diff options
Diffstat (limited to 'config')
22 files changed, 2261 insertions, 2664 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 47274e77..362002cd 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -49,30 +49,28 @@ global $rebuild_rules, $pfSense_snort_version; // Grab the Snort binary version programmatically, but if that fails use a safe default $snortver = array(); exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); -$snort_version = $snortver[0]; -if (empty($snort_version)) - $snort_version = "2.9.6.0"; /* Used to indicate latest version of this include file has been loaded */ -$pfSense_snort_version = "3.0.13"; +$pfSense_snort_version = "3.1"; /* get installed package version for display */ $snort_package_version = "Snort {$config['installedpackages']['package'][get_pkg_id("snort")]['version']}"; // Define SNORTDIR and SNORTLIBDIR constants according to pfSense version $pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); -if ($pfs_version > 2.0) { - define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/etc/snort"); - define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/lib/snort"); -} -else { +if ($pfs_version < 2.1) { define("SNORTDIR", "/usr/local/etc/snort"); define("SNORTLIBDIR", "/usr/local/lib/snort"); } +else { + define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/etc/snort"); + define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/lib/snort"); +} /* Define some useful constants for Snort */ /* Be sure to include trailing slash on the URL defines */ define("SNORTLOGDIR", "/var/log/snort"); +define("SNORT_BIN_VERSION", "2.9.6.2"); define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); @@ -761,7 +759,7 @@ function snort_rm_blocked_install_cron($should_install) { // Now either install the new or updated cron job, // or return if "rm_blocked" is disabled if ($should_install) { - $command = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $command = "/usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire {$snort_rm_blocked_expire}"; install_cron_job($command, $should_install, $snort_rm_blocked_min, $snort_rm_blocked_hr, $snort_rm_blocked_mday, $snort_rm_blocked_month, $snort_rm_blocked_wday, "root"); } } @@ -849,7 +847,7 @@ function sync_snort_package_config() { /* do not start config build if rules is empty or there are no Snort settings */ if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) { - @unlink("{$rcdir}/snort.sh"); + @unlink("{$rcdir}snort.sh"); conf_mount_ro(); return; } @@ -1936,11 +1934,8 @@ esac EOD; /* write out snort.sh */ - if (!@file_put_contents("{$rcdir}/snort.sh", $snort_sh_text)) { - log_error("Could not open {$rcdir}/snort.sh for writing."); - return; - } - @chmod("{$rcdir}/snort.sh", 0755); + @file_put_contents("{$rcdir}snort.sh", $snort_sh_text); + @chmod("{$rcdir}snort.sh", 0755); } function snort_generate_barnyard2_conf($snortcfg, $if_real) { @@ -2152,7 +2147,7 @@ function snort_deinstall() { log_error(gettext("[Snort] Package deletion requested... removing all files...")); mwexec("/bin/rm -rf {$snortdir}"); mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules"); - mwexec("/bin/rm -f {$rcdir}/snort.sh"); + mwexec("/bin/rm -f {$rcdir}snort.sh"); mwexec("/bin/rm -rf /usr/local/pkg/snort"); mwexec("/bin/rm -rf /usr/local/www/snort"); mwexec("/bin/rm -rf /usr/local/etc/snort"); @@ -2515,1283 +2510,44 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa function snort_generate_conf($snortcfg) { + /********************************************************/ + /* This function generates the snort.conf file for the */ + /* passed interface using stored values from the Snort */ + /* package configuration. */ + /********************************************************/ + global $config, $g, $rebuild_rules; + // Exit if there are no configured Snort interfaces + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; $flowbit_rules_file = FLOWBITS_FILENAME; $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - - conf_mount_rw(); - - /* See if we should protect and not modify the preprocessor rules files */ - if (!empty($snortcfg['protect_preproc_rules'])) - $protect_preproc_rules = $snortcfg['protect_preproc_rules']; - else - $protect_preproc_rules = "off"; - $if_real = get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; - /* custom home nets */ - $home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']); - $home_net = implode(",", $home_net_list); - - $external_net = '!$HOME_NET'; - if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') { - $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']); - $external_net = implode(",", $external_net_list); - } - - /* user added arguments */ - $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); - // Remove the trailing newline - $snort_config_pass_thru = rtrim($snort_config_pass_thru); - - /* create a few directories and ensure the sample files are in place */ - $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", - "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", - "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", - "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "{$snortlibdir}/dynamicrules", - "dynamicengine" => "{$snortlibdir}/dynamicengine", - "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" - ); - foreach ($snort_dirs as $dir) { - if (!is_dir($dir)) - safe_mkdir($dir); - } - - /********************************************************************/ - /* For fail-safe on an initial startup following installation, and */ - /* before a rules update has occurred, copy the default config */ - /* files to the interface directory. If files already exist in */ - /* the interface directory, or they are newer, that means a rule */ - /* update has been done and we should leave the customized files */ - /* put in place by the rules update process. */ - /********************************************************************/ - $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd", - "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", - "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" - ); - foreach ($snort_files as $file) { - if (file_exists("{$snortdir}/{$file}")) { - $ftime = filemtime("{$snortdir}/{$file}"); - if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) - @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); - } - } - - /* define alertsystemlog */ - $alertsystemlog_type = ""; - if ($snortcfg['alertsystemlog'] == "on") - $alertsystemlog_type = "output alert_syslog: log_alert"; - - /* define snortunifiedlog */ - $snortunifiedlog_type = ""; - if ($snortcfg['barnyard_enable'] == "on") { - if (isset($snortcfg['unified2_log_limit'])) - $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; - else - $u2_log_limit = "limit 128"; - - $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; - if ($snortcfg['barnyard_log_vlan_events'] == 'on') - $snortunifiedlog_type .= ", vlan_event_types"; - if ($snortcfg['barnyard_log_mpls_events'] == 'on') - $snortunifiedlog_type .= ", mpls_event_types"; - } - - /* define spoink */ - $spoink_type = ""; - if ($snortcfg['blockoffenders7'] == "on") { - $pfkill = ""; - if ($snortcfg['blockoffenderskill'] == "on") - $pfkill = "kill"; - $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); - /* write Pass List */ - @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); - $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; - } - - /* define selected suppress file */ - $suppress_file_name = ""; - $suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress'); - if (!empty($suppress)) { - $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); - @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data); - $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}"; - } - - /* set the snort performance model */ - $snort_performance = "ac-bnfa"; - if(!empty($snortcfg['performance'])) - $snort_performance = $snortcfg['performance']; - - /* if user has defined a custom ssh port, use it */ - if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) - $ssh_port = $config['system']['ssh']['port']; - else - $ssh_port = "22"; - - /* Define an array of default values for the various preprocessor ports */ - $snort_ports = array( - "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", - "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", - "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, - "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", - "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", - "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", - "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", - "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", - "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", - "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", - "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", - "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", - "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", - "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", - "GTP_PORTS" => "2123,2152,3386" - ); - - /* Check for defined Aliases that may override default port settings as we build the portvars array */ - $portvardef = ""; - foreach ($snort_ports as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); - $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); - $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; - } - - /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ - $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; - $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; - $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; - $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; - $stream5_ports_client .= "\t 32778 32779"; - $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; - $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; - $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; - $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; - $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; - $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; - $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; - $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; - $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; - $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; - $stream5_ports_both .= "\t 55555 56712"; - - ///////////////////////////// - /* preprocessor code */ - /* def perform_stat */ - $perform_stat = <<<EOD -# Performance Statistics # -preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000 - -EOD; - - /* def ftp_preprocessor */ - $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); - $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); - - // Configure FTP_Telnet global options - $ftp_telnet_globals = "inspection_type "; - if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; } - if ($snortcfg['ftp_telnet_alert_encrypted'] == "on") - $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes"; - else - $ftp_telnet_globals .= " \\\n\tencrypted_traffic no"; - if ($snortcfg['ftp_telnet_check_encrypted'] == "on") - $ftp_telnet_globals .= " \\\n\tcheck_encrypted"; - - // Configure FTP_Telnet Telnet protocol options - $ftp_telnet_protocol = "ports { {$telnet_ports} }"; - if ($snortcfg['ftp_telnet_normalize'] == "on") - $ftp_telnet_protocol .= " \\\n\tnormalize"; - if ($snortcfg['ftp_telnet_detect_anomalies'] == "on") - $ftp_telnet_protocol .= " \\\n\tdetect_anomalies"; - if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') { - $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; - if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") - $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; - else - $ftp_telnet_protocol .= "20"; - } - - // Setup the standard FTP commands used for all FTP Server engines - $ftp_cmds = <<<EOD - ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \ - ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \ - ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \ - ftp_cmds { LPSV MACB MAIL MDTM MFMT MIC MKD MLSD MLST } \ - ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \ - ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \ - ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \ - ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \ - ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \ - ftp_cmds { XSEN XSHA1 XSHA256 } \ - alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \ - alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \ - alt_max_param_len 256 { CWD RNTO } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { MFMT SIZE } \ - chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \ - chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \ - chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \ - chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \ - chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \ - chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \ - chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ - chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ - cmd_validity MACB < string > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity PORT < host_port > \ - cmd_validity PROT < char CSEP > \ - cmd_validity STRU < char FRPO [ string ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > - -EOD; - - // Configure all the FTP_Telnet FTP protocol options - // Iterate and configure the FTP Client engines - $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); - - if (!is_array($snortcfg['ftp_client_engine']['item'])) - $snortcfg['ftp_client_engine']['item'] = array(); - - // If no FTP client engine is configured, use the default - // to keep from breaking Snort. - if (empty($snortcfg['ftp_client_engine']['item'])) - $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; - $ftp_client_engine = ""; - - foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { - $buffer = "preprocessor ftp_telnet_protocol: ftp client "; - if ($v['name'] == "default" && $v['bind_to'] == "all") - $buffer .= "default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "{$tmp} \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); - continue; - } - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); - continue; - } - - if ($v['max_resp_len'] == "") - $buffer .= "\tmax_resp_len 256 \\\n"; - else - $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; - - $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; - $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; - - if ($v['bounce'] == "yes") { - if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { - $net = trim(filter_expand_alias($v['bounce_to_net'])); - $port = trim(filter_expand_alias($v['bounce_to_port'])); - if (!empty($net) && !empty($port) && - snort_is_single_addr_alias($v['bounce_to_net']) && - (is_port($port) || is_portrange($port))) { - $port = preg_replace('/\s+/', ',', $port); - // Change port range delimiter to comma for ftp_telnet client preprocessor - if (is_portrange($port)) - $port = str_replace(":", ",", $port); - $buffer .= "\tbounce yes \\\n"; - $buffer .= "\tbounce_to { {$net},{$port} }\n"; - } - else { - // One or both of the BOUNCE_TO alias values is not right, - // so figure out which and log an appropriate error. - if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) - log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); - if (empty($port) || !(is_port($port) || is_portrange($port))) - log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); - $buffer .= "\tbounce yes\n"; - } - } - else - $buffer .= "\tbounce yes\n"; - } - else - $buffer .= "\tbounce no\n"; - - // Add this FTP client engine to the master string - $ftp_client_engine .= "{$buffer}\n"; - } - // Trim final trailing newline - rtrim($ftp_client_engine); - - // Iterate and configure the FTP Server engines - $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "ignore_data_chan" => "no", "def_max_param_len" => 100 ); - - if (!is_array($snortcfg['ftp_server_engine']['item'])) - $snortcfg['ftp_server_engine']['item'] = array(); - - // If no FTP server engine is configured, use the default - // to keep from breaking Snort. - if (empty($snortcfg['ftp_server_engine']['item'])) - $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; - $ftp_server_engine = ""; - - foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { - $buffer = "preprocessor ftp_telnet_protocol: ftp server "; - if ($v['name'] == "default" && $v['bind_to'] == "all") - $buffer .= "default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "{$tmp} \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); - continue; - } - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); - continue; - } - - if ($v['def_max_param_len'] == "") - $buffer .= "\tdef_max_param_len 100 \\\n"; - elseif ($v['def_max_param_len'] <> '0') - $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; - - if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) - $buffer .= "\tports { {$ftp_ports} } \\\n"; - elseif (is_alias($v['ports'])) { - $tmp = trim(filter_expand_alias($v['ports'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $tmp = snort_expand_port_range($tmp, ' '); - $buffer .= "\tports { {$tmp} } \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); - $buffer .= "\tports { {$ftp_ports} } \\\n"; - } - } - - $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; - $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; - if ($v['ignore_data_chan'] == "yes") - $buffer .= "\tignore_data_chan yes \\\n"; - $buffer .= "{$ftp_cmds}\n"; - - // Add this FTP server engine to the master string - $ftp_server_engine .= $buffer; - } - // Remove trailing newlines - rtrim($ftp_server_engine); - - $ftp_preprocessor = <<<EOD -# ftp_telnet preprocessor # -preprocessor ftp_telnet: global \ - {$ftp_telnet_globals} - -preprocessor ftp_telnet_protocol: telnet \ - {$ftp_telnet_protocol} - -{$ftp_server_engine} -{$ftp_client_engine} -EOD; - - $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); - $pop_preproc = <<<EOD -# POP preprocessor # -preprocessor pop: \ - ports { {$pop_ports} } \ - memcap 1310700 \ - qp_decode_depth 0 \ - b64_decode_depth 0 \ - bitenc_decode_depth 0 - -EOD; - - $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports'])); - $imap_preproc = <<<EOD -# IMAP preprocessor # -preprocessor imap: \ - ports { {$imap_ports} } \ - memcap 1310700 \ - qp_decode_depth 0 \ - b64_decode_depth 0 \ - bitenc_decode_depth 0 - -EOD; - - $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports'])); - /* def smtp_preprocessor */ - $smtp_preprocessor = <<<EOD -# SMTP preprocessor # -preprocessor SMTP: \ - ports { {$smtp_ports} } \ - inspection_type stateful \ - normalize cmds \ - ignore_tls_data \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \ - NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \ - STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \ - XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \ - IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \ - ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \ - XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } \ - log_mailfrom \ - log_rcptto \ - log_email_hdrs \ - email_hdrs_log_depth 1464 \ - log_filename \ - qp_decode_depth 0 \ - b64_decode_depth 0 \ - bitenc_decode_depth 0 \ - uu_decode_depth 0 - -EOD; - - /* def sf_portscan */ - $sf_pscan_protocol = "all"; - if (!empty($snortcfg['pscan_protocol'])) - $sf_pscan_protocol = $snortcfg['pscan_protocol']; - $sf_pscan_type = "all"; - if (!empty($snortcfg['pscan_type'])) - $sf_pscan_type = $snortcfg['pscan_type']; - $sf_pscan_memcap = "10000000"; - if (!empty($snortcfg['pscan_memcap'])) - $sf_pscan_memcap = $snortcfg['pscan_memcap']; - $sf_pscan_sense_level = "medium"; - if (!empty($snortcfg['pscan_sense_level'])) - $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; - $sf_pscan_ignore_scanners = "\$HOME_NET"; - if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { - $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])); - $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); - } - - $sf_portscan = <<<EOD -# sf Portscan # -preprocessor sfportscan: \ - scan_type { {$sf_pscan_type} } \ - proto { {$sf_pscan_protocol} } \ - memcap { {$sf_pscan_memcap} } \ - sense_level { {$sf_pscan_sense_level} } \ - ignore_scanners { {$sf_pscan_ignore_scanners} } - -EOD; + // Pull in the PHP code that generates required string variables + include("/usr/local/pkg/snort/snort_generate_conf.php"); - /* def ssh_preproc */ - $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); - $ssh_preproc = <<<EOD -# SSH preprocessor # -preprocessor ssh: \ - server_ports { {$ssh_ports} } \ - autodetect \ - max_client_bytes 19600 \ - max_encrypted_packets 20 \ - max_server_version_len 100 \ - enable_respoverflow enable_ssh1crc32 \ - enable_srvoverflow enable_protomismatch + // Pull in the boilerplate template for the snort.conf + // configuration file. The contents of the template along + // with substituted variables is stored in $snort_conf_text + // (which is defined in the included file). + include("/usr/local/pkg/snort/snort_conf_template.inc"); -EOD; - - /* def other_preprocs */ - $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); - $other_preprocs = <<<EOD -# Other preprocs # -preprocessor rpc_decode: \ - {$sun_rpc_ports} \ - no_alert_multiple_requests \ - no_alert_large_fragments \ - no_alert_incomplete - -# Back Orifice preprocessor # -preprocessor bo - -EOD; - - /* def dce_rpc_2 */ - $dce_rpc_2 = <<<EOD -# DCE/RPC 2 # -preprocessor dcerpc2: \ - memcap 102400, \ - events [co] - -preprocessor dcerpc2_server: default, \ - policy WinXP, \ - detect [smb [{$snort_ports['smb_ports']}], \ - tcp 135, \ - udp 135, \ - rpc-over-http-server 593], \ - autodetect [tcp 1025:, \ - udp 1025:, \ - rpc-over-http-server 1025:], \ - smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] - -EOD; - - $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); - $sip_preproc = <<<EOD -# SIP preprocessor # -preprocessor sip: \ - max_sessions 40000, \ - ports { {$sip_ports} }, \ - methods { invite \ - cancel \ - ack \ - bye \ - register \ - options \ - refer \ - subscribe \ - update \ - join \ - info \ - message \ - notify \ - benotify \ - do \ - qauth \ - sprack \ - publish \ - service \ - unsubscribe \ - prack }, \ - max_call_id_len 80, \ - max_from_len 256, \ - max_to_len 256, \ - max_via_len 1024, \ - max_requestName_len 50, \ - max_uri_len 512, \ - ignore_call_channel, \ - max_content_len 2048, \ - max_contact_len 512 - -EOD; - - $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports'])); - /* def dns_preprocessor */ - $dns_preprocessor = <<<EOD -# DNS preprocessor # -preprocessor dns: \ - ports { {$dns_ports} } \ - enable_rdata_overflow - -EOD; - - /* def dnp3_preprocessor */ - $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS'])); - $dnp3_preproc = <<<EOD -# DNP3 preprocessor # -preprocessor dnp3: \ - ports { {$dnp3_ports} } \ - memcap 262144 \ - check_crc - -EOD; - - /* def modbus_preprocessor */ - $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS'])); - $modbus_preproc = <<<EOD -# Modbus preprocessor # -preprocessor modbus: \ - ports { {$modbus_ports} } - -EOD; - - /* def gtp_preprocessor */ - $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); - $gtp_preproc = <<<EOD -# GTP preprocessor # -preprocessor gtp: \ - ports { {$gtp_ports} } - -EOD; - - /* def ssl_preprocessor */ - $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports'])); - $ssl_preproc = <<<EOD -# SSL preprocessor # -preprocessor ssl: \ - ports { {$ssl_ports} }, \ - trustservers, \ - noinspect_encrypted - -EOD; - - /* def sensitive_data_preprocessor */ - if ($snortcfg['sdf_mask_output'] == "on") - $sdf_mask_output = "\\\n\tmask_output"; - else - $sdf_mask_output = ""; - if (empty($snortcfg['sdf_alert_threshold'])) - $snortcfg['sdf_alert_threshold'] = 25; - $sensitive_data = <<<EOD -# SDF preprocessor # -preprocessor sensitive_data: \ - alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output} - -EOD; - - /* define IP Reputation preprocessor */ - if (is_array($snortcfg['blist_files']['item'])) { - $blist_files = ""; - $bIsFirst = TRUE; - foreach ($snortcfg['blist_files']['item'] as $blist) { - if ($bIsFirst) { - $blist_files .= "blacklist " . IPREP_PATH . $blist; - $bIsFirst = FALSE; - } - else - $blist_files .= ", \\ \n\tblacklist " . IPREP_PATH . $blist; - } - } - if (is_array($snortcfg['wlist_files']['item'])) { - $wlist_files = ""; - $bIsFirst = TRUE; - foreach ($snortcfg['wlist_files']['item'] as $wlist) { - if ($bIsFirst) { - $wlist_files .= "whitelist " . IPREP_PATH . $wlist; - $bIsFirst = FALSE; - } - else - $wlist_files .= ", \\ \n\twhitelist " . IPREP_PATH . $wlist; - } - } - if (!empty($blist_files)) - $ip_lists = $blist_files; - if (!empty($wlist_files)) - $ip_lists .= ", \\ \n" . $wlist_files; - if ($snortcfg['iprep_scan_local'] == 'on') - $ip_lists .= ", \\ \n\tscan_local"; - - $reputation_preproc = <<<EOD -# IP Reputation preprocessor # -preprocessor reputation: \ - memcap {$snortcfg['iprep_memcap']}, \ - priority {$snortcfg['iprep_priority']}, \ - nested_ip {$snortcfg['iprep_nested_ip']}, \ - white {$snortcfg['iprep_white']}, \ - {$ip_lists} - -EOD; - - /* define servers as IP variables */ - $snort_servers = array ( - "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", - "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", - "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", - "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", - "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", - "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", - "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", - "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" - ); - - // Change old name from "var" to new name of "ipvar" for IP variables because - // Snort is deprecating the old "var" name in newer versions. - $ipvardef = ""; - foreach ($snort_servers as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { - $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); - $avalue = preg_replace('/\s+/', ',', trim($avalue)); - } - $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; - } - - $snort_preproc_libs = array( - "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", - "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", - "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", - "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" - ); - $snort_preproc = array ( - "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", - "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc" - ); - $default_disabled_preprocs = array( - "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat" - ); - $snort_preprocessors = ""; - foreach ($snort_preproc as $preproc) { - if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { - - /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ - if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) - continue; - - /* NOTE: The $$ is not a bug. It is an advanced feature of php */ - if (!empty($snort_preproc_libs[$preproc])) { - $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; - if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { - if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { - @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } else - log_error("Could not find the {$preproclib} file. Snort might error out!"); - } else { - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } - } else { - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } - } - } - // Remove final trailing newline - $snort_preprocessors = rtrim($snort_preprocessors); - - $snort_misc_include_rules = ""; - if (file_exists("{$snortcfgdir}/reference.config")) - $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; - if (file_exists("{$snortcfgdir}/classification.config")) - $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { - $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); - } - - /* generate rule sections to load */ - /* The files are always configured so the update process is easier */ - $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; - $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; - $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; - - // Remove trailing newlines - $snort_misc_include_rules = rtrim($snort_misc_include_rules); - $selected_rules_sections = rtrim($selected_rules_sections); + // Write out snort.conf file using contents of $snort_conf_text + @file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text); - /* Create the actual rules files and save in the interface directory */ + // Create the actual rules files and save them in the interface directory snort_prepare_rule_files($snortcfg, $snortcfgdir); - $cksumcheck = "all"; - if ($snortcfg['cksumcheck'] == 'on') - $cksumcheck = "none"; - - /* Pull in user-configurable detection config options */ - $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; - if ($snortcfg['fpm_split_any_any'] == "on") - $cfg_detect_settings .= " split-any-any"; - if ($snortcfg['fpm_search_optimize'] == "on") - $cfg_detect_settings .= " search-optimize"; - if ($snortcfg['fpm_no_stream_inserts'] == "on") - $cfg_detect_settings .= " no_stream_inserts"; - - /* Pull in user-configurable options for Frag3 preprocessor settings */ - /* Get global Frag3 options first and put into a string */ - $frag3_global = "preprocessor frag3_global: "; - if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") - $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; - else - $frag3_global .= "memcap 4194304, "; - if (!empty($snortcfg['frag3_max_frags'])) - $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; - else - $frag3_global .= "max_frags 8192"; - if ($snortcfg['frag3_detection'] == "off") - $frag3_global .= ", disabled"; - - $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", - "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", - "overlap_limit" => 0, "min_frag_len" => 0 ); - $frag3_engine = ""; - - // Now iterate configured Frag3 engines and write them to a string if enabled - if ($snortcfg['frag3_detection'] == "on") { - if (!is_array($snortcfg['frag3_engine']['item'])) - $snortcfg['frag3_engine']['item'] = array(); - - // If no frag3 tcp engine is configured, use the default - if (empty($snortcfg['frag3_engine']['item'])) - $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; - - foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { - $frag3_engine .= "preprocessor frag3_engine: "; - $frag3_engine .= "policy {$v['policy']}"; - if ($v['bind_to'] <> "all") { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ',', $tmp); - if (strpos($tmp, ",") !== false) - $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; - else - $frag3_engine .= " \\\n\tbind_to {$tmp}"; - } - else - log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); - } - $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; - $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; - if ($v['detect_anomalies'] == "on") { - $frag3_engine .= " \\\n\tdetect_anomalies"; - $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; - $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; - } - // Add newlines to terminate this engine - $frag3_engine .= "\n\n"; - } - // Remove trailing newline - $frag3_engine = rtrim($frag3_engine); - } - - // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs - $paf_max_pdu_config = "config paf_max: "; - if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') - $paf_max_pdu_config .= "0"; - else - $paf_max_pdu_config .= $snortcfg['max_paf']; - - // Pull in user-configurable options for Stream5 preprocessor settings - // Get global options first and put into a string - $stream5_global = "preprocessor stream5_global: \\\n"; - if ($snortcfg['stream5_reassembly'] == "off") - $stream5_global .= "\tdisabled, \\\n"; - if ($snortcfg['stream5_track_tcp'] == "off") - $stream5_global .= "\ttrack_tcp no,"; - else { - $stream5_global .= "\ttrack_tcp yes,"; - if (!empty($snortcfg['stream5_max_tcp'])) - $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; - else - $stream5_global .= " \\\n\tmax_tcp 262144,"; - } - if ($snortcfg['stream5_track_udp'] == "off") - $stream5_global .= " \\\n\ttrack_udp no,"; - else { - $stream5_global .= " \\\n\ttrack_udp yes,"; - if (!empty($snortcfg['stream5_max_udp'])) - $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; - else - $stream5_global .= " \\\n\tmax_udp 131072,"; - } - if ($snortcfg['stream5_track_icmp'] == "on") { - $stream5_global .= " \\\n\ttrack_icmp yes,"; - if (!empty($snortcfg['stream5_max_icmp'])) - $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; - else - $stream5_global .= " \\\n\tmax_icmp 65536,"; - } - else - $stream5_global .= " \\\n\ttrack_icmp no,"; - if (!empty($snortcfg['stream5_mem_cap'])) - $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; - else - $stream5_global .= " \\\n\tmemcap 8388608,"; - - if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') - $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; - else - $stream5_global .= " \\\n\tprune_log_max 1048576"; - if ($snortcfg['stream5_flush_on_alert'] == "on") - $stream5_global .= ", \\\n\tflush_on_alert"; - - $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, - "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, - "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, - "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, - "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", - "ports_both" => "default", "ports_server" => "none" ); - $stream5_tcp_engine = ""; - - // Now iterate configured Stream5 TCP engines and write them to a string if enabled - if ($snortcfg['stream5_reassembly'] == "on") { - if (!is_array($snortcfg['stream5_tcp_engine']['item'])) - $snortcfg['stream5_tcp_engine']['item'] = array(); - - // If no stream5 tcp engine is configured, use the default - if (empty($snortcfg['stream5_tcp_engine']['item'])) - $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; - - foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { - $buffer = "preprocessor stream5_tcp: "; - $buffer .= "policy {$v['policy']},"; - if ($v['bind_to'] <> "all") { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ',', $tmp); - if (strpos($tmp, ",") !== false) - $buffer .= " \\\n\tbind_to [{$tmp}],"; - else - $buffer .= " \\\n\tbind_to {$tmp},"; - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); - continue; - } - } - $stream5_tcp_engine .= $buffer; - $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; - $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; - $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; - $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; - $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; - if ($v['use_static_footprint_sizes'] == "on") - $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; - if ($v['check_session_hijacking'] == "on") - $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; - if ($v['dont_store_lg_pkts'] == "on") - $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; - if ($v['no_reassemble_async'] == "on") - $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; - if ($v['detect_anomalies'] == "on") - $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; - if ($v['require_3whs'] == "on") - $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; - if (!empty($v['ports_client'])) { - $stream5_tcp_engine .= ", \\\n\tports client"; - if ($v['ports_client'] == " all") - $stream5_tcp_engine .= " all"; - elseif ($v['ports_client'] == "default") - $stream5_tcp_engine .= " {$stream5_ports_client}"; - else { - $tmp = trim(filter_expand_alias($v['ports_client'])); - if (!empty($tmp)) - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - else { - $stream5_tcp_engine .= " {$stream5_ports_client}"; - log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); - } - } - } - if (!empty($v['ports_both'])) { - $stream5_tcp_engine .= ", \\\n\tports both"; - if ($v['ports_both'] == " all") - $stream5_tcp_engine .= " all"; - elseif ($v['ports_both'] == "default") - $stream5_tcp_engine .= " {$stream5_ports_both}"; - else { - $tmp = trim(filter_expand_alias($v['ports_both'])); - if (!empty($tmp)) - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - else { - $stream5_tcp_engine .= " {$stream5_ports_both}"; - log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); - } - } - } - if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { - if ($v['ports_server'] == " all") { - $stream5_tcp_engine .= ", \\\n\tports server"; - $stream5_tcp_engine .= " all"; - } - else { - $tmp = trim(filter_expand_alias($v['ports_server'])); - if (!empty($tmp)) { - $stream5_tcp_engine .= ", \\\n\tports server"; - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - } - else - log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); - } - } - - // Make sure the "ports" parameter is set, or else default to a safe value - if (strpos($stream5_tcp_engine, "ports ") === false) - $stream5_tcp_engine .= ", \\\n\tports both all"; - - // Add a pair of newlines to terminate this engine - $stream5_tcp_engine .= "\n\n"; - } - // Trim off the final trailing newline - $stream5_tcp_engine = rtrim($stream5_tcp_engine); - } - - // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled - if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") - $stream5_udp_engine = ""; - else { - $stream5_udp_engine = "preprocessor stream5_udp: "; - if (!empty($snortcfg['stream5_udp_timeout'])) - $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; - else - $stream5_udp_engine .= "timeout 30"; - } - - // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled - if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { - $stream5_icmp_engine = "preprocessor stream5_icmp: "; - if (!empty($snortcfg['stream5_icmp_timeout'])) - $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; - else - $stream5_icmp_engine .= "timeout 30"; - } - else - $stream5_icmp_engine = ""; - - // Check for and configure Host Attribute Table if enabled - $host_attrib_config = ""; - if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { - @file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); - $host_attrib_config = "# Host Attribute Table #\n"; - $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; - if (!empty($snortcfg['max_attribute_hosts'])) - $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; - if (!empty($snortcfg['max_attribute_services_per_host'])) - $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; - } - - // Configure the HTTP_INSPECT preprocessor - // Get global options first and put into a string - $http_inspect_global = "preprocessor http_inspect: global "; - if ($snortcfg['http_inspect'] == "off") - $http_inspect_global .= "disabled "; - $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; - $http_inspect_global .= "\tcompress_depth 65535 \\\n"; - $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; - if (!empty($snortcfg['http_inspect_memcap'])) - $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; - else - $http_inspect_global .= "\tmemcap 150994944 \\\n"; - if (!empty($snortcfg['http_inspect_max_gzip_mem'])) - $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; - else - $http_inspect_global .= "\tmax_gzip_mem 838860"; - if ($snortcfg['http_inspect_proxy_alert'] == "on") - $http_inspect_global .= " \\\n\tproxy_alert"; - - $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", - "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", - "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", - "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", - "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", - "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); - $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); - $http_inspect_servers = ""; - - // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled - if ($snortcfg['http_inspect'] <> "off") { - if (!is_array($snortcfg['http_inspect_engine']['item'])) - $snortcfg['http_inspect_engine']['item'] = array(); - - // If no http_inspect_engine is configured, use the default - if (empty($snortcfg['http_inspect_engine']['item'])) - $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; - - foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { - $buffer = "preprocessor http_inspect_server: \\\n"; - if ($v['name'] == "default") - $buffer .= "\tserver default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "\tserver { {$tmp} } \\\n"; - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); - continue; - } - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); - continue; - } - $http_inspect_servers .= $buffer; - $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; - - if ($v['no_alerts'] == "on") - $http_inspect_servers .= "\tno_alerts \\\n"; - - if ($v['ports'] == "default" || empty($v['ports'])) - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - elseif (is_alias($v['ports'])) { - $tmp = trim(filter_expand_alias($v['ports'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $tmp = snort_expand_port_range($tmp, ' '); - $http_inspect_servers .= "\tports { {$tmp} } \\\n"; - } - else { - log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - } - } - else { - log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - } - - $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; - $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; - $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; - $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; - $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; - $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; - $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; - if ($v['enable_xff'] == "on") - $http_inspect_servers .= " \\\n\tenable_xff"; - if ($v['enable_cookie'] == "on") - $http_inspect_servers .= " \\\n\tenable_cookie"; - if ($v['normalize_cookies'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_cookies"; - if ($v['normalize_headers'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_headers"; - if ($v['normalize_utf'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_utf"; - if ($v['allow_proxy_use'] == "on") - $http_inspect_servers .= " \\\n\tallow_proxy_use"; - if ($v['inspect_uri_only'] == "on") - $http_inspect_servers .= " \\\n\tinspect_uri_only"; - if ($v['extended_response_inspection'] == "on") { - $http_inspect_servers .= " \\\n\textended_response_inspection"; - if ($v['inspect_gzip'] == "on") { - $http_inspect_servers .= " \\\n\tinspect_gzip"; - if ($v['unlimited_decompress'] == "on") - $http_inspect_servers .= " \\\n\tunlimited_decompress"; - } - if ($v['normalize_javascript'] == "on") { - $http_inspect_servers .= " \\\n\tnormalize_javascript"; - $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; - } - } - if ($v['log_uri'] == "on") - $http_inspect_servers .= " \\\n\tlog_uri"; - if ($v['log_hostname'] == "on") - $http_inspect_servers .= " \\\n\tlog_hostname"; - - // Add a pair of trailing newlines to terminate this server config - $http_inspect_servers .= "\n\n"; - } - /* Trim off the final trailing newline */ - $http_inspect_server = rtrim($http_inspect_server); - } - - // Finally, build the Snort configuration file - $snort_conf_text = <<<EOD -# snort configuration file -# generated automatically by the pfSense subsystems do not modify manually - -# Define Local Network # -ipvar HOME_NET [{$home_net}] -ipvar EXTERNAL_NET [{$external_net}] - -# Define Rule Path # -var RULE_PATH {$snortcfgdir}/rules - -# Define Servers # -{$ipvardef} - -# Define Server Ports # -{$portvardef} - -# Configure quiet startup mode # -config quiet - -# Configure the snort decoder # -config checksum_mode: {$cksumcheck} -config disable_decode_alerts -config disable_tcpopt_experimental_alerts -config disable_tcpopt_obsolete_alerts -config disable_ttcp_alerts -config disable_tcpopt_alerts -config disable_ipopt_alerts -config disable_decode_drops - -# Enable the GTP decoder # -config enable_gtp - -# Configure PCRE match limitations -config pcre_match_limit: 3500 -config pcre_match_limit_recursion: 1500 - -# Configure the detection engine # -config detection: {$cfg_detect_settings} -config event_queue: max_queue 8 log 5 order_events content_length - -# Configure to show year in timestamps -config show_year - -# Configure protocol aware flushing # -# For more information see README.stream5 # -{$paf_max_pdu_config} - -# Configure dynamically loaded libraries -dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']} -dynamicengine directory {$snort_dirs['dynamicengine']} -dynamicdetection directory {$snort_dirs['dynamicrules']} - -# Inline packet normalization. For more information, see README.normalize -# Disabled since we do not use "inline" mode with pfSense -# preprocessor normalize_ip4 -# preprocessor normalize_tcp: ips ecn stream -# preprocessor normalize_icmp4 -# preprocessor normalize_ip6 -# preprocessor normalize_icmp6 - -# Flow and stream # -{$frag3_global} - -{$frag3_engine} - -{$stream5_global} - -{$stream5_tcp_engine} - -{$stream5_udp_engine} - -{$stream5_icmp_engine} - -# HTTP Inspect # -{$http_inspect_global} - -{$http_inspect_servers} -{$snort_preprocessors} -{$host_attrib_config} - -# Snort Output Logs # -output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority -{$alertsystemlog_type} -{$snortunifiedlog_type} -{$spoink_type} - -# Misc Includes # -{$snort_misc_include_rules} - -{$suppress_file_name} - -# Snort user pass through configuration -{$snort_config_pass_thru} - -# Rules Selection # -{$selected_rules_sections} -EOD; - - // Write out snort.conf file - @file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text); - conf_mount_ro(); + // Clean up variables we no longer need and free memory unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); unset($home_net, $external_net, $ipvardef, $portvardef); } diff --git a/config/snort/snort.priv.inc b/config/snort/snort.priv.inc index 8db5408d..9fac78e0 100644 --- a/config/snort/snort.priv.inc +++ b/config/snort/snort.priv.inc @@ -39,11 +39,13 @@ $priv_list['page-services-snort']['match'][] = "snort/snort_stream5_engine.php*" $priv_list['page-services-snort']['match'][] = "snort/snort_ip_list_mgmt.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_ip_reputation.php*"; $priv_list['page-services-snort']['match'][] = "snort/snort_iprep_list_browser.php*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_generate_conf.php*"; $priv_list['page-services-snort']['match'][] = "widgets/javascript/snort_alerts.js*"; $priv_list['page-services-snort']['match'][] = "widgets/include/widget-snort.inc*"; $priv_list['page-services-snort']['match'][] = "widgets/widgets/snort_alerts.widget.php*"; $priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=snort_sync.xml*"; $priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=snort/snort.xml*"; $priv_list['page-services-snort']['match'][] = "snort/snort_check_cron_misc.inc*"; +$priv_list['page-services-snort']['match'][] = "snort/snort_conf_template.inc*"; $priv_list['page-services-snort']['match'][] = "snort/snort.inc*"; ?>
\ No newline at end of file diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 977db98a..d9bc0ee6 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ <requirements>None</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.9.6.0</version> - <title>Services:2.9.6.0 pkg v3.0.13</title> + <version>2.9.6.2</version> + <title>Services:2.9.6.2 pkg v3.1</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> @@ -74,12 +74,17 @@ <item>https://packages.pfsense.org/packages/config/snort/snort_check_cron_misc.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>https://packages.pfsense.org/packages/config/snort/snort_conf_template.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> <item>https://packages.pfsense.org/packages/config/snort/snort_migrate_config.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> <item>https://packages.pfsense.org/packages/config/snort/snort_post_install.php</item> </additional_files_needed> @@ -119,7 +124,7 @@ <item>https://packages.pfsense.org/packages/config/snort/snort_download_updates.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> <item>https://packages.pfsense.org/packages/config/snort/snort_check_for_rule_updates.php</item> </additional_files_needed> @@ -249,6 +254,11 @@ <item>https://packages.pfsense.org/packages/config/snort/snort_iprep_list_browser.php</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>https://packages.pfsense.org/packages/config/snort/snort_generate_conf.php</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/widgets/javascript/</prefix> <chmod>0644</chmod> <item>https://packages.pfsense.org/packages/config/snort/snort_alerts.js</item> @@ -269,13 +279,13 @@ </custom_add_php_command> <custom_php_resync_config_command> <![CDATA[ - if ($GLOBALS['pfSense_snort_version'] == "3.0.13") + if ($GLOBALS['pfSense_snort_version'] == "3.1") sync_snort_package_config(); ]]> </custom_php_resync_config_command> <custom_php_install_command> <![CDATA[ - include_once("/usr/local/www/snort/snort_post_install.php"); + include_once("/usr/local/pkg/snort/snort_post_install.php"); ]]> </custom_php_install_command> <custom_php_deinstall_command> diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 45443ec2..1c9d8492 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -283,7 +283,9 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_instance[$instanceid]); + conf_mount_ro(); $rebuild_rules = false; /* Soft-restart Snort to live-load the new rules */ diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 76d5a9df..97301a0f 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -185,7 +185,7 @@ if ($savemsg) { <input name="download" type="submit" class="formbtns" value="Download" title="<?=gettext("Download list of blocked hosts as a gzip archive");?>"/> <?php echo gettext("All blocked hosts will be saved."); ?> <input name="remove" type="submit" class="formbtns" value="Clear" title="<?=gettext("Remove blocks for all listed hosts");?>" - onClick="return confirm('<?=gettext("Are you sure you want to remove all blocked hosts? Click OK to continue or CANCLE to quit.");?>');"/> + onClick="return confirm('<?=gettext("Are you sure you want to remove all blocked hosts? Click OK to continue or CANCEL to quit.");?>');"/> <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("all hosts will be removed."); ?> </td> </tr> diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc index a5b9e65e..9a1c7833 100644 --- a/config/snort/snort_check_cron_misc.inc +++ b/config/snort/snort_check_cron_misc.inc @@ -116,7 +116,7 @@ foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { } unset($files); if ($prune_count > 0) - log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s)...")); + log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/barnyard2/archive/...")); } } diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 667f4044..9d8d15d5 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -37,7 +37,9 @@ require_once "/usr/local/pkg/snort/snort.inc"; global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules; if (!defined("VRT_DNLD_URL")) - define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); + define("VRT_DNLD_URL", "https://www.snort.org/rules/"); +if (!defined("SNORT_BIN_VERSION")) + define("SNORT_BIN_VERSION", "2.9.6.2"); if (!defined("ET_VERSION")) define("ET_VERSION", "2.9.0"); if (!defined("ET_BASE_DNLD_URL")) @@ -98,7 +100,7 @@ exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26 // Save the version with decimal delimiters for use in extracting the rules $snort_version = $snortver[0]; if (empty($snort_version)) - $snort_version = "2.9.6.0"; + $snort_version = SNORT_BIN_VERSION; // Create a collapsed version string for use in the tarball filename $snortver[0] = str_replace(".", "", $snortver[0]); @@ -431,10 +433,10 @@ $update_errors = false; /* Check for and download any new Snort VRT sigs */ if ($snortdownload == 'on') { - if (snort_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) { + if (snort_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) { /* download snortrules file */ $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")); - if (!snort_fetch_new_rules("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules")) + if (!snort_fetch_new_rules("{$snort_rule_url}{$snort_filename}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules")) $snortdownload = 'off'; } else diff --git a/config/snort/snort_conf_template.inc b/config/snort/snort_conf_template.inc new file mode 100644 index 00000000..be4791af --- /dev/null +++ b/config/snort/snort_conf_template.inc @@ -0,0 +1,112 @@ +<?php + +// This is the template used to generate the snort.conf +// configuration file for the interface. The contents of +// this file are written to the snort.conf file for +// the interface. Key parameters are provided by the +// included string variables which are populated by the +// snort_generate_conf.php file. + +$snort_conf_text = <<<EOD +# snort configuration file +# generated automatically by the pfSense subsystems do not modify manually + +# Define Local Network # +ipvar HOME_NET [{$home_net}] +ipvar EXTERNAL_NET [{$external_net}] + +# Define Rule Path # +var RULE_PATH {$snortcfgdir}/rules + +# Define Servers # +{$ipvardef} + +# Define Server Ports # +{$portvardef} + +# Configure quiet startup mode # +config quiet + +# Configure the snort decoder # +config checksum_mode: {$cksumcheck} +config disable_decode_alerts +config disable_tcpopt_experimental_alerts +config disable_tcpopt_obsolete_alerts +config disable_ttcp_alerts +config disable_tcpopt_alerts +config disable_ipopt_alerts +config disable_decode_drops + +# Enable the GTP decoder # +config enable_gtp + +# Configure PCRE match limitations +config pcre_match_limit: 3500 +config pcre_match_limit_recursion: 1500 + +# Configure the detection engine # +config detection: {$cfg_detect_settings} +config event_queue: max_queue 8 log 5 order_events content_length + +# Configure to show year in timestamps +config show_year + +# Configure protocol aware flushing # +# For more information see README.stream5 # +{$paf_max_pdu_config} + +# Configure dynamically loaded libraries +dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']} +dynamicengine directory {$snort_dirs['dynamicengine']} +dynamicdetection directory {$snort_dirs['dynamicrules']} + +# Inline packet normalization. For more information, see README.normalize +# Disabled since we do not use "inline" mode with pfSense +# preprocessor normalize_ip4 +# preprocessor normalize_tcp: ips ecn stream +# preprocessor normalize_icmp4 +# preprocessor normalize_ip6 +# preprocessor normalize_icmp6 + +# Flow and stream # +{$frag3_global} + +{$frag3_engine} + +{$stream5_global} + +{$stream5_tcp_engine} + +{$stream5_udp_engine} + +{$stream5_icmp_engine} + +# HTTP Inspect # +{$http_inspect_global} + +{$http_inspect_servers} +{$snort_preprocessors} +{$host_attrib_config} + +# Snort Output Logs # +output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority +{$alertsystemlog_type} +{$snortunifiedlog_type} +{$spoink_type} + +# Misc Includes # +{$snort_misc_include_rules} + +{$suppress_file_name} + +# Snort user pass through configuration +{$snort_config_pass_thru} + +# Rules Selection # +{$selected_rules_sections} +EOD; + +// End of snort.conf template code + +?> + diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 4d1b3c2e..98a98fd9 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -138,7 +138,9 @@ if ($_POST['save']) { /* Update the snort conf file for this interface. */ $rebuild_rules = false; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); /* Soft-restart Snort to live-load new variables. */ snort_reload_config($a_nat[$id]); diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index f35341f1..0fa20e08 100755 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -43,7 +43,6 @@ include("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> -<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> <form action="/snort/snort_download_updates.php" method="GET"> @@ -91,7 +90,7 @@ include("head.inc"); <?php $snort_gui_include = true; -include("/usr/local/www/snort/snort_check_for_rule_updates.php"); +include("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); /* hide progress bar and lets end this party */ echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>"; diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index ecc1e5b5..7f8bc7a1 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -47,7 +47,7 @@ $snort_rules_upd_log = RULES_UPD_LOGFILE; $snortver = array(); exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); if (empty($snortver[0])) - $snortver[0] = "2.9.5.5"; + $snortver[0] = SNORT_BIN_VERSION; $snortver[0] = str_replace(".", "", $snortver[0]); $snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz"; diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php index a5ec0aad..04be18e7 100644 --- a/config/snort/snort_edit_hat_data.php +++ b/config/snort/snort_edit_hat_data.php @@ -68,7 +68,9 @@ if ($_POST['clear']) { $a_nat[$id]['host_attribute_table'] = 'off'; write_config("Snort pkg: cleared Host Attribute Table data for {$a_nat[$id]['interface']}."); $rebuild_rules = false; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); $pconfig['host_attribute_data'] = ""; } @@ -80,7 +82,9 @@ if ($_POST['save']) { $a_nat[$id]['host_attribute_table'] = 'off'; write_config("Snort pkg: modified Host Attribute Table data for {$a_nat[$id]['interface']}."); $rebuild_rules = false; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); $pconfig['host_attribute_data'] = $_POST['host_attribute_data']; } diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php new file mode 100644 index 00000000..c67ab3d6 --- /dev/null +++ b/config/snort/snort_generate_conf.php @@ -0,0 +1,1351 @@ +<?php +/* + * snort_generate_conf.php + * + * Copyright (C) 2006 Scott Ullrich + * Copyright (C) 2009-2010 Robert Zelaya + * Copyright (C) 2011-2012 Ermal Luci + * Copyright (C) 2013,2014 Bill Meeks + * part of pfSense + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/**************************************************************************/ +/* This code reads the stored Snort configuration and constructs a series */ +/* of string variables that are used as values for placeholders in the */ +/* snort_conf_template.inc file. These strings along with text in the */ +/* template are used to create the snort.conf file for the interface. */ +/**************************************************************************/ + +/* Custom home nets */ +$home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']); +$home_net = implode(",", $home_net_list); + +$external_net = '!$HOME_NET'; +if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') { + $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']); + $external_net = implode(",", $external_net_list); +} + +/* User added custom configuration arguments */ +$snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); +// Remove the trailing newline +$snort_config_pass_thru = rtrim($snort_config_pass_thru); + +/* create a few directories and ensure the sample files are in place */ +$snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", + "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", + "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", + "{$snortcfgdir}/preproc_rules", + "dynamicrules" => "{$snortlibdir}/dynamicrules", + "dynamicengine" => "{$snortlibdir}/dynamicengine", + "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" +); +foreach ($snort_dirs as $dir) { + if (!is_dir($dir)) + safe_mkdir($dir); +} + +/********************************************************************/ +/* For fail-safe on an initial startup following installation, and */ +/* before a rules update has occurred, copy the default config */ +/* files to the interface directory. If files already exist in */ +/* the interface directory, or they are newer, that means a rule */ +/* update has been done and we should leave the customized files */ +/* put in place by the rules update process. */ +/********************************************************************/ +$snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd", + "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", + "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" + ); +foreach ($snort_files as $file) { + if (file_exists("{$snortdir}/{$file}")) { + $ftime = filemtime("{$snortdir}/{$file}"); + if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) + @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + } +} + +/* define alertsystemlog */ +$alertsystemlog_type = ""; +if ($snortcfg['alertsystemlog'] == "on") + $alertsystemlog_type = "output alert_syslog: log_alert"; + +/* define snortunifiedlog */ +$snortunifiedlog_type = ""; +if ($snortcfg['barnyard_enable'] == "on") { + if (isset($snortcfg['unified2_log_limit'])) + $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; + else + $u2_log_limit = "limit 128"; + + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; + if ($snortcfg['barnyard_log_vlan_events'] == 'on') + $snortunifiedlog_type .= ", vlan_event_types"; + if ($snortcfg['barnyard_log_mpls_events'] == 'on') + $snortunifiedlog_type .= ", mpls_event_types"; +} + +/* define spoink */ +$spoink_type = ""; +if ($snortcfg['blockoffenders7'] == "on") { + $pfkill = ""; + if ($snortcfg['blockoffenderskill'] == "on") + $pfkill = "kill"; + $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); + /* write Pass List */ + @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); + $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; +} + +/* define selected suppress file */ +$suppress_file_name = ""; +$suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress'); +if (!empty($suppress)) { + $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); + @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data); + $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}"; +} + +/* set the snort performance model */ +$snort_performance = "ac-bnfa"; +if(!empty($snortcfg['performance'])) + $snort_performance = $snortcfg['performance']; + +/* if user has defined a custom ssh port, use it */ +if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) + $ssh_port = $config['system']['ssh']['port']; +else + $ssh_port = "22"; + +/* Define an array of default values for the various preprocessor ports */ +$snort_ports = array( + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", + "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", + "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, + "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", + "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", + "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", + "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", + "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", + "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", + "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", + "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", + "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", + "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", + "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", + "GTP_PORTS" => "2123,2152,3386" +); + +/* Check for defined Aliases that may override default port settings as we build the portvars array */ +$portvardef = ""; +foreach ($snort_ports as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) + $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); + $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; +} + +/* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ +$stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; +$stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; +$stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; +$stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; +$stream5_ports_client .= "\t 32778 32779"; +$stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; +$stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; +$stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; +$stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; +$stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; +$stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; +$stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; +$stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; +$stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; +$stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; +$stream5_ports_both .= "\t 55555 56712"; + +/*********************/ +/* preprocessor code */ +/*********************/ + +/* def perform_stat */ + +$perform_stat = <<<EOD +# Performance Statistics # +preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000 + +EOD; + +/* def ftp_preprocessor */ + +$telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); +$ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); + +// Make sure we have port numbers or else use defaults +if (!isset($telnet_ports) || empty($telnet_ports)) + $telnet_ports = "23"; +if (!isset($ftp_ports) || empty($ftp_ports)) + $ftp_ports = "21 2100 3535"; + +// Configure FTP_Telnet global options +$ftp_telnet_globals = "inspection_type "; +if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; } +if ($snortcfg['ftp_telnet_alert_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes"; +else + $ftp_telnet_globals .= " \\\n\tencrypted_traffic no"; +if ($snortcfg['ftp_telnet_check_encrypted'] == "on") + $ftp_telnet_globals .= " \\\n\tcheck_encrypted"; + +// Configure FTP_Telnet Telnet protocol options +$ftp_telnet_protocol = "ports { {$telnet_ports} }"; +if ($snortcfg['ftp_telnet_normalize'] == "on") + $ftp_telnet_protocol .= " \\\n\tnormalize"; +if ($snortcfg['ftp_telnet_detect_anomalies'] == "on") + $ftp_telnet_protocol .= " \\\n\tdetect_anomalies"; +if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') { + $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; + if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") + $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; + else + $ftp_telnet_protocol .= "20"; +} + +// Setup the standard FTP commands used for all FTP Server engines +$ftp_cmds = <<<EOD + ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \ + ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \ + ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \ + ftp_cmds { LPSV MACB MAIL MDTM MFMT MIC MKD MLSD MLST } \ + ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \ + ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \ + ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \ + ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \ + ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \ + ftp_cmds { XSEN XSHA1 XSHA256 } \ + alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \ + alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \ + alt_max_param_len 256 { CWD RNTO } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { MFMT SIZE } \ + chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \ + chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \ + chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \ + chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \ + chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \ + chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \ + chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ + chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ + cmd_validity MACB < string > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity PORT < host_port > \ + cmd_validity PROT < char CSEP > \ + cmd_validity STRU < char FRPO [ string ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > + +EOD; + +// Configure all the FTP_Telnet FTP protocol options +// Iterate and configure the FTP Client engines +$ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); + +if (!is_array($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'] = array(); + +// If no FTP client engine is configured, use the default +// to keep from breaking Snort. +if (empty($snortcfg['ftp_client_engine']['item'])) + $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; +$ftp_client_engine = ""; + +foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp client "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['max_resp_len'] == "") + $buffer .= "\tmax_resp_len 256 \\\n"; + else + $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + + if ($v['bounce'] == "yes") { + if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { + $net = trim(filter_expand_alias($v['bounce_to_net'])); + $port = trim(filter_expand_alias($v['bounce_to_port'])); + if (!empty($net) && !empty($port) && + snort_is_single_addr_alias($v['bounce_to_net']) && + (is_port($port) || is_portrange($port))) { + $port = preg_replace('/\s+/', ',', $port); + // Change port range delimiter to comma for ftp_telnet client preprocessor + if (is_portrange($port)) + $port = str_replace(":", ",", $port); + $buffer .= "\tbounce yes \\\n"; + $buffer .= "\tbounce_to { {$net},{$port} }\n"; + } + else { + // One or both of the BOUNCE_TO alias values is not right, + // so figure out which and log an appropriate error. + if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) + log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + if (empty($port) || !(is_port($port) || is_portrange($port))) + log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); + $buffer .= "\tbounce yes\n"; + } + } + else + $buffer .= "\tbounce yes\n"; + } + else + $buffer .= "\tbounce no\n"; + + // Add this FTP client engine to the master string + $ftp_client_engine .= "{$buffer}\n"; +} +// Trim final trailing newline +rtrim($ftp_client_engine); + +// Iterate and configure the FTP Server engines +$ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", + "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", + "ignore_data_chan" => "no", "def_max_param_len" => 100 ); + +if (!is_array($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'] = array(); + +// If no FTP server engine is configured, use the default +// to keep from breaking Snort. +if (empty($snortcfg['ftp_server_engine']['item'])) + $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; +$ftp_server_engine = ""; + +foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { + $buffer = "preprocessor ftp_telnet_protocol: ftp server "; + if ($v['name'] == "default" && $v['bind_to'] == "all") + $buffer .= "default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "{$tmp} \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + } + else { + log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); + continue; + } + + if ($v['def_max_param_len'] == "") + $buffer .= "\tdef_max_param_len 100 \\\n"; + elseif ($v['def_max_param_len'] <> '0') + $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; + + if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) + $buffer .= "\tports { {$ftp_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $buffer .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); + $buffer .= "\tports { {$ftp_ports} } \\\n"; + } + } + + $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; + $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; + if ($v['ignore_data_chan'] == "yes") + $buffer .= "\tignore_data_chan yes \\\n"; + $buffer .= "{$ftp_cmds}\n"; + + // Add this FTP server engine to the master string + $ftp_server_engine .= $buffer; +} +// Remove trailing newlines +rtrim($ftp_server_engine); + + $ftp_preprocessor = <<<EOD +# ftp_telnet preprocessor # +preprocessor ftp_telnet: global \ + {$ftp_telnet_globals} + +preprocessor ftp_telnet_protocol: telnet \ + {$ftp_telnet_protocol} + +{$ftp_server_engine} +{$ftp_client_engine} +EOD; + +/* def pop_preprocessor */ + +$pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); + +// Make sure we have port numbers or else use defaults +if (!isset($pop_ports) || empty($pop_ports)) + $pop_ports = "110"; + +if (isset($snortcfg['pop_memcap'])) + $pop_memcap = $snortcfg['pop_memcap']; +else + $pop_memcap = "838860"; +if (isset($snortcfg['pop_qp_decode_depth'])) + $pop_qp_decode_depth = $snortcfg['pop_qp_decode_depth']; +else + $pop_qp_decode_depth = "0"; +if (isset($snortcfg['pop_b64_decode_depth'])) + $pop_b64_decode_depth = $snortcfg['pop_b64_decode_depth']; +else + $pop_b64_decode_depth = "0"; +if (isset($snortcfg['pop_bitenc_decode_depth'])) + $pop_bitenc_decode_depth = $snortcfg['pop_bitenc_decode_depth']; +else + $pop_bitenc_decode_depth = "0"; +if (isset($snortcfg['pop_uu_decode_depth'])) + $pop_uu_decode_depth = $snortcfg['pop_uu_decode_depth']; +else + $pop_uu_decode_depth = "0"; +$pop_preproc = <<<EOD +# POP preprocessor # +preprocessor pop: \ + ports { {$pop_ports} } \ + memcap {$pop_memcap} \ + qp_decode_depth {$pop_qp_decode_depth} \ + b64_decode_depth {$pop_b64_decode_depth} \ + bitenc_decode_depth {$pop_bitenc_decode_depth} \ + uu_decode_depth {$pop_uu_decode_depth} + +EOD; + +/* def imap_preprocessor */ + +$imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports'])); + +// Make sure we have port numbers or else use defaults +if (!isset($imap_ports) || empty($imap_ports)) + $imap_ports = "143"; + +if (isset($snortcfg['imap_memcap'])) + $imap_memcap = $snortcfg['imap_memcap']; +else + $imap_memcap = "838860"; +if (isset($snortcfg['imap_qp_decode_depth'])) + $imap_qp_decode_depth = $snortcfg['imap_qp_decode_depth']; +else + $imap_qp_decode_depth = "0"; +if (isset($snortcfg['imap_b64_decode_depth'])) + $imap_b64_decode_depth = $snortcfg['imap_b64_decode_depth']; +else + $imap_b64_decode_depth = "0"; +if (isset($snortcfg['imap_bitenc_decode_depth'])) + $imap_bitenc_decode_depth = $snortcfg['imap_bitenc_decode_depth']; +else + $imap_bitenc_decode_depth = "0"; +if (isset($snortcfg['imap_uu_decode_depth'])) + $imap_uu_decode_depth = $snortcfg['imap_uu_decode_depth']; +else + $imap_uu_decode_depth = "0"; +$imap_preproc = <<<EOD +# IMAP preprocessor # +preprocessor imap: \ + ports { {$imap_ports} } \ + memcap {$imap_memcap} \ + qp_decode_depth {$imap_qp_decode_depth} \ + b64_decode_depth {$imap_b64_decode_depth} \ + bitenc_decode_depth {$imap_bitenc_decode_depth} \ + uu_decode_depth {$imap_uu_decode_depth} + +EOD; + +/* def smtp_preprocessor */ + +$smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports'])); + +// Make sure we have port numbers or else use defaults +if (!isset($smtp_ports) || empty($smtp_ports)) + $smtp_ports = "25 465 587 691"; + +if (isset($snortcfg['smtp_memcap'])) + $smtp_memcap = $snortcfg['smtp_memcap']; +else + $smtp_memcap = "838860"; +if (isset($snortcfg['smtp_max_mime_mem'])) + $smtp_max_mime_mem = $snortcfg['smtp_max_mime_mem']; +else + $smtp_max_mime_mem = "838860"; +if (isset($snortcfg['smtp_qp_decode_depth'])) + $smtp_qp_decode_depth = $snortcfg['smtp_qp_decode_depth']; +else + $smtp_qp_decode_depth = "0"; +if (isset($snortcfg['smtp_b64_decode_depth'])) + $smtp_b64_decode_depth = $snortcfg['smtp_b64_decode_depth']; +else + $smtp_b64_decode_depth = "0"; +if (isset($snortcfg['smtp_bitenc_decode_depth'])) + $smtp_bitenc_decode_depth = $snortcfg['smtp_bitenc_decode_depth']; +else + $smtp_bitenc_decode_depth = "0"; +if (isset($snortcfg['smtp_uu_decode_depth'])) + $smtp_uu_decode_depth = $snortcfg['smtp_uu_decode_depth']; +else + $smtp_uu_decode_depth = "0"; +if (isset($snortcfg['smtp_email_hdrs_log_depth']) && $snortcfg['smtp_email_hdrs_log_depth'] != '0') + $smtp_email_hdrs_log_depth = $snortcfg['smtp_email_hdrs_log_depth']; +else + $smtp_email_hdrs_log_depth = "0"; +$smtp_boolean_params = ""; +if ($snortcfg['smtp_ignore_data'] == 'on') + $smtp_boolean_params .= "\tignore_data \\\n"; +if ($snortcfg['smtp_ignore_tls_data'] == 'on') + $smtp_boolean_params .= "\tignore_tls_data \\\n"; +if ($snortcfg['smtp_log_mail_from'] == 'on') + $smtp_boolean_params .= "\tlog_mailfrom \\\n"; +if ($snortcfg['smtp_log_rcpt_to'] == 'on') + $smtp_boolean_params .= "\tlog_rcptto \\\n"; +if ($snortcfg['smtp_log_filename'] == 'on') + $smtp_boolean_params .= "\tlog_filename \\\n"; +if ($snortcfg['smtp_log_email_hdrs'] == 'on') + $smtp_boolean_params .= "\tlog_email_hdrs\\\n"; +$smtp_boolean_params = trim($smtp_boolean_params, "\t\n\\"); +$smtp_preprocessor = <<<EOD +# SMTP preprocessor # +preprocessor SMTP: \ + ports { {$smtp_ports} } \ + inspection_type stateful \ + normalize cmds \ + memcap {$smtp_memcap} \ + max_mime_mem {$smtp_max_mime_mem} \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \ + NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \ + STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \ + XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \ + IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \ + ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \ + XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } \ + {$smtp_boolean_params} \ + email_hdrs_log_depth {$smtp_email_hdrs_log_depth} \ + qp_decode_depth {$smtp_qp_decode_depth} \ + b64_decode_depth {$smtp_b64_decode_depth} \ + bitenc_decode_depth {$smtp_bitenc_decode_depth} \ + uu_decode_depth {$smtp_uu_decode_depth} + +EOD; + +/* def sf_portscan */ + +$sf_pscan_protocol = "all"; +if (!empty($snortcfg['pscan_protocol'])) + $sf_pscan_protocol = $snortcfg['pscan_protocol']; +$sf_pscan_type = "all"; +if (!empty($snortcfg['pscan_type'])) + $sf_pscan_type = $snortcfg['pscan_type']; +$sf_pscan_memcap = "10000000"; +if (!empty($snortcfg['pscan_memcap'])) + $sf_pscan_memcap = $snortcfg['pscan_memcap']; +$sf_pscan_sense_level = "medium"; +if (!empty($snortcfg['pscan_sense_level'])) + $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; +$sf_pscan_ignore_scanners = "\$HOME_NET"; +if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { + $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])); + $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); +} + +$sf_portscan = <<<EOD +# sf Portscan # +preprocessor sfportscan: \ + scan_type { {$sf_pscan_type} } \ + proto { {$sf_pscan_protocol} } \ + memcap { {$sf_pscan_memcap} } \ + sense_level { {$sf_pscan_sense_level} } \ + ignore_scanners { {$sf_pscan_ignore_scanners} } + +EOD; + +/* def ssh_preproc */ + +$ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); + +// Make sure we have port numbers or else use defaults +if (!isset($ssh_ports) || empty($ssh_ports)) + $ssh_ports = "22"; +$ssh_preproc = <<<EOD +# SSH preprocessor # +preprocessor ssh: \ + server_ports { {$ssh_ports} } \ + autodetect \ + max_client_bytes 19600 \ + max_encrypted_packets 20 \ + max_server_version_len 100 \ + enable_respoverflow enable_ssh1crc32 \ + enable_srvoverflow enable_protomismatch + +EOD; + +/* def other_preprocs */ + +$sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); + +// Make sure we have port numbers or else use defaults +if (!isset($sun_rpc_ports) || empty($sun_rpc_ports)) + $sun_rpc_ports = "111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779"; +$other_preprocs = <<<EOD +# Other preprocs # +preprocessor rpc_decode: \ + {$sun_rpc_ports} \ + no_alert_multiple_requests \ + no_alert_large_fragments \ + no_alert_incomplete + +# Back Orifice preprocessor # +preprocessor bo + +EOD; + +/* def dce_rpc_2 */ + +$dce_rpc_2 = <<<EOD +# DCE/RPC 2 # +preprocessor dcerpc2: \ + memcap 102400, \ + events [co] + +preprocessor dcerpc2_server: default, \ + policy WinXP, \ + detect [smb [{$snort_ports['smb_ports']}], \ + tcp 135, \ + udp 135, \ + rpc-over-http-server 593], \ + autodetect [tcp 1025:, \ + udp 1025:, \ + rpc-over-http-server 1025:], \ + smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] + +EOD; + + +/* def sip_preprocessor */ + +$sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); + +// Make sure we have port numbers or else use defaults +if (!isset($sip_ports) || empty($sip_ports)) + $sip_ports = "5060 5061 5600"; +$sip_preproc = <<<EOD +# SIP preprocessor # +preprocessor sip: \ + max_sessions 40000, \ + ports { {$sip_ports} }, \ + methods { invite \ + cancel \ + ack \ + bye \ + register \ + options \ + refer \ + subscribe \ + update \ + join \ + info \ + message \ + notify \ + benotify \ + do \ + qauth \ + sprack \ + publish \ + service \ + unsubscribe \ + prack }, \ + max_call_id_len 80, \ + max_from_len 256, \ + max_to_len 256, \ + max_via_len 1024, \ + max_requestName_len 50, \ + max_uri_len 512, \ + ignore_call_channel, \ + max_content_len 2048, \ + max_contact_len 512 + +EOD; + +/* def dns_preprocessor */ + +$dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports'])); + +// Make sure we have port numbers or else use defaults +if (!isset($dns_ports) || empty($dns_ports)) + $dns_ports = "53"; +$dns_preprocessor = <<<EOD +# DNS preprocessor # +preprocessor dns: \ + ports { {$dns_ports} } \ + enable_rdata_overflow + +EOD; + +/* def dnp3_preprocessor */ + +$dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS'])); + +// Make sure we have port numbers or else use defaults +if (!isset($dnp3_ports) || empty($dnp3_ports)) + $dnp3_ports = "20000"; +$dnp3_preproc = <<<EOD +# DNP3 preprocessor # +preprocessor dnp3: \ + ports { {$dnp3_ports} } \ + memcap 262144 \ + check_crc + +EOD; + +/* def modbus_preprocessor */ + +$modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS'])); + +// Make sure we have port numbers or else use defaults +if (!isset($modbus_ports) || empty($modbus_ports)) + $modbus_ports = "502"; +$modbus_preproc = <<<EOD +# Modbus preprocessor # +preprocessor modbus: \ + ports { {$modbus_ports} } + +EOD; + +/* def gtp_preprocessor */ + +$gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); + +// Make sure we have port numbers or else use defaults +if (!isset($gtp_ports) || empty($gtp_ports)) + $gtp_ports = "2123 3386 2152"; +$gtp_preproc = <<<EOD +# GTP preprocessor # +preprocessor gtp: \ + ports { {$gtp_ports} } + +EOD; + +/* def ssl_preprocessor */ + +$ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports'])); + +// Make sure we have port numbers or else use defaults +if (!isset($ssl_ports) || empty($ssl_ports)) + $ssl_ports = "443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920"; +$ssl_preproc = <<<EOD +# SSL preprocessor # +preprocessor ssl: \ + ports { {$ssl_ports} }, \ + trustservers, \ + noinspect_encrypted + +EOD; + +/* def sensitive_data_preprocessor */ + +if ($snortcfg['sdf_mask_output'] == "on") + $sdf_mask_output = "\\\n\tmask_output"; +else + $sdf_mask_output = ""; +if (empty($snortcfg['sdf_alert_threshold'])) + $snortcfg['sdf_alert_threshold'] = 25; +$sensitive_data = <<<EOD +# SDF preprocessor # +preprocessor sensitive_data: \ + alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output} + +EOD; + +/* define IP Reputation preprocessor */ + +if (is_array($snortcfg['blist_files']['item'])) { + $blist_files = ""; + $bIsFirst = TRUE; + foreach ($snortcfg['blist_files']['item'] as $blist) { + if ($bIsFirst) { + $blist_files .= "blacklist " . IPREP_PATH . $blist; + $bIsFirst = FALSE; + } + else + $blist_files .= ", \\ \n\tblacklist " . IPREP_PATH . $blist; + } +} +if (is_array($snortcfg['wlist_files']['item'])) { + $wlist_files = ""; + $bIsFirst = TRUE; + foreach ($snortcfg['wlist_files']['item'] as $wlist) { + if ($bIsFirst) { + $wlist_files .= "whitelist " . IPREP_PATH . $wlist; + $bIsFirst = FALSE; + } + else + $wlist_files .= ", \\ \n\twhitelist " . IPREP_PATH . $wlist; + } +} +if (!empty($blist_files)) + $ip_lists = $blist_files; +if (!empty($wlist_files)) + $ip_lists .= ", \\ \n" . $wlist_files; +if ($snortcfg['iprep_scan_local'] == 'on') + $ip_lists .= ", \\ \n\tscan_local"; + +$reputation_preproc = <<<EOD +# IP Reputation preprocessor # +preprocessor reputation: \ + memcap {$snortcfg['iprep_memcap']}, \ + priority {$snortcfg['iprep_priority']}, \ + nested_ip {$snortcfg['iprep_nested_ip']}, \ + white {$snortcfg['iprep_white']}, \ + {$ip_lists} + +EOD; + +/***************************************/ +/* end of preprocessor string var code */ +/***************************************/ + +/* define servers as IP variables */ +$snort_servers = array ( + "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", + "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", + "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", + "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", + "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", + "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", + "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", + "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" + ); + +// Change old name from "var" to new name of "ipvar" for IP variables because +// Snort is deprecating the old "var" name in newer versions. +$ipvardef = ""; +foreach ($snort_servers as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { + $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $avalue = preg_replace('/\s+/', ',', trim($avalue)); + } + $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; +} + +$snort_preproc_libs = array( + "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", + "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", + "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" +); +$snort_preproc = array ( + "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", + "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc" +); +$default_disabled_preprocs = array( + "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat" +); +$snort_preprocessors = ""; +foreach ($snort_preproc as $preproc) { + if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { + + /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ + if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) + continue; + + /* NOTE: The $$ is not a bug. It is an advanced feature of php */ + if (!empty($snort_preproc_libs[$preproc])) { + $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; + if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { + if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { + @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } else + log_error("Could not find the {$preproclib} file. Snort might error out!"); + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } +} +// Remove final trailing newline +$snort_preprocessors = rtrim($snort_preprocessors); + +$snort_misc_include_rules = ""; +if (file_exists("{$snortcfgdir}/reference.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; +if (file_exists("{$snortcfgdir}/classification.config")) + $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; +if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { + $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; + log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); +} + +/* generate rule sections to load */ +/* The files are always configured so the update process is easier */ +$selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; +$selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; +$selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; + +// Remove trailing newlines +$snort_misc_include_rules = rtrim($snort_misc_include_rules); +$selected_rules_sections = rtrim($selected_rules_sections); + +$cksumcheck = "all"; +if ($snortcfg['cksumcheck'] == 'on') + $cksumcheck = "none"; + +/* Pull in user-configurable detection config options */ +$cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; +if ($snortcfg['fpm_split_any_any'] == "on") + $cfg_detect_settings .= " split-any-any"; +if ($snortcfg['fpm_search_optimize'] == "on") + $cfg_detect_settings .= " search-optimize"; +if ($snortcfg['fpm_no_stream_inserts'] == "on") + $cfg_detect_settings .= " no_stream_inserts"; + +/* Pull in user-configurable options for Frag3 preprocessor settings */ +/* Get global Frag3 options first and put into a string */ +$frag3_global = "preprocessor frag3_global: "; +if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") + $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; +else + $frag3_global .= "memcap 4194304, "; +if (!empty($snortcfg['frag3_max_frags'])) + $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; +else + $frag3_global .= "max_frags 8192"; +if ($snortcfg['frag3_detection'] == "off") + $frag3_global .= ", disabled"; + +$frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", + "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", + "overlap_limit" => 0, "min_frag_len" => 0 ); +$frag3_engine = ""; + +// Now iterate configured Frag3 engines and write them to a string if enabled +if ($snortcfg['frag3_detection'] == "on") { + if (!is_array($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'] = array(); + + // If no frag3 tcp engine is configured, use the default + if (empty($snortcfg['frag3_engine']['item'])) + $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; + + foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { + $frag3_engine .= "preprocessor frag3_engine: "; + $frag3_engine .= "policy {$v['policy']}"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; + else + $frag3_engine .= " \\\n\tbind_to {$tmp}"; + } + else + log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); + } + $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; + $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; + if ($v['detect_anomalies'] == "on") { + $frag3_engine .= " \\\n\tdetect_anomalies"; + $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; + $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; + } + // Add newlines to terminate this engine + $frag3_engine .= "\n\n"; + } + // Remove trailing newline + $frag3_engine = rtrim($frag3_engine); +} + +// Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs +$paf_max_pdu_config = "config paf_max: "; +if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') + $paf_max_pdu_config .= "0"; +else + $paf_max_pdu_config .= $snortcfg['max_paf']; + +// Pull in user-configurable options for Stream5 preprocessor settings +// Get global options first and put into a string +$stream5_global = "preprocessor stream5_global: \\\n"; +if ($snortcfg['stream5_reassembly'] == "off") + $stream5_global .= "\tdisabled, \\\n"; +if ($snortcfg['stream5_track_tcp'] == "off") + $stream5_global .= "\ttrack_tcp no,"; +else { + $stream5_global .= "\ttrack_tcp yes,"; + if (!empty($snortcfg['stream5_max_tcp'])) + $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; + else + $stream5_global .= " \\\n\tmax_tcp 262144,"; +} +if ($snortcfg['stream5_track_udp'] == "off") + $stream5_global .= " \\\n\ttrack_udp no,"; +else { + $stream5_global .= " \\\n\ttrack_udp yes,"; + if (!empty($snortcfg['stream5_max_udp'])) + $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; + else + $stream5_global .= " \\\n\tmax_udp 131072,"; +} +if ($snortcfg['stream5_track_icmp'] == "on") { + $stream5_global .= " \\\n\ttrack_icmp yes,"; + if (!empty($snortcfg['stream5_max_icmp'])) + $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; + else + $stream5_global .= " \\\n\tmax_icmp 65536,"; +} +else + $stream5_global .= " \\\n\ttrack_icmp no,"; +if (!empty($snortcfg['stream5_mem_cap'])) + $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; +else + $stream5_global .= " \\\n\tmemcap 8388608,"; + +if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') + $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; +else + $stream5_global .= " \\\n\tprune_log_max 1048576"; +if ($snortcfg['stream5_flush_on_alert'] == "on") + $stream5_global .= ", \\\n\tflush_on_alert"; + +$stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, + "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, + "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, + "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, + "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", + "ports_both" => "default", "ports_server" => "none" ); +$stream5_tcp_engine = ""; + +// Now iterate configured Stream5 TCP engines and write them to a string if enabled +if ($snortcfg['stream5_reassembly'] == "on") { + if (!is_array($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'] = array(); + + // If no stream5 tcp engine is configured, use the default + if (empty($snortcfg['stream5_tcp_engine']['item'])) + $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; + + foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { + $buffer = "preprocessor stream5_tcp: "; + $buffer .= "policy {$v['policy']},"; + if ($v['bind_to'] <> "all") { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ',', $tmp); + if (strpos($tmp, ",") !== false) + $buffer .= " \\\n\tbind_to [{$tmp}],"; + else + $buffer .= " \\\n\tbind_to {$tmp},"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); + continue; + } + } + $stream5_tcp_engine .= $buffer; + $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; + $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; + $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; + $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; + if ($v['use_static_footprint_sizes'] == "on") + $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; + if ($v['check_session_hijacking'] == "on") + $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; + if ($v['dont_store_lg_pkts'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; + if ($v['no_reassemble_async'] == "on") + $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; + if ($v['detect_anomalies'] == "on") + $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; + if ($v['require_3whs'] == "on") + $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; + if (!empty($v['ports_client'])) { + $stream5_tcp_engine .= ", \\\n\tports client"; + if ($v['ports_client'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_client'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_client}"; + else { + $tmp = trim(filter_expand_alias($v['ports_client'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_client}"; + log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_both'])) { + $stream5_tcp_engine .= ", \\\n\tports both"; + if ($v['ports_both'] == " all") + $stream5_tcp_engine .= " all"; + elseif ($v['ports_both'] == "default") + $stream5_tcp_engine .= " {$stream5_ports_both}"; + else { + $tmp = trim(filter_expand_alias($v['ports_both'])); + if (!empty($tmp)) + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + else { + $stream5_tcp_engine .= " {$stream5_ports_both}"; + log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); + } + } + } + if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { + if ($v['ports_server'] == " all") { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " all"; + } + else { + $tmp = trim(filter_expand_alias($v['ports_server'])); + if (!empty($tmp)) { + $stream5_tcp_engine .= ", \\\n\tports server"; + $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); + } + else + log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); + } + } + + // Make sure the "ports" parameter is set, or else default to a safe value + if (strpos($stream5_tcp_engine, "ports ") === false) + $stream5_tcp_engine .= ", \\\n\tports both all"; + + // Add a pair of newlines to terminate this engine + $stream5_tcp_engine .= "\n\n"; + } + // Trim off the final trailing newline + $stream5_tcp_engine = rtrim($stream5_tcp_engine); +} + +// Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled +if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") + $stream5_udp_engine = ""; +else { + $stream5_udp_engine = "preprocessor stream5_udp: "; + if (!empty($snortcfg['stream5_udp_timeout'])) + $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; + else + $stream5_udp_engine .= "timeout 30"; +} + +// Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled +if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { + $stream5_icmp_engine = "preprocessor stream5_icmp: "; + if (!empty($snortcfg['stream5_icmp_timeout'])) + $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; + else + $stream5_icmp_engine .= "timeout 30"; +} +else + $stream5_icmp_engine = ""; + +// Check for and configure Host Attribute Table if enabled +$host_attrib_config = ""; +if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { + @file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); + $host_attrib_config = "# Host Attribute Table #\n"; + $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; + if (!empty($snortcfg['max_attribute_hosts'])) + $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; + if (!empty($snortcfg['max_attribute_services_per_host'])) + $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; +} + +// Configure the HTTP_INSPECT preprocessor +// Get global options first and put into a string +$http_inspect_global = "preprocessor http_inspect: global "; +if ($snortcfg['http_inspect'] == "off") + $http_inspect_global .= "disabled "; +$http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; +$http_inspect_global .= "\tcompress_depth 65535 \\\n"; +$http_inspect_global .= "\tdecompress_depth 65535 \\\n"; +if (!empty($snortcfg['http_inspect_memcap'])) + $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; +else + $http_inspect_global .= "\tmemcap 150994944 \\\n"; +if (!empty($snortcfg['http_inspect_max_gzip_mem'])) + $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; +else + $http_inspect_global .= "\tmax_gzip_mem 838860"; +if ($snortcfg['http_inspect_proxy_alert'] == "on") + $http_inspect_global .= " \\\n\tproxy_alert"; + +$http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", + "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", + "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", + "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", + "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", + "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, + "max_header_length" => 0, "ports" => "default" ); +$http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); +$http_inspect_servers = ""; + +// Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled +if ($snortcfg['http_inspect'] <> "off") { + if (!is_array($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'] = array(); + + // If no http_inspect_engine is configured, use the default + if (empty($snortcfg['http_inspect_engine']['item'])) + $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; + + foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { + $buffer = "preprocessor http_inspect_server: \\\n"; + if ($v['name'] == "default") + $buffer .= "\tserver default \\\n"; + elseif (is_alias($v['bind_to'])) { + $tmp = trim(filter_expand_alias($v['bind_to'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $buffer .= "\tserver { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + } + else { + log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); + continue; + } + $http_inspect_servers .= $buffer; + $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; + + if ($v['no_alerts'] == "on") + $http_inspect_servers .= "\tno_alerts \\\n"; + + if ($v['ports'] == "default" || empty($v['ports'])) + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + elseif (is_alias($v['ports'])) { + $tmp = trim(filter_expand_alias($v['ports'])); + if (!empty($tmp)) { + $tmp = preg_replace('/\s+/', ' ', $tmp); + $tmp = snort_expand_port_range($tmp, ' '); + $http_inspect_servers .= "\tports { {$tmp} } \\\n"; + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + } + else { + log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); + $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; + } + + $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; + $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; + $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; + $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; + $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; + $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; + $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; + if ($v['enable_xff'] == "on") + $http_inspect_servers .= " \\\n\tenable_xff"; + if ($v['enable_cookie'] == "on") + $http_inspect_servers .= " \\\n\tenable_cookie"; + if ($v['normalize_cookies'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_cookies"; + if ($v['normalize_headers'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_headers"; + if ($v['normalize_utf'] == "on") + $http_inspect_servers .= " \\\n\tnormalize_utf"; + if ($v['allow_proxy_use'] == "on") + $http_inspect_servers .= " \\\n\tallow_proxy_use"; + if ($v['inspect_uri_only'] == "on") + $http_inspect_servers .= " \\\n\tinspect_uri_only"; + if ($v['extended_response_inspection'] == "on") { + $http_inspect_servers .= " \\\n\textended_response_inspection"; + if ($v['inspect_gzip'] == "on") { + $http_inspect_servers .= " \\\n\tinspect_gzip"; + if ($v['unlimited_decompress'] == "on") + $http_inspect_servers .= " \\\n\tunlimited_decompress"; + } + if ($v['normalize_javascript'] == "on") { + $http_inspect_servers .= " \\\n\tnormalize_javascript"; + $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; + } + } + if ($v['log_uri'] == "on") + $http_inspect_servers .= " \\\n\tlog_uri"; + if ($v['log_hostname'] == "on") + $http_inspect_servers .= " \\\n\tlog_hostname"; + + // Add a pair of trailing newlines to terminate this server config + $http_inspect_servers .= "\n\n"; + } + /* Trim off the final trailing newline */ + $http_inspect_server = rtrim($http_inspect_server); +} + +?> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index c82ec57e..8b2ca2bb 100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -45,6 +45,9 @@ $a_nat = &$config['installedpackages']['snortglobal']['rule']; // Calculate the index of the next added Snort interface $id_gen = count($config['installedpackages']['snortglobal']['rule']); +// Get list of configured firewall interfaces +$ifaces = get_configured_interface_list(); + if (isset($_POST['del_x'])) { /* Delete selected Snort interfaces */ if (is_array($_POST['rule'])) { @@ -73,7 +76,7 @@ if (isset($_POST['del_x'])) { snort_create_rc(); else { conf_mount_rw(); - @unlink("{$rcdir}/snort.sh"); + @unlink("{$rcdir}snort.sh"); conf_mount_ro(); } @@ -173,18 +176,33 @@ include_once("fbegin.inc"); <tr id="frheader"> <td width="3%" class="list"> </td> <td width="10%" class="listhdrr"><?php echo gettext("Interface"); ?></td> - <td width="13%" class="listhdrr"><?php echo gettext("Snort"); ?></td> + <td width="14%" class="listhdrr"><?php echo gettext("Snort"); ?></td> <td width="10%" class="listhdrr"><?php echo gettext("Performance"); ?></td> <td width="10%" class="listhdrr"><?php echo gettext("Block"); ?></td> <td width="12%" class="listhdrr"><?php echo gettext("Barnyard2"); ?></td> - <td width="30%" class="listhdr"><?php echo gettext("Description"); ?></td> - <td width="3%" class="list"> + <td width="32%" class="listhdr"><?php echo gettext("Description"); ?></td> + <td class="list"> <table border="0" cellspacing="0" cellpadding="0"> <tr> - <td></td> - <td align="center" valign="middle"><a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" - width="17" height="17" border="0" title="<?php echo gettext('Add Snort interface mapping');?>"></a></td> + <td class="list" valign="middle"> + <?php if ($id_gen < count($ifaces)): ?> + <a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="<?php echo gettext('Add Snort interface mapping');?>"></a> + <?php else: ?> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus_d.gif" width="17" height="17" border="0" + title="<?php echo gettext('No available interfaces for a new Snort mapping');?>"> + <?php endif; ?> + </td> + <td class="list" valign="middle"> + <?php if ($id_gen == 0): ?> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" " border="0"> + <?php else: ?> + <input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" title="<?php echo gettext("Delete selected Snort interface mapping(s)"); ?>" + onclick="return intf_del()"> + <?php endif; ?> + </td> </tr> </table> </td> @@ -317,10 +335,20 @@ include_once("fbegin.inc"); <td valign="middle" class="list" nowrap> <table border="0" cellspacing="0" cellpadding="0"> <tr> - <td><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img + <td class="list" valign="middle"><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="<?php echo gettext('Edit Snort interface mapping'); ?>"></a> </td> + <td class="list" valign="middle"> + <?php if ($id_gen < count($ifaces)): ?> + <a href="snort_interfaces_edit.php?id=<?=$i;?>&action=dup"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="<?php echo gettext('Add new interface mapping based on this one'); ?>"></a> + <?php else: ?> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus_d.gif" width="17" height="17" border="0" + title="<?php echo gettext('No available interfaces for a new Snort mapping');?>"> + <?php endif; ?> + </td> </tr> </table> </td> @@ -337,14 +365,25 @@ include_once("fbegin.inc"); <td class="list" valign="middle" nowrap> <table border="0" cellspacing="0" cellpadding="0"> <tr> - <td><?php if ($nnats == 0): ?><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" - width="17" height="17" " border="0"> - <?php else: ?> - <input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" - width="17" height="17" title="<?php echo gettext("Delete selected Snort interface mapping(s)"); ?>" - onclick="return intf_del()"> - <?php endif; ?></td> + <td class="list"> + <?php if ($id_gen < count($ifaces)): ?> + <a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" + width="17" height="17" border="0" title="<?php echo gettext('Add Snort interface mapping');?>"></a> + <?php else: ?> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus_d.gif" width="17" height="17" border="0" + title="<?php echo gettext('No available interfaces for a new Snort mapping');?>"> + <?php endif; ?> + </td> + <td class="list"> + <?php if ($id_gen == 0): ?> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" " border="0"> + <?php else: ?> + <input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" + width="17" height="17" title="<?php echo gettext("Delete selected Snort interface mapping(s)"); ?>" + onclick="return intf_del()"> + <?php endif; ?> + </td> </tr> </table> </td> diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 4c868844..ca8d03ee 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -55,6 +55,13 @@ if (is_null($id)) { exit; } +if (isset($_POST['action'])) + $action = htmlspecialchars($_POST['action'], ENT_QUOTES | ENT_HTML401); +elseif (isset($_GET['action'])) + $action = htmlspecialchars($_GET['action'], ENT_QUOTES | ENT_HTML401); +else + $action = ""; + $pconfig = array(); if (empty($snortglob['rule'][$id]['uuid'])) { /* Adding new interface, so flag rules to build. */ @@ -107,7 +114,36 @@ if (empty($pconfig['blockoffendersip'])) if (empty($pconfig['performance'])) $pconfig['performance'] = "ac-bnfa"; -if ($_POST["save"]) { +// See if creating a new interface by duplicating an existing one +if (strcasecmp($action, 'dup') == 0) { + + // Try to pick the next available physical interface to use + $ifaces = get_configured_interface_list(); + $ifrules = array(); + foreach($a_rule as $r) + $ifrules[] = $r['interface']; + foreach ($ifaces as $i) { + if (!in_array($i, $ifrules)) { + $pconfig['interface'] = $i; + $pconfig['enable'] = 'on'; + $pconfig['descr'] = strtoupper($i); + break; + } + } + if (count($ifrules) == count($ifaces)) { + $input_errors[] = gettext("No more available interfaces to configure for Snort!"); + $interfaces = array(); + $pconfig = array(); + } + + // Set Home Net, External Net, Suppress List and Pass List to defaults + unset($pconfig['suppresslistname']); + unset($pconfig['whitelistname']); + unset($pconfig['homelistname']); + unset($pconfig['externallistname']); +} + +if ($_POST["save"] && !$input_errors) { if (!isset($_POST['interface'])) $input_errors[] = "Interface is mandatory"; @@ -121,6 +157,23 @@ if ($_POST["save"]) { } } + // If Snort is disabled on this interface, stop any running instance, + // save the change, and exit. + if ($_POST['enable'] != 'on') { + $a_rule[$id]['enable'] = $_POST['enable'] ? 'on' : 'off'; + snort_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface'])); + write_config("Snort pkg: modified interface configuration for {$a_rule[$id]['interface']}."); + $rebuild_rules = false; + sync_snort_package_config(); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /snort/snort_interfaces.php"); + exit; + } + /* if no errors write to conf */ if (!$input_errors) { $natent = $a_rule[$id]; @@ -157,7 +210,7 @@ if ($_POST["save"]) { if ($_POST['fpm_no_stream_inserts'] == "on") { $natent['fpm_no_stream_inserts'] = 'on'; }else{ $natent['fpm_no_stream_inserts'] = 'off'; } $if_real = get_real_interface($natent['interface']); - if (isset($id) && $a_rule[$id]) { + if (isset($id) && $a_rule[$id] && $action == '') { // See if moving an existing Snort instance to another physical interface if ($natent['interface'] != $a_rule[$id]['interface']) { $oif_real = get_real_interface($a_rule[$id]['interface']); @@ -173,7 +226,15 @@ if ($_POST["save"]) { conf_mount_ro(); } $a_rule[$id] = $natent; - } else { + } + elseif (strcasecmp($action, 'dup') == 0) { + // Duplicating a new interface, so set flag to build new rules + $rebuild_rules = true; + + // Add the new duplicated interface configuration to the [rule] array in config + $a_rule[] = $natent; + } + else { // Adding new interface, so set required interface configuration defaults $frag3_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", @@ -221,11 +282,35 @@ if ($_POST["save"]) { $natent['ftp_server_engine']['item'][] = $ftp_server_eng; $natent['smtp_preprocessor'] = 'on'; + $natent['smtp_memcap'] = "838860"; + $natent['smtp_max_mime_mem'] = "838860"; + $natent['smtp_b64_decode_depth'] = "0"; + $natent['smtp_qp_decode_depth'] = "0"; + $natent['smtp_bitenc_decode_depth'] = "0"; + $natent['smtp_uu_decode_depth'] = "0"; + $natent['smtp_email_hdrs_log_depth'] = "1464"; + $natent['smtp_ignore_data'] = 'off'; + $natent['smtp_ignore_tls_data'] = 'on'; + $natent['smtp_log_mail_from'] = 'on'; + $natent['smtp_log_rcpt_to'] = 'on'; + $natent['smtp_log_filename'] = 'on'; + $natent['smtp_log_email_hdrs'] = 'on'; + $natent['dce_rpc_2'] = 'on'; $natent['dns_preprocessor'] = 'on'; $natent['ssl_preproc'] = 'on'; $natent['pop_preproc'] = 'on'; + $natent['pop_memcap'] = "838860"; + $natent['pop_b64_decode_depth'] = "0"; + $natent['pop_qp_decode_depth'] = "0"; + $natent['pop_bitenc_decode_depth'] = "0"; + $natent['pop_uu_decode_depth'] = "0"; $natent['imap_preproc'] = 'on'; + $natent['imap_memcap'] = "838860"; + $natent['imap_b64_decode_depth'] = "0"; + $natent['imap_qp_decode_depth'] = "0"; + $natent['imap_bitenc_decode_depth'] = "0"; + $natent['imap_uu_decode_depth'] = "0"; $natent['sip_preproc'] = 'on'; $natent['other_preprocs'] = 'on'; @@ -326,6 +411,7 @@ include_once("head.inc"); <form action="snort_interfaces_edit.php" method="post" name="iform" id="iform"> <input name="id" type="hidden" value="<?=$id;?>"/> +<input name="action" type="hidden" value="<?=$action;?>"/> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 69a182bd..849dea8f 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -63,6 +63,8 @@ if (empty($pconfig['snortloglimit'])) $pconfig['snortloglimit'] = 'on'; if (!isset($pconfig['rule_update_starttime'])) $pconfig['rule_update_starttime'] = '00:05'; +if (!isset($config['installedpackages']['snortglobal']['forcekeepsettings'])) + $pconfig['forcekeepsettings'] = 'on'; if ($_POST['rule_update_starttime']) { if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime'])) @@ -390,7 +392,7 @@ if ($input_errors) <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Snort Settings After Deinstall"); ?></td> <td width="78%" class="vtable"><input name="forcekeepsettings" id="forcekeepsettings" type="checkbox" value="yes" - <?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?> + <?php if ($pconfig['forcekeepsettings']=="on") echo "checked"; ?> > <?php echo gettext("Settings will not be removed during package deinstallation."); ?></td> </tr> <tr> diff --git a/config/snort/snort_ip_reputation.php b/config/snort/snort_ip_reputation.php index 3de8c661..c3536e89 100644 --- a/config/snort/snort_ip_reputation.php +++ b/config/snort/snort_ip_reputation.php @@ -162,7 +162,9 @@ if ($_POST['save'] || $_POST['apply']) { // Update the snort conf file for this interface $rebuild_rules = false; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); // Soft-restart Snort to live-load new variables snort_reload_config($a_nat[$id]); diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index d524e9f3..49ab95d5 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -357,6 +357,100 @@ foreach ($rule as &$r) { $updated_cfg = true; } + // Migrate new POP3 preprocessor parameter settings + if (empty($pconfig['pop_memcap'])) { + $pconfig['pop_memcap'] = "838860"; + $updated_cfg = true; + } + if (empty($pconfig['pop_b64_decode_depth']) && $pconfig['pop_b64_decode_depth'] != '0') { + $pconfig['pop_b64_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['pop_qp_decode_depth']) && $pconfig['pop_qp_decode_depth'] != '0') { + $pconfig['pop_qp_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['pop_bitenc_decode_depth']) && $pconfig['pop_bitenc_decode_depth'] != '0') { + $pconfig['pop_bitenc_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['pop_uu_decode_depth']) && $pconfig['pop_uu_decode_depth'] != '0') { + $pconfig['pop_uu_decode_depth'] = "0"; + $updated_cfg = true; + } + + // Migrate new IMAP preprocessor parameter settings + if (empty($pconfig['imap_memcap'])) { + $pconfig['imap_memcap'] = "838860"; + $updated_cfg = true; + } + if (empty($pconfig['imap_b64_decode_depth']) && $pconfig['imap_b64_decode_depth'] != '0') { + $pconfig['imap_b64_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['imap_qp_decode_depth']) && $pconfig['imap_qp_decode_depth'] != '0') { + $pconfig['imap_qp_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['imap_bitenc_decode_depth']) && $pconfig['imap_bitenc_decode_depth'] != '0') { + $pconfig['imap_bitenc_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['imap_uu_decode_depth']) && $pconfig['imap_uu_decode_depth'] != '0') { + $pconfig['imap_uu_decode_depth'] = "0"; + $updated_cfg = true; + } + + // Migrate new SMTP preprocessor parameter settings + if (empty($pconfig['smtp_memcap'])) { + $pconfig['smtp_memcap'] = "838860"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_max_mime_mem'])) { + $pconfig['smtp_max_mime_mem'] = "838860"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_b64_decode_depth'])) { + $pconfig['smtp_b64_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_qp_decode_depth'])) { + $pconfig['smtp_qp_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_bitenc_decode_depth'])) { + $pconfig['smtp_bitenc_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_uu_decode_depth'])) { + $pconfig['smtp_uu_decode_depth'] = "0"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_email_hdrs_log_depth']) && $pconfig['smtp_email_hdrs_log_depth'] != '0') { + $pconfig['smtp_email_hdrs_log_depth'] = "1464"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_ignore_tls_data'])) { + $pconfig['smtp_ignore_tls_data'] = 'on'; + $updated_cfg = true; + } + if (empty($pconfig['smtp_log_mail_from'])) { + $pconfig['smtp_log_mail_from'] = 'on'; + $updated_cfg = true; + } + if (empty($pconfig['smtp_log_rcpt_to'])) { + $pconfig['smtp_log_rcpt_to'] = 'on'; + $updated_cfg = true; + } + if (empty($pconfig['smtp_log_filename'])) { + $pconfig['smtp_log_filename'] = 'on'; + $updated_cfg = true; + } + if (empty($pconfig['smtp_log_email_hdrs'])) { + $pconfig['smtp_log_email_hdrs'] = 'on'; + $updated_cfg = true; + } + // Save the new configuration data into the $config array pointer $r = $pconfig; } @@ -365,7 +459,7 @@ unset($r); // Write out the new configuration to disk if we changed anything if ($updated_cfg) { - $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.13"; + $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1"; log_error("[Snort] Saving configuration settings in new format..."); write_config("Snort pkg: migrate existing settings to new format as part of package upgrade."); log_error("[Snort] Settings successfully migrated to new configuration format..."); diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index 6b645df5..b36578b8 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php @@ -48,1328 +48,6 @@ $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $rcdir = RCFILEPREFIX; -// This is a hack to workaround the caching of the old "snort.inc" by the -// Package Manager installation code. We need this new function which is -// in the new snort.inc file during post-installation. -if (!function_exists('snort_expand_port_range')) { - function snort_expand_port_range($ports, $delim = ',') { - // Split the incoming string on the specified delimiter - $tmp = explode($delim, $ports); - - // Look for any included port range and expand it - foreach ($tmp as $val) { - if (is_portrange($val)) { - $start = strtok($val, ":"); - $end = strtok(":"); - if ($end !== false) { - $val = $start . $delim; - for ($i = intval($start) + 1; $i < intval($end); $i++) - $val .= strval($i) . $delim; - $val .= $end; - } - } - $value .= $val . $delim; - } - - // Remove any trailing delimiter in return value - return trim($value, $delim); - } -} - -// This function mirrors the "snort_generate_conf()" function in the -// "snort.inc" file. It is here with a modified name as a workaround -// so that functionality built into the new package version can be -// implemented during installation. During a package reinstall, the -// Package Manager will cache the old version of "snort.inc" and thus -// new features are not available from the new "snort.inc" file in the -// new package. -function snort_build_new_conf($snortcfg) { - - global $config, $g, $rebuild_rules; - - $snortdir = SNORTDIR; - $snortlibdir = SNORTLIBDIR; - $snortlogdir = SNORTLOGDIR; - $flowbit_rules_file = FLOWBITS_FILENAME; - $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; - - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - - conf_mount_rw(); - - /* See if we should protect and not modify the preprocessor rules files */ - if (!empty($snortcfg['protect_preproc_rules'])) - $protect_preproc_rules = $snortcfg['protect_preproc_rules']; - else - $protect_preproc_rules = "off"; - - $if_real = get_real_interface($snortcfg['interface']); - $snort_uuid = $snortcfg['uuid']; - $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; - - /* custom home nets */ - $home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']); - $home_net = implode(",", $home_net_list); - - $external_net = '!$HOME_NET'; - if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') { - $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']); - $external_net = implode(",", $external_net_list); - } - - /* user added arguments */ - $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); - // Remove the trailing newline - $snort_config_pass_thru = rtrim($snort_config_pass_thru); - - /* create a few directories and ensure the sample files are in place */ - $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules", - "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", - "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", - "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "{$snortlibdir}/dynamicrules", - "dynamicengine" => "{$snortlibdir}/dynamicengine", - "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" - ); - foreach ($snort_dirs as $dir) { - if (!is_dir($dir)) - safe_mkdir($dir); - } - - /********************************************************************/ - /* For fail-safe on an initial startup following installation, and */ - /* before a rules update has occurred, copy the default config */ - /* files to the interface directory. If files already exist in */ - /* the interface directory, or they are newer, that means a rule */ - /* update has been done and we should leave the customized files */ - /* put in place by the rules update process. */ - /********************************************************************/ - $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd", - "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", - "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" - ); - foreach ($snort_files as $file) { - if (file_exists("{$snortdir}/{$file}")) { - $ftime = filemtime("{$snortdir}/{$file}"); - if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) - @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); - } - } - - /* define alertsystemlog */ - $alertsystemlog_type = ""; - if ($snortcfg['alertsystemlog'] == "on") - $alertsystemlog_type = "output alert_syslog: log_alert"; - - /* define snortunifiedlog */ - $snortunifiedlog_type = ""; - if ($snortcfg['barnyard_enable'] == "on") { - if (isset($snortcfg['unified2_log_limit'])) - $u2_log_limit = "limit {$snortcfg['unified2_log_limit']}"; - else - $u2_log_limit = "limit 128"; - - $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}"; - if ($snortcfg['barnyard_log_vlan_events'] == 'on') - $snortunifiedlog_type .= ", vlan_event_types"; - if ($snortcfg['barnyard_log_mpls_events'] == 'on') - $snortunifiedlog_type .= ", mpls_event_types"; - } - - /* define spoink */ - $spoink_type = ""; - if ($snortcfg['blockoffenders7'] == "on") { - $pfkill = ""; - if ($snortcfg['blockoffenderskill'] == "on") - $pfkill = "kill"; - $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); - /* write whitelist */ - @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); - $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; - } - - /* define selected suppress file */ - $suppress_file_name = ""; - $suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress'); - if (!empty($suppress)) { - $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru'])); - @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data); - $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}"; - } - - /* set the snort performance model */ - $snort_performance = "ac-bnfa"; - if(!empty($snortcfg['performance'])) - $snort_performance = $snortcfg['performance']; - - /* if user has defined a custom ssh port, use it */ - if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port'])) - $ssh_port = $config['system']['ssh']['port']; - else - $ssh_port = "22"; - - /* Define an array of default values for the various preprocessor ports */ - $snort_ports = array( - "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", - "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712", - "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23", - "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, - "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", - "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", - "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", - "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", - "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", - "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", - "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", - "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", - "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", - "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", - "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", - "GTP_PORTS" => "2123,2152,3386" - ); - - /* Check for defined Aliases that may override default port settings as we build the portvars array */ - $portvardef = ""; - foreach ($snort_ports as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); - $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); - $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; - } - - /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */ - $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n"; - $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n"; - $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n"; - $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n"; - $stream5_ports_client .= "\t 32778 32779"; - $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n"; - $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n"; - $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n"; - $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n"; - $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n"; - $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n"; - $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n"; - $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n"; - $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n"; - $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n"; - $stream5_ports_both .= "\t 55555 56712"; - - ///////////////////////////// - /* preprocessor code */ - /* def perform_stat */ - $perform_stat = <<<EOD -# Performance Statistics # -preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000 - -EOD; - - /* def ftp_preprocessor */ - $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); - $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); - - // Configure FTP_Telnet global options - $ftp_telnet_globals = "inspection_type "; - if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; } - if ($snortcfg['ftp_telnet_alert_encrypted'] == "on") - $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes"; - else - $ftp_telnet_globals .= " \\\n\tencrypted_traffic no"; - if ($snortcfg['ftp_telnet_check_encrypted'] == "on") - $ftp_telnet_globals .= " \\\n\tcheck_encrypted"; - - // Configure FTP_Telnet Telnet protocol options - $ftp_telnet_protocol = "ports { {$telnet_ports} }"; - if ($snortcfg['ftp_telnet_normalize'] == "on") - $ftp_telnet_protocol .= " \\\n\tnormalize"; - if ($snortcfg['ftp_telnet_detect_anomalies'] == "on") - $ftp_telnet_protocol .= " \\\n\tdetect_anomalies"; - if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') { - $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh "; - if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "") - $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold']; - else - $ftp_telnet_protocol .= "20"; - } - - // Setup the standard FTP commands used for all FTP Server engines - $ftp_cmds = <<<EOD - ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \ - ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \ - ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \ - ftp_cmds { LPSV MACB MAIL MDTM MFMT MIC MKD MLSD MLST } \ - ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \ - ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \ - ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \ - ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \ - ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \ - ftp_cmds { XSEN XSHA1 XSHA256 } \ - alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \ - alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \ - alt_max_param_len 256 { CWD RNTO } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { MFMT SIZE } \ - chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \ - chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \ - chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \ - chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \ - chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \ - chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \ - chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ - chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ - cmd_validity MACB < string > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity PORT < host_port > \ - cmd_validity PROT < char CSEP > \ - cmd_validity STRU < char FRPO [ string ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > - -EOD; - - // Configure all the FTP_Telnet FTP protocol options - // Iterate and configure the FTP Client engines - $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256, - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" ); - - if (!is_array($snortcfg['ftp_client_engine']['item'])) - $snortcfg['ftp_client_engine']['item'] = array(); - - // If no FTP client engine is configured, use the default - // to keep from breaking Snort. - if (empty($snortcfg['ftp_client_engine']['item'])) - $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine; - $ftp_client_engine = ""; - - foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) { - $buffer = "preprocessor ftp_telnet_protocol: ftp client "; - if ($v['name'] == "default" && $v['bind_to'] == "all") - $buffer .= "default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "{$tmp} \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); - continue; - } - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry."); - continue; - } - - if ($v['max_resp_len'] == "") - $buffer .= "\tmax_resp_len 256 \\\n"; - else - $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n"; - - $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; - $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; - - if ($v['bounce'] == "yes") { - if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) { - $net = trim(filter_expand_alias($v['bounce_to_net'])); - $port = trim(filter_expand_alias($v['bounce_to_port'])); - if (!empty($net) && !empty($port) && - snort_is_single_addr_alias($v['bounce_to_net']) && - (is_port($port) || is_portrange($port))) { - $port = preg_replace('/\s+/', ',', $port); - // Change port range delimiter to comma for ftp_telnet client preprocessor - if (is_portrange($port)) - $port = str_replace(":", ",", $port); - $buffer .= "\tbounce yes \\\n"; - $buffer .= "\tbounce_to { {$net},{$port} }\n"; - } - else { - // One or both of the BOUNCE_TO alias values is not right, - // so figure out which and log an appropriate error. - if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net'])) - log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); - if (empty($port) || !(is_port($port) || is_portrange($port))) - log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine."); - $buffer .= "\tbounce yes\n"; - } - } - else - $buffer .= "\tbounce yes\n"; - } - else - $buffer .= "\tbounce no\n"; - - // Add this FTP client engine to the master string - $ftp_client_engine .= "{$buffer}\n"; - } - // Trim final trailing newline - rtrim($ftp_client_engine); - - // Iterate and configure the FTP Server engines - $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default", - "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes", - "ignore_data_chan" => "no", "def_max_param_len" => 100 ); - - if (!is_array($snortcfg['ftp_server_engine']['item'])) - $snortcfg['ftp_server_engine']['item'] = array(); - - // If no FTP server engine is configured, use the default - // to keep from breaking Snort. - if (empty($snortcfg['ftp_server_engine']['item'])) - $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine; - $ftp_server_engine = ""; - - foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) { - $buffer = "preprocessor ftp_telnet_protocol: ftp server "; - if ($v['name'] == "default" && $v['bind_to'] == "all") - $buffer .= "default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "{$tmp} \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); - continue; - } - } - else { - log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry."); - continue; - } - - if ($v['def_max_param_len'] == "") - $buffer .= "\tdef_max_param_len 100 \\\n"; - elseif ($v['def_max_param_len'] <> '0') - $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n"; - - if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports'])) - $buffer .= "\tports { {$ftp_ports} } \\\n"; - elseif (is_alias($v['ports'])) { - $tmp = trim(filter_expand_alias($v['ports'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $tmp = snort_expand_port_range($tmp, ' '); - $buffer .= "\tports { {$tmp} } \\\n"; - } - else { - log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults."); - $buffer .= "\tports { {$ftp_ports} } \\\n"; - } - } - - $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n"; - $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n"; - if ($v['ignore_data_chan'] == "yes") - $buffer .= "\tignore_data_chan yes \\\n"; - $buffer .= "{$ftp_cmds}\n"; - - // Add this FTP server engine to the master string - $ftp_server_engine .= $buffer; - } - // Remove trailing newlines - rtrim($ftp_server_engine); - - $ftp_preprocessor = <<<EOD -# ftp_telnet preprocessor # -preprocessor ftp_telnet: global \ - {$ftp_telnet_globals} - -preprocessor ftp_telnet_protocol: telnet \ - {$ftp_telnet_protocol} - -{$ftp_server_engine} -{$ftp_client_engine} -EOD; - - $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); - $pop_preproc = <<<EOD -# POP preprocessor # -preprocessor pop: \ - ports { {$pop_ports} } \ - memcap 1310700 \ - qp_decode_depth 0 \ - b64_decode_depth 0 \ - bitenc_decode_depth 0 - -EOD; - - $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports'])); - $imap_preproc = <<<EOD -# IMAP preprocessor # -preprocessor imap: \ - ports { {$imap_ports} } \ - memcap 1310700 \ - qp_decode_depth 0 \ - b64_decode_depth 0 \ - bitenc_decode_depth 0 - -EOD; - - $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports'])); - /* def smtp_preprocessor */ - $smtp_preprocessor = <<<EOD -# SMTP preprocessor # -preprocessor SMTP: \ - ports { {$smtp_ports} } \ - inspection_type stateful \ - normalize cmds \ - ignore_tls_data \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \ - NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \ - STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \ - XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \ - IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \ - ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \ - XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } \ - log_mailfrom \ - log_rcptto \ - log_email_hdrs \ - email_hdrs_log_depth 1464 \ - log_filename \ - qp_decode_depth 0 \ - b64_decode_depth 0 \ - bitenc_decode_depth 0 \ - uu_decode_depth 0 - -EOD; - - /* def sf_portscan */ - $sf_pscan_protocol = "all"; - if (!empty($snortcfg['pscan_protocol'])) - $sf_pscan_protocol = $snortcfg['pscan_protocol']; - $sf_pscan_type = "all"; - if (!empty($snortcfg['pscan_type'])) - $sf_pscan_type = $snortcfg['pscan_type']; - $sf_pscan_memcap = "10000000"; - if (!empty($snortcfg['pscan_memcap'])) - $sf_pscan_memcap = $snortcfg['pscan_memcap']; - $sf_pscan_sense_level = "medium"; - if (!empty($snortcfg['pscan_sense_level'])) - $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; - $sf_pscan_ignore_scanners = "\$HOME_NET"; - if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { - $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])); - $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); - } - - $sf_portscan = <<<EOD -# sf Portscan # -preprocessor sfportscan: \ - scan_type { {$sf_pscan_type} } \ - proto { {$sf_pscan_protocol} } \ - memcap { {$sf_pscan_memcap} } \ - sense_level { {$sf_pscan_sense_level} } \ - ignore_scanners { {$sf_pscan_ignore_scanners} } - -EOD; - - /* def ssh_preproc */ - $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); - $ssh_preproc = <<<EOD -# SSH preprocessor # -preprocessor ssh: \ - server_ports { {$ssh_ports} } \ - autodetect \ - max_client_bytes 19600 \ - max_encrypted_packets 20 \ - max_server_version_len 100 \ - enable_respoverflow enable_ssh1crc32 \ - enable_srvoverflow enable_protomismatch - -EOD; - - /* def other_preprocs */ - $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); - $other_preprocs = <<<EOD -# Other preprocs # -preprocessor rpc_decode: \ - {$sun_rpc_ports} \ - no_alert_multiple_requests \ - no_alert_large_fragments \ - no_alert_incomplete - -# Back Orifice preprocessor # -preprocessor bo - -EOD; - - /* def dce_rpc_2 */ - $dce_rpc_2 = <<<EOD -# DCE/RPC 2 # -preprocessor dcerpc2: \ - memcap 102400, \ - events [co] - -preprocessor dcerpc2_server: default, \ - policy WinXP, \ - detect [smb [{$snort_ports['smb_ports']}], \ - tcp 135, \ - udp 135, \ - rpc-over-http-server 593], \ - autodetect [tcp 1025:, \ - udp 1025:, \ - rpc-over-http-server 1025:], \ - smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] - -EOD; - - $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); - $sip_preproc = <<<EOD -# SIP preprocessor # -preprocessor sip: \ - max_sessions 40000, \ - ports { {$sip_ports} }, \ - methods { invite \ - cancel \ - ack \ - bye \ - register \ - options \ - refer \ - subscribe \ - update \ - join \ - info \ - message \ - notify \ - benotify \ - do \ - qauth \ - sprack \ - publish \ - service \ - unsubscribe \ - prack }, \ - max_call_id_len 80, \ - max_from_len 256, \ - max_to_len 256, \ - max_via_len 1024, \ - max_requestName_len 50, \ - max_uri_len 512, \ - ignore_call_channel, \ - max_content_len 2048, \ - max_contact_len 512 - -EOD; - - $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports'])); - /* def dns_preprocessor */ - $dns_preprocessor = <<<EOD -# DNS preprocessor # -preprocessor dns: \ - ports { {$dns_ports} } \ - enable_rdata_overflow - -EOD; - - /* def dnp3_preprocessor */ - $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS'])); - $dnp3_preproc = <<<EOD -# DNP3 preprocessor # -preprocessor dnp3: \ - ports { {$dnp3_ports} } \ - memcap 262144 \ - check_crc - -EOD; - - /* def modbus_preprocessor */ - $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS'])); - $modbus_preproc = <<<EOD -# Modbus preprocessor # -preprocessor modbus: \ - ports { {$modbus_ports} } - -EOD; - - /* def gtp_preprocessor */ - $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); - $gtp_preproc = <<<EOD -# GTP preprocessor # -preprocessor gtp: \ - ports { {$gtp_ports} } - -EOD; - - /* def ssl_preprocessor */ - $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports'])); - $ssl_preproc = <<<EOD -# SSL preprocessor # -preprocessor ssl: \ - ports { {$ssl_ports} }, \ - trustservers, \ - noinspect_encrypted - -EOD; - - /* def sensitive_data_preprocessor */ - if ($snortcfg['sdf_mask_output'] == "on") - $sdf_mask_output = "\\\n\tmask_output"; - else - $sdf_mask_output = ""; - if (empty($snortcfg['sdf_alert_threshold'])) - $snortcfg['sdf_alert_threshold'] = 25; - $sensitive_data = <<<EOD -# SDF preprocessor # -preprocessor sensitive_data: \ - alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output} - -EOD; - - /* define IP Reputation preprocessor */ - if (is_array($snortcfg['blist_files']['item'])) { - $blist_files = ""; - $bIsFirst = TRUE; - foreach ($snortcfg['blist_files']['item'] as $blist) { - if ($bIsFirst) { - $blist_files .= "blacklist " . IPREP_PATH . $blist; - $bIsFirst = FALSE; - } - else - $blist_files .= ", \\ \n\tblacklist " . IPREP_PATH . $blist; - } - } - if (is_array($snortcfg['wlist_files']['item'])) { - $wlist_files = ""; - $bIsFirst = TRUE; - foreach ($snortcfg['wlist_files']['item'] as $wlist) { - if ($bIsFirst) { - $wlist_files .= "whitelist " . IPREP_PATH . $wlist; - $bIsFirst = FALSE; - } - else - $wlist_files .= ", \\ \n\twhitelist " . IPREP_PATH . $wlist; - } - } - if (!empty($blist_files)) - $ip_lists = $blist_files; - if (!empty($wlist_files)) - $ip_lists .= ", \\ \n" . $wlist_files; - if ($snortcfg['iprep_scan_local'] == 'on') - $ip_lists .= ", \\ \n\tscan_local"; - - $reputation_preproc = <<<EOD -# IP Reputation preprocessor # -preprocessor reputation: \ - memcap {$snortcfg['iprep_memcap']}, \ - priority {$snortcfg['iprep_priority']}, \ - nested_ip {$snortcfg['iprep_nested_ip']}, \ - white {$snortcfg['iprep_white']}, \ - {$ip_lists} - -EOD; - - /* define servers as IP variables */ - $snort_servers = array ( - "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", - "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", - "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", - "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", - "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", - "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", - "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", - "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" - ); - - // Change old name from "var" to new name of "ipvar" for IP variables because - // Snort is deprecating the old "var" name in newer versions. - $ipvardef = ""; - foreach ($snort_servers as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { - $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); - $avalue = preg_replace('/\s+/', ',', trim($avalue)); - } - $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n"; - } - - $snort_preproc_libs = array( - "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", - "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", - "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", - "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" - ); - $snort_preproc = array ( - "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", - "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc" - ); - $default_disabled_preprocs = array( - "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat" - ); - $snort_preprocessors = ""; - foreach ($snort_preproc as $preproc) { - if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) { - - /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */ - if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs)) - continue; - - /* NOTE: The $$ is not a bug. It is an advanced feature of php */ - if (!empty($snort_preproc_libs[$preproc])) { - $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; - if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { - if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { - @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } else - log_error("Could not find the {$preproclib} file. Snort might error out!"); - } else { - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } - } else { - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; - } - } - } - // Remove final trailing newline - $snort_preprocessors = rtrim($snort_preprocessors); - - $snort_misc_include_rules = ""; - if (file_exists("{$snortcfgdir}/reference.config")) - $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; - if (file_exists("{$snortcfgdir}/classification.config")) - $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { - $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); - } - - /* generate rule sections to load */ - /* The files are always configured so the update process is easier */ - $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n"; - $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n"; - $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n"; - - // Remove trailing newlines - $snort_misc_include_rules = rtrim($snort_misc_include_rules); - $selected_rules_sections = rtrim($selected_rules_sections); - - /* Create the actual rules files and save in the interface directory */ - snort_prepare_rule_files($snortcfg, $snortcfgdir); - - $cksumcheck = "all"; - if ($snortcfg['cksumcheck'] == 'on') - $cksumcheck = "none"; - - /* Pull in user-configurable detection config options */ - $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5"; - if ($snortcfg['fpm_split_any_any'] == "on") - $cfg_detect_settings .= " split-any-any"; - if ($snortcfg['fpm_search_optimize'] == "on") - $cfg_detect_settings .= " search-optimize"; - if ($snortcfg['fpm_no_stream_inserts'] == "on") - $cfg_detect_settings .= " no_stream_inserts"; - - /* Pull in user-configurable options for Frag3 preprocessor settings */ - /* Get global Frag3 options first and put into a string */ - $frag3_global = "preprocessor frag3_global: "; - if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0") - $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, "; - else - $frag3_global .= "memcap 4194304, "; - if (!empty($snortcfg['frag3_max_frags'])) - $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}"; - else - $frag3_global .= "max_frags 8192"; - if ($snortcfg['frag3_detection'] == "off") - $frag3_global .= ", disabled"; - - $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", - "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on", - "overlap_limit" => 0, "min_frag_len" => 0 ); - $frag3_engine = ""; - - // Now iterate configured Frag3 engines and write them to a string if enabled - if ($snortcfg['frag3_detection'] == "on") { - if (!is_array($snortcfg['frag3_engine']['item'])) - $snortcfg['frag3_engine']['item'] = array(); - - // If no frag3 tcp engine is configured, use the default - if (empty($snortcfg['frag3_engine']['item'])) - $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine; - - foreach ($snortcfg['frag3_engine']['item'] as $f => $v) { - $frag3_engine .= "preprocessor frag3_engine: "; - $frag3_engine .= "policy {$v['policy']}"; - if ($v['bind_to'] <> "all") { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ',', $tmp); - if (strpos($tmp, ",") !== false) - $frag3_engine .= " \\\n\tbind_to [{$tmp}]"; - else - $frag3_engine .= " \\\n\tbind_to {$tmp}"; - } - else - log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe."); - } - $frag3_engine .= " \\\n\ttimeout {$v['timeout']}"; - $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}"; - if ($v['detect_anomalies'] == "on") { - $frag3_engine .= " \\\n\tdetect_anomalies"; - $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}"; - $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}"; - } - // Add newlines to terminate this engine - $frag3_engine .= "\n\n"; - } - // Remove trailing newline - $frag3_engine = rtrim($frag3_engine); - } - - // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs - $paf_max_pdu_config = "config paf_max: "; - if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0') - $paf_max_pdu_config .= "0"; - else - $paf_max_pdu_config .= $snortcfg['max_paf']; - - // Pull in user-configurable options for Stream5 preprocessor settings - // Get global options first and put into a string - $stream5_global = "preprocessor stream5_global: \\\n"; - if ($snortcfg['stream5_reassembly'] == "off") - $stream5_global .= "\tdisabled, \\\n"; - if ($snortcfg['stream5_track_tcp'] == "off") - $stream5_global .= "\ttrack_tcp no,"; - else { - $stream5_global .= "\ttrack_tcp yes,"; - if (!empty($snortcfg['stream5_max_tcp'])) - $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},"; - else - $stream5_global .= " \\\n\tmax_tcp 262144,"; - } - if ($snortcfg['stream5_track_udp'] == "off") - $stream5_global .= " \\\n\ttrack_udp no,"; - else { - $stream5_global .= " \\\n\ttrack_udp yes,"; - if (!empty($snortcfg['stream5_max_udp'])) - $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},"; - else - $stream5_global .= " \\\n\tmax_udp 131072,"; - } - if ($snortcfg['stream5_track_icmp'] == "on") { - $stream5_global .= " \\\n\ttrack_icmp yes,"; - if (!empty($snortcfg['stream5_max_icmp'])) - $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},"; - else - $stream5_global .= " \\\n\tmax_icmp 65536,"; - } - else - $stream5_global .= " \\\n\ttrack_icmp no,"; - if (!empty($snortcfg['stream5_mem_cap'])) - $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},"; - else - $stream5_global .= " \\\n\tmemcap 8388608,"; - - if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0') - $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}"; - else - $stream5_global .= " \\\n\tprune_log_max 1048576"; - if ($snortcfg['stream5_flush_on_alert'] == "on") - $stream5_global .= ", \\\n\tflush_on_alert"; - - $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30, - "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0, - "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0, - "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0, - "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default", - "ports_both" => "default", "ports_server" => "none" ); - $stream5_tcp_engine = ""; - - // Now iterate configured Stream5 TCP engines and write them to a string if enabled - if ($snortcfg['stream5_reassembly'] == "on") { - if (!is_array($snortcfg['stream5_tcp_engine']['item'])) - $snortcfg['stream5_tcp_engine']['item'] = array(); - - // If no stream5 tcp engine is configured, use the default - if (empty($snortcfg['stream5_tcp_engine']['item'])) - $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine; - - foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) { - $buffer = "preprocessor stream5_tcp: "; - $buffer .= "policy {$v['policy']},"; - if ($v['bind_to'] <> "all") { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ',', $tmp); - if (strpos($tmp, ",") !== false) - $buffer .= " \\\n\tbind_to [{$tmp}],"; - else - $buffer .= " \\\n\tbind_to {$tmp},"; - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine."); - continue; - } - } - $stream5_tcp_engine .= $buffer; - $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},"; - $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},"; - $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},"; - $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},"; - $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}"; - if ($v['use_static_footprint_sizes'] == "on") - $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes"; - if ($v['check_session_hijacking'] == "on") - $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking"; - if ($v['dont_store_lg_pkts'] == "on") - $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets"; - if ($v['no_reassemble_async'] == "on") - $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async"; - if ($v['detect_anomalies'] == "on") - $stream5_tcp_engine .= ", \\\n\tdetect_anomalies"; - if ($v['require_3whs'] == "on") - $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}"; - if (!empty($v['ports_client'])) { - $stream5_tcp_engine .= ", \\\n\tports client"; - if ($v['ports_client'] == " all") - $stream5_tcp_engine .= " all"; - elseif ($v['ports_client'] == "default") - $stream5_tcp_engine .= " {$stream5_ports_client}"; - else { - $tmp = trim(filter_expand_alias($v['ports_client'])); - if (!empty($tmp)) - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - else { - $stream5_tcp_engine .= " {$stream5_ports_client}"; - log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); - } - } - } - if (!empty($v['ports_both'])) { - $stream5_tcp_engine .= ", \\\n\tports both"; - if ($v['ports_both'] == " all") - $stream5_tcp_engine .= " all"; - elseif ($v['ports_both'] == "default") - $stream5_tcp_engine .= " {$stream5_ports_both}"; - else { - $tmp = trim(filter_expand_alias($v['ports_both'])); - if (!empty($tmp)) - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - else { - $stream5_tcp_engine .= " {$stream5_ports_both}"; - log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value."); - } - } - } - if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") { - if ($v['ports_server'] == " all") { - $stream5_tcp_engine .= ", \\\n\tports server"; - $stream5_tcp_engine .= " all"; - } - else { - $tmp = trim(filter_expand_alias($v['ports_server'])); - if (!empty($tmp)) { - $stream5_tcp_engine .= ", \\\n\tports server"; - $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp)); - } - else - log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none."); - } - } - - // Make sure the "ports" parameter is set, or else default to a safe value - if (strpos($stream5_tcp_engine, "ports ") === false) - $stream5_tcp_engine .= ", \\\n\tports both all"; - - // Add a pair of newlines to terminate this engine - $stream5_tcp_engine .= "\n\n"; - } - // Trim off the final trailing newline - $stream5_tcp_engine = rtrim($stream5_tcp_engine); - } - - // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled - if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off") - $stream5_udp_engine = ""; - else { - $stream5_udp_engine = "preprocessor stream5_udp: "; - if (!empty($snortcfg['stream5_udp_timeout'])) - $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}"; - else - $stream5_udp_engine .= "timeout 30"; - } - - // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled - if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") { - $stream5_icmp_engine = "preprocessor stream5_icmp: "; - if (!empty($snortcfg['stream5_icmp_timeout'])) - $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}"; - else - $stream5_icmp_engine .= "timeout 30"; - } - else - $stream5_icmp_engine = ""; - - // Check for and configure Host Attribute Table if enabled - $host_attrib_config = ""; - if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) { - file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data'])); - $host_attrib_config = "# Host Attribute Table #\n"; - $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n"; - if (!empty($snortcfg['max_attribute_hosts'])) - $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n"; - if (!empty($snortcfg['max_attribute_services_per_host'])) - $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}"; - } - - // Configure the HTTP_INSPECT preprocessor - // Get global options first and put into a string - $http_inspect_global = "preprocessor http_inspect: global "; - if ($snortcfg['http_inspect'] == "off") - $http_inspect_global .= "disabled "; - $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n"; - $http_inspect_global .= "\tcompress_depth 65535 \\\n"; - $http_inspect_global .= "\tdecompress_depth 65535 \\\n"; - if (!empty($snortcfg['http_inspect_memcap'])) - $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n"; - else - $http_inspect_global .= "\tmemcap 150994944 \\\n"; - if (!empty($snortcfg['http_inspect_max_gzip_mem'])) - $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}"; - else - $http_inspect_global .= "\tmax_gzip_mem 838860"; - if ($snortcfg['http_inspect_proxy_alert'] == "on") - $http_inspect_global .= " \\\n\tproxy_alert"; - - $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off", - "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on", - "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off", - "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on", - "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off", - "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, - "max_header_length" => 0, "ports" => "default" ); - $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); - $http_inspect_servers = ""; - - // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled - if ($snortcfg['http_inspect'] <> "off") { - if (!is_array($snortcfg['http_inspect_engine']['item'])) - $snortcfg['http_inspect_engine']['item'] = array(); - - // If no http_inspect_engine is configured, use the default - if (empty($snortcfg['http_inspect_engine']['item'])) - $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine; - - foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) { - $buffer = "preprocessor http_inspect_server: \\\n"; - if ($v['name'] == "default") - $buffer .= "\tserver default \\\n"; - elseif (is_alias($v['bind_to'])) { - $tmp = trim(filter_expand_alias($v['bind_to'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $buffer .= "\tserver { {$tmp} } \\\n"; - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); - continue; - } - } - else { - log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine."); - continue; - } - $http_inspect_servers .= $buffer; - $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n"; - - if ($v['no_alerts'] == "on") - $http_inspect_servers .= "\tno_alerts \\\n"; - - if ($v['ports'] == "default" || empty($v['ports'])) - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - elseif (is_alias($v['ports'])) { - $tmp = trim(filter_expand_alias($v['ports'])); - if (!empty($tmp)) { - $tmp = preg_replace('/\s+/', ' ', $tmp); - $tmp = snort_expand_port_range($tmp, ' '); - $http_inspect_servers .= "\tports { {$tmp} } \\\n"; - } - else { - log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - } - } - else { - log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead."); - $http_inspect_servers .= "\tports { {$http_ports} } \\\n"; - } - - $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n"; - $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n"; - $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n"; - $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n"; - $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n"; - $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n"; - $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}"; - if ($v['enable_xff'] == "on") - $http_inspect_servers .= " \\\n\tenable_xff"; - if ($v['enable_cookie'] == "on") - $http_inspect_servers .= " \\\n\tenable_cookie"; - if ($v['normalize_cookies'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_cookies"; - if ($v['normalize_headers'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_headers"; - if ($v['normalize_utf'] == "on") - $http_inspect_servers .= " \\\n\tnormalize_utf"; - if ($v['allow_proxy_use'] == "on") - $http_inspect_servers .= " \\\n\tallow_proxy_use"; - if ($v['inspect_uri_only'] == "on") - $http_inspect_servers .= " \\\n\tinspect_uri_only"; - if ($v['extended_response_inspection'] == "on") { - $http_inspect_servers .= " \\\n\textended_response_inspection"; - if ($v['inspect_gzip'] == "on") { - $http_inspect_servers .= " \\\n\tinspect_gzip"; - if ($v['unlimited_decompress'] == "on") - $http_inspect_servers .= " \\\n\tunlimited_decompress"; - } - if ($v['normalize_javascript'] == "on") { - $http_inspect_servers .= " \\\n\tnormalize_javascript"; - $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}"; - } - } - if ($v['log_uri'] == "on") - $http_inspect_servers .= " \\\n\tlog_uri"; - if ($v['log_hostname'] == "on") - $http_inspect_servers .= " \\\n\tlog_hostname"; - - // Add a pair of trailing newlines to terminate this server config - $http_inspect_servers .= "\n\n"; - } - /* Trim off the final trailing newline */ - $http_inspect_server = rtrim($http_inspect_server); - } - - // Finally, build the Snort configuration file - $snort_conf_text = <<<EOD -# snort configuration file -# generated automatically by the pfSense subsystems do not modify manually - -# Define Local Network # -ipvar HOME_NET [{$home_net}] -ipvar EXTERNAL_NET [{$external_net}] - -# Define Rule Path # -var RULE_PATH {$snortcfgdir}/rules - -# Define Servers # -{$ipvardef} - -# Define Server Ports # -{$portvardef} - -# Configure quiet startup mode # -config quiet - -# Configure the snort decoder # -config checksum_mode: {$cksumcheck} -config disable_decode_alerts -config disable_tcpopt_experimental_alerts -config disable_tcpopt_obsolete_alerts -config disable_ttcp_alerts -config disable_tcpopt_alerts -config disable_ipopt_alerts -config disable_decode_drops - -# Enable the GTP decoder # -config enable_gtp - -# Configure PCRE match limitations -config pcre_match_limit: 3500 -config pcre_match_limit_recursion: 1500 - -# Configure the detection engine # -config detection: {$cfg_detect_settings} -config event_queue: max_queue 8 log 5 order_events content_length - -# Configure to show year in timestamps -config show_year - -# Configure protocol aware flushing # -# For more information see README.stream5 # -{$paf_max_pdu_config} - -# Configure dynamically loaded libraries -dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']} -dynamicengine directory {$snort_dirs['dynamicengine']} -dynamicdetection directory {$snort_dirs['dynamicrules']} - -# Inline packet normalization. For more information, see README.normalize -# Disabled since we do not use "inline" mode with pfSense -# preprocessor normalize_ip4 -# preprocessor normalize_tcp: ips ecn stream -# preprocessor normalize_icmp4 -# preprocessor normalize_ip6 -# preprocessor normalize_icmp6 - -# Flow and stream # -{$frag3_global} - -{$frag3_engine} - -{$stream5_global} - -{$stream5_tcp_engine} - -{$stream5_udp_engine} - -{$stream5_icmp_engine} - -# HTTP Inspect # -{$http_inspect_global} - -{$http_inspect_servers} -{$snort_preprocessors} -{$host_attrib_config} - -# Snort Output Logs # -output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority -{$alertsystemlog_type} -{$snortunifiedlog_type} -{$spoink_type} - -# Misc Includes # -{$snort_misc_include_rules} - -{$suppress_file_name} - -# Snort user pass through configuration -{$snort_config_pass_thru} - -# Rules Selection # -{$selected_rules_sections} -EOD; - - // Write out snort.conf file - file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text); - conf_mount_ro(); - unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type); - unset($home_net, $external_net, $ipvardef, $portvardef); -} - -/*****************************************************************************/ -/* This starts the actual post-install code */ -/*****************************************************************************/ - /* Hard kill any running Snort processes that may have been started by any */ /* of the pfSense scripts such as check_reload_status() or rc.start_packages */ if(is_process_running("snort")) { @@ -1389,6 +67,9 @@ if(is_process_running("barnyard")) { /* Set flag for post-install in progress */ $g['snort_postinstall'] = true; +/* Set Snort conf partition to read-write so we can make changes there */ +conf_mount_rw(); + /* cleanup default files */ @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); @rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf"); @@ -1398,7 +79,7 @@ $g['snort_postinstall'] = true; @rename("{$snortdir}/generators-sample", "{$snortdir}/generators"); @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config"); @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); -@rename("{$snortdir}/attribute_table.dtd-sample", "{$snortdir}/attribute_table.dtd"); +//@rename("{$snortdir}/attribute_table.dtd-sample", "{$snortdir}/attribute_table.dtd"); /* fix up the preprocessor rules filenames from a PBI package install */ $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); @@ -1409,8 +90,8 @@ foreach ($preproc_rules as $file) { /* Remove any previously installed scripts since we rebuild them */ @unlink("{$snortdir}/sid"); -@unlink("{$rcdir}/snort.sh"); -@unlink("{$rcdir}/barnyard2"); +@unlink("{$rcdir}snort.sh"); +@unlink("{$rcdir}barnyard2"); /* Create required log and db directories in /var */ safe_mkdir(SNORTLOGDIR); @@ -1435,13 +116,13 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_status(gettext("Saved settings detected...")); /* Do one-time settings migration for new multi-engine configurations */ update_output_window(gettext("Please wait... migrating settings to new configuration...")); - include('/usr/local/www/snort/snort_migrate_config.php'); + include('/usr/local/pkg/snort/snort_migrate_config.php'); update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); log_error(gettext("[Snort] Downloading and updating configured rule types...")); update_output_window(gettext("Please wait... downloading and updating configured rule types...")); if ($pkg_interface <> "console") $snort_gui_include = true; - include('/usr/local/www/snort/snort_check_for_rule_updates.php'); + include('/usr/local/pkg/snort/snort_check_for_rule_updates.php'); update_status(gettext("Generating snort.conf configuration file from saved settings...")); $rebuild_rules = true; @@ -1451,7 +132,7 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { $if_real = get_real_interface($value['interface']); /* create a snort.conf file for interface */ - snort_build_new_conf($value); + snort_generate_conf($value); /* create barnyard2.conf file for interface */ if ($value['barnyard_enable'] == 'on') @@ -1479,22 +160,25 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { log_error(gettext("[Snort] Finished rebuilding installation from saved settings...")); /* Only try to start Snort if not in reboot */ - if (!$g['booting']) { + if (!($g['booting'])) { update_status(gettext("Starting Snort using rebuilt configuration...")); update_output_window(gettext("Please wait... while Snort is started...")); log_error(gettext("[Snort] Starting Snort using rebuilt configuration...")); - start_service("snort"); - update_output_window(gettext("Snort has been started using the rebuilt configuration...")); + mwexec_bg("{$rcdir}snort.sh start"); + update_output_window(gettext("Snort is starting using the rebuilt configuration...")); } } +/* We're finished with conf partition mods, return to read-only */ +conf_mount_ro(); + /* If an existing Snort Dashboard Widget container is not found, */ /* then insert our default Widget Dashboard container. */ if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE) $config['widgets']['sequence'] .= ",{$snort_widget_container}"; /* Update Snort package version in configuration */ -$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.13"; +$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1"; write_config("Snort pkg: post-install configuration saved."); /* Done with post-install, so clear flag */ diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 5cee95df..da1c515e 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -117,16 +117,64 @@ if (isset($id) && isset($a_nat[$id])) { if (empty($pconfig['smtp_preprocessor'])) $pconfig['smtp_preprocessor'] = 'on'; + if (empty($pconfig['smtp_memcap'])) + $pconfig['smtp_memcap'] = "838860"; + if (empty($pconfig['smtp_max_mime_mem'])) + $pconfig['smtp_max_mime_mem'] = "838860"; + if (empty($pconfig['smtp_b64_decode_depth'])) + $pconfig['smtp_b64_decode_depth'] = "0"; + if (empty($pconfig['smtp_qp_decode_depth'])) + $pconfig['smtp_qp_decode_depth'] = "0"; + if (empty($pconfig['smtp_bitenc_decode_depth'])) + $pconfig['smtp_bitenc_decode_depth'] = "0"; + if (empty($pconfig['smtp_uu_decode_depth'])) + $pconfig['smtp_uu_decode_depth'] = "0"; + if (empty($pconfig['smtp_email_hdrs_log_depth']) && $pconfig['smtp_email_hdrs_log_depth'] != '0') + $pconfig['smtp_email_hdrs_log_depth'] = "1464"; + if (empty($pconfig['smtp_ignore_tls_data'])) + $pconfig['smtp_ignore_tls_data'] = 'on'; + if (empty($pconfig['smtp_log_mail_from'])) + $pconfig['smtp_log_mail_from'] = 'on'; + if (empty($pconfig['smtp_log_rcpt_to'])) + $pconfig['smtp_log_rcpt_to'] = 'on'; + if (empty($pconfig['smtp_log_filename'])) + $pconfig['smtp_log_filename'] = 'on'; + if (empty($pconfig['smtp_log_email_hdrs'])) + $pconfig['smtp_log_email_hdrs'] = 'on'; + if (empty($pconfig['dce_rpc_2'])) $pconfig['dce_rpc_2'] = 'on'; if (empty($pconfig['dns_preprocessor'])) $pconfig['dns_preprocessor'] = 'on'; if (empty($pconfig['ssl_preproc'])) $pconfig['ssl_preproc'] = 'on'; + if (empty($pconfig['pop_preproc'])) $pconfig['pop_preproc'] = 'on'; + if (empty($pconfig['pop_memcap'])) + $pconfig['pop_memcap'] = "838860"; + if (empty($pconfig['pop_b64_decode_depth'])) + $pconfig['pop_b64_decode_depth'] = "0"; + if (empty($pconfig['pop_qp_decode_depth'])) + $pconfig['pop_qp_decode_depth'] = "0"; + if (empty($pconfig['pop_bitenc_decode_depth'])) + $pconfig['pop_bitenc_decode_depth'] = "0"; + if (empty($pconfig['pop_uu_decode_depth'])) + $pconfig['pop_uu_decode_depth'] = "0"; + if (empty($pconfig['imap_preproc'])) $pconfig['imap_preproc'] = 'on'; + if (empty($pconfig['imap_memcap'])) + $pconfig['imap_memcap'] = "838860"; + if (empty($pconfig['imap_b64_decode_depth'])) + $pconfig['imap_b64_decode_depth'] = "0"; + if (empty($pconfig['imap_qp_decode_depth'])) + $pconfig['imap_qp_decode_depth'] = "0"; + if (empty($pconfig['imap_bitenc_decode_depth'])) + $pconfig['imap_bitenc_decode_depth'] = "0"; + if (empty($pconfig['imap_uu_decode_depth'])) + $pconfig['imap_uu_decode_depth'] = "0"; + if (empty($pconfig['sip_preproc'])) $pconfig['sip_preproc'] = 'on'; if (empty($pconfig['other_preprocs'])) @@ -270,6 +318,19 @@ if ($_POST['ResetAll']) { $pconfig['ftp_telnet_detect_anomalies'] = "on"; $pconfig['ftp_telnet_ayt_attack_threshold'] = "20"; $pconfig['smtp_preprocessor'] = "on"; + $pconfig['smtp_memcap'] = "838860"; + $pconfig['smtp_max_mime_mem'] = "838860"; + $pconfig['smtp_b64_decode_depth'] = "0"; + $pconfig['smtp_qp_decode_depth'] = "0"; + $pconfig['smtp_bitenc_decode_depth'] = "0"; + $pconfig['smtp_uu_decode_depth'] = "0"; + $pconfig['smtp_email_hdrs_log_depth'] = "1464"; + $pconfig['smtp_ignore_data'] = 'off'; + $pconfig['smtp_ignore_tls_data'] = 'on'; + $pconfig['smtp_log_mail_from'] = 'on'; + $pconfig['smtp_log_rcpt_to'] = 'on'; + $pconfig['smtp_log_filename'] = 'on'; + $pconfig['smtp_log_email_hdrs'] = 'on'; $pconfig['sf_portscan'] = "off"; $pconfig['pscan_protocol'] = "all"; $pconfig['pscan_type'] = "all"; @@ -284,7 +345,17 @@ if ($_POST['ResetAll']) { $pconfig['sdf_mask_output'] = "off"; $pconfig['ssl_preproc'] = "on"; $pconfig['pop_preproc'] = "on"; + $pconfig['pop_memcap'] = "838860"; + $pconfig['pop_b64_decode_depth'] = "0"; + $pconfig['pop_qp_decode_depth'] = "0"; + $pconfig['pop_bitenc_decode_depth'] = "0"; + $pconfig['pop_uu_decode_depth'] = "0"; $pconfig['imap_preproc'] = "on"; + $pconfig['imap_memcap'] = "838860"; + $pconfig['imap_b64_decode_depth'] = "0"; + $pconfig['imap_qp_decode_depth'] = "0"; + $pconfig['imap_bitenc_decode_depth'] = "0"; + $pconfig['imap_uu_decode_depth'] = "0"; $pconfig['sip_preproc'] = "on"; $pconfig['dnp3_preproc'] = "off"; $pconfig['modbus_preproc'] = "off"; @@ -312,6 +383,52 @@ if ($_POST['save']) { $input_errors[] = gettext("You must select at least one sensitive data type to inspect for when Sensitive Data detection is enabled."); } + // Validate POP3 parameter values if POP3 Decoder is enabled + if ($_POST['pop_preproc'] == 'on') { + if ($_POST['pop_memcap'] < 3276 || $_POST['pop_memcap'] > 104857600) + $input_errors[] = gettext("The value for POP3 Decoder Memory Cap must be between 3,276 and 104,857,600."); + if ($_POST['pop_b64_decode_depth'] < -1 || $_POST['pop_b64_decode_depth'] > 65535) + $input_errors[] = gettext("The value for POP3 Decoder Base64 Decode Depth must be between -1 and 65,535."); + if ($_POST['pop_qp_decode_depth'] < -1 || $_POST['pop_qp_decode_depth'] > 65535) + $input_errors[] = gettext("The value for POP3 Decoder Quoted-Printable (QP) Decode Depth must be between -1 and 65,535."); + if ($_POST['pop_bitenc_decode_depth'] < -1 || $_POST['pop_bitenc_decode_depth'] > 65535) + $input_errors[] = gettext("The value for POP3 Decoder Non-Encoded MIME Extraction Depth must be between -1 and 65,535."); + if ($_POST['pop_uu_decode_depth'] < -1 || $_POST['pop_uu_decode_depth'] > 65535) + $input_errors[] = gettext("The value for POP3 Decoder Unix-to-Unix (UU) Decode Depth must be between -1 and 65,535."); + } + + // Validate IMAP parameter values if IMAP Decoder is enabled + if ($_POST['imap_preproc'] == 'on') { + if ($_POST['imap_memcap'] < 3276 || $_POST['imap_memcap'] > 104857600) + $input_errors[] = gettext("The value for IMAP Decoder Memory Cap must be between 3,276 and 104,857,600."); + if ($_POST['imap_b64_decode_depth'] < -1 || $_POST['imap_b64_decode_depth'] > 65535) + $input_errors[] = gettext("The value for IMAP Decoder Base64 Decode Depth must be between -1 and 65,535."); + if ($_POST['imap_qp_decode_depth'] < -1 || $_POST['imap_qp_decode_depth'] > 65535) + $input_errors[] = gettext("The value for IMAP Decoder Quoted-Printable (QP) Decode Depth must be between -1 and 65,535."); + if ($_POST['imap_bitenc_decode_depth'] < -1 || $_POST['imap_bitenc_decode_depth'] > 65535) + $input_errors[] = gettext("The value for IMAP Decoder Non-Encoded MIME Extraction Depth must be between -1 and 65,535."); + if ($_POST['imap_uu_decode_depth'] < -1 || $_POST['imap_uu_decode_depth'] > 65535) + $input_errors[] = gettext("The value for IMAP Decoder Unix-to-Unix (UU) Decode Depth must be between -1 and 65,535."); + } + + // Validate SMTP parameter values if SMTP Decoder is enabled + if ($_POST['smtp_preprocessor'] == 'on') { + if ($_POST['smtp_memcap'] < 3276 || $_POST['smtp_memcap'] > 104857600) + $input_errors[] = gettext("The value for SMTP Decoder Memory Cap must be between 3,276 and 104,857,600."); + if ($_POST['smtp_max_mime_mem'] < 3276 || $_POST['smtp_max_mime_mem'] > 104857600) + $input_errors[] = gettext("The value for SMTP Decoder Maximum MIME Memory must be between 3,276 and 104,857,600."); + if ($_POST['smtp_b64_decode_depth'] < -1 || $_POST['smtp_b64_decode_depth'] > 65535) + $input_errors[] = gettext("The value for SMTP Decoder Base64 Decode Depth must be between -1 and 65,535."); + if ($_POST['smtp_qp_decode_depth'] < -1 || $_POST['smtp_qp_decode_depth'] > 65535) + $input_errors[] = gettext("The value for SMTP Decoder Quoted-Printable (QP) Decode Depth must be between -1 and 65,535."); + if ($_POST['smtp_bitenc_decode_depth'] < -1 || $_POST['smtp_bitenc_decode_depth'] > 65535) + $input_errors[] = gettext("The value for SMTP Decoder Non-Encoded MIME Extraction Depth must be between -1 and 65,535."); + if ($_POST['smtp_uu_decode_depth'] < -1 || $_POST['smtp_uu_decode_depth'] > 65535) + $input_errors[] = gettext("The value for SMTP Decoder Unix-to-Unix (UU) Decode Depth must be between -1 and 65,535."); + if ($_POST['smtp_email_hdrs_log_depth'] < 0 || $_POST['smtp_email_hdrs_log_depth'] > 20480) + $input_errors[] = gettext("The value for SMTP Decoder E-Mail Headers Log Depth must be between 0 and 20,480."); + } + /* if no errors write to conf */ if (!$input_errors) { /* post new options */ @@ -337,6 +454,23 @@ if ($_POST['save']) { if ($_POST['ftp_telnet_inspection_type'] != "") { $natent['ftp_telnet_inspection_type'] = $_POST['ftp_telnet_inspection_type']; }else{ $natent['ftp_telnet_inspection_type'] = "stateful"; } if ($_POST['ftp_telnet_ayt_attack_threshold'] != "") { $natent['ftp_telnet_ayt_attack_threshold'] = $_POST['ftp_telnet_ayt_attack_threshold']; }else{ $natent['ftp_telnet_ayt_attack_threshold'] = "20"; } if ($_POST['sdf_alert_threshold'] != "") { $natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold']; }else{ $natent['sdf_alert_threshold'] = "25"; } + if ($_POST['pop_memcap'] != "") { $natent['pop_memcap'] = $_POST['pop_memcap']; }else{ $natent['pop_memcap'] = "838860"; } + if ($_POST['pop_b64_decode_depth'] != "") { $natent['pop_b64_decode_depth'] = $_POST['pop_b64_decode_depth']; }else{ $natent['pop_b64_decode_depth'] = "0"; } + if ($_POST['pop_qp_decode_depth'] != "") { $natent['pop_qp_decode_depth'] = $_POST['pop_qp_decode_depth']; }else{ $natent['pop_qp_decode_depth'] = "0"; } + if ($_POST['pop_bitenc_decode_depth'] != "") { $natent['pop_bitenc_decode_depth'] = $_POST['pop_bitenc_decode_depth']; }else{ $natent['pop_bitenc_decode_depth'] = "0"; } + if ($_POST['pop_uu_decode_depth'] != "") { $natent['pop_uu_decode_depth'] = $_POST['pop_uu_decode_depth']; }else{ $natent['pop_uu_decode_depth'] = "0"; } + if ($_POST['imap_memcap'] != "") { $natent['imap_memcap'] = $_POST['imap_memcap']; }else{ $natent['imap_memcap'] = "838860"; } + if ($_POST['imap_b64_decode_depth'] != "") { $natent['imap_b64_decode_depth'] = $_POST['imap_b64_decode_depth']; }else{ $natent['imap_b64_decode_depth'] = "0"; } + if ($_POST['imap_qp_decode_depth'] != "") { $natent['imap_qp_decode_depth'] = $_POST['imap_qp_decode_depth']; }else{ $natent['imap_qp_decode_depth'] = "0"; } + if ($_POST['imap_bitenc_decode_depth'] != "") { $natent['imap_bitenc_decode_depth'] = $_POST['imap_bitenc_decode_depth']; }else{ $natent['imap_bitenc_decode_depth'] = "0"; } + if ($_POST['imap_uu_decode_depth'] != "") { $natent['imap_uu_decode_depth'] = $_POST['imap_uu_decode_depth']; }else{ $natent['imap_uu_decode_depth'] = "0"; } + if ($_POST['smtp_memcap'] != "") { $natent['smtp_memcap'] = $_POST['smtp_memcap']; }else{ $natent['smtp_memcap'] = "838860"; } + if ($_POST['smtp_max_mime_mem'] != "") { $natent['smtp_max_mime_mem'] = $_POST['smtp_max_mime_mem']; }else{ $natent['smtp_max_mime_mem'] = "838860"; } + if ($_POST['smtp_b64_decode_depth'] != "") { $natent['smtp_b64_decode_depth'] = $_POST['smtp_b64_decode_depth']; }else{ $natent['smtp_b64_decode_depth'] = "0"; } + if ($_POST['smtp_qp_decode_depth'] != "") { $natent['smtp_qp_decode_depth'] = $_POST['smtp_qp_decode_depth']; }else{ $natent['smtp_qp_decode_depth'] = "0"; } + if ($_POST['smtp_bitenc_decode_depth'] != "") { $natent['smtp_bitenc_decode_depth'] = $_POST['smtp_bitenc_decode_depth']; }else{ $natent['smtp_bitenc_decode_depth'] = "0"; } + if ($_POST['smtp_uu_decode_depth'] != "") { $natent['smtp_uu_decode_depth'] = $_POST['smtp_uu_decode_depth']; }else{ $natent['smtp_uu_decode_depth'] = "0"; } + if ($_POST['smtp_email_hdrs_log_depth'] != "") { $natent['smtp_email_hdrs_log_depth'] = $_POST['smtp_email_hdrs_log_depth']; }else{ $natent['smtp_email_hdrs_log_depth'] = "1464"; } // Set SDF inspection types $natent['sdf_alert_data_type'] = implode(",",$_POST['sdf_alert_data_type']); @@ -352,6 +486,13 @@ if ($_POST['save']) { $natent['ftp_telnet_normalize'] = $_POST['ftp_telnet_normalize'] ? 'on' : 'off'; $natent['ftp_telnet_detect_anomalies'] = $_POST['ftp_telnet_detect_anomalies'] ? 'on' : 'off'; $natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off'; + $natent['smtp_ignore_data'] = $_POST['smtp_ignore_data'] ? 'on' : 'off'; + $natent['smtp_ignore_tls_data'] = $_POST['smtp_ignore_tls_data'] ? 'on' : 'off'; + $natent['smtp_log_mail_from'] = $_POST['smtp_log_mail_from'] ? 'on' : 'off'; + $natent['smtp_log_rcpt_to'] = $_POST['smtp_log_rcpt_to'] ? 'on' : 'off'; + $natent['smtp_log_filename'] = $_POST['smtp_log_filename'] ? 'on' : 'off'; + $natent['smtp_log_email_hdrs'] = $_POST['smtp_log_email_hdrs'] ? 'on' : 'off'; + $natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off'; $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; @@ -385,7 +526,9 @@ if ($_POST['save']) { /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($natent); + conf_mount_ro(); $rebuild_rules = false; /* If 'preproc_auto_rule_disable' is off, then clear log file */ @@ -1308,34 +1451,300 @@ if ($savemsg) { </td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessors"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("POP3 Decoder Settings"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable RPC Decode and Back Orifice detector"); ?></td> - <td width="78%" class="vtable"><input name="other_preprocs" type="checkbox" value="on" - <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?>> - <?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is ") . + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable POP3 Decoder"); ?></td> + <td width="78%" class="vtable"><input name="pop_preproc" type="checkbox" value="on" + <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?> onclick="pop_enable_change();"/> + <?php echo gettext("Normalize/Decode POP3 protocol for enforcement and buffer overflows. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> + <tbody id="pop_setting_rows"> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable POP Normalizer"); ?></td> - <td width="78%" class="vtable"><input name="pop_preproc" type="checkbox" value="on" - <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>> - <?php echo gettext("Normalize/Decode POP protocol for enforcement and buffer overflows. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <td width="78%" class="vtable"> + <input name="pop_memcap" type="text" class="formfld unknown" id="pop_memcap" size="9" + value="<?=htmlspecialchars($pconfig['pop_memcap']);?>"> + <?php echo gettext("Maximum memory in bytes to use for decoding attachments. ") . + gettext("Default is ") . "<strong>" . gettext("838860") . "</strong>" . + gettext(" bytes."); ?><br/><br/> + <?php echo gettext("The minimum value is ") . "<strong>" . gettext("3276") . "</strong>" . gettext(" bytes and the maximum is ") . + "<strong>" . gettext("100 MB") . "</strong>" . gettext(" (104857600). An IMAP preprocessor alert with sid 3 is ") . + gettext("generated (when enabled) if this limit is exceeded."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Base64 Decoding Depth"); ?></td> + <td width="78%" class="vtable"><input name="pop_b64_decode_depth" type="text" class="formfld unknown" id="pop_b64_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['pop_b64_decode_depth']);?>"> + <?php echo gettext("Depth in bytes to decode base64 encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the base64 decoding of MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the decoding of base64 encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. A POP preprocessor alert with sid 4 ") . + gettext("is generated (if enabled) when the decoding fails.");?> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable IMAP Normalizer"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Quoted Printable Decoding Depth"); ?></td> + <td width="78%" class="vtable"><input name="pop_qp_decode_depth" type="text" class="formfld unknown" id="pop_qp_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['pop_qp_decode_depth']);?>"> + <?php echo gettext("Byte depth to decode Quoted Printable (QP) encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the QP decoding of MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the decoding of QP encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per attachment. A POP preprocessor alert with sid 5 ") . + gettext("is generated (if enabled) when the decoding fails.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Non-Encoded MIME Extraction Depth"); ?></td> + <td width="78%" class="vtable"><input name="pop_bitenc_decode_depth" type="text" class="formfld unknown" id="pop_bitenc_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['pop_bitenc_decode_depth']);?>"> + <?php echo gettext("Depth in bytes to extract non-encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the extraction of non-encoded MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the extraction of non-encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the extraction of non-encoded MIME attachments, and applies per attachment.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Unix-to-Unix Decoding Depth"); ?></td> + <td width="78%" class="vtable"><input name="pop_uu_decode_depth" type="text" class="formfld unknown" id="pop_uu_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['pop_uu_decode_depth']);?>"> + <?php echo gettext("Depth in bytes to decode Unix-to-Unix (UU) encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the UU decoding of MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the decoding of UU encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of UU MIME attachments, and applies per attachment. A POP preprocessor alert with sid 7 ") . + gettext("is generated (if enabled) when the decoding fails.");?> + </td> + </tr> + </tbody> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("IMAP Decoder Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable IMAP Decoder"); ?></td> <td width="78%" class="vtable"><input name="imap_preproc" type="checkbox" value="on" - <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?>> - <?php echo gettext("Normalize/Decode IMAP protocol for enforcement and buffer overflows. Default is ") . - "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> + <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?> onclick="imap_enable_change();"/> + <?php echo gettext("Normalize/Decode IMAP protocol for enforcement and buffer overflows. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?> + </td> + </tr> + <tbody id="imap_setting_rows"> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <td width="78%" class="vtable"> + <input name="imap_memcap" type="text" class="formfld unknown" id="imap_memcap" size="9" + value="<?=htmlspecialchars($pconfig['imap_memcap']);?>"> + <?php echo gettext("Maximum memory in bytes to use for decoding attachments. ") . + gettext("Default is ") . "<strong>" . gettext("838860") . "</strong>" . + gettext(" bytes."); ?><br/><br/> + <?php echo gettext("The minimum value is ") . "<strong>" . gettext("3276") . "</strong>" . gettext(" bytes and the maximum is ") . + "<strong>" . gettext("100 MB") . "</strong>" . gettext(" (104857600). An IMAP preprocessor alert with sid 3 is ") . + gettext("generated (when enabled) if this limit is exceeded."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Base64 Decoding Depth"); ?></td> + <td width="78%" class="vtable"><input name="imap_b64_decode_depth" type="text" class="formfld unknown" id="imap_b64_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['imap_b64_decode_depth']);?>"> + <?php echo gettext("Depth in bytes to decode base64 encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the base64 decoding of MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the decoding of base64 encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. An IMAP preprocessor alert with sid 4 ") . + gettext("is generated (if enabled) when the decoding fails.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Quoted Printable Decoding Depth"); ?></td> + <td width="78%" class="vtable"><input name="imap_qp_decode_depth" type="text" class="formfld unknown" id="imap_qp_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['imap_qp_decode_depth']);?>"> + <?php echo gettext("Byte depth to decode Quoted Printable (QP) encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the QP decoding of MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the decoding of QP encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per attachment. An IMAP preprocessor alert with sid 5 ") . + gettext("is generated (if enabled) when the decoding fails.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Non-Encoded MIME Extraction Depth"); ?></td> + <td width="78%" class="vtable"><input name="imap_bitenc_decode_depth" type="text" class="formfld unknown" id="imap_bitenc_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['imap_bitenc_decode_depth']);?>"> + <?php echo gettext("Depth in bytes to extract non-encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the extraction of non-encoded MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the extraction of non-encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the extraction of non-encoded MIME attachments, and applies per attachment.");?> + </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SMTP Normalizer"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Unix-to-Unix Decoding Depth"); ?></td> + <td width="78%" class="vtable"><input name="imap_uu_decode_depth" type="text" class="formfld unknown" id="imap_uu_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['imap_uu_decode_depth']);?>"> + <?php echo gettext("Depth in bytes to decode Unix-to-Unix (UU) encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the UU decoding of MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the decoding of UU encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of UU MIME attachments, and applies per attachment. An IMAP preprocessor alert with sid 7 ") . + gettext("is generated (if enabled) when the decoding fails.");?> + </td> + </tr> + </tbody> + + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SMTP Decoder Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SMTP Decoder"); ?></td> <td width="78%" class="vtable"><input name="smtp_preprocessor" type="checkbox" value="on" - <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?>> - <?php echo gettext("Normalize/Decode SMTP protocol for enforcement and buffer overflows. Default is ") . + <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?> onclick="smtp_enable_change();"/> + <?php echo gettext("Normalize/Decode SMTP protocol for enforcement and buffer overflows. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?> + </td> + </tr> + <tbody id="smtp_setting_rows"> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td> + <td width="78%" class="vtable"> + <input name="smtp_memcap" type="text" class="formfld unknown" id="smtp_memcap" size="9" + value="<?=htmlspecialchars($pconfig['smtp_memcap']);?>"/> + <?php echo gettext("Max memory in bytes used to log filename, addresses and headers. ") . + gettext("Default is ") . "<strong>" . gettext("838860") . "</strong>" . gettext(" bytes."); ?><br/><br/> + <?php echo gettext("The minimum value is ") . "<strong>" . gettext("3276") . "</strong>" . gettext(" bytes and the maximum is ") . + "<strong>" . gettext("100 MB") . "</strong>" . gettext(" (104857600). When this memcap is reached, ") . + gettext("SMTP will stop logging the filename, MAIL FROM address, RCPT TO addresses and email headers until memory becomes available."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Data"); ?></td> + <td width="78%" class="vtable"><input name="smtp_ignore_data" type="checkbox" value="on" + <?php if ($pconfig['smtp_ignore_data']=="on") echo "checked"; ?>/> + <?php echo gettext("Ignore data section of mail (except for mail headers) when processing rules. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore TLS Data"); ?></td> + <td width="78%" class="vtable"><input name="smtp_ignore_tls_data" type="checkbox" value="on" + <?php if ($pconfig['smtp_ignore_tls_data']=="on") echo "checked"; ?>/> + <?php echo gettext("Ignore TLS-encrypted data when processing rules. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Mail From"); ?></td> + <td width="78%" class="vtable"><input name="smtp_log_mail_from" type="checkbox" value="on" + <?php if ($pconfig['smtp_log_mail_from']=="on") echo "checked"; ?>/> + <?php echo gettext("Log sender email address extracted from MAIL FROM command. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?><br/> + <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span> + <?php echo gettext("this is logged only with the unified2 (Barnyard2) output enabled."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Receipt To"); ?></td> + <td width="78%" class="vtable"><input name="smtp_log_rcpt_to" type="checkbox" value="on" + <?php if ($pconfig['smtp_log_rcpt_to']=="on") echo "checked"; ?>/> + <?php echo gettext("Log recipient email addresses extracted from RCPT TO command. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?><br/> + <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span> + <?php echo gettext("this is logged only with the unified2 (Barnyard2) output enabled."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Filename"); ?></td> + <td width="78%" class="vtable"><input name="smtp_log_filename" type="checkbox" value="on" + <?php if ($pconfig['smtp_log_filename']=="on") echo "checked"; ?>/> + <?php echo gettext("Log MIME attachment filenames extracted from Content-Disposition header. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?><br/> + <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span> + <?php echo gettext("this is logged only with the unified2 (Barnyard2) output enabled."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log E-Mail Headers"); ?></td> + <td width="78%" class="vtable"><input name="smtp_log_email_hdrs" type="checkbox" value="on" + <?php if ($pconfig['smtp_log_email_hdrs']=="on") echo "checked"; ?>/> + <?php echo gettext("Log SMTP email headers extracted from SMTP data. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?><br/> + <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span> + <?php echo gettext("this is logged only with the unified2 (Barnyard2) output enabled."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("E-Mail Headers Log Depth"); ?></td> + <td width="78%" class="vtable"> + <input name="smtp_email_hdrs_log_depth" type="text" class="formfld unknown" id="smtp_email_hdrs_log_depth" size="9" + value="<?=htmlspecialchars($pconfig['smtp_email_hdrs_log_depth']);?>"/> + <?php echo gettext("Memory in bytes to use for logging e-mail headers. ") . + gettext("Default is ") . "<strong>" . gettext("1464") . "</strong>" . gettext(" bytes."); ?><br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("0") . "</strong>" . gettext(" to ") . + "<strong>" . gettext("20480") . "</strong>" . gettext(". A value of ") . "<strong>" . gettext("0") . "</strong>" . + gettext(" will disable e-mail headers logging."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Maximum MIME Memory"); ?></td> + <td width="78%" class="vtable"> + <input name="smtp_max_mime_mem" type="text" class="formfld unknown" id="smtp_max_mime_mem" size="9" + value="<?=htmlspecialchars($pconfig['smtp_max_mime_mem']);?>"/> + <?php echo gettext("Maximum memory in bytes to use for decoding attachments. ") . + gettext("Default is ") . "<strong>" . gettext("838860") . "</strong>" . gettext(" bytes."); ?><br/><br/> + <?php echo gettext("The minimum value is ") . "<strong>" . gettext("3276") . "</strong>" . gettext(" bytes and the maximum is ") . + "<strong>" . gettext("100 MB") . "</strong>" . gettext(" (104857600)."); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Base64 Decoding Depth"); ?></td> + <td width="78%" class="vtable"><input name="smtp_b64_decode_depth" type="text" class="formfld unknown" id="smtp_b64_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['smtp_b64_decode_depth']);?>"> + <?php echo gettext("Depth in bytes to decode base64 encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the base64 decoding of MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the decoding of base64 encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 10 ") . + gettext("is generated when the decoding fails.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Quoted Printable Decoding Depth"); ?></td> + <td width="78%" class="vtable"><input name="smtp_qp_decode_depth" type="text" class="formfld unknown" id="smtp_qp_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['smtp_qp_decode_depth']);?>"> + <?php echo gettext("Byte depth to decode Quoted Printable (QP) encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the QP decoding of MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the decoding of QP encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 11 ") . + gettext("is generated when the decoding fails.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Non-Encoded MIME Extraction Depth"); ?></td> + <td width="78%" class="vtable"><input name="smtp_bitenc_decode_depth" type="text" class="formfld unknown" id="smtp_bitenc_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['smtp_bitenc_decode_depth']);?>"> + <?php echo gettext("Depth in bytes to extract non-encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the extraction of non-encoded MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the extraction of non-encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the extraction of non-encoded MIME attachments, and applies per attachment.");?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Unix-to-Unix Decoding Depth"); ?></td> + <td width="78%" class="vtable"><input name="smtp_uu_decode_depth" type="text" class="formfld unknown" id="smtp_uu_decode_depth" size="9" value="<?=htmlspecialchars($pconfig['smtp_uu_decode_depth']);?>"> + <?php echo gettext("Depth in bytes to decode Unix-to-Unix (UU) encoded MIME attachments. Default is ") . "<strong>" . gettext("0") . "</strong>" . gettext(" (unlimited)");?>.<br/><br/> + <?php echo gettext("Allowable values range from ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . + gettext(". A value of ") . "<strong>" . gettext("-1") . "</strong>" . gettext(" turns off the UU decoding of MIME attachments. ") . + gettext("A value of ") . "<strong>" . gettext("0") . "</strong>" . gettext(" sets the decoding of UU encoded MIME attachments to unlimited. ") . + gettext("A value other than 0 or -1 restricts the decoding of UU MIME attachments, and applies per attachment. An SMTP preprocessor alert with sid 13 ") . + gettext("is generated (if enabled) when the decoding fails.");?> + </td> + </tr> + </tbody> + + + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessors"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable RPC Decode and Back Orifice detector"); ?></td> + <td width="78%" class="vtable"><input name="other_preprocs" type="checkbox" value="on" + <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?>> + <?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.</td> </tr> <tr> @@ -1692,6 +2101,36 @@ function sensitive_data_enable_change() { } } +function pop_enable_change() { + var endis = !(document.iform.pop_preproc.checked); + + // Hide POP3 configuration rows if POP preprocessor disabled + if (endis) + document.getElementById("pop_setting_rows").style.display = "none"; + else + document.getElementById("pop_setting_rows").style.display = ""; +} + +function imap_enable_change() { + var endis = !(document.iform.imap_preproc.checked); + + // Hide IMAP configuration rows if IMAP preprocessor disabled + if (endis) + document.getElementById("imap_setting_rows").style.display = "none"; + else + document.getElementById("imap_setting_rows").style.display = ""; +} + +function smtp_enable_change() { + var endis = !(document.iform.smtp_preprocessor.checked); + + // Hide SMTP configuration rows if SMTP preprocessor disabled + if (endis) + document.getElementById("smtp_setting_rows").style.display = "none"; + else + document.getElementById("smtp_setting_rows").style.display = ""; +} + function enable_change_all() { http_inspect_enable_change(); sf_portscan_enable_change(); @@ -1746,6 +2185,9 @@ function enable_change_all() { stream5_track_icmp_enable_change(); ftp_telnet_enable_change(); sensitive_data_enable_change(); + pop_enable_change(); + imap_enable_change(); + smtp_enable_change(); } function wopen(url, name, w, h) diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index e69152c3..df17efc0 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -330,7 +330,9 @@ elseif ($_POST['clear']) { unset($a_rule[$id]['customrules']); write_config("Snort pkg: clear all custom rules for {$a_rule[$id]['interface']}."); $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_rule[$id]); + conf_mount_ro(); $rebuild_rules = false; $pconfig['customrules'] = ''; } @@ -342,7 +344,9 @@ elseif ($_POST['save']) { unset($a_rule[$id]['customrules']); write_config("Snort pkg: save modified custom rules for {$a_rule[$id]['interface']}."); $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_rule[$id]); + conf_mount_ro(); $rebuild_rules = false; $output = ""; $retcode = ""; @@ -371,7 +375,9 @@ else if ($_POST['apply']) { /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_rule[$id]); + conf_mount_ro(); $rebuild_rules = false; /* Soft-restart Snort to live-load new rules */ diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 79365f5f..59fe6eef 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -160,7 +160,9 @@ if ($_POST["save"]) { /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); snort_generate_conf($a_nat[$id]); + conf_mount_ro(); $rebuild_rules = false; /* Soft-restart Snort to live-load new rules */ |