diff options
Diffstat (limited to 'config/snort-dev')
-rw-r--r-- | config/snort-dev/snort.inc | 661 | ||||
-rw-r--r-- | config/snort-dev/snort.xml | 18 | ||||
-rw-r--r-- | config/snort-dev/snort_preprocessors.php | 314 |
3 files changed, 763 insertions, 230 deletions
diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index 6e3ced27..08b2aae1 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -43,6 +43,30 @@ if (isset($_POST['id'])) $interface_fake = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; $if_real = convert_friendly_interface_to_real_interface_name($interface_fake); +/* get the real iface name of wan */ +function convert_friendly_interface_to_real_interface_name2($interface) +{ + global $config; + + $lc_interface = strtolower($interface); + if($lc_interface == "lan") return $config['interfaces']['lan']['if']; + if($lc_interface == "wan") return $config['interfaces']['wan']['if']; + $ifdescrs = array(); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $ifdescrs['opt' . $j] = "opt" . $j; + foreach ($ifdescrs as $ifdescr => $ifname) + { + if(strtolower($ifname) == $lc_interface) + return $config['interfaces'][$ifname]['if']; + if(strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface) + return $config['interfaces'][$ifname]['if']; + } + + return $interface; +} + +$if_real_wan = convert_friendly_interface_to_real_interface_name2($interface_fake); + /* Allow additional execution time 0 = no limit. */ ini_set('max_execution_time', '9999'); ini_set('max_input_time', '9999'); @@ -51,23 +75,13 @@ ini_set('max_input_time', '9999'); if($config['installedpackages']['snortglobal']) $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; -function sync_package_snort_reinstall() +function snort_postinstall() { global $config; - if(!$config['installedpackages']['snortglobal']) - return; - - /* create snort configuration file */ - create_snort_conf(); - - /* start snort service */ - // start_service("snort"); // do not start, may be needed latter. -} - -/* make sure this func on writes to files and does not start snort */ -function sync_package_snort() -{ - global $config, $g, $id, $if_real; + conf_mount_rw(); + + exec("/usr/sbin/pw groupadd snort"); + exec('/usr/sbin/pw useradd snort -c "SNORT USER" -d /nonexistent -g snort -s /sbin/nologin'); if(!file_exists("/var/log/snort/")) mwexec("mkdir -p /var/log/snort/"); @@ -80,19 +94,14 @@ function sync_package_snort() $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; - /* set the snort performance model */ - if($config['installedpackages']['snortglobal']['rule'][$id]['performance']) - $config['installedpackages']['snortglobal']['rule'][$id]['performance']; - else - $snort_performance = "lowmem"; - - conf_mount_rw(); + /* create a few directories and ensure the sample files are in place */ exec("/bin/mkdir -p /usr/local/etc/snort"); exec("/bin/mkdir -p /var/log/snort"); exec("/bin/mkdir -p /usr/local/etc/snort/rules"); - if(file_exists("/usr/local/etc/snort/snort.conf-sample")) { + if(file_exists("/usr/local/etc/snort/snort.conf-sample")) + { exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); @@ -105,18 +114,60 @@ function sync_package_snort() exec("/bin/rm -f /usr/local/etc/rc.d/snort"); } - if(!file_exists("/usr/local/etc/snort/custom_rules")) { - exec("/bin/mkdir -p /usr/local/etc/snort/custom_rules/"); + if(!file_exists("/usr/local/etc/snort/custom_rules")) + { + exec("/bin/mkdir -p /usr/local/etc/snort/custom_rules/"); } - /* remove example files */ - /* TODO: remove these filese during binary builds */ - if(file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0")) { - exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); + exec("/usr/sbin/pw groupadd snort"); + exec('/usr/sbin/pw useradd snort -c "SNORT USER" -d /nonexistent -g snort -s /sbin/nologin'); + exec("/usr/sbin/chown -R snort:snort /var/log/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); + exec("/bin/chmod -R 755 /var/log/snort"); + exec("/bin/chmod -R 755 /usr/local/etc/snort"); + exec("/bin/chmod -R 755 /usr/local/lib/snort"); + + +/* remove example files */ +/* TODO: remove these filese during binary builds */ + + if(file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0")) + { + exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); } - if(file_exists("/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so")) { - exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); - } + + if(file_exists("/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so")) + { + exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + } + + conf_mount_ro(); + +} + +function sync_package_snort_reinstall() +{ + global $config; + conf_mount_rw(); + + if(!$config['installedpackages']['snortglobal']) + return; + + /* create snort configuration file */ + create_snort_conf(); + + /* start snort service */ + // start_service("snort"); // do not start, may be needed latter. + + conf_mount_ro(); +} + +/* make sure this func on writes to files and does not start snort */ +function sync_package_snort() +{ + global $config, $g, $id, $if_real, $interface_fake; + conf_mount_rw(); /* snort advanced features - bpf tuning */ // if($bpfbufsize) @@ -134,49 +185,72 @@ function sync_package_snort() // if($bpfmaxinsns) // mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); -/* do not start config build if rules is empty */ -if (!empty($config['installedpackages']['snortglobal']['rule'])) { -if ($id == "") { +/* RedDevil suggested code */ +/* TODO: more testing needs to be done */ +exec("/sbin/sysctl net.bpf.bufsize=8388608"); +exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); +exec("/sbin/sysctl net.bpf.maxinsns=512"); +exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); -$rule_array = $config['installedpackages']['snortglobal']['rule']; -$id = -1; -foreach ($rule_array as $value) { + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + { + if ($id == "") + { -$id += 1; + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) + { -$result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; -$if_real = convert_friendly_interface_to_real_interface_name($result_lan); + $id += 1; - /* create snort configuration file */ - create_snort_conf(); + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name($result_lan); - /* create snort.sh file */ - create_snort_sh(); + /* create snort configuration file */ + create_snort_conf(); -/* create barnyard2 configuration file */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; -if ($snortbarnyardlog_info_chk == on) - create_barnyard2_conf(); + /* create snort.sh file */ + create_snort_sh(); + + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == on) + create_barnyard2_conf(); - } + } -}else{ + }else{ - /* create snort configuration file */ - create_snort_conf(); + /* create snort configuration file */ + create_snort_conf(); - /* create snort.sh file */ - create_snort_sh(); + /* create snort.sh file */ + create_snort_sh(); - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == on) - create_barnyard2_conf(); + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == on) + create_barnyard2_conf(); + } } -} -conf_mount_ro(); + /* all new files are for the user snort nologin */ + if(!file_exists("/var/log/snort")) + { + exec("/bin/mkdir -p /var/log/snort"); + } + + exec("/usr/sbin/chown -R snort:snort /var/log/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); + exec("/bin/chmod -R 755 /var/log/snort"); + exec("/bin/chmod -R 755 /usr/local/etc/snort"); + exec("/bin/chmod -R 755 /usr/local/lib/snort"); + + conf_mount_ro(); } @@ -195,23 +269,24 @@ if($folder_chk == "empty") { } /* open snort.sh for writing" */ -function create_snort_sh() { +function create_snort_sh() +{ - global $config, $g, $id, $if_real; + global $config, $g, $id, $if_real, $if_real_wan; conf_mount_rw(); -/* let there be snort.sh for each rule */ -/* start snort.sh for writing */ + /* let there be snort.sh for each rule */ + /* start snort.sh for writing */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; -/* define snortbarnyardlog_chk */ -if ($snortbarnyardlog_info_chk == on) { + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; -$start_barnyard2 = "\nsleep 4\n/usr/local/bin/barnyard2 -c /usr/local/etc/snort/snort_$id$if_real/barnyard2.conf -d /var/log/snort -f snort.u2_$id$if_real -w /usr/local/etc/snort/snort_$id$if_real/barnyard2.waldo -D -q\n\n"; + /* define snortbarnyardlog_chk */ + if ($snortbarnyardlog_info_chk == on) { + $start_barnyard2 = "\nsleep 4\n/usr/local/bin/barnyard2 -c /usr/local/etc/snort/snort_$id$if_real/barnyard2.conf -d /var/log/snort -f snort.u2_$id$if_real -w /usr/local/etc/snort/snort_$id$if_real/barnyard2.waldo -D -q\n\n"; + } - /* open snort.sh for writing" */ conf_mount_rw(); @@ -316,17 +391,19 @@ rc_start_real() { /bin/echo "snort_$id$if_real.sh run" >> /tmp/snort_$id$if_real.sh_startup.log # Start the interfaces - - /usr/local/bin/snort -G $id -R $id$if_real -c /usr/local/etc/snort/snort_$id$if_real/snort.conf -l /var/log/snort -D -i $if_real -q + /bin/rm /var/run/snort_$if_real$id$if_real.pid + /bin/rm /var/run/snort_$if_real$id$if_real.pid.lck + /usr/local/bin/snort -u snort -g snort -G $id -R $id$if_real -c /usr/local/etc/snort/snort_$id$if_real/snort.conf -l /var/log/snort -D -i $if_real -q + /sbin/ifconfig $if_real_wan polling promisc sleep 3 - AFTER_MEM=`/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{print $12}'` /bin/cp /var/log/system.log /var/log/snort/snort_sys_$id$if_real.log /bin/killall syslogd /usr/sbin/clog -i -s 262144 /var/log/system.log /bin/cp /var/log/system.log.bk /var/log/system.log /usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For $id$if_real..." + AFTER_MEM=`/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{print $2}'` /usr/bin/logger -p daemon.info -i -t SnortStartup "MEM after $id$if_real START \${AFTER_MEM}" /bin/echo "snort is running, but snort.sh finished removed pid" /bin/rm /tmp/snort_$id$if_real.sh.pid @@ -342,8 +419,11 @@ rc_stop() { /bin/cp /var/log/system.log /var/log/system.log.bk /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort IS running, hard STOP" /bin/kill \${pid_s}; /bin/kill \${pid_b}; + /sbin/ifconfig $if_real_wan -promisc + /bin/rm /var/run/snort_$if_real$id$if_real.pid + /bin/rm /var/run/snort_$if_real$id$if_real.pid.lck sleep 3 - AFTER_MEM=`/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{print $12}'` + AFTER_MEM=`/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{print $2}'` /bin/cp /var/log/system.log /var/log/snort/snort_sys_$id$if_real.log /bin/killall syslogd /usr/sbin/clog -i -s 262144 /var/log/system.log @@ -481,14 +561,22 @@ function create_snort_conf() { function snort_deinstall() { global $config, $g, $id, $if_real; + conf_mount_rw(); /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ exec("/sbin/sysctl net.bpf.bufsize=4096"); exec("/usr/bin/killall snort"); - sleep(5); + sleep(2); exec("/usr/bin/killall -9 snort"); + sleep(2); + exec("/usr/bin/killall barnyard2"); + sleep(2); + exec("/usr/bin/killall -9 barnyard2"); + sleep(2); + exec("/usr/sbin/pw userdel snort"); + exec("/usr/sbin/pw groupdel snort"); exec("rm -f /usr/local/etc/rc.d/snort*"); exec("rm -rf /usr/local/etc/snort*"); exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); @@ -519,6 +607,7 @@ function snort_deinstall() { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); + conf_mount_rw(); } configure_cron(); } @@ -544,6 +633,7 @@ function snort_deinstall() { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); + conf_mount_rw(); } configure_cron(); } @@ -555,9 +645,16 @@ snort_rules_up_deinstall_cron(""); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ /* Keep this as a last step */ - unset($config['installedpackages']['snortglobal']['rule'][$id]['autorulesupdate7']); - unset($config['installedpackages']['snortglobal']['rm_blocked']); + unset($config['installedpackages']['snortglobal']); write_config(); + conf_mount_rw(); + + exec("rm -r /usr/local/www/snort"); + exec("rm -r /usr/local/pkg/snort"); + exec("rm -r /usr/local/lib/snort/"); + exec('rm -r /usr/local/etc/rc.d/snort_*'); + + conf_mount_ro(); } @@ -856,7 +953,7 @@ else /* def SSL_PORTS */ $def_ssl_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports']; if ($def_ssl_ports_info_chk == "") - $def_ssl_ports_type = "25,443,465,636,993,995"; + $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995"; else $def_ssl_ports_type = "$def_ssl_ports_info_chk"; @@ -879,6 +976,7 @@ else $snort_rm_blocked_false = ""; else $snort_rm_blocked_false = "true"; + if ($snort_rm_blocked_info_ck != "") { function snort_rm_blocked_install_cron($should_install) { @@ -986,6 +1084,7 @@ function snort_rm_blocked_install_cron($should_install) { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); + conf_mount_rw(); } configure_cron(); } @@ -1087,6 +1186,7 @@ function snort_rules_up_install_cron($should_install) { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); + conf_mount_rw(); } configure_cron(); } @@ -1205,6 +1305,250 @@ function snort_rules_up_install_cron($should_install) { conf_mount_ro(); +///////////////////////////// + +/* preprocessor code */ + +/* def perform_stat */ +$snort_perform_stat = <<<EOD +########################## + # +# NEW # +# Performance Statistics # + # +########################## + +preprocessor perfmonitor: time 300 file /var/log/snort/snort_$id$if_real.stats pktcnt 10000 + +EOD; + +$def_perform_stat_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['perform_stat']; +if ($def_perform_stat_info_chk == "on") + $def_perform_stat_type = "$snort_perform_stat"; +else + $def_perform_stat_type = ""; + +/* def http_inspect */ +$snort_http_inspect = <<<EOD +################# + # +# HTTP Inspect # + # +################# + +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 + +preprocessor http_inspect_server: server default \ + ports { 80 8080 } \ + non_strict \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + flow_depth 0 \ + apache_whitespace yes \ + directory no \ + iis_backslash no \ + u_encode yes \ + ascii yes \ + chunk_length 500000 \ + bare_byte yes \ + double_decode yes \ + iis_unicode yes \ + iis_delimiter yes \ + multi_slash no + +EOD; + +$def_http_inspect_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect']; +if ($def_http_inspect_info_chk == "on") + $def_http_inspect_type = "$snort_http_inspect"; +else + $def_http_inspect_type = ""; + +/* def other_preprocs */ +$snort_other_preprocs = <<<EOD +################## + # +# Other preprocs # + # +################## + +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 +preprocessor bo + +EOD; + +$def_other_preprocs_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['other_preprocs']; +if ($def_other_preprocs_info_chk == "on") + $def_other_preprocs_type = "$snort_other_preprocs"; +else + $def_other_preprocs_type = ""; + +/* def ftp_preprocessor */ +$snort_ftp_preprocessor = <<<EOD +##################### + # +# ftp preprocessor # + # +##################### + +preprocessor ftp_telnet: global \ +inspection_type stateless + +preprocessor ftp_telnet_protocol: telnet \ + normalize \ + ayt_attack_thresh 200 + +preprocessor ftp_telnet_protocol: \ + ftp server default \ + def_max_param_len 100 \ + ports { 21 } \ + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +EOD; + +$def_ftp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['ftp_preprocessor']; +if ($def_ftp_preprocessor_info_chk == "on") + $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; +else + $def_ftp_preprocessor_type = ""; + +/* def smtp_preprocessor */ +$snort_smtp_preprocessor = <<<EOD +##################### + # +# SMTP preprocessor # + # +##################### + +preprocessor SMTP: \ + ports { 25 465 691 } \ + inspection_type stateful \ + normalize cmds \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ +CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ +PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } + +EOD; + +$def_smtp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['smtp_preprocessor']; +if ($def_smtp_preprocessor_info_chk == "on") + $def_smtp_preprocessor_type = "$snort_smtp_preprocessor"; +else + $def_smtp_preprocessor_type = ""; + +/* def sf_portscan */ +$snort_sf_portscan = <<<EOD +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } + +EOD; + +$def_sf_portscan_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['sf_portscan']; +if ($def_sf_portscan_info_chk == "on") + $def_sf_portscan_type = "$snort_sf_portscan"; +else + $def_sf_portscan_type = ""; + +/* def dce_rpc_2 */ +$snort_dce_rpc_2 = <<<EOD +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3 + +EOD; + +$def_dce_rpc_2_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dce_rpc_2']; +if ($def_dce_rpc_2_info_chk == "on") + $def_dce_rpc_2_type = "$snort_dce_rpc_2"; +else + $def_dce_rpc_2_type = ""; + +/* def dns_preprocessor */ +$snort_dns_preprocessor = <<<EOD +#################### + # +# DNS preprocessor # + # +#################### + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +EOD; + +$def_dns_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dns_preprocessor']; +if ($def_dns_preprocessor_info_chk == "on") + $def_dns_preprocessor_type = "$snort_dns_preprocessor"; +else + $def_dns_preprocessor_type = ""; + +/* def SSL_PORTS IGNORE */ +$def_ssl_ports_ignore_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports_ignore']; +if ($def_ssl_ports_ignore_info_chk == "") + $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995"; +else + $def_ssl_ports_ignore_type = "$def_ssl_ports_info_chk"; + +////////////////////////////////////////////////////////////////// /* build snort configuration file */ /* TODO; feed back from pfsense users to reduce false positives */ $snort_conf_text = <<<EOD @@ -1344,8 +1688,7 @@ config disable_decode_drops # ################################### -config detection: search-method {$snort_performance} -config detection: max_queue_events 5 +config detection: search-method {$snort_performance} max_queue_events 5 config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries @@ -1365,137 +1708,20 @@ preprocessor frag3_engine: policy bsd detect_anomalies preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp yes, track_icmp yes preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes -preprocessor stream5_udp -preprocessor stream5_icmp - -########################## - # -# NEW # -# Performance Statistics # - # -########################## - -preprocessor perfmonitor: time 300 file /var/log/snort/snort_$id$if_real.stats pktcnt 10000 - -################# - # -# HTTP Inspect # - # -################# - -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 - -preprocessor http_inspect_server: server default \ - ports { 80 8080 } \ - non_strict \ - non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ - flow_depth 0 \ - apache_whitespace yes \ - directory no \ - iis_backslash no \ - u_encode yes \ - ascii yes \ - chunk_length 500000 \ - bare_byte yes \ - double_decode yes \ - iis_unicode yes \ - iis_delimiter yes \ - multi_slash no - -################## - # -# Other preprocs # - # -################## +preprocessor stream5_udp: +preprocessor stream5_icmp: -preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 -preprocessor bo +{$def_perform_stat_type} -##################### - # -# ftp preprocessor # - # -##################### +{$def_http_inspect_type} -preprocessor ftp_telnet: global \ -inspection_type stateless +{$def_other_preprocs_type} -preprocessor ftp_telnet_protocol: telnet \ - normalize \ - ayt_attack_thresh 200 +{$def_ftp_preprocessor_type} -preprocessor ftp_telnet_protocol: \ - ftp server default \ - def_max_param_len 100 \ - ports { 21 } \ - ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ - ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ - ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ - ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ - ftp_cmds { FEAT CEL CMD MACB } \ - ftp_cmds { MDTM REST SIZE MLST MLSD } \ - ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ - alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ - alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ - alt_max_param_len 256 { RNTO CWD } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { SIZE } \ - chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ - chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ - chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ - chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ - chk_str_fmt { FEAT CEL CMD } \ - chk_str_fmt { MDTM REST SIZE MLST MLSD } \ - chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > +{$def_smtp_preprocessor_type} -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - telnet_cmds yes - -##################### - # -# SMTP preprocessor # - # -##################### - -preprocessor SMTP: \ - ports { 25 465 691 } \ - inspection_type stateful \ - normalize cmds \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ -CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ -PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } - -################ - # -# sf Portscan # - # -################ - -preprocessor sfportscan: scan_type { all } \ - proto { all } \ - memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } +{$def_sf_portscan_type} ############################ # @@ -1507,28 +1733,9 @@ preprocessor sfportscan: scan_type { all } \ # ############################ -############### - # -# NEW # -# DCE/RPC 2 # - # -############### - -preprocessor dcerpc2: memcap 102400, events [smb, co, cl] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3 - -#################### - # -# DNS preprocessor # - # -#################### +{$def_dce_rpc_2_type} -preprocessor dns: \ - ports { 53 } \ - enable_rdata_overflow +{$def_dns_preprocessor_type} ############################## # @@ -1537,7 +1744,7 @@ preprocessor dns: \ # ############################## -preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted +preprocessor ssl: ports { $def_ssl_ports_ignore_type }, trustservers, noinspect_encrypted ##################### # diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml index 6023a353..cf72a7ca 100644 --- a/config/snort-dev/snort.xml +++ b/config/snort-dev/snort.xml @@ -69,6 +69,11 @@ <item>http://www.pfsense.com/packages/config/snort-dev/snort.inc</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/bin/barnyard2</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort-dev/snort_gui.inc</item> @@ -84,7 +89,7 @@ <item>http://www.pfsense.com/packages/config/snort-dev/snort_whitelist.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/snort/images/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort-dev/images/alert.jpg</item> </additional_files_needed> @@ -158,13 +163,20 @@ <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort-dev/snort_rulesets.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-dev/snort_preprocessors.php</item> + </additional_files_needed> <fields> </fields> - <custom_php_resync_config_command> - </custom_php_resync_config_command> <custom_add_php_command> </custom_add_php_command> + <custom_php_resync_config_command> + sync_package_snort(); + </custom_php_resync_config_command> <custom_php_install_command> + snort_postinstall(); </custom_php_install_command> <custom_php_deinstall_command> snort_deinstall(); diff --git a/config/snort-dev/snort_preprocessors.php b/config/snort-dev/snort_preprocessors.php new file mode 100644 index 00000000..88f90b2e --- /dev/null +++ b/config/snort-dev/snort_preprocessors.php @@ -0,0 +1,314 @@ +<?php +/* $Id$ */ +/* + snort_interfaces.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008-2009 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* + +TODO: Nov 12 09 +Clean this code up its ugly +Important add error checking + +*/ + +require("guiconfig.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +//nat_rules_sort(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +if (isset($id) && $a_nat[$id]) { + + /* new options */ + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; + + /* old options */ + $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; + $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; + $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; + $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; + $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; + $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; + $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; + $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; + $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; + $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; + $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; + $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; + $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; + $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; + $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; + $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; + $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; + $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; + $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; + $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; + $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; + $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; + $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; + $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; + $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; + $pconfig['ip def_sip_proxy_ports'] = $a_nat[$id]['ip def_sip_proxy_ports']; + $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; + $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; + $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; + $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; + $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; + $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; + $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; + $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; + $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['performance'] = $a_nat[$id]['performance']; + $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; + $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; + $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; + $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; + $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; + $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + +if (isset($_GET['dup'])) + unset($id); +} + +/* convert fake interfaces to real */ +$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); + +if ($_POST) { + + /* check for overlaps */ + +/* if no errors write to conf */ + if (!$input_errors) { + $natent = array(); + /* repost the options already in conf */ + $natent['enable'] = $pconfig['enable']; + $natent['interface'] = $pconfig['interface']; + $natent['descr'] = $pconfig['descr']; + $natent['performance'] = $pconfig['performance']; + $natent['blockoffenders7'] = $pconfig['blockoffenders7']; + $natent['snortalertlogtype'] = $pconfig['snortalertlogtype']; + $natent['alertsystemlog'] = $pconfig['alertsystemlog']; + $natent['tcpdumplog'] = $pconfig['tcpdumplog']; + $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; + $natent['flow_depth'] = $pconfig['flow_depth']; + $natent['barnyard_enable'] = $pconfig['barnyard_enable']; + $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; + $natent['def_dns_servers'] = $pconfig['def_dns_servers']; + $natent['def_dns_ports'] = $pconfig['def_dns_ports']; + $natent['def_smtp_servers'] = $pconfig['def_smtp_servers']; + $natent['def_smtp_ports'] = $pconfig['def_smtp_ports']; + $natent['def_mail_ports'] = $pconfig['def_mail_ports']; + $natent['def_http_servers'] = $pconfig['def_http_servers']; + $natent['def_www_servers'] = $pconfig['def_www_servers']; + $natent['def_http_ports'] = $pconfig['def_http_ports']; + $natent['def_sql_servers'] = $pconfig['def_sql_servers']; + $natent['def_oracle_ports'] = $pconfig['def_oracle_ports']; + $natent['def_mssql_ports'] = $pconfig['def_mssql_ports']; + $natent['def_telnet_servers'] = $pconfig['def_telnet_servers']; + $natent['def_telnet_ports'] = $pconfig['def_telnet_ports']; + $natent['def_snmp_servers'] = $pconfig['def_snmp_servers']; + $natent['def_snmp_ports'] = $pconfig['def_snmp_ports']; + $natent['def_ftp_servers'] = $pconfig['def_ftp_servers']; + $natent['def_ftp_ports'] = $pconfig['def_ftp_ports']; + $natent['def_ssh_servers'] = $pconfig['def_ssh_servers']; + $natent['def_ssh_ports'] = $pconfig['def_ssh_ports']; + $natent['def_pop_servers'] = $pconfig['def_pop_servers']; + $natent['def_pop2_ports'] = $pconfig['def_pop2_ports']; + $natent['def_pop3_ports'] = $pconfig['def_pop3_ports']; + $natent['def_imap_servers'] = $pconfig['def_imap_servers']; + $natent['def_imap_ports'] = $pconfig['def_imap_ports']; + $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; + $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; + $natent['def_auth_ports'] = $pconfig['def_auth_ports']; + $natent['def_finger_ports'] = $pconfig['def_finger_ports']; + $natent['def_irc_ports'] = $pconfig['def_irc_ports']; + $natent['def_nntp_ports'] = $pconfig['def_nntp_ports']; + $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; + $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; + $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; + + /* post new options */ + $natent['perform_stat'] = $_POST['perform_stat']; + if ($_POST['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['def_ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; } + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + /* enable this if you want the user to aprove changes */ + // touch($d_natconfdirty_path); + + write_config(); + + /* after click go to this page */ + header("Location: snort_preprocessors.php?id=$id"); + exit; + } +} + +$pgtitle = "Snort: Interface $id$if_real Preprocessors and Flow"; +include("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php +include("fbegin.inc"); +?> +<style type="text/css"> +.alert { + position:absolute; + top:10px; + left:0px; + width:94%; +background:#FCE9C0; +background-position: 15px; +border-top:2px solid #DBAC48; +border-bottom:2px solid #DBAC48; +padding: 15px 10px 85% 50px; +} +</style> +<noscript><div class="alert" ALIGN=CENTER><img src="../themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> + +<p class="pgtitle"><?=$pgtitle?></p> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if ($savemsg) print_info_box($savemsg); ?> +<form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> +<?php +if($id != "") +{ + + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", true, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); + +} +?> +</td> +</tr> + <tr> + <td class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php + /* display error code if there is no id */ + if($id == "") + { + echo " + <style type=\"text/css\"> + .noid { + position:absolute; + top:10px; + left:0px; + width:94%; + background:#FCE9C0; + background-position: 15px; + border-top:2px solid #DBAC48; + border-bottom:2px solid #DBAC48; + padding: 15px 10px 85% 50px; + } + </style> + <div class=\"alert\" ALIGN=CENTER><img src=\"../themes/nervecenter/images/icons/icon_alert.gif\"/><strong>You can not edit options without an interface ID.</CENTER></div>\n"; + + } + ?> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span><br> + Please save your settings befor you click start.<br> + Please make sure there are <strong>no spaces</strong> in your definitions. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">perform_stat</td> + <td width="78%" class="vtable"> + <input name="perform_stat" type="checkbox" value="on" <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> + Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Define SSL_IGNORE</td> + <td width="78%" class="vtable"> + <input name="def_ssl_ports_ignore" type="text" class="formfld" id="def_ssl_ports_ignore" size="40" value="<?=htmlspecialchars($pconfig['def_ssl_ports_ignore']);?>"> + <br> <span class="vexpl">Example: "443 465 563 636 989 990 992 993 994 995".</span></td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <?php if (isset($id) && $a_nat[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>"> + <?php endif; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <br> + Please save your settings befor you click start. </td> + </tr> + </table> + </table> +</form> + +<script language="JavaScript"> +<!-- +enable_change(false); +//--> +</script> +<?php include("fend.inc"); ?> +</body> +</html> |