diff options
Diffstat (limited to 'config/suricata/suricata_app_parsers.php')
| -rw-r--r-- | config/suricata/suricata_app_parsers.php | 392 |
1 files changed, 313 insertions, 79 deletions
diff --git a/config/suricata/suricata_app_parsers.php b/config/suricata/suricata_app_parsers.php index 0be45c32..c28b99d1 100644 --- a/config/suricata/suricata_app_parsers.php +++ b/config/suricata/suricata_app_parsers.php @@ -3,12 +3,23 @@ * suricata_app_parsers.php * part of pfSense * + * Significant portions of this code are based on original work done + * for the Snort package for pfSense from the following contributors: + * + * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * Copyright (C) 2006 Scott Ullrich + * Copyright (C) 2009 Robert Zelaya Sr. Developer + * Copyright (C) 2012 Ermal Luci + * All rights reserved. + * + * Adapted for Suricata by: * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: - * + * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * @@ -28,19 +39,18 @@ * POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); global $g, $rebuild_rules; -$id = $_GET['id']; -if (isset($_POST['id'])) +if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; -if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); - exit; -} +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + +if (is_null($id)) + $id = 0; if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); @@ -51,10 +61,21 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) if (!is_array($config['installedpackages']['suricata']['rule'][$id]['libhtp_policy']['item'])) $config['installedpackages']['suricata']['rule'][$id]['libhtp_policy']['item'] = array(); +// Initialize required array variables as necessary +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); +$a_aliases = $config['aliases']['alias']; + $a_nat = &$config['installedpackages']['suricata']['rule']; $libhtp_engine_next_id = count($a_nat[$id]['libhtp_policy']['item']); +// Build a lookup array of currently used engine 'bind_to' Aliases +// so we can screen matching Alias names from the list. +$used = array(); +foreach ($a_nat[$id]['libhtp_policy']['item'] as $v) + $used[$v['bind_to']] = true; + $pconfig = array(); if (isset($id) && $a_nat[$id]) { /* Get current values from config for page form fields */ @@ -78,29 +99,143 @@ if (isset($id) && $a_nat[$id]) { $pconfig['libhtp_policy'] = $a_nat[$id]['libhtp_policy']; } -// Check for returned "selected alias" if action is import -if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) { - $pconfig[$_GET['varname']] = $_GET['varvalue']; +// Check for "import or select alias mode" and set flags if TRUE. +// "selectalias", when true, displays radio buttons to limit +// multiple selections. +if ($_POST['import_alias']) { + $importalias = true; + $selectalias = false; + $title = "HTTP Server Policy"; } - -if ($_GET['act'] && isset($_GET['eng_id'])) { - +elseif ($_POST['select_alias']) { + $importalias = true; + $selectalias = true; + $title = "HTTP Server Policy"; + + // Preserve current Libhtp Policy Engine settings + $eng_id = $_POST['eng_id']; + $eng_name = $_POST['policy_name']; + $eng_bind = $_POST['policy_bind_to']; + $eng_personality = $_POST['personality']; + $eng_req_body_limit = $_POST['req_body_limit']; + $eng_resp_body_limit = $_POST['resp_body_limit']; + $eng_enable_double_decode_path = $_POST['enable_double_decode_path']; + $eng_enable_double_decode_query = $_POST['enable_double_decode_query']; + $mode = "add_edit_libhtp_policy"; +} +if ($_POST['save_libhtp_policy']) { + if ($_POST['eng_id'] != "") { + $eng_id = $_POST['eng_id']; + + // Grab all the POST values and save in new temp array + $engine = array(); + $policy_name = trim($_POST['policy_name']); + if ($policy_name) { + $engine['name'] = $policy_name; + } + else + $input_errors[] = gettext("The 'Policy Name' value cannot be blank."); + + if ($_POST['policy_bind_to']) { + if (is_alias($_POST['policy_bind_to'])) + $engine['bind_to'] = $_POST['policy_bind_to']; + elseif (strtolower(trim($_POST['policy_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + + if ($_POST['personality']) { $engine['personality'] = $_POST['personality']; } else { $engine['personality'] = "bsd"; } + + if (is_numeric($_POST['req_body_limit']) && $_POST['req_body_limit'] >= 0) + $engine['request-body-limit'] = $_POST['req_body_limit']; + else + $input_errors[] = gettext("The value for 'Request Body Limit' must be all numbers and greater than or equal to zero."); + + if (is_numeric($_POST['resp_body_limit']) && $_POST['resp_body_limit'] >= 0) + $engine['response-body-limit'] = $_POST['resp_body_limit']; + else + $input_errors[] = gettext("The value for 'Response Body Limit' must be all numbers and greater than or equal to zero."); + + if ($_POST['enable_double_decode_path']) { $engine['double-decode-path'] = 'yes'; }else{ $engine['double-decode-path'] = 'no'; } + if ($_POST['enable_double_decode_query']) { $engine['double-decode-query'] = 'yes'; }else{ $engine['double-decode-query'] = 'no'; } + + // Can only have one "all" Bind_To address + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") + $input_errors[] = gettext("Only one default OS-Policy Engine can be bound to all addresses."); + + // if no errors, write new entry to conf + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$id]['libhtp_policy']['item'][$eng_id]) { + $a_nat[$id]['libhtp_policy']['item'][$eng_id] = $engine; + } + else + $a_nat[$id]['libhtp_policy']['item'][] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat[$id]['libhtp_policy']['item']) > 1) { + $i = -1; + foreach ($a_nat[$id]['libhtp_policy']['item'] as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat[$id]['libhtp_policy']['item']) - 1))) { + $tmp = $a_nat[$id]['libhtp_policy']['item'][$i]; + unset($a_nat[$id]['libhtp_policy']['item'][$i]); + $a_nat[$id]['libhtp_policy']['item'][] = $tmp; + } + } + + // Now write the new engine array to conf + write_config(); + $pconfig['libhtp_policy']['item'] = $a_nat[$id]['libhtp_policy']['item']; + } + else { + $add_edit_libhtp_policy = true; + $pengcfg = $engine; + } + } +} +elseif ($_POST['add_libhtp_policy']) { + $add_edit_libhtp_policy = true; + $pengcfg = array( "name" => "engine_{$libhtp_engine_next_id}", "bind_to" => "", "personality" => "IDS", + "request-body-limit" => "4096", "response-body-limit" => "4096", + "double-decode-path" => "no", "double-decode-query" => "no" ); + $eng_id = $libhtp_engine_next_id; +} +elseif ($_POST['edit_libhtp_policy']) { + if ($_POST['eng_id'] != "") { + $add_edit_libhtp_policy = true; + $eng_id = $_POST['eng_id']; + $pengcfg = $a_nat[$id]['libhtp_policy']['item'][$eng_id]; + } +} +elseif ($_POST['del_libhtp_policy']) { $natent = array(); $natent = $pconfig; - if ($_GET['act'] == "del_libhtp_policy") - unset($natent['libhtp_policy']['item'][$_GET['eng_id']]); - + if ($_POST['eng_id'] != "") { + unset($natent['libhtp_policy']['item'][$_POST['eng_id']]); + $pconfig = $natent; + } if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; write_config(); } - - header("Location: /suricata/suricata_app_parsers.php?id=$id"); - exit; } - -if ($_POST['ResetAll']) { +elseif ($_POST['cancel_libhtp_policy']) { + $add_edit_libhtp_policy = false; +} +elseif ($_POST['ResetAll']) { /* Reset all the settings to defaults */ $pconfig['asn1_max_frames'] = "256"; @@ -108,7 +243,111 @@ if ($_POST['ResetAll']) { /* Log a message at the top of the page to inform the user */ $savemsg = gettext("All flow and stream settings have been reset to their defaults."); } -elseif ($_POST['Submit']) { +elseif ($_POST['save_import_alias']) { + // If saving out of "select alias" mode, + // then return to Libhtp Policy Engine edit + // page. + if ($_POST['mode'] == 'add_edit_libhtp_policy') { + $pengcfg = array(); + $eng_id = $_POST['eng_id']; + $pengcfg['name'] = $_POST['eng_name']; + $pengcfg['bind_to'] = $_POST['eng_bind']; + $pengcfg['personality'] = $_POST['eng_personality']; + $pengcfg['request-body-limit'] = $_POST['eng_req_body_limit']; + $pengcfg['response-body-limit'] = $_POST['eng_resp_body_limit']; + $pengcfg['double-decode-path'] = $_POST['eng_enable_double_decode_path']; + $pengcfg['double-decode-query'] = $_POST['eng_enable_double_decode_query']; + $add_edit_libhtp_policy = true; + $mode = "add_edit_libhtp_policy"; + + if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) == 1) { + $pengcfg['bind_to'] = $_POST['aliastoimport'][0]; + $importalias = false; + $selectalias = false; + } + else { + $input_errors[] = gettext("No Alias is selected for import. Nothing to SAVE."); + $importalias = true; + $selectalias = true; + $eng_id = $_POST['eng_id']; + $eng_name = $_POST['eng_name']; + $eng_bind = $_POST['eng_bind']; + $eng_personality = $_POST['eng_personality']; + $eng_req_body_limit = $_POST['eng_req_body_limit']; + $eng_resp_body_limit = $_POST['eng_resp_body_limit']; + $eng_enable_double_decode_path = $_POST['eng_enable_double_decode_path']; + $eng_enable_double_decode_query = $_POST['eng_enable_double_decode_query']; + } + } + else { + $engine = array( "name" => "", "bind_to" => "", "personality" => "IDS", + "request-body-limit" => "4096", "response-body-limit" => "4096", + "double-decode-path" => "no", "double-decode-query" => "no" ); + + // See if anything was checked to import + if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) > 0) { + foreach ($_POST['aliastoimport'] as $item) { + $engine['name'] = strtolower($item); + $engine['bind_to'] = $item; + $a_nat[$id]['libhtp_policy']['item'][] = $engine; + } + } + else { + $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); + $importalias = true; + } + + // if no errors, write new entry to conf + if (!$input_errors) { + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom if + // the array contains more than one entry. + if (count($a_nat[$id]['libhtp_policy']['item']) > 1) { + $i = -1; + foreach ($a_nat[$id]['libhtp_policy']['item'] as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + // Only relocate the entry if we + // found it, and it's not already + // at the end. + if ($i > -1 && ($i < (count($a_nat[$id]['libhtp_policy']['item']) - 1))) { + $tmp = $a_nat[$id]['libhtp_policy']['item'][$i]; + unset($a_nat[$id]['libhtp_policy']['item'][$i]); + $a_nat[$id]['libhtp_policy']['item'][] = $tmp; + } + $pconfig['libhtp_policy']['item'] = $a_nat[$id]['libhtp_policy']['item']; + } + + // Write the new engine array to config file + write_config(); + $importalias = false; + } + } +} +elseif ($_POST['cancel_import_alias']) { + $importalias = false; + $selectalias = false; + $eng_id = $_POST['eng_id']; + + // If cancelling out of "select alias" mode, + // then return to Libhtp Policy Engine edit + // page. + if ($_POST['mode'] == 'add_edit_libhtp_policy') { + $pengcfg = array(); + $pengcfg['name'] = $_POST['eng_name']; + $pengcfg['bind_to'] = $_POST['eng_bind']; + $pengcfg['personality'] = $_POST['eng_personality']; + $pengcfg['request-body-limit'] = $_POST['eng_req_body_limit']; + $pengcfg['response-body-limit'] = $_POST['eng_resp_body_limit']; + $pengcfg['double-decode-path'] = $_POST['eng_enable_double_decode_path']; + $pengcfg['double-decode-query'] = $_POST['eng_enable_double_decode_query']; + $add_edit_libhtp_policy = true; + } +} +elseif ($_POST['save']) { $natent = array(); $natent = $pconfig; @@ -122,15 +361,14 @@ elseif ($_POST['Submit']) { /**************************************************/ /* If we have a valid rule ID, save configuration */ - /* then update the suricata.conf file and rebuild */ - /* the rules for this interface. */ + /* then update the suricata.conf file for this */ + /* interface. */ /**************************************************/ if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; write_config(); - $rebuild_rules = true; - suricata_generate_yaml($natent); $rebuild_rules = false; + suricata_generate_yaml($natent); } header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -149,40 +387,33 @@ include_once("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} - - - /* Display Alert message */ - +<?php include("fbegin.inc"); + /* Display error or save message */ if ($input_errors) { - print_input_errors($input_errors); // TODO: add checks + print_input_errors($input_errors); } - if ($savemsg) { print_info_box($savemsg); } - ?> -<script type="text/javascript" src="/javascript/autosuggest.js"> -</script> -<script type="text/javascript" src="/javascript/suggestions.js"> -</script> - -<form action="suricata_app_parsers.php" method="post" - enctype="multipart/form-data" name="iform" id="iform"> +<form action="suricata_app_parsers.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id;?>"/> +<input type="hidden" name="eng_id" id="eng_id" value="<?=$eng_id;?>"/> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php $tab_array = array(); - $tab_array[] = array(gettext("Suricata Interfaces"), true, "/suricata/suricata_interfaces.php"); + $tab_array[] = array(gettext("Suricata Interfaces"), false, "/suricata/suricata_interfaces.php"); $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); - $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); + $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}"); + $tab_array[] = array(gettext("Blocked"), false, "/suricata/suricata_blocked.php"); + $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); - $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); - display_top_tabs($tab_array); + $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}"); + $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php"); + display_top_tabs($tab_array, true); echo '</td></tr>'; echo '<tr><td>'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); @@ -194,10 +425,29 @@ include_once("head.inc"); $tab_array[] = array($menu_iface . gettext("App Parsers"), true, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?> </td></tr> <tr><td><div id="mainarea"> + +<?php if ($importalias) : ?> + <?php include("/usr/local/www/suricata/suricata_import_aliases.php"); + if ($selectalias) { + echo '<input type="hidden" name="eng_name" value="' . $eng_name . '"/>'; + echo '<input type="hidden" name="eng_bind" value="' . $eng_bind . '"/>'; + echo '<input type="hidden" name="eng_personality" value="' . $eng_personality . '"/>'; + echo '<input type="hidden" name="eng_req_body_limit" value="' . $eng_req_body_limit . '"/>'; + echo '<input type="hidden" name="eng_resp_body_limit" value="' . $eng_resp_body_limit . '"/>'; + echo '<input type="hidden" name="eng_enable_double_decode_path" value="' . $eng_enable_double_decode_path . '"/>'; + echo '<input type="hidden" name="eng_enable_double_decode_query" value="' . $eng_enable_double_decode_query . '"/>'; + } + ?> + +<?php elseif ($add_edit_libhtp_policy) : ?> + <?php include("/usr/local/www/suricata/suricata_libhtp_policy_engine.php"); ?> + +<?php else: ?> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> @@ -231,25 +481,23 @@ include_once("head.inc"); <tr> <th class="listhdrr" axis="string"><?php echo gettext("Name");?></th> <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> - <th class="list" align="right"><a href="suricata_import_aliases.php?id=<?=$id?>&eng=libhtp_policy"> - <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" - height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"></a> - <a href="suricata_libhtp_policy_engine.php?id=<?=$id?>&eng_id=<?=$libhtp_engine_next_id?>"> - <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" - height="17" border="0" title="<?php echo gettext("Add a new server configuration");?>"></a></th> + <th class="list" align="right"><input type="image" name="import_alias[]" src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"/> + <input type="image" name="add_libhtp_policy[]" src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new server configuration");?>"></th> </tr> </thead> <?php foreach ($pconfig['libhtp_policy']['item'] as $f => $v): ?> <tr> <td class="listlr" align="left"><?=gettext($v['name']);?></td> <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> - <td class="listt" align="right"><a href="suricata_libhtp_policy_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> - <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" - width="17" height="17" border="0" title="<?=gettext("Edit this server configuration");?>"></a> + <td class="listt" align="right"><input type="image" name="edit_libhtp_policy[]" value="<?=$f;?>" onclick="document.getElementById('eng_id').value='<?=$f;?>'" + src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this server configuration");?>"/> <?php if ($v['bind_to'] <> "all") : ?> - <a href="suricata_app_parsers.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_libhtp_policy" onclick="return confirm('Are you sure you want to delete this entry?');"> - <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" - title="<?=gettext("Delete this server configuration");?>"></a> + <input type="image" name="del_libhtp_policy[]" value="<?=$f;?>" onclick="document.getElementById('eng_id').value='<?=$f;?>';return confirm('Are you sure you want to delete this entry?');" + src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this server configuration");?>"> <?php else : ?> <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" title="<?=gettext("Default server configuration cannot be deleted");?>"> @@ -263,9 +511,9 @@ include_once("head.inc"); <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save" title="<?php echo + <input name="save" type="submit" class="formbtn" value="Save" title="<?php echo gettext("Save flow and stream settings"); ?>"> - <input name="id" type="hidden" value="<?=$id;?>"> + <input name="ResetAll" type="submit" class="formbtn" value="Reset" title="<?php echo gettext("Reset all settings to defaults") . "\" onclick=\"return confirm('" . gettext("WARNING: This will reset ALL App Parsers settings to their defaults. Click OK to continue or CANCEL to quit.") . @@ -278,26 +526,12 @@ include_once("head.inc"); <?php echo gettext("may take several seconds. Suricata must also be restarted to activate any changes made on this screen."); ?></td> </tr> </table> + +<?php endif; ?> + </div> </td></tr></table> </form> -<script type="text/javascript"> -function wopen(url, name, w, h) -{ - // Fudge factors for window decoration space. - // In my tests these work well on all platforms & browsers. - w += 32; - h += 96; - var win = window.open(url, - name, - 'width=' + w + ', height=' + h + ', ' + - 'location=no, menubar=no, ' + - 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); - win.resizeTo(w, h); - win.focus(); -} - -</script> <?php include("fend.inc"); ?> </body> </html> |