Diffstat (limited to 'config/snort-dev')
-rw-r--r-- | config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 | 2 | ||||
-rw-r--r-- | config/snort-dev/pfsense_rules/rules/pfsense-voip.rules | 11 | ||||
-rw-r--r-- | config/snort-dev/snort.inc | 128 | ||||
-rw-r--r-- | config/snort-dev/snort.xml | 45 | ||||
-rw-r--r-- | config/snort-dev/snort_check_for_rule_updates.php | 10 |
5 files changed, 172 insertions, 24 deletions
diff --git a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5
index 97a55e1d..0aede4a0 100644
--- a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5
+++ b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5
@@ -1 +1 @@
-101
\ No newline at end of file
+102
\ No newline at end of file
diff --git a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
index 3142c0b6..12f2fdf2 100644
--- a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
+++ b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules
@@ -1,11 +1,10 @@
-alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;)
+alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;)
 # Excessive number of SIP 4xx Responses Does not work
-#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;)
-
+#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;)
 # Rule for alerting of INVITE flood attack:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000002; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;)
 # Rule for alerting of REGISTER flood attack:
 alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;)
 # Threshold rule for unauthorized responses:
-alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;)
+alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;)
diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc
index e84c0e31..e1685124 100644
--- a/config/snort-dev/snort.inc
+++ b/config/snort-dev/snort.inc
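Review bot: The last added rule keeps the copy-pasted `msg:"INVITE message flooding"` on a rule whose content is `SIP/2.0 401 Unauthorized` (sid:5000006), so in the alert log and in sid-msg.map it is indistinguishable from the real INVITE-flood rule (sid:5000004); give it its own text, e.g. `msg:"Excessive 401 Unauthorized responses - possible credential guessing"`. The commented-out 4xx rule that the file marks "Does not work" carries an unterminated pattern, `pcre:"/^SIP\/2.0 4\d{2}"` has no closing `/` delimiter, which is the likely reason it fails to load; `pcre:"/^SIP\/2.0 4\d{2}/"` would let it be re-enabled. All sids except 5000005 are also moved to a different rule while every rev stays at 1, so a host that already has these sids in its sid-msg.map or in suppress/threshold entries will label or suppress the wrong rule after the update; bump rev, or keep the old sid on each rule, when the mapping changes.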
@@ -64,17 +64,23 @@ function sync_package_snort_install() {
 exec("/bin/mkdir -p /var/log/snort");
 exec("/bin/mkdir -p /usr/local/etc/snort/rules");
- exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
- exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config");
- exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map");
- exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators");
- exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config");
- exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map");
- exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid");
- exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
- exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
- exec("/usr/bin/touch /usr/local/etc/snort/rules/local.rules");
- exec("/bin/rm -f /usr/local/etc/rc.d/snort");
+ if(file_exists("/usr/local/etc/snort/unicode.map-sample")) {
+ exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("/bin/cp /usr/local/etc/snort/classification.config-sample /usr/local/etc/snort/classification.config");
+ exec("/bin/cp /usr/local/etc/snort/gen-msg.map-sample /usr/local/etc/snort/gen-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/generators-sample /usr/local/etc/snort/generators");
+ exec("/bin/cp /usr/local/etc/snort/reference.config-sample /usr/local/etc/snort/reference.config");
+ exec("/bin/cp /usr/local/etc/snort/sid-msg.map-sample /usr/local/etc/snort/sid-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/sid-sample /usr/local/etc/snort/sid");
+ exec("/bin/cp /usr/local/etc/snort/threshold.conf-sample /usr/local/etc/snort/threshold.conf");
+ exec("/bin/cp /usr/local/etc/snort/unicode.map-sample /usr/local/etc/snort/unicode.map");
+ exec("/bin/rm -f /usr/local/etc/rc.d/snort");
+ exec("/bin/rm /usr/local/lib/snort/dynamicrules/*");
+ }
+
+ if(!file_exists("/usr/local/etc/snort/rules/local.rules"))
+ exec("/bin/cp /usr/local/pkg/local.rules /usr/local/etc/snort/rules/local.rules");
+
 }
 function sync_package_snort()
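Review bot: The new `file_exists` guard only tests for `unicode.map-sample`; inside the block every `/bin/cp` still overwrites its target unconditionally, so `threshold.conf`, `sid-msg.map` and `gen-msg.map` are reset to the shipped samples on each run, and since this commit also moves `sync_package_snort_install()` into `custom_php_resync_config_command` (snort.xml hunk below) that presumably now happens on every config resync, undoing the map the update script regenerates with create-sidmap.pl and any admin edits to threshold.conf. Only `local.rules` receives the `!file_exists` protection. Seed each file only when its target is missing, as sketched below; the duplicated copy of unicode.map (first and ninth `cp`) disappears with it. `exec("/bin/rm /usr/local/lib/snort/dynamicrules/*")` runs on every pass as well; if it is meant as an install-time cleanup it wants a genuine first-run condition rather than a check on a sample file that is presumably present whenever the port is installed. The function `sync_package_snort_install()` begins before the hunk.
```php
	if(file_exists("/usr/local/etc/snort/unicode.map-sample")) {
		/* seed the shipped defaults once; never clobber a map the updater rebuilt or a file the admin edited */
		$seed = array("unicode.map", "classification.config", "gen-msg.map", "generators",
			"reference.config", "sid-msg.map", "sid", "threshold.conf");
		foreach ($seed as $name) {
			if (!file_exists("/usr/local/etc/snort/{$name}"))
				copy("/usr/local/etc/snort/{$name}-sample", "/usr/local/etc/snort/{$name}");
		}
		/* … unchanged: rc.d/snort and dynamicrules removal … */
	}
```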
@@ -723,6 +729,106 @@ function snort_rm_blocked_install_cron($should_install) {
 snort_rm_blocked_install_cron("");
 snort_rm_blocked_install_cron($snort_rm_blocked_false);
+
+ /* set the snort rules update time */
+ $snort_up_rules_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7'];
+ if ($snort_up_rules_info_ck == "never_up")
+ $snort_up_rules_false = "";
+ else
+ $snort_up_rules_false = "true";
+
+function snort_up_rules_install_cron($should_install) {
+ global $config, $g;
+
+ if ($g['booting']==true)
+ return;
+
+ $is_installed = false;
+
+ if(!$config['cron']['item'])
+ return;
+
+ $x=0;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], "snort_check_for_rule_updates.php")) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+ $snort_up_rules_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7'];
+ if ($snort_up_rules_info_ck == "6h_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*/6";
+ $snort_up_rules_mday = "*";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "12h_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*/12";
+ $snort_up_rules_mday = "*";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "1d_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*";
+ $snort_up_rules_mday = "*/1";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "4d_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*";
+ $snort_up_rules_mday = "*/4";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "7d_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*";
+ $snort_up_rules_mday = "*/7";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ if ($snort_up_rules_info_ck == "28d_up") {
+ $snort_up_rules_min = "*";
+ $snort_up_rules_hr = "*";
+ $snort_up_rules_mday = "*/28";
+ $snort_up_rules_month = "*";
+ $snort_up_rules_wday = "*";
+ }
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_up_rules_min";
+ $cron_item['hour'] = "$snort_up_rules_hr";
+ $cron_item['mday'] = "$snort_up_rules_mday";
+ $cron_item['month'] = "$snort_up_rules_month";
+ $cron_item['wday'] = "$snort_up_rules_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log";
+ $config['cron']['item'][] = $cron_item;
+ write_config("Installed 15 minute filter reload for Time Based Rules");
+ configure_cron();
+ }
+ break;
+ case false:
+ if($is_installed == true) {
+ if($x > 0) {
+ unset($config['cron']['item'][$x]);
+ write_config();
+ }
+ configure_cron();
+ }
+ break;
+ }
+}
+
+snort_up_rules_install_cron("");
+snort_up_rules_install_cron($snort_up_rules_false);
 /* open snort2c's whitelist for writing */
diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml
index 20655170..568f7d27 100644
--- a/config/snort-dev/snort.xml
+++ b/config/snort-dev/snort.xml
@@ -178,6 +178,11 @@
 <chmod>077</chmod>
 <item>http://www.pfsense.com/packages/config/snort-dev/snort_threshold.xml</item>
 </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort-dev/pfsense_rules/local.rules</item>
+ </additional_files_needed>
 <fields>
 <field>
 <fielddescr>Interface</fielddescr>
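Review bot: In `snort_up_rules_install_cron()` the schedule variables are assigned only inside the six `if` blocks, so any other value of `autorulesupdate7`, including the unset value an existing install presumably has because the field is renamed from `automaticrulesupdate` in snort.xml with no migration, still reaches `case true` (the caller passes `"true"` for everything that is not `never_up`) and writes a cron item whose minute/hour/mday/month/wday are all empty strings. Guard the install with `if(!$is_installed && isset($snort_up_rules_min)) {`, or map unknown values to `never_up` before the switch. The removal path has `if($x > 0)`, which never unsets an entry sitting at index 0 of `$config['cron']['item']`; `$is_installed` already proves the entry was found, so drop that condition and run `unset($config['cron']['item'][$x]);` unconditionally. The `write_config("Installed 15 minute filter reload for Time Based Rules")` message is copied from the neighbouring function and should describe the rule-update cron instead. The top-level statements around the function belong to a block that starts before the hunk; the six near-identical `if` blocks could also collapse into one lookup array keyed by the select value.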
@@ -291,10 +296,42 @@
 </options>
 </field>
 <field>
+ </field>
+ <field>
 <fielddescr>Update rules automatically</fielddescr>
- <fieldname>automaticrulesupdate</fieldname>
- <description>Checking this option will automatically check for and update rules once a week from snort.org.</description>
- <type>checkbox</type>
+ <fieldname>autorulesupdate7</fieldname>
+ <description>Please select the update times for rules.</description>
+ <type>select</type>
+ <options>
+ <option>
+ <name>never</name>
+ <value>never_up</value>
+ </option>
+ <option>
+ <name>6 hours</name>
+ <value>6h_up</value>
+ </option>
+ <option>
+ <name>12 hours</name>
+ <value>12h_up</value>
+ </option>
+ <option>
+ <name>1 day</name>
+ <value>1d_up</value>
+ </option>
+ <option>
+ <name>4 days</name>
+ <value>4d_up</value>
+ </option>
+ <option>
+ <name>7 days</name>
+ <value>7d_up</value>
+ </option>
+ <option>
+ <name>28 days</name>
+ <value>28d_up</value>
+ </option>
+ </options>
 </field>
 <field>
 <fielddescr>Whitelist VPNs automatically</fielddescr>
@@ -328,9 +365,9 @@
 </field>
 </fields>
 <custom_add_php_command>
- sync_package_snort();
 </custom_add_php_command>
 <custom_php_resync_config_command>
+ sync_package_snort();
 sync_package_snort_install();
 </custom_php_resync_config_command>
 <custom_php_install_command>
diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php
index 98cb82ae..0e851165 100644
--- a/config/snort-dev/snort_check_for_rule_updates.php
+++ b/config/snort-dev/snort_check_for_rule_updates.php
@@ -45,6 +45,12 @@ require_once("config.inc");
 <?php
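Review bot: The first two added lines of the `@@ -291` hunk, `+ </field>` and `+ <field>`, close the preceding `<field>` immediately and leave an empty `<field></field>` element in front of the new select; if a fresh field was intended, the existing `<field>` context line above should have been dropped instead of adding a second one. The select also ships no default, and the rename from `automaticrulesupdate` to `autorulesupdate7` carries no migration of the old checkbox value, so existing and new installs alike start with an undefined `autorulesupdate7`, which the PHP side in snort.inc does not treat as `never_up`; `<default_value>never_up</default_value>` on the field would pin the safe state. The `@@ -328` hunk below removes `sync_package_snort()` from `custom_add_php_command` and calls it from `custom_php_resync_config_command` only; confirm that the resync command also fires on package add, otherwise the add path no longer syncs.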
+$up_date_time = date('l jS \of F Y h:i:s A');
+echo "";
+echo "#########################";
+echo "$up_date_time";
+echo "#########################";
+echo "";
/* Begin main code */
/* Set user agent to Mozilla */
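Review bot: None of the five added `echo` statements ends in a newline, so the banner, the timestamp and the first line of real output all land on one line of /usr/local/etc/snort_bkup/snort_update.log (the cron command added in snort.inc appends this script's stdout there), and `echo "";` prints nothing at all. One statement does the job: `echo "\n#########################\n{$up_date_time}\n#########################\n";`. `date()` here formats in the server's default timezone; if this log is ever correlated with other logs, `date('c')` gives an unambiguous ISO-8601 stamp with offset.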
@@ -284,7 +290,7 @@ if ($pfsense_md5_check_ok != on) {
 if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) {
echo "Snortrule tar file exists...\n";
} else {
- unhide_progress_bar_status();
+
echo "There is a new set of Pfsense rules posted. Downloading...\n";
echo "May take 4 to 10 min...\n";
ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
@@ -517,7 +523,7 @@ exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/syn
 echo "Updating Alert Messages...\n";
echo "Please Wait...\n";
sleep(2);
-exec("/usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/gen-msg.map");
+exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/gen-msg.map");
/* php code finish */
echo "The Rules update finished...\n";
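Review bot: The added `exec()` line redirects with `>`, so the shell truncates /usr/local/etc/snort/gen-msg.map before perl even starts; if /usr/local/bin/perl or create-sidmap.pl is missing or exits non-zero, the map is left empty and nothing reports it, because the return status is discarded. Write to a temporary file and rename it into place only on success: `exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/gen-msg.map.new", $out, $rc);` followed by `if ($rc === 0) rename("/usr/local/etc/snort/gen-msg.map.new", "/usr/local/etc/snort/gen-msg.map"); else echo "create-sidmap.pl failed (exit {$rc}), keeping the previous map\n";`. create-sidmap.pl, as shipped with oinkmaster, emits a sid-msg.map rather than a generator map, so the redirect target looks like it should be sid-msg.map; confirm which file the alert-display code reads before changing it.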