aboutsummaryrefslogtreecommitdiffstats
path: root/config/snort/snort_preprocessors.php
diff options
context:
space:
mode:
Diffstat (limited to 'config/snort/snort_preprocessors.php')
-rwxr-xr-xconfig/snort/snort_preprocessors.php189
1 files changed, 161 insertions, 28 deletions
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 7d0348e9..cf6146cf 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -34,7 +34,13 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
-global $g;
+global $g, $rebuild_rules;
+$snortlogdir = SNORTLOGDIR;
+
+if (!is_array($config['installedpackages']['snortglobal'])) {
+ $config['installedpackages']['snortglobal'] = array();
+}
+$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];
if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
$config['installedpackages']['snortglobal']['rule'] = array();
@@ -77,8 +83,43 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc'];
$pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc'];
$pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc'];
+ $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable'];
+ $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules'];
+
+ /* If not using the Snort VRT rules, then disable */
+ /* the Sensitive Data (sdf) preprocessor. */
+ if ($vrt_enabled == "off")
+ $pconfig['sensitive_data'] = "off";
+
+ /**********************************************************/
+ /* To keep new users from shooting themselves in the foot */
+ /* enable the most common and necessary preprocessors by */
+ /* default. */
+ /**********************************************************/
+ if (empty($pconfig['ftp_preprocessor']))
+ $pconfig['ftp_preprocessor'] = 'on';
+ if (empty($pconfig['smtp_preprocessor']))
+ $pconfig['smtp_preprocessor'] = 'on';
+ if (empty($pconfig['dce_rpc_2']))
+ $pconfig['dce_rpc_2'] = 'on';
+ if (empty($pconfig['dns_preprocessor']))
+ $pconfig['dns_preprocessor'] = 'on';
+ if (empty($pconfig['ssl_preproc']))
+ $pconfig['ssl_preproc'] = 'on';
+ if (empty($pconfig['pop_preproc']))
+ $pconfig['pop_preproc'] = 'on';
+ if (empty($pconfig['imap_preproc']))
+ $pconfig['imap_preproc'] = 'on';
+ if (empty($pconfig['sip_preproc']))
+ $pconfig['sip_preproc'] = 'on';
+ if (empty($pconfig['other_preprocs']))
+ $pconfig['other_preprocs'] = 'on';
}
+/* Define the "disabled_preproc_rules.log" file for this interface */
+$iface = snort_get_friendly_interface($pconfig['interface']);
+$disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log";
+
if ($_POST) {
$natent = array();
$natent = $pconfig;
@@ -120,6 +161,12 @@ if ($_POST) {
$natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off';
$natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off';
$natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off';
+ $natent['preproc_auto_rule_disable'] = $_POST['preproc_auto_rule_disable'] ? 'on' : 'off';
+ $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off';
+
+ /* If 'preproc_auto_rule_disable' is off, then clear log file */
+ if ($natent['preproc_auto_rule_disable'] == 'off')
+ @unlink("{$disabled_rules_log}");
if (isset($id) && $a_nat[$id])
$a_nat[$id] = $natent;
@@ -132,8 +179,15 @@ if ($_POST) {
write_config();
- $if_real = snort_get_real_interface($pconfig['interface']);
- sync_snort_package_config();
+ /* Set flag to rebuild rules for this interface */
+ $rebuild_rules = "on";
+
+ /*************************************************/
+ /* Update the snort conf file and rebuild the */
+ /* rules for this interface. */
+ /*************************************************/
+ snort_generate_conf($natent);
+ $rebuild_rules = "off";
/* after click go to this page */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
@@ -172,6 +226,25 @@ include_once("head.inc");
</script>
<script type="text/javascript" src="/javascript/suggestions.js">
</script>
+
+<script language="javascript" type="text/javascript">
+
+function wopen(url, name, w, h)
+{
+// Fudge factors for window decoration space.
+// In my tests these work well on all platforms & browsers.
+w += 32;
+h += 96;
+ var win = window.open(url,
+ name,
+ 'width=' + w + ', height=' + h + ', ' +
+ 'location=no, menubar=no, ' +
+ 'status=no, toolbar=no, scrollbars=yes, resizable=yes');
+ win.resizeTo(w, h);
+ win.focus();
+}
+</script>
+
<form action="snort_preprocessors.php" method="post"
enctype="multipart/form-data" name="iform" id="iform">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
@@ -191,32 +264,76 @@ include_once("head.inc");
<tr><td class="tabcont">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td colspan="2" align="center" valign="middle">
- <span class="red"><strong><?php echo gettext("NOTE"); ?></strong></span><br>
+ <td colspan="2" align="left" valign="middle">
<?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?>
- <?php echo gettext("dependent rules being automatically disabled."); ?><br>
- <?php echo gettext("Defaults will be used when there is no user input."); ?><br></td>
+ <?php echo gettext("Snort start failures unless dependent rules are also disabled."); ?>
+ <?php echo gettext("The Auto-Rule Disable feature can be used, but note the warning about compromising protection. " .
+ "Defaults will be used where no user input is provided."); ?></td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Performance Statistics"); ?></td>
+
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Preprocessors Configuration"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
- <td width="78%" class="vtable"><input name="perform_stat"
- type="checkbox" value="on"
+ <td width="78%" class="vtable"><input name="perform_stat" type="checkbox" value="on"
<?php if ($pconfig['perform_stat']=="on") echo "checked"; ?>
onClick="enable_change(false)"> <?php echo gettext("Collect Performance Statistics for this interface."); ?></td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Protect Customized Preprocessor Rules"); ?></td>
+ <td width="78%" class="vtable"><input name="protect_preproc_rules" type="checkbox" value="on"
+ <?php if ($pconfig['protect_preproc_rules']=="on") echo "checked ";
+ if ($vrt_enabled <> 'on') echo "disabled"; ?>
+ onClick="enable_change(false)"> <?php echo gettext("Check this box if you maintain customized preprocessor text rules files for this interface."); ?>
+ <table width="100%" border="0" cellpadding="2" cellpadding="2">
+ <tr>
+ <td width="3%">&nbsp;</td>
+ <td><?php echo gettext("Enable this only if you use customized preprocessor text rules files and " .
+ "you do not want them overwritten by automatic Snort VRT rule updates. " .
+ "This option is disabled when Snort VRT rules download is not enabled on the Global Settings tab."); ?><br/><br/>
+ <?php printf(gettext("%sHint:%s Most users should leave this unchecked."), '<span class="red"><strong>', '</strong></span>'); ?></span></td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Auto Rule Disable"); ?></td>
+ <td width="78%" class="vtable"><input name="preproc_auto_rule_disable" type="checkbox" value="on"
+ <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"> <?php echo gettext("Auto-disable text rules dependent on disabled preprocessors for this interface. ");
+ echo gettext("Default is ") . '<strong>' . gettext("Not Checked."); ?></strong><br/>
+ <table width="100%" border="0" cellpadding="2" cellpadding="2">
+ <tr>
+ <td width="3%">&nbsp;</td>
+ <td><span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span>
+ <?php echo gettext("Enabling this option allows Snort to automatically disable any text rules " .
+ "containing rule options or content modifiers that are dependent upon the preprocessors " .
+ "you have not enabled. This may facilitate starting Snort without errors related to " .
+ "disabled preprocessors, but can substantially compromise the level of protection by " .
+ "automatically disabling detection rules."); ?></td>
+ </tr>
+ <?php if (file_exists($disabled_rules_log) && filesize($disabled_rules_log) > 0): ?>
+ <tr>
+ <td width="3%">&nbsp;</td>
+ <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600)"/>
+ &nbsp;&nbsp;&nbsp;<?php echo gettext("Click to view the list of currently auto-disabled rules"); ?></td>
+ </tr>
+ <?php endif; ?>
+ </table>
+ </td>
+ </tr>
+ <tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect Settings"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="http_inspect"
type="checkbox" value="on"
- <?php if ($pconfig['http_inspect']=="on") echo "checked"; ?>
+ <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?>
onClick="enable_change(false)"> <?php echo gettext("Use HTTP Inspect to " .
- "Normalize/Decode and detect HTTP traffic and protocol anomalies."); ?></td>
+ "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?>
+ <strong><?php echo gettext("Checked."); ?></strong></td>
</tr>
<tr>
<td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td>
@@ -241,7 +358,7 @@ include_once("head.inc");
<td width="78%" class="vtable">
<select name="http_server_profile" class="formselect" id="http_server_profile">
<?php
- $profile = array('All', 'Apache', 'IIS', 'IIS_4.0', 'IIS_5.0');
+ $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0');
foreach ($profile as $val): ?>
<option value="<?=strtolower($val);?>"
<?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>>
@@ -275,9 +392,10 @@ include_once("head.inc");
<td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td>
<td width="78%" class="vtable"><input name="noalert_http_inspect"
type="checkbox" value="on"
- <?php if ($pconfig['noalert_http_inspect']=="on") echo "checked"; ?>
- onClick="enable_change(false)"> <?php echo gettext("Tick to turn off alerts from the HTTP Inspect " .
- "preprocessor. This has no effect on HTTP rules in the rule set."); ?></td>
+ <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?>
+ onClick="enable_change(false)"> <?php echo gettext("Turn off alerts from HTTP Inspect " .
+ "preprocessor. This has no effect on HTTP rules. Default is "); ?>
+ <strong><?php echo gettext("Checked."); ?></strong></td>
</tr>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td>
@@ -382,7 +500,8 @@ include_once("head.inc");
type="checkbox" value="on"
<?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network."); ?></td>
+ <?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
@@ -391,7 +510,8 @@ include_once("head.inc");
type="checkbox" value="on"
<?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies."); ?></td>
+ <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
@@ -400,7 +520,8 @@ include_once("head.inc");
type="checkbox" value="on"
<?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("Normalize/Decode POP protocol for enforcement and buffer overflows."); ?></td>
+ <?php echo gettext("Normalize/Decode POP protocol for enforcement and buffer overflows. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
@@ -409,7 +530,8 @@ include_once("head.inc");
type="checkbox" value="on"
<?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("Normalize/Decode IMAP protocol for enforcement and buffer overflows."); ?></td>
+ <?php echo gettext("Normalize/Decode IMAP protocol for enforcement and buffer overflows. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
@@ -418,7 +540,8 @@ include_once("head.inc");
type="checkbox" value="on"
<?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("Normalize/Decode SMTP protocol for enforcement and buffer overflows."); ?></td>
+ <?php echo gettext("Normalize/Decode SMTP protocol for enforcement and buffer overflows. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
@@ -427,7 +550,8 @@ include_once("head.inc");
type="checkbox" value="on"
<?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic."); ?></td>
+ <?php echo gettext("The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
@@ -436,7 +560,8 @@ include_once("head.inc");
type="checkbox" value="on"
<?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities."); ?></td>
+ <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
@@ -454,7 +579,8 @@ include_once("head.inc");
type="checkbox" value="on"
<?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects some vulnerabilities."); ?></td>
+ <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects some vulnerabilities. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("SSL Data"); ?></td>
@@ -462,16 +588,22 @@ include_once("head.inc");
<input name="ssl_preproc" type="checkbox" value="on"
<?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("SSL data searches for irregularities during SSL protocol exchange"); ?>
+ <?php echo gettext("SSL data searches for irregularities during SSL protocol exchange. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("Sensitive Data"); ?></td>
<td width="78%" class="vtable">
<input name="sensitive_data" type="checkbox" value="on"
- <?php if ($pconfig['sensitive_data']=="on") echo "checked"; ?>
+ <?php if ($pconfig['sensitive_data'] == "on")
+ echo "checked";
+ elseif ($vrt_enabled == "off")
+ echo "disabled";
+ ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("Sensitive data searches for credit card or Social Security numbers in data"); ?>
+ <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?><br/>
+ <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?>
</td>
</tr>
<tr>
@@ -507,7 +639,8 @@ include_once("head.inc");
<td width="22%" valign="top">&nbsp;</td>
<td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span>
<br>
- <?php echo gettext("Please save your settings before you click Start."); ?> </td>
+ <?php echo gettext("Please save your settings before you click Start. Preprocessor changes will rebuild the rules file. "); ?>
+ </br><?php echo gettext("This may take several seconds. Snort must also be restarted to activate any changes made on this screen."); ?></td>
</tr>
</table>
</td></tr></table>
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-26 02:38:25 +0000