aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
Diffstat (limited to 'config')
-rwxr-xr-xconfig/dansguardian/dansguardian.inc28
-rwxr-xr-xconfig/dansguardian/dansguardian_groups.xml3
-rw-r--r--config/dansguardian/dansguardianfx.conf.template2
-rwxr-xr-xconfig/snort/snort.inc16
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php12
-rw-r--r--config/snort/snort_interfaces_global.php4
-rwxr-xr-xconfig/snort/snort_preprocessors.php98
-rwxr-xr-xconfig/snort/snort_rules.php6
8 files changed, 137 insertions, 32 deletions
diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc
index ae2b3264..5f06b75a 100755
--- a/config/dansguardian/dansguardian.inc
+++ b/config/dansguardian/dansguardian.inc
@@ -301,14 +301,14 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) {
exec("/usr/bin/openssl x509 -hash -noout -in /etc/ssl/demoCA/cacert.pem",$cert_hash);
file_put_contents("/usr/local/share/certs/".$cert_hash[0].".0",base64_decode($ca_cert['crt']));
$ca_pem = "cacertificatepath = '/etc/ssl/demoCA/cacert.pem'";
- $generatedcertpath= "generatedcertpath = '/etc/ssl/demoCA/certs/'";
+ $generatedcertpath= "generatedcertpath = '".$dansguardian_dir."/ssl/generatedcerts'";
#generatedcertpath = ".$dansguardian_dir . "/ssl/generatedcerts";
$generatedlinkpath= "generatedlinkpath = '".$dansguardian_dir . "/ssl/generatedlinks'";
}
$svr_cert = lookup_cert($dansguardian_config["dcert"]);
if ($svr_cert != false) {
if(base64_decode($svr_cert['prv'])) {
- file_put_contents("/etc/ssl/demoCA/private/serverkey.pem",base64_decode($svr_cert['prv']));
+ file_put_contents("/etc/ssl/demoCA/private/serverkey.pem",base64_decode($svr_cert['prv']).base64_decode($svr_cert['crt']));
$cert_key = "certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem' ";
}
}
@@ -721,7 +721,7 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) {
'mode'=> "1",
'report_level'=>"global");
- $groups=array("scancleancache","hexdecodecontent","blockdownloads","enablepics","deepurlanalysis","infectionbypasserrorsonly","disablecontentscan","sslcertcheck","sslmitm");
+ $groups=array("scancleancache","hexdecodecontent","blockdownloads","enablepics","deepurlanalysis","infectionbypasserrorsonly","disablecontentscan");
#loop on array
$count=1;
$user_xml="";
@@ -737,7 +737,6 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) {
$dansguardian_groups['embeddedurlweight']=($dansguardian_groups['embeddedurlweight']?$dansguardian_groups['embeddedurlweight']:"0");
$dansguardian_groups['bypass']=($dansguardian_groups['bypass']?$dansguardian_groups['bypass']:"0");
$dansguardian_groups['infectionbypass']=($dansguardian_groups['infectionbypass']?$dansguardian_groups['infectionbypass']:"0");
- $dansguardian_groups['mitmkey']=($dansguardian_groups['mitmkey']?$dansguardian_groups['mitmkey']:"dgs3dD3da");
switch ($dansguardian_groups['reportinglevel']){
case "1":
case "2":
@@ -761,8 +760,18 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) {
$groupaccessdeniedaddress="";
}
- foreach ($groups as $group)
+ foreach ($groups as $group){
$dansguardian_groups[$group]=(preg_match("/$group/",$dansguardian_groups['group_options'])?"on":"off");
+ }
+ if (preg_match("/sslmitm/",$dansguardian_groups['group_options'])){
+ $dansguardian_groups['mitmkey']="mitmkey = '".substr(md5(rand(100000000,999999999)),1,9)."'";
+ $dansguardian_groups["sslmitm"]="on";
+ $dansguardian_groups["sslcertcheck"]="on";
+ }
+ else{
+ $dansguardian_groups["sslmitm"]="off";
+ $dansguardian_groups["sslcertcheck"]="off";
+ }
#create group list files
$lists=array("phraseacl" => array("bannedphrase","weightedphrase","exceptionphrase"),
"siteacl" => array("bannedsite","greysite","exceptionsite","exceptionfilesite","logsite"),
@@ -939,6 +948,7 @@ EOF;
$cconf= DANSGUARDIAN_DIR. "/etc/clamd.conf";
$cconf_file=file_get_contents($cconf);
if (preg_match("/User (\w+)/",$cconf_file,$matches)){
+ mwexec("/usr/sbin/pw user show {$matches[1]} || /usr/sbin/pw user add -n {$matches[1]} -s /usr/sbin/nologin");
$daemonuser = $matches[1];
$daemongroup = 'nobody';
}
@@ -1103,8 +1113,8 @@ EOF;
if (!(file_exists('/var/db/clamav/main.cvd')||file_exists('/var/db/clamav/main.cld'))){
file_notice("Dansguardian - No antivirus database found for clamav, running freshclam in background.","");
- log_error('No antivirus database found for clamav, running freshclam in background.');
- mwexec_bg(DANSGUARDIAN_DIR.'/bin/freshclam');
+ log_error('No antivirus database found for clamav, running freshclam in background. Content-scanner may not work until freshclam finishes.');
+ mwexec_bg(DANSGUARDIAN_DIR.'/bin/freshclam && /usr/local/etc/rc.d/clamav-clamd');
}
$match=array();
@@ -1130,12 +1140,16 @@ EOF;
foreach ($script_file as $script_line){
if(preg_match("/command=/",$script_line)){
$new_clamav_startup.= 'if [ ! -d /var/run/clamav ];then /bin/mkdir /var/run/clamav;fi'."\n";
+ $new_clamav_startup.= 'if [ ! -d /var/db/clamav ];then /bin/mkdir /var/db/clamav;fi'."\n";
+ $new_clamav_startup.= 'if [ ! -d /var/log/clamav ];then /bin/mkdir -p /var/log/clamav;fi'."\n";
$new_clamav_startup.= "chown -R ".$matches[1]." /var/run/clamav\n";
+ $new_clamav_startup.= "chown -R ".$matches[1]." /var/db/clamav\n";
$new_clamav_startup.= "chown -R ".$matches[1]." /var/log/clamav\n";
$new_clamav_startup.=$script_line;
}
elseif(!preg_match("/(mkdir|chown|sleep|mailscanner)/",$script_line)) {
$new_clamav_startup.=preg_replace("/NO/","YES",$script_line);
+ $new_clamav_startup.=preg_replace("@/usr/local@",DANSGUARDIAN_DIR,$script_line);
}
}
file_put_contents($script, $new_clamav_startup, LOCK_EX);
diff --git a/config/dansguardian/dansguardian_groups.xml b/config/dansguardian/dansguardian_groups.xml
index 031ae88b..188b6d86 100755
--- a/config/dansguardian/dansguardian_groups.xml
+++ b/config/dansguardian/dansguardian_groups.xml
@@ -150,11 +150,10 @@
<option><name>Enable Deep URL Analysis (off)</name><value>deepurlanalysis</value></option>
<option><name>Infection/Scan Error Bypass on Scan Errors Only (on)</name><value>infectionbypasserrorsonly</value></option>
<option><name>Disable content scanning (off)</name><value>disablecontentscan</value></option>
- <option><name>Check servers ssl certificates (off)</name><value>sslcertcheck</value></option>
<option><name>Filter ssl sites forging SSL Certificates (off)</name><value>sslmitm</value></option>
</options>
<multiple/>
- <size>10</size>
+ <size>9</size>
</field>
<field>
<fielddescr>Pics</fielddescr>
diff --git a/config/dansguardian/dansguardianfx.conf.template b/config/dansguardian/dansguardianfx.conf.template
index f5296622..719c0c48 100644
--- a/config/dansguardian/dansguardianfx.conf.template
+++ b/config/dansguardian/dansguardianfx.conf.template
@@ -376,7 +376,7 @@ sslcertcheck = {$dansguardian_groups['sslcertcheck']}
# Forge ssl certificates for all sites, decrypt the data then re encrypt it
# using a different private key. Used to filter ssl sites
sslmitm = {$dansguardian_groups['sslmitm']}
-#mitmkey = '{$dansguardian_groups['mitmkey']}'
+{$dansguardian_groups['mitmkey']}
EOF;
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index dede1f1d..3571a215 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -2061,13 +2061,25 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB
EOD;
/* def sf_portscan */
+ if (!empty($snortcfg['pscan_sense_level']))
+ $sf_pscan_sense_level = $snortcfg['pscan_sense_level'];
+ else
+ $sf_pscan_sense_level = "medium";
+
+ if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) {
+ $sf_pscan_ignore_scanners = filter_expand_alias($snortcfg['pscan_ignore_scanners']);
+ $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners));
+ }
+ else
+ $sf_pscan_ignore_scanners = "\$HOME_NET";
+
$sf_portscan = <<<EOD
# sf Portscan #
preprocessor sfportscan: scan_type { all } \
proto { all } \
memcap { 10000000 } \
- sense_level { medium } \
- ignore_scanners { \$HOME_NET }
+ sense_level { {$sf_pscan_sense_level} } \
+ ignore_scanners { {$sf_pscan_ignore_scanners} }
EOD;
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index cec43bb7a..d0fabbf4 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -295,7 +295,9 @@ function enable_change(enable_change) {
<td width="78%" class="vtable">
<select name="performance" class="formselect" id="performance">
<?php
- $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', 'ac-banded' => 'AC-BANDED', 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS');
+ $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'ac-split' => 'AC-SPLIT', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC',
+ 'ac-nq' => 'AC-NQ', 'ac-bnfa-nq' => 'AC-BNFA-NQ', 'lowmem-nq' => 'LOWMEM-NQ', 'ac-banded' => 'AC-BANDED',
+ 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS');
foreach ($interfaces2 as $iface2 => $ifacename2): ?>
<option value="<?=$iface2;?>"
<?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>>
@@ -303,10 +305,10 @@ function enable_change(enable_change) {
<?php endforeach; ?>
</select><br>
<span class="vexpl"><?php echo gettext("LOWMEM and AC-BNFA are recommended for low end " .
- "systems, AC: high memory, best performance, AC-STD: moderate " .
- "memory,high performance, ACS: small memory, moderate performance, " .
- "AC-BANDED: small memory,moderate performance, AC-SPARSEBANDS: small " .
- "memory, high performance."); ?>
+ "systems, AC-SPLIT: low memory, high performance, short-hand for search-method ac split-any-any, AC: high memory, " .
+ "best performance, -NQ: the -nq option specifies that matches should not be queued and evaluated as they are found," .
+ " AC-STD: moderate memory, high performance, ACS: small memory, moderate performance, " .
+ "AC-BANDED: small memory,moderate performance, AC-SPARSEBANDS: small memory, high performance."); ?>
</span><br/></td>
</tr>
<tr>
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index eb371119..9dde8aaf 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -75,11 +75,11 @@ if (!$input_errors) {
$retval = 0;
- write_config();
-
/* create whitelist and homenet file then sync files */
sync_snort_package_config();
+ write_config();
+
/* forces page to reload new settings */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 916fd413..89f1136c 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -81,6 +81,9 @@ if ($_POST) {
$natent = array();
$natent = $pconfig;
+ if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners']))
+ $input_errors[] = "Only aliases are allowed";
+
/* if no errors write to conf */
if (!$input_errors) {
/* post new options */
@@ -89,6 +92,12 @@ if ($_POST) {
if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; }
if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; }
if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = ""; }
+ if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; }
+
+ if ($_POST['pscan_ignore_scanners'])
+ $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners'];
+ else
+ unset($natent['pscan_ignore_scanners']);
$natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off';
$natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off';
@@ -155,6 +164,10 @@ include_once("head.inc");
?>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
<form action="snort_preprocessors.php" method="post"
enctype="multipart/form-data" name="iform" id="iform">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
@@ -177,7 +190,7 @@ include_once("head.inc");
<td width="22%" valign="top">&nbsp;</td>
<td width="78%"><span class="vexpl"><span class="red"><strong<?php echo gettext("Note:"); ?>>
</strong></span><br>
- <?php echo gettext("Rules may be dependent on preprocessors!"); ?><br>
+ <?php echo gettext("Rules may be dependent on preprocessors! "); ?>
<?php echo gettext("Defaults will be used when there is no user input."); ?><br></td>
</tr>
<tr>
@@ -298,6 +311,46 @@ include_once("head.inc");
"in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?><br>
</td>
</tr>
+
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
+ <?php echo gettext("Portscan Detection"); ?></td>
+ <td width="78%" class="vtable"><input name="sf_portscan"
+ type="checkbox" value="on"
+ <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"><br>
+ <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td>
+ <td width="78%" class="vtable">
+ <select name="pscan_sense_level" class="formselect" id="pscan_sense_level">
+ <?php
+ $levels = array('low', 'medium', 'high');
+ foreach ($levels as $val): ?>
+ <option value="<?=$val;?>"
+ <?php if ($val == $pconfig['pscan_sense_level']) echo "selected"; ?>>
+ <?=gettext(ucfirst($val));?></option>
+ <?php endforeach; ?>
+ </select><br>
+ <?php echo gettext("LOW: alerts generated on error packets from the target host; "); ?>
+ <?php echo gettext("this setting should see few false positives. "); ?><br>
+ <?php echo gettext("MEDIUM: tracks connection counts, so will generate filtered alerts; may "); ?>
+ <?php echo gettext("false positive on active hosts."); ?><br>
+ <?php echo gettext("HIGH: tracks hosts using a time window; will catch some slow scans, but is "); ?>
+ <?php echo gettext("very sensitive to active hosts."); ?><br/>
+ </td>
+ </tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?> </td>
+ <td width="78%" class="vtable">
+ <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners"
+ value="<?=$pconfig['pscan_ignore_scanners'];?>"> <br><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias.");?><br>
+ <?php echo gettext("Default value: \$HOME_NET"); ?><?php echo gettext(" Leave " .
+ "blank for default value."); ?>
+ </td>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td>
</tr>
@@ -348,15 +401,6 @@ include_once("head.inc");
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
- <?php echo gettext("Portscan Detection"); ?></td>
- <td width="78%" class="vtable"><input name="sf_portscan"
- type="checkbox" value="on"
- <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>
- onClick="enable_change(false)"><br>
- <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br>
<?php echo gettext("DCE/RPC2 Detection"); ?></td>
<td width="78%" class="vtable"><input name="dce_rpc_2"
type="checkbox" value="on"
@@ -438,6 +482,40 @@ include_once("head.inc");
</table>
</td></tr></table>
</form>
+<script type="text/javascript">
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesports = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ } else if ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesports .= ",";
+ $aliasesports .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+?>
+
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portsarray=new Array(<?php echo $aliasesports; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+</script>
<?php include("fend.inc"); ?>
</body>
</html>
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index 83e1ea8b..7457632d 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -362,7 +362,7 @@ function popup(url)
<tr>
<td width="3%" class="list">&nbsp;</td>
<td colspan="7" class="listhdr" >&nbsp;</td>
- <td width="3%" align="center" valign="middle" class="list"><a href="javascript: void(0)"
+ <td width="3%" align="center" valign="middle" class="listt"><a href="javascript: void(0)"
onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>')">
<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php
echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"'
@@ -371,7 +371,7 @@ function popup(url)
</tr>
<tr id="frheader">
<td width="3%" class="list">&nbsp;</td>
- <td width="9%" class="listhdr"><?php echo gettext("SID"); ?></td>
+ <td width="9%" class="listhdrr"><?php echo gettext("SID"); ?></td>
<td width="2%" class="listhdrr"><?php echo gettext("Proto"); ?></td>
<td width="14%" class="listhdrr"><?php echo gettext("Source"); ?></td>
<td width="12%" class="listhdrr"><?php echo gettext("Port"); ?></td>
@@ -446,7 +446,7 @@ function popup(url)
$textss $message $textse
</td>";
?>
- <td width="3%" align="center" valign="middle" nowrap class="list">
+ <td width="3%" align="center" valign="middle" nowrap class="listt">
<a href="javascript: void(0)"
onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>')"><img
src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif"