Diffstat (limited to 'config/snort-dev')
-rw-r--r--config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md52
-rw-r--r--config/snort-dev/pfsense_rules/rules/pfsense-voip.rules11
-rw-r--r--config/snort-dev/snort.inc128
-rw-r--r--config/snort-dev/snort.xml45
-rw-r--r--config/snort-dev/snort_check_for_rule_updates.php10
5 files changed, 172 insertions, 24 deletions
diff --git a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5
index 97a55e1d..0aede4a0 100644
--- a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5
+++ b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5
@@ -1 +1 @@
-101 \ No newline at end of file
+102 \ No newline at end of file
diff --git a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
index 3142c0b6..12f2fdf2 100644
--- a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
+++ b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
@@ -1,11 +1,10 @@
-alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;)
+alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;)
# Excessive number of SIP 4xx Responses Does not work
-#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
-
+#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;)
# Rule for alerting of INVITE flood attack:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;)
# Rule for alerting of REGISTER flood attack:
alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;)
# Threshold rule for unauthorized responses:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;)
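Review bot: The rule renumbered to sid:5000006 on the last line still carries `msg:"INVITE message flooding"` although its content match is `SIP/2.0 401 Unauthorized`, so alerts from the unauthorized-response threshold are labelled as INVITE floods; change it to something like `msg:"Excessive SIP 401 Unauthorized responses"`. The renumbering also moves sid 5000004 from the OPTIONS scan rule to the INVITE flood rule and sid 5000002 from the INVITE flood rule to the commented-out 4xx rule, so any per-sid suppress or threshold entries an existing installation carries would now apply to a different rule; since `rev` is left at 1 everywhere, a note in the file header or commit message that the sid space was reassigned would save the next reader a comparison.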
diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc
index e84c0e31..e1685124 100644
--- a/config/snort-dev/snort.inc
+++ b/config/snort-dev/snort.inc
@@ -64,17 +64,23 @@ function sync_package_snort_install() {
exec("/bin/mkdir -p /var/log/snort");
exec("/bin/mkdir -p /usr/local/etc/snort/rules");
- exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
- exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config");
- exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map");
- exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators");
- exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config");
- exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map");
- exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid");
- exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
- exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
- exec("/usr/bin/touch /usr/local/etc/snort/rules/local.rules");
- exec("/bin/rm -f /usr/local/etc/rc.d/snort");
+ if(file_exists("/usr/local/etc/snort/unicode.map-sample")) {
+ exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config");
+ exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators");
+ exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config");
+ exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid");
+ exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
+ exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("/bin/rm -f /usr/local/etc/rc.d/snort");
+ exec("/bin/rm /usr/local/lib/snort/dynamicrules/*");
+ }
+
+ if(!file_exists("/usr/local/etc/snort/rules/local.rules"))
+ exec("/bin/cp /usr/local/pkg/local.rules /usr/local/etc/snort/rules/local.rules");
+
}
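Review bot: The `file_exists("/usr/local/etc/snort/unicode.map-sample")` guard only tells you that the package shipped its sample files, so after the first install it is always true and every resync (the snort.xml hunk in this commit keeps `sync_package_snort_install();` in `custom_php_resync_config_command`) re-copies the eight -sample files over `classification.config`, `threshold.conf` and the rest, discarding local edits, and wipes `/usr/local/lib/snort/dynamicrules/*` again. The `local.rules` seeding added just below already has the right shape — copy only when the target is missing — and the sample copies should follow the same per-file pattern; `unicode.map` is also copied twice in the block. No `exec()` return code is checked, so a failed copy stays silent (and `/bin/rm` without `-f` complains when the directory is empty). sync_package_snort_install() starts before the hunk.
```php
	/* Seed each config file from its -sample only when the target is missing,
	   so a resync does not overwrite files the admin has edited. */
	$snort_seed_files = array("unicode.map", "classification.config", "gen-msg.map",
		"generators", "reference.config", "sid-msg.map", "sid", "threshold.conf");
	foreach ($snort_seed_files as $snort_seed_file) {
		$sample = "/usr/local/etc/snort/{$snort_seed_file}-sample";
		$target = "/usr/local/etc/snort/{$snort_seed_file}";
		if (file_exists($sample) && !file_exists($target))
			exec("/bin/cp " . escapeshellarg($sample) . " " . escapeshellarg($target));
	}
	// … unchanged: rc.d script removal, dynamicrules cleanup, local.rules seeding …
```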
function sync_package_snort()
@@ -723,6 +729,106 @@ function snort_rm_blocked_install_cron($should_install) {
snort_rm_blocked_install_cron("");
snort_rm_blocked_install_cron($snort_rm_blocked_false);
+
+ /* set the snort rules update time */
+ $snort_up_rules_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7'];
+ if ($snort_up_rules_info_ck == "never_up")
+ $snort_up_rules_false = "";
+ else
+ $snort_up_rules_false = "true";
+
+function snort_up_rules_install_cron($should_install) {
+ global $config, $g;
+
+ if ($g['booting']==true)
+ return;
+
+ $is_installed = false;
+
+ if(!$config['cron']['item'])
+ return;
+
+ $x=0;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], "snort_check_for_rule_updates.php")) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+ $snort_up_rules_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7'];
+ if ($snort_up_rules_info_ck == "6h_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*/6";
+ $snort_up_rules_mday = "*";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "12h_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*/12";
+ $snort_up_rules_mday = "*";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "1d_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*";
+ $snort_up_rules_mday = "*/1";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "4d_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*";
+ $snort_up_rules_mday = "*/4";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "7d_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*";
+ $snort_up_rules_mday = "*/7";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "28d_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*";
+ $snort_up_rules_mday = "*/28";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_up_rules_min";
+ $cron_item['hour'] = "$snort_up_rules_hr";
+ $cron_item['mday'] = "$snort_up_rules_mday";
+ $cron_item['month'] = "$snort_up_rules_month";
+ $cron_item['wday'] = "$snort_up_rules_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log";
+ $config['cron']['item'][] = $cron_item;
+ write_config("Installed 15 minute filter reload for Time Based Rules");
+ configure_cron();
+ }
+ break;
+ case false:
+ if($is_installed == true) {
+ if($x > 0) {
+ unset($config['cron']['item'][$x]);
+ write_config();
+ }
+ configure_cron();
+ }
+ break;
+ }
+}
+
+snort_up_rules_install_cron("");
+snort_up_rules_install_cron($snort_up_rules_false);
/* open snort2c's whitelist for writing */
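Review bot: Every schedule in snort_up_rules_install_cron() sets `$snort_up_rules_min = "*"`, and the `1d_up` through `28d_up` branches also set `$snort_up_rules_hr = "*"`, so the cron entry built in the `case true:` branch runs the rule downloader every minute of the selected hours or days rather than once per interval, which hammers the update server and fills `snort_update.log`. Minute and hour need fixed values such as `"0"`, and a lookup table keeps the six near-identical blocks from drifting; an option value outside the six (including the unset key an upgraded config will have) currently leaves all five variables undefined and writes a cron item with empty schedule fields. In the same function, changing the interval later is never applied because the existing entry is found (`$is_installed`) and left as is, and `if($x > 0)` in the `case false:` branch skips removal when the matching cron item is at index 0 — `$is_installed` already guards it, so the check can go. The `write_config("Installed 15 minute filter reload for Time Based Rules")` message is copied from the neighbouring function and should describe the rules-update cron instead.
```php
	/* minute and hour must be fixed: "*" in either field fires the job every minute */
	$snort_up_rules_sched = array(
		"6h_up"  => array("0", "*/6",  "*",    "*", "*"),
		"12h_up" => array("0", "*/12", "*",    "*", "*"),
		"1d_up"  => array("0", "0",    "*/1",  "*", "*"),
		"4d_up"  => array("0", "0",    "*/4",  "*", "*"),
		"7d_up"  => array("0", "0",    "*/7",  "*", "*"),
		"28d_up" => array("0", "0",    "*/28", "*", "*"),
	);
	$snort_up_rules_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7'];
	switch($should_install) {
	case true:
		if(!$is_installed && isset($snort_up_rules_sched[$snort_up_rules_info_ck])) {
			list($snort_up_rules_min, $snort_up_rules_hr, $snort_up_rules_mday,
			     $snort_up_rules_month, $snort_up_rules_wday) = $snort_up_rules_sched[$snort_up_rules_info_ck];
			// … unchanged: build $cron_item, write_config(), configure_cron() …
		}
		break;
	case false:
		if($is_installed == true) {
			unset($config['cron']['item'][$x]);
			write_config("Removed snort rules update cron job");
			configure_cron();
		}
		break;
	}
```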
diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml
index 20655170..568f7d27 100644
--- a/config/snort-dev/snort.xml
+++ b/config/snort-dev/snort.xml
@@ -178,6 +178,11 @@
<chmod>077</chmod>
<item>http://www.pfsense.com/packages/config/snort-dev/snort_threshold.xml</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort-dev/pfsense_rules/local.rules</item>
+ </additional_files_needed>
<fields>
<field>
<fielddescr>Interface</fielddescr>
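Review bot: The new `<chmod>077</chmod>` for `local.rules`, copied from the `snort_threshold.xml` entry above it, reads as an octal mode with no owner bits and full group/other access; if the package installer applies the value literally, the file that snort.inc later copies into the rules directory is world-writable while the owner cannot read it. A fetched rules file wants something like `<chmod>0644</chmod>`; it is worth checking how the installer parses this field, since the existing entries carry the same `077`. The entry fetches `pfsense_rules/local.rules` over plain http with no checksum, and the diffstat shows no such file being added, so the install depends on that file being published separately — a comment in the XML or a line in the commit message saying where it comes from would help.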
@@ -291,10 +296,42 @@
</options>
</field>
<field>
+ </field>
+ <field>
<fielddescr>Update rules automatically</fielddescr>
- <fieldname>automaticrulesupdate</fieldname>
- <description>Checking this option will automatically check for and update rules once a week from snort.org.</description>
- <type>checkbox</type>
+ <fieldname>autorulesupdate7</fieldname>
+ <description>Please select the update times for rules.</description>
+ <type>select</type>
+ <options>
+ <option>
+ <name>never</name>
+ <value>never_up</value>
+ </option>
+ <option>
+ <name>6 hours</name>
+ <value>6h_up</value>
+ </option>
+ <option>
+ <name>12 hours</name>
+ <value>12h_up</value>
+ </option>
+ <option>
+ <name>1 day</name>
+ <value>1d_up</value>
+ </option>
+ <option>
+ <name>4 days</name>
+ <value>4d_up</value>
+ </option>
+ <option>
+ <name>7 days</name>
+ <value>7d_up</value>
+ </option>
+ <option>
+ <name>28 days</name>
+ <value>28d_up</value>
+ </option>
+ </options>
</field>
<field>
<fielddescr>Whitelist VPNs automatically</fielddescr>
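Review bot: The two added lines `</field>` and `<field>` right after the existing `<field>` open tag leave an empty `<field></field>` element in front of the new select, which the form renderer will most likely emit as a blank row; drop those two lines. Renaming the field from `automaticrulesupdate` to `autorulesupdate7` also means an upgraded config keeps the old key while snort.inc in this commit reads only `autorulesupdate7`, so until the page is saved the reader sees no value and, as written, installs a cron entry with empty schedule fields — a migration of the old key or a default in the reader would make this explicit. The option values (`never_up`, `6h_up`, …) must match the string comparisons in snort_up_rules_install_cron(); a short comment on the field noting that coupling would help the next editor.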
@@ -328,9 +365,9 @@
</field>
</fields>
<custom_add_php_command>
- sync_package_snort();
</custom_add_php_command>
<custom_php_resync_config_command>
+ sync_package_snort();
sync_package_snort_install();
</custom_php_resync_config_command>
<custom_php_install_command>
diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php
index 98cb82ae..0e851165 100644
--- a/config/snort-dev/snort_check_for_rule_updates.php
+++ b/config/snort-dev/snort_check_for_rule_updates.php
@@ -45,6 +45,12 @@ require_once("config.inc");
<?php
+$up_date_time = date('l jS \of F Y h:i:s A');
+echo "";
+echo "#########################";
+echo "$up_date_time";
+echo "#########################";
+echo "";
/* Begin main code */
/* Set user agent to Mozilla */
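Review bot: The banner added at the top of the script emits no line breaks — `echo "";` prints nothing and the three following `echo` calls carry no `\n`, unlike every other message in this file (e.g. `echo "Snortrule tar file exists...\n";`) — so in `snort_update.log` the hashes, the timestamp and the next message all land on one line. Replace the five lines with `echo "\n#########################\n$up_date_time\n#########################\n";`. The surrounding top-level code continues on both sides of the hunk.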
@@ -284,7 +290,7 @@ if ($pfsense_md5_check_ok != on) {
if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) {
echo "Snortrule tar file exists...\n";
} else {
- unhide_progress_bar_status();
+
echo "There is a new set of Pfsense rules posted. Downloading...\n";
echo "May take 4 to 10 min...\n";
ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
@@ -517,7 +523,7 @@ exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/syn
echo "Updating Alert Messages...\n";
echo "Please Wait...\n";
sleep(2);
-exec("/usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/gen-msg.map");
+exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/gen-msg.map");
/* php code finish */
echo "The Rules update finished...\n";
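Review bot: The new exec line redirects the output of `create-sidmap.pl` into `/usr/local/etc/snort/gen-msg.map`; the script's name suggests it builds a sid-to-message map, and the install hunk in this commit seeds `sid-msg.map` and `gen-msg.map` as two separate files, so this looks like it overwrites the generator map with sid data — confirm, and if so point the redirect at `/usr/local/etc/snort/sid-msg.map`. The exec result is also unchecked, so a missing `/usr/local/bin/perl` or script leaves an empty map behind the "Updating Alert Messages..." message; `exec($cmd, $out, $rc)` with the return code reported in the progress output would match the rest of the script. The surrounding top-level code continues on both sides of the hunk.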