diff options
Diffstat (limited to 'config/snort')
| -rwxr-xr-x | config/snort/snort.inc | 123 | ||||
| -rwxr-xr-x | config/snort/snort_define_servers.php | 2 | ||||
| -rwxr-xr-x | config/snort/snort_interfaces_edit.php | 12 | ||||
| -rw-r--r-- | config/snort/snort_interfaces_global.php | 4 | ||||
| -rwxr-xr-x | config/snort/snort_preprocessors.php | 136 | ||||
| -rwxr-xr-x | config/snort/snort_rules.php | 6 |
6 files changed, 248 insertions, 35 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index dede1f1d..884c50ec 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -1197,9 +1197,11 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) { if ($rule2['disabled'] == 0) /* If not disabled, just return the rule text "as is" */ $required_flowbits_rules[$k1][$k2]['rule'] = ltrim($rule2['rule']); - else + else { /* If rule is disabled, remove leading '#' to enable it */ $required_flowbits_rules[$k1][$k2]['rule'] = ltrim(substr($rule2['rule'], strpos($rule2['rule'], "#") + 1)); + $required_flowbits_rules[$k1][$k2]['disabled'] = 0; + } } } } @@ -1335,8 +1337,10 @@ function snort_load_vrt_policy($policy) { $vrt_policy_rules[$k1][$k2] = $arulem2; /* Enable the policy rule if disabled */ - if ($arulem2['disabled'] == 1) + if ($arulem2['disabled'] == 1) { $vrt_policy_rules[$k1][$k2]['rule'] = ltrim(substr($arulem2['rule'], strpos($arulem2['rule'], "#") + 1)); + $vrt_policy_rules[$k1][$k2]['disabled'] = 0; + } } } } @@ -1441,8 +1445,10 @@ function snort_modify_sids(&$rule_map, $snortcfg) { if (!empty($enablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $enablesid) && $v['disabled'] == 1) + if (in_array($k2, $enablesid) && $v['disabled'] == 1) { $rule_map[$k1][$k2]['rule'] = ltrim($v['rule'], " \t#"); + $rule_map[$k1][$k2]['disabled'] = 0; + } } } } @@ -1452,8 +1458,10 @@ function snort_modify_sids(&$rule_map, $snortcfg) { if (!empty($disablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $disablesid) && $v['disabled'] == 0) + if (in_array($k2, $disablesid) && $v['disabled'] == 0) { $rule_map[$k1][$k2]['rule'] = "# " . $v['rule']; + $rule_map[$k1][$k2]['disabled'] = 1; + } } } } @@ -1765,6 +1773,10 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Process any enablesid or disablesid modifications for the selected rules. */ snort_modify_sids($enabled_rules, $snortcfg); + /* Check for and disable any rules dependent upon disabled preprocessors. */ + log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + snort_filter_preproc_rules($snortcfg, $enabled_rules); + /* Write the enforcing rules file to the Snort interface's "rules" directory. */ snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); unset($enabled_rules); @@ -1794,6 +1806,69 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map"); } +function snort_filter_preproc_rules($snortcfg, &$active_rules) { + + /**************************************************/ + /* This function checks the $active_rules array */ + /* for rule options dependent upon preprocessors. */ + /* Rules with rule options dependent upon any */ + /* non-enabled preprocessors are disabled to stop */ + /* start-up errors from unknown rule options. */ + /* */ + /* $snortcfg -> config parameters array for */ + /* the interface */ + /* $active_rules -> rules_map array of enabled */ + /* rules for the interface */ + /**************************************************/ + + global $config; + + if (empty($active_rules)) + return; + + /*************************************************** + * Construct an array of rule options with their * + * associated preprocessors. * + * * + * IMPORTANT -- Keep this part of the code current * + * with changes to preprocessor rule options in * + * Snort VRT rules. * + ***************************************************/ + $rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc", + "dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2", + "dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data", + "sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc", + "sip_header;" => "sip_preproc", "sip_body;" => "sip_preproc", + "gtp_type:" => "gtp_preproc", "gtp_info:" => "gtp_preproc", + "gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc", + "modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc", + "dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc", + "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc"); + + /*************************************************** + * Iterate the enabled rules, and check for rule * + * options that depend on disabled preprocessors. * + * Disable any of these preprocessor-dependent * + * rules we find. Once we find at least one * + * reason to disable the rule, stop further checks * + * and go to the next rule. * + ***************************************************/ + foreach ($active_rules as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if ($v['disabled'] == 0) + continue; + foreach ($rule_opts_preprocs as $opt => $preproc) { + $pcre = "/\s*\b" . $opt . "/i"; + if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) { + $active_rules[$k1][$k2]['rule'] = "# " . $v['rule']; + $active_rules[$k1][$k2]['disabled'] = 1; + break; + } + } + } + } +} + function snort_generate_conf($snortcfg) { global $config, $g; @@ -1902,7 +1977,8 @@ function snort_generate_conf($snortcfg) { "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", - "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502" + "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", + "GTP_PORTS" => "2123,2152,3386" ); $portvardef = ""; @@ -1927,6 +2003,10 @@ EOD; if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) $def_server_flow_depth_type = $snortcfg['server_flow_depth']; + $http_server_profile = "all"; + if (!empty($snortcfg['http_server_profile'])) + $http_server_profile = $snortcfg['http_server_profile']; + $def_client_flow_depth_type = '300'; if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) $def_client_flow_depth_type = $snortcfg['client_flow_depth']; @@ -1942,7 +2022,7 @@ EOD; # HTTP Inspect # preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 -preprocessor http_inspect_server: server default profile all {$noalert_http_inspect}\ +preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect}\ ports { {$http_ports} } \ http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ server_flow_depth {$def_server_flow_depth_type} \ @@ -2061,13 +2141,25 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB EOD; /* def sf_portscan */ + if (!empty($snortcfg['pscan_sense_level'])) + $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; + else + $sf_pscan_sense_level = "medium"; + + if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { + $sf_pscan_ignore_scanners = filter_expand_alias($snortcfg['pscan_ignore_scanners']); + $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); + } + else + $sf_pscan_ignore_scanners = "\$HOME_NET"; + $sf_portscan = <<<EOD # sf Portscan # preprocessor sfportscan: scan_type { all } \ proto { all } \ memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } + sense_level { {$sf_pscan_sense_level} } \ + ignore_scanners { {$sf_pscan_ignore_scanners} } EOD; @@ -2134,6 +2226,14 @@ preprocessor modbus: \ EOD; + /* def gtp_preprocessor */ + $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']); + $gtp_preproc = <<<EOD +# GTP preprocessor # +preprocessor gtp: ports { {$gtp_ports} } + +EOD; + $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']); $ssl_preproc = <<<EOD # Ignore SSL and Encryption # @@ -2180,11 +2280,11 @@ EOD; $snort_preproc_libs = array( "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", - "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", + "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" ); $snort_preprocessors = ""; @@ -2282,6 +2382,9 @@ config disable_tcpopt_alerts config disable_ipopt_alerts config disable_decode_drops +# Enable the GTP decoder # +config enable_gtp + # Configure PCRE match limitations config pcre_match_limit: 3500 config pcre_match_limit_recursion: 1500 diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 3a12b284..4085b325 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -75,7 +75,7 @@ $snort_ports = array( "sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", -"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", +"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", "GTP_PORTS" => "2123,2152,3386", "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index cec43bb7a..d0fabbf4 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -295,7 +295,9 @@ function enable_change(enable_change) { <td width="78%" class="vtable"> <select name="performance" class="formselect" id="performance"> <?php - $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', 'ac-banded' => 'AC-BANDED', 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS'); + $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'ac-split' => 'AC-SPLIT', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', + 'ac-nq' => 'AC-NQ', 'ac-bnfa-nq' => 'AC-BNFA-NQ', 'lowmem-nq' => 'LOWMEM-NQ', 'ac-banded' => 'AC-BANDED', + 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS'); foreach ($interfaces2 as $iface2 => $ifacename2): ?> <option value="<?=$iface2;?>" <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> @@ -303,10 +305,10 @@ function enable_change(enable_change) { <?php endforeach; ?> </select><br> <span class="vexpl"><?php echo gettext("LOWMEM and AC-BNFA are recommended for low end " . - "systems, AC: high memory, best performance, AC-STD: moderate " . - "memory,high performance, ACS: small memory, moderate performance, " . - "AC-BANDED: small memory,moderate performance, AC-SPARSEBANDS: small " . - "memory, high performance."); ?> + "systems, AC-SPLIT: low memory, high performance, short-hand for search-method ac split-any-any, AC: high memory, " . + "best performance, -NQ: the -nq option specifies that matches should not be queued and evaluated as they are found," . + " AC-STD: moderate memory, high performance, ACS: small memory, moderate performance, " . + "AC-BANDED: small memory,moderate performance, AC-SPARSEBANDS: small memory, high performance."); ?> </span><br/></td> </tr> <tr> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index eb371119..9dde8aaf 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -75,11 +75,11 @@ if (!$input_errors) { $retval = 0; - write_config(); - /* create whitelist and homenet file then sync files */ sync_snort_package_config(); + write_config(); + /* forces page to reload new settings */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 916fd413..7d0348e9 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -56,6 +56,7 @@ if (isset($id) && $a_nat[$id]) { /* new options */ $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth']; + $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile']; $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth']; $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; @@ -75,20 +76,31 @@ if (isset($id) && $a_nat[$id]) { $pconfig['sip_preproc'] = $a_nat[$id]['sip_preproc']; $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc']; $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc']; + $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc']; } if ($_POST) { $natent = array(); $natent = $pconfig; + if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners'])) + $input_errors[] = "Only aliases are allowed"; + /* if no errors write to conf */ if (!$input_errors) { /* post new options */ if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = ""; } + if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = ""; } if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = ""; } + if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; } + + if ($_POST['pscan_ignore_scanners']) + $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; + else + unset($natent['pscan_ignore_scanners']); $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; @@ -107,6 +119,7 @@ if ($_POST) { $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; $natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off'; $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; + $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -155,6 +168,10 @@ include_once("head.inc"); ?> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> <form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -174,10 +191,10 @@ include_once("head.inc"); <tr><td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong<?php echo gettext("Note:"); ?>> - </strong></span><br> - <?php echo gettext("Rules may be dependent on preprocessors!"); ?><br> + <td colspan="2" align="center" valign="middle"> + <span class="red"><strong><?php echo gettext("NOTE"); ?></strong></span><br> + <?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?> + <?php echo gettext("dependent rules being automatically disabled."); ?><br> <?php echo gettext("Defaults will be used when there is no user input."); ?><br></td> </tr> <tr> @@ -208,7 +225,7 @@ include_once("head.inc"); <tr> <td><input name="server_flow_depth" type="text" class="formfld" id="flow_depth" size="6" - value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . + value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . "to <strong>65535</strong> (<strong>-1</strong> disables HTTP " . "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> </tr> @@ -220,6 +237,23 @@ include_once("head.inc"); </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP server profile"); ?> </td> + <td width="78%" class="vtable"> + <select name="http_server_profile" class="formselect" id="http_server_profile"> + <?php + $profile = array('All', 'Apache', 'IIS', 'IIS_4.0', 'IIS_5.0'); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the profile type of the protected web server."); ?><br> + <?php echo gettext(" The default is <strong>All</strong>. "); ?> + <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the "); ?> + <?php echo gettext("double decoding vulnerability present in those two versions."); ?><br> + </td> + </tr> + <tr> <td valign="top" class="vncell"><?php echo gettext("HTTP client flow depth"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> @@ -298,6 +332,46 @@ include_once("head.inc"); "in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?><br> </td> </tr> + + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> + <?php echo gettext("Portscan Detection"); ?></td> + <td width="78%" class="vtable"><input name="sf_portscan" + type="checkbox" value="on" + <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td> + <td width="78%" class="vtable"> + <select name="pscan_sense_level" class="formselect" id="pscan_sense_level"> + <?php + $levels = array('low', 'medium', 'high'); + foreach ($levels as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['pscan_sense_level']) echo "selected"; ?>> + <?=gettext(ucfirst($val));?></option> + <?php endforeach; ?> + </select><br> + <?php echo gettext("LOW: alerts generated on error packets from the target host; "); ?> + <?php echo gettext("this setting should see few false positives. "); ?><br> + <?php echo gettext("MEDIUM: tracks connection counts, so will generate filtered alerts; may "); ?> + <?php echo gettext("false positive on active hosts."); ?><br> + <?php echo gettext("HIGH: tracks hosts using a time window; will catch some slow scans, but is "); ?> + <?php echo gettext("very sensitive to active hosts."); ?><br/> + </td> + </tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?> </td> + <td width="78%" class="vtable"> + <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" + value="<?=$pconfig['pscan_ignore_scanners'];?>"> <br><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias.");?><br> + <?php echo gettext("Default value: \$HOME_NET."); ?><?php echo gettext(" Leave " . + "blank for default value."); ?> + </td> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td> </tr> @@ -348,15 +422,6 @@ include_once("head.inc"); </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("Portscan Detection"); ?></td> - <td width="78%" class="vtable"><input name="sf_portscan" - type="checkbox" value="on" - <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("DCE/RPC2 Detection"); ?></td> <td width="78%" class="vtable"><input name="dce_rpc_2" type="checkbox" value="on" @@ -375,6 +440,15 @@ include_once("head.inc"); </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> + <?php echo gettext("GTP Detection"); ?></td> + <td width="78%" class="vtable"><input name="gtp_preproc" + type="checkbox" value="on" + <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + <?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("DNS Detection"); ?></td> <td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on" @@ -438,6 +512,40 @@ include_once("head.inc"); </table> </td></tr></table> </form> +<script type="text/javascript"> +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesports = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } else if ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesports .= ","; + $aliasesports .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } +?> + + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portsarray=new Array(<?php echo $aliasesports; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +</script> <?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 83e1ea8b..7457632d 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -362,7 +362,7 @@ function popup(url) <tr> <td width="3%" class="list"> </td> <td colspan="7" class="listhdr" > </td> - <td width="3%" align="center" valign="middle" class="list"><a href="javascript: void(0)" + <td width="3%" align="center" valign="middle" class="listt"><a href="javascript: void(0)" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>')"> <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"' @@ -371,7 +371,7 @@ function popup(url) </tr> <tr id="frheader"> <td width="3%" class="list"> </td> - <td width="9%" class="listhdr"><?php echo gettext("SID"); ?></td> + <td width="9%" class="listhdrr"><?php echo gettext("SID"); ?></td> <td width="2%" class="listhdrr"><?php echo gettext("Proto"); ?></td> <td width="14%" class="listhdrr"><?php echo gettext("Source"); ?></td> <td width="12%" class="listhdrr"><?php echo gettext("Port"); ?></td> @@ -446,7 +446,7 @@ function popup(url) $textss $message $textse </td>"; ?> - <td width="3%" align="center" valign="middle" nowrap class="list"> + <td width="3%" align="center" valign="middle" nowrap class="listt"> <a href="javascript: void(0)" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>')"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" |