Diffstat (limited to 'config/snort/snort_preprocessors.php')
-rwxr-xr-x | config/snort/snort_preprocessors.php | 136 |
1 files changed, 122 insertions, 14 deletions
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 916fd413..7d0348e9 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -56,6 +56,7 @@ if (isset($id) && $a_nat[$id]) {
 /* new options */
 $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
 $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth'];
+ $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile'];
 $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth'];
 $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
 $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
@@ -75,20 +76,31 @@ if (isset($id) && $a_nat[$id]) { $pconfig['sip_preproc'] = $a_nat[$id]['sip_preproc']; $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc']; $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc']; + $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc']; } if ($_POST) { $natent = array(); $natent = $pconfig; + if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners'])) + $input_errors[] = "Only aliases are allowed"; + /* if no errors write to conf */ if (!$input_errors) { /* post new options */ if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = ""; } + if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = ""; } if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = ""; } + if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; } + + if ($_POST['pscan_ignore_scanners']) + $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; + else + unset($natent['pscan_ignore_scanners']); $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; 
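Review bot: The new `http_server_profile` and `pscan_sense_level` assignments copy `$_POST` into `$natent` after only an empty-string test, so any string a client submits is saved even though the form offers a fixed option list. Next to the new `is_alias()` check, before `if (!$input_errors)`, I would add an allow-list test such as `if ($_POST['pscan_sense_level'] != "" && !in_array($_POST['pscan_sense_level'], array('low', 'medium', 'high'))) $input_errors[] = "Invalid portscan sensitivity level";` and the same for `http_server_profile` against `array('all', 'apache', 'iis', 'iis_4.0', 'iis_5.0')`. The code that consumes these settings is not in this diff; if they are written into a generated Snort configuration, an unchecked value could carry extra directives or break the file. `is_alias()` is also not shown here, so it is worth confirming it rejects port aliases, since the page only suggests host and network aliases for `pscan_ignore_scanners`. The `if ($_POST)` block continues past the end of this hunk.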
@@ -107,6 +119,7 @@ if ($_POST) { $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; $natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off'; $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; + $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -155,6 +168,10 @@ include_once("head.inc"); ?> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> <form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -174,10 +191,10 @@ include_once("head.inc"); <tr><td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong<?php echo gettext("Note:"); ?>> - </strong></span><br> - <?php echo gettext("Rules may be dependent on preprocessors!"); ?><br> + <td colspan="2" align="center" valign="middle"> + <span class="red"><strong><?php echo gettext("NOTE"); ?></strong></span><br> + <?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?> + <?php echo gettext("dependent rules being automatically disabled."); ?><br> <?php echo gettext("Defaults will be used when there is no user input."); ?><br></td> </tr> <tr> 
@@ -208,7 +225,7 @@ include_once("head.inc"); <tr> <td><input name="server_flow_depth" type="text" class="formfld" id="flow_depth" size="6" - value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . + value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . "to <strong>65535</strong> (<strong>-1</strong> disables HTTP " . "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> </tr> @@ -220,6 +237,23 @@ include_once("head.inc"); </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP server profile"); ?> </td> + <td width="78%" class="vtable"> + <select name="http_server_profile" class="formselect" id="http_server_profile"> + <?php + $profile = array('All', 'Apache', 'IIS', 'IIS_4.0', 'IIS_5.0'); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the profile type of the protected web server."); ?><br> + <?php echo gettext(" The default is <strong>All</strong>. "); ?> + <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the "); ?> + <?php echo gettext("double decoding vulnerability present in those two versions."); ?><br> + </td> + </tr> + <tr> <td valign="top" class="vncell"><?php echo gettext("HTTP client flow depth"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> 
@@ -298,6 +332,46 @@ include_once("head.inc"); "in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?><br> </td> </tr> + + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> + <?php echo gettext("Portscan Detection"); ?></td> + <td width="78%" class="vtable"><input name="sf_portscan" + type="checkbox" value="on" + <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td> + <td width="78%" class="vtable"> + <select name="pscan_sense_level" class="formselect" id="pscan_sense_level"> + <?php + $levels = array('low', 'medium', 'high'); + foreach ($levels as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['pscan_sense_level']) echo "selected"; ?>> + <?=gettext(ucfirst($val));?></option> + <?php endforeach; ?> + </select><br> + <?php echo gettext("LOW: alerts generated on error packets from the target host; "); ?> + <?php echo gettext("this setting should see few false positives. 
"); ?><br> + <?php echo gettext("MEDIUM: tracks connection counts, so will generate filtered alerts; may "); ?> + <?php echo gettext("false positive on active hosts."); ?><br> + <?php echo gettext("HIGH: tracks hosts using a time window; will catch some slow scans, but is "); ?> + <?php echo gettext("very sensitive to active hosts."); ?><br/> + </td> + </tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?> </td> + <td width="78%" class="vtable"> + <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" + value="<?=$pconfig['pscan_ignore_scanners'];?>"> <br><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias.");?><br> + <?php echo gettext("Default value: \$HOME_NET."); ?><?php echo gettext(" Leave " . + "blank for default value."); ?> + </td> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td> </tr> @@ -348,15 +422,6 @@ include_once("head.inc"); </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("Portscan Detection"); ?></td> - <td width="78%" class="vtable"><input name="sf_portscan" - type="checkbox" value="on" - <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("DCE/RPC2 Detection"); ?></td> <td width="78%" class="vtable"><input name="dce_rpc_2" type="checkbox" value="on" 
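Review bot: The new "Ignore Scanners" input prints the stored value raw, `value="<?=$pconfig['pscan_ignore_scanners'];?>"`, while the `server_flow_depth` field on this page goes through `htmlspecialchars()`. The save path only accepts a defined alias, but the value can also reach the config by a restore or a hand edit, so the attribute should be escaped the same way: `value="<?=htmlspecialchars($pconfig['pscan_ignore_scanners']);?>"`. The two new `<td>` cells for this field are also not wrapped in their own `<tr>`…`</tr>`: they follow the `</tr>` of the Sensitivity row and run straight into the `<tr>` of the "General Preprocessor Settings" heading.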
@@ -375,6 +440,15 @@ include_once("head.inc"); </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> + <?php echo gettext("GTP Detection"); ?></td> + <td width="78%" class="vtable"><input name="gtp_preproc" + type="checkbox" value="on" + <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + <?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("DNS Detection"); ?></td> <td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on" @@ -438,6 +512,40 @@ include_once("head.inc"); </table> </td></tr></table> </form> +<script type="text/javascript"> +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesports = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } else if ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesports .= ","; + $aliasesports .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } +?> + + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portsarray=new Array(<?php echo $aliasesports; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +</script> <?php include("fend.inc"); ?> </body> </html> |
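Review bot: In the new inline `<script>` block at the end of the file, alias names are put into JavaScript string literals by plain concatenation (`"'" . $alias_name['name'] . "'"`), so a name containing a quote or `</script>` would break out of the literal. Alias names are presumably restricted when they are created, but that check is not visible here and the output should not depend on it; I would encode at the point of output with `$aliasesaddr .= json_encode($alias_name['name'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);` and likewise for `$aliasesports`. `setTimeout("createAutoSuggest();", 500)` evaluates a string; `setTimeout(createAutoSuggest, 500);` does the same without it. `$isfirst` and `$aliases` are never used in this hunk, and `portsarray` is built but not read by it.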