diff options
Diffstat (limited to 'config')
-rwxr-xr-x | config/dansguardian/dansguardian.inc | 28 | ||||
-rwxr-xr-x | config/dansguardian/dansguardian_groups.xml | 3 | ||||
-rw-r--r-- | config/dansguardian/dansguardianfx.conf.template | 2 | ||||
-rwxr-xr-x | config/snort/snort.inc | 16 | ||||
-rwxr-xr-x | config/snort/snort_interfaces_edit.php | 12 | ||||
-rw-r--r-- | config/snort/snort_interfaces_global.php | 4 | ||||
-rwxr-xr-x | config/snort/snort_preprocessors.php | 98 | ||||
-rwxr-xr-x | config/snort/snort_rules.php | 6 |
8 files changed, 137 insertions, 32 deletions
diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc index ae2b3264..5f06b75a 100755 --- a/config/dansguardian/dansguardian.inc +++ b/config/dansguardian/dansguardian.inc @@ -301,14 +301,14 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) { exec("/usr/bin/openssl x509 -hash -noout -in /etc/ssl/demoCA/cacert.pem",$cert_hash); file_put_contents("/usr/local/share/certs/".$cert_hash[0].".0",base64_decode($ca_cert['crt'])); $ca_pem = "cacertificatepath = '/etc/ssl/demoCA/cacert.pem'"; - $generatedcertpath= "generatedcertpath = '/etc/ssl/demoCA/certs/'"; + $generatedcertpath= "generatedcertpath = '".$dansguardian_dir."/ssl/generatedcerts'"; #generatedcertpath = ".$dansguardian_dir . "/ssl/generatedcerts"; $generatedlinkpath= "generatedlinkpath = '".$dansguardian_dir . "/ssl/generatedlinks'"; } $svr_cert = lookup_cert($dansguardian_config["dcert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { - file_put_contents("/etc/ssl/demoCA/private/serverkey.pem",base64_decode($svr_cert['prv'])); + file_put_contents("/etc/ssl/demoCA/private/serverkey.pem",base64_decode($svr_cert['prv']).base64_decode($svr_cert['crt'])); $cert_key = "certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem' "; } } @@ -721,7 +721,7 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) { 'mode'=> "1", 'report_level'=>"global"); - $groups=array("scancleancache","hexdecodecontent","blockdownloads","enablepics","deepurlanalysis","infectionbypasserrorsonly","disablecontentscan","sslcertcheck","sslmitm"); + $groups=array("scancleancache","hexdecodecontent","blockdownloads","enablepics","deepurlanalysis","infectionbypasserrorsonly","disablecontentscan"); #loop on array $count=1; $user_xml=""; @@ -737,7 +737,6 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) { $dansguardian_groups['embeddedurlweight']=($dansguardian_groups['embeddedurlweight']?$dansguardian_groups['embeddedurlweight']:"0"); $dansguardian_groups['bypass']=($dansguardian_groups['bypass']?$dansguardian_groups['bypass']:"0"); $dansguardian_groups['infectionbypass']=($dansguardian_groups['infectionbypass']?$dansguardian_groups['infectionbypass']:"0"); - $dansguardian_groups['mitmkey']=($dansguardian_groups['mitmkey']?$dansguardian_groups['mitmkey']:"dgs3dD3da"); switch ($dansguardian_groups['reportinglevel']){ case "1": case "2": @@ -761,8 +760,18 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) { $groupaccessdeniedaddress=""; } - foreach ($groups as $group) + foreach ($groups as $group){ $dansguardian_groups[$group]=(preg_match("/$group/",$dansguardian_groups['group_options'])?"on":"off"); + } + if (preg_match("/sslmitm/",$dansguardian_groups['group_options'])){ + $dansguardian_groups['mitmkey']="mitmkey = '".substr(md5(rand(100000000,999999999)),1,9)."'"; + $dansguardian_groups["sslmitm"]="on"; + $dansguardian_groups["sslcertcheck"]="on"; + } + else{ + $dansguardian_groups["sslmitm"]="off"; + $dansguardian_groups["sslcertcheck"]="off"; + } #create group list files $lists=array("phraseacl" => array("bannedphrase","weightedphrase","exceptionphrase"), "siteacl" => array("bannedsite","greysite","exceptionsite","exceptionfilesite","logsite"), @@ -939,6 +948,7 @@ EOF; $cconf= DANSGUARDIAN_DIR. "/etc/clamd.conf"; $cconf_file=file_get_contents($cconf); if (preg_match("/User (\w+)/",$cconf_file,$matches)){ + mwexec("/usr/sbin/pw user show {$matches[1]} || /usr/sbin/pw user add -n {$matches[1]} -s /usr/sbin/nologin"); $daemonuser = $matches[1]; $daemongroup = 'nobody'; } @@ -1103,8 +1113,8 @@ EOF; if (!(file_exists('/var/db/clamav/main.cvd')||file_exists('/var/db/clamav/main.cld'))){ file_notice("Dansguardian - No antivirus database found for clamav, running freshclam in background.",""); - log_error('No antivirus database found for clamav, running freshclam in background.'); - mwexec_bg(DANSGUARDIAN_DIR.'/bin/freshclam'); + log_error('No antivirus database found for clamav, running freshclam in background. Content-scanner may not work until freshclam finishes.'); + mwexec_bg(DANSGUARDIAN_DIR.'/bin/freshclam && /usr/local/etc/rc.d/clamav-clamd'); } $match=array(); @@ -1130,12 +1140,16 @@ EOF; foreach ($script_file as $script_line){ if(preg_match("/command=/",$script_line)){ $new_clamav_startup.= 'if [ ! -d /var/run/clamav ];then /bin/mkdir /var/run/clamav;fi'."\n"; + $new_clamav_startup.= 'if [ ! -d /var/db/clamav ];then /bin/mkdir /var/db/clamav;fi'."\n"; + $new_clamav_startup.= 'if [ ! -d /var/log/clamav ];then /bin/mkdir -p /var/log/clamav;fi'."\n"; $new_clamav_startup.= "chown -R ".$matches[1]." /var/run/clamav\n"; + $new_clamav_startup.= "chown -R ".$matches[1]." /var/db/clamav\n"; $new_clamav_startup.= "chown -R ".$matches[1]." /var/log/clamav\n"; $new_clamav_startup.=$script_line; } elseif(!preg_match("/(mkdir|chown|sleep|mailscanner)/",$script_line)) { $new_clamav_startup.=preg_replace("/NO/","YES",$script_line); + $new_clamav_startup.=preg_replace("@/usr/local@",DANSGUARDIAN_DIR,$script_line); } } file_put_contents($script, $new_clamav_startup, LOCK_EX); diff --git a/config/dansguardian/dansguardian_groups.xml b/config/dansguardian/dansguardian_groups.xml index 031ae88b..188b6d86 100755 --- a/config/dansguardian/dansguardian_groups.xml +++ b/config/dansguardian/dansguardian_groups.xml @@ -150,11 +150,10 @@ <option><name>Enable Deep URL Analysis (off)</name><value>deepurlanalysis</value></option> <option><name>Infection/Scan Error Bypass on Scan Errors Only (on)</name><value>infectionbypasserrorsonly</value></option> <option><name>Disable content scanning (off)</name><value>disablecontentscan</value></option> - <option><name>Check servers ssl certificates (off)</name><value>sslcertcheck</value></option> <option><name>Filter ssl sites forging SSL Certificates (off)</name><value>sslmitm</value></option> </options> <multiple/> - <size>10</size> + <size>9</size> </field> <field> <fielddescr>Pics</fielddescr> diff --git a/config/dansguardian/dansguardianfx.conf.template b/config/dansguardian/dansguardianfx.conf.template index f5296622..719c0c48 100644 --- a/config/dansguardian/dansguardianfx.conf.template +++ b/config/dansguardian/dansguardianfx.conf.template @@ -376,7 +376,7 @@ sslcertcheck = {$dansguardian_groups['sslcertcheck']} # Forge ssl certificates for all sites, decrypt the data then re encrypt it # using a different private key. Used to filter ssl sites sslmitm = {$dansguardian_groups['sslmitm']} -#mitmkey = '{$dansguardian_groups['mitmkey']}' +{$dansguardian_groups['mitmkey']} EOF; diff --git a/config/snort/snort.inc b/config/snort/snort.inc index dede1f1d..3571a215 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -2061,13 +2061,25 @@ PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB EOD; /* def sf_portscan */ + if (!empty($snortcfg['pscan_sense_level'])) + $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; + else + $sf_pscan_sense_level = "medium"; + + if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { + $sf_pscan_ignore_scanners = filter_expand_alias($snortcfg['pscan_ignore_scanners']); + $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); + } + else + $sf_pscan_ignore_scanners = "\$HOME_NET"; + $sf_portscan = <<<EOD # sf Portscan # preprocessor sfportscan: scan_type { all } \ proto { all } \ memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } + sense_level { {$sf_pscan_sense_level} } \ + ignore_scanners { {$sf_pscan_ignore_scanners} } EOD; diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index cec43bb7a..d0fabbf4 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -295,7 +295,9 @@ function enable_change(enable_change) { <td width="78%" class="vtable"> <select name="performance" class="formselect" id="performance"> <?php - $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', 'ac-banded' => 'AC-BANDED', 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS'); + $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'ac-split' => 'AC-SPLIT', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', + 'ac-nq' => 'AC-NQ', 'ac-bnfa-nq' => 'AC-BNFA-NQ', 'lowmem-nq' => 'LOWMEM-NQ', 'ac-banded' => 'AC-BANDED', + 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS'); foreach ($interfaces2 as $iface2 => $ifacename2): ?> <option value="<?=$iface2;?>" <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> @@ -303,10 +305,10 @@ function enable_change(enable_change) { <?php endforeach; ?> </select><br> <span class="vexpl"><?php echo gettext("LOWMEM and AC-BNFA are recommended for low end " . - "systems, AC: high memory, best performance, AC-STD: moderate " . - "memory,high performance, ACS: small memory, moderate performance, " . - "AC-BANDED: small memory,moderate performance, AC-SPARSEBANDS: small " . - "memory, high performance."); ?> + "systems, AC-SPLIT: low memory, high performance, short-hand for search-method ac split-any-any, AC: high memory, " . + "best performance, -NQ: the -nq option specifies that matches should not be queued and evaluated as they are found," . + " AC-STD: moderate memory, high performance, ACS: small memory, moderate performance, " . + "AC-BANDED: small memory,moderate performance, AC-SPARSEBANDS: small memory, high performance."); ?> </span><br/></td> </tr> <tr> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index eb371119..9dde8aaf 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -75,11 +75,11 @@ if (!$input_errors) { $retval = 0; - write_config(); - /* create whitelist and homenet file then sync files */ sync_snort_package_config(); + write_config(); + /* forces page to reload new settings */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 916fd413..89f1136c 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -81,6 +81,9 @@ if ($_POST) { $natent = array(); $natent = $pconfig; + if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners'])) + $input_errors[] = "Only aliases are allowed"; + /* if no errors write to conf */ if (!$input_errors) { /* post new options */ @@ -89,6 +92,12 @@ if ($_POST) { if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = ""; } if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = ""; } if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = ""; } + if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; } + + if ($_POST['pscan_ignore_scanners']) + $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; + else + unset($natent['pscan_ignore_scanners']); $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; @@ -155,6 +164,10 @@ include_once("head.inc"); ?> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> <form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -177,7 +190,7 @@ include_once("head.inc"); <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong<?php echo gettext("Note:"); ?>> </strong></span><br> - <?php echo gettext("Rules may be dependent on preprocessors!"); ?><br> + <?php echo gettext("Rules may be dependent on preprocessors! "); ?> <?php echo gettext("Defaults will be used when there is no user input."); ?><br></td> </tr> <tr> @@ -298,6 +311,46 @@ include_once("head.inc"); "in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?><br> </td> </tr> + + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> + <?php echo gettext("Portscan Detection"); ?></td> + <td width="78%" class="vtable"><input name="sf_portscan" + type="checkbox" value="on" + <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td> + <td width="78%" class="vtable"> + <select name="pscan_sense_level" class="formselect" id="pscan_sense_level"> + <?php + $levels = array('low', 'medium', 'high'); + foreach ($levels as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['pscan_sense_level']) echo "selected"; ?>> + <?=gettext(ucfirst($val));?></option> + <?php endforeach; ?> + </select><br> + <?php echo gettext("LOW: alerts generated on error packets from the target host; "); ?> + <?php echo gettext("this setting should see few false positives. "); ?><br> + <?php echo gettext("MEDIUM: tracks connection counts, so will generate filtered alerts; may "); ?> + <?php echo gettext("false positive on active hosts."); ?><br> + <?php echo gettext("HIGH: tracks hosts using a time window; will catch some slow scans, but is "); ?> + <?php echo gettext("very sensitive to active hosts."); ?><br/> + </td> + </tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?> </td> + <td width="78%" class="vtable"> + <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" + value="<?=$pconfig['pscan_ignore_scanners'];?>"> <br><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias.");?><br> + <?php echo gettext("Default value: \$HOME_NET"); ?><?php echo gettext(" Leave " . + "blank for default value."); ?> + </td> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td> </tr> @@ -348,15 +401,6 @@ include_once("head.inc"); </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> - <?php echo gettext("Portscan Detection"); ?></td> - <td width="78%" class="vtable"><input name="sf_portscan" - type="checkbox" value="on" - <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?> - onClick="enable_change(false)"><br> - <?php echo gettext("Detects various types of portscans and portsweeps."); ?></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("DCE/RPC2 Detection"); ?></td> <td width="78%" class="vtable"><input name="dce_rpc_2" type="checkbox" value="on" @@ -438,6 +482,40 @@ include_once("head.inc"); </table> </td></tr></table> </form> +<script type="text/javascript"> +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesports = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } else if ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesports .= ","; + $aliasesports .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } +?> + + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portsarray=new Array(<?php echo $aliasesports; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +</script> <?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 83e1ea8b..7457632d 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -362,7 +362,7 @@ function popup(url) <tr> <td width="3%" class="list"> </td> <td colspan="7" class="listhdr" > </td> - <td width="3%" align="center" valign="middle" class="list"><a href="javascript: void(0)" + <td width="3%" align="center" valign="middle" class="listt"><a href="javascript: void(0)" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>')"> <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"' @@ -371,7 +371,7 @@ function popup(url) </tr> <tr id="frheader"> <td width="3%" class="list"> </td> - <td width="9%" class="listhdr"><?php echo gettext("SID"); ?></td> + <td width="9%" class="listhdrr"><?php echo gettext("SID"); ?></td> <td width="2%" class="listhdrr"><?php echo gettext("Proto"); ?></td> <td width="14%" class="listhdrr"><?php echo gettext("Source"); ?></td> <td width="12%" class="listhdrr"><?php echo gettext("Port"); ?></td> @@ -446,7 +446,7 @@ function popup(url) $textss $message $textse </td>"; ?> - <td width="3%" align="center" valign="middle" nowrap class="list"> + <td width="3%" align="center" valign="middle" nowrap class="listt"> <a href="javascript: void(0)" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>')"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" |