aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
Diffstat (limited to 'config')
-rwxr-xr-xconfig/snort/snort.inc1283
-rw-r--r--config/snort/snort.priv.inc45
-rwxr-xr-xconfig/snort/snort.xml61
-rwxr-xr-xconfig/snort/snort_alerts.php13
-rw-r--r--config/snort/snort_barnyard.php4
-rw-r--r--config/snort/snort_blocked.php4
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php450
-rwxr-xr-xconfig/snort/snort_define_servers.php25
-rwxr-xr-xconfig/snort/snort_download_updates.php2
-rw-r--r--config/snort/snort_edit_hat_data.php2
-rw-r--r--config/snort/snort_frag3_engine.php402
-rw-r--r--config/snort/snort_ftp_client_engine.php438
-rw-r--r--config/snort/snort_ftp_server_engine.php387
-rw-r--r--config/snort/snort_httpinspect_engine.php751
-rw-r--r--config/snort/snort_import_aliases.php327
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php158
-rw-r--r--config/snort/snort_interfaces_global.php140
-rw-r--r--config/snort/snort_interfaces_suppress.php2
-rw-r--r--config/snort/snort_interfaces_suppress_edit.php6
-rw-r--r--config/snort/snort_interfaces_whitelist.php2
-rw-r--r--config/snort/snort_interfaces_whitelist_edit.php28
-rw-r--r--config/snort/snort_migrate_config.php298
-rw-r--r--config/snort/snort_post_install.php1451
-rwxr-xr-xconfig/snort/snort_preprocessors.php1554
-rwxr-xr-xconfig/snort/snort_rules.php2
-rw-r--r--config/snort/snort_rules_flowbits.php6
-rwxr-xr-xconfig/snort/snort_rulesets.php79
-rw-r--r--config/snort/snort_select_alias.php245
-rw-r--r--config/snort/snort_stream5_engine.php670
29 files changed, 7448 insertions, 1387 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 98b80d66..af1c0993 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -43,11 +43,15 @@ require_once("filter.inc");
ini_set("memory_limit", "192M");
// Explicitly declare this as global so it works through function call includes
-global $rebuild_rules;
+global $rebuild_rules, $pfSense_snort_version;
+
+// Grab the Snort binary version programmatically
+$snortver = array();
+exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
+$snort_version = $snortver[0];
/* package version */
-$snort_version = "2.9.4.6";
-$pfSense_snort_version = "2.6.1";
+$pfSense_snort_version = "3.0.0";
$snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}";
// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI)
@@ -66,6 +70,7 @@ else {
}
/* Define some useful constants for Snort */
+/* Be sure to include trailing slash on the URL defines */
define("SNORTLOGDIR", "/var/log/snort");
define("ET_DNLD_FILENAME", "emerging.rules.tar.gz");
define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
@@ -73,6 +78,10 @@ define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
define("FLOWBITS_FILENAME", "flowbit-required.rules");
define("ENFORCING_RULES_FILENAME", "snort.rules");
define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+define("VRT_FILE_PREFIX", "snort_");
+define("GPL_FILE_PREFIX", "GPLv2_");
+define("ET_OPEN_FILE_PREFIX", "emerging-");
+define("ET_PRO_FILE_PREFIX", "etpro-");
/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;
@@ -100,24 +109,26 @@ function snort_is_single_addr_alias($alias) {
return true;
}
-function snort_expand_port_range($ports) {
+function snort_expand_port_range($ports, $delim = ',') {
/**************************************************/
/* This function examines the passed ports string */
/* and expands any embedded port ranges into the */
- /* individual ports separated by commas. A port */
- /* range is indicated by a colon in the string. */
+ /* individual ports separated by the specified */
+ /* delimiter. A port range is indicated by a */
+ /* colon in the string. */
/* */
/* On Entry: $ports ==> string to be evaluated */
- /* with commas separating */
+ /* with {$delim} separating */
/* the port values. */
/* Returns: string with any encountered port */
- /* ranges expanded. */
+ /* ranges expanded and the values */
+ /* delimited by {$delim}. */
/**************************************************/
$value = "";
- // Split the incoming string on the commas
- $tmp = explode(",", $ports);
+ // Split the incoming string on the specified delimiter
+ $tmp = explode($delim, $ports);
// Look for any included port range and expand it
foreach ($tmp as $val) {
@@ -125,17 +136,17 @@ function snort_expand_port_range($ports) {
$start = strtok($val, ":");
$end = strtok(":");
if ($end !== false) {
- $val = $start . ",";
+ $val = $start . $delim;
for ($i = intval($start) + 1; $i < intval($end); $i++)
- $val .= strval($i) . ",";
+ $val .= strval($i) . $delim;
$val .= $end;
}
}
- $value .= $val . ",";
+ $value .= $val . $delim;
}
- // Remove any trailing comma in return value
- return trim($value, ",");
+ // Remove any trailing delimiter in return value
+ return trim($value, $delim);
}
function snort_get_blocked_ips() {
@@ -318,9 +329,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
$wandns = $list['wandnsips'];
$vips = $list['vips'];
$vpns = $list['vpnips'];
- if (!empty($list['address']) && is_alias($list['address'])) {
+ if (!empty($list['address']) && is_alias($list['address']))
$home_net = explode(" ", trim(filter_expand_alias($list['address'])));
- }
}
/* Always add loopback to HOME_NET and whitelist (ftphelper) */
@@ -573,7 +583,7 @@ function snort_reload_config($snortcfg, $signal="SIGHUP") {
/* can find a valid PID for the process. */
/******************************************************/
if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
- log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']}({$if_real})...");
+ log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']} ({$if_real})...");
exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &");
}
}
@@ -661,78 +671,6 @@ function snort_post_delete_logs($snort_uuid = 0) {
}
}
-function snort_postinstall() {
- global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include;
-
- $snortdir = SNORTDIR;
- $snortlibdir = SNORTLIBDIR;
- $rcdir = RCFILEPREFIX;
-
- /* Set flag for post-install in progress */
- $g['snort_postinstall'] = true;
-
- /* cleanup default files */
- @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf");
- @rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf");
- @rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map");
- @rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map");
- @rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config");
- @rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
- @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
- @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
-
- /* fix up the preprocessor rules filenames from a PBI package install */
- $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
- foreach ($preproc_rules as $file) {
- if (file_exists("{$snortdir}/preproc_rules/{$file}-sample"))
- @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}");
- }
-
- /* Remove any previously installed scripts since we rebuild them */
- @unlink("{$snortdir}/sid");
- @unlink("{$rcdir}/snort.sh");
- @unlink("{$rcdir}/barnyard2");
-
- /* remove example library files */
- $files = glob("{$snortlibdir}/dynamicrules/*_example*");
- foreach ($files as $f)
- @unlink($f);
- $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*");
- foreach ($files as $f)
- @unlink($f);
-
- /* remake saved settings */
- if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
- log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings..."));
- update_status(gettext("Saved settings detected..."));
- update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
- log_error(gettext("[Snort] Downloading and updating configured rule types..."));
- update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
- if ($pkg_interface <> "console")
- $snort_gui_include = true;
- @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php");
- update_status(gettext("Generating snort.conf configuration file from saved settings..."));
- $rebuild_rules = true;
- sync_snort_package_config();
- $rebuild_rules = false;
- update_output_window(gettext("Finished rebuilding files..."));
- log_error(gettext("[Snort] Finished rebuilding installation from saved settings..."));
-
- /* Only try to start Snort if not in reboot */
- if (!$g['booting']) {
- update_status(gettext("Starting Snort using rebuilt configuration..."));
- update_output_window(gettext("Please wait... while Snort is started..."));
- log_error(gettext("[Snort] Starting Snort using rebuilt configuration..."));
- update_output_window(gettext("Snort has been started using the rebuilt configuration..."));
- start_service("snort");
- }
- }
-
- /* Done with post-install, so clear flag */
- unset($g['snort_postinstall']);
- log_error(gettext("[Snort] Package post-installation tasks completed..."));
-}
-
function snort_Getdirsize($node) {
if(!is_readable($node))
return false;
@@ -761,7 +699,6 @@ function snort_snortloglimit_install_cron($should_install) {
switch($should_install) {
case true:
if(!$is_installed) {
-
$cron_item = array();
$cron_item['minute'] = "*/5";
$cron_item['hour'] = "*";
@@ -798,6 +735,22 @@ function snort_rm_blocked_install_cron($should_install) {
}
$snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked'];
+ if ($snort_rm_blocked_info_ck == "15m_b") {
+ $snort_rm_blocked_min = "*/2";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "900";
+ }
+ if ($snort_rm_blocked_info_ck == "30m_b") {
+ $snort_rm_blocked_min = "*/5";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "1800";
+ }
if ($snort_rm_blocked_info_ck == "1h_b") {
$snort_rm_blocked_min = "*/5";
$snort_rm_blocked_hr = "*";
@@ -1047,13 +1000,13 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
/* sid-msg.map file for use by Snort and/or barnyard2. */
/*************************************************************/
- $sidMap = array();
+ $sidMap = array();
$rule_files = array();
- /* First check if we were passed a directory, a single file */
- /* or an array of filenames to read. Set our $rule_files */
- /* variable accordingly. If we can't figure it out, return */
- /* and don't write a sid_msg_map file. */
+ /* First check if we were passed a directory, a single file */
+ /* or an array of filenames to read. Set our $rule_files */
+ /* variable accordingly. If we can't figure it out, return */
+ /* and don't write a sid_msg_map file. */
if (is_string($rules_path)) {
if (is_dir($rules_path))
$rule_files = glob($rules_path . "*.rules");
@@ -1065,71 +1018,71 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
else
return;
- /* Read the rule files into an array, then iterate the list */
- foreach ($rule_files as $file) {
+ /* Read the rule files into an array, then iterate the list */
+ foreach ($rule_files as $file) {
- /* Don't process files with "deleted" in the filename */
- if (stristr($file, "deleted"))
- continue;
+ /* Don't process files with "deleted" in the filename */
+ if (stristr($file, "deleted"))
+ continue;
- /* Read the file into an array, skipping missing files. */
- if (!file_exists($file))
+ /* Read the file into an array, skipping missing files. */
+ if (!file_exists($file))
continue;
- $rules_array = file($file, FILE_SKIP_EMPTY_LINES);
- $record = "";
- $b_Multiline = false;
-
- /* Read and process each line from the rules in the */
- /* current file. */
- foreach ($rules_array as $rule) {
-
- /* Skip any non-rule lines unless we're in */
- /* multiline mode. */
- if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline)
- continue;
-
- /* Test for a multi-line rule, and reassemble the */
- /* pieces back into a single line. */
- if (preg_match('/\\\\s*[\n]$/m', $rule)) {
- $rule = substr($rule, 0, strrpos($rule, '\\'));
- $record .= $rule;
- $b_Multiline = true;
- continue;
- }
- /* If the last segment of a multiline rule, then */
- /* append it onto the previous parts to form a */
- /* single-line rule for further processing below. */
- elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) {
- $record .= $rule;
- $rule = $record;
- }
- $b_Multiline = false;
- $record = "";
-
- /* Parse the rule to find sid and any references. */
- $sid = '';
- $msg = '';
- $matches = '';
- $sidEntry = '';
- if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches))
- $msg = trim($matches[1]);
- if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches))
- $sid = trim($matches[1]);
- if (!empty($sid) && !empty($msg)) {
- $sidEntry = $sid . ' || ' . $msg;
- preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches);
- foreach ($matches[1] as $ref)
- $sidEntry .= " || " . trim($ref);
- $sidEntry .= "\n";
- $sidMap[$sid] = $sidEntry;
- }
- }
+ $rules_array = file($file, FILE_SKIP_EMPTY_LINES);
+ $record = "";
+ $b_Multiline = false;
+
+ /* Read and process each line from the rules in the current file */
+ foreach ($rules_array as $rule) {
+
+ /* Skip any non-rule lines unless we're in multiline mode. */
+ if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline)
+ continue;
+
+ /* Test for a multi-line rule, and reassemble the */
+ /* pieces back into a single line. */
+ if (preg_match('/\\\\s*[\n]$/m', $rule)) {
+ $rule = substr($rule, 0, strrpos($rule, '\\'));
+ $record .= $rule;
+ $b_Multiline = true;
+ continue;
+ }
+ /* If the last segment of a multiline rule, then */
+ /* append it onto the previous parts to form a */
+ /* single-line rule for further processing below. */
+ elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) {
+ $record .= $rule;
+ $rule = $record;
+ }
+ $b_Multiline = false;
+ $record = "";
+
+ /* Parse the rule to find sid and any references. */
+ $sid = '';
+ $msg = '';
+ $matches = '';
+ $sidEntry = '';
+ if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches))
+ $msg = trim($matches[1]);
+ if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches))
+ $sid = trim($matches[1]);
+ if (!empty($sid) && !empty($msg)) {
+ $sidEntry = $sid . ' || ' . $msg;
+ preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches);
+ foreach ($matches[1] as $ref)
+ $sidEntry .= " || " . trim($ref);
+ $sidEntry .= "\n";
+ if (!is_array($sidMap[$sid]))
+ $sidMap[$sid] = array();
+ $sidMap[$sid] = $sidEntry;
+ }
+ }
}
- /* Sort the generated sid-msg map by sid */
- ksort($sidMap);
+ /* Sort the generated sid-msg map by sid */
+ ksort($sidMap);
- /* Now print the result to the supplied file */
+ /* Now print the result to the supplied file */
@file_put_contents($sid_file, array_values($sidMap));
}
@@ -1154,8 +1107,11 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) {
if (preg_match('/(\:)\s*(\w+)\s*(.*)/', $line, $matches)) {
if (!empty($matches[2]) && !empty($matches[3])) {
$matches[2] = trim($matches[2]);
- if (!array_key_exists($matches[2], $outMap))
+ if (!array_key_exists($matches[2], $outMap)) {
+ if (!is_array($outMap[$matches[2]]))
+ $outMap[$matches[2]] = array();
$outMap[$matches[2]] = trim($matches[3]);
+ }
}
}
}
@@ -1199,8 +1155,11 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) {
continue;
if (!empty($matches[2]) && !empty($matches[3]) && !empty($matches[4])) {
$matches[2] = trim($matches[2]);
- if (!array_key_exists($matches[2], $outMap))
+ if (!array_key_exists($matches[2], $outMap)) {
+ if (!is_array($outMap[$matches[2]]))
+ $outMap[$matches[2]] = array();
$outMap[$matches[2]] = trim($matches[3]) . "," . trim($matches[4]);
+ }
}
}
}
@@ -1463,8 +1422,11 @@ function snort_get_checked_flowbits($rules_map) {
if ($action == "isset" || $action == "isnotset") {
$target = preg_split('/[&|]/', substr($flowbit, $pos + 1));
foreach ($target as $t)
- if (!empty($t) && !isset($checked_flowbits[$t]))
+ if (!empty($t) && !isset($checked_flowbits[$t])) {
+ if (!is_array($checked_flowbits[$t]))
+ $checked_flowbits[$t] = array();
$checked_flowbits[$t] = $action;
+ }
}
}
}
@@ -1504,8 +1466,11 @@ function snort_get_set_flowbits($rules_map) {
if ($action == "set" || $action == "toggle" || $action == "setx") {
$target = preg_split('/[&|]/', substr($flowbit, $pos + 1));
foreach ($target as $t)
- if (!empty($t) && !isset($set_flowbits[$t]))
+ if (!empty($t) && !isset($set_flowbits[$t])) {
+ if (!is_array($set_flowbits[$t]))
+ $set_flowbits[$t] = array();
$set_flowbits[$t] = $action;
+ }
}
}
}
@@ -1584,7 +1549,7 @@ function snort_resolve_flowbits($rules, $active_rules) {
$snortdir = SNORTDIR;
- /* Check $all_rules array to be sure it is filled. */
+ /* Check $rules array to be sure it is filled. */
if (empty($rules)) {
log_error(gettext("[Snort] WARNING: Flowbit resolution not done - no rules in {$snortdir}/rules/ ..."));
return array();
@@ -1643,7 +1608,7 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) {
$fp = fopen($rule_file, "w");
if ($fp) {
@fwrite($fp, "# These rules set flowbits checked by your other enabled rules. If the\n");
- @fwrite($fp, "# the dependent flowbits are not set, then some of your chosen rules may\n");
+ @fwrite($fp, "# dependent flowbits are not set, then some of your chosen rules may\n");
@fwrite($fp, "# not fire. Enabling all rules that set these dependent flowbits ensures\n");
@fwrite($fp, "# your chosen rules fire as intended.\n#\n");
@fwrite($fp, "# If you wish to prevent alerts from any of these rules, add the GID:SID\n");
@@ -1791,8 +1756,11 @@ function snort_load_sid_mods($sids, $value) {
return $result;
$tmp = explode("||", $sids);
foreach ($tmp as $v) {
- if (preg_match('/\s\d+/', $v, $match))
+ if (preg_match('/\s\d+/', $v, $match)) {
+ if (!is_array($result[trim($match[0])]))
+ $result[trim($match[0])] = array();
$result[trim($match[0])] = trim($match[0]);
+ }
}
unset($tmp);
@@ -1849,12 +1817,12 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
function snort_create_rc() {
- /*********************************************************/
- /* This function builds the /usr/local/etc/rc.d/snort.sh */
- /* shell script for starting and stopping Snort. The */
- /* script is rebuilt on each package sync operation and */
- /* after any changes to snort.conf saved in the GUI. */
- /*********************************************************/
+/*********************************************************/
+/* This function builds the /usr/local/etc/rc.d/snort.sh */
+/* shell script for starting and stopping Snort. The */
+/* script is rebuilt on each package sync operation and */
+/* after any changes to snort.conf saved in the GUI. */
+/*********************************************************/
global $config, $g;
@@ -1887,7 +1855,7 @@ function snort_create_rc() {
fi
if [ ! -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill $pid -a
+ /bin/pkill \$pid -a
time=0 timeout=30
while kill -0 \$pid 2>/dev/null; do
sleep 1
@@ -2137,19 +2105,23 @@ function snort_deinstall() {
/* Log a message only if a running process is detected */
if (is_service_running("snort"))
log_error(gettext("[Snort] Snort STOP for all interfaces..."));
- mwexec('/usr/bin/killall snort', true);
+ mwexec('/usr/bin/killall -z snort', true);
sleep(2);
mwexec('/usr/bin/killall -9 snort', true);
sleep(2);
+ // Delete any leftover snort PID files in /var/run
+ array_map('@unlink', glob("/var/run/snort_*.pid"));
/* Make sure all active Barnyard2 processes are terminated */
/* Log a message only if a running process is detected */
if (is_service_running("barnyard2"))
log_error(gettext("[Snort] Barnyard2 STOP for all interfaces..."));
- mwexec('/usr/bin/killall barnyard2', true);
+ mwexec('/usr/bin/killall -z barnyard2', true);
sleep(2);
mwexec('/usr/bin/killall -9 barnyard2', true);
sleep(2);
+ // Delete any leftover barnyard2 PID files in /var/run
+ array_map('@unlink', glob("/var/run/barnyard2_*.pid"));
/* Remove the snort user and group */
mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
@@ -2201,6 +2173,7 @@ function snort_deinstall() {
mwexec("/bin/rm -rf /usr/local/pkg/snort");
mwexec("/bin/rm -rf /usr/local/www/snort");
mwexec("/bin/rm -rf /usr/local/etc/snort");
+ mwexec("/bin/rm -rf /usr/local/lib/snort");
}
/* Keep this as a last step */
@@ -2562,6 +2535,8 @@ function snort_generate_conf($snortcfg) {
/* user added arguments */
$snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru']));
+ // Remove the trailing newline
+ $snort_config_pass_thru = rtrim($snort_config_pass_thru);
/* create a few directories and ensure the sample files are in place */
$snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules",
@@ -2585,7 +2560,7 @@ function snort_generate_conf($snortcfg) {
/* update has been done and we should leave the customized files */
/* put in place by the rules update process. */
/********************************************************************/
- $snort_files = array("gen-msg.map", "classification.config", "reference.config",
+ $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd",
"sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules",
"preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules"
);
@@ -2638,14 +2613,15 @@ function snort_generate_conf($snortcfg) {
$ssh_port = $config['system']['ssh']['port'];
else
$ssh_port = "22";
+
+ /* Define an array of default values for the various preprocessor ports */
$snort_ports = array(
- "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691",
- "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555",
- "oracle_ports" => "1024:", "mssql_ports" => "1433",
- "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535",
- "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
- "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
- "sip_ports" => "5060,5061, 5600", "auth_ports" => "113", "finger_ports" => "79",
+ "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691",
+ "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712",
+ "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23",
+ "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port,
+ "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143",
+ "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79",
"irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
"nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
"ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920",
@@ -2658,6 +2634,7 @@ function snort_generate_conf($snortcfg) {
"GTP_PORTS" => "2123,2152,3386"
);
+ /* Check for defined Aliases that may override default port settings as we build the portvars array */
$portvardef = "";
foreach ($snort_ports as $alias => $avalue) {
if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
@@ -2666,6 +2643,23 @@ function snort_generate_conf($snortcfg) {
$portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
}
+ /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */
+ $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n";
+ $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n";
+ $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n";
+ $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n";
+ $stream5_ports_client .= "\t 32778 32779";
+ $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n";
+ $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n";
+ $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n";
+ $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n";
+ $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n";
+ $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n";
+ $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n";
+ $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n";
+ $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n";
+ $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n";
+ $stream5_ports_both .= "\t 55555 56712";
/////////////////////////////
/* preprocessor code */
@@ -2676,106 +2670,220 @@ preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_u
EOD;
- /* Pull in the user-configurable HTTP_INSPECT global preprocessor options */
- $http_inspect_memcap = "150994944";
- if (!empty($snortcfg['http_inspect_memcap']))
- $http_inspect_memcap = $snortcfg['http_inspect_memcap'];
-
- /* Pull in the user-configurable HTTP_INSPECT server preprocessor options */
- $server_flow_depth = '300';
- if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0'))
- $server_flow_depth = $snortcfg['server_flow_depth'];
- $http_server_profile = "all";
- if (!empty($snortcfg['http_server_profile']))
- $http_server_profile = $snortcfg['http_server_profile'];
- $client_flow_depth = '300';
- if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0'))
- $client_flow_depth = $snortcfg['client_flow_depth'];
- if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect']))
- $noalert_http_inspect = "no_alerts";
+ /* def ftp_preprocessor */
+ $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports']));
+ $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports']));
+
+ // Configure FTP_Telnet global options
+ $ftp_telnet_globals = "inspection_type ";
+ if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; }
+ if ($snortcfg['ftp_telnet_alert_encrypted'] == "on")
+ $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes";
else
- $noalert_http_inspect = "";
- $http_inspect_server_opts = "enable_cookie \\\n\textended_response_inspection \\\n\tnormalize_javascript \\\n";
- $http_inspect_server_opts .= "\tinspect_gzip \\\n\tnormalize_utf \\\n\tunlimited_decompress \\\n";
- $http_inspect_server_opts .= "\tnormalize_headers \\\n\tnormalize_cookies";
- if ($snortcfg['http_inspect_enable_xff'] == "on")
- $http_inspect_server_opts .= " \\\n\tenable_xff";
-
- /* If Stream5 is enabled, then we can enable the "log_uri" and "log_hostname" options */
- if ($snortcfg['stream5_reassembly'] == "on") {
- if ($snortcfg['http_inspect_log_uri'] == "on")
- $http_inspect_server_opts .= " \\\n\tlog_uri";
- if ($snortcfg['http_inspect_log_hostname'] == "on")
- $http_inspect_server_opts .= " \\\n\tlog_hostname";
- }
+ $ftp_telnet_globals .= " \\\n\tencrypted_traffic no";
+ if ($snortcfg['ftp_telnet_check_encrypted'] == "on")
+ $ftp_telnet_globals .= " \\\n\tcheck_encrypted";
+
+ // Configure FTP_Telnet Telnet protocol options
+ $ftp_telnet_protocol = "ports { {$telnet_ports} }";
+ if ($snortcfg['ftp_telnet_normalize'] == "on")
+ $ftp_telnet_protocol .= " \\\n\tnormalize";
+ if ($snortcfg['ftp_telnet_detect_anomalies'] == "on")
+ $ftp_telnet_protocol .= " \\\n\tdetect_anomalies";
+ if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') {
+ $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh ";
+ if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "")
+ $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold'];
+ else
+ $ftp_telnet_protocol .= "20";
+ }
+
+ // Setup the standard FTP commands used for all FTP Server engines
+ $ftp_cmds = <<<EOD
+ ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
+ ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
+ ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
+ ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
+ ftp_cmds { FEAT CEL CMD MACB } \
+ ftp_cmds { MDTM REST SIZE MLST MLSD } \
+ ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
+ alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
+ alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
+ alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
+ alt_max_param_len 256 { RNTO CWD } \
+ alt_max_param_len 400 { PORT } \
+ alt_max_param_len 512 { SIZE } \
+ chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
+ chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
+ chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
+ chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
+ chk_str_fmt { FEAT CEL CMD } \
+ chk_str_fmt { MDTM REST SIZE MLST MLSD } \
+ chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
+ cmd_validity MODE < char ASBCZ > \
+ cmd_validity STRU < char FRP > \
+ cmd_validity ALLO < int [ char R int ] > \
+ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
+ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+ cmd_validity PORT < host_port >
- $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
+EOD;
- /* def http_inspect */
- $http_inspect = <<<EOD
-# HTTP Inspect #
-preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 memcap {$http_inspect_memcap}
+ // Configure all the FTP_Telnet FTP protocol options
+ // Iterate and configure the FTP Client engines
+ $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ if (!is_array($snortcfg['ftp_client_engine']['item']))
+ $snortcfg['ftp_client_engine']['item'] = array();
+
+ // If no FTP client engine is configured, use the default
+ // to keep from breaking Snort.
+ if (empty($snortcfg['ftp_client_engine']['item']))
+ $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine;
+ $ftp_client_engine = "";
+
+ foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor ftp_telnet_protocol: ftp client ";
+ if ($v['name'] == "default" && $v['bind_to'] == "all")
+ $buffer .= "default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "{$tmp} \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry.");
+ continue;
+ }
-preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect} \
- ports { {$http_ports} } \
- http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
- server_flow_depth {$server_flow_depth} \
- client_flow_depth {$client_flow_depth} \
- {$http_inspect_server_opts}
+ if ($v['max_resp_len'] == "")
+ $buffer .= "\tmax_resp_len 256 \\\n";
+ else
+ $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n";
+
+ $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n";
+ $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n";
+
+ if ($v['bounce'] == "yes") {
+ if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) {
+ $net = trim(filter_expand_alias($v['bounce_to_net']));
+ $port = trim(filter_expand_alias($v['bounce_to_port']));
+ if (!empty($net) && !empty($port) &&
+ snort_is_single_addr_alias($v['bounce_to_net']) &&
+ (is_port($port) || is_portrange($port))) {
+ $port = preg_replace('/\s+/', ',', $port);
+ // Change port range delimiter to comma for ftp_telnet client preprocessor
+ if (is_portrange($port))
+ $port = str_replace(":", ",", $port);
+ $buffer .= "\tbounce yes \\\n";
+ $buffer .= "\tbounce_to { {$net},{$port} }\n";
+ }
+ else {
+ // One or both of the BOUNCE_TO alias values is not right,
+ // so figure out which and log an appropriate error.
+ if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net']))
+ log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine.");
+ if (empty($port) || !(is_port($port) || is_portrange($port)))
+ log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine.");
+ $buffer .= "\tbounce yes\n";
+ }
+ }
+ else
+ $buffer .= "\tbounce yes\n";
+ }
+ else
+ $buffer .= "\tbounce no\n";
+
+ // Add this FTP client engine to the master string
+ $ftp_client_engine .= "{$buffer}\n";
+ }
+ // Trim final trailing newline
+ rtrim($ftp_client_engine);
+
+ // Iterate and configure the FTP Server engines
+ $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ if (!is_array($snortcfg['ftp_server_engine']['item']))
+ $snortcfg['ftp_server_engine']['item'] = array();
+
+ // If no FTP server engine is configured, use the default
+ // to keep from breaking Snort.
+ if (empty($snortcfg['ftp_server_engine']['item']))
+ $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine;
+ $ftp_server_engine = "";
+
+ foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor ftp_telnet_protocol: ftp server ";
+ if ($v['name'] == "default" && $v['bind_to'] == "all")
+ $buffer .= "default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "{$tmp} \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry.");
+ continue;
+ }
-EOD;
+ if ($v['def_max_param_len'] == "")
+ $buffer .= "\tdef_max_param_len 100 \\\n";
+ elseif ($v['def_max_param_len'] <> '0')
+ $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n";
+
+ if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports']))
+ $buffer .= "\tports { {$ftp_ports} } \\\n";
+ elseif (is_alias($v['ports'])) {
+ $tmp = trim(filter_expand_alias($v['ports']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $tmp = snort_expand_port_range($tmp, ' ');
+ $buffer .= "\tports { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults.");
+ $buffer .= "\tports { {$ftp_ports} } \\\n";
+ }
+ }
+
+ $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n";
+ $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n";
+ if ($v['ignore_data_chan'] == "yes")
+ $buffer .= "\tignore_data_chan yes \\\n";
+ $buffer .= "{$ftp_cmds}\n";
+
+ // Add this FTP server engine to the master string
+ $ftp_server_engine .= $buffer;
+ }
+ // Remove trailing newlines
+ rtrim($ftp_server_engine);
- /* def ftp_preprocessor */
- $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports']));
- $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports']));
$ftp_preprocessor = <<<EOD
# ftp_telnet preprocessor #
preprocessor ftp_telnet: global \
-inspection_type stateless
+ {$ftp_telnet_globals}
preprocessor ftp_telnet_protocol: telnet \
- normalize ports { {$telnet_ports} } \
- ayt_attack_thresh 20 \
- detect_anomalies
-
-preprocessor ftp_telnet_protocol: ftp server default \
- def_max_param_len 100 \
- ports { $ftp_ports } \
- telnet_cmds yes \
- ignore_telnet_erase_cmds yes \
- ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
- ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
- ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
- ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
- ftp_cmds { FEAT CEL CMD MACB } \
- ftp_cmds { MDTM REST SIZE MLST MLSD } \
- ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
- alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
- alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
- alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
- alt_max_param_len 256 { RNTO CWD } \
- alt_max_param_len 400 { PORT } \
- alt_max_param_len 512 { SIZE } \
- chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
- chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
- chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
- chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
- chk_str_fmt { FEAT CEL CMD } \
- chk_str_fmt { MDTM REST SIZE MLST MLSD } \
- chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
- cmd_validity MODE < char ASBCZ > \
- cmd_validity STRU < char FRP > \
- cmd_validity ALLO < int [ char R int ] > \
- cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
- cmd_validity PORT < host_port >
-
-preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 256 \
- bounce yes \
- ignore_telnet_erase_cmds yes \
- telnet_cmds yes
-
+ {$ftp_telnet_protocol}
+
+{$ftp_server_engine}
+{$ftp_client_engine}
EOD;
$pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports']));
@@ -2783,7 +2891,7 @@ EOD;
# POP preprocessor #
preprocessor pop: \
ports { {$pop_ports} } \
- memcap 1310700 \
+ memcap 1310700 \
qp_decode_depth 0 \
b64_decode_depth 0 \
bitenc_decode_depth 0
@@ -2795,7 +2903,7 @@ EOD;
# IMAP preprocessor #
preprocessor imap: \
ports { {$imap_ports} } \
- memcap 1310700 \
+ memcap 1310700 \
qp_decode_depth 0 \
b64_decode_depth 0 \
bitenc_decode_depth 0
@@ -2807,35 +2915,37 @@ EOD;
$smtp_preprocessor = <<<EOD
# SMTP preprocessor #
preprocessor SMTP: \
- ports { {$smtp_ports} } \
- inspection_type stateful \
- normalize cmds \
- ignore_tls_data \
- valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET \
- SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME \
- TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP \
- RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK \
- TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- max_header_line_len 1000 \
- max_response_line_len 512 \
- alt_max_command_line_len 260 { MAIL } \
- alt_max_command_line_len 300 { RCPT } \
- alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
- alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
- alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
- alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
- alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- xlink2state { enable } \
- log_mailfrom \
- log_rcptto \
- log_email_hdrs \
- email_hdrs_log_depth 1464 \
- log_filename \
- qp_decode_depth 0 \
- b64_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0
+ ports { {$smtp_ports} } \
+ inspection_type stateful \
+ normalize cmds \
+ ignore_tls_data \
+ valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \
+ NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \
+ STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \
+ XQUEU XSTA XTRN XUSR } \
+ normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \
+ IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \
+ ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \
+ XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ max_header_line_len 1000 \
+ max_response_line_len 512 \
+ alt_max_command_line_len 260 { MAIL } \
+ alt_max_command_line_len 300 { RCPT } \
+ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
+ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
+ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
+ alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
+ alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ xlink2state { enable } \
+ log_mailfrom \
+ log_rcptto \
+ log_email_hdrs \
+ email_hdrs_log_depth 1464 \
+ log_filename \
+ qp_decode_depth 0 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
EOD;
@@ -2859,12 +2969,13 @@ EOD;
}
$sf_portscan = <<<EOD
-# sf Portscan preprocessor #
-preprocessor sfportscan: scan_type { {$sf_pscan_type} } \
- proto { {$sf_pscan_protocol} } \
- memcap { {$sf_pscan_memcap} } \
- sense_level { {$sf_pscan_sense_level} } \
- ignore_scanners { {$sf_pscan_ignore_scanners} }
+# sf Portscan #
+preprocessor sfportscan: \
+ scan_type { {$sf_pscan_type} } \
+ proto { {$sf_pscan_protocol} } \
+ memcap { {$sf_pscan_memcap} } \
+ sense_level { {$sf_pscan_sense_level} } \
+ ignore_scanners { {$sf_pscan_ignore_scanners} }
EOD;
@@ -2872,7 +2983,8 @@ EOD;
$ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports']));
$ssh_preproc = <<<EOD
# SSH preprocessor #
-preprocessor ssh: server_ports { {$ssh_ports} } \
+preprocessor ssh: \
+ server_ports { {$ssh_ports} } \
autodetect \
max_client_bytes 19600 \
max_encrypted_packets 20 \
@@ -2886,7 +2998,11 @@ EOD;
$sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports']));
$other_preprocs = <<<EOD
# Other preprocs #
-preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
+preprocessor rpc_decode: \
+ {$sun_rpc_ports} \
+ no_alert_multiple_requests \
+ no_alert_large_fragments \
+ no_alert_incomplete
# Back Orifice preprocessor #
preprocessor bo
@@ -2896,18 +3012,28 @@ EOD;
/* def dce_rpc_2 */
$dce_rpc_2 = <<<EOD
# DCE/RPC 2 #
-preprocessor dcerpc2: memcap 102400, events [co]
-preprocessor dcerpc2_server: default, policy WinXP, \
- detect [smb [{$snort_ports['smb_ports']}], tcp 135, udp 135, rpc-over-http-server 593], \
- autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
- smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
+preprocessor dcerpc2: \
+ memcap 102400, \
+ events [co]
+
+preprocessor dcerpc2_server: default, \
+ policy WinXP, \
+ detect [smb [{$snort_ports['smb_ports']}], \
+ tcp 135, \
+ udp 135, \
+ rpc-over-http-server 593], \
+ autodetect [tcp 1025:, \
+ udp 1025:, \
+ rpc-over-http-server 1025:], \
+ smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
EOD;
$sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports']));
$sip_preproc = <<<EOD
# SIP preprocessor #
-preprocessor sip: max_sessions 40000, \
+preprocessor sip: \
+ max_sessions 40000, \
ports { {$sip_ports} }, \
methods { invite \
cancel \
@@ -2947,8 +3073,8 @@ EOD;
$dns_preprocessor = <<<EOD
# DNS preprocessor #
preprocessor dns: \
- ports { {$dns_ports} } \
- enable_rdata_overflow
+ ports { {$dns_ports} } \
+ enable_rdata_overflow
EOD;
@@ -2957,9 +3083,9 @@ EOD;
$dnp3_preproc = <<<EOD
# DNP3 preprocessor #
preprocessor dnp3: \
- ports { {$dnp3_ports} } \
- memcap 262144 \
- check_crc
+ ports { {$dnp3_ports} } \
+ memcap 262144 \
+ check_crc
EOD;
@@ -2968,7 +3094,7 @@ EOD;
$modbus_preproc = <<<EOD
# Modbus preprocessor #
preprocessor modbus: \
- ports { {$modbus_ports} }
+ ports { {$modbus_ports} }
EOD;
@@ -2976,7 +3102,8 @@ EOD;
$gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS']));
$gtp_preproc = <<<EOD
# GTP preprocessor #
-preprocessor gtp: ports { {$gtp_ports} }
+preprocessor gtp: \
+ ports { {$gtp_ports} }
EOD;
@@ -2986,24 +3113,24 @@ EOD;
# SSL preprocessor #
preprocessor ssl: \
ports { {$ssl_ports} }, \
- trustservers, noinspect_encrypted
+ trustservers, \
+ noinspect_encrypted
EOD;
- $sensitive_data = "preprocessor sensitive_data:\n";
+ /* def sensitive_data_preprocessor */
+ if ($snortcfg['sdf_mask_output'] == "on")
+ $sdf_mask_output = "\\\n\tmask_output";
+ else
+ $sdf_mask_output = "";
+ $sensitive_data = <<<EOD
+# SDF preprocessor #
+preprocessor sensitive_data: \
+ alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output}
- /**************************************************************/
- /* Default the HTTP_INSPECT preprocessor to "on" if not set. */
- /* The preprocessor is required by hundreds of Snort rules, */
- /* and without it Snort may not start and/or the number of */
- /* rules required to be disabled reduces Snort's capability. */
- /* Alerts from the HTTP_INSPECT preprocessor default to "off" */
- /* unless a specific value has been set by the user. */
- /**************************************************************/
- if (empty($snortcfg['http_inspect']))
- $snortcfg['http_inspect'] = 'on';
+EOD;
- /* define servers and ports snortdefservers */
+ /* define servers as IP variables */
$snort_servers = array (
"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
"www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET",
@@ -3015,13 +3142,15 @@ EOD;
"aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
);
- $vardef = "";
+ // Change old name from "var" to new name of "ipvar" for IP variables because
+ // Snort is deprecating the old "var" name in newer versions.
+ $ipvardef = "";
foreach ($snort_servers as $alias => $avalue) {
if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) {
$avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"]));
$avalue = preg_replace('/\s+/', ',', trim($avalue));
}
- $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n";
+ $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n";
}
$snort_preproc_libs = array(
@@ -3031,7 +3160,7 @@ EOD;
"ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
);
$snort_preproc = array (
- "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc",
+ "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc",
"sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc"
);
$default_disabled_preprocs = array(
@@ -3065,6 +3194,8 @@ EOD;
}
}
}
+ // Remove final trailing newline
+ $snort_preprocessors = rtrim($snort_preprocessors);
$snort_misc_include_rules = "";
if (file_exists("{$snortcfgdir}/reference.config"))
@@ -3074,8 +3205,18 @@ EOD;
if (is_dir("{$snortcfgdir}/preproc_rules")) {
if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
$sedcmd = '/^#alert.*classtype:sdf/s/^#//';
- if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules"))
+ if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
+ #enable only selected sensitive data
+ if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){
+ $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")";
+ $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules");
+ $sd_tmp_new_file="";
+ foreach ($sd_tmp_file as $sd_tmp_line)
+ $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : "";
+ file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX);
+ }
+ }
} else
$sedcmd = '/^alert.*classtype:sdf/s/^/#/';
if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
@@ -3106,6 +3247,10 @@ EOD;
$selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n";
$selected_rules_sections .= "include \$RULE_PATH/custom.rules\n";
+ // Remove trailing newlines
+ $snort_misc_include_rules = rtrim($snort_misc_include_rules);
+ $selected_rules_sections = rtrim($selected_rules_sections);
+
/* Create the actual rules files and save in the interface directory */
snort_prepare_rule_files($snortcfg, $snortcfgdir);
@@ -3123,83 +3268,247 @@ EOD;
$cfg_detect_settings .= " no_stream_inserts";
/* Pull in user-configurable options for Frag3 preprocessor settings */
- $frag3_disabled = "";
- if ($snortcfg['frag3_detection'] == "off")
- $frag3_disabled = ", disabled";
- $frag3_memcap = "memcap 4194304";
+ /* Get global Frag3 options first and put into a string */
+ $frag3_global = "preprocessor frag3_global: ";
if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0")
- $frag3_memcap = "memcap {$snortcfg['frag3_memcap']}";
- $frag3_max_frags = "max_frags 8192";
+ $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, ";
+ else
+ $frag3_global .= "memcap 4194304, ";
if (!empty($snortcfg['frag3_max_frags']))
- $frag3_max_frags = "max_frags {$snortcfg['frag3_max_frags']}";
- $frag3_overlap_limit = "overlap_limit 0";
- if (!empty($snortcfg['frag3_overlap_limit']))
- $frag3_overlap_limit = "overlap_limit {$snortcfg['frag3_overlap_limit']}";
- $frag3_min_frag_len = "min_fragment_length 0";
- if (!empty($snortcfg['frag3_min_frag_len']))
- $frag3_min_frag_len = "min_fragment_length {$snortcfg['frag3_min_frag_len']}";
- $frag3_timeout = "timeout 60";
- if (!empty($snortcfg['frag3_timeout']))
- $frag3_timeout = "timeout {$snortcfg['frag3_timeout']}";
- $frag3_policy = "policy bsd";
- if (!empty($snortcfg['frag3_policy']))
- $frag3_policy = "policy {$snortcfg['frag3_policy']}";
-
- /* Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs */
+ $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}";
+ else
+ $frag3_global .= "max_frags 8192";
+ if ($snortcfg['frag3_detection'] == "off")
+ $frag3_global .= ", disabled";
+
+ $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+ $frag3_engine = "";
+
+ // Now iterate configured Frag3 engines and write them to a string if enabled
+ if ($snortcfg['frag3_detection'] == "on") {
+ if (!is_array($snortcfg['frag3_engine']['item']))
+ $snortcfg['frag3_engine']['item'] = array();
+
+ // If no frag3 tcp engine is configured, use the default
+ if (empty($snortcfg['frag3_engine']['item']))
+ $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine;
+
+ foreach ($snortcfg['frag3_engine']['item'] as $f => $v) {
+ $frag3_engine .= "preprocessor frag3_engine: ";
+ $frag3_engine .= "policy {$v['policy']}";
+ if ($v['bind_to'] <> "all") {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ',', $tmp);
+ if (strpos($tmp, ",") !== false)
+ $frag3_engine .= " \\\n\tbind_to [{$tmp}]";
+ else
+ $frag3_engine .= " \\\n\tbind_to {$tmp}";
+ }
+ else
+ log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe.");
+ }
+ $frag3_engine .= " \\\n\ttimeout {$v['timeout']}";
+ $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}";
+ if ($v['detect_anomalies'] == "on") {
+ $frag3_engine .= " \\\n\tdetect_anomalies";
+ $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}";
+ $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}";
+ }
+ // Add newlines to terminate this engine
+ $frag3_engine .= "\n\n";
+ }
+ // Remove trailing newline
+ $frag3_engine = rtrim($frag3_engine);
+ }
+
+ // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs
$paf_max_pdu_config = "config paf_max: ";
- if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == "0")
+ if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0')
$paf_max_pdu_config .= "0";
else
$paf_max_pdu_config .= $snortcfg['max_paf'];
- /* Pull in user-configurable options for Stream5 preprocessor settings */
- $stream5_reassembly = "";
+ // Pull in user-configurable options for Stream5 preprocessor settings
+ // Get global options first and put into a string
+ $stream5_global = "preprocessor stream5_global: \\\n";
if ($snortcfg['stream5_reassembly'] == "off")
- $stream5_reassembly = "disabled,";
- $stream5_track_tcp = "yes";
- if ($snortcfg['stream5_track_tcp'] =="off")
- $stream5_track_tcp = "no";
- $stream5_track_udp = "yes";
- if ($snortcfg['stream5_track_udp'] =="off")
- $stream5_track_udp = "no";
- $stream5_track_icmp = "no";
- if ($snortcfg['stream5_track_icmp'] =="on")
- $stream5_track_icmp = "yes";
- $stream5_require_3whs = "";
- if ($snortcfg['stream5_require_3whs'] == "on")
- $stream5_require_3whs = ", require_3whs 0";
- $stream5_no_reassemble_async = "";
- if ($snortcfg['stream5_no_reassemble_async'] == "on")
- $stream5_no_reassemble_async = ", dont_reassemble_async";
- $stream5_dont_store_lg_pkts = "";
- if ($snortcfg['stream5_dont_store_lg_pkts'] == "on")
- $stream5_dont_store_lg_pkts = ", dont_store_large_packets";
- $stream5_max_queued_bytes_type = "";
- if ((!empty($snortcfg['max_queued_bytes'])) || ($snortcfg['max_queued_bytes'] == '0'))
- $stream5_max_queued_bytes_type = ", max_queued_bytes {$snortcfg['max_queued_bytes']}";
- $stream5_max_queued_segs_type = "";
- if ((!empty($snortcfg['max_queued_segs'])) || ($snortcfg['max_queued_segs'] == '0'))
- $stream5_max_queued_segs_type = ", max_queued_segs {$snortcfg['max_queued_segs']}";
- $stream5_mem_cap = "";
+ $stream5_global .= "\tdisabled, \\\n";
+ if ($snortcfg['stream5_track_tcp'] == "off")
+ $stream5_global .= "\ttrack_tcp no,";
+ else {
+ $stream5_global .= "\ttrack_tcp yes,";
+ if (!empty($snortcfg['stream5_max_tcp']))
+ $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},";
+ else
+ $stream5_global .= " \\\n\tmax_tcp 262144,";
+ }
+ if ($snortcfg['stream5_track_udp'] == "off")
+ $stream5_global .= " \\\n\ttrack_udp no,";
+ else {
+ $stream5_global .= " \\\n\ttrack_udp yes,";
+ if (!empty($snortcfg['stream5_max_udp']))
+ $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},";
+ else
+ $stream5_global .= " \\\n\tmax_udp 131072,";
+ }
+ if ($snortcfg['stream5_track_icmp'] == "on") {
+ $stream5_global .= " \\\n\ttrack_icmp yes,";
+ if (!empty($snortcfg['stream5_max_icmp']))
+ $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},";
+ else
+ $stream5_global .= " \\\n\tmax_icmp 65536,";
+ }
+ else
+ $stream5_global .= " \\\n\ttrack_icmp no,";
if (!empty($snortcfg['stream5_mem_cap']))
- $stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}";
- $stream5_overlap_limit = "overlap_limit 0";
- if (!empty($snortcfg['stream5_overlap_limit']))
- $stream5_overlap_limit = "overlap_limit {$snortcfg['stream5_overlap_limit']}";
- $stream5_policy = "policy bsd";
- if (!empty($snortcfg['stream5_policy']))
- $stream5_policy = "policy {$snortcfg['stream5_policy']}";
- $stream5_tcp_timeout = "timeout 30";
- if (!empty($snortcfg['stream5_tcp_timeout']))
- $stream5_tcp_timeout = "timeout {$snortcfg['stream5_tcp_timeout']}";
- $stream5_udp_timeout = "timeout 30";
- if (!empty($snortcfg['stream5_udp_timeout']))
- $stream5_udp_timeout = "timeout {$snortcfg['stream5_udp_timeout']}";
- $stream5_icmp_timeout = "timeout 30";
- if (!empty($snortcfg['stream5_icmp_timeout']))
- $stream5_icmp_timeout = "timeout {$snortcfg['stream5_icmp_timeout']}";
-
- /* Check for and configure Host Attribute Table if enabled */
+ $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},";
+ else
+ $stream5_global .= " \\\n\tmemcap 8388608,";
+
+ if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0')
+ $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}";
+ else
+ $stream5_global .= " \\\n\tprune_log_max 1048576";
+ if ($snortcfg['stream5_flush_on_alert'] == "on")
+ $stream5_global .= ", \\\n\tflush_on_alert";
+
+ $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0,
+ "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+ $stream5_tcp_engine = "";
+
+ // Now iterate configured Stream5 TCP engines and write them to a string if enabled
+ if ($snortcfg['stream5_reassembly'] == "on") {
+ if (!is_array($snortcfg['stream5_tcp_engine']['item']))
+ $snortcfg['stream5_tcp_engine']['item'] = array();
+
+ // If no stream5 tcp engine is configured, use the default
+ if (empty($snortcfg['stream5_tcp_engine']['item']))
+ $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine;
+
+ foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor stream5_tcp: ";
+ $buffer .= "policy {$v['policy']},";
+ if ($v['bind_to'] <> "all") {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ',', $tmp);
+ if (strpos($tmp, ",") !== false)
+ $buffer .= " \\\n\tbind_to [{$tmp}],";
+ else
+ $buffer .= " \\\n\tbind_to {$tmp},";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine.");
+ continue;
+ }
+ }
+ $stream5_tcp_engine .= $buffer;
+ $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},";
+ $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},";
+ $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},";
+ $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},";
+ $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}";
+ if ($v['use_static_footprint_sizes'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes";
+ if ($v['check_session_hijacking'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking";
+ if ($v['dont_store_lg_pkts'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets";
+ if ($v['no_reassemble_async'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async";
+ if ($v['detect_anomalies'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdetect_anomalies";
+ if ($v['require_3whs'] == "on")
+ $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}";
+ if (!empty($v['ports_client'])) {
+ $stream5_tcp_engine .= ", \\\n\tports client";
+ if ($v['ports_client'] == " all")
+ $stream5_tcp_engine .= " all";
+ elseif ($v['ports_client'] == "default")
+ $stream5_tcp_engine .= " {$stream5_ports_client}";
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_client']));
+ if (!empty($tmp))
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ else {
+ $stream5_tcp_engine .= " {$stream5_ports_client}";
+ log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value.");
+ }
+ }
+ }
+ if (!empty($v['ports_both'])) {
+ $stream5_tcp_engine .= ", \\\n\tports both";
+ if ($v['ports_both'] == " all")
+ $stream5_tcp_engine .= " all";
+ elseif ($v['ports_both'] == "default")
+ $stream5_tcp_engine .= " {$stream5_ports_both}";
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_both']));
+ if (!empty($tmp))
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ else {
+ $stream5_tcp_engine .= " {$stream5_ports_both}";
+ log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value.");
+ }
+ }
+ }
+ if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") {
+ if ($v['ports_server'] == " all") {
+ $stream5_tcp_engine .= ", \\\n\tports server";
+ $stream5_tcp_engine .= " all";
+ }
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_server']));
+ if (!empty($tmp)) {
+ $stream5_tcp_engine .= ", \\\n\tports server";
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ }
+ else
+ log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none.");
+ }
+ }
+
+ // Make sure the "ports" parameter is set, or else default to a safe value
+ if (strpos($stream5_tcp_engine, "ports ") === false)
+ $stream5_tcp_engine .= ", \\\n\tports both all";
+
+ // Add a pair of newlines to terminate this engine
+ $stream5_tcp_engine .= "\n\n";
+ }
+ // Trim off the final trailing newline
+ $stream5_tcp_engine = rtrim($stream5_tcp_engine);
+ }
+
+ // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled
+ if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off")
+ $stream5_udp_engine = "";
+ else {
+ $stream5_udp_engine = "preprocessor stream5_udp: ";
+ if (!empty($snortcfg['stream5_udp_timeout']))
+ $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}";
+ else
+ $stream5_udp_engine .= "timeout 30";
+ }
+
+ // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled
+ if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") {
+ $stream5_icmp_engine = "preprocessor stream5_icmp: ";
+ if (!empty($snortcfg['stream5_icmp_timeout']))
+ $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}";
+ else
+ $stream5_icmp_engine .= "timeout 30";
+ }
+ else
+ $stream5_icmp_engine = "";
+
+ // Check for and configure Host Attribute Table if enabled
$host_attrib_config = "";
if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) {
file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data']));
@@ -3211,22 +3520,148 @@ EOD;
$host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}";
}
- /* Finally, build the Snort configuration file */
- $snort_conf_text = <<<EOD
+ // Configure the HTTP_INSPECT preprocessor
+ // Get global options first and put into a string
+ $http_inspect_global = "preprocessor http_inspect: global ";
+ if ($snortcfg['http_inspect'] == "off")
+ $http_inspect_global .= "disabled ";
+ $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n";
+ $http_inspect_global .= "\tcompress_depth 65535 \\\n";
+ $http_inspect_global .= "\tdecompress_depth 65535 \\\n";
+ if (!empty($snortcfg['http_inspect_memcap']))
+ $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n";
+ else
+ $http_inspect_global .= "\tmemcap 150994944 \\\n";
+ if (!empty($snortcfg['http_inspect_max_gzip_mem']))
+ $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}";
+ else
+ $http_inspect_global .= "\tmax_gzip_mem 838860";
+ if ($snortcfg['http_inspect_proxy_alert'] == "on")
+ $http_inspect_global .= " \\\n\tproxy_alert";
+
+ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
+ "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
+ "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
+ "max_header_length" => 0, "ports" => "default" );
+ $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
+ $http_inspect_servers = "";
+
+ // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled
+ if ($snortcfg['http_inspect'] <> "off") {
+ if (!is_array($snortcfg['http_inspect_engine']['item']))
+ $snortcfg['http_inspect_engine']['item'] = array();
+
+ // If no http_inspect_engine is configured, use the default
+ if (empty($snortcfg['http_inspect_engine']['item']))
+ $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine;
+
+ foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor http_inspect_server: \\\n";
+ if ($v['name'] == "default")
+ $buffer .= "\tserver default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "\tserver { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
+ continue;
+ }
+ $http_inspect_servers .= $buffer;
+ $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n";
+
+ if ($v['no_alerts'] == "on")
+ $http_inspect_servers .= "\tno_alerts \\\n";
+
+ if ($v['ports'] == "default" || empty($v['ports']))
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ elseif (is_alias($v['ports'])) {
+ $tmp = trim(filter_expand_alias($v['ports']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $tmp = snort_expand_port_range($tmp, ' ');
+ $http_inspect_servers .= "\tports { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ }
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ }
+
+ $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n";
+ $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n";
+ $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n";
+ $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n";
+ $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n";
+ $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n";
+ $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}";
+ if ($v['enable_xff'] == "on")
+ $http_inspect_servers .= " \\\n\tenable_xff";
+ if ($v['enable_cookie'] == "on")
+ $http_inspect_servers .= " \\\n\tenable_cookie";
+ if ($v['normalize_cookies'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_cookies";
+ if ($v['normalize_headers'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_headers";
+ if ($v['normalize_utf'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_utf";
+ if ($v['allow_proxy_use'] == "on")
+ $http_inspect_servers .= " \\\n\tallow_proxy_use";
+ if ($v['inspect_uri_only'] == "on")
+ $http_inspect_servers .= " \\\n\tinspect_uri_only";
+ if ($v['extended_response_inspection'] == "on") {
+ $http_inspect_servers .= " \\\n\textended_response_inspection";
+ if ($v['inspect_gzip'] == "on") {
+ $http_inspect_servers .= " \\\n\tinspect_gzip";
+ if ($v['unlimited_decompress'] == "on")
+ $http_inspect_servers .= " \\\n\tunlimited_decompress";
+ }
+ if ($v['normalize_javascript'] == "on") {
+ $http_inspect_servers .= " \\\n\tnormalize_javascript";
+ $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}";
+ }
+ }
+ if ($v['log_uri'] == "on")
+ $http_inspect_servers .= " \\\n\tlog_uri";
+ if ($v['log_hostname'] == "on")
+ $http_inspect_servers .= " \\\n\tlog_hostname";
+ // Add a pair of trailing newlines to terminate this server config
+ $http_inspect_servers .= "\n\n";
+ }
+ /* Trim off the final trailing newline */
+ $http_inspect_server = rtrim($http_inspect_server);
+ }
+
+ // Finally, build the Snort configuration file
+ $snort_conf_text = <<<EOD
# snort configuration file
# generated automatically by the pfSense subsystems do not modify manually
# Define Local Network #
-var HOME_NET [{$home_net}]
-var EXTERNAL_NET [{$external_net}]
+ipvar HOME_NET [{$home_net}]
+ipvar EXTERNAL_NET [{$external_net}]
# Define Rule Paths #
var RULE_PATH {$snortcfgdir}/rules
var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules
# Define Servers #
-{$vardef}
+{$ipvardef}
# Define Server Ports #
{$portvardef}
@@ -3262,7 +3697,7 @@ config show_year
# For more information see README.stream5 #
{$paf_max_pdu_config}
-#Configure dynamically loaded libraries
+# Configure dynamically loaded libraries
dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']}
dynamicengine directory {$snort_dirs['dynamicengine']}
dynamicdetection directory {$snort_dirs['dynamicrules']}
@@ -3276,16 +3711,23 @@ dynamicdetection directory {$snort_dirs['dynamicrules']}
# preprocessor normalize_icmp6
# Flow and stream #
-preprocessor frag3_global: {$frag3_memcap}, {$frag3_max_frags}{$frag3_disabled}
-preprocessor frag3_engine: {$frag3_policy} detect_anomalies {$frag3_timeout} {$frag3_overlap_limit} {$frag3_min_frag_len}
+{$frag3_global}
-preprocessor stream5_global:{$stream5_reassembly} track_tcp {$stream5_track_tcp}, track_udp {$stream5_track_udp}, track_icmp {$stream5_track_icmp}, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5{$stream5_mem_cap}
-preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}{$stream5_dont_store_lg_pkts}
-preprocessor stream5_udp: {$stream5_udp_timeout}
-preprocessor stream5_icmp: {$stream5_icmp_timeout}
+{$frag3_engine}
-{$snort_preprocessors}
+{$stream5_global}
+
+{$stream5_tcp_engine}
+{$stream5_udp_engine}
+
+{$stream5_icmp_engine}
+
+# HTTP Inspect #
+{$http_inspect_global}
+
+{$http_inspect_servers}
+{$snort_preprocessors}
{$host_attrib_config}
# Snort Output Logs #
@@ -3304,10 +3746,9 @@ output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,src
# Rules Selection #
{$selected_rules_sections}
-
EOD;
- /* write out snort.conf */
+ // Write out snort.conf file
$conf = fopen("{$snortcfgdir}/snort.conf", "w");
if(!$conf) {
log_error("Could not open {$snortcfgdir}/snort.conf for writing.");
@@ -3316,7 +3757,7 @@ EOD;
fwrite($conf, $snort_conf_text);
fclose($conf);
unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type);
- unset($home_net, $external_net, $vardef, $portvardef);
+ unset($home_net, $external_net, $ipvardef, $portvardef);
}
/* Uses XMLRPC to synchronize the changes to a remote node */
diff --git a/config/snort/snort.priv.inc b/config/snort/snort.priv.inc
new file mode 100644
index 00000000..5e159747
--- /dev/null
+++ b/config/snort/snort.priv.inc
@@ -0,0 +1,45 @@
+<?php
+
+global $priv_list;
+
+$priv_list['page-services-snort'] = array();
+$priv_list['page-services-snort']['name'] = "WebCfg - Services: Snort package.";
+$priv_list['page-services-snort']['descr'] = "Allow access to Snort package gui";
+$priv_list['page-services-snort']['match'] = array();
+$priv_list['page-services-snort']['match'][] = "snort/snort_alerts.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_barnyard.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_blocked.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_check_for_rule_updates.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_define_servers.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_download_rules.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_download_updates.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_edit_hat_data.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_frag3_engine.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_ftp_client_engine.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_ftp_server_engine.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_httpinspect_engine.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_import_aliases.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_edit.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_global.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_suppress.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_suppress_edit.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_whitelist.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_whitelist_edit.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_list_view.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_log_view.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_migrate_config.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_post_install.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_preprocessors.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_rules.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_rules_edit.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_rules_flowbits.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_rulesets.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_select_alias.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_stream5_engine.php*";
+$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=snort_sync.xml*";
+$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=sort/snort.xml*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_check_cron_misc.inc*";
+$priv_list['page-services-snort']['match'][] = "snort/snort.inc*";
+
+?> \ No newline at end of file
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 49bec61c..412974b5 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -46,8 +46,8 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
- <version>2.9.4.6</version>
- <title>Services:2.9.4.6 pkg v. 2.6.1</title>
+ <version>2.9.5.5</version>
+ <title>Services:2.9.5.5 pkg v. 3.0.0</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
<name>Snort</name>
@@ -76,6 +76,16 @@
<additional_files_needed>
<prefix>/usr/local/pkg/snort/</prefix>
<chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_migrate_config.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_post_install.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>077</chmod>
<item>http://www.pfsense.com/packages/config/snort/snort_sync.xml</item>
</additional_files_needed>
<additional_files_needed>
@@ -188,15 +198,60 @@
<chmod>077</chmod>
<item>http://www.pfsense.com/packages/config/snort/snort_edit_hat_data.php</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_frag3_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_stream5_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_httpinspect_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_ftp_client_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_ftp_server_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_import_aliases.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_select_alias.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort.priv.inc</item>
+ </additional_files_needed>
<fields>
</fields>
<custom_add_php_command>
</custom_add_php_command>
<custom_php_resync_config_command>
+ <![CDATA[
+ if ($GLOBALS['pfSense_snort_version'] == "3.0.0")
sync_snort_package_config();
+ ]]>
</custom_php_resync_config_command>
<custom_php_install_command>
- snort_postinstall();
+ <![CDATA[
+ include_once("/usr/local/pkg/snort/snort_post_install.php");
+ ]]>
</custom_php_install_command>
<custom_php_deinstall_command>
snort_deinstall();
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php
index 728de751..ede6cf9a 100755
--- a/config/snort/snort_alerts.php
+++ b/config/snort/snort_alerts.php
@@ -144,12 +144,13 @@ $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) {
$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'];
$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'];
- $anentries = $pconfig['alertnumber'];
-} else {
- $anentries = '250';
+}
+
+if (empty($pconfig['alertnumber']))
$pconfig['alertnumber'] = '250';
+if (empty($pconfig['arefresh']))
$pconfig['arefresh'] = 'off';
-}
+$anentries = $pconfig['alertnumber'];
if ($_POST['save']) {
if (!is_array($config['installedpackages']['snortglobal']['alertsblocks']))
@@ -259,7 +260,7 @@ if ($_POST['download']) {
/* Load up an array with the current Suppression List GID,SID values */
$supplist = snort_load_suppress_sigs($a_instance[$instanceid], true);
-$pgtitle = "Services: Snort: Snort Alerts";
+$pgtitle = gettext("Snort: Snort Alerts");
include_once("head.inc");
?>
@@ -336,7 +337,7 @@ if ($pconfig['arefresh'] == 'on')
<?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on"
<?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>>
<?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>&nbsp;&nbsp;
- <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>">
+ <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>">
<?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>
</td>
</tr>
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php
index a5c1ffec..2457b573 100644
--- a/config/snort/snort_barnyard.php
+++ b/config/snort/snort_barnyard.php
@@ -104,7 +104,7 @@ if ($_POST) {
}
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface: {$if_friendly} Barnyard2 Edit";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Barnyard2 Settings");
include_once("head.inc");
?>
@@ -188,7 +188,7 @@ function enable_change(enable_change) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td>
<td width="78%" class="vtable"><input name="barnyard_mysql"
- type="text" class="formfld" id="barnyard_mysql" style="width:95%;" size="85"
+ type="text" class="formfld unknown" id="barnyard_mysql" style="width:95%;" size="85"
value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br/>
<span class="vexpl"><?php echo gettext("Example: output database: alert, mysql, " .
"dbname=snort user=snort host=localhost password=xyz"); ?><br/>
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index 983e8905..8d106a90 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -121,7 +121,7 @@ if ($_POST['save'])
}
-$pgtitle = "Services: Snort Blocked Hosts";
+$pgtitle = gettext("Snort: Blocked Hosts");
include_once("head.inc");
?>
@@ -180,7 +180,7 @@ if ($pconfig['brefresh'] == 'on')
name="brefresh" type="checkbox" value="on"
<?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>>
<?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?>&nbsp;&nbsp;<input
- name="blertnumber" type="text" class="formfld" id="blertnumber"
+ name="blertnumber" type="text" class="formfld unknown" id="blertnumber"
size="5" value="<?=htmlspecialchars($bnentries);?>"> <?php printf(gettext("Enter the " .
"number of blocked entries to view. %sDefault%s is %s500%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?>
</td>
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index e7263330..28539f1f 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -53,6 +53,14 @@ if (!defined("GPLV2_DNLD_URL"))
define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/");
if (!defined("RULES_UPD_LOGFILE"))
define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+if (!defined("VRT_FILE_PREFIX"))
+ define("VRT_FILE_PREFIX", "snort_");
+if (!defined("GPL_FILE_PREFIX"))
+ define("GPL_FILE_PREFIX", "GPLv2_");
+if (!defined("ET_OPEN_FILE_PREFIX"))
+ define("ET_OPEN_FILE_PREFIX", "emerging-");
+if (!defined("ET_PRO_FILE_PREFIX"))
+ define("ET_PRO_FILE_PREFIX", "etpro-");
$snortdir = SNORTDIR;
$snortlibdir = SNORTLIBDIR;
@@ -97,6 +105,7 @@ if ($etpro == "on") {
$emergingthreats_url = ETPRO_BASE_DNLD_URL;
$emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/";
$emergingthreats = "on";
+ $et_enabled= "on";
$et_name = "Emerging Threats Pro";
$et_md5_remove = ET_DNLD_FILENAME . ".md5";
@unlink("{$snortdir}/{$et_md5_remove}");
@@ -118,7 +127,6 @@ $snort_community_rules_filename = GPLV2_DNLD_FILENAME;
$snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5";
$snort_community_rules_url = GPLV2_DNLD_URL;
-/* Custom function for rules file download via URL */
function snort_download_file_url($url, $file_out) {
/************************************************/
@@ -127,18 +135,21 @@ function snort_download_file_url($url, $file_out) {
/* saves the content to the file specified by */
/* $file. */
/* */
+ /* This is needed so console output can be */
+ /* suppressed to prevent XMLRPC sync errors. */
+ /* */
/* It provides logging of returned CURL errors. */
/************************************************/
global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update;
- // Initialize required variables for pfSense "read_body()" function
+ // Initialize required variables for the pfSense "read_body()" function
$file_size = 1;
$downloaded = 1;
$first_progress_update = TRUE;
- /* Array of message strings for HTTP Response Codes */
+ // Array of message strings for HTTP Response Codes
$http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content",
206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found",
305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request",
@@ -157,7 +168,7 @@ function snort_download_file_url($url, $file_out) {
return false;
curl_setopt($ch, CURLOPT_FILE, $fout);
- /* NOTE: required to suppress errors from XMLRPC due to progress bar output */
+ // NOTE: required to suppress errors from XMLRPC due to progress bar output
if ($g['snort_sync_in_progress'])
curl_setopt($ch, CURLOPT_HEADER, false);
else {
@@ -167,7 +178,6 @@ function snort_download_file_url($url, $file_out) {
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)");
- /* Don't verify SSL peers since we don't have the certificates to do so. */
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
@@ -185,7 +195,7 @@ function snort_download_file_url($url, $file_out) {
$counter = 0;
$rc = true;
- /* Try up to 4 times to download the file before giving up */
+ // Try up to 4 times to download the file before giving up
while ($counter < 4) {
$counter++;
$rc = curl_exec($ch);
@@ -202,7 +212,8 @@ function snort_download_file_url($url, $file_out) {
$last_curl_error = $http_resp_msg[$http_code];
curl_close($ch);
fclose($fout);
- /* If we had to try more than once, log it */
+
+ // If we had to try more than once, log it
if ($counter > 1)
log_error(gettext("File '" . basename($file_out) . "' download attempts: {$counter} ..."));
return ($http_code == 200) ? true : $http_code;
@@ -214,7 +225,140 @@ function snort_download_file_url($url, $file_out) {
}
}
-/* Start of code */
+function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
+
+ /**********************************************************/
+ /* This function attempts to download the passed MD5 hash */
+ /* file and compare its contents to the currently stored */
+ /* hash file to see if a new rules file has been posted. */
+ /* */
+ /* On Entry: $file_url = URL for md5 hash file */
+ /* $file_dst = Temp destination to store the */
+ /* downloaded hash file */
+ /* $desc = Short text string used to label */
+ /* log messages with rules type */
+ /* */
+ /* Returns: TRUE if new rule file download required. */
+ /* FALSE if rule download not required or an */
+ /* error occurred. */
+ /**********************************************************/
+
+ global $pkg_interface, $snort_rules_upd_log, $last_curl_error;
+
+ $snortdir = SNORTDIR;
+ $filename_md5 = basename($file_dst);
+
+ if ($pkg_interface <> "console")
+ update_status(gettext("Downloading {$desc} md5 file..."));
+ error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, $snort_rules_upd_log);
+ $rc = snort_download_file_url($file_url, $file_dst);
+
+ // See if download from URL was successful
+ if ($rc === true) {
+ if ($pkg_interface <> "console")
+ update_status(gettext("Done downloading {$filename_md5}."));
+ error_log("\tChecking {$desc} md5 file...\n", 3, $snort_rules_upd_log);
+
+ // check md5 hash in new file against current file to see if new download is posted
+ if (file_exists("{$snortdir}/{$filename_md5}")) {
+ $md5_check_new = file_get_contents($file_dst);
+ $md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}");
+ if ($md5_check_new == $md5_check_old) {
+ if ($pkg_interface <> "console")
+ update_status(gettext("{$desc} are up to date..."));
+ log_error(gettext("[Snort] {$desc} are up to date..."));
+ error_log(gettext("\t{$desc} are up to date.\n"), 3, $snort_rules_upd_log);
+ return false;
+ }
+ else
+ return true;
+ }
+ return true;
+ }
+ else {
+ error_log(gettext("\t{$desc} md5 download failed.\n"), 3, $snort_rules_upd_log);
+ $snort_err_msg = gettext("Server returned error code {$rc}.");
+ if ($pkg_interface <> "console") {
+ update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
+ update_output_window(gettext("{$desc} will not be updated.\n\t{$snort_err_msg}"));
+ }
+ log_error(gettext("[Snort] {$desc} md5 download failed..."));
+ log_error(gettext("[Snort] Server returned error code {$rc}..."));
+ error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log);
+ if ($pkg_interface == "console")
+ error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ return false;
+ }
+}
+
+function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
+
+ /**********************************************************/
+ /* This function downloads the passed rules file and */
+ /* compares its computed md5 hash to the passed md5 hash */
+ /* to verify the file's integrity. */
+ /* */
+ /* On Entry: $file_url = URL of rules file */
+ /* $file_dst = Temp destination to store the */
+ /* downloaded rules file */
+ /* $file_md5 = Expected md5 hash for the new */
+ /* downloaded rules file */
+ /* $desc = Short text string for use in */
+ /* log messages */
+ /* */
+ /* Returns: TRUE if download was successful. */
+ /* FALSE if download was not successful. */
+ /**********************************************************/
+
+ global $pkg_interface, $snort_rules_upd_log, $last_curl_error;
+
+ $snortdir = SNORTDIR;
+ $filename = basename($file_dst);
+
+ if ($pkg_interface <> "console")
+ update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
+ log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}..."));
+ error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, $snort_rules_upd_log);
+ $rc = snort_download_file_url($file_url, $file_dst);
+
+ // See if the download from the URL was successful
+ if ($rc === true) {
+ if ($pkg_interface <> "console")
+ update_status(gettext("Done downloading {$desc} file."));
+ log_error("[Snort] {$desc} file update downloaded successfully");
+ error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log);
+
+ // Test integrity of the rules file. Turn off update if file has wrong md5 hash
+ if ($file_md5 != trim(md5_file($file_dst))){
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("{$desc} file MD5 checksum failed..."));
+ log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum..."));
+ log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst)));
+ log_error(gettext("[Snort] Expected File MD5: {$file_md5}"));
+ error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ return false;
+ }
+ return true;
+ }
+ else {
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("{$desc} file download failed..."));
+ log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'..."));
+ error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log);
+ if ($pkg_interface == "console")
+ error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ return false;
+ }
+
+}
+
+/* Start of main code */
conf_mount_rw();
/* remove old $tmpfname files */
@@ -239,171 +383,43 @@ if (file_exists($snort_rules_upd_log)) {
error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log);
$last_curl_error = "";
-/* download md5 sig from snort.org */
-if ($snortdownload == 'on') {
- if ($pkg_interface <> "console")
- update_status(gettext("Downloading Snort VRT md5 file {$snort_filename_md5}..."));
- error_log(gettext("\tDownloading Snort VRT md5 file '{$snort_filename_md5}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}");
- if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading {$snort_filename_md5}."));
- error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log);
- }
- else {
- error_log(gettext("\tSnort VRT md5 download failed.\n"), 3, $snort_rules_upd_log);
- if ($rc == 403) {
- $snort_err_msg = gettext("Too many attempts or Oinkcode not authorized for this Snort version.\n");
- $snort_err_msg .= gettext("\tFree Registered Users may download VRT Rules once every 15 minutes.\n");
- $snort_err_msg .= gettext("\tPaid Subscribers have no download limits.\n");
- }
- else
- $snort_err_msg = gettext("Server returned error code '{$rc}'.");
- if ($pkg_interface <> "console") {
- update_status(gettext("Snort VRT md5 error ... Server returned error code {$rc} ..."));
- update_output_window(gettext("Snort VRT rules will not be updated.\n\t{$snort_err_msg}"));
- }
- log_error(gettext("[Snort] Snort VRT md5 download failed..."));
- log_error(gettext("[Snort] Server returned error code '{$rc}'..."));
- error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tServer error message was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log);
- $snortdownload = 'off';
- }
-}
-
-/* Check if were up to date snort.org */
+/* Check for and download any new Snort VRT sigs */
if ($snortdownload == 'on') {
- if (file_exists("{$snortdir}/{$snort_filename_md5}")) {
- $md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
- $md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}");
- if ($md5_check_new == $md5_check_old) {
- if ($pkg_interface <> "console")
- update_status(gettext("Snort VRT rules are up to date..."));
- log_error(gettext("[Snort] Snort VRT rules are up to date..."));
- error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log);
- $snortdownload = 'off';
- }
- }
-}
-
-/* download snortrules file */
-if ($snortdownload == 'on') {
- if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of Snort VRT rules posted. Downloading {$snort_filename}..."));
- log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading..."));
- error_log(gettext("\tThere is a new set of Snort VRT rules posted.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloading file '{$snort_filename}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}");
- if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading Snort VRT rules file."));
- log_error("[Snort] Snort VRT rules file update downloaded successfully");
- error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log);
- if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort VRT rules file MD5 checksum failed..."));
- log_error(gettext("[Snort] Snort VRT rules file download failed. Bad MD5 checksum..."));
- log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_filename}")));
- log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}")));
- error_log(gettext("\tSnort VRT rules file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloaded Snort VRT file MD5: " . md5_file("{$tmpfname}/{$snort_filename}") . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tExpected Snort VRT file MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}") . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log);
+ if (snort_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) {
+ /* download snortrules file */
+ $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}"));
+ if (!snort_fetch_new_rules("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules"))
$snortdownload = 'off';
- }
}
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort VRT rules file download failed..."));
- log_error(gettext("[Snort] Snort VRT rules file download failed... server returned error '{$rc}'..."));
- error_log(gettext("\tSnort VRT rules file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log);
+ else
$snortdownload = 'off';
- }
}
-/* download md5 sig from Snort GPLv2 Community Rules */
+/* Check for and download any new Snort GPLv2 Community Rules sigs */
if ($snortcommunityrules == 'on') {
- if ($pkg_interface <> "console")
- update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file {$snort_community_rules_filename_md5}..."));
- error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file '{$snort_community_rules_filename_md5}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}");
- if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading Snort GPLv2 Community Rules md5"));
- error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log);
- if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") {
- /* Check if were up to date Snort GPLv2 Community Rules */
- $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}");
- $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}");
- if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) {
- if ($pkg_interface <> "console")
- update_status(gettext("Snort GPLv2 Community Rules are up to date..."));
- log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date..."));
- error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log);
- $snortcommunityrules = 'off';
- }
- }
+ if (snort_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) {
+ /* download Snort GPLv2 Community Rules file */
+ $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"));
+ if (!snort_fetch_new_rules("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}", $file_md5, "Snort GPLv2 Community Rules"))
+ $snortcommunityrules = 'off';
}
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated."));
- log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'."));
- error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tSnort GPLv2 Community Rules will not be updated.\n"), 3, $snort_rules_upd_log);
+ else
$snortcommunityrules = 'off';
- }
}
-/* download Snort GPLv2 Community rules file */
-if ($snortcommunityrules == "on") {
- if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading {$snort_community_rules_filename} ..."));
- log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading..."));
- error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloading file '{$snort_community_rules_filename}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}");
-
- /* Test for a valid rules file download. Turn off Snort Community update if download failed. */
- if ($rc === true) {
- if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort GPLv2 Community Rules file MD5 checksum failed..."));
- log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Bad MD5 checksum..."));
- log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}")));
- log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")));
- error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloaded Snort GPLv2 file MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}") . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tExpected Snort GPLv2 file MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}") . "\n"), 3, $snort_rules_upd_log);
- $snortcommunityrules = 'off';
- }
- else {
- if ($pkg_interface <> "console")
- update_status(gettext('Done downloading Snort GPLv2 Community Rules file.'));
- log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully");
- error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log);
- }
- }
- else {
- if ($pkg_interface <> "console") {
- update_status(gettext("The server returned error code {$rc} ... skipping GPLv2 Community Rules..."));
- update_output_window(gettext("Snort GPLv2 Community Rules file download failed..."));
- }
- log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Server returned error '{$rc}'..."));
- error_log(gettext("\tSnort GPLv2 Community Rules download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- $snortcommunityrules = 'off';
+/* Check for and download any new Emerging Threats Rules sigs */
+if ($emergingthreats == 'on') {
+ if (snort_check_rule_md5("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}", "{$et_name} rules")) {
+ /* download Emerging Threats rules file */
+ $file_md5 = trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"));
+ if (!snort_fetch_new_rules("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}", $file_md5, "{$et_name} rules"))
+ $emergingthreats = 'off';
}
+ else
+ $emergingthreats = 'off';
}
-/* Untar Snort GPLv2 Community rules to tmp */
+/* Untar Snort GPLv2 Community rules file to tmp */
if ($snortcommunityrules == 'on') {
safe_mkdir("{$snortdir}/tmp/community");
if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
@@ -417,12 +433,12 @@ if ($snortcommunityrules == 'on') {
$files = glob("{$snortdir}/tmp/community/community-rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file);
- @copy($file, "{$snortdir}/rules/GPLv2_{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . GPL_FILE_PREFIX . "{$newfile}");
}
/* base etc files for Snort GPLv2 Community rules */
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}"))
- @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/GPLv2_{$file}");
+ @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/" . GPL_FILE_PREFIX . "{$file}");
}
/* Copy snort community md5 sig to snort dir */
if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) {
@@ -439,84 +455,7 @@ if ($snortcommunityrules == 'on') {
}
}
-/* download md5 sig from emergingthreats.net */
-if ($emergingthreats == 'on') {
- if ($pkg_interface <> "console")
- update_status(gettext("Downloading {$et_name} md5 file..."));
- error_log(gettext("\tDownloading {$et_name} md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}");
- if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading {$et_name} md5 file {$emergingthreats_filename_md5}"));
- error_log(gettext("\tChecking {$et_name} md5.\n"), 3, $snort_rules_upd_log);
- if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") {
- /* Check if were up to date emergingthreats.net */
- $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}");
- $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}");
- if ($emerg_md5_check_new == $emerg_md5_check_old) {
- if ($pkg_interface <> "console")
- update_status(gettext("{$et_name} rules are up to date..."));
- log_error(gettext("[Snort] {$et_name} rules are up to date..."));
- error_log(gettext("\t{$et_name} rules are up to date.\n"), 3, $snort_rules_upd_log);
- $emergingthreats = 'off';
- }
- }
- }
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$et_name} md5 file download failed. {$et_name} rules will not be updated."));
- log_error(gettext("[Snort] {$et_name} md5 file download failed. Server returned error code '{$rc}'."));
- error_log(gettext("\t{$et_name} md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\t{$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log);
- $emergingthreats = 'off';
- }
-}
-
-/* download emergingthreats rules file */
-if ($emergingthreats == "on") {
- if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of {$et_name} rules posted. Downloading {$emergingthreats_filename}..."));
- log_error(gettext("[Snort] There is a new set of {$et_name} rules posted. Downloading..."));
- error_log(gettext("\tThere is a new set of {$et_name} rules posted.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}");
-
- /* Test for a valid rules file download. Turn off ET update if download failed. */
- if ($rc === true) {
- if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$et_name} rules file MD5 checksum failed..."));
- log_error(gettext("[Snort] {$et_name} rules file download failed. Bad MD5 checksum..."));
- log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}")));
- log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")));
- error_log(gettext("\t{$et_name} rules file download failed. {$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log);
- $emergingthreats = 'off';
- }
- else {
- if ($pkg_interface <> "console")
- update_status(gettext('Done downloading {$et_name} rules file.'));
- log_error("[Snort] {$et_name} rules file update downloaded successfully");
- error_log(gettext("\tDone downloading {$et_name} rules file.\n"), 3, $snort_rules_upd_log);
- }
- }
- else {
- if ($pkg_interface <> "console") {
- update_status(gettext("The server returned error code {$rc} ... skipping {$et_name} update..."));
- update_output_window(gettext("{$et_name} rules file download failed..."));
- }
- log_error(gettext("[Snort] {$et_name} rules file download failed. Server returned error '{$rc}'..."));
- error_log(gettext("\t{$et_name} rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- $emergingthreats = 'off';
- }
-}
-
-/* Untar emergingthreats rules to tmp */
+/* Untar Emerging Threats rules file to tmp */
if ($emergingthreats == 'on') {
safe_mkdir("{$snortdir}/tmp/emerging");
if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
@@ -528,16 +467,18 @@ if ($emergingthreats == 'on') {
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/");
/* Remove the old Emerging Threats rules files */
- array_map('unlink', glob("{$snortdir}/rules/emerging-*.rules"));
- array_map('unlink', glob("{$snortdir}/rules/etpro-*.rules"));
- array_map('unlink', glob("{$snortdir}/rules/emerging-*ips.txt"));
- array_map('unlink', glob("{$snortdir}/rules/etpro-*ips.txt"));
+ $eto_prefix = ET_OPEN_FILE_PREFIX;
+ $etpro_prefix = ET_PRO_FILE_PREFIX;
+ array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*.rules"));
+ array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*.rules"));
+ array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*ips.txt"));
+ array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*ips.txt"));
$files = glob("{$snortdir}/tmp/emerging/rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file);
if ($etpro == "on")
- @copy($file, "{$snortdir}/rules/etpro-{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}");
else
@copy($file, "{$snortdir}/rules/{$newfile}");
}
@@ -546,9 +487,9 @@ if ($emergingthreats == 'on') {
foreach ($files as $file) {
$newfile = basename($file);
if ($etpro == "on")
- @copy($file, "{$snortdir}/rules/etpro-{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}");
else
- @copy($file, "{$snortdir}/rules/emerging-{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "{$newfile}");
}
/* base etc files for Emerging Threats rules */
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
@@ -571,7 +512,7 @@ if ($emergingthreats == 'on') {
}
}
-/* Untar snort rules file individually to help people with low system specs */
+/* Untar Snort rules file to tmp */
if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/{$snort_filename}")) {
/* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */
@@ -581,7 +522,8 @@ if ($snortdownload == 'on') {
$freebsd_version_so = 'FreeBSD-9-0';
/* Remove the old Snort rules files */
- array_map('unlink', glob("{$snortdir}/rules/snort_*.rules"));
+ $vrt_prefix = VRT_FILE_PREFIX;
+ array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules"));
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT rules..."));
@@ -594,7 +536,7 @@ if ($snortdownload == 'on') {
$files = glob("{$snortdir}/tmp/snortrules/rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file);
- @copy($file, "{$snortdir}/rules/snort_{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}");
}
/* IP lists */
$files = glob("{$snortdir}/tmp/snortrules/rules/*.txt");
@@ -629,7 +571,7 @@ if ($snortdownload == 'on') {
$files = glob("{$snortdir}/tmp/so_rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file, ".rules");
- @copy($file, "{$snortdir}/rules/snort_{$newfile}.so.rules");
+ @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules");
}
exec("rm -r {$snortdir}/tmp/so_rules");
}
@@ -724,6 +666,11 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
$cfgs = glob("{$snortdir}/tmp/*classification.config");
$cfgs[] = "{$snortdir}/classification.config";
snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config");
+ /* Use the unicode.map and gen-msg.map files from ET rules. */
+ if (file_exists("{$snortdir}/tmp/ET_unicode.map"))
+ @copy("{$snortdir}/tmp/ET_unicode.map", "{$snortdir}/unicode.map");
+ if (file_exists("{$snortdir}/tmp/ET_gen-msg.map"))
+ @copy("{$snortdir}/tmp/ET_gen-msg.map", "{$snortdir}/gen-msg.map");
}
elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) {
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
@@ -748,7 +695,8 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
}
/* Start the rules rebuild proccess for each configured interface */
- if (is_array($config['installedpackages']['snortglobal']['rule'])) {
+ if (is_array($config['installedpackages']['snortglobal']['rule']) &&
+ !empty($config['installedpackages']['snortglobal']['rule'])) {
/* Set the flag to force rule rebuilds since we downloaded new rules, */
/* except when in post-install mode. Post-install does its own rebuild. */
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index ca549820..e9fcfcab 100755
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -68,7 +68,7 @@ else
$ssh_port = "22";
$snort_ports = array(
"dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691",
- "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555",
+ "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712",
"oracle_ports" => "1024:", "mssql_ports" => "1433",
"telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535",
"ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
@@ -86,6 +86,11 @@ $snort_ports = array(
"GTP_PORTS" => "2123,2152,3386"
);
+// Sort our SERVERS and PORTS arrays to make values
+// easier to locate by the the user.
+ksort($snort_servers);
+ksort($snort_ports);
+
$pconfig = $a_nat[$id];
/* convert fake interfaces to real */
@@ -144,7 +149,7 @@ if ($_POST) {
}
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface {$if_friendly} Define Servers";
+$pgtitle = gettext("Snort: Interface {$if_friendly} Variables - Servers and Ports");
include_once("head.inc");
?>
@@ -195,7 +200,7 @@ if ($savemsg)
<td><div id="mainarea">
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Servers"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Servers (IP variables)"); ?></td>
</tr>
<?php
foreach ($snort_servers as $key => $server):
@@ -210,8 +215,8 @@ if ($savemsg)
}
?>
<tr>
- <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td>
- <td width="78%" class="vtable">
+ <td width='30%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td>
+ <td width="70%" class="vtable">
<input name="def_<?=$key;?>" size="40"
type="text" autocomplete="off" class="formfldalias" id="def_<?=$key;?>"
value="<?=$value;?>" title="<?=$title;?>"> <br/>
@@ -221,7 +226,7 @@ if ($savemsg)
</tr>
<?php endforeach; ?>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Ports"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Ports (port variables)"); ?></td>
</tr>
<?php
foreach ($snort_ports as $key => $server):
@@ -236,8 +241,8 @@ if ($savemsg)
}
?>
<tr>
- <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td>
- <td width="78%" class="vtable">
+ <td width='30%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td>
+ <td width="70%" class="vtable">
<input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>"
value="<?=$value;?>" title="<?=$title;?>"> <br/>
<span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/> <?php echo gettext("Leave " .
@@ -246,8 +251,8 @@ if ($savemsg)
</tr>
<?php endforeach; ?>
<tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
+ <td width="30%" valign="top">&nbsp;</td>
+ <td width="70%">
<input name="Submit" type="submit" class="formbtn" value="Save">
<input name="id" type="hidden" value="<?=$id;?>">
</td>
diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php
index 09ab646a..1db5b6a0 100755
--- a/config/snort/snort_download_updates.php
+++ b/config/snort/snort_download_updates.php
@@ -96,7 +96,7 @@ $snort_rules_upd_logfile_chk = 'no';
if (file_exists("{$snort_rules_upd_log}"))
$snort_rules_upd_logfile_chk = 'yes';
-$pgtitle = "Services: Snort: Updates";
+$pgtitle = gettext("Snort: Updates");
include_once("head.inc");
?>
diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php
index f0562046..f6d00b0b 100644
--- a/config/snort/snort_edit_hat_data.php
+++ b/config/snort/snort_edit_hat_data.php
@@ -80,7 +80,7 @@ if ($_POST['host_attribute_data']) {
$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']);
-$pgtitle = "Services: Snort: {$if_friendly} Host Attribute Table Data";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Host Attribute Table Data");
include_once("head.inc");
?>
diff --git a/config/snort/snort_frag3_engine.php b/config/snort/snort_frag3_engine.php
new file mode 100644
index 00000000..f344771b
--- /dev/null
+++ b/config/snort/snort_frag3_engine.php
@@ -0,0 +1,402 @@
+<?php
+/*
+ * snort_frag3_engine.php
+ * Copyright (C) 2004 Scott Ullrich
+ * Copyright (C) 2011-2012 Ermal Luci
+ * All rights reserved.
+ *
+ * originially part of m0n0wall (http://m0n0.ch/wall)
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * All rights reserved.
+ *
+ * modified for the pfsense snort package
+ * Copyright (C) 2009-2010 Robert Zelaya.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+// Grab the incoming QUERY STRING or POST variables
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+if (is_null($id)) {
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'];
+
+$pconfig = array();
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else {
+ $pconfig = $a_nat[$eng_id];
+
+ // Check for any empty values and set sensible defaults
+ if (empty($pconfig['policy']))
+ $pconfig['policy'] = "bsd";
+ if (empty($pconfig['timeout']))
+ $pconfig['timeout'] = 60;
+ if (empty($pconfig['min_ttl']))
+ $pconfig['min_ttl'] = 1;
+ if (empty($pconfig['detect_anomalies']))
+ $pconfig['detect_anomalies'] = "on";
+ if (empty($pconfig['overlap_limit']))
+ $pconfig['overlap_limit'] = 0;
+ if (empty($pconfig['min_frag_len']))
+ $pconfig['min_frag_len'] = 0;
+}
+
+if ($_POST['Cancel']) {
+ header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ if ($_GET['varname'] == "bind_to" && !empty($_GET['varvalue']))
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+}
+
+if ($_POST['Submit']) {
+
+ /* Grab all the POST values and save in new temp array */
+ $engine = array();
+ if ($_POST['frag3_name']) { $engine['name'] = trim($_POST['frag3_name']); } else { $engine['name'] = "default"; }
+ if ($_POST['frag3_bind_to']) {
+ if (is_alias($_POST['frag3_bind_to']))
+ $engine['bind_to'] = $_POST['frag3_bind_to'];
+ elseif (strtolower(trim($_POST['frag3_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+
+ /* Validate the text input fields before saving */
+ if (!empty($_POST['frag3_timeout']) || $_POST['frag3_timeout'] == 0) {
+ $engine['timeout'] = $_POST['frag3_timeout'];
+ if (!is_numeric($_POST['frag3_timeout']) || $_POST['frag3_timeout'] < 1)
+ $input_errors[] = gettext("The value for Timeout must be numeric and greater than zero.");
+ }
+ else
+ $engine['timeout'] = 60;
+
+ if (!empty($_POST['frag3_min_ttl']) || $_POST['frag3_min_ttl'] == 0) {
+ $engine['min_ttl'] = $_POST['frag3_min_ttl'];
+ if ($_POST['frag3_min_ttl'] < 1 || $_POST['frag3_min_ttl'] > 255)
+ $input_errors[] = gettext("The value for Minimum_Time-To-Live must be between 1 and 255.");
+ }
+ else
+ $engine['min_ttl'] = 1;
+
+ if (!empty($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] == 0) {
+ $engine['overlap_limit'] = $_POST['frag3_overlap_limit'];
+ if (!is_numeric($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] < 0)
+ $input_errors[] = gettext("The value for Overlap_Limit must be a number greater than or equal to zero.");
+ }
+ else
+ $engine['overlap_limit'] = 0;
+
+ if (!empty($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] == 0) {
+ $engine['min_frag_len'] = $_POST['frag3_min_frag_len'];
+ if (!is_numeric($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] < 0)
+ $input_errors[] = gettext("The value for Min_Fragment_Length must be a number greater than or equal to zero.");
+ }
+ else
+ $engine['min_frag_len'] = 0;
+
+ if ($_POST['frag3_policy']) { $engine['policy'] = $_POST['frag3_policy']; } else { $engine['policy'] = "bsd"; }
+ $engine['detect_anomalies'] = $_POST['frag3_detect_anomalies'] ? 'on' : 'off';
+
+ /* Can only have one "all" Bind_To address */
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
+ $input_errors[] = gettext("Only one default Frag3 Engine can be bound to all addresses.");
+ $pconfig = $engine;
+ }
+
+ /* if no errors, write new entry to conf */
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ /* Reorder the engine array to ensure the */
+ /* 'bind_to=all' entry is at the bottom */
+ /* if it contains more than one entry. */
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ /* Now write the new engine array to conf */
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: Interface {$if_friendly} Frag3 Preprocessor Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_frag3_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based IP Defragmentation Engine Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="frag3_name" type="text" class="formfld unknown" id="frag3_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="frag3_bind_to" type="text" class="formfldalias" id="frag3_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off">&nbsp;
+ <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td>
+ <td class="vexpl" align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=yes'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within this IP List.");?></td>
+ </tr>
+ </table>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <?php else : ?>
+ <input name="frag3_bind_to" type="text" class="formfldalias" id="frag3_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td>
+ <td width="78%" class="vtable">
+ <select name="frag3_policy" class="formselect" id="policy">
+ <?php
+ $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' );
+ foreach ($profile as $val): ?>
+ <option value="<?=strtolower($val);?>"
+ <?php if (strtolower($val) == $pconfig['policy']) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;&nbsp;<?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") .
+ "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td>
+ <td class="vtable">
+ <input name="frag3_timeout" type="text" class="formfld unknown" id="frag3_timeout" size="6"
+ value="<?=htmlspecialchars($pconfig['timeout']);?>">
+ <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?><br/><br/>
+ <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") .
+ "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Minimum Time-to-Live"); ?></td>
+ <td class="vtable">
+ <input name="frag3_min_ttl" type="text" class="formfld unknown" id="frag3_min_ttl" size="6"
+ value="<?=htmlspecialchars($pconfig['min_ttl']);?>">
+ <?php echo gettext("Minimum acceptable TTL for a fragment in the engine."); ?><br/><br/>
+ <?php echo gettext("The accepted range for this option is 1 - 255. Default value is ") .
+ "<strong>" . gettext("1") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td>
+ <td width="78%" class="vtable"><input name="frag3_detect_anomalies" id="frag3_detect_anomalies" type="checkbox" value="on"
+ <?php if ($pconfig['detect_anomalies']=="on") echo "checked "; ?> onclick="frag3_enable_change();">
+ <?php echo gettext("Use Frag3 Engine to detect fragment anomalies. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("In order to customize the Overlap Limit and Minimum Fragment Length parameters for this engine, Anomaly Detection must be enabled."); ?>
+ </td>
+ </tr>
+ <tr id="frag3_overlaplimit_row">
+ <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td>
+ <td class="vtable">
+ <input name="frag3_overlap_limit" type="text" class="formfld unknown" id="frag3_overlap_limit" size="6"
+ value="<?=htmlspecialchars($pconfig['overlap_limit']);?>">
+ <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited). Values greater than zero set the overlapped limit."); ?><br/><br/>
+ <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") .
+ "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/>
+ </td>
+ </tr>
+ <tr id="frag3_minfraglen_row">
+ <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td>
+ <td class="vtable">
+ <input name="frag3_min_frag_len" type="text" class="formfld unknown" id="frag3_min_frag_len" size="6"
+ value="<?=htmlspecialchars($pconfig['min_frag_len']);?>">
+ <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Values greater than zero enable the check."); ?><br/><br/>
+ <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. " .
+ "Fragments smaller than or equal to this limit are considered malicious. Default value is ") .
+ "<strong>0</strong>" . gettext(" (check is disabled)."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save Frag3 engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+<script type="text/javascript">
+
+function frag3_enable_change() {
+ var endis = !(document.iform.frag3_detect_anomalies.checked);
+
+ // Hide the "frag3_overlap_limit and frag3_min_frag_len" rows if frag3_detect_anomablies disabled
+ if (endis) {
+ document.getElementById("frag3_overlaplimit_row").style.display="none";
+ document.getElementById("frag3_minfraglen_row").style.display="none";
+ }
+ else {
+ document.getElementById("frag3_overlaplimit_row").style.display="table-row";
+ document.getElementById("frag3_minfraglen_row").style.display="table-row";
+ }
+}
+
+// Set initial state of form controls
+frag3_enable_change();
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $aliasesaddr = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ if ($alias_name['type'] != "host" && $alias_name['type'] != "network")
+ continue;
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAlias = new AutoSuggestControl(document.getElementById('frag3_bind_to'), new StateSuggestions(addressarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+</script>
+
+</html>
diff --git a/config/snort/snort_ftp_client_engine.php b/config/snort/snort_ftp_client_engine.php
new file mode 100644
index 00000000..a9f5e82b
--- /dev/null
+++ b/config/snort/snort_ftp_client_engine.php
@@ -0,0 +1,438 @@
+<?php
+/*
+ * snort_ftp_client_engine.php
+ * Copyright (C) 2004 Scott Ullrich
+ * Copyright (C) 2011-2012 Ermal Luci
+ * All rights reserved.
+ *
+ * originially part of m0n0wall (http://m0n0.ch/wall)
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * All rights reserved.
+ *
+ * modified for the pfsense snort package
+ * Copyright (C) 2009-2010 Robert Zelaya.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+if (is_null($id)) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_client_import']);
+ session_write_close();
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'];
+
+$pconfig = array();
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else
+ $pconfig = $a_nat[$eng_id];
+
+if ($_POST['Cancel']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_client_import']);
+ session_write_close();
+ header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ session_start();
+ if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "bounce_to_net" || $_GET['varname'] == "bounce_to_port")
+ && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+ if(!isset($_SESSION['ftp_client_import']))
+ $_SESSION['ftp_client_import'] = array();
+
+ $_SESSION['ftp_client_import'][$_GET['varname']] = $_GET['varvalue'];
+ if (isset($_SESSION['ftp_client_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to'];
+ if (isset($_SESSION['ftp_client_import']['bounce_to_net']))
+ $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net'];
+ if (isset($_SESSION['ftp_client_import']['bounce_to_port']))
+ $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port'];
+ }
+ // If "varvalue" is empty, user likely hit CANCEL in Select Dialog,
+ // so restore any saved values.
+ elseif (empty($_GET['varvalue'])) {
+ if (isset($_SESSION['ftp_client_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to'];
+ if (isset($_SESSION['ftp_client_import']['bounce_to_net']))
+ $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net'];
+ if (isset($_SESSION['ftp_client_import']['bounce_to_port']))
+ $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port'];
+ }
+ else {
+ unset($_SESSION['ftp_client_import']);
+ session_write_close();
+ }
+}
+
+if ($_POST['Submit']) {
+
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_client_import']);
+ session_write_close();
+
+ /* Grab all the POST values and save in new temp array */
+ $engine = array();
+ if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; }
+ if ($_POST['ftp_bind_to']) {
+ if (is_alias($_POST['ftp_bind_to']))
+ $engine['bind_to'] = $_POST['ftp_bind_to'];
+ elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+
+ // Validate BOUNCE-TO Alias entries to be sure if one is set, then both are set; since
+ // if you define a BOUNCE-TO address, you must also define the BOUNCE-TO port.
+ if ($_POST['ftp_client_bounce_to_net'] && !is_alias($_POST['ftp_client_bounce_to_net']))
+ $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO ADDRESS option.");
+
+ if ($_POST['ftp_client_bounce_to_port'] && !is_alias($_POST['ftp_client_bounce_to_port']))
+ $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO PORT option.");
+
+ if ($_POST['ftp_client_bounce_to_net'] && empty($_POST['ftp_client_bounce_to_port']))
+ $input_errors[] = gettext("FTP Protocol BOUNCE-TO PORT cannot be empty when BOUNCE-TO ADDRESS is set.");
+
+ if ($_POST['ftp_client_bounce_to_port'] && empty($_POST['ftp_client_bounce_to_net']))
+ $input_errors[] = gettext("FTP Protocol BOUNCE-TO ADDRESS cannot be empty when BOUNCE-TO PORT is set.");
+
+ // Validate the BOUNCE-TO Alias entries for correct format of their defined values. BOUNCE-TO ADDRESS must be
+ // a valid single IP, and BOUNCE-TO PORT must be either a single port value or a port range value. Provide
+ // detailed error messages for the user that explain any problems.
+ if ($_POST['ftp_client_bounce_to_net'] && $_POST['ftp_client_bounce_to_port']) {
+ if (!snort_is_single_addr_alias($_POST['ftp_client_bounce_to_net'])){
+ $net = trim(filter_expand_alias($_POST['ftp_client_bounce_to_net']));
+ $net = preg_replace('/\s+/', ',', $net);
+ $msg = gettext("The FTP Protocol BOUNCE-TO ADDRESS parameter must be a single IP network or address, ");
+ $msg .= gettext("so the supplied Alias must be defined as a single address or network in CIDR form. ");
+ $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_net']} ] is currently defined as [ {$net} ].");
+ $input_errors[] = $msg;
+ }
+ $port = trim(filter_expand_alias($_POST['ftp_client_bounce_to_port']));
+ $port = preg_replace('/\s+/', ',', $port);
+ if (!is_port($port) && !is_portrange($port)) {
+ $msg = gettext("The FTP Protocol BOUNCE-TO PORT parameter must be a single port or port-range, ");
+ $msg .= gettext("so the supplied Alias must be defined as a single port or port-range value. ");
+ $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_port']} ] is currently defined as [ {$port} ].");
+ $input_errors[] = $msg;
+ }
+ }
+
+ $engine['bounce_to_net'] = $_POST['ftp_client_bounce_to_net'];
+ $engine['bounce_to_port'] = $_POST['ftp_client_bounce_to_port'];
+ $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no';
+ $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no';
+ $engine['bounce'] = $_POST['ftp_client_bounce_detect'] ? 'yes' : 'no';
+ $engine['max_resp_len'] = $_POST['ftp_max_resp_len'];
+
+ /* Can only have one "all" Bind_To address */
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
+ $input_errors[] = gettext("Only one default FTP Engine can be bound to all addresses.");
+ $pconfig = $engine;
+ }
+
+ /* if no errors, write new entry to conf */
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ /* Reorder the engine array to ensure the */
+ /* 'bind_to=all' entry is at the bottom */
+ /* if it contains more than one entry. */
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ /* Now write the new engine array to conf */
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Client Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_ftp_client_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based FTP Client Engine Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="ftp_name" type="text" class="formfld unknown" id="ftp_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off" >&nbsp;
+ <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within the IP List.");?>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?></td>
+ </tr>
+ </table>
+ <?php else : ?>
+ <input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP address for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP addresses.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Telnet Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_cmds" id="ftp_telnet_cmds" type="checkbox" value="on"
+ <?php if ($pconfig['telnet_cmds']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Alert when Telnet commands are seen on the FTP command channel. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Telnet Erase Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_ignore_telnet_erase_cmds" id="ftp_ignore_telnet_erase_cmds" type="checkbox" value="on"
+ <?php if ($pconfig['ignore_telnet_erase_cmds']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Ignore Telnet escape sequences for erase character and erase line when normalizing FTP command channel.") . "<br/>" .
+ gettext("Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Maximum Response Length"); ?></td>
+ <td class="vtable">
+ <input name="ftp_max_resp_len" type="text" class="formfld unknown" id="ftp_max_resp_len" size="6"
+ value="<?=htmlspecialchars($pconfig['max_resp_len']);?>">
+ <?php echo gettext("Max FTP command response length accepted by client. Enter ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" to disable. Default is ") . "<strong>" . gettext("256.") . "</strong>";?><br/>
+ <?php echo gettext("Specifies the maximum allowed response length to an FTP command accepted by the client. It can be used as ") .
+ gettext("a basic buffer overflow detection.");?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Bounce Detection"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_client_bounce_detect" type="checkbox" value="on"
+ <?php if ($pconfig['bounce']=="yes") echo "checked"; ?> onclick="ftp_client_bounce_enable_change();">
+ <?php echo gettext("Enable detection and alerting of FTP bounce attacks. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_client_row_bounce_to">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Bounce-To Configuration"); ?></td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Bounce-To Address:"); ?></strong></td>
+ <td class="vexpl"><input name="ftp_client_bounce_to_net" type="text" class="formfldalias" id="ftp_client_bounce_to_net" size="20"
+ value="<?=htmlspecialchars($pconfig['bounce_to_net']);?>" title="<?=trim(filter_expand_alias($pconfig['bounce_to_net']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default is ") . "<strong>" . gettext("blank") . "</strong>.";?></span>
+ </td>
+ <td class="vexpl">&nbsp;&nbsp;<input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bounce_to_net&act=import'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Bounce-To Port:"); ?></strong></td>
+ <td class="vexpl"><input name="ftp_client_bounce_to_port" type="text" class="formfldalias" id="ftp_client_bounce_to_port" size="20"
+ value="<?=htmlspecialchars($pconfig['bounce_to_port']);?>" title="<?=trim(filter_expand_alias($pconfig['bounce_to_port']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default is ") . "<strong>" . gettext("blank") . "</strong>.";?></span>
+ </td>
+ <td class="vexpl">&nbsp;&nbsp;<input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=bounce_to_port&act=import'"
+ title="<?php echo gettext("Select an existing port alias");?>"/>
+ </td>
+ </tr>
+ </table>
+ <?php echo gettext("When the Bounce option is enabled, this allows the PORT command to use the address and port (or inclusive port range) ") .
+ gettext("specified without generating an alert. It can be used with proxied FTP connections where the FTP data channel is different from the client.");?><br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("Supplied value must be a pre-configured Alias or left blank.");?><br/>
+ <span class="red"><?php echo gettext("Hint: ") . "</span>" . gettext("Leave these settings at their defaults unless you are proxying FTP connections.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save ftp engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+<script type="text/javascript">
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesport = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+ elseif ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesport .= ",";
+ $aliasesport .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portarray=new Array(<?php echo $aliasesport; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAliasBindTo = new AutoSuggestControl(document.getElementById('ftp_bind_to'), new StateSuggestions(addressarray));\n";
+ echo "objAliasBounceNet = new AutoSuggestControl(document.getElementById('ftp_client_bounce_to_net'), new StateSuggestions(addressarray));\n";
+ echo "objAliasBouncePort = new AutoSuggestControl(document.getElementById('ftp_client_bounce_to_port'), new StateSuggestions(portarray));\n";
+
+
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+function ftp_client_bounce_enable_change() {
+ var endis = !(document.iform.ftp_client_bounce_detect.checked);
+ if (endis)
+ document.getElementById("ftp_client_row_bounce_to").style.display="none";
+ else
+ document.getElementById("ftp_client_row_bounce_to").style.display="table-row";
+}
+
+// Set initial state of form controls
+ftp_client_bounce_enable_change();
+
+</script>
+
+</html>
diff --git a/config/snort/snort_ftp_server_engine.php b/config/snort/snort_ftp_server_engine.php
new file mode 100644
index 00000000..8f462ca9
--- /dev/null
+++ b/config/snort/snort_ftp_server_engine.php
@@ -0,0 +1,387 @@
+<?php
+/*
+ * snort_ftp_server_engine.php
+ * Copyright (C) 2004 Scott Ullrich
+ * Copyright (C) 2011-2012 Ermal Luci
+ * All rights reserved.
+ *
+ * originially part of m0n0wall (http://m0n0.ch/wall)
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * All rights reserved.
+ *
+ * modified for the pfsense snort package
+ * Copyright (C) 2009-2010 Robert Zelaya.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+// Grab any QUERY STRING or POST variables
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+if (is_null($id)) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_server_import']);
+ session_write_close();
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'];
+
+$pconfig = array();
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else
+ $pconfig = $a_nat[$eng_id];
+
+if ($_POST['Cancel']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_server_import']);
+ session_write_close();
+ header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ session_start();
+ if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports")
+ && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+ if(!isset($_SESSION['ftp_server_import']))
+ $_SESSION['ftp_server_import'] = array();
+
+ $_SESSION['ftp_server_import'][$_GET['varname']] = $_GET['varvalue'];
+ if (isset($_SESSION['ftp_server_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to'];
+ if (isset($_SESSION['ftp_server_import']['ports']))
+ $pconfig['ports'] = $_SESSION['ftp_server_import']['ports'];
+ }
+ // If "varvalue" is empty, user likely hit CANCEL in Select Dialog,
+ // so restore any saved values.
+ elseif (empty($_GET['varvalue'])) {
+ if (isset($_SESSION['ftp_server_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to'];
+ if (isset($_SESSION['ftp_server_import']['ports']))
+ $pconfig['ports'] = $_SESSION['ftp_server_import']['ports'];
+ }
+ else {
+ unset($_SESSION['ftp_server_import']);
+ session_write_close();
+ }
+}
+
+if ($_POST['Submit']) {
+
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_server_import']);
+ session_write_close();
+
+ /* Grab all the POST values and save in new temp array */
+ $engine = array();
+ if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; }
+ if ($_POST['ftp_bind_to']) {
+ if (is_alias($_POST['ftp_bind_to']))
+ $engine['bind_to'] = $_POST['ftp_bind_to'];
+ elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+
+ if ($_POST['ftp_ports']) {
+ if ($_POST['ftp_ports'] == "default")
+ $engine['ports'] = $_POST['ftp_ports'];
+ elseif (is_alias($_POST['ftp_ports']))
+ $engine['ports'] = $_POST['ftp_ports'];
+ else
+ $input_errors[] = gettext("The value for Ports must be a valid Alias name or the keyword 'default'.");
+ }
+ else
+ $engine['ports'] = 21;
+
+ $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no';
+ $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no';
+ $engine['ignore_data_chan'] = $_POST['ftp_ignore_data_chan'] ? 'yes' : 'no';
+ $engine['def_max_param_len'] = $_POST['ftp_def_max_param_len'];
+
+
+ /* Can only have one "all" Bind_To address */
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
+ $input_errors[] = gettext("Only one default ftp Engine can be bound to all addresses.");
+ $pconfig = $engine;
+ }
+
+ /* if no errors, write new entry to conf */
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ /* Reorder the engine array to ensure the */
+ /* 'bind_to=all' entry is at the bottom */
+ /* if it contains more than one entry. */
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ /* Now write the new engine array to conf */
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Server Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_ftp_server_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based FTP Server Engine Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="ftp_name" type="text" class="formfld unknown" id="ftp_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off">&nbsp;
+ <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within the IP List.");?>.</td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>
+ <?php else : ?>
+ <input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP address for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP addresses.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Ports"); ?></td>
+ <td class="vtable">
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="ftp_ports" type="text" class="formfldalias" id="ftp_ports" size="25"
+ value="<?=htmlspecialchars($pconfig['ports']);?>" title="<?=trim(filter_expand_alias($pconfig['ports']));?>">
+ <?php echo gettext("Specifiy which ports to check for FTP data.");?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports&act=import'"
+ title="<?php echo gettext("Select an existing port alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("Default value is '") . "<strong>" . gettext("'default'") . "</strong>" .
+ gettext(" Using 'default' will include the FTP Ports defined on the ") . "<a href='snort_define_servers.php?id={$id}' title=\"" .
+ gettext("Go to {$if_friendly} Variables tab to define custom port variables") . "\">" . gettext("VARIABLES") . "</a>" .
+ gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?></td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Telnet Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_cmds" id="ftp_telnet_cmds" type="checkbox" value="on"
+ <?php if ($pconfig['telnet_cmds']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Alert when Telnet commands are seen on the FTP command channel. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Telnet Erase Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_ignore_telnet_erase_cmds" id="ftp_ignore_telnet_erase_cmds" type="checkbox" value="on"
+ <?php if ($pconfig['ignore_telnet_erase_cmds']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Ignore Telnet escape sequences for erase character and erase line when normalizing FTP command channel. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Data Channel"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_ignore_data_chan" id="ftp_ignore_data_chan" type="checkbox" value="on"
+ <?php if ($pconfig['ignore_data_chan']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Force Snort to ignore the FTP data channel connections. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Warning: ") . "</strong></span>" . gettext("When checked, NO INSPECTION other than state will be ") .
+ gettext("performed on the data channel. Enabling this option can improve performance for large FTP transfers from trusted servers.");?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Default Max Allowed Parameter Length"); ?></td>
+ <td class="vtable">
+ <input name="ftp_def_max_param_len" type="text" class="formfld unknown" id="ftp_def_max_param_len" size="6"
+ value="<?=htmlspecialchars($pconfig['def_max_param_len']);?>">
+ <?php echo gettext("Default allowed maximum parameter length for command. Enter ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" to disable. Default is ") . "<strong>" . gettext("100.") . "</strong>";?><br/>
+ <?php echo gettext("Specifies the maximum allowed parameter length for and FTP command. It can be used as a ") .
+ gettext("basic buffer overflow detection.");?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save ftp engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+<script type="text/javascript">
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesport = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+ elseif ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesport .= ",";
+ $aliasesport .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portarray=new Array(<?php echo $aliasesport; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_bind_to'), new StateSuggestions(addressarray));\n";
+ echo "objAliasPort = new AutoSuggestControl(document.getElementById('ftp_ports'), new StateSuggestions(portarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+</script>
+
+</html>
diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php
new file mode 100644
index 00000000..58488f2d
--- /dev/null
+++ b/config/snort/snort_httpinspect_engine.php
@@ -0,0 +1,751 @@
+<?php
+/*
+ * snort_httpinspect_engine.php
+ * Copyright (C) 2004 Scott Ullrich
+ * Copyright (C) 2011-2012 Ermal Luci
+ * All rights reserved.
+ *
+ * originially part of m0n0wall (http://m0n0.ch/wall)
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * All rights reserved.
+ *
+ * modified for the pfsense snort package
+ * Copyright (C) 2009-2010 Robert Zelaya.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+if (is_null($id)) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['http_inspect_import']);
+ session_write_close();
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'];
+
+$pconfig = array();
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
+ "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
+ "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
+ "max_header_length" => 0, "ports" => "default" );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else {
+ $pconfig = $a_nat[$eng_id];
+
+ // Check for any empty values and set sensible defaults
+ if (empty($pconfig['ports']))
+ $pconfig['ports'] = "default";
+ if (empty($pconfig['server_profile']))
+ $pconfig['server_profile'] = "all";
+ if (empty($pconfig['enable_xff']))
+ $pconfig['enable_xff'] = "off";
+ if (empty($pconfig['log_uri']))
+ $pconfig['log_uri'] = "off";
+ if (empty($pconfig['log_hostname']))
+ $pconfig['log_hostname'] = "off";
+ if (empty($pconfig['server_flow_depth']) && $pconfig['server_flow_depth'] <> 0)
+ $pconfig['server_flow_depth'] = 65535;
+ if (empty($pconfig['enable_cookie']))
+ $pconfig['enable_cookie'] = "on";
+ if (empty($pconfig['client_flow_depth']) && $pconfig['client_flow_depth'] <> 0)
+ $pconfig['client_flow_depth'] = 1460;
+ if (empty($pconfig['extended_response_inspection']))
+ $pconfig['extended_response_inspection'] = "on";
+ if (empty($pconfig['no_alerts']))
+ $pconfig['no_alerts'] = "off";
+ if (empty($pconfig['unlimited_decompress']))
+ $pconfig['unlimited_decompress'] = "on";
+ if (empty($pconfig['inspect_gzip']))
+ $pconfig['inspect_gzip'] = "on";
+ if (empty($pconfig['normalize_cookies']))
+ $pconfig['normalize_cookies'] = "on";
+ if (empty($pconfig['normalize_headers']))
+ $pconfig['normalize_headers'] = "on";
+ if (empty($pconfig['normalize_utf']))
+ $pconfig['normalize_utf'] = "on";
+ if (empty($pconfig['normalize_javascript']))
+ $pconfig['normalize_javascript'] = "on";
+ if (empty($pconfig['allow_proxy_use']))
+ $pconfig['allow_proxy_use'] = "off";
+ if (empty($pconfig['inspect_uri_only']))
+ $pconfig['inspect_uri_only'] = "off";
+ if (empty($pconfig['max_javascript_whitespaces']) && $pconfig['max_javascript_whitespaces'] <> 0)
+ $pconfig['max_javascript_whitespaces'] = 200;
+ if (empty($pconfig['post_depth']) && $pconfig['post_depth'] <> 0)
+ $pconfig['post_depth'] = -1;
+ if (empty($pconfig['max_headers']))
+ $pconfig['max_headers'] = 0;
+ if (empty($pconfig['max_spaces']))
+ $pconfig['max_spaces'] = 0;
+ if (empty($pconfig['max_header_length']))
+ $pconfig['max_header_length'] = 0;
+}
+
+if ($_POST['Cancel']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['http_inspect_import']);
+ session_write_close();
+ header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ session_start();
+ if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports")
+ && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+ $_SESSION['http_inspect_import'] = array();
+
+ $_SESSION['http_inspect_import'][$_GET['varname']] = $_GET['varvalue'];
+ if (isset($_SESSION['http_inspect_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to'];
+ if (isset($_SESSION['http_inspect_import']['ports']))
+ $pconfig['ports'] = $_SESSION['http_inspect_import']['ports'];
+ }
+ // If "varvalue" is empty, user likely hit CANCEL in Select Dialog,
+ // so restore any saved values.
+ elseif (empty($_GET['varvalue'])) {
+ if (isset($_SESSION['http_inspect_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to'];
+ if (isset($_SESSION['http_inspect_import']['ports']))
+ $pconfig['ports'] = $_SESSION['http_inspect_import']['ports'];
+ }
+ else {
+ unset($_SESSION['http_inspect_import']);
+ session_write_close();
+ }
+}
+
+if ($_POST['Submit']) {
+
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['http_inspect_import']);
+ session_write_close();
+
+ // Grab all the POST values and save in new temp array
+ $engine = array();
+ if ($_POST['httpinspect_name']) { $engine['name'] = trim($_POST['httpinspect_name']); } else { $engine['name'] = "default"; }
+ if ($_POST['httpinspect_bind_to']) {
+ if (is_alias($_POST['httpinspect_bind_to']))
+ $engine['bind_to'] = $_POST['httpinspect_bind_to'];
+ elseif (strtolower(trim($_POST['httpinspect_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+ if ($_POST['httpinspect_ports']) { $engine['ports'] = trim($_POST['httpinspect_ports']); } else { $engine['ports'] = "default"; }
+
+ // Validate the text input fields before saving
+ if (!empty($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] == 0) {
+ $engine['server_flow_depth'] = $_POST['httpinspect_server_flow_depth'];
+ if (!is_numeric($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] < -1 || $_POST['httpinspect_server_flow_depth'] > 65535)
+ $input_errors[] = gettext("The value for Server_Flow_Depth must be numeric and between -1 and 65535.");
+ }
+ else
+ $engine['server_flow_depth'] = 65535;
+
+ if (!empty($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] == 0) {
+ $engine['client_flow_depth'] = $_POST['httpinspect_client_flow_depth'];
+ if (!is_numeric($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] < -1 || $_POST['httpinspect_client_flow_depth'] > 1460)
+ $input_errors[] = gettext("The value for Client_Flow_Depth must be between -1 and 1460.");
+ }
+ else
+ $engine['client_flow_depth'] = 1460;
+
+ if (!empty($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] == 0) {
+ $engine['max_javascript_whitespaces'] = $_POST['httpinspect_max_javascript_whitespaces'];
+ if (!is_numeric($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] < 0 || $_POST['httpinspect_max_javascript_whitespaces'] > 65535)
+ $input_errors[] = gettext("The value for Max_Javascript_Whitespaces must be between 0 and 65535.");
+ }
+ else
+ $engine['max_javascript_whitespaces'] = 200;
+
+ if (!empty($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] == 0) {
+ $engine['post_depth'] = $_POST['httpinspect_post_depth'];
+ if (!is_numeric($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] < -1 || $_POST['httpinspect_post_depth'] > 65495)
+ $input_errors[] = gettext("The value for Post_Depth must be between -1 and 65495.");
+ }
+ else
+ $engine['post_depth'] = -1;
+
+ if (!empty($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] == 0) {
+ $engine['max_headers'] = $_POST['httpinspect_max_headers'];
+ if (!is_numeric($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] < 0 || $_POST['httpinspect_max_headers'] > 65535)
+ $input_errors[] = gettext("The value for Max_Headers must be between 0 and 65535.");
+ }
+ else
+ $engine['max_headers'] = 0;
+
+ if (!empty($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] == 0) {
+ $engine['max_spaces'] = $_POST['httpinspect_max_spaces'];
+ if (!is_numeric($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] < 0 || $_POST['httpinspect_max_spaces'] > 65535)
+ $input_errors[] = gettext("The value for Max_Spaces must be between 0 and 65535.");
+ }
+ else
+ $engine['max_spaces'] = 0;
+
+ if (!empty($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] == 0) {
+ $engine['max_header_length'] = $_POST['httpinspect_max_header_length'];
+ if (!is_numeric($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] < 0 || $_POST['httpinspect_max_header_length'] > 65535)
+ $input_errors[] = gettext("The value for Max_Header_Length must be between 0 and 65535.");
+ }
+ else
+ $engine['max_header_length'] = 0;
+
+ if ($_POST['httpinspect_server_profile']) { $engine['server_profile'] = $_POST['httpinspect_server_profile']; } else { $engine['server_profile'] = "all"; }
+
+ $engine['no_alerts'] = $_POST['httpinspect_no_alerts'] ? 'on' : 'off';
+ $engine['enable_xff'] = $_POST['httpinspect_enable_xff'] ? 'on' : 'off';
+ $engine['log_uri'] = $_POST['httpinspect_log_uri'] ? 'on' : 'off';
+ $engine['log_hostname'] = $_POST['httpinspect_log_hostname'] ? 'on' : 'off';
+ $engine['extended_response_inspection'] = $_POST['httpinspect_extended_response_inspection'] ? 'on' : 'off';
+ $engine['enable_cookie'] = $_POST['httpinspect_enable_cookie'] ? 'on' : 'off';
+ $engine['unlimited_decompress'] = $_POST['httpinspect_unlimited_decompress'] ? 'on' : 'off';
+ $engine['inspect_gzip'] = $_POST['httpinspect_inspect_gzip'] ? 'on' : 'off';
+ $engine['normalize_cookies'] = $_POST['httpinspect_normalize_cookies'] ? 'on' : 'off';
+ $engine['normalize_headers'] = $_POST['httpinspect_normalize_headers'] ? 'on' : 'off';
+ $engine['normalize_utf'] = $_POST['httpinspect_normalize_utf'] ? 'on' : 'off';
+ $engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off';
+ $engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off';
+ $engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off';
+
+ // Can only have one "all" Bind_To address
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
+ $input_errors[] = gettext("Only one default http_inspect Engine can be bound to all addresses.");
+ $pconfig = $engine;
+ }
+
+ // if no errors, write new entry to conf
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ // Reorder the engine array to ensure the
+ // 'bind_to=all' entry is at the bottom
+ // if it contains more than one entry.
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ // Now write the new engine array to conf
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: {$if_friendly} - HTTP_Inspect Preprocessor Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_httpinspect_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("HTTP Inspection Server Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_name" type="text" class="formfld unknown" id="httpinspect_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo " readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="httpinspect_bind_to" type="text" class="formfldalias" id="httpinspect_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off">&nbsp;
+ <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=yes'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within this IP List.");?></td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>
+ <?php else : ?>
+ <input name="httpinspect_bind_to" type="text" class="formfldalias" id="httpinspect_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Ports"); ?></td>
+ <td class="vtable">
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="httpinspect_ports" type="text" class="formfldalias" id="httpinspect_ports" size="25"
+ value="<?=htmlspecialchars($pconfig['ports']);?>" title="<?=trim(filter_expand_alias($pconfig['ports']));?>">
+ <?php echo gettext("Specifiy which ports to check for HTTP data.");?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports&act=import'"
+ title="<?php echo gettext("Select an existing port alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("Default value is '") . "<strong>" . gettext("'default'. ") . "</strong>";?>
+ <?php echo gettext("Using 'default' will include the HTTP Ports defined on the ") . "<a href='snort_define_servers.php?id={$id}' title=\"" .
+ gettext("Go to {$if_friendly} Variables tab to define custom port variables") . "\">" . gettext("VARIABLES") . "</a>" .
+ gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?></td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Profile");?> </td>
+ <td width="78%" class="vtable">
+ <select name="httpinspect_server_profile" class="formselect" id="httpinspect_server_profile">
+ <?php
+ $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0');
+ foreach ($profile as $val): ?>
+ <option value="<?=strtolower($val);?>"
+ <?php if (strtolower($val) == $pconfig['server_profile']) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach;?>
+ </select>&nbsp;&nbsp;<?php echo gettext("Choose the profile type of the protected web server. The default is ") .
+ "<strong>" . gettext("All") . "</strong>";?><br/>
+ <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") .
+ gettext("double decoding vulnerability present in those versions.");?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("No Alerts");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_no_alerts"
+ type="checkbox" value="on" id="httpinspect_no_alerts"
+ <?php if ($pconfig['no_alerts']=="on") echo "checked";?>>
+ <?php echo gettext("Disable Alerts from this engine configuration. Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Allow Proxy Use");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_allow_proxy_use"
+ type="checkbox" value="on" id="httpinspect_allow_proxy_use"
+ <?php if ($pconfig['allow_proxy_use']=="on") echo "checked";?>>
+ <?php echo gettext("Allow proxy use on this server. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("This prevents proxy alerts for this server. The global option Proxy_Alert must also be " .
+ "enabled, otherwise this setting does nothing.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("XFF/True-Client-IP");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_enable_xff"
+ type="checkbox" value="on" id="httpinspect_enable_xff"
+ <?php if ($pconfig['enable_xff']=="on") echo "checked";?>>
+ <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " .
+ "HTTP headers. Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("URI Logging"); ?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_log_uri"
+ type="checkbox" value="on" id="hhttpinspect_log_uri"
+ <?php if ($pconfig['log_uri']=="on") echo "checked"; ?>>
+ <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." .
+ " Default is "); ?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Hostname Logging");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_log_hostname"
+ type="checkbox" value="on" id="httpinspect_log_hostname"
+ <?php if ($pconfig['log_hostname']=="on") echo "checked";?>>
+ <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." .
+ " Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Cookie Extraction/Inspection");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_enable_cookie"
+ type="checkbox" value="on" id="httpinspect_enable_cookie"
+ <?php if ($pconfig['enable_cookie']=="on") echo "checked";?>>
+ <?php echo gettext("Enable HTTP cookie extraction and inspection. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect URI Only");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_inspect_uri_only"
+ type="checkbox" value="on" id="httpinspect_inspect_uri_only"
+ <?php if ($pconfig['inspect_uri_only']=="on") echo "checked";?>>
+ <?php echo gettext("Inspect only URI portion of HTTP requests. This is a performance enhancement. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("If this option is used without any uricontent rules, then no inspection will take place. " .
+ "The URI is only inspected with uricontent rules, and if there are none available, then there is nothing to inspect.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Extended Response Inspection");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_extended_response_inspection"
+ type="checkbox" value="on" id="httpinspect_extended_response_inspection" onclick="extended_response_enable_change();"
+ <?php if ($pconfig['extended_response_inspection']=="on") echo "checked";?>>
+ <?php echo gettext("Enable extended response inspection to thoroughly inspect the HTTP response. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr id="httpinspect_normalizejavascript_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Javascript");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_normalize_javascript"
+ type="checkbox" value="on" id="httpinspect_normalize_javascript" onclick="normalize_javascript_enable_change();"
+ <?php if ($pconfig['normalize_javascript']=="on") echo "checked";?>>
+ <?php echo gettext("Enable Javascript normalization in HTTP response body. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr id="httpinspect_maxjavascriptwhitespaces_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum Javascript Whitespaces"); ?></td>
+ <td class="vtable">
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td valign="top"><input name="httpinspect_max_javascript_whitespaces" type="text" class="formfld unknown"
+ id="httpinspect_max_javascript_whitespaces" size="6"
+ value="<?=htmlspecialchars($pconfig['max_javascript_whitespaces']);?>"></td>
+ <td class="vexpl" valign="top"><?php echo gettext("Maximum consecutive whitespaces allowed in Javascript obfuscated data. ");?>
+ <?php echo gettext("Minimum is ") . "<strong>" . gettext("1") . "</strong>" . gettext(" and maximum is ") .
+ "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(" disables this alert). "). gettext("The default value is ") .
+ "<strong>" . gettext("200") . "</strong>."?></td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr id="httpinspect_inspectgzip_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect gzip");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_inspect_gzip"
+ type="checkbox" value="on" id="httpinspect_inspect_gzip" onclick="httpinspect_inspectgzip_enable_change();"
+ <?php if ($pconfig['inspect_gzip']=="on") echo "checked";?>>
+ <?php echo gettext("Uncompress and inspect compressed data in HTTP response. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr id="httpinspect_unlimiteddecompress_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Unlimited Decompress");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_unlimited_decompress"
+ type="checkbox" value="on" id="httpinspect_unlimited_decompress"
+ <?php if ($pconfig['unlimited_decompress']=="on") echo "checked";?>>
+ <?php echo gettext("Decompress unlimited gzip data (across multiple packets). Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Cookies");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_normalize_cookies"
+ type="checkbox" value="on" id="httpinspect_normalize_cookies"
+ <?php if ($pconfig['normalize_cookies']=="on") echo "checked";?>>
+ <?php echo gettext("Normalize HTTP cookie fields. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize UTF");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_normalize_utf"
+ type="checkbox" value="on" id="httpinspect_normalize_utf"
+ <?php if ($pconfig['normalize_utf']=="on") echo "checked";?>>
+ <?php echo gettext("Normalize HTTP response body character sets to 8-bit encoding. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Headers");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_normalize_headers"
+ type="checkbox" value="on" id="httpinspect_normalize_headers"
+ <?php if ($pconfig['normalize_headers']=="on") echo "checked";?>>
+ <?php echo gettext("Normalize HTTP Header fields. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Server Flow Depth"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_server_flow_depth" type="text" class="formfld unknown"
+ id="httpinspect_server_flow_depth" size="6"
+ value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>">&nbsp;<strong><?php echo gettext("-1") .
+ "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong> " . gettext("(") . "<strong>" .
+ gettext("-1") . "</strong>" . gettext(" disables HTTP inspect, ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" enables all HTTP inspect).");?><br/><br/>
+ <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's performance " .
+ "may increase by adjusting this value. Setting this value too low may cause false negatives. ") .
+ gettext("Values above 0 are specified in bytes. Recommended setting is maximum (65535). " .
+ "Default value is ") . "<strong>" . gettext("65535") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Client Flow Depth"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_client_flow_depth" type="text" class="formfld unknown"
+ id="httpinspect_client_flow_depth" size="6"
+ value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>">&nbsp;<strong><?php echo gettext("-1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("1460") . "</strong>" . gettext(" (") . "<strong>" . gettext("-1") .
+ "</strong>" . gettext(" disables HTTP inspect, ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" enables all HTTP inspect).");?><br/><br/>
+ <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " .
+ "performance may increase by adjusting this value. Setting this value too low may cause false negatives. ");?>
+ <?php echo gettext("Values above 0 are specified in bytes. Recommended setting is maximum (1460). " .
+ "Default value is ") . "<strong>" . gettext("1460") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Post Depth"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_post_depth" type="text" class="formfld unknown"
+ id="httpinspect_post_depth" size="6"
+ value="<?=htmlspecialchars($pconfig['post_depth']);?>">&nbsp;<strong><?php echo gettext("-1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("65495") . "</strong>" . gettext(" (") . "<strong>" . gettext("-1") .
+ "</strong>" . gettext(" ignores all post data, ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" inspects all post data).");?><br/><br/>
+ <?php echo gettext("Amount of data to inspect in client post message. Snort's performance may " .
+ "increase by adjusting this value. Values above 0 are specified in bytes. ") .
+ gettext("Default value is ") . "<strong>" . gettext("-1") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Max Headers"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_max_headers" type="text" class="formfld unknown"
+ id="httpinspect_max_headers" size="6"
+ value="<?=htmlspecialchars($pconfig['max_headers']);?>">&nbsp;<strong><?php echo gettext("1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("1024") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(" disables the alert).");?><br/><br/>
+ <?php echo gettext("Sets the maximum number of HTTP client request header fields allowed. Requests that " .
+ "contain more HTTP headers than this value will cause a \"Max Header\" alert. ") .
+ gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Max Header Length"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_max_header_length" type="text" class="formfld unknown"
+ id="httpinspect_max_header_length" size="6"
+ value="<?=htmlspecialchars($pconfig['max_header_length']);?>">&nbsp;<strong><?php echo gettext("1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(" disables the alert).");?><br/><br/>
+ <?php echo gettext("This sets the maximum length allowed for an HTTP client request header field. " .
+ "Requests that exceed this limit well cause a \"Long Header\" alert. ") .
+ gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Max Spaces"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_max_spaces" type="text" class="formfld unknown"
+ id="httpinspect_max_spaces" size="6"
+ value="<?=htmlspecialchars($pconfig['max_spaces']);?>">&nbsp;<strong><?php echo gettext("1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(" disables the alert).");?><br/><br/>
+ <?php echo gettext("This sets the maximum number of whitespaces allowed with HTTP client request line folding. " .
+ "Request headers folded with whitespaces equal to or greater than this value will cause a \"Whitespace Saturation\" alert. ") .
+ gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save httpinspect engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+
+<script type="text/javascript">
+
+function extended_response_enable_change() {
+ var endis = !(document.iform.httpinspect_extended_response_inspection.checked);
+
+ // Hide the "httpinspect_inspectgzip and httpinspect_normalizejavascript" rows if httpinspect_extended_response_inspection disabled
+ if (endis) {
+ document.getElementById("httpinspect_inspectgzip_row").style.display="none";
+ document.getElementById("httpinspect_unlimiteddecompress_row").style.display="none";
+ document.getElementById("httpinspect_normalizejavascript_row").style.display="none";
+ document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="none";
+ }
+ else {
+ document.getElementById("httpinspect_inspectgzip_row").style.display="table-row";
+ document.getElementById("httpinspect_unlimiteddecompress_row").style.display="table-row";
+ document.getElementById("httpinspect_normalizejavascript_row").style.display="table-row";
+ document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="table-row";
+ }
+}
+
+function httpinspect_inspectgzip_enable_change() {
+ var endis = !(document.iform.httpinspect_inspect_gzip.checked);
+ // Hide the "httpinspect_unlimited_decompress" row if httpinspect_inspect_gzip disabled
+ if (endis)
+ document.getElementById("httpinspect_unlimiteddecompress_row").style.display="none";
+ else
+ document.getElementById("httpinspect_unlimiteddecompress_row").style.display="table-row";
+}
+
+function normalize_javascript_enable_change() {
+ var endis = !(document.iform.httpinspect_normalize_javascript.checked);
+
+ // Hide the "httpinspect_maxjavascriptwhitespaces" row if httpinspect_normalize_javascript disabled
+ if (endis)
+ document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="none";
+ else
+ document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="table-row";
+}
+
+// Set initial state of form controls
+extended_response_enable_change();
+normalize_javascript_enable_change();
+httpinspect_inspectgzip_enable_change();
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesport = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+ elseif ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesport .= ",";
+ $aliasesport .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portarray=new Array(<?php echo $aliasesport; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAliasAddr = new AutoSuggestControl(document.getElementById('httpinspect_bind_to'), new StateSuggestions(addressarray));\n";
+ echo "objAliasPort = new AutoSuggestControl(document.getElementById('httpinspect_ports'), new StateSuggestions(portarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+</script>
+<?php include("fend.inc");?>
+</body>
+</html>
diff --git a/config/snort/snort_import_aliases.php b/config/snort/snort_import_aliases.php
new file mode 100644
index 00000000..d9f751cd
--- /dev/null
+++ b/config/snort/snort_import_aliases.php
@@ -0,0 +1,327 @@
+<?php
+/* $Id$ */
+/*
+ snort_import_aliases.php
+ Copyright (C) 2004 Scott Ullrich
+ All rights reserved.
+
+ originially part of m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+require_once("functions.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+// Retrieve any passed QUERY STRING or POST variables
+$id = $_GET['id'];
+$eng = $_GET['eng'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng']))
+ $eng = $_POST['eng'];
+
+// Make sure we have a valid rule ID and ENGINE name, or
+// else bail out to top-level menu.
+if (is_null($id) || is_null($eng)) {
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+// Used to track if any selectable Aliases are found
+$selectablealias = false;
+
+// Initialize required array variables as necessary
+if (!is_array($config['aliases']['alias']))
+ $config['aliases']['alias'] = array();
+$a_aliases = $config['aliases']['alias'];
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+
+// The $eng variable points to the specific Snort config section
+// engine we are importing values into. Initialize the config.xml
+// array if necessary.
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id][$eng]['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'] = array();
+
+// Initialize a pointer to the Snort config section engine we are
+// importing values into.
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'];
+
+// Build a lookup array of currently used engine 'bind_to' Aliases
+// so we can screen matching Alias names from the list.
+$used = array();
+foreach ($a_nat as $v)
+ $used[$v['bind_to']] = true;
+
+// Construct the correct return anchor string based on the Snort config section
+// engine we were called with. This lets us return to the page and section
+// we were called from. Also set the flag for those engines which accept
+// multiple IP addresses for the "bind_to" parameter.
+switch ($eng) {
+ case "frag3_engine":
+ $anchor = "#frag3_row";
+ $multi_ip = true;
+ $title = "Frag3 Engine";
+ break;
+ case "http_inspect_engine":
+ $anchor = "#httpinspect_row";
+ $multi_ip = true;
+ $title = "HTTP_Inspect Engine";
+ break;
+ case "stream5_tcp_engine":
+ $anchor = "#stream5_row";
+ $multi_ip = true;
+ $title = "Stream5 TCP Engine";
+ break;
+ case "ftp_server_engine":
+ $anchor = "#ftp_telnet_row";
+ $multi_ip = false;
+ $title = "FTP Server Engine";
+ break;
+ case "ftp_client_engine":
+ $anchor = "#ftp_telnet_row";
+ $multi_ip = false;
+ $title = "FTP Client Engine";
+ break;
+ default:
+ $anchor = "";
+}
+
+if ($_POST['cancel']) {
+ header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}");
+ exit;
+}
+
+if ($_POST['save']) {
+
+ // Define default engine configurations for each of the supported engines.
+
+ $def_frag3 = array( "name" => "", "bind_to" => "", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+
+ $def_ftp_server = array( "name" => "", "bind_to" => "", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ $def_ftp_client = array( "name" => "", "bind_to" => "", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ $def_http_inspect = array( "name" => "", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
+ "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
+ "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
+ "max_header_length" => 0, "ports" => "default" );
+
+ $def_stream5 = array( "name" => "", "bind_to" => "", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0,
+ "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+
+ // Figure out which engine type we are importing and set up default engine array
+ $engine = array();
+ switch ($eng) {
+ case "frag3_engine":
+ $engine = $def_frag3;
+ break;
+ case "http_inspect_engine":
+ $engine = $def_http_inspect;
+ break;
+ case "stream5_tcp_engine":
+ $engine = $def_stream5;
+ break;
+ case "ftp_server_engine":
+ $engine = $def_ftp_server;
+ break;
+ case "ftp_client_engine":
+ $engine = $def_ftp_client;
+ break;
+ default:
+ $engine = "";
+ $input_errors[] = gettext("Invalid ENGINE TYPE passed in query string. Aborting operation.");
+ }
+
+ // See if anything was checked to import
+ if (is_array($_POST['toimport']) && count($_POST['toimport']) > 0) {
+ foreach ($_POST['toimport'] as $item) {
+ $engine['name'] = strtolower($item);
+ $engine['bind_to'] = $item;
+ $a_nat[] = $engine;
+ }
+ }
+ else
+ $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE.");
+
+ // if no errors, write new entry to conf
+ if (!$input_errors) {
+ // Reorder the engine array to ensure the
+ // 'bind_to=all' entry is at the bottom if
+ // the array contains more than one entry.
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ // Only relocate the entry if we
+ // found it, and it's not already
+ // at the end.
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ // Now write the new engine array to conf and return
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}");
+ exit;
+ }
+}
+
+$pgtitle = gettext("Snort: Import Host/Network Alias for {$title}");
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<form action="snort_import_aliases.php" method="post">
+<input type="hidden" name="id" value="<?=$id;?>">
+<input type="hidden" name="eng" value="<?=$eng;?>">
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+ <td class="tabcont"><strong><?=gettext("Select one or more Aliases to use as {$title} targets from the list below.");?></strong><br/>
+ </td>
+</tr>
+<tr>
+ <td class="tabcont">
+ <table id="sortabletable1" style="table-layout: fixed;" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <colgroup>
+ <col width="5%" align="center">
+ <col width="25%" align="left" axis="string">
+ <col width="35%" align="left" axis="string">
+ <col width="35%" align="left" axis="string">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"></th>
+ <th class="listhdrr" axis="string"><?=gettext("Alias Name"); ?></th>
+ <th class="listhdrr" axis="string"><?=gettext("Values"); ?></th>
+ <th class="listhdrr" axis="string"><?=gettext("Description"); ?></th>
+ </tr>
+ </thead>
+ <tbody>
+ <?php $i = 0; foreach ($a_aliases as $alias): ?>
+ <?php if ($alias['type'] <> "host" && $alias['type'] <> "network")
+ continue;
+ if (isset($used[$alias['name']]))
+ continue;
+ if (!$multi_ip && !snort_is_single_addr_alias($alias['name'])) {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $disable = true;
+ $tooltip = gettext("Aliases resolving to multiple addresses cannot be used with the '{$eng}'.");
+ }
+ elseif (trim(filter_expand_alias($alias['name'])) == "") {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $disable = true;
+ $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations.");
+ }
+ else {
+ $textss = "";
+ $textse = "";
+ $disable = "";
+ $selectablealias = true;
+ $tooltip = gettext("Selected entries will be imported. Click to toggle selection of this entry.");
+ }
+ ?>
+ <?php if ($disable): ?>
+ <tr title="<?=$tooltip;?>">
+ <td class="listlr" align="center"><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height"11" border="0"/>
+ <?php else: ?>
+ <tr>
+ <td class="listlr" align="center"><input type="checkbox" name="toimport[]" value="<?=htmlspecialchars($alias['name']);?>" title="<?=$tooltip;?>"/></td>
+ <?php endif; ?>
+ <td class="listr" align="left"><?=$textss . htmlspecialchars($alias['name']) . $textse;?></td>
+ <td class="listr" align="left">
+ <?php
+ $tmpaddr = explode(" ", $alias['address']);
+ $addresses = implode(", ", array_slice($tmpaddr, 0, 10));
+ echo "{$textss}{$addresses}{$textse}";
+ if(count($tmpaddr) > 10) {
+ echo "...";
+ }
+ ?>
+ </td>
+ <td class="listbg" align="left">
+ <?=$textss . htmlspecialchars($alias['descr']) . $textse;?>&nbsp;
+ </td>
+ </tr>
+ <?php $i++; endforeach; ?>
+ </table>
+ </td>
+</tr>
+<?php if (!$selectablealias): ?>
+<tr>
+ <td class="tabcont" align="center"><b><?php echo gettext("There are currently no defined Aliases eligible for import.");?></b></td>
+</tr>
+<tr>
+ <td class="tabcont" align="center">
+ <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/>
+ </td>
+</tr>
+<?php else: ?>
+<tr>
+ <td class="tabcont" align="center">
+ <input type="Submit" name="save" value="Save" id="save" class="formbtn" title="<?=gettext("Import selected item and return");?>"/>&nbsp;&nbsp;&nbsp;
+ <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/>
+ </td>
+</tr>
+<?php endif; ?>
+<tr>
+ <td class="tabcont">
+ <span class="vexpl"><span class="red"><strong><?=gettext("Note:"); ?><br></strong></span><?=gettext("Fully-Qualified Domain Name (FQDN) host Aliases cannot be used as Snort configuration parameters. Aliases resolving to a single FQDN value are disabled in the list above. In the case of nested Aliases where one or more of the nested values is a FQDN host, the FQDN host will not be included in the {$title} configuration.");?></span>
+ </td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+</html>
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index bbd4338c..9d488207 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -102,6 +102,12 @@ elseif (isset($id) && !isset($a_rule[$id])) {
if (isset($_GET['dup']))
unset($id);
+// Set defaults for empty key parameters
+if (empty($pconfig['blockoffendersip']))
+ $pconfig['blockoffendersip'] = "both";
+if (empty($pconfig['performance']))
+ $pconfig['performance'] = "ac-bnfa";
+
if ($_POST["Submit"]) {
if (!$_POST['interface'])
$input_errors[] = "Interface is mandatory";
@@ -113,7 +119,7 @@ if ($_POST["Submit"]) {
$natent['enable'] = $_POST['enable'] ? 'on' : 'off';
$natent['uuid'] = $pconfig['uuid'];
- /* See if the HOME_NET, EXTERNAL_NET, WHITELIST or SUPPRESS LIST values were changed */
+ /* See if the HOME_NET, EXTERNAL_NET, or SUPPRESS LIST values were changed */
$snort_reload = false;
if ($_POST['homelistname'] && ($_POST['homelistname'] <> $natent['homelistname']))
$snort_reload = true;
@@ -121,8 +127,6 @@ if ($_POST["Submit"]) {
$snort_reload = true;
if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname']))
$snort_reload = true;
- if ($_POST['whitelistname'] && ($_POST['whitelistname'] <> $natent['whitelistname']))
- $snort_reload = true;
if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']);
if ($_POST['performance']) $natent['performance'] = $_POST['performance']; else unset($natent['performance']);
@@ -150,8 +154,100 @@ if ($_POST["Submit"]) {
exec("mv -f {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$if_real}");
}
$a_rule[$id] = $natent;
- } else
+ } else {
+ // Adding new interface, so set required interface configuration defaults
+ $frag3_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+
+ $stream5_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off",
+ "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+
+ $http_eng = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
+ "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
+ "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+
+ $ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ $ftp_server_eng = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ $natent['max_attribute_hosts'] = '10000';
+ $natent['max_attribute_services_per_host'] = '10';
+ $natent['max_paf'] = '16000';
+
+ $natent['ftp_preprocessor'] = 'on';
+ $natent['ftp_telnet_inspection_type'] = "stateful";
+ $natent['ftp_telnet_alert_encrypted'] = "off";
+ $natent['ftp_telnet_check_encrypted'] = "on";
+ $natent['ftp_telnet_normalize'] = "on";
+ $natent['ftp_telnet_detect_anomalies'] = "on";
+ $natent['ftp_telnet_ayt_attack_threshold'] = "20";
+ if (!is_array($natent['ftp_client_engine']['item']))
+ $natent['ftp_client_engine']['item'] = array();
+ $natent['ftp_client_engine']['item'][] = $ftp_client_eng;
+ if (!is_array($natent['ftp_server_engine']['item']))
+ $natent['ftp_server_engine']['item'] = array();
+ $natent['ftp_server_engine']['item'][] = $ftp_server_eng;
+
+ $natent['smtp_preprocessor'] = 'on';
+ $natent['dce_rpc_2'] = 'on';
+ $natent['dns_preprocessor'] = 'on';
+ $natent['ssl_preproc'] = 'on';
+ $natent['pop_preproc'] = 'on';
+ $natent['imap_preproc'] = 'on';
+ $natent['sip_preproc'] = 'on';
+ $natent['other_preprocs'] = 'on';
+
+ $natent['pscan_protocol'] = 'all';
+ $natent['pscan_type'] = 'all';
+ $natent['pscan_memcap'] = '10000000';
+ $natent['pscan_sense_level'] = 'medium';
+
+ $natent['http_inspect'] = "on";
+ $natent['http_inspect_proxy_alert'] = "off";
+ $natent['http_inspect_memcap'] = "150994944";
+ $natent['http_inspect_max_gzip_mem'] = "838860";
+ if (!is_array($natent['http_inspect_engine']['item']))
+ $natent['http_inspect_engine']['item'] = array();
+ $natent['http_inspect_engine']['item'][] = $http_eng;
+
+ $natent['frag3_max_frags'] = '8192';
+ $natent['frag3_memcap'] = '4194304';
+ $natent['frag3_detection'] = 'on';
+ if (!is_array($natent['frag3_engine']['item']))
+ $natent['frag3_engine']['item'] = array();
+ $natent['frag3_engine']['item'][] = $frag3_eng;
+
+ $natent['stream5_reassembly'] = 'on';
+ $natent['stream5_flush_on_alert'] = 'off';
+ $natent['stream5_prune_log_max'] = '1048576';
+ $natent['stream5_track_tcp'] = 'on';
+ $natent['stream5_max_tcp'] = '262144';
+ $natent['stream5_track_udp'] = 'on';
+ $natent['stream5_max_udp'] = '131072';
+ $natent['stream5_udp_timeout'] = '30';
+ $natent['stream5_track_icmp'] = 'off';
+ $natent['stream5_max_icmp'] = '65536';
+ $natent['stream5_icmp_timeout'] = '30';
+ $natent['stream5_mem_cap']= '8388608';
+ if (!is_array($natent['stream5_tcp_engine']['item']))
+ $natent['stream5_tcp_engine']['item'] = array();
+ $natent['stream5_tcp_engine']['item'][] = $stream5_eng;
+
$a_rule[] = $natent;
+ }
/* If Snort is disabled on this interface, stop any running instance */
if ($natent['enable'] != 'on')
@@ -168,9 +264,9 @@ if ($_POST["Submit"]) {
/*******************************************************/
/* Signal Snort to reload configuration if we changed */
- /* HOME_NET, the Whitelist, EXTERNAL_NET or Suppress */
- /* list values. The function only signals a running */
- /* Snort instance to safely reload these parameters. */
+ /* HOME_NET, EXTERNAL_NET or Suppress list values. */
+ /* The function only signals a running Snort instance */
+ /* to safely reload these parameters. */
/*******************************************************/
if ($snort_reload == true)
snort_reload_config($natent, "SIGHUP");
@@ -187,7 +283,7 @@ if ($_POST["Submit"]) {
}
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface Edit: {$if_friendly}";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Edit Settings");
include_once("head.inc");
?>
@@ -265,28 +361,24 @@ include_once("head.inc");
<?php endforeach; ?>
</select>&nbsp;&nbsp;
<span class="vexpl"><?php echo gettext("Choose which interface this Snort instance applies to."); ?><br/>
- <span class="red"><?php echo gettext("Hint:"); ?> </span><?php echo gettext("in most cases, you'll want to use WAN here."); ?></span><br/></td>
+ <span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;<?php echo gettext("In most cases, you'll want to use WAN here."); ?></span><br/></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?php echo gettext("Description"); ?></td>
- <td width="78%" class="vtable"><input name="descr" type="text"
- class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/>
+ <td width="78%" class="vtable"><input name="descr" type="text"
+ class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/>
<span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference."); ?></span><br/></td>
</tr>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Alert Settings"); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Send alerts to main " .
- "System logs"); ?></td>
- <td width="78%" class="vtable"><input name="alertsystemlog"
- type="checkbox" value="on"
- <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?>
- onClick="enable_change(false)">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Send Alerts to System Logs"); ?></td>
+ <td width="78%" class="vtable"><input name="alertsystemlog" type="checkbox" value="on" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?>>
<?php echo gettext("Snort will send Alerts to the firewall's system logs."); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Block offenders"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Block Offenders"); ?></td>
<td width="78%" class="vtable">
<input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on"
<?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?>
@@ -295,14 +387,14 @@ include_once("head.inc");
"Snort alert."); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill states"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill States"); ?></td>
<td width="78%" class="vtable">
<input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>>
<?php echo gettext("Checking this option will kill firewall states for the blocked IP"); ?>
</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to block"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to Block"); ?></td>
<td width="78%" class="vtable">
<select name="blockoffendersip" class="formselect" id="blockoffendersip">
<?php
@@ -315,7 +407,8 @@ include_once("head.inc");
}
?>
</select>&nbsp;&nbsp;
- <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?>
+ <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?><br/>
+ <span class="red"><?php echo gettext("Hint:") . "</span>&nbsp;" . gettext("Choosing BOTH is suggested, and it is the default value."); ?></span><br/></td>
</td>
</tr>
<tr>
@@ -332,8 +425,8 @@ include_once("head.inc");
foreach ($interfaces2 as $iface2 => $ifacename2): ?>
<option value="<?=$iface2;?>"
<?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>>
- <?=htmlspecialchars($ifacename2);?></option>
- <?php endforeach; ?>
+ <?=htmlspecialchars($ifacename2);?></option>
+ <?php endforeach; ?>
</select>&nbsp;&nbsp;
<?php echo gettext("Choose a fast pattern matcher algorithm. ") . "<strong>" . gettext("Default") .
"</strong>" . gettext(" is ") . "<strong>" . gettext("AC-BNFA") . "</strong>"; ?>.<br/><br/>
@@ -471,17 +564,17 @@ include_once("head.inc");
id="btnWhitelist" title="<?php echo gettext("Click to view currently selected Whitelist contents"); ?>"/>
<br/>
<span class="vexpl"><?php echo gettext("Choose the whitelist you want this interface to " .
- "use."); ?> </span><br/>&nbsp;<br/><span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;<?php echo gettext("Default " .
- "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?><br/>
- <span class="red"><?php echo gettext("Note:"); ?></span>&nbsp;<?php echo gettext("This option will only be used when block offenders is on."); ?>
+ "use."); ?> </span><br/><br/>
+ <span class="red"><?php echo gettext("Note:"); ?></span>&nbsp;<?php echo gettext("This option will only be used when block offenders is on."); ?><br/>
+ <span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;<?php echo gettext("Default " .
+ "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?>
</td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering " .
- "file if desired."); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering file if desired."); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Suppression and filtering"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Suppression and Filtering"); ?></td>
<td width="78%" class="vtable">
<select name="suppresslistname" class="formselect" id="suppresslistname">
<?php
@@ -563,6 +656,9 @@ function enable_change(enable_change) {
document.iform.btnHomeNet.disabled=endis;
document.iform.btnWhitelist.disabled=endis;
document.iform.btnSuppressList.disabled=endis;
+ document.iform.fpm_split_any_any.disabled=endis;
+ document.iform.fpm_search_optimize.disabled=endis;
+ document.iform.fpm_no_stream_inserts.disabled=endis;
}
function wopen(url, name, w, h) {
@@ -592,6 +688,10 @@ function viewList(id, elemID, elemType) {
url = url + getSelectedValue(elemID) + "&type=" + elemType;
wopen(url, 'WhitelistViewer', 640, 480);
}
+
+enable_change(false);
+enable_blockoffenders();
+
//-->
</script>
<?php include("fend.inc"); ?>
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index 089255b6..b22a6934 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -58,7 +58,7 @@ $pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['s
if (empty($pconfig['snortloglimit']))
$pconfig['snortloglimit'] = 'on';
if (empty($pconfig['rule_update_starttime']))
- $pconfig['rule_update_starttime'] = '00:03';
+ $pconfig['rule_update_starttime'] = '00:30';
if ($_POST['rule_update_starttime']) {
if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime']))
@@ -71,15 +71,51 @@ if ($_POST['snortdownload'] == "on" && empty($_POST['oinkmastercode']))
if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code']))
$input_errors[] = "You must supply a subscription code in the box provided in order to enable Emerging Threats Pro rules!";
-/* if no errors move foward */
+/* if no errors move foward with save */
if (!$input_errors) {
if ($_POST["Submit"]) {
$config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'] ? 'on' : 'off';
- $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];
$config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off';
+
+ // If any rule sets are being turned off, then remove them
+ // from the active rules section of each interface. Start
+ // by building an arry of prefixes for the disabled rules.
+ $disabled_rules = array();
+ $disable_ips_policy = false;
+ if ($config['installedpackages']['snortglobal']['snortdownload'] == 'off') {
+ $disabled_rules[] = VRT_FILE_PREFIX;
+ $disable_ips_policy = true;
+ }
+ if ($config['installedpackages']['snortglobal']['snortcommunityrules'] == 'off')
+ $disabled_rules[] = GPL_FILE_PREFIX;
+ if ($config['installedpackages']['snortglobal']['emergingthreats'] == 'off')
+ $disabled_rules[] = ET_OPEN_FILE_PREFIX;
+ if ($config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'off')
+ $disabled_rules[] = ET_PRO_FILE_PREFIX;
+
+ // Now walk all the configured interface rulesets and remove
+ // any matching the disabled ruleset prefixes.
+ if (is_array($config['installedpackages']['snortglobal']['rule'])) {
+ foreach ($config['installedpackages']['snortglobal']['rule'] as &$iface) {
+ // Disable Snort IPS policy if VRT rules are disabled
+ if ($disable_ips_policy) {
+ $iface['ips_policy_enable'] = 'off';
+ unset($iface['ips_policy']);
+ }
+ $enabled_rules = explode("||", $iface['rulesets']);
+ foreach ($enabled_rules as $k => $v) {
+ foreach ($disabled_rules as $d)
+ if (strpos(trim($v), $d) !== false)
+ unset($enabled_rules[$k]);
+ }
+ $iface['rulesets'] = implode("||", $enabled_rules);
+ }
+ }
+
+ $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];
$config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code'];
$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];
@@ -122,7 +158,7 @@ if (!$input_errors) {
}
}
-$pgtitle = 'Services: Snort: Global Settings';
+$pgtitle = gettext("Snort: Global Settings");
include_once("head.inc");
?>
@@ -137,7 +173,7 @@ if($pfsense_stable == 'yes')
/* Display Alert message, under form tag or no refresh */
if ($input_errors)
- print_input_errors($input_errors); // TODO: add checks
+ print_input_errors($input_errors);
?>
@@ -162,11 +198,10 @@ if ($input_errors)
<div id="mainarea">
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The " .
- "Type Of Rules You Wish To Download"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The Type Of Rules You Wish To Download");?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort VRT%s rules"), '<strong>' , '</strong>'); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Snort VRT") . "</strong>" . gettext(" rules");?></td>
<td width="78%" class="vtable">
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
@@ -175,45 +210,44 @@ if ($input_errors)
<td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td>
<tr>
<td>&nbsp;</td>
- <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br>
+ <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br/>
<a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank">
<?php echo gettext("Sign Up for paid Sourcefire VRT Certified Subscriber Rules"); ?></a></td>
</tr>
+ </table>
+ <table id="snort_oink_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td colspan="2">&nbsp;</td>
</tr>
- </table>
- <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Snort VRT Oinkmaster Configuration"); ?></span></b></td>
</tr>
<tr>
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
<td><input name="oinkmastercode" type="text"
- class="formfld" id="oinkmastercode" size="52"
- value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"
- <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br>
+ class="formfld unknown" id="oinkmastercode" size="52"
+ value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br/>
<?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td>
</tr>
</table>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " .
- "rules"), '<strong>' , '</strong>'); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Snort Community") . "</strong>" . gettext(" rules");?></td>
<td width="78%" class="vtable">
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on"
- <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td>
- <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " .
- "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?>
- <br/><br/><?php printf(gettext("%sNote: %sIf you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the Snort VRT rules, and there is no benefit in adding this rule set."),'<span class="red"><strong>' ,'</strong></span>'); ?></span><br></td>
+ <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked";?> ></td>
+ <td class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " .
+ "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset.");?>
+ <br/><br/><?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
+ gettext("If you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the ") .
+ gettext("Snort VRT rules, and there is no benefit in adding this rule set.");?><br/></td>
</tr>
</table></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmerging Threats%s " .
- "rules"), '<strong>' , '</strong>'); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Emerging Threats") . "</strong>" . gettext(" rules");?></td>
<td width="78%" class="vtable">
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
@@ -236,20 +270,19 @@ if ($input_errors)
<td class="vexpl"><?php echo "<span class='red'><strong>" . gettext("Note:") . "</strong></span>" . "&nbsp;" .
gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?></td>
</tr>
+ </table>
+ <table id="etpro_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td colspan="2">&nbsp;</td>
</tr>
- </table>
- <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("ETPro Subscription Configuration"); ?></span></b></td>
</tr>
<tr>
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
<td><input name="etpro_code" type="text"
- class="formfld" id="etpro_code" size="52"
- value="<?=htmlspecialchars($pconfig['etpro_code']);?>"
- <?php if($pconfig['emergingthreats_pro']<>'on') echo 'disabled'; ?>><br>
+ class="formfld unknown" id="etpro_code" size="52"
+ value="<?=htmlspecialchars($pconfig['etpro_code']);?>"><br/>
<?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td>
</tr>
</table>
@@ -276,7 +309,7 @@ if ($input_errors)
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Update Start Time"); ?></td>
- <td width="78%" class="vtable"><input type="text" class="formfld" name="rule_update_starttime" id="rule_update_starttime" size="4"
+ <td width="78%" class="vtable"><input type="text" class="formfld time" name="rule_update_starttime" id="rule_update_starttime" size="4"
maxlength="5" value="<?=$pconfig['rule_update_starttime'];?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?>><span class="vexpl">&nbsp;&nbsp;
<?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" .
gettext("Default") . "&nbsp;</strong>" . gettext("is ") . "<strong>" . gettext("00:03") . "</strong></span>"; ?>.<br/><br/>
@@ -304,44 +337,42 @@ if ($input_errors)
<tr>
<td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="off"
<?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong>
- <?php echo gettext("directory size limit"); ?></span><br>
- <br>
+ <?php echo gettext("directory size limit"); ?></span><br/>
+ <br/>
<span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("Nanobsd " .
"should use no more than 10MB of space."); ?></td>
</tr>
</table>
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
- <td><span class="vexpl"><?php echo gettext("Size in"); ?> <strong>MB</strong></span></td>
- <td><input name="snortloglimitsize" type="text" class="formfld" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>">
- &nbsp;&nbsp;<?php printf(gettext("Default is %s20%%%s of available space."), '<strong>', '</strong>'); ?></td>
+ <td class="vexpl"><?php echo gettext("Size in ") . "<strong>" . gettext("MB:") . "</strong>";?>&nbsp;
+ <input name="snortloglimitsize" type="text" class="formfld unknown" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>">
+ &nbsp;<?php echo gettext("Default is ") . "<strong>" . gettext("20%") . "</strong>" . gettext(" of available space.");?></td>
</tr>
</table>
</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove blocked hosts " .
- "every"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Blocked Hosts Interval"); ?></td>
<td width="78%" class="vtable">
<select name="rm_blocked" class="formselect" id="rm_blocked">
<?php
- $interfaces3 = array('never_b' => gettext('NEVER'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS'));
+ $interfaces3 = array('never_b' => gettext('NEVER'), '15m_b' => gettext('15 MINS'), '30m_b' => gettext('30 MINS'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS'));
foreach ($interfaces3 as $iface3 => $ifacename3): ?>
<option value="<?=$iface3;?>"
<?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>>
<?=htmlspecialchars($ifacename3);?></option>
<?php endforeach; ?>
- </select>&nbsp;&nbsp;
- <?php echo gettext("Please select the amount of time you would like hosts to be blocked for."); ?><br/><br/>
- <?php printf(gettext("%sHint:%s in most cases, 1 hour is a good choice."), '<span class="red"><strong>', '</strong></span>'); ?></td>
+ </select>&nbsp;
+ <?php echo gettext("Please select the amount of time you would like hosts to be blocked."); ?><br/><br/>
+ <?php echo "<span class=\"red\"><strong>" . gettext("Hint:") . "</strong></span>" . gettext(" in most cases, 1 hour is a good choice.");?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep snort settings " .
- "after deinstall"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Snort Settings After Deinstall"); ?></td>
<td width="78%" class="vtable"><input name="forcekeepsettings"
id="forcekeepsettings" type="checkbox" value="yes"
<?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?>
- >&nbsp;&nbsp;<?php echo gettext("Settings will not be removed during deinstall."); ?></td>
+ >&nbsp;&nbsp;<?php echo gettext("Settings will not be removed during package deinstallation."); ?></td>
</tr>
<tr>
<td width="22%" valign="top">
@@ -351,10 +382,8 @@ if ($input_errors)
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
- <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?><br>
- </strong></span> <?php echo gettext("Changing any settings on this page will affect all " .
- "interfaces. Double check that your oink code is correct, and verify the " .
- "type of Snort.org account you hold."); ?></span></td>
+ <td width="78%" class="vexpl"><span class="red"><strong><?php echo gettext("Note:");?></strong>&nbsp;
+ </span><?php echo gettext("Changing any settings on this page will affect all Snort-configured interfaces.");?></td>
</tr>
</table>
</div><br/>
@@ -367,15 +396,17 @@ if ($input_errors)
<!--
function enable_snort_vrt() {
var endis = !(document.iform.snortdownload.checked);
- document.iform.oinkmastercode.disabled = endis;
- document.iform.etpro_code.disabled = endis;
+ if (endis)
+ document.getElementById("snort_oink_code_tbl").style.display = "none";
+ else
+ document.getElementById("snort_oink_code_tbl").style.display = "table";
}
function enable_et_rules() {
var endis = document.iform.emergingthreats.checked;
if (endis) {
document.iform.emergingthreats_pro.checked = !(endis);
- document.iform.etpro_code.disabled = "true";
+ document.getElementById("etpro_code_tbl").style.display = "none";
}
}
@@ -384,9 +415,12 @@ function enable_etpro_rules() {
if (endis) {
document.iform.emergingthreats.checked = !(endis);
document.iform.etpro_code.disabled = "";
+ document.getElementById("etpro_code_tbl").style.display = "table";
}
- else
+ else {
document.iform.etpro_code.disabled = "true";
+ document.getElementById("etpro_code_tbl").style.display = "none";
+ }
}
function enable_change_rules_upd() {
@@ -396,6 +430,12 @@ function enable_change_rules_upd() {
document.iform.rule_update_starttime.disabled="";
}
+// Initialize the form controls state based on saved settings
+enable_snort_vrt();
+enable_et_rules();
+enable_etpro_rules();
+enable_change_rules_upd();
+
//-->
</script>
diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php
index 7eed6dd3..e42b7f8c 100644
--- a/config/snort/snort_interfaces_suppress.php
+++ b/config/snort/snort_interfaces_suppress.php
@@ -84,7 +84,7 @@ if ($_GET['act'] == "del") {
}
}
-$pgtitle = "Services: Snort: Suppression";
+$pgtitle = gettext("Snort: Suppression Lists");
include_once("head.inc");
?>
diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php
index 1eb16260..3d703987 100644
--- a/config/snort/snort_interfaces_suppress_edit.php
+++ b/config/snort/snort_interfaces_suppress_edit.php
@@ -126,7 +126,7 @@ if ($_POST['submit']) {
}
}
-$pgtitle = "Services: Snort: Suppression: Edit";
+$pgtitle = gettext("Snort: Suppression List Edit - {$a_suppress[$id]['name']}");
include_once("head.inc");
?>
@@ -166,7 +166,7 @@ if ($savemsg)
<tr>
<td width="22%" valign="top" class="vncellreq"><?php echo gettext("Name"); ?></td>
<td width="78%" class="vtable"><input name="name" type="text" id="name"
- class="formfld unkown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br />
+ class="formfld unknown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br />
<span class="vexpl"> <?php echo gettext("The list name may only consist of the " .
"characters \"a-z, A-Z, 0-9 and _\"."); ?>&nbsp;&nbsp;<span class="red"><?php echo gettext("Note:"); ?> </span>
<?php echo gettext("No Spaces or dashes."); ?> </span></td>
@@ -174,7 +174,7 @@ if ($savemsg)
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td>
<td width="78%" class="vtable"><input name="descr" type="text"
- class="formfld unkown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br />
+ class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br />
<span class="vexpl"> <?php echo gettext("You may enter a description here for your " .
"reference (not parsed)."); ?> </span></td>
</tr>
diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php
index ab22103e..9391eb85 100644
--- a/config/snort/snort_interfaces_whitelist.php
+++ b/config/snort/snort_interfaces_whitelist.php
@@ -61,7 +61,7 @@ if ($_GET['act'] == "del") {
}
}
-$pgtitle = "Services: Snort: Whitelist";
+$pgtitle = gettext("Snort: Whitelists");
include_once("head.inc");
?>
diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php
index 671fa4e5..9fb97be1 100644
--- a/config/snort/snort_interfaces_whitelist_edit.php
+++ b/config/snort/snort_interfaces_whitelist_edit.php
@@ -38,6 +38,11 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
+if ($_POST['cancel']) {
+ header("Location: /snort/snort_interfaces_whitelist.php");
+ exit;
+}
+
if (!is_array($config['installedpackages']['snortglobal']['whitelist']))
$config['installedpackages']['snortglobal']['whitelist'] = array();
if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
@@ -88,6 +93,12 @@ if (isset($id) && $a_whitelist[$id]) {
$pconfig['vpnips'] = $a_whitelist[$id]['vpnips'];
}
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ if ($_GET['varname'] == "address" && !empty($_GET['varvalue']))
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+}
+
if ($_POST['submit']) {
conf_mount_rw();
@@ -118,7 +129,7 @@ if ($_POST['submit']) {
if ($_POST['address'])
if (!is_alias($_POST['address']))
- $input_errors[] = gettext("A valid alias need to be provided");
+ $input_errors[] = gettext("A valid alias must be provided");
if (!$input_errors) {
$w_list = array();
@@ -151,7 +162,7 @@ if ($_POST['submit']) {
}
}
-$pgtitle = "Services: Snort: Whitelist: Edit $whitelist_uuid";
+$pgtitle = gettext("Snort: Whitelist Edit - {$a_whitelist[$id]['name']}");
include_once("head.inc");
?>
@@ -193,7 +204,7 @@ if ($savemsg)
</tr>
<tr>
<td valign="top" class="vncellreq"><?php echo gettext("Name"); ?></td>
- <td class="vtable"><input name="name" type="text" id="name"
+ <td class="vtable"><input name="name" type="text" id="name" class="formfld unknown"
size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br />
<span class="vexpl"> <?php echo gettext("The list name may only consist of the " .
"characters \"a-z, A-Z, 0-9 and _\"."); ?>&nbsp;&nbsp;<span class="red"><?php echo gettext("Note:"); ?> </span>
@@ -201,7 +212,7 @@ if ($savemsg)
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td>
- <td width="78%" class="vtable"><input name="descr" type="text"
+ <td width="78%" class="vtable"><input name="descr" type="text" class="formfld unknown"
id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br />
<span class="vexpl"> <?php echo gettext("You may enter a description here for your " .
"reference (not parsed)."); ?> </span></td>
@@ -261,14 +272,17 @@ if ($savemsg)
<div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div>
</td>
<td width="78%" class="vtable">
- <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" title="<?=trim(filter_expand_alias($pconfig['address']));?>"/>
+ <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>"
+ title="<?=trim(filter_expand_alias($pconfig['address']));?>" />
+ &nbsp;&nbsp;&nbsp;&nbsp;<input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=0&type=host|network&varname=address&act=import&multi_ip=yes'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/>
</td>
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
<input id="submit" name="submit" type="submit" class="formbtn" value="Save" />
- <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" value="Cancel" onclick="history.back()" />
+ <input id="cancel" name="cancel" type="submit" class="formbtn" value="Cancel" />
<input name="id" type="hidden" value="<?=$id;?>" />
</td>
</tr>
@@ -287,7 +301,7 @@ if ($savemsg)
foreach($config['aliases']['alias'] as $alias_name) {
if ($alias_name['type'] != "host" && $alias_name['type'] != "network")
continue;
- // Skip any Alias that resolves to an empty string
+ // Skip any Aliases that resolve to an empty string
if (trim(filter_expand_alias($alias_name['name'])) == "")
continue;
if($addrisfirst == 1) $aliasesaddr .= ",";
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
new file mode 100644
index 00000000..35dd3847
--- /dev/null
+++ b/config/snort/snort_migrate_config.php
@@ -0,0 +1,298 @@
+<?php
+/*
+ * snort_migrate_config.inc
+ *
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009-2010 Robert Zelaya
+ * Copyright (C) 2011-2012 Ermal Luci
+ * part of pfSense
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("config.inc");
+require_once("functions.inc");
+
+/****************************************************************************/
+/* The code in this module is called once during the post-install process */
+/* via an "include" line. It is used to perform a one-time migration of */
+/* Snort preprocessor configuration parameters into the new format used */
+/* by the multi-engine config feature. Configuration parameters for the */
+/* multiple configuration engines of some preprocessors are stored as */
+/* array values within the "config.xml" file in the [snortglobals] section. */
+/****************************************************************************/
+
+global $config;
+
+if (!is_array($config['installedpackages']['snortglobal']))
+ $config['installedpackages']['snortglobal'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+
+// Just exit if this is a clean install with no saved settings
+if (empty($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+$rule = &$config['installedpackages']['snortglobal']['rule'];
+
+/****************************************************************************/
+/* Loop through all the <rule> elements in the Snort configuration and */
+/* migrate the relevant preprocessor parameters to the new format. */
+/****************************************************************************/
+
+$updated_cfg = false;
+log_error("[Snort] Checking configuration settings version...");
+
+// Check the configuration version to see if XMLRPC Sync should
+// auto-disabled as part of the upgrade due to config format changes.
+if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) &&
+ ($config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'auto' ||
+ $config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'manual')) {
+ $config['installedpackages']['snortsync']['config']['varsynconchanges'] = "disabled";
+ log_error("[Snort] Turning off Snort Sync on this host due to configuration format changes in this update. Upgrade all Snort Sync targets to this same Snort package version before re-enabling Snort Sync.");
+ $updated_cfg = true;
+}
+
+foreach ($rule as &$r) {
+ // Initialize arrays for supported preprocessors if necessary
+ if (!is_array($r['frag3_engine']['item']))
+ $r['frag3_engine']['item'] = array();
+ if (!is_array($r['stream5_tcp_engine']['item']))
+ $r['stream5_tcp_engine']['item'] = array();
+ if (!is_array($r['http_inspect_engine']['item']))
+ $r['http_inspect_engine']['item'] = array();
+ if (!is_array($r['ftp_client_engine']['item']))
+ $r['ftp_client_engine']['item'] = array();
+ if (!is_array($r['ftp_server_engine']['item']))
+ $r['ftp_server_engine']['item'] = array();
+
+ $pconfig = array();
+ $pconfig = $r;
+
+ // Create a default "frag3_engine" if none are configured
+ if (empty($pconfig['frag3_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating Frag3 Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+
+ // Ensure sensible default values exist for global Frag3 parameters
+ if (empty($pconfig['frag3_max_frags']))
+ $pconfig['frag3_max_frags'] = '8192';
+ if (empty($pconfig['frag3_memcap']))
+ $pconfig['frag3_memcap'] = '4194304';
+ if (empty($pconfig['frag3_detection']))
+ $pconfig['frag3_detection'] = 'on';
+
+ // Put any old values in new default engine and remove old value
+ if (isset($pconfig['frag3_policy']))
+ $default['policy'] = $pconfig['frag3_policy'];
+ unset($pconfig['frag3_policy']);
+ if (isset($pconfig['frag3_timeout']) && is_numeric($pconfig['frag3_timeout']))
+ $default['timeout'] = $pconfig['frag3_timeout'];
+ unset($pconfig['frag3_timeout']);
+ if (isset($pconfig['frag3_overlap_limit']) && is_numeric($pconfig['frag3_overlap_limit']))
+ $default['overlap_limit'] = $pconfig['frag3_overlap_limit'];
+ unset($pconfig['frag3_overlap_limit']);
+ if (isset($pconfig['frag3_min_frag_len']) && is_numeric($pconfig['frag3_min_frag_len']))
+ $default['min_frag_len'] = $pconfig['frag3_min_frag_len'];
+ unset($pconfig['frag3_min_frag_len']);
+
+ $pconfig['frag3_engine']['item'] = array();
+ $pconfig['frag3_engine']['item'][] = $default;
+ }
+
+ // Create a default Stream5 engine array if none are configured
+ if (empty($pconfig['stream5_tcp_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating Stream5 Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off",
+ "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+
+ // Ensure sensible defaults exist for Stream5 global parameters
+ if (empty($pconfig['stream5_reassembly']))
+ $pconfig['stream5_reassembly'] = 'on';
+ if (empty($pconfig['stream5_flush_on_alert']))
+ $pconfig['stream5_flush_on_alert'] = 'off';
+ if (empty($pconfig['stream5_prune_log_max']))
+ $pconfig['stream5_prune_log_max'] = '1048576';
+ if (empty($pconfig['stream5_track_tcp']))
+ $pconfig['stream5_track_tcp'] = 'on';
+ if (empty($pconfig['stream5_max_tcp']))
+ $pconfig['stream5_max_tcp'] = '262144';
+ if (empty($pconfig['stream5_track_udp']))
+ $pconfig['stream5_track_udp'] = 'on';
+ if (empty($pconfig['stream5_max_udp']))
+ $pconfig['stream5_max_udp'] = '131072';
+ if (empty($pconfig['stream5_udp_timeout']))
+ $pconfig['stream5_udp_timeout'] = '30';
+ if (empty($pconfig['stream5_track_icmp']))
+ $pconfig['stream5_track_icmp'] = 'off';
+ if (empty($pconfig['stream5_max_icmp']))
+ $pconfig['stream5_max_icmp'] = '65536';
+ if (empty($pconfig['stream5_icmp_timeout']))
+ $pconfig['stream5_icmp_timeout'] = '30';
+ if (empty($pconfig['stream5_mem_cap']))
+ $pconfig['stream5_mem_cap']= '8388608';
+
+ // Put any old values in new default engine and remove old value
+ if (isset($pconfig['stream5_policy']))
+ $default['policy'] = $pconfig['stream5_policy'];
+ unset($pconfig['stream5_policy']);
+ if (isset($pconfig['stream5_tcp_timeout']) && is_numeric($pconfig['stream5_tcp_timeout']))
+ $default['timeout'] = $pconfig['stream5_tcp_timeout'];
+ unset($pconfig['stream5_tcp_timeout']);
+ if (isset($pconfig['stream5_overlap_limit']) && is_numeric($pconfig['stream5_overlap_limit']))
+ $default['overlap_limit'] = $pconfig['stream5_overlap_limit'];
+ unset($pconfig['stream5_overlap_limit']);
+ if (isset($pconfig['stream5_require_3whs']))
+ $default['require_3whs'] = $pconfig['stream5_require_3whs'];
+ unset($pconfig['stream5_require_3whs']);
+ if (isset($pconfig['stream5_no_reassemble_async']))
+ $default['no_reassemble_async'] = $pconfig['stream5_no_reassemble_async'];
+ unset($pconfig['stream5_no_reassemble_async']);
+ if (isset($pconfig['stream5_dont_store_lg_pkts']))
+ $default['dont_store_lg_pkts'] = $pconfig['stream5_dont_store_lg_pkts'];
+ unset($pconfig['stream5_dont_store_lg_pkts']);
+ if (isset($pconfig['max_queued_bytes']) && is_numeric($pconfig['max_queued_bytes']))
+ $default['max_queued_bytes'] = $pconfig['max_queued_bytes'];
+ unset($pconfig['max_queued_bytes']);
+ if (isset($pconfig['max_queued_segs']) && is_numeric($pconfig['max_queued_segs']))
+ $default['max_queued_segs'] = $pconfig['max_queued_segs'];
+ unset($pconfig['max_queued_segs']);
+
+ $pconfig['stream5_tcp_engine']['item'] = array();
+ $pconfig['stream5_tcp_engine']['item'][] = $default;
+ }
+
+ // Create a default HTTP_INSPECT engine if none are configured
+ if (empty($pconfig['http_inspect_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating HTTP_Inspect Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
+ "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
+ "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+
+ // Ensure sensible default values exist for global HTTP_INSPECT parameters
+ if (empty($pconfig['http_inspect']))
+ $pconfig['http_inspect'] = "on";
+ if (empty($pconfig['http_inspect_proxy_alert']))
+ $pconfig['http_inspect_proxy_alert'] = "off";
+ if (empty($pconfig['http_inspect_memcap']))
+ $pconfig['http_inspect_memcap'] = "150994944";
+ if (empty($pconfig['http_inspect_max_gzip_mem']))
+ $pconfig['http_inspect_max_gzip_mem'] = "838860";
+
+ // Put any old values in new default engine and remove old value
+ if (isset($pconfig['server_flow_depth']) && is_numeric($pconfig['server_flow_depth']))
+ $default['server_flow_depth'] = $pconfig['server_flow_depth'];
+ unset($pconfig['server_flow_depth']);
+ if (isset($pconfig['client_flow_depth']) & is_numeric($pconfig['client_flow_depth']))
+ $default['client_flow_depth'] = $pconfig['client_flow_depth'];
+ unset($pconfig['client_flow_depth']);
+ if (isset($pconfig['http_server_profile']))
+ $default['server_profile'] = $pconfig['http_server_profile'];
+ unset($pconfig['http_server_profile']);
+ if (isset($pconfig['http_inspect_enable_xff']))
+ $default['enable_xff'] = $pconfig['http_inspect_enable_xff'];
+ unset($pconfig['http_inspect_enable_xff']);
+ if (isset($pconfig['http_inspect_log_uri']))
+ $default['log_uri'] = $pconfig['http_inspect_log_uri'];
+ unset($pconfig['http_inspect_log_uri']);
+ if (isset($pconfig['http_inspect_log_hostname']))
+ $default['log_hostname'] = $pconfig['http_inspect_log_hostname'];
+ unset($pconfig['http_inspect_log_hostname']);
+ if (isset($pconfig['noalert_http_inspect']))
+ $default['no_alerts'] = $pconfig['noalert_http_inspect'];
+ unset($pconfig['noalert_http_inspect']);
+
+ $pconfig['http_inspect_engine']['item'] = array();
+ $pconfig['http_inspect_engine']['item'][] = $default;
+ }
+
+ // Create a default FTP_CLIENT engine if none are configured
+ if (empty($pconfig['ftp_client_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating FTP Client Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ // Set defaults for new FTP_Telnet preprocessor configurable parameters
+ if (empty($pconfig['ftp_telnet_inspection_type']))
+ $pconfig['ftp_telnet_inspection_type'] = 'stateful';
+ if (empty($pconfig['ftp_telnet_alert_encrypted']))
+ $pconfig['ftp_telnet_alert_encrypted'] = 'off';
+ if (empty($pconfig['ftp_telnet_check_encrypted']))
+ $pconfig['ftp_telnet_check_encrypted'] = 'on';
+ if (empty($pconfig['ftp_telnet_normalize']))
+ $pconfig['ftp_telnet_normalize'] = 'on';
+ if (empty($pconfig['ftp_telnet_detect_anomalies']))
+ $pconfig['ftp_telnet_detect_anomalies'] = 'on';
+ if (empty($pconfig['ftp_telnet_ayt_attack_threshold']))
+ $pconfig['ftp_telnet_ayt_attack_threshold'] = '20';
+
+ // Add new FTP_Telnet Client default engine
+ $pconfig['ftp_client_engine']['item'] = array();
+ $pconfig['ftp_client_engine']['item'][] = $default;
+ }
+
+ // Create a default FTP_SERVER engine if none are configured
+ if (empty($pconfig['ftp_server_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating FTP Server Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ // Add new FTP_Telnet Server default engine
+ $pconfig['ftp_server_engine']['item'] = array();
+ $pconfig['ftp_server_engine']['item'][] = $default;
+ }
+
+ // Save the new configuration data into the $config array pointer
+ $r = $pconfig;
+}
+// Release reference to final array element
+unset($r);
+
+// Write out the new configuration to disk if we changed anything
+if ($updated_cfg) {
+ $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.0";
+ log_error("[Snort] Saving configuration settings in new format...");
+ write_config();
+ log_error("[Snort] Settings successfully migrated to new configuration format...");
+}
+else
+ log_error("[Snort] Configuration version is current...");
+
+?>
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
new file mode 100644
index 00000000..2ef0bde9
--- /dev/null
+++ b/config/snort/snort_post_install.php
@@ -0,0 +1,1451 @@
+<?php
+/*
+ * snort_post_install.php
+ *
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009-2010 Robert Zelaya
+ * Copyright (C) 2011-2012 Ermal Luci
+ * part of pfSense
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/****************************************************************************/
+/* This module is called once during the Snort package installation to */
+/* perform required post-installation setup. It should only be executed */
+/* from the Package Manager process via the custom-post-install hook in */
+/* the snort.xml package configuration file. */
+/****************************************************************************/
+
+require_once("config.inc");
+require_once("functions.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include;
+
+$snortdir = SNORTDIR;
+$snortlibdir = SNORTLIBDIR;
+$rcdir = RCFILEPREFIX;
+
+// This is a hack to workaround the caching of the old "snort.inc" by the
+// Package Manager installation code. We need this new function which is
+// in the new snort.inc file during post-installation.
+if (!function_exists('snort_expand_port_range')) {
+ function snort_expand_port_range($ports, $delim = ',') {
+ // Split the incoming string on the specified delimiter
+ $tmp = explode($delim, $ports);
+
+ // Look for any included port range and expand it
+ foreach ($tmp as $val) {
+ if (is_portrange($val)) {
+ $start = strtok($val, ":");
+ $end = strtok(":");
+ if ($end !== false) {
+ $val = $start . $delim;
+ for ($i = intval($start) + 1; $i < intval($end); $i++)
+ $val .= strval($i) . $delim;
+ $val .= $end;
+ }
+ }
+ $value .= $val . $delim;
+ }
+
+ // Remove any trailing delimiter in return value
+ return trim($value, $delim);
+ }
+}
+
+// This function mirrors the "snort_generate_conf()" function in the
+// "snort.inc" file. It is here with a modified name as a workaround
+// so that functionality built into the new package version can be
+// implemented during installation. During a package reinstall, the
+// Package Manager will cache the old version of "snort.inc" and thus
+// new features are not available from the new "snort.inc" file in the
+// new package.
+function snort_build_new_conf($snortcfg) {
+
+ global $config, $g, $rebuild_rules;
+
+ $snortdir = SNORTDIR;
+ $snortlibdir = SNORTLIBDIR;
+ $snortlogdir = SNORTLOGDIR;
+ $flowbit_rules_file = FLOWBITS_FILENAME;
+ $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME;
+
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ /* See if we should protect and not modify the preprocessor rules files */
+ if (!empty($snortcfg['protect_preproc_rules']))
+ $protect_preproc_rules = $snortcfg['protect_preproc_rules'];
+ else
+ $protect_preproc_rules = "off";
+
+ $if_real = snort_get_real_interface($snortcfg['interface']);
+ $snort_uuid = $snortcfg['uuid'];
+ $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
+
+ /* custom home nets */
+ $home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']);
+ $home_net = implode(",", $home_net_list);
+
+ $external_net = '!$HOME_NET';
+ if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') {
+ $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']);
+ $external_net = implode(",", $external_net_list);
+ }
+
+ /* user added arguments */
+ $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru']));
+ // Remove the trailing newline
+ $snort_config_pass_thru = rtrim($snort_config_pass_thru);
+
+ /* create a few directories and ensure the sample files are in place */
+ $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules",
+ "{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
+ "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
+ "{$snortcfgdir}/preproc_rules",
+ "dynamicrules" => "{$snortlibdir}/dynamicrules",
+ "dynamicengine" => "{$snortlibdir}/dynamicengine",
+ "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
+ );
+ foreach ($snort_dirs as $dir) {
+ if (!is_dir($dir))
+ safe_mkdir($dir);
+ }
+
+ /********************************************************************/
+ /* For fail-safe on an initial startup following installation, and */
+ /* before a rules update has occurred, copy the default config */
+ /* files to the interface directory. If files already exist in */
+ /* the interface directory, or they are newer, that means a rule */
+ /* update has been done and we should leave the customized files */
+ /* put in place by the rules update process. */
+ /********************************************************************/
+ $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd",
+ "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules",
+ "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules"
+ );
+ foreach ($snort_files as $file) {
+ if (file_exists("{$snortdir}/{$file}")) {
+ $ftime = filemtime("{$snortdir}/{$file}");
+ if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}")))
+ @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}");
+ }
+ }
+
+ /* define alertsystemlog */
+ $alertsystemlog_type = "";
+ if ($snortcfg['alertsystemlog'] == "on")
+ $alertsystemlog_type = "output alert_syslog: log_alert";
+
+ /* define snortunifiedlog */
+ $snortunifiedlog_type = "";
+ if ($snortcfg['snortunifiedlog'] == "on")
+ $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128";
+
+ /* define spoink */
+ $spoink_type = "";
+ if ($snortcfg['blockoffenders7'] == "on") {
+ $pfkill = "";
+ if ($snortcfg['blockoffenderskill'] == "on")
+ $pfkill = "kill";
+ $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true);
+ /* write whitelist */
+ @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist));
+ $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}";
+ }
+
+ /* define selected suppress file */
+ $suppress_file_name = "";
+ $suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress');
+ if (!empty($suppress)) {
+ $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru']));
+ @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data);
+ $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}";
+ }
+
+ /* set the snort performance model */
+ $snort_performance = "ac-bnfa";
+ if(!empty($snortcfg['performance']))
+ $snort_performance = $snortcfg['performance'];
+
+ /* if user has defined a custom ssh port, use it */
+ if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']))
+ $ssh_port = $config['system']['ssh']['port'];
+ else
+ $ssh_port = "22";
+
+ /* Define an array of default values for the various preprocessor ports */
+ $snort_ports = array(
+ "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691",
+ "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712",
+ "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23",
+ "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port,
+ "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143",
+ "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79",
+ "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
+ "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
+ "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920",
+ "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80",
+ "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
+ "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
+ "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
+ "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
+ "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502",
+ "GTP_PORTS" => "2123,2152,3386"
+ );
+
+ /* Check for defined Aliases that may override default port settings as we build the portvars array */
+ $portvardef = "";
+ foreach ($snort_ports as $alias => $avalue) {
+ if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
+ $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"]));
+ $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias]));
+ $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
+ }
+
+ /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */
+ $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n";
+ $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n";
+ $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n";
+ $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n";
+ $stream5_ports_client .= "\t 32778 32779";
+ $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n";
+ $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n";
+ $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n";
+ $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n";
+ $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n";
+ $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n";
+ $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n";
+ $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n";
+ $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n";
+ $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n";
+ $stream5_ports_both .= "\t 55555 56712";
+
+ /////////////////////////////
+ /* preprocessor code */
+ /* def perform_stat */
+ $perform_stat = <<<EOD
+# Performance Statistics #
+preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000
+
+EOD;
+
+ /* def ftp_preprocessor */
+ $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports']));
+ $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports']));
+
+ // Configure FTP_Telnet global options
+ $ftp_telnet_globals = "inspection_type ";
+ if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; }
+ if ($snortcfg['ftp_telnet_alert_encrypted'] == "on")
+ $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes";
+ else
+ $ftp_telnet_globals .= " \\\n\tencrypted_traffic no";
+ if ($snortcfg['ftp_telnet_check_encrypted'] == "on")
+ $ftp_telnet_globals .= " \\\n\tcheck_encrypted";
+
+ // Configure FTP_Telnet Telnet protocol options
+ $ftp_telnet_protocol = "ports { {$telnet_ports} }";
+ if ($snortcfg['ftp_telnet_normalize'] == "on")
+ $ftp_telnet_protocol .= " \\\n\tnormalize";
+ if ($snortcfg['ftp_telnet_detect_anomalies'] == "on")
+ $ftp_telnet_protocol .= " \\\n\tdetect_anomalies";
+ if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') {
+ $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh ";
+ if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "")
+ $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold'];
+ else
+ $ftp_telnet_protocol .= "20";
+ }
+
+ // Setup the standard FTP commands used for all FTP Server engines
+ $ftp_cmds = <<<EOD
+ ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
+ ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
+ ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
+ ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
+ ftp_cmds { FEAT CEL CMD MACB } \
+ ftp_cmds { MDTM REST SIZE MLST MLSD } \
+ ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
+ alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
+ alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
+ alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
+ alt_max_param_len 256 { RNTO CWD } \
+ alt_max_param_len 400 { PORT } \
+ alt_max_param_len 512 { SIZE } \
+ chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
+ chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
+ chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
+ chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
+ chk_str_fmt { FEAT CEL CMD } \
+ chk_str_fmt { MDTM REST SIZE MLST MLSD } \
+ chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
+ cmd_validity MODE < char ASBCZ > \
+ cmd_validity STRU < char FRP > \
+ cmd_validity ALLO < int [ char R int ] > \
+ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
+ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+ cmd_validity PORT < host_port >
+
+EOD;
+
+ // Configure all the FTP_Telnet FTP protocol options
+ // Iterate and configure the FTP Client engines
+ $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ if (!is_array($snortcfg['ftp_client_engine']['item']))
+ $snortcfg['ftp_client_engine']['item'] = array();
+
+ // If no FTP client engine is configured, use the default
+ // to keep from breaking Snort.
+ if (empty($snortcfg['ftp_client_engine']['item']))
+ $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine;
+ $ftp_client_engine = "";
+
+ foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor ftp_telnet_protocol: ftp client ";
+ if ($v['name'] == "default" && $v['bind_to'] == "all")
+ $buffer .= "default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "{$tmp} \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+
+ if ($v['max_resp_len'] == "")
+ $buffer .= "\tmax_resp_len 256 \\\n";
+ else
+ $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n";
+
+ $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n";
+ $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n";
+
+ if ($v['bounce'] == "yes") {
+ if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) {
+ $net = trim(filter_expand_alias($v['bounce_to_net']));
+ $port = trim(filter_expand_alias($v['bounce_to_port']));
+ if (!empty($net) && !empty($port) &&
+ snort_is_single_addr_alias($v['bounce_to_net']) &&
+ (is_port($port) || is_portrange($port))) {
+ $port = preg_replace('/\s+/', ',', $port);
+ // Change port range delimiter to comma for ftp_telnet client preprocessor
+ if (is_portrange($port))
+ $port = str_replace(":", ",", $port);
+ $buffer .= "\tbounce yes \\\n";
+ $buffer .= "\tbounce_to { {$net},{$port} }\n";
+ }
+ else {
+ // One or both of the BOUNCE_TO alias values is not right,
+ // so figure out which and log an appropriate error.
+ if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net']))
+ log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine.");
+ if (empty($port) || !(is_port($port) || is_portrange($port)))
+ log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine.");
+ $buffer .= "\tbounce yes\n";
+ }
+ }
+ else
+ $buffer .= "\tbounce yes\n";
+ }
+ else
+ $buffer .= "\tbounce no\n";
+
+ // Add this FTP client engine to the master string
+ $ftp_client_engine .= "{$buffer}\n";
+ }
+ // Trim final trailing newline
+ rtrim($ftp_client_engine);
+
+ // Iterate and configure the FTP Server engines
+ $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ if (!is_array($snortcfg['ftp_server_engine']['item']))
+ $snortcfg['ftp_server_engine']['item'] = array();
+
+ // If no FTP server engine is configured, use the default
+ // to keep from breaking Snort.
+ if (empty($snortcfg['ftp_server_engine']['item']))
+ $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine;
+ $ftp_server_engine = "";
+
+ foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor ftp_telnet_protocol: ftp server ";
+ if ($v['name'] == "default" && $v['bind_to'] == "all")
+ $buffer .= "default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "{$tmp} \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+
+ if ($v['def_max_param_len'] == "")
+ $buffer .= "\tdef_max_param_len 100 \\\n";
+ elseif ($v['def_max_param_len'] <> '0')
+ $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n";
+
+ if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports']))
+ $buffer .= "\tports { {$ftp_ports} } \\\n";
+ elseif (is_alias($v['ports'])) {
+ $tmp = trim(filter_expand_alias($v['ports']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $tmp = snort_expand_port_range($tmp, ' ');
+ $buffer .= "\tports { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults.");
+ $buffer .= "\tports { {$ftp_ports} } \\\n";
+ }
+ }
+
+ $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n";
+ $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n";
+ if ($v['ignore_data_chan'] == "yes")
+ $buffer .= "\tignore_data_chan yes \\\n";
+ $buffer .= "{$ftp_cmds}\n";
+
+ // Add this FTP server engine to the master string
+ $ftp_server_engine .= $buffer;
+ }
+ // Remove trailing newlines
+ rtrim($ftp_server_engine);
+
+ $ftp_preprocessor = <<<EOD
+# ftp_telnet preprocessor #
+preprocessor ftp_telnet: global \
+ {$ftp_telnet_globals}
+
+preprocessor ftp_telnet_protocol: telnet \
+ {$ftp_telnet_protocol}
+
+{$ftp_server_engine}
+{$ftp_client_engine}
+EOD;
+
+ $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports']));
+ $pop_preproc = <<<EOD
+# POP preprocessor #
+preprocessor pop: \
+ ports { {$pop_ports} } \
+ memcap 1310700 \
+ qp_decode_depth 0 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 0
+
+EOD;
+
+ $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports']));
+ $imap_preproc = <<<EOD
+# IMAP preprocessor #
+preprocessor imap: \
+ ports { {$imap_ports} } \
+ memcap 1310700 \
+ qp_decode_depth 0 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 0
+
+EOD;
+
+ $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports']));
+ /* def smtp_preprocessor */
+ $smtp_preprocessor = <<<EOD
+# SMTP preprocessor #
+preprocessor SMTP: \
+ ports { {$smtp_ports} } \
+ inspection_type stateful \
+ normalize cmds \
+ ignore_tls_data \
+ valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \
+ NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \
+ STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \
+ XQUEU XSTA XTRN XUSR } \
+ normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \
+ IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \
+ ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \
+ XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ max_header_line_len 1000 \
+ max_response_line_len 512 \
+ alt_max_command_line_len 260 { MAIL } \
+ alt_max_command_line_len 300 { RCPT } \
+ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
+ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
+ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
+ alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
+ alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ xlink2state { enable } \
+ log_mailfrom \
+ log_rcptto \
+ log_email_hdrs \
+ email_hdrs_log_depth 1464 \
+ log_filename \
+ qp_decode_depth 0 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
+
+EOD;
+
+ /* def sf_portscan */
+ $sf_pscan_protocol = "all";
+ if (!empty($snortcfg['pscan_protocol']))
+ $sf_pscan_protocol = $snortcfg['pscan_protocol'];
+ $sf_pscan_type = "all";
+ if (!empty($snortcfg['pscan_type']))
+ $sf_pscan_type = $snortcfg['pscan_type'];
+ $sf_pscan_memcap = "10000000";
+ if (!empty($snortcfg['pscan_memcap']))
+ $sf_pscan_memcap = $snortcfg['pscan_memcap'];
+ $sf_pscan_sense_level = "medium";
+ if (!empty($snortcfg['pscan_sense_level']))
+ $sf_pscan_sense_level = $snortcfg['pscan_sense_level'];
+ $sf_pscan_ignore_scanners = "\$HOME_NET";
+ if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) {
+ $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners']));
+ $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners));
+ }
+
+ $sf_portscan = <<<EOD
+# sf Portscan #
+preprocessor sfportscan: \
+ scan_type { {$sf_pscan_type} } \
+ proto { {$sf_pscan_protocol} } \
+ memcap { {$sf_pscan_memcap} } \
+ sense_level { {$sf_pscan_sense_level} } \
+ ignore_scanners { {$sf_pscan_ignore_scanners} }
+
+EOD;
+
+ /* def ssh_preproc */
+ $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports']));
+ $ssh_preproc = <<<EOD
+# SSH preprocessor #
+preprocessor ssh: \
+ server_ports { {$ssh_ports} } \
+ autodetect \
+ max_client_bytes 19600 \
+ max_encrypted_packets 20 \
+ max_server_version_len 100 \
+ enable_respoverflow enable_ssh1crc32 \
+ enable_srvoverflow enable_protomismatch
+
+EOD;
+
+ /* def other_preprocs */
+ $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports']));
+ $other_preprocs = <<<EOD
+# Other preprocs #
+preprocessor rpc_decode: \
+ {$sun_rpc_ports} \
+ no_alert_multiple_requests \
+ no_alert_large_fragments \
+ no_alert_incomplete
+
+# Back Orifice preprocessor #
+preprocessor bo
+
+EOD;
+
+ /* def dce_rpc_2 */
+ $dce_rpc_2 = <<<EOD
+# DCE/RPC 2 #
+preprocessor dcerpc2: \
+ memcap 102400, \
+ events [co]
+
+preprocessor dcerpc2_server: default, \
+ policy WinXP, \
+ detect [smb [{$snort_ports['smb_ports']}], \
+ tcp 135, \
+ udp 135, \
+ rpc-over-http-server 593], \
+ autodetect [tcp 1025:, \
+ udp 1025:, \
+ rpc-over-http-server 1025:], \
+ smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
+
+EOD;
+
+ $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports']));
+ $sip_preproc = <<<EOD
+# SIP preprocessor #
+preprocessor sip: \
+ max_sessions 40000, \
+ ports { {$sip_ports} }, \
+ methods { invite \
+ cancel \
+ ack \
+ bye \
+ register \
+ options \
+ refer \
+ subscribe \
+ update \
+ join \
+ info \
+ message \
+ notify \
+ benotify \
+ do \
+ qauth \
+ sprack \
+ publish \
+ service \
+ unsubscribe \
+ prack }, \
+ max_call_id_len 80, \
+ max_from_len 256, \
+ max_to_len 256, \
+ max_via_len 1024, \
+ max_requestName_len 50, \
+ max_uri_len 512, \
+ ignore_call_channel, \
+ max_content_len 2048, \
+ max_contact_len 512
+
+EOD;
+
+ $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports']));
+ /* def dns_preprocessor */
+ $dns_preprocessor = <<<EOD
+# DNS preprocessor #
+preprocessor dns: \
+ ports { {$dns_ports} } \
+ enable_rdata_overflow
+
+EOD;
+
+ /* def dnp3_preprocessor */
+ $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS']));
+ $dnp3_preproc = <<<EOD
+# DNP3 preprocessor #
+preprocessor dnp3: \
+ ports { {$dnp3_ports} } \
+ memcap 262144 \
+ check_crc
+
+EOD;
+
+ /* def modbus_preprocessor */
+ $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS']));
+ $modbus_preproc = <<<EOD
+# Modbus preprocessor #
+preprocessor modbus: \
+ ports { {$modbus_ports} }
+
+EOD;
+
+ /* def gtp_preprocessor */
+ $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS']));
+ $gtp_preproc = <<<EOD
+# GTP preprocessor #
+preprocessor gtp: \
+ ports { {$gtp_ports} }
+
+EOD;
+
+ /* def ssl_preprocessor */
+ $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports']));
+ $ssl_preproc = <<<EOD
+# SSL preprocessor #
+preprocessor ssl: \
+ ports { {$ssl_ports} }, \
+ trustservers, \
+ noinspect_encrypted
+
+EOD;
+
+ /* def sensitive_data_preprocessor */
+ if ($snortcfg['sdf_mask_output'] == "on")
+ $sdf_mask_output = "\\\n\tmask_output";
+ else
+ $sdf_mask_output = "";
+ $sensitive_data = <<<EOD
+# SDF preprocessor #
+preprocessor sensitive_data: \
+ alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output}
+
+EOD;
+
+ /* define servers as IP variables */
+ $snort_servers = array (
+ "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
+ "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET",
+ "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET",
+ "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET",
+ "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET",
+ "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET",
+ "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET",
+ "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
+ );
+
+ // Change old name from "var" to new name of "ipvar" for IP variables because
+ // Snort is deprecating the old "var" name in newer versions.
+ $ipvardef = "";
+ foreach ($snort_servers as $alias => $avalue) {
+ if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) {
+ $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"]));
+ $avalue = preg_replace('/\s+/', ',', trim($avalue));
+ }
+ $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n";
+ }
+
+ $snort_preproc_libs = array(
+ "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc",
+ "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc",
+ "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
+ "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
+ );
+ $snort_preproc = array (
+ "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc",
+ "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc"
+ );
+ $default_disabled_preprocs = array(
+ "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc"
+ );
+ $snort_preprocessors = "";
+ foreach ($snort_preproc as $preproc) {
+ if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) {
+
+ /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */
+ if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs))
+ continue;
+
+ /* NOTE: The $$ is not a bug. It is an advanced feature of php */
+ if (!empty($snort_preproc_libs[$preproc])) {
+ $preproclib = "libsf_" . $snort_preproc_libs[$preproc];
+ if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
+ if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) {
+ @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ } else
+ log_error("Could not find the {$preproclib} file. Snort might error out!");
+ } else {
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
+ } else {
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
+ }
+ }
+ // Remove final trailing newline
+ $snort_preprocessors = rtrim($snort_preprocessors);
+
+ $snort_misc_include_rules = "";
+ if (file_exists("{$snortcfgdir}/reference.config"))
+ $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n";
+ if (file_exists("{$snortcfgdir}/classification.config"))
+ $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
+ if (is_dir("{$snortcfgdir}/preproc_rules")) {
+ if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
+ $sedcmd = '/^#alert.*classtype:sdf/s/^#//';
+ if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
+ #enable only selected sensitive data
+ if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){
+ $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")";
+ $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules");
+ $sd_tmp_new_file="";
+ foreach ($sd_tmp_file as $sd_tmp_line)
+ $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : "";
+ file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX);
+ }
+ }
+ } else
+ $sedcmd = '/^alert.*classtype:sdf/s/^/#/';
+ if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") {
+ @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
+ mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
+ mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
+ @unlink("{$g['tmp_path']}/sedcmd");
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") {
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ }
+ else {
+ $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
+ log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
+ }
+ } else {
+ $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
+ log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
+ }
+
+ /* generate rule sections to load */
+ /* The files are always configured so the update process is easier */
+ $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n";
+ $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n";
+ $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n";
+
+ // Remove trailing newlines
+ $snort_misc_include_rules = rtrim($snort_misc_include_rules);
+ $selected_rules_sections = rtrim($selected_rules_sections);
+
+ /* Create the actual rules files and save in the interface directory */
+ snort_prepare_rule_files($snortcfg, $snortcfgdir);
+
+ $cksumcheck = "all";
+ if ($snortcfg['cksumcheck'] == 'on')
+ $cksumcheck = "none";
+
+ /* Pull in user-configurable detection config options */
+ $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5";
+ if ($snortcfg['fpm_split_any_any'] == "on")
+ $cfg_detect_settings .= " split-any-any";
+ if ($snortcfg['fpm_search_optimize'] == "on")
+ $cfg_detect_settings .= " search-optimize";
+ if ($snortcfg['fpm_no_stream_inserts'] == "on")
+ $cfg_detect_settings .= " no_stream_inserts";
+
+ /* Pull in user-configurable options for Frag3 preprocessor settings */
+ /* Get global Frag3 options first and put into a string */
+ $frag3_global = "preprocessor frag3_global: ";
+ if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0")
+ $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, ";
+ else
+ $frag3_global .= "memcap 4194304, ";
+ if (!empty($snortcfg['frag3_max_frags']))
+ $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}";
+ else
+ $frag3_global .= "max_frags 8192";
+ if ($snortcfg['frag3_detection'] == "off")
+ $frag3_global .= ", disabled";
+
+ $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+ $frag3_engine = "";
+
+ // Now iterate configured Frag3 engines and write them to a string if enabled
+ if ($snortcfg['frag3_detection'] == "on") {
+ if (!is_array($snortcfg['frag3_engine']['item']))
+ $snortcfg['frag3_engine']['item'] = array();
+
+ // If no frag3 tcp engine is configured, use the default
+ if (empty($snortcfg['frag3_engine']['item']))
+ $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine;
+
+ foreach ($snortcfg['frag3_engine']['item'] as $f => $v) {
+ $frag3_engine .= "preprocessor frag3_engine: ";
+ $frag3_engine .= "policy {$v['policy']}";
+ if ($v['bind_to'] <> "all") {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ',', $tmp);
+ if (strpos($tmp, ",") !== false)
+ $frag3_engine .= " \\\n\tbind_to [{$tmp}]";
+ else
+ $frag3_engine .= " \\\n\tbind_to {$tmp}";
+ }
+ else
+ log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe.");
+ }
+ $frag3_engine .= " \\\n\ttimeout {$v['timeout']}";
+ $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}";
+ if ($v['detect_anomalies'] == "on") {
+ $frag3_engine .= " \\\n\tdetect_anomalies";
+ $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}";
+ $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}";
+ }
+ // Add newlines to terminate this engine
+ $frag3_engine .= "\n\n";
+ }
+ // Remove trailing newline
+ $frag3_engine = rtrim($frag3_engine);
+ }
+
+ // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs
+ $paf_max_pdu_config = "config paf_max: ";
+ if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0')
+ $paf_max_pdu_config .= "0";
+ else
+ $paf_max_pdu_config .= $snortcfg['max_paf'];
+
+ // Pull in user-configurable options for Stream5 preprocessor settings
+ // Get global options first and put into a string
+ $stream5_global = "preprocessor stream5_global: \\\n";
+ if ($snortcfg['stream5_reassembly'] == "off")
+ $stream5_global .= "\tdisabled, \\\n";
+ if ($snortcfg['stream5_track_tcp'] == "off")
+ $stream5_global .= "\ttrack_tcp no,";
+ else {
+ $stream5_global .= "\ttrack_tcp yes,";
+ if (!empty($snortcfg['stream5_max_tcp']))
+ $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},";
+ else
+ $stream5_global .= " \\\n\tmax_tcp 262144,";
+ }
+ if ($snortcfg['stream5_track_udp'] == "off")
+ $stream5_global .= " \\\n\ttrack_udp no,";
+ else {
+ $stream5_global .= " \\\n\ttrack_udp yes,";
+ if (!empty($snortcfg['stream5_max_udp']))
+ $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},";
+ else
+ $stream5_global .= " \\\n\tmax_udp 131072,";
+ }
+ if ($snortcfg['stream5_track_icmp'] == "on") {
+ $stream5_global .= " \\\n\ttrack_icmp yes,";
+ if (!empty($snortcfg['stream5_max_icmp']))
+ $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},";
+ else
+ $stream5_global .= " \\\n\tmax_icmp 65536,";
+ }
+ else
+ $stream5_global .= " \\\n\ttrack_icmp no,";
+ if (!empty($snortcfg['stream5_mem_cap']))
+ $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},";
+ else
+ $stream5_global .= " \\\n\tmemcap 8388608,";
+
+ if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0')
+ $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}";
+ else
+ $stream5_global .= " \\\n\tprune_log_max 1048576";
+ if ($snortcfg['stream5_flush_on_alert'] == "on")
+ $stream5_global .= ", \\\n\tflush_on_alert";
+
+ $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0,
+ "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+ $stream5_tcp_engine = "";
+
+ // Now iterate configured Stream5 TCP engines and write them to a string if enabled
+ if ($snortcfg['stream5_reassembly'] == "on") {
+ if (!is_array($snortcfg['stream5_tcp_engine']['item']))
+ $snortcfg['stream5_tcp_engine']['item'] = array();
+
+ // If no stream5 tcp engine is configured, use the default
+ if (empty($snortcfg['stream5_tcp_engine']['item']))
+ $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine;
+
+ foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor stream5_tcp: ";
+ $buffer .= "policy {$v['policy']},";
+ if ($v['bind_to'] <> "all") {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ',', $tmp);
+ if (strpos($tmp, ",") !== false)
+ $buffer .= " \\\n\tbind_to [{$tmp}],";
+ else
+ $buffer .= " \\\n\tbind_to {$tmp},";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine.");
+ continue;
+ }
+ }
+ $stream5_tcp_engine .= $buffer;
+ $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},";
+ $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},";
+ $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},";
+ $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},";
+ $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}";
+ if ($v['use_static_footprint_sizes'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes";
+ if ($v['check_session_hijacking'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking";
+ if ($v['dont_store_lg_pkts'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets";
+ if ($v['no_reassemble_async'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async";
+ if ($v['detect_anomalies'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdetect_anomalies";
+ if ($v['require_3whs'] == "on")
+ $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}";
+ if (!empty($v['ports_client'])) {
+ $stream5_tcp_engine .= ", \\\n\tports client";
+ if ($v['ports_client'] == " all")
+ $stream5_tcp_engine .= " all";
+ elseif ($v['ports_client'] == "default")
+ $stream5_tcp_engine .= " {$stream5_ports_client}";
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_client']));
+ if (!empty($tmp))
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ else {
+ $stream5_tcp_engine .= " {$stream5_ports_client}";
+ log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value.");
+ }
+ }
+ }
+ if (!empty($v['ports_both'])) {
+ $stream5_tcp_engine .= ", \\\n\tports both";
+ if ($v['ports_both'] == " all")
+ $stream5_tcp_engine .= " all";
+ elseif ($v['ports_both'] == "default")
+ $stream5_tcp_engine .= " {$stream5_ports_both}";
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_both']));
+ if (!empty($tmp))
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ else {
+ $stream5_tcp_engine .= " {$stream5_ports_both}";
+ log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value.");
+ }
+ }
+ }
+ if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") {
+ if ($v['ports_server'] == " all") {
+ $stream5_tcp_engine .= ", \\\n\tports server";
+ $stream5_tcp_engine .= " all";
+ }
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_server']));
+ if (!empty($tmp)) {
+ $stream5_tcp_engine .= ", \\\n\tports server";
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ }
+ else
+ log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none.");
+ }
+ }
+
+ // Make sure the "ports" parameter is set, or else default to a safe value
+ if (strpos($stream5_tcp_engine, "ports ") === false)
+ $stream5_tcp_engine .= ", \\\n\tports both all";
+
+ // Add a pair of newlines to terminate this engine
+ $stream5_tcp_engine .= "\n\n";
+ }
+ // Trim off the final trailing newline
+ $stream5_tcp_engine = rtrim($stream5_tcp_engine);
+ }
+
+ // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled
+ if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off")
+ $stream5_udp_engine = "";
+ else {
+ $stream5_udp_engine = "preprocessor stream5_udp: ";
+ if (!empty($snortcfg['stream5_udp_timeout']))
+ $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}";
+ else
+ $stream5_udp_engine .= "timeout 30";
+ }
+
+ // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled
+ if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") {
+ $stream5_icmp_engine = "preprocessor stream5_icmp: ";
+ if (!empty($snortcfg['stream5_icmp_timeout']))
+ $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}";
+ else
+ $stream5_icmp_engine .= "timeout 30";
+ }
+ else
+ $stream5_icmp_engine = "";
+
+ // Check for and configure Host Attribute Table if enabled
+ $host_attrib_config = "";
+ if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) {
+ file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data']));
+ $host_attrib_config = "# Host Attribute Table #\n";
+ $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n";
+ if (!empty($snortcfg['max_attribute_hosts']))
+ $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n";
+ if (!empty($snortcfg['max_attribute_services_per_host']))
+ $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}";
+ }
+
+ // Configure the HTTP_INSPECT preprocessor
+ // Get global options first and put into a string
+ $http_inspect_global = "preprocessor http_inspect: global ";
+ if ($snortcfg['http_inspect'] == "off")
+ $http_inspect_global .= "disabled ";
+ $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n";
+ $http_inspect_global .= "\tcompress_depth 65535 \\\n";
+ $http_inspect_global .= "\tdecompress_depth 65535 \\\n";
+ if (!empty($snortcfg['http_inspect_memcap']))
+ $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n";
+ else
+ $http_inspect_global .= "\tmemcap 150994944 \\\n";
+ if (!empty($snortcfg['http_inspect_max_gzip_mem']))
+ $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}";
+ else
+ $http_inspect_global .= "\tmax_gzip_mem 838860";
+ if ($snortcfg['http_inspect_proxy_alert'] == "on")
+ $http_inspect_global .= " \\\n\tproxy_alert";
+
+ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
+ "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
+ "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
+ "max_header_length" => 0, "ports" => "default" );
+ $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
+ $http_inspect_servers = "";
+
+ // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled
+ if ($snortcfg['http_inspect'] <> "off") {
+ if (!is_array($snortcfg['http_inspect_engine']['item']))
+ $snortcfg['http_inspect_engine']['item'] = array();
+
+ // If no http_inspect_engine is configured, use the default
+ if (empty($snortcfg['http_inspect_engine']['item']))
+ $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine;
+
+ foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor http_inspect_server: \\\n";
+ if ($v['name'] == "default")
+ $buffer .= "\tserver default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "\tserver { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
+ continue;
+ }
+ $http_inspect_servers .= $buffer;
+ $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n";
+
+ if ($v['no_alerts'] == "on")
+ $http_inspect_servers .= "\tno_alerts \\\n";
+
+ if ($v['ports'] == "default" || empty($v['ports']))
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ elseif (is_alias($v['ports'])) {
+ $tmp = trim(filter_expand_alias($v['ports']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $tmp = snort_expand_port_range($tmp, ' ');
+ $http_inspect_servers .= "\tports { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ }
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ }
+
+ $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n";
+ $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n";
+ $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n";
+ $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n";
+ $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n";
+ $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n";
+ $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}";
+ if ($v['enable_xff'] == "on")
+ $http_inspect_servers .= " \\\n\tenable_xff";
+ if ($v['enable_cookie'] == "on")
+ $http_inspect_servers .= " \\\n\tenable_cookie";
+ if ($v['normalize_cookies'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_cookies";
+ if ($v['normalize_headers'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_headers";
+ if ($v['normalize_utf'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_utf";
+ if ($v['allow_proxy_use'] == "on")
+ $http_inspect_servers .= " \\\n\tallow_proxy_use";
+ if ($v['inspect_uri_only'] == "on")
+ $http_inspect_servers .= " \\\n\tinspect_uri_only";
+ if ($v['extended_response_inspection'] == "on") {
+ $http_inspect_servers .= " \\\n\textended_response_inspection";
+ if ($v['inspect_gzip'] == "on") {
+ $http_inspect_servers .= " \\\n\tinspect_gzip";
+ if ($v['unlimited_decompress'] == "on")
+ $http_inspect_servers .= " \\\n\tunlimited_decompress";
+ }
+ if ($v['normalize_javascript'] == "on") {
+ $http_inspect_servers .= " \\\n\tnormalize_javascript";
+ $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}";
+ }
+ }
+ if ($v['log_uri'] == "on")
+ $http_inspect_servers .= " \\\n\tlog_uri";
+ if ($v['log_hostname'] == "on")
+ $http_inspect_servers .= " \\\n\tlog_hostname";
+
+ // Add a pair of trailing newlines to terminate this server config
+ $http_inspect_servers .= "\n\n";
+ }
+ /* Trim off the final trailing newline */
+ $http_inspect_server = rtrim($http_inspect_server);
+ }
+
+ // Finally, build the Snort configuration file
+ $snort_conf_text = <<<EOD
+# snort configuration file
+# generated automatically by the pfSense subsystems do not modify manually
+
+# Define Local Network #
+ipvar HOME_NET [{$home_net}]
+ipvar EXTERNAL_NET [{$external_net}]
+
+# Define Rule Paths #
+var RULE_PATH {$snortcfgdir}/rules
+var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules
+
+# Define Servers #
+{$ipvardef}
+
+# Define Server Ports #
+{$portvardef}
+
+# Configure quiet startup mode #
+config quiet
+
+# Configure the snort decoder #
+config checksum_mode: {$cksumcheck}
+config disable_decode_alerts
+config disable_tcpopt_experimental_alerts
+config disable_tcpopt_obsolete_alerts
+config disable_ttcp_alerts
+config disable_tcpopt_alerts
+config disable_ipopt_alerts
+config disable_decode_drops
+
+# Enable the GTP decoder #
+config enable_gtp
+
+# Configure PCRE match limitations
+config pcre_match_limit: 3500
+config pcre_match_limit_recursion: 1500
+
+# Configure the detection engine #
+config detection: {$cfg_detect_settings}
+config event_queue: max_queue 8 log 5 order_events content_length
+
+# Configure to show year in timestamps
+config show_year
+
+# Configure protocol aware flushing #
+# For more information see README.stream5 #
+{$paf_max_pdu_config}
+
+# Configure dynamically loaded libraries
+dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']}
+dynamicengine directory {$snort_dirs['dynamicengine']}
+dynamicdetection directory {$snort_dirs['dynamicrules']}
+
+# Inline packet normalization. For more information, see README.normalize
+# Disabled since we do not use "inline" mode with pfSense
+# preprocessor normalize_ip4
+# preprocessor normalize_tcp: ips ecn stream
+# preprocessor normalize_icmp4
+# preprocessor normalize_ip6
+# preprocessor normalize_icmp6
+
+# Flow and stream #
+{$frag3_global}
+
+{$frag3_engine}
+
+{$stream5_global}
+
+{$stream5_tcp_engine}
+
+{$stream5_udp_engine}
+
+{$stream5_icmp_engine}
+
+# HTTP Inspect #
+{$http_inspect_global}
+
+{$http_inspect_servers}
+{$snort_preprocessors}
+{$host_attrib_config}
+
+# Snort Output Logs #
+output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
+{$alertsystemlog_type}
+{$snortunifiedlog_type}
+{$spoink_type}
+
+# Misc Includes #
+{$snort_misc_include_rules}
+
+{$suppress_file_name}
+
+# Snort user pass through configuration
+{$snort_config_pass_thru}
+
+# Rules Selection #
+{$selected_rules_sections}
+EOD;
+
+ // Write out snort.conf file
+ $conf = fopen("{$snortcfgdir}/snort.conf", "w");
+ if(!$conf) {
+ log_error("Could not open {$snortcfgdir}/snort.conf for writing.");
+ return -1;
+ }
+ fwrite($conf, $snort_conf_text);
+ fclose($conf);
+ unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type);
+ unset($home_net, $external_net, $ipvardef, $portvardef);
+}
+
+/*****************************************************************************/
+/* This starts the actual post-install code */
+/*****************************************************************************/
+
+/* Hard kill any running Snort processes that may have been started by any */
+/* of the pfSense scripts such as check_reload_status() or rc.start_packages */
+if(is_process_running("snort")) {
+ exec("/usr/bin/killall -z snort");
+ sleep(2);
+ // Delete any leftover snort PID files in /var/run
+ array_map('@unlink', glob("/var/run/snort_*.pid"));
+}
+// Hard kill any running Barnyard2 processes
+if(is_process_running("barnyard")) {
+ exec("/usr/bin/killall -z barnyard2");
+ sleep(2);
+ // Delete any leftover barnyard2 PID files in /var/run
+ array_map('@unlink', glob("/var/run/barnyard2_*.pid"));
+}
+
+/* Set flag for post-install in progress */
+$g['snort_postinstall'] = true;
+
+/* cleanup default files */
+@rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf");
+@rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf");
+@rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map");
+@rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map");
+@rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config");
+@rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
+@rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
+@rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
+@rename("{$snortdir}/attribute_table.dtd-sample", "{$snortdir}/attribute_table.dtd");
+
+/* fix up the preprocessor rules filenames from a PBI package install */
+$preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
+foreach ($preproc_rules as $file) {
+ if (file_exists("{$snortdir}/preproc_rules/{$file}-sample"))
+ @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}");
+}
+
+/* Remove any previously installed scripts since we rebuild them */
+@unlink("{$snortdir}/sid");
+@unlink("{$rcdir}/snort.sh");
+@unlink("{$rcdir}/barnyard2");
+
+/* remake saved settings */
+if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
+ log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings..."));
+ update_status(gettext("Saved settings detected..."));
+ /* Do one-time settings migration for new multi-engine configurations */
+ update_output_window(gettext("Please wait... migrating settings to new multi-engine configuration..."));
+ include "/usr/local/pkg/snort/snort_migrate_config.php";
+ update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
+ log_error(gettext("[Snort] Downloading and updating configured rule types..."));
+ update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
+ if ($pkg_interface <> "console")
+ $snort_gui_include = true;
+ include "/usr/local/pkg/snort/snort_check_for_rule_updates.php";
+ update_status(gettext("Generating snort.conf configuration file from saved settings..."));
+ $rebuild_rules = true;
+
+ /* Create the snort.conf files for each enabled interface */
+ $snortconf = $config['installedpackages']['snortglobal']['rule'];
+ foreach ($snortconf as $value) {
+ $if_real = snort_get_real_interface($value['interface']);
+
+ /* create a snort.conf file for interface */
+ snort_build_new_conf($value);
+
+ /* create barnyard2.conf file for interface */
+ if ($value['barnyard_enable'] == 'on')
+ snort_create_barnyard2_conf($value, $if_real);
+ }
+
+ /* create snort bootup file snort.sh */
+ snort_create_rc();
+
+ /* Set Log Limit, Block Hosts Time and Rules Update Time */
+ snort_snortloglimit_install_cron($config['installedpackages']['snortglobal']['snortloglimit'] == 'on' ? true : false);
+ snort_rm_blocked_install_cron($config['installedpackages']['snortglobal']['rm_blocked'] != "never_b" ? true : false);
+ snort_rules_up_install_cron($config['installedpackages']['snortglobal']['autorulesupdate7'] != "never_up" ? true : false);
+
+ /* Add the recurring jobs created above to crontab */
+ configure_cron();
+ conf_mount_ro();
+
+ $rebuild_rules = false;
+ update_output_window(gettext("Finished rebuilding Snort configuration files..."));
+ log_error(gettext("[Snort] Finished rebuilding installation from saved settings..."));
+
+ /* Only try to start Snort if not in reboot */
+ if (!$g['booting']) {
+ update_status(gettext("Starting Snort using rebuilt configuration..."));
+ update_output_window(gettext("Please wait... while Snort is started..."));
+ log_error(gettext("[Snort] Starting Snort using rebuilt configuration..."));
+ start_service("snort");
+ update_output_window(gettext("Snort has been started using the rebuilt configuration..."));
+ }
+}
+
+/* Done with post-install, so clear flag */
+unset($g['snort_postinstall']);
+log_error(gettext("[Snort] Package post-installation tasks completed..."));
+return true;
+
+?>
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 95d5a10e..1d47ccdb 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -37,16 +37,6 @@ require_once("/usr/local/pkg/snort/snort.inc");
global $g, $rebuild_rules;
$snortlogdir = SNORTLOGDIR;
-if (!is_array($config['installedpackages']['snortglobal'])) {
- $config['installedpackages']['snortglobal'] = array();
-}
-$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];
-
-if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
- $config['installedpackages']['snortglobal']['rule'] = array();
-}
-$a_nat = &$config['installedpackages']['snortglobal']['rule'];
-
$id = $_GET['id'];
if (isset($_POST['id']))
$id = $_POST['id'];
@@ -55,6 +45,32 @@ if (is_null($id)) {
exit;
}
+if (!is_array($config['installedpackages']['snortglobal']))
+ $config['installedpackages']['snortglobal'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+
+// Initialize multiple config engine arrays for supported preprocessors if necessary
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array();
+
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+
+$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];
+$frag3_engine_next_id = count($a_nat[$id]['frag3_engine']['item']);
+$stream5_tcp_engine_next_id = count($a_nat[$id]['stream5_tcp_engine']['item']);
+$http_inspect_engine_next_id = count($a_nat[$id]['http_inspect_engine']['item']);
+$ftp_server_engine_next_id = count($a_nat[$id]['ftp_server_engine']['item']);
+$ftp_client_engine_next_id = count($a_nat[$id]['ftp_client_engine']['item']);
+
$pconfig = array();
if (isset($id) && $a_nat[$id]) {
$pconfig = $a_nat[$id];
@@ -66,32 +82,14 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['max_attribute_hosts'] = $a_nat[$id]['max_attribute_hosts'];
$pconfig['max_attribute_services_per_host'] = $a_nat[$id]['max_attribute_services_per_host'];
$pconfig['max_paf'] = $a_nat[$id]['max_paf'];
- $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth'];
- $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile'];
- $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth'];
- $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly'];
- $pconfig['stream5_require_3whs'] = $a_nat[$id]['stream5_require_3whs'];
- $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp'];
- $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp'];
- $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp'];
- $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
- $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
- $pconfig['stream5_overlap_limit'] = $a_nat[$id]['stream5_overlap_limit'];
- $pconfig['stream5_policy'] = $a_nat[$id]['stream5_policy'];
- $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap'];
- $pconfig['stream5_tcp_timeout'] = $a_nat[$id]['stream5_tcp_timeout'];
- $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout'];
- $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout'];
- $pconfig['stream5_no_reassemble_async'] = $a_nat[$id]['stream5_no_reassemble_async'];
- $pconfig['stream5_dont_store_lg_pkts'] = $a_nat[$id]['stream5_dont_store_lg_pkts'];
- $pconfig['http_inspect'] = $a_nat[$id]['http_inspect'];
- $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap'];
- $pconfig['http_inspect_enable_xff'] = $a_nat[$id]['http_inspect_enable_xff'];
- $pconfig['http_inspect_log_uri'] = $a_nat[$id]['http_inspect_log_uri'];
- $pconfig['http_inspect_log_hostname'] = $a_nat[$id]['http_inspect_log_hostname'];
- $pconfig['noalert_http_inspect'] = $a_nat[$id]['noalert_http_inspect'];
$pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs'];
$pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor'];
+ $pconfig['ftp_telnet_inspection_type'] = $a_nat[$id]['ftp_telnet_inspection_type'];
+ $pconfig['ftp_telnet_alert_encrypted'] = $a_nat[$id]['ftp_telnet_alert_encrypted'];
+ $pconfig['ftp_telnet_check_encrypted'] = $a_nat[$id]['ftp_telnet_check_encrypted'];
+ $pconfig['ftp_telnet_normalize'] = $a_nat[$id]['ftp_telnet_normalize'];
+ $pconfig['ftp_telnet_detect_anomalies'] = $a_nat[$id]['ftp_telnet_detect_anomalies'];
+ $pconfig['ftp_telnet_ayt_attack_threshold'] = $a_nat[$id]['ftp_telnet_ayt_attack_threshold'];
$pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor'];
$pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan'];
$pconfig['pscan_protocol'] = $a_nat[$id]['pscan_protocol'];
@@ -102,6 +100,9 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
$pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
$pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data'];
+ $pconfig['sdf_alert_data_type'] = $a_nat[$id]['sdf_alert_data_type'];
+ $pconfig['sdf_alert_threshold'] = $a_nat[$id]['sdf_alert_threshold'];
+ $pconfig['sdf_mask_output'] = $a_nat[$id]['sdf_mask_output'];
$pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc'];
$pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc'];
$pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc'];
@@ -112,13 +113,123 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['ssh_preproc'] = $a_nat[$id]['ssh_preproc'];
$pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable'];
$pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules'];
+
+ // Frag3 global settings
$pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection'];
- $pconfig['frag3_overlap_limit'] = $a_nat[$id]['frag3_overlap_limit'];
- $pconfig['frag3_min_frag_len'] = $a_nat[$id]['frag3_min_frag_len'];
- $pconfig['frag3_policy'] = $a_nat[$id]['frag3_policy'];
$pconfig['frag3_max_frags'] = $a_nat[$id]['frag3_max_frags'];
$pconfig['frag3_memcap'] = $a_nat[$id]['frag3_memcap'];
- $pconfig['frag3_timeout'] = $a_nat[$id]['frag3_timeout'];
+
+ // See if new Frag3 engine array is configured and use it;
+ // otherwise create a default engine configuration.
+ if (empty($pconfig['frag3_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+ $pconfig['frag3_engine']['item'] = array();
+ $pconfig['frag3_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['frag3_engine']['item']))
+ $a_nat[$id]['frag3_engine']['item'] = array();
+ $a_nat[$id]['frag3_engine']['item'][] = $default;
+ write_config();
+ $frag3_engine_next_id++;
+ }
+ else
+ $pconfig['frag3_engine'] = $a_nat[$id]['frag3_engine'];
+
+ // Stream5 global settings
+ $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly'];
+ $pconfig['stream5_flush_on_alert'] = $a_nat[$id]['stream5_flush_on_alert'];
+ $pconfig['stream5_prune_log_max'] = $a_nat[$id]['stream5_prune_log_max'];
+ $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap'];
+ $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp'];
+ $pconfig['stream5_max_tcp'] = $a_nat[$id]['stream5_max_tcp'];
+ $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp'];
+ $pconfig['stream5_max_udp'] = $a_nat[$id]['stream5_max_udp'];
+ $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout'];
+ $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp'];
+ $pconfig['stream5_max_icmp'] = $a_nat[$id]['stream5_max_icmp'];
+ $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout'];
+
+ // See if new Stream5 engine array is configured and use it;
+ // otherwise create a default engine configuration.
+ if (empty($pconfig['stream5_tcp_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off",
+ "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+ $pconfig['stream5_tcp_engine']['item'] = array();
+ $pconfig['stream5_tcp_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['stream5_tcp_engine']['item']))
+ $a_nat[$id]['stream5_tcp_engine']['item'] = array();
+ $a_nat[$id]['stream5_tcp_engine']['item'][] = $default;
+ write_config();
+ $stream5_tcp_engine_next_id++;
+ }
+ else
+ $pconfig['stream5_tcp_engine'] = $a_nat[$id]['stream5_tcp_engine'];
+
+ // HTTP_INSPECT global settings
+ $pconfig['http_inspect'] = $a_nat[$id]['http_inspect'];
+ $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap'];
+ $pconfig['http_inspect_proxy_alert'] = $a_nat[$id]['http_inspect_proxy_alert'];
+ $pconfig['http_inspect_max_gzip_mem'] = $a_nat[$id]['http_inspect_max_gzip_mem'];
+
+ // See if new HTTP_INSPECT engine array is configured and use it;
+ // otherwise create a default engine configuration.
+ if (empty($pconfig['http_inspect_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
+ "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
+ "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+ $pconfig['http_inspect_engine']['item'] = array();
+ $pconfig['http_inspect_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['http_inspect_engine']['item']))
+ $a_nat[$id]['http_inspect_engine']['item'] = array();
+ $a_nat[$id]['http_inspect_engine']['item'][] = $default;
+ write_config();
+ $http_inspect_engine_next_id++;
+ }
+ else
+ $pconfig['http_inspect_engine'] = $a_nat[$id]['http_inspect_engine'];
+
+ // See if new FTP client engine array is configured and use it;
+ // otherwise create a default engine configuration..
+ if (empty($pconfig['ftp_client_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+ $pconfig['ftp_client_engine']['item'] = array();
+ $pconfig['ftp_client_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['ftp_client_engine']['item']))
+ $a_nat[$id]['ftp_client_engine']['item'] = array();
+ $a_nat[$id]['ftp_client_engine']['item'][] = $default;
+ write_config();
+ $ftp_client_engine_next_id++;
+ }
+ else
+ $pconfig['ftp_client_engine'] = $a_nat[$id]['ftp_client_engine'];
+
+ // See if new FTP server engine array is configured and use it;
+ // otherwise create a default engine configuration..
+ if (empty($pconfig['ftp_server_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+ $pconfig['ftp_server_engine']['item'] = array();
+ $pconfig['ftp_server_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['ftp_server_engine']['item']))
+ $a_nat[$id]['ftp_server_engine']['item'] = array();
+ $a_nat[$id]['ftp_server_engine']['item'][] = $default;
+ write_config();
+ $ftp_server_engine_next_id++;
+ }
+ else
+ $pconfig['ftp_server_engine'] = $a_nat[$id]['ftp_server_engine'];
/* If not using the Snort VRT rules, then disable */
/* the Sensitive Data (sdf) preprocessor. */
@@ -134,10 +245,28 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['max_attribute_hosts'] = '10000';
if (empty($pconfig['max_attribute_services_per_host']))
$pconfig['max_attribute_services_per_host'] = '10';
- if (empty($pconfig['max_paf']))
+
+ if (empty($pconfig['max_paf']) && $pconfig['max_paf'] <> 0)
$pconfig['max_paf'] = '16000';
+
if (empty($pconfig['ftp_preprocessor']))
$pconfig['ftp_preprocessor'] = 'on';
+ if (empty($pconfig['ftp_telnet_inspection_type']))
+ $pconfig['ftp_telnet_inspection_type'] = 'stateful';
+ if (empty($pconfig['ftp_telnet_alert_encrypted']))
+ $pconfig['ftp_telnet_alert_encrypted'] = 'off';
+ if (empty($pconfig['ftp_telnet_check_encrypted']))
+ $pconfig['ftp_telnet_check_encrypted'] = 'on';
+ if (empty($pconfig['ftp_telnet_normalize']))
+ $pconfig['ftp_telnet_normalize'] = 'on';
+ if (empty($pconfig['ftp_telnet_detect_anomalies']))
+ $pconfig['ftp_telnet_detect_anomalies'] = 'on';
+ if (empty($pconfig['ftp_telnet_ayt_attack_threshold']) && $pconfig['ftp_telnet_ayt_attack_threshold'] <> 0)
+ $pconfig['ftp_telnet_ayt_attack_threshold'] = '20';
+ if (empty($pconfig['sdf_alert_threshold']))
+ $pconfig['sdf_alert_threshold'] = '25';
+ if (empty($pconfig['sdf_mask_output']))
+ $pconfig['sdf_mask_output'] = 'off';
if (empty($pconfig['smtp_preprocessor']))
$pconfig['smtp_preprocessor'] = 'on';
if (empty($pconfig['dce_rpc_2']))
@@ -156,46 +285,48 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['other_preprocs'] = 'on';
if (empty($pconfig['ssh_preproc']))
$pconfig['ssh_preproc'] = 'on';
+
+ if (empty($pconfig['http_inspect']))
+ $pconfig['http_inspect'] = "on";
+ if (empty($pconfig['http_inspect_proxy_alert']))
+ $pconfig['http_inspect_proxy_alert'] = "off";
if (empty($pconfig['http_inspect_memcap']))
$pconfig['http_inspect_memcap'] = "150994944";
- if (empty($pconfig['frag3_overlap_limit']))
- $pconfig['frag3_overlap_limit'] = '0';
- if (empty($pconfig['frag3_min_frag_len']))
- $pconfig['frag3_min_frag_len'] = '0';
+ if (empty($pconfig['http_inspect_max_gzip_mem']))
+ $pconfig['http_inspect_max_gzip_mem'] = "838860";
+
if (empty($pconfig['frag3_max_frags']))
$pconfig['frag3_max_frags'] = '8192';
- if (empty($pconfig['frag3_policy']))
- $pconfig['frag3_policy'] = 'bsd';
if (empty($pconfig['frag3_memcap']))
$pconfig['frag3_memcap'] = '4194304';
- if (empty($pconfig['frag3_timeout']))
- $pconfig['frag3_timeout'] = '60';
if (empty($pconfig['frag3_detection']))
$pconfig['frag3_detection'] = 'on';
+
if (empty($pconfig['stream5_reassembly']))
$pconfig['stream5_reassembly'] = 'on';
+ if (empty($pconfig['stream5_flush_on_alert']))
+ $pconfig['stream5_flush_on_alert'] = 'off';
+ if (empty($pconfig['stream5_prune_log_max']) && $pconfig['stream5_prune_log_max'] <> 0)
+ $pconfig['stream5_prune_log_max'] = '1048576';
if (empty($pconfig['stream5_track_tcp']))
$pconfig['stream5_track_tcp'] = 'on';
+ if (empty($pconfig['stream5_max_tcp']))
+ $pconfig['stream5_max_tcp'] = '262144';
if (empty($pconfig['stream5_track_udp']))
$pconfig['stream5_track_udp'] = 'on';
- if (empty($pconfig['stream5_track_icmp']))
- $pconfig['stream5_track_icmp'] = 'off';
- if (empty($pconfig['stream5_require_3whs']))
- $pconfig['stream5_require_3whs'] = 'off';
- if (empty($pconfig['stream5_overlap_limit']))
- $pconfig['stream5_overlap_limit'] = '0';
- if (empty($pconfig['stream5_tcp_timeout']))
- $pconfig['stream5_tcp_timeout'] = '30';
+ if (empty($pconfig['stream5_max_udp']))
+ $pconfig['stream5_max_udp'] = '131072';
if (empty($pconfig['stream5_udp_timeout']))
$pconfig['stream5_udp_timeout'] = '30';
+ if (empty($pconfig['stream5_track_icmp']))
+ $pconfig['stream5_track_icmp'] = 'off';
+ if (empty($pconfig['stream5_max_icmp']))
+ $pconfig['stream5_max_icmp'] = '65536';
if (empty($pconfig['stream5_icmp_timeout']))
$pconfig['stream5_icmp_timeout'] = '30';
- if (empty($pconfig['stream5_no_reassemble_async']))
- $pconfig['stream5_no_reassemble_async'] = 'off';
- if (empty($pconfig['stream5_dont_store_lg_pkts']))
- $pconfig['stream5_dont_store_lg_pkts'] = 'off';
- if (empty($pconfig['stream5_policy']))
- $pconfig['stream5_policy'] = 'bsd';
+ if (empty($pconfig['stream5_mem_cap']))
+ $pconfig['stream5_mem_cap']= '8388608';
+
if (empty($pconfig['pscan_protocol']))
$pconfig['pscan_protocol'] = 'all';
if (empty($pconfig['pscan_type']))
@@ -210,6 +341,34 @@ if (isset($id) && $a_nat[$id]) {
$iface = snort_get_friendly_interface($pconfig['interface']);
$disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log";
+if ($_GET['act'] && isset($_GET['eng_id'])) {
+
+ $natent = array();
+ $natent = $pconfig;
+
+ if ($_GET['act'] == "del_frag3")
+ unset($natent['frag3_engine']['item'][$_GET['eng_id']]);
+ elseif ($_GET['act'] == "del_stream5_tcp")
+ unset($natent['stream5_tcp_engine']['item'][$_GET['eng_id']]);
+ elseif ($_GET['act'] == "del_http_inspect")
+ unset($natent['http_inspect_engine']['item'][$_GET['eng_id']]);
+ elseif ($_GET['act'] == "del_ftp_server")
+ unset($natent['ftp_server_engine']['item'][$_GET['eng_id']]);
+
+ if (isset($id) && $a_nat[$id]) {
+ $a_nat[$id] = $natent;
+ write_config();
+ }
+
+ header("Location: snort_preprocessors.php?id=$id");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+}
+
if ($_POST['ResetAll']) {
/* Reset all the preprocessor settings to defaults */
@@ -218,32 +377,30 @@ if ($_POST['ResetAll']) {
$pconfig['max_attribute_hosts'] = '10000';
$pconfig['max_attribute_services_per_host'] = '10';
$pconfig['max_paf'] = '16000';
- $pconfig['server_flow_depth'] = "300";
- $pconfig['http_server_profile'] = "all";
- $pconfig['client_flow_depth'] = "300";
$pconfig['stream5_reassembly'] = "on";
- $pconfig['stream5_require_3whs'] = "off";
+ $pconfig['stream5_flush_on_alert'] = 'off';
+ $pconfig['stream5_prune_log_max'] = '1048576';
$pconfig['stream5_track_tcp'] = "on";
+ $pconfig['stream5_max_tcp'] = "262144";
$pconfig['stream5_track_udp'] = "on";
+ $pconfig['stream5_max_udp'] = "131072";
$pconfig['stream5_track_icmp'] = "off";
- $pconfig['max_queued_bytes'] = "1048576";
- $pconfig['max_queued_segs'] = "2621";
- $pconfig['stream5_overlap_limit'] = "0";
- $pconfig['stream5_policy'] = "bsd";
+ $pconfig['stream5_max_icmp'] = "65536";
$pconfig['stream5_mem_cap'] = "8388608";
- $pconfig['stream5_tcp_timeout'] = "30";
$pconfig['stream5_udp_timeout'] = "30";
$pconfig['stream5_icmp_timeout'] = "30";
- $pconfig['stream5_no_reassemble_async'] = "off";
- $pconfig['stream5_dont_store_lg_pkts'] = "off";
$pconfig['http_inspect'] = "on";
- $pconfig['http_inspect_enable_xff'] = "off";
- $pconfig['http_inspect_log_uri'] = "off";
- $pconfig['http_inspect_log_hostname'] = "off";
- $pconfig['noalert_http_inspect'] = "on";
+ $pconfig['http_inspect_proxy_alert'] = "off";
$pconfig['http_inspect_memcap'] = "150994944";
+ $pconfig['http_inspect_max_gzip_mem'] = "838860";
$pconfig['other_preprocs'] = "on";
$pconfig['ftp_preprocessor'] = "on";
+ $pconfig['ftp_telnet_inspection_type'] = "stateful";
+ $pconfig['ftp_telnet_alert_encrypted'] = "off";
+ $pconfig['ftp_telnet_check_encrypted'] = "on";
+ $pconfig['ftp_telnet_normalize'] = "on";
+ $pconfig['ftp_telnet_detect_anomalies'] = "on";
+ $pconfig['ftp_telnet_ayt_attack_threshold'] = "20";
$pconfig['smtp_preprocessor'] = "on";
$pconfig['sf_portscan'] = "off";
$pconfig['pscan_protocol'] = "all";
@@ -254,6 +411,9 @@ if ($_POST['ResetAll']) {
$pconfig['dce_rpc_2'] = "on";
$pconfig['dns_preprocessor'] = "on";
$pconfig['sensitive_data'] = "off";
+ $pconfig['sdf_alert_data_type'] = "";
+ $pconfig['sdf_alert_threshold'] = "25";
+ $pconfig['sdf_mask_output'] = "off";
$pconfig['ssl_preproc'] = "on";
$pconfig['pop_preproc'] = "on";
$pconfig['imap_preproc'] = "on";
@@ -265,22 +425,23 @@ if ($_POST['ResetAll']) {
$pconfig['preproc_auto_rule_disable'] = "off";
$pconfig['protect_preproc_rules'] = "off";
$pconfig['frag3_detection'] = "on";
- $pconfig['frag3_overlap_limit'] = "0";
- $pconfig['frag3_min_frag_len'] = "0";
- $pconfig['frag3_policy'] = "bsd";
$pconfig['frag3_max_frags'] = "8192";
$pconfig['frag3_memcap'] = "4194304";
- $pconfig['frag3_timeout'] = "60";
/* Log a message at the top of the page to inform the user */
- $savemsg = "All preprocessor settings have been reset to the defaults.";
+ $savemsg = gettext("All preprocessor settings have been reset to their defaults.");
}
elseif ($_POST['Submit']) {
$natent = array();
$natent = $pconfig;
- if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners']))
- $input_errors[] = "Only aliases are allowed for the Portscan IGNORE_SCANNERS option.";
+ // Validate SDF alert threshold and alert data type values if SDF is enabled
+ if ($_POST['sensitive_data'] == 'on') {
+ if ($_POST['sdf_alert_threshold'] < 1 || $_POST['sdf_alert_threshold'] > 4294067295)
+ $input_errors[] = gettext("The value for Sensitive_Data_Alert_Threshold must be between 1 and 4,294,067,295.");
+ if (empty($_POST['sdf_alert_data_type']))
+ $input_errors[] = gettext("You must select at least one sensitive data type to inspect for when Sensitive Data detection is enabled.");
+ }
/* if no errors write to conf */
if (!$input_errors) {
@@ -288,48 +449,44 @@ elseif ($_POST['Submit']) {
if ($_POST['max_attribute_hosts'] != "") { $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts']; }else{ $natent['max_attribute_hosts'] = "10000"; }
if ($_POST['max_attribute_services_per_host'] != "") { $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host']; }else{ $natent['max_attribute_services_per_host'] = "10"; }
if ($_POST['max_paf'] != "") { $natent['max_paf'] = $_POST['max_paf']; }else{ $natent['max_paf'] = "16000"; }
- if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; }
- if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; }
- if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; }
if ($_POST['http_inspect_memcap'] != "") { $natent['http_inspect_memcap'] = $_POST['http_inspect_memcap']; }else{ $natent['http_inspect_memcap'] = "150994944"; }
- if ($_POST['stream5_overlap_limit'] != "") { $natent['stream5_overlap_limit'] = $_POST['stream5_overlap_limit']; }else{ $natent['stream5_overlap_limit'] = "0"; }
- if ($_POST['stream5_policy'] != "") { $natent['stream5_policy'] = $_POST['stream5_policy']; }else{ $natent['stream5_policy'] = "bsd"; }
+ if ($_POST['http_inspect_max_gzip_mem'] != "") { $natent['http_inspect_max_gzip_mem'] = $_POST['http_inspect_max_gzip_mem']; }else{ $natent['http_inspect_max_gzip_mem'] = "838860"; }
if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = "8388608"; }
- if ($_POST['stream5_tcp_timeout'] != "") { $natent['stream5_tcp_timeout'] = $_POST['stream5_tcp_timeout']; }else{ $natent['stream5_tcp_timeout'] = "30"; }
+ if ($_POST['stream5_prune_log_max'] != "") { $natent['stream5_prune_log_max'] = $_POST['stream5_prune_log_max']; }else{ $natent['stream5_prune_log_max'] = "1048576"; }
if ($_POST['stream5_udp_timeout'] != "") { $natent['stream5_udp_timeout'] = $_POST['stream5_udp_timeout']; }else{ $natent['stream5_udp_timeout'] = "30"; }
if ($_POST['stream5_icmp_timeout'] != "") { $natent['stream5_icmp_timeout'] = $_POST['stream5_icmp_timeout']; }else{ $natent['stream5_icmp_timeout'] = "30"; }
- if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = "1048576"; }
- if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = "2621"; }
+ if ($_POST['stream5_max_tcp'] != "") { $natent['stream5_max_tcp'] = $_POST['stream5_max_tcp']; }else{ $natent['stream5_max_tcp'] = "262144"; }
+ if ($_POST['stream5_max_udp'] != "") { $natent['stream5_max_udp'] = $_POST['stream5_max_udp']; }else{ $natent['stream5_max_udp'] = "131072"; }
+ if ($_POST['stream5_max_icmp'] != "") { $natent['stream5_max_icmp'] = $_POST['stream5_max_icmp']; }else{ $natent['stream5_max_icmp'] = "65536"; }
if ($_POST['pscan_protocol'] != "") { $natent['pscan_protocol'] = $_POST['pscan_protocol']; }else{ $natent['pscan_protocol'] = "all"; }
if ($_POST['pscan_type'] != "") { $natent['pscan_type'] = $_POST['pscan_type']; }else{ $natent['pscan_type'] = "all"; }
if ($_POST['pscan_memcap'] != "") { $natent['pscan_memcap'] = $_POST['pscan_memcap']; }else{ $natent['pscan_memcap'] = "10000000"; }
if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; }
- if ($_POST['frag3_overlap_limit'] != "") { $natent['frag3_overlap_limit'] = $_POST['frag3_overlap_limit']; }else{ $natent['frag3_overlap_limit'] = "0"; }
- if ($_POST['frag3_min_frag_len'] != "") { $natent['frag3_min_frag_len'] = $_POST['frag3_min_frag_len']; }else{ $natent['frag3_min_frag_len'] = "0"; }
- if ($_POST['frag3_policy'] != "") { $natent['frag3_policy'] = $_POST['frag3_policy']; }else{ $natent['frag3_policy'] = "bsd"; }
+ if ($_POST['pscan_ignore_scanners'] != "") { $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; }else{ $natent['pscan_ignore_scanners'] = ""; }
if ($_POST['frag3_max_frags'] != "") { $natent['frag3_max_frags'] = $_POST['frag3_max_frags']; }else{ $natent['frag3_max_frags'] = "8192"; }
if ($_POST['frag3_memcap'] != "") { $natent['frag3_memcap'] = $_POST['frag3_memcap']; }else{ $natent['frag3_memcap'] = "4194304"; }
- if ($_POST['frag3_timeout'] != "") { $natent['frag3_timeout'] = $_POST['frag3_timeout']; }else{ $natent['frag3_timeout'] = "60"; }
-
- if ($_POST['pscan_ignore_scanners'])
- $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners'];
- else
- unset($natent['pscan_ignore_scanners']);
+ if ($_POST['ftp_telnet_inspection_type'] != "") { $natent['ftp_telnet_inspection_type'] = $_POST['ftp_telnet_inspection_type']; }else{ $natent['ftp_telnet_inspection_type'] = "stateful"; }
+ if ($_POST['ftp_telnet_ayt_attack_threshold'] != "") { $natent['ftp_telnet_ayt_attack_threshold'] = $_POST['ftp_telnet_ayt_attack_threshold']; }else{ $natent['ftp_telnet_ayt_attack_threshold'] = "20"; }
+ if ($_POST['sdf_alert_threshold'] != "") { $natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold']; }else{ $natent['sdf_alert_threshold'] = "25"; }
$natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off';
$natent['host_attribute_table'] = $_POST['host_attribute_table'] ? 'on' : 'off';
$natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off';
- $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off';
- $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off';
- $natent['http_inspect_log_hostname'] = $_POST['http_inspect_log_hostname'] ? 'on' : 'off';
- $natent['noalert_http_inspect'] = $_POST['noalert_http_inspect'] ? 'on' : 'off';
+ $natent['http_inspect_proxy_alert'] = $_POST['http_inspect_proxy_alert'] ? 'on' : 'off';
$natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off';
$natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off';
+ $natent['ftp_telnet_alert_encrypted'] = $_POST['ftp_telnet_alert_encrypted'] ? 'on' : 'off';
+ $natent['ftp_telnet_check_encrypted'] = $_POST['ftp_telnet_check_encrypted'] ? 'on' : 'off';
+ $natent['ftp_telnet_normalize'] = $_POST['ftp_telnet_normalize'] ? 'on' : 'off';
+ $natent['ftp_telnet_detect_anomalies'] = $_POST['ftp_telnet_detect_anomalies'] ? 'on' : 'off';
$natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off';
$natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off';
$natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off';
$natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off';
$natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off';
+ $natent['sdf_alert_data_type'] = implode(",",$_POST['sdf_alert_data_type']);
+ $natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold'];
+ $natent['sdf_mask_output'] = $_POST['sdf_mask_output'] ? 'on' : 'off';
$natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off';
$natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off';
$natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off';
@@ -343,28 +500,20 @@ elseif ($_POST['Submit']) {
$natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off';
$natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off';
$natent['stream5_reassembly'] = $_POST['stream5_reassembly'] ? 'on' : 'off';
+ $natent['stream5_flush_on_alert'] = $_POST['stream5_flush_on_alert'] ? 'on' : 'off';
$natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off';
$natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off';
$natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off';
- $natent['stream5_require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off';
- $natent['stream5_no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off';
- $natent['stream5_dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off';
/* If 'preproc_auto_rule_disable' is off, then clear log file */
if ($natent['preproc_auto_rule_disable'] == 'off')
@unlink("{$disabled_rules_log}");
- if (isset($id) && $a_nat[$id])
+ if (isset($id) && $a_nat[$id]) {
$a_nat[$id] = $natent;
- else {
- if (is_numeric($after))
- array_splice($a_nat, $after+1, 0, array($natent));
- else
- $a_nat[] = $natent;
+ write_config();
}
- write_config();
-
/* Set flag to rebuild rules for this interface */
$rebuild_rules = true;
@@ -436,7 +585,7 @@ if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_d
$input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. Data may be entered manually or imported from a suitable file.");
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Preprocessors and Flow");
include_once("head.inc");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="enable_change_all()">
@@ -546,7 +695,7 @@ include_once("head.inc");
<?php if (file_exists($disabled_rules_log) && filesize($disabled_rules_log) > 0): ?>
<tr>
<td width="3%">&nbsp;</td>
- <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600)"/>
+ <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600);">
&nbsp;&nbsp;&nbsp;<?php echo gettext("Click to view the list of currently auto-disabled rules"); ?></td>
</tr>
<?php endif; ?>
@@ -554,7 +703,7 @@ include_once("head.inc");
</td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Host Attribute Table Settings"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Host Attribute Table"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
@@ -564,13 +713,11 @@ include_once("head.inc");
<?php echo gettext("Use a Host Attribute Table file to auto-configure applicable preprocessors. " .
"Default is "); ?><strong><?php echo gettext("Not Checked"); ?></strong>.</td>
</tr>
- <tr>
+ <tr id="host_attrib_table_data_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Host Attribute Data"); ?></td>
<td width="78%" class="vtable"><strong><?php echo gettext("Import From File"); ?></strong><br/>
- <input name="host_attribute_file" type="file" class="formfld unknown" value="on" id="host_attribute_file" size="40"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>>&nbsp;&nbsp;
- <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>><br/>
+ <input name="host_attribute_file" type="file" class="formfld file" value="on" id="host_attribute_file" size="40">&nbsp;&nbsp;
+ <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn"><br/>
<?php echo gettext("Choose the Host Attributes file to use for auto-configuration."); ?><br/><br/>
<span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span>
<?php echo gettext("The Host Attributes file has a required format. See the "); ?><a href="http://manual.snort.org/" target="_blank">
@@ -580,9 +727,8 @@ include_once("head.inc");
<a href="http://code.google.com/p/hogger/" target="_blank"><?php echo gettext("Hogger"); ?></a><?php echo gettext(" or "); ?>
<a href="http://gamelinux.github.io/prads/" target="_blank"><?php echo gettext("PRADS"); ?></a><?php echo gettext(" can be used to " .
"scan networks and automatically generate a suitable Host Attribute Table file for import."); ?><br/><br/>
- <input type="submit" id="btn_edit_hat" name="btn_edit_hat" value="<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext(" Edit ");} else {echo gettext("Create");} ?>"
- class="formbtn"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>>&nbsp;&nbsp;
+ <input type="submit" id="btn_edit_hat" name="btn_edit_hat" value="<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext(" Edit ");}
+ else {echo gettext("Create");} ?>" class="formbtn">&nbsp;&nbsp;
<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext("Click to View or Edit the Host Attribute data.");}
else {echo gettext("Click to Create Host Attribute data manually.");}
if ($pconfig['host_attribute_table']=="on" && empty($pconfig['host_attribute_data'])){
@@ -590,14 +736,13 @@ include_once("head.inc");
gettext("No Host Attribute Data loaded - import from a file or enter it manually.");
} ?></td>
</tr>
- <tr>
+ <tr id="host_attrib_table_maxhosts_row">
<td valign="top" class="vncell"><?php echo gettext("Maximum Hosts"); ?></td>
<td class="vtable">
<table cellpadding="0" cellspacing="0">
<tr>
- <td><input name="max_attribute_hosts" type="text" class="formfld" id="max_attribute_hosts" size="6"
- value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>>&nbsp;&nbsp;
+ <td><input name="max_attribute_hosts" type="text" class="formfld unknown" id="max_attribute_hosts" size="9"
+ value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>">&nbsp;&nbsp;
<?php echo gettext("Max number of hosts to read from the Attribute Table. Min is ") .
"<strong>" . gettext("32") . "</strong>" . gettext(" and Max is ") . "<strong>" .
gettext("524288") . "</strong>"; ?>.</td>
@@ -608,14 +753,13 @@ include_once("head.inc");
"Default is ") . "<strong>" . gettext("10000") . "</strong>"; ?>.<br/>
</td>
</tr>
- <tr>
+ <tr id="host_attrib_table_maxsvcs_row">
<td valign="top" class="vncell"><?php echo gettext("Maximum Services Per Host"); ?></td>
<td class="vtable">
<table cellpadding="0" cellspacing="0">
<tr>
- <td><input name="max_attribute_services_per_host" type="text" class="formfld" id="max_attribute_services_per_host" size="6"
- value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>>&nbsp;&nbsp;
+ <td><input name="max_attribute_services_per_host" type="text" class="formfld unknown" id="max_attribute_services_per_host" size="9"
+ value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>">&nbsp;&nbsp;
<?php echo gettext("Max number of per host services to read from the Attribute Table. Min is ") .
"<strong>" . gettext("1") . "</strong>" . gettext(" and Max is ") . "<strong>" .
gettext("65535") . "</strong>"; ?>.</td>
@@ -627,250 +771,185 @@ include_once("head.inc");
</td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Protocol Aware Flushing Setting"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Protocol Aware Flushing"); ?></td>
</tr>
<tr>
<td valign="top" class="vncell"><?php echo gettext("Protocol Aware Flushing Maximum PDU"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="max_paf" type="text" class="formfld" id="max_paf" size="6"
- value="<?=htmlspecialchars($pconfig['max_paf']);?>">&nbsp;&nbsp;
- <?php echo gettext("Max number of PDUs to be reassembled into a single PDU. Min is ") .
- "<strong>" . gettext("0") . "</strong>" . gettext(" (off) and Max is ") . "<strong>" .
- gettext("63780") . "</strong>"; ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be " .
- "reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets. " .
- "Default is ") . "<strong>" . gettext("16000") . "</strong>. " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.<br/>
+ <input name="max_paf" type="text" class="formfld unknown" id="max_paf" size="9"
+ value="<?=htmlspecialchars($pconfig['max_paf']);?>">&nbsp;
+ <?php echo gettext("Max number of PDUs to be reassembled into a single PDU. Min is ") .
+ "<strong>" . gettext("0") . "</strong>" . gettext(" (off) and Max is ") . "<strong>" .
+ gettext("63780") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("Multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be " .
+ "reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets. " .
+ "Default is ") . "<strong>" . gettext("16000") . "</strong>. " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.<br/>
</td>
</tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect Settings"); ?></td>
+ <tr id="httpinspect_row">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="http_inspect"
type="checkbox" value="on" id="http_inspect" onclick="http_inspect_enable_change();"
- <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?>>
- <?php echo gettext("Use HTTP Inspect to " .
- "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?>
+ <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked";?>>
+ <?php echo gettext("Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is ");?>
<strong><?php echo gettext("Checked"); ?></strong>.</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable XFF/True-Client-IP"); ?></td>
- <td width="78%" class="vtable"><input name="http_inspect_enable_xff"
- type="checkbox" value="on" id="http_inspect_enable_xff"
- <?php if ($pconfig['http_inspect_enable_xff']=="on") echo "checked"; ?>>
- <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " .
- "HTTP headers. Default is "); ?>
- <strong><?php echo gettext("Not Checked"); ?></strong>.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable URI Logging"); ?></td>
- <td width="78%" class="vtable"><input name="http_inspect_log_uri"
- type="checkbox" value="on" id="http_inspect_log_uri"
- <?php if ($pconfig['http_inspect_log_uri']=="on") echo "checked"; ?>>
- <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." .
- " Default is "); ?>
- <strong><?php echo gettext("Not Checked"); ?></strong>.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Hostname Logging"); ?></td>
- <td width="78%" class="vtable"><input name="http_inspect_log_hostname"
- type="checkbox" value="on" id="http_inspect_log_hostname"
- <?php if ($pconfig['http_inspect_log_hostname']=="on") echo "checked"; ?>>
- <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." .
- " Default is "); ?>
- <strong><?php echo gettext("Not Checked"); ?></strong>.</td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("HTTP Inspect Memory Cap"); ?></td>
+ <tr id="httpinspect_proxyalert_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Proxy Alert"); ?></td>
+ <td width="78%" class="vtable"><input name="http_inspect_proxy_alert"
+ type="checkbox" value="on" id="http_inspect_proxy_alert"
+ <?php if ($pconfig['http_inspect_proxy_alert']=="on") echo "checked";?>>
+ <?php echo gettext("Enable global alerting on HTTP server proxy usage. Default is ");?>
+ <strong><?php echo gettext("Not Checked"); ?></strong>.<br/><br/><span class="red"><strong>
+ <?php echo gettext("Note: ") . "</strong></span>" . gettext("By adding Server Configurations below and enabling " .
+ "the 'allow_proxy_use' parameter within them, alerts will be generated for web users that aren't using the configured " .
+ "proxies or are using a rogue proxy server.") . "<br/><br/><span class=\"red\"><strong>" . gettext("Warning: ") .
+ "</strong></span>" . gettext("If users are not required to configure web proxy use, you may get a lot " .
+ "of proxy alerts. Only use this feature with traditional proxy environments. Blind firewall proxies don't count!");?>
+ </td>
+ </tr>
+ <tr id="httpinspect_memcap_row">
+ <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="http_inspect_memcap" type="text" class="formfld"
- id="http_inspect_memcap" size="6"
- value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>">&nbsp;&nbsp;
- <?php echo gettext("Max memory in bytes to use for URI and Hostname logging. Min is ") .
- "<strong>" . gettext("2304") . "</strong>" . gettext(" and Max is ") . "<strong>" .
- gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Maximum amount of memory the preprocessor will use for logging the URI and Hostname data. The default " .
- "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . gettext(" (144 MB)."); ?>
- <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") .
- gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>.<br/>
+ <input name="http_inspect_memcap" type="text" class="formfld unknown"
+ id="http_inspect_memcap" size="9"
+ value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>">&nbsp;
+ <?php echo gettext("Maximum memory in bytes to use for URI and Hostname logging. The Minimum value is ") .
+ "<strong>" . gettext("2304") . "</strong>" . gettext(" and the Maximum is ") . "<strong>" .
+ gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.<br/><br/>
+ <?php echo gettext("Sets the maximum amount of memory the preprocessor will use for logging the URI and Hostname data. The default " .
+ "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . gettext(" (144 MB)."); ?>
+ <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") .
+ gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>.
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td>
+ <tr id="httpinspect_maxgzipmem_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum gzip Memory"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="server_flow_depth" type="text" class="formfld"
- id="server_flow_depth" size="6"
- value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>">&nbsp;&nbsp;<?php echo gettext("<strong>-1</strong> " .
- "to <strong>65535</strong> (<strong>-1</strong> disables HTTP " .
- "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td>
- </tr>
- </table>
- <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's " .
- "performance may increase by adjusting this value."); ?><br/>
- <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " .
- "are specified in bytes. Recommended setting is maximum (65535). Default value is <strong>300</strong>"); ?><br/>
+ <input name="http_inspect_max_gzip_mem" type="text" class="formfld unknown"
+ id="http_inspect_memcap" size="9"
+ value="<?=htmlspecialchars($pconfig['http_inspect_max_gzip_mem']);?>">&nbsp;
+ <?php echo gettext("Maximum memory in bytes to use for decompression. The Minimum value is ") .
+ "<strong>" . gettext("3276") . "</strong>";?>.<br/><br/>
+ <?php echo gettext("The default value is ") . "<strong>" . gettext("838860") . "</strong>" . gettext(" bytes.");?>
+ <?php echo gettext(" This option determines the number of concurrent sessions that can be decompressed at any given instant.");?>
</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP server profile"); ?> </td>
- <td width="78%" class="vtable">
- <select name="http_server_profile" class="formselect" id="http_server_profile">
- <?php
- $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0');
- foreach ($profile as $val): ?>
- <option value="<?=strtolower($val);?>"
- <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>>
- <?=gettext($val);?></option>
- <?php endforeach; ?>
- </select>&nbsp;&nbsp;<?php echo gettext("Choose the profile type of the protected web server. The default is ") .
- "<strong>" . gettext("All") . "</strong>"; ?><br/>
- <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") .
- gettext("double decoding vulnerability present in those versions."); ?><br/>
- </td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("HTTP client flow depth"); ?></td>
+ <tr id="httpinspect_engconf_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Configuration"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="client_flow_depth" type="text" class="formfld"
- id="client_flow_depth" size="6"
- value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " .
- "to <strong>1460</strong> (<strong>-1</strong> disables HTTP " .
- "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td>
- </tr>
- </table>
- <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " .
- "performance may increase by adjusting this value."); ?><br/>
- <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " .
- "are specified in bytes. Recommended setting is maximum (1460). Default value is <strong>300</strong>"); ?><br/>
+ <table width="95%" align="left" id="httpinspectEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Server Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=http_inspect_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"></a>
+ <a href="snort_httpinspect_engine.php?id=<?=$id?>&eng_id=<?=$http_inspect_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new server configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['http_inspect_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_httpinspect_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this server configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_http_inspect" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this server configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default server configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td>
- <td width="78%" class="vtable"><input name="noalert_http_inspect"
- type="checkbox" value="on" id="noalert_http_inspect"
- <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?>
- onClick="enable_change(false);"> <?php echo gettext("Turn off alerts from HTTP Inspect " .
- "preprocessor. This has no effect on HTTP rules. Default is "); ?>
- <strong><?php echo gettext("Checked"); ?></strong>.</td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Settings"); ?></td>
+ <tr id="frag3_row">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Target-Based IP Defragmentation"); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable");?></td>
<td width="78%" class="vtable"><input name="frag3_detection" type="checkbox" value="on" onclick="frag3_enable_change();"
- <?php if ($pconfig['frag3_detection']=="on") echo "checked "; ?>
- onClick="enable_change(false)">
+ <?php if ($pconfig['frag3_detection']=="on") echo "checked";?>>
<?php echo gettext("Use Frag3 Engine to detect IDS evasion attempts via target-based IP packet fragmentation. Default is ") .
- "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ "<strong>" . gettext("Checked") . "</strong>.";?></td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
- <td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_memcap" type="text" class="formfld"
- id="frag3_memcap" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>">
- <?php echo gettext("Memory cap (in bytes) for self preservation."); ?>.</td>
- </tr>
- </table>
+ <tr id="frag3_memcap_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Memory Cap");?></td>
+ <td width="78%" class="vtable"><input name="frag3_memcap" type="text" class="formfld unknown" id="frag3_memcap" size="9" value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>">
+ <?php echo gettext("Memory cap (in bytes) for self preservation.");?><br/>
<?php echo gettext("The maximum amount of memory allocated for Frag3 fragment reassembly. Default value is ") .
- "<strong>" . gettext("4MB") . "</strong>"; ?>.<br/>
+ "<strong>" . gettext("4MB") . "</strong>."; ?>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td>
- <td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_max_frags" type="text" class="formfld"
- id="frag3_max_frags" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>">
- <?php echo gettext("Maximum simultaneous fragments to track."); ?></td>
- </tr>
- </table>
+ <tr id="frag3_maxfrags_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td>
+ <td width="78%" class="vtable"><input name="frag3_max_frags" type="text" class="formfld unknown" id="frag3_max_frags" size="9" value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>">
+ <?php echo gettext("Maximum simultaneous fragments to track.");?>.<br/>
<?php echo gettext("The maximum number of simultaneous fragments to track. Default value is ") .
- "<strong>8192</strong>."; ?><br/>
- </td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td>
- <td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_overlap_limit" type="text" class="formfld"
- id="frag3_overlap_limit" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_overlap_limit']);?>">
- <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), values greater than zero set the overlapped fragments per packet limit."); ?></td>
- </tr>
- </table>
- <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") .
- "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/>
- </td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td>
- <td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_min_frag_len" type="text" class="formfld"
- id="frag3_min_frag_len" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_min_frag_len']);?>">
- <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Fragments smaller than or equal to this limit are considered malicious."); ?></td>
- </tr>
- </table>
- <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. Default value is ") .
- "<strong>0</strong>" . gettext(" (check is disabled)."); ?><br/>
+ "<strong>8192</strong>.";?>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td>
+ <tr id="frag3_engconf_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Engine Configuration"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_timeout" type="text" class="formfld"
- id="frag3_timeout" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_timeout']);?>">
- <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?></td>
- </tr>
- </table>
- <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") .
- "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/>
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td>
- <td width="78%" class="vtable">
- <select name="frag3_policy" class="formselect" id="frag3_policy">
- <?php
- $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' );
- foreach ($profile as $val): ?>
- <option value="<?=strtolower($val);?>"
- <?php if (strtolower($val) == $pconfig['frag3_policy']) echo "selected"; ?>>
- <?=gettext($val);?></option>
- <?php endforeach; ?>
- </select>&nbsp;&nbsp;<?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") .
- "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/>
- <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/>
+ <table width="95%" align="left" id="frag3EnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=frag3_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import engine configuration from existing Aliases");?>"></a>
+ <a href="snort_frag3_engine.php?id=<?=$id?>&eng_id=<?=$frag3_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new engine configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['frag3_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_frag3_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this engine configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_frag3" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this engine configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default engine configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
</td>
</tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td>
+ <tr id="stream5_row">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Target-Based Stream Reassembly"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
@@ -879,182 +958,155 @@ include_once("head.inc");
<?php echo gettext("Use Stream5 session reassembly for TCP, UDP and/or ICMP traffic. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
- <tr>
+ <tr id="stream5_flushonalert_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Flush On Alert"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_flush_on_alert" type="checkbox" value="on"
+ <?php if ($pconfig['stream5_flush_on_alert']=="on") echo "checked"; ?>>
+ <?php echo gettext("Flush a TCP stream when an alert is generated on that stream. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong><br/><span class=\"red\"><strong>" .
+ gettext("Note: ") . "</strong></span>" . gettext("This parameter is for backwards compatibility.");?></td>
+ </tr>
+ <tr id="stream5_prunelogmax_row">
+ <td valign="top" class="vncell"><?php echo gettext("Prune Log Max"); ?></td>
+ <td class="vtable">
+ <input name="stream5_prune_log_max" type="text" class="formfld unknown" id="stream5_prune_log_max" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_prune_log_max']);?>">
+ <?php echo gettext("Prune Log Max Bytes. Minimum can be either ") . "<strong>0</strong>" . gettext(" (disabled), or if not disabled, ") .
+ "<strong>1024</strong>" . gettext(". Maximum is ") . "<strong>" . gettext("1073741824") . "</strong>";?>.
+ <?php echo gettext("Logs a message when a session terminates that was using more than the specified number of bytes. Default value is ") .
+ "<strong>1048576</strong>" . gettext(" bytes."); ?><br/>
+ </td>
+ </tr>
+ <tr id="stream5_proto_tracking_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol Tracking"); ?></td>
<td width="78%" class="vtable">
<input name="stream5_track_tcp" type="checkbox" value="on" id="stream5_track_tcp"
- <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?> onclick="stream5_track_tcp_enable_change();">
<?php echo gettext("Track and reassemble TCP sessions. Default is ") .
"<strong>" . gettext("Checked") . "</strong>."; ?>
<br/>
<input name="stream5_track_udp" type="checkbox" value="on" id="stream5_track_udp"
- <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?> onclick="stream5_track_udp_enable_change();">
<?php echo gettext("Track and reassemble UDP sessions. Default is ") .
"<strong>" . gettext("Checked") . "</strong>."; ?>
<br/>
<input name="stream5_track_icmp" type="checkbox" value="on" id="stream5_track_icmp"
- <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?> onclick="stream5_track_icmp_enable_change();">
<?php echo gettext("Track and reassemble ICMP sessions. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong>."; ?>
</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td>
- <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on"
- <?php if ($pconfig['stream5_require_3whs']=="on") echo "checked "; ?>>
- <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") .
- "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td>
- <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on"
- <?php if ($pconfig['stream5_no_reassemble_async']=="on") echo "checked "; ?>>
- <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") .
- "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td>
- <td width="78%" class="vtable">
- <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on"
- <?php if ($pconfig['stream5_dont_store_lg_pkts']=="on") echo "checked"; ?>>
- <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") .
- "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
- <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" .
- gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?></td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Max Queued Bytes"); ?></td>
+ <tr id="stream5_maxudp_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum UDP Sessions"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="max_queued_bytes" type="text" class="formfld"
- id="max_queued_bytes" size="6"
- value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>">
- <?php echo gettext("Minimum is <strong>1024</strong>, Maximum is <strong>1073741824</strong> " .
- "( default value is <strong>1048576</strong>, <strong>0</strong> " .
- "means Maximum )"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("The number of bytes to be queued for reassembly for TCP sessions in " .
- "memory. Default value is <strong>1048576</strong>"); ?>.<br/>
+ <input name="stream5_max_udp" type="text" class="formfld unknown" id="stream5_max_udp" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_max_udp']);?>">
+ <?php echo gettext("Maximum concurrent UDP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>" . gettext("1048576") . "</strong>.";?><br/>
+ <?php echo gettext("Sets the maximum number of concurrent UDP sessions that will be tracked. Default value is ") .
+ "<strong>" . gettext("131072") . "</strong>."; ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Max Queued Segs"); ?></td>
+ <tr id="stream5_udp_sess_timeout_row">
+ <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="max_queued_segs" type="text" class="formfld"
- id="max_queued_segs" size="6"
- value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>">
- <?php echo gettext("Minimum is <strong>2</strong>, Maximum is <strong>1073741824</strong> " .
- "( default value is <strong>2621</strong>, <strong>0</strong> means " .
- "Maximum )"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("The number of segments to be queued for reassembly for TCP sessions " .
- "in memory. Default value is <strong>2621</strong>"); ?>.<br/>
+ <input name="stream5_udp_timeout" type="text" class="formfld unknown" id="stream5_udp_timeout" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>">
+ <?php echo gettext("UDP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>" . gettext("86400") . "</strong>" . gettext(" (1 day).");?><br/>
+ <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") .
+ "<strong>" . gettext("30") . "</strong>" . gettext(" seconds."); ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
+ <tr id="stream5_maxicmp_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum ICMP Sessions"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_mem_cap" type="text" class="formfld"
- id="stream5_mem_cap" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>">
- <?php echo gettext("Minimum is <strong>32768</strong>, Maximum is <strong>1073741824</strong> " .
- "( default value is <strong>8388608</strong>) "); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("The memory cap in bytes for TCP packet storage " .
- "in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?>.<br/>
+ <input name="stream5_max_icmp" type="text" class="formfld unknown" id="stream5_max_icmp" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_max_icmp']);?>">
+ <?php echo gettext("Maximum concurrent ICMP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>" . gettext("1048576") . "</strong>.";?><br/>
+ <?php echo gettext("Sets the maximum number of concurrent ICMP sessions that will be tracked. Default value is ") .
+ "<strong>" . gettext("65536") . "</strong>."; ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td>
+ <tr id="stream5_icmp_sess_timeout_row">
+ <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_overlap_limit" type="text" class="formfld"
- id="stream5_overlap_limit" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_overlap_limit']);?>">
- <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), and the maximum is ") .
- "<strong>255</strong>."; ?></td>
- </tr>
- </table>
- <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") .
- "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/>
+ <input name="stream5_icmp_timeout" type="text" class="formfld unknown" id="stream5_icmp_timeout" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>">
+ <?php echo gettext("ICMP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>86400</strong>" . gettext(" (1 day).");?><br/>
+ <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") .
+ "<strong>" . gettext("30") . "</strong>" . gettext(" seconds."); ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("TCP Session Timeout"); ?></td>
+ <tr id="stream5_maxtcp_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum TCP Sessions"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_tcp_timeout" type="text" class="formfld"
- id="stream5_tcp_timeout" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_tcp_timeout']);?>">
- <?php echo gettext("TCP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") .
- "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") .
- "<strong>30</strong>" . gettext(" seconds."); ?><br/>
+ <input name="stream5_max_tcp" type="text" class="formfld unknown" id="stream5_max_tcp" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_max_tcp']);?>">
+ <?php echo gettext("Maximum concurrent TCP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>" . gettext("1048576") . "</strong>.";?><br/>
+ <?php echo gettext("Sets the maximum number of concurrent TCP sessions that will be tracked. Default value is ") .
+ "<strong>" . gettext("262144") . "</strong>."; ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td>
+ <tr id="stream5_tcp_memcap_row">
+ <td valign="top" class="vncell"><?php echo gettext("TCP Memory Cap"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_udp_timeout" type="text" class="formfld"
- id="stream5_udp_timeout" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>">
- <?php echo gettext("UDP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") .
- "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") .
- "<strong>30</strong>" . gettext(" seconds."); ?><br/>
+ <input name="stream5_mem_cap" type="text" class="formfld unknown" id="stream5_mem_cap" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>">
+ <?php echo gettext("Memory for TCP packet storage. Min is ") . "<strong>" . gettext("32768") . "</strong>" .
+ gettext(" and Max is ") . "<strong>" . gettext("1073741824") . "</strong>" .
+ gettext(" bytes.");?><br/>
+ <?php echo gettext("The memory cap in bytes for TCP packet storage " .
+ "in RAM. Default value is ") . "<strong>" . gettext("8388608") . "</strong>" . gettext(" (8 MB)"); ?>.<br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td>
+ <tr id="stream5_tcp_engconf_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Engine Configuration"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_icmp_timeout" type="text" class="formfld"
- id="stream5_icmp_timeout" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>">
- <?php echo gettext("ICMP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") .
- "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") .
- "<strong>30</strong>" . gettext(" seconds."); ?><br/>
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("IP Target Policy"); ?></td>
- <td width="78%" class="vtable">
- <select name="stream5_policy" class="formselect" id="stream5_policy">
- <?php
- $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux',
- 'Solaris', 'Vista', 'Windows', 'Win2003' );
- foreach ($profile as $val): ?>
- <option value="<?=strtolower($val);?>"
- <?php if (strtolower($val) == $pconfig['stream5_policy']) echo "selected"; ?>>
- <?=gettext($val);?></option>
- <?php endforeach; ?>
- </select>&nbsp;&nbsp;<?php echo gettext("Choose the TCP reassembly target policy appropriate for the protected hosts. The default is ") .
- "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/>
- <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/>
+ <table width="95%" align="left" id="stream5EnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=stream5_tcp_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import TCP engine configuration from existing Aliases");?>"></a>
+ <a href="snort_stream5_engine.php?id=<?=$id?>&eng_id=<?=$stream5_tcp_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new TCP engine configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['stream5_tcp_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_stream5_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this TCP engine configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_stream5_tcp" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this TCP engine configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default engine configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
</td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Detection"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
@@ -1064,7 +1116,7 @@ include_once("head.inc");
<?php echo gettext("Use Portscan Detection to detect various types of port scans and sweeps. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
</tr>
- <tr>
+ <tr id="portscan_protocol_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol"); ?> </td>
<td width="78%" class="vtable">
<select name="pscan_protocol" class="formselect" id="pscan_protocol">
@@ -1079,7 +1131,7 @@ include_once("head.inc");
"<strong>" . gettext("all") . "</strong>."; ?><br/>
</td>
</tr>
- <tr>
+ <tr id="portscan_type_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Scan Type"); ?> </td>
<td width="78%" class="vtable">
<select name="pscan_type" class="formselect" id="pscan_type">
@@ -1111,7 +1163,7 @@ include_once("head.inc");
</table>
</td>
</tr>
- <tr>
+ <tr id="portscan_sensitivity_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td>
<td width="78%" class="vtable">
<select name="pscan_sense_level" class="formselect" id="pscan_sense_level">
@@ -1140,13 +1192,13 @@ include_once("head.inc");
</table>
</td>
</tr>
- <tr>
+ <tr id="portscan_memcap_row">
<td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
<td class="vtable">
<table cellpadding="0" cellspacing="0">
<tr>
- <td><input name="pscan_memcap" type="text" class="formfld"
- id="pscan_memcap" size="6"
+ <td class="vexpl"><input name="pscan_memcap" type="text" class="formfld unknown"
+ id="pscan_memcap" size="9"
value="<?=htmlspecialchars($pconfig['pscan_memcap']);?>">
<?php echo gettext("Maximum memory in bytes to allocate for portscan detection. ") .
gettext("Default is ") . "<strong>" . gettext("10000000") . "</strong>" .
@@ -1158,17 +1210,231 @@ include_once("head.inc");
"<strong>10,000,000</strong>" . gettext(" bytes. (10 MB)"); ?><br/>
</td>
</tr>
- <tr>
+ <tr id="portscan_ignorescanners_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?></td>
<td width="78%" class="vtable">
- <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners"
- value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>">&nbsp;&nbsp;<?php echo gettext("Leave blank for default. ") .
- gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.<br/>
- <?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?><br/>
+ <table width="95%" cellspacing="0" cellpadding="0" border="0">
+ <tr>
+ <td class="vexpl">
+ <input name="pscan_ignore_scanners" type="text" size="25" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners"
+ value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>">&nbsp;&nbsp;<?php echo gettext("Leave blank for default. ") .
+ gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.</td>
+ <td class="vexpl" align="right">
+ <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&type=host|network&varname=pscan_ignore_scanners&act=import&multi_ip=yes'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?></td>
+ </tr>
+ </table>
</td>
</tr>
+ <tr id="ftp_telnet_row">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("FTP and Telnet Global Options"); ?></td>
+ </tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> onclick="ftp_telnet_enable_change();">
+ <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_type">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspection Type"); ?> </td>
+ <td width="78%" class="vtable">
+ <select name="ftp_telnet_inspection_type" class="formselect" id="ftp_telnet_inspection_type">
+ <?php
+ $values = array('stateful', 'stateless');
+ foreach ($values as $val): ?>
+ <option value="<?=$val;?>"
+ <?php if ($val == $pconfig['ftp_telnet_inspection_type']) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;&nbsp;<?php echo gettext("Choose to operate in stateful or stateless mode. Default is ") .
+ "<strong>" . gettext("stateful") . "</strong>."; ?><br/>
+ </td>
+ </tr>
+ <tr id="ftp_telnet_row_encrypted_check">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Check Encrypted Traffic"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_check_encrypted" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_telnet_check_encrypted']=="on") echo "checked"; ?>>
+ <?php echo gettext("Continue to check an encrypted session for subsequent command to cease encryption. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_encrypted_alert">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert on Encrypted Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_alert_encrypted" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_telnet_alert_encrypted']=="on") echo "checked"; ?>>
+ <?php echo gettext("Alert on encrypted FTP and Telnet command channels. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_telnet_proto_opts">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Telnet Protocol Options"); ?></td>
+ </tr>
+ <tr id="ftp_telnet_row_normalize">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalization"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_normalize" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_telnet_normalize']=="on") echo "checked"; ?>>
+ <?php echo gettext("Normalize Telnet traffic by eliminating Telnet escape sequences. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_detect_anomalies">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_detect_anomalies" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_telnet_detect_anomalies']=="on") echo "checked"; ?>>
+ <?php echo gettext("Alert on Telnet subnegotiation begin without corresponding subnegotiation end. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_ayt_threshold">
+ <td valign="top" class="vncell"><?php echo gettext("AYT Attack Threshold"); ?></td>
+ <td class="vtable">
+ <input name="ftp_telnet_ayt_attack_threshold" type="text" class="formfld unknown" id="ftp_telnet_ayt_attack_threshold" size="9"
+ value="<?=htmlspecialchars($pconfig['ftp_telnet_ayt_attack_threshold']);?>">
+ <?php echo gettext("Are-You-There (AYT) command alert threshold. Enter ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" to disable. Default is ") . "<strong>" . gettext("20.") . "</strong>";?><br/>
+ <?php echo gettext("Alert when the number of consecutive Telnet AYT commands reaches the number specified.");?><br/>
+ </td>
+ </tr>
+ <tr id="ftp_telnet_row_ftp_proto_opts">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("FTP Protocol Options"); ?></td>
+ </tr>
+ <tr id="ftp_telnet_ftp_client_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Client Configuration"); ?></td>
+ <td class="vtable">
+ <table width="95%" align="left" id="FTPclientEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=ftp_client_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import client configuration from existing Aliases");?>"></a>
+ <a href="snort_ftp_client_engine.php?id=<?=$id?>&eng_id=<?=$ftp_client_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new FTP client configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['ftp_client_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_ftp_client_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this FTP client configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this FTP client configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default client configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
+ </td>
+ </tr>
+ <tr id="ftp_telnet_ftp_server_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Configuration"); ?></td>
+ <td class="vtable">
+ <table width="95%" align="left" id="FTPserverEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=ftp_server_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"></a>
+ <a href="snort_ftp_server_engine.php?id=<?=$id?>&eng_id=<?=$ftp_server_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new FTP Server configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['ftp_server_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_ftp_server_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this FTP server configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this FTP server configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default server configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Sensitive Data Detection"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="sensitive_data" type="checkbox" value="on" onclick="sensitive_data_enable_change();"
+ <?php if ($pconfig['sensitive_data'] == "on")
+ echo "checked";
+ elseif ($vrt_enabled == "off")
+ echo "disabled";
+ ?>>
+ <?php echo gettext("Sensitive data searches for credit card numbers, Social Security numbers and e-mail addresses in data."); ?>
+ <br/>
+ <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the ") .
+ "<a href=\"/snort/snort_interfaces_global.php\" title=\"" . gettext("Modify Snort global settings") . "\"/>" . gettext("Global Settings") . "</a>" . gettext(" tab."); ?>
+ </td>
+ </tr>
+ <tr id="sdf_alert_data_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect for"); ?> </td>
+ <td width="78%" class="vtable">
+ <select name="sdf_alert_data_type[]" class="formselect" id="sdf_alert_data_type" size="4" multiple="multiple">
+ <?php
+ $values = array('Credit Card', 'Email Addresses', 'U.S. Phone Numbers', 'U.S. Social Security Numbers');
+ foreach ($values as $val): ?>
+ <option value="<?=$val;?>"
+ <?php if (preg_match("/$val/",$pconfig['sdf_alert_data_type'])) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach; ?>
+ </select><br/><?php echo gettext("Choose which types of sensitive data to detect. Use CTRL + Click for multiple selections."); ?><br/>
+ </td>
+ </tr>
+ <tr id="sdf_alert_threshold_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Threshold"); ?></td>
+ <td width="78%" class="vtable"><input name="sdf_alert_threshold" type="text" class="formfld unknown" id="sdf_alert_threshold" size="9" value="<?=htmlspecialchars($pconfig['sdf_alert_threshold']);?>">
+ <?php echo gettext("Personally Identifiable Information (PII) combination alert threshold.");?><br/>
+ <?php echo gettext("This value sets the number of PII combinations required to trigger an alert. This should be set higher than the highest individual count in your \"sd_pattern\" rules. Default value is ") .
+ "<strong>" . gettext("25") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr id="sdf_mask_output_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Mask Output"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="sdf_mask_output" type="checkbox" value="on"
+ <?php if ($pconfig['sdf_mask_output'] == "on")
+ echo "checked";
+ ?>>
+ <?php echo gettext("Replace all but last 4 digits of PII with \"X\"s on credit card and Social Security Numbers. ") .
+ gettext("Default is ") . "<strong>" . gettext("Not Checked") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessors"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable RPC Decode and Back Orifice detector"); ?></td>
@@ -1178,13 +1444,6 @@ include_once("head.inc");
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable FTP and Telnet Normalizer"); ?></td>
- <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on"
- <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?>>
- <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") .
- "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
- </tr>
- <tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable POP Normalizer"); ?></td>
<td width="78%" class="vtable"><input name="pop_preproc" type="checkbox" value="on"
<?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>>
@@ -1216,7 +1475,7 @@ include_once("head.inc");
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SIP Detection"); ?></td>
<td width="78%" class="vtable"><input name="sip_preproc" type="checkbox" value="on"
<?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>>
- <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities. Default is ") .
+ <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
@@ -1235,7 +1494,7 @@ include_once("head.inc");
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNS Detection"); ?></td>
<td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on"
<?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>>
- <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects vulnerabilities. Default is ") .
+ <?php echo gettext("The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
@@ -1247,21 +1506,7 @@ include_once("head.inc");
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Sensitive Data"); ?></td>
- <td width="78%" class="vtable">
- <input name="sensitive_data" type="checkbox" value="on"
- <?php if ($pconfig['sensitive_data'] == "on")
- echo "checked";
- elseif ($vrt_enabled == "off")
- echo "disabled";
- ?>>
- <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?>
- <br/>
- <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?>
- </td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SCADA Preprocessor Settings"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SCADA Preprocessors"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Modbus Detection"); ?></td>
@@ -1315,6 +1560,7 @@ include_once("head.inc");
if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
foreach($config['aliases']['alias'] as $alias_name) {
if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ // Skip any Aliases that resolve to an empty string
if (trim(filter_expand_alias($alias_name['name'])) == "")
continue;
if($addrisfirst == 1) $aliasesaddr .= ",";
@@ -1334,6 +1580,8 @@ include_once("head.inc");
function createAutoSuggest() {
<?php
echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n";
+ echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_net'), new StateSuggestions(addressarray));\n";
+ echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_port'), new StateSuggestions(portsarray));\n";
?>
}
@@ -1350,41 +1598,125 @@ function frag3_enable_change() {
}
}
var endis = !(document.iform.frag3_detection.checked);
- document.iform.frag3_overlap_limit.disabled=endis;
- document.iform.frag3_min_frag_len.disabled=endis;
- document.iform.frag3_policy.disabled=endis;
- document.iform.frag3_max_frags.disabled=endis;
- document.iform.frag3_memcap.disabled=endis;
- document.iform.frag3_timeout.disabled=endis;
+
+ // Hide the "config engines" table if Frag3 disabled
+ if (endis) {
+ document.getElementById("frag3_engconf_row").style.display="none";
+ document.getElementById("frag3_memcap_row").style.display="none";
+ document.getElementById("frag3_maxfrags_row").style.display="none";
+ }
+ else {
+ document.getElementById("frag3_engconf_row").style.display="table-row";
+ document.getElementById("frag3_memcap_row").style.display="table-row";
+ document.getElementById("frag3_maxfrags_row").style.display="table-row";
+ }
}
function host_attribute_table_enable_change() {
var endis = !(document.iform.host_attribute_table.checked);
- document.iform.host_attribute_file.disabled=endis;
- document.iform.btn_import.disabled=endis;
- document.iform.btn_edit_hat.disabled=endis;
- document.iform.max_attribute_hosts.disabled=endis;
- document.iform.max_attribute_services_per_host.disabled=endis;
+
+ // Hide "Host Attribute Table" config rows if HAT disabled
+ if (endis) {
+ document.getElementById("host_attrib_table_data_row").style.display="none";
+ document.getElementById("host_attrib_table_maxhosts_row").style.display="none";
+ document.getElementById("host_attrib_table_maxsvcs_row").style.display="none";
+ }
+ else {
+ document.getElementById("host_attrib_table_data_row").style.display="table-row";
+ document.getElementById("host_attrib_table_maxhosts_row").style.display="table-row";
+ document.getElementById("host_attrib_table_maxsvcs_row").style.display="table-row";
+ }
+}
+
+function stream5_track_tcp_enable_change() {
+ var endis = !(document.iform.stream5_track_tcp.checked);
+
+ // Hide the "tcp_memcap and tcp_engconf" rows if stream5_track_tcp disabled
+ if (endis) {
+ document.getElementById("stream5_maxtcp_row").style.display="none";
+ document.getElementById("stream5_tcp_memcap_row").style.display="none";
+ document.getElementById("stream5_tcp_engconf_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_maxtcp_row").style.display="table-row";
+ document.getElementById("stream5_tcp_memcap_row").style.display="table-row";
+ document.getElementById("stream5_tcp_engconf_row").style.display="table-row";
+ }
+}
+
+function stream5_track_udp_enable_change() {
+ var endis = !(document.iform.stream5_track_udp.checked);
+
+ // Hide the "udp session timeout " row if stream5_track_udp disabled
+ if (endis) {
+ var msg = "WARNING: Stream5 UDP tracking is required by the Session Initiation Protocol (SIP) preprocessor! ";
+ msg = msg + "The SIP preprocessor will be automatically disabled if Stream5 UDP tracking is disabled.\n\n";
+ msg = msg + "Snort may fail to start because of rule options dependent on the SIP preprocessor. ";
+ msg = msg + "Are you sure you want to disable Stream5 UDP tracking?\n\n";
+ msg = msg + "Click OK to disable Stream5 UDP tracking, or CANCEL to quit.";
+ if (!confirm(msg))
+ return;
+ document.iform.sip_preproc.checked=false;
+ document.getElementById("stream5_maxudp_row").style.display="none";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_maxudp_row").style.display="table-row";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row";
+ }
+}
+
+function stream5_track_icmp_enable_change() {
+ var endis = !(document.iform.stream5_track_icmp.checked);
+
+ // Hide the "icmp session timeout " row if stream5_track_icmp disabled
+ if (endis) {
+ document.getElementById("stream5_maxicmp_row").style.display="none";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_maxicmp_row").style.display="table-row";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row";
+ }
}
function http_inspect_enable_change() {
var endis = !(document.iform.http_inspect.checked);
- document.iform.http_inspect_enable_xff.disabled=endis;
- document.iform.server_flow_depth.disabled=endis;
- document.iform.client_flow_depth.disabled=endis;
- document.iform.http_server_profile.disabled=endis;
document.iform.http_inspect_memcap.disabled=endis;
- document.iform.http_inspect_log_uri.disabled=endis;
- document.iform.http_inspect_log_hostname.disabled=endis;
+
+ // Hide the "icmp session timeout " row if stream5_track_icmp disabled
+ if (endis) {
+ document.getElementById("httpinspect_memcap_row").style.display="none";
+ document.getElementById("httpinspect_maxgzipmem_row").style.display="none";
+ document.getElementById("httpinspect_proxyalert_row").style.display="none";
+ document.getElementById("httpinspect_engconf_row").style.display="none";
+ }
+ else {
+ document.getElementById("httpinspect_memcap_row").style.display="table-row";
+ document.getElementById("httpinspect_maxgzipmem_row").style.display="table-row";
+ document.getElementById("httpinspect_proxyalert_row").style.display="table-row";
+ document.getElementById("httpinspect_engconf_row").style.display="table-row";
+ }
}
function sf_portscan_enable_change() {
var endis = !(document.iform.sf_portscan.checked);
- document.iform.pscan_protocol.disabled=endis;
- document.iform.pscan_type.disabled=endis;
- document.iform.pscan_memcap.disabled=endis;
- document.iform.pscan_sense_level.disabled=endis;
- document.iform.pscan_ignore_scanners.disabled=endis;
+
+ // Hide the portscan configuration rows if sf_portscan disabled
+ if (endis) {
+ document.getElementById("portscan_protocol_row").style.display="none";
+ document.getElementById("portscan_type_row").style.display="none";
+ document.getElementById("portscan_sensitivity_row").style.display="none";
+ document.getElementById("portscan_memcap_row").style.display="none";
+ document.getElementById("portscan_ignorescanners_row").style.display="none";
+ }
+ else {
+ document.getElementById("portscan_protocol_row").style.display="table-row";
+ document.getElementById("portscan_type_row").style.display="table-row";
+ document.getElementById("portscan_sensitivity_row").style.display="table-row";
+ document.getElementById("portscan_memcap_row").style.display="table-row";
+ document.getElementById("portscan_ignorescanners_row").style.display="table-row";
+ }
}
function stream5_enable_change() {
@@ -1419,43 +1751,129 @@ function stream5_enable_change() {
}
var endis = !(document.iform.stream5_reassembly.checked);
- document.iform.max_queued_bytes.disabled=endis;
- document.iform.max_queued_segs.disabled=endis;
- document.iform.stream5_mem_cap.disabled=endis;
- document.iform.stream5_policy.disabled=endis;
- document.iform.stream5_overlap_limit.disabled=endis;
- document.iform.stream5_no_reassemble_async.disabled=endis;
- document.iform.stream5_dont_store_lg_pkts.disabled=endis;
- document.iform.stream5_tcp_timeout.disabled=endis;
- document.iform.stream5_udp_timeout.disabled=endis;
- document.iform.stream5_icmp_timeout.disabled=endis;
+
+ // Hide the "stream5 conf" rows if stream5 disabled
+ if (endis) {
+ document.getElementById("stream5_tcp_memcap_row").style.display="none";
+ document.getElementById("stream5_tcp_engconf_row").style.display="none";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="none";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="none";
+ document.getElementById("stream5_proto_tracking_row").style.display="none";
+ document.getElementById("stream5_flushonalert_row").style.display="none";
+ document.getElementById("stream5_prunelogmax_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_tcp_memcap_row").style.display="table-row";
+ document.getElementById("stream5_tcp_engconf_row").style.display="table-row";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row";
+ document.getElementById("stream5_proto_tracking_row").style.display="table-row";
+ document.getElementById("stream5_flushonalert_row").style.display="table-row";
+ document.getElementById("stream5_prunelogmax_row").style.display="table-row";
+ }
+}
+
+function ftp_telnet_enable_change() {
+ var endis = !(document.iform.ftp_preprocessor.checked);
+
+ // Hide the ftp_telnet configuration rows if ftp_telnet disabled
+ if (endis) {
+ document.getElementById("ftp_telnet_row_type").style.display="none";
+ document.getElementById("ftp_telnet_row_encrypted_alert").style.display="none";
+ document.getElementById("ftp_telnet_row_encrypted_check").style.display="none";
+ document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="none";
+ document.getElementById("ftp_telnet_row_normalize").style.display="none";
+ document.getElementById("ftp_telnet_row_detect_anomalies").style.display="none";
+ document.getElementById("ftp_telnet_row_ayt_threshold").style.display="none";
+ document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="none";
+ document.getElementById("ftp_telnet_ftp_client_row").style.display="none";
+ document.getElementById("ftp_telnet_ftp_server_row").style.display="none";
+ }
+ else {
+ document.getElementById("ftp_telnet_row_type").style.display="table-row";
+ document.getElementById("ftp_telnet_row_encrypted_alert").style.display="table-row";
+ document.getElementById("ftp_telnet_row_encrypted_check").style.display="table-row";
+ document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="table-row";
+ document.getElementById("ftp_telnet_row_normalize").style.display="table-row";
+ document.getElementById("ftp_telnet_row_detect_anomalies").style.display="table-row";
+ document.getElementById("ftp_telnet_row_ayt_threshold").style.display="table-row";
+ document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="table-row";
+ document.getElementById("ftp_telnet_ftp_client_row").style.display="table-row";
+ document.getElementById("ftp_telnet_ftp_server_row").style.display="table-row";
+ }
+}
+
+function sensitive_data_enable_change() {
+ var endis = !(document.iform.sensitive_data.checked);
+
+ // Hide the sensitive_data configuration rows if sensitive_data disabled
+ if (endis) {
+ document.getElementById("sdf_alert_threshold_row").style.display="none";
+ document.getElementById("sdf_mask_output_row").style.display="none";
+ document.getElementById("sdf_alert_data_row").style.display="none";
+
+ }
+ else {
+ document.getElementById("sdf_alert_threshold_row").style.display="table-row";
+ document.getElementById("sdf_mask_output_row").style.display="table-row";
+ document.getElementById("sdf_alert_data_row").style.display="table-row";
+ }
}
function enable_change_all() {
http_inspect_enable_change();
sf_portscan_enable_change();
- // Enable/Disable Frag3 settings
+ // -- Enable/Disable Host Attribute Table settings --
+ host_attribute_table_enable_change();
+
+ // -- Enable/Disable Frag3 settings --
var endis = !(document.iform.frag3_detection.checked);
- document.iform.frag3_overlap_limit.disabled=endis;
- document.iform.frag3_min_frag_len.disabled=endis;
- document.iform.frag3_policy.disabled=endis;
- document.iform.frag3_max_frags.disabled=endis;
- document.iform.frag3_memcap.disabled=endis;
- document.iform.frag3_timeout.disabled=endis;
-
- // Enable/Disable Stream5 settings
+ // Hide the "config engines" table if Frag3 disabled
+ if (endis) {
+ document.getElementById("frag3_engconf_row").style.display="none";
+ document.getElementById("frag3_memcap_row").style.display="none";
+ document.getElementById("frag3_maxfrags_row").style.display="none";
+ }
+ else {
+ document.getElementById("frag3_engconf_row").style.display="table-row";
+ document.getElementById("frag3_memcap_row").style.display="table-row";
+ document.getElementById("frag3_maxfrags_row").style.display="table-row";
+ }
+
+ // -- Enable/Disable Stream5 settings --
endis = !(document.iform.stream5_reassembly.checked);
- document.iform.max_queued_bytes.disabled=endis;
- document.iform.max_queued_segs.disabled=endis;
- document.iform.stream5_mem_cap.disabled=endis;
- document.iform.stream5_policy.disabled=endis;
- document.iform.stream5_overlap_limit.disabled=endis;
- document.iform.stream5_no_reassemble_async.disabled=endis;
- document.iform.stream5_dont_store_lg_pkts.disabled=endis;
- document.iform.stream5_tcp_timeout.disabled=endis;
- document.iform.stream5_udp_timeout.disabled=endis;
- document.iform.stream5_icmp_timeout.disabled=endis;
+ // Hide the "stream5 conf" rows if stream5 disabled
+ if (endis) {
+ document.getElementById("stream5_tcp_memcap_row").style.display="none";
+ document.getElementById("stream5_tcp_engconf_row").style.display="none";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="none";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="none";
+ document.getElementById("stream5_proto_tracking_row").style.display="none";
+ document.getElementById("stream5_flushonalert_row").style.display="none";
+ document.getElementById("stream5_prunelogmax_row").style.display="none";
+ document.getElementById("stream5_maxtcp_row").style.display="none";
+ document.getElementById("stream5_maxudp_row").style.display="none";
+ document.getElementById("stream5_maxicmp_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_tcp_memcap_row").style.display="table-row";
+ document.getElementById("stream5_tcp_engconf_row").style.display="table-row";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row";
+ document.getElementById("stream5_proto_tracking_row").style.display="table-row";
+ document.getElementById("stream5_flushonalert_row").style.display="table-row";
+ document.getElementById("stream5_prunelogmax_row").style.display="table-row";
+ document.getElementById("stream5_maxtcp_row").style.display="table-row";
+ document.getElementById("stream5_maxudp_row").style.display="table-row";
+ document.getElementById("stream5_maxicmp_row").style.display="table-row";
+ }
+ // Set other stream5 initial conditions
+ stream5_track_tcp_enable_change();
+ stream5_track_udp_enable_change();
+ stream5_track_icmp_enable_change();
+ ftp_telnet_enable_change();
+ sensitive_data_enable_change();
}
function wopen(url, name, w, h)
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index c9852597..48d26d1d 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -379,7 +379,7 @@ require_once("guiconfig.inc");
include_once("head.inc");
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: {$if_friendly} Category: $currentruleset";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Rules: {$currentruleset}");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php
index 92330ebf..2f13d6bc 100644
--- a/config/snort/snort_rules_flowbits.php
+++ b/config/snort/snort_rules_flowbits.php
@@ -59,6 +59,7 @@ if(!isset($_SESSION['org_referer']))
$referrer = $_SESSION['org_referer'];
if ($_POST['cancel']) {
+ session_start();
unset($_SESSION['org_referer']);
session_write_close();
header("Location: {$referrer}");
@@ -69,6 +70,9 @@ $id = $_GET['id'];
if (isset($_POST['id']))
$id = $_POST['id'];
if (is_null($id)) {
+ session_start();
+ unset($_SESSION['org_referer']);
+ session_write_close();
header("Location: /snort/snort_interfaces.php");
exit;
}
@@ -158,7 +162,7 @@ function truncate($string, $length) {
$supplist = snort_load_suppress_sigs($a_nat[$id]);
$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']);
-$pgtitle = "Services: Snort: {$if_friendly} Flowbit Rules";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Flowbit Rules");
include_once("head.inc");
?>
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php
index 3c613f84..3b7ef916 100755
--- a/config/snort/snort_rulesets.php
+++ b/config/snort/snort_rulesets.php
@@ -71,16 +71,20 @@ $no_snort_files = false;
$no_community_files = false;
/* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */
-if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on')
- $test = glob("{$snortdir}/rules/emerging-*.rules");
-elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload)))
- $test = glob("{$snortdir}/rules/etpro-*.rules");
+if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') {
+ $test = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules");
+ $et_type = "ET Open";
+}
+elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) {
+ $test = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules");
+ $et_type = "ET Pro";
+}
if (empty($test))
$no_emerging_files = true;
-$test = glob("{$snortdir}/rules/snort*.rules");
+$test = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules");
if (empty($test))
$no_snort_files = true;
-if (!file_exists("{$snortdir}/rules/GPLv2_community.rules"))
+if (!file_exists("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules"))
$no_community_files = true;
if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on'))
@@ -188,25 +192,25 @@ if ($_POST['selectall']) {
}
if ($emergingdownload == 'on') {
- $files = glob("{$snortdir}/rules/emerging-*.rules");
+ $files = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules");
foreach ($files as $file)
$rulesets[] = basename($file);
}
elseif ($etpro == 'on') {
- $files = glob("{$snortdir}/rules/etpro-*.rules");
+ $files = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules");
foreach ($files as $file)
$rulesets[] = basename($file);
}
if ($snortcommunitydownload == 'on') {
- $files = glob("{$snortdir}/rules/*_community.rules");
+ $files = glob("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules");
foreach ($files as $file)
$rulesets[] = basename($file);
}
/* Include the Snort VRT rules only if enabled and no IPS policy is set */
if ($snortdownload == 'on' && $a_nat[$id]['ips_policy_enable'] == 'off') {
- $files = glob("{$snortdir}/rules/snort*.rules");
+ $files = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules");
foreach ($files as $file)
$rulesets[] = basename($file);
}
@@ -223,7 +227,7 @@ if ($_POST['selectall']) {
$enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']);
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface {$if_friendly} Categories";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Categories");
include_once("head.inc");
?>
@@ -309,7 +313,7 @@ if ($savemsg) {
</tr>
<tr>
<td colspan="6" valign="center" class="listn">
- <table width="100%" border="0" cellpadding="2" cellspacing="2">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td>
<td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on"
@@ -332,7 +336,7 @@ if ($savemsg) {
<tr>
<td width="15%">&nbsp;</td>
<td width="85%">
- <?php printf(gettext("%sNote: %sAuto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."), '<span class="red"><strong>', '</strong></span>'); ?>
+ <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("Auto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."); ?>
<br/></td>
</tr>
</table>
@@ -343,23 +347,23 @@ if ($savemsg) {
</tr>
<tr>
<td colspan="6" valign="center" class="listn">
- <table width="100%" border="0" cellpadding="2" cellspacing="2">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td>
<td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?>
<?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/>&nbsp;&nbsp;<span class="vexpl">
- <?php echo gettext("If checked, Snort will use rules from the pre-defined IPS policy selected below."); ?></span></td>
+ <?php echo gettext("If checked, Snort will use rules from one of three pre-defined IPS policies."); ?></span></td>
</tr>
<tr>
- <td width="15%" class="vncell">&nbsp;</td>
- <td width="85%" class="vtable">
- <?php printf(gettext("%sNote:%s You must be using the Snort VRT rules to use this option."),'<span class="red"><strong>','</strong></span>'); ?>
+ <td width="15%" class="vncell" id="ips_col1">&nbsp;</td>
+ <td width="85%" class="vtable" id="ips_col2">
+ <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("You must be using the Snort VRT rules to use this option."); ?>
<?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " .
"although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " .
"These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br/></td>
</tr>
- <tr>
- <td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td>
+ <tr id="ips_row1">
+ <td width="15%" class="listn"><?php echo gettext("IPS Policy Selection"); ?></td>
<td width="85%"><select name="ips_policy" class="formselect" <?=$policy_select_disable?> >
<option value="connectivity" <?php if ($pconfig['ips_policy'] == "connected") echo "selected"; ?>><?php echo gettext("Connectivity"); ?></option>
<option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option>
@@ -367,7 +371,7 @@ if ($savemsg) {
</select>
&nbsp;&nbsp;<span class="vexpl"><?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security."); ?></span></td>
</tr>
- <tr>
+ <tr id="ips_row2">
<td width="15%">&nbsp;</td>
<td width="85%">
<?php echo gettext("Connectivity blocks most major threats with few or no false positives. " .
@@ -397,22 +401,23 @@ if ($savemsg) {
$msg_community = "NOTE: Snort Community Rules have not been downloaded. Perform a Rules Update to enable them.";
else
$msg_community = "Snort GPLv2 Community Rules (VRT certified)";
+ $community_rules_file = GPL_FILE_PREFIX . "community.rules";
?>
<?php if ($snortcommunitydownload == 'on'): ?>
<tr id="frheader">
<td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td>
<td colspan="5" class="listhdrr"><?php echo gettext('Ruleset: Snort GPLv2 Community Rules');?></td>
</tr>
- <?php if (in_array("GPLv2_community.rules", $enabled_rulesets_array)): ?>
+ <?php if (in_array($community_rules_file, $enabled_rulesets_array)): ?>
<tr>
<td width="5" class="listr" align="center" valign="top">
- <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" checked="checked"/></td>
- <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=GPLv2_community.rules'><?php echo gettext("{$msg_community}"); ?></a></td>
+ <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" checked="checked"/></td>
+ <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a></td>
</tr>
<?php else: ?>
<tr>
<td width="5" class="listr" align="center" valign="top">
- <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td>
+ <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td>
<td colspan="5" class="listr"><?php echo gettext("{$msg_community}"); ?></td>
</tr>
@@ -436,7 +441,7 @@ if ($savemsg) {
<td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td>
<td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Pro Rules');?></td>
<?php else: ?>
- <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td>
+ <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("{$et_type} rules not {$msg_emerging}"); ?></td>
<?php endif; ?>
<?php if ($snortdownload == 'on' && !$no_snort_files): ?>
<td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td>
@@ -459,11 +464,11 @@ if ($savemsg) {
$filename = basename($filename);
if (substr($filename, -5) != "rules")
continue;
- if (strstr($filename, "emerging-") && $emergingdownload == 'on')
+ if (strstr($filename, ET_OPEN_FILE_PREFIX) && $emergingdownload == 'on')
$emergingrules[] = $filename;
- else if (strstr($filename, "etpro-") && $etpro == 'on')
+ else if (strstr($filename, ET_PRO_FILE_PREFIX) && $etpro == 'on')
$emergingrules[] = $filename;
- else if (strstr($filename, "snort") && $snortdownload == 'on') {
+ else if (strstr($filename, VRT_FILE_PREFIX) && $snortdownload == 'on') {
if (strstr($filename, ".so.rules"))
$snortsorules[] = $filename;
else
@@ -589,6 +594,18 @@ function enable_change()
var endis = !(document.iform.ips_policy_enable.checked);
document.iform.ips_policy.disabled=endis;
+ if (endis) {
+ document.getElementById("ips_row1").style.display="none";
+ document.getElementById("ips_row2").style.display="none";
+ document.getElementById("ips_col1").className="vexpl";
+ document.getElementById("ips_col2").className="vexpl";
+ }
+ else {
+ document.getElementById("ips_row1").style.display="table-row";
+ document.getElementById("ips_row2").style.display="table-row";
+ document.getElementById("ips_col1").className="vncell";
+ document.getElementById("ips_col2").className="vtable";
+ }
for (var i = 0; i < document.iform.elements.length; i++) {
if (document.iform.elements[i].type == 'checkbox') {
var str = document.iform.elements[i].value;
@@ -597,6 +614,10 @@ function enable_change()
}
}
}
+
+// Set initial state of dynamic HTML form controls
+enable_change();
+
</script>
</body>
diff --git a/config/snort/snort_select_alias.php b/config/snort/snort_select_alias.php
new file mode 100644
index 00000000..bd0a02e2
--- /dev/null
+++ b/config/snort/snort_select_alias.php
@@ -0,0 +1,245 @@
+<?php
+/* $Id$ */
+/*
+ snort_select_alias.php
+ Copyright (C) 2004 Scott Ullrich
+ All rights reserved.
+
+ originially part of m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+require_once("functions.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+// Set who called us so we can return to the correct page with
+// the RETURN button. We will just trust this User-Agent supplied
+// string for now. Check and make sure we don't store this page
+// as the referrer so we don't stick the user in a loop.
+session_start();
+if(!isset($_SESSION['org_referer']) && strpos($_SERVER['HTTP_REFERER'], $SERVER['PHP_SELF']) === false)
+ $_SESSION['org_referer'] = substr($_SERVER['HTTP_REFERER'], 0, strpos($_SERVER['HTTP_REFERER'], "?"));
+$referrer = $_SESSION['org_referer'];
+
+// Get the QUERY_STRING from our referrer so we can return it.
+if(!isset($_SESSION['org_querystr']))
+ $_SESSION['org_querystr'] = $_SERVER['QUERY_STRING'];
+$querystr = $_SESSION['org_querystr'];
+
+// Retrieve any passed QUERY STRING or POST variables
+$type = $_GET['type'];
+$varname = $_GET['varname'];
+$multi_ip = $_GET['multi_ip'];
+if (isset($_POST['type']))
+ $type = $_POST['type'];
+if (isset($_POST['varname']))
+ $varname = $_POST['varname'];
+if (isset($_POST['multi_ip']))
+ $multi_ip = $_POST['multi_ip'];
+
+// Make sure we have a valid VARIABLE name
+// and ALIAS TYPE, or else bail out.
+if (is_null($type) || is_null($varname)) {
+ session_start();
+ unset($_SESSION['org_referer']);
+ unset($_SESSION['org_querystr']);
+ session_write_close();
+ header("Location: http://{$referrer}?{$querystr}");
+ exit;
+}
+
+// Used to track if any selectable Aliases are found
+$selectablealias = false;
+
+// Initialize required array variables as necessary
+if (!is_array($config['aliases']['alias']))
+ $config['aliases']['alias'] = array();
+$a_aliases = $config['aliases']['alias'];
+
+// Create an array consisting of the Alias types the
+// caller wants to select from.
+$a_types = array();
+$a_types = explode('|', strtolower($type));
+
+// Create a proper title based on the Alias types
+$title = "a";
+switch (count($a_types)) {
+ case 1:
+ $title .= " " . ucfirst($a_types[0]);
+ break;
+
+ case 2:
+ $title .= " " . ucfirst($a_types[0]) . " or " . ucfirst($a_types[1]);
+ break;
+
+ case 3:
+ $title .= " " . ucfirst($a_types[0]) . ", " . ucfirst($a_types[1]) . " or " . ucfirst($a_types[2]);
+
+ default:
+ $title = "n";
+}
+
+if ($_POST['cancel']) {
+ session_start();
+ unset($_SESSION['org_referer']);
+ unset($_SESSION['org_querystr']);
+ session_write_close();
+ header("Location: {$referrer}?{$querystr}");
+ exit;
+}
+
+if ($_POST['save']) {
+ if(empty($_POST['alias']))
+ $input_errors[] = gettext("No alias is selected. Please select an alias before saving.");
+
+ // if no errors, write new entry to conf
+ if (!$input_errors) {
+ $selection = $_POST['alias'];
+ session_start();
+ unset($_SESSION['org_referer']);
+ unset($_SESSION['org_querystr']);
+ session_write_close();
+ header("Location: {$referrer}?{$querystr}&varvalue={$selection}");
+ exit;
+ }
+}
+
+$pgtitle = gettext("Snort: Select {$title} Alias");
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<form action="snort_select_alias.php" method="post">
+<input type="hidden" name="varname" value="<?=$varname;?>">
+<input type="hidden" name="type" value="<?=$type;?>">
+<input type="hidden" name="multi_ip" value="<?=$multi_ip;?>">
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+ <td class="tabcont"><strong><?=gettext("Select an Alias to use from the list below.");?></strong><br/>
+ </td>
+</tr>
+<tr>
+ <td class="tabcont">
+ <table id="sortabletable1" style="table-layout: fixed;" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <colgroup>
+ <col width="5%" align="center">
+ <col width="25%" align="left" axis="string">
+ <col width="35%" align="left" axis="string">
+ <col width="35%" align="left" axis="string">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"></th>
+ <th class="listhdrr" axis="string"><?=gettext("Alias Name"); ?></th>
+ <th class="listhdrr" axis="string"><?=gettext("Values"); ?></th>
+ <th class="listhdrr" axis="string"><?=gettext("Description"); ?></th>
+ </tr>
+ </thead>
+ <tbody>
+ <?php $i = 0; foreach ($a_aliases as $alias): ?>
+ <?php if (!in_array($alias['type'], $a_types))
+ continue;
+ if ( ($alias['type'] == "network" || $alias['type'] == "host") &&
+ $multi_ip != "yes" &&
+ !snort_is_single_addr_alias($alias['name'])) {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $disable = true;
+ $tooltip = gettext("Aliases resolving to multiple address entries cannot be used with the destination target.");
+ }
+ elseif (($alias['type'] == "network" || $alias['type'] == "host") &&
+ trim(filter_expand_alias($alias['name'])) == "") {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $disable = true;
+ $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations.");
+ }
+ else {
+ $textss = "";
+ $textse = "";
+ $disable = "";
+ $selectablealias = true;
+ $tooltip = gettext("Selected entry will be imported. Click to toggle selection.");
+ }
+ ?>
+ <?php if ($disable): ?>
+ <tr title="<?=$tooltip;?>">
+ <td class="listlr" align="center"><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height"11" border="0"/>
+ <?php else: ?>
+ <tr>
+ <td class="listlr" align="center"><input type="radio" name="alias" value="<?=htmlspecialchars($alias['name']);?>" title="<?=$tooltip;?>"/></td>
+ <?php endif; ?>
+ <td class="listr" align="left"><?=$textss . htmlspecialchars($alias['name']) . $textse;?></td>
+ <td class="listr" align="left">
+ <?php
+ $tmpaddr = explode(" ", $alias['address']);
+ $addresses = implode(", ", array_slice($tmpaddr, 0, 10));
+ echo "{$textss}{$addresses}{$textse}";
+ if(count($tmpaddr) > 10) {
+ echo "...";
+ }
+ ?>
+ </td>
+ <td class="listbg" align="left">
+ <?=$textss . htmlspecialchars($alias['descr']) . $textse;?>&nbsp;
+ </td>
+ </tr>
+ <?php $i++; endforeach; ?>
+ </table>
+ </td>
+</tr>
+<?php if (!$selectablealias): ?>
+<tr>
+ <td class="tabcont" align="center"><b><?php echo gettext("There are currently no defined Aliases eligible for selection.");?></b></td>
+</tr>
+<tr>
+ <td class="tabcont" align="center">
+ <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/>
+ </td>
+</tr>
+<?php else: ?>
+<tr>
+ <td class="tabcont" align="center">
+ <input type="Submit" name="save" value="Save" id="save" class="formbtn" title="<?=gettext("Import selected item and return");?>"/>&nbsp;&nbsp;&nbsp;
+ <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/>
+ </td>
+</tr>
+<?php endif; ?>
+<tr>
+ <td class="tabcont">
+ <span class="vexpl"><span class="red"><strong><?=gettext("Note:"); ?><br></strong></span><?=gettext("Fully-Qualified Domain Name (FQDN) host Aliases cannot be used as Snort configuration parameters. Aliases resolving to a single FQDN value are disabled in the list above. In the case of nested Aliases where one or more of the nested values is a FQDN host, the FQDN host will not be included in the {$title} configuration.");?></span>
+ </td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+</html>
diff --git a/config/snort/snort_stream5_engine.php b/config/snort/snort_stream5_engine.php
new file mode 100644
index 00000000..33fade40
--- /dev/null
+++ b/config/snort/snort_stream5_engine.php
@@ -0,0 +1,670 @@
+<?php
+/*
+ * snort_stream5_engine.php
+ * Copyright (C) 2004 Scott Ullrich
+ * Copyright (C) 2011-2012 Ermal Luci
+ * All rights reserved.
+ *
+ * originially part of m0n0wall (http://m0n0.ch/wall)
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * All rights reserved.
+ *
+ * modified for the pfsense snort package
+ * Copyright (C) 2009-2010 Robert Zelaya.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+/* Retrieve required array index values from QUERY string if available. */
+/* 'id' is the [rule] array index, and 'eng_id' is the index for the */
+/* stream5_tcp_engine's [item] array. */
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+
+/* See if values are in our form's POST content */
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+/* If we don't have a [rule] index specified, exit */
+if (is_null($id)) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['stream5_client_import']);
+ session_write_close();
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+/* Initialize pointer into requisite section of [config] array */
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'];
+
+$pconfig = array();
+
+// If this is a new entry, intialize it with default values
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0,
+ "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else {
+ $pconfig = $a_nat[$eng_id];
+
+ // Check for empty values and set sensible defaults
+ if (empty($pconfig['policy']))
+ $pconfig['policy'] = "bsd";
+ if (empty($pconfig['timeout']))
+ $pconfig['timeout'] = 30;
+ if (empty($pconfig['max_queued_bytes']) && $pconfig['max_queued_bytes'] <> 0)
+ $pconfig['max_queued_bytes'] = 1048576;
+ if (empty($pconfig['detect_anomalies']))
+ $pconfig['detect_anomalies'] = "off";
+ if (empty($pconfig['overlap_limit']))
+ $pconfig['overlap_limit'] = 0;
+ if (empty($pconfig['max_queued_segs']) && $pconfig['max_queued_segs'] <> 0)
+ $pconfig['max_queued_segs'] = 2621;
+ if (empty($pconfig['require_3whs']))
+ $pconfig['require_3whs'] = "off";
+ if (empty($pconfig['startup_3whs_timeout']))
+ $pconfig['startup_3whs_timeout'] = 0;
+ if (empty($pconfig['no_reassemble_async']))
+ $pconfig['no_reassemble_async'] = "off";
+ if (empty($pconfig['dont_store_lg_pkts']))
+ $pconfig['dont_store_lg_pkts'] = "off";
+ if (empty($pconfig['max_window']))
+ $pconfig['max_window'] = 0;
+ if (empty($pconfig['use_static_footprint_sizes']))
+ $pconfig['use_static_footprint_sizes'] = "off";
+ if (empty($pconfig['check_session_hijacking']))
+ $pconfig['check_session_hijacking'] = "off";
+ if (empty($pconfig['ports_client']))
+ $pconfig['ports_client'] = "default";
+ if (empty($pconfig['ports_both']))
+ $pconfig['ports_both'] = "default";
+ if (empty($pconfig['ports_server']))
+ $pconfig['ports_server'] = "none";
+}
+
+if ($_POST['Cancel']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['stream5_client_import']);
+ session_write_close();
+ header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ session_start();
+ if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports_client" || $_GET['varname'] == "ports_both" || $_GET['varname'] == "ports_server")
+ && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+ if(!isset($_SESSION['stream5_client_import']))
+ $_SESSION['stream5_client_import'] = array();
+
+ $_SESSION['stream5_client_import'][$_GET['varname']] = $_GET['varvalue'];
+ if (isset($_SESSION['stream5_client_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to'];
+ if (isset($_SESSION['stream5_client_import']['ports_client']))
+ $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client'];
+ if (isset($_SESSION['stream5_client_import']['ports_both']))
+ $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both'];
+ if (isset($_SESSION['stream5_client_import']['ports_server']))
+ $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server'];
+ }
+ // If "varvalue" is empty, user likely hit CANCEL in Select Dialog,
+ // so restore any saved values.
+ elseif (empty($_GET['varvalue'])) {
+ if (isset($_SESSION['stream5_client_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to'];
+ if (isset($_SESSION['stream5_client_import']['ports_client']))
+ $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client'];
+ if (isset($_SESSION['stream5_client_import']['ports_both']))
+ $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both'];
+ if (isset($_SESSION['stream5_client_import']['ports_server']))
+ $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server'];
+ }
+ else {
+ unset($_SESSION['stream5_client_import']);
+ unset($_SESSION['org_referer']);
+ unset($_SESSION['org_querystr']);
+ session_write_close();
+ }
+}
+
+if ($_POST['Submit']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['org_referer']);
+ unset($_SESSION['org_querystr']);
+ unset($_SESSION['stream5_client_import']);
+ session_write_close();
+
+ /* Grab all the POST values and save in new temp array */
+ $engine = array();
+ if ($_POST['stream5_name']) { $engine['name'] = trim($_POST['stream5_name']); } else { $engine['name'] = "default"; }
+
+ /* Validate input values before saving */
+ if ($_POST['stream5_bind_to']) {
+ if (is_alias($_POST['stream5_bind_to'])) {
+ $engine['bind_to'] = $_POST['stream5_bind_to'];
+ if (!snort_is_single_addr_alias($_POST['stream5_bind_to']))
+ $input_errors[] = gettext("An Alias that evaluates to a single IP address or CIDR network is required for the 'Bind-To IP Address' value.");
+ }
+ elseif (strtolower(trim($_POST['stream5_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+ if ($_POST['stream5_ports_client']) {
+ if (is_alias($_POST['stream5_ports_client']))
+ $engine['ports_client'] = $_POST['stream5_ports_client'];
+ elseif (strtolower(trim($_POST['stream5_ports_client'])) == "default")
+ $engine['ports_client'] = "default";
+ elseif (strtolower(trim($_POST['stream5_ports_client'])) == "all")
+ $engine['ports_client'] = "all";
+ elseif (strtolower(trim($_POST['stream5_ports_client'])) == "none")
+ $engine['ports_client'] = "none";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_client' value.");
+ }
+ if ($_POST['stream5_ports_both']) {
+ if (is_alias($_POST['stream5_ports_both']))
+ $engine['ports_both'] = $_POST['stream5_ports_both'];
+ elseif (strtolower(trim($_POST['stream5_ports_both'])) == "default")
+ $engine['ports_both'] = "default";
+ elseif (strtolower(trim($_POST['stream5_ports_both'])) == "all")
+ $engine['ports_both'] = "all";
+ elseif (strtolower(trim($_POST['stream5_ports_both'])) == "none")
+ $engine['ports_both'] = "none";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_both' value.");
+ }
+ if ($_POST['stream5_ports_server']) {
+ if (is_alias($_POST['stream5_ports_server']))
+ $engine['ports_server'] = $_POST['stream5_ports_server'];
+ elseif (strtolower(trim($_POST['stream5_ports_server'])) == "default")
+ $engine['ports_server'] = "default";
+ elseif (strtolower(trim($_POST['stream5_ports_server'])) == "all")
+ $engine['ports_server'] = "all";
+ elseif (strtolower(trim($_POST['stream5_ports_server'])) == "none")
+ $engine['ports_server'] = "none";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_server' value.");
+ }
+
+ if (!empty($_POST['stream5_timeout']) || $_POST['stream5_timeout'] == 0) {
+ $engine['timeout'] = $_POST['stream5_timeout'];
+ if ($engine['timeout'] < 1 || $engine['timeout'] > 86400)
+ $input_errors[] = gettext("The value for Timeout must be between 1 and 86400.");
+ }
+ else
+ $engine['timeout'] = 60;
+
+ if (!empty($_POST['stream5_max_queued_bytes']) || $_POST['stream5_max_queued_bytes'] == 0) {
+ $engine['max_queued_bytes'] = $_POST['stream5_max_queued_bytes'];
+ if ($engine['max_queued_bytes'] <> 0) {
+ if ($engine['max_queued_bytes'] < 1024 || $engine['max_queued_bytes'] > 1073741824)
+ $input_errors[] = gettext("The value for Max_Queued_Bytes must either be 0, or between 1024 and 1073741824.");
+ }
+ }
+ else
+ $engine['max_queued_bytes'] = 1048576;
+
+ if (!empty($_POST['stream5_max_queued_segs']) || $_POST['stream5_max_queued_segs'] == 0) {
+ $engine['max_queued_segs'] = $_POST['stream5_max_queued_segs'];
+ if ($engine['max_queued_segs'] <> 0) {
+ if ($engine['max_queued_segs'] < 2 || $engine['max_queued_segs'] > 1073741824)
+ $input_errors[] = gettext("The value for Max_Queued_Segs must either be 0, or between 2 and 1073741824.");
+ }
+ }
+ else
+ $engine['max_queued_segs'] = 2621;
+
+ if (!empty($_POST['stream5_overlap_limit']) || $_POST['stream5_overlap_limit'] == 0) {
+ $engine['overlap_limit'] = $_POST['stream5_overlap_limit'];
+ if ($engine['overlap_limit'] < 0 || $engine['overlap_limit'] > 255)
+ $input_errors[] = gettext("The value for Overlap_Limit must be between 0 and 255.");
+ }
+ else
+ $engine['overlap_limit'] = 0;
+
+ if (!empty($_POST['stream5_max_window']) || $_POST['stream5_max_window'] == 0) {
+ $engine['max_window'] = $_POST['stream5_max_window'];
+ if ($engine['max_window'] < 0 || $engine['max_window'] > 1073725440)
+ $input_errors[] = gettext("The value for Max_Window must be between 0 and 1073725440.");
+ }
+ else
+ $engine['max_window'] = 0;
+
+ if (!empty($_POST['stream5_3whs_startup_timeout']) || $_POST['stream5_3whs_startup_timeout'] == 0) {
+ $engine['startup_3whs_timeout'] = $_POST['stream5_3whs_startup_timeout'];
+ if ($engine['startup_3whs_timeout'] < 0 || $engine['startup_3whs_timeout'] > 86400)
+ $input_errors[] = gettext("The value for 3whs_Startup_Timeout must be between 0 and 86400.");
+ }
+ else
+ $engine['startup_3whs_timeout'] = 0;
+
+ if ($_POST['stream5_policy']) { $engine['policy'] = $_POST['stream5_policy']; } else { $engine['policy'] = "bsd"; }
+ if ($_POST['stream5_ports']) { $engine['ports'] = $_POST['stream5_ports']; } else { $engine['ports'] = "both"; }
+
+ $engine['detect_anomalies'] = $_POST['stream5_detect_anomalies'] ? 'on' : 'off';
+ $engine['require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off';
+ $engine['no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off';
+ $engine['dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off';
+ $engine['use_static_footprint_sizes'] = $_POST['stream5_use_static_footprint_sizes'] ? 'on' : 'off';
+ $engine['check_session_hijacking'] = $_POST['stream5_check_session_hijacking'] ? 'on' : 'off';
+
+ /* Can only have one "all" Bind_To address */
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default")
+ $input_errors[] = gettext("Only one default Stream5 Engine can be bound to all addresses.");
+ $pconfig = $engine;
+
+ /* if no errors, write new entry to conf */
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ /* Reorder the engine array to ensure the */
+ /* 'bind_to=all' entry is at the bottom */
+ /* if it contains more than one entry. */
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ /* Now write the new engine array to conf */
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Stream5 Preprocessor TCP Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_stream5_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Stream5 Target-Based TCP Stream Reassembly Engine Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="stream5_name" type="text" class="formfld unknown" id="stream5_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="stream5_bind_to" type="text" class="formfldalias" id="stream5_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off">&nbsp;
+ <?php echo gettext("IP address or network to bind this engine to."); ?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=no'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with the destination IP address specified. Default value is ") .
+ "<strong>" . gettext("all") . "</strong>" . gettext(". Only a single IP address or single network in CIDR form may be specified. ") .
+ gettext("IP Lists are not allowed.");?></td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'. ");?>
+ <?php else : ?>
+ <input name="stream5_bind_to" type="text" class="formfldalias" id="stream5_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Target Policy"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="stream5_policy" class="formselect" id="stream5_policy">
+ <?php
+ $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux',
+ 'Solaris', 'Vista', 'Windows', 'Win2003' );
+ foreach ($profile as $val): ?>
+ <option value="<?=strtolower($val);?>"
+ <?php if (strtolower($val) == $pconfig['policy']) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;&nbsp;<?php echo gettext("Choose the TCP target policy appropriate for the protected hosts. The default is ") .
+ "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Target Ports"); ?></td>
+ <td width="78%" class="vtable">
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Client:"); ?></strong></td>
+ <td class="vexpl"><input name="stream5_ports_client" type="text" class="formfldalias" id="stream5_ports_client" size="32"
+ value="<?=htmlspecialchars($pconfig['ports_client']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_client']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("default") . "</strong>.";?></span>
+ </td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_client&act=import'"
+ title="<?php echo gettext("Select an existing port alias");?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Server:"); ?></strong></td>
+ <td class="vexpl"><input name="stream5_ports_server" type="text" class="formfldalias" id="stream5_ports_server" size="32"
+ value="<?=htmlspecialchars($pconfig['ports_server']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_server']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("none") . "</strong>.";?></span>
+ </td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_server&act=import'"
+ title="<?php echo gettext("Select an existing port alias");?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Both:"); ?></strong></td>
+ <td class="vexpl"><input name="stream5_ports_both" type="text" class="formfldalias" id="stream5_ports_both" size="32"
+ value="<?=htmlspecialchars($pconfig['ports_both']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_both']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("default") . "</strong>.";?></span>
+ </td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_both&act=import'"
+ title="<?php echo gettext("Select an existing port alias");?>"/>
+ </td>
+ </tr>
+ </table>
+ <br/><?php echo gettext("Configures which side of the connection packets should be reassembled for based on the configured destination ports. See ");?>
+ <a href="http://www.snort.org/vrt/snort-conf-configurations/" target="_blank"><?php echo gettext("www.snort.org/vrt/snort-conf-configurations");?></a>
+ <?php echo gettext(" for the default configuration port values.");?><br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("Supplied value must be a pre-configured Alias or the keyword 'default', 'all' or 'none'.");?><br/>
+ <span class="red"><?php echo gettext("Hint: ") . "</span>" . gettext("Most users should leave these settings at their default values.");?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Max Window"); ?></td>
+ <td class="vtable">
+ <input name="stream5_max_window" type="text" class="formfld unknown" id="stream5_max_window" size="9"
+ value="<?=htmlspecialchars($pconfig['max_window']);?>" maxlength="10">
+ <?php echo gettext("Maximum allowed TCP window. Min is ") . "<strong>0</strong>" . gettext(" and max is ") .
+ "<strong>1073725440</strong>" . gettext(" (65535 left shift 14)"); ?>.<br/><br/>
+ <?php echo gettext("Sets the TCP max window size. Default value is ") .
+ "<strong>0</strong>" . gettext(" (unlimited). This option is intended to prevent a DoS against Stream5 by " .
+ "attacker using an abnormally large window, so using a value near the maximum is discouraged."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Timeout"); ?></td>
+ <td class="vtable">
+ <input name="stream5_timeout" type="text" class="formfld unknown" id="stream5_timeout" size="9"
+ value="<?=htmlspecialchars($pconfig['timeout']);?>" maxlength="5">
+ <?php echo gettext("TCP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and max is ") .
+ "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.<br/><br/>
+ <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") .
+ "<strong>30</strong>" . gettext(" seconds."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Max Queued Bytes"); ?></td>
+ <td class="vtable">
+ <input name="stream5_max_queued_bytes" type="text" class="formfld unknown" id="stream5_max_queued_bytes" size="9"
+ value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>" maxlength="10">
+ <?php echo gettext("Minimum is ") . "<strong>" . gettext("1024") . "</strong>" . gettext(" and Maximum is ") .
+ "<strong>" . gettext("1073741824") . "</strong>" . gettext(" (") .
+ "<strong>" . gettext("0") . "</strong>" . gettext(" means Maximum)."); ?><br/><br/>
+
+ <?php echo gettext("The number of bytes to be queued for reassembly of TCP sessions in " .
+ "memory. Default value is <strong>1048576</strong>"); ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Max Queued Segs"); ?></td>
+ <td class="vtable">
+ <input name="stream5_max_queued_segs" type="text" class="formfld unknown" id="stream5_max_queued_segs" size="9"
+ value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>" maxlength="10">
+ <?php echo gettext("Minimum is ") . "<strong>" . gettext("2") . "</strong>" . gettext(" and Maximum is ") .
+ "<strong>" . gettext("1073741824") . "</strong>" . gettext(" (") .
+ "<strong>" . gettext("0") . "</strong>" . gettext(" means Maximum)");?>.<br/><br/>
+ <?php echo gettext("The number of segments to be queued for reassembly of TCP sessions " .
+ "in memory. Default value is <strong>2621</strong>"); ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Overlap Limit"); ?></td>
+ <td class="vtable">
+ <input name="stream5_overlap_limit" type="text" class="formfld unknown" id="stream5_overlap_limit" size="9"
+ value="<?=htmlspecialchars($pconfig['overlap_limit']);?>" maxlength="3">
+ <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited) and Maximum is ") . "<strong>" .
+ gettext("255") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("Sets the limit for the number of overlapping packets. Default value is ") .
+ "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect TCP Anomalies"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_detect_anomalies" id="stream5_detect_anomalies" type="checkbox" value="on"
+ <?php if ($pconfig['detect_anomalies']=="on") echo "checked"; ?>>
+ <?php echo gettext("Detect TCP protocol anomalies. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Check Session Hijacking"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_check_session_hijacking" id="stream5_check_session_hijacking" type="checkbox" value="on"
+ <?php if ($pconfig['check_session_hijacking']=="on") echo "checked"; ?>>
+ <?php echo gettext("Check for TCP session hijacking. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("This check validates the hardware (MAC) address from both sides of the connection -- " .
+ "as established on the 3-way handshake -- against subsequent packets received on the session.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on"
+ <?php if ($pconfig['require_3whs']=="on") echo "checked"; ?> onclick="stream5_3whs_enable_change();">
+ <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr id="stream5_3whs_startuptimeout_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("3-Way Handshake Startup Timeout"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="stream5_3whs_startup_timeout" type="text" class="formfld unknown" id="stream5_3whs_startup_timeout" size="9"
+ value="<?=htmlspecialchars($pconfig['startup_3whs_timeout']);?>" maxlength="5">
+ <?php echo gettext("3-Way Handshake Startup Timeout in seconds. Min is ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" and Max is ") . "<strong>" . gettext("86400") . "</strong>" . gettext(" (1 day).");?><br/><br/>
+ <?php echo gettext("This allows a grace period for existing sessions to be considered established during that " .
+ "interval immediately after Snort is started. The default is ") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(", (don't consider existing sessions established).");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on"
+ <?php if ($pconfig['no_reassemble_async']=="on") echo "checked "; ?>>
+ <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Use Static Footprint Sizes"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_use_static_footprint_sizes" id="stream5_use_static_footprint_sizes" type="checkbox" value="on"
+ <?php if ($pconfig['use_static_footprint_sizes']=="on") echo "checked "; ?>>
+ <?php echo gettext("Emulate Stream4 behavior for flushing reassembled packets. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on"
+ <?php if ($pconfig['dont_store_lg_pkts']=="on") echo "checked"; ?>>
+ <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/>
+ <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" .
+ gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save Stream5 engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+<script type="text/javascript">
+
+function stream5_3whs_enable_change() {
+ var endis = !(document.iform.stream5_require_3whs.checked);
+
+ // Hide the "3whs_startup_timeout" row if stream5_require_3whs disabled
+ if (endis)
+ document.getElementById("stream5_3whs_startuptimeout_row").style.display="none";
+ else
+ document.getElementById("stream5_3whs_startuptimeout_row").style.display="table-row";
+}
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesport = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+ elseif ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesport .= ",";
+ $aliasesport .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portarray=new Array(<?php echo $aliasesport; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAlias = new AutoSuggestControl(document.getElementById('stream5_bind_to'), new StateSuggestions(addressarray));\n";
+ echo "objAliasPortsClient = new AutoSuggestControl(document.getElementById('stream5_ports_client'), new StateSuggestions(portarray));\n";
+ echo "objAliasPortsServer = new AutoSuggestControl(document.getElementById('stream5_ports_server'), new StateSuggestions(portarray));\n";
+ echo "objAliasPortsBoth = new AutoSuggestControl(document.getElementById('stream5_ports_both'), new StateSuggestions(portarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+stream5_3whs_enable_change();
+
+</script>
+
+</html>