Diffstat (limited to 'config')
-rwxr-xr-xconfig/dansguardian/dansguardian.inc21
-rwxr-xr-xconfig/dansguardian/dansguardian_groups.xml17
-rw-r--r--config/dansguardian/dansguardian_ldap.php6
-rw-r--r--config/dansguardian/dansguardian_limits.xml2
-rw-r--r--config/dansguardian/dansguardianfx.conf.template5
-rw-r--r--config/iperf.xml2
-rw-r--r--config/iperfserver.xml2
-rwxr-xr-xconfig/snort/snort.inc123
-rwxr-xr-xconfig/snort/snort_define_servers.php2
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php12
-rw-r--r--config/snort/snort_interfaces_global.php4
-rwxr-xr-xconfig/snort/snort_preprocessors.php136
-rwxr-xr-xconfig/snort/snort_rules.php6
-rw-r--r--config/squid-reverse/squid_ng.inc4
-rw-r--r--config/squid/squid_ng.inc4
15 files changed, 291 insertions, 55 deletions
diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc
index ae2b3264..3077eddb 100755
--- a/config/dansguardian/dansguardian.inc
+++ b/config/dansguardian/dansguardian.inc
@@ -301,14 +301,14 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) {
exec("/usr/bin/openssl x509 -hash -noout -in /etc/ssl/demoCA/cacert.pem",$cert_hash);
file_put_contents("/usr/local/share/certs/".$cert_hash[0].".0",base64_decode($ca_cert['crt']));
$ca_pem = "cacertificatepath = '/etc/ssl/demoCA/cacert.pem'";
- $generatedcertpath= "generatedcertpath = '/etc/ssl/demoCA/certs/'";
+ $generatedcertpath= "generatedcertpath = '".$dansguardian_dir."/ssl/generatedcerts'";
#generatedcertpath = ".$dansguardian_dir . "/ssl/generatedcerts";
$generatedlinkpath= "generatedlinkpath = '".$dansguardian_dir . "/ssl/generatedlinks'";
}
$svr_cert = lookup_cert($dansguardian_config["dcert"]);
if ($svr_cert != false) {
if(base64_decode($svr_cert['prv'])) {
- file_put_contents("/etc/ssl/demoCA/private/serverkey.pem",base64_decode($svr_cert['prv']));
+ file_put_contents("/etc/ssl/demoCA/private/serverkey.pem",base64_decode($svr_cert['prv']).base64_decode($svr_cert['crt']));
$cert_key = "certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem' ";
}
}
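Review bot: The server private key is written with `file_put_contents` and no permission tightening, so `/etc/ssl/demoCA/private/serverkey.pem` ends up with whatever the process umask allows; appending the certificate to the same file is harmless, but a file holding a private key should not be group- or world-readable. Add `chmod("/etc/ssl/demoCA/private/serverkey.pem", 0600);` immediately after the write. A few lines up, `$cert_hash[0]` is used without checking that the `openssl x509 -hash` call produced any output; an empty result would write the CA to a file literally named `.0`, so a `!empty($cert_hash[0])` guard is worth adding. sync_package_dansguardian continues outside the hunk.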
@@ -721,7 +721,7 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) {
'mode'=> "1",
'report_level'=>"global");
- $groups=array("scancleancache","hexdecodecontent","blockdownloads","enablepics","deepurlanalysis","infectionbypasserrorsonly","disablecontentscan","sslcertcheck","sslmitm");
+ $groups=array("scancleancache","hexdecodecontent","blockdownloads","enablepics","deepurlanalysis","infectionbypasserrorsonly","disablecontentscan","sslcheckcert","sslmitm");
#loop on array
$count=1;
$user_xml="";
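Review bot: Renaming the option key from `sslcertcheck` to `sslcheckcert` means a group whose saved `group_options` still contains the old value no longer matches the `preg_match("/$group/", ...)` loop further down and silently falls back to `off` after the upgrade. Where SSL certificate checking was previously enabled that is a quiet security regression for existing installs; mapping the old name forward before the loop, e.g. `$dansguardian_groups['group_options'] = str_replace('sslcertcheck', 'sslcheckcert', $dansguardian_groups['group_options']);`, or calling the change out in the package upgrade notes, would avoid it. The same rename appears in dansguardian_groups.xml and dansguardianfx.conf.template.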
@@ -737,7 +737,7 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) {
$dansguardian_groups['embeddedurlweight']=($dansguardian_groups['embeddedurlweight']?$dansguardian_groups['embeddedurlweight']:"0");
$dansguardian_groups['bypass']=($dansguardian_groups['bypass']?$dansguardian_groups['bypass']:"0");
$dansguardian_groups['infectionbypass']=($dansguardian_groups['infectionbypass']?$dansguardian_groups['infectionbypass']:"0");
- $dansguardian_groups['mitmkey']=($dansguardian_groups['mitmkey']?$dansguardian_groups['mitmkey']:"dgs3dD3da");
+ $dansguardian_groups['maxuploadsize']=($dansguardian_groups['maxuploadsize']?$dansguardian_groups['maxuploadsize']:$maxuploadsize);
switch ($dansguardian_groups['reportinglevel']){
case "1":
case "2":
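Review bot: Dropping the `mitmkey` default leaves `$dansguardian_groups['mitmkey']` unset for any group that never stored one, while dansguardianfx.conf.template now interpolates `{$dansguardian_groups['mitmkey']}` as a bare configuration line; when the value is set it must already be a complete `mitmkey = '...'` directive, and when unset an empty line is emitted. A comment at the removed line saying where that directive is now assembled would save the next reader a search, e.g. `# mitmkey directive is built elsewhere; the template emits it verbatim`. The new `$maxuploadsize` fallback is not defined anywhere in this hunk; if it comes from the global limits section it should itself carry a default, otherwise the template writes `maxuploadsize = ` with an empty value. sync_package_dansguardian continues outside the hunk.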
@@ -761,8 +761,10 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) {
$groupaccessdeniedaddress="";
}
- foreach ($groups as $group)
+ foreach ($groups as $group){
$dansguardian_groups[$group]=(preg_match("/$group/",$dansguardian_groups['group_options'])?"on":"off");
+ }
+
#create group list files
$lists=array("phraseacl" => array("bannedphrase","weightedphrase","exceptionphrase"),
"siteacl" => array("bannedsite","greysite","exceptionsite","exceptionfilesite","logsite"),
@@ -939,6 +941,7 @@ EOF;
$cconf= DANSGUARDIAN_DIR. "/etc/clamd.conf";
$cconf_file=file_get_contents($cconf);
if (preg_match("/User (\w+)/",$cconf_file,$matches)){
+ mwexec("/usr/sbin/pw user show {$matches[1]} || /usr/sbin/pw user add -n {$matches[1]} -s /usr/sbin/nologin");
$daemonuser = $matches[1];
$daemongroup = 'nobody';
}
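Review bot: The `pw user add` fallback interpolates `$matches[1]` into a shell command line; because the capture is `\w+` the value cannot carry shell metacharacters, but that invariant lives two lines away and deserves a comment on the new line: `// $matches[1] is \w+ only, so it is safe to interpolate into the command`. The return value of `mwexec` is ignored, so a failed user creation only surfaces later when clamd refuses to run as that user; capturing the result and reporting a non-zero status via `log_error` would make the failure visible at the point it happens. The enclosing function continues outside the hunk.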
@@ -1103,8 +1106,8 @@ EOF;
if (!(file_exists('/var/db/clamav/main.cvd')||file_exists('/var/db/clamav/main.cld'))){
file_notice("Dansguardian - No antivirus database found for clamav, running freshclam in background.","");
- log_error('No antivirus database found for clamav, running freshclam in background.');
- mwexec_bg(DANSGUARDIAN_DIR.'/bin/freshclam');
+ log_error('No antivirus database found for clamav, running freshclam in background. Content-scanner may not work until freshclam finishes.');
+ mwexec_bg(DANSGUARDIAN_DIR.'/bin/freshclam && /usr/local/etc/rc.d/clamav-clamd');
}
$match=array();
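Review bot: The background command invokes `/usr/local/etc/rc.d/clamav-clamd` with no action argument; rc.d scripts built on rc.subr print usage and exit when called without `start`/`restart`, so clamd is most likely not started after freshclam finishes — `... && /usr/local/etc/rc.d/clamav-clamd start` (or `onestart` if the service is not enabled in rc.conf) is what was presumably intended. The path is also hard-coded to `/usr/local` while the startup-script hunk further down rewrites `/usr/local` to `DANSGUARDIAN_DIR`; using `DANSGUARDIAN_DIR.'/etc/rc.d/clamav-clamd'` keeps the two consistent, assuming the rc script lives under that prefix. The enclosing block starts before the hunk.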
@@ -1130,12 +1133,16 @@ EOF;
foreach ($script_file as $script_line){
if(preg_match("/command=/",$script_line)){
$new_clamav_startup.= 'if [ ! -d /var/run/clamav ];then /bin/mkdir /var/run/clamav;fi'."\n";
+ $new_clamav_startup.= 'if [ ! -d /var/db/clamav ];then /bin/mkdir /var/db/clamav;fi'."\n";
+ $new_clamav_startup.= 'if [ ! -d /var/log/clamav ];then /bin/mkdir -p /var/log/clamav;fi'."\n";
$new_clamav_startup.= "chown -R ".$matches[1]." /var/run/clamav\n";
+ $new_clamav_startup.= "chown -R ".$matches[1]." /var/db/clamav\n";
$new_clamav_startup.= "chown -R ".$matches[1]." /var/log/clamav\n";
$new_clamav_startup.=$script_line;
}
elseif(!preg_match("/(mkdir|chown|sleep|mailscanner)/",$script_line)) {
$new_clamav_startup.=preg_replace("/NO/","YES",$script_line);
+ $new_clamav_startup.=preg_replace("@/usr/local@",DANSGUARDIAN_DIR,$script_line);
}
}
file_put_contents($script, $new_clamav_startup, LOCK_EX);
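Review bot: The two `preg_replace` calls in the `elseif` branch each append their own copy of `$script_line`, so every line reaching that branch is written twice into the new startup script — once with `NO` rewritten to `YES` and once with the path substituted, and never with both applied. The intended form is a single chained call: `$new_clamav_startup .= preg_replace("@/usr/local@", DANSGUARDIAN_DIR, preg_replace("/NO/", "YES", $script_line));`. The `/var/db/clamav` `mkdir` on the added line lacks the `-p` that the `/var/log/clamav` line has; if `/var/db` is ever absent the database directory creation fails silently. The enclosing loop starts before the hunk.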
diff --git a/config/dansguardian/dansguardian_groups.xml b/config/dansguardian/dansguardian_groups.xml
index 031ae88b..fc9ff8a8 100755
--- a/config/dansguardian/dansguardian_groups.xml
+++ b/config/dansguardian/dansguardian_groups.xml
@@ -150,11 +150,11 @@
<option><name>Enable Deep URL Analysis (off)</name><value>deepurlanalysis</value></option>
<option><name>Infection/Scan Error Bypass on Scan Errors Only (on)</name><value>infectionbypasserrorsonly</value></option>
<option><name>Disable content scanning (off)</name><value>disablecontentscan</value></option>
- <option><name>Check servers ssl certificates (off)</name><value>sslcertcheck</value></option>
+ <option><name>Check Server SSLCertificates (off)</name><value>sslcheckcert</value></option>
<option><name>Filter ssl sites forging SSL Certificates (off)</name><value>sslmitm</value></option>
</options>
<multiple/>
- <size>10</size>
+ <size>9</size>
</field>
<field>
<fielddescr>Pics</fielddescr>
@@ -298,7 +298,7 @@
</options>
</field>
<field>
- <fielddescr>Naughtiness limite</fielddescr>
+ <fielddescr>Naughtiness limit</fielddescr>
<fieldname>naughtynesslimit</fieldname>
<description><![CDATA[This the limit over which the page will be blocked. Each weighted phrase is given a value either positive or negative and the values added up.<br>
Phrases to do with good subjects will have negative values, and bad subjects will have positive values.<br>
@@ -318,6 +318,17 @@
<size>10</size>
</field>
<field>
+ <fielddescr>Max upload size</fielddescr>
+ <fieldname>maxuploadsize</fieldname>
+ <type>input</type>
+ <size>10</size>
+ <description><![CDATA[POST protection (web upload and forms) does not block forms without any file upload, i.e. this is just for blocking or limiting uploads measured in kilobytes after MIME encoding and header bump<br>
+ use 0 for a complete block<br>
+ use higher (e.g. 512 = 512Kbytes) for limiting<br>
+ use -1 for no blocking(default)<br>
+ Leave empty to use global Max upload size limit value.]]></description>
+ </field>
+ <field>
<fielddescr>Category display threshold</fielddescr>
<fieldname>categorydisplaythreshold</fieldname>
<description><![CDATA[This option only applies to pages blocked by weighted phrase filtering.<br>
diff --git a/config/dansguardian/dansguardian_ldap.php b/config/dansguardian/dansguardian_ldap.php
index d44f3de4..beb57ee0 100644
--- a/config/dansguardian/dansguardian_ldap.php
+++ b/config/dansguardian/dansguardian_ldap.php
@@ -129,7 +129,11 @@ if (is_array($config['installedpackages']['dansguardiangroups']['config']))
}
}
}
- if (!empty($members)){
+ if (empty($members)){
+ $config['installedpackages']['dansguardianusers']['config'][0][strtolower($group['name'])] = NULL;
+ $apply_config++;
+ }
+ else{
$import_users = explode("\n", $members);
asort($import_users);
$members=base64_encode(implode("\n", $import_users));
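Review bot: The new `empty($members)` branch increments `$apply_config` unconditionally, so an LDAP group that is empty on every sync marks the configuration as changed on every run even when the stored entry was already NULL; if `$apply_config` triggers a config write or service reload (its consumer is outside the hunk), that is needless churn. Testing the current value first, `if (!empty($config['installedpackages']['dansguardianusers']['config'][0][strtolower($group['name'])]))`, and only then clearing it and bumping the counter avoids that. The enclosing loop starts before the hunk.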
diff --git a/config/dansguardian/dansguardian_limits.xml b/config/dansguardian/dansguardian_limits.xml
index c8011357..2c147f1b 100644
--- a/config/dansguardian/dansguardian_limits.xml
+++ b/config/dansguardian/dansguardian_limits.xml
@@ -107,7 +107,7 @@
<fieldname>maxuploadsize</fieldname>
<type>input</type>
<size>10</size>
- <description><![CDATA[POST protection (web upload and forms) does not block forms without any file upload, i.e. this is just for blocking or limiting uploads measured in kibibytes after MIME encoding and header bumph<br>
+ <description><![CDATA[POST protection (web upload and forms) does not block forms without any file upload, i.e. this is just for blocking or limiting uploads measured in kilobytes after MIME encoding and header bump<br>
use 0 for a complete block<br>
use higher (e.g. 512 = 512Kbytes) for limiting<br>
use -1 for no blocking(default)]]></description>
diff --git a/config/dansguardian/dansguardianfx.conf.template b/config/dansguardian/dansguardianfx.conf.template
index f5296622..96b2b1b9 100644
--- a/config/dansguardian/dansguardianfx.conf.template
+++ b/config/dansguardian/dansguardianfx.conf.template
@@ -198,6 +198,7 @@ categorydisplaythreshold = {$dansguardian_groups['categorydisplaythreshold']}
# WARNING: This option is highly CPU intensive!
embeddedurlweight = {$dansguardian_groups['embeddedurlweight']}
+maxuploadsize = {$dansguardian_groups['maxuploadsize']}
# Enable PICS rating support
#
# Defaults to disabled
@@ -370,13 +371,13 @@ deepurlanalysis = {$dansguardian_groups['deepurlanalysis']}
#SSL certificate checking
# Check that ssl certificates for servers on https connections are valid
# and signed by a ca in the configured path
-sslcertcheck = {$dansguardian_groups['sslcertcheck']}
+sslcheckcert = {$dansguardian_groups['sslcheckcert']}
#SSL man in the middle
# Forge ssl certificates for all sites, decrypt the data then re encrypt it
# using a different private key. Used to filter ssl sites
sslmitm = {$dansguardian_groups['sslmitm']}
-#mitmkey = '{$dansguardian_groups['mitmkey']}'
+{$dansguardian_groups['mitmkey']}
EOF;
diff --git a/config/iperf.xml b/config/iperf.xml
index 3de57441..e5de8b85 100644
--- a/config/iperf.xml
+++ b/config/iperf.xml
@@ -132,7 +132,7 @@
<type>input</type>
</field>
<field>
- <fielddescr>Socket buffer bize</fielddescr>
+ <fielddescr>Socket buffer size</fielddescr>
<fieldname>window</fieldname>
<description>Enter the desired socket buffer size, if needed.</description>
<type>input</type>
diff --git a/config/iperfserver.xml b/config/iperfserver.xml
index 99d8ba34..493c41c8 100644
--- a/config/iperfserver.xml
+++ b/config/iperfserver.xml
@@ -119,7 +119,7 @@
<type>input</type>
</field>
<field>
- <fielddescr>Socket buffer bize</fielddescr>
+ <fielddescr>Socket buffer size</fielddescr>
<fieldname>window</fieldname>
<description>Enter the desired socket buffer size, if needed.</description>
<type>input</type>
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index dede1f1d..884c50ec 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1197,9 +1197,11 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) {
if ($rule2['disabled'] == 0)
/* If not disabled, just return the rule text "as is" */
$required_flowbits_rules[$k1][$k2]['rule'] = ltrim($rule2['rule']);
- else
+ else {
/* If rule is disabled, remove leading '#' to enable it */
$required_flowbits_rules[$k1][$k2]['rule'] = ltrim(substr($rule2['rule'], strpos($rule2['rule'], "#") + 1));
+ $required_flowbits_rules[$k1][$k2]['disabled'] = 0;
+ }
}
}
}
@@ -1335,8 +1337,10 @@ function snort_load_vrt_policy($policy) {
$vrt_policy_rules[$k1][$k2] = $arulem2;
/* Enable the policy rule if disabled */
- if ($arulem2['disabled'] == 1)
+ if ($arulem2['disabled'] == 1) {
$vrt_policy_rules[$k1][$k2]['rule'] = ltrim(substr($arulem2['rule'], strpos($arulem2['rule'], "#") + 1));
+ $vrt_policy_rules[$k1][$k2]['disabled'] = 0;
+ }
}
}
}
@@ -1441,8 +1445,10 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
if (!empty($enablesid)) {
foreach ($rule_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $enablesid) && $v['disabled'] == 1)
+ if (in_array($k2, $enablesid) && $v['disabled'] == 1) {
$rule_map[$k1][$k2]['rule'] = ltrim($v['rule'], " \t#");
+ $rule_map[$k1][$k2]['disabled'] = 0;
+ }
}
}
}
@@ -1452,8 +1458,10 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
if (!empty($disablesid)) {
foreach ($rule_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $disablesid) && $v['disabled'] == 0)
+ if (in_array($k2, $disablesid) && $v['disabled'] == 0) {
$rule_map[$k1][$k2]['rule'] = "# " . $v['rule'];
+ $rule_map[$k1][$k2]['disabled'] = 1;
+ }
}
}
}
@@ -1765,6 +1773,10 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Process any enablesid or disablesid modifications for the selected rules. */
snort_modify_sids($enabled_rules, $snortcfg);
+ /* Check for and disable any rules dependent upon disabled preprocessors. */
+ log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $enabled_rules);
+
/* Write the enforcing rules file to the Snort interface's "rules" directory. */
snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
unset($enabled_rules);
@@ -1794,6 +1806,69 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map");
}
+function snort_filter_preproc_rules($snortcfg, &$active_rules) {
+
+ /**************************************************/
+ /* This function checks the $active_rules array */
+ /* for rule options dependent upon preprocessors. */
+ /* Rules with rule options dependent upon any */
+ /* non-enabled preprocessors are disabled to stop */
+ /* start-up errors from unknown rule options. */
+ /* */
+ /* $snortcfg -> config parameters array for */
+ /* the interface */
+ /* $active_rules -> rules_map array of enabled */
+ /* rules for the interface */
+ /**************************************************/
+
+ global $config;
+
+ if (empty($active_rules))
+ return;
+
+ /***************************************************
+ * Construct an array of rule options with their *
+ * associated preprocessors. *
+ * *
+ * IMPORTANT -- Keep this part of the code current *
+ * with changes to preprocessor rule options in *
+ * Snort VRT rules. *
+ ***************************************************/
+ $rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc",
+ "dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2",
+ "dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data",
+ "sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc",
+ "sip_header;" => "sip_preproc", "sip_body;" => "sip_preproc",
+ "gtp_type:" => "gtp_preproc", "gtp_info:" => "gtp_preproc",
+ "gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc",
+ "modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc",
+ "dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc",
+ "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc");
+
+ /***************************************************
+ * Iterate the enabled rules, and check for rule *
+ * options that depend on disabled preprocessors. *
+ * Disable any of these preprocessor-dependent *
+ * rules we find. Once we find at least one *
+ * reason to disable the rule, stop further checks *
+ * and go to the next rule. *
+ ***************************************************/
+ foreach ($active_rules as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ if ($v['disabled'] == 0)
+ continue;
+ foreach ($rule_opts_preprocs as $opt => $preproc) {
+ $pcre = "/\s*\b" . $opt . "/i";
+ if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) {
+ $active_rules[$k1][$k2]['rule'] = "# " . $v['rule'];
+ $active_rules[$k1][$k2]['disabled'] = 1;
+ break;
+ }
+ }
+ }
+ }
+}
+
function snort_generate_conf($snortcfg) {
global $config, $g;
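Review bot: The guard `if ($v['disabled'] == 0) continue;` in snort_filter_preproc_rules skips every enabled rule and inspects only the already-disabled ones, the inverse of the comment above it ("Iterate the enabled rules") and of the `disabled == 0` convention used in snort_find_flowbit_required_rules; as written the function never disables a live preprocessor-dependent rule and instead prefixes a second `# ` onto rules that already carry one. The test should be `if ($v['disabled'] == 1) continue;`. `global $config;` is declared but never read in the body and can be dropped. `$snortcfg[$preproc]` is read without `isset()`, so an interface whose config predates a preprocessor key is treated as "not on" only through PHP's undefined-index fallback (with a notice); `(empty($snortcfg[$preproc]) || $snortcfg[$preproc] != 'on')` states the intent explicitly.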
@@ -1902,7 +1977,8 @@ function snort_generate_conf($snortcfg) {
"DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
"DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
"DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
- "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502"
+ "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502",
+ "GTP_PORTS" => "2123,2152,3386"
);
$portvardef = "";
@@ -1927,6 +2003,10 @@ EOD;
if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0'))
$def_server_flow_depth_type = $snortcfg['server_flow_depth'];
+ $http_server_profile = "all";
+ if (!empty($snortcfg['http_server_profile']))
+ $http_server_profile = $snortcfg['http_server_profile'];
+
$def_client_flow_depth_type = '300';
if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0'))
$def_client_flow_depth_type = $snortcfg['client_flow_depth'];
@@ -1942,7 +2022,7 @@ EOD;
# HTTP Inspect #
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
-preprocessor http_inspect_server: server default profile all {$noalert_http_inspect}\
+preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect}\
ports { {$http_ports} } \
http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
server_flow_depth {$def_server_flow_depth_type} \
@@ -2061,13 +2141,25 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB
EOD;
/* def sf_portscan */
+ if (!empty($snortcfg['pscan_sense_level']))
+ $sf_pscan_sense_level = $snortcfg['pscan_sense_level'];
+ else
+ $sf_pscan_sense_level = "medium";
+
+ if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) {
+ $sf_pscan_ignore_scanners = filter_expand_alias($snortcfg['pscan_ignore_scanners']);
+ $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners));
+ }
+ else
+ $sf_pscan_ignore_scanners = "\$HOME_NET";
+
$sf_portscan = <<<EOD
# sf Portscan #
preprocessor sfportscan: scan_type { all } \
proto { all } \
memcap { 10000000 } \
- sense_level { medium } \
- ignore_scanners { \$HOME_NET }
+ sense_level { {$sf_pscan_sense_level} } \
+ ignore_scanners { {$sf_pscan_ignore_scanners} }
EOD;
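Review bot: When the chosen alias expands to nothing — `filter_expand_alias` returning an empty string for an alias with no resolvable members — `$sf_pscan_ignore_scanners` becomes `""` and the heredoc emits `ignore_scanners { }`, which Snort may reject at start-up; add `if ($sf_pscan_ignore_scanners == '') $sf_pscan_ignore_scanners = "\$HOME_NET";` after the `preg_replace`. `is_alias` only confirms the alias name exists, not its type, so a port alias would be expanded into the IP list here (assuming `filter_expand_alias` handles port aliases the same way); checking the alias type where the value is saved would close that. `sense_level` is interpolated verbatim from the stored config, so validating it against `low`/`medium`/`high` at save time is what keeps the generated snort.conf well-formed. snort_generate_conf continues outside the hunk.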
@@ -2134,6 +2226,14 @@ preprocessor modbus: \
EOD;
+ /* def gtp_preprocessor */
+ $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']);
+ $gtp_preproc = <<<EOD
+# GTP preprocessor #
+preprocessor gtp: ports { {$gtp_ports} }
+
+EOD;
+
$def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']);
$ssl_preproc = <<<EOD
# Ignore SSL and Encryption #
@@ -2180,11 +2280,11 @@ EOD;
$snort_preproc_libs = array(
"dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc",
"pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc",
- "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
+ "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
"ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
);
$snort_preproc = array (
- "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc",
+ "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc",
"sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc"
);
$snort_preprocessors = "";
@@ -2282,6 +2382,9 @@ config disable_tcpopt_alerts
config disable_ipopt_alerts
config disable_decode_drops
+# Enable the GTP decoder #
+config enable_gtp
+
# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index 3a12b284..4085b325 100755
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -75,7 +75,7 @@ $snort_ports = array(
"sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79",
"irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
"nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
-"ssl_ports" => "443,465,563,636,989,990,992,993,994,995",
+"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", "GTP_PORTS" => "2123,2152,3386",
"file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80",
"sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
"DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index cec43bb7a..d0fabbf4 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -295,7 +295,9 @@ function enable_change(enable_change) {
<td width="78%" class="vtable">
<select name="performance" class="formselect" id="performance">
<?php
- $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', 'ac-banded' => 'AC-BANDED', 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS');
+ $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'ac-split' => 'AC-SPLIT', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC',
+ 'ac-nq' => 'AC-NQ', 'ac-bnfa-nq' => 'AC-BNFA-NQ', 'lowmem-nq' => 'LOWMEM-NQ', 'ac-banded' => 'AC-BANDED',
+ 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS');
foreach ($interfaces2 as $iface2 => $ifacename2): ?>
<option value="<?=$iface2;?>"
<?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>>
@@ -303,10 +305,10 @@ function enable_change(enable_change) {
<?php endforeach; ?>
</select><br>
<span class="vexpl"><?php echo gettext("LOWMEM and AC-BNFA are recommended for low end " .
- "systems, AC: high memory, best performance, AC-STD: moderate " .
- "memory,high performance, ACS: small memory, moderate performance, " .
- "AC-BANDED: small memory,moderate performance, AC-SPARSEBANDS: small " .
- "memory, high performance."); ?>
+ "systems, AC-SPLIT: low memory, high performance, short-hand for search-method ac split-any-any, AC: high memory, " .
+ "best performance, -NQ: the -nq option specifies that matches should not be queued and evaluated as they are found," .
+ " AC-STD: moderate memory, high performance, ACS: small memory, moderate performance, " .
+ "AC-BANDED: small memory,moderate performance, AC-SPARSEBANDS: small memory, high performance."); ?>
</span><br/></td>
</tr>
<tr>
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index eb371119..9dde8aaf 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -75,11 +75,11 @@ if (!$input_errors) {
$retval = 0;
- write_config();
-
/* create whitelist and homenet file then sync files */
sync_snort_package_config();
+ write_config();
+
/* forces page to reload new settings */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 916fd413..7d0348e9 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -56,6 +56,7 @@ if (isset($id) && $a_nat[$id]) {
/* new options */
$pconfig['perform_stat'] = $a_nat[$id]['perform_stat'];
$pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth'];
+ $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile'];
$pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth'];
$pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
$pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
@@ -75,20 +76,31 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['sip_preproc'] = $a_nat[$id]['sip_preproc'];
$pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc'];
$pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc'];
+ $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc'];
}
if ($_POST) {
$natent = array();
$natent = $pconfig;
+ if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners']))
+ $input_errors[] = "Only aliases are allowed";
+
/* if no errors write to conf */
if (!$input_errors) {
/* post new options */
if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = ""; }
+ if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; }
if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = ""; }
if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; }
if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; }
if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = ""; }
+ if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; }
+
+ if ($_POST['pscan_ignore_scanners'])
+ $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners'];
+ else
+ unset($natent['pscan_ignore_scanners']);
$natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off';
$natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off';
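Review bot: `http_server_profile` and `pscan_sense_level` are stored straight from `$_POST` with only an empty-string check, and both values are later interpolated verbatim into the generated snort.conf (`profile {$http_server_profile}` and `sense_level { ... }` in snort.inc), so a hand-crafted POST can place arbitrary text, including newlines, into the Snort configuration. The form's `<select>` does not constrain what the browser sends; validate server-side next to the new alias check, e.g. `if ($_POST['http_server_profile'] != "" && !in_array($_POST['http_server_profile'], array('all', 'apache', 'iis', 'iis_4.0', 'iis_5.0'))) $input_errors[] = "Invalid HTTP server profile";` and the same for `pscan_sense_level` against `low`/`medium`/`high`. The `is_alias` check on `pscan_ignore_scanners` is the right pattern to follow for the other two. The `if ($_POST)` block continues outside the hunk.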
@@ -107,6 +119,7 @@ if ($_POST) {
$natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off';
$natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off';
$natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off';
+ $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off';
if (isset($id) && $a_nat[$id])
$a_nat[$id] = $natent;
@@ -155,6 +168,10 @@ include_once("head.inc");
?>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
<form action="snort_preprocessors.php" method="post"
enctype="multipart/form-data" name="iform" id="iform">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
@@ -174,10 +191,10 @@ include_once("head.inc");
<tr><td class="tabcont">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%"><span class="vexpl"><span class="red"><strong<?php echo gettext("Note:"); ?>>
- </strong></span><br>
- <?php echo gettext("Rules may be dependent on preprocessors!"); ?><br>
+ <td colspan="2" align="center" valign="middle">
+ <span class="red"><strong><?php echo gettext("NOTE"); ?></strong></span><br>
+ <?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?>
+ <?php echo gettext("dependent rules being automatically disabled."); ?><br>
<?php echo gettext("Defaults will be used when there is no user input."); ?><br></td>
</tr>
<tr>
@@ -208,7 +225,7 @@ include_once("head.inc");
<tr>
<td><input name="server_flow_depth" type="text" class="formfld"
id="flow_depth" size="6"
- value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " .
+ value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>">&nbsp;&nbsp;<?php echo gettext("<strong>-1</strong> " .
"to <strong>65535</strong> (<strong>-1</strong> disables HTTP " .
"inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td>
</tr>
@@ -220,6 +237,23 @@ include_once("head.inc");
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP server profile"); ?> </td>
+ <td width="78%" class="vtable">
+ <select name="http_server_profile" class="formselect" id="http_server_profile">
+ <?php
+ $profile = array('All', 'Apache', 'IIS', 'IIS_4.0', 'IIS_5.0');
+ foreach ($profile as $val): ?>
+ <option value="<?=strtolower($val);?>"
+ <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;&nbsp;<?php echo gettext("Choose the profile type of the protected web server."); ?><br>
+ <?php echo gettext(" The default is <strong>All</strong>. "); ?>
+ <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the "); ?>
+ <?php echo gettext("double decoding vulnerability present in those two versions."); ?><br>
+ </td>
+ </tr>
+ <tr>
<td valign="top" class="vncell"><?php echo gettext("HTTP client flow depth"); ?></td>
<td class="vtable">
<table cellpadding="0" cellspacing="0">
@@ -298,6 +332,46 @@ include_once("head.inc");
"in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?><br>
</td>
</tr>
+
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
+ <?php echo gettext("Portscan Detection"); ?></td>
+ <td width="78%" class="vtable"><input name="sf_portscan"
+ type="checkbox" value="on"
+ <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"><br>
+ <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td>
+ <td width="78%" class="vtable">
+ <select name="pscan_sense_level" class="formselect" id="pscan_sense_level">
+ <?php
+ $levels = array('low', 'medium', 'high');
+ foreach ($levels as $val): ?>
+ <option value="<?=$val;?>"
+ <?php if ($val == $pconfig['pscan_sense_level']) echo "selected"; ?>>
+ <?=gettext(ucfirst($val));?></option>
+ <?php endforeach; ?>
+ </select><br>
+ <?php echo gettext("LOW: alerts generated on error packets from the target host; "); ?>
+ <?php echo gettext("this setting should see few false positives. "); ?><br>
+ <?php echo gettext("MEDIUM: tracks connection counts, so will generate filtered alerts; may "); ?>
+ <?php echo gettext("false positive on active hosts."); ?><br>
+ <?php echo gettext("HIGH: tracks hosts using a time window; will catch some slow scans, but is "); ?>
+ <?php echo gettext("very sensitive to active hosts."); ?><br/>
+ </td>
+ </tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?> </td>
+ <td width="78%" class="vtable">
+ <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners"
+ value="<?=$pconfig['pscan_ignore_scanners'];?>"> <br><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias.");?><br>
+ <?php echo gettext("Default value: \$HOME_NET."); ?><?php echo gettext(" Leave " .
+ "blank for default value."); ?>
+ </td>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td>
</tr>
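Review bot: The new Ignore Scanners row at the bottom of the hunk has no enclosing `<tr>`/`</tr>` — its two `<td>` cells follow the `</tr>` of the Sensitivity row and run straight into the `<tr>` of General Preprocessor Settings — so the cells land outside any table row. Its value is also the only input in this form printed without escaping: `value="<?=$pconfig['pscan_ignore_scanners'];?>"` should be `value="<?=htmlspecialchars($pconfig['pscan_ignore_scanners']);?>"`, matching `server_flow_depth` above, so a stored value containing a quote cannot break out of the attribute. The Sensitivity `<select>` marks nothing selected when `$pconfig['pscan_sense_level']` is unset even though the saved default is `medium`; comparing against `($pconfig['pscan_sense_level'] ? $pconfig['pscan_sense_level'] : 'medium')` would display the effective value.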
@@ -348,15 +422,6 @@ include_once("head.inc");
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
- <?php echo gettext("Portscan Detection"); ?></td>
- <td width="78%" class="vtable"><input name="sf_portscan"
- type="checkbox" value="on"
- <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>
- onClick="enable_change(false)"><br>
- <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
<?php echo gettext("DCE/RPC2 Detection"); ?></td>
<td width="78%" class="vtable"><input name="dce_rpc_2"
type="checkbox" value="on"
@@ -375,6 +440,15 @@ include_once("head.inc");
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
+ <?php echo gettext("GTP Detection"); ?></td>
+ <td width="78%" class="vtable"><input name="gtp_preproc"
+ type="checkbox" value="on"
+ <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"><br>
+ <?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
<?php echo gettext("DNS Detection"); ?></td>
<td width="78%" class="vtable"><input name="dns_preprocessor"
type="checkbox" value="on"
@@ -438,6 +512,40 @@ include_once("head.inc");
</table>
</td></tr></table>
</form>
+<script type="text/javascript">
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesports = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ } else if ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesports .= ",";
+ $aliasesports .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+?>
+
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portsarray=new Array(<?php echo $aliasesports; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+</script>
<?php include("fend.inc"); ?>
</body>
</html>
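Review bot: The alias names are spliced into JavaScript string literals with plain single-quote concatenation (`$aliasesaddr .= "'" . $alias_name['name'] . "'";` and the matching port line), so a name containing `'`, `\` or a `</script>` sequence would break or escape the literal; whether pfSense's alias validation excludes those characters is not visible here, so the safer form is to let PHP do the quoting: `$aliasesaddr .= json_encode($alias_name['name']);` and `$aliasesports .= json_encode($alias_name['name']);`. The `$isfirst` and `$aliases` variables are assigned and never read, and `portsarray` is built but `createAutoSuggest` only ever passes `addressarray`, so the port branch is dead weight in this hunk. `setTimeout("createAutoSuggest();", 500)` passes a string to be evaluated; `setTimeout(createAutoSuggest, 500)` avoids that. The same unescaped-output pattern appears where the earlier portscan row echoes `$pconfig['pscan_ignore_scanners']` straight into a `value=` attribute without `htmlspecialchars`.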
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index 83e1ea8b..7457632d 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -362,7 +362,7 @@ function popup(url)
<tr>
<td width="3%" class="list">&nbsp;</td>
<td colspan="7" class="listhdr" >&nbsp;</td>
- <td width="3%" align="center" valign="middle" class="list"><a href="javascript: void(0)"
+ <td width="3%" align="center" valign="middle" class="listt"><a href="javascript: void(0)"
onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>')">
<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php
echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"'
@@ -371,7 +371,7 @@ function popup(url)
</tr>
<tr id="frheader">
<td width="3%" class="list">&nbsp;</td>
- <td width="9%" class="listhdr"><?php echo gettext("SID"); ?></td>
+ <td width="9%" class="listhdrr"><?php echo gettext("SID"); ?></td>
<td width="2%" class="listhdrr"><?php echo gettext("Proto"); ?></td>
<td width="14%" class="listhdrr"><?php echo gettext("Source"); ?></td>
<td width="12%" class="listhdrr"><?php echo gettext("Port"); ?></td>
@@ -446,7 +446,7 @@ function popup(url)
$textss $message $textse
</td>";
?>
- <td width="3%" align="center" valign="middle" nowrap class="list">
+ <td width="3%" align="center" valign="middle" nowrap class="listt">
<a href="javascript: void(0)"
onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>')"><img
src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif"
diff --git a/config/squid-reverse/squid_ng.inc b/config/squid-reverse/squid_ng.inc
index b0604b02..0e1e0515 100644
--- a/config/squid-reverse/squid_ng.inc
+++ b/config/squid-reverse/squid_ng.inc
@@ -47,7 +47,7 @@ function global_write_squid_config()
$active_interface = $config['installedpackages']['squid']['config'][0]['active_interface'];
$transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'];
$log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled'];
- $urlfier_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
+ $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
$accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled'];
$log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms'];
$log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents'];
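Review bot: The rename from `$urlfier_enable` to `$urlfilter_enable` only touches the assignment; `global_write_squid_config` continues well past this hunk, so any later read of the old misspelled name would now be an undefined variable rather than the intended flag, and the hunk gives no evidence either way. Worth a grep for `urlfier_enable` across both `squid_ng.inc` copies before merging; the same change is made in the config/squid/squid_ng.inc hunk below.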
@@ -560,7 +560,7 @@ function global_write_squid_config()
$config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
}
- unset($banned_ip_addr);
+ unset($banned_ip_array);
unset($banned_ip_addr);
unset($ind_banned_ip);
diff --git a/config/squid/squid_ng.inc b/config/squid/squid_ng.inc
index 03f6d48c..cfd2fe66 100644
--- a/config/squid/squid_ng.inc
+++ b/config/squid/squid_ng.inc
@@ -47,7 +47,7 @@ function global_write_squid_config()
$active_interface = $config['installedpackages']['squid']['config'][0]['active_interface'];
$transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'];
$log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled'];
- $urlfier_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
+ $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
$accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled'];
$log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms'];
$log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents'];
@@ -560,7 +560,7 @@ function global_write_squid_config()
$config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
}
- unset($banned_ip_addr);
+ unset($banned_ip_array);
unset($banned_ip_addr);
unset($ind_banned_ip);