Diffstat (limited to 'config/snort/snort.inc')
-rwxr-xr-x | config/snort/snort.inc | 123 |
1 files changed, 113 insertions, 10 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index dede1f1d..884c50ec 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1197,9 +1197,11 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) {
 if ($rule2['disabled'] == 0)
 /* If not disabled, just return the rule text "as is" */
 $required_flowbits_rules[$k1][$k2]['rule'] = ltrim($rule2['rule']);
- else
+ else {
 /* If rule is disabled, remove leading '#' to enable it */
 $required_flowbits_rules[$k1][$k2]['rule'] = ltrim(substr($rule2['rule'], strpos($rule2['rule'], "#") + 1));
+ $required_flowbits_rules[$k1][$k2]['disabled'] = 0;
+ }
 }
 }
 }
@@ -1335,8 +1337,10 @@ function snort_load_vrt_policy($policy) {
 $vrt_policy_rules[$k1][$k2] = $arulem2; /* Enable the policy rule if disabled */
- if ($arulem2['disabled'] == 1)
+ if ($arulem2['disabled'] == 1) {
 $vrt_policy_rules[$k1][$k2]['rule'] = ltrim(substr($arulem2['rule'], strpos($arulem2['rule'], "#") + 1));
+ $vrt_policy_rules[$k1][$k2]['disabled'] = 0;
+ }
 }
 }
 }
@@ -1441,8 +1445,10 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
 if (!empty($enablesid)) {
 foreach ($rule_map as $k1 => $rulem) {
 foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $enablesid) && $v['disabled'] == 1)
+ if (in_array($k2, $enablesid) && $v['disabled'] == 1) {
 $rule_map[$k1][$k2]['rule'] = ltrim($v['rule'], " \t#");
+ $rule_map[$k1][$k2]['disabled'] = 0;
+ }
 }
 }
 }
@@ -1452,8 +1458,10 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
 if (!empty($disablesid)) {
 foreach ($rule_map as $k1 => $rulem) {
 foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $disablesid) && $v['disabled'] == 0)
+ if (in_array($k2, $disablesid) && $v['disabled'] == 0) {
 $rule_map[$k1][$k2]['rule'] = "# " . $v['rule'];
+ $rule_map[$k1][$k2]['disabled'] = 1;
+ }
 }
 }
 }
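Review bot: The rule text and the `disabled` flag are now updated together in four places (the `else` branch here, snort_load_vrt_policy, and both loops of snort_modify_sids) using three different ways of stripping the comment marker — `substr(..., strpos(..., "#") + 1)` in the first two and `ltrim(..., " \t#")` in the third — so the two representations can still drift apart if any one site is edited later, which matters more now that downstream code reads the flag rather than the text. I would fold each pair of assignments into a by-reference helper and call it from all four sites; the helpers below use the `ltrim` form, which appears to give the same result as the `substr` form for the `# ` prefix this file writes, though that should be confirmed before switching. Note also that `strpos($rule2['rule'], "#") + 1` evaluates to 1 when the text contains no `#` at all (pre-existing), which the `ltrim` form avoids. All four enclosing functions start and end outside their hunks.
```php
/* Enable a rule in place: strip the leading comment marker and clear the flag. */
function snort_enable_rule(&$rule) {
	$rule['rule'] = ltrim($rule['rule'], " \t#");
	$rule['disabled'] = 0;
}

/* Disable a rule in place: comment it out and set the flag. */
function snort_disable_rule(&$rule) {
	$rule['rule'] = "# " . $rule['rule'];
	$rule['disabled'] = 1;
}
```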
@@ -1765,6 +1773,10 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
 /* Process any enablesid or disablesid modifications for the selected rules. */ snort_modify_sids($enabled_rules, $snortcfg);
+ /* Check for and disable any rules dependent upon disabled preprocessors. */
+ log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $enabled_rules);
+
 /* Write the enforcing rules file to the Snort interface's "rules" directory. */
 snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
 unset($enabled_rules);
@@ -1794,6 +1806,69 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
 snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map"); }
+function snort_filter_preproc_rules($snortcfg, &$active_rules) {
+
+ /**************************************************/
+ /* This function checks the $active_rules array */
+ /* for rule options dependent upon preprocessors. */
+ /* Rules with rule options dependent upon any */
+ /* non-enabled preprocessors are disabled to stop */
+ /* start-up errors from unknown rule options. */
+ /* */
+ /* $snortcfg -> config parameters array for */
+ /* the interface */
+ /* $active_rules -> rules_map array of enabled */
+ /* rules for the interface */
+ /**************************************************/
+
+ global $config;
+
+ if (empty($active_rules))
+ return;
+
+ /***************************************************
+ * Construct an array of rule options with their *
+ * associated preprocessors. *
+ * *
+ * IMPORTANT -- Keep this part of the code current *
+ * with changes to preprocessor rule options in *
+ * Snort VRT rules. *
+ ***************************************************/
+ $rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc",
+ "dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2",
+ "dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data",
+ "sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc",
+ "sip_header;" => "sip_preproc", "sip_body;" => "sip_preproc",
+ "gtp_type:" => "gtp_preproc", "gtp_info:" => "gtp_preproc",
+ "gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc",
+ "modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc",
+ "dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc",
+ "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc");
+
+ /***************************************************
+ * Iterate the enabled rules, and check for rule *
+ * options that depend on disabled preprocessors. *
+ * Disable any of these preprocessor-dependent *
+ * rules we find. Once we find at least one *
+ * reason to disable the rule, stop further checks *
+ * and go to the next rule. *
+ ***************************************************/
+ foreach ($active_rules as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ if ($v['disabled'] == 0)
+ continue;
+ foreach ($rule_opts_preprocs as $opt => $preproc) {
+ $pcre = "/\s*\b" . $opt . "/i";
+ if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) {
+ $active_rules[$k1][$k2]['rule'] = "# " . $v['rule'];
+ $active_rules[$k1][$k2]['disabled'] = 1;
+ break;
+ }
+ }
+ }
+ }
+}
+
 function snort_generate_conf($snortcfg) { global $config, $g;
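Review bot: The guard `if ($v['disabled'] == 0) continue;` in the inner loop skips every enabled rule, so the option scan only ever runs on rules that are already disabled (and prepends a second `# ` to them), while the enabled rules that reference a non-enabled preprocessor — the case the block comment says this function exists for — pass through unchanged and will still produce the unknown-option start-up error; the check should read `if ($v['disabled'] == 1) continue;`. The `$opt` keys are concatenated into `$pcre` unescaped; none of them contains a PCRE metacharacter today, but `preg_quote($opt, '/')` would keep the table safe to extend without someone having to remember that rule. `global $config;` is not referenced anywhere in the function body and can be dropped. The trailing context is the start of snort_generate_conf, whose body continues outside this hunk.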
@@ -1902,7 +1977,8 @@ function snort_generate_conf($snortcfg) {
 "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
- "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502"
+ "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502",
+ "GTP_PORTS" => "2123,2152,3386"
 ); $portvardef = "";
@@ -1927,6 +2003,10 @@ EOD;
 if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) $def_server_flow_depth_type = $snortcfg['server_flow_depth'];
+ $http_server_profile = "all";
+ if (!empty($snortcfg['http_server_profile']))
+ $http_server_profile = $snortcfg['http_server_profile'];
+
 $def_client_flow_depth_type = '300';
 if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0'))
 $def_client_flow_depth_type = $snortcfg['client_flow_depth'];
@@ -1942,7 +2022,7 @@ EOD;
 # HTTP Inspect # preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
-preprocessor http_inspect_server: server default profile all {$noalert_http_inspect}\
+preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect}\
 ports { {$http_ports} } \
 http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
 server_flow_depth {$def_server_flow_depth_type} \
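Review bot: `$http_server_profile` is copied from `$snortcfg['http_server_profile']` into the `http_inspect_server` heredoc with only an `empty()` check, so any value that reaches the config through the GUI or a restored config.xml lands in the generated snort.conf verbatim and, if it is not one Snort recognises, the interface fails to start. The `profile` keyword accepts a small fixed set of names (`all`, `apache`, `iis`, `iis4_0`, `iis5_0`), so whitelist against that set and keep the `all` fallback: `if (!empty($snortcfg['http_server_profile']) && in_array($snortcfg['http_server_profile'], array("all", "apache", "iis", "iis4_0", "iis5_0")))`. The same unvalidated pass-through applies to `pscan_sense_level` in the sf_portscan hunk further down, which should likewise be restricted to the values sfportscan accepts before being interpolated. snort_generate_conf's body continues outside these hunks.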
@@ -2061,13 +2141,25 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB
 EOD; /* def sf_portscan */
+ if (!empty($snortcfg['pscan_sense_level']))
+ $sf_pscan_sense_level = $snortcfg['pscan_sense_level'];
+ else
+ $sf_pscan_sense_level = "medium";
+
+ if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) {
+ $sf_pscan_ignore_scanners = filter_expand_alias($snortcfg['pscan_ignore_scanners']);
+ $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners));
+ }
+ else
+ $sf_pscan_ignore_scanners = "\$HOME_NET";
+
 $sf_portscan = <<<EOD
 # sf Portscan #
 preprocessor sfportscan: scan_type { all } \
 proto { all } \
 memcap { 10000000 } \
- sense_level { medium } \
- ignore_scanners { \$HOME_NET }
+ sense_level { {$sf_pscan_sense_level} } \
+ ignore_scanners { {$sf_pscan_ignore_scanners} }
 EOD;
@@ -2134,6 +2226,14 @@ preprocessor modbus: \
 EOD;
+ /* def gtp_preprocessor */
+ $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']);
+ $gtp_preproc = <<<EOD
+# GTP preprocessor #
+preprocessor gtp: ports { {$gtp_ports} }
+
+EOD;
+
 $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']);
 $ssl_preproc = <<<EOD
 # Ignore SSL and Encryption #
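Review bot: The alias branch trusts whatever `filter_expand_alias()` returns; if the alias exists but expands to nothing (an empty alias, or one whose members do not resolve at generation time — I cannot see the helper's contract from here), `$sf_pscan_ignore_scanners` ends up as `''` after the `trim()`/`preg_replace()` and the heredoc emits `ignore_scanners {  }`, which I would not expect sfportscan to accept, so the whole interface config would fail for a condition the user cannot see in the GUI. Guard the expanded result and fall back to the same default the `else` branch uses, e.g. after the `preg_replace` line add `if ($sf_pscan_ignore_scanners == '') $sf_pscan_ignore_scanners = "\$HOME_NET";`. A short comment on the `preg_replace` line saying `/* alias expands to a whitespace-separated list; sfportscan wants comma-separated */` would explain why the rewrite is needed. snort_generate_conf's body continues outside this hunk.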
@@ -2180,11 +2280,11 @@ EOD;
 $snort_preproc_libs = array( "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc",
- "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
+ "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
 "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
 );
 $snort_preproc = array (
- "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc",
+ "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc",
 "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc"
 );
 $snort_preprocessors = "";
@@ -2282,6 +2382,9 @@ config disable_tcpopt_alerts
 config disable_ipopt_alerts
 config disable_decode_drops
 
+# Enable the GTP decoder #
+config enable_gtp
+
 # Configure PCRE match limitations
 config pcre_match_limit: 3500
 config pcre_match_limit_recursion: 1500 |