diff options
Diffstat (limited to 'config/snort')
| -rwxr-xr-x | config/snort/snort.inc | 744 | ||||
| -rwxr-xr-x | config/snort/snort.xml | 12 | ||||
| -rwxr-xr-x | config/snort/snort_alerts.php | 107 | ||||
| -rw-r--r-- | config/snort/snort_blocked.php | 73 | ||||
| -rwxr-xr-x | config/snort/snort_check_for_rule_updates.php | 6 | ||||
| -rwxr-xr-x | config/snort/snort_download_updates.php | 12 | ||||
| -rwxr-xr-x | config/snort/snort_interfaces.php | 15 | ||||
| -rwxr-xr-x | config/snort/snort_interfaces_edit.php | 284 | ||||
| -rw-r--r-- | config/snort/snort_interfaces_suppress_edit.php | 8 | ||||
| -rw-r--r-- | config/snort/snort_interfaces_whitelist_edit.php | 31 | ||||
| -rw-r--r-- | config/snort/snort_list_view.php | 103 | ||||
| -rwxr-xr-x | config/snort/snort_preprocessors.php | 856 | ||||
| -rwxr-xr-x | config/snort/snort_rules.php | 466 | ||||
| -rw-r--r-- | config/snort/snort_rules_flowbits.php | 265 | ||||
| -rwxr-xr-x | config/snort/snort_rulesets.php | 4 |
15 files changed, 2161 insertions, 825 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 7ecc40e7..236cb107 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -40,12 +40,12 @@ require_once("filter.inc"); // Explicitly declare these as global so they work through function call includes global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log; -global $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall; +global $all_rules, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall; global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename; /* package version */ $snort_version = "2.9.4.1"; -$pfSense_snort_version = "2.5.7"; +$pfSense_snort_version = "2.5.8"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) @@ -132,6 +132,53 @@ function snort_generate_id() { return $snort_uuid; } +function snort_load_suppress_sigs($snortcfg) { + + global $config; + + /**********************************************************/ + /* This function loads the GEN_ID and SIG_ID for all the */ + /* suppressed alert entries from the Suppression List of */ + /* the passed Snort interface. The results are returned */ + /* in an array with GEN_ID and SIG_ID as the keys. */ + /**********************************************************/ + + $suppress = array(); + + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + return; + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + return; + $a_suppress = $config['installedpackages']['snortglobal']['suppress']['item']; + + foreach ($a_suppress as $a_id => $alist) { + if ($alist['name'] == $snortcfg['suppresslistname']) { + if (!empty($alist['suppresspassthru'])) { + $tmplist = str_replace("\r", "", base64_decode($alist['suppresspassthru'])); + $tmp = explode("\n", $tmplist); + foreach ($tmp as $line) { + // Skip any blank lines + if (trim($line, " \n") == "") + continue; + // Skip any comment lines + if (preg_match('/^\s*#/', $line)) + continue; + if (preg_match('/gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+)/i', $line, $matches)) { + $genid = $matches[1]; + $sigid = $matches[2]; + if (!empty($genid) && !empty($sigid)) + $suppress[$genid][$sigid] = "suppress"; + } + } + unset($tmp); + } + break; + } + } + unset($alist); + return $suppress; +} + /* func builds custom white lists */ function snort_find_list($find_name, $type = 'whitelist') { global $config; @@ -150,117 +197,129 @@ function snort_find_list($find_name, $type = 'whitelist') { return array(); } -/* func builds custom whitelests */ +/* func builds custom whitelists and the HOME_NET variable */ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { global $config, $g; - - /* Add loopback to whitelist (ftphelper) */ - $home_net = "127.0.0.1 "; + global $aliastable, $filterdns; + $home_net = array(); if ($listname == 'default' || empty($listname)) { - $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; + $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; } else { $list = snort_find_list($listname); if (empty($list)) return $list; + $localnet = $list['localnets']; $wanip = $list['wanips']; $wangw = $list['wangateips']; $wandns = $list['wandnsips']; $vips = $list['vips']; $vpns = $list['vpnips']; if (!empty($list['address']) && is_alias($list['address'])) { - $home_net .= trim(filter_expand_alias($list['address'])); - $home_net .= " "; + $home_net = explode(" ", trim(filter_expand_alias($list['address']))); } } - /* Always put snort running interface in the list */ + /* Always add loopback to HOME_NET and whitelist (ftphelper) */ + if (!in_array("127.0.0.1", $home_net)) + $home_net[] = "127.0.0.1"; + + /********************************************************************/ + /* Always put the interface running Snort in HOME_NET and whitelist */ + /* unless it's the WAN. WAN options are handled further down. */ + /********************************************************************/ $snortip = get_interface_ip($snortcfg['interface']); - if (is_ipaddr($snortip)) - $home_net .= "{$snortip} "; + if (is_ipaddr($snortip)) { + if ($snortcfg['interface'] <> "wan") { + $sn = get_interface_subnet($snortcfg['interface']); + $ip = gen_subnet($snortip, $sn) . "/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + } + if (function_exists('get_interface_ipv6')) { $snortip = get_interface_ipv6($snortcfg['interface']); if (is_ipaddrv6($snortip)) { - if ($whitelist === false) { + if ($snortcfg['interface'] <> "wan") { $sn = get_interface_subnetv6($snortcfg['interface']); - $home_net .= "{$snortip}/{$sn} "; - } else - $home_net .= "{$snortip} "; + $ip = gen_subnetv6($snortip, $sn). "/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } } } - - /* iterate through interface list and write out whitelist items - * and also compile a home_net list for snort. - */ - if ($wanip == 'yes') { - /* build an interface array list */ + + if ($localnet == 'yes') { + /*************************************************************************/ + /* Iterate through the interface list and write out whitelist items and */ + /* also compile a HOME_NET list of all the local interfaces for snort. */ + /* Skip the WAN interface as we do not typically want that whole subnet */ + /* whitelisted (just the interface IP itself). */ + /*************************************************************************/ if (function_exists('get_configured_interface_list')) $int_array = get_configured_interface_list(); else { $int_array = array('wan', 'lan'); - for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) { if(isset($config['interfaces']['opt' . $j]['enable'])) $int_array[] = "opt{$j}"; + } } - foreach ($int_array as $int) { - /* calculate interface subnet information */ - if (function_exists('get_interface_ip')) { - if (!interface_has_gateway($int)) + if ($int == "wan") + continue; + $subnet = get_interface_ip($int); + if (is_ipaddr($subnet)) { + $sn = get_interface_subnet($int); + $ip = gen_subnet($subnet, $sn) . "/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + if (function_exists("get_interface_ipv6")) { + if ($int == "wan") continue; - $subnet = get_interface_ip($int); - if (is_ipaddr($subnet)) { - if ($whitelist === false) { - $sn = get_interface_subnet($int); - $home_net .= "{$subnet}/{$sn} "; - } else - $home_net .= "{$subnet} "; - } - if (function_exists("get_interface_ipv6")) { - if (!interface_has_gatewayv6($int)) - continue;; - $subnet = get_interface_ipv6($int); - if (is_ipaddrv6($subnet)) { - if ($whitelist === false) { - $sn = get_interface_subnetv6($int); - $home_net .= "{$subnet}/{$sn} "; - } else - $home_net .= "{$subnet} "; - } - } - } else { - $ifcfg = $config['interfaces'][$int]; - switch ($ifcfg['ipaddr']) { - case "pppoe": - case "pptp": - case "l2tp": - $subnet = find_interface_ip("ng0"); - if (is_ipaddr($subnet)) - $home_net .= "{$subnet} "; - break; - case "dhcp": - $subnet = find_interface_ip(snort_get_real_interface($int)); - if (is_ipaddr($subnet)) - $home_net .= "{$subnet} "; - break; - default: - if (is_ipaddr($ifcfg['ipaddr'])) { - $home_net .= "{$ifcfg['ipaddr']} "; - } - break; + $subnet = get_interface_ipv6($int); + if (is_ipaddrv6($subnet)) { + $sn = get_interface_subnetv6($int); + $ip = gen_subnetv6($subnet, $sn). "/{$sn}"; + if (!in_array($ip, $home_net)) + $home_net[] = $ip; } } } } + /* Grab the default gateway if set */ + $default_gw = exec("/sbin/route -n get default |grep 'gateway:' | /usr/bin/awk '{ print $2 }'"); + + if ($wanip == 'yes') { + $ip = get_interface_ip("wan"); + if (is_ipaddr($ip)) { + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + if (function_exists("get_interface_ipv6")) { + $ip = get_interface_ipv6("wan"); + if (is_ipaddrv6($ip)) { + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } + } + } + if ($wangw == 'yes') { + if (is_ipaddr($default_gw) && !in_array($default_gw, $home_net)) + $home_net[] = $default_gw; + + /* Get any other interface gateway and put in $HOME_NET if not there already */ $gw = get_interface_gateway($snortcfg['interface']); - if (is_ipaddr($gw)) - $home_net .= "{$gw} "; + if (is_ipaddr($gw) && !in_array($gw, $home_net)) + $home_net[] = $gw; if (function_exists("get_interface_gatewayv6")) { $gw = get_interface_gatewayv6($snortcfg['interface']); - if (is_ipaddrv6($gw)) - $home_net .= "{$gw} "; + if (is_ipaddrv6($gw) && !in_array($gw, $home_net)) + $home_net[] = $gw; } } @@ -268,8 +327,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { /* Add DNS server for WAN interface to whitelist */ $dns_servers = get_dns_servers(); foreach ($dns_servers as $dns) { - if ($dns) - $home_net .= "{$dns} "; + if ($dns && !in_array($dns, $home_net)) + $home_net[] = $dns; } } @@ -278,10 +337,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { foreach($config['virtualip']['vip'] as $vip) { if ($vip['subnet'] && $vip['mode'] != 'proxyarp') { - if ($whitelist === false) - $home_net .= "{$vip['subnet']}/{$vip['subnet_bits']} "; - else - $home_net .= "{$vip['subnet']} "; + if (!in_array("{$vip['subnet']}/{$vip['subnet_bits']}", $home_net)) + $home_net[] = "{$vip['subnet']}/{$vip['subnet_bits']}"; } } } @@ -289,27 +346,31 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ if ($vpns == 'yes') { - if ($config['version'] <= 6) // chk what pfsense version were on - $vpns_list = get_vpns_list(); - else - $vpns_list = filter_get_vpns_list(); - - if (!empty($vpns_list)) - $home_net .= "{$vpns_list} "; + $vpns_list = filter_get_vpns_list(); + if (!empty($vpns_list)) { + /* Convert the returned space-delimited string to an array */ + /* and then add each VPN address to our HOME_NET array. */ + $vpns = explode(" ", $vpns_list); + foreach ($vpns as $vpn) + $home_net[] = trim($vpn); + unset($vpns, $vpns_list); + } } - $home_net = trim($home_net); - $validator = explode(" ", $home_net); $valresult = array(); - foreach ($validator as $vald) { + foreach ($home_net as $vald) { if (empty($vald)) continue; $vald = trim($vald); if (empty($valresult[$vald])) $valresult[$vald] = $vald; } - unset($home_net, $validator); + /* Release memory no longer required */ + unset($home_net); + + /* Sort the list and return it */ + natsort($valresult); return $valresult; } @@ -328,6 +389,7 @@ function snort_barnyard_stop($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Barnyard2 STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); } } @@ -337,12 +399,11 @@ function snort_stop($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Snort STOP for {$snortcfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); } snort_barnyard_stop($snortcfg, $if_real); - - log_error("Snort STOP for {$snortcfg['descr']}({$if_real})..."); } function snort_barnyard_start($snortcfg, $if_real) { @@ -352,9 +413,10 @@ function snort_barnyard_start($snortcfg, $if_real) { $snort_uuid = $snortcfg['uuid']; /* define snortbarnyardlog_chk */ - if ($snortcfg['barnyard_enable'] == 'on' && !empty($snortcfg['barnyard_mysql'])) + if ($snortcfg['barnyard_enable'] == 'on' && !empty($snortcfg['barnyard_mysql'])) { + log_error("[Snort] Barnyard2 START for {$snortcfg['descr']}({$if_real})..."); exec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q"); - + } } function snort_start($snortcfg, $if_real) { @@ -363,14 +425,37 @@ function snort_start($snortcfg, $if_real) { $snortdir = SNORTDIR; $snort_uuid = $snortcfg['uuid']; - if ($snortcfg['enable'] == 'on') + if ($snortcfg['enable'] == 'on') { + log_error("[Snort] Snort START for {$snortcfg['descr']}({$if_real})..."); exec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + } else return; snort_barnyard_start($snortcfg, $if_real); +} + +/**************************************************************/ +/* This function sends a SIGHUP to the Snort instance on the */ +/* passed interface to cause Snort to reload and parse the */ +/* running configuration without stopping packet processing. */ +/* It also executes the reload as a background process and */ +/* returns control immediately to the caller. */ +/**************************************************************/ +function snort_reload_config($snortcfg, $if_real) { + global $config, $g; + + $snortdir = SNORTDIR; + $snort_uuid = $snortcfg['uuid']; - log_error("Snort START for {$snortcfg['descr']}({$if_real})..."); + /******************************************************/ + /* Only send the SIGHUP if Snort is running and we */ + /* can find a valid PID for the process. */ + /******************************************************/ + if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { + log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']}({$if_real})..."); + exec("/bin/pkill -SIGHUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); + } } function snort_get_friendly_interface($interface) { @@ -425,8 +510,7 @@ function snort_get_real_interface($interface) { this code block is for deleteing logs while keeping the newest file, snort is linked to these files while running, do not take the easy way out by touch and rm, snort will lose sync and not log. - - */ +*/ function snort_post_delete_logs($snort_uuid = 0) { global $config, $g; @@ -511,10 +595,13 @@ function snort_postinstall() { $rebuild_rules = "off"; update_output_window(gettext("Finished rebuilding files...")); log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); - update_status(gettext("Starting Snort using rebuilt configuration...")); - log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); - if (!$g['booting']) + + /* Only try to start Snort if not in reboot */ + if (!$g['booting']) { + update_status(gettext("Starting Snort using rebuilt configuration...")); + log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); start_service("snort"); + } } /* Done with post-install, so clear flag */ @@ -743,7 +830,7 @@ function snort_rules_up_install_cron($should_install) { $cron_item['month'] = "$snort_rules_up_month"; $cron_item['wday'] = "$snort_rules_up_wday"; $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php"; /* Add cron job if not already installed, else just update the existing one */ if (!$is_installed) @@ -1099,8 +1186,13 @@ function snort_load_rules_map($rules_path) { } $gid = snort_get_gid($rule); + if (!is_array($map_ref[$gid])) + $map_ref[$gid] = array(); + if (!is_array($map_ref[$gid][$sid])) + $map_ref[$gid][$sid] = array(); $map_ref[$gid][$sid]['rule'] = $rule; $map_ref[$gid][$sid]['category'] = basename($file, ".rules"); + if (preg_match('/^\s*\#+/', $rule)) $map_ref[$gid][$sid]['disabled'] = 1; else @@ -1163,16 +1255,31 @@ function snort_get_flowbits($rule) { /*************************************************************/ /* This will pull out "flowbits:" options from the rule text */ - /* and return them in an array. */ + /* and return them in an array (minus the "flowbits:" part). */ /*************************************************************/ $flowbits = array(); - if (preg_match_all('/flowbits\b:\s*(set|setx|unset|toggle|isset|isnotset)\s*,([^;]+)/i', $rule, $matches)) { + + /* Grab any "flowbits:set, setx, unset, isset or toggle" options first. */ + /* Examine flowbits targets for logical operators to capture all targets */ + if (preg_match_all('/flowbits\b\s*:\s*(set|setx|unset|toggle|isset|isnotset)\s*,([^;]+)/i', $rule, $matches)) { + $i = -1; + while (++$i < count($matches[1])) { + $action = trim($matches[1][$i]) . ","; + $target = preg_split('/[&|]/', $matches[2][$i]); + foreach ($target as $t) + $flowbits[] = $action . trim($t); + } + } + + /* Include the "flowbits:noalert or reset" options, if present. */ + if (preg_match_all('/flowbits\b\s*:\s*(noalert|reset)\b/i', $rule, $matches)) { $i = -1; while (++$i < count($matches[1])) { - $flowbits[] = trim($matches[1][$i]) ."," . trim($matches[2][$i]); + $flowbits[] = trim($matches[1][$i]); } } + return $flowbits; } @@ -1200,11 +1307,15 @@ function snort_get_checked_flowbits(&$rules_map) { foreach ($rulem2['flowbits'] as $flowbit) { if (empty($flowbit)) continue; - $action = substr($flowbit, 0, strpos($flowbit, ",")); - if (preg_match('/is(not)?set/i', $action)) { - $tmp = substr($flowbit, strpos($flowbit, ",") +1 ); - if (!empty($tmp) && !in_array($tmp, $checked_flowbits)) - $checked_flowbits[] = $tmp; + /* If no comma in flowbits option, then skip it. */ + $pos = strpos($flowbit, ","); + if ($pos === false) + continue; + $action = substr(strtolower($flowbit), 0, $pos); + if ($action == "isset" || $action == "isnotset") { + $tmp = substr($flowbit, strpos($flowbit, ",") + 1 ); + if (!empty($tmp)) + $checked_flowbits[$tmp] = $action; } } } @@ -1236,11 +1347,15 @@ function snort_get_set_flowbits(&$rules_map) { foreach ($rulem2['flowbits'] as $flowbit) { if (empty($flowbit)) continue; - $action = substr($flowbit, 0, strpos($flowbit, ",")); - if (preg_match('/^set/i', $action)) { - $tmp = substr($flowbit, strpos($flowbit, ",") +1 ); - if (!empty($tmp) && !in_array($tmp, $set_flowbits)) - $set_flowbits[] = $tmp; + /* If no comma in flowbits option, then skip it. */ + $pos = strpos($flowbit, ","); + if ($pos === false) + continue; + $action = substr(strtolower($flowbit), 0, $pos); + if ($action == "set" || $action == "toggle" || $action == "setx") { + $tmp = substr($flowbit, strpos($flowbit, ",") + 1 ); + if (!empty($tmp)) + $set_flowbits[$tmp] = $action; } } } @@ -1274,7 +1389,7 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) { $action = substr($flowbit, 0, strpos($flowbit, ",")); if (!strcasecmp(substr($action, 0, 3), "set")) { $tmp = substr($flowbit, strpos($flowbit, ",") +1 ); - if (!empty($tmp) && in_array($tmp, $unchecked_flowbits)) { + if (!empty($tmp) && isset($unchecked_flowbits[$tmp])) { if (!is_array($required_flowbits_rules[$k1])) $required_flowbits_rules[$k1] = array(); if (!is_array($required_flowbits_rules[$k1][$k2])) @@ -1298,7 +1413,7 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) { return $required_flowbits_rules; } -function snort_resolve_flowbits($rule_path) { +function snort_resolve_flowbits(&$active_rules) { /******************************************************/ /* This function auto-resolves flowbit requirements */ @@ -1308,31 +1423,32 @@ function snort_resolve_flowbits($rule_path) { /* enabled. For any that are not enabled, they are */ /* copied to an array, enabled, and returned. */ /* */ - /* $rule_path --> rules files of the interface */ - /* to resolve flowbit dependencies */ - /* for. This can be either of the */ - /* following: */ - /* - directory of *.rules files */ - /* - array of *.rules filenames */ - /* - a single *.rules filename */ + /* $active_rules --> Rules Map array containing */ + /* the current rules for the */ + /* interface to resolve flowbit */ + /* dependencies for. */ + /* */ + /* NOTE: this function assumes the global variable */ + /* $all_rules is populated with all the rules */ + /* currently downloaded. */ /******************************************************/ + global $all_rules; $snortdir = SNORTDIR; - /* First, load up all the enabled rules. */ - $rules_map = snort_load_rules_map($rule_path); - - /* Next, find all the "checked" and "set" flowbits. */ - $checked_flowbits = snort_get_checked_flowbits($rules_map); - $set_flowbits = snort_get_set_flowbits($rules_map); + /* Check $all_rules array to be sure it is filled. */ + if (empty($all_rules)) { + log_error(gettext("[Snort] WARNING: Flowbit resolution not done - no rules in {$snortdir}/rules/ ...")); + return array(); + } - /* We're done with the first rules array, so cleanup */ - /* to conserve memory. */ - unset($rules_map); + /* First, find all the "checked" and "set" flowbits. */ + $checked_flowbits = snort_get_checked_flowbits($active_rules); + $set_flowbits = snort_get_set_flowbits($active_rules); /* Next find any "checked" flowbits without matching */ /* "set" flowbit rules in the enabled rule set. */ - $delta_flowbits = array_diff($checked_flowbits, $set_flowbits); + $delta_flowbits = array_diff_key($checked_flowbits, $set_flowbits); /* Cleanup and release the memory we no longer need. */ unset($checked_flowbits); @@ -1340,11 +1456,9 @@ function snort_resolve_flowbits($rule_path) { /* Now find all the needed "set flowbit" rules from */ /* the master list of all rules. */ - $all_rules_map = snort_load_rules_map("{$snortdir}/rules/"); - $required_rules = snort_find_flowbit_required_rules($all_rules_map, $delta_flowbits); + $required_rules = snort_find_flowbit_required_rules($all_rules, $delta_flowbits); /* Cleanup and release memory we no longer need. */ - unset($all_rules_map); unset($delta_flowbits); return $required_rules; @@ -1390,7 +1504,7 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { } } -function snort_load_vrt_policy($policy) { +function snort_load_vrt_policy($policy, $load_rules_map=true) { /************************************************/ /* This function returns an array of all rules */ @@ -1400,21 +1514,29 @@ function snort_load_vrt_policy($policy) { /* 1. connectivity */ /* 2. balanced */ /* 3. security */ + /* */ + /* $load_rules --> load a local copy of all */ + /* the rules if true. If */ + /* false, assume the global */ + /* $all_rules array is valid. */ /************************************************/ + global $all_rules; $snortdir = SNORTDIR; $vrt_policy_rules = array(); /* Create regular expression for searching. */ $policy_pcre = "/policy\\s" . $policy . "/i"; - /* First, load up all the rules we have. */ - $all_rules_map = snort_load_rules_map("{$snortdir}/rules/"); + /* Refresh the map of all the rules if flag */ + /* is set. */ + if ($load_rules_map == true) + $all_rules = snort_load_rules_map("{$snortdir}/rules/"); /* Now walk the rules list and find all those */ /* that are defined as active for the chosen */ /* security policy. */ - foreach ($all_rules_map as $k1 => $arulem) { + foreach ($all_rules as $k1 => $arulem) { foreach ($arulem as $k2 => $arulem2) { if (preg_match($policy_pcre, $arulem2['rule'])) { if (!preg_match('/flowbits\s*:\s*noalert/i', $arulem2['rule'])) { @@ -1435,7 +1557,12 @@ function snort_load_vrt_policy($policy) { } /* Release memory we no longer need. */ - unset($all_rules_map, $arulem, $arulem2); + unset($arulem, $arulem2); + + /* If we loaded the ALL_RULES map, */ + /* then release the memory. */ + if ($load_rules_map == true) + unset($all_rules); /* Return all the rules that match the policy. */ return $vrt_policy_rules; @@ -1477,6 +1604,9 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { @fwrite($fp, "# to the rules in this file.\n\n"); foreach ($rule_map as $rulem) { foreach ($rulem as $rulem2) { + /* No reason to write disabled rules to enforcing file, so skip them. */ + if ($rulem2['disabled'] == 1) + continue; @fwrite($fp, $rulem2['rule']); } } @@ -1589,20 +1719,33 @@ function snort_create_rc() { $start_barnyard = <<<EOE if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then - /bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' > {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid + pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' > {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` else - /bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid + pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` fi - if [ $? = 0 ]; then - /bin/pkill -HUP -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a - else - /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q + if [ ! -z \$pid ]; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill $pid -a + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then + /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid + fi fi + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..." + /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q EOE; $stop_barnyard2 = <<<EOE if [ -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` /bin/pkill -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a time=0 timeout=30 @@ -1618,15 +1761,17 @@ EOE; fi else pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q'` - /bin/pkill -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' - time=0 timeout=30 - while kill -0 \$pid 2>/dev/null; do - sleep 1 - time=\$((time+1)) - if [ \$time -gt \$timeout ]; then - break - fi - done + if [ ! -z \$pid ]; then + /bin/pkill -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + fi fi EOE; @@ -1644,12 +1789,12 @@ EOE; else pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` fi - if [ $? = 0 ]; then - /bin/pkill -HUP \$pid + if [ ! -z \$pid ]; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill -HUP \$pid else - /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..." + /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} fi sleep 2 @@ -1659,9 +1804,9 @@ EOE; $start_snort_iface_stop[] = <<<EOE - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." if [ -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." /bin/pkill -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a time=0 timeout=30 while kill -0 \$pid 2>/dev/null; do @@ -1676,15 +1821,18 @@ EOE; fi else pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'` - /bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' - time=0 timeout=30 - while kill -0 \$pid 2>/dev/null; do - sleep 1 - time=\$((time+1)) - if [ \$time -gt \$timeout ]; then - break - fi - done + if [ ! -z \$pid ]; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." + /bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' + time=0 timeout=30 + while kill -0 \$pid 2>/dev/null; do + sleep 1 + time=\$((time+1)) + if [ \$time -gt \$timeout ]; then + break + fi + done + fi fi sleep 2 @@ -1819,11 +1967,21 @@ function snort_deinstall() { $snortlogdir = SNORTLOGDIR; $rcdir = RCFILEPREFIX; + log_error(gettext("[Snort] Snort package uninstall in progress...")); + /* Make sure all active Snort processes are terminated */ + /* Log a message only if a running process is detected */ + if (is_service_running("snort")) + log_error(gettext("[Snort] Snort STOP for all interfaces...")); mwexec('/usr/bin/killall snort', true); sleep(2); mwexec('/usr/bin/killall -9 snort', true); sleep(2); + + /* Make sure all active Barnyard2 processes are terminated */ + /* Log a message only if a running process is detected */ + if (is_service_running("barnyard2")) + log_error(gettext("[Snort] Barnyard2 STOP for all interfaces...")); mwexec('/usr/bin/killall barnyard2', true); sleep(2); mwexec('/usr/bin/killall -9 barnyard2', true); @@ -1893,7 +2051,7 @@ function snort_deinstall() { function snort_prepare_rule_files($snortcfg, $snortcfgdir) { - global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules; + global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules, $all_rules; $snortdir = SNORTDIR; $no_rules_defined = true; @@ -1911,22 +2069,47 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_files = array(); $no_rules_defined = false; - /* Create an array with the full path filenames of the enabled */ - /* rule category files if we have any. */ + /* Load up all the rules into a Rules Map array. */ + $all_rules = snort_load_rules_map("{$snortdir}/rules/"); + + /* Create an array with the filenames of the enabled */ + /* rule category files if we have any. */ if (!empty($snortcfg['rulesets'])) { - foreach (explode("||", $snortcfg['rulesets']) as $file) { - if (file_exists("{$snortdir}/rules/{$file}")) - $enabled_files[] = "{$snortdir}/rules/{$file}"; + foreach (explode("||", $snortcfg['rulesets']) as $file){ + $category = basename($file, ".rules"); + if (!is_array($enabled_files[$category])) + $enabled_files[$category] = array(); + $enabled_files[$category] = $file; + } + + /****************************************************/ + /* Walk the ALL_RULES map array and copy the rules */ + /* matching our selected file categories to the */ + /* ENABLED_RULES map array. */ + /****************************************************/ + foreach ($all_rules as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if (isset($enabled_files[$v['category']])) { + if (!is_array($enabled_rules[$k1])) + $enabled_rules[$k1] = array(); + if (!is_array($enabled_rules[$k1][$k2])) + $enabled_rules[$k1][$k2] = array(); + $enabled_rules[$k1][$k2]['rule'] = $v['rule']; + $enabled_rules[$k1][$k2]['category'] = $v['category']; + $enabled_rules[$k1][$k2]['disabled'] = $v['disabled']; + $enabled_rules[$k1][$k2]['flowbits'] = $v['flowbits']; + } + } } - /* Load our rules map in preparation for writing the enforcing rules file. */ - $enabled_rules = snort_load_rules_map($enabled_files); + /* Release memory we no longer need. */ + unset($enabled_files, $rulem, $v); } /* Check if a pre-defined Snort VRT policy is selected. If so, */ /* add all the VRT policy rules to our enforcing rule set. */ if (!empty($snortcfg['ips_policy'])) { - $policy_rules = snort_load_vrt_policy($snortcfg['ips_policy']); + $policy_rules = snort_load_vrt_policy($snortcfg['ips_policy'], false); foreach ($policy_rules as $k1 => $policy) { foreach ($policy as $k2 => $p) { if (!is_array($enabled_rules[$k1])) @@ -1939,7 +2122,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_rules[$k1][$k2]['flowbits'] = $p['flowbits']; } } - unset($policy_rules); + unset($policy_rules, $policy, $p); } /* Process any enablesid or disablesid modifications for the selected rules. */ @@ -1954,13 +2137,11 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Write the enforcing rules file to the Snort interface's "rules" directory. */ snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); - unset($enabled_rules); /* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */ if ($snortcfg['autoflowbitrules'] == 'on') { log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); - $enabled_files[] = "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"; - $fbits = snort_resolve_flowbits($enabled_files); + $fbits = snort_resolve_flowbits($enabled_rules); /* Check for and disable any flowbit-required rules dependent upon */ /* disabled preprocessors if this option is enabled for the interface. */ @@ -1968,14 +2149,13 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { log_error('[Snort] Checking flowbit rules dependent on disabled preprocessors for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); snort_filter_preproc_rules($snortcfg, $fbits, true); } - snort_filter_preproc_rules($snortcfg, $fbits, true); snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}"); unset($fbits); } else /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); - unset($enabled_files); + unset($enabled_rules, $all_rules); } else { snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); @@ -2101,6 +2281,9 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa } } + /* Release memory we no longer need. */ + unset($rulem, $v, $preproc); + /***************************************************************/ /* If we are persisting the log from the last pass, then open */ /* the log file in append mode. Otherwise open in overwrite */ @@ -2239,8 +2422,7 @@ function snort_generate_conf($snortcfg) { $pfkill = ""; if ($snortcfg['blockoffenderskill'] == "on") $pfkill = "kill"; - /* No subnets to default addresses */ - $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); + $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname']); /* write whitelist */ @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; @@ -2271,7 +2453,7 @@ function snort_generate_conf($snortcfg) { "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", - "sip_ports" => "5060, 5061", "auth_ports" => "113", "finger_ports" => "79", + "sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", "ssl_ports" => "443,465,563,636,989,990,992,993,994,995", @@ -2288,7 +2470,7 @@ function snort_generate_conf($snortcfg) { foreach ($snort_ports as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); - $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias])); + $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; } @@ -2302,41 +2484,53 @@ preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_u EOD; - $def_server_flow_depth_type = '300'; - if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) - $def_server_flow_depth_type = $snortcfg['server_flow_depth']; + /* Pull in the user-configurable HTTP_INSPECT global preprocessor options */ + $http_inspect_memcap = "150994944"; + if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_memcap = $snortcfg['http_inspect_memcap']; + /* Pull in the user-configurable HTTP_INSPECT server preprocessor options */ + $server_flow_depth = '300'; + if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) + $server_flow_depth = $snortcfg['server_flow_depth']; $http_server_profile = "all"; if (!empty($snortcfg['http_server_profile'])) $http_server_profile = $snortcfg['http_server_profile']; - - $def_client_flow_depth_type = '300'; + $client_flow_depth = '300'; if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) - $def_client_flow_depth_type = $snortcfg['client_flow_depth']; - + $client_flow_depth = $snortcfg['client_flow_depth']; if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect'])) - $noalert_http_inspect = "no_alerts "; + $noalert_http_inspect = "no_alerts"; else $noalert_http_inspect = ""; + $http_inspect_server_opts = "enable_cookie \\\n\textended_response_inspection \\\n\tnormalize_javascript \\\n"; + $http_inspect_server_opts .= "\tinspect_gzip \\\n\tnormalize_utf \\\n\tunlimited_decompress \\\n"; + $http_inspect_server_opts .= "\tnormalize_headers \\\n\tnormalize_cookies"; + if ($snortcfg['http_inspect_enable_xff'] == "on") + $http_inspect_server_opts .= " \\\n\tenable_xff"; + + /* If Stream5 is enabled, then we can enable the "log_uri" and "log_hostname" options */ + if ($snortcfg['stream5_reassembly'] == "on") { + if ($snortcfg['http_inspect_log_uri'] == "on") + $http_inspect_server_opts .= " \\\n\tlog_uri"; + if ($snortcfg['http_inspect_log_hostname'] == "on") + $http_inspect_server_opts .= " \\\n\tlog_hostname"; + } $http_ports = str_replace(",", " ", $snort_ports['http_ports']); + /* def http_inspect */ $http_inspect = <<<EOD -# HTTP Inspect # -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 +# HTTP Inspect # +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 memcap {$http_inspect_memcap} -preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect}\ - ports { {$http_ports} } \ +preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect} \ + ports { {$http_ports} } \ http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ - server_flow_depth {$def_server_flow_depth_type} \ - client_flow_depth {$def_client_flow_depth_type} \ - enable_cookie \ - extended_response_inspection \ - inspect_gzip \ - normalize_utf \ - unlimited_decompress \ - normalize_javascript - + server_flow_depth {$server_flow_depth} \ + client_flow_depth {$client_flow_depth} \ + {$http_inspect_server_opts} + EOD; /* def ftp_preprocessor */ @@ -2439,28 +2633,35 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB log_filename \ qp_decode_depth 0 \ b64_decode_depth 0 \ - bitenc_decode_depth 0 + bitenc_decode_depth 0 \ + uu_decode_depth 0 EOD; /* def sf_portscan */ + $sf_pscan_protocol = "all"; + if (!empty($snortcfg['pscan_protocol'])) + $sf_pscan_protocol = $snortcfg['pscan_protocol']; + $sf_pscan_type = "all"; + if (!empty($snortcfg['pscan_type'])) + $sf_pscan_type = $snortcfg['pscan_type']; + $sf_pscan_memcap = "10000000"; + if (!empty($snortcfg['pscan_memcap'])) + $sf_pscan_memcap = $snortcfg['pscan_memcap']; + $sf_pscan_sense_level = "medium"; if (!empty($snortcfg['pscan_sense_level'])) $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; - else - $sf_pscan_sense_level = "medium"; - + $sf_pscan_ignore_scanners = "\$HOME_NET"; if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { $sf_pscan_ignore_scanners = filter_expand_alias($snortcfg['pscan_ignore_scanners']); $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); } - else - $sf_pscan_ignore_scanners = "\$HOME_NET"; $sf_portscan = <<<EOD # sf Portscan # -preprocessor sfportscan: scan_type { all } \ - proto { all } \ - memcap { 10000000 } \ +preprocessor sfportscan: scan_type { {$sf_pscan_type} } \ + proto { {$sf_pscan_protocol} } \ + memcap { {$sf_pscan_memcap} } \ sense_level { {$sf_pscan_sense_level} } \ ignore_scanners { {$sf_pscan_ignore_scanners} } @@ -2546,19 +2747,7 @@ EOD; $sensitive_data = "preprocessor sensitive_data:\n"; - /* stream5 queued settings */ - $def_max_queued_bytes_type = ''; - if ((!empty($snortcfg['max_queued_bytes'])) || ($snortcfg['max_queued_bytes'] == '0')) - $def_max_queued_bytes_type = ", max_queued_bytes {$snortcfg['max_queued_bytes']}"; - - $def_max_queued_segs_type = ''; - if ((!empty($snortcfg['max_queued_segs'])) || ($snortcfg['max_queued_segs'] == '0')) - $def_max_queued_segs_type = ", max_queued_segs {$snortcfg['max_queued_segs']}"; - - $def_stream5_mem_cap = ''; - if (!empty($snortcfg['stream5_mem_cap'])) - $def_stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}"; - + /**************************************************************/ /* Default the HTTP_INSPECT preprocessor to "on" if not set. */ /* The preprocessor is required by hundreds of Snort rules, */ /* and without it Snort may not start and/or the number of */ @@ -2600,10 +2789,18 @@ EOD; "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" ); + $default_disabled_preprocs = array( + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc" + ); $snort_preprocessors = ""; foreach ($snort_preproc as $preproc) { - if ($snortcfg[$preproc] == 'on') { - /* NOTE: The $$ is not a bug. Its a advanced feature of php */ + if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { + + /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ + if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) + continue; + + /* NOTE: The $$ is not a bug. It is an advanced feature of php */ if (!empty($snort_preproc_libs[$preproc])) { $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { @@ -2664,13 +2861,83 @@ EOD; $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; - /* Create the actual rules file and save in the interface directory */ + /* Create the actual rules files and save in the interface directory */ snort_prepare_rule_files($snortcfg, $snortcfgdir); $cksumcheck = "all"; if ($snortcfg['cksumcheck'] == 'on') $cksumcheck = "none"; + /* Pull in user-configurable options for Frag3 preprocessor settings */ + $frag3_disabled = ""; + if ($snortcfg['frag3_detection'] == "off") + $frag3_disabled = ", disabled"; + $frag3_memcap = "memcap 4194304"; + if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") + $frag3_memcap = "memcap {$snortcfg['frag3_memcap']}"; + $frag3_max_frags = "max_frags 8192"; + if (!empty($snortcfg['frag3_max_frags'])) + $frag3_max_frags = "max_frags {$snortcfg['frag3_max_frags']}"; + $frag3_overlap_limit = "overlap_limit 0"; + if (!empty($snortcfg['frag3_overlap_limit'])) + $frag3_overlap_limit = "overlap_limit {$snortcfg['frag3_overlap_limit']}"; + $frag3_min_frag_len = "min_fragment_length 0"; + if (!empty($snortcfg['frag3_min_frag_len'])) + $frag3_min_frag_len = "min_fragment_length {$snortcfg['frag3_min_frag_len']}"; + $frag3_timeout = "timeout 60"; + if (!empty($snortcfg['frag3_timeout'])) + $frag3_timeout = "timeout {$snortcfg['frag3_timeout']}"; + $frag3_policy = "policy bsd"; + if (!empty($snortcfg['frag3_policy'])) + $frag3_policy = "policy {$snortcfg['frag3_policy']}"; + + /* Pull in user-configurable options for Stream5 preprocessor settings */ + $stream5_reassembly = ""; + if ($snortcfg['stream5_reassembly'] == "off") + $stream5_reassembly = "disabled,"; + $stream5_track_tcp = "yes"; + if ($snortcfg['stream5_track_tcp'] =="off") + $stream5_track_tcp = "no"; + $stream5_track_udp = "yes"; + if ($snortcfg['stream5_track_udp'] =="off") + $stream5_track_udp = "no"; + $stream5_track_icmp = "no"; + if ($snortcfg['stream5_track_icmp'] =="on") + $stream5_track_icmp = "yes"; + $stream5_require_3whs = ""; + if ($snortcfg['stream5_require_3whs'] == "on") + $stream5_require_3whs = ", require_3whs 0"; + $stream5_no_reassemble_async = ""; + if ($snortcfg['stream5_no_reassemble_async'] == "on") + $stream5_no_reassemble_async = ", dont_reassemble_async"; + $stream5_dont_store_lg_pkts = ""; + if ($snortcfg['stream5_dont_store_lg_pkts'] == "on") + $stream5_dont_store_lg_pkts = ", dont_store_large_packets"; + $stream5_max_queued_bytes_type = ""; + if ((!empty($snortcfg['max_queued_bytes'])) || ($snortcfg['max_queued_bytes'] == '0')) + $stream5_max_queued_bytes_type = ", max_queued_bytes {$snortcfg['max_queued_bytes']}"; + $stream5_max_queued_segs_type = ""; + if ((!empty($snortcfg['max_queued_segs'])) || ($snortcfg['max_queued_segs'] == '0')) + $stream5_max_queued_segs_type = ", max_queued_segs {$snortcfg['max_queued_segs']}"; + $stream5_mem_cap = ""; + if (!empty($snortcfg['stream5_mem_cap'])) + $stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}"; + $stream5_overlap_limit = "overlap_limit 0"; + if (!empty($snortcfg['stream5_overlap_limit'])) + $stream5_overlap_limit = "overlap_limit {$snortcfg['stream5_overlap_limit']}"; + $stream5_policy = "policy bsd"; + if (!empty($snortcfg['stream5_policy'])) + $stream5_policy = "policy {$snortcfg['stream5_policy']}"; + $stream5_tcp_timeout = "timeout 30"; + if (!empty($snortcfg['stream5_tcp_timeout'])) + $stream5_tcp_timeout = "timeout {$snortcfg['stream5_tcp_timeout']}"; + $stream5_udp_timeout = "timeout 30"; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_timeout = "timeout {$snortcfg['stream5_udp_timeout']}"; + $stream5_icmp_timeout = "timeout 30"; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_timeout = "timeout {$snortcfg['stream5_icmp_timeout']}"; + /* build snort configuration file */ $snort_conf_text = <<<EOD @@ -2732,12 +2999,13 @@ preprocessor normalize_ip6 preprocessor normalize_icmp6 # Flow and stream # -preprocessor frag3_global: max_frags 65536 -preprocessor frag3_engine: policy bsd detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180 +preprocessor frag3_global: {$frag3_memcap}, {$frag3_max_frags}{$frag3_disabled} +preprocessor frag3_engine: {$frag3_policy} detect_anomalies {$frag3_timeout} {$frag3_overlap_limit} {$frag3_min_frag_len} -preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5{$def_stream5_mem_cap} -preprocessor stream5_tcp: policy BSD, overlap_limit 10, timeout 180, ports both all{$def_max_queued_bytes_type}{$def_max_queued_segs_type} -preprocessor stream5_udp: timeout 180 +preprocessor stream5_global:{$stream5_reassembly} track_tcp {$stream5_track_tcp}, track_udp {$stream5_track_udp}, track_icmp {$stream5_track_icmp}, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5{$stream5_mem_cap} +preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}$stream5_dont_store_lg_pkts +preprocessor stream5_udp: {$stream5_udp_timeout} +preprocessor stream5_icmp: {$stream5_icmp_timeout} {$snort_preprocessors} diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 2f60b7ae..8abb4865 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -47,7 +47,7 @@ <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> <version>2.9.4.1</version> - <title>Services:2.9.4.1 pkg v. 2.5.7</title> + <title>Services:2.9.4.1 pkg v. 2.5.8</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> @@ -168,6 +168,16 @@ <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_log_view.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_list_view.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_rules_flowbits.php</item> + </additional_files_needed> <fields> </fields> <custom_add_php_command> diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 3fcbe6b7..eb0912c8 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -38,6 +38,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; +$supplist = array(); if ($_GET['instance']) $instanceid = $_GET['instance']; @@ -80,8 +81,10 @@ if ($_POST['todelete'] || $_GET['todelete']) { $ip = $_POST['todelete']; else if($_GET['todelete']) $ip = $_GET['todelete']; - if (is_ipaddr($ip)) + if (is_ipaddr($ip)) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); + $savemsg = "Host IP address {$ip} has been removed from the Bocked Hosts table."; + } } if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { @@ -99,7 +102,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ $s_list = array(); $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress"; $s_list['uuid'] = uniqid(); - $s_list['descr'] = "Auto generted list for suppress"; + $s_list['descr'] = "Auto-generated list for suppress"; $s_list['suppresspassthru'] = base64_encode($suppress); $a_suppress[] = $s_list; $a_instance[$instanceid]['suppresslistname'] = $s_list['name']; @@ -115,6 +118,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ } } } + $savemsg = "GID:SID '{$_GET['gen_id']}:{$_GET['sidid']}' has been added to the Suppress List."; write_config(); sync_snort_package_config(); } @@ -157,6 +161,9 @@ if ($_POST['download']) { exit; } +/* Load up an array with the current Suppression List GID,SID values */ +$supplist = snort_load_suppress_sigs($a_instance[$instanceid]); + $pgtitle = "Services: Snort: Snort Alerts"; include_once("head.inc"); @@ -177,6 +184,9 @@ if ($pconfig['arefresh'] == 'on') if ($input_errors) { print_input_errors($input_errors); // TODO: add checks } + if ($savemsg) { + print_info_box($savemsg); + } ?> <form action="/snort/snort_alerts.php" method="post" id="formalert"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -195,15 +205,14 @@ if ($pconfig['arefresh'] == 'on') </td></tr> <tr> <td> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> <tr> - <td width="22%" class="listtopic"><?php printf(gettext('Last %s Alert Entries.'),$anentries); ?></td> - <td width="78%" class="listtopic"><?php echo gettext('Latest Alert Entries Are Listed First.'); ?></td> + <td colspan="2" class="listtopic"><?php echo gettext("Alert Log View Settings"); ?></td> </tr> <tr> <td width="22%" class="vncell"><?php echo gettext('Instance to inspect'); ?></td> <td width="78%" class="vtable"> - <br/> <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').submit()"> + <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').submit()"> <?php foreach ($a_instance as $id => $instance) { $selected = ""; @@ -212,14 +221,14 @@ if ($pconfig['arefresh'] == 'on') echo "<option value='{$id}' {$selected}> (" . snort_get_friendly_interface($instance['interface']) . "){$instance['descr']}</option>\n"; } ?> - </select><br/> <?php echo gettext('Choose which instance alerts you want to inspect.'); ?> + </select> <?php echo gettext('Choose which instance alerts you want to inspect.'); ?> </td> <tr> <td width="22%" class="vncell"><?php echo gettext('Save or Remove Logs'); ?></td> <td width="78%" class="vtable"> - <input name="download" type="submit" class="formbtn" value="Download"> <?php echo gettext('All ' . - 'log files will be saved.'); ?> <a href="/snort/snort_alerts.php?action=clear&instance=<?=$instanceid;?>"> - <input name="delete" type="submit" class="formbtn" value="Clear" + <input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext('All ' . + 'log files will be saved.'); ?> <a href="/snort/snort_alerts.php?action=clear&instance=<?=$instanceid;?>"> + <input name="delete" type="submit" class="formbtns" value="Clear" onclick="return confirm('Do you really want to remove all instance logs?')"></a> <span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo ' ' . gettext('all log files will be deleted.'); ?> </td> @@ -227,31 +236,32 @@ if ($pconfig['arefresh'] == 'on') <tr> <td width="22%" class="vncell"><?php echo gettext('Auto Refresh and Log View'); ?></td> <td width="78%" class="vtable"> - <input name="save" type="submit" class="formbtn" value="Save"> + <input name="save" type="submit" class="formbtns" value="Save"> <?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> - <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> - <?php printf(gettext('Enter the number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> <tr> - <td colspan="2" ><br/><br/></td> + <td colspan="2" class="listtopic"><?php printf(gettext("Last %s Alert Entries"), $anentries); ?> + <?php echo gettext("(Most recent entries are listed first)"); ?></td> </tr> <tr> <td width="100%" colspan="2" class='vtable'> <table id="myTable" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> <thead> - <th class='listhdr' width='10%' axis="date"><?php echo gettext("Date"); ?></th> - <th class='listhdrr' width='5%' axis="number"><?php echo gettext("PRI"); ?></th> - <th class='listhdrr' width='3%' axis="string"><?php echo gettext("PROTO"); ?></th> - <th class='listhdrr' width='7%' axis="string"><?php echo gettext("CLASS"); ?></th> - <th class='listhdrr' width='15%' axis="string"><?php echo gettext("SRC"); ?></th> - <th class='listhdrr' width='5%' axis="string"><?php echo gettext("SRCPORT"); ?></th> - <th class='listhdrr' width='15%' axis="string"><?php echo gettext("DST"); ?></th> - <th class='listhdrr' width='5%' axis="string"><?php echo gettext("DSTPORT"); ?></th> - <th class='listhdrr' width='5%' axis="string"><?php echo gettext("SID"); ?></th> - <th class='listhdrr' width='20%' axis="string"><?php echo gettext("DESCRIPTION"); ?></th> + <th class="listhdrr" align="center" axis="date"><?php echo gettext("DATE"); ?></th> + <th class="listhdrr" align="center" axis="number"><?php echo gettext("PRI"); ?></th> + <th class="listhdrr" align="center"axis="string"><?php echo gettext("PROTO"); ?></th> + <th class="listhdrr" width="10%" axis="string"><?php echo gettext("CLASS"); ?></th> + <th class="listhdrr" width="25%" axis="string"><?php echo gettext("SRC"); ?></th> + <th class="listhdrr" align="center" axis="string"><?php echo gettext("SPORT"); ?></th> + <th class="listhdrr" width="25%" axis="string"><?php echo gettext("DST"); ?></th> + <th class="listhdrr" align="center" axis="string"><?php echo gettext("DPORT"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("SID"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("DESCRIPTION"); ?></th> </thead> <tbody> <?php @@ -269,8 +279,10 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { if(count($fields) < 11) continue; + /* Time */ + $alert_time = substr($fields[0], strpos($fields[0], '-')+1, -8); /* Date */ - $alert_date = substr($fields[0], 0, -8); + $alert_date = substr($fields[0], 0, strpos($fields[0], '-')); /* Description */ $alert_descr = $fields[4]; $alert_descr_url = urlencode($fields[4]); @@ -281,40 +293,43 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { /* IP SRC */ $alert_ip_src = $fields[6]; if (isset($tmpblocked[$fields[6]])) { - $alert_ip_src .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'> - <img title=\"" . gettext("Remove from blocked ips") . "\" border=\"0\" width='10' height='10' name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; + $alert_ip_src .= "<br/><a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'> + <img title=\"" . gettext("Remove from Blocked Hosts") . "\" border=\"0\" width='10' height='10' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/></a>"; } /* IP SRC Port */ $alert_src_p = $fields[7]; /* IP Destination */ $alert_ip_dst = $fields[8]; if (isset($tmpblocked[$fields[8]])) { - $alert_ip_dst .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'> - <img title=\"" . gettext("Remove from blocked ips") . "\" border=\"0\" width='10' height='10' name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; + $alert_ip_dst .= "<br/><a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'> + <img title=\"" . gettext("Remove from Blocked Hosts") . "\" border=\"0\" width='10' height='10' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/></a>"; } /* IP DST Port */ $alert_dst_p = $fields[9]; /* SID */ - $alert_sid_str = "{$fields[1]}:{$fields[2]}:{$fields[3]}"; + $alert_sid_str = "{$fields[1]}:{$fields[2]}"; + if (!isset($supplist[$fields[1]][$fields[2]])) { + $sidsupplink = "<a href='?instance={$instanceid}&act=addsuppress&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}'>"; + $sidsupplink .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='10' height='10' border='0' "; + $sidsupplink .= "title='" . gettext("Add GID:SID to Suppress List") . "'></a>"; + } + else { + $sidsupplink = "<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='10' height='10' border='0' "; + $sidsupplink .= "title='" . gettext("GID:SID already in Suppress List") . "'/>"; + } $alert_class = $fields[11]; echo "<tr> - <td class='listr' width='10%'>{$alert_date}</td> - <td class='listr' width='5%' >{$alert_priority}</td> - <td class='listr' width='3%'>{$alert_proto}</td> - <td class='listr' width='7%' >{$alert_class}</td> - <td class='listr' width='15%'>{$alert_ip_src}</td> - <td class='listr' width='5%'>{$alert_src_p}</td> - <td class='listr' width='15%'>{$alert_ip_dst}</td> - <td class='listr' width='5%'>{$alert_dst_p}</td> - <td class='listr' width='5%' > - {$alert_sid_str} - <a href='?instance={$instanceid}&act=addsuppress&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}'> - <img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' - width='10' height='10' border='0' - title='" . gettext("click to add to suppress list") . "'></a> - </td> - <td class='listr' width='20%'>{$alert_descr}</td> + <td class='listr' align='center'>{$alert_date}<br/>{$alert_time}</td> + <td class='listr' align='center'>{$alert_priority}</td> + <td class='listr' align='center'>{$alert_proto}</td> + <td class='listr' width='10%'>{$alert_class}</td> + <td class='listr' width='25%' align='center' style=\"word-break:break-all;\">{$alert_ip_src}</td> + <td class='listr' align='center'>{$alert_src_p}</td> + <td class='listr' width='25%' align='center' style=\"word-break:break-all;\">{$alert_ip_dst}</td> + <td class='listr' align='center'>{$alert_dst_p}</td> + <td class='listr' align='center'>{$alert_sid_str}<br/>{$sidsupplink}</td> + <td class='listr' style=\"word-wrap:break-word;\">{$alert_descr}</td> </tr>\n"; $counter++; diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 295218f6..bd7cabbc 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -134,7 +134,7 @@ if ($pconfig['brefresh'] == 'on') <?php if ($savemsg) print_info_box($savemsg); ?> <form action="/snort/snort_blocked.php" method="post"> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <?php @@ -152,44 +152,44 @@ if ($pconfig['brefresh'] == 'on') </tr> <tr> <td> - <table id="maintable" class="tabcont" width="100%" border="0" - cellpadding="0" cellspacing="0"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td width="22%" colspan="0" class="listtopic"><?php printf(gettext("Last %s " . - "Blocked."), $bnentries); ?></td> - <td width="78%" class="listtopic"><?php echo gettext("This page lists hosts that have " . - "been blocked by Snort."); ?> <?=$blocked_msg_txt;?></td> + <td colspan="2" class="listtopic"><?php echo gettext("Blocked Hosts Log View Settings"); ?></td> </tr> <tr> <td width="22%" class="vncell"><?php echo gettext("Save or Remove Hosts"); ?></td> <td width="78%" class="vtable"> - <input name="download" type="submit" class="formbtn" value="Download"> <?php echo gettext("All " . - "blocked hosts will be saved."); ?> <input name="remove" type="submit" - class="formbtn" value="Clear"> <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> + <input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext("All " . + "blocked hosts will be saved."); ?> <input name="remove" type="submit" + class="formbtns" value="Clear"> <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("all hosts will be removed."); ?> </td> </tr> <tr> <td width="22%" class="vncell"><?php echo gettext("Auto Refresh and Log View"); ?></td> <td width="78%" class="vtable"> - <input name="save" type="submit" class="formbtn" value="Save"> <?php echo gettext("Refresh"); ?> <input + <input name="save" type="submit" class="formbtns" value="Save"> <?php echo gettext("Refresh"); ?> <input name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> - <?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> <input + <?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> <input name="blertnumber" type="text" class="formfld" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>"> <?php printf(gettext("Enter the " . "number of blocked entries to view. %sDefault%s is %s500%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> <tr> + <td colspan="2" class="listtopic"><?php printf(gettext("Last %s Hosts Blocked by Snort"), $bnentries); ?></td> + </tr> + <tr> <td colspan="2"> - <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">#</td> - <td width="15%" class="listhdrr"><?php echo gettext("IP"); ?></td> - <td width="70%" class="listhdrr"><?php echo gettext("Alert Description"); ?></td> - <td width="5%" class="listhdrr"><?php echo gettext("Remove"); ?></td> - </tr> + <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="2" cellspacing="0"> + <thead> + <th class='listhdr' width="5%" class="listhdrr" align="center" axis="number">#</th> + <th class='listhdr' width="15%" class="listhdrr" align="center" axis="string"><?php echo gettext("IP"); ?></th> + <th class='listhdr' width="70%" class="listhdrr" axis="string"><?php echo gettext("Alert Description"); ?></th> + <th class='listhdr' width="5%" class="listhdrr" align="center"><?php echo gettext("Remove"); ?></th> + </thead> + <tbody> <?php /* set the arrays */ $blocked_ips_array = array(); @@ -233,10 +233,10 @@ if ($pconfig['brefresh'] == 'on') $src_ip_list[$blocked_ip] = array("N\A\n"); } - /* buil final list, preg_match, buld html */ + /* build final list, preg_match, build html */ $counter = 0; foreach($src_ip_list as $blocked_ip => $blocked_msg) { - $blocked_desc = "<br/>" . implode("<br/>", $blocked_msg); + $blocked_desc = implode("<br/>", $blocked_msg); if($counter > $bnentries) break; else @@ -244,22 +244,35 @@ if ($pconfig['brefresh'] == 'on') /* use one echo to do the magic*/ echo "<tr> - <td width='5%' > {$counter}</td> - <td width='15%' > {$blocked_ip}</td> - <td width='70%' > {$blocked_desc}</td> - <td width='5%' align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> + <td width='5%' align=\"center\" valign=\"middle\" class=\"listr\">{$counter}</td> + <td width='15%' valign=\"middle\" class=\"listr\">{$blocked_ip}</td> + <td width='70%' valign=\"middle\" class=\"listr\">{$blocked_desc}</td> + <td width='5%' align=\"center\" valign=\"middle\" class=\"listr\"><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> <img title=\"" . gettext("Delete") . "\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> </tr>\n"; } - echo "\n<tr><td colspan='4' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; - } else - echo "\n<tr><td colspan='4' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; - ?> + } + ?> + </tbody> </table> </td> </tr> - </table> + <tr> + <td colspan="2" class="vncell" align="center"> + <?php if (!empty($blocked_ips_array)) { + if ($counter > 1) + echo "{$counter}" . gettext(" host IP addresses are currently being blocked."); + else + echo "{$counter}" . gettext(" host IP address is currently being blocked."); + } + else { + echo gettext("There are currently no hosts being blocked by Snort."); + } + ?> + </td> + </tr> + </table> </td> </tr> </table> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index f69c3b98..c1c9ce46 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -36,7 +36,7 @@ require_once("service-utils.inc"); global $snort_gui_include, $vrt_enabled, $et_enabled, $rebuild_rules, $snort_rules_upd_log; global $protect_preproc_rules, $is_postinstall, $snort_community_rules_filename; -global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename; +global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename, $g; $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; @@ -558,8 +558,8 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = exec("/bin/rm -r {$snortdir}/tmp"); } - /* Restart snort if already running to pick up the new rules. */ - if (is_process_running("snort")) { + /* Restart snort if already running and we are not rebooting to pick up the new rules. */ + if (is_process_running("snort") && !$g['booting']) { update_status(gettext('Restarting Snort to activate the new set of rules...')); error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log); restart_service("snort"); diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 36319977..f2250236 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -88,18 +88,6 @@ include_once("head.inc"); <?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> <script language="javascript" type="text/javascript"> -function popup(url) -{ - params = 'width='+screen.width; - params += ', height='+screen.height; - params += ', top=0, left=0' - params += ', fullscreen=yes'; - - newwin=window.open(url,'LogViewer', params); - if (window.focus) {newwin.focus()} - return false; -} - function wopen(url, name, w, h) { // Fudge factors for window decoration space. diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index e96be262..4c21cdd9 100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -28,12 +28,6 @@ * POSSIBILITY OF SUCH DAMAGE. */ -// Turn on buffering to speed up rendering -ini_set('output_buffering','true'); - -// Start buffering with a cache size of 100000 -ob_start(null, "1000"); - $nocsrf = true; require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); @@ -225,6 +219,13 @@ if ($pfsense_stable == 'yes') </td> </tr> <?php $nnats = $i = 0; + +// Turn on buffering to speed up rendering +ini_set('output_buffering','true'); + +// Start buffering to fix display lag issues in IE9 and IE10 +ob_start(null, 0); + /* If no interfaces are defined, then turn off the "no rules" warning */ $no_rules_footnote = false; if ($id_gen == 0) @@ -344,7 +345,7 @@ foreach ($a_nat as $natent): ?> </table> </td> </tr> - <?php $i++; $nnats++; endforeach; ?> + <?php $i++; $nnats++; endforeach; ob_end_flush(); ?> <tr> <td class="list"></td> <td class="list" colspan="6"> diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 8d7b9c06..71cdc185 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -76,10 +76,6 @@ if (isset($_GET['dup'])) unset($id); if ($_POST["Submit"]) { - if ($_POST['descr'] == '' && $pconfig['descr'] == '') { - $input_errors[] = "Please enter a description for your reference."; - } - if (!$_POST['interface']) $input_errors[] = "Interface is mandatory"; @@ -89,7 +85,19 @@ if ($_POST["Submit"]) { $natent['interface'] = $_POST['interface']; $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; - if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else unset($natent['descr']); + + /* See if the HOME_NET, EXTERNAL_NET, WHITELIST or SUPPRESS LIST values were changed */ + $snort_reload = false; + if ($_POST['homelistname'] && ($_POST['homelistname'] <> $natent['homelistname'])) + $snort_reload = true; + if ($_POST['externallistname'] && ($_POST['externallistname'] <> $natent['externallistname'])) + $snort_reload = true; + if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname'])) + $snort_reload = true; + if ($_POST['whitelistname'] && ($_POST['whitelistname'] <> $natent['whitelistname'])) + $snort_reload = true; + + if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']); if ($_POST['performance']) $natent['performance'] = $_POST['performance']; else unset($natent['performance']); /* if post = on use on off or rewrite the conf */ if ($_POST['blockoffenders7'] == "on") $natent['blockoffenders7'] = 'on'; else $natent['blockoffenders7'] = 'off'; @@ -128,6 +136,15 @@ if ($_POST["Submit"]) { /* Update snort.conf and snort.sh files for this interface */ sync_snort_package_config(); + /*******************************************************/ + /* Signal Snort to reload configuration if we changed */ + /* HOME_NET, the Whitelist, EXTERNAL_NET or Suppress */ + /* list values. The function only signals a running */ + /* Snort instance to safely reload these parameters. */ + /*******************************************************/ + if ($snort_reload == true) + snort_reload_config($natent, $if_real); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); @@ -148,29 +165,6 @@ include_once("head.inc"); <?php include("fbegin.inc"); ?> -<script language="JavaScript"> -<!-- - -function enable_blockoffenders() { - var endis = !(document.iform.blockoffenders7.checked); - document.iform.blockoffenderskill.disabled=endis; - document.iform.blockoffendersip.disabled=endis; -} - -function enable_change(enable_change) { - endis = !(document.iform.enable.checked || enable_change); - // make sure a default answer is called if this is invoked. - endis2 = (document.iform.enable); - document.iform.performance.disabled = endis; - document.iform.blockoffenders7.disabled = endis; - document.iform.alertsystemlog.disabled = endis; - document.iform.externallistname.disabled = endis; - document.iform.homelistname.disabled = endis; - document.iform.suppresslistname.disabled = endis; - document.iform.configpassthru.disabled = endis; -} -//--> -</script> <?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> <?php @@ -220,7 +214,7 @@ function enable_change(enable_change) { <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Interface"); ?></td> <td width="78%" class="vtable"> - <select name="interface" class="formselect"> + <select name="interface" class="formselect" tabindex="0"> <?php if (function_exists('get_configured_interface_with_descr')) $interfaces = get_configured_interface_with_descr(); @@ -235,8 +229,8 @@ function enable_change(enable_change) { <?php if ($iface == $pconfig['interface']) echo "selected"; ?>><?=htmlspecialchars($ifacename);?> </option> <?php endforeach; ?> - </select><br> - <span class="vexpl"><?php echo gettext("Choose which interface this rule applies to."); ?><br/> + </select> + <span class="vexpl"><?php echo gettext("Choose which interface this Snort instance applies to."); ?><br/> <span class="red"><?php echo gettext("Hint:"); ?> </span><?php echo gettext("in most cases, you'll want to use WAN here."); ?></span><br/></td> </tr> <tr> @@ -244,8 +238,7 @@ function enable_change(enable_change) { <td width="78%" class="vtable"><input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> <br/> - <span class="vexpl"><?php echo gettext("You may enter a description here for your " . - "reference (not parsed)."); ?></span><br/></td> + <span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference."); ?></span><br/></td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Alert Settings"); ?></td> @@ -256,7 +249,7 @@ function enable_change(enable_change) { <td width="78%" class="vtable"><input name="alertsystemlog" type="checkbox" value="on" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?> - onClick="enable_change(false)"><br> + onClick="enable_change(false)"> <?php echo gettext("Snort will send Alerts to the firewall's system logs."); ?></td> </tr> <tr> @@ -264,7 +257,7 @@ function enable_change(enable_change) { <td width="78%" class="vtable"> <input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on" <?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?> - onClick="enable_blockoffenders()"><br> + onClick="enable_blockoffenders()"> <?php echo gettext("Checking this option will automatically block hosts that generate a " . "Snort alert."); ?></td> </tr> @@ -272,11 +265,11 @@ function enable_change(enable_change) { <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill states"); ?></td> <td width="78%" class="vtable"> <input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>> - <br/><?php echo gettext("Checking this option will kill firewall states for the blocked ip"); ?> + <?php echo gettext("Checking this option will kill firewall states for the blocked IP"); ?> </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Which ip to block"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to block"); ?></td> <td width="78%" class="vtable"> <select name="blockoffendersip" class="formselect" id="blockoffendersip"> <?php @@ -288,8 +281,8 @@ function enable_change(enable_change) { echo htmlspecialchars($btype) . '</option>'; } ?> - </select> - <br/><?php echo gettext("Which ip extracted from the packet you want to block"); ?> + </select> + <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?> </td> </tr> <tr> @@ -308,7 +301,8 @@ function enable_change(enable_change) { <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> <?=htmlspecialchars($ifacename2);?></option> <?php endforeach; ?> - </select><br> + </select> + <?php echo gettext("Choose a search performance setting"); ?><br/> <span class="vexpl"><?php echo gettext("LOWMEM and AC-BNFA are recommended for low end " . "systems, AC-SPLIT: low memory, high performance, short-hand for search-method ac split-any-any, AC: high memory, " . "best performance, -NQ: the -nq option specifies that matches should not be queued and evaluated as they are found," . @@ -320,86 +314,99 @@ function enable_change(enable_change) { <td width="22%" valign="top" class="vncell"><?php echo gettext("Checksum Check Disable"); ?></td> <td width="78%" class="vtable"> <input name="cksumcheck" id="cksumcheck" type="checkbox" value="on" <?php if ($pconfig['cksumcheck'] == "on") echo "checked"; ?>> - <br><?php echo gettext("If ticked, checksum checking on Snort will be disabled to improve performance."); ?> - <br><?php echo gettext("Most of this is already done at the firewall/filter level."); ?> + <?php echo gettext("Disable checksum checking within Snort to improve performance."); ?> + <br><span class="red"><?php echo gettext("Hint: ") . "</span>" . + gettext("Most of this is already done at the firewall/filter level, so it is usually safe to check this box."); ?> </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose the networks " . - "snort should inspect and whitelist."); ?></td> + "Snort should inspect and whitelist."); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Home net"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Home Net"); ?></td> <td width="78%" class="vtable"> + <select name="homelistname" class="formselect" id="homelistname"> - <?php - echo "<option value='default' >default</option>"; - /* find whitelist names and filter by type */ - if (is_array($snortglob['whitelist']['item'])) { - foreach ($snortglob['whitelist']['item'] as $value) { - $ilistname = $value['name']; - if ($ilistname == $pconfig['homelistname']) - echo "<option value='$ilistname' selected>"; - else - echo "<option value='$ilistname'>"; - echo htmlspecialchars($ilistname) . '</option>'; + <?php + echo "<option value='default' >default</option>"; + /* find whitelist names and filter by type */ + if (is_array($snortglob['whitelist']['item'])) { + foreach ($snortglob['whitelist']['item'] as $value) { + $ilistname = $value['name']; + if ($ilistname == $pconfig['homelistname']) + echo "<option value='$ilistname' selected>"; + else + echo "<option value='$ilistname'>"; + echo htmlspecialchars($ilistname) . '</option>'; + } } - } - ?> - </select><br/> - <span class="vexpl"><?php echo gettext("Choose the home net you will like this rule to " . - "use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default home " . - "net adds only local networks."); ?><br> - <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Most users add a list of " . - "friendly ips that the firewall cant see."); ?><br/></td> + ?> + </select> + <input type="button" class="formbtns" value="View List" + onclick="viewList('<?=$id;?>','homelistname')" id="btnHomeNet" + title="<?php echo gettext("Click to view currently selected Home Net contents"); ?>"/> + <br/> + <span class="vexpl"><?php echo gettext("Choose the Home Net you want this interface to use."); ?></span> + <br/></br> + <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default Home " . + "Net adds only local networks, WAN IPs, Gateways, VPNs and VIPs."); ?><br/> + <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Create an Alias to hold a list of " . + "friendly IPs that the firewall cannot see or to customize the default Home Net."); ?><br/> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("External net"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("External Net"); ?></td> <td width="78%" class="vtable"> <select name="externallistname" class="formselect" id="externallistname"> - <?php - echo "<option value='default' >default</option>"; - /* find whitelist names and filter by type */ - if (is_array($snortglob['whitelist']['item'])) { - foreach ($snortglob['whitelist']['item'] as $value) { - $ilistname = $value['name']; - if ($ilistname == $pconfig['externallistname']) - echo "<option value='$ilistname' selected>"; - else - echo "<option value='$ilistname'>"; - echo htmlspecialchars($ilistname) . '</option>'; + <?php + echo "<option value='default' >default</option>"; + /* find whitelist names and filter by type */ + if (is_array($snortglob['whitelist']['item'])) { + foreach ($snortglob['whitelist']['item'] as $value) { + $ilistname = $value['name']; + if ($ilistname == $pconfig['externallistname']) + echo "<option value='$ilistname' selected>"; + else + echo "<option value='$ilistname'>"; + echo htmlspecialchars($ilistname) . '</option>'; + } } - } - ?> - </select><br/> - <span class="vexpl"><?php echo gettext("Choose the external net you will like this rule " . - "to use."); ?> </span> <br/><span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default " . - "external net, networks that are not home net."); ?><br/> - <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Most users should leave this " . - "setting at default."); ?><br/></td> + ?> + </select> + <span class="vexpl"><?php echo gettext("Choose the External Net you want this interface " . + "to use."); ?></span> <br/><br/> + <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default " . + "External Net is networks that are not Home Net."); ?><br/> + <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Most users should leave this " . + "setting at default. Create an Alias for custom External Net settings."); ?><br/> + </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Whitelist"); ?></td> <td width="78%" class="vtable"> <select name="whitelistname" class="formselect" id="whitelistname"> - <?php - /* find whitelist names and filter by type, make sure to track by uuid */ - echo "<option value='default' >default</option>\n"; - if (is_array($snortglob['whitelist']['item'])) { - foreach ($snortglob['whitelist']['item'] as $value) { - if ($value['name'] == $pconfig['whitelistname']) - echo "<option value='{$value['name']}' selected>"; - else - echo "<option value='{$value['name']}'>"; - echo htmlspecialchars($value['name']) . '</option>'; + <?php + /* find whitelist names and filter by type, make sure to track by uuid */ + echo "<option value='default' >default</option>\n"; + if (is_array($snortglob['whitelist']['item'])) { + foreach ($snortglob['whitelist']['item'] as $value) { + if ($value['name'] == $pconfig['whitelistname']) + echo "<option value='{$value['name']}' selected>"; + else + echo "<option value='{$value['name']}'>"; + echo htmlspecialchars($value['name']) . '</option>'; + } } - } - ?> - </select><br> - <span class="vexpl"><?php echo gettext("Choose the whitelist you will like this rule to " . - "use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Note:"); ?></span><br/> <?php echo gettext("Default " . - "whitelist adds only local networks."); ?><br/> - <span class="red"><?php echo gettext("Note:"); ?></span><br/> <?php echo gettext("This option will only be used when block offenders is on."); ?> + ?> + </select> + <input type="button" class="formbtns" value="View List" onclick="viewList('<?=$id;?>','whitelistname')" + id="btnWhitelist" title="<?php echo gettext("Click to view currently selected Whitelist contents"); ?>"/> + <br/> + <span class="vexpl"><?php echo gettext("Choose the whitelist you want this interface to " . + "use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Default " . + "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?><br/> + <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("This option will only be used when block offenders is on."); ?> </td> </tr> <tr> @@ -424,10 +431,14 @@ function enable_change(enable_change) { } } ?> - </select><br> + </select> + <input type="button" class="formbtns" value="View List" onclick="viewList('<?=$id;?>','suppresslistname', 'suppress')" + id="btnSuppressList" title="<?php echo gettext("Click to view currently selected Suppression List contents"); ?>"/> + <br/> <span class="vexpl"><?php echo gettext("Choose the suppression or filtering file you " . - "will like this interface to use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Note:"); ?></span><br/> <?php echo gettext("Default " . - "option disables suppression and filtering."); ?></td> + "want this interface to use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Note: ") . "</span>" . + gettext("Default option disables suppression and filtering."); ?> + </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Arguments here will " . @@ -437,19 +448,19 @@ function enable_change(enable_change) { <td width="22%" valign="top" class="vncell"><?php echo gettext("Advanced configuration pass through"); ?></td> <td width="78%" class="vtable"> <textarea wrap="off" name="configpassthru" cols="65" rows="12" id="configpassthru"><?=htmlspecialchars($pconfig['configpassthru']);?></textarea> - </td> </tr> <tr> <td width="22%" valign="top"></td> - <td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save"> - <input name="id" type="hidden" value="<?=$id;?>"> + <td width="78%"><input name="Submit" type="submit" class="formbtn" value="Save" title="<?php echo + gettext("Click to save settings and exit"); ?>"/> + <input name="id" type="hidden" value="<?=$id;?>"/> </td> </tr> <tr> <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span><br/> - <?php echo gettext("Please save your settings before you click start."); ?> + <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("Please save your settings before you attempt to start Snort."); ?> </td> </tr> </table> @@ -458,8 +469,61 @@ function enable_change(enable_change) { </form> <script language="JavaScript"> <!-- -enable_change(false); -enable_blockoffenders(); +function enable_blockoffenders() { + var endis = !(document.iform.blockoffenders7.checked); + document.iform.blockoffenderskill.disabled=endis; + document.iform.blockoffendersip.disabled=endis; + document.iform.whitelistname.disabled=endis; + document.iform.btnWhitelist.disabled=endis; +} + +function enable_change(enable_change) { + endis = !(document.iform.enable.checked || enable_change); + // make sure a default answer is called if this is invoked. + endis2 = (document.iform.enable); + document.iform.performance.disabled = endis; + document.iform.blockoffenders7.disabled = endis; + document.iform.blockoffendersip.disabled=endis; + document.iform.blockoffenderskill.disabled=endis; + document.iform.alertsystemlog.disabled = endis; + document.iform.externallistname.disabled = endis; + document.iform.cksumcheck.disabled = endis; + document.iform.homelistname.disabled = endis; + document.iform.whitelistname.disabled=endis; + document.iform.suppresslistname.disabled = endis; + document.iform.configpassthru.disabled = endis; + document.iform.btnHomeNet.disabled=endis; + document.iform.btnWhitelist.disabled=endis; + document.iform.btnSuppressList.disabled=endis; +} + +function wopen(url, name, w, h) { + // Fudge factors for window decoration space. + // In my tests these work well on all platforms & browsers. + w += 32; + h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + +function getSelectedValue(elemID) { + var ctrl = document.getElementById(elemID); + return ctrl.options[ctrl.selectedIndex].value; +} + +function viewList(id, elemID, elemType) { + if (typeof elemType == "undefined") { + elemType = "whitelist"; + } + var url = "snort_list_view.php?id=" + id + "&wlist="; + url = url + getSelectedValue(elemID) + "&type=" + elemType; + wopen(url, 'WhitelistViewer', 640, 480); +} //--> </script> <?php include("fend.inc"); ?> diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 782b9784..1d2ad225 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -58,7 +58,7 @@ function is_validwhitelistname($name) { if (!is_string($name)) return false; - if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + if (!preg_match("/[^a-zA-Z0-9\_\.\/]/", $name)) return true; return false; @@ -88,7 +88,7 @@ if ($_POST['submit']) { $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; if (is_validwhitelistname($_POST['name']) == false) - $input_errors[] = "Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."; + $input_errors[] = "Whitelist file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."; /* check for name conflicts */ foreach ($a_suppress as $s_list) { @@ -151,8 +151,8 @@ if ($savemsg) <td width="78%" class="vtable"><input name="name" type="text" id="name" class="formfld unkown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> <span class="vexpl"> <?php echo gettext("The list name may only consist of the " . - "characters a-z, A-Z and 0-9."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> - <?php echo gettext("No Spaces."); ?> </span></td> + "characters \"a-z, A-Z, 0-9 and _\"."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> + <?php echo gettext("No Spaces or dashes."); ?> </span></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td> diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index 378530ba..2f2afdad 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -66,7 +66,7 @@ function is_validwhitelistname($name) { if (!is_string($name)) return false; - if (!preg_match("/[^a-zA-Z0-9\.\/]/", $name)) + if (!preg_match("/[^a-zA-Z0-9\_\.\/]/", $name)) return true; return false; @@ -80,6 +80,7 @@ if (isset($id) && $a_whitelist[$id]) { $pconfig['detail'] = $a_whitelist[$id]['detail']; $pconfig['address'] = $a_whitelist[$id]['address']; $pconfig['descr'] = html_entity_decode($a_whitelist[$id]['descr']); + $pconfig['localnets'] = $a_whitelist[$id]['localnets']; $pconfig['wanips'] = $a_whitelist[$id]['wanips']; $pconfig['wangateips'] = $a_whitelist[$id]['wangateips']; $pconfig['wandnsips'] = $a_whitelist[$id]['wandnsips']; @@ -102,7 +103,7 @@ if ($_POST['submit']) { $input_errors[] = gettext("Whitelist file names may not be named defaultwhitelist."); if (is_validwhitelistname($_POST['name']) == false) - $input_errors[] = gettext("Whitelist file name may only consist of the characters a-z, A-Z and 0-9 _. Note: No Spaces. Press Cancel to reset."); + $input_errors[] = gettext("Whitelist file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."); /* check for name conflicts */ foreach ($a_whitelist as $w_list) { @@ -124,6 +125,7 @@ if ($_POST['submit']) { /* post user input */ $w_list['name'] = $_POST['name']; $w_list['uuid'] = $whitelist_uuid; + $w_list['localnets'] = $_POST['localnets']? 'yes' : 'no'; $w_list['wanips'] = $_POST['wanips']? 'yes' : 'no'; $w_list['wangateips'] = $_POST['wangateips']? 'yes' : 'no'; $w_list['wandnsips'] = $_POST['wandnsips']? 'yes' : 'no'; @@ -179,8 +181,8 @@ if ($savemsg) <td class="vtable"><input name="name" type="text" id="name" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> <span class="vexpl"> <?php echo gettext("The list name may only consist of the " . - "characters a-z, A-Z and 0-9."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> - <?php echo gettext("No Spaces."); ?> </span></td> + "characters \"a-z, A-Z, 0-9 and _\"."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> + <?php echo gettext("No Spaces or dashes."); ?> </span></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td> @@ -190,24 +192,33 @@ if ($savemsg) "reference (not parsed)."); ?> </span></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add auto generated ips."); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add auto-generated IP Addresses."); ?></td> </tr> + + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Local Networks"); ?></td> + <td width="78%" class="vtable"><input name="localnets" type="checkbox" + id="localnets" size="40" value="yes" + <?php if($pconfig['localnets'] == 'yes'){ echo "checked";} if($pconfig['localnets'] == ''){ echo "checked";} ?> /> + <span class="vexpl"> <?php echo gettext("Add firewall Local Networks to the list (excluding WAN)."); ?> </span></td> + </tr> + <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("WAN IPs"); ?></td> <td width="78%" class="vtable"><input name="wanips" type="checkbox" id="wanips" size="40" value="yes" <?php if($pconfig['wanips'] == 'yes'){ echo "checked";} if($pconfig['wanips'] == ''){ echo "checked";} ?> /> - <span class="vexpl"> <?php echo gettext("Add WAN IPs to the list."); ?> </span></td> + <span class="vexpl"> <?php echo gettext("Add WAN interface IPs to the list."); ?> </span></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Wan Gateways"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("WAN Gateways"); ?></td> <td width="78%" class="vtable"><input name="wangateips" type="checkbox" id="wangateips" size="40" value="yes" <?php if($pconfig['wangateips'] == 'yes'){ echo "checked";} if($pconfig['wangateips'] == ''){ echo "checked";} ?> /> <span class="vexpl"> <?php echo gettext("Add WAN Gateways to the list."); ?> </span></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Wan DNS servers"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("WAN DNS servers"); ?></td> <td width="78%" class="vtable"><input name="wandnsips" type="checkbox" id="wandnsips" size="40" value="yes" <?php if($pconfig['wandnsips'] == 'yes'){ echo "checked";} if($pconfig['wandnsips'] == ''){ echo "checked";} ?> /> @@ -228,11 +239,11 @@ if ($savemsg) <span class="vexpl"> <?php echo gettext("Add VPN Addresses to the list."); ?> </span></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add your own custom ips."); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Add custom IP Addresses from configured Aliases."); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncellreq"> - <div id="addressnetworkport"><?php echo gettext("Alias of IP's"); ?></div> + <div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div> </td> <td width="78%" class="vtable"> <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" /> diff --git a/config/snort/snort_list_view.php b/config/snort/snort_list_view.php new file mode 100644 index 00000000..b7de064b --- /dev/null +++ b/config/snort/snort_list_view.php @@ -0,0 +1,103 @@ +<?php +/* + * snort_list_view.php + * + * Copyright (C) 2004, 2005 Scott Ullrich + * Copyright (C) 2011 Ermal Luci + * All rights reserved. + * + * Adapted for FreeNAS by Volker Theile (votdev@gmx.de) + * Copyright (C) 2006-2009 Volker Theile + * + * Adapted for Pfsense Snort package by Robert Zelaya + * Copyright (C) 2008-2009 Robert Zelaya + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g, $config; + +$contents = ''; + +$id = $_GET['id']; +$wlist = $_GET['wlist']; +$type = $_GET['type']; + +if (isset($id) && isset($wlist)) { + $a_rule = $config['installedpackages']['snortglobal']['rule'][$id]; + if ($type == "whitelist") { + $list = snort_build_list($a_rule, $wlist); + $contents = implode("\n", $list); + } + elseif ($type == "suppress") { + $list = snort_find_list($wlist, $type); + $contents = str_replace("\r", "", base64_decode($list['suppresspassthru'])); + } + else + $contents = gettext("\n\nERROR -- Requested List Type entity is not valid!"); +} +else + $contents = gettext("\n\nERROR -- Supplied interface or List entity is not valid!"); + +$pgtitle = array(gettext("Snort"), gettext(ucfirst($type) . " Viewer")); +?> + +<?php include("head.inc");?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<?php if ($savemsg) print_info_box($savemsg); ?> +<?php // include("fbegin.inc");?> + +<form action="snort_whitelist_view.php" method="post"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td class="tabcont"> + <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee"> + <tr> + <td class="pgtitle" colspan="2">Snort: <?php echo gettext(ucfirst($type) . " Viewer"); ?></td> + </tr> + <tr> + <td align="left" width="20%"> + <input type="button" class="formbtn" value="Return" onclick="window.close()"> + </td> + <td align="right"> + <b><?php echo gettext(ucfirst($type) . ": ") . '</b> ' . $_GET['wlist']; ?> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="label"> + <div style="background: #eeeeee; width:100%; height:100%;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea style="width:100%; height:100%;" readonly wrap="off" rows="25" cols="80" name="code2"><?=$contents;?></textarea> + </div> + </td> + </tr> + </table> + </td> +</tr> +</table> +</form> +<?php // include("fend.inc");?> +</body> +</html> diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index cf6146cf..705dfe24 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -59,20 +59,41 @@ $pconfig = array(); if (isset($id) && $a_nat[$id]) { $pconfig = $a_nat[$id]; - /* new options */ + /* Get current values from config for page form fields */ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth']; $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile']; $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth']; + $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly']; + $pconfig['stream5_require_3whs'] = $a_nat[$id]['stream5_require_3whs']; + $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp']; + $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp']; + $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp']; $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; + $pconfig['stream5_overlap_limit'] = $a_nat[$id]['stream5_overlap_limit']; + $pconfig['stream5_policy'] = $a_nat[$id]['stream5_policy']; $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap']; + $pconfig['stream5_tcp_timeout'] = $a_nat[$id]['stream5_tcp_timeout']; + $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout']; + $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout']; + $pconfig['stream5_no_reassemble_async'] = $a_nat[$id]['stream5_no_reassemble_async']; + $pconfig['stream5_dont_store_lg_pkts'] = $a_nat[$id]['stream5_dont_store_lg_pkts']; $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap']; + $pconfig['http_inspect_enable_xff'] = $a_nat[$id]['http_inspect_enable_xff']; + $pconfig['http_inspect_log_uri'] = $a_nat[$id]['http_inspect_log_uri']; + $pconfig['http_inspect_log_hostname'] = $a_nat[$id]['http_inspect_log_hostname']; $pconfig['noalert_http_inspect'] = $a_nat[$id]['noalert_http_inspect']; $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; + $pconfig['pscan_protocol'] = $a_nat[$id]['pscan_protocol']; + $pconfig['pscan_type'] = $a_nat[$id]['pscan_type']; + $pconfig['pscan_sense_level'] = $a_nat[$id]['pscan_sense_level']; + $pconfig['pscan_memcap'] = $a_nat[$id]['pscan_memcap']; + $pconfig['pscan_ignore_scanners'] = $a_nat[$id]['pscan_ignore_scanners']; $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; @@ -85,17 +106,24 @@ if (isset($id) && $a_nat[$id]) { $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc']; $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable']; $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules']; + $pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection']; + $pconfig['frag3_overlap_limit'] = $a_nat[$id]['frag3_overlap_limit']; + $pconfig['frag3_min_frag_len'] = $a_nat[$id]['frag3_min_frag_len']; + $pconfig['frag3_policy'] = $a_nat[$id]['frag3_policy']; + $pconfig['frag3_max_frags'] = $a_nat[$id]['frag3_max_frags']; + $pconfig['frag3_memcap'] = $a_nat[$id]['frag3_memcap']; + $pconfig['frag3_timeout'] = $a_nat[$id]['frag3_timeout']; /* If not using the Snort VRT rules, then disable */ /* the Sensitive Data (sdf) preprocessor. */ if ($vrt_enabled == "off") $pconfig['sensitive_data'] = "off"; - /**********************************************************/ - /* To keep new users from shooting themselves in the foot */ - /* enable the most common and necessary preprocessors by */ - /* default. */ - /**********************************************************/ + /************************************************************/ + /* To keep new users from shooting themselves in the foot */ + /* enable the most common required preprocessors by default */ + /* and set reasonable values for any options. */ + /************************************************************/ if (empty($pconfig['ftp_preprocessor'])) $pconfig['ftp_preprocessor'] = 'on'; if (empty($pconfig['smtp_preprocessor'])) @@ -114,29 +142,152 @@ if (isset($id) && $a_nat[$id]) { $pconfig['sip_preproc'] = 'on'; if (empty($pconfig['other_preprocs'])) $pconfig['other_preprocs'] = 'on'; + if (empty($pconfig['http_inspect_memcap'])) + $pconfig['http_inspect_memcap'] = "150994944"; + if (empty($pconfig['frag3_overlap_limit'])) + $pconfig['frag3_overlap_limit'] = '0'; + if (empty($pconfig['frag3_min_frag_len'])) + $pconfig['frag3_min_frag_len'] = '0'; + if (empty($pconfig['frag3_max_frags'])) + $pconfig['frag3_max_frags'] = '8192'; + if (empty($pconfig['frag3_policy'])) + $pconfig['frag3_policy'] = 'bsd'; + if (empty($pconfig['frag3_memcap'])) + $pconfig['frag3_memcap'] = '4194304'; + if (empty($pconfig['frag3_timeout'])) + $pconfig['frag3_timeout'] = '60'; + if (empty($pconfig['frag3_detection'])) + $pconfig['frag3_detection'] = 'on'; + if (empty($pconfig['stream5_reassembly'])) + $pconfig['stream5_reassembly'] = 'on'; + if (empty($pconfig['stream5_track_tcp'])) + $pconfig['stream5_track_tcp'] = 'on'; + if (empty($pconfig['stream5_track_udp'])) + $pconfig['stream5_track_udp'] = 'on'; + if (empty($pconfig['stream5_track_icmp'])) + $pconfig['stream5_track_icmp'] = 'off'; + if (empty($pconfig['stream5_require_3whs'])) + $pconfig['stream5_require_3whs'] = 'off'; + if (empty($pconfig['stream5_overlap_limit'])) + $pconfig['stream5_overlap_limit'] = '0'; + if (empty($pconfig['stream5_tcp_timeout'])) + $pconfig['stream5_tcp_timeout'] = '30'; + if (empty($pconfig['stream5_udp_timeout'])) + $pconfig['stream5_udp_timeout'] = '30'; + if (empty($pconfig['stream5_icmp_timeout'])) + $pconfig['stream5_icmp_timeout'] = '30'; + if (empty($pconfig['stream5_no_reassemble_async'])) + $pconfig['stream5_no_reassemble_async'] = 'off'; + if (empty($pconfig['stream5_dont_store_lg_pkts'])) + $pconfig['stream5_dont_store_lg_pkts'] = 'off'; + if (empty($pconfig['stream5_policy'])) + $pconfig['stream5_policy'] = 'bsd'; + if (empty($pconfig['pscan_protocol'])) + $pconfig['pscan_protocol'] = 'all'; + if (empty($pconfig['pscan_type'])) + $pconfig['pscan_type'] = 'all'; + if (empty($pconfig['pscan_memcap'])) + $pconfig['pscan_memcap'] = '10000000'; + if (empty($pconfig['pscan_sense_level'])) + $pconfig['pscan_sense_level'] = 'medium'; } /* Define the "disabled_preproc_rules.log" file for this interface */ $iface = snort_get_friendly_interface($pconfig['interface']); $disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; -if ($_POST) { +if ($_POST['ResetAll']) { + + /* Reset all the preprocessor settings to defaults */ + $pconfig['perform_stat'] = "off"; + $pconfig['server_flow_depth'] = "300"; + $pconfig['http_server_profile'] = "all"; + $pconfig['client_flow_depth'] = "300"; + $pconfig['stream5_reassembly'] = "on"; + $pconfig['stream5_require_3whs'] = "off"; + $pconfig['stream5_track_tcp'] = "on"; + $pconfig['stream5_track_udp'] = "on"; + $pconfig['stream5_track_icmp'] = "off"; + $pconfig['max_queued_bytes'] = "1048576"; + $pconfig['max_queued_segs'] = "2621"; + $pconfig['stream5_overlap_limit'] = "0"; + $pconfig['stream5_policy'] = "bsd"; + $pconfig['stream5_mem_cap'] = "8388608"; + $pconfig['stream5_tcp_timeout'] = "30"; + $pconfig['stream5_udp_timeout'] = "30"; + $pconfig['stream5_icmp_timeout'] = "30"; + $pconfig['stream5_no_reassemble_async'] = "off"; + $pconfig['stream5_dont_store_lg_pkts'] = "off"; + $pconfig['http_inspect'] = "on"; + $pconfig['http_inspect_enable_xff'] = "off"; + $pconfig['http_inspect_log_uri'] = "off"; + $pconfig['http_inspect_log_hostname'] = "off"; + $pconfig['noalert_http_inspect'] = "on"; + $pconfig['http_inspect_memcap'] = "150994944"; + $pconfig['other_preprocs'] = "on"; + $pconfig['ftp_preprocessor'] = "on"; + $pconfig['smtp_preprocessor'] = "on"; + $pconfig['sf_portscan'] = "off"; + $pconfig['pscan_protocol'] = "all"; + $pconfig['pscan_type'] = "all"; + $pconfig['pscan_sense_level'] = "medium"; + $pconfig['pscan_ignore_scanners'] = ""; + $pconfig['pscan_memcap'] = '10000000'; + $pconfig['dce_rpc_2'] = "on"; + $pconfig['dns_preprocessor'] = "on"; + $pconfig['sensitive_data'] = "off"; + $pconfig['ssl_preproc'] = "on"; + $pconfig['pop_preproc'] = "on"; + $pconfig['imap_preproc'] = "on"; + $pconfig['sip_preproc'] = "on"; + $pconfig['dnp3_preproc'] = "off"; + $pconfig['modbus_preproc'] = "off"; + $pconfig['gtp_preproc'] = "off"; + $pconfig['preproc_auto_rule_disable'] = "off"; + $pconfig['protect_preproc_rules'] = "off"; + $pconfig['frag3_detection'] = "on"; + $pconfig['frag3_overlap_limit'] = "0"; + $pconfig['frag3_min_frag_len'] = "0"; + $pconfig['frag3_policy'] = "bsd"; + $pconfig['frag3_max_frags'] = "8192"; + $pconfig['frag3_memcap'] = "4194304"; + $pconfig['frag3_timeout'] = "60"; + + /* Log a message at the top of the page to inform the user */ + $savemsg = "All preprocessor settings have been reset to the defaults."; +} +elseif ($_POST['Submit']) { $natent = array(); $natent = $pconfig; if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners'])) - $input_errors[] = "Only aliases are allowed"; + $input_errors[] = "Only aliases are allowed for the Portscan IGNORE_SCANNERS option."; /* if no errors write to conf */ if (!$input_errors) { /* post new options */ - if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = ""; } + if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; } if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } - if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = ""; } - if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } - if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } - if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = ""; } + if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; } + if ($_POST['http_inspect_memcap'] != "") { $natent['http_inspect_memcap'] = $_POST['http_inspect_memcap']; }else{ $natent['http_inspect_memcap'] = "150994944"; } + if ($_POST['stream5_overlap_limit'] != "") { $natent['stream5_overlap_limit'] = $_POST['stream5_overlap_limit']; }else{ $natent['stream5_overlap_limit'] = "0"; } + if ($_POST['stream5_policy'] != "") { $natent['stream5_policy'] = $_POST['stream5_policy']; }else{ $natent['stream5_policy'] = "bsd"; } + if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = "8388608"; } + if ($_POST['stream5_tcp_timeout'] != "") { $natent['stream5_tcp_timeout'] = $_POST['stream5_tcp_timeout']; }else{ $natent['stream5_tcp_timeout'] = "30"; } + if ($_POST['stream5_udp_timeout'] != "") { $natent['stream5_udp_timeout'] = $_POST['stream5_udp_timeout']; }else{ $natent['stream5_udp_timeout'] = "30"; } + if ($_POST['stream5_icmp_timeout'] != "") { $natent['stream5_icmp_timeout'] = $_POST['stream5_icmp_timeout']; }else{ $natent['stream5_icmp_timeout'] = "30"; } + if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = "1048576"; } + if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = "2621"; } + if ($_POST['pscan_protocol'] != "") { $natent['pscan_protocol'] = $_POST['pscan_protocol']; }else{ $natent['pscan_protocol'] = "all"; } + if ($_POST['pscan_type'] != "") { $natent['pscan_type'] = $_POST['pscan_type']; }else{ $natent['pscan_type'] = "all"; } + if ($_POST['pscan_memcap'] != "") { $natent['pscan_memcap'] = $_POST['pscan_memcap']; }else{ $natent['pscan_memcap'] = "10000000"; } if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; } + if ($_POST['frag3_overlap_limit'] != "") { $natent['frag3_overlap_limit'] = $_POST['frag3_overlap_limit']; }else{ $natent['frag3_overlap_limit'] = "0"; } + if ($_POST['frag3_min_frag_len'] != "") { $natent['frag3_min_frag_len'] = $_POST['frag3_min_frag_len']; }else{ $natent['frag3_min_frag_len'] = "0"; } + if ($_POST['frag3_policy'] != "") { $natent['frag3_policy'] = $_POST['frag3_policy']; }else{ $natent['frag3_policy'] = "bsd"; } + if ($_POST['frag3_max_frags'] != "") { $natent['frag3_max_frags'] = $_POST['frag3_max_frags']; }else{ $natent['frag3_max_frags'] = "8192"; } + if ($_POST['frag3_memcap'] != "") { $natent['frag3_memcap'] = $_POST['frag3_memcap']; }else{ $natent['frag3_memcap'] = "4194304"; } + if ($_POST['frag3_timeout'] != "") { $natent['frag3_timeout'] = $_POST['frag3_timeout']; }else{ $natent['frag3_timeout'] = "60"; } if ($_POST['pscan_ignore_scanners']) $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; @@ -145,6 +296,9 @@ if ($_POST) { $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; + $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off'; + $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off'; + $natent['http_inspect_log_hostname'] = $_POST['http_inspect_log_hostname'] ? 'on' : 'off'; $natent['noalert_http_inspect'] = $_POST['noalert_http_inspect'] ? 'on' : 'off'; $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off'; $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off'; @@ -163,6 +317,14 @@ if ($_POST) { $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off'; $natent['preproc_auto_rule_disable'] = $_POST['preproc_auto_rule_disable'] ? 'on' : 'off'; $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off'; + $natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off'; + $natent['stream5_reassembly'] = $_POST['stream5_reassembly'] ? 'on' : 'off'; + $natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off'; + $natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off'; + $natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off'; + $natent['stream5_require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off'; + $natent['stream5_no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off'; + $natent['stream5_dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off'; /* If 'preproc_auto_rule_disable' is off, then clear log file */ if ($natent['preproc_auto_rule_disable'] == 'off') @@ -201,10 +363,10 @@ if ($_POST) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_real} Preprocessors and Flow"; +$pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow"; include_once("head.inc"); ?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="enable_change_all()"> <?php include("fbegin.inc"); ?> <?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} @@ -227,24 +389,6 @@ include_once("head.inc"); <script type="text/javascript" src="/javascript/suggestions.js"> </script> -<script language="javascript" type="text/javascript"> - -function wopen(url, name, w, h) -{ -// Fudge factors for window decoration space. -// In my tests these work well on all platforms & browsers. -w += 32; -h += 96; - var win = window.open(url, - name, - 'width=' + w + ', height=' + h + ', ' + - 'location=no, menubar=no, ' + - 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); - win.resizeTo(w, h); - win.focus(); -} -</script> - <form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -275,24 +419,25 @@ h += 96; <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Preprocessors Configuration"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Performance Stats"); ?></td> <td width="78%" class="vtable"><input name="perform_stat" type="checkbox" value="on" - <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?> - onClick="enable_change(false)"> <?php echo gettext("Collect Performance Statistics for this interface."); ?></td> + <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?>> + <?php echo gettext("Collect Performance Statistics for this interface."); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Protect Customized Preprocessor Rules"); ?></td> <td width="78%" class="vtable"><input name="protect_preproc_rules" type="checkbox" value="on" <?php if ($pconfig['protect_preproc_rules']=="on") echo "checked "; - if ($vrt_enabled <> 'on') echo "disabled"; ?> - onClick="enable_change(false)"> <?php echo gettext("Check this box if you maintain customized preprocessor text rules files for this interface."); ?> + if ($vrt_enabled <> 'on') echo "disabled"; ?>> + <?php echo gettext("Check this box if you maintain customized preprocessor text rules files for this interface."); ?> <table width="100%" border="0" cellpadding="2" cellpadding="2"> <tr> <td width="3%"> </td> <td><?php echo gettext("Enable this only if you use customized preprocessor text rules files and " . "you do not want them overwritten by automatic Snort VRT rule updates. " . "This option is disabled when Snort VRT rules download is not enabled on the Global Settings tab."); ?><br/><br/> - <?php printf(gettext("%sHint:%s Most users should leave this unchecked."), '<span class="red"><strong>', '</strong></span>'); ?></span></td> + <?php echo "<span class=\"red\"><strong>" . gettext("Hint: ") . "</strong></span>" . + gettext("Most users should leave this unchecked."); ?></td> </tr> </table> </td> @@ -300,9 +445,9 @@ h += 96; <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Auto Rule Disable"); ?></td> <td width="78%" class="vtable"><input name="preproc_auto_rule_disable" type="checkbox" value="on" - <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?> - onClick="enable_change(false)"> <?php echo gettext("Auto-disable text rules dependent on disabled preprocessors for this interface. "); - echo gettext("Default is ") . '<strong>' . gettext("Not Checked."); ?></strong><br/> + <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?>> + <?php echo gettext("Auto-disable text rules dependent on disabled preprocessors for this interface. "); + echo gettext("Default is ") . '<strong>' . gettext("Not Checked"); ?></strong>.<br/> <table width="100%" border="0" cellpadding="2" cellpadding="2"> <tr> <td width="3%"> </td> @@ -329,11 +474,57 @@ h += 96; <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> <td width="78%" class="vtable"><input name="http_inspect" - type="checkbox" value="on" - <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?> - onClick="enable_change(false)"> <?php echo gettext("Use HTTP Inspect to " . + type="checkbox" value="on" id="http_inspect" onclick="http_inspect_enable_change()" + <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?>> + <?php echo gettext("Use HTTP Inspect to " . "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?> - <strong><?php echo gettext("Checked."); ?></strong></td> + <strong><?php echo gettext("Checked"); ?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable XFF/True-Client-IP"); ?></td> + <td width="78%" class="vtable"><input name="http_inspect_enable_xff" + type="checkbox" value="on" id="http_inspect_enable_xff" + <?php if ($pconfig['http_inspect_enable_xff']=="on") echo "checked"; ?>> + <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " . + "HTTP headers. Default is "); ?> + <strong><?php echo gettext("Not Checked"); ?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable URI Logging"); ?></td> + <td width="78%" class="vtable"><input name="http_inspect_log_uri" + type="checkbox" value="on" id="http_inspect_log_uri" + <?php if ($pconfig['http_inspect_log_uri']=="on") echo "checked"; ?>> + <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." . + " Default is "); ?> + <strong><?php echo gettext("Not Checked"); ?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Hostname Logging"); ?></td> + <td width="78%" class="vtable"><input name="http_inspect_log_hostname" + type="checkbox" value="on" id="http_inspect_log_hostname" + <?php if ($pconfig['http_inspect_log_hostname']=="on") echo "checked"; ?>> + <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." . + " Default is "); ?> + <strong><?php echo gettext("Not Checked"); ?></strong>.</td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("HTTP Inspect Memory Cap"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="http_inspect_memcap" type="text" class="formfld" + id="http_inspect_memcap" size="6" + value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>"> + <?php echo gettext("Max memory in bytes to use for URI and Hostname logging. Min is ") . + "<strong>" . gettext("2304") . "</strong>" . gettext(" and Max is ") . "<strong>" . + gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.</td> + </tr> + </table> + <?php echo gettext("Maximum amount of memory the preprocessor will us for logging the URI and Hostname data. The default " . + "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . gettext(" (144 MB)."); ?> + <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") . + gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>.<br/> + </td> </tr> <tr> <td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td> @@ -341,16 +532,16 @@ h += 96; <table cellpadding="0" cellspacing="0"> <tr> <td><input name="server_flow_depth" type="text" class="formfld" - id="flow_depth" size="6" + id="server_flow_depth" size="6" value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . "to <strong>65535</strong> (<strong>-1</strong> disables HTTP " . "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> </tr> </table> <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's " . - "performance may increase by adjusting this value."); ?><br> + "performance may increase by adjusting this value."); ?><br/> <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " . - "are specified in bytes. Recommended setting is maximum (65535). Default value is <strong>300</strong>"); ?><br> + "are specified in bytes. Recommended setting is maximum (65535). Default value is <strong>300</strong>"); ?><br/> </td> </tr> <tr> @@ -364,10 +555,10 @@ h += 96; <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>> <?=gettext($val);?></option> <?php endforeach; ?> - </select> <?php echo gettext("Choose the profile type of the protected web server."); ?><br> - <?php echo gettext(" The default is <strong>All</strong>. "); ?> - <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the "); ?> - <?php echo gettext("double decoding vulnerability present in those two versions."); ?><br> + </select> <?php echo gettext("Choose the profile type of the protected web server. The default is ") . + "<strong>" . gettext("All") . "</strong>"; ?><br/> + <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") . + gettext("double decoding vulnerability present in those versions."); ?><br/> </td> </tr> <tr> @@ -376,7 +567,7 @@ h += 96; <table cellpadding="0" cellspacing="0"> <tr> <td><input name="client_flow_depth" type="text" class="formfld" - id="flow_depth" size="6" + id="client_flow_depth" size="6" value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . "to <strong>1460</strong> (<strong>-1</strong> disables HTTP " . "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> @@ -385,22 +576,175 @@ h += 96; <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " . "performance may increase by adjusting this value."); ?><br> <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " . - "are specified in bytes. Recommended setting is maximum (1460). Default value is <strong>300</strong>"); ?><br> + "are specified in bytes. Recommended setting is maximum (1460). Default value is <strong>300</strong>"); ?><br/> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td> <td width="78%" class="vtable"><input name="noalert_http_inspect" - type="checkbox" value="on" + type="checkbox" value="on" id="noalert_http_inspect" <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?> onClick="enable_change(false)"> <?php echo gettext("Turn off alerts from HTTP Inspect " . "preprocessor. This has no effect on HTTP rules. Default is "); ?> - <strong><?php echo gettext("Checked."); ?></strong></td> + <strong><?php echo gettext("Checked"); ?></strong>.</td> + </tr> + + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="78%" class="vtable"><input name="frag3_detection" type="checkbox" value="on" onclick="frag3_enable_change()" + <?php if ($pconfig['frag3_detection']=="on") echo "checked "; ?> + onClick="enable_change(false)"> + <?php echo gettext("Use Frag3 Engine to detect IDS evasion attempts via target-based IP packet fragmentation. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_memcap" type="text" class="formfld" + id="frag3_memcap" size="6" + value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>"> + <?php echo gettext("Memory cap (in bytes) for self preservation."); ?>.</td> + </tr> + </table> + <?php echo gettext("The maximum amount of memory allocated for Frag3 fragment reassembly. Default value is ") . + "<strong>" . gettext("4MB") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_max_frags" type="text" class="formfld" + id="frag3_max_frags" size="6" + value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>"> + <?php echo gettext("Maximum simultaneous fragments to track."); ?></td> + </tr> + </table> + <?php echo gettext("The maximum number of simultaneous fragments to track. Default value is ") . + "<strong>8192</strong>."; ?><br> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_overlap_limit" type="text" class="formfld" + id="frag3_overlap_limit" size="6" + value="<?=htmlspecialchars($pconfig['frag3_overlap_limit']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), values greater than zero set the overlapped fragments per packet limit."); ?></td> + </tr> + </table> + <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . + "<strong>0</strong>" . gettext(" (unlimited)."); ?><br> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_min_frag_len" type="text" class="formfld" + id="frag3_min_frag_len" size="6" + value="<?=htmlspecialchars($pconfig['frag3_min_frag_len']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Fragments smaller than or equal to this limit are considered malicious."); ?></td> + </tr> + </table> + <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. Default value is ") . + "<strong>0</strong>" . gettext(" (check is disabled)."); ?><br> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="frag3_timeout" type="text" class="formfld" + id="frag3_timeout" size="6" + value="<?=htmlspecialchars($pconfig['frag3_timeout']);?>"> + <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?></td> + </tr> + </table> + <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") . + "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td> + <td width="78%" class="vtable"> + <select name="frag3_policy" class="formselect" id="frag3_policy"> + <?php + $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' ); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['frag3_policy']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") . + "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/> + <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/></td> + </td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="78%" class="vtable"><input name="stream5_reassembly" type="checkbox" value="on" onclick="stream5_enable_change()" + <?php if ($pconfig['stream5_reassembly']=="on") echo "checked "; ?>"> + <?php echo gettext("Use Stream5 session reassembly for TCP, UDP and/or ICMP traffic. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol Tracking"); ?></td> + <td width="78%" class="vtable"> + <input name="stream5_track_tcp" type="checkbox" value="on" id="stream5_track_tcp" + <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?>> + <?php echo gettext("Track and reassemble TCP sessions. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?> + <br/> + <input name="stream5_track_udp" type="checkbox" value="on" id="stream5_track_udp" + <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?>> + <?php echo gettext("Track and reassemble UDP sessions. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?> + <br/> + <input name="stream5_track_icmp" type="checkbox" value="on" id="stream5_track_icmp" + <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?>> + <?php echo gettext("Track and reassemble ICMP sessions. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td> + <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on" + <?php if ($pconfig['stream5_require_3whs']=="on") echo "checked "; ?>> + <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td> + <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on" + <?php if ($pconfig['stream5_no_reassemble_async']=="on") echo "checked "; ?>> + <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td> + <td width="78%" class="vtable"> + <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on" + <?php if ($pconfig['stream5_dont_store_lg_pkts']=="on") echo "checked "; ?>> + <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" . + gettext("Enabing this option could result in missed packets. Recommended setting is not checked."); ?></td> + </tr> + <tr> <td valign="top" class="vncell"><?php echo gettext("Max Queued Bytes"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> @@ -410,11 +754,11 @@ h += 96; value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>"> <?php echo gettext("Minimum is <strong>1024</strong>, Maximum is <strong>1073741824</strong> " . "( default value is <strong>1048576</strong>, <strong>0</strong> " . - "means Maximum )"); ?></td> + "means Maximum )"); ?>.</td> </tr> </table> <?php echo gettext("The number of bytes to be queued for reassembly for TCP sessions in " . - "memory. Default value is <strong>1048576</strong>"); ?><br> + "memory. Default value is <strong>1048576</strong>"); ?>.<br> </td> </tr> <tr> @@ -427,11 +771,11 @@ h += 96; value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>"> <?php echo gettext("Minimum is <strong>2</strong>, Maximum is <strong>1073741824</strong> " . "( default value is <strong>2621</strong>, <strong>0</strong> means " . - "Maximum )"); ?></td> + "Maximum )"); ?>.</td> </tr> </table> <?php echo gettext("The number of segments to be queued for reassembly for TCP sessions " . - "in memory. Default value is <strong>2621</strong>"); ?><br> + "in memory. Default value is <strong>2621</strong>"); ?>.<br> </td> </tr> <tr> @@ -443,25 +787,152 @@ h += 96; id="stream5_mem_cap" size="6" value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>"> <?php echo gettext("Minimum is <strong>32768</strong>, Maximum is <strong>1073741824</strong> " . - "( default value is <strong>8388608</strong>) "); ?></td> + "( default value is <strong>8388608</strong>) "); ?>.</td> </tr> </table> <?php echo gettext("The memory cap in bytes for TCP packet storage " . - "in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?><br> + "in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?>.<br> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="stream5_overlap_limit" type="text" class="formfld" + id="stream5_overlap_limit" size="6" + value="<?=htmlspecialchars($pconfig['stream5_overlap_limit']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), and the maximum is ") . + "<strong>255</strong>."; ?></td> + </tr> + </table> + <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . + "<strong>0</strong>" . gettext(" (unlimited)."); ?><br> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Session Timeout"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="stream5_tcp_timeout" type="text" class="formfld" + id="stream5_tcp_timeout" size="6" + value="<?=htmlspecialchars($pconfig['stream5_tcp_timeout']);?>"> + <?php echo gettext("TCP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . + "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> + </tr> + </table> + <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") . + "<strong>30</strong>" . gettext(" seconds."); ?><br> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="stream5_udp_timeout" type="text" class="formfld" + id="stream5_udp_timeout" size="6" + value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>"> + <?php echo gettext("UDP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . + "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> + </tr> + </table> + <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") . + "<strong>30</strong>" . gettext(" seconds."); ?><br> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="stream5_icmp_timeout" type="text" class="formfld" + id="stream5_icmp_timeout" size="6" + value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>"> + <?php echo gettext("ICMP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . + "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> + </tr> + </table> + <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") . + "<strong>30</strong>" . gettext(" seconds."); ?><br> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("IP Target Policy"); ?> </td> + <td width="78%" class="vtable"> + <select name="stream5_policy" class="formselect" id="stream5_policy"> + <?php + $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux', + 'Solaris', 'Vista', 'Windows', 'Win2003' ); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['stream5_policy']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the TCP reassembly target policy appropriate for the protected hosts. The default is ") . + "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/> + <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/></td> </td> </tr> - <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("Portscan Detection"); ?></td> - <td width="78%" class="vtable"><input name="sf_portscan" - type="checkbox" value="on" - <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td> + <td width="78%" class="vtable"><input name="sf_portscan" onclick="sf_portscan_enable_change()" + type="checkbox" value="on" id="sf_portscan" + <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>> + <?php echo gettext("Use Portscan Detection to detect various types of port scans and sweeps. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol"); ?> </td> + <td width="78%" class="vtable"> + <select name="pscan_protocol" class="formselect" id="pscan_protocol"> + <?php + $protos = array('all', 'tcp', 'udp', 'icmp', 'ip'); + foreach ($protos as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['pscan_protocol']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the Portscan protocol type to alert for (all, tcp, udp, icmp or ip). Default is ") . + "<strong>" . gettext("all") . "</strong>."; ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Scan Type"); ?> </td> + <td width="78%" class="vtable"> + <select name="pscan_type" class="formselect" id="pscan_type"> + <?php + $protos = array('all', 'portscan', 'portsweep', 'decoy_portscan', 'distributed_portscan'); + foreach ($protos as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['pscan_type']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the Portscan scan type to alert for. Default is ") . + "<strong>" . gettext("all") . "</strong>."; ?><br/> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td><?php echo gettext("PORTSCAN: one->one scan; one host scans multiple ports on another host."); ?></td> + </tr> + <tr> + <td><?php echo gettext("PORTSWEEP: one->many scan; one host scans a single port on multiple hosts."); ?></td> + </tr> + <tr> + <td><?php echo gettext("DECOY_PORTSCAN: one->one scan; attacker has spoofed source address inter-mixed with real scanning address."); ?></td> + </tr> + <tr> + <td><?php echo gettext("DISTRIBUTED_PORTSCAN: many->one scan; multiple hosts query one host for open services."); ?></td> + </tr> + <tr> + <td><?php echo gettext("ALL: alerts for all of the above scan types."); ?></td> + </tr> + </table> + </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td> @@ -474,22 +945,51 @@ h += 96; <?php if ($val == $pconfig['pscan_sense_level']) echo "selected"; ?>> <?=gettext(ucfirst($val));?></option> <?php endforeach; ?> - </select><br> - <?php echo gettext("LOW: alerts generated on error packets from the target host; "); ?> - <?php echo gettext("this setting should see few false positives. "); ?><br> - <?php echo gettext("MEDIUM: tracks connection counts, so will generate filtered alerts; may "); ?> - <?php echo gettext("false positive on active hosts."); ?><br> - <?php echo gettext("HIGH: tracks hosts using a time window; will catch some slow scans, but is "); ?> - <?php echo gettext("very sensitive to active hosts."); ?><br/> + </select> <?php echo gettext("Choose the Portscan sensitivity level (Low, Medium, High). Default is ") . + "<strong>" . gettext("Medium") . "</strong>."; ?><br/> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td><?php echo gettext("LOW: alerts generated on error packets from the target host; "); ?> + <?php echo gettext("this setting should see few false positives. "); ?></td> + </tr> + <tr> + <td><?php echo gettext("MEDIUM: tracks connection counts, so will generate filtered alerts; may "); ?> + <?php echo gettext("false positive on active hosts."); ?></td> + </tr> + <tr> + <td><?php echo gettext("HIGH: tracks hosts using a time window; will catch some slow scans, but is "); ?> + <?php echo gettext("very sensitive to active hosts."); ?></td> + </tr> + </table> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="pscan_memcap" type="text" class="formfld" + id="pscan_memcap" size="6" + value="<?=htmlspecialchars($pconfig['pscan_memcap']);?>"> + <?php echo gettext("Maximum memory in bytes to allocate for portscan detection. ") . + gettext("Default is ") . "<strong>" . gettext("10000000") . "</strong>" . + gettext(" (10 MB)"); ?>.</td> + </tr> + </table> + <?php echo gettext("The maximum number of bytes to allocate for portscan detection. The higher this number, ") . + gettext("the more nodes that can be tracked. Default is ") . + "<strong>10,000,000</strong>" . gettext(" bytes. (10 MB)"); ?><br> </td> </tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?> </td> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?></td> <td width="78%" class="vtable"> <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" - value="<?=$pconfig['pscan_ignore_scanners'];?>"> <br><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias.");?><br> - <?php echo gettext("Default value: \$HOME_NET."); ?><?php echo gettext(" Leave " . - "blank for default value."); ?> + value="<?=$pconfig['pscan_ignore_scanners'];?>"> <?php echo gettext("Leave blank for default. ") . + gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.<br/> + <?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?><br/> </td> + </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td> </tr> @@ -498,78 +998,70 @@ h += 96; <?php echo gettext("RPC Decode and Back Orifice detector"); ?></td> <td width="78%" class="vtable"><input name="other_preprocs" type="checkbox" value="on" - <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> + <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?>> <?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?></td> + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("FTP and Telnet Normalizer"); ?></td> <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on" - <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> + <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?>> <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?></td> + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("POP Normalizer"); ?></td> <td width="78%" class="vtable"><input name="pop_preproc" type="checkbox" value="on" - <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> + <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>> <?php echo gettext("Normalize/Decode POP protocol for enforcement and buffer overflows. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?></td> + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("IMAP Normalizer"); ?></td> <td width="78%" class="vtable"><input name="imap_preproc" type="checkbox" value="on" - <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> + <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?>> <?php echo gettext("Normalize/Decode IMAP protocol for enforcement and buffer overflows. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?></td> + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("SMTP Normalizer"); ?></td> <td width="78%" class="vtable"><input name="smtp_preprocessor" type="checkbox" value="on" - <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> + <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?>> <?php echo gettext("Normalize/Decode SMTP protocol for enforcement and buffer overflows. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?></td> + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("DCE/RPC2 Detection"); ?></td> <td width="78%" class="vtable"><input name="dce_rpc_2" type="checkbox" value="on" - <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> + <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?>> <?php echo gettext("The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?></td> + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("SIP Detection"); ?></td> <td width="78%" class="vtable"><input name="sip_preproc" type="checkbox" value="on" - <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> + <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>> <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?></td> + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("GTP Detection"); ?></td> <td width="78%" class="vtable"><input name="gtp_preproc" type="checkbox" value="on" - <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> + <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?>> <?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td> </tr> <tr> @@ -577,20 +1069,17 @@ h += 96; <?php echo gettext("DNS Detection"); ?></td> <td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on" - <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects some vulnerabilities. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?></td> + <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>> + <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects vulnerabilities. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("SSL Data"); ?></td> <td width="78%" class="vtable"> <input name="ssl_preproc" type="checkbox" value="on" - <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> + <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>> <?php echo gettext("SSL data searches for irregularities during SSL protocol exchange. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?> - </td> + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("Sensitive Data"); ?></td> @@ -600,9 +1089,9 @@ h += 96; echo "checked"; elseif ($vrt_enabled == "off") echo "disabled"; - ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?><br/> + ?>> + <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?> + <br/> <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?> </td> </tr> @@ -613,32 +1102,34 @@ h += 96; <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("Modbus Detection"); ?></td> <td width="78%" class="vtable"> <input name="modbus_preproc" type="checkbox" value="on" - <?php if ($pconfig['modbus_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Modbus is a protocol used in SCADA networks. The default port is TCP 502. If your network does " . - "not contain Modbus-enabled devices, you should leave this preprocessor disabled."); ?> + <?php if ($pconfig['modbus_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("Modbus is a protocol used in SCADA networks. The default port is TCP 502.") . "<br/>" . + gettext("If your network does not contain Modbus-enabled devices, you should leave this preprocessor disabled."); ?> </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("DNP3 Detection"); ?></td> <td width="78%" class="vtable"> <input name="dnp3_preproc" type="checkbox" value="on" - <?php if ($pconfig['dnp3_preproc']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("DNP3 is a protocol used in SCADA networks. The default port is TCP 20000. If your network does " . - "not contain DNP3-enabled devices, you should leave this preprocessor disabled."); ?> + <?php if ($pconfig['dnp3_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("DNP3 is a protocol used in SCADA networks. The default port is TCP 20000.") . "<br/>" . + gettext("If your network does not contain DNP3-enabled devices, you should leave this preprocessor disabled."); ?> </td> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> - <input name="id" type="hidden" value="<?=$id;?>"></td> + <input name="Submit" type="submit" class="formbtn" value="Save" title="<?php echo + gettext("Save preprocessor settings"); ?>"/> + <input name="id" type="hidden" value="<?=$id;?>"> + <input name="ResetAll" type="submit" class="formbtn" value="Reset" title="<?php echo + gettext("Reset all settings to defaults") . "\" onclick=\"return confirm('" . + gettext("WARNING: This will reset ALL preprocessor settings to their defaults. Click OK to continue or CANCEL to quit.") . + "')\""; ?>/></td> </tr> <tr> <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> - <br> + <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note: "); ?></strong></span> <?php echo gettext("Please save your settings before you click Start. Preprocessor changes will rebuild the rules file. "); ?> </br><?php echo gettext("This may take several seconds. Snort must also be restarted to activate any changes made on this screen."); ?></td> </tr> @@ -678,6 +1169,119 @@ function createAutoSuggest() { setTimeout("createAutoSuggest();", 500); +function frag3_enable_change() { + if (!document.iform.frag3_detection.checked) { + var msg = "WARNING: Disabling the Frag3 preprocessor is not recommended!\n\n"; + msg = msg + "Snort may fail to start because of other dependent preprocessors or "; + msg = msg + "rule options. Are you sure you want to disable it?\n\n"; + msg = msg + "Click OK to disable Frag3, or CANCEL to quit."; + if (!confirm(msg)) { + document.iform.frag3_detection.checked=true; + } + } + var endis = !(document.iform.frag3_detection.checked); + document.iform.frag3_overlap_limit.disabled=endis; + document.iform.frag3_min_frag_len.disabled=endis; + document.iform.frag3_policy.disabled=endis; + document.iform.frag3_max_frags.disabled=endis; + document.iform.frag3_memcap.disabled=endis; + document.iform.frag3_timeout.disabled=endis; +} + +function http_inspect_enable_change() { + var endis = !(document.iform.http_inspect.checked); + document.iform.http_inspect_enable_xff.disabled=endis; + document.iform.server_flow_depth.disabled=endis; + document.iform.client_flow_depth.disabled=endis; + document.iform.http_server_profile.disabled=endis; + document.iform.http_inspect_memcap.disabled=endis; + document.iform.http_inspect_log_uri.disabled=endis; + document.iform.http_inspect_log_hostname.disabled=endis; +} + +function sf_portscan_enable_change() { + var endis = !(document.iform.sf_portscan.checked); + document.iform.pscan_protocol.disabled=endis; + document.iform.pscan_type.disabled=endis; + document.iform.pscan_memcap.disabled=endis; + document.iform.pscan_sense_level.disabled=endis; + document.iform.pscan_ignore_scanners.disabled=endis; +} + +function stream5_enable_change() { + if (!document.iform.stream5_reassembly.checked) { + var msg = "WARNING: Stream5 is a critical preprocessor, and disabling it is not recommended! "; + msg = msg + "The following preprocessors require Stream5 and will be automatically disabled if currently enabled:\n\n"; + msg = msg + " SMTP\t\tPOP\t\tSIP\n"; + msg = msg + " SENSITIVE_DATA\tSF_PORTSCAN\tDCE/RPC 2\n"; + msg = msg + " IMAP\t\tDNS\t\tSSL\n"; + msg = msg + " GTP\t\tDNP3\t\tMODBUS\n\n"; + msg = msg + "Snort may fail to start because of other preprocessors or rule options dependent on Stream5. "; + msg = msg + "Are you sure you want to disable it?\n\n"; + msg = msg + "Click OK to disable Stream5, or CANCEL to quit."; + if (!confirm(msg)) { + document.iform.stream5_reassembly.checked=true; + } + else { + alert("If Snort fails to start with Stream5 disabled, examine the system log for clues."); + document.iform.smtp_preprocessor.checked=false; + document.iform.dce_rpc_2.checked=false; + document.iform.sip_preproc.checked=false; + document.iform.sensitive_data.checked=false; + document.iform.imap_preproc.checked=false; + document.iform.pop_preproc.checked=false; + document.iform.ssl_preproc.checked=false; + document.iform.dns_preprocessor.checked=false; + document.iform.modbus_preproc.checked=false; + document.iform.dnp3_preproc.checked=false; + document.iform.sf_portscan.checked=false; + sf_portscan_enable_change(); + } + } + + var endis = !(document.iform.stream5_reassembly.checked); + document.iform.max_queued_bytes.disabled=endis; + document.iform.max_queued_segs.disabled=endis; + document.iform.stream5_mem_cap.disabled=endis; + document.iform.stream5_policy.disabled=endis; + document.iform.stream5_overlap_limit.disabled=endis; + document.iform.stream5_no_reassemble_async.disabled=endis; + document.iform.stream5_dont_store_lg_pkts.disabled=endis; + document.iform.stream5_tcp_timeout.disabled=endis; + document.iform.stream5_udp_timeout.disabled=endis; + document.iform.stream5_icmp_timeout.disabled=endis; +} + +function enable_change_all() { + http_inspect_enable_change(); + sf_portscan_enable_change(); + + // Enable/Disable Frag3 settings + var endis = !(document.iform.frag3_detection.checked); + document.iform.frag3_overlap_limit.disabled=endis; + document.iform.frag3_min_frag_len.disabled=endis; + document.iform.frag3_policy.disabled=endis; + document.iform.frag3_max_frags.disabled=endis; + document.iform.frag3_memcap.disabled=endis; + document.iform.frag3_timeout.disabled=endis; + + // Enable/Disable Stream5 settings + endis = !(document.iform.stream5_reassembly.checked); + document.iform.max_queued_bytes.disabled=endis; + document.iform.max_queued_segs.disabled=endis; + document.iform.stream5_mem_cap.disabled=endis; + document.iform.stream5_policy.disabled=endis; + document.iform.stream5_overlap_limit.disabled=endis; + document.iform.stream5_no_reassemble_async.disabled=endis; + document.iform.stream5_dont_store_lg_pkts.disabled=endis; + document.iform.stream5_tcp_timeout.disabled=endis; + document.iform.stream5_udp_timeout.disabled=endis; + document.iform.stream5_icmp_timeout.disabled=endis; +} + +// Set initial state of form controls +enable_change_all(); + </script> <?php include("fend.inc"); ?> </body> diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 46c3c264..609eb052 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -67,7 +67,7 @@ function truncate($string, $length) { * truncation was necessary. * ********************************/ if (strlen($string) > $length) - $string = substr($string, 0, ($length - 3)) . "..."; + $string = substr($string, 0, ($length - 2)) . "..."; return $string; } @@ -300,17 +300,6 @@ function go() if (destination) location.href = destination; } -function popup(url) -{ - params = 'width='+screen.width; - params += ', height='+screen.height; - params += ', top=0, left=0' - params += ', fullscreen=yes'; - - newwin=window.open(url,'windowname4', params); - if (window.focus) {newwin.focus()} - return false; -} function wopen(url, name, w, h) { @@ -331,232 +320,237 @@ h += 96; <form action="/snort/snort_rules.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> -<tr><td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); - $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array(gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); -?> -</td></tr> -<tr> - <td> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td width="3%" class="list"> </td> - <td class="listhdr" colspan="4"> - <br/>Category: - <select id="selectbox" name="selectbox" class="formselect" onChange="go()"> - <option value='?id=<?=$id;?>&openruleset=custom.rules'>custom.rules</option> - <?php - $files = explode("||", $pconfig['rulesets']); - if ($a_rule[$id]['ips_policy_enable'] == 'on') - $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); - natcasesort($files); - foreach ($files as $value) { - if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_") - continue; - if ($emergingdownload != 'on' && substr($value, 0, 8) == "emerging") - continue; - if (empty($value)) - continue; - echo "<option value='?id={$id}&openruleset={$value}' "; - if ($value == $currentruleset) - echo "selected"; - echo ">{$value}</option>\n"; - } - ?> - </select> - <br/> - </td> - <td class="listhdr" colspan="3" valign="middle"> -<?php if ($currentruleset != 'custom.rules'): ?> - <?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetcategory'> - <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" - onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' - onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' - title='" . gettext("Click to remove enable/disable changes for rules in the selected category only") . "'></a>"?> - <?php echo gettext("Remove Enable/Disable changes in the current Category");?><br> - <?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetall'> - <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" - onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' - onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' - title='" . gettext("Click to remove all enable/disable changes for rules in all categories") . "'></a>"?> - <?php echo gettext("Remove all Enable/Disable changes in all Categories");?> -<?php endif;?> - </td> - <td width="3%" class="list"> </td> - </tr> -<?php if ($currentruleset == 'custom.rules'): ?> - <tr> - <td width="3%" class="list"> </td> - <td colspan="7" valign="top" class="vtable"> - <input type='hidden' name='openruleset' value='custom.rules'> - <input type='hidden' name='id' value='<?=$id;?>'> - - <textarea wrap="soft" cols="85" rows="40" name="customrules"><?=$pconfig['customrules'];?></textarea> - </td> - <td width="3%" class="list"> </td> - </tr> - <tr> - <td colspan="9"> </td> - </tr> - <tr> - <td width="3%" class="list"> </td> - <td colspan="7"> - <input name="Submit" type="submit" class="formbtn" value=" Save "> - <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> - <input name="clear" type="submit" class="formbtn" id="clear" value="Clear" onclick="return confirm('Do you really want to erase all custom rules?')"> - </td> - <td width="3%" class="list"> </td> - </tr> -<?php else: ?> - <tr> - <td width="3%" class="list"> </td> - <td colspan="7" class="listhdr" ><input type="submit" name="apply" id="apply" value="Apply Changes" class="formbtn"> - <?php echo gettext("Click to rebuild the rules with your changes. Snort must be restarted to use the new rules."); ?> - <input type='hidden' name='id' value='<?=$id;?>'></td> - <td width="3%" align="center" valign="middle" class="listt"><a href="javascript: void(0)" - onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>','FileViewer',800,600)"> - <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php - echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"' - onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_service_restart.gif\"' ";?> - title="<?php echo gettext("Click to view all rules"); ?>" width="17" height="17" border="0"></a></td> - </tr> - <tr id="frheader"> - <td width="3%" class="list"> </td> - <td width="9%" class="listhdrr"><?php echo gettext("SID"); ?></td> - <td width="2%" class="listhdrr"><?php echo gettext("Proto"); ?></td> - <td width="14%" class="listhdrr"><?php echo gettext("Source"); ?></td> - <td width="12%" class="listhdrr"><?php echo gettext("Port"); ?></td> - <td width="14%" class="listhdrr"><?php echo gettext("Destination"); ?></td> - <td width="12%" class="listhdrr"><?php echo gettext("Port"); ?></td> - <td width="31%" class="listhdrr"><?php echo gettext("Message"); ?></td> - <td width="3%" class="list"> </td> - </tr> -<?php - foreach (array_keys($rules_map) as $k1) { - foreach (array_keys($rules_map[$k1]) as $k2) { - $sid = snort_get_sid($rules_map[$k1][$k2]['rule']); - $gid = snort_get_gid($rules_map[$k1][$k2]['rule']); - if (isset($disablesid[$sid])) { - $textss = "<span class=\"gray\">"; - $textse = "</span>"; - $iconb = "icon_reject_d.gif"; - } - elseif (($rules_map[$k1][$k2]['disabled'] == 1) && (!isset($enablesid[$sid]))) { - $textss = "<span class=\"gray\">"; - $textse = "</span>"; - $iconb = "icon_block_d.gif"; - } - elseif (isset($enablesid[$sid])) { - $textss = $textse = ""; - $iconb = "icon_reject.gif"; - } - else { - $textss = $textse = ""; - $iconb = "icon_block.gif"; - } - - // Pick off the first section of the rule (prior to the start of the MSG field), - // and then use a REGX split to isolate the remaining fields into an array. - $tmp = substr($rules_map[$k1][$k2]['rule'], 0, strpos($rules_map[$k1][$k2]['rule'], "(")); - $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); - $rule_content = preg_split('/[\s]+/', $tmp); - - $protocol = truncate($rule_content[1], 5); //protocol location - $source = truncate($rule_content[2], 13); //source location - $source_port = truncate($rule_content[3], 11); //source port location - $destination = truncate($rule_content[5], 13); //destination location - $destination_port = truncate($rule_content[6], 11); //destination port location - $message = snort_get_msg($rules_map[$k1][$k2]['rule']); - - echo "<tr><td width=\"3%\" class=\"listt\" align=\"center\" valign=\"middle\"> $textss - <a href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'> - <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" - width=\"10\" height=\"10\" border=\"0\" - title='" . gettext("Click to toggle enabled/disabled state") . "'></a> - $textse - </td> - <td width=\"9%\" class=\"listlr\"> - $textss $sid $textse - </td> - <td width=\"2%\" class=\"listlr\"> - $textss $protocol $textse - </td> - <td width=\"14%\" class=\"listlr\"> - $textss $source $textse - </td> - <td width=\"12%\" class=\"listlr\"> - $textss $source_port $textse - </td> - <td width=\"14%\" class=\"listlr\"> - $textss $destination $textse - </td> - <td width=\"12%\" class=\"listlr\"> - $textss $destination_port $textse - </td> - <td width=\"31%\" class=\"listbg\" style=\"word-break:break-all;\"><font color=\"white\"> - $textss $message $textse - </td>"; + <tr><td class="tabnavtbl"> + <?php + $tab_array = array(); + $tab_array[] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php"); + $tab_array[] = array(gettext("If Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array(gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array(gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array(gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array(gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array(gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?> - <td width="3%" align="center" valign="middle" nowrap class="listt"> - <a href="javascript: void(0)" - onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" - title="<?php echo gettext("Click to view rule"); ?>" width="17" height="17" border="0"></a> - <!-- Codes by Quackit.com --> - </td> - </tr> -<?php - } - } -?> - - </table> - </td> -</tr> -<?php endif;?> -<tr> - <td colspan="9"> -<?php if ($currentruleset != 'custom.rules'): ?> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="16"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" - width="11" height="11"></td> - <td><?php echo gettext("Rule default is Enabled"); ?></td> - </tr> - <tr> - <td><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" - width="11" height="11"></td> - <td nowrap><?php echo gettext("Rule default is Disabled"); ?></td> - </tr> - <tr> - <td><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_reject.gif" - width="11" height="11"></td> - <td nowrap><?php echo gettext("Rule changed to Enabled by user"); ?></td> - </tr> - <tr> - <td><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_reject_d.gif" - width="11" height="11"></td> - <td nowrap><?php echo gettext("Rule changed to Disabled by user"); ?></td> - </tr> - </table> -<?php endif;?> + </td></tr> + <tr><td class="tabcont"> + <table width="100%" border="0" cellpadding="4" cellspacing="0"> + <tr> + <td class="listtopic"><?php echo gettext("Rule Categories"); ?></td> + </tr> + + <tr> + <td class="vncell" height="30px"><strong><?php echo gettext("Category:"); ?></strong> <select id="selectbox" name="selectbox" class="formselect" onChange="go()"> + <option value='?id=<?=$id;?>&openruleset=custom.rules'>custom.rules</option> + <?php + $files = explode("||", $pconfig['rulesets']); + if ($a_rule[$id]['ips_policy_enable'] == 'on') + $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); + natcasesort($files); + foreach ($files as $value) { + if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_") + continue; + if ($emergingdownload != 'on' && substr($value, 0, 8) == "emerging") + continue; + if (empty($value)) + continue; + echo "<option value='?id={$id}&openruleset={$value}' "; + if ($value == $currentruleset) + echo "selected"; + echo ">{$value}</option>\n"; + } + ?> + </select> <?php echo gettext("Select the rule category to view"); ?> + </td> + </tr> + + <?php if ($currentruleset == 'custom.rules'): ?> + <tr> + <td class="listtopic"><?php echo gettext("Defined Custom Rules"); ?></td> + </tr> + <tr> + <td valign="top" class="vtable"> + <input type='hidden' name='openruleset' value='custom.rules'> + <input type='hidden' name='id' value='<?=$id;?>'> + <textarea wrap="soft" cols="90" rows="40" name="customrules"><?=$pconfig['customrules'];?></textarea> + </td> + </tr> + <tr> + <td> + <input name="Submit" type="submit" class="formbtn" value="<?php echo gettext(" Save "); ?>" title=" <?php echo gettext("Save custom rules"); ?>"/> + <input type="button" class="formbtn" value=" <?php echo gettext("Cancel"); ?>" onclick="history.back()" title="<?php echo gettext("Cancel changes and return to last page"); ?>"/> + <input name="clear" type="submit" class="formbtn" id="clear" value="<?php echo gettext("Clear"); ?>" onclick="return confirm('<?php echo gettext("This will erase all custom rules for the interface. Are you sure?"); ?>')" title="<?php echo gettext("Deletes all custom rules"); ?>"/> + </td> + </tr> + <?php else: ?> + <tr> + <td class="listtopic"><?php echo gettext("SID Enable/Disable Overrides"); ?></td> + </tr> + <tr> + <td class="vncell"> + <table width="100%" align="center" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="55%" valign="middle" rowspan="2"><input type="submit" name="apply" id="apply" value="<?php echo gettext("Apply"); ?>" class="formbtn" + title="<?php echo gettext("Click to rebuild the rules with your changes"); ?>"/> + <input type='hidden' name='id' value='<?=$id;?>'/></td> + <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetcategory'> + <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' + onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' + title='" . gettext("Click to remove enable/disable changes for rules in the selected category only") . "'></a>"?> + <?php echo gettext("Remove Enable/Disable changes in the current Category"); ?></td> + </tr> + <tr> + <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetall'> + <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' + onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' + title='" . gettext("Click to remove all enable/disable changes for rules in all categories") . "'></a>"?> + <?php echo gettext("Remove all Enable/Disable changes in all Categories"); ?></td> + </tr> + <tr> + <td colspan="2" class="vexpl" valign="middle"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("Snort must be restarted to activate any SID enable/disable changes."); ?></td> + </tr> + </table> + </td> + </tr> + + <tr> + <td class="listtopic"><?php echo gettext("Selected Category Rules"); ?></td> + </tr> + + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="11px" class="list" align="left"> </td> + <td width="9%" class="listhdrr" align="center"><?php echo gettext("SID"); ?></td> + <td width="2%" class="listhdrr" align="center"><?php echo gettext("Proto"); ?></td> + <td width="14%" class="listhdrr" align="center"><?php echo gettext("Source"); ?></td> + <td width="12%" class="listhdrr" align="center"><?php echo gettext("Port"); ?></td> + <td width="14%" class="listhdrr" align="center"><?php echo gettext("Destination"); ?></td> + <td width="12%" class="listhdrr" align="center"><?php echo gettext("Port"); ?></td> + <td class="listhdrr" align="center"><?php echo gettext("Message"); ?></td> + <td width="18px" class="list" align="right"><a href="javascript: void(0)" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>','FileViewer',800,600)"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php + echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"' + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_service_restart.gif\"' ";?> + title="<?php echo gettext("Click to view full text of all the category rules"); ?>" width="17" height="17" border="0"></a></td> + </tr> + + <?php + foreach ($rules_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + $sid = snort_get_sid($v['rule']); + $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$sid])) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_reject_d.gif"; + } + elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_block_d.gif"; + } + elseif (isset($enablesid[$sid])) { + $textss = $textse = ""; + $iconb = "icon_reject.gif"; + } + else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + } + + // Pick off the first section of the rule (prior to the start of the MSG field), + // and then use a REGX split to isolate the remaining fields into an array. + $tmp = substr($v['rule'], 0, strpos($v['rule'], "(")); + $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); + $rule_content = preg_split('/[\s]+/', $tmp); + + $protocol = truncate($rule_content[1], 5); //protocol location + $source = truncate($rule_content[2], 13); //source location + $source_port = truncate($rule_content[3], 12); //source port location + $destination = truncate($rule_content[5], 13); //destination location + $destination_port = truncate($rule_content[6], 12); //destination port location + $message = snort_get_msg($v['rule']); + + echo "<tr><td width=\"11px\" class=\"listt\" align=\"left\" valign=\"middle\"> $textss + <a href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'> + <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" + width=\"11\" height=\"11\" border=\"0\" + title='" . gettext("Click to toggle enabled/disabled state") . "'></a> + $textse + </td> + <td width=\"9%\" class=\"listlr\" align=\"center\"> + $textss $sid $textse + </td> + <td width=\"2%\" class=\"listlr\" align=\"center\"> + $textss $protocol $textse + </td> + <td width=\"14%\" class=\"listlr\" align=\"center\"> + $textss $source $textse + </td> + <td width=\"12%\" class=\"listlr\" align=\"center\"> + $textss $source_port $textse + </td> + <td width=\"14%\" class=\"listlr\" align=\"center\"> + $textss $destination $textse + </td> + <td width=\"12%\" class=\"listlr\" align=\"center\"> + $textss $destination_port $textse + </td> + <td class=\"listbg\" style=\"word-wrap:break-word;\"><font color=\"white\"> + $textss $message $textse + </td>"; + ?> + <td width="18px" align="right" valign="middle" nowrap class="listt"> + <a href="javascript: void(0)" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"><img + src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" + title="<?php echo gettext("Click to view the entire rule text"); ?>" width="17" height="17" border="0"></a> + </td> + </tr> + <?php + } + } + unset($rulem, $v); + ?> + </table> + </td> + </tr> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="1"> + <tr> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" + width="11" height="11"></td> + <td><?php echo gettext("Rule default is Enabled"); ?></td> + </tr> + <tr> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" + width="11" height="11"></td> + <td nowrap><?php echo gettext("Rule default is Disabled"); ?></td> + </tr> + <tr> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_reject.gif" + width="11" height="11"></td> + <td nowrap><?php echo gettext("Rule changed to Enabled by user"); ?></td> + </tr> + <tr> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_reject_d.gif" + width="11" height="11"></td> + <td nowrap><?php echo gettext("Rule changed to Disabled by user"); ?></td> + </tr> + </table> + </td> + </tr> + <?php endif;?> + </table> </td> -</tr> -</table> -</td> -</tr> + </tr> </table> </form> <?php include("fend.inc"); ?> diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php new file mode 100644 index 00000000..104163f2 --- /dev/null +++ b/config/snort/snort_rules_flowbits.php @@ -0,0 +1,265 @@ +<?php +/* + * snort_rules_flowbits.php + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g, $flowbit_rules_file, $rebuild_rules; + +$snortdir = SNORTDIR; +$rules_map = array(); +$supplist = array(); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +$if_real = snort_get_real_interface($a_nat[$id]['interface']); +$snort_uuid = $a_nat[$id]['uuid']; + +/* We should normally never get to this page if Auto-Flowbits are disabled, but just in case... */ +if ($a_nat[$id]['autoflowbitrules'] == 'on') { + if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") && + filesize("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) { + $rules_map = snort_load_rules_map("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); + } + else + $savemsg = "There are no flowbit-required rules necessary for the current enforcing rule set."; +} +else + $input_errors[] = "Auto-Flowbit rule generation is disabled for this interface!"; + +if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + $descr = snort_get_msg($rules_map[$_GET['gen_id']][$_GET['sidid']]['rule']); + if (empty($descr)) + $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; + else + $suppress = "# {$descr}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}"; + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); + $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; + + if (empty($a_nat[$id]['suppresslistname']) || $a_nat[$id]['suppresslistname'] == 'default') { + $s_list = array(); + $s_list['name'] = $a_nat[$id]['interface'] . "suppress"; + $s_list['uuid'] = uniqid(); + $s_list['descr'] = "Auto-generated list for alert suppression"; + $s_list['suppresspassthru'] = base64_encode($suppress); + $a_suppress[] = $s_list; + $a_nat[$id]['suppresslistname'] = $s_list['name']; + } else { + foreach ($a_suppress as $a_id => $alist) { + if ($alist['name'] == $a_nat[$id]['suppresslistname']) { + if (!empty($alist['suppresspassthru'])) { + $tmplist = base64_decode($alist['suppresspassthru']); + $tmplist .= "\n{$suppress}"; + $alist['suppresspassthru'] = base64_encode($tmplist); + $a_suppress[$a_id] = $alist; + } + } + } + } + write_config(); + $rebuild_rules = "off"; + sync_snort_package_config(); + $savemsg = "Wrote suppress rule for gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']} to the {$a_nat[$id]['suppresslistname']} Suppression List."; +} + +function truncate($string, $length) { + + /******************************** + * This function truncates the * + * passed string to the length * + * specified adding ellipsis if * + * truncation was necessary. * + ********************************/ + if (strlen($string) > $length) + $string = substr($string, 0, ($length - 3)) . "..."; + return $string; +} + +/* Load up an array with the current Suppression List GID,SID values */ +$supplist = snort_load_suppress_sigs($a_nat[$id]); + +$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); +$pgtitle = "Services: Snort: {$if_friendly} Flowbit Rules"; +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> +<form action="snort_rules_flowbits.php" method="post" name="iform" id="iform"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td valign="middle" class="listtopic"><?php echo gettext("Auto-Generated Flowbit-Required Rules"); ?></td> + </tr> + <tr> + <td width="78%" class="vncell"> + <?php echo gettext("The rules listed below are required to be included in the rules set ") . + gettext("because they set flowbits that are checked and relied upon by rules in the enforcing rules set. ") . + gettext("If these dependent flowbits are not set, then some of your chosen rules may not fire. ") . + gettext("Enabling all the rules that set these dependent flowbits ensures your chosen rules fire as intended. ") . + gettext("Most flowbits rules contain the \"noalert\" keyword to prevent an alert from firing ") . + gettext("when the flowbit is detected. For those flowbit rules that do not contain the \"noalert\" option, click the ") . + gettext("icon displayed beside the Signature ID (SID) to add the alert to the Suppression List if desired."); ?></td> + </tr> + <tr> + <td valign="middle" class="listtopic"><?php echo gettext("Flowbit-Required Rules for {$if_friendly}"); ?></td> + </tr> + <tr> + <td width="78%" class="vncell"> + <table width="100%" border="0 cellspacing="2" cellpadding="0"> + <tr> + <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus.gif" width='12' height='12' border='0'/></td> + <td><span class="vexpl"><?php echo gettext("Alert is Not Suppressed"); ?></span></td> + <td rowspan="3" align="right"><input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="history.back()" <?php + echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/></td> + </tr> + <tr> + <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus_d.gif" width='12' height='12' border='0'/></td> + <td><span class="vexpl"><?php echo gettext("Alert has been Suppressed"); ?></span></td> + </tr> + <tr> + <td width="17px"> </td> + <td colspan="2" class="vexpl"><?php echo "<span class=\"red\"><strong>" . + gettext("Note: ") . "</strong></span>". gettext("the icon is only ") . + gettext("displayed for flowbit rules without the \"noalert\" option."); ?></td> + </tr> + </table> + </td> + </tr> + <tr> + <td> + <table id="myTable" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> + <thead> + <th width="12%" class="listhdrr" axis="number"><?php echo gettext("SID"); ?></th> + <td width="10%" class="listhdrr" axis="string"><?php echo gettext("Proto"); ?></th> + <th width="14%" class="listhdrr" axis="string"><?php echo gettext("Source"); ?></th> + <th width="14%" class="listhdrr" axis="string"><?php echo gettext("Destination"); ?></th> + <th width="20%" class="listhdrr" axis="string"><?php echo gettext("Flowbits"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Message"); ?></th> + <thead> + <tbody> + <?php + $count = 0; + foreach ($rules_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + $sid = snort_get_sid($v['rule']); + $gid = snort_get_gid($v['rule']); + + // Pick off the first section of the rule (prior to the start of the MSG field), + // and then use a REGX split to isolate the remaining fields into an array. + $tmp = substr($v['rule'], 0, strpos($v['rule'], "(")); + $tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp)); + $rule_content = preg_split('/[\s]+/', $tmp); + + $protocol = $rule_content[1]; //protocol + $source = truncate($rule_content[2], 14); //source + $destination = truncate($rule_content[5], 14); //destination + $message = snort_get_msg($v['rule']); + $flowbits = implode("; ", snort_get_flowbits($v['rule'])); + if (strstr($flowbits, "noalert")) + $supplink = ""; + else { + if (!isset($supplist[$gid][$sid])) { + $supplink = "<a href=\"?id={$id}&act=addsuppress&sidid={$sid}&gen_id={$gid}\">"; + $supplink .= "<img src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\""; + $supplink .= "width='12' height='12' border='0' title='"; + $supplink .= gettext("Click to add to Suppress List") . "'/></a>"; + } + else { + $supplink .= "<img src=\"../themes/{$g['theme']}/images/icons/icon_plus_d.gif\""; + $supplink .= "width='12' height='12' border='0' title='"; + $supplink .= gettext("Alert has been suppressed") . "'/>"; + } + } + + // Use "echo" to write the table HTML row-by-row. + echo "<tr>" . + "<td width=\"12%\" class=\"listr\">{$sid} {$supplink}</td>" . + "<td width=\"10%\" class=\"listr\">{$protocol}</td>" . + "<td width=\"14%\" class=\"listr\">{$source}</td>" . + "<td width=\"14%\" class=\"listr\">{$destination}</td>" . + "<td width=\"20%\" class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$flowbits}</td>" . + "<td class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$message}</td>" . + "</tr>"; + $count++; + } + } + unset($rulem, $v); + ?> + </tbody> + </table> + </td> + </tr> + <?php if ($count > 20): ?> + <tr> + <td align="center" valign="middle"> + <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="history.back()" <?php + echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> + <input name="id" type="hidden" value="<?=$id;?>" /> + </td> + </tr> + <?php endif; ?> +</table> +</td></tr> +</table> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 64998810..4a7380b1 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -299,7 +299,7 @@ function enable_change() ?> <tr> <td> - <table id="sortabletable1" class="sortable" width="100%" border="0" + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td colspan="6" class="listtopic"><?php echo gettext("Automatic flowbit resolution"); ?><br/></td> @@ -323,7 +323,7 @@ function enable_change() </tr> <tr> <td width="15%" class="listn"><?php echo gettext("Auto Flowbit Rules"); ?></td> - <td width="85%"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$flowbit_rules_file;?>','FileViewer',800,600)" <?php echo $btn_view_flowb_rules; ?>/> + <td width="85%"><input type="button" class="formbtn" value="View" onclick="parent.location='snort_rules_flowbits.php?id=<?=$id;?>'" <?php echo $btn_view_flowb_rules; ?>/> <span class="vexpl"><?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit dependencies"); ?></span></td> </tr> <tr> |