Diffstat (limited to 'config/snort')
-rw-r--r-- | config/snort/snort.inc | 73 | ||||
-rw-r--r-- | config/snort/snort_preprocessors.php | 12 |
2 files changed, 39 insertions, 46 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index f6181819..9fa3beab 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1048,6 +1048,29 @@ function snort_generate_conf($snortcfg) {
 if(!empty($snortcfg['performance']))
 $snort_performance = $snortcfg['performance'];
+ /* if user has defined a custom ssh port, use it */
+ if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']))
+ $ssh_port = $config['system']['ssh']['port'];
+ else
+ $ssh_port = "22";
+ $ports = array(
+ "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691",
+ "http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433",
+ "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21",
+ "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
+ "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
+ "sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79",
+ "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
+ "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
+ "ssl_ports" => "443,465,563,636,989,990,992,993,994,995",
+ "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80",
+ "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
+ "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
+ "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
+ "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
+ "DCERPC_BRIGHTSTORE" => "6503,6504"
+ );
+
 /////////////////////////////
 /* preprocessor code */
 /* def perform_stat */
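Review bot: Moving `$ports` to the top of snort_generate_conf() makes its hard-coded defaults the values the preprocessor heredocs further down (http_inspect, SMTP, rpc_decode, dns) interpolate, while the per-interface overrides are only merged into `$ports` later, in the `$ports[$alias] = $snortcfg["def_{$alias}"];` loop visible in a later hunk of this diff (the loop header itself is outside view). As far as the diff shows, a user who sets e.g. `def_http_ports` therefore gets a `portvar HTTP_PORTS` that disagrees with the `http_inspect_server ports { }` list; the override loop should run right after this block, or the preprocessor strings should be built after it. `$ssh_port` is also copied from config.xml into `portvar SSH_PORTS` without any check that it is numeric; `if (!ctype_digit((string)$ssh_port)) $ssh_port = "22";` would keep a malformed value from breaking the generated snort.conf. The enclosing function starts before this hunk.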
@@ -1061,13 +1084,14 @@ EOD;
 if (!empty($snortcfg['flow_depth']))
 $def_flow_depth_type = $snortcfg['flow_depth'];
+ $http_ports = str_replace(",", " ", $ports['http_ports']);
 /* def http_inspect */
 $http_inspect = <<<EOD
 # HTTP Inspect #
 preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
 preprocessor http_inspect_server: server default \
- ports { 80 8080 } \
+ ports { {$http_ports } \
 non_strict \
 non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
 flow_depth {$def_flow_depth_type} \
@@ -1138,11 +1162,12 @@ preprocessor ftp_telnet_protocol: ftp client default \
 EOD;
+ $smtp_ports = str_replace(",", " ", $ports['mail_ports']);
 /* def smtp_preprocessor */
 $smtp_preprocessor = <<<EOD
 # SMTP preprocessor #
 preprocessor SMTP: \
- ports { 25 465 691 } \
+ ports { {$mail_ports} } \
 inspection_type stateful \
 normalize cmds \
 valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \
@@ -1173,10 +1198,11 @@ preprocessor sfportscan: scan_type { all } \
 EOD;
+ $sun_rpc_ports = str_replace(",", " ", $ports['sun_rpc_ports']);
 /* def other_preprocs */
 $other_preprocs = <<<EOD
 # Other preprocs #
-preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
+preprocessor rpc_decode: {$sun_rpc_ports}
 # Back Orifice
 preprocessor bo
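Review bot: The new http_inspect_server line `ports { {$http_ports } \` is missing the closing brace of the Snort port list: PHP tolerates the space inside `{$http_ports }` and interpolates the variable, so the generated config reads `ports { 80 \` with no `}`, which Snort will reject when it parses the preprocessor block. It should be `ports { {$http_ports} } \`, the form the SMTP and DNS hunks in this same commit use. Note also that the `http_ports` default is just "80", so 8080 silently drops out of the inspected HTTP ports compared with the old hard-coded `80 8080`; if that is unintended, add 8080 to the default. The `$http_inspect` heredoc continues past the end of this hunk.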
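Review bot: The SMTP hunk assigns `$smtp_ports` but the heredoc interpolates `{$mail_ports}`, which nothing in this diff defines, so the generated line becomes `ports {  } \` and the SMTP preprocessor inspects no ports at all (plus an undefined-variable notice from PHP). Use one name on both sides: `ports { {$smtp_ports} } \`. Separately, `$ports['mail_ports']` is "25,143,465,691", so once the variable is fixed the SMTP preprocessor will also be attached to IMAP port 143, which the old hard-coded `25 465 691` did not cover; if that is not intended, source the list from `$ports['smtp_ports']` or a dedicated default instead. The `$smtp_preprocessor` heredoc continues past the end of the hunk.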
@@ -1188,17 +1214,18 @@ EOD;
 # DCE/RPC 2 #
 preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
 preprocessor dcerpc2_server: default, policy WinXP, \
- detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
+ detect [smb [{$ports['smb_ports']}], tcp 135, udp 135, rpc-over-http-server 593], \
 autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
 smb_max_chain 3
 EOD;
+ $dns_ports = str_replace(",", " ", $ports['dns_ports']);
 /* def dns_preprocessor */
 $dns_preprocessor = <<<EOD
 # DNS preprocessor #
 preprocessor dns: \
- ports { 53 } \
+ ports { {$dns_ports} } \
 enable_rdata_overflow
 EOD;
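Review bot: The dcerpc2_server `detect` line now pulls the SMB ports from `$ports['smb_ports']` but leaves `tcp 135, udp 135, rpc-over-http-server 593` hard-coded, even though the same `$ports` array defines DCERPC_* entries that carry 135 and 593; if the point of the array is a single place to edit port defaults, this line is only half converted and deserves either the same treatment or a comment such as `# tcp/udp 135 and 593 are fixed by the dcerpc2 detect syntax; DCERPC_* portvars only feed rules`. The interpolation itself is fine, since `{$ports['smb_ports']}` is the heredoc form PHP accepts for array elements. The DNS hunk below it uses the correct `ports { {$dns_ports} } \` form.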
@@ -1222,30 +1249,6 @@ EOD;
 "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
 );
- /* if user has defined a custom ssh port, use it */
- if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']))
- $ssh_port = $config['system']['ssh']['port'];
- else
- $ssh_port = "22";
- $ports = array(
- "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691",
- "http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433",
- "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21",
- "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
- "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
- "sip_ports" => "5060:5090,16384:32768", "auth_ports" => "113", "finger_ports" => "79",
- "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
- "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
- "ssl_ports" => "443,465,563,636,989,990,992,993,994,995",
- "ssl_ports_ignore" => "443,465,563,636,989,990,992,993,994,995",
- "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80",
- "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
- "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
- "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
- "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
- "DCERPC_BRIGHTSTORE" => "6503,6504"
- );
-
 $vardef = "";
 foreach ($servers as $alias => $avalue) {
 if (!empty($snortcfg[$alias]))
@@ -1259,7 +1262,7 @@ EOD;
 $ports[$alias] = $snortcfg["def_{$alias}"];
 $portvardef .= "portvar " . strtoupper($alias) . " [" . $ports[$alias] . "]\n";
 }
- $def_ssl_ports_ignore = str_replace(",", " ", $ports['ssl_ports_ignore']);
+ $def_ssl_ports_ignore = str_replace(",", " ", $ports['ssl_ports']);
 $snort_preproc = array (
 "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor",
@@ -1279,10 +1282,12 @@ EOD;
 $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n";
 if (file_exists("{$snortcfgdir}/classification.config"))
 $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
- if (file_exists("{$snortdir}/preproc_rules/preprocessor.rules"))
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- if (file_exists("{$snortdir}/preproc_rules/decoder.rules"))
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+ if (is_dir("{$snortdir}/preproc_rules")) {
+ foreach (glob("{$snortdir}/preproc_rules/*.rules") as $file) {
+ $file = basename($file);
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/{$file}\n";
+ }
+ }
 /* generate rule sections to load */
 $selected_rules_sections = "";
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 29a1d7bb..339c0168 100644
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -55,7 +55,6 @@ if (isset($id) && $a_nat[$id]) {
 /* new options */
 $pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
- $pconfig['ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore'];
 $pconfig['flow_depth'] = $a_nat[$id]['flow_depth'];
 $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
 $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
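Review bot: Deriving `$def_ssl_ports_ignore` from `$ports['ssl_ports']` means the SSL ignore list now follows whatever the override loop just above stores under that key, which is reasonable, but values that existing installs saved under the old `def_ssl_ports_ignore` key are left in config.xml and silently stop having any effect, since neither file reads them any more. A one-line cleanup where the interface config is loaded, e.g. `unset($snortcfg['def_ssl_ports_ignore']);` with a short comment, or a line in the package changelog, would make the behaviour change visible to operators. The loop header that feeds `$ports[$alias]` is outside this hunk, so I cannot tell whether `ssl_ports` is among the aliases it iterates; worth confirming.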
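Review bot: `glob()` returns false rather than an empty array when it fails, and the new `foreach (glob(...) as $file)` would then emit a PHP warning instead of iterating nothing; split it as `$files = glob("{$snortdir}/preproc_rules/*.rules");` and `foreach (($files === false ? array() : $files) as $file) {`. The wildcard also widens what is loaded: the old code included exactly preprocessor.rules and decoder.rules, whereas this will include every `*.rules` file present in that directory — VRT rule tarballs, as far as I recall, also ship a sensitive-data.rules whose `sd_pattern` options need a sensitive_data preprocessor that this generator does not appear to configure, so please verify Snort still starts with that file pulled in, or keep an explicit allow-list. Since the include list is now driven by directory contents, a comment such as `/* every *.rules file in preproc_rules is loaded; keep this directory package-managed */` would record that assumption for the next maintainer.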
@@ -75,7 +74,6 @@ if ($_POST) {
 /* if no errors write to conf */
 if (!$input_errors) {
 /* post new options */
- if ($_POST['ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $_POST['ssl_ports_ignore']; }else{ $natent['def_ssl_ports_ignore'] = ""; }
 if ($_POST['flow_depth'] != "") { $natent['flow_depth'] = $_POST['flow_depth']; }else{ $natent['flow_depth'] = ""; }
 if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; }
 if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; }
@@ -301,16 +299,6 @@ include_once("head.inc");
 vulnerabilities.</td>
 </tr>
 <tr>
- <td width="22%" valign="top" class="vncell">Define SSL_IGNORE</td>
- <td width="78%" class="vtable"><input name="ssl_ports_ignore"
- type="text" class="formfld" id="ssl_ports_ignore" size="40"
- value="<?=htmlspecialchars($pconfig['ssl_ports_ignore']);?>"> <br>
- <span class="vexpl"> Encrypted traffic should be ignored by Snort
- for both performance reasons and to reduce false positives.<br>
- Default: "443 465 563 636 989 990 992 993 994 995".</span> <strong>Please
- use spaces and not commas.</strong></td>
- </tr>
- <tr>
 <td width="22%" valign="top"> </td>
 <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="Save"> |