rlogin_ports']; + if (empty($def_rlogin_ports_info_chk)) { + $def_rlogin_ports_type = '513'; + }else{ + $def_rlogin_ports_type = $def_rlogin_ports_info_chk; + } + + /* def RSH_PORTS */ + $def_rsh_ports_info_chk = $ifaceSettingsArray['def_rsh_ports']; + if (empty($def_rsh_ports_info_chk)) { + $def_rsh_ports_type = '514'; + }else{ + $def_rsh_ports_type = $def_rsh_ports_info_chk; + } + + /* def SSL_PORTS */ + $def_ssl_ports_info_chk = $ifaceSettingsArray['def_ssl_ports']; + if (empty($def_ssl_ports_info_chk)) { + $def_ssl_ports_type = '443,465,563,636,989,990,992,993,994,995'; + }else{ + $def_ssl_ports_type = $def_ssl_ports_info_chk; + } + + /* should we install a automatic update crontab entry? + $automaticrulesupdate = $config['installedpackages']['snortglobal']['automaticrulesupdate7']; + + // if user is on pppoe, we really want to use ng0 interface + if(isset($config['interfaces'][$snort_ext_int]['ipaddr']) && ($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe")) + $snort_ext_int = "ng0"; + + // set the snort performance model */ + if($ifaceSettingsArray['performance']) { + $snort_performance = $ifaceSettingsArray['performance']; + }else{ + $snort_performance = "ac-bnfa"; + } + + // list rules in db that are on in a array + $listEnabled_rulesets = array(); + $listEnabled_rulesets = snortSql_fetchAllSettings('snortDBrules', 'SnortRuleSets', 'rdbuuid', $ifaceSettingsArray['ruledbname']); + + $listCurntDirRules = array(); + $listCurntDirRules = snortScanDirFilter("/usr/local/etc/snort/sn_{$uuid}/rules", '\.rules'); + if(!empty($listEnabled_rulesets)) { + foreach($listEnabled_rulesets as $enabled_item) + { + if ($enabled_item['enable'] !== 'off' && in_array($enabled_item['rulesetname'], $listCurntDirRules)) { + $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item['rulesetname']}\n"; + } + } + } + + + ///////////////////////////// + + /* preprocessor code */ + + /* def perform_stat */ + + + $def_perform_stat_info_chk = $ifaceSettingsArray['perform_stat']; + if ($def_perform_stat_info_chk === 'on') { + $def_perform_stat_type = "preprocessor perfmonitor: time 300 file /var/log/snort/sn_{$ifaceSettingsArray['uuid']}.stats pktcnt 10000"; + }else{ + $def_perform_stat_type = ''; + } + + $def_flow_depth_info_chk = $ifaceSettingsArray['flow_depth']; + if (empty($def_flow_depth_info_chk)) { + $def_flow_depth_type = '0'; + }else{ + $def_flow_depth_type = $ifaceSettingsArray['flow_depth']; + } + + /* def http_inspect */ + $snort_http_inspect = <<<EOD +################# + # +# HTTP Inspect # + # +################# + +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 + +preprocessor http_inspect_server: server default \ + ports { 80 8080 } \ + non_strict \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + flow_depth {$def_flow_depth_type} \ + apache_whitespace no \ + directory no \ + iis_backslash no \ + u_encode yes \ + ascii no \ + chunk_length 500000 \ + bare_byte yes \ + double_decode yes \ + iis_unicode no \ + iis_delimiter no \ + multi_slash no + +EOD; + + $def_http_inspect_info_chk = $ifaceSettingsArray['http_inspect']; + if ($def_http_inspect_info_chk === 'on') { + $def_http_inspect_type = $snort_http_inspect; + }else{ + $def_http_inspect_type = ''; + } + + + /* def other_preprocs */ + $snort_other_preprocs = <<<EOD +################## + # +# Other preprocs # + # +################## + +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 +preprocessor bo + +EOD; + + $def_other_preprocs_info_chk = $ifaceSettingsArray['other_preprocs']; + if ($def_other_preprocs_info_chk === 'on') { + $def_other_preprocs_type = $snort_other_preprocs; + }else{ + $def_other_preprocs_type = ''; + } + + /* def ftp_preprocessor */ + $snort_ftp_preprocessor = <<<EOD +##################### + # +# ftp preprocessor # + # +##################### + +preprocessor ftp_telnet: global \ +inspection_type stateless + +preprocessor ftp_telnet_protocol: telnet \ + normalize \ + ayt_attack_thresh 200 + +preprocessor ftp_telnet_protocol: \ + ftp server default \ + def_max_param_len 100 \ + ports { 21 } \ + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +EOD; + + $def_ftp_preprocessor_info_chk = $ifaceSettingsArray['ftp_preprocessor']; + if ($def_ftp_preprocessor_info_chk === 'on') { + $def_ftp_preprocessor_type = $snort_ftp_preprocessor; + }else{ + $def_ftp_preprocessor_type = ""; + } + + /* def smtp_preprocessor */ + $snort_smtp_preprocessor = <<<EOD +##################### + # +# SMTP preprocessor # + # +##################### + +preprocessor SMTP: \ + ports { 25 465 691 } \ + inspection_type stateful \ + normalize cmds \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ +CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ +PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } + +EOD; + + $def_smtp_preprocessor_info_chk = $ifaceSettingsArray['smtp_preprocessor']; + if ($def_smtp_preprocessor_info_chk === 'on') { + $def_smtp_preprocessor_type = $snort_smtp_preprocessor; + }else{ + $def_smtp_preprocessor_type = ''; + } + + /* def sf_portscan */ + $snort_sf_portscan = <<<EOD +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } + +EOD; + + $def_sf_portscan_info_chk = $ifaceSettingsArray['sf_portscan']; + if ($def_sf_portscan_info_chk === 'on') { + $def_sf_portscan_type = $snort_sf_portscan; + }else{ + $def_sf_portscan_type = ''; + } + + /* def dce_rpc_2 */ + $snort_dce_rpc_2 = <<<EOD +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3 + +EOD; + + $def_dce_rpc_2_info_chk = $ifaceSettingsArray['dce_rpc_2']; + if ($def_dce_rpc_2_info_chk === 'on') { + $def_dce_rpc_2_type = $snort_dce_rpc_2; + }else{ + $def_dce_rpc_2_type = ''; + } + + /* def dns_preprocessor */ + $snort_dns_preprocessor = <<<EOD +#################### + # +# DNS preprocessor # + # +#################### + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +EOD; + + $def_dns_preprocessor_info_chk = $ifaceSettingsArray['dns_preprocessor']; + if ($def_dns_preprocessor_info_chk === 'on') { + $def_dns_preprocessor_type = $snort_dns_preprocessor; + }else{ + $def_dns_preprocessor_type = ''; + } + + /* def SSL_PORTS IGNORE */ + $def_ssl_ports_ignore_info_chk = $ifaceSettingsArray['def_ssl_ports_ignore']; + if (empty($def_ssl_ports_ignore_info_chk)) { + $def_ssl_ports_ignore_type = 'preprocessor ssl: ports { 443 465 563 636 989 990 992 993 994 995 }, trustservers, noinspect_encrypted'; + }else{ + $def_ssl_ports_ignore_type = "preprocessor ssl: ports { {$def_ssl_ports_ignore_info_chk} }, trustservers, noinspect_encrypted"; + } + + /* stream5 queued settings */ + + + $def_max_queued_bytes_info_chk = $ifaceSettingsArray['max_queued_bytes']; + if (empty($def_max_queued_bytes_info_chk)) { + $def_max_queued_bytes_type = ''; + }else{ + $def_max_queued_bytes_type = ' max_queued_bytes ' . $ifaceSettingsArray['max_queued_bytes'] . ','; + } + + $def_max_queued_segs_info_chk = $ifaceSettingsArray['max_queued_segs']; + if (empty($def_max_queued_segs_info_chk)) { + $def_max_queued_segs_type = ''; + }else{ + $def_max_queued_segs_type = ' max_queued_segs ' . $ifaceSettingsArray['max_queued_segs'] . ','; + } + + + /* build snort configuration file */ + /* TODO; feed back from pfsense users to reduce false positives */ + $snort_conf_text = <<<EOD + +# snort configuration file +# generated by the pfSense +# package manager system +# see /usr/local/pkg/snort.inc +# for more information +# snort.conf +# Snort can be found at http://www.snort.org/ +# +# Copyright (C) 2009-2010 Robert Zelaya +# part of pfSense +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. + +######################### + # +# Define Local Network # + # +######################### + +var HOME_NET {$home_net} +var EXTERNAL_NET {$external_net} + +################### + # +# Define Servers # + # +################### + +var DNS_SERVERS [{$def_dns_servers_type}] +var SMTP_SERVERS [{$def_smtp_servers_type}] +var HTTP_SERVERS [{$def_http_servers_type}] +var SQL_SERVERS [{$def_sql_servers_type}] +var TELNET_SERVERS [{$def_telnet_servers_type}] +var SNMP_SERVERS [{$def_snmp_servers_type}] +var FTP_SERVERS [{$def_ftp_servers_type}] +var SSH_SERVERS [{$def_ssh_servers_type}] +var POP_SERVERS [{$def_pop_servers_type}] +var IMAP_SERVERS [{$def_imap_servers_type}] +var RPC_SERVERS \$HOME_NET +var WWW_SERVERS [{$def_www_servers_type}] +var SIP_PROXY_IP [{$def_sip_proxy_ip_type}] +var AIM_SERVERS \ +[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] + +######################## + # +# Define Server Ports # + # +######################## + +portvar HTTP_PORTS [{$def_http_ports_type}] +portvar SHELLCODE_PORTS !80 +portvar ORACLE_PORTS [{$def_oracle_ports_type}] +portvar AUTH_PORTS [{$def_auth_ports_type}] +portvar DNS_PORTS [{$def_dns_ports_type}] +portvar FINGER_PORTS [{$def_finger_ports_type}] +portvar FTP_PORTS [{$def_ftp_ports_type}] +portvar IMAP_PORTS [{$def_imap_ports_type}] +portvar IRC_PORTS [{$def_irc_ports_type}] +portvar MSSQL_PORTS [{$def_mssql_ports_type}] +portvar NNTP_PORTS [{$def_nntp_ports_type}] +portvar POP2_PORTS [{$def_pop2_ports_type}] +portvar POP3_PORTS [{$def_pop3_ports_type}] +portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779] +portvar RLOGIN_PORTS [{$def_rlogin_ports_type}] +portvar RSH_PORTS [{$def_rsh_ports_type}] +portvar SMB_PORTS [139,445] +portvar SMTP_PORTS [{$def_smtp_ports_type}] +portvar SNMP_PORTS [{$def_snmp_ports_type}] +portvar SSH_PORTS [{$def_ssh_ports_type}] +portvar TELNET_PORTS [{$def_telnet_ports_type}] +portvar MAIL_PORTS [{$def_mail_ports_type}] +portvar SSL_PORTS [{$def_ssl_ports_type}] +portvar SIP_PROXY_PORTS [{$def_sip_proxy_ports_type}] + +# DCERPC NCACN-IP-TCP +portvar DCERPC_NCACN_IP_TCP [139,445] +portvar DCERPC_NCADG_IP_UDP [138,1024:] +portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:] +portvar DCERPC_NCACN_UDP_LONG [135,1024:] +portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:] +portvar DCERPC_NCACN_TCP [2103,2105,2107] +portvar DCERPC_BRIGHTSTORE [6503,6504] + +##################### + # +# Define Rule Paths # + # +##################### + +var RULE_PATH /usr/local/etc/snort/sn_{$ifaceSettingsArray['uuid']}/rules +# var PREPROC_RULE_PATH ./preproc_rules + +################################ + # +# Configure the snort decoder # + # +################################ + +config checksum_mode: all +config disable_decode_alerts +config disable_tcpopt_experimental_alerts +config disable_tcpopt_obsolete_alerts +config disable_ttcp_alerts +config disable_tcpopt_alerts +config disable_ipopt_alerts +config disable_decode_drops + +################################### + # +# Configure the detection engine # +# Use lower memory models # + # +################################### + +config detection: search-method {$snort_performance} max_queue_events 5 +config event_queue: max_queue 8 log 3 order_events content_length + +#Configure dynamic loaded libraries +dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/ +dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so +dynamicdetection directory /usr/local/lib/snort/dynamicrules/ + +################### + # +# Flow and stream # + # +################### + +preprocessor frag3_global: max_frags 8192 +preprocessor frag3_engine: policy bsd detect_anomalies + +preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ +track_udp yes, track_icmp yes +preprocessor stream5_tcp: policy BSD, ports both all,{$def_max_queued_bytes_type}{$def_max_queued_segs_type} use_static_footprint_sizes +preprocessor stream5_udp: +preprocessor stream5_icmp: + +########################## + # +# NEW # +# Performance Statistics # + # +########################## + +{$def_perform_stat_type} + +{$def_http_inspect_type} + +{$def_other_preprocs_type} + +{$def_ftp_preprocessor_type} + +{$def_smtp_preprocessor_type} + +{$def_sf_portscan_type} + +############################ + # +# OLD # +# preprocessor dcerpc: \ # +# autodetect \ # +# max_frag_size 3000 \ # +# memcap 100000 # + # +############################ + +{$def_dce_rpc_2_type} + +{$def_dns_preprocessor_type} + +############################## + # +# NEW # +# Ignore SSL and Encryption # + # +############################## + +{$def_ssl_ports_ignore_type} + +##################### + # +# Snort Output Logs # + # +##################### + +$snortunifiedlogbasic_type +$snortalertlogtype_type +$alertsystemlog_type +$tcpdumplog_type +$snortmysqllog_info_chk +$snortunifiedlog_type +$snortsam_type + +################# + # +# Misc Includes # + # +################# + +include /usr/local/etc/snort/sn_{$ifaceSettingsArray['uuid']}/reference.config +include /usr/local/etc/snort/sn_{$ifaceSettingsArray['uuid']}/classification.config +$threshold_file_name + +# Snort user pass through configuration +{$snort_config_pass_thru} + +################### + # +# Rules Selection # + # +################### + +{$selected_rules_sections} + +EOD; + + return $snort_conf_text; +} + + +function create_snort_conf($uuid) +{ + // write out snort.conf + + if (!file_exists("/usr/local/etc/snort/sn_{$uuid}/snort.conf")) { + exec("/usr/bin/touch /usr/local/etc/snort/sn_{$uuid}/snort.conf"); + } + + $snort_conf_text = generate_snort_conf($uuid); + + conf_mount_rw(); + $conf = fopen("/usr/local/etc/snort/sn_{$uuid}/snort.conf", "w"); + if(!$conf) { + log_error("Could not open /usr/local/etc/snort/sn_{$uuid}/snort.conf for writing."); + exit; + } + + fwrite($conf, $snort_conf_text); + fclose($conf); + conf_mount_ro(); + +} + +// create threshold.conf +function generate_threshold_conf($uuid) { + + global $config; + + // Iface main setings + $ifaceSettingsArray = snortSql_fetchAllSettings('snortDB', 'SnortIfaces', 'uuid', $uuid); + + $getSnortSuppresslist = snortSql_fetchAllSettings('snortDB', 'SnortSuppress', 'filename', $ifaceSettingsArray['suppresslistname']); + + if ($ifaceSettingsArray['suppresslistname'] === 'default') { + $getSnortSuppressPass = ''; + }else{ + $getSnortSuppressPass = base64_decode($getSnortSuppresslist[0]['suppresspassthru']); + } + + + $snort_threshold_text = <<<EOD + +# snort threshold file +# generated by the pfSense +# package manager system +# see /usr/local/pkg/snort_build.inc +# for more information +# threshold.conf +# Snort can be found at http://www.snort.org/ +# +# Copyright (C) 2009-2011 Robert Zelaya +# part of pfSense +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. + + +{$getSnortSuppressPass} + +EOD; + +return $snort_threshold_text; + +} + +function create_threshold_conf($uuid) +{ + // make sure file is there + if (!file_exists("/usr/local/etc/snort/sn_{$uuid}/threshold.conf")) { + exec("/usr/bin/touch /usr/local/etc/snort/sn_{$uuid}/threshold.conf"); + } + + $threshold_conf_text = generate_threshold_conf($uuid); + + $conf = fopen("/usr/local/etc/snort/sn_{$uuid}/threshold.conf", "w"); + if(!$conf) { + log_error("Could not open /usr/local/etc/snort/sn_{$uuid}/threshold.conf for writing."); + exit; + } + + fwrite($conf, $threshold_conf_text); + fclose($conf); + +} + +function build_snort_settings($uuid) { + + // create snort.conf + create_snort_conf($uuid); + // create threshold.conf + create_threshold_conf($uuid); + +} + +// -------------------------- END snort.conf ------------------------- + +?> |