diff options
Diffstat (limited to 'config')
28 files changed, 7339 insertions, 1383 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 98b80d66..1a6f1ac6 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -43,11 +43,15 @@ require_once("filter.inc"); ini_set("memory_limit", "192M"); // Explicitly declare this as global so it works through function call includes -global $rebuild_rules; +global $rebuild_rules, $pfSense_snort_version; + +// Grab the Snort binary version programmatically +$snortver = array(); +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +$snort_version = $snortver[0]; /* package version */ -$snort_version = "2.9.4.6"; -$pfSense_snort_version = "2.6.1"; +$pfSense_snort_version = "3.0.0"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) @@ -66,6 +70,7 @@ else { } /* Define some useful constants for Snort */ +/* Be sure to include trailing slash on the URL defines */ define("SNORTLOGDIR", "/var/log/snort"); define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); @@ -73,6 +78,10 @@ define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); define("FLOWBITS_FILENAME", "flowbit-required.rules"); define("ENFORCING_RULES_FILENAME", "snort.rules"); define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); +define("VRT_FILE_PREFIX", "snort_"); +define("GPL_FILE_PREFIX", "GPLv2_"); +define("ET_OPEN_FILE_PREFIX", "emerging-"); +define("ET_PRO_FILE_PREFIX", "etpro-"); /* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */ $rebuild_rules = false; @@ -100,24 +109,26 @@ function snort_is_single_addr_alias($alias) { return true; } -function snort_expand_port_range($ports) { +function snort_expand_port_range($ports, $delim = ',') { /**************************************************/ /* This function examines the passed ports string */ /* and expands any embedded port ranges into the */ - /* individual ports separated by commas. A port */ - /* range is indicated by a colon in the string. */ + /* individual ports separated by the specified */ + /* delimiter. A port range is indicated by a */ + /* colon in the string. */ /* */ /* On Entry: $ports ==> string to be evaluated */ - /* with commas separating */ + /* with {$delim} separating */ /* the port values. */ /* Returns: string with any encountered port */ - /* ranges expanded. */ + /* ranges expanded and the values */ + /* delimited by {$delim}. */ /**************************************************/ $value = ""; - // Split the incoming string on the commas - $tmp = explode(",", $ports); + // Split the incoming string on the specified delimiter + $tmp = explode($delim, $ports); // Look for any included port range and expand it foreach ($tmp as $val) { @@ -125,17 +136,17 @@ function snort_expand_port_range($ports) { $start = strtok($val, ":"); $end = strtok(":"); if ($end !== false) { - $val = $start . ","; + $val = $start . $delim; for ($i = intval($start) + 1; $i < intval($end); $i++) - $val .= strval($i) . ","; + $val .= strval($i) . $delim; $val .= $end; } } - $value .= $val . ","; + $value .= $val . $delim; } - // Remove any trailing comma in return value - return trim($value, ","); + // Remove any trailing delimiter in return value + return trim($value, $delim); } function snort_get_blocked_ips() { @@ -318,9 +329,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { $wandns = $list['wandnsips']; $vips = $list['vips']; $vpns = $list['vpnips']; - if (!empty($list['address']) && is_alias($list['address'])) { + if (!empty($list['address']) && is_alias($list['address'])) $home_net = explode(" ", trim(filter_expand_alias($list['address']))); - } } /* Always add loopback to HOME_NET and whitelist (ftphelper) */ @@ -573,7 +583,7 @@ function snort_reload_config($snortcfg, $signal="SIGHUP") { /* can find a valid PID for the process. */ /******************************************************/ if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { - log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']}({$if_real})..."); + log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']} ({$if_real})..."); exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &"); } } @@ -661,78 +671,6 @@ function snort_post_delete_logs($snort_uuid = 0) { } } -function snort_postinstall() { - global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; - - $snortdir = SNORTDIR; - $snortlibdir = SNORTLIBDIR; - $rcdir = RCFILEPREFIX; - - /* Set flag for post-install in progress */ - $g['snort_postinstall'] = true; - - /* cleanup default files */ - @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); - @rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf"); - @rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map"); - @rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map"); - @rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config"); - @rename("{$snortdir}/generators-sample", "{$snortdir}/generators"); - @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config"); - @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); - - /* fix up the preprocessor rules filenames from a PBI package install */ - $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); - foreach ($preproc_rules as $file) { - if (file_exists("{$snortdir}/preproc_rules/{$file}-sample")) - @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}"); - } - - /* Remove any previously installed scripts since we rebuild them */ - @unlink("{$snortdir}/sid"); - @unlink("{$rcdir}/snort.sh"); - @unlink("{$rcdir}/barnyard2"); - - /* remove example library files */ - $files = glob("{$snortlibdir}/dynamicrules/*_example*"); - foreach ($files as $f) - @unlink($f); - $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*"); - foreach ($files as $f) - @unlink($f); - - /* remake saved settings */ - if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { - log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings...")); - update_status(gettext("Saved settings detected...")); - update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); - log_error(gettext("[Snort] Downloading and updating configured rule types...")); - update_output_window(gettext("Please wait... downloading and updating configured rule types...")); - if ($pkg_interface <> "console") - $snort_gui_include = true; - @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); - update_status(gettext("Generating snort.conf configuration file from saved settings...")); - $rebuild_rules = true; - sync_snort_package_config(); - $rebuild_rules = false; - update_output_window(gettext("Finished rebuilding files...")); - log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); - - /* Only try to start Snort if not in reboot */ - if (!$g['booting']) { - update_status(gettext("Starting Snort using rebuilt configuration...")); - update_output_window(gettext("Please wait... while Snort is started...")); - log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); - update_output_window(gettext("Snort has been started using the rebuilt configuration...")); - start_service("snort"); - } - } - - /* Done with post-install, so clear flag */ - unset($g['snort_postinstall']); - log_error(gettext("[Snort] Package post-installation tasks completed...")); -} - function snort_Getdirsize($node) { if(!is_readable($node)) return false; @@ -761,7 +699,6 @@ function snort_snortloglimit_install_cron($should_install) { switch($should_install) { case true: if(!$is_installed) { - $cron_item = array(); $cron_item['minute'] = "*/5"; $cron_item['hour'] = "*"; @@ -798,6 +735,22 @@ function snort_rm_blocked_install_cron($should_install) { } $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "15m_b") { + $snort_rm_blocked_min = "*/2"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "900"; + } + if ($snort_rm_blocked_info_ck == "30m_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "1800"; + } if ($snort_rm_blocked_info_ck == "1h_b") { $snort_rm_blocked_min = "*/5"; $snort_rm_blocked_hr = "*"; @@ -1047,13 +1000,13 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /* sid-msg.map file for use by Snort and/or barnyard2. */ /*************************************************************/ - $sidMap = array(); + $sidMap = array(); $rule_files = array(); - /* First check if we were passed a directory, a single file */ - /* or an array of filenames to read. Set our $rule_files */ - /* variable accordingly. If we can't figure it out, return */ - /* and don't write a sid_msg_map file. */ + /* First check if we were passed a directory, a single file */ + /* or an array of filenames to read. Set our $rule_files */ + /* variable accordingly. If we can't figure it out, return */ + /* and don't write a sid_msg_map file. */ if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); @@ -1065,71 +1018,71 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { else return; - /* Read the rule files into an array, then iterate the list */ - foreach ($rule_files as $file) { + /* Read the rule files into an array, then iterate the list */ + foreach ($rule_files as $file) { - /* Don't process files with "deleted" in the filename */ - if (stristr($file, "deleted")) - continue; + /* Don't process files with "deleted" in the filename */ + if (stristr($file, "deleted")) + continue; - /* Read the file into an array, skipping missing files. */ - if (!file_exists($file)) + /* Read the file into an array, skipping missing files. */ + if (!file_exists($file)) continue; - $rules_array = file($file, FILE_SKIP_EMPTY_LINES); - $record = ""; - $b_Multiline = false; - - /* Read and process each line from the rules in the */ - /* current file. */ - foreach ($rules_array as $rule) { - - /* Skip any non-rule lines unless we're in */ - /* multiline mode. */ - if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) - continue; - - /* Test for a multi-line rule, and reassemble the */ - /* pieces back into a single line. */ - if (preg_match('/\\\\s*[\n]$/m', $rule)) { - $rule = substr($rule, 0, strrpos($rule, '\\')); - $record .= $rule; - $b_Multiline = true; - continue; - } - /* If the last segment of a multiline rule, then */ - /* append it onto the previous parts to form a */ - /* single-line rule for further processing below. */ - elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { - $record .= $rule; - $rule = $record; - } - $b_Multiline = false; - $record = ""; - - /* Parse the rule to find sid and any references. */ - $sid = ''; - $msg = ''; - $matches = ''; - $sidEntry = ''; - if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches)) - $msg = trim($matches[1]); - if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) - $sid = trim($matches[1]); - if (!empty($sid) && !empty($msg)) { - $sidEntry = $sid . ' || ' . $msg; - preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); - foreach ($matches[1] as $ref) - $sidEntry .= " || " . trim($ref); - $sidEntry .= "\n"; - $sidMap[$sid] = $sidEntry; - } - } + $rules_array = file($file, FILE_SKIP_EMPTY_LINES); + $record = ""; + $b_Multiline = false; + + /* Read and process each line from the rules in the current file */ + foreach ($rules_array as $rule) { + + /* Skip any non-rule lines unless we're in multiline mode. */ + if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) + continue; + + /* Test for a multi-line rule, and reassemble the */ + /* pieces back into a single line. */ + if (preg_match('/\\\\s*[\n]$/m', $rule)) { + $rule = substr($rule, 0, strrpos($rule, '\\')); + $record .= $rule; + $b_Multiline = true; + continue; + } + /* If the last segment of a multiline rule, then */ + /* append it onto the previous parts to form a */ + /* single-line rule for further processing below. */ + elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { + $record .= $rule; + $rule = $record; + } + $b_Multiline = false; + $record = ""; + + /* Parse the rule to find sid and any references. */ + $sid = ''; + $msg = ''; + $matches = ''; + $sidEntry = ''; + if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches)) + $msg = trim($matches[1]); + if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + $sid = trim($matches[1]); + if (!empty($sid) && !empty($msg)) { + $sidEntry = $sid . ' || ' . $msg; + preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); + foreach ($matches[1] as $ref) + $sidEntry .= " || " . trim($ref); + $sidEntry .= "\n"; + if (!is_array($sidMap[$sid])) + $sidMap[$sid] = array(); + $sidMap[$sid] = $sidEntry; + } + } } - /* Sort the generated sid-msg map by sid */ - ksort($sidMap); + /* Sort the generated sid-msg map by sid */ + ksort($sidMap); - /* Now print the result to the supplied file */ + /* Now print the result to the supplied file */ @file_put_contents($sid_file, array_values($sidMap)); } @@ -1154,8 +1107,11 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) { if (preg_match('/(\:)\s*(\w+)\s*(.*)/', $line, $matches)) { if (!empty($matches[2]) && !empty($matches[3])) { $matches[2] = trim($matches[2]); - if (!array_key_exists($matches[2], $outMap)) + if (!array_key_exists($matches[2], $outMap)) { + if (!is_array($outMap[$matches[2]])) + $outMap[$matches[2]] = array(); $outMap[$matches[2]] = trim($matches[3]); + } } } } @@ -1199,8 +1155,11 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) { continue; if (!empty($matches[2]) && !empty($matches[3]) && !empty($matches[4])) { $matches[2] = trim($matches[2]); - if (!array_key_exists($matches[2], $outMap)) + if (!array_key_exists($matches[2], $outMap)) { + if (!is_array($outMap[$matches[2]])) + $outMap[$matches[2]] = array(); $outMap[$matches[2]] = trim($matches[3]) . "," . trim($matches[4]); + } } } } @@ -1463,8 +1422,11 @@ function snort_get_checked_flowbits($rules_map) { if ($action == "isset" || $action == "isnotset") { $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); foreach ($target as $t) - if (!empty($t) && !isset($checked_flowbits[$t])) + if (!empty($t) && !isset($checked_flowbits[$t])) { + if (!is_array($checked_flowbits[$t])) + $checked_flowbits[$t] = array(); $checked_flowbits[$t] = $action; + } } } } @@ -1504,8 +1466,11 @@ function snort_get_set_flowbits($rules_map) { if ($action == "set" || $action == "toggle" || $action == "setx") { $target = preg_split('/[&|]/', substr($flowbit, $pos + 1)); foreach ($target as $t) - if (!empty($t) && !isset($set_flowbits[$t])) + if (!empty($t) && !isset($set_flowbits[$t])) { + if (!is_array($set_flowbits[$t])) + $set_flowbits[$t] = array(); $set_flowbits[$t] = $action; + } } } } @@ -1584,7 +1549,7 @@ function snort_resolve_flowbits($rules, $active_rules) { $snortdir = SNORTDIR; - /* Check $all_rules array to be sure it is filled. */ + /* Check $rules array to be sure it is filled. */ if (empty($rules)) { log_error(gettext("[Snort] WARNING: Flowbit resolution not done - no rules in {$snortdir}/rules/ ...")); return array(); @@ -1643,7 +1608,7 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { $fp = fopen($rule_file, "w"); if ($fp) { @fwrite($fp, "# These rules set flowbits checked by your other enabled rules. If the\n"); - @fwrite($fp, "# the dependent flowbits are not set, then some of your chosen rules may\n"); + @fwrite($fp, "# dependent flowbits are not set, then some of your chosen rules may\n"); @fwrite($fp, "# not fire. Enabling all rules that set these dependent flowbits ensures\n"); @fwrite($fp, "# your chosen rules fire as intended.\n#\n"); @fwrite($fp, "# If you wish to prevent alerts from any of these rules, add the GID:SID\n"); @@ -1791,8 +1756,11 @@ function snort_load_sid_mods($sids, $value) { return $result; $tmp = explode("||", $sids); foreach ($tmp as $v) { - if (preg_match('/\s\d+/', $v, $match)) + if (preg_match('/\s\d+/', $v, $match)) { + if (!is_array($result[trim($match[0])])) + $result[trim($match[0])] = array(); $result[trim($match[0])] = trim($match[0]); + } } unset($tmp); @@ -1849,12 +1817,12 @@ function snort_modify_sids(&$rule_map, $snortcfg) { function snort_create_rc() { - /*********************************************************/ - /* This function builds the /usr/local/etc/rc.d/snort.sh */ - /* shell script for starting and stopping Snort. The */ - /* script is rebuilt on each package sync operation and */ - /* after any changes to snort.conf saved in the GUI. */ - /*********************************************************/ +/*********************************************************/ +/* This function builds the /usr/local/etc/rc.d/snort.sh */ +/* shell script for starting and stopping Snort. The */ +/* script is rebuilt on each package sync operation and */ +/* after any changes to snort.conf saved in the GUI. */ +/*********************************************************/ global $config, $g; @@ -2137,19 +2105,23 @@ function snort_deinstall() { /* Log a message only if a running process is detected */ if (is_service_running("snort")) log_error(gettext("[Snort] Snort STOP for all interfaces...")); - mwexec('/usr/bin/killall snort', true); + mwexec('/usr/bin/killall -z snort', true); sleep(2); mwexec('/usr/bin/killall -9 snort', true); sleep(2); + // Delete any leftover snort PID files in /var/run + array_map('@unlink', glob("/var/run/snort_*.pid")); /* Make sure all active Barnyard2 processes are terminated */ /* Log a message only if a running process is detected */ if (is_service_running("barnyard2")) log_error(gettext("[Snort] Barnyard2 STOP for all interfaces...")); - mwexec('/usr/bin/killall barnyard2', true); + mwexec('/usr/bin/killall -z barnyard2', true); sleep(2); mwexec('/usr/bin/killall -9 barnyard2', true); sleep(2); + // Delete any leftover barnyard2 PID files in /var/run + array_map('@unlink', glob("/var/run/barnyard2_*.pid")); /* Remove the snort user and group */ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); @@ -2562,6 +2534,8 @@ function snort_generate_conf($snortcfg) { /* user added arguments */ $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); + // Remove the trailing newline + $snort_config_pass_thru = rtrim($snort_config_pass_thru); /* create a few directories and ensure the sample files are in place */ $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", @@ -2638,14 +2612,15 @@ function snort_generate_conf($snortcfg) { $ssh_port = $config['system']['ssh']['port']; else $ssh_port = "22"; + + /* Define an array of default values for the various preprocessor ports */ $snort_ports = array( - "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555", - "oracle_ports" => "1024:", "mssql_ports" => "1433", - "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535", - "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", - "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", - "sip_ports" => "5060,5061, 5600", "auth_ports" => "113", "finger_ports" => "79", + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", + "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", + "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, + "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", + "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", @@ -2658,6 +2633,7 @@ function snort_generate_conf($snortcfg) { "GTP_PORTS" => "2123,2152,3386" ); + /* Check for defined Aliases that may override default port settings as we build the portvars array */ $portvardef = ""; foreach ($snort_ports as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) @@ -2666,6 +2642,23 @@ function snort_generate_conf($snortcfg) { $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; } + /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ + $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; + $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; + $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; + $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; + $stream5_ports_client .= "\t 32778 32779"; + $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; + $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; + $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; + $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; + $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; + $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; + $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; + $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; + $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; + $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; + $stream5_ports_both .= "\t 55555 56712"; ///////////////////////////// /* preprocessor code */ @@ -2676,106 +2669,220 @@ preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_u EOD; - /* Pull in the user-configurable HTTP_INSPECT global preprocessor options */ - $http_inspect_memcap = "150994944"; - if (!empty($snortcfg['http_inspect_memcap'])) - $http_inspect_memcap = $snortcfg['http_inspect_memcap']; - - /* Pull in the user-configurable HTTP_INSPECT server preprocessor options */ - $server_flow_depth = '300'; - if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0')) - $server_flow_depth = $snortcfg['server_flow_depth']; - $http_server_profile = "all"; - if (!empty($snortcfg['http_server_profile'])) - $http_server_profile = $snortcfg['http_server_profile']; - $client_flow_depth = '300'; - if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) - $client_flow_depth = $snortcfg['client_flow_depth']; - if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect'])) - $noalert_http_inspect = "no_alerts"; + /* def ftp_preprocessor */ + $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); + $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); + + // Configure FTP_Telnet global options + $ftp_telnet_globals = "inspection_type "; + if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; } + if ($snortcfg['ftp_telnet_alert_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes"; else - $noalert_http_inspect = ""; - $http_inspect_server_opts = "enable_cookie \\\n\textended_response_inspection \\\n\tnormalize_javascript \\\n"; - $http_inspect_server_opts .= "\tinspect_gzip \\\n\tnormalize_utf \\\n\tunlimited_decompress \\\n"; - $http_inspect_server_opts .= "\tnormalize_headers \\\n\tnormalize_cookies"; - if ($snortcfg['http_inspect_enable_xff'] == "on") - $http_inspect_server_opts .= " \\\n\tenable_xff"; - - /* If Stream5 is enabled, then we can enable the "log_uri" and "log_hostname" options */ - if ($snortcfg['stream5_reassembly'] == "on") { - if ($snortcfg['http_inspect_log_uri'] == "on") - $http_inspect_server_opts .= " \\\n\tlog_uri"; - if ($snortcfg['http_inspect_log_hostname'] == "on") - $http_inspect_server_opts .= " \\\n\tlog_hostname"; - } + $ftp_telnet_globals .= " \\\n\tencrypted_traffic no"; + if ($snortcfg['ftp_telnet_check_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tcheck_encrypted"; + + // Configure FTP_Telnet Telnet protocol options + $ftp_telnet_protocol = "ports { {$telnet_ports} }"; + if ($snortcfg['ftp_telnet_normalize'] == "on") + $ftp_telnet_protocol .= " \\\n\tnormalize"; + if ($snortcfg['ftp_telnet_detect_anomalies'] == "on") + $ftp_telnet_protocol .= " \\\n\tdetect_anomalies"; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') { + $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") + $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; + else + $ftp_telnet_protocol .= "20"; + } + + // Setup the standard FTP commands used for all FTP Server engines + $ftp_cmds = <<<EOD + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > - $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); +EOD; - /* def http_inspect */ - $http_inspect = <<<EOD -# HTTP Inspect # -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 memcap {$http_inspect_memcap} + // Configure all the FTP_Telnet FTP protocol options + // Iterate and configure the FTP Client engines + $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + if (!is_array($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'] = array(); + + // If no FTP client engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; + $ftp_client_engine = ""; + + foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp client "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } -preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect} \ - ports { {$http_ports} } \ - http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ - server_flow_depth {$server_flow_depth} \ - client_flow_depth {$client_flow_depth} \ - {$http_inspect_server_opts} + if ($v['max_resp_len'] == "") + $buffer .= "\tmax_resp_len 256 \\\n"; + else + $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + + if ($v['bounce'] == "yes") { + if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { + $net = trim(filter_expand_alias($v['bounce_to_net'])); + $port = trim(filter_expand_alias($v['bounce_to_port'])); + if (!empty($net) && !empty($port) && + snort_is_single_addr_alias($v['bounce_to_net']) && + (is_port($port) || is_portrange($port))) { + $port = preg_replace('/\s+/', ',', $port); + // Change port range delimiter to comma for ftp_telnet client preprocessor + if (is_portrange($port)) + $port = str_replace(":", ",", $port); + $buffer .= "\tbounce yes \\\n"; + $buffer .= "\tbounce_to { {$net},{$port} }\n"; + } + else { + // One or both of the BOUNCE_TO alias values is not right, + // so figure out which and log an appropriate error. + if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) + log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + if (empty($port) || !(is_port($port) || is_portrange($port))) + log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + $buffer .= "\tbounce yes\n"; + } + } + else + $buffer .= "\tbounce yes\n"; + } + else + $buffer .= "\tbounce no\n"; + + // Add this FTP client engine to the master string + $ftp_client_engine .= "{$buffer}\n"; + } + // Trim final trailing newline + rtrim($ftp_client_engine); + + // Iterate and configure the FTP Server engines + $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + if (!is_array($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'] = array(); + + // If no FTP server engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; + $ftp_server_engine = ""; + + foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp server "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } -EOD; + if ($v['def_max_param_len'] == "") + $buffer .= "\tdef_max_param_len 100 \\\n"; + elseif ($v['def_max_param_len'] <> '0') + $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; + + if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) + $buffer .= "\tports { {$ftp_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $buffer .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); + $buffer .= "\tports { {$ftp_ports} } \\\n"; + } + } + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + if ($v['ignore_data_chan'] == "yes") + $buffer .= "\tignore_data_chan yes \\\n"; + $buffer .= "{$ftp_cmds}\n"; + + // Add this FTP server engine to the master string + $ftp_server_engine .= $buffer; + } + // Remove trailing newlines + rtrim($ftp_server_engine); - /* def ftp_preprocessor */ - $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); - $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); $ftp_preprocessor = <<<EOD # ftp_telnet preprocessor # preprocessor ftp_telnet: global \ -inspection_type stateless + {$ftp_telnet_globals} preprocessor ftp_telnet_protocol: telnet \ - normalize ports { {$telnet_ports} } \ - ayt_attack_thresh 20 \ - detect_anomalies - -preprocessor ftp_telnet_protocol: ftp server default \ - def_max_param_len 100 \ - ports { $ftp_ports } \ - telnet_cmds yes \ - ignore_telnet_erase_cmds yes \ - ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ - ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ - ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ - ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ - ftp_cmds { FEAT CEL CMD MACB } \ - ftp_cmds { MDTM REST SIZE MLST MLSD } \ - ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ - alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ - alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ - alt_max_param_len 256 { RNTO CWD } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { SIZE } \ - chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ - chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ - chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ - chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ - chk_str_fmt { FEAT CEL CMD } \ - chk_str_fmt { MDTM REST SIZE MLST MLSD } \ - chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - ignore_telnet_erase_cmds yes \ - telnet_cmds yes - + {$ftp_telnet_protocol} + +{$ftp_server_engine} +{$ftp_client_engine} EOD; $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); @@ -2783,7 +2890,7 @@ EOD; # POP preprocessor # preprocessor pop: \ ports { {$pop_ports} } \ - memcap 1310700 \ + memcap 1310700 \ qp_decode_depth 0 \ b64_decode_depth 0 \ bitenc_decode_depth 0 @@ -2795,7 +2902,7 @@ EOD; # IMAP preprocessor # preprocessor imap: \ ports { {$imap_ports} } \ - memcap 1310700 \ + memcap 1310700 \ qp_decode_depth 0 \ b64_decode_depth 0 \ bitenc_decode_depth 0 @@ -2807,35 +2914,37 @@ EOD; $smtp_preprocessor = <<<EOD # SMTP preprocessor # preprocessor SMTP: \ - ports { {$smtp_ports} } \ - inspection_type stateful \ - normalize cmds \ - ignore_tls_data \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET \ - SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME \ - TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP \ - RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK \ - TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } \ - log_mailfrom \ - log_rcptto \ - log_email_hdrs \ - email_hdrs_log_depth 1464 \ - log_filename \ - qp_decode_depth 0 \ - b64_decode_depth 0 \ - bitenc_decode_depth 0 \ - uu_decode_depth 0 + ports { {$smtp_ports} } \ + inspection_type stateful \ + normalize cmds \ + ignore_tls_data \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \ + NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \ + STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \ + XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \ + IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \ + ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \ + XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } \ + log_mailfrom \ + log_rcptto \ + log_email_hdrs \ + email_hdrs_log_depth 1464 \ + log_filename \ + qp_decode_depth 0 \ + b64_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 EOD; @@ -2859,12 +2968,13 @@ EOD; } $sf_portscan = <<<EOD -# sf Portscan preprocessor # -preprocessor sfportscan: scan_type { {$sf_pscan_type} } \ - proto { {$sf_pscan_protocol} } \ - memcap { {$sf_pscan_memcap} } \ - sense_level { {$sf_pscan_sense_level} } \ - ignore_scanners { {$sf_pscan_ignore_scanners} } +# sf Portscan # +preprocessor sfportscan: \ + scan_type { {$sf_pscan_type} } \ + proto { {$sf_pscan_protocol} } \ + memcap { {$sf_pscan_memcap} } \ + sense_level { {$sf_pscan_sense_level} } \ + ignore_scanners { {$sf_pscan_ignore_scanners} } EOD; @@ -2872,7 +2982,8 @@ EOD; $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); $ssh_preproc = <<<EOD # SSH preprocessor # -preprocessor ssh: server_ports { {$ssh_ports} } \ +preprocessor ssh: \ + server_ports { {$ssh_ports} } \ autodetect \ max_client_bytes 19600 \ max_encrypted_packets 20 \ @@ -2886,7 +2997,11 @@ EOD; $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); $other_preprocs = <<<EOD # Other preprocs # -preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete +preprocessor rpc_decode: \ + {$sun_rpc_ports} \ + no_alert_multiple_requests \ + no_alert_large_fragments \ + no_alert_incomplete # Back Orifice preprocessor # preprocessor bo @@ -2896,18 +3011,28 @@ EOD; /* def dce_rpc_2 */ $dce_rpc_2 = <<<EOD # DCE/RPC 2 # -preprocessor dcerpc2: memcap 102400, events [co] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [{$snort_ports['smb_ports']}], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] +preprocessor dcerpc2: \ + memcap 102400, \ + events [co] + +preprocessor dcerpc2_server: default, \ + policy WinXP, \ + detect [smb [{$snort_ports['smb_ports']}], \ + tcp 135, \ + udp 135, \ + rpc-over-http-server 593], \ + autodetect [tcp 1025:, \ + udp 1025:, \ + rpc-over-http-server 1025:], \ + smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] EOD; $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); $sip_preproc = <<<EOD # SIP preprocessor # -preprocessor sip: max_sessions 40000, \ +preprocessor sip: \ + max_sessions 40000, \ ports { {$sip_ports} }, \ methods { invite \ cancel \ @@ -2947,8 +3072,8 @@ EOD; $dns_preprocessor = <<<EOD # DNS preprocessor # preprocessor dns: \ - ports { {$dns_ports} } \ - enable_rdata_overflow + ports { {$dns_ports} } \ + enable_rdata_overflow EOD; @@ -2957,9 +3082,9 @@ EOD; $dnp3_preproc = <<<EOD # DNP3 preprocessor # preprocessor dnp3: \ - ports { {$dnp3_ports} } \ - memcap 262144 \ - check_crc + ports { {$dnp3_ports} } \ + memcap 262144 \ + check_crc EOD; @@ -2968,7 +3093,7 @@ EOD; $modbus_preproc = <<<EOD # Modbus preprocessor # preprocessor modbus: \ - ports { {$modbus_ports} } + ports { {$modbus_ports} } EOD; @@ -2976,7 +3101,8 @@ EOD; $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); $gtp_preproc = <<<EOD # GTP preprocessor # -preprocessor gtp: ports { {$gtp_ports} } +preprocessor gtp: \ + ports { {$gtp_ports} } EOD; @@ -2986,24 +3112,24 @@ EOD; # SSL preprocessor # preprocessor ssl: \ ports { {$ssl_ports} }, \ - trustservers, noinspect_encrypted + trustservers, \ + noinspect_encrypted EOD; - $sensitive_data = "preprocessor sensitive_data:\n"; + /* def sensitive_data_preprocessor */ + if ($snortcfg['sdf_mask_output'] == "on") + $sdf_mask_output = "\\\n\tmask_output"; + else + $sdf_mask_output = ""; + $sensitive_data = <<<EOD +# SDF preprocessor # +preprocessor sensitive_data: \ + alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output} - /**************************************************************/ - /* Default the HTTP_INSPECT preprocessor to "on" if not set. */ - /* The preprocessor is required by hundreds of Snort rules, */ - /* and without it Snort may not start and/or the number of */ - /* rules required to be disabled reduces Snort's capability. */ - /* Alerts from the HTTP_INSPECT preprocessor default to "off" */ - /* unless a specific value has been set by the user. */ - /**************************************************************/ - if (empty($snortcfg['http_inspect'])) - $snortcfg['http_inspect'] = 'on'; +EOD; - /* define servers and ports snortdefservers */ + /* define servers as IP variables */ $snort_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", @@ -3015,13 +3141,15 @@ EOD; "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" ); - $vardef = ""; + // Change old name from "var" to new name of "ipvar" for IP variables because + // Snort is deprecating the old "var" name in newer versions. + $ipvardef = ""; foreach ($snort_servers as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); $avalue = preg_replace('/\s+/', ',', trim($avalue)); } - $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n"; + $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; } $snort_preproc_libs = array( @@ -3031,7 +3159,7 @@ EOD; "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" ); $default_disabled_preprocs = array( @@ -3065,6 +3193,8 @@ EOD; } } } + // Remove final trailing newline + $snort_preprocessors = rtrim($snort_preprocessors); $snort_misc_include_rules = ""; if (file_exists("{$snortcfgdir}/reference.config")) @@ -3106,6 +3236,10 @@ EOD; $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; + // Remove trailing newlines + $snort_misc_include_rules = rtrim($snort_misc_include_rules); + $selected_rules_sections = rtrim($selected_rules_sections); + /* Create the actual rules files and save in the interface directory */ snort_prepare_rule_files($snortcfg, $snortcfgdir); @@ -3123,83 +3257,247 @@ EOD; $cfg_detect_settings .= " no_stream_inserts"; /* Pull in user-configurable options for Frag3 preprocessor settings */ - $frag3_disabled = ""; - if ($snortcfg['frag3_detection'] == "off") - $frag3_disabled = ", disabled"; - $frag3_memcap = "memcap 4194304"; + /* Get global Frag3 options first and put into a string */ + $frag3_global = "preprocessor frag3_global: "; if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") - $frag3_memcap = "memcap {$snortcfg['frag3_memcap']}"; - $frag3_max_frags = "max_frags 8192"; + $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; + else + $frag3_global .= "memcap 4194304, "; if (!empty($snortcfg['frag3_max_frags'])) - $frag3_max_frags = "max_frags {$snortcfg['frag3_max_frags']}"; - $frag3_overlap_limit = "overlap_limit 0"; - if (!empty($snortcfg['frag3_overlap_limit'])) - $frag3_overlap_limit = "overlap_limit {$snortcfg['frag3_overlap_limit']}"; - $frag3_min_frag_len = "min_fragment_length 0"; - if (!empty($snortcfg['frag3_min_frag_len'])) - $frag3_min_frag_len = "min_fragment_length {$snortcfg['frag3_min_frag_len']}"; - $frag3_timeout = "timeout 60"; - if (!empty($snortcfg['frag3_timeout'])) - $frag3_timeout = "timeout {$snortcfg['frag3_timeout']}"; - $frag3_policy = "policy bsd"; - if (!empty($snortcfg['frag3_policy'])) - $frag3_policy = "policy {$snortcfg['frag3_policy']}"; - - /* Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs */ + $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; + else + $frag3_global .= "max_frags 8192"; + if ($snortcfg['frag3_detection'] == "off") + $frag3_global .= ", disabled"; + + $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + $frag3_engine = ""; + + // Now iterate configured Frag3 engines and write them to a string if enabled + if ($snortcfg['frag3_detection'] == "on") { + if (!is_array($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'] = array(); + + // If no frag3 tcp engine is configured, use the default + if (empty($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; + + foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { + $frag3_engine .= "preprocessor frag3_engine: "; + $frag3_engine .= "policy {$v['policy']}"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; + else + $frag3_engine .= " \\\n\tbind_to {$tmp}"; + } + else + log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); + } + $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; + $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; + if ($v['detect_anomalies'] == "on") { + $frag3_engine .= " \\\n\tdetect_anomalies"; + $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; + $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; + } + // Add newlines to terminate this engine + $frag3_engine .= "\n\n"; + } + // Remove trailing newline + $frag3_engine = rtrim($frag3_engine); + } + + // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs $paf_max_pdu_config = "config paf_max: "; - if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == "0") + if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') $paf_max_pdu_config .= "0"; else $paf_max_pdu_config .= $snortcfg['max_paf']; - /* Pull in user-configurable options for Stream5 preprocessor settings */ - $stream5_reassembly = ""; + // Pull in user-configurable options for Stream5 preprocessor settings + // Get global options first and put into a string + $stream5_global = "preprocessor stream5_global: \\\n"; if ($snortcfg['stream5_reassembly'] == "off") - $stream5_reassembly = "disabled,"; - $stream5_track_tcp = "yes"; - if ($snortcfg['stream5_track_tcp'] =="off") - $stream5_track_tcp = "no"; - $stream5_track_udp = "yes"; - if ($snortcfg['stream5_track_udp'] =="off") - $stream5_track_udp = "no"; - $stream5_track_icmp = "no"; - if ($snortcfg['stream5_track_icmp'] =="on") - $stream5_track_icmp = "yes"; - $stream5_require_3whs = ""; - if ($snortcfg['stream5_require_3whs'] == "on") - $stream5_require_3whs = ", require_3whs 0"; - $stream5_no_reassemble_async = ""; - if ($snortcfg['stream5_no_reassemble_async'] == "on") - $stream5_no_reassemble_async = ", dont_reassemble_async"; - $stream5_dont_store_lg_pkts = ""; - if ($snortcfg['stream5_dont_store_lg_pkts'] == "on") - $stream5_dont_store_lg_pkts = ", dont_store_large_packets"; - $stream5_max_queued_bytes_type = ""; - if ((!empty($snortcfg['max_queued_bytes'])) || ($snortcfg['max_queued_bytes'] == '0')) - $stream5_max_queued_bytes_type = ", max_queued_bytes {$snortcfg['max_queued_bytes']}"; - $stream5_max_queued_segs_type = ""; - if ((!empty($snortcfg['max_queued_segs'])) || ($snortcfg['max_queued_segs'] == '0')) - $stream5_max_queued_segs_type = ", max_queued_segs {$snortcfg['max_queued_segs']}"; - $stream5_mem_cap = ""; + $stream5_global .= "\tdisabled, \\\n"; + if ($snortcfg['stream5_track_tcp'] == "off") + $stream5_global .= "\ttrack_tcp no,"; + else { + $stream5_global .= "\ttrack_tcp yes,"; + if (!empty($snortcfg['stream5_max_tcp'])) + $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; + else + $stream5_global .= " \\\n\tmax_tcp 262144,"; + } + if ($snortcfg['stream5_track_udp'] == "off") + $stream5_global .= " \\\n\ttrack_udp no,"; + else { + $stream5_global .= " \\\n\ttrack_udp yes,"; + if (!empty($snortcfg['stream5_max_udp'])) + $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; + else + $stream5_global .= " \\\n\tmax_udp 131072,"; + } + if ($snortcfg['stream5_track_icmp'] == "on") { + $stream5_global .= " \\\n\ttrack_icmp yes,"; + if (!empty($snortcfg['stream5_max_icmp'])) + $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; + else + $stream5_global .= " \\\n\tmax_icmp 65536,"; + } + else + $stream5_global .= " \\\n\ttrack_icmp no,"; if (!empty($snortcfg['stream5_mem_cap'])) - $stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}"; - $stream5_overlap_limit = "overlap_limit 0"; - if (!empty($snortcfg['stream5_overlap_limit'])) - $stream5_overlap_limit = "overlap_limit {$snortcfg['stream5_overlap_limit']}"; - $stream5_policy = "policy bsd"; - if (!empty($snortcfg['stream5_policy'])) - $stream5_policy = "policy {$snortcfg['stream5_policy']}"; - $stream5_tcp_timeout = "timeout 30"; - if (!empty($snortcfg['stream5_tcp_timeout'])) - $stream5_tcp_timeout = "timeout {$snortcfg['stream5_tcp_timeout']}"; - $stream5_udp_timeout = "timeout 30"; - if (!empty($snortcfg['stream5_udp_timeout'])) - $stream5_udp_timeout = "timeout {$snortcfg['stream5_udp_timeout']}"; - $stream5_icmp_timeout = "timeout 30"; - if (!empty($snortcfg['stream5_icmp_timeout'])) - $stream5_icmp_timeout = "timeout {$snortcfg['stream5_icmp_timeout']}"; - - /* Check for and configure Host Attribute Table if enabled */ + $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; + else + $stream5_global .= " \\\n\tmemcap 8388608,"; + + if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') + $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; + else + $stream5_global .= " \\\n\tprune_log_max 1048576"; + if ($snortcfg['stream5_flush_on_alert'] == "on") + $stream5_global .= ", \\\n\tflush_on_alert"; + + $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + $stream5_tcp_engine = ""; + + // Now iterate configured Stream5 TCP engines and write them to a string if enabled + if ($snortcfg['stream5_reassembly'] == "on") { + if (!is_array($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'] = array(); + + // If no stream5 tcp engine is configured, use the default + if (empty($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; + + foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { + $buffer = "preprocessor stream5_tcp: "; + $buffer .= "policy {$v['policy']},"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $buffer .= " \\\n\tbind_to [{$tmp}],"; + else + $buffer .= " \\\n\tbind_to {$tmp},"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); + continue; + } + } + $stream5_tcp_engine .= $buffer; + $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; + $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; + $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; + if ($v['use_static_footprint_sizes'] == "on") + $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; + if ($v['check_session_hijacking'] == "on") + $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; + if ($v['dont_store_lg_pkts'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; + if ($v['no_reassemble_async'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; + if ($v['detect_anomalies'] == "on") + $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; + if ($v['require_3whs'] == "on") + $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; + if (!empty($v['ports_client'])) { + $stream5_tcp_engine .= ", \\\n\tports client"; + if ($v['ports_client'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_client'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_client}"; + else { + $tmp = trim(filter_expand_alias($v['ports_client'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_client}"; + log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_both'])) { + $stream5_tcp_engine .= ", \\\n\tports both"; + if ($v['ports_both'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_both'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_both}"; + else { + $tmp = trim(filter_expand_alias($v['ports_both'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_both}"; + log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { + if ($v['ports_server'] == " all") { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " all"; + } + else { + $tmp = trim(filter_expand_alias($v['ports_server'])); + if (!empty($tmp)) { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + } + else + log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); + } + } + + // Make sure the "ports" parameter is set, or else default to a safe value + if (strpos($stream5_tcp_engine, "ports ") === false) + $stream5_tcp_engine .= ", \\\n\tports both all"; + + // Add a pair of newlines to terminate this engine + $stream5_tcp_engine .= "\n\n"; + } + // Trim off the final trailing newline + $stream5_tcp_engine = rtrim($stream5_tcp_engine); + } + + // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") + $stream5_udp_engine = ""; + else { + $stream5_udp_engine = "preprocessor stream5_udp: "; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; + else + $stream5_udp_engine .= "timeout 30"; + } + + // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { + $stream5_icmp_engine = "preprocessor stream5_icmp: "; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; + else + $stream5_icmp_engine .= "timeout 30"; + } + else + $stream5_icmp_engine = ""; + + // Check for and configure Host Attribute Table if enabled $host_attrib_config = ""; if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); @@ -3211,22 +3509,148 @@ EOD; $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; } - /* Finally, build the Snort configuration file */ - $snort_conf_text = <<<EOD + // Configure the HTTP_INSPECT preprocessor + // Get global options first and put into a string + $http_inspect_global = "preprocessor http_inspect: global "; + if ($snortcfg['http_inspect'] == "off") + $http_inspect_global .= "disabled "; + $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; + $http_inspect_global .= "\tcompress_depth 65535 \\\n"; + $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; + if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; + else + $http_inspect_global .= "\tmemcap 150994944 \\\n"; + if (!empty($snortcfg['http_inspect_max_gzip_mem'])) + $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; + else + $http_inspect_global .= "\tmax_gzip_mem 838860"; + if ($snortcfg['http_inspect_proxy_alert'] == "on") + $http_inspect_global .= " \\\n\tproxy_alert"; + + $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); + $http_inspect_servers = ""; + + // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled + if ($snortcfg['http_inspect'] <> "off") { + if (!is_array($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'] = array(); + + // If no http_inspect_engine is configured, use the default + if (empty($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; + + foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { + $buffer = "preprocessor http_inspect_server: \\\n"; + if ($v['name'] == "default") + $buffer .= "\tserver default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "\tserver { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + $http_inspect_servers .= $buffer; + $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; + + if ($v['no_alerts'] == "on") + $http_inspect_servers .= "\tno_alerts \\\n"; + + if ($v['ports'] == "default" || empty($v['ports'])) + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $http_inspect_servers .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + + $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; + $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; + $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; + $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; + $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; + $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; + $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; + if ($v['enable_xff'] == "on") + $http_inspect_servers .= " \\\n\tenable_xff"; + if ($v['enable_cookie'] == "on") + $http_inspect_servers .= " \\\n\tenable_cookie"; + if ($v['normalize_cookies'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_cookies"; + if ($v['normalize_headers'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_headers"; + if ($v['normalize_utf'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_utf"; + if ($v['allow_proxy_use'] == "on") + $http_inspect_servers .= " \\\n\tallow_proxy_use"; + if ($v['inspect_uri_only'] == "on") + $http_inspect_servers .= " \\\n\tinspect_uri_only"; + if ($v['extended_response_inspection'] == "on") { + $http_inspect_servers .= " \\\n\textended_response_inspection"; + if ($v['inspect_gzip'] == "on") { + $http_inspect_servers .= " \\\n\tinspect_gzip"; + if ($v['unlimited_decompress'] == "on") + $http_inspect_servers .= " \\\n\tunlimited_decompress"; + } + if ($v['normalize_javascript'] == "on") { + $http_inspect_servers .= " \\\n\tnormalize_javascript"; + $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; + } + } + if ($v['log_uri'] == "on") + $http_inspect_servers .= " \\\n\tlog_uri"; + if ($v['log_hostname'] == "on") + $http_inspect_servers .= " \\\n\tlog_hostname"; + // Add a pair of trailing newlines to terminate this server config + $http_inspect_servers .= "\n\n"; + } + /* Trim off the final trailing newline */ + $http_inspect_server = rtrim($http_inspect_server); + } + + // Finally, build the Snort configuration file + $snort_conf_text = <<<EOD # snort configuration file # generated automatically by the pfSense subsystems do not modify manually # Define Local Network # -var HOME_NET [{$home_net}] -var EXTERNAL_NET [{$external_net}] +ipvar HOME_NET [{$home_net}] +ipvar EXTERNAL_NET [{$external_net}] # Define Rule Paths # var RULE_PATH {$snortcfgdir}/rules var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules # Define Servers # -{$vardef} +{$ipvardef} # Define Server Ports # {$portvardef} @@ -3262,7 +3686,7 @@ config show_year # For more information see README.stream5 # {$paf_max_pdu_config} -#Configure dynamically loaded libraries +# Configure dynamically loaded libraries dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']} dynamicengine directory {$snort_dirs['dynamicengine']} dynamicdetection directory {$snort_dirs['dynamicrules']} @@ -3276,16 +3700,23 @@ dynamicdetection directory {$snort_dirs['dynamicrules']} # preprocessor normalize_icmp6 # Flow and stream # -preprocessor frag3_global: {$frag3_memcap}, {$frag3_max_frags}{$frag3_disabled} -preprocessor frag3_engine: {$frag3_policy} detect_anomalies {$frag3_timeout} {$frag3_overlap_limit} {$frag3_min_frag_len} +{$frag3_global} -preprocessor stream5_global:{$stream5_reassembly} track_tcp {$stream5_track_tcp}, track_udp {$stream5_track_udp}, track_icmp {$stream5_track_icmp}, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5{$stream5_mem_cap} -preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}{$stream5_dont_store_lg_pkts} -preprocessor stream5_udp: {$stream5_udp_timeout} -preprocessor stream5_icmp: {$stream5_icmp_timeout} +{$frag3_engine} -{$snort_preprocessors} +{$stream5_global} + +{$stream5_tcp_engine} +{$stream5_udp_engine} + +{$stream5_icmp_engine} + +# HTTP Inspect # +{$http_inspect_global} + +{$http_inspect_servers} +{$snort_preprocessors} {$host_attrib_config} # Snort Output Logs # @@ -3304,10 +3735,9 @@ output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,src # Rules Selection # {$selected_rules_sections} - EOD; - /* write out snort.conf */ + // Write out snort.conf file $conf = fopen("{$snortcfgdir}/snort.conf", "w"); if(!$conf) { log_error("Could not open {$snortcfgdir}/snort.conf for writing."); @@ -3316,7 +3746,7 @@ EOD; fwrite($conf, $snort_conf_text); fclose($conf); unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); - unset($home_net, $external_net, $vardef, $portvardef); + unset($home_net, $external_net, $ipvardef, $portvardef); } /* Uses XMLRPC to synchronize the changes to a remote node */ diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 49bec61c..c09e7a91 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.9.4.6</version> - <title>Services:2.9.4.6 pkg v. 2.6.1</title> + <version>2.9.5.5</version> + <title>Services:2.9.5.5 pkg v. 3.0.0</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> @@ -76,6 +76,16 @@ <additional_files_needed> <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_migrate_config.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_post_install.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_sync.xml</item> </additional_files_needed> <additional_files_needed> @@ -188,15 +198,55 @@ <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_edit_hat_data.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_frag3_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_stream5_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_httpinspect_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_ftp_client_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_ftp_server_engine.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_import_aliases.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_select_alias.php</item> + </additional_files_needed> <fields> </fields> <custom_add_php_command> </custom_add_php_command> <custom_php_resync_config_command> + <![CDATA[ + if ($GLOBALS['pfSense_snort_version'] == "3.0.0") sync_snort_package_config(); + ]]> </custom_php_resync_config_command> <custom_php_install_command> - snort_postinstall(); + <![CDATA[ + include_once("/usr/local/pkg/snort/snort_post_install.php"); + ]]> </custom_php_install_command> <custom_php_deinstall_command> snort_deinstall(); diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 728de751..ede6cf9a 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -144,12 +144,13 @@ $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; - $anentries = $pconfig['alertnumber']; -} else { - $anentries = '250'; +} + +if (empty($pconfig['alertnumber'])) $pconfig['alertnumber'] = '250'; +if (empty($pconfig['arefresh'])) $pconfig['arefresh'] = 'off'; -} +$anentries = $pconfig['alertnumber']; if ($_POST['save']) { if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) @@ -259,7 +260,7 @@ if ($_POST['download']) { /* Load up an array with the current Suppression List GID,SID values */ $supplist = snort_load_suppress_sigs($a_instance[$instanceid], true); -$pgtitle = "Services: Snort: Snort Alerts"; +$pgtitle = gettext("Snort: Snort Alerts"); include_once("head.inc"); ?> @@ -336,7 +337,7 @@ if ($pconfig['arefresh'] == 'on') <?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> - <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> + <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> <?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index a5c1ffec..2457b573 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -104,7 +104,7 @@ if ($_POST) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface: {$if_friendly} Barnyard2 Edit"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Barnyard2 Settings"); include_once("head.inc"); ?> @@ -188,7 +188,7 @@ function enable_change(enable_change) { <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td> <td width="78%" class="vtable"><input name="barnyard_mysql" - type="text" class="formfld" id="barnyard_mysql" style="width:95%;" size="85" + type="text" class="formfld unknown" id="barnyard_mysql" style="width:95%;" size="85" value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br/> <span class="vexpl"><?php echo gettext("Example: output database: alert, mysql, " . "dbname=snort user=snort host=localhost password=xyz"); ?><br/> diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 983e8905..8d106a90 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -121,7 +121,7 @@ if ($_POST['save']) } -$pgtitle = "Services: Snort Blocked Hosts"; +$pgtitle = gettext("Snort: Blocked Hosts"); include_once("head.inc"); ?> @@ -180,7 +180,7 @@ if ($pconfig['brefresh'] == 'on') name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> <?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> <input - name="blertnumber" type="text" class="formfld" id="blertnumber" + name="blertnumber" type="text" class="formfld unknown" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>"> <?php printf(gettext("Enter the " . "number of blocked entries to view. %sDefault%s is %s500%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index e7263330..2afae663 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -53,6 +53,14 @@ if (!defined("GPLV2_DNLD_URL")) define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); if (!defined("RULES_UPD_LOGFILE")) define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); +if (!defined("VRT_FILE_PREFIX")) + define("VRT_FILE_PREFIX", "snort_"); +if (!defined("GPL_FILE_PREFIX")) + define("GPL_FILE_PREFIX", "GPLv2_"); +if (!defined("ET_OPEN_FILE_PREFIX")) + define("ET_OPEN_FILE_PREFIX", "emerging-"); +if (!defined("ET_PRO_FILE_PREFIX")) + define("ET_PRO_FILE_PREFIX", "etpro-"); $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; @@ -118,7 +126,6 @@ $snort_community_rules_filename = GPLV2_DNLD_FILENAME; $snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5"; $snort_community_rules_url = GPLV2_DNLD_URL; -/* Custom function for rules file download via URL */ function snort_download_file_url($url, $file_out) { /************************************************/ @@ -127,18 +134,21 @@ function snort_download_file_url($url, $file_out) { /* saves the content to the file specified by */ /* $file. */ /* */ + /* This is needed so console output can be */ + /* suppressed to prevent XMLRPC sync errors. */ + /* */ /* It provides logging of returned CURL errors. */ /************************************************/ global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; - // Initialize required variables for pfSense "read_body()" function + // Initialize required variables for the pfSense "read_body()" function $file_size = 1; $downloaded = 1; $first_progress_update = TRUE; - /* Array of message strings for HTTP Response Codes */ + // Array of message strings for HTTP Response Codes $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", 206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found", 305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request", @@ -157,7 +167,7 @@ function snort_download_file_url($url, $file_out) { return false; curl_setopt($ch, CURLOPT_FILE, $fout); - /* NOTE: required to suppress errors from XMLRPC due to progress bar output */ + // NOTE: required to suppress errors from XMLRPC due to progress bar output if ($g['snort_sync_in_progress']) curl_setopt($ch, CURLOPT_HEADER, false); else { @@ -167,7 +177,6 @@ function snort_download_file_url($url, $file_out) { curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)"); - /* Don't verify SSL peers since we don't have the certificates to do so. */ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); curl_setopt($ch, CURLOPT_TIMEOUT, 0); @@ -185,7 +194,7 @@ function snort_download_file_url($url, $file_out) { $counter = 0; $rc = true; - /* Try up to 4 times to download the file before giving up */ + // Try up to 4 times to download the file before giving up while ($counter < 4) { $counter++; $rc = curl_exec($ch); @@ -202,7 +211,8 @@ function snort_download_file_url($url, $file_out) { $last_curl_error = $http_resp_msg[$http_code]; curl_close($ch); fclose($fout); - /* If we had to try more than once, log it */ + + // If we had to try more than once, log it if ($counter > 1) log_error(gettext("File '" . basename($file_out) . "' download attempts: {$counter} ...")); return ($http_code == 200) ? true : $http_code; @@ -214,7 +224,140 @@ function snort_download_file_url($url, $file_out) { } } -/* Start of code */ +function snort_check_rule_md5($file_url, $file_dst, $desc = "") { + + /**********************************************************/ + /* This function attempts to download the passed MD5 hash */ + /* file and compare its contents to the currently stored */ + /* hash file to see if a new rules file has been posted. */ + /* */ + /* On Entry: $file_url = URL for md5 hash file */ + /* $file_dst = Temp destination to store the */ + /* downloaded hash file */ + /* $desc = Short text string used to label */ + /* log messages with rules type */ + /* */ + /* Returns: TRUE if new rule file download required. */ + /* FALSE if rule download not required or an */ + /* error occurred. */ + /**********************************************************/ + + global $pkg_interface, $snort_rules_upd_log, $last_curl_error; + + $snortdir = SNORTDIR; + $filename_md5 = basename($file_dst); + + if ($pkg_interface <> "console") + update_status(gettext("Downloading {$desc} md5 file...")); + error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url($file_url, $file_dst); + + // See if download from URL was successful + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading {$filename_md5}.")); + error_log("\tChecking {$desc} md5 file...\n", 3, $snort_rules_upd_log); + + // check md5 hash in new file against current file to see if new download is posted + if (file_exists("{$snortdir}/{$filename_md5}")) { + $md5_check_new = file_get_contents($file_dst); + $md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}"); + if ($md5_check_new == $md5_check_old) { + if ($pkg_interface <> "console") + update_status(gettext("{$desc} are up to date...")); + log_error(gettext("[Snort] {$desc} are up to date...")); + error_log(gettext("\t{$desc} are up to date.\n"), 3, $snort_rules_upd_log); + return false; + } + else + return true; + } + return true; + } + else { + error_log(gettext("\t{$desc} md5 download failed.\n"), 3, $snort_rules_upd_log); + $snort_err_msg = gettext("Server returned error code {$rc}."); + if ($pkg_interface <> "console") { + update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); + update_output_window(gettext("{$desc} will not be updated.\n\t{$snort_err_msg}")); + } + log_error(gettext("[Snort] {$desc} md5 download failed...")); + log_error(gettext("[Snort] Server returned error code {$rc}...")); + error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + return false; + } +} + +function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { + + /**********************************************************/ + /* This function downloads the passed rules file and */ + /* compares its computed md5 hash to the passed md5 hash */ + /* to verify the file's integrity. */ + /* */ + /* On Entry: $file_url = URL of rules file */ + /* $file_dst = Temp destination to store the */ + /* downloaded rules file */ + /* $file_md5 = Expected md5 hash for the new */ + /* downloaded rules file */ + /* $desc = Short text string for use in */ + /* log messages */ + /* */ + /* Returns: TRUE if download was successful. */ + /* FALSE if download was not successful. */ + /**********************************************************/ + + global $pkg_interface, $snort_rules_upd_log, $last_curl_error; + + $snortdir = SNORTDIR; + $filename = basename($file_dst); + + if ($pkg_interface <> "console") + update_status(gettext("There is a new set of {$desc} posted. Downloading...")); + log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}...")); + error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url($file_url, $file_dst); + + // See if the download from the URL was successful + if ($rc === true) { + if ($pkg_interface <> "console") + update_status(gettext("Done downloading {$desc} file.")); + log_error("[Snort] {$desc} file update downloaded successfully"); + error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); + + // Test integrity of the rules file. Turn off update if file has wrong md5 hash + if ($file_md5 != trim(md5_file($file_dst))){ + if ($pkg_interface <> "console") + update_output_window(gettext("{$desc} file MD5 checksum failed...")); + log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum...")); + log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst))); + log_error(gettext("[Snort] Expected File MD5: {$file_md5}")); + error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + return false; + } + return true; + } + else { + if ($pkg_interface <> "console") + update_output_window(gettext("{$desc} file download failed...")); + log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'...")); + error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log); + if ($pkg_interface == "console") + error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log); + return false; + } + +} + +/* Start of main code */ conf_mount_rw(); /* remove old $tmpfname files */ @@ -239,171 +382,43 @@ if (file_exists($snort_rules_upd_log)) { error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log); $last_curl_error = ""; -/* download md5 sig from snort.org */ -if ($snortdownload == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Downloading Snort VRT md5 file {$snort_filename_md5}...")); - error_log(gettext("\tDownloading Snort VRT md5 file '{$snort_filename_md5}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading {$snort_filename_md5}.")); - error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); - } - else { - error_log(gettext("\tSnort VRT md5 download failed.\n"), 3, $snort_rules_upd_log); - if ($rc == 403) { - $snort_err_msg = gettext("Too many attempts or Oinkcode not authorized for this Snort version.\n"); - $snort_err_msg .= gettext("\tFree Registered Users may download VRT Rules once every 15 minutes.\n"); - $snort_err_msg .= gettext("\tPaid Subscribers have no download limits.\n"); - } - else - $snort_err_msg = gettext("Server returned error code '{$rc}'."); - if ($pkg_interface <> "console") { - update_status(gettext("Snort VRT md5 error ... Server returned error code {$rc} ...")); - update_output_window(gettext("Snort VRT rules will not be updated.\n\t{$snort_err_msg}")); - } - log_error(gettext("[Snort] Snort VRT md5 download failed...")); - log_error(gettext("[Snort] Server returned error code '{$rc}'...")); - error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tServer error message was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); - $snortdownload = 'off'; - } -} - -/* Check if were up to date snort.org */ +/* Check for and download any new Snort VRT sigs */ if ($snortdownload == 'on') { - if (file_exists("{$snortdir}/{$snort_filename_md5}")) { - $md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}"); - if ($md5_check_new == $md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("Snort VRT rules are up to date...")); - log_error(gettext("[Snort] Snort VRT rules are up to date...")); - error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log); - $snortdownload = 'off'; - } - } -} - -/* download snortrules file */ -if ($snortdownload == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of Snort VRT rules posted. Downloading {$snort_filename}...")); - log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of Snort VRT rules posted.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloading file '{$snort_filename}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading Snort VRT rules file.")); - log_error("[Snort] Snort VRT rules file update downloaded successfully"); - error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); - if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("Snort VRT rules file MD5 checksum failed...")); - log_error(gettext("[Snort] Snort VRT rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}"))); - error_log(gettext("\tSnort VRT rules file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded Snort VRT file MD5: " . md5_file("{$tmpfname}/{$snort_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected Snort VRT file MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); + if (snort_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) { + /* download snortrules file */ + $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")); + if (!snort_fetch_new_rules("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules")) $snortdownload = 'off'; - } } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("Snort VRT rules file download failed...")); - log_error(gettext("[Snort] Snort VRT rules file download failed... server returned error '{$rc}'...")); - error_log(gettext("\tSnort VRT rules file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); + else $snortdownload = 'off'; - } } -/* download md5 sig from Snort GPLv2 Community Rules */ +/* Check for and download any new Snort GPLv2 Community Rules sigs */ if ($snortcommunityrules == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file {$snort_community_rules_filename_md5}...")); - error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file '{$snort_community_rules_filename_md5}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); - error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log); - if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") { - /* Check if were up to date Snort GPLv2 Community Rules */ - $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"); - $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}"); - if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("Snort GPLv2 Community Rules are up to date...")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date...")); - error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; - } - } + if (snort_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) { + /* download Snort GPLv2 Community Rules file */ + $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")); + if (!snort_fetch_new_rules("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}", $file_md5, "Snort GPLv2 Community Rules")) + $snortcommunityrules = 'off'; } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tSnort GPLv2 Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + else $snortcommunityrules = 'off'; - } } -/* download Snort GPLv2 Community rules file */ -if ($snortcommunityrules == "on") { - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading {$snort_community_rules_filename} ...")); - log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloading file '{$snort_community_rules_filename}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); - - /* Test for a valid rules file download. Turn off Snort Community update if download failed. */ - if ($rc === true) { - if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("Snort GPLv2 Community Rules file MD5 checksum failed...")); - log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"))); - error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded Snort GPLv2 file MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected Snort GPLv2 file MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}") . "\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; - } - else { - if ($pkg_interface <> "console") - update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); - log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully"); - error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log); - } - } - else { - if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping GPLv2 Community Rules...")); - update_output_window(gettext("Snort GPLv2 Community Rules file download failed...")); - } - log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\tSnort GPLv2 Community Rules download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - $snortcommunityrules = 'off'; +/* Check for and download any new Emerging Threats Rules sigs */ +if ($emergingthreats == 'on') { + if (snort_check_rule_md5("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}", "{$et_name} rules")) { + /* download Emerging Threats rules file */ + $file_md5 = trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")); + if (!snort_fetch_new_rules("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}", $file_md5, "{$et_name} rules")) + $emergingthreats = 'off'; } + else + $emergingthreats = 'off'; } -/* Untar Snort GPLv2 Community rules to tmp */ +/* Untar Snort GPLv2 Community rules file to tmp */ if ($snortcommunityrules == 'on') { safe_mkdir("{$snortdir}/tmp/community"); if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { @@ -417,12 +432,12 @@ if ($snortcommunityrules == 'on') { $files = glob("{$snortdir}/tmp/community/community-rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/GPLv2_{$newfile}"); + @copy($file, "{$snortdir}/rules/" . GPL_FILE_PREFIX . "{$newfile}"); } /* base etc files for Snort GPLv2 Community rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}")) - @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/GPLv2_{$file}"); + @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/" . GPL_FILE_PREFIX . "{$file}"); } /* Copy snort community md5 sig to snort dir */ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { @@ -439,84 +454,7 @@ if ($snortcommunityrules == 'on') { } } -/* download md5 sig from emergingthreats.net */ -if ($emergingthreats == 'on') { - if ($pkg_interface <> "console") - update_status(gettext("Downloading {$et_name} md5 file...")); - error_log(gettext("\tDownloading {$et_name} md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); - if ($rc === true) { - if ($pkg_interface <> "console") - update_status(gettext("Done downloading {$et_name} md5 file {$emergingthreats_filename_md5}")); - error_log(gettext("\tChecking {$et_name} md5.\n"), 3, $snort_rules_upd_log); - if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { - /* Check if were up to date emergingthreats.net */ - $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); - $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); - if ($emerg_md5_check_new == $emerg_md5_check_old) { - if ($pkg_interface <> "console") - update_status(gettext("{$et_name} rules are up to date...")); - log_error(gettext("[Snort] {$et_name} rules are up to date...")); - error_log(gettext("\t{$et_name} rules are up to date.\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } - } - } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("{$et_name} md5 file download failed. {$et_name} rules will not be updated.")); - log_error(gettext("[Snort] {$et_name} md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\t{$et_name} md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\t{$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats == "on") { - if ($pkg_interface <> "console") - update_status(gettext("There is a new set of {$et_name} rules posted. Downloading {$emergingthreats_filename}...")); - log_error(gettext("[Snort] There is a new set of {$et_name} rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of {$et_name} rules posted.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log); - $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); - - /* Test for a valid rules file download. Turn off ET update if download failed. */ - if ($rc === true) { - if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ - if ($pkg_interface <> "console") - update_output_window(gettext("{$et_name} rules file MD5 checksum failed...")); - log_error(gettext("[Snort] {$et_name} rules file download failed. Bad MD5 checksum...")); - log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); - log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); - error_log(gettext("\t{$et_name} rules file download failed. {$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } - else { - if ($pkg_interface <> "console") - update_status(gettext('Done downloading {$et_name} rules file.')); - log_error("[Snort] {$et_name} rules file update downloaded successfully"); - error_log(gettext("\tDone downloading {$et_name} rules file.\n"), 3, $snort_rules_upd_log); - } - } - else { - if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping {$et_name} update...")); - update_output_window(gettext("{$et_name} rules file download failed...")); - } - log_error(gettext("[Snort] {$et_name} rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\t{$et_name} rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); - if ($pkg_interface == "console") - error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - $emergingthreats = 'off'; - } -} - -/* Untar emergingthreats rules to tmp */ +/* Untar Emerging Threats rules file to tmp */ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { @@ -528,16 +466,18 @@ if ($emergingthreats == 'on') { exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); /* Remove the old Emerging Threats rules files */ - array_map('unlink', glob("{$snortdir}/rules/emerging-*.rules")); - array_map('unlink', glob("{$snortdir}/rules/etpro-*.rules")); - array_map('unlink', glob("{$snortdir}/rules/emerging-*ips.txt")); - array_map('unlink', glob("{$snortdir}/rules/etpro-*ips.txt")); + $eto_prefix = ET_OPEN_FILE_PREFIX; + $etpro_prefix = ET_PRO_FILE_PREFIX; + array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*.rules")); + array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*.rules")); + array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*ips.txt")); + array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*ips.txt")); $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") - @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}"); else @copy($file, "{$snortdir}/rules/{$newfile}"); } @@ -546,9 +486,9 @@ if ($emergingthreats == 'on') { foreach ($files as $file) { $newfile = basename($file); if ($etpro == "on") - @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}"); else - @copy($file, "{$snortdir}/rules/emerging-{$newfile}"); + @copy($file, "{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "{$newfile}"); } /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { @@ -571,7 +511,7 @@ if ($emergingthreats == 'on') { } } -/* Untar snort rules file individually to help people with low system specs */ +/* Untar Snort rules file to tmp */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */ @@ -581,7 +521,8 @@ if ($snortdownload == 'on') { $freebsd_version_so = 'FreeBSD-9-0'; /* Remove the old Snort rules files */ - array_map('unlink', glob("{$snortdir}/rules/snort_*.rules")); + $vrt_prefix = VRT_FILE_PREFIX; + array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules")); if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); @@ -594,7 +535,7 @@ if ($snortdownload == 'on') { $files = glob("{$snortdir}/tmp/snortrules/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/snort_{$newfile}"); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}"); } /* IP lists */ $files = glob("{$snortdir}/tmp/snortrules/rules/*.txt"); @@ -629,7 +570,7 @@ if ($snortdownload == 'on') { $files = glob("{$snortdir}/tmp/so_rules/*.rules"); foreach ($files as $file) { $newfile = basename($file, ".rules"); - @copy($file, "{$snortdir}/rules/snort_{$newfile}.so.rules"); + @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules"); } exec("rm -r {$snortdir}/tmp/so_rules"); } diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index ca549820..e9fcfcab 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -68,7 +68,7 @@ else $ssh_port = "22"; $snort_ports = array( "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", @@ -86,6 +86,11 @@ $snort_ports = array( "GTP_PORTS" => "2123,2152,3386" ); +// Sort our SERVERS and PORTS arrays to make values +// easier to locate by the the user. +ksort($snort_servers); +ksort($snort_ports); + $pconfig = $a_nat[$id]; /* convert fake interfaces to real */ @@ -144,7 +149,7 @@ if ($_POST) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly} Define Servers"; +$pgtitle = gettext("Snort: Interface {$if_friendly} Variables - Servers and Ports"); include_once("head.inc"); ?> @@ -195,7 +200,7 @@ if ($savemsg) <td><div id="mainarea"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Servers"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Servers (IP variables)"); ?></td> </tr> <?php foreach ($snort_servers as $key => $server): @@ -210,8 +215,8 @@ if ($savemsg) } ?> <tr> - <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> - <td width="78%" class="vtable"> + <td width='30%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> + <td width="70%" class="vtable"> <input name="def_<?=$key;?>" size="40" type="text" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" value="<?=$value;?>" title="<?=$title;?>"> <br/> @@ -221,7 +226,7 @@ if ($savemsg) </tr> <?php endforeach; ?> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Ports"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Ports (port variables)"); ?></td> </tr> <?php foreach ($snort_ports as $key => $server): @@ -236,8 +241,8 @@ if ($savemsg) } ?> <tr> - <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> - <td width="78%" class="vtable"> + <td width='30%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> + <td width="70%" class="vtable"> <input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" value="<?=$value;?>" title="<?=$title;?>"> <br/> <span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/> <?php echo gettext("Leave " . @@ -246,8 +251,8 @@ if ($savemsg) </tr> <?php endforeach; ?> <tr> - <td width="22%" valign="top"> </td> - <td width="78%"> + <td width="30%" valign="top"> </td> + <td width="70%"> <input name="Submit" type="submit" class="formbtn" value="Save"> <input name="id" type="hidden" value="<?=$id;?>"> </td> diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 09ab646a..1db5b6a0 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -96,7 +96,7 @@ $snort_rules_upd_logfile_chk = 'no'; if (file_exists("{$snort_rules_upd_log}")) $snort_rules_upd_logfile_chk = 'yes'; -$pgtitle = "Services: Snort: Updates"; +$pgtitle = gettext("Snort: Updates"); include_once("head.inc"); ?> diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php index f0562046..f6d00b0b 100644 --- a/config/snort/snort_edit_hat_data.php +++ b/config/snort/snort_edit_hat_data.php @@ -80,7 +80,7 @@ if ($_POST['host_attribute_data']) { $if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); -$pgtitle = "Services: Snort: {$if_friendly} Host Attribute Table Data"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Host Attribute Table Data"); include_once("head.inc"); ?> diff --git a/config/snort/snort_frag3_engine.php b/config/snort/snort_frag3_engine.php new file mode 100644 index 00000000..f344771b --- /dev/null +++ b/config/snort/snort_frag3_engine.php @@ -0,0 +1,402 @@ +<?php +/* + * snort_frag3_engine.php + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +// Grab the incoming QUERY STRING or POST variables +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for any empty values and set sensible defaults + if (empty($pconfig['policy'])) + $pconfig['policy'] = "bsd"; + if (empty($pconfig['timeout'])) + $pconfig['timeout'] = 60; + if (empty($pconfig['min_ttl'])) + $pconfig['min_ttl'] = 1; + if (empty($pconfig['detect_anomalies'])) + $pconfig['detect_anomalies'] = "on"; + if (empty($pconfig['overlap_limit'])) + $pconfig['overlap_limit'] = 0; + if (empty($pconfig['min_frag_len'])) + $pconfig['min_frag_len'] = 0; +} + +if ($_POST['Cancel']) { + header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + if ($_GET['varname'] == "bind_to" && !empty($_GET['varvalue'])) + $pconfig[$_GET['varname']] = $_GET['varvalue']; +} + +if ($_POST['Submit']) { + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['frag3_name']) { $engine['name'] = trim($_POST['frag3_name']); } else { $engine['name'] = "default"; } + if ($_POST['frag3_bind_to']) { + if (is_alias($_POST['frag3_bind_to'])) + $engine['bind_to'] = $_POST['frag3_bind_to']; + elseif (strtolower(trim($_POST['frag3_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + + /* Validate the text input fields before saving */ + if (!empty($_POST['frag3_timeout']) || $_POST['frag3_timeout'] == 0) { + $engine['timeout'] = $_POST['frag3_timeout']; + if (!is_numeric($_POST['frag3_timeout']) || $_POST['frag3_timeout'] < 1) + $input_errors[] = gettext("The value for Timeout must be numeric and greater than zero."); + } + else + $engine['timeout'] = 60; + + if (!empty($_POST['frag3_min_ttl']) || $_POST['frag3_min_ttl'] == 0) { + $engine['min_ttl'] = $_POST['frag3_min_ttl']; + if ($_POST['frag3_min_ttl'] < 1 || $_POST['frag3_min_ttl'] > 255) + $input_errors[] = gettext("The value for Minimum_Time-To-Live must be between 1 and 255."); + } + else + $engine['min_ttl'] = 1; + + if (!empty($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] == 0) { + $engine['overlap_limit'] = $_POST['frag3_overlap_limit']; + if (!is_numeric($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] < 0) + $input_errors[] = gettext("The value for Overlap_Limit must be a number greater than or equal to zero."); + } + else + $engine['overlap_limit'] = 0; + + if (!empty($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] == 0) { + $engine['min_frag_len'] = $_POST['frag3_min_frag_len']; + if (!is_numeric($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] < 0) + $input_errors[] = gettext("The value for Min_Fragment_Length must be a number greater than or equal to zero."); + } + else + $engine['min_frag_len'] = 0; + + if ($_POST['frag3_policy']) { $engine['policy'] = $_POST['frag3_policy']; } else { $engine['policy'] = "bsd"; } + $engine['detect_anomalies'] = $_POST['frag3_detect_anomalies'] ? 'on' : 'off'; + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default Frag3 Engine can be bound to all addresses."); + $pconfig = $engine; + } + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} Frag3 Preprocessor Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_frag3_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based IP Defragmentation Engine Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td> + <td class="vtable"> + <input name="frag3_name" type="text" class="formfld unknown" id="frag3_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="frag3_bind_to" type="text" class="formfldalias" id="frag3_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off"> + <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td> + <td class="vexpl" align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=yes'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within this IP List.");?></td> + </tr> + </table> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> + + <?php else : ?> + <input name="frag3_bind_to" type="text" class="formfldalias" id="frag3_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td> + <td width="78%" class="vtable"> + <select name="frag3_policy" class="formselect" id="policy"> + <?php + $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' ); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['policy']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") . + "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td> + <td class="vtable"> + <input name="frag3_timeout" type="text" class="formfld unknown" id="frag3_timeout" size="6" + value="<?=htmlspecialchars($pconfig['timeout']);?>"> + <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?><br/><br/> + <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") . + "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Minimum Time-to-Live"); ?></td> + <td class="vtable"> + <input name="frag3_min_ttl" type="text" class="formfld unknown" id="frag3_min_ttl" size="6" + value="<?=htmlspecialchars($pconfig['min_ttl']);?>"> + <?php echo gettext("Minimum acceptable TTL for a fragment in the engine."); ?><br/><br/> + <?php echo gettext("The accepted range for this option is 1 - 255. Default value is ") . + "<strong>" . gettext("1") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td> + <td width="78%" class="vtable"><input name="frag3_detect_anomalies" id="frag3_detect_anomalies" type="checkbox" value="on" + <?php if ($pconfig['detect_anomalies']=="on") echo "checked "; ?> onclick="frag3_enable_change();"> + <?php echo gettext("Use Frag3 Engine to detect fragment anomalies. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("In order to customize the Overlap Limit and Minimum Fragment Length parameters for this engine, Anomaly Detection must be enabled."); ?> + </td> + </tr> + <tr id="frag3_overlaplimit_row"> + <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> + <td class="vtable"> + <input name="frag3_overlap_limit" type="text" class="formfld unknown" id="frag3_overlap_limit" size="6" + value="<?=htmlspecialchars($pconfig['overlap_limit']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited). Values greater than zero set the overlapped limit."); ?><br/><br/> + <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . + "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/> + </td> + </tr> + <tr id="frag3_minfraglen_row"> + <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td> + <td class="vtable"> + <input name="frag3_min_frag_len" type="text" class="formfld unknown" id="frag3_min_frag_len" size="6" + value="<?=htmlspecialchars($pconfig['min_frag_len']);?>"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Values greater than zero enable the check."); ?><br/><br/> + <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. " . + "Fragments smaller than or equal to this limit are considered malicious. Default value is ") . + "<strong>0</strong>" . gettext(" (check is disabled)."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save Frag3 engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> +<script type="text/javascript"> + +function frag3_enable_change() { + var endis = !(document.iform.frag3_detect_anomalies.checked); + + // Hide the "frag3_overlap_limit and frag3_min_frag_len" rows if frag3_detect_anomablies disabled + if (endis) { + document.getElementById("frag3_overlaplimit_row").style.display="none"; + document.getElementById("frag3_minfraglen_row").style.display="none"; + } + else { + document.getElementById("frag3_overlaplimit_row").style.display="table-row"; + document.getElementById("frag3_minfraglen_row").style.display="table-row"; + } +} + +// Set initial state of form controls +frag3_enable_change(); + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $aliasesaddr = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + if ($alias_name['type'] != "host" && $alias_name['type'] != "network") + continue; + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('frag3_bind_to'), new StateSuggestions(addressarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +</script> + +</html> diff --git a/config/snort/snort_ftp_client_engine.php b/config/snort/snort_ftp_client_engine.php new file mode 100644 index 00000000..a9f5e82b --- /dev/null +++ b/config/snort/snort_ftp_client_engine.php @@ -0,0 +1,438 @@ +<?php +/* + * snort_ftp_client_engine.php + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_client_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else + $pconfig = $a_nat[$eng_id]; + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_client_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "bounce_to_net" || $_GET['varname'] == "bounce_to_port") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + if(!isset($_SESSION['ftp_client_import'])) + $_SESSION['ftp_client_import'] = array(); + + $_SESSION['ftp_client_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['ftp_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to']; + if (isset($_SESSION['ftp_client_import']['bounce_to_net'])) + $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net']; + if (isset($_SESSION['ftp_client_import']['bounce_to_port'])) + $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['ftp_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to']; + if (isset($_SESSION['ftp_client_import']['bounce_to_net'])) + $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net']; + if (isset($_SESSION['ftp_client_import']['bounce_to_port'])) + $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port']; + } + else { + unset($_SESSION['ftp_client_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_client_import']); + session_write_close(); + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; } + if ($_POST['ftp_bind_to']) { + if (is_alias($_POST['ftp_bind_to'])) + $engine['bind_to'] = $_POST['ftp_bind_to']; + elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + + // Validate BOUNCE-TO Alias entries to be sure if one is set, then both are set; since + // if you define a BOUNCE-TO address, you must also define the BOUNCE-TO port. + if ($_POST['ftp_client_bounce_to_net'] && !is_alias($_POST['ftp_client_bounce_to_net'])) + $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO ADDRESS option."); + + if ($_POST['ftp_client_bounce_to_port'] && !is_alias($_POST['ftp_client_bounce_to_port'])) + $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO PORT option."); + + if ($_POST['ftp_client_bounce_to_net'] && empty($_POST['ftp_client_bounce_to_port'])) + $input_errors[] = gettext("FTP Protocol BOUNCE-TO PORT cannot be empty when BOUNCE-TO ADDRESS is set."); + + if ($_POST['ftp_client_bounce_to_port'] && empty($_POST['ftp_client_bounce_to_net'])) + $input_errors[] = gettext("FTP Protocol BOUNCE-TO ADDRESS cannot be empty when BOUNCE-TO PORT is set."); + + // Validate the BOUNCE-TO Alias entries for correct format of their defined values. BOUNCE-TO ADDRESS must be + // a valid single IP, and BOUNCE-TO PORT must be either a single port value or a port range value. Provide + // detailed error messages for the user that explain any problems. + if ($_POST['ftp_client_bounce_to_net'] && $_POST['ftp_client_bounce_to_port']) { + if (!snort_is_single_addr_alias($_POST['ftp_client_bounce_to_net'])){ + $net = trim(filter_expand_alias($_POST['ftp_client_bounce_to_net'])); + $net = preg_replace('/\s+/', ',', $net); + $msg = gettext("The FTP Protocol BOUNCE-TO ADDRESS parameter must be a single IP network or address, "); + $msg .= gettext("so the supplied Alias must be defined as a single address or network in CIDR form. "); + $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_net']} ] is currently defined as [ {$net} ]."); + $input_errors[] = $msg; + } + $port = trim(filter_expand_alias($_POST['ftp_client_bounce_to_port'])); + $port = preg_replace('/\s+/', ',', $port); + if (!is_port($port) && !is_portrange($port)) { + $msg = gettext("The FTP Protocol BOUNCE-TO PORT parameter must be a single port or port-range, "); + $msg .= gettext("so the supplied Alias must be defined as a single port or port-range value. "); + $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_port']} ] is currently defined as [ {$port} ]."); + $input_errors[] = $msg; + } + } + + $engine['bounce_to_net'] = $_POST['ftp_client_bounce_to_net']; + $engine['bounce_to_port'] = $_POST['ftp_client_bounce_to_port']; + $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no'; + $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no'; + $engine['bounce'] = $_POST['ftp_client_bounce_detect'] ? 'yes' : 'no'; + $engine['max_resp_len'] = $_POST['ftp_max_resp_len']; + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default FTP Engine can be bound to all addresses."); + $pconfig = $engine; + } + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Client Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_ftp_client_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based FTP Client Engine Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td> + <td class="vtable"> + <input name="ftp_name" type="text" class="formfld unknown" id="ftp_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off" > + <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within the IP List.");?>.<br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?></td> + </tr> + </table> + <?php else : ?> + <input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP address for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP addresses.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Telnet Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_cmds" id="ftp_telnet_cmds" type="checkbox" value="on" + <?php if ($pconfig['telnet_cmds']=="yes") echo "checked "; ?>> + <?php echo gettext("Alert when Telnet commands are seen on the FTP command channel. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Telnet Erase Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_ignore_telnet_erase_cmds" id="ftp_ignore_telnet_erase_cmds" type="checkbox" value="on" + <?php if ($pconfig['ignore_telnet_erase_cmds']=="yes") echo "checked "; ?>> + <?php echo gettext("Ignore Telnet escape sequences for erase character and erase line when normalizing FTP command channel.") . "<br/>" . + gettext("Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Maximum Response Length"); ?></td> + <td class="vtable"> + <input name="ftp_max_resp_len" type="text" class="formfld unknown" id="ftp_max_resp_len" size="6" + value="<?=htmlspecialchars($pconfig['max_resp_len']);?>"> + <?php echo gettext("Max FTP command response length accepted by client. Enter ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" to disable. Default is ") . "<strong>" . gettext("256.") . "</strong>";?><br/> + <?php echo gettext("Specifies the maximum allowed response length to an FTP command accepted by the client. It can be used as ") . + gettext("a basic buffer overflow detection.");?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Bounce Detection"); ?></td> + <td width="78%" class="vtable"><input name="ftp_client_bounce_detect" type="checkbox" value="on" + <?php if ($pconfig['bounce']=="yes") echo "checked"; ?> onclick="ftp_client_bounce_enable_change();"> + <?php echo gettext("Enable detection and alerting of FTP bounce attacks. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_client_row_bounce_to"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Bounce-To Configuration"); ?></td> + <td width="78%" class="vtable"> + <table border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><strong><?php echo gettext("Bounce-To Address:"); ?></strong></td> + <td class="vexpl"><input name="ftp_client_bounce_to_net" type="text" class="formfldalias" id="ftp_client_bounce_to_net" size="20" + value="<?=htmlspecialchars($pconfig['bounce_to_net']);?>" title="<?=trim(filter_expand_alias($pconfig['bounce_to_net']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default is ") . "<strong>" . gettext("blank") . "</strong>.";?></span> + </td> + <td class="vexpl"> <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bounce_to_net&act=import'" + title="<?php echo gettext("Select an existing IP alias");?>"/> + </td> + </tr> + <tr> + <td class="vexpl"><strong><?php echo gettext("Bounce-To Port:"); ?></strong></td> + <td class="vexpl"><input name="ftp_client_bounce_to_port" type="text" class="formfldalias" id="ftp_client_bounce_to_port" size="20" + value="<?=htmlspecialchars($pconfig['bounce_to_port']);?>" title="<?=trim(filter_expand_alias($pconfig['bounce_to_port']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default is ") . "<strong>" . gettext("blank") . "</strong>.";?></span> + </td> + <td class="vexpl"> <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=bounce_to_port&act=import'" + title="<?php echo gettext("Select an existing port alias");?>"/> + </td> + </tr> + </table> + <?php echo gettext("When the Bounce option is enabled, this allows the PORT command to use the address and port (or inclusive port range) ") . + gettext("specified without generating an alert. It can be used with proxied FTP connections where the FTP data channel is different from the client.");?><br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("Supplied value must be a pre-configured Alias or left blank.");?><br/> + <span class="red"><?php echo gettext("Hint: ") . "</span>" . gettext("Leave these settings at their defaults unless you are proxying FTP connections.");?> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save ftp engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> +<script type="text/javascript"> + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesport = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } + elseif ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesport .= ","; + $aliasesport .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } + +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portarray=new Array(<?php echo $aliasesport; ?>); + +function createAutoSuggest() { +<?php + echo "objAliasBindTo = new AutoSuggestControl(document.getElementById('ftp_bind_to'), new StateSuggestions(addressarray));\n"; + echo "objAliasBounceNet = new AutoSuggestControl(document.getElementById('ftp_client_bounce_to_net'), new StateSuggestions(addressarray));\n"; + echo "objAliasBouncePort = new AutoSuggestControl(document.getElementById('ftp_client_bounce_to_port'), new StateSuggestions(portarray));\n"; + + +?> +} + +setTimeout("createAutoSuggest();", 500); + +function ftp_client_bounce_enable_change() { + var endis = !(document.iform.ftp_client_bounce_detect.checked); + if (endis) + document.getElementById("ftp_client_row_bounce_to").style.display="none"; + else + document.getElementById("ftp_client_row_bounce_to").style.display="table-row"; +} + +// Set initial state of form controls +ftp_client_bounce_enable_change(); + +</script> + +</html> diff --git a/config/snort/snort_ftp_server_engine.php b/config/snort/snort_ftp_server_engine.php new file mode 100644 index 00000000..8f462ca9 --- /dev/null +++ b/config/snort/snort_ftp_server_engine.php @@ -0,0 +1,387 @@ +<?php +/* + * snort_ftp_server_engine.php + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +// Grab any QUERY STRING or POST variables +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_server_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else + $pconfig = $a_nat[$eng_id]; + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_server_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + if(!isset($_SESSION['ftp_server_import'])) + $_SESSION['ftp_server_import'] = array(); + + $_SESSION['ftp_server_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['ftp_server_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to']; + if (isset($_SESSION['ftp_server_import']['ports'])) + $pconfig['ports'] = $_SESSION['ftp_server_import']['ports']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['ftp_server_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to']; + if (isset($_SESSION['ftp_server_import']['ports'])) + $pconfig['ports'] = $_SESSION['ftp_server_import']['ports']; + } + else { + unset($_SESSION['ftp_server_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['ftp_server_import']); + session_write_close(); + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; } + if ($_POST['ftp_bind_to']) { + if (is_alias($_POST['ftp_bind_to'])) + $engine['bind_to'] = $_POST['ftp_bind_to']; + elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + + if ($_POST['ftp_ports']) { + if ($_POST['ftp_ports'] == "default") + $engine['ports'] = $_POST['ftp_ports']; + elseif (is_alias($_POST['ftp_ports'])) + $engine['ports'] = $_POST['ftp_ports']; + else + $input_errors[] = gettext("The value for Ports must be a valid Alias name or the keyword 'default'."); + } + else + $engine['ports'] = 21; + + $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no'; + $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no'; + $engine['ignore_data_chan'] = $_POST['ftp_ignore_data_chan'] ? 'yes' : 'no'; + $engine['def_max_param_len'] = $_POST['ftp_def_max_param_len']; + + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default ftp Engine can be bound to all addresses."); + $pconfig = $engine; + } + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Server Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_ftp_server_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based FTP Server Engine Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td> + <td class="vtable"> + <input name="ftp_name" type="text" class="formfld unknown" id="ftp_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off"> + <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within the IP List.");?>.</td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> + <?php else : ?> + <input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP address for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP addresses.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Ports"); ?></td> + <td class="vtable"> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="ftp_ports" type="text" class="formfldalias" id="ftp_ports" size="25" + value="<?=htmlspecialchars($pconfig['ports']);?>" title="<?=trim(filter_expand_alias($pconfig['ports']));?>"> + <?php echo gettext("Specifiy which ports to check for FTP data.");?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports&act=import'" + title="<?php echo gettext("Select an existing port alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("Default value is '") . "<strong>" . gettext("'default'") . "</strong>" . + gettext(" Using 'default' will include the FTP Ports defined on the ") . "<a href='snort_define_servers.php?id={$id}' title=\"" . + gettext("Go to {$if_friendly} Variables tab to define custom port variables") . "\">" . gettext("VARIABLES") . "</a>" . + gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?></td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Telnet Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_cmds" id="ftp_telnet_cmds" type="checkbox" value="on" + <?php if ($pconfig['telnet_cmds']=="yes") echo "checked "; ?>> + <?php echo gettext("Alert when Telnet commands are seen on the FTP command channel. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Telnet Erase Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_ignore_telnet_erase_cmds" id="ftp_ignore_telnet_erase_cmds" type="checkbox" value="on" + <?php if ($pconfig['ignore_telnet_erase_cmds']=="yes") echo "checked "; ?>> + <?php echo gettext("Ignore Telnet escape sequences for erase character and erase line when normalizing FTP command channel. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Data Channel"); ?></td> + <td width="78%" class="vtable"><input name="ftp_ignore_data_chan" id="ftp_ignore_data_chan" type="checkbox" value="on" + <?php if ($pconfig['ignore_data_chan']=="yes") echo "checked "; ?>> + <?php echo gettext("Force Snort to ignore the FTP data channel connections. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/> + <span class="red"><strong><?php echo gettext("Warning: ") . "</strong></span>" . gettext("When checked, NO INSPECTION other than state will be ") . + gettext("performed on the data channel. Enabling this option can improve performance for large FTP transfers from trusted servers.");?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Default Max Allowed Parameter Length"); ?></td> + <td class="vtable"> + <input name="ftp_def_max_param_len" type="text" class="formfld unknown" id="ftp_def_max_param_len" size="6" + value="<?=htmlspecialchars($pconfig['def_max_param_len']);?>"> + <?php echo gettext("Default allowed maximum parameter length for command. Enter ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" to disable. Default is ") . "<strong>" . gettext("100.") . "</strong>";?><br/> + <?php echo gettext("Specifies the maximum allowed parameter length for and FTP command. It can be used as a ") . + gettext("basic buffer overflow detection.");?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save ftp engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> +<script type="text/javascript"> + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesport = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } + elseif ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesport .= ","; + $aliasesport .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } + +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portarray=new Array(<?php echo $aliasesport; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_bind_to'), new StateSuggestions(addressarray));\n"; + echo "objAliasPort = new AutoSuggestControl(document.getElementById('ftp_ports'), new StateSuggestions(portarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +</script> + +</html> diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php new file mode 100644 index 00000000..58488f2d --- /dev/null +++ b/config/snort/snort_httpinspect_engine.php @@ -0,0 +1,751 @@ +<?php +/* + * snort_httpinspect_engine.php + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item']; + +$pconfig = array(); +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for any empty values and set sensible defaults + if (empty($pconfig['ports'])) + $pconfig['ports'] = "default"; + if (empty($pconfig['server_profile'])) + $pconfig['server_profile'] = "all"; + if (empty($pconfig['enable_xff'])) + $pconfig['enable_xff'] = "off"; + if (empty($pconfig['log_uri'])) + $pconfig['log_uri'] = "off"; + if (empty($pconfig['log_hostname'])) + $pconfig['log_hostname'] = "off"; + if (empty($pconfig['server_flow_depth']) && $pconfig['server_flow_depth'] <> 0) + $pconfig['server_flow_depth'] = 65535; + if (empty($pconfig['enable_cookie'])) + $pconfig['enable_cookie'] = "on"; + if (empty($pconfig['client_flow_depth']) && $pconfig['client_flow_depth'] <> 0) + $pconfig['client_flow_depth'] = 1460; + if (empty($pconfig['extended_response_inspection'])) + $pconfig['extended_response_inspection'] = "on"; + if (empty($pconfig['no_alerts'])) + $pconfig['no_alerts'] = "off"; + if (empty($pconfig['unlimited_decompress'])) + $pconfig['unlimited_decompress'] = "on"; + if (empty($pconfig['inspect_gzip'])) + $pconfig['inspect_gzip'] = "on"; + if (empty($pconfig['normalize_cookies'])) + $pconfig['normalize_cookies'] = "on"; + if (empty($pconfig['normalize_headers'])) + $pconfig['normalize_headers'] = "on"; + if (empty($pconfig['normalize_utf'])) + $pconfig['normalize_utf'] = "on"; + if (empty($pconfig['normalize_javascript'])) + $pconfig['normalize_javascript'] = "on"; + if (empty($pconfig['allow_proxy_use'])) + $pconfig['allow_proxy_use'] = "off"; + if (empty($pconfig['inspect_uri_only'])) + $pconfig['inspect_uri_only'] = "off"; + if (empty($pconfig['max_javascript_whitespaces']) && $pconfig['max_javascript_whitespaces'] <> 0) + $pconfig['max_javascript_whitespaces'] = 200; + if (empty($pconfig['post_depth']) && $pconfig['post_depth'] <> 0) + $pconfig['post_depth'] = -1; + if (empty($pconfig['max_headers'])) + $pconfig['max_headers'] = 0; + if (empty($pconfig['max_spaces'])) + $pconfig['max_spaces'] = 0; + if (empty($pconfig['max_header_length'])) + $pconfig['max_header_length'] = 0; +} + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + $_SESSION['http_inspect_import'] = array(); + + $_SESSION['http_inspect_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['http_inspect_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to']; + if (isset($_SESSION['http_inspect_import']['ports'])) + $pconfig['ports'] = $_SESSION['http_inspect_import']['ports']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['http_inspect_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to']; + if (isset($_SESSION['http_inspect_import']['ports'])) + $pconfig['ports'] = $_SESSION['http_inspect_import']['ports']; + } + else { + unset($_SESSION['http_inspect_import']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['http_inspect_import']); + session_write_close(); + + // Grab all the POST values and save in new temp array + $engine = array(); + if ($_POST['httpinspect_name']) { $engine['name'] = trim($_POST['httpinspect_name']); } else { $engine['name'] = "default"; } + if ($_POST['httpinspect_bind_to']) { + if (is_alias($_POST['httpinspect_bind_to'])) + $engine['bind_to'] = $_POST['httpinspect_bind_to']; + elseif (strtolower(trim($_POST['httpinspect_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + if ($_POST['httpinspect_ports']) { $engine['ports'] = trim($_POST['httpinspect_ports']); } else { $engine['ports'] = "default"; } + + // Validate the text input fields before saving + if (!empty($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] == 0) { + $engine['server_flow_depth'] = $_POST['httpinspect_server_flow_depth']; + if (!is_numeric($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] < -1 || $_POST['httpinspect_server_flow_depth'] > 65535) + $input_errors[] = gettext("The value for Server_Flow_Depth must be numeric and between -1 and 65535."); + } + else + $engine['server_flow_depth'] = 65535; + + if (!empty($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] == 0) { + $engine['client_flow_depth'] = $_POST['httpinspect_client_flow_depth']; + if (!is_numeric($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] < -1 || $_POST['httpinspect_client_flow_depth'] > 1460) + $input_errors[] = gettext("The value for Client_Flow_Depth must be between -1 and 1460."); + } + else + $engine['client_flow_depth'] = 1460; + + if (!empty($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] == 0) { + $engine['max_javascript_whitespaces'] = $_POST['httpinspect_max_javascript_whitespaces']; + if (!is_numeric($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] < 0 || $_POST['httpinspect_max_javascript_whitespaces'] > 65535) + $input_errors[] = gettext("The value for Max_Javascript_Whitespaces must be between 0 and 65535."); + } + else + $engine['max_javascript_whitespaces'] = 200; + + if (!empty($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] == 0) { + $engine['post_depth'] = $_POST['httpinspect_post_depth']; + if (!is_numeric($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] < -1 || $_POST['httpinspect_post_depth'] > 65495) + $input_errors[] = gettext("The value for Post_Depth must be between -1 and 65495."); + } + else + $engine['post_depth'] = -1; + + if (!empty($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] == 0) { + $engine['max_headers'] = $_POST['httpinspect_max_headers']; + if (!is_numeric($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] < 0 || $_POST['httpinspect_max_headers'] > 65535) + $input_errors[] = gettext("The value for Max_Headers must be between 0 and 65535."); + } + else + $engine['max_headers'] = 0; + + if (!empty($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] == 0) { + $engine['max_spaces'] = $_POST['httpinspect_max_spaces']; + if (!is_numeric($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] < 0 || $_POST['httpinspect_max_spaces'] > 65535) + $input_errors[] = gettext("The value for Max_Spaces must be between 0 and 65535."); + } + else + $engine['max_spaces'] = 0; + + if (!empty($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] == 0) { + $engine['max_header_length'] = $_POST['httpinspect_max_header_length']; + if (!is_numeric($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] < 0 || $_POST['httpinspect_max_header_length'] > 65535) + $input_errors[] = gettext("The value for Max_Header_Length must be between 0 and 65535."); + } + else + $engine['max_header_length'] = 0; + + if ($_POST['httpinspect_server_profile']) { $engine['server_profile'] = $_POST['httpinspect_server_profile']; } else { $engine['server_profile'] = "all"; } + + $engine['no_alerts'] = $_POST['httpinspect_no_alerts'] ? 'on' : 'off'; + $engine['enable_xff'] = $_POST['httpinspect_enable_xff'] ? 'on' : 'off'; + $engine['log_uri'] = $_POST['httpinspect_log_uri'] ? 'on' : 'off'; + $engine['log_hostname'] = $_POST['httpinspect_log_hostname'] ? 'on' : 'off'; + $engine['extended_response_inspection'] = $_POST['httpinspect_extended_response_inspection'] ? 'on' : 'off'; + $engine['enable_cookie'] = $_POST['httpinspect_enable_cookie'] ? 'on' : 'off'; + $engine['unlimited_decompress'] = $_POST['httpinspect_unlimited_decompress'] ? 'on' : 'off'; + $engine['inspect_gzip'] = $_POST['httpinspect_inspect_gzip'] ? 'on' : 'off'; + $engine['normalize_cookies'] = $_POST['httpinspect_normalize_cookies'] ? 'on' : 'off'; + $engine['normalize_headers'] = $_POST['httpinspect_normalize_headers'] ? 'on' : 'off'; + $engine['normalize_utf'] = $_POST['httpinspect_normalize_utf'] ? 'on' : 'off'; + $engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off'; + $engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off'; + $engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off'; + + // Can only have one "all" Bind_To address + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default http_inspect Engine can be bound to all addresses."); + $pconfig = $engine; + } + + // if no errors, write new entry to conf + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom + // if it contains more than one entry. + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + // Now write the new engine array to conf + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: {$if_friendly} - HTTP_Inspect Preprocessor Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_httpinspect_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("HTTP Inspection Server Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td> + <td class="vtable"> + <input name="httpinspect_name" type="text" class="formfld unknown" id="httpinspect_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo " readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="httpinspect_bind_to" type="text" class="formfldalias" id="httpinspect_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off"> + <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=yes'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within this IP List.");?></td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> + <?php else : ?> + <input name="httpinspect_bind_to" type="text" class="formfldalias" id="httpinspect_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Ports"); ?></td> + <td class="vtable"> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="httpinspect_ports" type="text" class="formfldalias" id="httpinspect_ports" size="25" + value="<?=htmlspecialchars($pconfig['ports']);?>" title="<?=trim(filter_expand_alias($pconfig['ports']));?>"> + <?php echo gettext("Specifiy which ports to check for HTTP data.");?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports&act=import'" + title="<?php echo gettext("Select an existing port alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("Default value is '") . "<strong>" . gettext("'default'. ") . "</strong>";?> + <?php echo gettext("Using 'default' will include the HTTP Ports defined on the ") . "<a href='snort_define_servers.php?id={$id}' title=\"" . + gettext("Go to {$if_friendly} Variables tab to define custom port variables") . "\">" . gettext("VARIABLES") . "</a>" . + gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?></td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Profile");?> </td> + <td width="78%" class="vtable"> + <select name="httpinspect_server_profile" class="formselect" id="httpinspect_server_profile"> + <?php + $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0'); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['server_profile']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach;?> + </select> <?php echo gettext("Choose the profile type of the protected web server. The default is ") . + "<strong>" . gettext("All") . "</strong>";?><br/> + <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") . + gettext("double decoding vulnerability present in those versions.");?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("No Alerts");?></td> + <td width="78%" class="vtable"><input name="httpinspect_no_alerts" + type="checkbox" value="on" id="httpinspect_no_alerts" + <?php if ($pconfig['no_alerts']=="on") echo "checked";?>> + <?php echo gettext("Disable Alerts from this engine configuration. Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Allow Proxy Use");?></td> + <td width="78%" class="vtable"><input name="httpinspect_allow_proxy_use" + type="checkbox" value="on" id="httpinspect_allow_proxy_use" + <?php if ($pconfig['allow_proxy_use']=="on") echo "checked";?>> + <?php echo gettext("Allow proxy use on this server. " . + "Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.<br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("This prevents proxy alerts for this server. The global option Proxy_Alert must also be " . + "enabled, otherwise this setting does nothing.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("XFF/True-Client-IP");?></td> + <td width="78%" class="vtable"><input name="httpinspect_enable_xff" + type="checkbox" value="on" id="httpinspect_enable_xff" + <?php if ($pconfig['enable_xff']=="on") echo "checked";?>> + <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " . + "HTTP headers. Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("URI Logging"); ?></td> + <td width="78%" class="vtable"><input name="httpinspect_log_uri" + type="checkbox" value="on" id="hhttpinspect_log_uri" + <?php if ($pconfig['log_uri']=="on") echo "checked"; ?>> + <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." . + " Default is "); ?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Hostname Logging");?></td> + <td width="78%" class="vtable"><input name="httpinspect_log_hostname" + type="checkbox" value="on" id="httpinspect_log_hostname" + <?php if ($pconfig['log_hostname']=="on") echo "checked";?>> + <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." . + " Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Cookie Extraction/Inspection");?></td> + <td width="78%" class="vtable"><input name="httpinspect_enable_cookie" + type="checkbox" value="on" id="httpinspect_enable_cookie" + <?php if ($pconfig['enable_cookie']=="on") echo "checked";?>> + <?php echo gettext("Enable HTTP cookie extraction and inspection. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect URI Only");?></td> + <td width="78%" class="vtable"><input name="httpinspect_inspect_uri_only" + type="checkbox" value="on" id="httpinspect_inspect_uri_only" + <?php if ($pconfig['inspect_uri_only']=="on") echo "checked";?>> + <?php echo gettext("Inspect only URI portion of HTTP requests. This is a performance enhancement. " . + "Default is ");?> + <strong><?php echo gettext("Not Checked");?></strong>.<br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("If this option is used without any uricontent rules, then no inspection will take place. " . + "The URI is only inspected with uricontent rules, and if there are none available, then there is nothing to inspect.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Extended Response Inspection");?></td> + <td width="78%" class="vtable"><input name="httpinspect_extended_response_inspection" + type="checkbox" value="on" id="httpinspect_extended_response_inspection" onclick="extended_response_enable_change();" + <?php if ($pconfig['extended_response_inspection']=="on") echo "checked";?>> + <?php echo gettext("Enable extended response inspection to thoroughly inspect the HTTP response. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr id="httpinspect_normalizejavascript_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Javascript");?></td> + <td width="78%" class="vtable"><input name="httpinspect_normalize_javascript" + type="checkbox" value="on" id="httpinspect_normalize_javascript" onclick="normalize_javascript_enable_change();" + <?php if ($pconfig['normalize_javascript']=="on") echo "checked";?>> + <?php echo gettext("Enable Javascript normalization in HTTP response body. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr id="httpinspect_maxjavascriptwhitespaces_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum Javascript Whitespaces"); ?></td> + <td class="vtable"> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td valign="top"><input name="httpinspect_max_javascript_whitespaces" type="text" class="formfld unknown" + id="httpinspect_max_javascript_whitespaces" size="6" + value="<?=htmlspecialchars($pconfig['max_javascript_whitespaces']);?>"></td> + <td class="vexpl" valign="top"><?php echo gettext("Maximum consecutive whitespaces allowed in Javascript obfuscated data. ");?> + <?php echo gettext("Minimum is ") . "<strong>" . gettext("1") . "</strong>" . gettext(" and maximum is ") . + "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") . + "</strong>" . gettext(" disables this alert). "). gettext("The default value is ") . + "<strong>" . gettext("200") . "</strong>."?></td> + </tr> + </table> + </td> + </tr> + <tr id="httpinspect_inspectgzip_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect gzip");?></td> + <td width="78%" class="vtable"><input name="httpinspect_inspect_gzip" + type="checkbox" value="on" id="httpinspect_inspect_gzip" onclick="httpinspect_inspectgzip_enable_change();" + <?php if ($pconfig['inspect_gzip']=="on") echo "checked";?>> + <?php echo gettext("Uncompress and inspect compressed data in HTTP response. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr id="httpinspect_unlimiteddecompress_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Unlimited Decompress");?></td> + <td width="78%" class="vtable"><input name="httpinspect_unlimited_decompress" + type="checkbox" value="on" id="httpinspect_unlimited_decompress" + <?php if ($pconfig['unlimited_decompress']=="on") echo "checked";?>> + <?php echo gettext("Decompress unlimited gzip data (across multiple packets). Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Cookies");?></td> + <td width="78%" class="vtable"><input name="httpinspect_normalize_cookies" + type="checkbox" value="on" id="httpinspect_normalize_cookies" + <?php if ($pconfig['normalize_cookies']=="on") echo "checked";?>> + <?php echo gettext("Normalize HTTP cookie fields. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize UTF");?></td> + <td width="78%" class="vtable"><input name="httpinspect_normalize_utf" + type="checkbox" value="on" id="httpinspect_normalize_utf" + <?php if ($pconfig['normalize_utf']=="on") echo "checked";?>> + <?php echo gettext("Normalize HTTP response body character sets to 8-bit encoding. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Headers");?></td> + <td width="78%" class="vtable"><input name="httpinspect_normalize_headers" + type="checkbox" value="on" id="httpinspect_normalize_headers" + <?php if ($pconfig['normalize_headers']=="on") echo "checked";?>> + <?php echo gettext("Normalize HTTP Header fields. " . + "Default is ");?> + <strong><?php echo gettext("Checked");?></strong>.</td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Server Flow Depth"); ?></td> + <td class="vtable"> + <input name="httpinspect_server_flow_depth" type="text" class="formfld unknown" + id="httpinspect_server_flow_depth" size="6" + value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <strong><?php echo gettext("-1") . + "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong> " . gettext("(") . "<strong>" . + gettext("-1") . "</strong>" . gettext(" disables HTTP inspect, ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" enables all HTTP inspect).");?><br/><br/> + <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's performance " . + "may increase by adjusting this value. Setting this value too low may cause false negatives. ") . + gettext("Values above 0 are specified in bytes. Recommended setting is maximum (65535). " . + "Default value is ") . "<strong>" . gettext("65535") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Client Flow Depth"); ?></td> + <td class="vtable"> + <input name="httpinspect_client_flow_depth" type="text" class="formfld unknown" + id="httpinspect_client_flow_depth" size="6" + value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>"> <strong><?php echo gettext("-1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("1460") . "</strong>" . gettext(" (") . "<strong>" . gettext("-1") . + "</strong>" . gettext(" disables HTTP inspect, ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" enables all HTTP inspect).");?><br/><br/> + <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " . + "performance may increase by adjusting this value. Setting this value too low may cause false negatives. ");?> + <?php echo gettext("Values above 0 are specified in bytes. Recommended setting is maximum (1460). " . + "Default value is ") . "<strong>" . gettext("1460") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Post Depth"); ?></td> + <td class="vtable"> + <input name="httpinspect_post_depth" type="text" class="formfld unknown" + id="httpinspect_post_depth" size="6" + value="<?=htmlspecialchars($pconfig['post_depth']);?>"> <strong><?php echo gettext("-1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("65495") . "</strong>" . gettext(" (") . "<strong>" . gettext("-1") . + "</strong>" . gettext(" ignores all post data, ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" inspects all post data).");?><br/><br/> + <?php echo gettext("Amount of data to inspect in client post message. Snort's performance may " . + "increase by adjusting this value. Values above 0 are specified in bytes. ") . + gettext("Default value is ") . "<strong>" . gettext("-1") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Max Headers"); ?></td> + <td class="vtable"> + <input name="httpinspect_max_headers" type="text" class="formfld unknown" + id="httpinspect_max_headers" size="6" + value="<?=htmlspecialchars($pconfig['max_headers']);?>"> <strong><?php echo gettext("1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("1024") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") . + "</strong>" . gettext(" disables the alert).");?><br/><br/> + <?php echo gettext("Sets the maximum number of HTTP client request header fields allowed. Requests that " . + "contain more HTTP headers than this value will cause a \"Max Header\" alert. ") . + gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Max Header Length"); ?></td> + <td class="vtable"> + <input name="httpinspect_max_header_length" type="text" class="formfld unknown" + id="httpinspect_max_header_length" size="6" + value="<?=htmlspecialchars($pconfig['max_header_length']);?>"> <strong><?php echo gettext("1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") . + "</strong>" . gettext(" disables the alert).");?><br/><br/> + <?php echo gettext("This sets the maximum length allowed for an HTTP client request header field. " . + "Requests that exceed this limit well cause a \"Long Header\" alert. ") . + gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Max Spaces"); ?></td> + <td class="vtable"> + <input name="httpinspect_max_spaces" type="text" class="formfld unknown" + id="httpinspect_max_spaces" size="6" + value="<?=htmlspecialchars($pconfig['max_spaces']);?>"> <strong><?php echo gettext("1") . "</strong>" . + gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") . + "</strong>" . gettext(" disables the alert).");?><br/><br/> + <?php echo gettext("This sets the maximum number of whitespaces allowed with HTTP client request line folding. " . + "Request headers folded with whitespaces equal to or greater than this value will cause a \"Whitespace Saturation\" alert. ") . + gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save httpinspect engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> + +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> + +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> + +<script type="text/javascript"> + +function extended_response_enable_change() { + var endis = !(document.iform.httpinspect_extended_response_inspection.checked); + + // Hide the "httpinspect_inspectgzip and httpinspect_normalizejavascript" rows if httpinspect_extended_response_inspection disabled + if (endis) { + document.getElementById("httpinspect_inspectgzip_row").style.display="none"; + document.getElementById("httpinspect_unlimiteddecompress_row").style.display="none"; + document.getElementById("httpinspect_normalizejavascript_row").style.display="none"; + document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="none"; + } + else { + document.getElementById("httpinspect_inspectgzip_row").style.display="table-row"; + document.getElementById("httpinspect_unlimiteddecompress_row").style.display="table-row"; + document.getElementById("httpinspect_normalizejavascript_row").style.display="table-row"; + document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="table-row"; + } +} + +function httpinspect_inspectgzip_enable_change() { + var endis = !(document.iform.httpinspect_inspect_gzip.checked); + // Hide the "httpinspect_unlimited_decompress" row if httpinspect_inspect_gzip disabled + if (endis) + document.getElementById("httpinspect_unlimiteddecompress_row").style.display="none"; + else + document.getElementById("httpinspect_unlimiteddecompress_row").style.display="table-row"; +} + +function normalize_javascript_enable_change() { + var endis = !(document.iform.httpinspect_normalize_javascript.checked); + + // Hide the "httpinspect_maxjavascriptwhitespaces" row if httpinspect_normalize_javascript disabled + if (endis) + document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="none"; + else + document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="table-row"; +} + +// Set initial state of form controls +extended_response_enable_change(); +normalize_javascript_enable_change(); +httpinspect_inspectgzip_enable_change(); + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesport = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } + elseif ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesport .= ","; + $aliasesport .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portarray=new Array(<?php echo $aliasesport; ?>); + +function createAutoSuggest() { +<?php + echo "objAliasAddr = new AutoSuggestControl(document.getElementById('httpinspect_bind_to'), new StateSuggestions(addressarray));\n"; + echo "objAliasPort = new AutoSuggestControl(document.getElementById('httpinspect_ports'), new StateSuggestions(portarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); + +</script> +<?php include("fend.inc");?> +</body> +</html> diff --git a/config/snort/snort_import_aliases.php b/config/snort/snort_import_aliases.php new file mode 100644 index 00000000..d9f751cd --- /dev/null +++ b/config/snort/snort_import_aliases.php @@ -0,0 +1,327 @@ +<?php +/* $Id$ */ +/* + snort_import_aliases.php + Copyright (C) 2004 Scott Ullrich + All rights reserved. + + originially part of m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require_once("functions.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +// Retrieve any passed QUERY STRING or POST variables +$id = $_GET['id']; +$eng = $_GET['eng']; +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng'])) + $eng = $_POST['eng']; + +// Make sure we have a valid rule ID and ENGINE name, or +// else bail out to top-level menu. +if (is_null($id) || is_null($eng)) { + header("Location: /snort/snort_interfaces.php"); + exit; +} + +// Used to track if any selectable Aliases are found +$selectablealias = false; + +// Initialize required array variables as necessary +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); +$a_aliases = $config['aliases']['alias']; +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +// The $eng variable points to the specific Snort config section +// engine we are importing values into. Initialize the config.xml +// array if necessary. +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'])) + $config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'] = array(); + +// Initialize a pointer to the Snort config section engine we are +// importing values into. +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id][$eng]['item']; + +// Build a lookup array of currently used engine 'bind_to' Aliases +// so we can screen matching Alias names from the list. +$used = array(); +foreach ($a_nat as $v) + $used[$v['bind_to']] = true; + +// Construct the correct return anchor string based on the Snort config section +// engine we were called with. This lets us return to the page and section +// we were called from. Also set the flag for those engines which accept +// multiple IP addresses for the "bind_to" parameter. +switch ($eng) { + case "frag3_engine": + $anchor = "#frag3_row"; + $multi_ip = true; + $title = "Frag3 Engine"; + break; + case "http_inspect_engine": + $anchor = "#httpinspect_row"; + $multi_ip = true; + $title = "HTTP_Inspect Engine"; + break; + case "stream5_tcp_engine": + $anchor = "#stream5_row"; + $multi_ip = true; + $title = "Stream5 TCP Engine"; + break; + case "ftp_server_engine": + $anchor = "#ftp_telnet_row"; + $multi_ip = false; + $title = "FTP Server Engine"; + break; + case "ftp_client_engine": + $anchor = "#ftp_telnet_row"; + $multi_ip = false; + $title = "FTP Client Engine"; + break; + default: + $anchor = ""; +} + +if ($_POST['cancel']) { + header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}"); + exit; +} + +if ($_POST['save']) { + + // Define default engine configurations for each of the supported engines. + + $def_frag3 = array( "name" => "", "bind_to" => "", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + + $def_ftp_server = array( "name" => "", "bind_to" => "", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + $def_ftp_client = array( "name" => "", "bind_to" => "", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + $def_http_inspect = array( "name" => "", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + + $def_stream5 = array( "name" => "", "bind_to" => "", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + + // Figure out which engine type we are importing and set up default engine array + $engine = array(); + switch ($eng) { + case "frag3_engine": + $engine = $def_frag3; + break; + case "http_inspect_engine": + $engine = $def_http_inspect; + break; + case "stream5_tcp_engine": + $engine = $def_stream5; + break; + case "ftp_server_engine": + $engine = $def_ftp_server; + break; + case "ftp_client_engine": + $engine = $def_ftp_client; + break; + default: + $engine = ""; + $input_errors[] = gettext("Invalid ENGINE TYPE passed in query string. Aborting operation."); + } + + // See if anything was checked to import + if (is_array($_POST['toimport']) && count($_POST['toimport']) > 0) { + foreach ($_POST['toimport'] as $item) { + $engine['name'] = strtolower($item); + $engine['bind_to'] = $item; + $a_nat[] = $engine; + } + } + else + $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); + + // if no errors, write new entry to conf + if (!$input_errors) { + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom if + // the array contains more than one entry. + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + // Only relocate the entry if we + // found it, and it's not already + // at the end. + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + // Now write the new engine array to conf and return + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}"); + exit; + } +} + +$pgtitle = gettext("Snort: Import Host/Network Alias for {$title}"); +include("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<form action="snort_import_aliases.php" method="post"> +<input type="hidden" name="id" value="<?=$id;?>"> +<input type="hidden" name="eng" value="<?=$eng;?>"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td class="tabcont"><strong><?=gettext("Select one or more Aliases to use as {$title} targets from the list below.");?></strong><br/> + </td> +</tr> +<tr> + <td class="tabcont"> + <table id="sortabletable1" style="table-layout: fixed;" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="5%" align="center"> + <col width="25%" align="left" axis="string"> + <col width="35%" align="left" axis="string"> + <col width="35%" align="left" axis="string"> + </colgroup> + <thead> + <tr> + <th class="listhdrr"></th> + <th class="listhdrr" axis="string"><?=gettext("Alias Name"); ?></th> + <th class="listhdrr" axis="string"><?=gettext("Values"); ?></th> + <th class="listhdrr" axis="string"><?=gettext("Description"); ?></th> + </tr> + </thead> + <tbody> + <?php $i = 0; foreach ($a_aliases as $alias): ?> + <?php if ($alias['type'] <> "host" && $alias['type'] <> "network") + continue; + if (isset($used[$alias['name']])) + continue; + if (!$multi_ip && !snort_is_single_addr_alias($alias['name'])) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $disable = true; + $tooltip = gettext("Aliases resolving to multiple addresses cannot be used with the '{$eng}'."); + } + elseif (trim(filter_expand_alias($alias['name'])) == "") { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $disable = true; + $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations."); + } + else { + $textss = ""; + $textse = ""; + $disable = ""; + $selectablealias = true; + $tooltip = gettext("Selected entries will be imported. Click to toggle selection of this entry."); + } + ?> + <?php if ($disable): ?> + <tr title="<?=$tooltip;?>"> + <td class="listlr" align="center"><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height"11" border="0"/> + <?php else: ?> + <tr> + <td class="listlr" align="center"><input type="checkbox" name="toimport[]" value="<?=htmlspecialchars($alias['name']);?>" title="<?=$tooltip;?>"/></td> + <?php endif; ?> + <td class="listr" align="left"><?=$textss . htmlspecialchars($alias['name']) . $textse;?></td> + <td class="listr" align="left"> + <?php + $tmpaddr = explode(" ", $alias['address']); + $addresses = implode(", ", array_slice($tmpaddr, 0, 10)); + echo "{$textss}{$addresses}{$textse}"; + if(count($tmpaddr) > 10) { + echo "..."; + } + ?> + </td> + <td class="listbg" align="left"> + <?=$textss . htmlspecialchars($alias['descr']) . $textse;?> + </td> + </tr> + <?php $i++; endforeach; ?> + </table> + </td> +</tr> +<?php if (!$selectablealias): ?> +<tr> + <td class="tabcont" align="center"><b><?php echo gettext("There are currently no defined Aliases eligible for import.");?></b></td> +</tr> +<tr> + <td class="tabcont" align="center"> + <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/> + </td> +</tr> +<?php else: ?> +<tr> + <td class="tabcont" align="center"> + <input type="Submit" name="save" value="Save" id="save" class="formbtn" title="<?=gettext("Import selected item and return");?>"/> + <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/> + </td> +</tr> +<?php endif; ?> +<tr> + <td class="tabcont"> + <span class="vexpl"><span class="red"><strong><?=gettext("Note:"); ?><br></strong></span><?=gettext("Fully-Qualified Domain Name (FQDN) host Aliases cannot be used as Snort configuration parameters. Aliases resolving to a single FQDN value are disabled in the list above. In the case of nested Aliases where one or more of the nested values is a FQDN host, the FQDN host will not be included in the {$title} configuration.");?></span> + </td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index bbd4338c..9d488207 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -102,6 +102,12 @@ elseif (isset($id) && !isset($a_rule[$id])) { if (isset($_GET['dup'])) unset($id); +// Set defaults for empty key parameters +if (empty($pconfig['blockoffendersip'])) + $pconfig['blockoffendersip'] = "both"; +if (empty($pconfig['performance'])) + $pconfig['performance'] = "ac-bnfa"; + if ($_POST["Submit"]) { if (!$_POST['interface']) $input_errors[] = "Interface is mandatory"; @@ -113,7 +119,7 @@ if ($_POST["Submit"]) { $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; - /* See if the HOME_NET, EXTERNAL_NET, WHITELIST or SUPPRESS LIST values were changed */ + /* See if the HOME_NET, EXTERNAL_NET, or SUPPRESS LIST values were changed */ $snort_reload = false; if ($_POST['homelistname'] && ($_POST['homelistname'] <> $natent['homelistname'])) $snort_reload = true; @@ -121,8 +127,6 @@ if ($_POST["Submit"]) { $snort_reload = true; if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname'])) $snort_reload = true; - if ($_POST['whitelistname'] && ($_POST['whitelistname'] <> $natent['whitelistname'])) - $snort_reload = true; if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']); if ($_POST['performance']) $natent['performance'] = $_POST['performance']; else unset($natent['performance']); @@ -150,8 +154,100 @@ if ($_POST["Submit"]) { exec("mv -f {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$if_real}"); } $a_rule[$id] = $natent; - } else + } else { + // Adding new interface, so set required interface configuration defaults + $frag3_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + + $stream5_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", + "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + + $http_eng = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", + "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", + "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + + $ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + $ftp_server_eng = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + $natent['max_attribute_hosts'] = '10000'; + $natent['max_attribute_services_per_host'] = '10'; + $natent['max_paf'] = '16000'; + + $natent['ftp_preprocessor'] = 'on'; + $natent['ftp_telnet_inspection_type'] = "stateful"; + $natent['ftp_telnet_alert_encrypted'] = "off"; + $natent['ftp_telnet_check_encrypted'] = "on"; + $natent['ftp_telnet_normalize'] = "on"; + $natent['ftp_telnet_detect_anomalies'] = "on"; + $natent['ftp_telnet_ayt_attack_threshold'] = "20"; + if (!is_array($natent['ftp_client_engine']['item'])) + $natent['ftp_client_engine']['item'] = array(); + $natent['ftp_client_engine']['item'][] = $ftp_client_eng; + if (!is_array($natent['ftp_server_engine']['item'])) + $natent['ftp_server_engine']['item'] = array(); + $natent['ftp_server_engine']['item'][] = $ftp_server_eng; + + $natent['smtp_preprocessor'] = 'on'; + $natent['dce_rpc_2'] = 'on'; + $natent['dns_preprocessor'] = 'on'; + $natent['ssl_preproc'] = 'on'; + $natent['pop_preproc'] = 'on'; + $natent['imap_preproc'] = 'on'; + $natent['sip_preproc'] = 'on'; + $natent['other_preprocs'] = 'on'; + + $natent['pscan_protocol'] = 'all'; + $natent['pscan_type'] = 'all'; + $natent['pscan_memcap'] = '10000000'; + $natent['pscan_sense_level'] = 'medium'; + + $natent['http_inspect'] = "on"; + $natent['http_inspect_proxy_alert'] = "off"; + $natent['http_inspect_memcap'] = "150994944"; + $natent['http_inspect_max_gzip_mem'] = "838860"; + if (!is_array($natent['http_inspect_engine']['item'])) + $natent['http_inspect_engine']['item'] = array(); + $natent['http_inspect_engine']['item'][] = $http_eng; + + $natent['frag3_max_frags'] = '8192'; + $natent['frag3_memcap'] = '4194304'; + $natent['frag3_detection'] = 'on'; + if (!is_array($natent['frag3_engine']['item'])) + $natent['frag3_engine']['item'] = array(); + $natent['frag3_engine']['item'][] = $frag3_eng; + + $natent['stream5_reassembly'] = 'on'; + $natent['stream5_flush_on_alert'] = 'off'; + $natent['stream5_prune_log_max'] = '1048576'; + $natent['stream5_track_tcp'] = 'on'; + $natent['stream5_max_tcp'] = '262144'; + $natent['stream5_track_udp'] = 'on'; + $natent['stream5_max_udp'] = '131072'; + $natent['stream5_udp_timeout'] = '30'; + $natent['stream5_track_icmp'] = 'off'; + $natent['stream5_max_icmp'] = '65536'; + $natent['stream5_icmp_timeout'] = '30'; + $natent['stream5_mem_cap']= '8388608'; + if (!is_array($natent['stream5_tcp_engine']['item'])) + $natent['stream5_tcp_engine']['item'] = array(); + $natent['stream5_tcp_engine']['item'][] = $stream5_eng; + $a_rule[] = $natent; + } /* If Snort is disabled on this interface, stop any running instance */ if ($natent['enable'] != 'on') @@ -168,9 +264,9 @@ if ($_POST["Submit"]) { /*******************************************************/ /* Signal Snort to reload configuration if we changed */ - /* HOME_NET, the Whitelist, EXTERNAL_NET or Suppress */ - /* list values. The function only signals a running */ - /* Snort instance to safely reload these parameters. */ + /* HOME_NET, EXTERNAL_NET or Suppress list values. */ + /* The function only signals a running Snort instance */ + /* to safely reload these parameters. */ /*******************************************************/ if ($snort_reload == true) snort_reload_config($natent, "SIGHUP"); @@ -187,7 +283,7 @@ if ($_POST["Submit"]) { } $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface Edit: {$if_friendly}"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Edit Settings"); include_once("head.inc"); ?> @@ -265,28 +361,24 @@ include_once("head.inc"); <?php endforeach; ?> </select> <span class="vexpl"><?php echo gettext("Choose which interface this Snort instance applies to."); ?><br/> - <span class="red"><?php echo gettext("Hint:"); ?> </span><?php echo gettext("in most cases, you'll want to use WAN here."); ?></span><br/></td> + <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("In most cases, you'll want to use WAN here."); ?></span><br/></td> </tr> <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Description"); ?></td> - <td width="78%" class="vtable"><input name="descr" type="text" - class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/> + <td width="78%" class="vtable"><input name="descr" type="text" + class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/> <span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference."); ?></span><br/></td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Alert Settings"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Send alerts to main " . - "System logs"); ?></td> - <td width="78%" class="vtable"><input name="alertsystemlog" - type="checkbox" value="on" - <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?> - onClick="enable_change(false)"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Send Alerts to System Logs"); ?></td> + <td width="78%" class="vtable"><input name="alertsystemlog" type="checkbox" value="on" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?>> <?php echo gettext("Snort will send Alerts to the firewall's system logs."); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Block offenders"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Block Offenders"); ?></td> <td width="78%" class="vtable"> <input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on" <?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?> @@ -295,14 +387,14 @@ include_once("head.inc"); "Snort alert."); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill states"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill States"); ?></td> <td width="78%" class="vtable"> <input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>> <?php echo gettext("Checking this option will kill firewall states for the blocked IP"); ?> </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to block"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to Block"); ?></td> <td width="78%" class="vtable"> <select name="blockoffendersip" class="formselect" id="blockoffendersip"> <?php @@ -315,7 +407,8 @@ include_once("head.inc"); } ?> </select> - <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?> + <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?><br/> + <span class="red"><?php echo gettext("Hint:") . "</span> " . gettext("Choosing BOTH is suggested, and it is the default value."); ?></span><br/></td> </td> </tr> <tr> @@ -332,8 +425,8 @@ include_once("head.inc"); foreach ($interfaces2 as $iface2 => $ifacename2): ?> <option value="<?=$iface2;?>" <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> - <?=htmlspecialchars($ifacename2);?></option> - <?php endforeach; ?> + <?=htmlspecialchars($ifacename2);?></option> + <?php endforeach; ?> </select> <?php echo gettext("Choose a fast pattern matcher algorithm. ") . "<strong>" . gettext("Default") . "</strong>" . gettext(" is ") . "<strong>" . gettext("AC-BNFA") . "</strong>"; ?>.<br/><br/> @@ -471,17 +564,17 @@ include_once("head.inc"); id="btnWhitelist" title="<?php echo gettext("Click to view currently selected Whitelist contents"); ?>"/> <br/> <span class="vexpl"><?php echo gettext("Choose the whitelist you want this interface to " . - "use."); ?> </span><br/> <br/><span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Default " . - "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?><br/> - <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("This option will only be used when block offenders is on."); ?> + "use."); ?> </span><br/><br/> + <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("This option will only be used when block offenders is on."); ?><br/> + <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Default " . + "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?> </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering " . - "file if desired."); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering file if desired."); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Suppression and filtering"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Suppression and Filtering"); ?></td> <td width="78%" class="vtable"> <select name="suppresslistname" class="formselect" id="suppresslistname"> <?php @@ -563,6 +656,9 @@ function enable_change(enable_change) { document.iform.btnHomeNet.disabled=endis; document.iform.btnWhitelist.disabled=endis; document.iform.btnSuppressList.disabled=endis; + document.iform.fpm_split_any_any.disabled=endis; + document.iform.fpm_search_optimize.disabled=endis; + document.iform.fpm_no_stream_inserts.disabled=endis; } function wopen(url, name, w, h) { @@ -592,6 +688,10 @@ function viewList(id, elemID, elemType) { url = url + getSelectedValue(elemID) + "&type=" + elemType; wopen(url, 'WhitelistViewer', 640, 480); } + +enable_change(false); +enable_blockoffenders(); + //--> </script> <?php include("fend.inc"); ?> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 089255b6..77cb0e7c 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -58,7 +58,7 @@ $pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['s if (empty($pconfig['snortloglimit'])) $pconfig['snortloglimit'] = 'on'; if (empty($pconfig['rule_update_starttime'])) - $pconfig['rule_update_starttime'] = '00:03'; + $pconfig['rule_update_starttime'] = '00:30'; if ($_POST['rule_update_starttime']) { if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime'])) @@ -71,15 +71,49 @@ if ($_POST['snortdownload'] == "on" && empty($_POST['oinkmastercode'])) if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code'])) $input_errors[] = "You must supply a subscription code in the box provided in order to enable Emerging Threats Pro rules!"; -/* if no errors move foward */ +/* if no errors move foward with save */ if (!$input_errors) { if ($_POST["Submit"]) { $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'] ? 'on' : 'off'; - $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off'; + + // If any rule sets are being turned off, then remove them + // from the active rules section of each interface. Start + // by building an arry of prefixes for the disabled rules. + $disabled_rules = array(); + $disable_ips_policy = false; + if ($config['installedpackages']['snortglobal']['snortdownload'] == 'off') { + $disabled_rules[] = VRT_FILE_PREFIX; + $disable_ips_policy = true; + } + if ($config['installedpackages']['snortglobal']['snortcommunityrules'] == 'off') + $disabled_rules[] = GPL_FILE_PREFIX; + if ($config['installedpackages']['snortglobal']['emergingthreats'] == 'off') + $disabled_rules[] = ET_OPEN_FILE_PREFIX; + if ($config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'off') + $disabled_rules[] = ET_PRO_FILE_PREFIX; + + // Now walk all the configured interface rulesets and remove + // any matching the disabled ruleset prefixes. + foreach ($config['installedpackages']['snortglobal']['rule'] as &$iface) { + // Disable Snort IPS policy if VRT rules are disabled + if ($disable_ips_policy) { + $iface['ips_policy_enable'] = 'off'; + unset($iface['ips_policy']); + } + $enabled_rules = explode("||", $iface['rulesets']); + foreach ($enabled_rules as $k => $v) { + foreach ($disabled_rules as $d) + if (strpos(trim($v), $d) !== false) + unset($enabled_rules[$k]); + } + $iface['rulesets'] = implode("||", $enabled_rules); + } + + $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; $config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code']; $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; @@ -122,7 +156,7 @@ if (!$input_errors) { } } -$pgtitle = 'Services: Snort: Global Settings'; +$pgtitle = gettext("Snort: Global Settings"); include_once("head.inc"); ?> @@ -137,7 +171,7 @@ if($pfsense_stable == 'yes') /* Display Alert message, under form tag or no refresh */ if ($input_errors) - print_input_errors($input_errors); // TODO: add checks + print_input_errors($input_errors); ?> @@ -162,11 +196,10 @@ if ($input_errors) <div id="mainarea"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The " . - "Type Of Rules You Wish To Download"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The Type Of Rules You Wish To Download");?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort VRT%s rules"), '<strong>' , '</strong>'); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Snort VRT") . "</strong>" . gettext(" rules");?></td> <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> @@ -175,45 +208,44 @@ if ($input_errors) <td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td> <tr> <td> </td> - <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br> + <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br/> <a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank"> <?php echo gettext("Sign Up for paid Sourcefire VRT Certified Subscriber Rules"); ?></a></td> </tr> + </table> + <table id="snort_oink_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td colspan="2"> </td> </tr> - </table> - <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Snort VRT Oinkmaster Configuration"); ?></span></b></td> </tr> <tr> <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> <td><input name="oinkmastercode" type="text" - class="formfld" id="oinkmastercode" size="52" - value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" - <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br> + class="formfld unknown" id="oinkmastercode" size="52" + value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br/> <?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td> </tr> </table> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " . - "rules"), '<strong>' , '</strong>'); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Snort Community") . "</strong>" . gettext(" rules");?></td> <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on" - <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td> - <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . - "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?> - <br/><br/><?php printf(gettext("%sNote: %sIf you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the Snort VRT rules, and there is no benefit in adding this rule set."),'<span class="red"><strong>' ,'</strong></span>'); ?></span><br></td> + <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked";?> ></td> + <td class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . + "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset.");?> + <br/><br/><?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . + gettext("If you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the ") . + gettext("Snort VRT rules, and there is no benefit in adding this rule set.");?><br/></td> </tr> </table></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmerging Threats%s " . - "rules"), '<strong>' , '</strong>'); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Emerging Threats") . "</strong>" . gettext(" rules");?></td> <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> @@ -236,20 +268,19 @@ if ($input_errors) <td class="vexpl"><?php echo "<span class='red'><strong>" . gettext("Note:") . "</strong></span>" . " " . gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?></td> </tr> + </table> + <table id="etpro_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td colspan="2"> </td> </tr> - </table> - <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("ETPro Subscription Configuration"); ?></span></b></td> </tr> <tr> <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> <td><input name="etpro_code" type="text" - class="formfld" id="etpro_code" size="52" - value="<?=htmlspecialchars($pconfig['etpro_code']);?>" - <?php if($pconfig['emergingthreats_pro']<>'on') echo 'disabled'; ?>><br> + class="formfld unknown" id="etpro_code" size="52" + value="<?=htmlspecialchars($pconfig['etpro_code']);?>"><br/> <?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td> </tr> </table> @@ -276,7 +307,7 @@ if ($input_errors) </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Update Start Time"); ?></td> - <td width="78%" class="vtable"><input type="text" class="formfld" name="rule_update_starttime" id="rule_update_starttime" size="4" + <td width="78%" class="vtable"><input type="text" class="formfld time" name="rule_update_starttime" id="rule_update_starttime" size="4" maxlength="5" value="<?=$pconfig['rule_update_starttime'];?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?>><span class="vexpl"> <?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" . gettext("Default") . " </strong>" . gettext("is ") . "<strong>" . gettext("00:03") . "</strong></span>"; ?>.<br/><br/> @@ -304,44 +335,42 @@ if ($input_errors) <tr> <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="off" <?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong> - <?php echo gettext("directory size limit"); ?></span><br> - <br> + <?php echo gettext("directory size limit"); ?></span><br/> + <br/> <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("Nanobsd " . "should use no more than 10MB of space."); ?></td> </tr> </table> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td><span class="vexpl"><?php echo gettext("Size in"); ?> <strong>MB</strong></span></td> - <td><input name="snortloglimitsize" type="text" class="formfld" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> - <?php printf(gettext("Default is %s20%%%s of available space."), '<strong>', '</strong>'); ?></td> + <td class="vexpl"><?php echo gettext("Size in ") . "<strong>" . gettext("MB:") . "</strong>";?> + <input name="snortloglimitsize" type="text" class="formfld unknown" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> + <?php echo gettext("Default is ") . "<strong>" . gettext("20%") . "</strong>" . gettext(" of available space.");?></td> </tr> </table> </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove blocked hosts " . - "every"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Blocked Hosts Interval"); ?></td> <td width="78%" class="vtable"> <select name="rm_blocked" class="formselect" id="rm_blocked"> <?php - $interfaces3 = array('never_b' => gettext('NEVER'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS')); + $interfaces3 = array('never_b' => gettext('NEVER'), '15m_b' => gettext('15 MINS'), '30m_b' => gettext('30 MINS'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS')); foreach ($interfaces3 as $iface3 => $ifacename3): ?> <option value="<?=$iface3;?>" <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>> <?=htmlspecialchars($ifacename3);?></option> <?php endforeach; ?> - </select> - <?php echo gettext("Please select the amount of time you would like hosts to be blocked for."); ?><br/><br/> - <?php printf(gettext("%sHint:%s in most cases, 1 hour is a good choice."), '<span class="red"><strong>', '</strong></span>'); ?></td> + </select> + <?php echo gettext("Please select the amount of time you would like hosts to be blocked."); ?><br/><br/> + <?php echo "<span class=\"red\"><strong>" . gettext("Hint:") . "</strong></span>" . gettext(" in most cases, 1 hour is a good choice.");?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep snort settings " . - "after deinstall"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Snort Settings After Deinstall"); ?></td> <td width="78%" class="vtable"><input name="forcekeepsettings" id="forcekeepsettings" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?> - > <?php echo gettext("Settings will not be removed during deinstall."); ?></td> + > <?php echo gettext("Settings will not be removed during package deinstallation."); ?></td> </tr> <tr> <td width="22%" valign="top"> @@ -351,10 +380,8 @@ if ($input_errors) </tr> <tr> <td width="22%" valign="top"> </td> - <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?><br> - </strong></span> <?php echo gettext("Changing any settings on this page will affect all " . - "interfaces. Double check that your oink code is correct, and verify the " . - "type of Snort.org account you hold."); ?></span></td> + <td width="78%" class="vexpl"><span class="red"><strong><?php echo gettext("Note:");?></strong> + </span><?php echo gettext("Changing any settings on this page will affect all Snort-configured interfaces.");?></td> </tr> </table> </div><br/> @@ -367,15 +394,17 @@ if ($input_errors) <!-- function enable_snort_vrt() { var endis = !(document.iform.snortdownload.checked); - document.iform.oinkmastercode.disabled = endis; - document.iform.etpro_code.disabled = endis; + if (endis) + document.getElementById("snort_oink_code_tbl").style.display = "none"; + else + document.getElementById("snort_oink_code_tbl").style.display = "table"; } function enable_et_rules() { var endis = document.iform.emergingthreats.checked; if (endis) { document.iform.emergingthreats_pro.checked = !(endis); - document.iform.etpro_code.disabled = "true"; + document.getElementById("etpro_code_tbl").style.display = "none"; } } @@ -384,9 +413,12 @@ function enable_etpro_rules() { if (endis) { document.iform.emergingthreats.checked = !(endis); document.iform.etpro_code.disabled = ""; + document.getElementById("etpro_code_tbl").style.display = "table"; } - else + else { document.iform.etpro_code.disabled = "true"; + document.getElementById("etpro_code_tbl").style.display = "none"; + } } function enable_change_rules_upd() { @@ -396,6 +428,12 @@ function enable_change_rules_upd() { document.iform.rule_update_starttime.disabled=""; } +// Initialize the form controls state based on saved settings +enable_snort_vrt(); +enable_et_rules(); +enable_etpro_rules(); +enable_change_rules_upd(); + //--> </script> diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index 7eed6dd3..e42b7f8c 100644 --- a/config/snort/snort_interfaces_suppress.php +++ b/config/snort/snort_interfaces_suppress.php @@ -84,7 +84,7 @@ if ($_GET['act'] == "del") { } } -$pgtitle = "Services: Snort: Suppression"; +$pgtitle = gettext("Snort: Suppression Lists"); include_once("head.inc"); ?> diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 1eb16260..3d703987 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -126,7 +126,7 @@ if ($_POST['submit']) { } } -$pgtitle = "Services: Snort: Suppression: Edit"; +$pgtitle = gettext("Snort: Suppression List Edit - {$a_suppress[$id]['name']}"); include_once("head.inc"); ?> @@ -166,7 +166,7 @@ if ($savemsg) <tr> <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Name"); ?></td> <td width="78%" class="vtable"><input name="name" type="text" id="name" - class="formfld unkown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> + class="formfld unknown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> <span class="vexpl"> <?php echo gettext("The list name may only consist of the " . "characters \"a-z, A-Z, 0-9 and _\"."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> <?php echo gettext("No Spaces or dashes."); ?> </span></td> @@ -174,7 +174,7 @@ if ($savemsg) <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td> <td width="78%" class="vtable"><input name="descr" type="text" - class="formfld unkown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br /> + class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br /> <span class="vexpl"> <?php echo gettext("You may enter a description here for your " . "reference (not parsed)."); ?> </span></td> </tr> diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php index ab22103e..9391eb85 100644 --- a/config/snort/snort_interfaces_whitelist.php +++ b/config/snort/snort_interfaces_whitelist.php @@ -61,7 +61,7 @@ if ($_GET['act'] == "del") { } } -$pgtitle = "Services: Snort: Whitelist"; +$pgtitle = gettext("Snort: Whitelists"); include_once("head.inc"); ?> diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index 671fa4e5..9fb97be1 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -38,6 +38,11 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +if ($_POST['cancel']) { + header("Location: /snort/snort_interfaces_whitelist.php"); + exit; +} + if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) $config['installedpackages']['snortglobal']['whitelist'] = array(); if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) @@ -88,6 +93,12 @@ if (isset($id) && $a_whitelist[$id]) { $pconfig['vpnips'] = $a_whitelist[$id]['vpnips']; } +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + if ($_GET['varname'] == "address" && !empty($_GET['varvalue'])) + $pconfig[$_GET['varname']] = $_GET['varvalue']; +} + if ($_POST['submit']) { conf_mount_rw(); @@ -118,7 +129,7 @@ if ($_POST['submit']) { if ($_POST['address']) if (!is_alias($_POST['address'])) - $input_errors[] = gettext("A valid alias need to be provided"); + $input_errors[] = gettext("A valid alias must be provided"); if (!$input_errors) { $w_list = array(); @@ -151,7 +162,7 @@ if ($_POST['submit']) { } } -$pgtitle = "Services: Snort: Whitelist: Edit $whitelist_uuid"; +$pgtitle = gettext("Snort: Whitelist Edit - {$a_whitelist[$id]['name']}"); include_once("head.inc"); ?> @@ -193,7 +204,7 @@ if ($savemsg) </tr> <tr> <td valign="top" class="vncellreq"><?php echo gettext("Name"); ?></td> - <td class="vtable"><input name="name" type="text" id="name" + <td class="vtable"><input name="name" type="text" id="name" class="formfld unknown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br /> <span class="vexpl"> <?php echo gettext("The list name may only consist of the " . "characters \"a-z, A-Z, 0-9 and _\"."); ?> <span class="red"><?php echo gettext("Note:"); ?> </span> @@ -201,7 +212,7 @@ if ($savemsg) </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td> - <td width="78%" class="vtable"><input name="descr" type="text" + <td width="78%" class="vtable"><input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br /> <span class="vexpl"> <?php echo gettext("You may enter a description here for your " . "reference (not parsed)."); ?> </span></td> @@ -261,14 +272,17 @@ if ($savemsg) <div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div> </td> <td width="78%" class="vtable"> - <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" title="<?=trim(filter_expand_alias($pconfig['address']));?>"/> + <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" + title="<?=trim(filter_expand_alias($pconfig['address']));?>" /> + <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=0&type=host|network&varname=address&act=import&multi_ip=yes'" + title="<?php echo gettext("Select an existing IP alias");?>"/> </td> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> <input id="submit" name="submit" type="submit" class="formbtn" value="Save" /> - <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" value="Cancel" onclick="history.back()" /> + <input id="cancel" name="cancel" type="submit" class="formbtn" value="Cancel" /> <input name="id" type="hidden" value="<?=$id;?>" /> </td> </tr> @@ -287,7 +301,7 @@ if ($savemsg) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] != "host" && $alias_name['type'] != "network") continue; - // Skip any Alias that resolves to an empty string + // Skip any Aliases that resolve to an empty string if (trim(filter_expand_alias($alias_name['name'])) == "") continue; if($addrisfirst == 1) $aliasesaddr .= ","; diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php new file mode 100644 index 00000000..35dd3847 --- /dev/null +++ b/config/snort/snort_migrate_config.php @@ -0,0 +1,298 @@ +<?php +/* + * snort_migrate_config.inc + * + * Copyright (C) 2006 Scott Ullrich + * Copyright (C) 2009-2010 Robert Zelaya + * Copyright (C) 2011-2012 Ermal Luci + * part of pfSense + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("config.inc"); +require_once("functions.inc"); + +/****************************************************************************/ +/* The code in this module is called once during the post-install process */ +/* via an "include" line. It is used to perform a one-time migration of */ +/* Snort preprocessor configuration parameters into the new format used */ +/* by the multi-engine config feature. Configuration parameters for the */ +/* multiple configuration engines of some preprocessors are stored as */ +/* array values within the "config.xml" file in the [snortglobals] section. */ +/****************************************************************************/ + +global $config; + +if (!is_array($config['installedpackages']['snortglobal'])) + $config['installedpackages']['snortglobal'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +// Just exit if this is a clean install with no saved settings +if (empty($config['installedpackages']['snortglobal']['rule'])) + return; + +$rule = &$config['installedpackages']['snortglobal']['rule']; + +/****************************************************************************/ +/* Loop through all the <rule> elements in the Snort configuration and */ +/* migrate the relevant preprocessor parameters to the new format. */ +/****************************************************************************/ + +$updated_cfg = false; +log_error("[Snort] Checking configuration settings version..."); + +// Check the configuration version to see if XMLRPC Sync should +// auto-disabled as part of the upgrade due to config format changes. +if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) && + ($config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'auto' || + $config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'manual')) { + $config['installedpackages']['snortsync']['config']['varsynconchanges'] = "disabled"; + log_error("[Snort] Turning off Snort Sync on this host due to configuration format changes in this update. Upgrade all Snort Sync targets to this same Snort package version before re-enabling Snort Sync."); + $updated_cfg = true; +} + +foreach ($rule as &$r) { + // Initialize arrays for supported preprocessors if necessary + if (!is_array($r['frag3_engine']['item'])) + $r['frag3_engine']['item'] = array(); + if (!is_array($r['stream5_tcp_engine']['item'])) + $r['stream5_tcp_engine']['item'] = array(); + if (!is_array($r['http_inspect_engine']['item'])) + $r['http_inspect_engine']['item'] = array(); + if (!is_array($r['ftp_client_engine']['item'])) + $r['ftp_client_engine']['item'] = array(); + if (!is_array($r['ftp_server_engine']['item'])) + $r['ftp_server_engine']['item'] = array(); + + $pconfig = array(); + $pconfig = $r; + + // Create a default "frag3_engine" if none are configured + if (empty($pconfig['frag3_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating Frag3 Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + + // Ensure sensible default values exist for global Frag3 parameters + if (empty($pconfig['frag3_max_frags'])) + $pconfig['frag3_max_frags'] = '8192'; + if (empty($pconfig['frag3_memcap'])) + $pconfig['frag3_memcap'] = '4194304'; + if (empty($pconfig['frag3_detection'])) + $pconfig['frag3_detection'] = 'on'; + + // Put any old values in new default engine and remove old value + if (isset($pconfig['frag3_policy'])) + $default['policy'] = $pconfig['frag3_policy']; + unset($pconfig['frag3_policy']); + if (isset($pconfig['frag3_timeout']) && is_numeric($pconfig['frag3_timeout'])) + $default['timeout'] = $pconfig['frag3_timeout']; + unset($pconfig['frag3_timeout']); + if (isset($pconfig['frag3_overlap_limit']) && is_numeric($pconfig['frag3_overlap_limit'])) + $default['overlap_limit'] = $pconfig['frag3_overlap_limit']; + unset($pconfig['frag3_overlap_limit']); + if (isset($pconfig['frag3_min_frag_len']) && is_numeric($pconfig['frag3_min_frag_len'])) + $default['min_frag_len'] = $pconfig['frag3_min_frag_len']; + unset($pconfig['frag3_min_frag_len']); + + $pconfig['frag3_engine']['item'] = array(); + $pconfig['frag3_engine']['item'][] = $default; + } + + // Create a default Stream5 engine array if none are configured + if (empty($pconfig['stream5_tcp_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating Stream5 Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", + "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + + // Ensure sensible defaults exist for Stream5 global parameters + if (empty($pconfig['stream5_reassembly'])) + $pconfig['stream5_reassembly'] = 'on'; + if (empty($pconfig['stream5_flush_on_alert'])) + $pconfig['stream5_flush_on_alert'] = 'off'; + if (empty($pconfig['stream5_prune_log_max'])) + $pconfig['stream5_prune_log_max'] = '1048576'; + if (empty($pconfig['stream5_track_tcp'])) + $pconfig['stream5_track_tcp'] = 'on'; + if (empty($pconfig['stream5_max_tcp'])) + $pconfig['stream5_max_tcp'] = '262144'; + if (empty($pconfig['stream5_track_udp'])) + $pconfig['stream5_track_udp'] = 'on'; + if (empty($pconfig['stream5_max_udp'])) + $pconfig['stream5_max_udp'] = '131072'; + if (empty($pconfig['stream5_udp_timeout'])) + $pconfig['stream5_udp_timeout'] = '30'; + if (empty($pconfig['stream5_track_icmp'])) + $pconfig['stream5_track_icmp'] = 'off'; + if (empty($pconfig['stream5_max_icmp'])) + $pconfig['stream5_max_icmp'] = '65536'; + if (empty($pconfig['stream5_icmp_timeout'])) + $pconfig['stream5_icmp_timeout'] = '30'; + if (empty($pconfig['stream5_mem_cap'])) + $pconfig['stream5_mem_cap']= '8388608'; + + // Put any old values in new default engine and remove old value + if (isset($pconfig['stream5_policy'])) + $default['policy'] = $pconfig['stream5_policy']; + unset($pconfig['stream5_policy']); + if (isset($pconfig['stream5_tcp_timeout']) && is_numeric($pconfig['stream5_tcp_timeout'])) + $default['timeout'] = $pconfig['stream5_tcp_timeout']; + unset($pconfig['stream5_tcp_timeout']); + if (isset($pconfig['stream5_overlap_limit']) && is_numeric($pconfig['stream5_overlap_limit'])) + $default['overlap_limit'] = $pconfig['stream5_overlap_limit']; + unset($pconfig['stream5_overlap_limit']); + if (isset($pconfig['stream5_require_3whs'])) + $default['require_3whs'] = $pconfig['stream5_require_3whs']; + unset($pconfig['stream5_require_3whs']); + if (isset($pconfig['stream5_no_reassemble_async'])) + $default['no_reassemble_async'] = $pconfig['stream5_no_reassemble_async']; + unset($pconfig['stream5_no_reassemble_async']); + if (isset($pconfig['stream5_dont_store_lg_pkts'])) + $default['dont_store_lg_pkts'] = $pconfig['stream5_dont_store_lg_pkts']; + unset($pconfig['stream5_dont_store_lg_pkts']); + if (isset($pconfig['max_queued_bytes']) && is_numeric($pconfig['max_queued_bytes'])) + $default['max_queued_bytes'] = $pconfig['max_queued_bytes']; + unset($pconfig['max_queued_bytes']); + if (isset($pconfig['max_queued_segs']) && is_numeric($pconfig['max_queued_segs'])) + $default['max_queued_segs'] = $pconfig['max_queued_segs']; + unset($pconfig['max_queued_segs']); + + $pconfig['stream5_tcp_engine']['item'] = array(); + $pconfig['stream5_tcp_engine']['item'][] = $default; + } + + // Create a default HTTP_INSPECT engine if none are configured + if (empty($pconfig['http_inspect_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating HTTP_Inspect Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", + "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", + "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + + // Ensure sensible default values exist for global HTTP_INSPECT parameters + if (empty($pconfig['http_inspect'])) + $pconfig['http_inspect'] = "on"; + if (empty($pconfig['http_inspect_proxy_alert'])) + $pconfig['http_inspect_proxy_alert'] = "off"; + if (empty($pconfig['http_inspect_memcap'])) + $pconfig['http_inspect_memcap'] = "150994944"; + if (empty($pconfig['http_inspect_max_gzip_mem'])) + $pconfig['http_inspect_max_gzip_mem'] = "838860"; + + // Put any old values in new default engine and remove old value + if (isset($pconfig['server_flow_depth']) && is_numeric($pconfig['server_flow_depth'])) + $default['server_flow_depth'] = $pconfig['server_flow_depth']; + unset($pconfig['server_flow_depth']); + if (isset($pconfig['client_flow_depth']) & is_numeric($pconfig['client_flow_depth'])) + $default['client_flow_depth'] = $pconfig['client_flow_depth']; + unset($pconfig['client_flow_depth']); + if (isset($pconfig['http_server_profile'])) + $default['server_profile'] = $pconfig['http_server_profile']; + unset($pconfig['http_server_profile']); + if (isset($pconfig['http_inspect_enable_xff'])) + $default['enable_xff'] = $pconfig['http_inspect_enable_xff']; + unset($pconfig['http_inspect_enable_xff']); + if (isset($pconfig['http_inspect_log_uri'])) + $default['log_uri'] = $pconfig['http_inspect_log_uri']; + unset($pconfig['http_inspect_log_uri']); + if (isset($pconfig['http_inspect_log_hostname'])) + $default['log_hostname'] = $pconfig['http_inspect_log_hostname']; + unset($pconfig['http_inspect_log_hostname']); + if (isset($pconfig['noalert_http_inspect'])) + $default['no_alerts'] = $pconfig['noalert_http_inspect']; + unset($pconfig['noalert_http_inspect']); + + $pconfig['http_inspect_engine']['item'] = array(); + $pconfig['http_inspect_engine']['item'][] = $default; + } + + // Create a default FTP_CLIENT engine if none are configured + if (empty($pconfig['ftp_client_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating FTP Client Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + // Set defaults for new FTP_Telnet preprocessor configurable parameters + if (empty($pconfig['ftp_telnet_inspection_type'])) + $pconfig['ftp_telnet_inspection_type'] = 'stateful'; + if (empty($pconfig['ftp_telnet_alert_encrypted'])) + $pconfig['ftp_telnet_alert_encrypted'] = 'off'; + if (empty($pconfig['ftp_telnet_check_encrypted'])) + $pconfig['ftp_telnet_check_encrypted'] = 'on'; + if (empty($pconfig['ftp_telnet_normalize'])) + $pconfig['ftp_telnet_normalize'] = 'on'; + if (empty($pconfig['ftp_telnet_detect_anomalies'])) + $pconfig['ftp_telnet_detect_anomalies'] = 'on'; + if (empty($pconfig['ftp_telnet_ayt_attack_threshold'])) + $pconfig['ftp_telnet_ayt_attack_threshold'] = '20'; + + // Add new FTP_Telnet Client default engine + $pconfig['ftp_client_engine']['item'] = array(); + $pconfig['ftp_client_engine']['item'][] = $default; + } + + // Create a default FTP_SERVER engine if none are configured + if (empty($pconfig['ftp_server_engine']['item'])) { + $updated_cfg = true; + log_error("[Snort] Migrating FTP Server Engine configuration for interface {$pconfig['descr']}..."); + $default = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + // Add new FTP_Telnet Server default engine + $pconfig['ftp_server_engine']['item'] = array(); + $pconfig['ftp_server_engine']['item'][] = $default; + } + + // Save the new configuration data into the $config array pointer + $r = $pconfig; +} +// Release reference to final array element +unset($r); + +// Write out the new configuration to disk if we changed anything +if ($updated_cfg) { + $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.0"; + log_error("[Snort] Saving configuration settings in new format..."); + write_config(); + log_error("[Snort] Settings successfully migrated to new configuration format..."); +} +else + log_error("[Snort] Configuration version is current..."); + +?> diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php new file mode 100644 index 00000000..9723a4ba --- /dev/null +++ b/config/snort/snort_post_install.php @@ -0,0 +1,1440 @@ +<?php +/* + * snort_post_install.php + * + * Copyright (C) 2006 Scott Ullrich + * Copyright (C) 2009-2010 Robert Zelaya + * Copyright (C) 2011-2012 Ermal Luci + * part of pfSense + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/****************************************************************************/ +/* This module is called once during the Snort package installation to */ +/* perform required post-installation setup. It should only be executed */ +/* from the Package Manager process via the custom-post-install hook in */ +/* the snort.xml package configuration file. */ +/****************************************************************************/ + +require_once("config.inc"); +require_once("functions.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include; + +$snortdir = SNORTDIR; +$snortlibdir = SNORTLIBDIR; +$rcdir = RCFILEPREFIX; + +// This is a hack to workaround the caching of the old "snort.inc" by the +// Package Manager installation code. We need this new function which is +// in the new snort.inc file during post-installation. +if (!function_exists('snort_expand_port_range')) { + function snort_expand_port_range($ports, $delim = ',') { + // Split the incoming string on the specified delimiter + $tmp = explode($delim, $ports); + + // Look for any included port range and expand it + foreach ($tmp as $val) { + if (is_portrange($val)) { + $start = strtok($val, ":"); + $end = strtok(":"); + if ($end !== false) { + $val = $start . $delim; + for ($i = intval($start) + 1; $i < intval($end); $i++) + $val .= strval($i) . $delim; + $val .= $end; + } + } + $value .= $val . $delim; + } + + // Remove any trailing delimiter in return value + return trim($value, $delim); + } +} + +// This function mirrors the "snort_generate_conf()" function in the +// "snort.inc" file. It is here with a modified name as a workaround +// so that functionality built into the new package version can be +// implemented during installation. During a package reinstall, the +// Package Manager will cache the old version of "snort.inc" and thus +// new features are not available from the new "snort.inc" file in the +// new package. +function snort_build_new_conf($snortcfg) { + + global $config, $g, $rebuild_rules; + + $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; + $snortlogdir = SNORTLOGDIR; + $flowbit_rules_file = FLOWBITS_FILENAME; + $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; + + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + /* See if we should protect and not modify the preprocessor rules files */ + if (!empty($snortcfg['protect_preproc_rules'])) + $protect_preproc_rules = $snortcfg['protect_preproc_rules']; + else + $protect_preproc_rules = "off"; + + $if_real = snort_get_real_interface($snortcfg['interface']); + $snort_uuid = $snortcfg['uuid']; + $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; + + /* custom home nets */ + $home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']); + $home_net = implode(",", $home_net_list); + + $external_net = '!$HOME_NET'; + if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') { + $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']); + $external_net = implode(",", $external_net_list); + } + + /* user added arguments */ + $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); + // Remove the trailing newline + $snort_config_pass_thru = rtrim($snort_config_pass_thru); + + /* create a few directories and ensure the sample files are in place */ + $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", + "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", + "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", + "{$snortcfgdir}/preproc_rules", + "dynamicrules" => "{$snortlibdir}/dynamicrules", + "dynamicengine" => "{$snortlibdir}/dynamicengine", + "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" + ); + foreach ($snort_dirs as $dir) { + if (!is_dir($dir)) + safe_mkdir($dir); + } + + /********************************************************************/ + /* For fail-safe on an initial startup following installation, and */ + /* before a rules update has occurred, copy the default config */ + /* files to the interface directory. If files already exist in */ + /* the interface directory, or they are newer, that means a rule */ + /* update has been done and we should leave the customized files */ + /* put in place by the rules update process. */ + /********************************************************************/ + $snort_files = array("gen-msg.map", "classification.config", "reference.config", + "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", + "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" + ); + foreach ($snort_files as $file) { + if (file_exists("{$snortdir}/{$file}")) { + $ftime = filemtime("{$snortdir}/{$file}"); + if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) + @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + } + } + + /* define alertsystemlog */ + $alertsystemlog_type = ""; + if ($snortcfg['alertsystemlog'] == "on") + $alertsystemlog_type = "output alert_syslog: log_alert"; + + /* define snortunifiedlog */ + $snortunifiedlog_type = ""; + if ($snortcfg['snortunifiedlog'] == "on") + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; + + /* define spoink */ + $spoink_type = ""; + if ($snortcfg['blockoffenders7'] == "on") { + $pfkill = ""; + if ($snortcfg['blockoffenderskill'] == "on") + $pfkill = "kill"; + $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); + /* write whitelist */ + @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); + $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; + } + + /* define selected suppress file */ + $suppress_file_name = ""; + $suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress'); + if (!empty($suppress)) { + $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); + @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data); + $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}"; + } + + /* set the snort performance model */ + $snort_performance = "ac-bnfa"; + if(!empty($snortcfg['performance'])) + $snort_performance = $snortcfg['performance']; + + /* if user has defined a custom ssh port, use it */ + if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) + $ssh_port = $config['system']['ssh']['port']; + else + $ssh_port = "22"; + + /* Define an array of default values for the various preprocessor ports */ + $snort_ports = array( + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", + "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", + "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, + "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", + "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", + "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", + "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", + "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", + "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", + "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", + "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", + "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", + "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", + "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", + "GTP_PORTS" => "2123,2152,3386" + ); + + /* Check for defined Aliases that may override default port settings as we build the portvars array */ + $portvardef = ""; + foreach ($snort_ports as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) + $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); + $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; + } + + /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ + $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; + $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; + $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; + $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; + $stream5_ports_client .= "\t 32778 32779"; + $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; + $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; + $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; + $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; + $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; + $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; + $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; + $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; + $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; + $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; + $stream5_ports_both .= "\t 55555 56712"; + + ///////////////////////////// + /* preprocessor code */ + /* def perform_stat */ + $perform_stat = <<<EOD +# Performance Statistics # +preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000 + +EOD; + + /* def ftp_preprocessor */ + $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); + $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); + + // Configure FTP_Telnet global options + $ftp_telnet_globals = "inspection_type "; + if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; } + if ($snortcfg['ftp_telnet_alert_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes"; + else + $ftp_telnet_globals .= " \\\n\tencrypted_traffic no"; + if ($snortcfg['ftp_telnet_check_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tcheck_encrypted"; + + // Configure FTP_Telnet Telnet protocol options + $ftp_telnet_protocol = "ports { {$telnet_ports} }"; + if ($snortcfg['ftp_telnet_normalize'] == "on") + $ftp_telnet_protocol .= " \\\n\tnormalize"; + if ($snortcfg['ftp_telnet_detect_anomalies'] == "on") + $ftp_telnet_protocol .= " \\\n\tdetect_anomalies"; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') { + $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") + $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; + else + $ftp_telnet_protocol .= "20"; + } + + // Setup the standard FTP commands used for all FTP Server engines + $ftp_cmds = <<<EOD + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +EOD; + + // Configure all the FTP_Telnet FTP protocol options + // Iterate and configure the FTP Client engines + $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + + if (!is_array($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'] = array(); + + // If no FTP client engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; + $ftp_client_engine = ""; + + foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp client "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['max_resp_len'] == "") + $buffer .= "\tmax_resp_len 256 \\\n"; + else + $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + + if ($v['bounce'] == "yes") { + if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { + $net = trim(filter_expand_alias($v['bounce_to_net'])); + $port = trim(filter_expand_alias($v['bounce_to_port'])); + if (!empty($net) && !empty($port) && + snort_is_single_addr_alias($v['bounce_to_net']) && + (is_port($port) || is_portrange($port))) { + $port = preg_replace('/\s+/', ',', $port); + // Change port range delimiter to comma for ftp_telnet client preprocessor + if (is_portrange($port)) + $port = str_replace(":", ",", $port); + $buffer .= "\tbounce yes \\\n"; + $buffer .= "\tbounce_to { {$net},{$port} }\n"; + } + else { + // One or both of the BOUNCE_TO alias values is not right, + // so figure out which and log an appropriate error. + if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) + log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + if (empty($port) || !(is_port($port) || is_portrange($port))) + log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + $buffer .= "\tbounce yes\n"; + } + } + else + $buffer .= "\tbounce yes\n"; + } + else + $buffer .= "\tbounce no\n"; + + // Add this FTP client engine to the master string + $ftp_client_engine .= "{$buffer}\n"; + } + // Trim final trailing newline + rtrim($ftp_client_engine); + + // Iterate and configure the FTP Server engines + $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + + if (!is_array($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'] = array(); + + // If no FTP server engine is configured, use the default + // to keep from breaking Snort. + if (empty($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; + $ftp_server_engine = ""; + + foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp server "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['def_max_param_len'] == "") + $buffer .= "\tdef_max_param_len 100 \\\n"; + elseif ($v['def_max_param_len'] <> '0') + $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; + + if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) + $buffer .= "\tports { {$ftp_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $buffer .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); + $buffer .= "\tports { {$ftp_ports} } \\\n"; + } + } + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + if ($v['ignore_data_chan'] == "yes") + $buffer .= "\tignore_data_chan yes \\\n"; + $buffer .= "{$ftp_cmds}\n"; + + // Add this FTP server engine to the master string + $ftp_server_engine .= $buffer; + } + // Remove trailing newlines + rtrim($ftp_server_engine); + + $ftp_preprocessor = <<<EOD +# ftp_telnet preprocessor # +preprocessor ftp_telnet: global \ + {$ftp_telnet_globals} + +preprocessor ftp_telnet_protocol: telnet \ + {$ftp_telnet_protocol} + +{$ftp_server_engine} +{$ftp_client_engine} +EOD; + + $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); + $pop_preproc = <<<EOD +# POP preprocessor # +preprocessor pop: \ + ports { {$pop_ports} } \ + memcap 1310700 \ + qp_decode_depth 0 \ + b64_decode_depth 0 \ + bitenc_decode_depth 0 + +EOD; + + $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports'])); + $imap_preproc = <<<EOD +# IMAP preprocessor # +preprocessor imap: \ + ports { {$imap_ports} } \ + memcap 1310700 \ + qp_decode_depth 0 \ + b64_decode_depth 0 \ + bitenc_decode_depth 0 + +EOD; + + $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports'])); + /* def smtp_preprocessor */ + $smtp_preprocessor = <<<EOD +# SMTP preprocessor # +preprocessor SMTP: \ + ports { {$smtp_ports} } \ + inspection_type stateful \ + normalize cmds \ + ignore_tls_data \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \ + NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \ + STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \ + XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \ + IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \ + ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \ + XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } \ + log_mailfrom \ + log_rcptto \ + log_email_hdrs \ + email_hdrs_log_depth 1464 \ + log_filename \ + qp_decode_depth 0 \ + b64_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 + +EOD; + + /* def sf_portscan */ + $sf_pscan_protocol = "all"; + if (!empty($snortcfg['pscan_protocol'])) + $sf_pscan_protocol = $snortcfg['pscan_protocol']; + $sf_pscan_type = "all"; + if (!empty($snortcfg['pscan_type'])) + $sf_pscan_type = $snortcfg['pscan_type']; + $sf_pscan_memcap = "10000000"; + if (!empty($snortcfg['pscan_memcap'])) + $sf_pscan_memcap = $snortcfg['pscan_memcap']; + $sf_pscan_sense_level = "medium"; + if (!empty($snortcfg['pscan_sense_level'])) + $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; + $sf_pscan_ignore_scanners = "\$HOME_NET"; + if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { + $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])); + $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); + } + + $sf_portscan = <<<EOD +# sf Portscan # +preprocessor sfportscan: \ + scan_type { {$sf_pscan_type} } \ + proto { {$sf_pscan_protocol} } \ + memcap { {$sf_pscan_memcap} } \ + sense_level { {$sf_pscan_sense_level} } \ + ignore_scanners { {$sf_pscan_ignore_scanners} } + +EOD; + + /* def ssh_preproc */ + $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); + $ssh_preproc = <<<EOD +# SSH preprocessor # +preprocessor ssh: \ + server_ports { {$ssh_ports} } \ + autodetect \ + max_client_bytes 19600 \ + max_encrypted_packets 20 \ + max_server_version_len 100 \ + enable_respoverflow enable_ssh1crc32 \ + enable_srvoverflow enable_protomismatch + +EOD; + + /* def other_preprocs */ + $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); + $other_preprocs = <<<EOD +# Other preprocs # +preprocessor rpc_decode: \ + {$sun_rpc_ports} \ + no_alert_multiple_requests \ + no_alert_large_fragments \ + no_alert_incomplete + +# Back Orifice preprocessor # +preprocessor bo + +EOD; + + /* def dce_rpc_2 */ + $dce_rpc_2 = <<<EOD +# DCE/RPC 2 # +preprocessor dcerpc2: \ + memcap 102400, \ + events [co] + +preprocessor dcerpc2_server: default, \ + policy WinXP, \ + detect [smb [{$snort_ports['smb_ports']}], \ + tcp 135, \ + udp 135, \ + rpc-over-http-server 593], \ + autodetect [tcp 1025:, \ + udp 1025:, \ + rpc-over-http-server 1025:], \ + smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] + +EOD; + + $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); + $sip_preproc = <<<EOD +# SIP preprocessor # +preprocessor sip: \ + max_sessions 40000, \ + ports { {$sip_ports} }, \ + methods { invite \ + cancel \ + ack \ + bye \ + register \ + options \ + refer \ + subscribe \ + update \ + join \ + info \ + message \ + notify \ + benotify \ + do \ + qauth \ + sprack \ + publish \ + service \ + unsubscribe \ + prack }, \ + max_call_id_len 80, \ + max_from_len 256, \ + max_to_len 256, \ + max_via_len 1024, \ + max_requestName_len 50, \ + max_uri_len 512, \ + ignore_call_channel, \ + max_content_len 2048, \ + max_contact_len 512 + +EOD; + + $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports'])); + /* def dns_preprocessor */ + $dns_preprocessor = <<<EOD +# DNS preprocessor # +preprocessor dns: \ + ports { {$dns_ports} } \ + enable_rdata_overflow + +EOD; + + /* def dnp3_preprocessor */ + $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS'])); + $dnp3_preproc = <<<EOD +# DNP3 preprocessor # +preprocessor dnp3: \ + ports { {$dnp3_ports} } \ + memcap 262144 \ + check_crc + +EOD; + + /* def modbus_preprocessor */ + $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS'])); + $modbus_preproc = <<<EOD +# Modbus preprocessor # +preprocessor modbus: \ + ports { {$modbus_ports} } + +EOD; + + /* def gtp_preprocessor */ + $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); + $gtp_preproc = <<<EOD +# GTP preprocessor # +preprocessor gtp: \ + ports { {$gtp_ports} } + +EOD; + + /* def ssl_preprocessor */ + $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports'])); + $ssl_preproc = <<<EOD +# SSL preprocessor # +preprocessor ssl: \ + ports { {$ssl_ports} }, \ + trustservers, \ + noinspect_encrypted + +EOD; + + /* def sensitive_data_preprocessor */ + if ($snortcfg['sdf_mask_output'] == "on") + $sdf_mask_output = "\\\n\tmask_output"; + else + $sdf_mask_output = ""; + $sensitive_data = <<<EOD +# SDF preprocessor # +preprocessor sensitive_data: \ + alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output} + +EOD; + + /* define servers as IP variables */ + $snort_servers = array ( + "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", + "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", + "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", + "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", + "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", + "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", + "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", + "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" + ); + + // Change old name from "var" to new name of "ipvar" for IP variables because + // Snort is deprecating the old "var" name in newer versions. + $ipvardef = ""; + foreach ($snort_servers as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { + $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $avalue = preg_replace('/\s+/', ',', trim($avalue)); + } + $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; + } + + $snort_preproc_libs = array( + "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", + "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", + "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" + ); + $snort_preproc = array ( + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", + "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" + ); + $default_disabled_preprocs = array( + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc" + ); + $snort_preprocessors = ""; + foreach ($snort_preproc as $preproc) { + if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { + + /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ + if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) + continue; + + /* NOTE: The $$ is not a bug. It is an advanced feature of php */ + if (!empty($snort_preproc_libs[$preproc])) { + $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; + if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { + if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { + @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } else + log_error("Could not find the {$preproclib} file. Snort might error out!"); + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } + } + // Remove final trailing newline + $snort_preprocessors = rtrim($snort_preprocessors); + + $snort_misc_include_rules = ""; + if (file_exists("{$snortcfgdir}/reference.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; + if (file_exists("{$snortcfgdir}/classification.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; + if (is_dir("{$snortcfgdir}/preproc_rules")) { + if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { + $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; + if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")) + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; + } else + $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; + if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { + @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); + @unlink("{$g['tmp_path']}/sedcmd"); + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } + else { + $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + } + } else { + $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; + log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + } + + /* generate rule sections to load */ + /* The files are always configured so the update process is easier */ + $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; + $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; + $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; + + // Remove trailing newlines + $snort_misc_include_rules = rtrim($snort_misc_include_rules); + $selected_rules_sections = rtrim($selected_rules_sections); + + /* Create the actual rules files and save in the interface directory */ + snort_prepare_rule_files($snortcfg, $snortcfgdir); + + $cksumcheck = "all"; + if ($snortcfg['cksumcheck'] == 'on') + $cksumcheck = "none"; + + /* Pull in user-configurable detection config options */ + $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; + if ($snortcfg['fpm_split_any_any'] == "on") + $cfg_detect_settings .= " split-any-any"; + if ($snortcfg['fpm_search_optimize'] == "on") + $cfg_detect_settings .= " search-optimize"; + if ($snortcfg['fpm_no_stream_inserts'] == "on") + $cfg_detect_settings .= " no_stream_inserts"; + + /* Pull in user-configurable options for Frag3 preprocessor settings */ + /* Get global Frag3 options first and put into a string */ + $frag3_global = "preprocessor frag3_global: "; + if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") + $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; + else + $frag3_global .= "memcap 4194304, "; + if (!empty($snortcfg['frag3_max_frags'])) + $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; + else + $frag3_global .= "max_frags 8192"; + if ($snortcfg['frag3_detection'] == "off") + $frag3_global .= ", disabled"; + + $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + $frag3_engine = ""; + + // Now iterate configured Frag3 engines and write them to a string if enabled + if ($snortcfg['frag3_detection'] == "on") { + if (!is_array($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'] = array(); + + // If no frag3 tcp engine is configured, use the default + if (empty($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; + + foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { + $frag3_engine .= "preprocessor frag3_engine: "; + $frag3_engine .= "policy {$v['policy']}"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; + else + $frag3_engine .= " \\\n\tbind_to {$tmp}"; + } + else + log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); + } + $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; + $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; + if ($v['detect_anomalies'] == "on") { + $frag3_engine .= " \\\n\tdetect_anomalies"; + $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; + $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; + } + // Add newlines to terminate this engine + $frag3_engine .= "\n\n"; + } + // Remove trailing newline + $frag3_engine = rtrim($frag3_engine); + } + + // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs + $paf_max_pdu_config = "config paf_max: "; + if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') + $paf_max_pdu_config .= "0"; + else + $paf_max_pdu_config .= $snortcfg['max_paf']; + + // Pull in user-configurable options for Stream5 preprocessor settings + // Get global options first and put into a string + $stream5_global = "preprocessor stream5_global: \\\n"; + if ($snortcfg['stream5_reassembly'] == "off") + $stream5_global .= "\tdisabled, \\\n"; + if ($snortcfg['stream5_track_tcp'] == "off") + $stream5_global .= "\ttrack_tcp no,"; + else { + $stream5_global .= "\ttrack_tcp yes,"; + if (!empty($snortcfg['stream5_max_tcp'])) + $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; + else + $stream5_global .= " \\\n\tmax_tcp 262144,"; + } + if ($snortcfg['stream5_track_udp'] == "off") + $stream5_global .= " \\\n\ttrack_udp no,"; + else { + $stream5_global .= " \\\n\ttrack_udp yes,"; + if (!empty($snortcfg['stream5_max_udp'])) + $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; + else + $stream5_global .= " \\\n\tmax_udp 131072,"; + } + if ($snortcfg['stream5_track_icmp'] == "on") { + $stream5_global .= " \\\n\ttrack_icmp yes,"; + if (!empty($snortcfg['stream5_max_icmp'])) + $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; + else + $stream5_global .= " \\\n\tmax_icmp 65536,"; + } + else + $stream5_global .= " \\\n\ttrack_icmp no,"; + if (!empty($snortcfg['stream5_mem_cap'])) + $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; + else + $stream5_global .= " \\\n\tmemcap 8388608,"; + + if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') + $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; + else + $stream5_global .= " \\\n\tprune_log_max 1048576"; + if ($snortcfg['stream5_flush_on_alert'] == "on") + $stream5_global .= ", \\\n\tflush_on_alert"; + + $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + $stream5_tcp_engine = ""; + + // Now iterate configured Stream5 TCP engines and write them to a string if enabled + if ($snortcfg['stream5_reassembly'] == "on") { + if (!is_array($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'] = array(); + + // If no stream5 tcp engine is configured, use the default + if (empty($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; + + foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { + $buffer = "preprocessor stream5_tcp: "; + $buffer .= "policy {$v['policy']},"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $buffer .= " \\\n\tbind_to [{$tmp}],"; + else + $buffer .= " \\\n\tbind_to {$tmp},"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); + continue; + } + } + $stream5_tcp_engine .= $buffer; + $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; + $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; + $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; + if ($v['use_static_footprint_sizes'] == "on") + $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; + if ($v['check_session_hijacking'] == "on") + $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; + if ($v['dont_store_lg_pkts'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; + if ($v['no_reassemble_async'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; + if ($v['detect_anomalies'] == "on") + $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; + if ($v['require_3whs'] == "on") + $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; + if (!empty($v['ports_client'])) { + $stream5_tcp_engine .= ", \\\n\tports client"; + if ($v['ports_client'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_client'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_client}"; + else { + $tmp = trim(filter_expand_alias($v['ports_client'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_client}"; + log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_both'])) { + $stream5_tcp_engine .= ", \\\n\tports both"; + if ($v['ports_both'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_both'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_both}"; + else { + $tmp = trim(filter_expand_alias($v['ports_both'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_both}"; + log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { + if ($v['ports_server'] == " all") { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " all"; + } + else { + $tmp = trim(filter_expand_alias($v['ports_server'])); + if (!empty($tmp)) { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + } + else + log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); + } + } + + // Make sure the "ports" parameter is set, or else default to a safe value + if (strpos($stream5_tcp_engine, "ports ") === false) + $stream5_tcp_engine .= ", \\\n\tports both all"; + + // Add a pair of newlines to terminate this engine + $stream5_tcp_engine .= "\n\n"; + } + // Trim off the final trailing newline + $stream5_tcp_engine = rtrim($stream5_tcp_engine); + } + + // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") + $stream5_udp_engine = ""; + else { + $stream5_udp_engine = "preprocessor stream5_udp: "; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; + else + $stream5_udp_engine .= "timeout 30"; + } + + // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled + if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { + $stream5_icmp_engine = "preprocessor stream5_icmp: "; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; + else + $stream5_icmp_engine .= "timeout 30"; + } + else + $stream5_icmp_engine = ""; + + // Check for and configure Host Attribute Table if enabled + $host_attrib_config = ""; + if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { + file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); + $host_attrib_config = "# Host Attribute Table #\n"; + $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; + if (!empty($snortcfg['max_attribute_hosts'])) + $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; + if (!empty($snortcfg['max_attribute_services_per_host'])) + $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; + } + + // Configure the HTTP_INSPECT preprocessor + // Get global options first and put into a string + $http_inspect_global = "preprocessor http_inspect: global "; + if ($snortcfg['http_inspect'] == "off") + $http_inspect_global .= "disabled "; + $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; + $http_inspect_global .= "\tcompress_depth 65535 \\\n"; + $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; + if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; + else + $http_inspect_global .= "\tmemcap 150994944 \\\n"; + if (!empty($snortcfg['http_inspect_max_gzip_mem'])) + $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; + else + $http_inspect_global .= "\tmax_gzip_mem 838860"; + if ($snortcfg['http_inspect_proxy_alert'] == "on") + $http_inspect_global .= " \\\n\tproxy_alert"; + + $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); + $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); + $http_inspect_servers = ""; + + // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled + if ($snortcfg['http_inspect'] <> "off") { + if (!is_array($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'] = array(); + + // If no http_inspect_engine is configured, use the default + if (empty($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; + + foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { + $buffer = "preprocessor http_inspect_server: \\\n"; + if ($v['name'] == "default") + $buffer .= "\tserver default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "\tserver { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + $http_inspect_servers .= $buffer; + $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; + + if ($v['no_alerts'] == "on") + $http_inspect_servers .= "\tno_alerts \\\n"; + + if ($v['ports'] == "default" || empty($v['ports'])) + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $http_inspect_servers .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + + $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; + $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; + $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; + $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; + $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; + $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; + $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; + if ($v['enable_xff'] == "on") + $http_inspect_servers .= " \\\n\tenable_xff"; + if ($v['enable_cookie'] == "on") + $http_inspect_servers .= " \\\n\tenable_cookie"; + if ($v['normalize_cookies'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_cookies"; + if ($v['normalize_headers'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_headers"; + if ($v['normalize_utf'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_utf"; + if ($v['allow_proxy_use'] == "on") + $http_inspect_servers .= " \\\n\tallow_proxy_use"; + if ($v['inspect_uri_only'] == "on") + $http_inspect_servers .= " \\\n\tinspect_uri_only"; + if ($v['extended_response_inspection'] == "on") { + $http_inspect_servers .= " \\\n\textended_response_inspection"; + if ($v['inspect_gzip'] == "on") { + $http_inspect_servers .= " \\\n\tinspect_gzip"; + if ($v['unlimited_decompress'] == "on") + $http_inspect_servers .= " \\\n\tunlimited_decompress"; + } + if ($v['normalize_javascript'] == "on") { + $http_inspect_servers .= " \\\n\tnormalize_javascript"; + $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; + } + } + if ($v['log_uri'] == "on") + $http_inspect_servers .= " \\\n\tlog_uri"; + if ($v['log_hostname'] == "on") + $http_inspect_servers .= " \\\n\tlog_hostname"; + + // Add a pair of trailing newlines to terminate this server config + $http_inspect_servers .= "\n\n"; + } + /* Trim off the final trailing newline */ + $http_inspect_server = rtrim($http_inspect_server); + } + + // Finally, build the Snort configuration file + $snort_conf_text = <<<EOD +# snort configuration file +# generated automatically by the pfSense subsystems do not modify manually + +# Define Local Network # +ipvar HOME_NET [{$home_net}] +ipvar EXTERNAL_NET [{$external_net}] + +# Define Rule Paths # +var RULE_PATH {$snortcfgdir}/rules +var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules + +# Define Servers # +{$ipvardef} + +# Define Server Ports # +{$portvardef} + +# Configure quiet startup mode # +config quiet + +# Configure the snort decoder # +config checksum_mode: {$cksumcheck} +config disable_decode_alerts +config disable_tcpopt_experimental_alerts +config disable_tcpopt_obsolete_alerts +config disable_ttcp_alerts +config disable_tcpopt_alerts +config disable_ipopt_alerts +config disable_decode_drops + +# Enable the GTP decoder # +config enable_gtp + +# Configure PCRE match limitations +config pcre_match_limit: 3500 +config pcre_match_limit_recursion: 1500 + +# Configure the detection engine # +config detection: {$cfg_detect_settings} +config event_queue: max_queue 8 log 5 order_events content_length + +# Configure to show year in timestamps +config show_year + +# Configure protocol aware flushing # +# For more information see README.stream5 # +{$paf_max_pdu_config} + +# Configure dynamically loaded libraries +dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']} +dynamicengine directory {$snort_dirs['dynamicengine']} +dynamicdetection directory {$snort_dirs['dynamicrules']} + +# Inline packet normalization. For more information, see README.normalize +# Disabled since we do not use "inline" mode with pfSense +# preprocessor normalize_ip4 +# preprocessor normalize_tcp: ips ecn stream +# preprocessor normalize_icmp4 +# preprocessor normalize_ip6 +# preprocessor normalize_icmp6 + +# Flow and stream # +{$frag3_global} + +{$frag3_engine} + +{$stream5_global} + +{$stream5_tcp_engine} + +{$stream5_udp_engine} + +{$stream5_icmp_engine} + +# HTTP Inspect # +{$http_inspect_global} + +{$http_inspect_servers} +{$snort_preprocessors} +{$host_attrib_config} + +# Snort Output Logs # +output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority +{$alertsystemlog_type} +{$snortunifiedlog_type} +{$spoink_type} + +# Misc Includes # +{$snort_misc_include_rules} + +{$suppress_file_name} + +# Snort user pass through configuration +{$snort_config_pass_thru} + +# Rules Selection # +{$selected_rules_sections} +EOD; + + // Write out snort.conf file + $conf = fopen("{$snortcfgdir}/snort.conf", "w"); + if(!$conf) { + log_error("Could not open {$snortcfgdir}/snort.conf for writing."); + return -1; + } + fwrite($conf, $snort_conf_text); + fclose($conf); + unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); + unset($home_net, $external_net, $ipvardef, $portvardef); +} + +/*****************************************************************************/ +/* This starts the actual post-install code */ +/*****************************************************************************/ + +/* Hard kill any running Snort processes that may have been started by any */ +/* of the pfSense scripts such as check_reload_status() or rc.start_packages */ +if(is_process_running("snort")) { + exec("/usr/bin/killall -z snort"); + sleep(2); + // Delete any leftover snort PID files in /var/run + array_map('@unlink', glob("/var/run/snort_*.pid")); +} +// Hard kill any running Barnyard2 processes +if(is_process_running("barnyard")) { + exec("/usr/bin/killall -z barnyard2"); + sleep(2); + // Delete any leftover barnyard2 PID files in /var/run + array_map('@unlink', glob("/var/run/barnyard2_*.pid")); +} + +/* Set flag for post-install in progress */ +$g['snort_postinstall'] = true; + +/* cleanup default files */ +@rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); +@rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf"); +@rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map"); +@rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map"); +@rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config"); +@rename("{$snortdir}/generators-sample", "{$snortdir}/generators"); +@rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config"); +@rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); + +/* fix up the preprocessor rules filenames from a PBI package install */ +$preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); +foreach ($preproc_rules as $file) { + if (file_exists("{$snortdir}/preproc_rules/{$file}-sample")) + @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}"); +} + +/* Remove any previously installed scripts since we rebuild them */ +@unlink("{$snortdir}/sid"); +@unlink("{$rcdir}/snort.sh"); +@unlink("{$rcdir}/barnyard2"); + +/* remake saved settings */ +if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { + log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings...")); + update_status(gettext("Saved settings detected...")); + /* Do one-time settings migration for new multi-engine configurations */ + update_output_window(gettext("Please wait... migrating settings to new multi-engine configuration...")); + include "/usr/local/pkg/snort/snort_migrate_config.php"; + update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); + log_error(gettext("[Snort] Downloading and updating configured rule types...")); + update_output_window(gettext("Please wait... downloading and updating configured rule types...")); + if ($pkg_interface <> "console") + $snort_gui_include = true; + include "/usr/local/pkg/snort/snort_check_for_rule_updates.php"; + update_status(gettext("Generating snort.conf configuration file from saved settings...")); + $rebuild_rules = true; + + /* Create the snort.conf files for each enabled interface */ + $snortconf = $config['installedpackages']['snortglobal']['rule']; + foreach ($snortconf as $value) { + $if_real = snort_get_real_interface($value['interface']); + + /* create a snort.conf file for interface */ + snort_build_new_conf($value); + + /* create barnyard2.conf file for interface */ + if ($value['barnyard_enable'] == 'on') + snort_create_barnyard2_conf($value, $if_real); + } + + /* create snort bootup file snort.sh */ + snort_create_rc(); + + /* Set Log Limit, Block Hosts Time and Rules Update Time */ + snort_snortloglimit_install_cron($config['installedpackages']['snortglobal']['snortloglimit'] == 'on' ? true : false); + snort_rm_blocked_install_cron($config['installedpackages']['snortglobal']['rm_blocked'] != "never_b" ? true : false); + snort_rules_up_install_cron($config['installedpackages']['snortglobal']['autorulesupdate7'] != "never_up" ? true : false); + + /* Add the recurring jobs created above to crontab */ + configure_cron(); + conf_mount_ro(); + + $rebuild_rules = false; + update_output_window(gettext("Finished rebuilding Snort configuration files...")); + log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); + + /* Only try to start Snort if not in reboot */ + if (!$g['booting']) { + update_status(gettext("Starting Snort using rebuilt configuration...")); + update_output_window(gettext("Please wait... while Snort is started...")); + log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); + start_service("snort"); + update_output_window(gettext("Snort has been started using the rebuilt configuration...")); + } +} + +/* Done with post-install, so clear flag */ +unset($g['snort_postinstall']); +log_error(gettext("[Snort] Package post-installation tasks completed...")); +return true; + +?> diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 95d5a10e..98a0b106 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -37,16 +37,6 @@ require_once("/usr/local/pkg/snort/snort.inc"); global $g, $rebuild_rules; $snortlogdir = SNORTLOGDIR; -if (!is_array($config['installedpackages']['snortglobal'])) { - $config['installedpackages']['snortglobal'] = array(); -} -$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; @@ -55,6 +45,32 @@ if (is_null($id)) { exit; } +if (!is_array($config['installedpackages']['snortglobal'])) + $config['installedpackages']['snortglobal'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +// Initialize multiple config engine arrays for supported preprocessors if necessary +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array(); + +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; +$frag3_engine_next_id = count($a_nat[$id]['frag3_engine']['item']); +$stream5_tcp_engine_next_id = count($a_nat[$id]['stream5_tcp_engine']['item']); +$http_inspect_engine_next_id = count($a_nat[$id]['http_inspect_engine']['item']); +$ftp_server_engine_next_id = count($a_nat[$id]['ftp_server_engine']['item']); +$ftp_client_engine_next_id = count($a_nat[$id]['ftp_client_engine']['item']); + $pconfig = array(); if (isset($id) && $a_nat[$id]) { $pconfig = $a_nat[$id]; @@ -66,32 +82,14 @@ if (isset($id) && $a_nat[$id]) { $pconfig['max_attribute_hosts'] = $a_nat[$id]['max_attribute_hosts']; $pconfig['max_attribute_services_per_host'] = $a_nat[$id]['max_attribute_services_per_host']; $pconfig['max_paf'] = $a_nat[$id]['max_paf']; - $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth']; - $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile']; - $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth']; - $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly']; - $pconfig['stream5_require_3whs'] = $a_nat[$id]['stream5_require_3whs']; - $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp']; - $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp']; - $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp']; - $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes']; - $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs']; - $pconfig['stream5_overlap_limit'] = $a_nat[$id]['stream5_overlap_limit']; - $pconfig['stream5_policy'] = $a_nat[$id]['stream5_policy']; - $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap']; - $pconfig['stream5_tcp_timeout'] = $a_nat[$id]['stream5_tcp_timeout']; - $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout']; - $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout']; - $pconfig['stream5_no_reassemble_async'] = $a_nat[$id]['stream5_no_reassemble_async']; - $pconfig['stream5_dont_store_lg_pkts'] = $a_nat[$id]['stream5_dont_store_lg_pkts']; - $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; - $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap']; - $pconfig['http_inspect_enable_xff'] = $a_nat[$id]['http_inspect_enable_xff']; - $pconfig['http_inspect_log_uri'] = $a_nat[$id]['http_inspect_log_uri']; - $pconfig['http_inspect_log_hostname'] = $a_nat[$id]['http_inspect_log_hostname']; - $pconfig['noalert_http_inspect'] = $a_nat[$id]['noalert_http_inspect']; $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; + $pconfig['ftp_telnet_inspection_type'] = $a_nat[$id]['ftp_telnet_inspection_type']; + $pconfig['ftp_telnet_alert_encrypted'] = $a_nat[$id]['ftp_telnet_alert_encrypted']; + $pconfig['ftp_telnet_check_encrypted'] = $a_nat[$id]['ftp_telnet_check_encrypted']; + $pconfig['ftp_telnet_normalize'] = $a_nat[$id]['ftp_telnet_normalize']; + $pconfig['ftp_telnet_detect_anomalies'] = $a_nat[$id]['ftp_telnet_detect_anomalies']; + $pconfig['ftp_telnet_ayt_attack_threshold'] = $a_nat[$id]['ftp_telnet_ayt_attack_threshold']; $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; $pconfig['pscan_protocol'] = $a_nat[$id]['pscan_protocol']; @@ -102,6 +100,8 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; + $pconfig['sdf_alert_threshold'] = $a_nat[$id]['sdf_alert_threshold']; + $pconfig['sdf_mask_output'] = $a_nat[$id]['sdf_mask_output']; $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc']; $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc']; $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc']; @@ -112,13 +112,123 @@ if (isset($id) && $a_nat[$id]) { $pconfig['ssh_preproc'] = $a_nat[$id]['ssh_preproc']; $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable']; $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules']; + + // Frag3 global settings $pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection']; - $pconfig['frag3_overlap_limit'] = $a_nat[$id]['frag3_overlap_limit']; - $pconfig['frag3_min_frag_len'] = $a_nat[$id]['frag3_min_frag_len']; - $pconfig['frag3_policy'] = $a_nat[$id]['frag3_policy']; $pconfig['frag3_max_frags'] = $a_nat[$id]['frag3_max_frags']; $pconfig['frag3_memcap'] = $a_nat[$id]['frag3_memcap']; - $pconfig['frag3_timeout'] = $a_nat[$id]['frag3_timeout']; + + // See if new Frag3 engine array is configured and use it; + // otherwise create a default engine configuration. + if (empty($pconfig['frag3_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); + $pconfig['frag3_engine']['item'] = array(); + $pconfig['frag3_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['frag3_engine']['item'])) + $a_nat[$id]['frag3_engine']['item'] = array(); + $a_nat[$id]['frag3_engine']['item'][] = $default; + write_config(); + $frag3_engine_next_id++; + } + else + $pconfig['frag3_engine'] = $a_nat[$id]['frag3_engine']; + + // Stream5 global settings + $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly']; + $pconfig['stream5_flush_on_alert'] = $a_nat[$id]['stream5_flush_on_alert']; + $pconfig['stream5_prune_log_max'] = $a_nat[$id]['stream5_prune_log_max']; + $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap']; + $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp']; + $pconfig['stream5_max_tcp'] = $a_nat[$id]['stream5_max_tcp']; + $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp']; + $pconfig['stream5_max_udp'] = $a_nat[$id]['stream5_max_udp']; + $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout']; + $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp']; + $pconfig['stream5_max_icmp'] = $a_nat[$id]['stream5_max_icmp']; + $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout']; + + // See if new Stream5 engine array is configured and use it; + // otherwise create a default engine configuration. + if (empty($pconfig['stream5_tcp_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off", + "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + $pconfig['stream5_tcp_engine']['item'] = array(); + $pconfig['stream5_tcp_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['stream5_tcp_engine']['item'])) + $a_nat[$id]['stream5_tcp_engine']['item'] = array(); + $a_nat[$id]['stream5_tcp_engine']['item'][] = $default; + write_config(); + $stream5_tcp_engine_next_id++; + } + else + $pconfig['stream5_tcp_engine'] = $a_nat[$id]['stream5_tcp_engine']; + + // HTTP_INSPECT global settings + $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap']; + $pconfig['http_inspect_proxy_alert'] = $a_nat[$id]['http_inspect_proxy_alert']; + $pconfig['http_inspect_max_gzip_mem'] = $a_nat[$id]['http_inspect_max_gzip_mem']; + + // See if new HTTP_INSPECT engine array is configured and use it; + // otherwise create a default engine configuration. + if (empty($pconfig['http_inspect_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", + "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on", + "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200, + "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" ); + $pconfig['http_inspect_engine']['item'] = array(); + $pconfig['http_inspect_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['http_inspect_engine']['item'])) + $a_nat[$id]['http_inspect_engine']['item'] = array(); + $a_nat[$id]['http_inspect_engine']['item'][] = $default; + write_config(); + $http_inspect_engine_next_id++; + } + else + $pconfig['http_inspect_engine'] = $a_nat[$id]['http_inspect_engine']; + + // See if new FTP client engine array is configured and use it; + // otherwise create a default engine configuration.. + if (empty($pconfig['ftp_client_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + $pconfig['ftp_client_engine']['item'] = array(); + $pconfig['ftp_client_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['ftp_client_engine']['item'])) + $a_nat[$id]['ftp_client_engine']['item'] = array(); + $a_nat[$id]['ftp_client_engine']['item'][] = $default; + write_config(); + $ftp_client_engine_next_id++; + } + else + $pconfig['ftp_client_engine'] = $a_nat[$id]['ftp_client_engine']; + + // See if new FTP server engine array is configured and use it; + // otherwise create a default engine configuration.. + if (empty($pconfig['ftp_server_engine']['item'])) { + $default = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + $pconfig['ftp_server_engine']['item'] = array(); + $pconfig['ftp_server_engine']['item'][] = $default; + if (!is_array($a_nat[$id]['ftp_server_engine']['item'])) + $a_nat[$id]['ftp_server_engine']['item'] = array(); + $a_nat[$id]['ftp_server_engine']['item'][] = $default; + write_config(); + $ftp_server_engine_next_id++; + } + else + $pconfig['ftp_server_engine'] = $a_nat[$id]['ftp_server_engine']; /* If not using the Snort VRT rules, then disable */ /* the Sensitive Data (sdf) preprocessor. */ @@ -134,10 +244,28 @@ if (isset($id) && $a_nat[$id]) { $pconfig['max_attribute_hosts'] = '10000'; if (empty($pconfig['max_attribute_services_per_host'])) $pconfig['max_attribute_services_per_host'] = '10'; - if (empty($pconfig['max_paf'])) + + if (empty($pconfig['max_paf']) && $pconfig['max_paf'] <> 0) $pconfig['max_paf'] = '16000'; + if (empty($pconfig['ftp_preprocessor'])) $pconfig['ftp_preprocessor'] = 'on'; + if (empty($pconfig['ftp_telnet_inspection_type'])) + $pconfig['ftp_telnet_inspection_type'] = 'stateful'; + if (empty($pconfig['ftp_telnet_alert_encrypted'])) + $pconfig['ftp_telnet_alert_encrypted'] = 'off'; + if (empty($pconfig['ftp_telnet_check_encrypted'])) + $pconfig['ftp_telnet_check_encrypted'] = 'on'; + if (empty($pconfig['ftp_telnet_normalize'])) + $pconfig['ftp_telnet_normalize'] = 'on'; + if (empty($pconfig['ftp_telnet_detect_anomalies'])) + $pconfig['ftp_telnet_detect_anomalies'] = 'on'; + if (empty($pconfig['ftp_telnet_ayt_attack_threshold']) && $pconfig['ftp_telnet_ayt_attack_threshold'] <> 0) + $pconfig['ftp_telnet_ayt_attack_threshold'] = '20'; + if (empty($pconfig['sdf_alert_threshold'])) + $pconfig['sdf_alert_threshold'] = '25'; + if (empty($pconfig['sdf_mask_output'])) + $pconfig['sdf_mask_output'] = 'off'; if (empty($pconfig['smtp_preprocessor'])) $pconfig['smtp_preprocessor'] = 'on'; if (empty($pconfig['dce_rpc_2'])) @@ -156,46 +284,48 @@ if (isset($id) && $a_nat[$id]) { $pconfig['other_preprocs'] = 'on'; if (empty($pconfig['ssh_preproc'])) $pconfig['ssh_preproc'] = 'on'; + + if (empty($pconfig['http_inspect'])) + $pconfig['http_inspect'] = "on"; + if (empty($pconfig['http_inspect_proxy_alert'])) + $pconfig['http_inspect_proxy_alert'] = "off"; if (empty($pconfig['http_inspect_memcap'])) $pconfig['http_inspect_memcap'] = "150994944"; - if (empty($pconfig['frag3_overlap_limit'])) - $pconfig['frag3_overlap_limit'] = '0'; - if (empty($pconfig['frag3_min_frag_len'])) - $pconfig['frag3_min_frag_len'] = '0'; + if (empty($pconfig['http_inspect_max_gzip_mem'])) + $pconfig['http_inspect_max_gzip_mem'] = "838860"; + if (empty($pconfig['frag3_max_frags'])) $pconfig['frag3_max_frags'] = '8192'; - if (empty($pconfig['frag3_policy'])) - $pconfig['frag3_policy'] = 'bsd'; if (empty($pconfig['frag3_memcap'])) $pconfig['frag3_memcap'] = '4194304'; - if (empty($pconfig['frag3_timeout'])) - $pconfig['frag3_timeout'] = '60'; if (empty($pconfig['frag3_detection'])) $pconfig['frag3_detection'] = 'on'; + if (empty($pconfig['stream5_reassembly'])) $pconfig['stream5_reassembly'] = 'on'; + if (empty($pconfig['stream5_flush_on_alert'])) + $pconfig['stream5_flush_on_alert'] = 'off'; + if (empty($pconfig['stream5_prune_log_max']) && $pconfig['stream5_prune_log_max'] <> 0) + $pconfig['stream5_prune_log_max'] = '1048576'; if (empty($pconfig['stream5_track_tcp'])) $pconfig['stream5_track_tcp'] = 'on'; + if (empty($pconfig['stream5_max_tcp'])) + $pconfig['stream5_max_tcp'] = '262144'; if (empty($pconfig['stream5_track_udp'])) $pconfig['stream5_track_udp'] = 'on'; - if (empty($pconfig['stream5_track_icmp'])) - $pconfig['stream5_track_icmp'] = 'off'; - if (empty($pconfig['stream5_require_3whs'])) - $pconfig['stream5_require_3whs'] = 'off'; - if (empty($pconfig['stream5_overlap_limit'])) - $pconfig['stream5_overlap_limit'] = '0'; - if (empty($pconfig['stream5_tcp_timeout'])) - $pconfig['stream5_tcp_timeout'] = '30'; + if (empty($pconfig['stream5_max_udp'])) + $pconfig['stream5_max_udp'] = '131072'; if (empty($pconfig['stream5_udp_timeout'])) $pconfig['stream5_udp_timeout'] = '30'; + if (empty($pconfig['stream5_track_icmp'])) + $pconfig['stream5_track_icmp'] = 'off'; + if (empty($pconfig['stream5_max_icmp'])) + $pconfig['stream5_max_icmp'] = '65536'; if (empty($pconfig['stream5_icmp_timeout'])) $pconfig['stream5_icmp_timeout'] = '30'; - if (empty($pconfig['stream5_no_reassemble_async'])) - $pconfig['stream5_no_reassemble_async'] = 'off'; - if (empty($pconfig['stream5_dont_store_lg_pkts'])) - $pconfig['stream5_dont_store_lg_pkts'] = 'off'; - if (empty($pconfig['stream5_policy'])) - $pconfig['stream5_policy'] = 'bsd'; + if (empty($pconfig['stream5_mem_cap'])) + $pconfig['stream5_mem_cap']= '8388608'; + if (empty($pconfig['pscan_protocol'])) $pconfig['pscan_protocol'] = 'all'; if (empty($pconfig['pscan_type'])) @@ -210,6 +340,34 @@ if (isset($id) && $a_nat[$id]) { $iface = snort_get_friendly_interface($pconfig['interface']); $disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; +if ($_GET['act'] && isset($_GET['eng_id'])) { + + $natent = array(); + $natent = $pconfig; + + if ($_GET['act'] == "del_frag3") + unset($natent['frag3_engine']['item'][$_GET['eng_id']]); + elseif ($_GET['act'] == "del_stream5_tcp") + unset($natent['stream5_tcp_engine']['item'][$_GET['eng_id']]); + elseif ($_GET['act'] == "del_http_inspect") + unset($natent['http_inspect_engine']['item'][$_GET['eng_id']]); + elseif ($_GET['act'] == "del_ftp_server") + unset($natent['ftp_server_engine']['item'][$_GET['eng_id']]); + + if (isset($id) && $a_nat[$id]) { + $a_nat[$id] = $natent; + write_config(); + } + + header("Location: snort_preprocessors.php?id=$id"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; +} + if ($_POST['ResetAll']) { /* Reset all the preprocessor settings to defaults */ @@ -218,32 +376,30 @@ if ($_POST['ResetAll']) { $pconfig['max_attribute_hosts'] = '10000'; $pconfig['max_attribute_services_per_host'] = '10'; $pconfig['max_paf'] = '16000'; - $pconfig['server_flow_depth'] = "300"; - $pconfig['http_server_profile'] = "all"; - $pconfig['client_flow_depth'] = "300"; $pconfig['stream5_reassembly'] = "on"; - $pconfig['stream5_require_3whs'] = "off"; + $pconfig['stream5_flush_on_alert'] = 'off'; + $pconfig['stream5_prune_log_max'] = '1048576'; $pconfig['stream5_track_tcp'] = "on"; + $pconfig['stream5_max_tcp'] = "262144"; $pconfig['stream5_track_udp'] = "on"; + $pconfig['stream5_max_udp'] = "131072"; $pconfig['stream5_track_icmp'] = "off"; - $pconfig['max_queued_bytes'] = "1048576"; - $pconfig['max_queued_segs'] = "2621"; - $pconfig['stream5_overlap_limit'] = "0"; - $pconfig['stream5_policy'] = "bsd"; + $pconfig['stream5_max_icmp'] = "65536"; $pconfig['stream5_mem_cap'] = "8388608"; - $pconfig['stream5_tcp_timeout'] = "30"; $pconfig['stream5_udp_timeout'] = "30"; $pconfig['stream5_icmp_timeout'] = "30"; - $pconfig['stream5_no_reassemble_async'] = "off"; - $pconfig['stream5_dont_store_lg_pkts'] = "off"; $pconfig['http_inspect'] = "on"; - $pconfig['http_inspect_enable_xff'] = "off"; - $pconfig['http_inspect_log_uri'] = "off"; - $pconfig['http_inspect_log_hostname'] = "off"; - $pconfig['noalert_http_inspect'] = "on"; + $pconfig['http_inspect_proxy_alert'] = "off"; $pconfig['http_inspect_memcap'] = "150994944"; + $pconfig['http_inspect_max_gzip_mem'] = "838860"; $pconfig['other_preprocs'] = "on"; $pconfig['ftp_preprocessor'] = "on"; + $pconfig['ftp_telnet_inspection_type'] = "stateful"; + $pconfig['ftp_telnet_alert_encrypted'] = "off"; + $pconfig['ftp_telnet_check_encrypted'] = "on"; + $pconfig['ftp_telnet_normalize'] = "on"; + $pconfig['ftp_telnet_detect_anomalies'] = "on"; + $pconfig['ftp_telnet_ayt_attack_threshold'] = "20"; $pconfig['smtp_preprocessor'] = "on"; $pconfig['sf_portscan'] = "off"; $pconfig['pscan_protocol'] = "all"; @@ -254,6 +410,8 @@ if ($_POST['ResetAll']) { $pconfig['dce_rpc_2'] = "on"; $pconfig['dns_preprocessor'] = "on"; $pconfig['sensitive_data'] = "off"; + $pconfig['sdf_alert_threshold'] = "25"; + $pconfig['sdf_mask_output'] = "off"; $pconfig['ssl_preproc'] = "on"; $pconfig['pop_preproc'] = "on"; $pconfig['imap_preproc'] = "on"; @@ -265,22 +423,21 @@ if ($_POST['ResetAll']) { $pconfig['preproc_auto_rule_disable'] = "off"; $pconfig['protect_preproc_rules'] = "off"; $pconfig['frag3_detection'] = "on"; - $pconfig['frag3_overlap_limit'] = "0"; - $pconfig['frag3_min_frag_len'] = "0"; - $pconfig['frag3_policy'] = "bsd"; $pconfig['frag3_max_frags'] = "8192"; $pconfig['frag3_memcap'] = "4194304"; - $pconfig['frag3_timeout'] = "60"; /* Log a message at the top of the page to inform the user */ - $savemsg = "All preprocessor settings have been reset to the defaults."; + $savemsg = gettext("All preprocessor settings have been reset to their defaults."); } elseif ($_POST['Submit']) { $natent = array(); $natent = $pconfig; - if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners'])) - $input_errors[] = "Only aliases are allowed for the Portscan IGNORE_SCANNERS option."; + // Validate SDF alert threshold if value if enabled + if ($_POST['sensitive_data'] == 'on') { + if ($_POST['sdf_alert_threshold'] < 1 || $_POST['sdf_alert_threshold'] > 4294067295) + $input_errors[] = gettext("The value for Sensitive_Data_Alert_Threshold must be between 1 and 4,294,067,295."); + } /* if no errors write to conf */ if (!$input_errors) { @@ -288,48 +445,42 @@ elseif ($_POST['Submit']) { if ($_POST['max_attribute_hosts'] != "") { $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts']; }else{ $natent['max_attribute_hosts'] = "10000"; } if ($_POST['max_attribute_services_per_host'] != "") { $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host']; }else{ $natent['max_attribute_services_per_host'] = "10"; } if ($_POST['max_paf'] != "") { $natent['max_paf'] = $_POST['max_paf']; }else{ $natent['max_paf'] = "16000"; } - if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; } - if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; } - if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; } if ($_POST['http_inspect_memcap'] != "") { $natent['http_inspect_memcap'] = $_POST['http_inspect_memcap']; }else{ $natent['http_inspect_memcap'] = "150994944"; } - if ($_POST['stream5_overlap_limit'] != "") { $natent['stream5_overlap_limit'] = $_POST['stream5_overlap_limit']; }else{ $natent['stream5_overlap_limit'] = "0"; } - if ($_POST['stream5_policy'] != "") { $natent['stream5_policy'] = $_POST['stream5_policy']; }else{ $natent['stream5_policy'] = "bsd"; } + if ($_POST['http_inspect_max_gzip_mem'] != "") { $natent['http_inspect_max_gzip_mem'] = $_POST['http_inspect_max_gzip_mem']; }else{ $natent['http_inspect_max_gzip_mem'] = "838860"; } if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = "8388608"; } - if ($_POST['stream5_tcp_timeout'] != "") { $natent['stream5_tcp_timeout'] = $_POST['stream5_tcp_timeout']; }else{ $natent['stream5_tcp_timeout'] = "30"; } + if ($_POST['stream5_prune_log_max'] != "") { $natent['stream5_prune_log_max'] = $_POST['stream5_prune_log_max']; }else{ $natent['stream5_prune_log_max'] = "1048576"; } if ($_POST['stream5_udp_timeout'] != "") { $natent['stream5_udp_timeout'] = $_POST['stream5_udp_timeout']; }else{ $natent['stream5_udp_timeout'] = "30"; } if ($_POST['stream5_icmp_timeout'] != "") { $natent['stream5_icmp_timeout'] = $_POST['stream5_icmp_timeout']; }else{ $natent['stream5_icmp_timeout'] = "30"; } - if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = "1048576"; } - if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = "2621"; } + if ($_POST['stream5_max_tcp'] != "") { $natent['stream5_max_tcp'] = $_POST['stream5_max_tcp']; }else{ $natent['stream5_max_tcp'] = "262144"; } + if ($_POST['stream5_max_udp'] != "") { $natent['stream5_max_udp'] = $_POST['stream5_max_udp']; }else{ $natent['stream5_max_udp'] = "131072"; } + if ($_POST['stream5_max_icmp'] != "") { $natent['stream5_max_icmp'] = $_POST['stream5_max_icmp']; }else{ $natent['stream5_max_icmp'] = "65536"; } if ($_POST['pscan_protocol'] != "") { $natent['pscan_protocol'] = $_POST['pscan_protocol']; }else{ $natent['pscan_protocol'] = "all"; } if ($_POST['pscan_type'] != "") { $natent['pscan_type'] = $_POST['pscan_type']; }else{ $natent['pscan_type'] = "all"; } if ($_POST['pscan_memcap'] != "") { $natent['pscan_memcap'] = $_POST['pscan_memcap']; }else{ $natent['pscan_memcap'] = "10000000"; } if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; } - if ($_POST['frag3_overlap_limit'] != "") { $natent['frag3_overlap_limit'] = $_POST['frag3_overlap_limit']; }else{ $natent['frag3_overlap_limit'] = "0"; } - if ($_POST['frag3_min_frag_len'] != "") { $natent['frag3_min_frag_len'] = $_POST['frag3_min_frag_len']; }else{ $natent['frag3_min_frag_len'] = "0"; } - if ($_POST['frag3_policy'] != "") { $natent['frag3_policy'] = $_POST['frag3_policy']; }else{ $natent['frag3_policy'] = "bsd"; } + if ($_POST['pscan_ignore_scanners'] != "") { $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; }else{ $natent['pscan_ignore_scanners'] = ""; } if ($_POST['frag3_max_frags'] != "") { $natent['frag3_max_frags'] = $_POST['frag3_max_frags']; }else{ $natent['frag3_max_frags'] = "8192"; } if ($_POST['frag3_memcap'] != "") { $natent['frag3_memcap'] = $_POST['frag3_memcap']; }else{ $natent['frag3_memcap'] = "4194304"; } - if ($_POST['frag3_timeout'] != "") { $natent['frag3_timeout'] = $_POST['frag3_timeout']; }else{ $natent['frag3_timeout'] = "60"; } - - if ($_POST['pscan_ignore_scanners']) - $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; - else - unset($natent['pscan_ignore_scanners']); + if ($_POST['ftp_telnet_inspection_type'] != "") { $natent['ftp_telnet_inspection_type'] = $_POST['ftp_telnet_inspection_type']; }else{ $natent['ftp_telnet_inspection_type'] = "stateful"; } + if ($_POST['ftp_telnet_ayt_attack_threshold'] != "") { $natent['ftp_telnet_ayt_attack_threshold'] = $_POST['ftp_telnet_ayt_attack_threshold']; }else{ $natent['ftp_telnet_ayt_attack_threshold'] = "20"; } + if ($_POST['sdf_alert_threshold'] != "") { $natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold']; }else{ $natent['sdf_alert_threshold'] = "25"; } $natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off'; $natent['host_attribute_table'] = $_POST['host_attribute_table'] ? 'on' : 'off'; $natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off'; - $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off'; - $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off'; - $natent['http_inspect_log_hostname'] = $_POST['http_inspect_log_hostname'] ? 'on' : 'off'; - $natent['noalert_http_inspect'] = $_POST['noalert_http_inspect'] ? 'on' : 'off'; + $natent['http_inspect_proxy_alert'] = $_POST['http_inspect_proxy_alert'] ? 'on' : 'off'; $natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off'; $natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off'; + $natent['ftp_telnet_alert_encrypted'] = $_POST['ftp_telnet_alert_encrypted'] ? 'on' : 'off'; + $natent['ftp_telnet_check_encrypted'] = $_POST['ftp_telnet_check_encrypted'] ? 'on' : 'off'; + $natent['ftp_telnet_normalize'] = $_POST['ftp_telnet_normalize'] ? 'on' : 'off'; + $natent['ftp_telnet_detect_anomalies'] = $_POST['ftp_telnet_detect_anomalies'] ? 'on' : 'off'; $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off'; $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; $natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off'; + $natent['sdf_mask_output'] = $_POST['sdf_mask_output'] ? 'on' : 'off'; $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off'; $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off'; $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off'; @@ -343,28 +494,20 @@ elseif ($_POST['Submit']) { $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off'; $natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off'; $natent['stream5_reassembly'] = $_POST['stream5_reassembly'] ? 'on' : 'off'; + $natent['stream5_flush_on_alert'] = $_POST['stream5_flush_on_alert'] ? 'on' : 'off'; $natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off'; $natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off'; $natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off'; - $natent['stream5_require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off'; - $natent['stream5_no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off'; - $natent['stream5_dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off'; /* If 'preproc_auto_rule_disable' is off, then clear log file */ if ($natent['preproc_auto_rule_disable'] == 'off') @unlink("{$disabled_rules_log}"); - if (isset($id) && $a_nat[$id]) + if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; - else { - if (is_numeric($after)) - array_splice($a_nat, $after+1, 0, array($natent)); - else - $a_nat[] = $natent; + write_config(); } - write_config(); - /* Set flag to rebuild rules for this interface */ $rebuild_rules = true; @@ -436,7 +579,7 @@ if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_d $input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. Data may be entered manually or imported from a suitable file."); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Preprocessors and Flow"); include_once("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="enable_change_all()"> @@ -546,7 +689,7 @@ include_once("head.inc"); <?php if (file_exists($disabled_rules_log) && filesize($disabled_rules_log) > 0): ?> <tr> <td width="3%"> </td> - <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600)"/> + <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600);"> <?php echo gettext("Click to view the list of currently auto-disabled rules"); ?></td> </tr> <?php endif; ?> @@ -554,7 +697,7 @@ include_once("head.inc"); </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Host Attribute Table Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Host Attribute Table"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> @@ -564,13 +707,11 @@ include_once("head.inc"); <?php echo gettext("Use a Host Attribute Table file to auto-configure applicable preprocessors. " . "Default is "); ?><strong><?php echo gettext("Not Checked"); ?></strong>.</td> </tr> - <tr> + <tr id="host_attrib_table_data_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Host Attribute Data"); ?></td> <td width="78%" class="vtable"><strong><?php echo gettext("Import From File"); ?></strong><br/> - <input name="host_attribute_file" type="file" class="formfld unknown" value="on" id="host_attribute_file" size="40" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> - <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>><br/> + <input name="host_attribute_file" type="file" class="formfld file" value="on" id="host_attribute_file" size="40"> + <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn"><br/> <?php echo gettext("Choose the Host Attributes file to use for auto-configuration."); ?><br/><br/> <span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span> <?php echo gettext("The Host Attributes file has a required format. See the "); ?><a href="http://manual.snort.org/" target="_blank"> @@ -580,9 +721,8 @@ include_once("head.inc"); <a href="http://code.google.com/p/hogger/" target="_blank"><?php echo gettext("Hogger"); ?></a><?php echo gettext(" or "); ?> <a href="http://gamelinux.github.io/prads/" target="_blank"><?php echo gettext("PRADS"); ?></a><?php echo gettext(" can be used to " . "scan networks and automatically generate a suitable Host Attribute Table file for import."); ?><br/><br/> - <input type="submit" id="btn_edit_hat" name="btn_edit_hat" value="<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext(" Edit ");} else {echo gettext("Create");} ?>" - class="formbtn" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <input type="submit" id="btn_edit_hat" name="btn_edit_hat" value="<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext(" Edit ");} + else {echo gettext("Create");} ?>" class="formbtn"> <?php if (!empty($pconfig['host_attribute_data'])) {echo gettext("Click to View or Edit the Host Attribute data.");} else {echo gettext("Click to Create Host Attribute data manually.");} if ($pconfig['host_attribute_table']=="on" && empty($pconfig['host_attribute_data'])){ @@ -590,14 +730,13 @@ include_once("head.inc"); gettext("No Host Attribute Data loaded - import from a file or enter it manually."); } ?></td> </tr> - <tr> + <tr id="host_attrib_table_maxhosts_row"> <td valign="top" class="vncell"><?php echo gettext("Maximum Hosts"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> - <td><input name="max_attribute_hosts" type="text" class="formfld" id="max_attribute_hosts" size="6" - value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <td><input name="max_attribute_hosts" type="text" class="formfld unknown" id="max_attribute_hosts" size="9" + value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>"> <?php echo gettext("Max number of hosts to read from the Attribute Table. Min is ") . "<strong>" . gettext("32") . "</strong>" . gettext(" and Max is ") . "<strong>" . gettext("524288") . "</strong>"; ?>.</td> @@ -608,14 +747,13 @@ include_once("head.inc"); "Default is ") . "<strong>" . gettext("10000") . "</strong>"; ?>.<br/> </td> </tr> - <tr> + <tr id="host_attrib_table_maxsvcs_row"> <td valign="top" class="vncell"><?php echo gettext("Maximum Services Per Host"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> - <td><input name="max_attribute_services_per_host" type="text" class="formfld" id="max_attribute_services_per_host" size="6" - value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>" - <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>> + <td><input name="max_attribute_services_per_host" type="text" class="formfld unknown" id="max_attribute_services_per_host" size="9" + value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>"> <?php echo gettext("Max number of per host services to read from the Attribute Table. Min is ") . "<strong>" . gettext("1") . "</strong>" . gettext(" and Max is ") . "<strong>" . gettext("65535") . "</strong>"; ?>.</td> @@ -627,250 +765,185 @@ include_once("head.inc"); </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Protocol Aware Flushing Setting"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Protocol Aware Flushing"); ?></td> </tr> <tr> <td valign="top" class="vncell"><?php echo gettext("Protocol Aware Flushing Maximum PDU"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="max_paf" type="text" class="formfld" id="max_paf" size="6" - value="<?=htmlspecialchars($pconfig['max_paf']);?>"> - <?php echo gettext("Max number of PDUs to be reassembled into a single PDU. Min is ") . - "<strong>" . gettext("0") . "</strong>" . gettext(" (off) and Max is ") . "<strong>" . - gettext("63780") . "</strong>"; ?>.</td> - </tr> - </table> - <?php echo gettext("Multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be " . - "reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets. " . - "Default is ") . "<strong>" . gettext("16000") . "</strong>. " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.<br/> + <input name="max_paf" type="text" class="formfld unknown" id="max_paf" size="9" + value="<?=htmlspecialchars($pconfig['max_paf']);?>"> + <?php echo gettext("Max number of PDUs to be reassembled into a single PDU. Min is ") . + "<strong>" . gettext("0") . "</strong>" . gettext(" (off) and Max is ") . "<strong>" . + gettext("63780") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("Multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be " . + "reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets. " . + "Default is ") . "<strong>" . gettext("16000") . "</strong>. " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.<br/> </td> </tr> - <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect Settings"); ?></td> + <tr id="httpinspect_row"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> <td width="78%" class="vtable"><input name="http_inspect" type="checkbox" value="on" id="http_inspect" onclick="http_inspect_enable_change();" - <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?>> - <?php echo gettext("Use HTTP Inspect to " . - "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?> + <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked";?>> + <?php echo gettext("Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is ");?> <strong><?php echo gettext("Checked"); ?></strong>.</td> </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable XFF/True-Client-IP"); ?></td> - <td width="78%" class="vtable"><input name="http_inspect_enable_xff" - type="checkbox" value="on" id="http_inspect_enable_xff" - <?php if ($pconfig['http_inspect_enable_xff']=="on") echo "checked"; ?>> - <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " . - "HTTP headers. Default is "); ?> - <strong><?php echo gettext("Not Checked"); ?></strong>.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable URI Logging"); ?></td> - <td width="78%" class="vtable"><input name="http_inspect_log_uri" - type="checkbox" value="on" id="http_inspect_log_uri" - <?php if ($pconfig['http_inspect_log_uri']=="on") echo "checked"; ?>> - <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." . - " Default is "); ?> - <strong><?php echo gettext("Not Checked"); ?></strong>.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Hostname Logging"); ?></td> - <td width="78%" class="vtable"><input name="http_inspect_log_hostname" - type="checkbox" value="on" id="http_inspect_log_hostname" - <?php if ($pconfig['http_inspect_log_hostname']=="on") echo "checked"; ?>> - <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." . - " Default is "); ?> - <strong><?php echo gettext("Not Checked"); ?></strong>.</td> - </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("HTTP Inspect Memory Cap"); ?></td> + <tr id="httpinspect_proxyalert_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Proxy Alert"); ?></td> + <td width="78%" class="vtable"><input name="http_inspect_proxy_alert" + type="checkbox" value="on" id="http_inspect_proxy_alert" + <?php if ($pconfig['http_inspect_proxy_alert']=="on") echo "checked";?>> + <?php echo gettext("Enable global alerting on HTTP server proxy usage. Default is ");?> + <strong><?php echo gettext("Not Checked"); ?></strong>.<br/><br/><span class="red"><strong> + <?php echo gettext("Note: ") . "</strong></span>" . gettext("By adding Server Configurations below and enabling " . + "the 'allow_proxy_use' parameter within them, alerts will be generated for web users that aren't using the configured " . + "proxies or are using a rogue proxy server.") . "<br/><br/><span class=\"red\"><strong>" . gettext("Warning: ") . + "</strong></span>" . gettext("If users are not required to configure web proxy use, you may get a lot " . + "of proxy alerts. Only use this feature with traditional proxy environments. Blind firewall proxies don't count!");?> + </td> + </tr> + <tr id="httpinspect_memcap_row"> + <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="http_inspect_memcap" type="text" class="formfld" - id="http_inspect_memcap" size="6" - value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>"> - <?php echo gettext("Max memory in bytes to use for URI and Hostname logging. Min is ") . - "<strong>" . gettext("2304") . "</strong>" . gettext(" and Max is ") . "<strong>" . - gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.</td> - </tr> - </table> - <?php echo gettext("Maximum amount of memory the preprocessor will use for logging the URI and Hostname data. The default " . - "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . gettext(" (144 MB)."); ?> - <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") . - gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>.<br/> + <input name="http_inspect_memcap" type="text" class="formfld unknown" + id="http_inspect_memcap" size="9" + value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>"> + <?php echo gettext("Maximum memory in bytes to use for URI and Hostname logging. The Minimum value is ") . + "<strong>" . gettext("2304") . "</strong>" . gettext(" and the Maximum is ") . "<strong>" . + gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.<br/><br/> + <?php echo gettext("Sets the maximum amount of memory the preprocessor will use for logging the URI and Hostname data. The default " . + "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . gettext(" (144 MB)."); ?> + <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") . + gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>. </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td> + <tr id="httpinspect_maxgzipmem_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum gzip Memory"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="server_flow_depth" type="text" class="formfld" - id="server_flow_depth" size="6" - value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . - "to <strong>65535</strong> (<strong>-1</strong> disables HTTP " . - "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> - </tr> - </table> - <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's " . - "performance may increase by adjusting this value."); ?><br/> - <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " . - "are specified in bytes. Recommended setting is maximum (65535). Default value is <strong>300</strong>"); ?><br/> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP server profile"); ?> </td> - <td width="78%" class="vtable"> - <select name="http_server_profile" class="formselect" id="http_server_profile"> - <?php - $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0'); - foreach ($profile as $val): ?> - <option value="<?=strtolower($val);?>" - <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>> - <?=gettext($val);?></option> - <?php endforeach; ?> - </select> <?php echo gettext("Choose the profile type of the protected web server. The default is ") . - "<strong>" . gettext("All") . "</strong>"; ?><br/> - <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") . - gettext("double decoding vulnerability present in those versions."); ?><br/> + <input name="http_inspect_max_gzip_mem" type="text" class="formfld unknown" + id="http_inspect_memcap" size="9" + value="<?=htmlspecialchars($pconfig['http_inspect_max_gzip_mem']);?>"> + <?php echo gettext("Maximum memory in bytes to use for decompression. The Minimum value is ") . + "<strong>" . gettext("3276") . "</strong>";?>.<br/><br/> + <?php echo gettext("The default value is ") . "<strong>" . gettext("838860") . "</strong>" . gettext(" bytes.");?> + <?php echo gettext(" This option determines the number of concurrent sessions that can be decompressed at any given instant.");?> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("HTTP client flow depth"); ?></td> + <tr id="httpinspect_engconf_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Configuration"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="client_flow_depth" type="text" class="formfld" - id="client_flow_depth" size="6" - value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " . - "to <strong>1460</strong> (<strong>-1</strong> disables HTTP " . - "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td> - </tr> - </table> - <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " . - "performance may increase by adjusting this value."); ?><br/> - <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " . - "are specified in bytes. Recommended setting is maximum (1460). Default value is <strong>300</strong>"); ?><br/> + <table width="95%" align="left" id="httpinspectEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Server Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=http_inspect_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"></a> + <a href="snort_httpinspect_engine.php?id=<?=$id?>&eng_id=<?=$http_inspect_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new server configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['http_inspect_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_httpinspect_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this server configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_http_inspect" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this server configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default server configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> </td> </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td> - <td width="78%" class="vtable"><input name="noalert_http_inspect" - type="checkbox" value="on" id="noalert_http_inspect" - <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?> - onClick="enable_change(false);"> <?php echo gettext("Turn off alerts from HTTP Inspect " . - "preprocessor. This has no effect on HTTP rules. Default is "); ?> - <strong><?php echo gettext("Checked"); ?></strong>.</td> - </tr> - - <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Settings"); ?></td> + <tr id="frag3_row"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Target-Based IP Defragmentation"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable");?></td> <td width="78%" class="vtable"><input name="frag3_detection" type="checkbox" value="on" onclick="frag3_enable_change();" - <?php if ($pconfig['frag3_detection']=="on") echo "checked "; ?> - onClick="enable_change(false)"> + <?php if ($pconfig['frag3_detection']=="on") echo "checked";?>> <?php echo gettext("Use Frag3 Engine to detect IDS evasion attempts via target-based IP packet fragmentation. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + "<strong>" . gettext("Checked") . "</strong>.";?></td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> - <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_memcap" type="text" class="formfld" - id="frag3_memcap" size="6" - value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>"> - <?php echo gettext("Memory cap (in bytes) for self preservation."); ?>.</td> - </tr> - </table> + <tr id="frag3_memcap_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Memory Cap");?></td> + <td width="78%" class="vtable"><input name="frag3_memcap" type="text" class="formfld unknown" id="frag3_memcap" size="9" value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>"> + <?php echo gettext("Memory cap (in bytes) for self preservation.");?><br/> <?php echo gettext("The maximum amount of memory allocated for Frag3 fragment reassembly. Default value is ") . - "<strong>" . gettext("4MB") . "</strong>"; ?>.<br/> + "<strong>" . gettext("4MB") . "</strong>."; ?> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td> - <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_max_frags" type="text" class="formfld" - id="frag3_max_frags" size="6" - value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>"> - <?php echo gettext("Maximum simultaneous fragments to track."); ?></td> - </tr> - </table> + <tr id="frag3_maxfrags_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td> + <td width="78%" class="vtable"><input name="frag3_max_frags" type="text" class="formfld unknown" id="frag3_max_frags" size="9" value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>"> + <?php echo gettext("Maximum simultaneous fragments to track.");?>.<br/> <?php echo gettext("The maximum number of simultaneous fragments to track. Default value is ") . - "<strong>8192</strong>."; ?><br/> - </td> - </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> - <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_overlap_limit" type="text" class="formfld" - id="frag3_overlap_limit" size="6" - value="<?=htmlspecialchars($pconfig['frag3_overlap_limit']);?>"> - <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), values greater than zero set the overlapped fragments per packet limit."); ?></td> - </tr> - </table> - <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . - "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/> + "<strong>8192</strong>.";?> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td> - <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_min_frag_len" type="text" class="formfld" - id="frag3_min_frag_len" size="6" - value="<?=htmlspecialchars($pconfig['frag3_min_frag_len']);?>"> - <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Fragments smaller than or equal to this limit are considered malicious."); ?></td> - </tr> - </table> - <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. Default value is ") . - "<strong>0</strong>" . gettext(" (check is disabled)."); ?><br/> - </td> - </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td> + <tr id="frag3_engconf_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Engine Configuration"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="frag3_timeout" type="text" class="formfld" - id="frag3_timeout" size="6" - value="<?=htmlspecialchars($pconfig['frag3_timeout']);?>"> - <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?></td> - </tr> - </table> - <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") . - "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td> - <td width="78%" class="vtable"> - <select name="frag3_policy" class="formselect" id="frag3_policy"> - <?php - $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' ); - foreach ($profile as $val): ?> - <option value="<?=strtolower($val);?>" - <?php if (strtolower($val) == $pconfig['frag3_policy']) echo "selected"; ?>> - <?=gettext($val);?></option> - <?php endforeach; ?> - </select> <?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") . - "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/> - <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/> + <table width="95%" align="left" id="frag3EnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=frag3_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import engine configuration from existing Aliases");?>"></a> + <a href="snort_frag3_engine.php?id=<?=$id?>&eng_id=<?=$frag3_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new engine configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['frag3_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_frag3_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this engine configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_frag3" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this engine configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default engine configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> </td> </tr> - <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td> + <tr id="stream5_row"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Target-Based Stream Reassembly"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> @@ -879,182 +952,155 @@ include_once("head.inc"); <?php echo gettext("Use Stream5 session reassembly for TCP, UDP and/or ICMP traffic. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> - <tr> + <tr id="stream5_flushonalert_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Flush On Alert"); ?></td> + <td width="78%" class="vtable"><input name="stream5_flush_on_alert" type="checkbox" value="on" + <?php if ($pconfig['stream5_flush_on_alert']=="on") echo "checked"; ?>> + <?php echo gettext("Flush a TCP stream when an alert is generated on that stream. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong><br/><span class=\"red\"><strong>" . + gettext("Note: ") . "</strong></span>" . gettext("This parameter is for backwards compatibility.");?></td> + </tr> + <tr id="stream5_prunelogmax_row"> + <td valign="top" class="vncell"><?php echo gettext("Prune Log Max"); ?></td> + <td class="vtable"> + <input name="stream5_prune_log_max" type="text" class="formfld unknown" id="stream5_prune_log_max" size="9" + value="<?=htmlspecialchars($pconfig['stream5_prune_log_max']);?>"> + <?php echo gettext("Prune Log Max Bytes. Minimum can be either ") . "<strong>0</strong>" . gettext(" (disabled), or if not disabled, ") . + "<strong>1024</strong>" . gettext(". Maximum is ") . "<strong>" . gettext("1073741824") . "</strong>";?>. + <?php echo gettext("Logs a message when a session terminates that was using more than the specified number of bytes. Default value is ") . + "<strong>1048576</strong>" . gettext(" bytes."); ?><br/> + </td> + </tr> + <tr id="stream5_proto_tracking_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol Tracking"); ?></td> <td width="78%" class="vtable"> <input name="stream5_track_tcp" type="checkbox" value="on" id="stream5_track_tcp" - <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?>> + <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?> onclick="stream5_track_tcp_enable_change();"> <?php echo gettext("Track and reassemble TCP sessions. Default is ") . "<strong>" . gettext("Checked") . "</strong>."; ?> <br/> <input name="stream5_track_udp" type="checkbox" value="on" id="stream5_track_udp" - <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?>> + <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?> onclick="stream5_track_udp_enable_change();"> <?php echo gettext("Track and reassemble UDP sessions. Default is ") . "<strong>" . gettext("Checked") . "</strong>."; ?> <br/> <input name="stream5_track_icmp" type="checkbox" value="on" id="stream5_track_icmp" - <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?>> + <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?> onclick="stream5_track_icmp_enable_change();"> <?php echo gettext("Track and reassemble ICMP sessions. Default is ") . "<strong>" . gettext("Not Checked") . "</strong>."; ?> </td> </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td> - <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on" - <?php if ($pconfig['stream5_require_3whs']=="on") echo "checked "; ?>> - <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") . - "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td> - <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on" - <?php if ($pconfig['stream5_no_reassemble_async']=="on") echo "checked "; ?>> - <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") . - "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td> - <td width="78%" class="vtable"> - <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on" - <?php if ($pconfig['stream5_dont_store_lg_pkts']=="on") echo "checked"; ?>> - <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") . - "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> - <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" . - gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?></td> - </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Max Queued Bytes"); ?></td> + <tr id="stream5_maxudp_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum UDP Sessions"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="max_queued_bytes" type="text" class="formfld" - id="max_queued_bytes" size="6" - value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>"> - <?php echo gettext("Minimum is <strong>1024</strong>, Maximum is <strong>1073741824</strong> " . - "( default value is <strong>1048576</strong>, <strong>0</strong> " . - "means Maximum )"); ?>.</td> - </tr> - </table> - <?php echo gettext("The number of bytes to be queued for reassembly for TCP sessions in " . - "memory. Default value is <strong>1048576</strong>"); ?>.<br/> + <input name="stream5_max_udp" type="text" class="formfld unknown" id="stream5_max_udp" size="9" + value="<?=htmlspecialchars($pconfig['stream5_max_udp']);?>"> + <?php echo gettext("Maximum concurrent UDP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>" . gettext("1048576") . "</strong>.";?><br/> + <?php echo gettext("Sets the maximum number of concurrent UDP sessions that will be tracked. Default value is ") . + "<strong>" . gettext("131072") . "</strong>."; ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Max Queued Segs"); ?></td> + <tr id="stream5_udp_sess_timeout_row"> + <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="max_queued_segs" type="text" class="formfld" - id="max_queued_segs" size="6" - value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>"> - <?php echo gettext("Minimum is <strong>2</strong>, Maximum is <strong>1073741824</strong> " . - "( default value is <strong>2621</strong>, <strong>0</strong> means " . - "Maximum )"); ?>.</td> - </tr> - </table> - <?php echo gettext("The number of segments to be queued for reassembly for TCP sessions " . - "in memory. Default value is <strong>2621</strong>"); ?>.<br/> + <input name="stream5_udp_timeout" type="text" class="formfld unknown" id="stream5_udp_timeout" size="9" + value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>"> + <?php echo gettext("UDP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>" . gettext("86400") . "</strong>" . gettext(" (1 day).");?><br/> + <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") . + "<strong>" . gettext("30") . "</strong>" . gettext(" seconds."); ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <tr id="stream5_maxicmp_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum ICMP Sessions"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_mem_cap" type="text" class="formfld" - id="stream5_mem_cap" size="6" - value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>"> - <?php echo gettext("Minimum is <strong>32768</strong>, Maximum is <strong>1073741824</strong> " . - "( default value is <strong>8388608</strong>) "); ?>.</td> - </tr> - </table> - <?php echo gettext("The memory cap in bytes for TCP packet storage " . - "in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?>.<br/> + <input name="stream5_max_icmp" type="text" class="formfld unknown" id="stream5_max_icmp" size="9" + value="<?=htmlspecialchars($pconfig['stream5_max_icmp']);?>"> + <?php echo gettext("Maximum concurrent ICMP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>" . gettext("1048576") . "</strong>.";?><br/> + <?php echo gettext("Sets the maximum number of concurrent ICMP sessions that will be tracked. Default value is ") . + "<strong>" . gettext("65536") . "</strong>."; ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td> + <tr id="stream5_icmp_sess_timeout_row"> + <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_overlap_limit" type="text" class="formfld" - id="stream5_overlap_limit" size="6" - value="<?=htmlspecialchars($pconfig['stream5_overlap_limit']);?>"> - <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), and the maximum is ") . - "<strong>255</strong>."; ?></td> - </tr> - </table> - <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") . - "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/> + <input name="stream5_icmp_timeout" type="text" class="formfld unknown" id="stream5_icmp_timeout" size="9" + value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>"> + <?php echo gettext("ICMP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>86400</strong>" . gettext(" (1 day).");?><br/> + <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") . + "<strong>" . gettext("30") . "</strong>" . gettext(" seconds."); ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("TCP Session Timeout"); ?></td> + <tr id="stream5_maxtcp_row"> + <td valign="top" class="vncell"><?php echo gettext("Maximum TCP Sessions"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_tcp_timeout" type="text" class="formfld" - id="stream5_tcp_timeout" size="6" - value="<?=htmlspecialchars($pconfig['stream5_tcp_timeout']);?>"> - <?php echo gettext("TCP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . - "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> - </tr> - </table> - <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") . - "<strong>30</strong>" . gettext(" seconds."); ?><br/> + <input name="stream5_max_tcp" type="text" class="formfld unknown" id="stream5_max_tcp" size="9" + value="<?=htmlspecialchars($pconfig['stream5_max_tcp']);?>"> + <?php echo gettext("Maximum concurrent TCP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") . + "<strong>" . gettext("1048576") . "</strong>.";?><br/> + <?php echo gettext("Sets the maximum number of concurrent TCP sessions that will be tracked. Default value is ") . + "<strong>" . gettext("262144") . "</strong>."; ?><br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td> + <tr id="stream5_tcp_memcap_row"> + <td valign="top" class="vncell"><?php echo gettext("TCP Memory Cap"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_udp_timeout" type="text" class="formfld" - id="stream5_udp_timeout" size="6" - value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>"> - <?php echo gettext("UDP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . - "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> - </tr> - </table> - <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") . - "<strong>30</strong>" . gettext(" seconds."); ?><br/> + <input name="stream5_mem_cap" type="text" class="formfld unknown" id="stream5_mem_cap" size="9" + value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>"> + <?php echo gettext("Memory for TCP packet storage. Min is ") . "<strong>" . gettext("32768") . "</strong>" . + gettext(" and Max is ") . "<strong>" . gettext("1073741824") . "</strong>" . + gettext(" bytes.");?><br/> + <?php echo gettext("The memory cap in bytes for TCP packet storage " . + "in RAM. Default value is ") . "<strong>" . gettext("8388608") . "</strong>" . gettext(" (8 MB)"); ?>.<br/> </td> </tr> - <tr> - <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td> + <tr id="stream5_tcp_engconf_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Engine Configuration"); ?></td> <td class="vtable"> - <table cellpadding="0" cellspacing="0"> - <tr> - <td><input name="stream5_icmp_timeout" type="text" class="formfld" - id="stream5_icmp_timeout" size="6" - value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>"> - <?php echo gettext("ICMP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") . - "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td> - </tr> - </table> - <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") . - "<strong>30</strong>" . gettext(" seconds."); ?><br/> - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("IP Target Policy"); ?></td> - <td width="78%" class="vtable"> - <select name="stream5_policy" class="formselect" id="stream5_policy"> - <?php - $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux', - 'Solaris', 'Vista', 'Windows', 'Win2003' ); - foreach ($profile as $val): ?> - <option value="<?=strtolower($val);?>" - <?php if (strtolower($val) == $pconfig['stream5_policy']) echo "selected"; ?>> - <?=gettext($val);?></option> - <?php endforeach; ?> - </select> <?php echo gettext("Choose the TCP reassembly target policy appropriate for the protected hosts. The default is ") . - "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/> - <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/> + <table width="95%" align="left" id="stream5EnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=stream5_tcp_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import TCP engine configuration from existing Aliases");?>"></a> + <a href="snort_stream5_engine.php?id=<?=$id?>&eng_id=<?=$stream5_tcp_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new TCP engine configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['stream5_tcp_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_stream5_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this TCP engine configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_stream5_tcp" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this TCP engine configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default engine configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Detection"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> @@ -1064,7 +1110,7 @@ include_once("head.inc"); <?php echo gettext("Use Portscan Detection to detect various types of port scans and sweeps. Default is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> </tr> - <tr> + <tr id="portscan_protocol_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol"); ?> </td> <td width="78%" class="vtable"> <select name="pscan_protocol" class="formselect" id="pscan_protocol"> @@ -1079,7 +1125,7 @@ include_once("head.inc"); "<strong>" . gettext("all") . "</strong>."; ?><br/> </td> </tr> - <tr> + <tr id="portscan_type_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Scan Type"); ?> </td> <td width="78%" class="vtable"> <select name="pscan_type" class="formselect" id="pscan_type"> @@ -1111,7 +1157,7 @@ include_once("head.inc"); </table> </td> </tr> - <tr> + <tr id="portscan_sensitivity_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td> <td width="78%" class="vtable"> <select name="pscan_sense_level" class="formselect" id="pscan_sense_level"> @@ -1140,13 +1186,13 @@ include_once("head.inc"); </table> </td> </tr> - <tr> + <tr id="portscan_memcap_row"> <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> <td class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> - <td><input name="pscan_memcap" type="text" class="formfld" - id="pscan_memcap" size="6" + <td class="vexpl"><input name="pscan_memcap" type="text" class="formfld unknown" + id="pscan_memcap" size="9" value="<?=htmlspecialchars($pconfig['pscan_memcap']);?>"> <?php echo gettext("Maximum memory in bytes to allocate for portscan detection. ") . gettext("Default is ") . "<strong>" . gettext("10000000") . "</strong>" . @@ -1158,17 +1204,216 @@ include_once("head.inc"); "<strong>10,000,000</strong>" . gettext(" bytes. (10 MB)"); ?><br/> </td> </tr> - <tr> + <tr id="portscan_ignorescanners_row"> <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?></td> <td width="78%" class="vtable"> - <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" - value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>"> <?php echo gettext("Leave blank for default. ") . - gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.<br/> - <?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?><br/> + <table width="95%" cellspacing="0" cellpadding="0" border="0"> + <tr> + <td class="vexpl"> + <input name="pscan_ignore_scanners" type="text" size="25" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" + value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>"> <?php echo gettext("Leave blank for default. ") . + gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.</td> + <td class="vexpl" align="right"> + <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&type=host|network&varname=pscan_ignore_scanners&act=import&multi_ip=yes'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?></td> + </tr> + </table> + </td> + </tr> + <tr id="ftp_telnet_row"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("FTP and Telnet Global Options"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on" + <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> onclick="ftp_telnet_enable_change();"> + <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_type"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspection Type"); ?> </td> + <td width="78%" class="vtable"> + <select name="ftp_telnet_inspection_type" class="formselect" id="ftp_telnet_inspection_type"> + <?php + $values = array('stateful', 'stateless'); + foreach ($values as $val): ?> + <option value="<?=$val;?>" + <?php if ($val == $pconfig['ftp_telnet_inspection_type']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose to operate in stateful or stateless mode. Default is ") . + "<strong>" . gettext("stateful") . "</strong>."; ?><br/> + </td> + <tr id="ftp_telnet_row_encrypted_check"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Check Encrypted Traffic"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_check_encrypted" type="checkbox" value="on" + <?php if ($pconfig['ftp_telnet_check_encrypted']=="on") echo "checked"; ?>> + <?php echo gettext("Continue to check an encrypted session for subsequent command to cease encryption. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_encrypted_alert"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert on Encrypted Commands"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_alert_encrypted" type="checkbox" value="on" + <?php if ($pconfig['ftp_telnet_alert_encrypted']=="on") echo "checked"; ?>> + <?php echo gettext("Alert on encrypted FTP and Telnet command channels. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_telnet_proto_opts"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Telnet Protocol Options"); ?></td> + </tr> + <tr id="ftp_telnet_row_normalize"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalization"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_normalize" type="checkbox" value="on" + <?php if ($pconfig['ftp_telnet_normalize']=="on") echo "checked"; ?>> + <?php echo gettext("Normalize Telnet traffic by eliminating Telnet escape sequences. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_detect_anomalies"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td> + <td width="78%" class="vtable"><input name="ftp_telnet_detect_anomalies" type="checkbox" value="on" + <?php if ($pconfig['ftp_telnet_detect_anomalies']=="on") echo "checked"; ?>> + <?php echo gettext("Alert on Telnet subnegotiation begin without corresponding subnegotiation end. Default is ") . + "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + </tr> + <tr id="ftp_telnet_row_ayt_threshold"> + <td valign="top" class="vncell"><?php echo gettext("AYT Attack Threshold"); ?></td> + <td class="vtable"> + <input name="ftp_telnet_ayt_attack_threshold" type="text" class="formfld unknown" id="ftp_telnet_ayt_attack_threshold" size="9" + value="<?=htmlspecialchars($pconfig['ftp_telnet_ayt_attack_threshold']);?>"> + <?php echo gettext("Are-You-There (AYT) command alert threshold. Enter ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" to disable. Default is ") . "<strong>" . gettext("20.") . "</strong>";?><br/> + <?php echo gettext("Alert when the number of consecutive Telnet AYT commands reaches the number specified.");?><br/> + </td> + </tr> + <tr id="ftp_telnet_row_ftp_proto_opts"> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("FTP Protocol Options"); ?></td> + </tr> + <tr id="ftp_telnet_ftp_client_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Client Configuration"); ?></td> + <td class="vtable"> + <table width="95%" align="left" id="FTPclientEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=ftp_client_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import client configuration from existing Aliases");?>"></a> + <a href="snort_ftp_client_engine.php?id=<?=$id?>&eng_id=<?=$ftp_client_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new FTP client configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['ftp_client_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_ftp_client_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this FTP client configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this FTP client configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default client configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> + </td> + </tr> + <tr id="ftp_telnet_ftp_server_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Configuration"); ?></td> + <td class="vtable"> + <table width="95%" align="left" id="FTPserverEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0"> + <colgroup> + <col width="45%" align="left"> + <col width="45%" align="center"> + <col width="10%" align="right"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th> + <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=ftp_server_engine"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17" + height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"></a> + <a href="snort_ftp_server_engine.php?id=<?=$id?>&eng_id=<?=$ftp_server_engine_next_id?>"> + <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17" + height="17" border="0" title="<?php echo gettext("Add a new FTP Server configuration");?>"></a></th> + </tr> + </thead> + <?php foreach ($pconfig['ftp_server_engine']['item'] as $f => $v): ?> + <tr> + <td class="listlr" align="left"><?=gettext($v['name']);?></td> + <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td> + <td class="listt" align="right"><a href="snort_ftp_server_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif" + width="17" height="17" border="0" title="<?=gettext("Edit this FTP server configuration");?>"></a> + <?php if ($v['bind_to'] <> "all") : ?> + <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');"> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" + title="<?=gettext("Delete this FTP server configuration");?>"></a> + <?php else : ?> + <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0" + title="<?=gettext("Default server configuration cannot be deleted");?>"> + <?php endif ?> + </td> + </tr> + <?php endforeach; ?> + </table> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Sensitive Data Detection"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> + <td width="78%" class="vtable"> + <input name="sensitive_data" type="checkbox" value="on" onclick="sensitive_data_enable_change();" + <?php if ($pconfig['sensitive_data'] == "on") + echo "checked"; + elseif ($vrt_enabled == "off") + echo "disabled"; + ?>> + <?php echo gettext("Sensitive data searches for credit card numbers, Social Security numbers and e-mail addresses in data."); ?> + <br/> + <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the ") . + "<a href=\"/snort/snort_interfaces_global.php\" title=\"" . gettext("Modify Snort global settings") . "\"/>" . gettext("Global Settings") . "</a>" . gettext(" tab."); ?> + </td> + </tr> + <tr id="sdf_alert_threshold_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Threshold"); ?></td> + <td width="78%" class="vtable"><input name="sdf_alert_threshold" type="text" class="formfld unknown" id="sdf_alert_threshold" size="9" value="<?=htmlspecialchars($pconfig['sdf_alert_threshold']);?>"> + <?php echo gettext("Personally Identifiable Information (PII) combination alert threshold.");?><br/> + <?php echo gettext("This value sets the number of PII combinations required to trigger an alert. This should be set higher than the highest individual count in your \"sd_pattern\" rules. Default value is ") . + "<strong>" . gettext("25") . "</strong>.";?> + </td> + </tr> + <tr id="sdf_mask_output_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Mask Output"); ?></td> + <td width="78%" class="vtable"> + <input name="sdf_mask_output" type="checkbox" value="on" + <?php if ($pconfig['sdf_mask_output'] == "on") + echo "checked"; + ?>> + <?php echo gettext("Replace all but last 4 digits of PII with \"X\"s on credit card and Social Security Numbers. ") . + gettext("Default is ") . "<strong>" . gettext("Not Checked") . "</strong>."; ?> </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessors"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable RPC Decode and Back Orifice detector"); ?></td> @@ -1178,13 +1423,6 @@ include_once("head.inc"); "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable FTP and Telnet Normalizer"); ?></td> - <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on" - <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?>> - <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> - </tr> - <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable POP Normalizer"); ?></td> <td width="78%" class="vtable"><input name="pop_preproc" type="checkbox" value="on" <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>> @@ -1216,7 +1454,7 @@ include_once("head.inc"); <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SIP Detection"); ?></td> <td width="78%" class="vtable"><input name="sip_preproc" type="checkbox" value="on" <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>> - <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities. Default is ") . + <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> @@ -1235,7 +1473,7 @@ include_once("head.inc"); <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNS Detection"); ?></td> <td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on" <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>> - <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects vulnerabilities. Default is ") . + <?php echo gettext("The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> @@ -1247,21 +1485,7 @@ include_once("head.inc"); "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Sensitive Data"); ?></td> - <td width="78%" class="vtable"> - <input name="sensitive_data" type="checkbox" value="on" - <?php if ($pconfig['sensitive_data'] == "on") - echo "checked"; - elseif ($vrt_enabled == "off") - echo "disabled"; - ?>> - <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?> - <br/> - <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?> - </td> - </tr> - <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SCADA Preprocessor Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SCADA Preprocessors"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Modbus Detection"); ?></td> @@ -1315,6 +1539,7 @@ include_once("head.inc"); if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + // Skip any Aliases that resolve to an empty string if (trim(filter_expand_alias($alias_name['name'])) == "") continue; if($addrisfirst == 1) $aliasesaddr .= ","; @@ -1334,6 +1559,8 @@ include_once("head.inc"); function createAutoSuggest() { <?php echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n"; + echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_net'), new StateSuggestions(addressarray));\n"; + echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_port'), new StateSuggestions(portsarray));\n"; ?> } @@ -1350,41 +1577,125 @@ function frag3_enable_change() { } } var endis = !(document.iform.frag3_detection.checked); - document.iform.frag3_overlap_limit.disabled=endis; - document.iform.frag3_min_frag_len.disabled=endis; - document.iform.frag3_policy.disabled=endis; - document.iform.frag3_max_frags.disabled=endis; - document.iform.frag3_memcap.disabled=endis; - document.iform.frag3_timeout.disabled=endis; + + // Hide the "config engines" table if Frag3 disabled + if (endis) { + document.getElementById("frag3_engconf_row").style.display="none"; + document.getElementById("frag3_memcap_row").style.display="none"; + document.getElementById("frag3_maxfrags_row").style.display="none"; + } + else { + document.getElementById("frag3_engconf_row").style.display="table-row"; + document.getElementById("frag3_memcap_row").style.display="table-row"; + document.getElementById("frag3_maxfrags_row").style.display="table-row"; + } } function host_attribute_table_enable_change() { var endis = !(document.iform.host_attribute_table.checked); - document.iform.host_attribute_file.disabled=endis; - document.iform.btn_import.disabled=endis; - document.iform.btn_edit_hat.disabled=endis; - document.iform.max_attribute_hosts.disabled=endis; - document.iform.max_attribute_services_per_host.disabled=endis; + + // Hide "Host Attribute Table" config rows if HAT disabled + if (endis) { + document.getElementById("host_attrib_table_data_row").style.display="none"; + document.getElementById("host_attrib_table_maxhosts_row").style.display="none"; + document.getElementById("host_attrib_table_maxsvcs_row").style.display="none"; + } + else { + document.getElementById("host_attrib_table_data_row").style.display="table-row"; + document.getElementById("host_attrib_table_maxhosts_row").style.display="table-row"; + document.getElementById("host_attrib_table_maxsvcs_row").style.display="table-row"; + } +} + +function stream5_track_tcp_enable_change() { + var endis = !(document.iform.stream5_track_tcp.checked); + + // Hide the "tcp_memcap and tcp_engconf" rows if stream5_track_tcp disabled + if (endis) { + document.getElementById("stream5_maxtcp_row").style.display="none"; + document.getElementById("stream5_tcp_memcap_row").style.display="none"; + document.getElementById("stream5_tcp_engconf_row").style.display="none"; + } + else { + document.getElementById("stream5_maxtcp_row").style.display="table-row"; + document.getElementById("stream5_tcp_memcap_row").style.display="table-row"; + document.getElementById("stream5_tcp_engconf_row").style.display="table-row"; + } +} + +function stream5_track_udp_enable_change() { + var endis = !(document.iform.stream5_track_udp.checked); + + // Hide the "udp session timeout " row if stream5_track_udp disabled + if (endis) { + var msg = "WARNING: Stream5 UDP tracking is required by the Session Initiation Protocol (SIP) preprocessor! "; + msg = msg + "The SIP preprocessor will be automatically disabled if Stream5 UDP tracking is disabled.\n\n"; + msg = msg + "Snort may fail to start because of rule options dependent on the SIP preprocessor. "; + msg = msg + "Are you sure you want to disable Stream5 UDP tracking?\n\n"; + msg = msg + "Click OK to disable Stream5 UDP tracking, or CANCEL to quit."; + if (!confirm(msg)) + return; + document.iform.sip_preproc.checked=false; + document.getElementById("stream5_maxudp_row").style.display="none"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="none"; + } + else { + document.getElementById("stream5_maxudp_row").style.display="table-row"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row"; + } +} + +function stream5_track_icmp_enable_change() { + var endis = !(document.iform.stream5_track_icmp.checked); + + // Hide the "icmp session timeout " row if stream5_track_icmp disabled + if (endis) { + document.getElementById("stream5_maxicmp_row").style.display="none"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="none"; + } + else { + document.getElementById("stream5_maxicmp_row").style.display="table-row"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row"; + } } function http_inspect_enable_change() { var endis = !(document.iform.http_inspect.checked); - document.iform.http_inspect_enable_xff.disabled=endis; - document.iform.server_flow_depth.disabled=endis; - document.iform.client_flow_depth.disabled=endis; - document.iform.http_server_profile.disabled=endis; document.iform.http_inspect_memcap.disabled=endis; - document.iform.http_inspect_log_uri.disabled=endis; - document.iform.http_inspect_log_hostname.disabled=endis; + + // Hide the "icmp session timeout " row if stream5_track_icmp disabled + if (endis) { + document.getElementById("httpinspect_memcap_row").style.display="none"; + document.getElementById("httpinspect_maxgzipmem_row").style.display="none"; + document.getElementById("httpinspect_proxyalert_row").style.display="none"; + document.getElementById("httpinspect_engconf_row").style.display="none"; + } + else { + document.getElementById("httpinspect_memcap_row").style.display="table-row"; + document.getElementById("httpinspect_maxgzipmem_row").style.display="table-row"; + document.getElementById("httpinspect_proxyalert_row").style.display="table-row"; + document.getElementById("httpinspect_engconf_row").style.display="table-row"; + } } function sf_portscan_enable_change() { var endis = !(document.iform.sf_portscan.checked); - document.iform.pscan_protocol.disabled=endis; - document.iform.pscan_type.disabled=endis; - document.iform.pscan_memcap.disabled=endis; - document.iform.pscan_sense_level.disabled=endis; - document.iform.pscan_ignore_scanners.disabled=endis; + + // Hide the portscan configuration rows if sf_portscan disabled + if (endis) { + document.getElementById("portscan_protocol_row").style.display="none"; + document.getElementById("portscan_type_row").style.display="none"; + document.getElementById("portscan_sensitivity_row").style.display="none"; + document.getElementById("portscan_memcap_row").style.display="none"; + document.getElementById("portscan_ignorescanners_row").style.display="none"; + } + else { + document.getElementById("portscan_protocol_row").style.display="table-row"; + document.getElementById("portscan_type_row").style.display="table-row"; + document.getElementById("portscan_sensitivity_row").style.display="table-row"; + document.getElementById("portscan_memcap_row").style.display="table-row"; + document.getElementById("portscan_ignorescanners_row").style.display="table-row"; + } } function stream5_enable_change() { @@ -1419,43 +1730,126 @@ function stream5_enable_change() { } var endis = !(document.iform.stream5_reassembly.checked); - document.iform.max_queued_bytes.disabled=endis; - document.iform.max_queued_segs.disabled=endis; - document.iform.stream5_mem_cap.disabled=endis; - document.iform.stream5_policy.disabled=endis; - document.iform.stream5_overlap_limit.disabled=endis; - document.iform.stream5_no_reassemble_async.disabled=endis; - document.iform.stream5_dont_store_lg_pkts.disabled=endis; - document.iform.stream5_tcp_timeout.disabled=endis; - document.iform.stream5_udp_timeout.disabled=endis; - document.iform.stream5_icmp_timeout.disabled=endis; + + // Hide the "stream5 conf" rows if stream5 disabled + if (endis) { + document.getElementById("stream5_tcp_memcap_row").style.display="none"; + document.getElementById("stream5_tcp_engconf_row").style.display="none"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_proto_tracking_row").style.display="none"; + document.getElementById("stream5_flushonalert_row").style.display="none"; + document.getElementById("stream5_prunelogmax_row").style.display="none"; + } + else { + document.getElementById("stream5_tcp_memcap_row").style.display="table-row"; + document.getElementById("stream5_tcp_engconf_row").style.display="table-row"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_proto_tracking_row").style.display="table-row"; + document.getElementById("stream5_flushonalert_row").style.display="table-row"; + document.getElementById("stream5_prunelogmax_row").style.display="table-row"; + } +} + +function ftp_telnet_enable_change() { + var endis = !(document.iform.ftp_preprocessor.checked); + + // Hide the ftp_telnet configuration rows if ftp_telnet disabled + if (endis) { + document.getElementById("ftp_telnet_row_type").style.display="none"; + document.getElementById("ftp_telnet_row_encrypted_alert").style.display="none"; + document.getElementById("ftp_telnet_row_encrypted_check").style.display="none"; + document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="none"; + document.getElementById("ftp_telnet_row_normalize").style.display="none"; + document.getElementById("ftp_telnet_row_detect_anomalies").style.display="none"; + document.getElementById("ftp_telnet_row_ayt_threshold").style.display="none"; + document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="none"; + document.getElementById("ftp_telnet_ftp_client_row").style.display="none"; + document.getElementById("ftp_telnet_ftp_server_row").style.display="none"; + } + else { + document.getElementById("ftp_telnet_row_type").style.display="table-row"; + document.getElementById("ftp_telnet_row_encrypted_alert").style.display="table-row"; + document.getElementById("ftp_telnet_row_encrypted_check").style.display="table-row"; + document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="table-row"; + document.getElementById("ftp_telnet_row_normalize").style.display="table-row"; + document.getElementById("ftp_telnet_row_detect_anomalies").style.display="table-row"; + document.getElementById("ftp_telnet_row_ayt_threshold").style.display="table-row"; + document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="table-row"; + document.getElementById("ftp_telnet_ftp_client_row").style.display="table-row"; + document.getElementById("ftp_telnet_ftp_server_row").style.display="table-row"; + } +} + +function sensitive_data_enable_change() { + var endis = !(document.iform.sensitive_data.checked); + + // Hide the sensitive_data configuration rows if sensitive_data disabled + if (endis) { + document.getElementById("sdf_alert_threshold_row").style.display="none"; + document.getElementById("sdf_mask_output_row").style.display="none"; + } + else { + document.getElementById("sdf_alert_threshold_row").style.display="table-row"; + document.getElementById("sdf_mask_output_row").style.display="table-row"; + } } function enable_change_all() { http_inspect_enable_change(); sf_portscan_enable_change(); - // Enable/Disable Frag3 settings + // -- Enable/Disable Host Attribute Table settings -- + host_attribute_table_enable_change(); + + // -- Enable/Disable Frag3 settings -- var endis = !(document.iform.frag3_detection.checked); - document.iform.frag3_overlap_limit.disabled=endis; - document.iform.frag3_min_frag_len.disabled=endis; - document.iform.frag3_policy.disabled=endis; - document.iform.frag3_max_frags.disabled=endis; - document.iform.frag3_memcap.disabled=endis; - document.iform.frag3_timeout.disabled=endis; - - // Enable/Disable Stream5 settings + // Hide the "config engines" table if Frag3 disabled + if (endis) { + document.getElementById("frag3_engconf_row").style.display="none"; + document.getElementById("frag3_memcap_row").style.display="none"; + document.getElementById("frag3_maxfrags_row").style.display="none"; + } + else { + document.getElementById("frag3_engconf_row").style.display="table-row"; + document.getElementById("frag3_memcap_row").style.display="table-row"; + document.getElementById("frag3_maxfrags_row").style.display="table-row"; + } + + // -- Enable/Disable Stream5 settings -- endis = !(document.iform.stream5_reassembly.checked); - document.iform.max_queued_bytes.disabled=endis; - document.iform.max_queued_segs.disabled=endis; - document.iform.stream5_mem_cap.disabled=endis; - document.iform.stream5_policy.disabled=endis; - document.iform.stream5_overlap_limit.disabled=endis; - document.iform.stream5_no_reassemble_async.disabled=endis; - document.iform.stream5_dont_store_lg_pkts.disabled=endis; - document.iform.stream5_tcp_timeout.disabled=endis; - document.iform.stream5_udp_timeout.disabled=endis; - document.iform.stream5_icmp_timeout.disabled=endis; + // Hide the "stream5 conf" rows if stream5 disabled + if (endis) { + document.getElementById("stream5_tcp_memcap_row").style.display="none"; + document.getElementById("stream5_tcp_engconf_row").style.display="none"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="none"; + document.getElementById("stream5_proto_tracking_row").style.display="none"; + document.getElementById("stream5_flushonalert_row").style.display="none"; + document.getElementById("stream5_prunelogmax_row").style.display="none"; + document.getElementById("stream5_maxtcp_row").style.display="none"; + document.getElementById("stream5_maxudp_row").style.display="none"; + document.getElementById("stream5_maxicmp_row").style.display="none"; + } + else { + document.getElementById("stream5_tcp_memcap_row").style.display="table-row"; + document.getElementById("stream5_tcp_engconf_row").style.display="table-row"; + document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row"; + document.getElementById("stream5_proto_tracking_row").style.display="table-row"; + document.getElementById("stream5_flushonalert_row").style.display="table-row"; + document.getElementById("stream5_prunelogmax_row").style.display="table-row"; + document.getElementById("stream5_maxtcp_row").style.display="table-row"; + document.getElementById("stream5_maxudp_row").style.display="table-row"; + document.getElementById("stream5_maxicmp_row").style.display="table-row"; + } + // Set other stream5 initial conditions + stream5_track_tcp_enable_change(); + stream5_track_udp_enable_change(); + stream5_track_icmp_enable_change(); + ftp_telnet_enable_change(); + sensitive_data_enable_change(); } function wopen(url, name, w, h) diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index c9852597..48d26d1d 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -379,7 +379,7 @@ require_once("guiconfig.inc"); include_once("head.inc"); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: {$if_friendly} Category: $currentruleset"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Rules: {$currentruleset}"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php index 92330ebf..2f13d6bc 100644 --- a/config/snort/snort_rules_flowbits.php +++ b/config/snort/snort_rules_flowbits.php @@ -59,6 +59,7 @@ if(!isset($_SESSION['org_referer'])) $referrer = $_SESSION['org_referer']; if ($_POST['cancel']) { + session_start(); unset($_SESSION['org_referer']); session_write_close(); header("Location: {$referrer}"); @@ -69,6 +70,9 @@ $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; if (is_null($id)) { + session_start(); + unset($_SESSION['org_referer']); + session_write_close(); header("Location: /snort/snort_interfaces.php"); exit; } @@ -158,7 +162,7 @@ function truncate($string, $length) { $supplist = snort_load_suppress_sigs($a_nat[$id]); $if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']); -$pgtitle = "Services: Snort: {$if_friendly} Flowbit Rules"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Flowbit Rules"); include_once("head.inc"); ?> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 3c613f84..3b7ef916 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -71,16 +71,20 @@ $no_snort_files = false; $no_community_files = false; /* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */ -if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') - $test = glob("{$snortdir}/rules/emerging-*.rules"); -elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) - $test = glob("{$snortdir}/rules/etpro-*.rules"); +if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') { + $test = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules"); + $et_type = "ET Open"; +} +elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) { + $test = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules"); + $et_type = "ET Pro"; +} if (empty($test)) $no_emerging_files = true; -$test = glob("{$snortdir}/rules/snort*.rules"); +$test = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules"); if (empty($test)) $no_snort_files = true; -if (!file_exists("{$snortdir}/rules/GPLv2_community.rules")) +if (!file_exists("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules")) $no_community_files = true; if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on')) @@ -188,25 +192,25 @@ if ($_POST['selectall']) { } if ($emergingdownload == 'on') { - $files = glob("{$snortdir}/rules/emerging-*.rules"); + $files = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } elseif ($etpro == 'on') { - $files = glob("{$snortdir}/rules/etpro-*.rules"); + $files = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } if ($snortcommunitydownload == 'on') { - $files = glob("{$snortdir}/rules/*_community.rules"); + $files = glob("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules"); foreach ($files as $file) $rulesets[] = basename($file); } /* Include the Snort VRT rules only if enabled and no IPS policy is set */ if ($snortdownload == 'on' && $a_nat[$id]['ips_policy_enable'] == 'off') { - $files = glob("{$snortdir}/rules/snort*.rules"); + $files = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } @@ -223,7 +227,7 @@ if ($_POST['selectall']) { $enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']); $if_friendly = snort_get_friendly_interface($pconfig['interface']); -$pgtitle = "Snort: Interface {$if_friendly} Categories"; +$pgtitle = gettext("Snort: Interface {$if_friendly} - Categories"); include_once("head.inc"); ?> @@ -309,7 +313,7 @@ if ($savemsg) { </tr> <tr> <td colspan="6" valign="center" class="listn"> - <table width="100%" border="0" cellpadding="2" cellspacing="2"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td> <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" @@ -332,7 +336,7 @@ if ($savemsg) { <tr> <td width="15%"> </td> <td width="85%"> - <?php printf(gettext("%sNote: %sAuto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."), '<span class="red"><strong>', '</strong></span>'); ?> + <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("Auto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."); ?> <br/></td> </tr> </table> @@ -343,23 +347,23 @@ if ($savemsg) { </tr> <tr> <td colspan="6" valign="center" class="listn"> - <table width="100%" border="0" cellpadding="2" cellspacing="2"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> <td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td> <td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?> <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/> <span class="vexpl"> - <?php echo gettext("If checked, Snort will use rules from the pre-defined IPS policy selected below."); ?></span></td> + <?php echo gettext("If checked, Snort will use rules from one of three pre-defined IPS policies."); ?></span></td> </tr> <tr> - <td width="15%" class="vncell"> </td> - <td width="85%" class="vtable"> - <?php printf(gettext("%sNote:%s You must be using the Snort VRT rules to use this option."),'<span class="red"><strong>','</strong></span>'); ?> + <td width="15%" class="vncell" id="ips_col1"> </td> + <td width="85%" class="vtable" id="ips_col2"> + <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("You must be using the Snort VRT rules to use this option."); ?> <?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " . "although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " . "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br/></td> </tr> - <tr> - <td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td> + <tr id="ips_row1"> + <td width="15%" class="listn"><?php echo gettext("IPS Policy Selection"); ?></td> <td width="85%"><select name="ips_policy" class="formselect" <?=$policy_select_disable?> > <option value="connectivity" <?php if ($pconfig['ips_policy'] == "connected") echo "selected"; ?>><?php echo gettext("Connectivity"); ?></option> <option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option> @@ -367,7 +371,7 @@ if ($savemsg) { </select> <span class="vexpl"><?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security."); ?></span></td> </tr> - <tr> + <tr id="ips_row2"> <td width="15%"> </td> <td width="85%"> <?php echo gettext("Connectivity blocks most major threats with few or no false positives. " . @@ -397,22 +401,23 @@ if ($savemsg) { $msg_community = "NOTE: Snort Community Rules have not been downloaded. Perform a Rules Update to enable them."; else $msg_community = "Snort GPLv2 Community Rules (VRT certified)"; + $community_rules_file = GPL_FILE_PREFIX . "community.rules"; ?> <?php if ($snortcommunitydownload == 'on'): ?> <tr id="frheader"> <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> <td colspan="5" class="listhdrr"><?php echo gettext('Ruleset: Snort GPLv2 Community Rules');?></td> </tr> - <?php if (in_array("GPLv2_community.rules", $enabled_rulesets_array)): ?> + <?php if (in_array($community_rules_file, $enabled_rulesets_array)): ?> <tr> <td width="5" class="listr" align="center" valign="top"> - <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" checked="checked"/></td> - <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=GPLv2_community.rules'><?php echo gettext("{$msg_community}"); ?></a></td> + <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" checked="checked"/></td> + <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a></td> </tr> <?php else: ?> <tr> <td width="5" class="listr" align="center" valign="top"> - <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td> + <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td> <td colspan="5" class="listr"><?php echo gettext("{$msg_community}"); ?></td> </tr> @@ -436,7 +441,7 @@ if ($savemsg) { <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Pro Rules');?></td> <?php else: ?> - <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td> + <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("{$et_type} rules not {$msg_emerging}"); ?></td> <?php endif; ?> <?php if ($snortdownload == 'on' && !$no_snort_files): ?> <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> @@ -459,11 +464,11 @@ if ($savemsg) { $filename = basename($filename); if (substr($filename, -5) != "rules") continue; - if (strstr($filename, "emerging-") && $emergingdownload == 'on') + if (strstr($filename, ET_OPEN_FILE_PREFIX) && $emergingdownload == 'on') $emergingrules[] = $filename; - else if (strstr($filename, "etpro-") && $etpro == 'on') + else if (strstr($filename, ET_PRO_FILE_PREFIX) && $etpro == 'on') $emergingrules[] = $filename; - else if (strstr($filename, "snort") && $snortdownload == 'on') { + else if (strstr($filename, VRT_FILE_PREFIX) && $snortdownload == 'on') { if (strstr($filename, ".so.rules")) $snortsorules[] = $filename; else @@ -589,6 +594,18 @@ function enable_change() var endis = !(document.iform.ips_policy_enable.checked); document.iform.ips_policy.disabled=endis; + if (endis) { + document.getElementById("ips_row1").style.display="none"; + document.getElementById("ips_row2").style.display="none"; + document.getElementById("ips_col1").className="vexpl"; + document.getElementById("ips_col2").className="vexpl"; + } + else { + document.getElementById("ips_row1").style.display="table-row"; + document.getElementById("ips_row2").style.display="table-row"; + document.getElementById("ips_col1").className="vncell"; + document.getElementById("ips_col2").className="vtable"; + } for (var i = 0; i < document.iform.elements.length; i++) { if (document.iform.elements[i].type == 'checkbox') { var str = document.iform.elements[i].value; @@ -597,6 +614,10 @@ function enable_change() } } } + +// Set initial state of dynamic HTML form controls +enable_change(); + </script> </body> diff --git a/config/snort/snort_select_alias.php b/config/snort/snort_select_alias.php new file mode 100644 index 00000000..bd0a02e2 --- /dev/null +++ b/config/snort/snort_select_alias.php @@ -0,0 +1,245 @@ +<?php +/* $Id$ */ +/* + snort_select_alias.php + Copyright (C) 2004 Scott Ullrich + All rights reserved. + + originially part of m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require_once("functions.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +// Set who called us so we can return to the correct page with +// the RETURN button. We will just trust this User-Agent supplied +// string for now. Check and make sure we don't store this page +// as the referrer so we don't stick the user in a loop. +session_start(); +if(!isset($_SESSION['org_referer']) && strpos($_SERVER['HTTP_REFERER'], $SERVER['PHP_SELF']) === false) + $_SESSION['org_referer'] = substr($_SERVER['HTTP_REFERER'], 0, strpos($_SERVER['HTTP_REFERER'], "?")); +$referrer = $_SESSION['org_referer']; + +// Get the QUERY_STRING from our referrer so we can return it. +if(!isset($_SESSION['org_querystr'])) + $_SESSION['org_querystr'] = $_SERVER['QUERY_STRING']; +$querystr = $_SESSION['org_querystr']; + +// Retrieve any passed QUERY STRING or POST variables +$type = $_GET['type']; +$varname = $_GET['varname']; +$multi_ip = $_GET['multi_ip']; +if (isset($_POST['type'])) + $type = $_POST['type']; +if (isset($_POST['varname'])) + $varname = $_POST['varname']; +if (isset($_POST['multi_ip'])) + $multi_ip = $_POST['multi_ip']; + +// Make sure we have a valid VARIABLE name +// and ALIAS TYPE, or else bail out. +if (is_null($type) || is_null($varname)) { + session_start(); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + session_write_close(); + header("Location: http://{$referrer}?{$querystr}"); + exit; +} + +// Used to track if any selectable Aliases are found +$selectablealias = false; + +// Initialize required array variables as necessary +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); +$a_aliases = $config['aliases']['alias']; + +// Create an array consisting of the Alias types the +// caller wants to select from. +$a_types = array(); +$a_types = explode('|', strtolower($type)); + +// Create a proper title based on the Alias types +$title = "a"; +switch (count($a_types)) { + case 1: + $title .= " " . ucfirst($a_types[0]); + break; + + case 2: + $title .= " " . ucfirst($a_types[0]) . " or " . ucfirst($a_types[1]); + break; + + case 3: + $title .= " " . ucfirst($a_types[0]) . ", " . ucfirst($a_types[1]) . " or " . ucfirst($a_types[2]); + + default: + $title = "n"; +} + +if ($_POST['cancel']) { + session_start(); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + session_write_close(); + header("Location: {$referrer}?{$querystr}"); + exit; +} + +if ($_POST['save']) { + if(empty($_POST['alias'])) + $input_errors[] = gettext("No alias is selected. Please select an alias before saving."); + + // if no errors, write new entry to conf + if (!$input_errors) { + $selection = $_POST['alias']; + session_start(); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + session_write_close(); + header("Location: {$referrer}?{$querystr}&varvalue={$selection}"); + exit; + } +} + +$pgtitle = gettext("Snort: Select {$title} Alias"); +include("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<form action="snort_select_alias.php" method="post"> +<input type="hidden" name="varname" value="<?=$varname;?>"> +<input type="hidden" name="type" value="<?=$type;?>"> +<input type="hidden" name="multi_ip" value="<?=$multi_ip;?>"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td class="tabcont"><strong><?=gettext("Select an Alias to use from the list below.");?></strong><br/> + </td> +</tr> +<tr> + <td class="tabcont"> + <table id="sortabletable1" style="table-layout: fixed;" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="5%" align="center"> + <col width="25%" align="left" axis="string"> + <col width="35%" align="left" axis="string"> + <col width="35%" align="left" axis="string"> + </colgroup> + <thead> + <tr> + <th class="listhdrr"></th> + <th class="listhdrr" axis="string"><?=gettext("Alias Name"); ?></th> + <th class="listhdrr" axis="string"><?=gettext("Values"); ?></th> + <th class="listhdrr" axis="string"><?=gettext("Description"); ?></th> + </tr> + </thead> + <tbody> + <?php $i = 0; foreach ($a_aliases as $alias): ?> + <?php if (!in_array($alias['type'], $a_types)) + continue; + if ( ($alias['type'] == "network" || $alias['type'] == "host") && + $multi_ip != "yes" && + !snort_is_single_addr_alias($alias['name'])) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $disable = true; + $tooltip = gettext("Aliases resolving to multiple address entries cannot be used with the destination target."); + } + elseif (($alias['type'] == "network" || $alias['type'] == "host") && + trim(filter_expand_alias($alias['name'])) == "") { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $disable = true; + $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations."); + } + else { + $textss = ""; + $textse = ""; + $disable = ""; + $selectablealias = true; + $tooltip = gettext("Selected entry will be imported. Click to toggle selection."); + } + ?> + <?php if ($disable): ?> + <tr title="<?=$tooltip;?>"> + <td class="listlr" align="center"><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height"11" border="0"/> + <?php else: ?> + <tr> + <td class="listlr" align="center"><input type="radio" name="alias" value="<?=htmlspecialchars($alias['name']);?>" title="<?=$tooltip;?>"/></td> + <?php endif; ?> + <td class="listr" align="left"><?=$textss . htmlspecialchars($alias['name']) . $textse;?></td> + <td class="listr" align="left"> + <?php + $tmpaddr = explode(" ", $alias['address']); + $addresses = implode(", ", array_slice($tmpaddr, 0, 10)); + echo "{$textss}{$addresses}{$textse}"; + if(count($tmpaddr) > 10) { + echo "..."; + } + ?> + </td> + <td class="listbg" align="left"> + <?=$textss . htmlspecialchars($alias['descr']) . $textse;?> + </td> + </tr> + <?php $i++; endforeach; ?> + </table> + </td> +</tr> +<?php if (!$selectablealias): ?> +<tr> + <td class="tabcont" align="center"><b><?php echo gettext("There are currently no defined Aliases eligible for selection.");?></b></td> +</tr> +<tr> + <td class="tabcont" align="center"> + <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/> + </td> +</tr> +<?php else: ?> +<tr> + <td class="tabcont" align="center"> + <input type="Submit" name="save" value="Save" id="save" class="formbtn" title="<?=gettext("Import selected item and return");?>"/> + <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/> + </td> +</tr> +<?php endif; ?> +<tr> + <td class="tabcont"> + <span class="vexpl"><span class="red"><strong><?=gettext("Note:"); ?><br></strong></span><?=gettext("Fully-Qualified Domain Name (FQDN) host Aliases cannot be used as Snort configuration parameters. Aliases resolving to a single FQDN value are disabled in the list above. In the case of nested Aliases where one or more of the nested values is a FQDN host, the FQDN host will not be included in the {$title} configuration.");?></span> + </td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_stream5_engine.php b/config/snort/snort_stream5_engine.php new file mode 100644 index 00000000..33fade40 --- /dev/null +++ b/config/snort/snort_stream5_engine.php @@ -0,0 +1,670 @@ +<?php +/* + * snort_stream5_engine.php + * Copyright (C) 2004 Scott Ullrich + * Copyright (C) 2011-2012 Ermal Luci + * All rights reserved. + * + * originially part of m0n0wall (http://m0n0.ch/wall) + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * All rights reserved. + * + * modified for the pfsense snort package + * Copyright (C) 2009-2010 Robert Zelaya. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +global $g; + +$snortdir = SNORTDIR; + +/* Retrieve required array index values from QUERY string if available. */ +/* 'id' is the [rule] array index, and 'eng_id' is the index for the */ +/* stream5_tcp_engine's [item] array. */ +$id = $_GET['id']; +$eng_id = $_GET['eng_id']; + +/* See if values are in our form's POST content */ +if (isset($_POST['id'])) + $id = $_POST['id']; +if (isset($_POST['eng_id'])) + $eng_id = $_POST['eng_id']; + +/* If we don't have a [rule] index specified, exit */ +if (is_null($id)) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['stream5_client_import']); + session_write_close(); + header("Location: /snort/snort_interfaces.php"); + exit; +} + +/* Initialize pointer into requisite section of [config] array */ +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'])) + $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array(); +$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item']; + +$pconfig = array(); + +// If this is a new entry, intialize it with default values +if (empty($a_nat[$eng_id])) { + $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); + // See if this is initial entry and set to "default" if true + if ($eng_id < 1) { + $def['name'] = "default"; + $def['bind_to'] = "all"; + } + $pconfig = $def; +} +else { + $pconfig = $a_nat[$eng_id]; + + // Check for empty values and set sensible defaults + if (empty($pconfig['policy'])) + $pconfig['policy'] = "bsd"; + if (empty($pconfig['timeout'])) + $pconfig['timeout'] = 30; + if (empty($pconfig['max_queued_bytes']) && $pconfig['max_queued_bytes'] <> 0) + $pconfig['max_queued_bytes'] = 1048576; + if (empty($pconfig['detect_anomalies'])) + $pconfig['detect_anomalies'] = "off"; + if (empty($pconfig['overlap_limit'])) + $pconfig['overlap_limit'] = 0; + if (empty($pconfig['max_queued_segs']) && $pconfig['max_queued_segs'] <> 0) + $pconfig['max_queued_segs'] = 2621; + if (empty($pconfig['require_3whs'])) + $pconfig['require_3whs'] = "off"; + if (empty($pconfig['startup_3whs_timeout'])) + $pconfig['startup_3whs_timeout'] = 0; + if (empty($pconfig['no_reassemble_async'])) + $pconfig['no_reassemble_async'] = "off"; + if (empty($pconfig['dont_store_lg_pkts'])) + $pconfig['dont_store_lg_pkts'] = "off"; + if (empty($pconfig['max_window'])) + $pconfig['max_window'] = 0; + if (empty($pconfig['use_static_footprint_sizes'])) + $pconfig['use_static_footprint_sizes'] = "off"; + if (empty($pconfig['check_session_hijacking'])) + $pconfig['check_session_hijacking'] = "off"; + if (empty($pconfig['ports_client'])) + $pconfig['ports_client'] = "default"; + if (empty($pconfig['ports_both'])) + $pconfig['ports_both'] = "default"; + if (empty($pconfig['ports_server'])) + $pconfig['ports_server'] = "none"; +} + +if ($_POST['Cancel']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['stream5_client_import']); + session_write_close(); + header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row"); + exit; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + session_start(); + if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports_client" || $_GET['varname'] == "ports_both" || $_GET['varname'] == "ports_server") + && !empty($_GET['varvalue'])) { + $pconfig[$_GET['varname']] = $_GET['varvalue']; + if(!isset($_SESSION['stream5_client_import'])) + $_SESSION['stream5_client_import'] = array(); + + $_SESSION['stream5_client_import'][$_GET['varname']] = $_GET['varvalue']; + if (isset($_SESSION['stream5_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to']; + if (isset($_SESSION['stream5_client_import']['ports_client'])) + $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client']; + if (isset($_SESSION['stream5_client_import']['ports_both'])) + $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both']; + if (isset($_SESSION['stream5_client_import']['ports_server'])) + $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server']; + } + // If "varvalue" is empty, user likely hit CANCEL in Select Dialog, + // so restore any saved values. + elseif (empty($_GET['varvalue'])) { + if (isset($_SESSION['stream5_client_import']['bind_to'])) + $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to']; + if (isset($_SESSION['stream5_client_import']['ports_client'])) + $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client']; + if (isset($_SESSION['stream5_client_import']['ports_both'])) + $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both']; + if (isset($_SESSION['stream5_client_import']['ports_server'])) + $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server']; + } + else { + unset($_SESSION['stream5_client_import']); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + session_write_close(); + } +} + +if ($_POST['Submit']) { + // Clear and close out any session variable we created + session_start(); + unset($_SESSION['org_referer']); + unset($_SESSION['org_querystr']); + unset($_SESSION['stream5_client_import']); + session_write_close(); + + /* Grab all the POST values and save in new temp array */ + $engine = array(); + if ($_POST['stream5_name']) { $engine['name'] = trim($_POST['stream5_name']); } else { $engine['name'] = "default"; } + + /* Validate input values before saving */ + if ($_POST['stream5_bind_to']) { + if (is_alias($_POST['stream5_bind_to'])) { + $engine['bind_to'] = $_POST['stream5_bind_to']; + if (!snort_is_single_addr_alias($_POST['stream5_bind_to'])) + $input_errors[] = gettext("An Alias that evaluates to a single IP address or CIDR network is required for the 'Bind-To IP Address' value."); + } + elseif (strtolower(trim($_POST['stream5_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + } + if ($_POST['stream5_ports_client']) { + if (is_alias($_POST['stream5_ports_client'])) + $engine['ports_client'] = $_POST['stream5_ports_client']; + elseif (strtolower(trim($_POST['stream5_ports_client'])) == "default") + $engine['ports_client'] = "default"; + elseif (strtolower(trim($_POST['stream5_ports_client'])) == "all") + $engine['ports_client'] = "all"; + elseif (strtolower(trim($_POST['stream5_ports_client'])) == "none") + $engine['ports_client'] = "none"; + else + $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_client' value."); + } + if ($_POST['stream5_ports_both']) { + if (is_alias($_POST['stream5_ports_both'])) + $engine['ports_both'] = $_POST['stream5_ports_both']; + elseif (strtolower(trim($_POST['stream5_ports_both'])) == "default") + $engine['ports_both'] = "default"; + elseif (strtolower(trim($_POST['stream5_ports_both'])) == "all") + $engine['ports_both'] = "all"; + elseif (strtolower(trim($_POST['stream5_ports_both'])) == "none") + $engine['ports_both'] = "none"; + else + $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_both' value."); + } + if ($_POST['stream5_ports_server']) { + if (is_alias($_POST['stream5_ports_server'])) + $engine['ports_server'] = $_POST['stream5_ports_server']; + elseif (strtolower(trim($_POST['stream5_ports_server'])) == "default") + $engine['ports_server'] = "default"; + elseif (strtolower(trim($_POST['stream5_ports_server'])) == "all") + $engine['ports_server'] = "all"; + elseif (strtolower(trim($_POST['stream5_ports_server'])) == "none") + $engine['ports_server'] = "none"; + else + $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_server' value."); + } + + if (!empty($_POST['stream5_timeout']) || $_POST['stream5_timeout'] == 0) { + $engine['timeout'] = $_POST['stream5_timeout']; + if ($engine['timeout'] < 1 || $engine['timeout'] > 86400) + $input_errors[] = gettext("The value for Timeout must be between 1 and 86400."); + } + else + $engine['timeout'] = 60; + + if (!empty($_POST['stream5_max_queued_bytes']) || $_POST['stream5_max_queued_bytes'] == 0) { + $engine['max_queued_bytes'] = $_POST['stream5_max_queued_bytes']; + if ($engine['max_queued_bytes'] <> 0) { + if ($engine['max_queued_bytes'] < 1024 || $engine['max_queued_bytes'] > 1073741824) + $input_errors[] = gettext("The value for Max_Queued_Bytes must either be 0, or between 1024 and 1073741824."); + } + } + else + $engine['max_queued_bytes'] = 1048576; + + if (!empty($_POST['stream5_max_queued_segs']) || $_POST['stream5_max_queued_segs'] == 0) { + $engine['max_queued_segs'] = $_POST['stream5_max_queued_segs']; + if ($engine['max_queued_segs'] <> 0) { + if ($engine['max_queued_segs'] < 2 || $engine['max_queued_segs'] > 1073741824) + $input_errors[] = gettext("The value for Max_Queued_Segs must either be 0, or between 2 and 1073741824."); + } + } + else + $engine['max_queued_segs'] = 2621; + + if (!empty($_POST['stream5_overlap_limit']) || $_POST['stream5_overlap_limit'] == 0) { + $engine['overlap_limit'] = $_POST['stream5_overlap_limit']; + if ($engine['overlap_limit'] < 0 || $engine['overlap_limit'] > 255) + $input_errors[] = gettext("The value for Overlap_Limit must be between 0 and 255."); + } + else + $engine['overlap_limit'] = 0; + + if (!empty($_POST['stream5_max_window']) || $_POST['stream5_max_window'] == 0) { + $engine['max_window'] = $_POST['stream5_max_window']; + if ($engine['max_window'] < 0 || $engine['max_window'] > 1073725440) + $input_errors[] = gettext("The value for Max_Window must be between 0 and 1073725440."); + } + else + $engine['max_window'] = 0; + + if (!empty($_POST['stream5_3whs_startup_timeout']) || $_POST['stream5_3whs_startup_timeout'] == 0) { + $engine['startup_3whs_timeout'] = $_POST['stream5_3whs_startup_timeout']; + if ($engine['startup_3whs_timeout'] < 0 || $engine['startup_3whs_timeout'] > 86400) + $input_errors[] = gettext("The value for 3whs_Startup_Timeout must be between 0 and 86400."); + } + else + $engine['startup_3whs_timeout'] = 0; + + if ($_POST['stream5_policy']) { $engine['policy'] = $_POST['stream5_policy']; } else { $engine['policy'] = "bsd"; } + if ($_POST['stream5_ports']) { $engine['ports'] = $_POST['stream5_ports']; } else { $engine['ports'] = "both"; } + + $engine['detect_anomalies'] = $_POST['stream5_detect_anomalies'] ? 'on' : 'off'; + $engine['require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off'; + $engine['no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off'; + $engine['dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off'; + $engine['use_static_footprint_sizes'] = $_POST['stream5_use_static_footprint_sizes'] ? 'on' : 'off'; + $engine['check_session_hijacking'] = $_POST['stream5_check_session_hijacking'] ? 'on' : 'off'; + + /* Can only have one "all" Bind_To address */ + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") + $input_errors[] = gettext("Only one default Stream5 Engine can be bound to all addresses."); + $pconfig = $engine; + + /* if no errors, write new entry to conf */ + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$eng_id]) { + $a_nat[$eng_id] = $engine; + } + else + $a_nat[] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat) > 1) { + $i = -1; + foreach ($a_nat as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat) - 1))) { + $tmp = $a_nat[$i]; + unset($a_nat[$i]); + $a_nat[] = $tmp; + } + } + + /* Now write the new engine array to conf */ + write_config(); + + header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row"); + exit; + } +} + +$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']); +$pgtitle = gettext("Snort: Interface {$if_friendly} - Stream5 Preprocessor TCP Engine"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC" > + +<?php +include("fbegin.inc"); +if ($input_errors) print_input_errors($input_errors); +if ($savemsg) + print_info_box($savemsg); +?> + +<form action="snort_stream5_engine.php" method="post" name="iform" id="iform"> +<input name="id" type="hidden" value="<?=$id?>"> +<input name="eng_id" type="hidden" value="<?=$eng_id?>"> +<div id="boxarea"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Stream5 Target-Based TCP Stream Reassembly Engine Configuration"); ?></td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Engine Name"); ?></td> + <td class="vtable"> + <input name="stream5_name" type="text" class="formfld unknown" id="stream5_name" size="25" maxlength="25" + value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>> + <?php if (htmlspecialchars($pconfig['name']) <> "default") + echo gettext("Name or description for this engine. (Max 25 characters)"); + else + echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/> + <?php echo gettext("Unique name or description for this engine configuration. Default value is ") . + "<strong>" . gettext("default") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address"); ?></td> + <td class="vtable"> + <?php if ($pconfig['name'] <> "default") : ?> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><input name="stream5_bind_to" type="text" class="formfldalias" id="stream5_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off"> + <?php echo gettext("IP address or network to bind this engine to."); ?></td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=no'" + title="<?php echo gettext("Select an existing IP alias");?>"/></td> + </tr> + <tr> + <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with the destination IP address specified. Default value is ") . + "<strong>" . gettext("all") . "</strong>" . gettext(". Only a single IP address or single network in CIDR form may be specified. ") . + gettext("IP Lists are not allowed.");?></td> + </tr> + </table><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'. ");?> + <?php else : ?> + <input name="stream5_bind_to" type="text" class="formfldalias" id="stream5_bind_to" size="32" + value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly> + <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/> + <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/> + <?php endif ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Target Policy"); ?></td> + <td width="78%" class="vtable"> + <select name="stream5_policy" class="formselect" id="stream5_policy"> + <?php + $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux', + 'Solaris', 'Vista', 'Windows', 'Win2003' ); + foreach ($profile as $val): ?> + <option value="<?=strtolower($val);?>" + <?php if (strtolower($val) == $pconfig['policy']) echo "selected"; ?>> + <?=gettext($val);?></option> + <?php endforeach; ?> + </select> <?php echo gettext("Choose the TCP target policy appropriate for the protected hosts. The default is ") . + "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Target Ports"); ?></td> + <td width="78%" class="vtable"> + <table width="95%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td class="vexpl"><strong><?php echo gettext("Client:"); ?></strong></td> + <td class="vexpl"><input name="stream5_ports_client" type="text" class="formfldalias" id="stream5_ports_client" size="32" + value="<?=htmlspecialchars($pconfig['ports_client']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_client']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("default") . "</strong>.";?></span> + </td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_client&act=import'" + title="<?php echo gettext("Select an existing port alias");?>"/> + </td> + </tr> + <tr> + <td class="vexpl"><strong><?php echo gettext("Server:"); ?></strong></td> + <td class="vexpl"><input name="stream5_ports_server" type="text" class="formfldalias" id="stream5_ports_server" size="32" + value="<?=htmlspecialchars($pconfig['ports_server']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_server']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("none") . "</strong>.";?></span> + </td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_server&act=import'" + title="<?php echo gettext("Select an existing port alias");?>"/> + </td> + </tr> + <tr> + <td class="vexpl"><strong><?php echo gettext("Both:"); ?></strong></td> + <td class="vexpl"><input name="stream5_ports_both" type="text" class="formfldalias" id="stream5_ports_both" size="32" + value="<?=htmlspecialchars($pconfig['ports_both']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_both']));?>" autocomplete="off"><span class="vexpl"> + <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("default") . "</strong>.";?></span> + </td> + <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_both&act=import'" + title="<?php echo gettext("Select an existing port alias");?>"/> + </td> + </tr> + </table> + <br/><?php echo gettext("Configures which side of the connection packets should be reassembled for based on the configured destination ports. See ");?> + <a href="http://www.snort.org/vrt/snort-conf-configurations/" target="_blank"><?php echo gettext("www.snort.org/vrt/snort-conf-configurations");?></a> + <?php echo gettext(" for the default configuration port values.");?><br/><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("Supplied value must be a pre-configured Alias or the keyword 'default', 'all' or 'none'.");?><br/> + <span class="red"><?php echo gettext("Hint: ") . "</span>" . gettext("Most users should leave these settings at their default values.");?> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Max Window"); ?></td> + <td class="vtable"> + <input name="stream5_max_window" type="text" class="formfld unknown" id="stream5_max_window" size="9" + value="<?=htmlspecialchars($pconfig['max_window']);?>" maxlength="10"> + <?php echo gettext("Maximum allowed TCP window. Min is ") . "<strong>0</strong>" . gettext(" and max is ") . + "<strong>1073725440</strong>" . gettext(" (65535 left shift 14)"); ?>.<br/><br/> + <?php echo gettext("Sets the TCP max window size. Default value is ") . + "<strong>0</strong>" . gettext(" (unlimited). This option is intended to prevent a DoS against Stream5 by " . + "attacker using an abnormally large window, so using a value near the maximum is discouraged."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Timeout"); ?></td> + <td class="vtable"> + <input name="stream5_timeout" type="text" class="formfld unknown" id="stream5_timeout" size="9" + value="<?=htmlspecialchars($pconfig['timeout']);?>" maxlength="5"> + <?php echo gettext("TCP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and max is ") . + "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.<br/><br/> + <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") . + "<strong>30</strong>" . gettext(" seconds."); ?><br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Max Queued Bytes"); ?></td> + <td class="vtable"> + <input name="stream5_max_queued_bytes" type="text" class="formfld unknown" id="stream5_max_queued_bytes" size="9" + value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>" maxlength="10"> + <?php echo gettext("Minimum is ") . "<strong>" . gettext("1024") . "</strong>" . gettext(" and Maximum is ") . + "<strong>" . gettext("1073741824") . "</strong>" . gettext(" (") . + "<strong>" . gettext("0") . "</strong>" . gettext(" means Maximum)."); ?><br/><br/> + + <?php echo gettext("The number of bytes to be queued for reassembly of TCP sessions in " . + "memory. Default value is <strong>1048576</strong>"); ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Max Queued Segs"); ?></td> + <td class="vtable"> + <input name="stream5_max_queued_segs" type="text" class="formfld unknown" id="stream5_max_queued_segs" size="9" + value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>" maxlength="10"> + <?php echo gettext("Minimum is ") . "<strong>" . gettext("2") . "</strong>" . gettext(" and Maximum is ") . + "<strong>" . gettext("1073741824") . "</strong>" . gettext(" (") . + "<strong>" . gettext("0") . "</strong>" . gettext(" means Maximum)");?>.<br/><br/> + <?php echo gettext("The number of segments to be queued for reassembly of TCP sessions " . + "in memory. Default value is <strong>2621</strong>"); ?>.<br/> + </td> + </tr> + <tr> + <td valign="top" class="vncell"><?php echo gettext("TCP Overlap Limit"); ?></td> + <td class="vtable"> + <input name="stream5_overlap_limit" type="text" class="formfld unknown" id="stream5_overlap_limit" size="9" + value="<?=htmlspecialchars($pconfig['overlap_limit']);?>" maxlength="3"> + <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited) and Maximum is ") . "<strong>" . + gettext("255") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("Sets the limit for the number of overlapping packets. Default value is ") . + "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect TCP Anomalies"); ?></td> + <td width="78%" class="vtable"><input name="stream5_detect_anomalies" id="stream5_detect_anomalies" type="checkbox" value="on" + <?php if ($pconfig['detect_anomalies']=="on") echo "checked"; ?>> + <?php echo gettext("Detect TCP protocol anomalies. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Check Session Hijacking"); ?></td> + <td width="78%" class="vtable"><input name="stream5_check_session_hijacking" id="stream5_check_session_hijacking" type="checkbox" value="on" + <?php if ($pconfig['check_session_hijacking']=="on") echo "checked"; ?>> + <?php echo gettext("Check for TCP session hijacking. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/> + <?php echo gettext("This check validates the hardware (MAC) address from both sides of the connection -- " . + "as established on the 3-way handshake -- against subsequent packets received on the session.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td> + <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on" + <?php if ($pconfig['require_3whs']=="on") echo "checked"; ?> onclick="stream5_3whs_enable_change();"> + <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr id="stream5_3whs_startuptimeout_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("3-Way Handshake Startup Timeout"); ?></td> + <td width="78%" class="vtable"> + <input name="stream5_3whs_startup_timeout" type="text" class="formfld unknown" id="stream5_3whs_startup_timeout" size="9" + value="<?=htmlspecialchars($pconfig['startup_3whs_timeout']);?>" maxlength="5"> + <?php echo gettext("3-Way Handshake Startup Timeout in seconds. Min is ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" and Max is ") . "<strong>" . gettext("86400") . "</strong>" . gettext(" (1 day).");?><br/><br/> + <?php echo gettext("This allows a grace period for existing sessions to be considered established during that " . + "interval immediately after Snort is started. The default is ") . "<strong>" . gettext("0") . + "</strong>" . gettext(", (don't consider existing sessions established).");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td> + <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on" + <?php if ($pconfig['no_reassemble_async']=="on") echo "checked "; ?>> + <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>. + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Use Static Footprint Sizes"); ?></td> + <td width="78%" class="vtable"><input name="stream5_use_static_footprint_sizes" id="stream5_use_static_footprint_sizes" type="checkbox" value="on" + <?php if ($pconfig['use_static_footprint_sizes']=="on") echo "checked "; ?>> + <?php echo gettext("Emulate Stream4 behavior for flushing reassembled packets. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td> + <td width="78%" class="vtable"> + <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on" + <?php if ($pconfig['dont_store_lg_pkts']=="on") echo "checked"; ?>> + <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/> + <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" . + gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="bottom"> </td> + <td width="78%" valign="bottom"> + <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo + gettext("Save Stream5 engine settings and return to Preprocessors tab"); ?>"> + + <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo + gettext("Cancel changes and return to Preprocessors tab"); ?>"></td> + </tr> +</table> +</td> +</tr> +</table> +</div> +</form> +<?php include("fend.inc"); ?> +</body> +<script type="text/javascript" src="/javascript/autosuggest.js"> +</script> +<script type="text/javascript" src="/javascript/suggestions.js"> +</script> +<script type="text/javascript"> + +function stream5_3whs_enable_change() { + var endis = !(document.iform.stream5_require_3whs.checked); + + // Hide the "3whs_startup_timeout" row if stream5_require_3whs disabled + if (endis) + document.getElementById("stream5_3whs_startuptimeout_row").style.display="none"; + else + document.getElementById("stream5_3whs_startuptimeout_row").style.display="table-row"; +} + +<?php + $isfirst = 0; + $aliases = ""; + $addrisfirst = 0; + $portisfirst = 0; + $aliasesaddr = ""; + $aliasesport = ""; + if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) + foreach($config['aliases']['alias'] as $alias_name) { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; + if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if($addrisfirst == 1) $aliasesaddr .= ","; + $aliasesaddr .= "'" . $alias_name['name'] . "'"; + $addrisfirst = 1; + } + elseif ($alias_name['type'] == "port") { + if($portisfirst == 1) $aliasesport .= ","; + $aliasesport .= "'" . $alias_name['name'] . "'"; + $portisfirst = 1; + } + } + +?> + var addressarray=new Array(<?php echo $aliasesaddr; ?>); + var portarray=new Array(<?php echo $aliasesport; ?>); + +function createAutoSuggest() { +<?php + echo "objAlias = new AutoSuggestControl(document.getElementById('stream5_bind_to'), new StateSuggestions(addressarray));\n"; + echo "objAliasPortsClient = new AutoSuggestControl(document.getElementById('stream5_ports_client'), new StateSuggestions(portarray));\n"; + echo "objAliasPortsServer = new AutoSuggestControl(document.getElementById('stream5_ports_server'), new StateSuggestions(portarray));\n"; + echo "objAliasPortsBoth = new AutoSuggestControl(document.getElementById('stream5_ports_both'), new StateSuggestions(portarray));\n"; +?> +} + +setTimeout("createAutoSuggest();", 500); +stream5_3whs_enable_change(); + +</script> + +</html> |