Diffstat (limited to 'config')
-rw-r--r-- | config/snort/snort.inc | 80 | ||||
-rw-r--r-- | config/snort/snort_check_for_rule_updates.php | 13 | ||||
-rw-r--r-- | config/snort/snort_preprocessors.php | 33 |
3 files changed, 105 insertions, 21 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index d29833a2..3e9a46da 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -1002,9 +1002,9 @@ function snort_generate_conf($snortcfg) { "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "/usr/local/lib/snort/dynamicrules", + "dynamicrules" => "{$snortcfgdir}/dynamicrules", "dynamicengine" => "/usr/local/lib/snort/dynamicengine", - "dynamicpreprocessor" => "/usr/local/lib/snort/dynamicpreprocessor" + "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" ); foreach ($snort_dirs as $dir) { if (!is_dir($dir)) @@ -1079,6 +1079,15 @@ function snort_generate_conf($snortcfg) { "DCERPC_BRIGHTSTORE" => "6503,6504" ); + $portvardef = ""; + foreach ($snort_ports as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) + $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); + $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias])); + $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; + } + + ///////////////////////////// /* preprocessor code */ /* def perform_stat */ @@ -1170,6 +1179,24 @@ preprocessor ftp_telnet_protocol: ftp client default \ EOD; + $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']); + $pop_preproc = <<<EOD +preprocessor pop: \ + ports { {$pop_ports} } \ + qp_decode_depth -1 \ + b64_decode_depth 0 \ + bitenc_decode_depth 100 +EOD; + + $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']); + $imap_preproc = <<<EOD +preprocessor imap: \ + ports { {$imap_ports} } \ + qp_decode_depth -1 \ + b64_decode_depth 0 \ + bitenc_decode_depth 100 +EOD; + $smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']); /* def smtp_preprocessor */ $smtp_preprocessor = <<<EOD 
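Review bot: In the `$snort_dirs` hunk at -1002, the `dynamicrules` and `dynamicpreprocessor` entries now point at `{$snortcfgdir}`, and nothing visible constrains ownership or mode of those directories. Snort loads shared objects from them, so a per-interface directory that is writable by anything other than root becomes a code-loading path. The `foreach` that creates missing directories is only partly inside the hunk, so the mode it applies cannot be confirmed from here. I would add a comment above the two entries, `/* snort loads .so files from these dirs: keep them root-owned, mode 0755 or tighter */`, and check that the creation call sets that mode explicitly.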
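Review bot: The new `$pop_preproc` and `$imap_preproc` blocks in the -1170 hunk hard-code their decode depths with no explanation. As I read the Snort preprocessor documentation, `qp_decode_depth -1` turns quoted-printable decoding off, so QP-encoded attachments reach the rules undecoded, while `b64_decode_depth 0` means unlimited; `uu_decode_depth` is not set at all. If that is intentional, a PHP comment above each heredoc would save the next reader a lookup: `/* depths: -1 = decoder off, 0 = unlimited, N = bytes decoded per attachment */`. The `$snort_ports` array is defined outside this hunk, so I cannot confirm that `pop3_ports` and `imap_ports` exist in it. A missing key would render `ports { }` into the config.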
@@ -1238,6 +1265,13 @@ preprocessor dns: \ EOD; + $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']); + $ssl_preproc = <<<EOD +# Ignore SSL and Encryption # +preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted + +EOD; + $sensitive_data = "preprocessor sensitive_data:\n"; /* stream5 queued settings */ 
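Review bot: `$ssl_preproc` is now written to the config only when `$snortcfg['ssl_preproc'] == 'on'` (the loop in the -1268 hunk), whereas the template removed in the -1398 hunk emitted the `preprocessor ssl` line unconditionally. An interface saved before this change has no `ssl_preproc` key, so regenerating its config would drop the SSL preprocessor until someone re-saves the preprocessor page. No migration or default is visible in this diff. Consider keeping the old behaviour for existing entries by adding `if (!isset($snortcfg['ssl_preproc'])) $snortcfg['ssl_preproc'] = 'on';` before the loop.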
@@ -1268,25 +1302,36 @@ EOD; $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n"; } - $portvardef = ""; - foreach ($snort_ports as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); - $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias])); - $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; - } - $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']); - + $snort_preproc_libs = array( + "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", + "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", + "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "ssl_preproc" => "ssl_preproc" + ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", - "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data" + "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", + "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc" ); $snort_preprocessors = ""; foreach ($snort_preproc as $preproc) { if ($snortcfg[$preproc] == 'on') { /* NOTE: The $$ is not a bug. Its a advanced feature of php */ - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; + if (!empty($snort_preproc_libs[$preproc])) { + $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; + if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { + if (file_exists("/usr/local/lib/dynamicpreprocessor/{$preproclib}.so")) { + @copy("/usr/local/lib/dynamicpreprocessor/{$preproclib}.so", $snort_dirs['dynamicpreprocessor'] . 
"{$preproclib}.so"); + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } } } @@ -1330,6 +1375,8 @@ EOD; @copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}"); if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") { $slib = substr($enabled_item, 6, -6); + if (!file_exists("{$snort_dirs['dynamicrules']}/{$slib}")) + @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}"); if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}") && file_exists("{$snortcfgdir}/rules/{$enabled_item}")) $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; @@ -1398,9 +1445,6 @@ preprocessor stream5_icmp: {$snort_preprocessors} -# Ignore SSL and Encryption # -preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted - # Snort Output Logs # output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority {$alertsystemlog_type} diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 112682d2..6221b38f 100644 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php 
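Review bot: In the -1268 hunk the library check concatenates `$snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so"` without a `/`, so it tests and copies to `.../dynamicpreprocessorlibsf_*.so`, a sibling of the directory Snort is pointed at. The fallback source is `/usr/local/lib/dynamicpreprocessor/`, while the path this commit replaces was `/usr/local/lib/snort/dynamicpreprocessor`. If the source is not found, the preprocessor is silently left out of the config even though the operator enabled it. `@copy` also hides a failed copy, so the config can name a preprocessor whose library never arrived. I would build both paths once, check the copy result, log when a preprocessor is skipped, and collapse the three identical append branches into one, as below.

```php
foreach ($snort_preproc as $preproc) {
	if ($snortcfg[$preproc] != 'on')
		continue;
	if (!empty($snort_preproc_libs[$preproc])) {
		$preproclib = "libsf_" . $snort_preproc_libs[$preproc] . ".so";
		$libdst = "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}";
		/* source path as used before this change; confirm against the package layout */
		$libsrc = "/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}";
		if (!file_exists($libdst) && !@copy($libsrc, $libdst)) {
			log_error("Snort: {$preproclib} is missing, {$preproc} left out of the configuration");
			continue;
		}
	}
	/* NOTE: The $$ is not a bug. Its a advanced feature of php */
	$snort_preprocessors .= $$preproc;
	$snort_preprocessors .= "\n";
}
```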
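Review bot: In the -1330 hunk, `$slib` is cut out of `$enabled_item` and used unchecked in both the source and the destination of a copy into the directory Snort loads shared objects from. `$enabled_item` appears to come from the stored `rulesets` string, though the loop starts outside the hunk. Reducing it to a file name first keeps both paths inside their directories: `$slib = basename(substr($enabled_item, 6, -6));`. The `!file_exists` guard also means a library copied once is never refreshed from `/usr/local/lib/snort/dynamicrules`. After a rules update the per-interface copy can therefore lag behind the `.so.rules` stub it is paired with, unless the updater hunk in `snort_check_for_rule_updates.php` reliably overwrites it.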
@@ -301,9 +301,16 @@ function snort_apply_customizations($snortcfg, $if_real) { else { update_status(gettext("Your set of configured rules are being copied...")); log_error(gettext("Your set of configured rules are being copied...")); - $files = explode("||", $snortcfg['rulesets']); - foreach ($files as $file) - @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}"); + $enabled_rulesets_array = explode("||", $snortcfg['rulesets']); + foreach($enabled_rulesets_array as $enabled_item) { + @copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}"); + if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") { + $slib = substr($enabled_item, 6, -6); + if (file_exists("/usr/local/lib/snort/dynamicrules/{$slib}")) + @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}"); + + } + } @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index e38418e5..84313577 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -66,6 +66,9 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; + $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc']; + $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc']; + $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc']; } if ($_POST) { 
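Review bot: The loop variable in the -301 hunk was renamed to `$enabled_item`, but the first `@copy` still interpolates `{$file}`, which this loop no longer sets. It also writes to `{$rule_dir}`, whereas the removed line wrote to `{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}`. Because of the `@`, the failed copy is silent and the interface keeps running on whatever rule files were already there. The line should read `@copy("{$snortdir}/rules/{$enabled_item}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$enabled_item}");`. `$rule_dir` and `$snort_dirs` are not parameters of `snort_apply_customizations($snortcfg, $if_real)` and are not assigned in the visible lines. The function body starts outside the hunk, so please confirm they are defined there; otherwise the dynamic-rules copy targets `/{$slib}`.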
@@ -88,6 +91,9 @@ if ($_POST) { $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; $natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off'; + $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off'; + $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off'; + $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -265,6 +271,24 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncell">Enable <br> SMTP Normalizer</td> + <td width="78%" class="vtable"><input name="pop_preproc" + type="checkbox" value="on" + <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Normalize/Decode POP protocol for enforcement and buffer overflows.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Enable <br> + SMTP Normalizer</td> + <td width="78%" class="vtable"><input name="imap_preproc" + type="checkbox" value="on" + <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Normalize/Decode IMAP protocol for enforcement and buffer overflows.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Enable <br> + SMTP Normalizer</td> <td width="78%" class="vtable"><input name="smtp_preprocessor" type="checkbox" value="on" <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?> 
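Review bot: In the -265 hunk, the new `pop_preproc` and `imap_preproc` checkboxes both sit in rows whose label cell reads `Enable <br> SMTP Normalizer`, so the page shows three rows with the same label. An operator can only tell them apart from the description text, which makes it easy to leave the wrong decoder off. The label cells should read `Enable <br> POP Normalizer` and `Enable <br> IMAP Normalizer` respectively.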
@@ -301,6 +325,15 @@ include_once("head.inc"); vulnerabilities.</td> </tr> <tr> + <td width="22%" valign="top" class="vncell">Enable <br> SSL Data</td> + <td width="78%" class="vtable"> + <input name="ssl_preproc" type="checkbox" value="on" + <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + SSL data searches for irregularities during SSL protocol exchange + </td> + </tr> + <tr> <td width="22%" valign="top" class="vncell">Enable <br> Sensitive Data</td> <td width="78%" class="vtable"> <input name="sensitive_data" type="checkbox" value="on" |