Diffstat (limited to 'config')
-rw-r--r--config/apcupsd/apcupsd.conf.php362
-rw-r--r--config/apcupsd/apcupsd.inc191
-rw-r--r--config/apcupsd/apcupsd.xml333
-rwxr-xr-xconfig/apcupsd/apcupsd_status.php118
-rw-r--r--config/bandwidthd/bandwidthd.inc36
-rw-r--r--config/bandwidthd/bandwidthd.xml2
-rw-r--r--config/bind/bind.inc8
-rw-r--r--config/mailscanner/mailscanner.inc46
-rw-r--r--config/mailscanner/mailscanner.xml2
-rw-r--r--config/mailscanner/mailscanner_antispam.xml2
-rwxr-xr-xconfig/postfix/postfix.inc53
-rw-r--r--config/postfix/postfix.php9
-rw-r--r--config/postfix/postfix.xml22
-rwxr-xr-xconfig/postfix/postfix_about.php4
-rwxr-xr-xconfig/postfix/postfix_queue.php2
-rwxr-xr-xconfig/postfix/postfix_search.php2
-rw-r--r--config/postfix/postfix_view_config.php2
-rwxr-xr-xconfig/snort/snort.inc1312
-rw-r--r--config/snort/snort.priv.inc45
-rwxr-xr-xconfig/snort/snort.xml68
-rwxr-xr-xconfig/snort/snort_alerts.php13
-rw-r--r--config/snort/snort_barnyard.php4
-rw-r--r--config/snort/snort_blocked.php4
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php455
-rwxr-xr-xconfig/snort/snort_define_servers.php25
-rwxr-xr-xconfig/snort/snort_download_updates.php9
-rw-r--r--config/snort/snort_edit_hat_data.php2
-rw-r--r--config/snort/snort_frag3_engine.php393
-rw-r--r--config/snort/snort_ftp_client_engine.php429
-rw-r--r--config/snort/snort_ftp_server_engine.php378
-rw-r--r--config/snort/snort_httpinspect_engine.php742
-rw-r--r--config/snort/snort_import_aliases.php323
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php158
-rw-r--r--config/snort/snort_interfaces_global.php140
-rw-r--r--config/snort/snort_interfaces_suppress.php2
-rw-r--r--config/snort/snort_interfaces_suppress_edit.php6
-rw-r--r--config/snort/snort_interfaces_whitelist.php2
-rw-r--r--config/snort/snort_interfaces_whitelist_edit.php28
-rw-r--r--config/snort/snort_migrate_config.php307
-rw-r--r--config/snort/snort_post_install.php1464
-rwxr-xr-xconfig/snort/snort_preprocessors.php1556
-rwxr-xr-xconfig/snort/snort_rules.php4
-rw-r--r--config/snort/snort_rules_flowbits.php37
-rwxr-xr-xconfig/snort/snort_rulesets.php81
-rw-r--r--config/snort/snort_select_alias.php234
-rw-r--r--config/snort/snort_stream5_engine.php661
-rw-r--r--config/varnish3/varnish.inc7
-rw-r--r--config/varnish3/varnish_backends.xml4
-rw-r--r--config/varnish3/varnish_lb_directors.xml3
-rw-r--r--config/varnish3/varnish_settings.xml5
-rw-r--r--config/varnish3/varnish_sync.xml1
-rw-r--r--config/widget-snort/snort_alerts.js2
-rw-r--r--config/widget-snort/snort_alerts.widget.php30
-rw-r--r--config/widget-snort/widget-snort.xml2
-rw-r--r--config/zabbix2/zabbix2-agent.xml2
-rw-r--r--config/zabbix2/zabbix2-proxy.xml2
-rw-r--r--config/zabbix2/zabbix2.inc20
57 files changed, 8649 insertions, 1505 deletions
diff --git a/config/apcupsd/apcupsd.conf.php b/config/apcupsd/apcupsd.conf.php
new file mode 100644
index 00000000..6a19b915
--- /dev/null
+++ b/config/apcupsd/apcupsd.conf.php
@@ -0,0 +1,362 @@
+<?php
+/*
+ apcupsd.conf.php
+ part of the apcupsd package for pfSense
+ Copyright (C) 2013 Danilo G. Baio <dbaio@bsd.com.br>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+// create apcupsd.conf
+$apcupsdconf=<<<EOF
+## apcupsd.conf v1.1 ##
+#
+# for apcupsd release 3.14.10 (13 September 2011) - freebsd
+#
+# "apcupsd" POSIX config file
+
+#
+# ========= General configuration parameters ============
+#
+
+# UPSNAME xxx
+# Use this to give your UPS a name in log files and such. This
+# is particulary useful if you have multiple UPSes. This does not
+# set the EEPROM. It should be 8 characters or less.
+UPSNAME {$upsname}
+
+# UPSCABLE <cable>
+# Defines the type of cable connecting the UPS to your computer.
+#
+# Possible generic choices for <cable> are:
+# simple, smart, ether, usb
+#
+# Or a specific cable model number may be used:
+# 940-0119A, 940-0127A, 940-0128A, 940-0020B,
+# 940-0020C, 940-0023A, 940-0024B, 940-0024C,
+# 940-1524C, 940-0024G, 940-0095A, 940-0095B,
+# 940-0095C, M-04-02-2000
+#
+UPSCABLE {$upscable}
+
+# To get apcupsd to work, in addition to defining the cable
+# above, you must also define a UPSTYPE, which corresponds to
+# the type of UPS you have (see the Description for more details).
+# You must also specify a DEVICE, sometimes referred to as a port.
+# For USB UPSes, please leave the DEVICE directive blank. For
+# other UPS types, you must specify an appropriate port or address.
+#
+# UPSTYPE DEVICE Description
+# apcsmart /dev/tty** Newer serial character device, appropriate for
+# SmartUPS models using a serial cable (not USB).
+#
+# usb <BLANK> Most new UPSes are USB. A blank DEVICE
+# setting enables autodetection, which is
+# the best choice for most installations.
+#
+# net hostname:port Network link to a master apcupsd through apcupsd's
+# Network Information Server. This is used if the
+# UPS powering your computer is connected to a
+# different computer for monitoring.
+#
+# snmp hostname:port:vendor:community
+# SNMP network link to an SNMP-enabled UPS device.
+# Hostname is the ip address or hostname of the UPS
+# on the network. Vendor can be can be "APC" or
+# "APC_NOTRAP". "APC_NOTRAP" will disable SNMP trap
+# catching; you usually want "APC". Port is usually
+# 161. Community is usually "private".
+#
+# netsnmp hostname:port:vendor:community
+# OBSOLETE
+# Same as SNMP above but requires use of the
+# net-snmp library. Unless you have a specific need
+# for this old driver, you should use 'snmp' instead.
+#
+# dumb /dev/tty** Old serial character device for use with
+# simple-signaling UPSes.
+#
+# pcnet ipaddr:username:passphrase:port
+# PowerChute Network Shutdown protocol which can be
+# used as an alternative to SNMP with the AP9617
+# family of smart slot cards. ipaddr is the IP
+# address of the UPS management card. username and
+# passphrase are the credentials for which the card
+# has been configured. port is the port number on
+# which to listen for messages from the UPS, normally
+# 3052. If this parameter is empty or missing, the
+# default of 3052 will be used.
+#
+UPSTYPE {$upstype}
+
+# POLLTIME <int>
+# Interval (in seconds) at which apcupsd polls the UPS for status. This
+# setting applies both to directly-attached UPSes (UPSTYPE apcsmart, usb,
+# dumb) and networked UPSes (UPSTYPE net, snmp). Lowering this setting
+# will improve apcupsd's responsiveness to certain events at the cost of
+# higher CPU utilization. The default of 60 is appropriate for most
+# situations.
+POLLTIME {$polltime}
+
+# LOCKFILE <path to lockfile>
+# Path for device lock file. Not used on Win32.
+LOCKFILE /var/spool/lock
+
+# SCRIPTDIR <path to script directory>
+# Directory in which apccontrol and event scripts are located.
+SCRIPTDIR /usr/local/etc/apcupsd
+
+# PWRFAILDIR <path to powerfail directory>
+# Directory in which to write the powerfail flag file. This file
+# is created when apcupsd initiates a system shutdown and is
+# checked in the OS halt scripts to determine if a killpower
+# (turning off UPS output power) is required.
+PWRFAILDIR /var/run
+
+# NOLOGINDIR <path to nologin directory>
+# Directory in which to write the nologin file. The existence
+# of this flag file tells the OS to disallow new logins.
+NOLOGINDIR /var/run
+
+
+#
+# ======== Configuration parameters used during power failures ==========
+#
+
+# The ONBATTERYDELAY is the time in seconds from when a power failure
+# is detected until we react to it with an onbattery event.
+#
+# This means that, apccontrol will be called with the powerout argument
+# immediately when a power failure is detected. However, the
+# onbattery argument is passed to apccontrol only after the
+# ONBATTERYDELAY time. If you don't want to be annoyed by short
+# powerfailures, make sure that apccontrol powerout does nothing
+# i.e. comment out the wall.
+ONBATTERYDELAY {$onbatterydelay}
+
+#
+# Note: BATTERYLEVEL, MINUTES, and TIMEOUT work in conjunction, so
+# the first that occurs will cause the initation of a shutdown.
+#
+
+# If during a power failure, the remaining battery percentage
+# (as reported by the UPS) is below or equal to BATTERYLEVEL,
+# apcupsd will initiate a system shutdown.
+BATTERYLEVEL {$batterylevel}
+
+# If during a power failure, the remaining runtime in minutes
+# (as calculated internally by the UPS) is below or equal to MINUTES,
+# apcupsd, will initiate a system shutdown.
+MINUTES {$minutes}
+
+# If during a power failure, the UPS has run on batteries for TIMEOUT
+# many seconds or longer, apcupsd will initiate a system shutdown.
+# A value of 0 disables this timer.
+#
+# Note, if you have a Smart UPS, you will most likely want to disable
+# this timer by setting it to zero. That way, you UPS will continue
+# on batteries until either the % charge remaing drops to or below BATTERYLEVEL,
+# or the remaining battery runtime drops to or below MINUTES. Of course,
+# if you are testing, setting this to 60 causes a quick system shutdown
+# if you pull the power plug.
+# If you have an older dumb UPS, you will want to set this to less than
+# the time you know you can run on batteries.
+TIMEOUT {$timeout}
+
+# Time in seconds between annoying users to signoff prior to
+# system shutdown. 0 disables.
+ANNOY {$annoy}
+
+# Initial delay after power failure before warning users to get
+# off the system.
+ANNOYDELAY {$annoydelay}
+
+# The condition which determines when users are prevented from
+# logging in during a power failure.
+# NOLOGON <string> [ disable | timeout | percent | minutes | always ]
+NOLOGON disable
+
+# If KILLDELAY is non-zero, apcupsd will continue running after a
+# shutdown has been requested, and after the specified time in
+# seconds attempt to kill the power. This is for use on systems
+# where apcupsd cannot regain control after a shutdown.
+# KILLDELAY <seconds> 0 disables
+KILLDELAY {$killdelay}
+
+#
+# ==== Configuration statements for Network Information Server ====
+#
+
+# NETSERVER [ on | off ] on enables, off disables the network
+# information server. If netstatus is on, a network information
+# server process will be started for serving the STATUS and
+# EVENT data over the network (used by CGI programs).
+NETSERVER {$netserver}
+
+# NISIP <dotted notation ip address>
+# IP address on which NIS server will listen for incoming connections.
+# This is useful if your server is multi-homed (has more than one
+# network interface and IP address). Default value is 0.0.0.0 which
+# means any incoming request will be serviced. Alternatively, you can
+# configure this setting to any specific IP address of your server and
+# NIS will listen for connections only on that interface. Use the
+# loopback address (127.0.0.1) to accept connections only from the
+# local machine.
+NISIP ${nisip}
+
+# NISPORT <port> default is 3551 as registered with the IANA
+# port to use for sending STATUS and EVENTS data over the network.
+# It is not used unless NETSERVER is on. If you change this port,
+# you will need to change the corresponding value in the cgi directory
+# and rebuild the cgi programs.
+NISPORT ${nisport}
+
+# If you want the last few EVENTS to be available over the network
+# by the network information server, you must define an EVENTSFILE.
+EVENTSFILE /var/log/apcupsd.events
+
+# EVENTSFILEMAX <kilobytes>
+# By default, the size of the EVENTSFILE will be not be allowed to exceed
+# 10 kilobytes. When the file grows beyond this limit, older EVENTS will
+# be removed from the beginning of the file (first in first out). The
+# parameter EVENTSFILEMAX can be set to a different kilobyte value, or set
+# to zero to allow the EVENTSFILE to grow without limit.
+EVENTSFILEMAX 10
+
+#
+# ========== Configuration statements used if sharing =============
+# a UPS with more than one machine
+
+#
+# Remaining items are for ShareUPS (APC expansion card) ONLY
+#
+
+# UPSCLASS [ standalone | shareslave | sharemaster ]
+# Normally standalone unless you share an UPS using an APC ShareUPS
+# card.
+UPSCLASS {$upsclass}
+
+# UPSMODE [ disable | share ]
+# Normally disable unless you share an UPS using an APC ShareUPS card.
+UPSMODE {$upsmode}
+
+#
+# ===== Configuration statements to control apcupsd system logging ========
+#
+
+# Time interval in seconds between writing the STATUS file; 0 disables
+STATTIME 0
+
+# Location of STATUS file (written to only if STATTIME is non-zero)
+STATFILE /var/log/apcupsd.status
+
+# LOGSTATS [ on | off ] on enables, off disables
+# Note! This generates a lot of output, so if
+# you turn this on, be sure that the
+# file defined in syslog.conf for LOG_NOTICE is a named pipe.
+# You probably do not want this on.
+LOGSTATS off
+
+# Time interval in seconds between writing the DATA records to
+# the log file. 0 disables.
+DATATIME 0
+
+# FACILITY defines the logging facility (class) for logging to syslog.
+# If not specified, it defaults to "daemon". This is useful
+# if you want to separate the data logged by apcupsd from other
+# programs.
+#FACILITY DAEMON
+
+#
+# ========== Configuration statements used in updating the UPS EPROM =========
+#
+
+#
+# These statements are used only by apctest when choosing "Set EEPROM with conf
+# file values" from the EEPROM menu. THESE STATEMENTS HAVE NO EFFECT ON APCUPSD.
+#
+
+# UPS name, max 8 characters
+#UPSNAME UPS_IDEN
+
+# Battery date - 8 characters
+#BATTDATE mm/dd/yy
+
+# Sensitivity to line voltage quality (H cause faster transfer to batteries)
+# SENSITIVITY H M L (default = H)
+#SENSITIVITY H
+
+# UPS delay after power return (seconds)
+# WAKEUP 000 060 180 300 (default = 0)
+#WAKEUP 60
+
+# UPS Grace period after request to power off (seconds)
+# SLEEP 020 180 300 600 (default = 20)
+#SLEEP 180
+
+# Low line voltage causing transfer to batteries
+# The permitted values depend on your model as defined by last letter
+# of FIRMWARE or APCMODEL. Some representative values are:
+# D 106 103 100 097
+# M 177 172 168 182
+# A 092 090 088 086
+# I 208 204 200 196 (default = 0 => not valid)
+#LOTRANSFER 208
+
+# High line voltage causing transfer to batteries
+# The permitted values depend on your model as defined by last letter
+# of FIRMWARE or APCMODEL. Some representative values are:
+# D 127 130 133 136
+# M 229 234 239 224
+# A 108 110 112 114
+# I 253 257 261 265 (default = 0 => not valid)
+#HITRANSFER 253
+
+# Battery charge needed to restore power
+# RETURNCHARGE 00 15 50 90 (default = 15)
+#RETURNCHARGE 15
+
+# Alarm delay
+# 0 = zero delay after pwr fail, T = power fail + 30 sec, L = low battery, N = never
+# BEEPSTATE 0 T L N (default = 0)
+#BEEPSTATE T
+
+# Low battery warning delay in minutes
+# LOWBATT 02 05 07 10 (default = 02)
+#LOWBATT 2
+
+# UPS Output voltage when running on batteries
+# The permitted values depend on your model as defined by last letter
+# of FIRMWARE or APCMODEL. Some representative values are:
+# D 115
+# M 208
+# A 100
+# I 230 240 220 225 (default = 0 => not valid)
+#OUTPUTVOLTS 230
+
+# Self test interval in hours 336=2 weeks, 168=1 week, ON=at power on
+# SELFTEST 336 168 ON OFF (default = 336)
+#SELFTEST 336
+EOF;
+?>
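Review bot: The template writes `UPSTYPE {$upstype}` but never emits a `DEVICE` directive, although the comment block directly above it states that a DEVICE (port or address) must be specified for every non-USB type; unless the single "UPS Type / Device" field is meant to carry both tokens on one line, serial, net, snmp and pcnet setups have no way to set their port from this configuration. I'd expect a `$device` variable and a `DEVICE {$device}` line after UPSTYPE, with a comment noting it is left blank for USB autodetection. Separately, `NISIP ${nisip}` and `NISPORT ${nisport}` use the `${var}` interpolation form while every other directive uses `{$var}`; both are equivalent here, but `${...}` is the form later PHP releases deprecate, so `NISIP {$nisip}` / `NISPORT {$nisport}` keeps the file uniform. Because the heredoc is unquoted, every interpolated value lands in apcupsd.conf verbatim; validation of those values lives in apcupsd.inc, outside this hunk.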
diff --git a/config/apcupsd/apcupsd.inc b/config/apcupsd/apcupsd.inc
new file mode 100644
index 00000000..9abc23ba
--- /dev/null
+++ b/config/apcupsd/apcupsd.inc
@@ -0,0 +1,191 @@
+<?php
+/* $Id$ */
+/* ========================================================================== */
+/*
+ apcupsd.inc
+ part of the apcupsd package for pfSense
+ Copyright (C) 2013 Danilo G. Baio <dbaio@bsd.com.br>
+
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+require_once("util.inc");
+require_once("functions.inc");
+require_once("pkg-utils.inc");
+require_once("globals.inc");
+
+function php_install_apcupsd(){
+ sync_package_apcupsd();
+}
+
+function php_deinstall_apcupsd(){
+ global $config, $g;
+
+ conf_mount_rw();
+ $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pfs_version > 2.0){
+ define('APCUPSD_BASE', '/usr/pbi/apcupsd-' . php_uname("m"));
+ } else {
+ define('APCUPSD_BASE', '/usr/local');
+ }
+
+ exec("/usr/bin/killall apcupsd");
+ unlink_if_exists(APCUPSD_BASE . "/etc/rc.d/apcupsd.sh");
+ unlink_if_exists(APCUPSD_BASE . "/etc/apcupsd/apcupsd.conf");
+ unlink_if_exists("/var/log/apcupsd/apcupsd.log");
+ unlink_if_exists("/var/run/apcupsd/apcupsd.pid");
+
+ if (is_dir("/var/log/apcupsd"))
+ exec("/bin/rm -r /var/log/apcupsd/");
+ if (is_dir("/var/run/apcupsd"))
+ exec("/bin/rm -r /var/run/apcupsd/");
+
+ conf_mount_ro();
+}
+
+function validate_input_apcupsd($post,&$input_errors){
+
+ if (isset($post['apcupsdenabled'])){
+
+ if ($post['polltime'] != '' && !is_numericint($post['polltime'])) {
+ $input_errors[]='Poll Time is not numeric.';
+ }
+
+ if ($post['onbatterydelay'] != '' && !is_numericint($post['onbatterydelay'])) {
+ $input_errors[]='OnBattery Delay is not numeric.';
+ }
+
+ if ($post['batterylevel'] != '' && !is_numericint($post['batterylevel'])) {
+ $input_errors[]='Battery Level is not numeric.';
+ }
+
+ if ($post['minutes'] != '' && !is_numericint($post['minutes'])) {
+ $input_errors[]='Minutes is not numeric.';
+ }
+
+ if ($post['timeout'] != '' && !is_numericint($post['timeout'])) {
+ $input_errors[]='Timeout is not numeric.';
+ }
+
+ if ($post['annoy'] != '' && !is_numericint($post['annoy'])) {
+ $input_errors[]='Annoy is not numeric.';
+ }
+
+ if ($post['annoydelay'] != '' && !is_numericint($post['annoydelay'])) {
+ $input_errors[]='Annoy Delay is not numeric.';
+ }
+
+ if ($post['killdelay'] != '' && !is_numericint($post['killdelay'])) {
+ $input_errors[]='Kill Delay is not numeric.';
+ }
+
+ if ($post['nisip'] != '') {
+ if (!is_ipaddr_configured($post['nisip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['nisip'])) {
+ $input_errors[]='NIS Ip is not a configured IP address.';
+ }
+ }
+
+ if ($post['nisport'] != '') {
+ if (!preg_match("/^\d+$/", $post['nisport'])) {
+ $input_errors[]='NIS Port is not numeric.';
+ }
+ }
+
+ } // apcupsdenabled
+}
+
+function sync_package_apcupsd(){
+ global $config, $g;
+
+ conf_mount_rw();
+
+ // check pfsense version
+ $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pfs_version > 2.0){
+ define('APCUPSD_BASE', '/usr/pbi/apcupsd-' . php_uname("m"));
+ }
+ else {
+ define('APCUPSD_BASE', '/usr/local');
+ }
+
+ // check apcupsd settings
+ if (is_array($config['installedpackages']['apcupsd'])){
+ $apcupsd_config = $config['installedpackages']['apcupsd']['config'][0];
+ if ($apcupsd_config['apcupsdenabled']=="on"){
+ $upsname=$apcupsd_config['upsname'];
+ $upscable=$apcupsd_config['upscable'];
+ $upstype=$apcupsd_config['upstype'];
+ $polltime=($apcupsd_config['polltime'] != ''? $apcupsd_config['polltime'] : "60");
+ $onbatterydelay=($apcupsd_config['onbatterydelay'] != ''? $apcupsd_config['onbatterydelay'] : "6");
+ $batterylevel=($apcupsd_config['batterylevel'] != ''? $apcupsd_config['batterylevel'] : "5");
+ $minutes=($apcupsd_config['minutes'] != ''? $apcupsd_config['minutes'] : "3");
+ $timeout=($apcupsd_config['timeout'] != ''? $apcupsd_config['timeout'] : "0");
+ $annoy=($apcupsd_config['annoy'] != ''? $apcupsd_config['annoy'] : "300");
+ $annoydelay=($apcupsd_config['annoydelay'] != ''? $apcupsd_config['annoydelay'] : "60");
+ $killdelay=($apcupsd_config['killdelay'] != ''? $apcupsd_config['killdelay'] : "0");
+ $netserver=$apcupsd_config['netserver'];
+ $nisip=($apcupsd_config['nisip'] != ''? $apcupsd_config['nisip'] : "0.0.0.0");
+ $nisport=($apcupsd_config['nisport'] != ''? $apcupsd_config['nisport'] : "3551");
+ $upsclass=$apcupsd_config['upsclass'];
+ $upsmode=$apcupsd_config['upsmode'];
+
+ include("/usr/local/pkg/apcupsd.conf.php");
+ file_put_contents(APCUPSD_BASE . "/etc/apcupsd/apcupsd.conf", $apcupsdconf, LOCK_EX);
+ }
+ }
+
+ // RC FILE
+ $apcupsd_rcfile="/usr/local/etc/rc.d/apcupsd.sh";
+ if (is_array($apcupsd_config) && $apcupsd_config['apcupsdenabled']=="on"){
+ $apcupsd_start = "echo \"Starting APC UPS Daemon...\"\n";
+ if ($apcupsd_config['killonpowerfail']=="on"){
+ $apcupsd_start .= " " . APCUPSD_BASE . "/sbin/apcupsd --kill-on-powerfail";
+ }else{
+ $apcupsd_start .= " " . APCUPSD_BASE . "/sbin/apcupsd";
+ }
+
+ $apcupsd_stop = "echo \"Stopping APC UPS Daemon...\"\n";
+ $apcupsd_stop .= " /usr/bin/killall apcupsd\n";
+ $apcupsd_stop .= " /bin/sleep 5";
+
+ /* write out rc.d start/stop file */
+ write_rcfile(array(
+ "file" => "apcupsd.sh",
+ "start" => "$apcupsd_start",
+ "stop" => "$apcupsd_stop"
+ )
+ );
+ mwexec("{$apcupsd_rcfile} restart");
+ }else{
+ if (file_exists($apcupsd_rcfile)){
+ mwexec("{$apcupsd_rcfile} stop");
+ unlink($apcupsd_rcfile);
+ }
+ }
+
+ conf_mount_ro();
+}
+?>
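Review bot: The fallback check in validate_input_apcupsd, `preg_match("/(127.0.0.1|0.0.0.0)/", $post['nisip'])`, is unanchored and its dots are unescaped, so any string containing a run that matches the pattern (for example `127x0x0x1` or `10.0.0.0.5`) is accepted as a listen address; an exact comparison is what is meant, `if (!is_ipaddr_configured($post['nisip']) && !in_array($post['nisip'], array('127.0.0.1', '0.0.0.0'), true))`. The `nisport` check only proves the value is digits; a range check against 1–65535 would stop an unusable port from reaching the config. The free-text fields `upsname`, `upscable`, `upstype`, `upsclass` and `upsmode` are never validated yet sync_package_apcupsd writes them verbatim into apcupsd.conf through the unquoted heredoc in apcupsd.conf.php, so a value with an embedded newline becomes an extra directive — restricting `upscable`, `upstype`, `upsclass` and `upsmode` to the documented token lists and rejecting control characters in `upsname` would close that. Note also that with the XML defaulting `netserver` to on and sync_package_apcupsd falling back to `nisip = "0.0.0.0"`, the information server listens on every interface out of the box; defaulting to `127.0.0.1` unless the user opts in is the safer posture. Lastly, both php_deinstall_apcupsd and sync_package_apcupsd call `define('APCUPSD_BASE', ...)`, so running both in one request re-defines the constant; hoisting the version detection into a helper guarded by `defined('APCUPSD_BASE')` avoids the warning.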
diff --git a/config/apcupsd/apcupsd.xml b/config/apcupsd/apcupsd.xml
new file mode 100644
index 00000000..8674af61
--- /dev/null
+++ b/config/apcupsd/apcupsd.xml
@@ -0,0 +1,333 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+<copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ apcupsd.xml
+ part of the apcupsd package for pfSense
+ Copyright (C) 2013 Danilo G. Baio <dbaio@bsd.com.br>
+
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <name>Apcupsd</name>
+ <title>Services: Apcupsd (General)</title>
+ <category>Monitoring</category>
+ <version>0.1</version>
+ <include_file>/usr/local/pkg/apcupsd.inc</include_file>
+ <addedit_string>Apcupsd has been created/modified.</addedit_string>
+ <delete_string>Apcupsd has been deleted.</delete_string>
+ <restart_command>/usr/local/etc/rc.d/apcupsd.sh restart</restart_command>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/apcupsd/apcupsd.inc</item>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/apcupsd/apcupsd_status.php</item>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/apcupsd/apcupsd.conf.php</item>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <menu>
+ <name>Apcupsd</name>
+ <tooltiptext>Setup Apcupsd specific settings</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=apcupsd.xml&amp;id=0</url>
+ </menu>
+ <service>
+ <name>apcupsd</name>
+ <rcfile>apcupsd.sh</rcfile>
+ <executable>apcupsd</executable>
+ <description>Apcupsd a daemon for controlling APC UPSes</description>
+ </service>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=apcupsd.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Status</text>
+ <url>apcupsd_status.php</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>General configuration parameters</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>apcupsdenabled</fieldname>
+ <description>Enable APC UPS Daemon service</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>UPS Name</fielddescr>
+ <fieldname>upsname</fieldname>
+ <description>Use this to give your UPS a name in log files and such</description>
+ <type>input</type>
+ <size>60</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>UPS Cable</fielddescr>
+ <fieldname>upscable</fieldname>
+ <description><![CDATA[Defines the type of cable connecting the UPS to your computer.<br>
+<br>
+Possible generic choices for <cable> are:<br>
+ simple, smart, ether, usb<br>
+<br>
+Or a specific cable model number may be used:<br>
+ 940-0119A, 940-0127A, 940-0128A, 940-0020B,<br>
+ 940-0020C, 940-0023A, 940-0024B, 940-0024C,<br>
+ 940-1524C, 940-0024G, 940-0095A, 940-0095B,<br>
+ 940-0095C, M-04-02-2000
+ ]]></description>
+ <type>input</type>
+ <size>60</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>UPS Type / Device</fielddescr>
+ <fieldname>upstype</fieldname>
+ <description><![CDATA[To get apcupsd to work, in addition to defining the cable
+above, you must also define a UPSTYPE, which corresponds to
+the type of UPS you have (see the Description for more details).
+You must also specify a DEVICE, sometimes referred to as a port.
+For USB UPSes, please leave the DEVICE directive blank. For
+other UPS types, you must specify an appropriate port or address.<br>
+<br>
+UPSTYPE DEVICE Description <br>
+<br>
+<strong>apcsmart /dev/tty**</strong> Newer serial character device, appropriate for
+ SmartUPS models using a serial cable (not USB).<br>
+<br>
+<strong>usb BLANK</strong> Most new UPSes are USB. A blank DEVICE
+ setting enables autodetection, which is
+ the best choice for most installations.<br>
+<br>
+<strong>net hostname:port</strong> Network link to a master apcupsd through apcupsd's
+ Network Information Server. This is used if the
+ UPS powering your computer is connected to a
+ different computer for monitoring.<br>
+<br>
+<strong>snmp hostname:port:vendor:community</strong>
+ SNMP network link to an SNMP-enabled UPS device.
+ Hostname is the ip address or hostname of the UPS
+ on the network. Vendor can be can be "APC" or
+ "APC_NOTRAP". "APC_NOTRAP" will disable SNMP trap
+ catching; you usually want "APC". Port is usually
+ 161. Community is usually "private".<br>
+<br>
+<strong>netsnmp hostname:port:vendor:community</strong>
+ OBSOLETE
+ Same as SNMP above but requires use of the
+ net-snmp library. Unless you have a specific need
+ for this old driver, you should use 'snmp' instead.<br>
+<br>
+<strong>dumb /dev/tty**</strong> Old serial character device for use with
+ simple-signaling UPSes.<br>
+<br>
+<strong>pcnet ipaddr:username:passphrase:port</strong>
+ PowerChute Network Shutdown protocol which can be
+ used as an alternative to SNMP with the AP9617
+ family of smart slot cards. ipaddr is the IP
+ address of the UPS management card. username and
+ passphrase are the credentials for which the card
+ has been configured. port is the port number on
+ which to listen for messages from the UPS, normally
+ 3052. If this parameter is empty or missing, the
+ default of 3052 will be used.<br>
+<br>
+ ]]></description>
+ <type>input</type>
+ <size>60</size>
+ <required>true</required>
+ </field>
+ <field>
+ <fielddescr>Poll Time</fielddescr>
+ <fieldname>polltime</fieldname>
+ <description>Interval (in seconds) at which apcupsd polls the UPS for status. Default is 60</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>60</default_value>
+ </field>
+ <field>
+ <fielddescr>Kill on Power Fail</fielddescr>
+ <fieldname>killonpowerfail</fieldname>
+ <description>Hibernate UPS on powerfail</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <name>Configuration parameters used during power failures</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>OnBattery Delay</fielddescr>
+ <fieldname>onbatterydelay</fieldname>
+ <description>Time in seconds from when a power failure is detected until we react to it with an onbattery event. Default is 6</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>6</default_value>
+ </field>
+ <field>
+ <fielddescr>Battery Level</fielddescr>
+ <fieldname>batterylevel</fieldname>
+ <description>If during a power failure, the remaining battery percentage (as reported by the UPS) is
+ below or equal to BATTERYLEVEL, apcupsd will initiate a system shutdown. Default is 5</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>5</default_value>
+ </field>
+ <field>
+ <fielddescr>Minutes</fielddescr>
+ <fieldname>minutes</fieldname>
+ <description>If during a power failure, the remaining runtime in minutes (as calculated internally
+ by the UPS) is below or equal to MINUTES, apcupsd, will initiate a system shutdown. Default is 3</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>3</default_value>
+ </field>
+ <field>
+ <fielddescr>Timeout</fielddescr>
+ <fieldname>timeout</fieldname>
+ <description>If during a power failure, the UPS has run on batteries for TIMEOUT many seconds
+ or longer, apcupsd will initiate a system shutdown. A value of 0 (default) disables this timer</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>Annoy</fielddescr>
+ <fieldname>annoy</fieldname>
+ <description>Time in seconds between annoying users to signoff prior to system shutdown. 0 disables. Default is 300</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>300</default_value>
+ </field>
+ <field>
+ <fielddescr>Annoy Delay</fielddescr>
+ <fieldname>annoydelay</fieldname>
+ <description>Initial delay after power failure before warning users to get off the system. Default is 60</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>60</default_value>
+ </field>
+ <field>
+ <fielddescr>Kill Delay</fielddescr>
+ <fieldname>killdelay</fieldname>
+ <description>If KILLDELAY is non-zero, apcupsd will continue running after a shutdown has been
+ requested, and after the specified time in seconds attempt to kill the power. This is for use
+ on systems where apcupsd cannot regain control after a shutdown. 0 disables (default)</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <name>Configuration statements for Network Information Server</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Net Server</fielddescr>
+ <fieldname>netserver</fieldname>
+ <description>If netstatus is on, a network information server process will be started for serving
+ the STATUS and EVENT data over the network (used by CGI programs)</description>
+ <type>select</type>
+ <default_value>on</default_value>
+ <options>
+ <option><name>On</name><value>on</value></option>
+ <option><name>Off</name><value>off</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>NIS Ip</fielddescr>
+ <fieldname>nisip</fieldname>
+ <description>IP address on which NIS server will listen for incoming connections. Default value is
+ 0.0.0.0 which means any incoming request will be serviced. Alternatively, you can configure this
+ setting to any specific IP address of your server and NIS will listen for connections only on that
+ interface. Use the loopback address (127.0.0.1) to accept connections only from the local machine</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>0.0.0.0</default_value>
+ </field>
+ <field>
+ <fielddescr>NIS Port</fielddescr>
+ <fieldname>nisport</fieldname>
+ <description>Port to use for sending STATUS and EVENTS data over the network.
+ It is not used unless NETSERVER is on. If you change this port,
+ you will need to change the corresponding value in the cgi directory
+ and rebuild the cgi programs. Default is 3551 as registered with the IANA</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>3551</default_value>
+ </field>
+ <field>
+ <name>Configuration statements used if sharing</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>UPS Class</fielddescr>
+ <fieldname>upsclass</fieldname>
+ <description>Normally standalone unless you share an UPS using an APC ShareUPS card</description>
+ <type>select</type>
+ <default_value>standalone</default_value>
+ <options>
+ <option><name>Standalone</name><value>standalone</value></option>
+ <option><name>Share Master</name><value>sharemaster</value></option>
+ <option><name>Share Slave</name><value>shareslave</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>UPS Mode</fielddescr>
+ <fieldname>upsmode</fieldname>
+ <description>Normally disable unless you share an UPS using an APC ShareUPS card</description>
+ <type>select</type>
+ <default_value>disable</default_value>
+ <options>
+ <option><name>Disable</name><value>disable</value></option>
+ <option><name>Share</name><value>share</value></option>
+ </options>
+ </field>
+ </fields>
+ <custom_php_install_command>sync_package_apcupsd();</custom_php_install_command>
+ <custom_php_command_before_form></custom_php_command_before_form>
+ <custom_php_after_head_command></custom_php_after_head_command>
+ <custom_php_after_form_command></custom_php_after_form_command>
+ <custom_php_validation_command>validate_input_apcupsd($_POST, &amp;$input_errors);</custom_php_validation_command>
+ <custom_add_php_command></custom_add_php_command>
+ <custom_php_resync_config_command>sync_package_apcupsd();</custom_php_resync_config_command>
+ <custom_php_deinstall_command>php_deinstall_apcupsd();</custom_php_deinstall_command>
+</packagegui>
diff --git a/config/apcupsd/apcupsd_status.php b/config/apcupsd/apcupsd_status.php
new file mode 100755
index 00000000..e465f62c
--- /dev/null
+++ b/config/apcupsd/apcupsd_status.php
@@ -0,0 +1,118 @@
+<?php
+/*
+ apcupsd_status.php
+ part of pfSense (http://www.pfsense.com/)
+ Copyright (C) 2013 Danilo G. Baio <dbaio@bsd.com.br>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+
+$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
+
+if(strstr($pfSversion, "1.2"))
+ $one_two = true;
+
+$pgtitle = "Services: Apcupsd (Status)";
+include("head.inc");
+
+function puts( $arg ) { echo "$arg\n"; }
+
+?>
+
+<style>
+<!--
+
+input {
+ font-family: courier new, courier;
+ font-weight: normal;
+ font-size: 9pt;
+}
+
+pre {
+ border: 2px solid #435370;
+ background: #F0F0F0;
+ padding: 1em;
+ font-family: courier new, courier;
+ white-space: pre;
+ line-height: 10pt;
+ font-size: 10pt;
+}
+
+.label {
+ font-family: tahoma, verdana, arial, helvetica;
+ font-size: 11px;
+ font-weight: bold;
+}
+
+.button {
+ font-family: tahoma, verdana, arial, helvetica;
+ font-weight: bold;
+ font-size: 11px;
+}
+
+-->
+</style>
+</head>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+
+ <?php include("fbegin.inc"); ?>
+
+ <?php if($one_two): ?>
+ <p class="pgtitle"><?=$pgtitle?></font></p>
+ <?php endif; ?>
+
+
+<div id="mainlevel">
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr><td>
+ <?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=apcupsd.xml&amp;id=0");
+ $tab_array[] = array(gettext("Status"), true, "/apcupsd_status.php");
+ display_top_tabs($tab_array);
+ ?>
+ </td></tr>
+ </table>
+</div>
+
+<div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; ">
+ <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6">
+ <tr><td>
+<?php
+ puts("<pre>");
+ putenv("PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin");
+ $ph = popen('apcaccess 2>&1', "r" );
+ while ($line = fgets($ph)) echo htmlspecialchars($line);
+ pclose($ph);
+ puts("</pre>");
+?>
+ </td></tr>
+ </table>
+</div>
+<?php
+include("fend.inc");
+?>
+</body>
+</html>
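Review bot: The `popen('apcaccess 2>&1', "r")` result is used without a check, so a missing or non-executable `apcaccess` yields `false`, a warning from `fgets(false)` and a `pclose()` on a non-resource instead of a readable message; guard it with `if ($ph === false) { echo htmlspecialchars("unable to run apcaccess"); } else { ... }`. The `while ($line = fgets($ph))` loop also stops early on a line that is exactly `"0"`, so `while (($line = fgets($ph)) !== false)` is the safer form. `$one_two` is only assigned when `strstr($pfSversion, "1.2")` matches, so on other versions `if($one_two)` reads an undefined variable; initialise it to `false` before the test, and note that the unanchored `strstr` would also match a version such as `2.1.2`. The `</font>` in the page-title paragraph has no opening tag.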
diff --git a/config/bandwidthd/bandwidthd.inc b/config/bandwidthd/bandwidthd.inc
index 1220e033..7cdc8006 100644
--- a/config/bandwidthd/bandwidthd.inc
+++ b/config/bandwidthd/bandwidthd.inc
@@ -40,6 +40,10 @@ switch ($pfs_version) {
}
// End: Check pfSense version
+function is_blank($value) {
+ return empty($value) && !is_numeric($value);
+}
+
function bandwidthd_install_deinstall() {
conf_mount_rw();
config_lock();
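Review bot: `is_blank()` does not trim, so a field holding only whitespace is reported as non-blank and the callers in the following hunks emit a directive with an empty argument (e.g. `filter   \n`); `return !is_numeric($value) && trim($value) === '';` keeps the `"0"` handling that motivated the helper while catching whitespace. A short header comment would also help, since the `is_numeric` clause is the whole point: `/* True for null/'' only; numeric strings such as "0" are valid values, not blanks. */`.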
@@ -66,8 +70,11 @@ function bandwidthd_install_config() {
/* user defined values */
$bandwidthd_config = $config['installedpackages']['bandwidthd']['config'][0];
$meta_refresh = $bandwidthd_config['meta_refresh'];
- if ($meta_refresh)
+ if (is_numeric($meta_refresh))
$meta_refresh = "meta_refresh $meta_refresh\n";
+ else
+ $meta_refresh = "";
+
$graph = $bandwidthd_config['drawgraphs'];
if ($graph)
$graph = "graph true\n";
@@ -75,11 +82,17 @@ function bandwidthd_install_config() {
$graph = "graph false\n";
$filter_text = $bandwidthd_config['filter'];
- if ($filter_text)
+ if (!is_blank($filter_text))
$filter_text = "filter $filter_text\n";
+ else
+ $filter_text = "";
+
$recover_cdf = $bandwidthd_config['recovercdf'];
if ($recover_cdf)
$recover_cdf = "recover_cdf true\n";
+ else
+ $recover_cdf = "";
+
$output_cdf = $bandwidthd_config['outputcdf'];
if ($output_cdf)
$output_cdf_string = "output_cdf true\n";
@@ -93,15 +106,15 @@ function bandwidthd_install_config() {
$postgresql_password = $bandwidthd_config['postgresqlpassword'];
$postgresql_string = "";
if ($output_postgresql) {
- if ($postgresql_host && $postgresql_username && $postgresql_database && $postgresql_password)
+ if (!is_blank($postgresql_host) && !is_blank($postgresql_username) && !is_blank($postgresql_database) && !is_blank($postgresql_password))
$postgresql_string = "pgsql_connect_string \"user = $postgresql_username dbname = $postgresql_database password = $postgresql_password host = $postgresql_host\"\n";
else
- log_error("You have to specify the postgreSQL Host, Database, Username and Password. Exiting.");
+ log_error("bandwidthd: You have to specify the postgreSQL Host, Database, Username and Password. postgreSQL details have been ignored.");
}
$sensor_id = $bandwidthd_config['sensorid'];
- if ($sensor_id)
+ if (!is_blank($sensor_id))
$sensor_id_string = "sensor_id \"$sensor_id\"";
else
$sensor_id_string = "";
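Review bot: The new presence check on the `pgsql_connect_string` guard does not cover the content of the values, which are interpolated verbatim into a double-quoted directive on the next line, so a password or host containing `"` or a newline produces a malformed or altered bandwidthd.conf; reject such values in the guard or escape them before interpolation, e.g. `&& strpbrk($postgresql_password, "\"\n") === false` for each of the four. The same unquoted interpolation applies to `sensor_id` a few lines down. Because `is_blank()` accepts whitespace-only strings, a value of `"  "` also passes this guard.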
@@ -113,13 +126,20 @@ function bandwidthd_install_config() {
$promiscuous = "promiscuous false\n";
$graph_cutoff = $bandwidthd_config['graphcutoff'];
- if ($graph_cutoff)
+ if (!is_blank($graph_cutoff))
$graph_cutoff = "graph_cutoff $graph_cutoff\n";
+ else
+ $graph_cutoff = "";
+
$skip_intervals = $bandwidthd_config['skipintervals'];
- if ($skip_intervals)
+ if ($skip_intervals) {
$skip_intervals = "skip_intervals $skip_intervals\n";
+ } else {
+ /* Includes the case where 0 is explicitly specified, which is the default anyway. */
+ $skip_intervals = "";
+ }
- if ($bandwidthd_config['active_interface']){
+ if (!is_blank($bandwidthd_config['active_interface'])){
$ifdescrs = array($bandwidthd_config['active_interface']);
} else {
log_error("You should specify an interface for bandwidthd to listen on. Exiting.");
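Review bot: `graph_cutoff` and `skip_intervals` are numeric bandwidthd settings, yet the new guard uses `is_blank()` for the first and plain truthiness for the second while `meta_refresh` in the earlier hunk was switched to `is_numeric()`, so non-numeric input is written to the config unchanged. Use the same test for all three, `if (is_numeric($graph_cutoff))` and `if (is_numeric($skip_intervals) && $skip_intervals != 0)`. The `"... Exiting."` wording on the last line is now inconsistent with the reworded postgreSQL message above, which no longer claims to exit; check whether this path actually returns, since that is outside the hunk.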
diff --git a/config/bandwidthd/bandwidthd.xml b/config/bandwidthd/bandwidthd.xml
index 672b5367..44a33bac 100644
--- a/config/bandwidthd/bandwidthd.xml
+++ b/config/bandwidthd/bandwidthd.xml
@@ -46,7 +46,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>bandwidthd</name>
- <version>2.0.1_5 pkg v.0.2</version>
+ <version>2.0.1_5 pkg v.0.3</version>
<title>Bandwidthd</title>
<aftersaveredirect>/pkg_edit.php?xml=bandwidthd.xml&amp;id=0</aftersaveredirect>
<include_file>/usr/local/pkg/bandwidthd.inc</include_file>
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 146632c9..ff3728fb 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -105,10 +105,10 @@ function bind_zone_validate($post, $input_errors){
exec("$rndc_confgen ",$rndc_conf);
foreach($rndc_conf as $line)
$confgen_file.="$line\n";
- file_put_contents(BIND_LOCALBASE."/etc/rndc-confgen.pfsese",$confgen_file);
+ file_put_contents(BIND_LOCALBASE."/etc/rndc-confgen.pfsense",$confgen_file);
}
- if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsese")){
- $rndc_conf=file(BIND_LOCALBASE."/etc/rndc-confgen.pfsese");
+ if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsense")){
+ $rndc_conf=file(BIND_LOCALBASE."/etc/rndc-confgen.pfsense");
$confgen="rndc.conf";
$rndc_bindconf="";
foreach ($rndc_conf as $line){
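Review bot: Fixing the `pfsese` typo in the file name leaves existing installs with an orphaned `rndc-confgen.pfsese`, and since the `file_exists()` test on the corrected name now fails on those systems, the `rndc-confgen` branch above will presumably regenerate the key (its condition is outside this hunk, so confirm). That file holds the rndc secret, so rather than leave the stale copy behind, migrate it once: `if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsese") && !file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsense")) rename(BIND_LOCALBASE."/etc/rndc-confgen.pfsese", BIND_LOCALBASE."/etc/rndc-confgen.pfsense");`. The repeated path would also read better as a single constant. The enclosing function starts outside the hunk.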
@@ -432,7 +432,7 @@ EOD;
$hostname = (preg_match("/(MX|NS)/",$zone['row'][$y]['hosttype'])?"@":$zone['row'][$y]['hostname']);
$hosttype = $zone['row'][$y]['hosttype'];
$hostdst = $zone['row'][$y]['hostdst'];
- if (preg_match("/[a-zA-Z]/",$hostdst) && !preg_match("/(TXT|SPF)/",$hosttype))
+ if (preg_match("/[a-zA-Z]/",$hostdst) && !preg_match("/(TXT|SPF|AAAA)/",$hosttype))
$hostdst .= ".";
$hostvalue = $zone['row'][$y]['hostvalue'];
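Review bot: Adding `AAAA` to the exclusion list fixes the hex-letter case, but the trailing-dot logic is still a deny-list, so any other record type whose data is not a host name (CAA, HINFO, NAPTR, LOC, or a future addition) gets a `.` appended the same way. Inverting it to an allow-list of name-valued types is more robust: `if (preg_match("/^(CNAME|MX|NS|PTR|SRV)$/", $hosttype) && preg_match("/[a-zA-Z]/", $hostdst))`. Which of those types the zone editor actually offers, and which field carries the target for each, is outside this hunk; confirm against the `hosttype` options before switching.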
diff --git a/config/mailscanner/mailscanner.inc b/config/mailscanner/mailscanner.inc
index 0b638166..9f5fd11d 100644
--- a/config/mailscanner/mailscanner.inc
+++ b/config/mailscanner/mailscanner.inc
@@ -442,15 +442,21 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
}
if (preg_match('/use_pyzor/',$antispam['safeatures'])){
$pattern[]='/#pyzor_path/';
+ $pattern[]="/\S+yzor_disabled/";
$pattern[]='/usr.bin.pyzor/';
- $pattern[]='/\nuse_pyzor\s+0/';
+ $pattern[]='/use_pyzor/';
+ $pattern[]="/\S+o_not_use_pyzor/";
+ $replacement[]="pyzor_path";
$replacement[]="pyzor_path";
$replacement[]="usr/local/bin/pyzor";
- $replacement[]="\n".'# use_pyzor 0';
+ $replacement[]="use_pyzor";
+ $replacement[]="use_pyzor";
}
else{
- $pattern[]='/\n#\s+use_pyzor\s+0/';
- $replacement[]="\n".'# use_pyzor 0';
+ $pattern[]='/use_pyzor/';
+ $pattern[]='/pyzor_path/';
+ $replacement[]="#do_not_use_pyzor";
+ $replacement[]="#pyzor_disabled";
}
if (preg_match('/use_auto_learn_bayes/',$antispam['safeatures'])){
$pattern[]='/\nbayes_auto_learn\s+0/';
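Review bot: The new pyzor patterns are unanchored substrings, so the enable/disable toggle is not idempotent: `'/use_pyzor/'` also matches inside an existing `#do_not_use_pyzor`, turning it into `#do_not_#do_not_use_pyzor` on the next disable, and `'/pyzor_path/'` matches a `#pyzor_path` line as well. Anchor the patterns to the start of the line with the `m` modifier, e.g. `'/^use_pyzor/m'`, `'/^#do_not_use_pyzor/m'` and `'/^#pyzor_disabled/m'`, and drop the no-op `'/use_pyzor/'` → `use_pyzor` pair in the enable branch. Whether the replacements run against a pristine template or the current file is not visible in this hunk; if it is the latter, the growth above happens on every save.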
@@ -677,23 +683,23 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
#fix MIME::ToolUtils deprecated function and usecure dependency calls in /usr/local/sbin/mailscanner
$cconf=MAILSCANNER_LOCALBASE. "/sbin/mailscanner";
if (file_exists($cconf)){
- #check perl's version
- exec('find '.MAILSCANNER_LOCALBASE. '/lib/perl5/site_perl -name Df.pm',$find_out);
- $perl_bin="perl";
- foreach($find_out as $perl_dir){
- if (preg_match ('@/usr\S+lib/perl5/site_perl/([.0-9]+)/mach/Filesys/Df.pm@',$perl_dir,$perl_match))
- $perl_bin.=$perl_match[1];
- }
- $cconf_file=file_get_contents($cconf);
- $pattern2[0]='@#!/usr\S+bin/perl.*I@';
- $pattern2[1]='/\smy .current = config MIME::ToolUtils/';
- $replacement2[0]='#!'.MAILSCANNER_LOCALBASE. "/bin/{$perl_bin} -U -I";
- $replacement2[1]=' #my $current = config MIME::ToolUtils';
- if (preg_match('@#!/usr\S+bin/perl.*I@',$cconf_file)){
- $cconf_file=preg_replace($pattern2,$replacement2,$cconf_file);
- file_put_contents($cconf, $cconf_file, LOCK_EX);
- }
+ $perl_bin="perl_mailscanner";
+ if(file_exists(MAILSCANNER_LOCALBASE . '/bin/perl') && !file_exists(MAILSCANNER_LOCALBASE . "/bin/{$perl_bin}")){
+ link(MAILSCANNER_LOCALBASE . '/bin/perl',MAILSCANNER_LOCALBASE . '/bin/perl_mailscanner');
+ }
+ if (file_exists(MAILSCANNER_LOCALBASE . "/bin/{$perl_bin}")){
+ $cconf_file=file_get_contents($cconf);
+ $pattern2[0]='@#!/usr\S+bin/perl.*I@';
+ //$pattern2[1]='/\smy .current = config MIME::ToolUtils/';
+ $replacement2[0]='#!'.MAILSCANNER_LOCALBASE. "/bin/{$perl_bin} -U -I";
+ //$replacement2[1]=' #my $current = config MIME::ToolUtils';
+ if (preg_match('@#!/usr\S+bin/perl.*I@',$cconf_file)){
+ $cconf_file=preg_replace($pattern2,$replacement2,$cconf_file);
+ file_put_contents($cconf, $cconf_file, LOCK_EX);
+ }
+ }
+
}
#check spam assassin rules
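Review bot: The `link()` call that creates `perl_mailscanner` has its return value ignored, so if the hard link cannot be created the following `file_exists()` quietly skips the shebang rewrite and the `perl_mailscanner` executable that mailscanner.xml now expects never appears; log the failure: `if (!link(MAILSCANNER_LOCALBASE . '/bin/perl', MAILSCANNER_LOCALBASE . "/bin/{$perl_bin}")) log_error("mailscanner: unable to create perl_mailscanner link");`. A hard link also pins the inode, so after the perl package is upgraded `perl_mailscanner` keeps executing the old binary, whereas `symlink()` would follow the upgrade; whichever is intended deserves a one-line comment. The commented-out `$pattern2[1]`/`$replacement2[1]` lines are dead code and should be removed rather than kept as comments.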
diff --git a/config/mailscanner/mailscanner.xml b/config/mailscanner/mailscanner.xml
index 05798a1e..2f97fcec 100644
--- a/config/mailscanner/mailscanner.xml
+++ b/config/mailscanner/mailscanner.xml
@@ -54,7 +54,7 @@
<service>
<name>mailscanner</name>
<rcfile>mailscanner</rcfile>
- <executable>perl5.14.2</executable>
+ <executable>perl_mailscanner</executable>
<description>MailScanner</description>
</service>
<additional_files_needed>
diff --git a/config/mailscanner/mailscanner_antispam.xml b/config/mailscanner/mailscanner_antispam.xml
index 7f989765..26295059 100644
--- a/config/mailscanner/mailscanner_antispam.xml
+++ b/config/mailscanner/mailscanner_antispam.xml
@@ -169,7 +169,7 @@
<option><name>Spam Score (yes)</name><value>spam_score</value></option>
<option><name>Cache SpamAssassin Results (yes)</name><value>cache_spamassassin_results</value></option>
<option><name>Wait During Bayes Rebuild (no)</name><value>wait_during_bayes_rebuild</value></option>
- <option><name>Use Pyzor plugin (yes)</name><value>use_pyzor</value></option>
+ <option><name>Use Pyzor plugin (no)</name><value>use_pyzor</value></option>
<option><name>Use Razor plugin (yes)</name><value>use_razor</value></option>
<option><name>Use DCC plugin (yes)</name><value>use_dcc</value></option>
<option><name>Use Bayes (yes)</name><value>use_bayes</value></option>
diff --git a/config/postfix/postfix.inc b/config/postfix/postfix.inc
index cf7cd786..50979f38 100755
--- a/config/postfix/postfix.inc
+++ b/config/postfix/postfix.inc
@@ -581,6 +581,34 @@ switch ($antispam['zombie_blocker'])
$postfix_main.="soft_bounce = yes\n";
}
+ //check ips to listen on
+ $inet_protocols=($postfix_config['inet_protocol'] ? $postfix_config['inet_protocol'] : "ipv4");
+ $inet_interfaces =array();
+ if (preg_match("/All/",$postfix_config['enabled_interface'])){
+ $inet_interfaces[]="";
+ }
+ elseif ($postfix_config['enabled_interface'] == "lo0"){
+ $inet_interfaces[]="loopback-only";
+ }
+ else{
+ $ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'wan');
+ foreach (explode(',',$ifaces) as $listenon){
+ if (is_ipaddrv6($listenon) && preg_match("/(ipv6|all)/i",$inet_protocols))
+ $inet_interfaces[]= "{$listenon}";
+ elseif (is_ipaddr($listenon) && preg_match("/(ipv4|all)/i",$inet_protocols))
+ $inet_interfaces[]= "{$listenon}";
+ else{
+ $listenon=(pfSense_get_interface_addresses(convert_friendly_interface_to_real_interface_name($listenon)));
+ if (is_ipaddr($listenon['ipaddr']) && preg_match("/(ipv4|all)/i",$inet_protocols))
+ $inet_interfaces []= "{$listenon['ipaddr']}";
+ if(is_ipaddrv6($listenon['ipaddr6']) && preg_match("/(ipv6|all)/i",$inet_protocols))
+ $inet_interfaces []= "{$listenon['ipaddr6']}";
+ }
+ }
+ }
+ $postfix_main.= "inet_protocols = {$inet_protocols}\n";
+ $postfix_main.= "inet_interfaces = ".implode(",",$inet_interfaces)."\n";
+
if ($postscreen==1) #Postscreen enabled
{
if(preg_match("/(\d+),(\d+)(s|m|h|w)/",$antispam['greet_time'],$greet)){
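Review bot: For the `All` selection the code appends `""`, so main.cf gets `inet_interfaces = ` with an empty value, and the same empty directive is produced when no selected interface has an address for the chosen protocol; an empty list should not implicitly mean "bind everywhere". Emit Postfix's keyword explicitly for the first case, `$inet_interfaces[] = "all";`, and fall back to the safe value for the second, `if (empty($inet_interfaces)) $inet_interfaces[] = "loopback-only";`, logging the fall-back so the admin sees why the daemon is not reachable. `is_ipaddr()` in the `elseif` accepts IPv6 addresses on some pfSense versions, in which case an IPv6 literal is appended under an `ipv4`-only protocol setting; `is_ipaddrv4()` states the intent, so confirm which helper is available here.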
@@ -611,16 +639,17 @@ switch ($antispam['zombie_blocker'])
$postfix_main.="postscreen_blacklist_action= ".$antispam['zombie_blocker']."\n";
#postscreen interface loop
- $ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'wan');
- $real_ifaces = array();
- $postfix_master="";
- foreach (explode(",", $ifaces) as $i => $iface) {
- $real_ifaces[] = px_get_real_interface_address($iface);
- if($real_ifaces[$i][0]) {
- $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - 1 postscreen\n\t-o user=postfix\n";
- $postfix_master .=($antispam['soft_bounce'] == "postscreen"?"\t-o soft_bounce=yes\n":"");
- }
- }
+ //$ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'wan');
+ //$real_ifaces = array();
+ //$postfix_master="";
+ //foreach (explode(",", $ifaces) as $i => $iface) {
+ // $real_ifaces[] = px_get_real_interface_address($iface);
+ // if($real_ifaces[$i][0]) {
+ // $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - 1 postscreen\n\t-o user=postfix\n";
+ $postfix_master = "smtp inet n - n - 1 postscreen\n\t-o user=postfix\n";
+ $postfix_master .=($antispam['soft_bounce'] == "postscreen"?"\t-o soft_bounce=yes\n":"");
+ // }
+ //}
$postfix_master .= $postfix_inets.<<<MASTEREOF
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
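Review bot: `$postfix_inets` is still concatenated into `$postfix_master` on the `MASTEREOF` line, but its only visible initialisation (`$postfix_inets="";`) is commented out in the later hunk of this file; unless something outside these hunks sets it, this is an undefined-variable read. Either restore `$postfix_inets = "";` next to the new `$postfix_master` assignment or drop it from the concatenation. The nine commented-out lines replaced by the single `smtp inet` entry should be deleted rather than kept; the same applies to the `/* … */` block opened and closed in the two following hunks.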
@@ -647,7 +676,7 @@ MASTEREOF;
}
#interface loop
- $postfix_inets="";
+ /*$postfix_inets="";
$ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'loopback');
$real_ifaces = array();
$postfix_master="";
@@ -657,6 +686,8 @@ MASTEREOF;
$postfix_master .=$real_ifaces[$i][0].":25 inet n - n - - smtpd\n";
}
}
+ */
+ $postfix_master ="25 inet n - n - - smtpd\n";
}
$rbl2.=($rbl2 !=""?"\t\t\t\tpermit\n":"permit\n");
diff --git a/config/postfix/postfix.php b/config/postfix/postfix.php
index a11af2dd..78eb551d 100644
--- a/config/postfix/postfix.php
+++ b/config/postfix/postfix.php
@@ -150,10 +150,13 @@ function grep_log(){
$m=date('M',strtotime($postfix_arg['time'],$curr_time));
$j=substr(" ".date('j',strtotime($postfix_arg['time'],$curr_time)),-3);
# file grep loop
+ $maillog_filename = "/var/log/maillog";
foreach ($postfix_arg['grep'] as $hour){
- print "/usr/bin/grep '^".$m.$j." ".$hour.".*".$grep."' /var/log/maillog\n";
+ if (!file_exists($maillog_filename) || !is_readable($maillog_filename))
+ continue;
+ print "/usr/bin/grep '^".$m.$j." ".$hour.".*".$grep."' {$maillog_filename}\n";
$lists=array();
- exec("/usr/bin/grep " . escapeshellarg('^'.$m.$j." ".$hour.".*".$grep)." /var/log/maillog", $lists);
+ exec("/usr/bin/grep " . escapeshellarg('^'.$m.$j." ".$hour.".*".$grep)." {$maillog_filename}", $lists);
foreach ($lists as $line){
#check where is first mail record
if (preg_match("/ delay=(\d+)/",$line,$delay)){
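Review bot: The `print` of the grep command line reproduces `$grep` without `htmlspecialchars()`, while the `exec()` line correctly wraps it in `escapeshellarg()`; if `$grep` comes from the search form (its origin is outside this hunk), that is an unescaped reflection of user input into the response, and the line reads like leftover debug output anyway. Drop the `print`, or escape it: `print htmlspecialchars("/usr/bin/grep '^{$m}{$j} {$hour}.*{$grep}' {$maillog_filename}") . "\n";`. The `file_exists`/`is_readable` test does not depend on `$hour`, so hoist it above the `foreach` and return once instead of re-checking on every iteration.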
@@ -294,7 +297,7 @@ function grep_log(){
}
$config=parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
- print count($config['installedpackages']);
+ //print count($config['installedpackages']);
#start db replication if configured
if ($config['installedpackages']['postfixsync']['config'][0]['rsync'])
foreach ($config['installedpackages']['postfixsync']['config'] as $rs )
diff --git a/config/postfix/postfix.xml b/config/postfix/postfix.xml
index c3b3664f..e9d2d953 100644
--- a/config/postfix/postfix.xml
+++ b/config/postfix/postfix.xml
@@ -207,13 +207,31 @@
<description></description>
</field>
<field>
- <fielddescr>Listen interface(s)</fielddescr>
+ <fielddescr>Listen Protocol</fielddescr>
+ <fieldname>inet_protocol</fieldname>
+ <description><![CDATA[Specify what protocols Postfix will use when it makes or accepts network connections<br>
+ This option controls what DNS lookups Postfix will use when it makes network connections.<br><br>
+ <b>Restart postfix daemon after changing Listen protocol.</b>]]></description>
+ <type>select</type>
+ <options>
+ <option><name>ipv4 (DEFAULT: enable IPv4 only)</name><value>ipv4</value></option>
+ <option><name>all (enable IPv4, and IPv6 if supported)</name><value>all</value></option>
+ <option><name>ipv4, ipv6 (enable both IPv4 and IPv6)</name><value>ipv4,ipv6</value></option>
+ <option><name>ipv6 (enable IPv6 only</name><value>ipv6</value></option>
+ </options>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Listen on</fielddescr>
<fieldname>enabled_interface</fieldname>
<description><![CDATA[Interface(s) that daemon will bind to.<br>Do not listen on WAN without a good "antispam/close relay" configuration.<br>
- If you need postfix on other ip then Interface address, choose localhost and then create a nat rule from external ip to localhost.]]></description>
+ If you need postfix on other ip then Interface address, choose localhost and then create a nat rule from external ip to localhost.<br><br>
+ <b>Restart postfix daemon after changing Listen on addresses/interfaces.</b>]]></description>
<type>interfaces_selection</type>
<required/>
<default_value>loopback</default_value>
+ <showlistenall/>
+ <showvirtualips/>
<multiple/>
</field>
<field>
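Review bot: The `ipv6` option label on the new Listen Protocol select is missing its closing parenthesis, `ipv6 (enable IPv6 only)`, and the rewritten Listen on description keeps the typo "on other ip then Interface address" — "than". It would also help to state in the Listen on description what `<showlistenall/>` does to the generated main.cf, since postfix.inc maps that choice to an empty, unrestricted `inet_interfaces` value; confirm the exact wording against that code.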
diff --git a/config/postfix/postfix_about.php b/config/postfix/postfix_about.php
index 3f3e272a..56645646 100755
--- a/config/postfix/postfix_about.php
+++ b/config/postfix/postfix_about.php
@@ -2,7 +2,7 @@
/*
postfix_about.php
part of pfSense (http://www.pfsense.com/)
- Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com>
+ Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com>
based on varnish_view_config.
All rights reserved.
@@ -27,7 +27,7 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-
+$shortcut_section = "postfix";
require("guiconfig.inc");
$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
diff --git a/config/postfix/postfix_queue.php b/config/postfix/postfix_queue.php
index 76bed31f..f60ac83e 100755
--- a/config/postfix/postfix_queue.php
+++ b/config/postfix/postfix_queue.php
@@ -27,7 +27,7 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-
+$shortcut_section = "postfix";
require("guiconfig.inc");
$uname=posix_uname();
diff --git a/config/postfix/postfix_search.php b/config/postfix/postfix_search.php
index a1cf6b3f..85648287 100755
--- a/config/postfix/postfix_search.php
+++ b/config/postfix/postfix_search.php
@@ -27,7 +27,7 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-
+$shortcut_section = "postfix";
require("guiconfig.inc");
$uname=posix_uname();
diff --git a/config/postfix/postfix_view_config.php b/config/postfix/postfix_view_config.php
index 5e1f6271..59deb11e 100644
--- a/config/postfix/postfix_view_config.php
+++ b/config/postfix/postfix_view_config.php
@@ -27,7 +27,7 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-
+$shortcut_section = "postfix";
require("guiconfig.inc");
$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
if ($pf_version > 2.0)
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 98b80d66..79fef4fa 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -5,6 +5,7 @@
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2009-2010 Robert Zelaya
* Copyright (C) 2011-2012 Ermal Luci
+ * Copyright (C) 2013 Bill Meeks
* part of pfSense
* All rights reserved.
*
@@ -43,22 +44,24 @@ require_once("filter.inc");
ini_set("memory_limit", "192M");
// Explicitly declare this as global so it works through function call includes
-global $rebuild_rules;
+global $rebuild_rules, $pfSense_snort_version;
+
+// Grab the Snort binary version programmatically, but if that fails use a safe default
+$snortver = array();
+exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
+$snort_version = $snortver[0];
+if (empty($snort_version))
+ $snort_version = "2.9.5.5";
/* package version */
-$snort_version = "2.9.4.6";
-$pfSense_snort_version = "2.6.1";
-$snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}";
-
-// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI)
-if (floatval(php_uname("r")) >= 8.3) {
- exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray);
- $snort_pbidir = "{$pbidirarray[0]}";
- /* In case this is an initial Snort install and pbi_info() above returned null, set a sane default value */
- if (empty($snort_pbidir))
- $snort_pbidir = "/usr/pbi/snort-" . php_uname("m");
- define("SNORTDIR", "{$snort_pbidir}/etc/snort");
- define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort");
+$pfSense_snort_version = "3.0.1";
+$snort_package_version = "Snort {$snort_version} pkg v{$pfSense_snort_version}";
+
+// Define SNORTDIR and SNORTLIBDIR constants according to pfSense version
+$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if ($pfs_version > 2.0) {
+ define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/etc/snort");
+ define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/lib/snort");
}
else {
define("SNORTDIR", "/usr/local/etc/snort");
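Review bot: Extracting the binary version with `cut -c20-26` depends on the exact column layout of the `snort -V` banner, so a version with a two-digit component (e.g. `2.9.10.x`) or a banner change yields a truncated or wrong string that then lands in `$snort_package_version` and presumably elsewhere; parse the number instead: `exec("/usr/local/bin/snort -V 2>&1", $out); if (preg_match('/Version\s+(\d+(?:\.\d+)+)/', implode("\n", $out), $m)) $snort_version = $m[1];`. This exec runs on every include of snort.inc, so consider caching the result. `$pfs_version > 2.0` compares a 3-character string such as `"2.1"` as a float, which works for the current numbering but silently misreads `2.10`; `version_compare(trim(file_get_contents("/etc/version")), "2.1", ">=")` states the intent.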
@@ -66,6 +69,7 @@ else {
}
/* Define some useful constants for Snort */
+/* Be sure to include trailing slash on the URL defines */
define("SNORTLOGDIR", "/var/log/snort");
define("ET_DNLD_FILENAME", "emerging.rules.tar.gz");
define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
@@ -73,6 +77,10 @@ define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
define("FLOWBITS_FILENAME", "flowbit-required.rules");
define("ENFORCING_RULES_FILENAME", "snort.rules");
define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+define("VRT_FILE_PREFIX", "snort_");
+define("GPL_FILE_PREFIX", "GPLv2_");
+define("ET_OPEN_FILE_PREFIX", "emerging-");
+define("ET_PRO_FILE_PREFIX", "etpro-");
/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;
@@ -100,24 +108,26 @@ function snort_is_single_addr_alias($alias) {
return true;
}
-function snort_expand_port_range($ports) {
+function snort_expand_port_range($ports, $delim = ',') {
/**************************************************/
/* This function examines the passed ports string */
/* and expands any embedded port ranges into the */
- /* individual ports separated by commas. A port */
- /* range is indicated by a colon in the string. */
+ /* individual ports separated by the specified */
+ /* delimiter. A port range is indicated by a */
+ /* colon in the string. */
/* */
/* On Entry: $ports ==> string to be evaluated */
- /* with commas separating */
+ /* with {$delim} separating */
/* the port values. */
/* Returns: string with any encountered port */
- /* ranges expanded. */
+ /* ranges expanded and the values */
+ /* delimited by {$delim}. */
/**************************************************/
$value = "";
- // Split the incoming string on the commas
- $tmp = explode(",", $ports);
+ // Split the incoming string on the specified delimiter
+ $tmp = explode($delim, $ports);
// Look for any included port range and expand it
foreach ($tmp as $val) {
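Review bot: The new `$delim` parameter is used unchecked by `explode()` and `trim()`; an empty string makes `explode()` fail (warning and `false` on PHP 5, `ValueError` on 8), and `trim()` treats its second argument as a character list in which `..` denotes a range, so a multi-character delimiter behaves differently in the split and in the final trim. Validate it once at the top, `if ($delim === '') $delim = ',';`, and document in the header block that it must be a single character. The header should also state that a range whose start exceeds its end is emitted as two values rather than expanded, since the loop in the next hunk makes no check for that. The function body continues in the following hunk.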
@@ -125,17 +135,17 @@ function snort_expand_port_range($ports) {
$start = strtok($val, ":");
$end = strtok(":");
if ($end !== false) {
- $val = $start . ",";
+ $val = $start . $delim;
for ($i = intval($start) + 1; $i < intval($end); $i++)
- $val .= strval($i) . ",";
+ $val .= strval($i) . $delim;
$val .= $end;
}
}
- $value .= $val . ",";
+ $value .= $val . $delim;
}
- // Remove any trailing comma in return value
- return trim($value, ",");
+ // Remove any trailing delimiter in return value
+ return trim($value, $delim);
}
function snort_get_blocked_ips() {
@@ -318,9 +328,8 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
$wandns = $list['wandnsips'];
$vips = $list['vips'];
$vpns = $list['vpnips'];
- if (!empty($list['address']) && is_alias($list['address'])) {
+ if (!empty($list['address']) && is_alias($list['address']))
$home_net = explode(" ", trim(filter_expand_alias($list['address'])));
- }
}
/* Always add loopback to HOME_NET and whitelist (ftphelper) */
@@ -573,7 +582,7 @@ function snort_reload_config($snortcfg, $signal="SIGHUP") {
/* can find a valid PID for the process. */
/******************************************************/
if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid") && isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
- log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']}({$if_real})...");
+ log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']} ({$if_real})...");
exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid 2>&1 &");
}
}
@@ -661,78 +670,6 @@ function snort_post_delete_logs($snort_uuid = 0) {
}
}
-function snort_postinstall() {
- global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include;
-
- $snortdir = SNORTDIR;
- $snortlibdir = SNORTLIBDIR;
- $rcdir = RCFILEPREFIX;
-
- /* Set flag for post-install in progress */
- $g['snort_postinstall'] = true;
-
- /* cleanup default files */
- @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf");
- @rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf");
- @rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map");
- @rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map");
- @rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config");
- @rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
- @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
- @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
-
- /* fix up the preprocessor rules filenames from a PBI package install */
- $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
- foreach ($preproc_rules as $file) {
- if (file_exists("{$snortdir}/preproc_rules/{$file}-sample"))
- @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}");
- }
-
- /* Remove any previously installed scripts since we rebuild them */
- @unlink("{$snortdir}/sid");
- @unlink("{$rcdir}/snort.sh");
- @unlink("{$rcdir}/barnyard2");
-
- /* remove example library files */
- $files = glob("{$snortlibdir}/dynamicrules/*_example*");
- foreach ($files as $f)
- @unlink($f);
- $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*");
- foreach ($files as $f)
- @unlink($f);
-
- /* remake saved settings */
- if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
- log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings..."));
- update_status(gettext("Saved settings detected..."));
- update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
- log_error(gettext("[Snort] Downloading and updating configured rule types..."));
- update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
- if ($pkg_interface <> "console")
- $snort_gui_include = true;
- @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php");
- update_status(gettext("Generating snort.conf configuration file from saved settings..."));
- $rebuild_rules = true;
- sync_snort_package_config();
- $rebuild_rules = false;
- update_output_window(gettext("Finished rebuilding files..."));
- log_error(gettext("[Snort] Finished rebuilding installation from saved settings..."));
-
- /* Only try to start Snort if not in reboot */
- if (!$g['booting']) {
- update_status(gettext("Starting Snort using rebuilt configuration..."));
- update_output_window(gettext("Please wait... while Snort is started..."));
- log_error(gettext("[Snort] Starting Snort using rebuilt configuration..."));
- update_output_window(gettext("Snort has been started using the rebuilt configuration..."));
- start_service("snort");
- }
- }
-
- /* Done with post-install, so clear flag */
- unset($g['snort_postinstall']);
- log_error(gettext("[Snort] Package post-installation tasks completed..."));
-}
-
function snort_Getdirsize($node) {
if(!is_readable($node))
return false;
@@ -761,7 +698,6 @@ function snort_snortloglimit_install_cron($should_install) {
switch($should_install) {
case true:
if(!$is_installed) {
-
$cron_item = array();
$cron_item['minute'] = "*/5";
$cron_item['hour'] = "*";
@@ -798,6 +734,22 @@ function snort_rm_blocked_install_cron($should_install) {
}
$snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked'];
+ if ($snort_rm_blocked_info_ck == "15m_b") {
+ $snort_rm_blocked_min = "*/2";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "900";
+ }
+ if ($snort_rm_blocked_info_ck == "30m_b") {
+ $snort_rm_blocked_min = "*/5";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "1800";
+ }
if ($snort_rm_blocked_info_ck == "1h_b") {
$snort_rm_blocked_min = "*/5";
$snort_rm_blocked_hr = "*";
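Review bot: The added `15m_b` and `30m_b` blocks copy the five-assignment shape of the existing `1h_b` block, differing only in the minute spec and `$snort_rm_blocked_expire`, and the `if` chain grows by six lines for every new interval. A lookup table, e.g. `$intervals = array("15m_b" => array("*/2", "900"), "30m_b" => array("*/5", "1800"));` followed by `list($snort_rm_blocked_min, $snort_rm_blocked_expire) = $intervals[$snort_rm_blocked_info_ck];` with the four `*` fields set once, would make the mapping visible at a glance and give one place to handle an unrecognised option value, which the chain as written appears to leave undefined. The rest of the chain and the end of `snort_rm_blocked_install_cron` are outside this hunk, so the existing intervals would need to move into the table at the same time.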
@@ -1047,13 +999,13 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
/* sid-msg.map file for use by Snort and/or barnyard2. */
/*************************************************************/
- $sidMap = array();
+ $sidMap = array();
$rule_files = array();
- /* First check if we were passed a directory, a single file */
- /* or an array of filenames to read. Set our $rule_files */
- /* variable accordingly. If we can't figure it out, return */
- /* and don't write a sid_msg_map file. */
+ /* First check if we were passed a directory, a single file */
+ /* or an array of filenames to read. Set our $rule_files */
+ /* variable accordingly. If we can't figure it out, return */
+ /* and don't write a sid_msg_map file. */
if (is_string($rules_path)) {
if (is_dir($rules_path))
$rule_files = glob($rules_path . "*.rules");
@@ -1065,71 +1017,71 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
else
return;
- /* Read the rule files into an array, then iterate the list */
- foreach ($rule_files as $file) {
+ /* Read the rule files into an array, then iterate the list */
+ foreach ($rule_files as $file) {
- /* Don't process files with "deleted" in the filename */
- if (stristr($file, "deleted"))
- continue;
+ /* Don't process files with "deleted" in the filename */
+ if (stristr($file, "deleted"))
+ continue;
- /* Read the file into an array, skipping missing files. */
- if (!file_exists($file))
+ /* Read the file into an array, skipping missing files. */
+ if (!file_exists($file))
continue;
- $rules_array = file($file, FILE_SKIP_EMPTY_LINES);
- $record = "";
- $b_Multiline = false;
-
- /* Read and process each line from the rules in the */
- /* current file. */
- foreach ($rules_array as $rule) {
-
- /* Skip any non-rule lines unless we're in */
- /* multiline mode. */
- if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline)
- continue;
-
- /* Test for a multi-line rule, and reassemble the */
- /* pieces back into a single line. */
- if (preg_match('/\\\\s*[\n]$/m', $rule)) {
- $rule = substr($rule, 0, strrpos($rule, '\\'));
- $record .= $rule;
- $b_Multiline = true;
- continue;
- }
- /* If the last segment of a multiline rule, then */
- /* append it onto the previous parts to form a */
- /* single-line rule for further processing below. */
- elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) {
- $record .= $rule;
- $rule = $record;
- }
- $b_Multiline = false;
- $record = "";
-
- /* Parse the rule to find sid and any references. */
- $sid = '';
- $msg = '';
- $matches = '';
- $sidEntry = '';
- if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches))
- $msg = trim($matches[1]);
- if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches))
- $sid = trim($matches[1]);
- if (!empty($sid) && !empty($msg)) {
- $sidEntry = $sid . ' || ' . $msg;
- preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches);
- foreach ($matches[1] as $ref)
- $sidEntry .= " || " . trim($ref);
- $sidEntry .= "\n";
- $sidMap[$sid] = $sidEntry;
- }
- }
+ $rules_array = file($file, FILE_SKIP_EMPTY_LINES);
+ $record = "";
+ $b_Multiline = false;
+
+ /* Read and process each line from the rules in the current file */
+ foreach ($rules_array as $rule) {
+
+ /* Skip any non-rule lines unless we're in multiline mode. */
+ if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline)
+ continue;
+
+ /* Test for a multi-line rule, and reassemble the */
+ /* pieces back into a single line. */
+ if (preg_match('/\\\\s*[\n]$/m', $rule)) {
+ $rule = substr($rule, 0, strrpos($rule, '\\'));
+ $record .= $rule;
+ $b_Multiline = true;
+ continue;
+ }
+ /* If the last segment of a multiline rule, then */
+ /* append it onto the previous parts to form a */
+ /* single-line rule for further processing below. */
+ elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) {
+ $record .= $rule;
+ $rule = $record;
+ }
+ $b_Multiline = false;
+ $record = "";
+
+ /* Parse the rule to find sid and any references. */
+ $sid = '';
+ $msg = '';
+ $matches = '';
+ $sidEntry = '';
+ if (preg_match('/\bmsg\s*:\s*"(.+?)"\s*;/i', $rule, $matches))
+ $msg = trim($matches[1]);
+ if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches))
+ $sid = trim($matches[1]);
+ if (!empty($sid) && !empty($msg)) {
+ $sidEntry = $sid . ' || ' . $msg;
+ preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches);
+ foreach ($matches[1] as $ref)
+ $sidEntry .= " || " . trim($ref);
+ $sidEntry .= "\n";
+ if (!is_array($sidMap[$sid]))
+ $sidMap[$sid] = array();
+ $sidMap[$sid] = $sidEntry;
+ }
+ }
}
- /* Sort the generated sid-msg map by sid */
- ksort($sidMap);
+ /* Sort the generated sid-msg map by sid */
+ ksort($sidMap);
- /* Now print the result to the supplied file */
+ /* Now print the result to the supplied file */
@file_put_contents($sid_file, array_values($sidMap));
}
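Review bot: The new `if (!is_array($sidMap[$sid])) $sidMap[$sid] = array();` guard placed before `$sidMap[$sid] = $sidEntry;` is dead code: whatever it assigns is overwritten on the next line by a string, and reading `$sidMap[$sid]` for a sid not yet seen raises an undefined-index notice, so the guard introduces the very kind of warning it looks intended to avoid. Dropping the two added lines and keeping `$sidMap[$sid] = $sidEntry;` is the fix. The same pattern is added in `snort_merge_reference_configs`, `snort_merge_classification_configs`, `snort_get_checked_flowbits`, `snort_get_set_flowbits` and `snort_load_sid_mods` below, and there the enclosing `!array_key_exists`/`!isset` condition guarantees the key is absent, so the notice is certain rather than occasional. Separately, the re-indented continuation-line pattern `'/\\\\s*[\n]$/m'` reaches PCRE as a literal backslash followed by `s*`, not `\s*`, so a rule line ending in a backslash plus trailing blanks would presumably not be recognised as multi-line; `'/\\\\\s*[\n]$/m'` is likely what was meant, though this predates the commit.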
@@ -1154,8 +1106,11 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) {
if (preg_match('/(\:)\s*(\w+)\s*(.*)/', $line, $matches)) {
if (!empty($matches[2]) && !empty($matches[3])) {
$matches[2] = trim($matches[2]);
- if (!array_key_exists($matches[2], $outMap))
+ if (!array_key_exists($matches[2], $outMap)) {
+ if (!is_array($outMap[$matches[2]]))
+ $outMap[$matches[2]] = array();
$outMap[$matches[2]] = trim($matches[3]);
+ }
}
}
}
@@ -1199,8 +1154,11 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) {
continue;
if (!empty($matches[2]) && !empty($matches[3]) && !empty($matches[4])) {
$matches[2] = trim($matches[2]);
- if (!array_key_exists($matches[2], $outMap))
+ if (!array_key_exists($matches[2], $outMap)) {
+ if (!is_array($outMap[$matches[2]]))
+ $outMap[$matches[2]] = array();
$outMap[$matches[2]] = trim($matches[3]) . "," . trim($matches[4]);
+ }
}
}
}
@@ -1463,8 +1421,11 @@ function snort_get_checked_flowbits($rules_map) {
if ($action == "isset" || $action == "isnotset") {
$target = preg_split('/[&|]/', substr($flowbit, $pos + 1));
foreach ($target as $t)
- if (!empty($t) && !isset($checked_flowbits[$t]))
+ if (!empty($t) && !isset($checked_flowbits[$t])) {
+ if (!is_array($checked_flowbits[$t]))
+ $checked_flowbits[$t] = array();
$checked_flowbits[$t] = $action;
+ }
}
}
}
@@ -1504,8 +1465,11 @@ function snort_get_set_flowbits($rules_map) {
if ($action == "set" || $action == "toggle" || $action == "setx") {
$target = preg_split('/[&|]/', substr($flowbit, $pos + 1));
foreach ($target as $t)
- if (!empty($t) && !isset($set_flowbits[$t]))
+ if (!empty($t) && !isset($set_flowbits[$t])) {
+ if (!is_array($set_flowbits[$t]))
+ $set_flowbits[$t] = array();
$set_flowbits[$t] = $action;
+ }
}
}
}
@@ -1584,7 +1548,7 @@ function snort_resolve_flowbits($rules, $active_rules) {
$snortdir = SNORTDIR;
- /* Check $all_rules array to be sure it is filled. */
+ /* Check $rules array to be sure it is filled. */
if (empty($rules)) {
log_error(gettext("[Snort] WARNING: Flowbit resolution not done - no rules in {$snortdir}/rules/ ..."));
return array();
@@ -1643,7 +1607,7 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) {
$fp = fopen($rule_file, "w");
if ($fp) {
@fwrite($fp, "# These rules set flowbits checked by your other enabled rules. If the\n");
- @fwrite($fp, "# the dependent flowbits are not set, then some of your chosen rules may\n");
+ @fwrite($fp, "# dependent flowbits are not set, then some of your chosen rules may\n");
@fwrite($fp, "# not fire. Enabling all rules that set these dependent flowbits ensures\n");
@fwrite($fp, "# your chosen rules fire as intended.\n#\n");
@fwrite($fp, "# If you wish to prevent alerts from any of these rules, add the GID:SID\n");
@@ -1791,8 +1755,11 @@ function snort_load_sid_mods($sids, $value) {
return $result;
$tmp = explode("||", $sids);
foreach ($tmp as $v) {
- if (preg_match('/\s\d+/', $v, $match))
+ if (preg_match('/\s\d+/', $v, $match)) {
+ if (!is_array($result[trim($match[0])]))
+ $result[trim($match[0])] = array();
$result[trim($match[0])] = trim($match[0]);
+ }
}
unset($tmp);
@@ -1849,12 +1816,12 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
function snort_create_rc() {
- /*********************************************************/
- /* This function builds the /usr/local/etc/rc.d/snort.sh */
- /* shell script for starting and stopping Snort. The */
- /* script is rebuilt on each package sync operation and */
- /* after any changes to snort.conf saved in the GUI. */
- /*********************************************************/
+/*********************************************************/
+/* This function builds the /usr/local/etc/rc.d/snort.sh */
+/* shell script for starting and stopping Snort. The */
+/* script is rebuilt on each package sync operation and */
+/* after any changes to snort.conf saved in the GUI. */
+/*********************************************************/
global $config, $g;
@@ -1887,7 +1854,7 @@ function snort_create_rc() {
fi
if [ ! -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill $pid -a
+ /bin/pkill \$pid -a
time=0 timeout=30
while kill -0 \$pid 2>/dev/null; do
sleep 1
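Review bot: `/bin/pkill \$pid -a` now expands the shell variable, but `$pid` holds a process id (the `kill -0 \$pid` loop two lines later confirms this) while `pkill` takes a process-name pattern, so the command would match processes whose name happens to contain those digits rather than the Barnyard2 process itself; `/bin/kill \$pid` is presumably what was meant, or `pkill -F` with the pid file as the PHP side of this file already does. Whether a trailing `-a` after the pattern is parsed as an option by the `pkill` on this platform is also unclear from the hunk. The generated rc script and `snort_create_rc` both start and end outside this hunk.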
@@ -2137,19 +2104,23 @@ function snort_deinstall() {
/* Log a message only if a running process is detected */
if (is_service_running("snort"))
log_error(gettext("[Snort] Snort STOP for all interfaces..."));
- mwexec('/usr/bin/killall snort', true);
+ mwexec('/usr/bin/killall -z snort', true);
sleep(2);
mwexec('/usr/bin/killall -9 snort', true);
sleep(2);
+ // Delete any leftover snort PID files in /var/run
+ array_map('@unlink', glob("/var/run/snort_*.pid"));
/* Make sure all active Barnyard2 processes are terminated */
/* Log a message only if a running process is detected */
if (is_service_running("barnyard2"))
log_error(gettext("[Snort] Barnyard2 STOP for all interfaces..."));
- mwexec('/usr/bin/killall barnyard2', true);
+ mwexec('/usr/bin/killall -z barnyard2', true);
sleep(2);
mwexec('/usr/bin/killall -9 barnyard2', true);
sleep(2);
+ // Delete any leftover barnyard2 PID files in /var/run
+ array_map('@unlink', glob("/var/run/barnyard2_*.pid"));
/* Remove the snort user and group */
mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
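Review bot: `array_map('@unlink', glob("/var/run/snort_*.pid"))` passes the string `'@unlink'` as the callback, and `@` is an operator rather than part of a function name, so no such function exists: PHP reports an invalid callback and the PID files are never removed, which defeats the purpose of the added lines (the barnyard2 line a few lines below has the same problem). Use `array_map('unlink', glob("/var/run/snort_*.pid"))`, or a loop if warning suppression is wanted: `foreach (glob("/var/run/snort_*.pid") as $pidfile) @unlink($pidfile);`. `glob()` can also return `false` instead of an array on some failures, which the loop form with an `is_array()` check would handle more gracefully.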
@@ -2201,6 +2172,7 @@ function snort_deinstall() {
mwexec("/bin/rm -rf /usr/local/pkg/snort");
mwexec("/bin/rm -rf /usr/local/www/snort");
mwexec("/bin/rm -rf /usr/local/etc/snort");
+ mwexec("/bin/rm -rf /usr/local/lib/snort");
}
/* Keep this as a last step */
@@ -2562,6 +2534,8 @@ function snort_generate_conf($snortcfg) {
/* user added arguments */
$snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru']));
+ // Remove the trailing newline
+ $snort_config_pass_thru = rtrim($snort_config_pass_thru);
/* create a few directories and ensure the sample files are in place */
$snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules",
@@ -2585,7 +2559,7 @@ function snort_generate_conf($snortcfg) {
/* update has been done and we should leave the customized files */
/* put in place by the rules update process. */
/********************************************************************/
- $snort_files = array("gen-msg.map", "classification.config", "reference.config",
+ $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd",
"sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules",
"preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules"
);
@@ -2638,14 +2612,15 @@ function snort_generate_conf($snortcfg) {
$ssh_port = $config['system']['ssh']['port'];
else
$ssh_port = "22";
+
+ /* Define an array of default values for the various preprocessor ports */
$snort_ports = array(
- "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691",
- "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555",
- "oracle_ports" => "1024:", "mssql_ports" => "1433",
- "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535",
- "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
- "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768",
- "sip_ports" => "5060,5061, 5600", "auth_ports" => "113", "finger_ports" => "79",
+ "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691",
+ "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712",
+ "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23",
+ "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port,
+ "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143",
+ "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79",
"irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
"nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
"ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920",
@@ -2658,6 +2633,7 @@ function snort_generate_conf($snortcfg) {
"GTP_PORTS" => "2123,2152,3386"
);
+ /* Check for defined Aliases that may override default port settings as we build the portvars array */
$portvardef = "";
foreach ($snort_ports as $alias => $avalue) {
if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
@@ -2666,6 +2642,23 @@ function snort_generate_conf($snortcfg) {
$portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
}
+ /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */
+ $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n";
+ $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n";
+ $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n";
+ $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n";
+ $stream5_ports_client .= "\t 32778 32779";
+ $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n";
+ $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n";
+ $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n";
+ $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n";
+ $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n";
+ $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n";
+ $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n";
+ $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n";
+ $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n";
+ $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n";
+ $stream5_ports_both .= "\t 55555 56712";
/////////////////////////////
/* preprocessor code */
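Review bot: The `$stream5_ports_both` string duplicates the `http_ports` and `ssl_ports` defaults defined earlier in this function, and `$stream5_ports_client` overlaps `mail_ports`, `ftp_ports`, `irc_ports` and others, so every future port addition has to be made in two hand-wrapped places (1533, 15489 and 56712, for instance, appear both here and in the `http_ports` change above). Building each string from one array of port numbers, e.g. `$stream5_ports_both = wordwrap(implode(' ', $both_ports), 60, " \\\n\t ");`, would keep the snort.conf layout readable without hand-maintained continuation lines. Whether these lists should follow the alias overrides applied to `$snort_ports` in the loop just above is not clear from the hunk, so I would not derive them from `$snort_ports` without confirming that.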
@@ -2676,106 +2669,226 @@ preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_u
EOD;
- /* Pull in the user-configurable HTTP_INSPECT global preprocessor options */
- $http_inspect_memcap = "150994944";
- if (!empty($snortcfg['http_inspect_memcap']))
- $http_inspect_memcap = $snortcfg['http_inspect_memcap'];
-
- /* Pull in the user-configurable HTTP_INSPECT server preprocessor options */
- $server_flow_depth = '300';
- if ((!empty($snortcfg['server_flow_depth'])) || ($snortcfg['server_flow_depth'] == '0'))
- $server_flow_depth = $snortcfg['server_flow_depth'];
- $http_server_profile = "all";
- if (!empty($snortcfg['http_server_profile']))
- $http_server_profile = $snortcfg['http_server_profile'];
- $client_flow_depth = '300';
- if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0'))
- $client_flow_depth = $snortcfg['client_flow_depth'];
- if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect']))
- $noalert_http_inspect = "no_alerts";
+ /* def ftp_preprocessor */
+ $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports']));
+ $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports']));
+
+ // Configure FTP_Telnet global options
+ $ftp_telnet_globals = "inspection_type ";
+ if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; }
+ if ($snortcfg['ftp_telnet_alert_encrypted'] == "on")
+ $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes";
else
- $noalert_http_inspect = "";
- $http_inspect_server_opts = "enable_cookie \\\n\textended_response_inspection \\\n\tnormalize_javascript \\\n";
- $http_inspect_server_opts .= "\tinspect_gzip \\\n\tnormalize_utf \\\n\tunlimited_decompress \\\n";
- $http_inspect_server_opts .= "\tnormalize_headers \\\n\tnormalize_cookies";
- if ($snortcfg['http_inspect_enable_xff'] == "on")
- $http_inspect_server_opts .= " \\\n\tenable_xff";
-
- /* If Stream5 is enabled, then we can enable the "log_uri" and "log_hostname" options */
- if ($snortcfg['stream5_reassembly'] == "on") {
- if ($snortcfg['http_inspect_log_uri'] == "on")
- $http_inspect_server_opts .= " \\\n\tlog_uri";
- if ($snortcfg['http_inspect_log_hostname'] == "on")
- $http_inspect_server_opts .= " \\\n\tlog_hostname";
- }
+ $ftp_telnet_globals .= " \\\n\tencrypted_traffic no";
+ if ($snortcfg['ftp_telnet_check_encrypted'] == "on")
+ $ftp_telnet_globals .= " \\\n\tcheck_encrypted";
+
+ // Configure FTP_Telnet Telnet protocol options
+ $ftp_telnet_protocol = "ports { {$telnet_ports} }";
+ if ($snortcfg['ftp_telnet_normalize'] == "on")
+ $ftp_telnet_protocol .= " \\\n\tnormalize";
+ if ($snortcfg['ftp_telnet_detect_anomalies'] == "on")
+ $ftp_telnet_protocol .= " \\\n\tdetect_anomalies";
+ if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') {
+ $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh ";
+ if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "")
+ $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold'];
+ else
+ $ftp_telnet_protocol .= "20";
+ }
+
+ // Setup the standard FTP commands used for all FTP Server engines
+ $ftp_cmds = <<<EOD
+ ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
+ ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
+ ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
+ ftp_cmds { LPSV MACB MAIL MDTM MFMT MIC MKD MLSD MLST } \
+ ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
+ ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
+ ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
+ ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
+ ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
+ ftp_cmds { XSEN XSHA1 XSHA256 } \
+ alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
+ alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
+ alt_max_param_len 256 { CWD RNTO } \
+ alt_max_param_len 400 { PORT } \
+ alt_max_param_len 512 { MFMT SIZE } \
+ chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
+ chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
+ chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
+ chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
+ chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
+ chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
+ chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
+ chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
+ cmd_validity ALLO < int [ char R int ] > \
+ cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
+ cmd_validity MACB < string > \
+ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+ cmd_validity MODE < char ASBCZ > \
+ cmd_validity PORT < host_port > \
+ cmd_validity PROT < char CSEP > \
+ cmd_validity STRU < char FRPO [ string ] > \
+ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
- $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
+EOD;
- /* def http_inspect */
- $http_inspect = <<<EOD
-# HTTP Inspect #
-preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 memcap {$http_inspect_memcap}
+ // Configure all the FTP_Telnet FTP protocol options
+ // Iterate and configure the FTP Client engines
+ $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ if (!is_array($snortcfg['ftp_client_engine']['item']))
+ $snortcfg['ftp_client_engine']['item'] = array();
+
+ // If no FTP client engine is configured, use the default
+ // to keep from breaking Snort.
+ if (empty($snortcfg['ftp_client_engine']['item']))
+ $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine;
+ $ftp_client_engine = "";
+
+ foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor ftp_telnet_protocol: ftp client ";
+ if ($v['name'] == "default" && $v['bind_to'] == "all")
+ $buffer .= "default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "{$tmp} \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry.");
+ continue;
+ }
-preprocessor http_inspect_server: server default profile {$http_server_profile} {$noalert_http_inspect} \
- ports { {$http_ports} } \
- http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
- server_flow_depth {$server_flow_depth} \
- client_flow_depth {$client_flow_depth} \
- {$http_inspect_server_opts}
+ if ($v['max_resp_len'] == "")
+ $buffer .= "\tmax_resp_len 256 \\\n";
+ else
+ $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n";
+
+ $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n";
+ $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n";
+
+ if ($v['bounce'] == "yes") {
+ if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) {
+ $net = trim(filter_expand_alias($v['bounce_to_net']));
+ $port = trim(filter_expand_alias($v['bounce_to_port']));
+ if (!empty($net) && !empty($port) &&
+ snort_is_single_addr_alias($v['bounce_to_net']) &&
+ (is_port($port) || is_portrange($port))) {
+ $port = preg_replace('/\s+/', ',', $port);
+ // Change port range delimiter to comma for ftp_telnet client preprocessor
+ if (is_portrange($port))
+ $port = str_replace(":", ",", $port);
+ $buffer .= "\tbounce yes \\\n";
+ $buffer .= "\tbounce_to { {$net},{$port} }\n";
+ }
+ else {
+ // One or both of the BOUNCE_TO alias values is not right,
+ // so figure out which and log an appropriate error.
+ if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net']))
+ log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine.");
+ if (empty($port) || !(is_port($port) || is_portrange($port)))
+ log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine.");
+ $buffer .= "\tbounce yes\n";
+ }
+ }
+ else
+ $buffer .= "\tbounce yes\n";
+ }
+ else
+ $buffer .= "\tbounce no\n";
+
+ // Add this FTP client engine to the master string
+ $ftp_client_engine .= "{$buffer}\n";
+ }
+ // Trim final trailing newline
+ rtrim($ftp_client_engine);
+
+ // Iterate and configure the FTP Server engines
+ $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ if (!is_array($snortcfg['ftp_server_engine']['item']))
+ $snortcfg['ftp_server_engine']['item'] = array();
+
+ // If no FTP server engine is configured, use the default
+ // to keep from breaking Snort.
+ if (empty($snortcfg['ftp_server_engine']['item']))
+ $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine;
+ $ftp_server_engine = "";
+
+ foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor ftp_telnet_protocol: ftp server ";
+ if ($v['name'] == "default" && $v['bind_to'] == "all")
+ $buffer .= "default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "{$tmp} \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry.");
+ continue;
+ }
-EOD;
+ if ($v['def_max_param_len'] == "")
+ $buffer .= "\tdef_max_param_len 100 \\\n";
+ elseif ($v['def_max_param_len'] <> '0')
+ $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n";
+
+ if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports']))
+ $buffer .= "\tports { {$ftp_ports} } \\\n";
+ elseif (is_alias($v['ports'])) {
+ $tmp = trim(filter_expand_alias($v['ports']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $tmp = snort_expand_port_range($tmp, ' ');
+ $buffer .= "\tports { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults.");
+ $buffer .= "\tports { {$ftp_ports} } \\\n";
+ }
+ }
+
+ $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n";
+ $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n";
+ if ($v['ignore_data_chan'] == "yes")
+ $buffer .= "\tignore_data_chan yes \\\n";
+ $buffer .= "{$ftp_cmds}\n";
+
+ // Add this FTP server engine to the master string
+ $ftp_server_engine .= $buffer;
+ }
+ // Remove trailing newlines
+ rtrim($ftp_server_engine);
- /* def ftp_preprocessor */
- $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports']));
- $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports']));
$ftp_preprocessor = <<<EOD
# ftp_telnet preprocessor #
preprocessor ftp_telnet: global \
-inspection_type stateless
+ {$ftp_telnet_globals}
preprocessor ftp_telnet_protocol: telnet \
- normalize ports { {$telnet_ports} } \
- ayt_attack_thresh 20 \
- detect_anomalies
-
-preprocessor ftp_telnet_protocol: ftp server default \
- def_max_param_len 100 \
- ports { $ftp_ports } \
- telnet_cmds yes \
- ignore_telnet_erase_cmds yes \
- ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
- ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
- ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
- ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
- ftp_cmds { FEAT CEL CMD MACB } \
- ftp_cmds { MDTM REST SIZE MLST MLSD } \
- ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
- alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
- alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
- alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
- alt_max_param_len 256 { RNTO CWD } \
- alt_max_param_len 400 { PORT } \
- alt_max_param_len 512 { SIZE } \
- chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
- chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
- chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
- chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
- chk_str_fmt { FEAT CEL CMD } \
- chk_str_fmt { MDTM REST SIZE MLST MLSD } \
- chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
- cmd_validity MODE < char ASBCZ > \
- cmd_validity STRU < char FRP > \
- cmd_validity ALLO < int [ char R int ] > \
- cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
- cmd_validity PORT < host_port >
-
-preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 256 \
- bounce yes \
- ignore_telnet_erase_cmds yes \
- telnet_cmds yes
-
+ {$ftp_telnet_protocol}
+
+{$ftp_server_engine}
+{$ftp_client_engine}
EOD;
$pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports']));
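Review bot: `rtrim($ftp_client_engine);` and `rtrim($ftp_server_engine);` discard their return value, so the trailing newlines the comments say are removed are still present when the strings are interpolated into the `$ftp_preprocessor` heredoc; the lines should read `$ftp_client_engine = rtrim($ftp_client_engine);` and `$ftp_server_engine = rtrim($ftp_server_engine);`. In the server loop the `elseif (is_alias($v['ports']))` branch can only be reached when `is_alias()` is true, because the preceding `if` already takes every other case, so a plain `else` (or a comment saying why the test is repeated) would read more honestly. `snort_generate_conf` starts and ends outside this hunk.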
@@ -2783,7 +2896,7 @@ EOD;
# POP preprocessor #
preprocessor pop: \
ports { {$pop_ports} } \
- memcap 1310700 \
+ memcap 1310700 \
qp_decode_depth 0 \
b64_decode_depth 0 \
bitenc_decode_depth 0
@@ -2795,7 +2908,7 @@ EOD;
# IMAP preprocessor #
preprocessor imap: \
ports { {$imap_ports} } \
- memcap 1310700 \
+ memcap 1310700 \
qp_decode_depth 0 \
b64_decode_depth 0 \
bitenc_decode_depth 0
@@ -2807,35 +2920,37 @@ EOD;
$smtp_preprocessor = <<<EOD
# SMTP preprocessor #
preprocessor SMTP: \
- ports { {$smtp_ports} } \
- inspection_type stateful \
- normalize cmds \
- ignore_tls_data \
- valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET \
- SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME \
- TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP \
- RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK \
- TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- max_header_line_len 1000 \
- max_response_line_len 512 \
- alt_max_command_line_len 260 { MAIL } \
- alt_max_command_line_len 300 { RCPT } \
- alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
- alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
- alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
- alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
- alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
- xlink2state { enable } \
- log_mailfrom \
- log_rcptto \
- log_email_hdrs \
- email_hdrs_log_depth 1464 \
- log_filename \
- qp_decode_depth 0 \
- b64_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0
+ ports { {$smtp_ports} } \
+ inspection_type stateful \
+ normalize cmds \
+ ignore_tls_data \
+ valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \
+ NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \
+ STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \
+ XQUEU XSTA XTRN XUSR } \
+ normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \
+ IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \
+ ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \
+ XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ max_header_line_len 1000 \
+ max_response_line_len 512 \
+ alt_max_command_line_len 260 { MAIL } \
+ alt_max_command_line_len 300 { RCPT } \
+ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
+ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
+ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
+ alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
+ alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ xlink2state { enable } \
+ log_mailfrom \
+ log_rcptto \
+ log_email_hdrs \
+ email_hdrs_log_depth 1464 \
+ log_filename \
+ qp_decode_depth 0 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
EOD;
@@ -2859,12 +2974,13 @@ EOD;
}
$sf_portscan = <<<EOD
-# sf Portscan preprocessor #
-preprocessor sfportscan: scan_type { {$sf_pscan_type} } \
- proto { {$sf_pscan_protocol} } \
- memcap { {$sf_pscan_memcap} } \
- sense_level { {$sf_pscan_sense_level} } \
- ignore_scanners { {$sf_pscan_ignore_scanners} }
+# sf Portscan #
+preprocessor sfportscan: \
+ scan_type { {$sf_pscan_type} } \
+ proto { {$sf_pscan_protocol} } \
+ memcap { {$sf_pscan_memcap} } \
+ sense_level { {$sf_pscan_sense_level} } \
+ ignore_scanners { {$sf_pscan_ignore_scanners} }
EOD;
@@ -2872,7 +2988,8 @@ EOD;
$ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports']));
$ssh_preproc = <<<EOD
# SSH preprocessor #
-preprocessor ssh: server_ports { {$ssh_ports} } \
+preprocessor ssh: \
+ server_ports { {$ssh_ports} } \
autodetect \
max_client_bytes 19600 \
max_encrypted_packets 20 \
@@ -2886,7 +3003,11 @@ EOD;
$sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports']));
$other_preprocs = <<<EOD
# Other preprocs #
-preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
+preprocessor rpc_decode: \
+ {$sun_rpc_ports} \
+ no_alert_multiple_requests \
+ no_alert_large_fragments \
+ no_alert_incomplete
# Back Orifice preprocessor #
preprocessor bo
@@ -2896,18 +3017,28 @@ EOD;
/* def dce_rpc_2 */
$dce_rpc_2 = <<<EOD
# DCE/RPC 2 #
-preprocessor dcerpc2: memcap 102400, events [co]
-preprocessor dcerpc2_server: default, policy WinXP, \
- detect [smb [{$snort_ports['smb_ports']}], tcp 135, udp 135, rpc-over-http-server 593], \
- autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
- smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
+preprocessor dcerpc2: \
+ memcap 102400, \
+ events [co]
+
+preprocessor dcerpc2_server: default, \
+ policy WinXP, \
+ detect [smb [{$snort_ports['smb_ports']}], \
+ tcp 135, \
+ udp 135, \
+ rpc-over-http-server 593], \
+ autodetect [tcp 1025:, \
+ udp 1025:, \
+ rpc-over-http-server 1025:], \
+ smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
EOD;
$sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports']));
$sip_preproc = <<<EOD
# SIP preprocessor #
-preprocessor sip: max_sessions 40000, \
+preprocessor sip: \
+ max_sessions 40000, \
ports { {$sip_ports} }, \
methods { invite \
cancel \
@@ -2947,8 +3078,8 @@ EOD;
$dns_preprocessor = <<<EOD
# DNS preprocessor #
preprocessor dns: \
- ports { {$dns_ports} } \
- enable_rdata_overflow
+ ports { {$dns_ports} } \
+ enable_rdata_overflow
EOD;
@@ -2957,9 +3088,9 @@ EOD;
$dnp3_preproc = <<<EOD
# DNP3 preprocessor #
preprocessor dnp3: \
- ports { {$dnp3_ports} } \
- memcap 262144 \
- check_crc
+ ports { {$dnp3_ports} } \
+ memcap 262144 \
+ check_crc
EOD;
@@ -2968,7 +3099,7 @@ EOD;
$modbus_preproc = <<<EOD
# Modbus preprocessor #
preprocessor modbus: \
- ports { {$modbus_ports} }
+ ports { {$modbus_ports} }
EOD;
@@ -2976,7 +3107,8 @@ EOD;
$gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS']));
$gtp_preproc = <<<EOD
# GTP preprocessor #
-preprocessor gtp: ports { {$gtp_ports} }
+preprocessor gtp: \
+ ports { {$gtp_ports} }
EOD;
@@ -2986,24 +3118,26 @@ EOD;
# SSL preprocessor #
preprocessor ssl: \
ports { {$ssl_ports} }, \
- trustservers, noinspect_encrypted
+ trustservers, \
+ noinspect_encrypted
EOD;
- $sensitive_data = "preprocessor sensitive_data:\n";
+ /* def sensitive_data_preprocessor */
+ if ($snortcfg['sdf_mask_output'] == "on")
+ $sdf_mask_output = "\\\n\tmask_output";
+ else
+ $sdf_mask_output = "";
+ if (empty($snortcfg['sdf_alert_threshold']))
+ $snortcfg['sdf_alert_threshold'] = 25;
+ $sensitive_data = <<<EOD
+# SDF preprocessor #
+preprocessor sensitive_data: \
+ alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output}
- /**************************************************************/
- /* Default the HTTP_INSPECT preprocessor to "on" if not set. */
- /* The preprocessor is required by hundreds of Snort rules, */
- /* and without it Snort may not start and/or the number of */
- /* rules required to be disabled reduces Snort's capability. */
- /* Alerts from the HTTP_INSPECT preprocessor default to "off" */
- /* unless a specific value has been set by the user. */
- /**************************************************************/
- if (empty($snortcfg['http_inspect']))
- $snortcfg['http_inspect'] = 'on';
+EOD;
- /* define servers and ports snortdefservers */
+ /* define servers as IP variables */
$snort_servers = array (
"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
"www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET",
@@ -3015,13 +3149,15 @@ EOD;
"aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
);
- $vardef = "";
+ // Change old name from "var" to new name of "ipvar" for IP variables because
+ // Snort is deprecating the old "var" name in newer versions.
+ $ipvardef = "";
foreach ($snort_servers as $alias => $avalue) {
if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) {
$avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"]));
$avalue = preg_replace('/\s+/', ',', trim($avalue));
}
- $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n";
+ $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n";
}
$snort_preproc_libs = array(
@@ -3031,7 +3167,7 @@ EOD;
"ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
);
$snort_preproc = array (
- "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc",
+ "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc",
"sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc"
);
$default_disabled_preprocs = array(
@@ -3065,6 +3201,8 @@ EOD;
}
}
}
+ // Remove final trailing newline
+ $snort_preprocessors = rtrim($snort_preprocessors);
$snort_misc_include_rules = "";
if (file_exists("{$snortcfgdir}/reference.config"))
@@ -3074,8 +3212,18 @@ EOD;
if (is_dir("{$snortcfgdir}/preproc_rules")) {
if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
$sedcmd = '/^#alert.*classtype:sdf/s/^#//';
- if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules"))
+ if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
+ #enable only selected sensitive data
+ if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){
+ $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")";
+ $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules");
+ $sd_tmp_new_file="";
+ foreach ($sd_tmp_file as $sd_tmp_line)
+ $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : "";
+ file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX);
+ }
+ }
} else
$sedcmd = '/^alert.*classtype:sdf/s/^/#/';
if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
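Review bot: `$snortcfg['sdf_alert_data_type']` goes into the regex at the `$sdf_alert_pattern=` line without `preg_quote()`, so a value containing `/`, `(`, `.` or other metacharacters either breaks the pattern (`preg_match` returns false with a warning) or matches more lines than intended, and an empty value yields `()` which keeps every line. Build it from quoted, trimmed tokens instead: `$sdf_alert_pattern = "(" . implode("|", array_map(function ($t) { return preg_quote(trim($t), '/'); }, explode(",", $snortcfg['sdf_alert_data_type']))) . ")";`. Because the loop writes back only the matching lines, a pattern failure silently truncates the per-interface `sensitive-data.rules` to an empty file, so the `file()` result should also be checked for `false` before the foreach rather than letting a read failure produce the same empty write. The filter discards every non-matching line, including the file's comment header; if that is intended, a comment saying so would help, since `#enable only selected sensitive data` does not make the whole-line drop obvious.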
@@ -3106,6 +3254,10 @@ EOD;
$selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n";
$selected_rules_sections .= "include \$RULE_PATH/custom.rules\n";
+ // Remove trailing newlines
+ $snort_misc_include_rules = rtrim($snort_misc_include_rules);
+ $selected_rules_sections = rtrim($selected_rules_sections);
+
/* Create the actual rules files and save in the interface directory */
snort_prepare_rule_files($snortcfg, $snortcfgdir);
@@ -3123,83 +3275,247 @@ EOD;
$cfg_detect_settings .= " no_stream_inserts";
/* Pull in user-configurable options for Frag3 preprocessor settings */
- $frag3_disabled = "";
- if ($snortcfg['frag3_detection'] == "off")
- $frag3_disabled = ", disabled";
- $frag3_memcap = "memcap 4194304";
+ /* Get global Frag3 options first and put into a string */
+ $frag3_global = "preprocessor frag3_global: ";
if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0")
- $frag3_memcap = "memcap {$snortcfg['frag3_memcap']}";
- $frag3_max_frags = "max_frags 8192";
+ $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, ";
+ else
+ $frag3_global .= "memcap 4194304, ";
if (!empty($snortcfg['frag3_max_frags']))
- $frag3_max_frags = "max_frags {$snortcfg['frag3_max_frags']}";
- $frag3_overlap_limit = "overlap_limit 0";
- if (!empty($snortcfg['frag3_overlap_limit']))
- $frag3_overlap_limit = "overlap_limit {$snortcfg['frag3_overlap_limit']}";
- $frag3_min_frag_len = "min_fragment_length 0";
- if (!empty($snortcfg['frag3_min_frag_len']))
- $frag3_min_frag_len = "min_fragment_length {$snortcfg['frag3_min_frag_len']}";
- $frag3_timeout = "timeout 60";
- if (!empty($snortcfg['frag3_timeout']))
- $frag3_timeout = "timeout {$snortcfg['frag3_timeout']}";
- $frag3_policy = "policy bsd";
- if (!empty($snortcfg['frag3_policy']))
- $frag3_policy = "policy {$snortcfg['frag3_policy']}";
-
- /* Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs */
+ $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}";
+ else
+ $frag3_global .= "max_frags 8192";
+ if ($snortcfg['frag3_detection'] == "off")
+ $frag3_global .= ", disabled";
+
+ $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+ $frag3_engine = "";
+
+ // Now iterate configured Frag3 engines and write them to a string if enabled
+ if ($snortcfg['frag3_detection'] == "on") {
+ if (!is_array($snortcfg['frag3_engine']['item']))
+ $snortcfg['frag3_engine']['item'] = array();
+
+ // If no frag3 tcp engine is configured, use the default
+ if (empty($snortcfg['frag3_engine']['item']))
+ $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine;
+
+ foreach ($snortcfg['frag3_engine']['item'] as $f => $v) {
+ $frag3_engine .= "preprocessor frag3_engine: ";
+ $frag3_engine .= "policy {$v['policy']}";
+ if ($v['bind_to'] <> "all") {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ',', $tmp);
+ if (strpos($tmp, ",") !== false)
+ $frag3_engine .= " \\\n\tbind_to [{$tmp}]";
+ else
+ $frag3_engine .= " \\\n\tbind_to {$tmp}";
+ }
+ else
+ log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe.");
+ }
+ $frag3_engine .= " \\\n\ttimeout {$v['timeout']}";
+ $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}";
+ if ($v['detect_anomalies'] == "on") {
+ $frag3_engine .= " \\\n\tdetect_anomalies";
+ $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}";
+ $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}";
+ }
+ // Add newlines to terminate this engine
+ $frag3_engine .= "\n\n";
+ }
+ // Remove trailing newline
+ $frag3_engine = rtrim($frag3_engine);
+ }
+
+ // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs
$paf_max_pdu_config = "config paf_max: ";
- if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == "0")
+ if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0')
$paf_max_pdu_config .= "0";
else
$paf_max_pdu_config .= $snortcfg['max_paf'];
- /* Pull in user-configurable options for Stream5 preprocessor settings */
- $stream5_reassembly = "";
+ // Pull in user-configurable options for Stream5 preprocessor settings
+ // Get global options first and put into a string
+ $stream5_global = "preprocessor stream5_global: \\\n";
if ($snortcfg['stream5_reassembly'] == "off")
- $stream5_reassembly = "disabled,";
- $stream5_track_tcp = "yes";
- if ($snortcfg['stream5_track_tcp'] =="off")
- $stream5_track_tcp = "no";
- $stream5_track_udp = "yes";
- if ($snortcfg['stream5_track_udp'] =="off")
- $stream5_track_udp = "no";
- $stream5_track_icmp = "no";
- if ($snortcfg['stream5_track_icmp'] =="on")
- $stream5_track_icmp = "yes";
- $stream5_require_3whs = "";
- if ($snortcfg['stream5_require_3whs'] == "on")
- $stream5_require_3whs = ", require_3whs 0";
- $stream5_no_reassemble_async = "";
- if ($snortcfg['stream5_no_reassemble_async'] == "on")
- $stream5_no_reassemble_async = ", dont_reassemble_async";
- $stream5_dont_store_lg_pkts = "";
- if ($snortcfg['stream5_dont_store_lg_pkts'] == "on")
- $stream5_dont_store_lg_pkts = ", dont_store_large_packets";
- $stream5_max_queued_bytes_type = "";
- if ((!empty($snortcfg['max_queued_bytes'])) || ($snortcfg['max_queued_bytes'] == '0'))
- $stream5_max_queued_bytes_type = ", max_queued_bytes {$snortcfg['max_queued_bytes']}";
- $stream5_max_queued_segs_type = "";
- if ((!empty($snortcfg['max_queued_segs'])) || ($snortcfg['max_queued_segs'] == '0'))
- $stream5_max_queued_segs_type = ", max_queued_segs {$snortcfg['max_queued_segs']}";
- $stream5_mem_cap = "";
+ $stream5_global .= "\tdisabled, \\\n";
+ if ($snortcfg['stream5_track_tcp'] == "off")
+ $stream5_global .= "\ttrack_tcp no,";
+ else {
+ $stream5_global .= "\ttrack_tcp yes,";
+ if (!empty($snortcfg['stream5_max_tcp']))
+ $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},";
+ else
+ $stream5_global .= " \\\n\tmax_tcp 262144,";
+ }
+ if ($snortcfg['stream5_track_udp'] == "off")
+ $stream5_global .= " \\\n\ttrack_udp no,";
+ else {
+ $stream5_global .= " \\\n\ttrack_udp yes,";
+ if (!empty($snortcfg['stream5_max_udp']))
+ $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},";
+ else
+ $stream5_global .= " \\\n\tmax_udp 131072,";
+ }
+ if ($snortcfg['stream5_track_icmp'] == "on") {
+ $stream5_global .= " \\\n\ttrack_icmp yes,";
+ if (!empty($snortcfg['stream5_max_icmp']))
+ $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},";
+ else
+ $stream5_global .= " \\\n\tmax_icmp 65536,";
+ }
+ else
+ $stream5_global .= " \\\n\ttrack_icmp no,";
if (!empty($snortcfg['stream5_mem_cap']))
- $stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}";
- $stream5_overlap_limit = "overlap_limit 0";
- if (!empty($snortcfg['stream5_overlap_limit']))
- $stream5_overlap_limit = "overlap_limit {$snortcfg['stream5_overlap_limit']}";
- $stream5_policy = "policy bsd";
- if (!empty($snortcfg['stream5_policy']))
- $stream5_policy = "policy {$snortcfg['stream5_policy']}";
- $stream5_tcp_timeout = "timeout 30";
- if (!empty($snortcfg['stream5_tcp_timeout']))
- $stream5_tcp_timeout = "timeout {$snortcfg['stream5_tcp_timeout']}";
- $stream5_udp_timeout = "timeout 30";
- if (!empty($snortcfg['stream5_udp_timeout']))
- $stream5_udp_timeout = "timeout {$snortcfg['stream5_udp_timeout']}";
- $stream5_icmp_timeout = "timeout 30";
- if (!empty($snortcfg['stream5_icmp_timeout']))
- $stream5_icmp_timeout = "timeout {$snortcfg['stream5_icmp_timeout']}";
-
- /* Check for and configure Host Attribute Table if enabled */
+ $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},";
+ else
+ $stream5_global .= " \\\n\tmemcap 8388608,";
+
+ if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0')
+ $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}";
+ else
+ $stream5_global .= " \\\n\tprune_log_max 1048576";
+ if ($snortcfg['stream5_flush_on_alert'] == "on")
+ $stream5_global .= ", \\\n\tflush_on_alert";
+
+ $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0,
+ "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+ $stream5_tcp_engine = "";
+
+ // Now iterate configured Stream5 TCP engines and write them to a string if enabled
+ if ($snortcfg['stream5_reassembly'] == "on") {
+ if (!is_array($snortcfg['stream5_tcp_engine']['item']))
+ $snortcfg['stream5_tcp_engine']['item'] = array();
+
+ // If no stream5 tcp engine is configured, use the default
+ if (empty($snortcfg['stream5_tcp_engine']['item']))
+ $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine;
+
+ foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor stream5_tcp: ";
+ $buffer .= "policy {$v['policy']},";
+ if ($v['bind_to'] <> "all") {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ',', $tmp);
+ if (strpos($tmp, ",") !== false)
+ $buffer .= " \\\n\tbind_to [{$tmp}],";
+ else
+ $buffer .= " \\\n\tbind_to {$tmp},";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine.");
+ continue;
+ }
+ }
+ $stream5_tcp_engine .= $buffer;
+ $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},";
+ $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},";
+ $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},";
+ $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},";
+ $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}";
+ if ($v['use_static_footprint_sizes'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes";
+ if ($v['check_session_hijacking'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking";
+ if ($v['dont_store_lg_pkts'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets";
+ if ($v['no_reassemble_async'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async";
+ if ($v['detect_anomalies'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdetect_anomalies";
+ if ($v['require_3whs'] == "on")
+ $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}";
+ if (!empty($v['ports_client'])) {
+ $stream5_tcp_engine .= ", \\\n\tports client";
+ if ($v['ports_client'] == " all")
+ $stream5_tcp_engine .= " all";
+ elseif ($v['ports_client'] == "default")
+ $stream5_tcp_engine .= " {$stream5_ports_client}";
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_client']));
+ if (!empty($tmp))
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ else {
+ $stream5_tcp_engine .= " {$stream5_ports_client}";
+ log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value.");
+ }
+ }
+ }
+ if (!empty($v['ports_both'])) {
+ $stream5_tcp_engine .= ", \\\n\tports both";
+ if ($v['ports_both'] == " all")
+ $stream5_tcp_engine .= " all";
+ elseif ($v['ports_both'] == "default")
+ $stream5_tcp_engine .= " {$stream5_ports_both}";
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_both']));
+ if (!empty($tmp))
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ else {
+ $stream5_tcp_engine .= " {$stream5_ports_both}";
+ log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value.");
+ }
+ }
+ }
+ if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") {
+ if ($v['ports_server'] == " all") {
+ $stream5_tcp_engine .= ", \\\n\tports server";
+ $stream5_tcp_engine .= " all";
+ }
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_server']));
+ if (!empty($tmp)) {
+ $stream5_tcp_engine .= ", \\\n\tports server";
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ }
+ else
+ log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none.");
+ }
+ }
+
+ // Make sure the "ports" parameter is set, or else default to a safe value
+ if (strpos($stream5_tcp_engine, "ports ") === false)
+ $stream5_tcp_engine .= ", \\\n\tports both all";
+
+ // Add a pair of newlines to terminate this engine
+ $stream5_tcp_engine .= "\n\n";
+ }
+ // Trim off the final trailing newline
+ $stream5_tcp_engine = rtrim($stream5_tcp_engine);
+ }
+
+ // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled
+ if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off")
+ $stream5_udp_engine = "";
+ else {
+ $stream5_udp_engine = "preprocessor stream5_udp: ";
+ if (!empty($snortcfg['stream5_udp_timeout']))
+ $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}";
+ else
+ $stream5_udp_engine .= "timeout 30";
+ }
+
+ // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled
+ if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") {
+ $stream5_icmp_engine = "preprocessor stream5_icmp: ";
+ if (!empty($snortcfg['stream5_icmp_timeout']))
+ $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}";
+ else
+ $stream5_icmp_engine .= "timeout 30";
+ }
+ else
+ $stream5_icmp_engine = "";
+
+ // Check for and configure Host Attribute Table if enabled
$host_attrib_config = "";
if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) {
file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data']));
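Review bot: the fallback check `if (strpos($stream5_tcp_engine, "ports ") === false)` near the end of the Stream5 TCP engine loop inspects the whole accumulated string rather than the engine just built, so once the first engine carries a `ports` option every later engine that omits it is written without one instead of receiving `ports both all`; the minimal fix scans only the tail, `if (strpos(substr($stream5_tcp_engine, strrpos($stream5_tcp_engine, "preprocessor stream5_tcp:")), "ports ") === false)`, and the cleaner one is a `$ports_set` flag raised in the three branches that append a `ports` keyword. The comparisons `$v['ports_client'] == " all"` (and the same for `ports_both` and `ports_server`) carry a leading space in the literal, which looks like a typo — unless the stored value really has that space, an `all` selection falls through to `filter_expand_alias("all")`, logs an unresolved-alias warning and uses the default. In the Frag3 loop the unresolved-alias branch logs "using 0.0.0.0 failsafe" but appends nothing, so the engine is emitted without a `bind_to` and the message does not describe what happens, while the Stream5 loop `continue`s in the same situation; the two should agree and the message should say what is actually done. The rebuilt `stream5_global` no longer emits the `max_active_responses 2, min_response_seconds 5` that the removed single-line form carried — if active responses are still expected, those need to be re-added deliberately. The enclosing function starts before and ends after this hunk.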
@@ -3211,22 +3527,148 @@ EOD;
$host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}";
}
- /* Finally, build the Snort configuration file */
- $snort_conf_text = <<<EOD
+ // Configure the HTTP_INSPECT preprocessor
+ // Get global options first and put into a string
+ $http_inspect_global = "preprocessor http_inspect: global ";
+ if ($snortcfg['http_inspect'] == "off")
+ $http_inspect_global .= "disabled ";
+ $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n";
+ $http_inspect_global .= "\tcompress_depth 65535 \\\n";
+ $http_inspect_global .= "\tdecompress_depth 65535 \\\n";
+ if (!empty($snortcfg['http_inspect_memcap']))
+ $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n";
+ else
+ $http_inspect_global .= "\tmemcap 150994944 \\\n";
+ if (!empty($snortcfg['http_inspect_max_gzip_mem']))
+ $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}";
+ else
+ $http_inspect_global .= "\tmax_gzip_mem 838860";
+ if ($snortcfg['http_inspect_proxy_alert'] == "on")
+ $http_inspect_global .= " \\\n\tproxy_alert";
+
+ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
+ "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
+ "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
+ "max_header_length" => 0, "ports" => "default" );
+ $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
+ $http_inspect_servers = "";
+
+ // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled
+ if ($snortcfg['http_inspect'] <> "off") {
+ if (!is_array($snortcfg['http_inspect_engine']['item']))
+ $snortcfg['http_inspect_engine']['item'] = array();
+
+ // If no http_inspect_engine is configured, use the default
+ if (empty($snortcfg['http_inspect_engine']['item']))
+ $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine;
+
+ foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor http_inspect_server: \\\n";
+ if ($v['name'] == "default")
+ $buffer .= "\tserver default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "\tserver { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
+ continue;
+ }
+ $http_inspect_servers .= $buffer;
+ $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n";
+
+ if ($v['no_alerts'] == "on")
+ $http_inspect_servers .= "\tno_alerts \\\n";
+
+ if ($v['ports'] == "default" || empty($v['ports']))
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ elseif (is_alias($v['ports'])) {
+ $tmp = trim(filter_expand_alias($v['ports']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $tmp = snort_expand_port_range($tmp, ' ');
+ $http_inspect_servers .= "\tports { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ }
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ }
+
+ $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n";
+ $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n";
+ $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n";
+ $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n";
+ $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n";
+ $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n";
+ $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}";
+ if ($v['enable_xff'] == "on")
+ $http_inspect_servers .= " \\\n\tenable_xff";
+ if ($v['enable_cookie'] == "on")
+ $http_inspect_servers .= " \\\n\tenable_cookie";
+ if ($v['normalize_cookies'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_cookies";
+ if ($v['normalize_headers'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_headers";
+ if ($v['normalize_utf'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_utf";
+ if ($v['allow_proxy_use'] == "on")
+ $http_inspect_servers .= " \\\n\tallow_proxy_use";
+ if ($v['inspect_uri_only'] == "on")
+ $http_inspect_servers .= " \\\n\tinspect_uri_only";
+ if ($v['extended_response_inspection'] == "on") {
+ $http_inspect_servers .= " \\\n\textended_response_inspection";
+ if ($v['inspect_gzip'] == "on") {
+ $http_inspect_servers .= " \\\n\tinspect_gzip";
+ if ($v['unlimited_decompress'] == "on")
+ $http_inspect_servers .= " \\\n\tunlimited_decompress";
+ }
+ if ($v['normalize_javascript'] == "on") {
+ $http_inspect_servers .= " \\\n\tnormalize_javascript";
+ $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}";
+ }
+ }
+ if ($v['log_uri'] == "on")
+ $http_inspect_servers .= " \\\n\tlog_uri";
+ if ($v['log_hostname'] == "on")
+ $http_inspect_servers .= " \\\n\tlog_hostname";
+ // Add a pair of trailing newlines to terminate this server config
+ $http_inspect_servers .= "\n\n";
+ }
+ /* Trim off the final trailing newline */
+ $http_inspect_server = rtrim($http_inspect_server);
+ }
+
+ // Finally, build the Snort configuration file
+ $snort_conf_text = <<<EOD
# snort configuration file
# generated automatically by the pfSense subsystems do not modify manually
# Define Local Network #
-var HOME_NET [{$home_net}]
-var EXTERNAL_NET [{$external_net}]
+ipvar HOME_NET [{$home_net}]
+ipvar EXTERNAL_NET [{$external_net}]
# Define Rule Paths #
var RULE_PATH {$snortcfgdir}/rules
var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules
# Define Servers #
-{$vardef}
+{$ipvardef}
# Define Server Ports #
{$portvardef}
@@ -3262,7 +3704,7 @@ config show_year
# For more information see README.stream5 #
{$paf_max_pdu_config}
-#Configure dynamically loaded libraries
+# Configure dynamically loaded libraries
dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']}
dynamicengine directory {$snort_dirs['dynamicengine']}
dynamicdetection directory {$snort_dirs['dynamicrules']}
@@ -3276,16 +3718,23 @@ dynamicdetection directory {$snort_dirs['dynamicrules']}
# preprocessor normalize_icmp6
# Flow and stream #
-preprocessor frag3_global: {$frag3_memcap}, {$frag3_max_frags}{$frag3_disabled}
-preprocessor frag3_engine: {$frag3_policy} detect_anomalies {$frag3_timeout} {$frag3_overlap_limit} {$frag3_min_frag_len}
+{$frag3_global}
-preprocessor stream5_global:{$stream5_reassembly} track_tcp {$stream5_track_tcp}, track_udp {$stream5_track_udp}, track_icmp {$stream5_track_icmp}, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5{$stream5_mem_cap}
-preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}{$stream5_dont_store_lg_pkts}
-preprocessor stream5_udp: {$stream5_udp_timeout}
-preprocessor stream5_icmp: {$stream5_icmp_timeout}
+{$frag3_engine}
-{$snort_preprocessors}
+{$stream5_global}
+
+{$stream5_tcp_engine}
+{$stream5_udp_engine}
+
+{$stream5_icmp_engine}
+
+# HTTP Inspect #
+{$http_inspect_global}
+
+{$http_inspect_servers}
+{$snort_preprocessors}
{$host_attrib_config}
# Snort Output Logs #
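Review bot: `{$http_inspect_servers}` is interpolated here with its trailing `"\n\n"` still attached, because the trim in the builder above this hunk reads `$http_inspect_server = rtrim($http_inspect_server);` (singular) and so never touches the plural variable that the loop appends to. The effect is only extra blank lines between the last http_inspect_server stanza and `{$snort_preprocessors}`, but the rtrim line is dead code and `$http_inspect_server` is a fresh undefined variable. The fix is `$http_inspect_servers = rtrim($http_inspect_servers);` in the builder, whose start lies outside this hunk.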
@@ -3304,10 +3753,9 @@ output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,src
# Rules Selection #
{$selected_rules_sections}
-
EOD;
- /* write out snort.conf */
+ // Write out snort.conf file
$conf = fopen("{$snortcfgdir}/snort.conf", "w");
if(!$conf) {
log_error("Could not open {$snortcfgdir}/snort.conf for writing.");
@@ -3316,7 +3764,7 @@ EOD;
fwrite($conf, $snort_conf_text);
fclose($conf);
unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type);
- unset($home_net, $external_net, $vardef, $portvardef);
+ unset($home_net, $external_net, $ipvardef, $portvardef);
}
/* Uses XMLRPC to synchronize the changes to a remote node */
diff --git a/config/snort/snort.priv.inc b/config/snort/snort.priv.inc
new file mode 100644
index 00000000..5e159747
--- /dev/null
+++ b/config/snort/snort.priv.inc
@@ -0,0 +1,45 @@
+<?php
+
+global $priv_list;
+
+$priv_list['page-services-snort'] = array();
+$priv_list['page-services-snort']['name'] = "WebCfg - Services: Snort package.";
+$priv_list['page-services-snort']['descr'] = "Allow access to Snort package gui";
+$priv_list['page-services-snort']['match'] = array();
+$priv_list['page-services-snort']['match'][] = "snort/snort_alerts.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_barnyard.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_blocked.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_check_for_rule_updates.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_define_servers.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_download_rules.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_download_updates.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_edit_hat_data.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_frag3_engine.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_ftp_client_engine.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_ftp_server_engine.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_httpinspect_engine.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_import_aliases.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_edit.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_global.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_suppress.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_suppress_edit.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_whitelist.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interfaces_whitelist_edit.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_list_view.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_log_view.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_migrate_config.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_post_install.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_preprocessors.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_rules.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_rules_edit.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_rules_flowbits.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_rulesets.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_select_alias.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_stream5_engine.php*";
+$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=snort_sync.xml*";
+$priv_list['page-services-snort']['match'][] = "pkg_edit.php?xml=sort/snort.xml*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_check_cron_misc.inc*";
+$priv_list['page-services-snort']['match'][] = "snort/snort.inc*";
+
+?> \ No newline at end of file
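Review bot: `pkg_edit.php?xml=sort/snort.xml*` in the second-to-last match entry looks like a typo for `snort/snort.xml`; as written the privilege never matches the package's own settings page, so an account granted only this privilege is denied it (fail-closed, but the privilege is incomplete). The last two entries, `snort/snort_check_cron_misc.inc*` and `snort/snort.inc*`, appear to be include files rather than request paths, so it is worth confirming they are meant to be listed. The file also ends with `?>` and no trailing newline; for an include-only file the closing tag is conventionally omitted.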
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 49bec61c..c50c066a 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -42,12 +42,12 @@
/* ========================================================================== */
]]>
</copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
+ <description>Snort IDS/IPS Package</description>
+ <requirements>None</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
- <version>2.9.4.6</version>
- <title>Services:2.9.4.6 pkg v. 2.6.1</title>
+ <version>2.9.5.5</version>
+ <title>Services:2.9.5.5 pkg v3.0.1</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
<name>Snort</name>
@@ -76,6 +76,16 @@
<additional_files_needed>
<prefix>/usr/local/pkg/snort/</prefix>
<chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_migrate_config.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_post_install.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>077</chmod>
<item>http://www.pfsense.com/packages/config/snort/snort_sync.xml</item>
</additional_files_needed>
<additional_files_needed>
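Review bot: The new `<item>` entries fetch executable PHP (`snort_migrate_config.php`, `snort_post_install.php`) over plain `http://` with no checksum, matching the surrounding entries, and `snort_post_install.php` is then executed by the install command later in this file. Integrity of what lands in `/usr/local/pkg/snort/` therefore rests on the network path alone; this is presumably the package-format convention rather than something this commit can change by itself, but if the download host serves these paths over https, switching the scheme on the new entries is a cheap improvement.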
@@ -188,18 +198,64 @@
<chmod>077</chmod>
<item>http://www.pfsense.com/packages/config/snort/snort_edit_hat_data.php</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_frag3_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_stream5_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_httpinspect_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_ftp_client_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_ftp_server_engine.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_import_aliases.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_select_alias.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort.priv.inc</item>
+ </additional_files_needed>
<fields>
</fields>
<custom_add_php_command>
</custom_add_php_command>
<custom_php_resync_config_command>
+ <![CDATA[
+ if ($GLOBALS['pfSense_snort_version'] == "3.0.1")
sync_snort_package_config();
+ ]]>
</custom_php_resync_config_command>
<custom_php_install_command>
- snort_postinstall();
+ <![CDATA[
+ include_once("/usr/local/pkg/snort/snort_post_install.php");
+ ]]>
</custom_php_install_command>
<custom_php_deinstall_command>
+ <![CDATA[
snort_deinstall();
+ ]]>
</custom_php_deinstall_command>
</packagegui>
-
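Review bot: The resync guard `if ($GLOBALS['pfSense_snort_version'] == "3.0.1")` hardcodes the package version separately from `<title>Services:2.9.5.5 pkg v3.0.1</title>` and from wherever `pfSense_snort_version` is defined (presumably snort.inc, not visible here), so every bump must be made in three places, and a mismatch makes `sync_snort_package_config()` silently do nothing. An `else` branch that logs the skip, e.g. `else log_error("[Snort] resync skipped: package version " . $GLOBALS['pfSense_snort_version'] . " does not match snort.xml");`, would make that failure visible, and a short comment on the guard explaining why the check exists (migration ordering, I assume) would help the next maintainer.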
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php
index 728de751..ede6cf9a 100755
--- a/config/snort/snort_alerts.php
+++ b/config/snort/snort_alerts.php
@@ -144,12 +144,13 @@ $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) {
$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'];
$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'];
- $anentries = $pconfig['alertnumber'];
-} else {
- $anentries = '250';
+}
+
+if (empty($pconfig['alertnumber']))
$pconfig['alertnumber'] = '250';
+if (empty($pconfig['arefresh']))
$pconfig['arefresh'] = 'off';
-}
+$anentries = $pconfig['alertnumber'];
if ($_POST['save']) {
if (!is_array($config['installedpackages']['snortglobal']['alertsblocks']))
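Review bot: The `'off'` default written into `$pconfig['arefresh']` is not used by the form: the checkbox in the later hunk of this file still tests `$config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on"` directly, so the defaulting and the rendering read two different sources. Reading `$pconfig['arefresh']` there, `<?php if ($pconfig['arefresh']=="on") echo "checked"; ?>`, would keep the page consistent with the `if ($pconfig['arefresh'] == 'on')` check that the hunk header shows it already relies on.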
@@ -259,7 +260,7 @@ if ($_POST['download']) {
/* Load up an array with the current Suppression List GID,SID values */
$supplist = snort_load_suppress_sigs($a_instance[$instanceid], true);
-$pgtitle = "Services: Snort: Snort Alerts";
+$pgtitle = gettext("Snort: Snort Alerts");
include_once("head.inc");
?>
@@ -336,7 +337,7 @@ if ($pconfig['arefresh'] == 'on')
<?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on"
<?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>>
<?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>&nbsp;&nbsp;
- <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>">
+ <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>">
<?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>
</td>
</tr>
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php
index a5c1ffec..2457b573 100644
--- a/config/snort/snort_barnyard.php
+++ b/config/snort/snort_barnyard.php
@@ -104,7 +104,7 @@ if ($_POST) {
}
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface: {$if_friendly} Barnyard2 Edit";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Barnyard2 Settings");
include_once("head.inc");
?>
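Review bot: `gettext("Snort: Interface {$if_friendly} - Barnyard2 Settings")` interpolates into the msgid, so the string can never match a catalog entry and the call is effectively a no-op; the same pattern is used throughout the new `snort_check_rule_md5` and `snort_fetch_new_rules` helpers in snort_check_for_rule_updates.php (`{$desc}`, `{$rc}`, `{$filename_md5}`). Use `$pgtitle = sprintf(gettext("Snort: Interface %s - Barnyard2 Settings"), $if_friendly);` here and the same `sprintf(gettext(...), ...)` shape in the helpers.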
@@ -188,7 +188,7 @@ function enable_change(enable_change) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td>
<td width="78%" class="vtable"><input name="barnyard_mysql"
- type="text" class="formfld" id="barnyard_mysql" style="width:95%;" size="85"
+ type="text" class="formfld unknown" id="barnyard_mysql" style="width:95%;" size="85"
value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br/>
<span class="vexpl"><?php echo gettext("Example: output database: alert, mysql, " .
"dbname=snort user=snort host=localhost password=xyz"); ?><br/>
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index 983e8905..8d106a90 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -121,7 +121,7 @@ if ($_POST['save'])
}
-$pgtitle = "Services: Snort Blocked Hosts";
+$pgtitle = gettext("Snort: Blocked Hosts");
include_once("head.inc");
?>
@@ -180,7 +180,7 @@ if ($pconfig['brefresh'] == 'on')
name="brefresh" type="checkbox" value="on"
<?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>>
<?php printf(gettext("%sDefault%s is %sON%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?>&nbsp;&nbsp;<input
- name="blertnumber" type="text" class="formfld" id="blertnumber"
+ name="blertnumber" type="text" class="formfld unknown" id="blertnumber"
size="5" value="<?=htmlspecialchars($bnentries);?>"> <?php printf(gettext("Enter the " .
"number of blocked entries to view. %sDefault%s is %s500%s."), '<strong>', '</strong>', '<strong>', '</strong>'); ?>
</td>
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index e7263330..a93aef56 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -5,6 +5,7 @@
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2009 Robert Zelaya
* Copyright (C) 2011-2012 Ermal Luci
+ * Copyright (C) 2013 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -53,6 +54,14 @@ if (!defined("GPLV2_DNLD_URL"))
define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/");
if (!defined("RULES_UPD_LOGFILE"))
define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+if (!defined("VRT_FILE_PREFIX"))
+ define("VRT_FILE_PREFIX", "snort_");
+if (!defined("GPL_FILE_PREFIX"))
+ define("GPL_FILE_PREFIX", "GPLv2_");
+if (!defined("ET_OPEN_FILE_PREFIX"))
+ define("ET_OPEN_FILE_PREFIX", "emerging-");
+if (!defined("ET_PRO_FILE_PREFIX"))
+ define("ET_PRO_FILE_PREFIX", "etpro-");
$snortdir = SNORTDIR;
$snortlibdir = SNORTLIBDIR;
@@ -80,10 +89,15 @@ $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats'];
$tmpfname = "{$snortdir}/tmp/snort_rules_up";
/* Grab the Snort binary version programmatically and use it to construct */
-/* the proper Snort VRT rules tarball and md5 filenames. */
+/* the proper Snort VRT rules tarball and md5 filenames. Fallback to a */
+/* default in the event we fail. */
+$snortver = array();
exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
// Save the version with decimal delimiters for use in extracting the rules
$snort_version = $snortver[0];
+if (empty($snort_version))
+ $snort_version = "2.9.5.5";
+
// Create a collapsed version string for use in the tarball filename
$snortver[0] = str_replace(".", "", $snortver[0]);
$snort_filename = "snortrules-snapshot-{$snortver[0]}.tar.gz";
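Review bot: The `2.9.5.5` fallback repairs `$snort_version` but not `$snortver[0]`, which the next two statements collapse into `$snort_filename`; when `snort -V` yields no output the tarball name becomes `snortrules-snapshot-.tar.gz` and `$snortver[0]` is read as an undefined offset of the freshly initialised empty array. Set both in the fallback branch: `if (empty($snort_version)) { $snort_version = "2.9.5.5"; $snortver[0] = $snort_version; }`. A comment noting that the default must track the version in snort.xml would also help, since the two are now maintained separately.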
@@ -97,6 +111,7 @@ if ($etpro == "on") {
$emergingthreats_url = ETPRO_BASE_DNLD_URL;
$emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/";
$emergingthreats = "on";
+ $et_enabled= "on";
$et_name = "Emerging Threats Pro";
$et_md5_remove = ET_DNLD_FILENAME . ".md5";
@unlink("{$snortdir}/{$et_md5_remove}");
@@ -118,7 +133,6 @@ $snort_community_rules_filename = GPLV2_DNLD_FILENAME;
$snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5";
$snort_community_rules_url = GPLV2_DNLD_URL;
-/* Custom function for rules file download via URL */
function snort_download_file_url($url, $file_out) {
/************************************************/
@@ -127,18 +141,21 @@ function snort_download_file_url($url, $file_out) {
/* saves the content to the file specified by */
/* $file. */
/* */
+ /* This is needed so console output can be */
+ /* suppressed to prevent XMLRPC sync errors. */
+ /* */
/* It provides logging of returned CURL errors. */
/************************************************/
global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update;
- // Initialize required variables for pfSense "read_body()" function
+ // Initialize required variables for the pfSense "read_body()" function
$file_size = 1;
$downloaded = 1;
$first_progress_update = TRUE;
- /* Array of message strings for HTTP Response Codes */
+ // Array of message strings for HTTP Response Codes
$http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content",
206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found",
305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request",
@@ -157,7 +174,7 @@ function snort_download_file_url($url, $file_out) {
return false;
curl_setopt($ch, CURLOPT_FILE, $fout);
- /* NOTE: required to suppress errors from XMLRPC due to progress bar output */
+ // NOTE: required to suppress errors from XMLRPC due to progress bar output
if ($g['snort_sync_in_progress'])
curl_setopt($ch, CURLOPT_HEADER, false);
else {
@@ -167,7 +184,6 @@ function snort_download_file_url($url, $file_out) {
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)");
- /* Don't verify SSL peers since we don't have the certificates to do so. */
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
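Review bot: The comment explaining `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);` is removed while the setting stays, so the next reader sees peer verification disabled with no rationale. Because both the md5 files and the rules tarballs travel through this function, the md5 comparison added elsewhere in this commit detects corruption but not substitution by anyone positioned on the connection path. Keep a comment such as `// Peer verification intentionally off (no CA bundle available); the md5 check downstream guards against corruption, not tampering`, or, if the system does ship a CA bundle, point `CURLOPT_CAINFO` at it and re-enable verification.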
@@ -185,7 +201,7 @@ function snort_download_file_url($url, $file_out) {
$counter = 0;
$rc = true;
- /* Try up to 4 times to download the file before giving up */
+ // Try up to 4 times to download the file before giving up
while ($counter < 4) {
$counter++;
$rc = curl_exec($ch);
@@ -202,7 +218,8 @@ function snort_download_file_url($url, $file_out) {
$last_curl_error = $http_resp_msg[$http_code];
curl_close($ch);
fclose($fout);
- /* If we had to try more than once, log it */
+
+ // If we had to try more than once, log it
if ($counter > 1)
log_error(gettext("File '" . basename($file_out) . "' download attempts: {$counter} ..."));
return ($http_code == 200) ? true : $http_code;
@@ -214,7 +231,140 @@ function snort_download_file_url($url, $file_out) {
}
}
-/* Start of code */
+function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
+
+ /**********************************************************/
+ /* This function attempts to download the passed MD5 hash */
+ /* file and compare its contents to the currently stored */
+ /* hash file to see if a new rules file has been posted. */
+ /* */
+ /* On Entry: $file_url = URL for md5 hash file */
+ /* $file_dst = Temp destination to store the */
+ /* downloaded hash file */
+ /* $desc = Short text string used to label */
+ /* log messages with rules type */
+ /* */
+ /* Returns: TRUE if new rule file download required. */
+ /* FALSE if rule download not required or an */
+ /* error occurred. */
+ /**********************************************************/
+
+ global $pkg_interface, $snort_rules_upd_log, $last_curl_error;
+
+ $snortdir = SNORTDIR;
+ $filename_md5 = basename($file_dst);
+
+ if ($pkg_interface <> "console")
+ update_status(gettext("Downloading {$desc} md5 file..."));
+ error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, $snort_rules_upd_log);
+ $rc = snort_download_file_url($file_url, $file_dst);
+
+ // See if download from URL was successful
+ if ($rc === true) {
+ if ($pkg_interface <> "console")
+ update_status(gettext("Done downloading {$filename_md5}."));
+ error_log("\tChecking {$desc} md5 file...\n", 3, $snort_rules_upd_log);
+
+ // check md5 hash in new file against current file to see if new download is posted
+ if (file_exists("{$snortdir}/{$filename_md5}")) {
+ $md5_check_new = file_get_contents($file_dst);
+ $md5_check_old = file_get_contents("{$snortdir}/{$filename_md5}");
+ if ($md5_check_new == $md5_check_old) {
+ if ($pkg_interface <> "console")
+ update_status(gettext("{$desc} are up to date..."));
+ log_error(gettext("[Snort] {$desc} are up to date..."));
+ error_log(gettext("\t{$desc} are up to date.\n"), 3, $snort_rules_upd_log);
+ return false;
+ }
+ else
+ return true;
+ }
+ return true;
+ }
+ else {
+ error_log(gettext("\t{$desc} md5 download failed.\n"), 3, $snort_rules_upd_log);
+ $snort_err_msg = gettext("Server returned error code {$rc}.");
+ if ($pkg_interface <> "console") {
+ update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
+ update_output_window(gettext("{$desc} will not be updated.\n\t{$snort_err_msg}"));
+ }
+ log_error(gettext("[Snort] {$desc} md5 download failed..."));
+ log_error(gettext("[Snort] Server returned error code {$rc}..."));
+ error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log);
+ if ($pkg_interface == "console")
+ error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ return false;
+ }
+}
+
+function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
+
+ /**********************************************************/
+ /* This function downloads the passed rules file and */
+ /* compares its computed md5 hash to the passed md5 hash */
+ /* to verify the file's integrity. */
+ /* */
+ /* On Entry: $file_url = URL of rules file */
+ /* $file_dst = Temp destination to store the */
+ /* downloaded rules file */
+ /* $file_md5 = Expected md5 hash for the new */
+ /* downloaded rules file */
+ /* $desc = Short text string for use in */
+ /* log messages */
+ /* */
+ /* Returns: TRUE if download was successful. */
+ /* FALSE if download was not successful. */
+ /**********************************************************/
+
+ global $pkg_interface, $snort_rules_upd_log, $last_curl_error;
+
+ $snortdir = SNORTDIR;
+ $filename = basename($file_dst);
+
+ if ($pkg_interface <> "console")
+ update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
+ log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}..."));
+ error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, $snort_rules_upd_log);
+ $rc = snort_download_file_url($file_url, $file_dst);
+
+ // See if the download from the URL was successful
+ if ($rc === true) {
+ if ($pkg_interface <> "console")
+ update_status(gettext("Done downloading {$desc} file."));
+ log_error("[Snort] {$desc} file update downloaded successfully");
+ error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log);
+
+ // Test integrity of the rules file. Turn off update if file has wrong md5 hash
+ if ($file_md5 != trim(md5_file($file_dst))){
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("{$desc} file MD5 checksum failed..."));
+ log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum..."));
+ log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst)));
+ log_error(gettext("[Snort] Expected File MD5: {$file_md5}"));
+ error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ return false;
+ }
+ return true;
+ }
+ else {
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("{$desc} file download failed..."));
+ log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'..."));
+ error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log);
+ if ($pkg_interface == "console")
+ error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ return false;
+ }
+
+}
+
+/* Start of main code */
conf_mount_rw();
/* remove old $tmpfname files */
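Review bot: Both hash comparisons in the new helpers are loose: `if ($md5_check_new == $md5_check_old)` in `snort_check_rule_md5` and `if ($file_md5 != trim(md5_file($file_dst)))` in `snort_fetch_new_rules`. PHP compares two numeric-looking strings numerically, so hex hashes consisting only of digits and `e` can compare equal while differing, and the first comparison also skips the `trim()` that the caller applies before passing the same file's contents as `$file_md5`. Use `if (trim($md5_check_new) === trim($md5_check_old))` and `if ($file_md5 !== md5_file($file_dst))` (md5_file output carries no whitespace, so the trim there is unnecessary). Separately, the generic error path of `snort_check_rule_md5` drops the 403-specific hint about oinkcode authorisation and the 15-minute download limit that the inline code it replaces (visible in the next hunk) reported to the user; passing that text through `$desc` or a dedicated parameter would preserve it.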
@@ -239,171 +389,43 @@ if (file_exists($snort_rules_upd_log)) {
error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log);
$last_curl_error = "";
-/* download md5 sig from snort.org */
+/* Check for and download any new Snort VRT sigs */
if ($snortdownload == 'on') {
- if ($pkg_interface <> "console")
- update_status(gettext("Downloading Snort VRT md5 file {$snort_filename_md5}..."));
- error_log(gettext("\tDownloading Snort VRT md5 file '{$snort_filename_md5}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}");
- if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading {$snort_filename_md5}."));
- error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log);
- }
- else {
- error_log(gettext("\tSnort VRT md5 download failed.\n"), 3, $snort_rules_upd_log);
- if ($rc == 403) {
- $snort_err_msg = gettext("Too many attempts or Oinkcode not authorized for this Snort version.\n");
- $snort_err_msg .= gettext("\tFree Registered Users may download VRT Rules once every 15 minutes.\n");
- $snort_err_msg .= gettext("\tPaid Subscribers have no download limits.\n");
- }
- else
- $snort_err_msg = gettext("Server returned error code '{$rc}'.");
- if ($pkg_interface <> "console") {
- update_status(gettext("Snort VRT md5 error ... Server returned error code {$rc} ..."));
- update_output_window(gettext("Snort VRT rules will not be updated.\n\t{$snort_err_msg}"));
- }
- log_error(gettext("[Snort] Snort VRT md5 download failed..."));
- log_error(gettext("[Snort] Server returned error code '{$rc}'..."));
- error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tServer error message was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log);
- $snortdownload = 'off';
- }
-}
-
-/* Check if were up to date snort.org */
-if ($snortdownload == 'on') {
- if (file_exists("{$snortdir}/{$snort_filename_md5}")) {
- $md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
- $md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}");
- if ($md5_check_new == $md5_check_old) {
- if ($pkg_interface <> "console")
- update_status(gettext("Snort VRT rules are up to date..."));
- log_error(gettext("[Snort] Snort VRT rules are up to date..."));
- error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log);
+ if (snort_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) {
+ /* download snortrules file */
+ $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}"));
+ if (!snort_fetch_new_rules("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules"))
$snortdownload = 'off';
- }
}
-}
-
-/* download snortrules file */
-if ($snortdownload == 'on') {
- if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of Snort VRT rules posted. Downloading {$snort_filename}..."));
- log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading..."));
- error_log(gettext("\tThere is a new set of Snort VRT rules posted.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloading file '{$snort_filename}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}");
- if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading Snort VRT rules file."));
- log_error("[Snort] Snort VRT rules file update downloaded successfully");
- error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log);
- if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort VRT rules file MD5 checksum failed..."));
- log_error(gettext("[Snort] Snort VRT rules file download failed. Bad MD5 checksum..."));
- log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_filename}")));
- log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}")));
- error_log(gettext("\tSnort VRT rules file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloaded Snort VRT file MD5: " . md5_file("{$tmpfname}/{$snort_filename}") . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tExpected Snort VRT file MD5: " . file_get_contents("{$tmpfname}/{$snort_filename_md5}") . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log);
- $snortdownload = 'off';
- }
- }
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort VRT rules file download failed..."));
- log_error(gettext("[Snort] Snort VRT rules file download failed... server returned error '{$rc}'..."));
- error_log(gettext("\tSnort VRT rules file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text was '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tSnort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log);
+ else
$snortdownload = 'off';
- }
}
-/* download md5 sig from Snort GPLv2 Community Rules */
+/* Check for and download any new Snort GPLv2 Community Rules sigs */
if ($snortcommunityrules == 'on') {
- if ($pkg_interface <> "console")
- update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file {$snort_community_rules_filename_md5}..."));
- error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file '{$snort_community_rules_filename_md5}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}");
- if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading Snort GPLv2 Community Rules md5"));
- error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log);
- if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") {
- /* Check if were up to date Snort GPLv2 Community Rules */
- $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}");
- $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}");
- if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) {
- if ($pkg_interface <> "console")
- update_status(gettext("Snort GPLv2 Community Rules are up to date..."));
- log_error(gettext("[Snort] Snort GPLv2 Community Rules are up to date..."));
- error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log);
- $snortcommunityrules = 'off';
- }
- }
+ if (snort_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) {
+ /* download Snort GPLv2 Community Rules file */
+ $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"));
+ if (!snort_fetch_new_rules("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}", $file_md5, "Snort GPLv2 Community Rules"))
+ $snortcommunityrules = 'off';
}
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated."));
- log_error(gettext("[Snort] Snort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'."));
- error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tSnort GPLv2 Community Rules will not be updated.\n"), 3, $snort_rules_upd_log);
+ else
$snortcommunityrules = 'off';
- }
}
-/* download Snort GPLv2 Community rules file */
-if ($snortcommunityrules == "on") {
- if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading {$snort_community_rules_filename} ..."));
- log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading..."));
- error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloading file '{$snort_community_rules_filename}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}");
-
- /* Test for a valid rules file download. Turn off Snort Community update if download failed. */
- if ($rc === true) {
- if (trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_community_rules_filename}"))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("Snort GPLv2 Community Rules file MD5 checksum failed..."));
- log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Bad MD5 checksum..."));
- log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}")));
- log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}")));
- error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloaded Snort GPLv2 file MD5: " . md5_file("{$tmpfname}/{$snort_community_rules_filename}") . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tExpected Snort GPLv2 file MD5: " . file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}") . "\n"), 3, $snort_rules_upd_log);
- $snortcommunityrules = 'off';
- }
- else {
- if ($pkg_interface <> "console")
- update_status(gettext('Done downloading Snort GPLv2 Community Rules file.'));
- log_error("[Snort] Snort GPLv2 Community Rules file update downloaded successfully");
- error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log);
- }
- }
- else {
- if ($pkg_interface <> "console") {
- update_status(gettext("The server returned error code {$rc} ... skipping GPLv2 Community Rules..."));
- update_output_window(gettext("Snort GPLv2 Community Rules file download failed..."));
- }
- log_error(gettext("[Snort] Snort GPLv2 Community Rules file download failed. Server returned error '{$rc}'..."));
- error_log(gettext("\tSnort GPLv2 Community Rules download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- $snortcommunityrules = 'off';
+/* Check for and download any new Emerging Threats Rules sigs */
+if ($emergingthreats == 'on') {
+ if (snort_check_rule_md5("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}", "{$et_name} rules")) {
+ /* download Emerging Threats rules file */
+ $file_md5 = trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"));
+ if (!snort_fetch_new_rules("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}", $file_md5, "{$et_name} rules"))
+ $emergingthreats = 'off';
}
+ else
+ $emergingthreats = 'off';
}
-/* Untar Snort GPLv2 Community rules to tmp */
+/* Untar Snort GPLv2 Community rules file to tmp */
if ($snortcommunityrules == 'on') {
safe_mkdir("{$snortdir}/tmp/community");
if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
@@ -417,12 +439,12 @@ if ($snortcommunityrules == 'on') {
$files = glob("{$snortdir}/tmp/community/community-rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file);
- @copy($file, "{$snortdir}/rules/GPLv2_{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . GPL_FILE_PREFIX . "{$newfile}");
}
/* base etc files for Snort GPLv2 Community rules */
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}"))
- @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/GPLv2_{$file}");
+ @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/" . GPL_FILE_PREFIX . "{$file}");
}
/* Copy snort community md5 sig to snort dir */
if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) {
@@ -439,84 +461,7 @@ if ($snortcommunityrules == 'on') {
}
}
-/* download md5 sig from emergingthreats.net */
-if ($emergingthreats == 'on') {
- if ($pkg_interface <> "console")
- update_status(gettext("Downloading {$et_name} md5 file..."));
- error_log(gettext("\tDownloading {$et_name} md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}");
- if ($rc === true) {
- if ($pkg_interface <> "console")
- update_status(gettext("Done downloading {$et_name} md5 file {$emergingthreats_filename_md5}"));
- error_log(gettext("\tChecking {$et_name} md5.\n"), 3, $snort_rules_upd_log);
- if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") {
- /* Check if were up to date emergingthreats.net */
- $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}");
- $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}");
- if ($emerg_md5_check_new == $emerg_md5_check_old) {
- if ($pkg_interface <> "console")
- update_status(gettext("{$et_name} rules are up to date..."));
- log_error(gettext("[Snort] {$et_name} rules are up to date..."));
- error_log(gettext("\t{$et_name} rules are up to date.\n"), 3, $snort_rules_upd_log);
- $emergingthreats = 'off';
- }
- }
- }
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$et_name} md5 file download failed. {$et_name} rules will not be updated."));
- log_error(gettext("[Snort] {$et_name} md5 file download failed. Server returned error code '{$rc}'."));
- error_log(gettext("\t{$et_name} md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\t{$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log);
- $emergingthreats = 'off';
- }
-}
-
-/* download emergingthreats rules file */
-if ($emergingthreats == "on") {
- if ($pkg_interface <> "console")
- update_status(gettext("There is a new set of {$et_name} rules posted. Downloading {$emergingthreats_filename}..."));
- log_error(gettext("[Snort] There is a new set of {$et_name} rules posted. Downloading..."));
- error_log(gettext("\tThere is a new set of {$et_name} rules posted.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log);
- $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}");
-
- /* Test for a valid rules file download. Turn off ET update if download failed. */
- if ($rc === true) {
- if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$et_name} rules file MD5 checksum failed..."));
- log_error(gettext("[Snort] {$et_name} rules file download failed. Bad MD5 checksum..."));
- log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}")));
- log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")));
- error_log(gettext("\t{$et_name} rules file download failed. {$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log);
- $emergingthreats = 'off';
- }
- else {
- if ($pkg_interface <> "console")
- update_status(gettext('Done downloading {$et_name} rules file.'));
- log_error("[Snort] {$et_name} rules file update downloaded successfully");
- error_log(gettext("\tDone downloading {$et_name} rules file.\n"), 3, $snort_rules_upd_log);
- }
- }
- else {
- if ($pkg_interface <> "console") {
- update_status(gettext("The server returned error code {$rc} ... skipping {$et_name} update..."));
- update_output_window(gettext("{$et_name} rules file download failed..."));
- }
- log_error(gettext("[Snort] {$et_name} rules file download failed. Server returned error '{$rc}'..."));
- error_log(gettext("\t{$et_name} rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log);
- if ($pkg_interface == "console")
- error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log);
- $emergingthreats = 'off';
- }
-}
-
-/* Untar emergingthreats rules to tmp */
+/* Untar Emerging Threats rules file to tmp */
if ($emergingthreats == 'on') {
safe_mkdir("{$snortdir}/tmp/emerging");
if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
@@ -528,16 +473,18 @@ if ($emergingthreats == 'on') {
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/");
/* Remove the old Emerging Threats rules files */
- array_map('unlink', glob("{$snortdir}/rules/emerging-*.rules"));
- array_map('unlink', glob("{$snortdir}/rules/etpro-*.rules"));
- array_map('unlink', glob("{$snortdir}/rules/emerging-*ips.txt"));
- array_map('unlink', glob("{$snortdir}/rules/etpro-*ips.txt"));
+ $eto_prefix = ET_OPEN_FILE_PREFIX;
+ $etpro_prefix = ET_PRO_FILE_PREFIX;
+ array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*.rules"));
+ array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*.rules"));
+ array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*ips.txt"));
+ array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*ips.txt"));
$files = glob("{$snortdir}/tmp/emerging/rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file);
if ($etpro == "on")
- @copy($file, "{$snortdir}/rules/etpro-{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}");
else
@copy($file, "{$snortdir}/rules/{$newfile}");
}
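Review bot: The four new `array_map('unlink', glob(...))` lines interpolate a prefix that, if `ET_OPEN_FILE_PREFIX` or `ET_PRO_FILE_PREFIX` ever resolves to an empty string, collapses the pattern to `{$snortdir}/rules/*.rules` and removes every rules file, and they also pass a `false` from a failed `glob()` straight into `array_map()`; a guard such as `if ($eto_prefix !== '' && ($old = glob("{$snortdir}/rules/{$eto_prefix}*.rules")) !== false) array_map('unlink', $old);` keeps the delete bounded. The `$eto_prefix`/`$etpro_prefix` temporaries exist only so the constant can be interpolated; the concatenation form used for the `@copy()` calls a few lines down (`"{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules"`) would drop them and keep the hunk consistent. The `$vrt_prefix` hunk further down (`@@ -581,7 +528,8 @@`) has the same shape and the same concern. The enclosing `if ($emergingthreats == 'on')` block starts before this hunk.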
@@ -546,9 +493,9 @@ if ($emergingthreats == 'on') {
foreach ($files as $file) {
$newfile = basename($file);
if ($etpro == "on")
- @copy($file, "{$snortdir}/rules/etpro-{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}");
else
- @copy($file, "{$snortdir}/rules/emerging-{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "{$newfile}");
}
/* base etc files for Emerging Threats rules */
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
@@ -571,7 +518,7 @@ if ($emergingthreats == 'on') {
}
}
-/* Untar snort rules file individually to help people with low system specs */
+/* Untar Snort rules file to tmp */
if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/{$snort_filename}")) {
/* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */
@@ -581,7 +528,8 @@ if ($snortdownload == 'on') {
$freebsd_version_so = 'FreeBSD-9-0';
/* Remove the old Snort rules files */
- array_map('unlink', glob("{$snortdir}/rules/snort_*.rules"));
+ $vrt_prefix = VRT_FILE_PREFIX;
+ array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules"));
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT rules..."));
@@ -594,7 +542,7 @@ if ($snortdownload == 'on') {
$files = glob("{$snortdir}/tmp/snortrules/rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file);
- @copy($file, "{$snortdir}/rules/snort_{$newfile}");
+ @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}");
}
/* IP lists */
$files = glob("{$snortdir}/tmp/snortrules/rules/*.txt");
@@ -629,7 +577,7 @@ if ($snortdownload == 'on') {
$files = glob("{$snortdir}/tmp/so_rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file, ".rules");
- @copy($file, "{$snortdir}/rules/snort_{$newfile}.so.rules");
+ @copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules");
}
exec("rm -r {$snortdir}/tmp/so_rules");
}
@@ -724,6 +672,11 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
$cfgs = glob("{$snortdir}/tmp/*classification.config");
$cfgs[] = "{$snortdir}/classification.config";
snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config");
+ /* Use the unicode.map and gen-msg.map files from ET rules. */
+ if (file_exists("{$snortdir}/tmp/ET_unicode.map"))
+ @copy("{$snortdir}/tmp/ET_unicode.map", "{$snortdir}/unicode.map");
+ if (file_exists("{$snortdir}/tmp/ET_gen-msg.map"))
+ @copy("{$snortdir}/tmp/ET_gen-msg.map", "{$snortdir}/gen-msg.map");
}
elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) {
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
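Review bot: The two added `@copy()` calls hard-code the `ET_` prefix for `ET_unicode.map` and `ET_gen-msg.map` while the rest of this commit moves to the `ET_OPEN_FILE_PREFIX`/`ET_PRO_FILE_PREFIX` constants; if the tmp copies are written under those constants (not visible in this hunk), the `file_exists()` checks quietly fail and the previously installed `unicode.map`/`gen-msg.map` stay in use. The `@` suppression also hides a failed copy, so a stale map would never surface in the update log; checking the return value, e.g. `if (!@copy("{$snortdir}/tmp/ET_unicode.map", "{$snortdir}/unicode.map")) log_error(gettext("[Snort] Failed to install the ET unicode.map file."));`, would make that visible (message text is a suggestion). The enclosing `if`/`elseif` chain starts and ends outside the hunk.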
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index ca549820..e9fcfcab 100755
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -68,7 +68,7 @@ else
$ssh_port = "22";
$snort_ports = array(
"dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691",
- "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555",
+ "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712",
"oracle_ports" => "1024:", "mssql_ports" => "1433",
"telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535",
"ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110",
@@ -86,6 +86,11 @@ $snort_ports = array(
"GTP_PORTS" => "2123,2152,3386"
);
+// Sort our SERVERS and PORTS arrays to make values
+// easier to locate by the the user.
+ksort($snort_servers);
+ksort($snort_ports);
+
$pconfig = $a_nat[$id];
/* convert fake interfaces to real */
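Review bot: `ksort($snort_ports)` with default flags orders keys by byte value, so the upper-case `GTP_PORTS` key visible at the top of this hunk sorts ahead of every lower-case key instead of alphabetically among them, which works against the stated goal of making values easier to locate. A case-insensitive string sort does what the comment promises: `ksort($snort_servers, SORT_STRING | SORT_FLAG_CASE);` and `ksort($snort_ports, SORT_STRING | SORT_FLAG_CASE);`. The new comment also doubles a word and should read `easier to locate by the user.`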
@@ -144,7 +149,7 @@ if ($_POST) {
}
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface {$if_friendly} Define Servers";
+$pgtitle = gettext("Snort: Interface {$if_friendly} Variables - Servers and Ports");
include_once("head.inc");
?>
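Review bot: `gettext("Snort: Interface {$if_friendly} Variables - Servers and Ports")` interpolates the interface name before the catalog lookup, so the msgid differs per interface and can never match a translation entry; the call is effectively a no-op. Keep the msgid fixed and substitute afterwards: `$pgtitle = sprintf(gettext("Snort: Interface %s Variables - Servers and Ports"), $if_friendly);`. The same pattern appears in the `snort_edit_hat_data.php` hunk (`gettext("Snort: Interface {$if_friendly} - Host Attribute Table Data")`) and in the new `snort_frag3_engine.php` (`gettext("Snort: Interface {$if_friendly} Frag3 Preprocessor Engine")`); the `snort_download_updates.php` title has no interpolation and is fine.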
@@ -195,7 +200,7 @@ if ($savemsg)
<td><div id="mainarea">
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Servers"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Servers (IP variables)"); ?></td>
</tr>
<?php
foreach ($snort_servers as $key => $server):
@@ -210,8 +215,8 @@ if ($savemsg)
}
?>
<tr>
- <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td>
- <td width="78%" class="vtable">
+ <td width='30%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td>
+ <td width="70%" class="vtable">
<input name="def_<?=$key;?>" size="40"
type="text" autocomplete="off" class="formfldalias" id="def_<?=$key;?>"
value="<?=$value;?>" title="<?=$title;?>"> <br/>
@@ -221,7 +226,7 @@ if ($savemsg)
</tr>
<?php endforeach; ?>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Ports"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Define Ports (port variables)"); ?></td>
</tr>
<?php
foreach ($snort_ports as $key => $server):
@@ -236,8 +241,8 @@ if ($savemsg)
}
?>
<tr>
- <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td>
- <td width="78%" class="vtable">
+ <td width='30%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td>
+ <td width="70%" class="vtable">
<input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>"
value="<?=$value;?>" title="<?=$title;?>"> <br/>
<span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/> <?php echo gettext("Leave " .
@@ -246,8 +251,8 @@ if ($savemsg)
</tr>
<?php endforeach; ?>
<tr>
- <td width="22%" valign="top">&nbsp;</td>
- <td width="78%">
+ <td width="30%" valign="top">&nbsp;</td>
+ <td width="70%">
<input name="Submit" type="submit" class="formbtn" value="Save">
<input name="id" type="hidden" value="<?=$id;?>">
</td>
diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php
index 09ab646a..5c9b8210 100755
--- a/config/snort/snort_download_updates.php
+++ b/config/snort/snort_download_updates.php
@@ -43,9 +43,14 @@ $log = $snort_rules_upd_log;
/* Grab the Snort binary version programmatically and */
/* use it to construct the proper Snort VRT rules */
-/* tarball filename. */
+/* tarball filename. Fallback to a safe default if */
+/* we fail. */
+$snortver = array();
exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
+if (empty($snortver[0]))
+ $snortver[0] = "2.9.5.5";
$snortver[0] = str_replace(".", "", $snortver[0]);
+
$snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz";
//$snort_rules_file = VRT_DNLD_FILENAME;
$snort_community_rules_filename = GPLV2_DNLD_FILENAME;
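Review bot: The new `empty($snortver[0])` guard only covers a missing value; because the string comes from a `2>&1` pipeline with a fixed `cut -c20-26` column slice, a changed banner layout or an error line containing "Version" produces a non-empty but wrong token that the next line strips of dots and bakes into `$snort_rules_file` (and presumably the download URL built from it). Validating the shape makes the fallback cover those cases too: `if (empty($snortver[0]) || !preg_match('/^\d+(\.\d+){2,3}$/', trim($snortver[0]))) $snortver[0] = "2.9.5.5";`. The literal fallback version also deserves a named constant next to `VRT_DNLD_FILENAME`, since it has to be bumped with every package release and is otherwise easy to miss.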
@@ -96,7 +101,7 @@ $snort_rules_upd_logfile_chk = 'no';
if (file_exists("{$snort_rules_upd_log}"))
$snort_rules_upd_logfile_chk = 'yes';
-$pgtitle = "Services: Snort: Updates";
+$pgtitle = gettext("Snort: Updates");
include_once("head.inc");
?>
diff --git a/config/snort/snort_edit_hat_data.php b/config/snort/snort_edit_hat_data.php
index f0562046..f6d00b0b 100644
--- a/config/snort/snort_edit_hat_data.php
+++ b/config/snort/snort_edit_hat_data.php
@@ -80,7 +80,7 @@ if ($_POST['host_attribute_data']) {
$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']);
-$pgtitle = "Services: Snort: {$if_friendly} Host Attribute Table Data";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Host Attribute Table Data");
include_once("head.inc");
?>
diff --git a/config/snort/snort_frag3_engine.php b/config/snort/snort_frag3_engine.php
new file mode 100644
index 00000000..89a21dc8
--- /dev/null
+++ b/config/snort/snort_frag3_engine.php
@@ -0,0 +1,393 @@
+<?php
+/*
+ * snort_frag3_engine.php
+ * Copyright (C) 2013 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+// Grab the incoming QUERY STRING or POST variables
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+if (is_null($id)) {
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'];
+
+$pconfig = array();
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else {
+ $pconfig = $a_nat[$eng_id];
+
+ // Check for any empty values and set sensible defaults
+ if (empty($pconfig['policy']))
+ $pconfig['policy'] = "bsd";
+ if (empty($pconfig['timeout']))
+ $pconfig['timeout'] = 60;
+ if (empty($pconfig['min_ttl']))
+ $pconfig['min_ttl'] = 1;
+ if (empty($pconfig['detect_anomalies']))
+ $pconfig['detect_anomalies'] = "on";
+ if (empty($pconfig['overlap_limit']))
+ $pconfig['overlap_limit'] = 0;
+ if (empty($pconfig['min_frag_len']))
+ $pconfig['min_frag_len'] = 0;
+}
+
+if ($_POST['Cancel']) {
+ header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ if ($_GET['varname'] == "bind_to" && !empty($_GET['varvalue']))
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+}
+
+if ($_POST['Submit']) {
+
+ /* Grab all the POST values and save in new temp array */
+ $engine = array();
+ if ($_POST['frag3_name']) { $engine['name'] = trim($_POST['frag3_name']); } else { $engine['name'] = "default"; }
+ if ($_POST['frag3_bind_to']) {
+ if (is_alias($_POST['frag3_bind_to']))
+ $engine['bind_to'] = $_POST['frag3_bind_to'];
+ elseif (strtolower(trim($_POST['frag3_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+
+ /* Validate the text input fields before saving */
+ if (!empty($_POST['frag3_timeout']) || $_POST['frag3_timeout'] == 0) {
+ $engine['timeout'] = $_POST['frag3_timeout'];
+ if (!is_numeric($_POST['frag3_timeout']) || $_POST['frag3_timeout'] < 1)
+ $input_errors[] = gettext("The value for Timeout must be numeric and greater than zero.");
+ }
+ else
+ $engine['timeout'] = 60;
+
+ if (!empty($_POST['frag3_min_ttl']) || $_POST['frag3_min_ttl'] == 0) {
+ $engine['min_ttl'] = $_POST['frag3_min_ttl'];
+ if ($_POST['frag3_min_ttl'] < 1 || $_POST['frag3_min_ttl'] > 255)
+ $input_errors[] = gettext("The value for Minimum_Time-To-Live must be between 1 and 255.");
+ }
+ else
+ $engine['min_ttl'] = 1;
+
+ if (!empty($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] == 0) {
+ $engine['overlap_limit'] = $_POST['frag3_overlap_limit'];
+ if (!is_numeric($_POST['frag3_overlap_limit']) || $_POST['frag3_overlap_limit'] < 0)
+ $input_errors[] = gettext("The value for Overlap_Limit must be a number greater than or equal to zero.");
+ }
+ else
+ $engine['overlap_limit'] = 0;
+
+ if (!empty($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] == 0) {
+ $engine['min_frag_len'] = $_POST['frag3_min_frag_len'];
+ if (!is_numeric($_POST['frag3_min_frag_len']) || $_POST['frag3_min_frag_len'] < 0)
+ $input_errors[] = gettext("The value for Min_Fragment_Length must be a number greater than or equal to zero.");
+ }
+ else
+ $engine['min_frag_len'] = 0;
+
+ if ($_POST['frag3_policy']) { $engine['policy'] = $_POST['frag3_policy']; } else { $engine['policy'] = "bsd"; }
+ $engine['detect_anomalies'] = $_POST['frag3_detect_anomalies'] ? 'on' : 'off';
+
+ /* Can only have one "all" Bind_To address */
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
+ $input_errors[] = gettext("Only one default Frag3 Engine can be bound to all addresses.");
+ $pconfig = $engine;
+ }
+
+ /* if no errors, write new entry to conf */
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ /* Reorder the engine array to ensure the */
+ /* 'bind_to=all' entry is at the bottom */
+ /* if it contains more than one entry. */
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ /* Now write the new engine array to conf */
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#frag3_row");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: Interface {$if_friendly} Frag3 Preprocessor Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_frag3_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based IP Defragmentation Engine Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="frag3_name" type="text" class="formfld unknown" id="frag3_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="frag3_bind_to" type="text" class="formfldalias" id="frag3_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off">&nbsp;
+ <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td>
+ <td class="vexpl" align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=yes&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within this IP List.");?></td>
+ </tr>
+ </table>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <?php else : ?>
+ <input name="frag3_bind_to" type="text" class="formfldalias" id="frag3_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td>
+ <td width="78%" class="vtable">
+ <select name="frag3_policy" class="formselect" id="policy">
+ <?php
+ $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' );
+ foreach ($profile as $val): ?>
+ <option value="<?=strtolower($val);?>"
+ <?php if (strtolower($val) == $pconfig['policy']) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;&nbsp;<?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") .
+ "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td>
+ <td class="vtable">
+ <input name="frag3_timeout" type="text" class="formfld unknown" id="frag3_timeout" size="6"
+ value="<?=htmlspecialchars($pconfig['timeout']);?>">
+ <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?><br/><br/>
+ <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") .
+ "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Minimum Time-to-Live"); ?></td>
+ <td class="vtable">
+ <input name="frag3_min_ttl" type="text" class="formfld unknown" id="frag3_min_ttl" size="6"
+ value="<?=htmlspecialchars($pconfig['min_ttl']);?>">
+ <?php echo gettext("Minimum acceptable TTL for a fragment in the engine."); ?><br/><br/>
+ <?php echo gettext("The accepted range for this option is 1 - 255. Default value is ") .
+ "<strong>" . gettext("1") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td>
+ <td width="78%" class="vtable"><input name="frag3_detect_anomalies" id="frag3_detect_anomalies" type="checkbox" value="on"
+ <?php if ($pconfig['detect_anomalies']=="on") echo "checked "; ?> onclick="frag3_enable_change();">
+ <?php echo gettext("Use Frag3 Engine to detect fragment anomalies. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("In order to customize the Overlap Limit and Minimum Fragment Length parameters for this engine, Anomaly Detection must be enabled."); ?>
+ </td>
+ </tr>
+ <tr id="frag3_overlaplimit_row">
+ <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td>
+ <td class="vtable">
+ <input name="frag3_overlap_limit" type="text" class="formfld unknown" id="frag3_overlap_limit" size="6"
+ value="<?=htmlspecialchars($pconfig['overlap_limit']);?>">
+ <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited). Values greater than zero set the overlapped limit."); ?><br/><br/>
+ <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") .
+ "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/>
+ </td>
+ </tr>
+ <tr id="frag3_minfraglen_row">
+ <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td>
+ <td class="vtable">
+ <input name="frag3_min_frag_len" type="text" class="formfld unknown" id="frag3_min_frag_len" size="6"
+ value="<?=htmlspecialchars($pconfig['min_frag_len']);?>">
+ <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Values greater than zero enable the check."); ?><br/><br/>
+ <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. " .
+ "Fragments smaller than or equal to this limit are considered malicious. Default value is ") .
+ "<strong>0</strong>" . gettext(" (check is disabled)."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save Frag3 engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+<script type="text/javascript">
+
+function frag3_enable_change() {
+ var endis = !(document.iform.frag3_detect_anomalies.checked);
+
+ // Hide the "frag3_overlap_limit and frag3_min_frag_len" rows if frag3_detect_anomablies disabled
+ if (endis) {
+ document.getElementById("frag3_overlaplimit_row").style.display="none";
+ document.getElementById("frag3_minfraglen_row").style.display="none";
+ }
+ else {
+ document.getElementById("frag3_overlaplimit_row").style.display="table-row";
+ document.getElementById("frag3_minfraglen_row").style.display="table-row";
+ }
+}
+
+// Set initial state of form controls
+frag3_enable_change();
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $aliasesaddr = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ if ($alias_name['type'] != "host" && $alias_name['type'] != "network")
+ continue;
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAlias = new AutoSuggestControl(document.getElementById('frag3_bind_to'), new StateSuggestions(addressarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+</script>
+
+</html>
diff --git a/config/snort/snort_ftp_client_engine.php b/config/snort/snort_ftp_client_engine.php
new file mode 100644
index 00000000..b039df5b
--- /dev/null
+++ b/config/snort/snort_ftp_client_engine.php
@@ -0,0 +1,429 @@
+<?php
+/*
+ * snort_ftp_client_engine.php
+ * Copyright (C) 2013 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+if (is_null($id)) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_client_import']);
+ session_write_close();
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'];
+
+$pconfig = array();
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else
+ $pconfig = $a_nat[$eng_id];
+
+if ($_POST['Cancel']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_client_import']);
+ session_write_close();
+ header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ session_start();
+ if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "bounce_to_net" || $_GET['varname'] == "bounce_to_port")
+ && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+ if(!isset($_SESSION['ftp_client_import']))
+ $_SESSION['ftp_client_import'] = array();
+
+ $_SESSION['ftp_client_import'][$_GET['varname']] = $_GET['varvalue'];
+ if (isset($_SESSION['ftp_client_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to'];
+ if (isset($_SESSION['ftp_client_import']['bounce_to_net']))
+ $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net'];
+ if (isset($_SESSION['ftp_client_import']['bounce_to_port']))
+ $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port'];
+ }
+ // If "varvalue" is empty, user likely hit CANCEL in Select Dialog,
+ // so restore any saved values.
+ elseif (empty($_GET['varvalue'])) {
+ if (isset($_SESSION['ftp_client_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['ftp_client_import']['bind_to'];
+ if (isset($_SESSION['ftp_client_import']['bounce_to_net']))
+ $pconfig['bounce_to_net'] = $_SESSION['ftp_client_import']['bounce_to_net'];
+ if (isset($_SESSION['ftp_client_import']['bounce_to_port']))
+ $pconfig['bounce_to_port'] = $_SESSION['ftp_client_import']['bounce_to_port'];
+ }
+ else {
+ unset($_SESSION['ftp_client_import']);
+ session_write_close();
+ }
+}
+
+if ($_POST['Submit']) {
+
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_client_import']);
+ session_write_close();
+
+ /* Grab all the POST values and save in new temp array */
+ $engine = array();
+ if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; }
+ if ($_POST['ftp_bind_to']) {
+ if (is_alias($_POST['ftp_bind_to']))
+ $engine['bind_to'] = $_POST['ftp_bind_to'];
+ elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+
+ // Validate BOUNCE-TO Alias entries to be sure if one is set, then both are set; since
+ // if you define a BOUNCE-TO address, you must also define the BOUNCE-TO port.
+ if ($_POST['ftp_client_bounce_to_net'] && !is_alias($_POST['ftp_client_bounce_to_net']))
+ $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO ADDRESS option.");
+
+ if ($_POST['ftp_client_bounce_to_port'] && !is_alias($_POST['ftp_client_bounce_to_port']))
+ $input_errors[] = gettext("Only aliases are allowed for the FTP Protocol BOUNCE-TO PORT option.");
+
+ if ($_POST['ftp_client_bounce_to_net'] && empty($_POST['ftp_client_bounce_to_port']))
+ $input_errors[] = gettext("FTP Protocol BOUNCE-TO PORT cannot be empty when BOUNCE-TO ADDRESS is set.");
+
+ if ($_POST['ftp_client_bounce_to_port'] && empty($_POST['ftp_client_bounce_to_net']))
+ $input_errors[] = gettext("FTP Protocol BOUNCE-TO ADDRESS cannot be empty when BOUNCE-TO PORT is set.");
+
+ // Validate the BOUNCE-TO Alias entries for correct format of their defined values. BOUNCE-TO ADDRESS must be
+ // a valid single IP, and BOUNCE-TO PORT must be either a single port value or a port range value. Provide
+ // detailed error messages for the user that explain any problems.
+ if ($_POST['ftp_client_bounce_to_net'] && $_POST['ftp_client_bounce_to_port']) {
+ if (!snort_is_single_addr_alias($_POST['ftp_client_bounce_to_net'])){
+ $net = trim(filter_expand_alias($_POST['ftp_client_bounce_to_net']));
+ $net = preg_replace('/\s+/', ',', $net);
+ $msg = gettext("The FTP Protocol BOUNCE-TO ADDRESS parameter must be a single IP network or address, ");
+ $msg .= gettext("so the supplied Alias must be defined as a single address or network in CIDR form. ");
+ $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_net']} ] is currently defined as [ {$net} ].");
+ $input_errors[] = $msg;
+ }
+ $port = trim(filter_expand_alias($_POST['ftp_client_bounce_to_port']));
+ $port = preg_replace('/\s+/', ',', $port);
+ if (!is_port($port) && !is_portrange($port)) {
+ $msg = gettext("The FTP Protocol BOUNCE-TO PORT parameter must be a single port or port-range, ");
+ $msg .= gettext("so the supplied Alias must be defined as a single port or port-range value. ");
+ $msg .= gettext("The Alias [ {$_POST['ftp_client_bounce_to_port']} ] is currently defined as [ {$port} ].");
+ $input_errors[] = $msg;
+ }
+ }
+
+ $engine['bounce_to_net'] = $_POST['ftp_client_bounce_to_net'];
+ $engine['bounce_to_port'] = $_POST['ftp_client_bounce_to_port'];
+ $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no';
+ $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no';
+ $engine['bounce'] = $_POST['ftp_client_bounce_detect'] ? 'yes' : 'no';
+ $engine['max_resp_len'] = $_POST['ftp_max_resp_len'];
+
+ /* Can only have one "all" Bind_To address */
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
+ $input_errors[] = gettext("Only one default FTP Engine can be bound to all addresses.");
+ $pconfig = $engine;
+ }
+
+ /* if no errors, write new entry to conf */
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ /* Reorder the engine array to ensure the */
+ /* 'bind_to=all' entry is at the bottom */
+ /* if it contains more than one entry. */
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ /* Now write the new engine array to conf */
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Client Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_ftp_client_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based FTP Client Engine Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="ftp_name" type="text" class="formfld unknown" id="ftp_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off" >&nbsp;
+ <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within the IP List.");?>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?></td>
+ </tr>
+ </table>
+ <?php else : ?>
+ <input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP address for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP addresses.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Telnet Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_cmds" id="ftp_telnet_cmds" type="checkbox" value="on"
+ <?php if ($pconfig['telnet_cmds']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Alert when Telnet commands are seen on the FTP command channel. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Telnet Erase Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_ignore_telnet_erase_cmds" id="ftp_ignore_telnet_erase_cmds" type="checkbox" value="on"
+ <?php if ($pconfig['ignore_telnet_erase_cmds']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Ignore Telnet escape sequences for erase character and erase line when normalizing FTP command channel.") . "<br/>" .
+ gettext("Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Maximum Response Length"); ?></td>
+ <td class="vtable">
+ <input name="ftp_max_resp_len" type="text" class="formfld unknown" id="ftp_max_resp_len" size="6"
+ value="<?=htmlspecialchars($pconfig['max_resp_len']);?>">
+ <?php echo gettext("Max FTP command response length accepted by client. Enter ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" to disable. Default is ") . "<strong>" . gettext("256.") . "</strong>";?><br/>
+ <?php echo gettext("Specifies the maximum allowed response length to an FTP command accepted by the client. It can be used as ") .
+ gettext("a basic buffer overflow detection.");?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Bounce Detection"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_client_bounce_detect" type="checkbox" value="on"
+ <?php if ($pconfig['bounce']=="yes") echo "checked"; ?> onclick="ftp_client_bounce_enable_change();">
+ <?php echo gettext("Enable detection and alerting of FTP bounce attacks. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_client_row_bounce_to">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Bounce-To Configuration"); ?></td>
+ <td width="78%" class="vtable">
+ <table border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Bounce-To Address:"); ?></strong></td>
+ <td class="vexpl"><input name="ftp_client_bounce_to_net" type="text" class="formfldalias" id="ftp_client_bounce_to_net" size="20"
+ value="<?=htmlspecialchars($pconfig['bounce_to_net']);?>" title="<?=trim(filter_expand_alias($pconfig['bounce_to_net']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default is ") . "<strong>" . gettext("blank") . "</strong>.";?></span>
+ </td>
+ <td class="vexpl">&nbsp;&nbsp;<input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bounce_to_net&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Bounce-To Port:"); ?></strong></td>
+ <td class="vexpl"><input name="ftp_client_bounce_to_port" type="text" class="formfldalias" id="ftp_client_bounce_to_port" size="20"
+ value="<?=htmlspecialchars($pconfig['bounce_to_port']);?>" title="<?=trim(filter_expand_alias($pconfig['bounce_to_port']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default is ") . "<strong>" . gettext("blank") . "</strong>.";?></span>
+ </td>
+ <td class="vexpl">&nbsp;&nbsp;<input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=bounce_to_port&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing port alias");?>"/>
+ </td>
+ </tr>
+ </table>
+ <?php echo gettext("When the Bounce option is enabled, this allows the PORT command to use the address and port (or inclusive port range) ") .
+ gettext("specified without generating an alert. It can be used with proxied FTP connections where the FTP data channel is different from the client.");?><br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("Supplied value must be a pre-configured Alias or left blank.");?><br/>
+ <span class="red"><?php echo gettext("Hint: ") . "</span>" . gettext("Leave these settings at their defaults unless you are proxying FTP connections.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save ftp engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+<script type="text/javascript">
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesport = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+ elseif ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesport .= ",";
+ $aliasesport .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portarray=new Array(<?php echo $aliasesport; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAliasBindTo = new AutoSuggestControl(document.getElementById('ftp_bind_to'), new StateSuggestions(addressarray));\n";
+ echo "objAliasBounceNet = new AutoSuggestControl(document.getElementById('ftp_client_bounce_to_net'), new StateSuggestions(addressarray));\n";
+ echo "objAliasBouncePort = new AutoSuggestControl(document.getElementById('ftp_client_bounce_to_port'), new StateSuggestions(portarray));\n";
+
+
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+function ftp_client_bounce_enable_change() {
+ var endis = !(document.iform.ftp_client_bounce_detect.checked);
+ if (endis)
+ document.getElementById("ftp_client_row_bounce_to").style.display="none";
+ else
+ document.getElementById("ftp_client_row_bounce_to").style.display="table-row";
+}
+
+// Set initial state of form controls
+ftp_client_bounce_enable_change();
+
+</script>
+
+</html>
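Review bot: `$id` and `$eng_id` are taken straight from `$_GET`/`$_POST` and then echoed unescaped into the hidden inputs (`value="<?=$id?>"`, `value="<?=$eng_id?>"`) and into the three `onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>..."` handlers, so a crafted link can inject markup into this admin page, and the same unvalidated `$id` also picks which `rule[$id]['ftp_client_engine']['item']` slot gets created and written. Reject non-integer values before anything else, e.g. replace the `is_null($id)` test with `if (!is_numericint($id) || !is_numericint($eng_id)) { header("Location: /snort/snort_interfaces.php"); exit; }`, and still escape on output with `value="<?=htmlspecialchars($id);?>"`. Separately, `$engine['max_resp_len'] = $_POST['ftp_max_resp_len'];` is stored with no integer check even though the help text promises that 0 disables the check and 256 is the default; adding `if (!is_numericint($_POST['ftp_max_resp_len'])) $input_errors[] = gettext("Maximum Response Length must be a non-negative integer.");` next to the other validations keeps a malformed value out of the written config. The same unescaped `$id`/`$eng_id` echoes appear in snort_frag3_engine.php and snort_ftp_server_engine.php in this commit.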
diff --git a/config/snort/snort_ftp_server_engine.php b/config/snort/snort_ftp_server_engine.php
new file mode 100644
index 00000000..e70033e7
--- /dev/null
+++ b/config/snort/snort_ftp_server_engine.php
@@ -0,0 +1,378 @@
+<?php
+/*
+ * snort_ftp_server_engine.php
+ * Copyright (C) 2013 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+// Grab any QUERY STRING or POST variables
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+if (is_null($id)) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_server_import']);
+ session_write_close();
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'];
+
+$pconfig = array();
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else
+ $pconfig = $a_nat[$eng_id];
+
+if ($_POST['Cancel']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_server_import']);
+ session_write_close();
+ header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ session_start();
+ if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports")
+ && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+ if(!isset($_SESSION['ftp_server_import']))
+ $_SESSION['ftp_server_import'] = array();
+
+ $_SESSION['ftp_server_import'][$_GET['varname']] = $_GET['varvalue'];
+ if (isset($_SESSION['ftp_server_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to'];
+ if (isset($_SESSION['ftp_server_import']['ports']))
+ $pconfig['ports'] = $_SESSION['ftp_server_import']['ports'];
+ }
+ // If "varvalue" is empty, user likely hit CANCEL in Select Dialog,
+ // so restore any saved values.
+ elseif (empty($_GET['varvalue'])) {
+ if (isset($_SESSION['ftp_server_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['ftp_server_import']['bind_to'];
+ if (isset($_SESSION['ftp_server_import']['ports']))
+ $pconfig['ports'] = $_SESSION['ftp_server_import']['ports'];
+ }
+ else {
+ unset($_SESSION['ftp_server_import']);
+ session_write_close();
+ }
+}
+
+if ($_POST['Submit']) {
+
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['ftp_server_import']);
+ session_write_close();
+
+ /* Grab all the POST values and save in new temp array */
+ $engine = array();
+ if ($_POST['ftp_name']) { $engine['name'] = trim($_POST['ftp_name']); } else { $engine['name'] = "default"; }
+ if ($_POST['ftp_bind_to']) {
+ if (is_alias($_POST['ftp_bind_to']))
+ $engine['bind_to'] = $_POST['ftp_bind_to'];
+ elseif (strtolower(trim($_POST['ftp_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+
+ if ($_POST['ftp_ports']) {
+ if ($_POST['ftp_ports'] == "default")
+ $engine['ports'] = $_POST['ftp_ports'];
+ elseif (is_alias($_POST['ftp_ports']))
+ $engine['ports'] = $_POST['ftp_ports'];
+ else
+ $input_errors[] = gettext("The value for Ports must be a valid Alias name or the keyword 'default'.");
+ }
+ else
+ $engine['ports'] = 21;
+
+ $engine['telnet_cmds'] = $_POST['ftp_telnet_cmds'] ? 'yes' : 'no';
+ $engine['ignore_telnet_erase_cmds'] = $_POST['ftp_ignore_telnet_erase_cmds'] ? 'yes' : 'no';
+ $engine['ignore_data_chan'] = $_POST['ftp_ignore_data_chan'] ? 'yes' : 'no';
+ $engine['def_max_param_len'] = $_POST['ftp_def_max_param_len'];
+
+
+ /* Can only have one "all" Bind_To address */
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
+ $input_errors[] = gettext("Only one default ftp Engine can be bound to all addresses.");
+ $pconfig = $engine;
+ }
+
+ /* if no errors, write new entry to conf */
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ /* Reorder the engine array to ensure the */
+ /* 'bind_to=all' entry is at the bottom */
+ /* if it contains more than one entry. */
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ /* Now write the new engine array to conf */
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#ftp_telnet_row_ftp_proto_opts");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: Interface {$if_friendly} - FTP Preprocessor Server Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_ftp_server_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Snort Target-Based FTP Server Engine Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="ftp_name" type="text" class="formfld unknown" id="ftp_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off">&nbsp;
+ <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within the IP List.");?>.</td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>
+ <?php else : ?>
+ <input name="ftp_bind_to" type="text" class="formfldalias" id="ftp_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP address for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP addresses.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Ports"); ?></td>
+ <td class="vtable">
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="ftp_ports" type="text" class="formfldalias" id="ftp_ports" size="25"
+ value="<?=htmlspecialchars($pconfig['ports']);?>" title="<?=trim(filter_expand_alias($pconfig['ports']));?>">
+ <?php echo gettext("Specifiy which ports to check for FTP data.");?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports&act=import'"
+ title="<?php echo gettext("Select an existing port alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("Default value is '") . "<strong>" . gettext("'default'") . "</strong>" .
+ gettext(" Using 'default' will include the FTP Ports defined on the ") . "<a href='snort_define_servers.php?id={$id}' title=\"" .
+ gettext("Go to {$if_friendly} Variables tab to define custom port variables") . "\">" . gettext("VARIABLES") . "</a>" .
+ gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?></td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Telnet Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_cmds" id="ftp_telnet_cmds" type="checkbox" value="on"
+ <?php if ($pconfig['telnet_cmds']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Alert when Telnet commands are seen on the FTP command channel. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Telnet Erase Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_ignore_telnet_erase_cmds" id="ftp_ignore_telnet_erase_cmds" type="checkbox" value="on"
+ <?php if ($pconfig['ignore_telnet_erase_cmds']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Ignore Telnet escape sequences for erase character and erase line when normalizing FTP command channel. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Data Channel"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_ignore_data_chan" id="ftp_ignore_data_chan" type="checkbox" value="on"
+ <?php if ($pconfig['ignore_data_chan']=="yes") echo "checked "; ?>>
+ <?php echo gettext("Force Snort to ignore the FTP data channel connections. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Warning: ") . "</strong></span>" . gettext("When checked, NO INSPECTION other than state will be ") .
+ gettext("performed on the data channel. Enabling this option can improve performance for large FTP transfers from trusted servers.");?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Default Max Allowed Parameter Length"); ?></td>
+ <td class="vtable">
+ <input name="ftp_def_max_param_len" type="text" class="formfld unknown" id="ftp_def_max_param_len" size="6"
+ value="<?=htmlspecialchars($pconfig['def_max_param_len']);?>">
+ <?php echo gettext("Default allowed maximum parameter length for command. Enter ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" to disable. Default is ") . "<strong>" . gettext("100.") . "</strong>";?><br/>
+ <?php echo gettext("Specifies the maximum allowed parameter length for and FTP command. It can be used as a ") .
+ gettext("basic buffer overflow detection.");?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save ftp engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+<script type="text/javascript">
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesport = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+ elseif ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesport .= ",";
+ $aliasesport .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portarray=new Array(<?php echo $aliasesport; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_bind_to'), new StateSuggestions(addressarray));\n";
+ echo "objAliasPort = new AutoSuggestControl(document.getElementById('ftp_ports'), new StateSuggestions(portarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+</script>
+
+</html>
diff --git a/config/snort/snort_httpinspect_engine.php b/config/snort/snort_httpinspect_engine.php
new file mode 100644
index 00000000..94d3364f
--- /dev/null
+++ b/config/snort/snort_httpinspect_engine.php
@@ -0,0 +1,742 @@
+<?php
+/*
+ * snort_httpinspect_engine.php
+ * Copyright (C) 2013 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+if (is_null($id)) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['http_inspect_import']);
+ session_write_close();
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'];
+
+$pconfig = array();
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
+ "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
+ "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
+ "max_header_length" => 0, "ports" => "default" );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else {
+ $pconfig = $a_nat[$eng_id];
+
+ // Check for any empty values and set sensible defaults
+ if (empty($pconfig['ports']))
+ $pconfig['ports'] = "default";
+ if (empty($pconfig['server_profile']))
+ $pconfig['server_profile'] = "all";
+ if (empty($pconfig['enable_xff']))
+ $pconfig['enable_xff'] = "off";
+ if (empty($pconfig['log_uri']))
+ $pconfig['log_uri'] = "off";
+ if (empty($pconfig['log_hostname']))
+ $pconfig['log_hostname'] = "off";
+ if (empty($pconfig['server_flow_depth']) && $pconfig['server_flow_depth'] <> 0)
+ $pconfig['server_flow_depth'] = 65535;
+ if (empty($pconfig['enable_cookie']))
+ $pconfig['enable_cookie'] = "on";
+ if (empty($pconfig['client_flow_depth']) && $pconfig['client_flow_depth'] <> 0)
+ $pconfig['client_flow_depth'] = 1460;
+ if (empty($pconfig['extended_response_inspection']))
+ $pconfig['extended_response_inspection'] = "on";
+ if (empty($pconfig['no_alerts']))
+ $pconfig['no_alerts'] = "off";
+ if (empty($pconfig['unlimited_decompress']))
+ $pconfig['unlimited_decompress'] = "on";
+ if (empty($pconfig['inspect_gzip']))
+ $pconfig['inspect_gzip'] = "on";
+ if (empty($pconfig['normalize_cookies']))
+ $pconfig['normalize_cookies'] = "on";
+ if (empty($pconfig['normalize_headers']))
+ $pconfig['normalize_headers'] = "on";
+ if (empty($pconfig['normalize_utf']))
+ $pconfig['normalize_utf'] = "on";
+ if (empty($pconfig['normalize_javascript']))
+ $pconfig['normalize_javascript'] = "on";
+ if (empty($pconfig['allow_proxy_use']))
+ $pconfig['allow_proxy_use'] = "off";
+ if (empty($pconfig['inspect_uri_only']))
+ $pconfig['inspect_uri_only'] = "off";
+ if (empty($pconfig['max_javascript_whitespaces']) && $pconfig['max_javascript_whitespaces'] <> 0)
+ $pconfig['max_javascript_whitespaces'] = 200;
+ if (empty($pconfig['post_depth']) && $pconfig['post_depth'] <> 0)
+ $pconfig['post_depth'] = -1;
+ if (empty($pconfig['max_headers']))
+ $pconfig['max_headers'] = 0;
+ if (empty($pconfig['max_spaces']))
+ $pconfig['max_spaces'] = 0;
+ if (empty($pconfig['max_header_length']))
+ $pconfig['max_header_length'] = 0;
+}
+
+if ($_POST['Cancel']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['http_inspect_import']);
+ session_write_close();
+ header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ session_start();
+ if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports")
+ && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+ $_SESSION['http_inspect_import'] = array();
+
+ $_SESSION['http_inspect_import'][$_GET['varname']] = $_GET['varvalue'];
+ if (isset($_SESSION['http_inspect_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to'];
+ if (isset($_SESSION['http_inspect_import']['ports']))
+ $pconfig['ports'] = $_SESSION['http_inspect_import']['ports'];
+ }
+ // If "varvalue" is empty, user likely hit CANCEL in Select Dialog,
+ // so restore any saved values.
+ elseif (empty($_GET['varvalue'])) {
+ if (isset($_SESSION['http_inspect_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['http_inspect_import']['bind_to'];
+ if (isset($_SESSION['http_inspect_import']['ports']))
+ $pconfig['ports'] = $_SESSION['http_inspect_import']['ports'];
+ }
+ else {
+ unset($_SESSION['http_inspect_import']);
+ session_write_close();
+ }
+}
+
+if ($_POST['Submit']) {
+
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['http_inspect_import']);
+ session_write_close();
+
+ // Grab all the POST values and save in new temp array
+ $engine = array();
+ if ($_POST['httpinspect_name']) { $engine['name'] = trim($_POST['httpinspect_name']); } else { $engine['name'] = "default"; }
+ if ($_POST['httpinspect_bind_to']) {
+ if (is_alias($_POST['httpinspect_bind_to']))
+ $engine['bind_to'] = $_POST['httpinspect_bind_to'];
+ elseif (strtolower(trim($_POST['httpinspect_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+ if ($_POST['httpinspect_ports']) { $engine['ports'] = trim($_POST['httpinspect_ports']); } else { $engine['ports'] = "default"; }
+
+ // Validate the text input fields before saving
+ if (!empty($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] == 0) {
+ $engine['server_flow_depth'] = $_POST['httpinspect_server_flow_depth'];
+ if (!is_numeric($_POST['httpinspect_server_flow_depth']) || $_POST['httpinspect_server_flow_depth'] < -1 || $_POST['httpinspect_server_flow_depth'] > 65535)
+ $input_errors[] = gettext("The value for Server_Flow_Depth must be numeric and between -1 and 65535.");
+ }
+ else
+ $engine['server_flow_depth'] = 65535;
+
+ if (!empty($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] == 0) {
+ $engine['client_flow_depth'] = $_POST['httpinspect_client_flow_depth'];
+ if (!is_numeric($_POST['httpinspect_client_flow_depth']) || $_POST['httpinspect_client_flow_depth'] < -1 || $_POST['httpinspect_client_flow_depth'] > 1460)
+ $input_errors[] = gettext("The value for Client_Flow_Depth must be between -1 and 1460.");
+ }
+ else
+ $engine['client_flow_depth'] = 1460;
+
+ if (!empty($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] == 0) {
+ $engine['max_javascript_whitespaces'] = $_POST['httpinspect_max_javascript_whitespaces'];
+ if (!is_numeric($_POST['httpinspect_max_javascript_whitespaces']) || $_POST['httpinspect_max_javascript_whitespaces'] < 0 || $_POST['httpinspect_max_javascript_whitespaces'] > 65535)
+ $input_errors[] = gettext("The value for Max_Javascript_Whitespaces must be between 0 and 65535.");
+ }
+ else
+ $engine['max_javascript_whitespaces'] = 200;
+
+ if (!empty($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] == 0) {
+ $engine['post_depth'] = $_POST['httpinspect_post_depth'];
+ if (!is_numeric($_POST['httpinspect_post_depth']) || $_POST['httpinspect_post_depth'] < -1 || $_POST['httpinspect_post_depth'] > 65495)
+ $input_errors[] = gettext("The value for Post_Depth must be between -1 and 65495.");
+ }
+ else
+ $engine['post_depth'] = -1;
+
+ if (!empty($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] == 0) {
+ $engine['max_headers'] = $_POST['httpinspect_max_headers'];
+ if (!is_numeric($_POST['httpinspect_max_headers']) || $_POST['httpinspect_max_headers'] < 0 || $_POST['httpinspect_max_headers'] > 65535)
+ $input_errors[] = gettext("The value for Max_Headers must be between 0 and 65535.");
+ }
+ else
+ $engine['max_headers'] = 0;
+
+ if (!empty($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] == 0) {
+ $engine['max_spaces'] = $_POST['httpinspect_max_spaces'];
+ if (!is_numeric($_POST['httpinspect_max_spaces']) || $_POST['httpinspect_max_spaces'] < 0 || $_POST['httpinspect_max_spaces'] > 65535)
+ $input_errors[] = gettext("The value for Max_Spaces must be between 0 and 65535.");
+ }
+ else
+ $engine['max_spaces'] = 0;
+
+ if (!empty($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] == 0) {
+ $engine['max_header_length'] = $_POST['httpinspect_max_header_length'];
+ if (!is_numeric($_POST['httpinspect_max_header_length']) || $_POST['httpinspect_max_header_length'] < 0 || $_POST['httpinspect_max_header_length'] > 65535)
+ $input_errors[] = gettext("The value for Max_Header_Length must be between 0 and 65535.");
+ }
+ else
+ $engine['max_header_length'] = 0;
+
+ if ($_POST['httpinspect_server_profile']) { $engine['server_profile'] = $_POST['httpinspect_server_profile']; } else { $engine['server_profile'] = "all"; }
+
+ $engine['no_alerts'] = $_POST['httpinspect_no_alerts'] ? 'on' : 'off';
+ $engine['enable_xff'] = $_POST['httpinspect_enable_xff'] ? 'on' : 'off';
+ $engine['log_uri'] = $_POST['httpinspect_log_uri'] ? 'on' : 'off';
+ $engine['log_hostname'] = $_POST['httpinspect_log_hostname'] ? 'on' : 'off';
+ $engine['extended_response_inspection'] = $_POST['httpinspect_extended_response_inspection'] ? 'on' : 'off';
+ $engine['enable_cookie'] = $_POST['httpinspect_enable_cookie'] ? 'on' : 'off';
+ $engine['unlimited_decompress'] = $_POST['httpinspect_unlimited_decompress'] ? 'on' : 'off';
+ $engine['inspect_gzip'] = $_POST['httpinspect_inspect_gzip'] ? 'on' : 'off';
+ $engine['normalize_cookies'] = $_POST['httpinspect_normalize_cookies'] ? 'on' : 'off';
+ $engine['normalize_headers'] = $_POST['httpinspect_normalize_headers'] ? 'on' : 'off';
+ $engine['normalize_utf'] = $_POST['httpinspect_normalize_utf'] ? 'on' : 'off';
+ $engine['normalize_javascript'] = $_POST['httpinspect_normalize_javascript'] ? 'on' : 'off';
+ $engine['allow_proxy_use'] = $_POST['httpinspect_allow_proxy_use'] ? 'on' : 'off';
+ $engine['inspect_uri_only'] = $_POST['httpinspect_inspect_uri_only'] ? 'on' : 'off';
+
+ // Can only have one "all" Bind_To address
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default") {
+ $input_errors[] = gettext("Only one default http_inspect Engine can be bound to all addresses.");
+ $pconfig = $engine;
+ }
+
+ // if no errors, write new entry to conf
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ // Reorder the engine array to ensure the
+ // 'bind_to=all' entry is at the bottom
+ // if it contains more than one entry.
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ // Now write the new engine array to conf
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#httpinspect_row");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: {$if_friendly} - HTTP_Inspect Preprocessor Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_httpinspect_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("HTTP Inspection Server Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_name" type="text" class="formfld unknown" id="httpinspect_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo " readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address Alias"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="httpinspect_bind_to" type="text" class="formfldalias" id="httpinspect_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off">&nbsp;
+ <?php echo gettext("IP List to bind this engine to. (Cannot be blank)"); ?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=yes&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with destination addresses contained within this IP List.");?></td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>
+ <?php else : ?>
+ <input name="httpinspect_bind_to" type="text" class="formfldalias" id="httpinspect_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Ports"); ?></td>
+ <td class="vtable">
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="httpinspect_ports" type="text" class="formfldalias" id="httpinspect_ports" size="25"
+ value="<?=htmlspecialchars($pconfig['ports']);?>" title="<?=trim(filter_expand_alias($pconfig['ports']));?>">
+ <?php echo gettext("Specifiy which ports to check for HTTP data.");?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing port alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("Default value is '") . "<strong>" . gettext("'default'. ") . "</strong>";?>
+ <?php echo gettext("Using 'default' will include the HTTP Ports defined on the ") . "<a href='snort_define_servers.php?id={$id}' title=\"" .
+ gettext("Go to {$if_friendly} Variables tab to define custom port variables") . "\">" . gettext("VARIABLES") . "</a>" .
+ gettext(" tab. Specific ports for this server can be specified here using a pre-defined Alias.");?></td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'default'.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Profile");?> </td>
+ <td width="78%" class="vtable">
+ <select name="httpinspect_server_profile" class="formselect" id="httpinspect_server_profile">
+ <?php
+ $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0');
+ foreach ($profile as $val): ?>
+ <option value="<?=strtolower($val);?>"
+ <?php if (strtolower($val) == $pconfig['server_profile']) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach;?>
+ </select>&nbsp;&nbsp;<?php echo gettext("Choose the profile type of the protected web server. The default is ") .
+ "<strong>" . gettext("All") . "</strong>";?><br/>
+ <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") .
+ gettext("double decoding vulnerability present in those versions.");?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("No Alerts");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_no_alerts"
+ type="checkbox" value="on" id="httpinspect_no_alerts"
+ <?php if ($pconfig['no_alerts']=="on") echo "checked";?>>
+ <?php echo gettext("Disable Alerts from this engine configuration. Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Allow Proxy Use");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_allow_proxy_use"
+ type="checkbox" value="on" id="httpinspect_allow_proxy_use"
+ <?php if ($pconfig['allow_proxy_use']=="on") echo "checked";?>>
+ <?php echo gettext("Allow proxy use on this server. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("This prevents proxy alerts for this server. The global option Proxy_Alert must also be " .
+ "enabled, otherwise this setting does nothing.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("XFF/True-Client-IP");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_enable_xff"
+ type="checkbox" value="on" id="httpinspect_enable_xff"
+ <?php if ($pconfig['enable_xff']=="on") echo "checked";?>>
+ <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " .
+ "HTTP headers. Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("URI Logging"); ?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_log_uri"
+ type="checkbox" value="on" id="hhttpinspect_log_uri"
+ <?php if ($pconfig['log_uri']=="on") echo "checked"; ?>>
+ <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." .
+ " Default is "); ?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Hostname Logging");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_log_hostname"
+ type="checkbox" value="on" id="httpinspect_log_hostname"
+ <?php if ($pconfig['log_hostname']=="on") echo "checked";?>>
+ <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." .
+ " Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Cookie Extraction/Inspection");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_enable_cookie"
+ type="checkbox" value="on" id="httpinspect_enable_cookie"
+ <?php if ($pconfig['enable_cookie']=="on") echo "checked";?>>
+ <?php echo gettext("Enable HTTP cookie extraction and inspection. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect URI Only");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_inspect_uri_only"
+ type="checkbox" value="on" id="httpinspect_inspect_uri_only"
+ <?php if ($pconfig['inspect_uri_only']=="on") echo "checked";?>>
+ <?php echo gettext("Inspect only URI portion of HTTP requests. This is a performance enhancement. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Not Checked");?></strong>.<br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("If this option is used without any uricontent rules, then no inspection will take place. " .
+ "The URI is only inspected with uricontent rules, and if there are none available, then there is nothing to inspect.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Extended Response Inspection");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_extended_response_inspection"
+ type="checkbox" value="on" id="httpinspect_extended_response_inspection" onclick="extended_response_enable_change();"
+ <?php if ($pconfig['extended_response_inspection']=="on") echo "checked";?>>
+ <?php echo gettext("Enable extended response inspection to thoroughly inspect the HTTP response. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr id="httpinspect_normalizejavascript_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Javascript");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_normalize_javascript"
+ type="checkbox" value="on" id="httpinspect_normalize_javascript" onclick="normalize_javascript_enable_change();"
+ <?php if ($pconfig['normalize_javascript']=="on") echo "checked";?>>
+ <?php echo gettext("Enable Javascript normalization in HTTP response body. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr id="httpinspect_maxjavascriptwhitespaces_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum Javascript Whitespaces"); ?></td>
+ <td class="vtable">
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td valign="top"><input name="httpinspect_max_javascript_whitespaces" type="text" class="formfld unknown"
+ id="httpinspect_max_javascript_whitespaces" size="6"
+ value="<?=htmlspecialchars($pconfig['max_javascript_whitespaces']);?>"></td>
+ <td class="vexpl" valign="top"><?php echo gettext("Maximum consecutive whitespaces allowed in Javascript obfuscated data. ");?>
+ <?php echo gettext("Minimum is ") . "<strong>" . gettext("1") . "</strong>" . gettext(" and maximum is ") .
+ "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(" disables this alert). "). gettext("The default value is ") .
+ "<strong>" . gettext("200") . "</strong>."?></td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr id="httpinspect_inspectgzip_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect gzip");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_inspect_gzip"
+ type="checkbox" value="on" id="httpinspect_inspect_gzip" onclick="httpinspect_inspectgzip_enable_change();"
+ <?php if ($pconfig['inspect_gzip']=="on") echo "checked";?>>
+ <?php echo gettext("Uncompress and inspect compressed data in HTTP response. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr id="httpinspect_unlimiteddecompress_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Unlimited Decompress");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_unlimited_decompress"
+ type="checkbox" value="on" id="httpinspect_unlimited_decompress"
+ <?php if ($pconfig['unlimited_decompress']=="on") echo "checked";?>>
+ <?php echo gettext("Decompress unlimited gzip data (across multiple packets). Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Cookies");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_normalize_cookies"
+ type="checkbox" value="on" id="httpinspect_normalize_cookies"
+ <?php if ($pconfig['normalize_cookies']=="on") echo "checked";?>>
+ <?php echo gettext("Normalize HTTP cookie fields. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize UTF");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_normalize_utf"
+ type="checkbox" value="on" id="httpinspect_normalize_utf"
+ <?php if ($pconfig['normalize_utf']=="on") echo "checked";?>>
+ <?php echo gettext("Normalize HTTP response body character sets to 8-bit encoding. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalize Headers");?></td>
+ <td width="78%" class="vtable"><input name="httpinspect_normalize_headers"
+ type="checkbox" value="on" id="httpinspect_normalize_headers"
+ <?php if ($pconfig['normalize_headers']=="on") echo "checked";?>>
+ <?php echo gettext("Normalize HTTP Header fields. " .
+ "Default is ");?>
+ <strong><?php echo gettext("Checked");?></strong>.</td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Server Flow Depth"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_server_flow_depth" type="text" class="formfld unknown"
+ id="httpinspect_server_flow_depth" size="6"
+ value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>">&nbsp;<strong><?php echo gettext("-1") .
+ "</strong>" . gettext(" to ") . "<strong>" . gettext("65535") . "</strong> " . gettext("(") . "<strong>" .
+ gettext("-1") . "</strong>" . gettext(" disables HTTP inspect, ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" enables all HTTP inspect).");?><br/><br/>
+ <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's performance " .
+ "may increase by adjusting this value. Setting this value too low may cause false negatives. ") .
+ gettext("Values above 0 are specified in bytes. Recommended setting is maximum (65535). " .
+ "Default value is ") . "<strong>" . gettext("65535") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Client Flow Depth"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_client_flow_depth" type="text" class="formfld unknown"
+ id="httpinspect_client_flow_depth" size="6"
+ value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>">&nbsp;<strong><?php echo gettext("-1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("1460") . "</strong>" . gettext(" (") . "<strong>" . gettext("-1") .
+ "</strong>" . gettext(" disables HTTP inspect, ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" enables all HTTP inspect).");?><br/><br/>
+ <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " .
+ "performance may increase by adjusting this value. Setting this value too low may cause false negatives. ");?>
+ <?php echo gettext("Values above 0 are specified in bytes. Recommended setting is maximum (1460). " .
+ "Default value is ") . "<strong>" . gettext("1460") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Post Depth"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_post_depth" type="text" class="formfld unknown"
+ id="httpinspect_post_depth" size="6"
+ value="<?=htmlspecialchars($pconfig['post_depth']);?>">&nbsp;<strong><?php echo gettext("-1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("65495") . "</strong>" . gettext(" (") . "<strong>" . gettext("-1") .
+ "</strong>" . gettext(" ignores all post data, ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" inspects all post data).");?><br/><br/>
+ <?php echo gettext("Amount of data to inspect in client post message. Snort's performance may " .
+ "increase by adjusting this value. Values above 0 are specified in bytes. ") .
+ gettext("Default value is ") . "<strong>" . gettext("-1") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Max Headers"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_max_headers" type="text" class="formfld unknown"
+ id="httpinspect_max_headers" size="6"
+ value="<?=htmlspecialchars($pconfig['max_headers']);?>">&nbsp;<strong><?php echo gettext("1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("1024") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(" disables the alert).");?><br/><br/>
+ <?php echo gettext("Sets the maximum number of HTTP client request header fields allowed. Requests that " .
+ "contain more HTTP headers than this value will cause a \"Max Header\" alert. ") .
+ gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Max Header Length"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_max_header_length" type="text" class="formfld unknown"
+ id="httpinspect_max_header_length" size="6"
+ value="<?=htmlspecialchars($pconfig['max_header_length']);?>">&nbsp;<strong><?php echo gettext("1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(" disables the alert).");?><br/><br/>
+ <?php echo gettext("This sets the maximum length allowed for an HTTP client request header field. " .
+ "Requests that exceed this limit well cause a \"Long Header\" alert. ") .
+ gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Max Spaces"); ?></td>
+ <td class="vtable">
+ <input name="httpinspect_max_spaces" type="text" class="formfld unknown"
+ id="httpinspect_max_spaces" size="6"
+ value="<?=htmlspecialchars($pconfig['max_spaces']);?>">&nbsp;<strong><?php echo gettext("1") . "</strong>" .
+ gettext(" to ") . "<strong>" . gettext("65535") . "</strong>" . gettext(" (") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(" disables the alert).");?><br/><br/>
+ <?php echo gettext("This sets the maximum number of whitespaces allowed with HTTP client request line folding. " .
+ "Request headers folded with whitespaces equal to or greater than this value will cause a \"Whitespace Saturation\" alert. ") .
+ gettext("Default value is ") . "<strong>" . gettext("0") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save httpinspect engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+
+<script type="text/javascript">
+
+function extended_response_enable_change() {
+ var endis = !(document.iform.httpinspect_extended_response_inspection.checked);
+
+ // Hide the "httpinspect_inspectgzip and httpinspect_normalizejavascript" rows if httpinspect_extended_response_inspection disabled
+ if (endis) {
+ document.getElementById("httpinspect_inspectgzip_row").style.display="none";
+ document.getElementById("httpinspect_unlimiteddecompress_row").style.display="none";
+ document.getElementById("httpinspect_normalizejavascript_row").style.display="none";
+ document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="none";
+ }
+ else {
+ document.getElementById("httpinspect_inspectgzip_row").style.display="table-row";
+ document.getElementById("httpinspect_unlimiteddecompress_row").style.display="table-row";
+ document.getElementById("httpinspect_normalizejavascript_row").style.display="table-row";
+ document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="table-row";
+ }
+}
+
+function httpinspect_inspectgzip_enable_change() {
+ var endis = !(document.iform.httpinspect_inspect_gzip.checked);
+ // Hide the "httpinspect_unlimited_decompress" row if httpinspect_inspect_gzip disabled
+ if (endis)
+ document.getElementById("httpinspect_unlimiteddecompress_row").style.display="none";
+ else
+ document.getElementById("httpinspect_unlimiteddecompress_row").style.display="table-row";
+}
+
+function normalize_javascript_enable_change() {
+ var endis = !(document.iform.httpinspect_normalize_javascript.checked);
+
+ // Hide the "httpinspect_maxjavascriptwhitespaces" row if httpinspect_normalize_javascript disabled
+ if (endis)
+ document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="none";
+ else
+ document.getElementById("httpinspect_maxjavascriptwhitespaces_row").style.display="table-row";
+}
+
+// Set initial state of form controls
+extended_response_enable_change();
+normalize_javascript_enable_change();
+httpinspect_inspectgzip_enable_change();
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesport = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+ elseif ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesport .= ",";
+ $aliasesport .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portarray=new Array(<?php echo $aliasesport; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAliasAddr = new AutoSuggestControl(document.getElementById('httpinspect_bind_to'), new StateSuggestions(addressarray));\n";
+ echo "objAliasPort = new AutoSuggestControl(document.getElementById('httpinspect_ports'), new StateSuggestions(portarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+
+</script>
+<?php include("fend.inc");?>
+</body>
+</html>
diff --git a/config/snort/snort_import_aliases.php b/config/snort/snort_import_aliases.php
new file mode 100644
index 00000000..77cd5490
--- /dev/null
+++ b/config/snort/snort_import_aliases.php
@@ -0,0 +1,323 @@
+<?php
+/* $Id$ */
+/*
+ snort_import_aliases.php
+ Copyright (C) 2013 Bill Meeks
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+require_once("functions.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+// Retrieve any passed QUERY STRING or POST variables
+$id = $_GET['id'];
+$eng = $_GET['eng'];
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng']))
+ $eng = $_POST['eng'];
+
+// Make sure we have a valid rule ID and ENGINE name, or
+// else bail out to top-level menu.
+if (is_null($id) || is_null($eng)) {
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+// Used to track if any selectable Aliases are found
+$selectablealias = false;
+
+// Initialize required array variables as necessary
+if (!is_array($config['aliases']['alias']))
+ $config['aliases']['alias'] = array();
+$a_aliases = $config['aliases']['alias'];
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+
+// The $eng variable points to the specific Snort config section
+// engine we are importing values into. Initialize the config.xml
+// array if necessary.
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id][$eng]['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'] = array();
+
+// Initialize a pointer to the Snort config section engine we are
+// importing values into.
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id][$eng]['item'];
+
+// Build a lookup array of currently used engine 'bind_to' Aliases
+// so we can screen matching Alias names from the list.
+$used = array();
+foreach ($a_nat as $v)
+ $used[$v['bind_to']] = true;
+
+// Construct the correct return anchor string based on the Snort config section
+// engine we were called with. This lets us return to the page and section
+// we were called from. Also set the flag for those engines which accept
+// multiple IP addresses for the "bind_to" parameter.
+switch ($eng) {
+ case "frag3_engine":
+ $anchor = "#frag3_row";
+ $multi_ip = true;
+ $title = "Frag3 Engine";
+ break;
+ case "http_inspect_engine":
+ $anchor = "#httpinspect_row";
+ $multi_ip = true;
+ $title = "HTTP_Inspect Engine";
+ break;
+ case "stream5_tcp_engine":
+ $anchor = "#stream5_row";
+ $multi_ip = true;
+ $title = "Stream5 TCP Engine";
+ break;
+ case "ftp_server_engine":
+ $anchor = "#ftp_telnet_row";
+ $multi_ip = false;
+ $title = "FTP Server Engine";
+ break;
+ case "ftp_client_engine":
+ $anchor = "#ftp_telnet_row";
+ $multi_ip = false;
+ $title = "FTP Client Engine";
+ break;
+ default:
+ $anchor = "";
+}
+
+if ($_POST['cancel']) {
+ header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}");
+ exit;
+}
+
+if ($_POST['save']) {
+
+ // Define default engine configurations for each of the supported engines.
+
+ $def_frag3 = array( "name" => "", "bind_to" => "", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+
+ $def_ftp_server = array( "name" => "", "bind_to" => "", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ $def_ftp_client = array( "name" => "", "bind_to" => "", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ $def_http_inspect = array( "name" => "", "bind_to" => "", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
+ "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
+ "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
+ "max_header_length" => 0, "ports" => "default" );
+
+ $def_stream5 = array( "name" => "", "bind_to" => "", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0,
+ "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+
+ // Figure out which engine type we are importing and set up default engine array
+ $engine = array();
+ switch ($eng) {
+ case "frag3_engine":
+ $engine = $def_frag3;
+ break;
+ case "http_inspect_engine":
+ $engine = $def_http_inspect;
+ break;
+ case "stream5_tcp_engine":
+ $engine = $def_stream5;
+ break;
+ case "ftp_server_engine":
+ $engine = $def_ftp_server;
+ break;
+ case "ftp_client_engine":
+ $engine = $def_ftp_client;
+ break;
+ default:
+ $engine = "";
+ $input_errors[] = gettext("Invalid ENGINE TYPE passed in query string. Aborting operation.");
+ }
+
+ // See if anything was checked to import
+ if (is_array($_POST['toimport']) && count($_POST['toimport']) > 0) {
+ foreach ($_POST['toimport'] as $item) {
+ $engine['name'] = strtolower($item);
+ $engine['bind_to'] = $item;
+ $a_nat[] = $engine;
+ }
+ }
+ else
+ $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE.");
+
+ // if no errors, write new entry to conf
+ if (!$input_errors) {
+ // Reorder the engine array to ensure the
+ // 'bind_to=all' entry is at the bottom if
+ // the array contains more than one entry.
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ // Only relocate the entry if we
+ // found it, and it's not already
+ // at the end.
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ // Now write the new engine array to conf and return
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}{$anchor}");
+ exit;
+ }
+}
+
+$pgtitle = gettext("Snort: Import Host/Network Alias for {$title}");
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<form action="snort_import_aliases.php" method="post">
+<input type="hidden" name="id" value="<?=$id;?>">
+<input type="hidden" name="eng" value="<?=$eng;?>">
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+ <td class="tabcont"><strong><?=gettext("Select one or more Aliases to use as {$title} targets from the list below.");?></strong><br/>
+ </td>
+</tr>
+<tr>
+ <td class="tabcont">
+ <table id="sortabletable1" style="table-layout: fixed;" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <colgroup>
+ <col width="5%" align="center">
+ <col width="25%" align="left" axis="string">
+ <col width="35%" align="left" axis="string">
+ <col width="35%" align="left" axis="string">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"></th>
+ <th class="listhdrr" axis="string"><?=gettext("Alias Name"); ?></th>
+ <th class="listhdrr" axis="string"><?=gettext("Values"); ?></th>
+ <th class="listhdrr" axis="string"><?=gettext("Description"); ?></th>
+ </tr>
+ </thead>
+ <tbody>
+ <?php $i = 0; foreach ($a_aliases as $alias): ?>
+ <?php if ($alias['type'] <> "host" && $alias['type'] <> "network")
+ continue;
+ if (isset($used[$alias['name']]))
+ continue;
+ if (!$multi_ip && !snort_is_single_addr_alias($alias['name'])) {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $disable = true;
+ $tooltip = gettext("Aliases resolving to multiple addresses cannot be used with the '{$eng}'.");
+ }
+ elseif (trim(filter_expand_alias($alias['name'])) == "") {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $disable = true;
+ $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations.");
+ }
+ else {
+ $textss = "";
+ $textse = "";
+ $disable = "";
+ $selectablealias = true;
+ $tooltip = gettext("Selected entries will be imported. Click to toggle selection of this entry.");
+ }
+ ?>
+ <?php if ($disable): ?>
+ <tr title="<?=$tooltip;?>">
+ <td class="listlr" align="center"><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height"11" border="0"/>
+ <?php else: ?>
+ <tr>
+ <td class="listlr" align="center"><input type="checkbox" name="toimport[]" value="<?=htmlspecialchars($alias['name']);?>" title="<?=$tooltip;?>"/></td>
+ <?php endif; ?>
+ <td class="listr" align="left"><?=$textss . htmlspecialchars($alias['name']) . $textse;?></td>
+ <td class="listr" align="left">
+ <?php
+ $tmpaddr = explode(" ", $alias['address']);
+ $addresses = implode(", ", array_slice($tmpaddr, 0, 10));
+ echo "{$textss}{$addresses}{$textse}";
+ if(count($tmpaddr) > 10) {
+ echo "...";
+ }
+ ?>
+ </td>
+ <td class="listbg" align="left">
+ <?=$textss . htmlspecialchars($alias['descr']) . $textse;?>&nbsp;
+ </td>
+ </tr>
+ <?php $i++; endforeach; ?>
+ </table>
+ </td>
+</tr>
+<?php if (!$selectablealias): ?>
+<tr>
+ <td class="tabcont" align="center"><b><?php echo gettext("There are currently no defined Aliases eligible for import.");?></b></td>
+</tr>
+<tr>
+ <td class="tabcont" align="center">
+ <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/>
+ </td>
+</tr>
+<?php else: ?>
+<tr>
+ <td class="tabcont" align="center">
+ <input type="Submit" name="save" value="Save" id="save" class="formbtn" title="<?=gettext("Import selected item and return");?>"/>&nbsp;&nbsp;&nbsp;
+ <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/>
+ </td>
+</tr>
+<?php endif; ?>
+<tr>
+ <td class="tabcont">
+ <span class="vexpl"><span class="red"><strong><?=gettext("Note:"); ?><br></strong></span><?=gettext("Fully-Qualified Domain Name (FQDN) host Aliases cannot be used as Snort configuration parameters. Aliases resolving to a single FQDN value are disabled in the list above. In the case of nested Aliases where one or more of the nested values is a FQDN host, the FQDN host will not be included in the {$title} configuration.");?></span>
+ </td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+</html>
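Review bot: The save branch's `foreach ($_POST['toimport'] as $item)` writes every submitted value straight into config as `bind_to` and `name` without checking it against the alias list, so the host/network, already-used, single-address and FQDN filters applied while rendering the table do not constrain what `write_config()` persists; recomputing that eligible set server-side and rejecting anything outside it closes the gap, as sketched below. Separately, `$id` and `$eng` are only tested for null: `$id` is never confirmed to index an existing rule (compare the `!isset($a_rule[$id])` redirect in snort_interfaces_edit.php), an unknown `$eng` falls through the `switch` with `$title` and `$multi_ip` undefined yet still gets a config sub-array created before `$a_nat` is taken, and both values are echoed unescaped into the hidden inputs and into the `$tooltip` `title` attribute, so they should go through `htmlspecialchars()` and an unrecognised `$eng` should redirect before the reference is created. The disabled-row `<img>` also has `height"11"` (missing `=`) and no closing `</td>`.
```php
    // See if anything was checked to import
    if (is_array($_POST['toimport']) && count($_POST['toimport']) > 0) {
        // Recompute the same eligibility the list applies, so only names the
        // user could actually have been offered are accepted on save.
        $eligible = array();
        foreach ($a_aliases as $alias) {
            if ($alias['type'] != "host" && $alias['type'] != "network")
                continue;
            if (isset($used[$alias['name']]) || trim(filter_expand_alias($alias['name'])) == "")
                continue;
            if (!$multi_ip && !snort_is_single_addr_alias($alias['name']))
                continue;
            $eligible[$alias['name']] = true;
        }
        foreach ($_POST['toimport'] as $item) {
            if (!isset($eligible[$item])) {
                $input_errors[] = gettext("Alias is not eligible for import: ") . htmlspecialchars($item);
                continue;
            }
            $engine['name'] = strtolower($item);
            $engine['bind_to'] = $item;
            $a_nat[] = $engine;
        }
    }
    // … unchanged: "No entries were selected" error, reorder of 'bind_to=all', write_config() …
```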
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index bbd4338c..9d488207 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -102,6 +102,12 @@ elseif (isset($id) && !isset($a_rule[$id])) {
if (isset($_GET['dup']))
unset($id);
+// Set defaults for empty key parameters
+if (empty($pconfig['blockoffendersip']))
+ $pconfig['blockoffendersip'] = "both";
+if (empty($pconfig['performance']))
+ $pconfig['performance'] = "ac-bnfa";
+
if ($_POST["Submit"]) {
if (!$_POST['interface'])
$input_errors[] = "Interface is mandatory";
@@ -113,7 +119,7 @@ if ($_POST["Submit"]) {
$natent['enable'] = $_POST['enable'] ? 'on' : 'off';
$natent['uuid'] = $pconfig['uuid'];
- /* See if the HOME_NET, EXTERNAL_NET, WHITELIST or SUPPRESS LIST values were changed */
+ /* See if the HOME_NET, EXTERNAL_NET, or SUPPRESS LIST values were changed */
$snort_reload = false;
if ($_POST['homelistname'] && ($_POST['homelistname'] <> $natent['homelistname']))
$snort_reload = true;
@@ -121,8 +127,6 @@ if ($_POST["Submit"]) {
$snort_reload = true;
if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname']))
$snort_reload = true;
- if ($_POST['whitelistname'] && ($_POST['whitelistname'] <> $natent['whitelistname']))
- $snort_reload = true;
if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']);
if ($_POST['performance']) $natent['performance'] = $_POST['performance']; else unset($natent['performance']);
@@ -150,8 +154,100 @@ if ($_POST["Submit"]) {
exec("mv -f {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$snortdir}/snort_" . $a_rule[$id]['uuid'] . "_{$if_real}");
}
$a_rule[$id] = $natent;
- } else
+ } else {
+ // Adding new interface, so set required interface configuration defaults
+ $frag3_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+
+ $stream5_eng = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off",
+ "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+
+ $http_eng = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
+ "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
+ "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+
+ $ftp_client_eng = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ $ftp_server_eng = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ $natent['max_attribute_hosts'] = '10000';
+ $natent['max_attribute_services_per_host'] = '10';
+ $natent['max_paf'] = '16000';
+
+ $natent['ftp_preprocessor'] = 'on';
+ $natent['ftp_telnet_inspection_type'] = "stateful";
+ $natent['ftp_telnet_alert_encrypted'] = "off";
+ $natent['ftp_telnet_check_encrypted'] = "on";
+ $natent['ftp_telnet_normalize'] = "on";
+ $natent['ftp_telnet_detect_anomalies'] = "on";
+ $natent['ftp_telnet_ayt_attack_threshold'] = "20";
+ if (!is_array($natent['ftp_client_engine']['item']))
+ $natent['ftp_client_engine']['item'] = array();
+ $natent['ftp_client_engine']['item'][] = $ftp_client_eng;
+ if (!is_array($natent['ftp_server_engine']['item']))
+ $natent['ftp_server_engine']['item'] = array();
+ $natent['ftp_server_engine']['item'][] = $ftp_server_eng;
+
+ $natent['smtp_preprocessor'] = 'on';
+ $natent['dce_rpc_2'] = 'on';
+ $natent['dns_preprocessor'] = 'on';
+ $natent['ssl_preproc'] = 'on';
+ $natent['pop_preproc'] = 'on';
+ $natent['imap_preproc'] = 'on';
+ $natent['sip_preproc'] = 'on';
+ $natent['other_preprocs'] = 'on';
+
+ $natent['pscan_protocol'] = 'all';
+ $natent['pscan_type'] = 'all';
+ $natent['pscan_memcap'] = '10000000';
+ $natent['pscan_sense_level'] = 'medium';
+
+ $natent['http_inspect'] = "on";
+ $natent['http_inspect_proxy_alert'] = "off";
+ $natent['http_inspect_memcap'] = "150994944";
+ $natent['http_inspect_max_gzip_mem'] = "838860";
+ if (!is_array($natent['http_inspect_engine']['item']))
+ $natent['http_inspect_engine']['item'] = array();
+ $natent['http_inspect_engine']['item'][] = $http_eng;
+
+ $natent['frag3_max_frags'] = '8192';
+ $natent['frag3_memcap'] = '4194304';
+ $natent['frag3_detection'] = 'on';
+ if (!is_array($natent['frag3_engine']['item']))
+ $natent['frag3_engine']['item'] = array();
+ $natent['frag3_engine']['item'][] = $frag3_eng;
+
+ $natent['stream5_reassembly'] = 'on';
+ $natent['stream5_flush_on_alert'] = 'off';
+ $natent['stream5_prune_log_max'] = '1048576';
+ $natent['stream5_track_tcp'] = 'on';
+ $natent['stream5_max_tcp'] = '262144';
+ $natent['stream5_track_udp'] = 'on';
+ $natent['stream5_max_udp'] = '131072';
+ $natent['stream5_udp_timeout'] = '30';
+ $natent['stream5_track_icmp'] = 'off';
+ $natent['stream5_max_icmp'] = '65536';
+ $natent['stream5_icmp_timeout'] = '30';
+ $natent['stream5_mem_cap']= '8388608';
+ if (!is_array($natent['stream5_tcp_engine']['item']))
+ $natent['stream5_tcp_engine']['item'] = array();
+ $natent['stream5_tcp_engine']['item'][] = $stream5_eng;
+
$a_rule[] = $natent;
+ }
/* If Snort is disabled on this interface, stop any running instance */
if ($natent['enable'] != 'on')
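Review bot: The five preprocessor default tables (`$frag3_eng`, `$stream5_eng`, `$http_eng`, `$ftp_client_eng`, `$ftp_server_eng`) and the roughly forty `$natent[...]` defaults are inlined in the add-interface branch of the POST handler, where nothing else can reuse them; the diffstat shows snort_migrate_config.php and snort_post_install.php changing in the same commit, and they presumably need the same values, so the tables are likely duplicated. Move the block into one helper in snort.inc and reduce this branch to `$natent = array_merge($natent, snort_interface_defaults());`, which keeps the current semantics of the defaults overriding whatever was posted. The `is_array(...['item'])` guards are always true for a freshly built `$natent` unless the form posts those array keys, so they can go once the helper owns the entry. The enclosing `if ($_POST["Submit"])` block starts and ends outside the hunk.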
@@ -168,9 +264,9 @@ if ($_POST["Submit"]) {
/*******************************************************/
/* Signal Snort to reload configuration if we changed */
- /* HOME_NET, the Whitelist, EXTERNAL_NET or Suppress */
- /* list values. The function only signals a running */
- /* Snort instance to safely reload these parameters. */
+ /* HOME_NET, EXTERNAL_NET or Suppress list values. */
+ /* The function only signals a running Snort instance */
+ /* to safely reload these parameters. */
/*******************************************************/
if ($snort_reload == true)
snort_reload_config($natent, "SIGHUP");
@@ -187,7 +283,7 @@ if ($_POST["Submit"]) {
}
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface Edit: {$if_friendly}";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Edit Settings");
include_once("head.inc");
?>
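Review bot: Interpolating `$if_friendly` inside the `gettext()` argument defeats translation, because the msgid then differs per interface name and never matches a catalog entry; use `$pgtitle = sprintf(gettext("Snort: Interface %s - Edit Settings"), $if_friendly);` instead. The same pattern is introduced at L7061 (`$a_suppress[$id]['name']`) and L7130 (`$a_whitelist[$id]['name']`), and on those two pages, if the edit form is also reached without an `id` for a new entry, `$a_…[$id]` is an undefined offset and the title ends in a dangling dash; guarding with `isset($id)` and an "Add" title would cover that case.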
@@ -265,28 +361,24 @@ include_once("head.inc");
<?php endforeach; ?>
</select>&nbsp;&nbsp;
<span class="vexpl"><?php echo gettext("Choose which interface this Snort instance applies to."); ?><br/>
- <span class="red"><?php echo gettext("Hint:"); ?> </span><?php echo gettext("in most cases, you'll want to use WAN here."); ?></span><br/></td>
+ <span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;<?php echo gettext("In most cases, you'll want to use WAN here."); ?></span><br/></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncellreq"><?php echo gettext("Description"); ?></td>
- <td width="78%" class="vtable"><input name="descr" type="text"
- class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/>
+ <td width="78%" class="vtable"><input name="descr" type="text"
+ class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"> <br/>
<span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference."); ?></span><br/></td>
</tr>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Alert Settings"); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Send alerts to main " .
- "System logs"); ?></td>
- <td width="78%" class="vtable"><input name="alertsystemlog"
- type="checkbox" value="on"
- <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?>
- onClick="enable_change(false)">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Send Alerts to System Logs"); ?></td>
+ <td width="78%" class="vtable"><input name="alertsystemlog" type="checkbox" value="on" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?>>
<?php echo gettext("Snort will send Alerts to the firewall's system logs."); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Block offenders"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Block Offenders"); ?></td>
<td width="78%" class="vtable">
<input name="blockoffenders7" id="blockoffenders7" type="checkbox" value="on"
<?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?>
@@ -295,14 +387,14 @@ include_once("head.inc");
"Snort alert."); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill states"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Kill States"); ?></td>
<td width="78%" class="vtable">
<input name="blockoffenderskill" id="blockoffenderskill" type="checkbox" value="on" <?php if ($pconfig['blockoffenderskill'] == "on") echo "checked"; ?>>
<?php echo gettext("Checking this option will kill firewall states for the blocked IP"); ?>
</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to block"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Which IP to Block"); ?></td>
<td width="78%" class="vtable">
<select name="blockoffendersip" class="formselect" id="blockoffendersip">
<?php
@@ -315,7 +407,8 @@ include_once("head.inc");
}
?>
</select>&nbsp;&nbsp;
- <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?>
+ <?php echo gettext("Select which IP extracted from the packet you wish to block"); ?><br/>
+ <span class="red"><?php echo gettext("Hint:") . "</span>&nbsp;" . gettext("Choosing BOTH is suggested, and it is the default value."); ?></span><br/></td>
</td>
</tr>
<tr>
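Review bot: The added Hint line (L6687) produces malformed HTML: it emits `</span>` from inside the PHP string and then again after the `?>`, and it ends with `</td>` while the next line (L6688) still closes the same cell, so the "Which IP to Block" cell carries a stray `</span>` and a duplicate `</td>`. Replace L6687 with `<span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;<?php echo gettext("Choosing BOTH is suggested, and it is the default value."); ?><br/>` and leave the existing `</td>` on the next line to close the cell, which also matches how the other Hint lines in this form are written (L6634, L6711).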
@@ -332,8 +425,8 @@ include_once("head.inc");
foreach ($interfaces2 as $iface2 => $ifacename2): ?>
<option value="<?=$iface2;?>"
<?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>>
- <?=htmlspecialchars($ifacename2);?></option>
- <?php endforeach; ?>
+ <?=htmlspecialchars($ifacename2);?></option>
+ <?php endforeach; ?>
</select>&nbsp;&nbsp;
<?php echo gettext("Choose a fast pattern matcher algorithm. ") . "<strong>" . gettext("Default") .
"</strong>" . gettext(" is ") . "<strong>" . gettext("AC-BNFA") . "</strong>"; ?>.<br/><br/>
@@ -471,17 +564,17 @@ include_once("head.inc");
id="btnWhitelist" title="<?php echo gettext("Click to view currently selected Whitelist contents"); ?>"/>
<br/>
<span class="vexpl"><?php echo gettext("Choose the whitelist you want this interface to " .
- "use."); ?> </span><br/>&nbsp;<br/><span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;<?php echo gettext("Default " .
- "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?><br/>
- <span class="red"><?php echo gettext("Note:"); ?></span>&nbsp;<?php echo gettext("This option will only be used when block offenders is on."); ?>
+ "use."); ?> </span><br/><br/>
+ <span class="red"><?php echo gettext("Note:"); ?></span>&nbsp;<?php echo gettext("This option will only be used when block offenders is on."); ?><br/>
+ <span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;<?php echo gettext("Default " .
+ "whitelist adds local networks, WAN IPs, Gateways, VPNs and VIPs. Create an Alias to customize."); ?>
</td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering " .
- "file if desired."); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Choose a suppression or filtering file if desired."); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Suppression and filtering"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Suppression and Filtering"); ?></td>
<td width="78%" class="vtable">
<select name="suppresslistname" class="formselect" id="suppresslistname">
<?php
@@ -563,6 +656,9 @@ function enable_change(enable_change) {
document.iform.btnHomeNet.disabled=endis;
document.iform.btnWhitelist.disabled=endis;
document.iform.btnSuppressList.disabled=endis;
+ document.iform.fpm_split_any_any.disabled=endis;
+ document.iform.fpm_search_optimize.disabled=endis;
+ document.iform.fpm_no_stream_inserts.disabled=endis;
}
function wopen(url, name, w, h) {
@@ -592,6 +688,10 @@ function viewList(id, elemID, elemType) {
url = url + getSelectedValue(elemID) + "&type=" + elemType;
wopen(url, 'WhitelistViewer', 640, 480);
}
+
+enable_change(false);
+enable_blockoffenders();
+
//-->
</script>
<?php include("fend.inc"); ?>
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index 089255b6..b22a6934 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -58,7 +58,7 @@ $pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['s
if (empty($pconfig['snortloglimit']))
$pconfig['snortloglimit'] = 'on';
if (empty($pconfig['rule_update_starttime']))
- $pconfig['rule_update_starttime'] = '00:03';
+ $pconfig['rule_update_starttime'] = '00:30';
if ($_POST['rule_update_starttime']) {
if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime']))
@@ -71,15 +71,51 @@ if ($_POST['snortdownload'] == "on" && empty($_POST['oinkmastercode']))
if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code']))
$input_errors[] = "You must supply a subscription code in the box provided in order to enable Emerging Threats Pro rules!";
-/* if no errors move foward */
+/* if no errors move foward with save */
if (!$input_errors) {
if ($_POST["Submit"]) {
$config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'] ? 'on' : 'off';
- $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];
$config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off';
+
+ // If any rule sets are being turned off, then remove them
+ // from the active rules section of each interface. Start
+ // by building an arry of prefixes for the disabled rules.
+ $disabled_rules = array();
+ $disable_ips_policy = false;
+ if ($config['installedpackages']['snortglobal']['snortdownload'] == 'off') {
+ $disabled_rules[] = VRT_FILE_PREFIX;
+ $disable_ips_policy = true;
+ }
+ if ($config['installedpackages']['snortglobal']['snortcommunityrules'] == 'off')
+ $disabled_rules[] = GPL_FILE_PREFIX;
+ if ($config['installedpackages']['snortglobal']['emergingthreats'] == 'off')
+ $disabled_rules[] = ET_OPEN_FILE_PREFIX;
+ if ($config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'off')
+ $disabled_rules[] = ET_PRO_FILE_PREFIX;
+
+ // Now walk all the configured interface rulesets and remove
+ // any matching the disabled ruleset prefixes.
+ if (is_array($config['installedpackages']['snortglobal']['rule'])) {
+ foreach ($config['installedpackages']['snortglobal']['rule'] as &$iface) {
+ // Disable Snort IPS policy if VRT rules are disabled
+ if ($disable_ips_policy) {
+ $iface['ips_policy_enable'] = 'off';
+ unset($iface['ips_policy']);
+ }
+ $enabled_rules = explode("||", $iface['rulesets']);
+ foreach ($enabled_rules as $k => $v) {
+ foreach ($disabled_rules as $d)
+ if (strpos(trim($v), $d) !== false)
+ unset($enabled_rules[$k]);
+ }
+ $iface['rulesets'] = implode("||", $enabled_rules);
+ }
+ }
+
+ $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];
$config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code'];
$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];
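Review bot: `foreach (... as &$iface)` (L6790) leaves `$iface` bound by reference to the last `rule` entry after the loop and nothing releases it; any later `foreach ... as $iface` by value in this file would silently overwrite that interface's configuration. Add `unset($iface);` immediately after the closing brace of the outer loop (L6803). Separately, `strpos(trim($v), $d) !== false` (L6799) matches the prefix anywhere in the ruleset filename rather than at its start; the prefix constants are not visible here, but if any of them is a substring of another ruleset's name, unrelated rule files get dropped, whereas `strpos(trim($v), $d) === 0` tests the prefix proper. The enclosing `if ($_POST["Submit"])` block continues past the hunk.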
@@ -122,7 +158,7 @@ if (!$input_errors) {
}
}
-$pgtitle = 'Services: Snort: Global Settings';
+$pgtitle = gettext("Snort: Global Settings");
include_once("head.inc");
?>
@@ -137,7 +173,7 @@ if($pfsense_stable == 'yes')
/* Display Alert message, under form tag or no refresh */
if ($input_errors)
- print_input_errors($input_errors); // TODO: add checks
+ print_input_errors($input_errors);
?>
@@ -162,11 +198,10 @@ if ($input_errors)
<div id="mainarea">
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The " .
- "Type Of Rules You Wish To Download"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The Type Of Rules You Wish To Download");?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort VRT%s rules"), '<strong>' , '</strong>'); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Snort VRT") . "</strong>" . gettext(" rules");?></td>
<td width="78%" class="vtable">
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
@@ -175,45 +210,44 @@ if ($input_errors)
<td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td>
<tr>
<td>&nbsp;</td>
- <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br>
+ <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br/>
<a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank">
<?php echo gettext("Sign Up for paid Sourcefire VRT Certified Subscriber Rules"); ?></a></td>
</tr>
+ </table>
+ <table id="snort_oink_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td colspan="2">&nbsp;</td>
</tr>
- </table>
- <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Snort VRT Oinkmaster Configuration"); ?></span></b></td>
</tr>
<tr>
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
<td><input name="oinkmastercode" type="text"
- class="formfld" id="oinkmastercode" size="52"
- value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"
- <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br>
+ class="formfld unknown" id="oinkmastercode" size="52"
+ value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br/>
<?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td>
</tr>
</table>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " .
- "rules"), '<strong>' , '</strong>'); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Snort Community") . "</strong>" . gettext(" rules");?></td>
<td width="78%" class="vtable">
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on"
- <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td>
- <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " .
- "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?>
- <br/><br/><?php printf(gettext("%sNote: %sIf you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the Snort VRT rules, and there is no benefit in adding this rule set."),'<span class="red"><strong>' ,'</strong></span>'); ?></span><br></td>
+ <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked";?> ></td>
+ <td class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " .
+ "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset.");?>
+ <br/><br/><?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
+ gettext("If you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the ") .
+ gettext("Snort VRT rules, and there is no benefit in adding this rule set.");?><br/></td>
</tr>
</table></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmerging Threats%s " .
- "rules"), '<strong>' , '</strong>'); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("Emerging Threats") . "</strong>" . gettext(" rules");?></td>
<td width="78%" class="vtable">
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
@@ -236,20 +270,19 @@ if ($input_errors)
<td class="vexpl"><?php echo "<span class='red'><strong>" . gettext("Note:") . "</strong></span>" . "&nbsp;" .
gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?></td>
</tr>
+ </table>
+ <table id="etpro_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td colspan="2">&nbsp;</td>
</tr>
- </table>
- <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("ETPro Subscription Configuration"); ?></span></b></td>
</tr>
<tr>
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
<td><input name="etpro_code" type="text"
- class="formfld" id="etpro_code" size="52"
- value="<?=htmlspecialchars($pconfig['etpro_code']);?>"
- <?php if($pconfig['emergingthreats_pro']<>'on') echo 'disabled'; ?>><br>
+ class="formfld unknown" id="etpro_code" size="52"
+ value="<?=htmlspecialchars($pconfig['etpro_code']);?>"><br/>
<?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td>
</tr>
</table>
@@ -276,7 +309,7 @@ if ($input_errors)
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Update Start Time"); ?></td>
- <td width="78%" class="vtable"><input type="text" class="formfld" name="rule_update_starttime" id="rule_update_starttime" size="4"
+ <td width="78%" class="vtable"><input type="text" class="formfld time" name="rule_update_starttime" id="rule_update_starttime" size="4"
maxlength="5" value="<?=$pconfig['rule_update_starttime'];?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?>><span class="vexpl">&nbsp;&nbsp;
<?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" .
gettext("Default") . "&nbsp;</strong>" . gettext("is ") . "<strong>" . gettext("00:03") . "</strong></span>"; ?>.<br/><br/>
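Review bot: The help text on this line still advertises `00:03` as the default, while the earlier hunk in this file (L6755) changes the fallback for `$pconfig['rule_update_starttime']` to `'00:30'`, so the form now states a default that the page no longer applies. Change `gettext("00:03")` here to `gettext("00:30")`, or better keep the value in one place, e.g. a `$default_starttime = '00:30';` used both for the fallback and in this string, so the two cannot drift apart again.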
@@ -304,44 +337,42 @@ if ($input_errors)
<tr>
<td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="off"
<?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong>
- <?php echo gettext("directory size limit"); ?></span><br>
- <br>
+ <?php echo gettext("directory size limit"); ?></span><br/>
+ <br/>
<span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("Nanobsd " .
"should use no more than 10MB of space."); ?></td>
</tr>
</table>
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
- <td><span class="vexpl"><?php echo gettext("Size in"); ?> <strong>MB</strong></span></td>
- <td><input name="snortloglimitsize" type="text" class="formfld" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>">
- &nbsp;&nbsp;<?php printf(gettext("Default is %s20%%%s of available space."), '<strong>', '</strong>'); ?></td>
+ <td class="vexpl"><?php echo gettext("Size in ") . "<strong>" . gettext("MB:") . "</strong>";?>&nbsp;
+ <input name="snortloglimitsize" type="text" class="formfld unknown" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>">
+ &nbsp;<?php echo gettext("Default is ") . "<strong>" . gettext("20%") . "</strong>" . gettext(" of available space.");?></td>
</tr>
</table>
</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove blocked hosts " .
- "every"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Blocked Hosts Interval"); ?></td>
<td width="78%" class="vtable">
<select name="rm_blocked" class="formselect" id="rm_blocked">
<?php
- $interfaces3 = array('never_b' => gettext('NEVER'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS'));
+ $interfaces3 = array('never_b' => gettext('NEVER'), '15m_b' => gettext('15 MINS'), '30m_b' => gettext('30 MINS'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS'));
foreach ($interfaces3 as $iface3 => $ifacename3): ?>
<option value="<?=$iface3;?>"
<?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>>
<?=htmlspecialchars($ifacename3);?></option>
<?php endforeach; ?>
- </select>&nbsp;&nbsp;
- <?php echo gettext("Please select the amount of time you would like hosts to be blocked for."); ?><br/><br/>
- <?php printf(gettext("%sHint:%s in most cases, 1 hour is a good choice."), '<span class="red"><strong>', '</strong></span>'); ?></td>
+ </select>&nbsp;
+ <?php echo gettext("Please select the amount of time you would like hosts to be blocked."); ?><br/><br/>
+ <?php echo "<span class=\"red\"><strong>" . gettext("Hint:") . "</strong></span>" . gettext(" in most cases, 1 hour is a good choice.");?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep snort settings " .
- "after deinstall"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Snort Settings After Deinstall"); ?></td>
<td width="78%" class="vtable"><input name="forcekeepsettings"
id="forcekeepsettings" type="checkbox" value="yes"
<?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?>
- >&nbsp;&nbsp;<?php echo gettext("Settings will not be removed during deinstall."); ?></td>
+ >&nbsp;&nbsp;<?php echo gettext("Settings will not be removed during package deinstallation."); ?></td>
</tr>
<tr>
<td width="22%" valign="top">
@@ -351,10 +382,8 @@ if ($input_errors)
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
- <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?><br>
- </strong></span> <?php echo gettext("Changing any settings on this page will affect all " .
- "interfaces. Double check that your oink code is correct, and verify the " .
- "type of Snort.org account you hold."); ?></span></td>
+ <td width="78%" class="vexpl"><span class="red"><strong><?php echo gettext("Note:");?></strong>&nbsp;
+ </span><?php echo gettext("Changing any settings on this page will affect all Snort-configured interfaces.");?></td>
</tr>
</table>
</div><br/>
@@ -367,15 +396,17 @@ if ($input_errors)
<!--
function enable_snort_vrt() {
var endis = !(document.iform.snortdownload.checked);
- document.iform.oinkmastercode.disabled = endis;
- document.iform.etpro_code.disabled = endis;
+ if (endis)
+ document.getElementById("snort_oink_code_tbl").style.display = "none";
+ else
+ document.getElementById("snort_oink_code_tbl").style.display = "table";
}
function enable_et_rules() {
var endis = document.iform.emergingthreats.checked;
if (endis) {
document.iform.emergingthreats_pro.checked = !(endis);
- document.iform.etpro_code.disabled = "true";
+ document.getElementById("etpro_code_tbl").style.display = "none";
}
}
@@ -384,9 +415,12 @@ function enable_etpro_rules() {
if (endis) {
document.iform.emergingthreats.checked = !(endis);
document.iform.etpro_code.disabled = "";
+ document.getElementById("etpro_code_tbl").style.display = "table";
}
- else
+ else {
document.iform.etpro_code.disabled = "true";
+ document.getElementById("etpro_code_tbl").style.display = "none";
+ }
}
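Review bot: `enable_etpro_rules()` now mixes two mechanisms, hiding `etpro_code_tbl` while still toggling `document.iform.etpro_code.disabled`, whereas the rewritten `enable_snort_vrt()` and `enable_et_rules()` rely only on the table's display. The two are not equivalent on submit: a disabled control is omitted from the form post while a hidden one is sent, so with the static `disabled` attribute removed from the input (L6915) a saved ETPro code reaches `$_POST['etpro_code']` on every path except this function's `else` branch, which then clears the stored code via the unconditional assignment at L6807; that asymmetry looks unintended. Drop the two `document.iform.etpro_code.disabled = ...` lines so the hidden-table approach applies uniformly, or, if clearing the code on uncheck is wanted, do it explicitly server-side rather than through the disabled state.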
function enable_change_rules_upd() {
@@ -396,6 +430,12 @@ function enable_change_rules_upd() {
document.iform.rule_update_starttime.disabled="";
}
+// Initialize the form controls state based on saved settings
+enable_snort_vrt();
+enable_et_rules();
+enable_etpro_rules();
+enable_change_rules_upd();
+
//-->
</script>
diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php
index 7eed6dd3..e42b7f8c 100644
--- a/config/snort/snort_interfaces_suppress.php
+++ b/config/snort/snort_interfaces_suppress.php
@@ -84,7 +84,7 @@ if ($_GET['act'] == "del") {
}
}
-$pgtitle = "Services: Snort: Suppression";
+$pgtitle = gettext("Snort: Suppression Lists");
include_once("head.inc");
?>
diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php
index 1eb16260..3d703987 100644
--- a/config/snort/snort_interfaces_suppress_edit.php
+++ b/config/snort/snort_interfaces_suppress_edit.php
@@ -126,7 +126,7 @@ if ($_POST['submit']) {
}
}
-$pgtitle = "Services: Snort: Suppression: Edit";
+$pgtitle = gettext("Snort: Suppression List Edit - {$a_suppress[$id]['name']}");
include_once("head.inc");
?>
@@ -166,7 +166,7 @@ if ($savemsg)
<tr>
<td width="22%" valign="top" class="vncellreq"><?php echo gettext("Name"); ?></td>
<td width="78%" class="vtable"><input name="name" type="text" id="name"
- class="formfld unkown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br />
+ class="formfld unknown" size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br />
<span class="vexpl"> <?php echo gettext("The list name may only consist of the " .
"characters \"a-z, A-Z, 0-9 and _\"."); ?>&nbsp;&nbsp;<span class="red"><?php echo gettext("Note:"); ?> </span>
<?php echo gettext("No Spaces or dashes."); ?> </span></td>
@@ -174,7 +174,7 @@ if ($savemsg)
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td>
<td width="78%" class="vtable"><input name="descr" type="text"
- class="formfld unkown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br />
+ class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br />
<span class="vexpl"> <?php echo gettext("You may enter a description here for your " .
"reference (not parsed)."); ?> </span></td>
</tr>
diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php
index ab22103e..9391eb85 100644
--- a/config/snort/snort_interfaces_whitelist.php
+++ b/config/snort/snort_interfaces_whitelist.php
@@ -61,7 +61,7 @@ if ($_GET['act'] == "del") {
}
}
-$pgtitle = "Services: Snort: Whitelist";
+$pgtitle = gettext("Snort: Whitelists");
include_once("head.inc");
?>
diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php
index 671fa4e5..cbc31378 100644
--- a/config/snort/snort_interfaces_whitelist_edit.php
+++ b/config/snort/snort_interfaces_whitelist_edit.php
@@ -38,6 +38,11 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
+if ($_POST['cancel']) {
+ header("Location: /snort/snort_interfaces_whitelist.php");
+ exit;
+}
+
if (!is_array($config['installedpackages']['snortglobal']['whitelist']))
$config['installedpackages']['snortglobal']['whitelist'] = array();
if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
@@ -88,6 +93,12 @@ if (isset($id) && $a_whitelist[$id]) {
$pconfig['vpnips'] = $a_whitelist[$id]['vpnips'];
}
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ if ($_GET['varname'] == "address" && !empty($_GET['varvalue']))
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+}
+
if ($_POST['submit']) {
conf_mount_rw();
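Review bot: The import branch copies `$_GET['varvalue']` straight into `$pconfig['address']` without checking that it names an existing alias, while the POST path rejects anything that fails `is_alias()` (L7121); the value is later rendered into the form (escaped at L7156) and passed to `filter_expand_alias()` for the `title` attribute (L7157) without escaping, so the page should only adopt values the POST path would accept. Change the inner condition to `if ($_GET['varname'] == "address" && !empty($_GET['varvalue']) && is_alias($_GET['varvalue']))`. Using the constant key `'address'` on the left-hand side instead of `$pconfig[$_GET['varname']]` would also make the assignment target obvious, since `varname` has already been compared to that literal.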
@@ -118,7 +129,7 @@ if ($_POST['submit']) {
if ($_POST['address'])
if (!is_alias($_POST['address']))
- $input_errors[] = gettext("A valid alias need to be provided");
+ $input_errors[] = gettext("A valid alias must be provided");
if (!$input_errors) {
$w_list = array();
@@ -151,7 +162,7 @@ if ($_POST['submit']) {
}
}
-$pgtitle = "Services: Snort: Whitelist: Edit $whitelist_uuid";
+$pgtitle = gettext("Snort: Whitelist Edit - {$a_whitelist[$id]['name']}");
include_once("head.inc");
?>
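Review bot: Interpolating the list name inside `gettext("Snort: Whitelist Edit - {$a_whitelist[$id]['name']}")` makes the msgid differ per list, so it can never match a catalog entry; translate only the fixed part and append the name, `$pgtitle = gettext("Snort: Whitelist Edit") . " - {$a_whitelist[$id]['name']}";`. When the page is opened for a new list (`$id` unset, per the `isset($id)` guard in the earlier hunk) the index is presumably undefined and the title ends with an empty suffix; `$pconfig['name']` would cover both cases.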
@@ -193,7 +204,7 @@ if ($savemsg)
</tr>
<tr>
<td valign="top" class="vncellreq"><?php echo gettext("Name"); ?></td>
- <td class="vtable"><input name="name" type="text" id="name"
+ <td class="vtable"><input name="name" type="text" id="name" class="formfld unknown"
size="40" value="<?=htmlspecialchars($pconfig['name']);?>" /> <br />
<span class="vexpl"> <?php echo gettext("The list name may only consist of the " .
"characters \"a-z, A-Z, 0-9 and _\"."); ?>&nbsp;&nbsp;<span class="red"><?php echo gettext("Note:"); ?> </span>
@@ -201,7 +212,7 @@ if ($savemsg)
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Description"); ?></td>
- <td width="78%" class="vtable"><input name="descr" type="text"
+ <td width="78%" class="vtable"><input name="descr" type="text" class="formfld unknown"
id="descr" size="40" value="<?=$pconfig['descr'];?>" /> <br />
<span class="vexpl"> <?php echo gettext("You may enter a description here for your " .
"reference (not parsed)."); ?> </span></td>
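Review bot: The `descr` input this hunk restyles still echoes `$pconfig['descr']` unescaped inside `value=` on the following context line, while the `name` field two rows above passes through `htmlspecialchars()`; a description containing a double quote breaks out of the attribute. Since the element is being edited anyway, `value="<?=htmlspecialchars($pconfig['descr']);?>"` brings it in line with the name field. The hunk at the top of this chunk, from the preceding file, appears to carry the same unescaped `descr` value.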
@@ -261,14 +272,17 @@ if ($savemsg)
<div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div>
</td>
<td width="78%" class="vtable">
- <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" title="<?=trim(filter_expand_alias($pconfig['address']));?>"/>
+ <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>"
+ title="<?=trim(filter_expand_alias($pconfig['address']));?>" />
+ &nbsp;&nbsp;&nbsp;&nbsp;<input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=0&type=host|network&varname=address&act=import&multi_ip=yes&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/>
</td>
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
<input id="submit" name="submit" type="submit" class="formbtn" value="Save" />
- <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" value="Cancel" onclick="history.back()" />
+ <input id="cancel" name="cancel" type="submit" class="formbtn" value="Cancel" />
<input name="id" type="hidden" value="<?=$id;?>" />
</td>
</tr>
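Review bot: The new split-off line `title="<?=trim(filter_expand_alias($pconfig['address']));?>"` writes the expanded alias into an HTML attribute without escaping, and `$pconfig['address']` can now arrive from the query string via the import branch added earlier in this file; wrap it as `title="<?=htmlspecialchars(trim(filter_expand_alias($pconfig['address'])));?>"`. The `value=` attribute on the same element already escapes, so only this line is missing it.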
@@ -287,7 +301,7 @@ if ($savemsg)
foreach($config['aliases']['alias'] as $alias_name) {
if ($alias_name['type'] != "host" && $alias_name['type'] != "network")
continue;
- // Skip any Alias that resolves to an empty string
+ // Skip any Aliases that resolve to an empty string
if (trim(filter_expand_alias($alias_name['name'])) == "")
continue;
if($addrisfirst == 1) $aliasesaddr .= ",";
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
new file mode 100644
index 00000000..1a555408
--- /dev/null
+++ b/config/snort/snort_migrate_config.php
@@ -0,0 +1,307 @@
+<?php
+/*
+ * snort_migrate_config.inc
+ *
+ * Copyright (C) 2013 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("config.inc");
+require_once("functions.inc");
+
+/****************************************************************************/
+/* The code in this module is called once during the post-install process */
+/* via an "include" line. It is used to perform a one-time migration of */
+/* Snort preprocessor configuration parameters into the new format used */
+/* by the multi-engine config feature. Configuration parameters for the */
+/* multiple configuration engines of some preprocessors are stored as */
+/* array values within the "config.xml" file in the [snortglobals] section. */
+/****************************************************************************/
+
+global $config;
+
+if (!is_array($config['installedpackages']['snortglobal']))
+ $config['installedpackages']['snortglobal'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+
+// Just exit if this is a clean install with no saved settings
+if (empty($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+$rule = &$config['installedpackages']['snortglobal']['rule'];
+
+/****************************************************************************/
+/* Loop through all the <rule> elements in the Snort configuration and */
+/* migrate the relevant preprocessor parameters to the new format. */
+/****************************************************************************/
+
+$updated_cfg = false;
+log_error("[Snort] Checking configuration settings version...");
+
+// Check the configuration version to see if XMLRPC Sync should
+// auto-disabled as part of the upgrade due to config format changes.
+if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) &&
+ ($config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'auto' ||
+ $config['installedpackages']['snortsync']['config']['varsynconchanges'] == 'manual')) {
+ $config['installedpackages']['snortsync']['config']['varsynconchanges'] = "disabled";
+ log_error("[Snort] Turning off Snort Sync on this host due to configuration format changes in this update. Upgrade all Snort Sync targets to this same Snort package version before re-enabling Snort Sync.");
+ $updated_cfg = true;
+}
+
+foreach ($rule as &$r) {
+ // Initialize arrays for supported preprocessors if necessary
+ if (!is_array($r['frag3_engine']['item']))
+ $r['frag3_engine']['item'] = array();
+ if (!is_array($r['stream5_tcp_engine']['item']))
+ $r['stream5_tcp_engine']['item'] = array();
+ if (!is_array($r['http_inspect_engine']['item']))
+ $r['http_inspect_engine']['item'] = array();
+ if (!is_array($r['ftp_client_engine']['item']))
+ $r['ftp_client_engine']['item'] = array();
+ if (!is_array($r['ftp_server_engine']['item']))
+ $r['ftp_server_engine']['item'] = array();
+
+ $pconfig = array();
+ $pconfig = $r;
+
+ // Create a default "frag3_engine" if none are configured
+ if (empty($pconfig['frag3_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating Frag3 Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+
+ // Ensure sensible default values exist for global Frag3 parameters
+ if (empty($pconfig['frag3_max_frags']))
+ $pconfig['frag3_max_frags'] = '8192';
+ if (empty($pconfig['frag3_memcap']))
+ $pconfig['frag3_memcap'] = '4194304';
+ if (empty($pconfig['frag3_detection']))
+ $pconfig['frag3_detection'] = 'on';
+
+ // Put any old values in new default engine and remove old value
+ if (isset($pconfig['frag3_policy']))
+ $default['policy'] = $pconfig['frag3_policy'];
+ unset($pconfig['frag3_policy']);
+ if (isset($pconfig['frag3_timeout']) && is_numeric($pconfig['frag3_timeout']))
+ $default['timeout'] = $pconfig['frag3_timeout'];
+ unset($pconfig['frag3_timeout']);
+ if (isset($pconfig['frag3_overlap_limit']) && is_numeric($pconfig['frag3_overlap_limit']))
+ $default['overlap_limit'] = $pconfig['frag3_overlap_limit'];
+ unset($pconfig['frag3_overlap_limit']);
+ if (isset($pconfig['frag3_min_frag_len']) && is_numeric($pconfig['frag3_min_frag_len']))
+ $default['min_frag_len'] = $pconfig['frag3_min_frag_len'];
+ unset($pconfig['frag3_min_frag_len']);
+
+ $pconfig['frag3_engine']['item'] = array();
+ $pconfig['frag3_engine']['item'][] = $default;
+ }
+
+ // Create a default Stream5 engine array if none are configured
+ if (empty($pconfig['stream5_tcp_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating Stream5 Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off",
+ "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+
+ // Ensure sensible defaults exist for Stream5 global parameters
+ if (empty($pconfig['stream5_reassembly']))
+ $pconfig['stream5_reassembly'] = 'on';
+ if (empty($pconfig['stream5_flush_on_alert']))
+ $pconfig['stream5_flush_on_alert'] = 'off';
+ if (empty($pconfig['stream5_prune_log_max']))
+ $pconfig['stream5_prune_log_max'] = '1048576';
+ if (empty($pconfig['stream5_track_tcp']))
+ $pconfig['stream5_track_tcp'] = 'on';
+ if (empty($pconfig['stream5_max_tcp']))
+ $pconfig['stream5_max_tcp'] = '262144';
+ if (empty($pconfig['stream5_track_udp']))
+ $pconfig['stream5_track_udp'] = 'on';
+ if (empty($pconfig['stream5_max_udp']))
+ $pconfig['stream5_max_udp'] = '131072';
+ if (empty($pconfig['stream5_udp_timeout']))
+ $pconfig['stream5_udp_timeout'] = '30';
+ if (empty($pconfig['stream5_track_icmp']))
+ $pconfig['stream5_track_icmp'] = 'off';
+ if (empty($pconfig['stream5_max_icmp']))
+ $pconfig['stream5_max_icmp'] = '65536';
+ if (empty($pconfig['stream5_icmp_timeout']))
+ $pconfig['stream5_icmp_timeout'] = '30';
+ if (empty($pconfig['stream5_mem_cap']))
+ $pconfig['stream5_mem_cap']= '8388608';
+
+ // Put any old values in new default engine and remove old value
+ if (isset($pconfig['stream5_policy']))
+ $default['policy'] = $pconfig['stream5_policy'];
+ unset($pconfig['stream5_policy']);
+ if (isset($pconfig['stream5_tcp_timeout']) && is_numeric($pconfig['stream5_tcp_timeout']))
+ $default['timeout'] = $pconfig['stream5_tcp_timeout'];
+ unset($pconfig['stream5_tcp_timeout']);
+ if (isset($pconfig['stream5_overlap_limit']) && is_numeric($pconfig['stream5_overlap_limit']))
+ $default['overlap_limit'] = $pconfig['stream5_overlap_limit'];
+ unset($pconfig['stream5_overlap_limit']);
+ if (isset($pconfig['stream5_require_3whs']))
+ $default['require_3whs'] = $pconfig['stream5_require_3whs'];
+ unset($pconfig['stream5_require_3whs']);
+ if (isset($pconfig['stream5_no_reassemble_async']))
+ $default['no_reassemble_async'] = $pconfig['stream5_no_reassemble_async'];
+ unset($pconfig['stream5_no_reassemble_async']);
+ if (isset($pconfig['stream5_dont_store_lg_pkts']))
+ $default['dont_store_lg_pkts'] = $pconfig['stream5_dont_store_lg_pkts'];
+ unset($pconfig['stream5_dont_store_lg_pkts']);
+ if (isset($pconfig['max_queued_bytes']) && is_numeric($pconfig['max_queued_bytes']))
+ $default['max_queued_bytes'] = $pconfig['max_queued_bytes'];
+ unset($pconfig['max_queued_bytes']);
+ if (isset($pconfig['max_queued_segs']) && is_numeric($pconfig['max_queued_segs']))
+ $default['max_queued_segs'] = $pconfig['max_queued_segs'];
+ unset($pconfig['max_queued_segs']);
+
+ $pconfig['stream5_tcp_engine']['item'] = array();
+ $pconfig['stream5_tcp_engine']['item'][] = $default;
+ }
+
+ // Create a default HTTP_INSPECT engine if none are configured
+ if (empty($pconfig['http_inspect_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating HTTP_Inspect Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
+ "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
+ "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+
+ // Ensure sensible default values exist for global HTTP_INSPECT parameters
+ if (empty($pconfig['http_inspect']))
+ $pconfig['http_inspect'] = "on";
+ if (empty($pconfig['http_inspect_proxy_alert']))
+ $pconfig['http_inspect_proxy_alert'] = "off";
+ if (empty($pconfig['http_inspect_memcap']))
+ $pconfig['http_inspect_memcap'] = "150994944";
+ if (empty($pconfig['http_inspect_max_gzip_mem']))
+ $pconfig['http_inspect_max_gzip_mem'] = "838860";
+
+ // Put any old values in new default engine and remove old value
+ if (isset($pconfig['server_flow_depth']) && is_numeric($pconfig['server_flow_depth']))
+ $default['server_flow_depth'] = $pconfig['server_flow_depth'];
+ unset($pconfig['server_flow_depth']);
+ if (isset($pconfig['client_flow_depth']) & is_numeric($pconfig['client_flow_depth']))
+ $default['client_flow_depth'] = $pconfig['client_flow_depth'];
+ unset($pconfig['client_flow_depth']);
+ if (isset($pconfig['http_server_profile']))
+ $default['server_profile'] = $pconfig['http_server_profile'];
+ unset($pconfig['http_server_profile']);
+ if (isset($pconfig['http_inspect_enable_xff']))
+ $default['enable_xff'] = $pconfig['http_inspect_enable_xff'];
+ unset($pconfig['http_inspect_enable_xff']);
+ if (isset($pconfig['http_inspect_log_uri']))
+ $default['log_uri'] = $pconfig['http_inspect_log_uri'];
+ unset($pconfig['http_inspect_log_uri']);
+ if (isset($pconfig['http_inspect_log_hostname']))
+ $default['log_hostname'] = $pconfig['http_inspect_log_hostname'];
+ unset($pconfig['http_inspect_log_hostname']);
+ if (isset($pconfig['noalert_http_inspect']))
+ $default['no_alerts'] = $pconfig['noalert_http_inspect'];
+ unset($pconfig['noalert_http_inspect']);
+
+ $pconfig['http_inspect_engine']['item'] = array();
+ $pconfig['http_inspect_engine']['item'][] = $default;
+ }
+
+ // Create a default FTP_CLIENT engine if none are configured
+ if (empty($pconfig['ftp_client_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating FTP Client Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ // Set defaults for new FTP_Telnet preprocessor configurable parameters
+ if (empty($pconfig['ftp_telnet_inspection_type']))
+ $pconfig['ftp_telnet_inspection_type'] = 'stateful';
+ if (empty($pconfig['ftp_telnet_alert_encrypted']))
+ $pconfig['ftp_telnet_alert_encrypted'] = 'off';
+ if (empty($pconfig['ftp_telnet_check_encrypted']))
+ $pconfig['ftp_telnet_check_encrypted'] = 'on';
+ if (empty($pconfig['ftp_telnet_normalize']))
+ $pconfig['ftp_telnet_normalize'] = 'on';
+ if (empty($pconfig['ftp_telnet_detect_anomalies']))
+ $pconfig['ftp_telnet_detect_anomalies'] = 'on';
+ if (empty($pconfig['ftp_telnet_ayt_attack_threshold']))
+ $pconfig['ftp_telnet_ayt_attack_threshold'] = '20';
+
+ // Add new FTP_Telnet Client default engine
+ $pconfig['ftp_client_engine']['item'] = array();
+ $pconfig['ftp_client_engine']['item'][] = $default;
+ }
+
+ // Create a default FTP_SERVER engine if none are configured
+ if (empty($pconfig['ftp_server_engine']['item'])) {
+ $updated_cfg = true;
+ log_error("[Snort] Migrating FTP Server Engine configuration for interface {$pconfig['descr']}...");
+ $default = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ // Add new FTP_Telnet Server default engine
+ $pconfig['ftp_server_engine']['item'] = array();
+ $pconfig['ftp_server_engine']['item'][] = $default;
+ }
+
+ // Set sensible defaults for new SDF options if SDF is enabled
+ if ($pconfig['sensitive_data'] == 'on') {
+ if (empty($pconfig['sdf_alert_threshold'])) {
+ $pconfig['sdf_alert_threshold'] = 25;
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['sdf_alert_data_type'])) {
+ $pconfig['sdf_alert_data_type'] = "Credit Card,Email Addresses,U.S. Phone Numbers,U.S. Social Security Numbers";
+ $updated_cfg = true;
+ }
+ }
+
+ // Save the new configuration data into the $config array pointer
+ $r = $pconfig;
+}
+// Release reference to final array element
+unset($r);
+
+// Write out the new configuration to disk if we changed anything
+if ($updated_cfg) {
+ $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.1";
+ log_error("[Snort] Saving configuration settings in new format...");
+ write_config();
+ log_error("[Snort] Settings successfully migrated to new configuration format...");
+}
+else
+ log_error("[Snort] Configuration version is current...");
+
+?>
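Review bot: `if (isset($pconfig['client_flow_depth']) & is_numeric($pconfig['client_flow_depth']))` in the HTTP_Inspect block uses the bitwise `&`, unlike every sibling check which uses `&&`; the result is still only truthy when both hold, but `is_numeric()` is evaluated even when the key is absent, so each unmigrated interface emits an undefined-index notice during post-install. Change it to `&&`. The header comment names the file `snort_migrate_config.inc` while the path being added is `snort_migrate_config.php`, and `$pconfig = array(); $pconfig = $r;` can be collapsed to the second statement.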
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
new file mode 100644
index 00000000..a7b54503
--- /dev/null
+++ b/config/snort/snort_post_install.php
@@ -0,0 +1,1464 @@
+<?php
+/*
+ * snort_post_install.php
+ *
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009-2010 Robert Zelaya
+ * Copyright (C) 2011-2012 Ermal Luci
+ * Copyright (C) 2013 Bill Meeks
+ * part of pfSense
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/****************************************************************************/
+/* This module is called once during the Snort package installation to */
+/* perform required post-installation setup. It should only be executed */
+/* from the Package Manager process via the custom-post-install hook in */
+/* the snort.xml package configuration file. */
+/****************************************************************************/
+
+require_once("config.inc");
+require_once("functions.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include;
+
+$snortdir = SNORTDIR;
+$snortlibdir = SNORTLIBDIR;
+$rcdir = RCFILEPREFIX;
+
+// This is a hack to workaround the caching of the old "snort.inc" by the
+// Package Manager installation code. We need this new function which is
+// in the new snort.inc file during post-installation.
+if (!function_exists('snort_expand_port_range')) {
+ function snort_expand_port_range($ports, $delim = ',') {
+ // Split the incoming string on the specified delimiter
+ $tmp = explode($delim, $ports);
+
+ // Look for any included port range and expand it
+ foreach ($tmp as $val) {
+ if (is_portrange($val)) {
+ $start = strtok($val, ":");
+ $end = strtok(":");
+ if ($end !== false) {
+ $val = $start . $delim;
+ for ($i = intval($start) + 1; $i < intval($end); $i++)
+ $val .= strval($i) . $delim;
+ $val .= $end;
+ }
+ }
+ $value .= $val . $delim;
+ }
+
+ // Remove any trailing delimiter in return value
+ return trim($value, $delim);
+ }
+}
+
+// This function mirrors the "snort_generate_conf()" function in the
+// "snort.inc" file. It is here with a modified name as a workaround
+// so that functionality built into the new package version can be
+// implemented during installation. During a package reinstall, the
+// Package Manager will cache the old version of "snort.inc" and thus
+// new features are not available from the new "snort.inc" file in the
+// new package.
+function snort_build_new_conf($snortcfg) {
+
+ global $config, $g, $rebuild_rules;
+
+ $snortdir = SNORTDIR;
+ $snortlibdir = SNORTLIBDIR;
+ $snortlogdir = SNORTLOGDIR;
+ $flowbit_rules_file = FLOWBITS_FILENAME;
+ $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME;
+
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ /* See if we should protect and not modify the preprocessor rules files */
+ if (!empty($snortcfg['protect_preproc_rules']))
+ $protect_preproc_rules = $snortcfg['protect_preproc_rules'];
+ else
+ $protect_preproc_rules = "off";
+
+ $if_real = snort_get_real_interface($snortcfg['interface']);
+ $snort_uuid = $snortcfg['uuid'];
+ $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
+
+ /* custom home nets */
+ $home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']);
+ $home_net = implode(",", $home_net_list);
+
+ $external_net = '!$HOME_NET';
+ if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') {
+ $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']);
+ $external_net = implode(",", $external_net_list);
+ }
+
+ /* user added arguments */
+ $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru']));
+ // Remove the trailing newline
+ $snort_config_pass_thru = rtrim($snort_config_pass_thru);
+
+ /* create a few directories and ensure the sample files are in place */
+ $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules",
+ "{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
+ "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
+ "{$snortcfgdir}/preproc_rules",
+ "dynamicrules" => "{$snortlibdir}/dynamicrules",
+ "dynamicengine" => "{$snortlibdir}/dynamicengine",
+ "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
+ );
+ foreach ($snort_dirs as $dir) {
+ if (!is_dir($dir))
+ safe_mkdir($dir);
+ }
+
+ /********************************************************************/
+ /* For fail-safe on an initial startup following installation, and */
+ /* before a rules update has occurred, copy the default config */
+ /* files to the interface directory. If files already exist in */
+ /* the interface directory, or they are newer, that means a rule */
+ /* update has been done and we should leave the customized files */
+ /* put in place by the rules update process. */
+ /********************************************************************/
+ $snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd",
+ "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules",
+ "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules"
+ );
+ foreach ($snort_files as $file) {
+ if (file_exists("{$snortdir}/{$file}")) {
+ $ftime = filemtime("{$snortdir}/{$file}");
+ if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}")))
+ @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}");
+ }
+ }
+
+ /* define alertsystemlog */
+ $alertsystemlog_type = "";
+ if ($snortcfg['alertsystemlog'] == "on")
+ $alertsystemlog_type = "output alert_syslog: log_alert";
+
+ /* define snortunifiedlog */
+ $snortunifiedlog_type = "";
+ if ($snortcfg['snortunifiedlog'] == "on")
+ $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128";
+
+ /* define spoink */
+ $spoink_type = "";
+ if ($snortcfg['blockoffenders7'] == "on") {
+ $pfkill = "";
+ if ($snortcfg['blockoffenderskill'] == "on")
+ $pfkill = "kill";
+ $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true);
+ /* write whitelist */
+ @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist));
+ $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}";
+ }
+
+ /* define selected suppress file */
+ $suppress_file_name = "";
+ $suppress = snort_find_list($snortcfg['suppresslistname'], 'suppress');
+ if (!empty($suppress)) {
+ $suppress_data = str_replace("\r", "", base64_decode($suppress['suppresspassthru']));
+ @file_put_contents("{$snortcfgdir}/supp{$snortcfg['suppresslistname']}", $suppress_data);
+ $suppress_file_name = "include {$snortcfgdir}/supp{$snortcfg['suppresslistname']}";
+ }
+
+ /* set the snort performance model */
+ $snort_performance = "ac-bnfa";
+ if(!empty($snortcfg['performance']))
+ $snort_performance = $snortcfg['performance'];
+
+ /* if user has defined a custom ssh port, use it */
+ if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']))
+ $ssh_port = $config['system']['ssh']['port'];
+ else
+ $ssh_port = "22";
+
+ /* Define an array of default values for the various preprocessor ports */
+ $snort_ports = array(
+ "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691",
+ "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1533,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,15489,29991,33300,34412,34443,34444,41080,44440,50000,50002,51423,55555,56712",
+ "oracle_ports" => "1024:", "mssql_ports" => "1433", "telnet_ports" => "23",
+ "snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port,
+ "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143",
+ "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79",
+ "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445",
+ "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514",
+ "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920",
+ "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80",
+ "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779",
+ "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:",
+ "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:",
+ "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107",
+ "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502",
+ "GTP_PORTS" => "2123,2152,3386"
+ );
+
+ /* Check for defined Aliases that may override default port settings as we build the portvars array */
+ $portvardef = "";
+ foreach ($snort_ports as $alias => $avalue) {
+ if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
+ $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"]));
+ $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias]));
+ $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
+ }
+
+ /* Define the default ports for the Stream5 preprocessor (formatted for easier reading in the snort.conf file) */
+ $stream5_ports_client = "21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 \\\n";
+ $stream5_ports_client .= "\t 139 143 161 445 513 514 587 593 691 1433 1521 1741 \\\n";
+ $stream5_ports_client .= "\t 2100 3306 6070 6665 6666 6667 6668 6669 7000 8181 \\\n";
+ $stream5_ports_client .= "\t 32770 32771 32772 32773 32774 32775 32776 32777 \\\n";
+ $stream5_ports_client .= "\t 32778 32779";
+ $stream5_ports_both = "80 81 82 83 84 85 86 87 88 89 90 110 311 383 443 465 563 \\\n";
+ $stream5_ports_both .= "\t 591 593 631 636 901 989 992 993 994 995 1220 1414 1533 \\\n";
+ $stream5_ports_both .= "\t 1830 2301 2381 2809 3037 3057 3128 3443 3702 4343 4848 \\\n";
+ $stream5_ports_both .= "\t 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 \\\n";
+ $stream5_ports_both .= "\t 7779 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 \\\n";
+ $stream5_ports_both .= "\t 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 \\\n";
+ $stream5_ports_both .= "\t 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 \\\n";
+ $stream5_ports_both .= "\t 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 \\\n";
+ $stream5_ports_both .= "\t 9060 9080 9090 9091 9443 9999 10000 11371 15489 29991 \\\n";
+ $stream5_ports_both .= "\t 33300 34412 34443 34444 41080 44440 50000 50002 51423 \\\n";
+ $stream5_ports_both .= "\t 55555 56712";
+
+ /////////////////////////////
+ /* preprocessor code */
+ /* def perform_stat */
+ $perform_stat = <<<EOD
+# Performance Statistics #
+preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000
+
+EOD;
+
+ /* def ftp_preprocessor */
+ $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports']));
+ $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports']));
+
+ // Configure FTP_Telnet global options
+ $ftp_telnet_globals = "inspection_type ";
+ if ($snortcfg['ftp_telnet_inspection_type'] != "") { $ftp_telnet_globals .= $snortcfg['ftp_telnet_inspection_type']; }else{ $ftp_telnet_globals .= "stateful"; }
+ if ($snortcfg['ftp_telnet_alert_encrypted'] == "on")
+ $ftp_telnet_globals .= " \\\n\tencrypted_traffic yes";
+ else
+ $ftp_telnet_globals .= " \\\n\tencrypted_traffic no";
+ if ($snortcfg['ftp_telnet_check_encrypted'] == "on")
+ $ftp_telnet_globals .= " \\\n\tcheck_encrypted";
+
+ // Configure FTP_Telnet Telnet protocol options
+ $ftp_telnet_protocol = "ports { {$telnet_ports} }";
+ if ($snortcfg['ftp_telnet_normalize'] == "on")
+ $ftp_telnet_protocol .= " \\\n\tnormalize";
+ if ($snortcfg['ftp_telnet_detect_anomalies'] == "on")
+ $ftp_telnet_protocol .= " \\\n\tdetect_anomalies";
+ if ($snortcfg['ftp_telnet_ayt_attack_threshold'] <> '0') {
+ $ftp_telnet_protocol .= " \\\n\tayt_attack_thresh ";
+ if ($snortcfg['ftp_telnet_ayt_attack_threshold'] != "")
+ $ftp_telnet_protocol .= $snortcfg['ftp_telnet_ayt_attack_threshold'];
+ else
+ $ftp_telnet_protocol .= "20";
+ }
+
+ // Setup the standard FTP commands used for all FTP Server engines
+ $ftp_cmds = <<<EOD
+ ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
+ ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
+ ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
+ ftp_cmds { LPSV MACB MAIL MDTM MFMT MIC MKD MLSD MLST } \
+ ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
+ ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
+ ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
+ ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
+ ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
+ ftp_cmds { XSEN XSHA1 XSHA256 } \
+ alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
+ alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
+ alt_max_param_len 256 { CWD RNTO } \
+ alt_max_param_len 400 { PORT } \
+ alt_max_param_len 512 { MFMT SIZE } \
+ chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
+ chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
+ chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
+ chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
+ chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
+ chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
+ chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
+ chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
+ cmd_validity ALLO < int [ char R int ] > \
+ cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
+ cmd_validity MACB < string > \
+ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+ cmd_validity MODE < char ASBCZ > \
+ cmd_validity PORT < host_port > \
+ cmd_validity PROT < char CSEP > \
+ cmd_validity STRU < char FRPO [ string ] > \
+ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
+
+EOD;
+
+ // Configure all the FTP_Telnet FTP protocol options
+ // Iterate and configure the FTP Client engines
+ $ftp_default_client_engine = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+
+ if (!is_array($snortcfg['ftp_client_engine']['item']))
+ $snortcfg['ftp_client_engine']['item'] = array();
+
+ // If no FTP client engine is configured, use the default
+ // to keep from breaking Snort.
+ if (empty($snortcfg['ftp_client_engine']['item']))
+ $snortcfg['ftp_client_engine']['item'][] = $ftp_default_client_engine;
+ $ftp_client_engine = "";
+
+ foreach ($snortcfg['ftp_client_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor ftp_telnet_protocol: ftp client ";
+ if ($v['name'] == "default" && $v['bind_to'] == "all")
+ $buffer .= "default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "{$tmp} \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP client '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+
+ if ($v['max_resp_len'] == "")
+ $buffer .= "\tmax_resp_len 256 \\\n";
+ else
+ $buffer .= "\tmax_resp_len {$v['max_resp_len']} \\\n";
+
+ $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n";
+ $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n";
+
+ if ($v['bounce'] == "yes") {
+ if (is_alias($v['bounce_to_net']) && is_alias($v['bounce_to_port'])) {
+ $net = trim(filter_expand_alias($v['bounce_to_net']));
+ $port = trim(filter_expand_alias($v['bounce_to_port']));
+ if (!empty($net) && !empty($port) &&
+ snort_is_single_addr_alias($v['bounce_to_net']) &&
+ (is_port($port) || is_portrange($port))) {
+ $port = preg_replace('/\s+/', ',', $port);
+ // Change port range delimiter to comma for ftp_telnet client preprocessor
+ if (is_portrange($port))
+ $port = str_replace(":", ",", $port);
+ $buffer .= "\tbounce yes \\\n";
+ $buffer .= "\tbounce_to { {$net},{$port} }\n";
+ }
+ else {
+ // One or both of the BOUNCE_TO alias values is not right,
+ // so figure out which and log an appropriate error.
+ if (empty($net) || !snort_is_single_addr_alias($v['bounce_to_net']))
+ log_error("[snort] ERROR: illegal value for bounce_to Address Alias [{$v['bounce_to_net']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine.");
+ if (empty($port) || !(is_port($port) || is_portrange($port)))
+ log_error("[snort] ERROR: illegal value for bounce_to Port Alias [{$v['bounce_to_port']}] for FTP client engine [{$v['name']}] ... omitting 'bounce_to' option for this client engine.");
+ $buffer .= "\tbounce yes\n";
+ }
+ }
+ else
+ $buffer .= "\tbounce yes\n";
+ }
+ else
+ $buffer .= "\tbounce no\n";
+
+ // Add this FTP client engine to the master string
+ $ftp_client_engine .= "{$buffer}\n";
+ }
+ // Trim final trailing newline
+ rtrim($ftp_client_engine);
+
+ // Iterate and configure the FTP Server engines
+ $ftp_default_server_engine = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+
+ if (!is_array($snortcfg['ftp_server_engine']['item']))
+ $snortcfg['ftp_server_engine']['item'] = array();
+
+ // If no FTP server engine is configured, use the default
+ // to keep from breaking Snort.
+ if (empty($snortcfg['ftp_server_engine']['item']))
+ $snortcfg['ftp_server_engine']['item'][] = $ftp_default_server_engine;
+ $ftp_server_engine = "";
+
+ foreach ($snortcfg['ftp_server_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor ftp_telnet_protocol: ftp server ";
+ if ($v['name'] == "default" && $v['bind_to'] == "all")
+ $buffer .= "default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "{$tmp} \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve IP Address Alias '{$v['bind_to']}' for FTP server '{$v['name']}' ... skipping entry.");
+ continue;
+ }
+
+ if ($v['def_max_param_len'] == "")
+ $buffer .= "\tdef_max_param_len 100 \\\n";
+ elseif ($v['def_max_param_len'] <> '0')
+ $buffer .= "\tdef_max_param_len {$v['def_max_param_len']} \\\n";
+
+ if ($v['ports'] == "default" || !is_alias($v['ports']) || empty($v['ports']))
+ $buffer .= "\tports { {$ftp_ports} } \\\n";
+ elseif (is_alias($v['ports'])) {
+ $tmp = trim(filter_expand_alias($v['ports']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $tmp = snort_expand_port_range($tmp, ' ');
+ $buffer .= "\tports { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] ERROR: unable to resolve Port Alias '{$v['ports']}' for FTP server '{$v['name']}' ... reverting to defaults.");
+ $buffer .= "\tports { {$ftp_ports} } \\\n";
+ }
+ }
+
+ $buffer .= "\ttelnet_cmds {$v['telnet_cmds']} \\\n";
+ $buffer .= "\tignore_telnet_erase_cmds {$v['ignore_telnet_erase_cmds']} \\\n";
+ if ($v['ignore_data_chan'] == "yes")
+ $buffer .= "\tignore_data_chan yes \\\n";
+ $buffer .= "{$ftp_cmds}\n";
+
+ // Add this FTP server engine to the master string
+ $ftp_server_engine .= $buffer;
+ }
+ // Remove trailing newlines
+ rtrim($ftp_server_engine);
+
+ $ftp_preprocessor = <<<EOD
+# ftp_telnet preprocessor #
+preprocessor ftp_telnet: global \
+ {$ftp_telnet_globals}
+
+preprocessor ftp_telnet_protocol: telnet \
+ {$ftp_telnet_protocol}
+
+{$ftp_server_engine}
+{$ftp_client_engine}
+EOD;
+
+ $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports']));
+ $pop_preproc = <<<EOD
+# POP preprocessor #
+preprocessor pop: \
+ ports { {$pop_ports} } \
+ memcap 1310700 \
+ qp_decode_depth 0 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 0
+
+EOD;
+
+ $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports']));
+ $imap_preproc = <<<EOD
+# IMAP preprocessor #
+preprocessor imap: \
+ ports { {$imap_ports} } \
+ memcap 1310700 \
+ qp_decode_depth 0 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 0
+
+EOD;
+
+ $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports']));
+ /* def smtp_preprocessor */
+ $smtp_preprocessor = <<<EOD
+# SMTP preprocessor #
+preprocessor SMTP: \
+ ports { {$smtp_ports} } \
+ inspection_type stateful \
+ normalize cmds \
+ ignore_tls_data \
+ valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT \
+ NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU \
+ STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE \
+ XQUEU XSTA XTRN XUSR } \
+ normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY \
+ IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT \
+ ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 \
+ XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ max_header_line_len 1000 \
+ max_response_line_len 512 \
+ alt_max_command_line_len 260 { MAIL } \
+ alt_max_command_line_len 300 { RCPT } \
+ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
+ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
+ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
+ alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
+ alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
+ xlink2state { enable } \
+ log_mailfrom \
+ log_rcptto \
+ log_email_hdrs \
+ email_hdrs_log_depth 1464 \
+ log_filename \
+ qp_decode_depth 0 \
+ b64_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
+
+EOD;
+
+ /* def sf_portscan */
+ $sf_pscan_protocol = "all";
+ if (!empty($snortcfg['pscan_protocol']))
+ $sf_pscan_protocol = $snortcfg['pscan_protocol'];
+ $sf_pscan_type = "all";
+ if (!empty($snortcfg['pscan_type']))
+ $sf_pscan_type = $snortcfg['pscan_type'];
+ $sf_pscan_memcap = "10000000";
+ if (!empty($snortcfg['pscan_memcap']))
+ $sf_pscan_memcap = $snortcfg['pscan_memcap'];
+ $sf_pscan_sense_level = "medium";
+ if (!empty($snortcfg['pscan_sense_level']))
+ $sf_pscan_sense_level = $snortcfg['pscan_sense_level'];
+ $sf_pscan_ignore_scanners = "\$HOME_NET";
+ if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) {
+ $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners']));
+ $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners));
+ }
+
+ $sf_portscan = <<<EOD
+# sf Portscan #
+preprocessor sfportscan: \
+ scan_type { {$sf_pscan_type} } \
+ proto { {$sf_pscan_protocol} } \
+ memcap { {$sf_pscan_memcap} } \
+ sense_level { {$sf_pscan_sense_level} } \
+ ignore_scanners { {$sf_pscan_ignore_scanners} }
+
+EOD;
+
+ /* def ssh_preproc */
+ $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports']));
+ $ssh_preproc = <<<EOD
+# SSH preprocessor #
+preprocessor ssh: \
+ server_ports { {$ssh_ports} } \
+ autodetect \
+ max_client_bytes 19600 \
+ max_encrypted_packets 20 \
+ max_server_version_len 100 \
+ enable_respoverflow enable_ssh1crc32 \
+ enable_srvoverflow enable_protomismatch
+
+EOD;
+
+ /* def other_preprocs */
+ $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports']));
+ $other_preprocs = <<<EOD
+# Other preprocs #
+preprocessor rpc_decode: \
+ {$sun_rpc_ports} \
+ no_alert_multiple_requests \
+ no_alert_large_fragments \
+ no_alert_incomplete
+
+# Back Orifice preprocessor #
+preprocessor bo
+
+EOD;
+
+ /* def dce_rpc_2 */
+ $dce_rpc_2 = <<<EOD
+# DCE/RPC 2 #
+preprocessor dcerpc2: \
+ memcap 102400, \
+ events [co]
+
+preprocessor dcerpc2_server: default, \
+ policy WinXP, \
+ detect [smb [{$snort_ports['smb_ports']}], \
+ tcp 135, \
+ udp 135, \
+ rpc-over-http-server 593], \
+ autodetect [tcp 1025:, \
+ udp 1025:, \
+ rpc-over-http-server 1025:], \
+ smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
+
+EOD;
+
+ $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports']));
+ $sip_preproc = <<<EOD
+# SIP preprocessor #
+preprocessor sip: \
+ max_sessions 40000, \
+ ports { {$sip_ports} }, \
+ methods { invite \
+ cancel \
+ ack \
+ bye \
+ register \
+ options \
+ refer \
+ subscribe \
+ update \
+ join \
+ info \
+ message \
+ notify \
+ benotify \
+ do \
+ qauth \
+ sprack \
+ publish \
+ service \
+ unsubscribe \
+ prack }, \
+ max_call_id_len 80, \
+ max_from_len 256, \
+ max_to_len 256, \
+ max_via_len 1024, \
+ max_requestName_len 50, \
+ max_uri_len 512, \
+ ignore_call_channel, \
+ max_content_len 2048, \
+ max_contact_len 512
+
+EOD;
+
+ $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports']));
+ /* def dns_preprocessor */
+ $dns_preprocessor = <<<EOD
+# DNS preprocessor #
+preprocessor dns: \
+ ports { {$dns_ports} } \
+ enable_rdata_overflow
+
+EOD;
+
+ /* def dnp3_preprocessor */
+ $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS']));
+ $dnp3_preproc = <<<EOD
+# DNP3 preprocessor #
+preprocessor dnp3: \
+ ports { {$dnp3_ports} } \
+ memcap 262144 \
+ check_crc
+
+EOD;
+
+ /* def modbus_preprocessor */
+ $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS']));
+ $modbus_preproc = <<<EOD
+# Modbus preprocessor #
+preprocessor modbus: \
+ ports { {$modbus_ports} }
+
+EOD;
+
+ /* def gtp_preprocessor */
+ $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS']));
+ $gtp_preproc = <<<EOD
+# GTP preprocessor #
+preprocessor gtp: \
+ ports { {$gtp_ports} }
+
+EOD;
+
+ /* def ssl_preprocessor */
+ $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports']));
+ $ssl_preproc = <<<EOD
+# SSL preprocessor #
+preprocessor ssl: \
+ ports { {$ssl_ports} }, \
+ trustservers, \
+ noinspect_encrypted
+
+EOD;
+
+ /* def sensitive_data_preprocessor */
+ if ($snortcfg['sdf_mask_output'] == "on")
+ $sdf_mask_output = "\\\n\tmask_output";
+ else
+ $sdf_mask_output = "";
+ if (empty($snortcfg['sdf_alert_threshold']))
+ $snortcfg['sdf_alert_threshold'] = 25;
+ $sensitive_data = <<<EOD
+# SDF preprocessor #
+preprocessor sensitive_data: \
+ alert_threshold {$snortcfg['sdf_alert_threshold']} {$sdf_mask_output}
+
+EOD;
+
+ /* define servers as IP variables */
+ $snort_servers = array (
+ "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
+ "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET",
+ "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET",
+ "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET",
+ "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET",
+ "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET",
+ "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET",
+ "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24"
+ );
+
+ // Change old name from "var" to new name of "ipvar" for IP variables because
+ // Snort is deprecating the old "var" name in newer versions.
+ $ipvardef = "";
+ foreach ($snort_servers as $alias => $avalue) {
+ if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) {
+ $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"]));
+ $avalue = preg_replace('/\s+/', ',', trim($avalue));
+ }
+ $ipvardef .= "ipvar " . strtoupper($alias) . " [{$avalue}]\n";
+ }
+
+ $snort_preproc_libs = array(
+ "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc",
+ "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc",
+ "sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
+ "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
+ );
+ $snort_preproc = array (
+ "perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc",
+ "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc"
+ );
+ $default_disabled_preprocs = array(
+ "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc"
+ );
+ $snort_preprocessors = "";
+ foreach ($snort_preproc as $preproc) {
+ if ($snortcfg[$preproc] == 'on' || empty($snortcfg[$preproc]) ) {
+
+ /* If preprocessor is not explicitly "on" or "off", then default to "off" if in our default disabled list */
+ if (empty($snortcfg[$preproc]) && in_array($preproc, $default_disabled_preprocs))
+ continue;
+
+ /* NOTE: The $$ is not a bug. It is an advanced feature of php */
+ if (!empty($snort_preproc_libs[$preproc])) {
+ $preproclib = "libsf_" . $snort_preproc_libs[$preproc];
+ if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
+ if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) {
+ @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ } else
+ log_error("Could not find the {$preproclib} file. Snort might error out!");
+ } else {
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
+ } else {
+ $snort_preprocessors .= $$preproc;
+ $snort_preprocessors .= "\n";
+ }
+ }
+ }
+ // Remove final trailing newline
+ $snort_preprocessors = rtrim($snort_preprocessors);
+
+ $snort_misc_include_rules = "";
+ if (file_exists("{$snortcfgdir}/reference.config"))
+ $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n";
+ if (file_exists("{$snortcfgdir}/classification.config"))
+ $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
+ if (is_dir("{$snortcfgdir}/preproc_rules")) {
+ if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
+ $sedcmd = '/^#alert.*classtype:sdf/s/^#//';
+ if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
+ #enable only selected sensitive data
+ if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){
+ $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")";
+ $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules");
+ $sd_tmp_new_file="";
+ foreach ($sd_tmp_file as $sd_tmp_line)
+ $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : "";
+ file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX);
+ }
+ }
+ } else
+ $sedcmd = '/^alert.*classtype:sdf/s/^/#/';
+ if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") {
+ @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
+ mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
+ mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
+ @unlink("{$g['tmp_path']}/sedcmd");
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") {
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ }
+ else {
+ $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
+ log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
+ }
+ } else {
+ $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
+ log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
+ }
+
+ /* generate rule sections to load */
+ /* The files are always configured so the update process is easier */
+ $selected_rules_sections = "include \$RULE_PATH/{$snort_enforcing_rules_file}\n";
+ $selected_rules_sections .= "include \$RULE_PATH/{$flowbit_rules_file}\n";
+ $selected_rules_sections .= "include \$RULE_PATH/custom.rules\n";
+
+ // Remove trailing newlines
+ $snort_misc_include_rules = rtrim($snort_misc_include_rules);
+ $selected_rules_sections = rtrim($selected_rules_sections);
+
+ /* Create the actual rules files and save in the interface directory */
+ snort_prepare_rule_files($snortcfg, $snortcfgdir);
+
+ $cksumcheck = "all";
+ if ($snortcfg['cksumcheck'] == 'on')
+ $cksumcheck = "none";
+
+ /* Pull in user-configurable detection config options */
+ $cfg_detect_settings = "search-method {$snort_performance} max-pattern-len 20 max_queue_events 5";
+ if ($snortcfg['fpm_split_any_any'] == "on")
+ $cfg_detect_settings .= " split-any-any";
+ if ($snortcfg['fpm_search_optimize'] == "on")
+ $cfg_detect_settings .= " search-optimize";
+ if ($snortcfg['fpm_no_stream_inserts'] == "on")
+ $cfg_detect_settings .= " no_stream_inserts";
+
+ /* Pull in user-configurable options for Frag3 preprocessor settings */
+ /* Get global Frag3 options first and put into a string */
+ $frag3_global = "preprocessor frag3_global: ";
+ if (!empty($snortcfg['frag3_memcap']) || $snortcfg['frag3_memcap'] == "0")
+ $frag3_global .= "memcap {$snortcfg['frag3_memcap']}, ";
+ else
+ $frag3_global .= "memcap 4194304, ";
+ if (!empty($snortcfg['frag3_max_frags']))
+ $frag3_global .= "max_frags {$snortcfg['frag3_max_frags']}";
+ else
+ $frag3_global .= "max_frags 8192";
+ if ($snortcfg['frag3_detection'] == "off")
+ $frag3_global .= ", disabled";
+
+ $frag3_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+ $frag3_engine = "";
+
+ // Now iterate configured Frag3 engines and write them to a string if enabled
+ if ($snortcfg['frag3_detection'] == "on") {
+ if (!is_array($snortcfg['frag3_engine']['item']))
+ $snortcfg['frag3_engine']['item'] = array();
+
+ // If no frag3 tcp engine is configured, use the default
+ if (empty($snortcfg['frag3_engine']['item']))
+ $snortcfg['frag3_engine']['item'][] = $frag3_default_tcp_engine;
+
+ foreach ($snortcfg['frag3_engine']['item'] as $f => $v) {
+ $frag3_engine .= "preprocessor frag3_engine: ";
+ $frag3_engine .= "policy {$v['policy']}";
+ if ($v['bind_to'] <> "all") {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ',', $tmp);
+ if (strpos($tmp, ",") !== false)
+ $frag3_engine .= " \\\n\tbind_to [{$tmp}]";
+ else
+ $frag3_engine .= " \\\n\tbind_to {$tmp}";
+ }
+ else
+ log_error("[snort] WARNING: unable to resolve IP List Alias '{$v['bind_to']}' for Frag3 engine '{$v['name']}' ... using 0.0.0.0 failsafe.");
+ }
+ $frag3_engine .= " \\\n\ttimeout {$v['timeout']}";
+ $frag3_engine .= " \\\n\tmin_ttl {$v['min_ttl']}";
+ if ($v['detect_anomalies'] == "on") {
+ $frag3_engine .= " \\\n\tdetect_anomalies";
+ $frag3_engine .= " \\\n\toverlap_limit {$v['overlap_limit']}";
+ $frag3_engine .= " \\\n\tmin_fragment_length {$v['min_frag_len']}";
+ }
+ // Add newlines to terminate this engine
+ $frag3_engine .= "\n\n";
+ }
+ // Remove trailing newline
+ $frag3_engine = rtrim($frag3_engine);
+ }
+
+ // Grab any user-customized value for Protocol Aware Flushing (PAF) max PDUs
+ $paf_max_pdu_config = "config paf_max: ";
+ if (empty($snortcfg['max_paf']) || $snortcfg['max_paf'] == '0')
+ $paf_max_pdu_config .= "0";
+ else
+ $paf_max_pdu_config .= $snortcfg['max_paf'];
+
+ // Pull in user-configurable options for Stream5 preprocessor settings
+ // Get global options first and put into a string
+ $stream5_global = "preprocessor stream5_global: \\\n";
+ if ($snortcfg['stream5_reassembly'] == "off")
+ $stream5_global .= "\tdisabled, \\\n";
+ if ($snortcfg['stream5_track_tcp'] == "off")
+ $stream5_global .= "\ttrack_tcp no,";
+ else {
+ $stream5_global .= "\ttrack_tcp yes,";
+ if (!empty($snortcfg['stream5_max_tcp']))
+ $stream5_global .= " \\\n\tmax_tcp {$snortcfg['stream5_max_tcp']},";
+ else
+ $stream5_global .= " \\\n\tmax_tcp 262144,";
+ }
+ if ($snortcfg['stream5_track_udp'] == "off")
+ $stream5_global .= " \\\n\ttrack_udp no,";
+ else {
+ $stream5_global .= " \\\n\ttrack_udp yes,";
+ if (!empty($snortcfg['stream5_max_udp']))
+ $stream5_global .= " \\\n\tmax_udp {$snortcfg['stream5_max_udp']},";
+ else
+ $stream5_global .= " \\\n\tmax_udp 131072,";
+ }
+ if ($snortcfg['stream5_track_icmp'] == "on") {
+ $stream5_global .= " \\\n\ttrack_icmp yes,";
+ if (!empty($snortcfg['stream5_max_icmp']))
+ $stream5_global .= " \\\n\tmax_icmp {$snortcfg['stream5_max_icmp']},";
+ else
+ $stream5_global .= " \\\n\tmax_icmp 65536,";
+ }
+ else
+ $stream5_global .= " \\\n\ttrack_icmp no,";
+ if (!empty($snortcfg['stream5_mem_cap']))
+ $stream5_global .= " \\\n\tmemcap {$snortcfg['stream5_mem_cap']},";
+ else
+ $stream5_global .= " \\\n\tmemcap 8388608,";
+
+ if (!empty($snortcfg['stream5_prune_log_max']) || $snortcfg['stream5_prune_log_max'] == '0')
+ $stream5_global .= " \\\n\tprune_log_max {$snortcfg['stream5_prune_log_max']}";
+ else
+ $stream5_global .= " \\\n\tprune_log_max 1048576";
+ if ($snortcfg['stream5_flush_on_alert'] == "on")
+ $stream5_global .= ", \\\n\tflush_on_alert";
+
+ $stream5_default_tcp_engine = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0,
+ "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+ $stream5_tcp_engine = "";
+
+ // Now iterate configured Stream5 TCP engines and write them to a string if enabled
+ if ($snortcfg['stream5_reassembly'] == "on") {
+ if (!is_array($snortcfg['stream5_tcp_engine']['item']))
+ $snortcfg['stream5_tcp_engine']['item'] = array();
+
+ // If no stream5 tcp engine is configured, use the default
+ if (empty($snortcfg['stream5_tcp_engine']['item']))
+ $snortcfg['stream5_tcp_engine']['item'][] = $stream5_default_tcp_engine;
+
+ foreach ($snortcfg['stream5_tcp_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor stream5_tcp: ";
+ $buffer .= "policy {$v['policy']},";
+ if ($v['bind_to'] <> "all") {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ',', $tmp);
+ if (strpos($tmp, ",") !== false)
+ $buffer .= " \\\n\tbind_to [{$tmp}],";
+ else
+ $buffer .= " \\\n\tbind_to {$tmp},";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for Stream5 TCP engine '{$v['name']}' ... skipping this engine.");
+ continue;
+ }
+ }
+ $stream5_tcp_engine .= $buffer;
+ $stream5_tcp_engine .= " \\\n\ttimeout {$v['timeout']},";
+ $stream5_tcp_engine .= " \\\n\toverlap_limit {$v['overlap_limit']},";
+ $stream5_tcp_engine .= " \\\n\tmax_window {$v['max_window']},";
+ $stream5_tcp_engine .= " \\\n\tmax_queued_bytes {$v['max_queued_bytes']},";
+ $stream5_tcp_engine .= " \\\n\tmax_queued_segs {$v['max_queued_segs']}";
+ if ($v['use_static_footprint_sizes'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tuse_static_footprint_sizes";
+ if ($v['check_session_hijacking'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tcheck_session_hijacking";
+ if ($v['dont_store_lg_pkts'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdont_store_large_packets";
+ if ($v['no_reassemble_async'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdont_reassemble_async";
+ if ($v['detect_anomalies'] == "on")
+ $stream5_tcp_engine .= ", \\\n\tdetect_anomalies";
+ if ($v['require_3whs'] == "on")
+ $stream5_tcp_engine .= ", \\\n\trequire_3whs {$v['startup_3whs_timeout']}";
+ if (!empty($v['ports_client'])) {
+ $stream5_tcp_engine .= ", \\\n\tports client";
+ if ($v['ports_client'] == " all")
+ $stream5_tcp_engine .= " all";
+ elseif ($v['ports_client'] == "default")
+ $stream5_tcp_engine .= " {$stream5_ports_client}";
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_client']));
+ if (!empty($tmp))
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ else {
+ $stream5_tcp_engine .= " {$stream5_ports_client}";
+ log_error("[snort] WARNING: unable to resolve Ports Client Alias [{$v['ports_client']}] for Stream5 TCP engine '{$v['name']}' ... using default value.");
+ }
+ }
+ }
+ if (!empty($v['ports_both'])) {
+ $stream5_tcp_engine .= ", \\\n\tports both";
+ if ($v['ports_both'] == " all")
+ $stream5_tcp_engine .= " all";
+ elseif ($v['ports_both'] == "default")
+ $stream5_tcp_engine .= " {$stream5_ports_both}";
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_both']));
+ if (!empty($tmp))
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ else {
+ $stream5_tcp_engine .= " {$stream5_ports_both}";
+ log_error("[snort] WARNING: unable to resolve Ports Both Alias [{$v['ports_both']}] for Stream5 TCP engine '{$v['name']}' ... using default value.");
+ }
+ }
+ }
+ if (!empty($v['ports_server']) && $v['ports_server'] <> "none" && $v['ports_server'] <> "default") {
+ if ($v['ports_server'] == " all") {
+ $stream5_tcp_engine .= ", \\\n\tports server";
+ $stream5_tcp_engine .= " all";
+ }
+ else {
+ $tmp = trim(filter_expand_alias($v['ports_server']));
+ if (!empty($tmp)) {
+ $stream5_tcp_engine .= ", \\\n\tports server";
+ $stream5_tcp_engine .= " " . trim(preg_replace('/\s+/', ' ', $tmp));
+ }
+ else
+ log_error("[snort] WARNING: unable to resolve Ports Server Alias [{$v['ports_server']}] for Stream5 TCP engine '{$v['name']}' ... defaulting to none.");
+ }
+ }
+
+ // Make sure the "ports" parameter is set, or else default to a safe value
+ if (strpos($stream5_tcp_engine, "ports ") === false)
+ $stream5_tcp_engine .= ", \\\n\tports both all";
+
+ // Add a pair of newlines to terminate this engine
+ $stream5_tcp_engine .= "\n\n";
+ }
+ // Trim off the final trailing newline
+ $stream5_tcp_engine = rtrim($stream5_tcp_engine);
+ }
+
+ // Configure the Stream5 UDP engine if it and Stream5 reassembly are enabled
+ if ($snortcfg['stream5_track_udp'] == "off" || $snortcfg['stream5_reassembly'] == "off")
+ $stream5_udp_engine = "";
+ else {
+ $stream5_udp_engine = "preprocessor stream5_udp: ";
+ if (!empty($snortcfg['stream5_udp_timeout']))
+ $stream5_udp_engine .= "timeout {$snortcfg['stream5_udp_timeout']}";
+ else
+ $stream5_udp_engine .= "timeout 30";
+ }
+
+ // Configure the Stream5 ICMP engine if it and Stream5 reassembly are enabled
+ if ($snortcfg['stream5_track_icmp'] == "on" && $snortcfg['stream5_reassembly'] == "on") {
+ $stream5_icmp_engine = "preprocessor stream5_icmp: ";
+ if (!empty($snortcfg['stream5_icmp_timeout']))
+ $stream5_icmp_engine .= "timeout {$snortcfg['stream5_icmp_timeout']}";
+ else
+ $stream5_icmp_engine .= "timeout 30";
+ }
+ else
+ $stream5_icmp_engine = "";
+
+ // Check for and configure Host Attribute Table if enabled
+ $host_attrib_config = "";
+ if ($snortcfg['host_attribute_table'] == "on" && !empty($snortcfg['host_attribute_data'])) {
+ file_put_contents("{$snortcfgdir}/host_attributes", base64_decode($snortcfg['host_attribute_data']));
+ $host_attrib_config = "# Host Attribute Table #\n";
+ $host_attrib_config .= "attribute_table filename {$snortcfgdir}/host_attributes\n";
+ if (!empty($snortcfg['max_attribute_hosts']))
+ $host_attrib_config .= "config max_attribute_hosts: {$snortcfg['max_attribute_hosts']}\n";
+ if (!empty($snortcfg['max_attribute_services_per_host']))
+ $host_attrib_config .= "config max_attribute_services_per_host: {$snortcfg['max_attribute_services_per_host']}";
+ }
+
+ // Configure the HTTP_INSPECT preprocessor
+ // Get global options first and put into a string
+ $http_inspect_global = "preprocessor http_inspect: global ";
+ if ($snortcfg['http_inspect'] == "off")
+ $http_inspect_global .= "disabled ";
+ $http_inspect_global .= "\\\n\tiis_unicode_map unicode.map 1252 \\\n";
+ $http_inspect_global .= "\tcompress_depth 65535 \\\n";
+ $http_inspect_global .= "\tdecompress_depth 65535 \\\n";
+ if (!empty($snortcfg['http_inspect_memcap']))
+ $http_inspect_global .= "\tmemcap {$snortcfg['http_inspect_memcap']} \\\n";
+ else
+ $http_inspect_global .= "\tmemcap 150994944 \\\n";
+ if (!empty($snortcfg['http_inspect_max_gzip_mem']))
+ $http_inspect_global .= "\tmax_gzip_mem {$snortcfg['http_inspect_max_gzip_mem']}";
+ else
+ $http_inspect_global .= "\tmax_gzip_mem 838860";
+ if ($snortcfg['http_inspect_proxy_alert'] == "on")
+ $http_inspect_global .= " \\\n\tproxy_alert";
+
+ $http_inspect_default_engine = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on", "normalize_headers" => "on",
+ "normalize_utf" => "on", "normalize_javascript" => "on", "allow_proxy_use" => "off", "inspect_uri_only" => "off",
+ "max_javascript_whitespaces" => 200, "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0,
+ "max_header_length" => 0, "ports" => "default" );
+ $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
+ $http_inspect_servers = "";
+
+ // Iterate configured HTTP_INSPECT servers and write them to string if HTTP_INSPECT enabled
+ if ($snortcfg['http_inspect'] <> "off") {
+ if (!is_array($snortcfg['http_inspect_engine']['item']))
+ $snortcfg['http_inspect_engine']['item'] = array();
+
+ // If no http_inspect_engine is configured, use the default
+ if (empty($snortcfg['http_inspect_engine']['item']))
+ $snortcfg['http_inspect_engine']['item'][] = $http_inspect_default_engine;
+
+ foreach ($snortcfg['http_inspect_engine']['item'] as $f => $v) {
+ $buffer = "preprocessor http_inspect_server: \\\n";
+ if ($v['name'] == "default")
+ $buffer .= "\tserver default \\\n";
+ elseif (is_alias($v['bind_to'])) {
+ $tmp = trim(filter_expand_alias($v['bind_to']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $buffer .= "\tserver { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
+ continue;
+ }
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve IP Address Alias [{$v['bind_to']}] for HTTP_INSPECT server '{$v['name']}' ... skipping this server engine.");
+ continue;
+ }
+ $http_inspect_servers .= $buffer;
+ $http_inspect_servers .= "\tprofile {$v['server_profile']} \\\n";
+
+ if ($v['no_alerts'] == "on")
+ $http_inspect_servers .= "\tno_alerts \\\n";
+
+ if ($v['ports'] == "default" || empty($v['ports']))
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ elseif (is_alias($v['ports'])) {
+ $tmp = trim(filter_expand_alias($v['ports']));
+ if (!empty($tmp)) {
+ $tmp = preg_replace('/\s+/', ' ', $tmp);
+ $tmp = snort_expand_port_range($tmp, ' ');
+ $http_inspect_servers .= "\tports { {$tmp} } \\\n";
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ }
+ }
+ else {
+ log_error("[snort] WARNING: unable to resolve Ports Alias [{$v['ports']}] for HTTP_INSPECT server '{$v['name']}' ... using safe default instead.");
+ $http_inspect_servers .= "\tports { {$http_ports} } \\\n";
+ }
+
+ $http_inspect_servers .= "\tserver_flow_depth {$v['server_flow_depth']} \\\n";
+ $http_inspect_servers .= "\tclient_flow_depth {$v['client_flow_depth']} \\\n";
+ $http_inspect_servers .= "\thttp_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \\\n";
+ $http_inspect_servers .= "\tpost_depth {$v['post_depth']} \\\n";
+ $http_inspect_servers .= "\tmax_headers {$v['max_headers']} \\\n";
+ $http_inspect_servers .= "\tmax_header_length {$v['max_header_length']} \\\n";
+ $http_inspect_servers .= "\tmax_spaces {$v['max_spaces']}";
+ if ($v['enable_xff'] == "on")
+ $http_inspect_servers .= " \\\n\tenable_xff";
+ if ($v['enable_cookie'] == "on")
+ $http_inspect_servers .= " \\\n\tenable_cookie";
+ if ($v['normalize_cookies'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_cookies";
+ if ($v['normalize_headers'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_headers";
+ if ($v['normalize_utf'] == "on")
+ $http_inspect_servers .= " \\\n\tnormalize_utf";
+ if ($v['allow_proxy_use'] == "on")
+ $http_inspect_servers .= " \\\n\tallow_proxy_use";
+ if ($v['inspect_uri_only'] == "on")
+ $http_inspect_servers .= " \\\n\tinspect_uri_only";
+ if ($v['extended_response_inspection'] == "on") {
+ $http_inspect_servers .= " \\\n\textended_response_inspection";
+ if ($v['inspect_gzip'] == "on") {
+ $http_inspect_servers .= " \\\n\tinspect_gzip";
+ if ($v['unlimited_decompress'] == "on")
+ $http_inspect_servers .= " \\\n\tunlimited_decompress";
+ }
+ if ($v['normalize_javascript'] == "on") {
+ $http_inspect_servers .= " \\\n\tnormalize_javascript";
+ $http_inspect_servers .= " \\\n\tmax_javascript_whitespaces {$v['max_javascript_whitespaces']}";
+ }
+ }
+ if ($v['log_uri'] == "on")
+ $http_inspect_servers .= " \\\n\tlog_uri";
+ if ($v['log_hostname'] == "on")
+ $http_inspect_servers .= " \\\n\tlog_hostname";
+
+ // Add a pair of trailing newlines to terminate this server config
+ $http_inspect_servers .= "\n\n";
+ }
+ /* Trim off the final trailing newline */
+ $http_inspect_server = rtrim($http_inspect_server);
+ }
+
+ // Finally, build the Snort configuration file
+ $snort_conf_text = <<<EOD
+# snort configuration file
+# generated automatically by the pfSense subsystems do not modify manually
+
+# Define Local Network #
+ipvar HOME_NET [{$home_net}]
+ipvar EXTERNAL_NET [{$external_net}]
+
+# Define Rule Paths #
+var RULE_PATH {$snortcfgdir}/rules
+var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules
+
+# Define Servers #
+{$ipvardef}
+
+# Define Server Ports #
+{$portvardef}
+
+# Configure quiet startup mode #
+config quiet
+
+# Configure the snort decoder #
+config checksum_mode: {$cksumcheck}
+config disable_decode_alerts
+config disable_tcpopt_experimental_alerts
+config disable_tcpopt_obsolete_alerts
+config disable_ttcp_alerts
+config disable_tcpopt_alerts
+config disable_ipopt_alerts
+config disable_decode_drops
+
+# Enable the GTP decoder #
+config enable_gtp
+
+# Configure PCRE match limitations
+config pcre_match_limit: 3500
+config pcre_match_limit_recursion: 1500
+
+# Configure the detection engine #
+config detection: {$cfg_detect_settings}
+config event_queue: max_queue 8 log 5 order_events content_length
+
+# Configure to show year in timestamps
+config show_year
+
+# Configure protocol aware flushing #
+# For more information see README.stream5 #
+{$paf_max_pdu_config}
+
+# Configure dynamically loaded libraries
+dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']}
+dynamicengine directory {$snort_dirs['dynamicengine']}
+dynamicdetection directory {$snort_dirs['dynamicrules']}
+
+# Inline packet normalization. For more information, see README.normalize
+# Disabled since we do not use "inline" mode with pfSense
+# preprocessor normalize_ip4
+# preprocessor normalize_tcp: ips ecn stream
+# preprocessor normalize_icmp4
+# preprocessor normalize_ip6
+# preprocessor normalize_icmp6
+
+# Flow and stream #
+{$frag3_global}
+
+{$frag3_engine}
+
+{$stream5_global}
+
+{$stream5_tcp_engine}
+
+{$stream5_udp_engine}
+
+{$stream5_icmp_engine}
+
+# HTTP Inspect #
+{$http_inspect_global}
+
+{$http_inspect_servers}
+{$snort_preprocessors}
+{$host_attrib_config}
+
+# Snort Output Logs #
+output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
+{$alertsystemlog_type}
+{$snortunifiedlog_type}
+{$spoink_type}
+
+# Misc Includes #
+{$snort_misc_include_rules}
+
+{$suppress_file_name}
+
+# Snort user pass through configuration
+{$snort_config_pass_thru}
+
+# Rules Selection #
+{$selected_rules_sections}
+EOD;
+
+ // Write out snort.conf file
+ $conf = fopen("{$snortcfgdir}/snort.conf", "w");
+ if(!$conf) {
+ log_error("Could not open {$snortcfgdir}/snort.conf for writing.");
+ return -1;
+ }
+ fwrite($conf, $snort_conf_text);
+ fclose($conf);
+ unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type);
+ unset($home_net, $external_net, $ipvardef, $portvardef);
+}
+
+/*****************************************************************************/
+/* This starts the actual post-install code */
+/*****************************************************************************/
+
+/* Hard kill any running Snort processes that may have been started by any */
+/* of the pfSense scripts such as check_reload_status() or rc.start_packages */
+if(is_process_running("snort")) {
+ exec("/usr/bin/killall -z snort");
+ sleep(2);
+ // Delete any leftover snort PID files in /var/run
+ array_map('@unlink', glob("/var/run/snort_*.pid"));
+}
+// Hard kill any running Barnyard2 processes
+if(is_process_running("barnyard")) {
+ exec("/usr/bin/killall -z barnyard2");
+ sleep(2);
+ // Delete any leftover barnyard2 PID files in /var/run
+ array_map('@unlink', glob("/var/run/barnyard2_*.pid"));
+}
+
+/* Set flag for post-install in progress */
+$g['snort_postinstall'] = true;
+
+/* cleanup default files */
+@rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf");
+@rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf");
+@rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map");
+@rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map");
+@rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config");
+@rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
+@rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
+@rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
+@rename("{$snortdir}/attribute_table.dtd-sample", "{$snortdir}/attribute_table.dtd");
+
+/* fix up the preprocessor rules filenames from a PBI package install */
+$preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
+foreach ($preproc_rules as $file) {
+ if (file_exists("{$snortdir}/preproc_rules/{$file}-sample"))
+ @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}");
+}
+
+/* Remove any previously installed scripts since we rebuild them */
+@unlink("{$snortdir}/sid");
+@unlink("{$rcdir}/snort.sh");
+@unlink("{$rcdir}/barnyard2");
+
+/* remake saved settings */
+if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
+ log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings..."));
+ update_status(gettext("Saved settings detected..."));
+ /* Do one-time settings migration for new multi-engine configurations */
+ update_output_window(gettext("Please wait... migrating settings to new multi-engine configuration..."));
+ include "/usr/local/pkg/snort/snort_migrate_config.php";
+ update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
+ log_error(gettext("[Snort] Downloading and updating configured rule types..."));
+ update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
+ if ($pkg_interface <> "console")
+ $snort_gui_include = true;
+ include "/usr/local/pkg/snort/snort_check_for_rule_updates.php";
+ update_status(gettext("Generating snort.conf configuration file from saved settings..."));
+ $rebuild_rules = true;
+
+ /* Create the snort.conf files for each enabled interface */
+ $snortconf = $config['installedpackages']['snortglobal']['rule'];
+ foreach ($snortconf as $value) {
+ $if_real = snort_get_real_interface($value['interface']);
+
+ /* create a snort.conf file for interface */
+ snort_build_new_conf($value);
+
+ /* create barnyard2.conf file for interface */
+ if ($value['barnyard_enable'] == 'on')
+ snort_create_barnyard2_conf($value, $if_real);
+ }
+
+ /* create snort bootup file snort.sh */
+ snort_create_rc();
+
+ /* Set Log Limit, Block Hosts Time and Rules Update Time */
+ snort_snortloglimit_install_cron($config['installedpackages']['snortglobal']['snortloglimit'] == 'on' ? true : false);
+ snort_rm_blocked_install_cron($config['installedpackages']['snortglobal']['rm_blocked'] != "never_b" ? true : false);
+ snort_rules_up_install_cron($config['installedpackages']['snortglobal']['autorulesupdate7'] != "never_up" ? true : false);
+
+ /* Add the recurring jobs created above to crontab */
+ configure_cron();
+ conf_mount_ro();
+
+ $rebuild_rules = false;
+ update_output_window(gettext("Finished rebuilding Snort configuration files..."));
+ log_error(gettext("[Snort] Finished rebuilding installation from saved settings..."));
+
+ /* Only try to start Snort if not in reboot */
+ if (!$g['booting']) {
+ update_status(gettext("Starting Snort using rebuilt configuration..."));
+ update_output_window(gettext("Please wait... while Snort is started..."));
+ log_error(gettext("[Snort] Starting Snort using rebuilt configuration..."));
+ start_service("snort");
+ update_output_window(gettext("Snort has been started using the rebuilt configuration..."));
+ }
+}
+
+/* Update Snort package version in configuration */
+$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.0.1";
+write_config();
+
+/* Done with post-install, so clear flag */
+unset($g['snort_postinstall']);
+log_error(gettext("[Snort] Package post-installation tasks completed..."));
+return true;
+
+?>
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 95d5a10e..289a3941 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -6,6 +6,7 @@
* Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
* Copyright (C) 2008-2009 Robert Zelaya.
* Copyright (C) 2011-2012 Ermal Luci
+ * Copyright (C) 2013 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -37,16 +38,6 @@ require_once("/usr/local/pkg/snort/snort.inc");
global $g, $rebuild_rules;
$snortlogdir = SNORTLOGDIR;
-if (!is_array($config['installedpackages']['snortglobal'])) {
- $config['installedpackages']['snortglobal'] = array();
-}
-$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];
-
-if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
- $config['installedpackages']['snortglobal']['rule'] = array();
-}
-$a_nat = &$config['installedpackages']['snortglobal']['rule'];
-
$id = $_GET['id'];
if (isset($_POST['id']))
$id = $_POST['id'];
@@ -55,6 +46,32 @@ if (is_null($id)) {
exit;
}
+if (!is_array($config['installedpackages']['snortglobal']))
+ $config['installedpackages']['snortglobal'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+
+// Initialize multiple config engine arrays for supported preprocessors if necessary
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect_engine']['item'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['ftp_server_engine']['item'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['ftp_client_engine']['item'] = array();
+
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+
+$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];
+$frag3_engine_next_id = count($a_nat[$id]['frag3_engine']['item']);
+$stream5_tcp_engine_next_id = count($a_nat[$id]['stream5_tcp_engine']['item']);
+$http_inspect_engine_next_id = count($a_nat[$id]['http_inspect_engine']['item']);
+$ftp_server_engine_next_id = count($a_nat[$id]['ftp_server_engine']['item']);
+$ftp_client_engine_next_id = count($a_nat[$id]['ftp_client_engine']['item']);
+
$pconfig = array();
if (isset($id) && $a_nat[$id]) {
$pconfig = $a_nat[$id];
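Review bot: The engine-array initialisation on the `if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['frag3_engine']['item']))` lines auto-vivifies `rule[$id]` for whatever `$id` arrived in the request, and it runs before the existence check `if (isset($id) && $a_nat[$id])` at the end of the hunk, so that check now sees a non-empty array and passes for ids that never existed. Since the default-engine blocks further down in this file call `write_config()`, a request with a bogus or non-numeric id persists a phantom rule entry (with only engine sub-arrays) into config.xml. Validate the id before the config is touched, e.g. right after the `$_POST['id']` override: `if (!is_numeric($id) || !is_array($config['installedpackages']['snortglobal']['rule'][$id])) { /* same redirect+exit as the is_null($id) guard */ }`. The body of the `is_null($id)` guard starts outside the hunk.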
@@ -66,32 +83,14 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['max_attribute_hosts'] = $a_nat[$id]['max_attribute_hosts'];
$pconfig['max_attribute_services_per_host'] = $a_nat[$id]['max_attribute_services_per_host'];
$pconfig['max_paf'] = $a_nat[$id]['max_paf'];
- $pconfig['server_flow_depth'] = $a_nat[$id]['server_flow_depth'];
- $pconfig['http_server_profile'] = $a_nat[$id]['http_server_profile'];
- $pconfig['client_flow_depth'] = $a_nat[$id]['client_flow_depth'];
- $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly'];
- $pconfig['stream5_require_3whs'] = $a_nat[$id]['stream5_require_3whs'];
- $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp'];
- $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp'];
- $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp'];
- $pconfig['max_queued_bytes'] = $a_nat[$id]['max_queued_bytes'];
- $pconfig['max_queued_segs'] = $a_nat[$id]['max_queued_segs'];
- $pconfig['stream5_overlap_limit'] = $a_nat[$id]['stream5_overlap_limit'];
- $pconfig['stream5_policy'] = $a_nat[$id]['stream5_policy'];
- $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap'];
- $pconfig['stream5_tcp_timeout'] = $a_nat[$id]['stream5_tcp_timeout'];
- $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout'];
- $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout'];
- $pconfig['stream5_no_reassemble_async'] = $a_nat[$id]['stream5_no_reassemble_async'];
- $pconfig['stream5_dont_store_lg_pkts'] = $a_nat[$id]['stream5_dont_store_lg_pkts'];
- $pconfig['http_inspect'] = $a_nat[$id]['http_inspect'];
- $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap'];
- $pconfig['http_inspect_enable_xff'] = $a_nat[$id]['http_inspect_enable_xff'];
- $pconfig['http_inspect_log_uri'] = $a_nat[$id]['http_inspect_log_uri'];
- $pconfig['http_inspect_log_hostname'] = $a_nat[$id]['http_inspect_log_hostname'];
- $pconfig['noalert_http_inspect'] = $a_nat[$id]['noalert_http_inspect'];
$pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs'];
$pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor'];
+ $pconfig['ftp_telnet_inspection_type'] = $a_nat[$id]['ftp_telnet_inspection_type'];
+ $pconfig['ftp_telnet_alert_encrypted'] = $a_nat[$id]['ftp_telnet_alert_encrypted'];
+ $pconfig['ftp_telnet_check_encrypted'] = $a_nat[$id]['ftp_telnet_check_encrypted'];
+ $pconfig['ftp_telnet_normalize'] = $a_nat[$id]['ftp_telnet_normalize'];
+ $pconfig['ftp_telnet_detect_anomalies'] = $a_nat[$id]['ftp_telnet_detect_anomalies'];
+ $pconfig['ftp_telnet_ayt_attack_threshold'] = $a_nat[$id]['ftp_telnet_ayt_attack_threshold'];
$pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor'];
$pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan'];
$pconfig['pscan_protocol'] = $a_nat[$id]['pscan_protocol'];
@@ -102,6 +101,9 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2'];
$pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor'];
$pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data'];
+ $pconfig['sdf_alert_data_type'] = $a_nat[$id]['sdf_alert_data_type'];
+ $pconfig['sdf_alert_threshold'] = $a_nat[$id]['sdf_alert_threshold'];
+ $pconfig['sdf_mask_output'] = $a_nat[$id]['sdf_mask_output'];
$pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc'];
$pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc'];
$pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc'];
@@ -112,13 +114,123 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['ssh_preproc'] = $a_nat[$id]['ssh_preproc'];
$pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable'];
$pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules'];
+
+ // Frag3 global settings
$pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection'];
- $pconfig['frag3_overlap_limit'] = $a_nat[$id]['frag3_overlap_limit'];
- $pconfig['frag3_min_frag_len'] = $a_nat[$id]['frag3_min_frag_len'];
- $pconfig['frag3_policy'] = $a_nat[$id]['frag3_policy'];
$pconfig['frag3_max_frags'] = $a_nat[$id]['frag3_max_frags'];
$pconfig['frag3_memcap'] = $a_nat[$id]['frag3_memcap'];
- $pconfig['frag3_timeout'] = $a_nat[$id]['frag3_timeout'];
+
+ // See if new Frag3 engine array is configured and use it;
+ // otherwise create a default engine configuration.
+ if (empty($pconfig['frag3_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd",
+ "timeout" => 60, "min_ttl" => 1, "detect_anomalies" => "on",
+ "overlap_limit" => 0, "min_frag_len" => 0 );
+ $pconfig['frag3_engine']['item'] = array();
+ $pconfig['frag3_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['frag3_engine']['item']))
+ $a_nat[$id]['frag3_engine']['item'] = array();
+ $a_nat[$id]['frag3_engine']['item'][] = $default;
+ write_config();
+ $frag3_engine_next_id++;
+ }
+ else
+ $pconfig['frag3_engine'] = $a_nat[$id]['frag3_engine'];
+
+ // Stream5 global settings
+ $pconfig['stream5_reassembly'] = $a_nat[$id]['stream5_reassembly'];
+ $pconfig['stream5_flush_on_alert'] = $a_nat[$id]['stream5_flush_on_alert'];
+ $pconfig['stream5_prune_log_max'] = $a_nat[$id]['stream5_prune_log_max'];
+ $pconfig['stream5_mem_cap'] = $a_nat[$id]['stream5_mem_cap'];
+ $pconfig['stream5_track_tcp'] = $a_nat[$id]['stream5_track_tcp'];
+ $pconfig['stream5_max_tcp'] = $a_nat[$id]['stream5_max_tcp'];
+ $pconfig['stream5_track_udp'] = $a_nat[$id]['stream5_track_udp'];
+ $pconfig['stream5_max_udp'] = $a_nat[$id]['stream5_max_udp'];
+ $pconfig['stream5_udp_timeout'] = $a_nat[$id]['stream5_udp_timeout'];
+ $pconfig['stream5_track_icmp'] = $a_nat[$id]['stream5_track_icmp'];
+ $pconfig['stream5_max_icmp'] = $a_nat[$id]['stream5_max_icmp'];
+ $pconfig['stream5_icmp_timeout'] = $a_nat[$id]['stream5_icmp_timeout'];
+
+ // See if new Stream5 engine array is configured and use it;
+ // otherwise create a default engine configuration.
+ if (empty($pconfig['stream5_tcp_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "max_window" => 0, "use_static_footprint_sizes" => "off",
+ "check_session_hijacking" => "off", "dont_store_lg_pkts" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+ $pconfig['stream5_tcp_engine']['item'] = array();
+ $pconfig['stream5_tcp_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['stream5_tcp_engine']['item']))
+ $a_nat[$id]['stream5_tcp_engine']['item'] = array();
+ $a_nat[$id]['stream5_tcp_engine']['item'][] = $default;
+ write_config();
+ $stream5_tcp_engine_next_id++;
+ }
+ else
+ $pconfig['stream5_tcp_engine'] = $a_nat[$id]['stream5_tcp_engine'];
+
+ // HTTP_INSPECT global settings
+ $pconfig['http_inspect'] = $a_nat[$id]['http_inspect'];
+ $pconfig['http_inspect_memcap'] = $a_nat[$id]['http_inspect_memcap'];
+ $pconfig['http_inspect_proxy_alert'] = $a_nat[$id]['http_inspect_proxy_alert'];
+ $pconfig['http_inspect_max_gzip_mem'] = $a_nat[$id]['http_inspect_max_gzip_mem'];
+
+ // See if new HTTP_INSPECT engine array is configured and use it;
+ // otherwise create a default engine configuration.
+ if (empty($pconfig['http_inspect_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "server_profile" => "all", "enable_xff" => "off",
+ "log_uri" => "off", "log_hostname" => "off", "server_flow_depth" => 65535, "enable_cookie" => "on",
+ "client_flow_depth" => 1460, "extended_response_inspection" => "on", "no_alerts" => "off",
+ "unlimited_decompress" => "on", "inspect_gzip" => "on", "normalize_cookies" =>"on",
+ "normalize_headers" => "on", "normalize_utf" => "on", "normalize_javascript" => "on",
+ "allow_proxy_use" => "off", "inspect_uri_only" => "off", "max_javascript_whitespaces" => 200,
+ "post_depth" => -1, "max_headers" => 0, "max_spaces" => 0, "max_header_length" => 0, "ports" => "default" );
+ $pconfig['http_inspect_engine']['item'] = array();
+ $pconfig['http_inspect_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['http_inspect_engine']['item']))
+ $a_nat[$id]['http_inspect_engine']['item'] = array();
+ $a_nat[$id]['http_inspect_engine']['item'][] = $default;
+ write_config();
+ $http_inspect_engine_next_id++;
+ }
+ else
+ $pconfig['http_inspect_engine'] = $a_nat[$id]['http_inspect_engine'];
+
+ // See if new FTP client engine array is configured and use it;
+ // otherwise create a default engine configuration..
+ if (empty($pconfig['ftp_client_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "max_resp_len" => 256,
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "bounce" => "yes", "bounce_to_net" => "", "bounce_to_port" => "" );
+ $pconfig['ftp_client_engine']['item'] = array();
+ $pconfig['ftp_client_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['ftp_client_engine']['item']))
+ $a_nat[$id]['ftp_client_engine']['item'] = array();
+ $a_nat[$id]['ftp_client_engine']['item'][] = $default;
+ write_config();
+ $ftp_client_engine_next_id++;
+ }
+ else
+ $pconfig['ftp_client_engine'] = $a_nat[$id]['ftp_client_engine'];
+
+ // See if new FTP server engine array is configured and use it;
+ // otherwise create a default engine configuration..
+ if (empty($pconfig['ftp_server_engine']['item'])) {
+ $default = array( "name" => "default", "bind_to" => "all", "ports" => "default",
+ "telnet_cmds" => "no", "ignore_telnet_erase_cmds" => "yes",
+ "ignore_data_chan" => "no", "def_max_param_len" => 100 );
+ $pconfig['ftp_server_engine']['item'] = array();
+ $pconfig['ftp_server_engine']['item'][] = $default;
+ if (!is_array($a_nat[$id]['ftp_server_engine']['item']))
+ $a_nat[$id]['ftp_server_engine']['item'] = array();
+ $a_nat[$id]['ftp_server_engine']['item'][] = $default;
+ write_config();
+ $ftp_server_engine_next_id++;
+ }
+ else
+ $pconfig['ftp_server_engine'] = $a_nat[$id]['ftp_server_engine'];
/* If not using the Snort VRT rules, then disable */
/* the Sensitive Data (sdf) preprocessor. */
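Review bot: The five default-engine blocks, from `if (empty($pconfig['frag3_engine']['item']))` through the ftp_server one, each call `write_config()` on their own, so a first GET of this page can serialise and save config.xml up to five times; set a `$need_write = true` flag in each block and issue a single `write_config()` after the last one. The `if (!is_array($a_nat[$id]['...']['item']))` guards inside each block are already satisfied by the initialisation added near the top of this file in the same change, so they can go. The `$default` arrays also duplicate, literal for literal, the defaults that snort_post_install.php builds in this diff (e.g. its `$http_inspect_default_engine`), which means the two copies will drift; presumably they belong in one shared function in the package include that both pages call. The enclosing `if (isset($id) && $a_nat[$id])` block starts and ends outside the hunk.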
@@ -134,10 +246,30 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['max_attribute_hosts'] = '10000';
if (empty($pconfig['max_attribute_services_per_host']))
$pconfig['max_attribute_services_per_host'] = '10';
- if (empty($pconfig['max_paf']))
+
+ if (empty($pconfig['max_paf']) && $pconfig['max_paf'] <> 0)
$pconfig['max_paf'] = '16000';
+
if (empty($pconfig['ftp_preprocessor']))
$pconfig['ftp_preprocessor'] = 'on';
+ if (empty($pconfig['ftp_telnet_inspection_type']))
+ $pconfig['ftp_telnet_inspection_type'] = 'stateful';
+ if (empty($pconfig['ftp_telnet_alert_encrypted']))
+ $pconfig['ftp_telnet_alert_encrypted'] = 'off';
+ if (empty($pconfig['ftp_telnet_check_encrypted']))
+ $pconfig['ftp_telnet_check_encrypted'] = 'on';
+ if (empty($pconfig['ftp_telnet_normalize']))
+ $pconfig['ftp_telnet_normalize'] = 'on';
+ if (empty($pconfig['ftp_telnet_detect_anomalies']))
+ $pconfig['ftp_telnet_detect_anomalies'] = 'on';
+ if (empty($pconfig['ftp_telnet_ayt_attack_threshold']) && $pconfig['ftp_telnet_ayt_attack_threshold'] <> 0)
+ $pconfig['ftp_telnet_ayt_attack_threshold'] = '20';
+ if (empty($pconfig['sdf_alert_data_type']))
+ $pconfig['sdf_alert_data_type'] = "Credit Card,Email Addresses,U.S. Phone Numbers,U.S. Social Security Numbers";
+ if (empty($pconfig['sdf_alert_threshold']))
+ $pconfig['sdf_alert_threshold'] = '25';
+ if (empty($pconfig['sdf_mask_output']))
+ $pconfig['sdf_mask_output'] = 'off';
if (empty($pconfig['smtp_preprocessor']))
$pconfig['smtp_preprocessor'] = 'on';
if (empty($pconfig['dce_rpc_2']))
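Review bot: The default on the `if (empty($pconfig['max_paf']) && $pconfig['max_paf'] <> 0)` line never fires for an absent value: `null <> 0` is false under loose comparison (and `'' <> 0` is false as well on the PHP 5/7 builds of that era), so the second operand is false precisely when the first is true and `max_paf` stays unset instead of becoming 16000; the same guard is repeated for `ftp_telnet_ayt_attack_threshold`. The evident intent is to keep a legitimate 0 while defaulting a missing value, which `if (!isset($pconfig['max_paf']) || $pconfig['max_paf'] === '')` does. The enclosing `if (isset($id) && $a_nat[$id])` block starts and ends outside the hunk.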
@@ -156,46 +288,48 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['other_preprocs'] = 'on';
if (empty($pconfig['ssh_preproc']))
$pconfig['ssh_preproc'] = 'on';
+
+ if (empty($pconfig['http_inspect']))
+ $pconfig['http_inspect'] = "on";
+ if (empty($pconfig['http_inspect_proxy_alert']))
+ $pconfig['http_inspect_proxy_alert'] = "off";
if (empty($pconfig['http_inspect_memcap']))
$pconfig['http_inspect_memcap'] = "150994944";
- if (empty($pconfig['frag3_overlap_limit']))
- $pconfig['frag3_overlap_limit'] = '0';
- if (empty($pconfig['frag3_min_frag_len']))
- $pconfig['frag3_min_frag_len'] = '0';
+ if (empty($pconfig['http_inspect_max_gzip_mem']))
+ $pconfig['http_inspect_max_gzip_mem'] = "838860";
+
if (empty($pconfig['frag3_max_frags']))
$pconfig['frag3_max_frags'] = '8192';
- if (empty($pconfig['frag3_policy']))
- $pconfig['frag3_policy'] = 'bsd';
if (empty($pconfig['frag3_memcap']))
$pconfig['frag3_memcap'] = '4194304';
- if (empty($pconfig['frag3_timeout']))
- $pconfig['frag3_timeout'] = '60';
if (empty($pconfig['frag3_detection']))
$pconfig['frag3_detection'] = 'on';
+
if (empty($pconfig['stream5_reassembly']))
$pconfig['stream5_reassembly'] = 'on';
+ if (empty($pconfig['stream5_flush_on_alert']))
+ $pconfig['stream5_flush_on_alert'] = 'off';
+ if (empty($pconfig['stream5_prune_log_max']) && $pconfig['stream5_prune_log_max'] <> 0)
+ $pconfig['stream5_prune_log_max'] = '1048576';
if (empty($pconfig['stream5_track_tcp']))
$pconfig['stream5_track_tcp'] = 'on';
+ if (empty($pconfig['stream5_max_tcp']))
+ $pconfig['stream5_max_tcp'] = '262144';
if (empty($pconfig['stream5_track_udp']))
$pconfig['stream5_track_udp'] = 'on';
- if (empty($pconfig['stream5_track_icmp']))
- $pconfig['stream5_track_icmp'] = 'off';
- if (empty($pconfig['stream5_require_3whs']))
- $pconfig['stream5_require_3whs'] = 'off';
- if (empty($pconfig['stream5_overlap_limit']))
- $pconfig['stream5_overlap_limit'] = '0';
- if (empty($pconfig['stream5_tcp_timeout']))
- $pconfig['stream5_tcp_timeout'] = '30';
+ if (empty($pconfig['stream5_max_udp']))
+ $pconfig['stream5_max_udp'] = '131072';
if (empty($pconfig['stream5_udp_timeout']))
$pconfig['stream5_udp_timeout'] = '30';
+ if (empty($pconfig['stream5_track_icmp']))
+ $pconfig['stream5_track_icmp'] = 'off';
+ if (empty($pconfig['stream5_max_icmp']))
+ $pconfig['stream5_max_icmp'] = '65536';
if (empty($pconfig['stream5_icmp_timeout']))
$pconfig['stream5_icmp_timeout'] = '30';
- if (empty($pconfig['stream5_no_reassemble_async']))
- $pconfig['stream5_no_reassemble_async'] = 'off';
- if (empty($pconfig['stream5_dont_store_lg_pkts']))
- $pconfig['stream5_dont_store_lg_pkts'] = 'off';
- if (empty($pconfig['stream5_policy']))
- $pconfig['stream5_policy'] = 'bsd';
+ if (empty($pconfig['stream5_mem_cap']))
+ $pconfig['stream5_mem_cap']= '8388608';
+
if (empty($pconfig['pscan_protocol']))
$pconfig['pscan_protocol'] = 'all';
if (empty($pconfig['pscan_type']))
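Review bot: The `if (empty($pconfig['stream5_prune_log_max']) && $pconfig['stream5_prune_log_max'] <> 0)` line has the same problem as the other `<> 0` guards in this file: for an absent key `null <> 0` is false, so the 1048576 default is never applied and the value is left unset. Use `if (!isset($pconfig['stream5_prune_log_max']) || $pconfig['stream5_prune_log_max'] === '')` to default only when the setting is genuinely missing while still accepting 0. The enclosing `if (isset($id) && $a_nat[$id])` block starts and ends outside the hunk.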
@@ -210,6 +344,34 @@ if (isset($id) && $a_nat[$id]) {
$iface = snort_get_friendly_interface($pconfig['interface']);
$disabled_rules_log = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log";
+if ($_GET['act'] && isset($_GET['eng_id'])) {
+
+ $natent = array();
+ $natent = $pconfig;
+
+ if ($_GET['act'] == "del_frag3")
+ unset($natent['frag3_engine']['item'][$_GET['eng_id']]);
+ elseif ($_GET['act'] == "del_stream5_tcp")
+ unset($natent['stream5_tcp_engine']['item'][$_GET['eng_id']]);
+ elseif ($_GET['act'] == "del_http_inspect")
+ unset($natent['http_inspect_engine']['item'][$_GET['eng_id']]);
+ elseif ($_GET['act'] == "del_ftp_server")
+ unset($natent['ftp_server_engine']['item'][$_GET['eng_id']]);
+
+ if (isset($id) && $a_nat[$id]) {
+ $a_nat[$id] = $natent;
+ write_config();
+ }
+
+ header("Location: snort_preprocessors.php?id=$id");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+}
+
if ($_POST['ResetAll']) {
/* Reset all the preprocessor settings to defaults */
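Review bot: The `import` branch writes `$_GET['varname']` straight into `$pconfig` as an arbitrary key, so any preprocessor setting on this page can be preset from a crafted link before the form is submitted; restrict it to the field names the alias picker is expected to hand back, e.g. `if ($_GET['act'] == "import" && in_array($_GET['varname'], $alias_fields, true) && !empty($_GET['varvalue']))` with `$alias_fields` holding those names. The `del_*` actions above it call `write_config()` on a plain GET with an unchecked `$_GET['eng_id']`, which is a persisted state change without a POST or CSRF check; at minimum guard the index with `is_numeric($_GET['eng_id'])` and consider moving the deletes behind a POST. `$id` is interpolated into the Location header unescaped, and because its origin is outside this hunk it cannot be confirmed here whether it has already been validated.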
@@ -218,32 +380,30 @@ if ($_POST['ResetAll']) {
$pconfig['max_attribute_hosts'] = '10000';
$pconfig['max_attribute_services_per_host'] = '10';
$pconfig['max_paf'] = '16000';
- $pconfig['server_flow_depth'] = "300";
- $pconfig['http_server_profile'] = "all";
- $pconfig['client_flow_depth'] = "300";
$pconfig['stream5_reassembly'] = "on";
- $pconfig['stream5_require_3whs'] = "off";
+ $pconfig['stream5_flush_on_alert'] = 'off';
+ $pconfig['stream5_prune_log_max'] = '1048576';
$pconfig['stream5_track_tcp'] = "on";
+ $pconfig['stream5_max_tcp'] = "262144";
$pconfig['stream5_track_udp'] = "on";
+ $pconfig['stream5_max_udp'] = "131072";
$pconfig['stream5_track_icmp'] = "off";
- $pconfig['max_queued_bytes'] = "1048576";
- $pconfig['max_queued_segs'] = "2621";
- $pconfig['stream5_overlap_limit'] = "0";
- $pconfig['stream5_policy'] = "bsd";
+ $pconfig['stream5_max_icmp'] = "65536";
$pconfig['stream5_mem_cap'] = "8388608";
- $pconfig['stream5_tcp_timeout'] = "30";
$pconfig['stream5_udp_timeout'] = "30";
$pconfig['stream5_icmp_timeout'] = "30";
- $pconfig['stream5_no_reassemble_async'] = "off";
- $pconfig['stream5_dont_store_lg_pkts'] = "off";
$pconfig['http_inspect'] = "on";
- $pconfig['http_inspect_enable_xff'] = "off";
- $pconfig['http_inspect_log_uri'] = "off";
- $pconfig['http_inspect_log_hostname'] = "off";
- $pconfig['noalert_http_inspect'] = "on";
+ $pconfig['http_inspect_proxy_alert'] = "off";
$pconfig['http_inspect_memcap'] = "150994944";
+ $pconfig['http_inspect_max_gzip_mem'] = "838860";
$pconfig['other_preprocs'] = "on";
$pconfig['ftp_preprocessor'] = "on";
+ $pconfig['ftp_telnet_inspection_type'] = "stateful";
+ $pconfig['ftp_telnet_alert_encrypted'] = "off";
+ $pconfig['ftp_telnet_check_encrypted'] = "on";
+ $pconfig['ftp_telnet_normalize'] = "on";
+ $pconfig['ftp_telnet_detect_anomalies'] = "on";
+ $pconfig['ftp_telnet_ayt_attack_threshold'] = "20";
$pconfig['smtp_preprocessor'] = "on";
$pconfig['sf_portscan'] = "off";
$pconfig['pscan_protocol'] = "all";
@@ -254,6 +414,9 @@ if ($_POST['ResetAll']) {
$pconfig['dce_rpc_2'] = "on";
$pconfig['dns_preprocessor'] = "on";
$pconfig['sensitive_data'] = "off";
+ $pconfig['sdf_alert_data_type'] = "Credit Card,Email Addresses,U.S. Phone Numbers,U.S. Social Security Numbers";
+ $pconfig['sdf_alert_threshold'] = "25";
+ $pconfig['sdf_mask_output'] = "off";
$pconfig['ssl_preproc'] = "on";
$pconfig['pop_preproc'] = "on";
$pconfig['imap_preproc'] = "on";
@@ -265,22 +428,23 @@ if ($_POST['ResetAll']) {
$pconfig['preproc_auto_rule_disable'] = "off";
$pconfig['protect_preproc_rules'] = "off";
$pconfig['frag3_detection'] = "on";
- $pconfig['frag3_overlap_limit'] = "0";
- $pconfig['frag3_min_frag_len'] = "0";
- $pconfig['frag3_policy'] = "bsd";
$pconfig['frag3_max_frags'] = "8192";
$pconfig['frag3_memcap'] = "4194304";
- $pconfig['frag3_timeout'] = "60";
/* Log a message at the top of the page to inform the user */
- $savemsg = "All preprocessor settings have been reset to the defaults.";
+ $savemsg = gettext("All preprocessor settings have been reset to their defaults.");
}
elseif ($_POST['Submit']) {
$natent = array();
$natent = $pconfig;
- if ($_POST['pscan_ignore_scanners'] && !is_alias($_POST['pscan_ignore_scanners']))
- $input_errors[] = "Only aliases are allowed for the Portscan IGNORE_SCANNERS option.";
+ // Validate SDF alert threshold and alert data type values if SDF is enabled
+ if ($_POST['sensitive_data'] == 'on') {
+ if ($_POST['sdf_alert_threshold'] < 1 || $_POST['sdf_alert_threshold'] > 65535)
+ $input_errors[] = gettext("The value for Sensitive_Data_Alert_Threshold must be between 1 and 65,535.");
+ if (empty($_POST['sdf_alert_data_type']))
+ $input_errors[] = gettext("You must select at least one sensitive data type to inspect for when Sensitive Data detection is enabled.");
+ }
/* if no errors write to conf */
if (!$input_errors) {
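Review bot: The range check on `sdf_alert_threshold` never establishes that the value is numeric, so a non-numeric string is compared with PHP's loose comparison rules and whether it is rejected depends on the PHP version; the raw value is later stored and presumably ends up in the generated Snort configuration. Suggest `if (!is_numeric($_POST['sdf_alert_threshold']) || $_POST['sdf_alert_threshold'] < 1 || $_POST['sdf_alert_threshold'] > 65535)`. The commit also drops the `is_alias()` check on `pscan_ignore_scanners` without a replacement; the field is still posted and saved further down, so even if the alias picker is now the intended source, a server-side check is still warranted because the POST value remains user-controlled. The `elseif ($_POST['Submit'])` branch continues past the end of this hunk.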
@@ -288,48 +452,45 @@ elseif ($_POST['Submit']) {
if ($_POST['max_attribute_hosts'] != "") { $natent['max_attribute_hosts'] = $_POST['max_attribute_hosts']; }else{ $natent['max_attribute_hosts'] = "10000"; }
if ($_POST['max_attribute_services_per_host'] != "") { $natent['max_attribute_services_per_host'] = $_POST['max_attribute_services_per_host']; }else{ $natent['max_attribute_services_per_host'] = "10"; }
if ($_POST['max_paf'] != "") { $natent['max_paf'] = $_POST['max_paf']; }else{ $natent['max_paf'] = "16000"; }
- if ($_POST['server_flow_depth'] != "") { $natent['server_flow_depth'] = $_POST['server_flow_depth']; }else{ $natent['server_flow_depth'] = "300"; }
- if ($_POST['http_server_profile'] != "") { $natent['http_server_profile'] = $_POST['http_server_profile']; }else{ $natent['http_server_profile'] = "all"; }
- if ($_POST['client_flow_depth'] != "") { $natent['client_flow_depth'] = $_POST['client_flow_depth']; }else{ $natent['client_flow_depth'] = "300"; }
if ($_POST['http_inspect_memcap'] != "") { $natent['http_inspect_memcap'] = $_POST['http_inspect_memcap']; }else{ $natent['http_inspect_memcap'] = "150994944"; }
- if ($_POST['stream5_overlap_limit'] != "") { $natent['stream5_overlap_limit'] = $_POST['stream5_overlap_limit']; }else{ $natent['stream5_overlap_limit'] = "0"; }
- if ($_POST['stream5_policy'] != "") { $natent['stream5_policy'] = $_POST['stream5_policy']; }else{ $natent['stream5_policy'] = "bsd"; }
+ if ($_POST['http_inspect_max_gzip_mem'] != "") { $natent['http_inspect_max_gzip_mem'] = $_POST['http_inspect_max_gzip_mem']; }else{ $natent['http_inspect_max_gzip_mem'] = "838860"; }
if ($_POST['stream5_mem_cap'] != "") { $natent['stream5_mem_cap'] = $_POST['stream5_mem_cap']; }else{ $natent['stream5_mem_cap'] = "8388608"; }
- if ($_POST['stream5_tcp_timeout'] != "") { $natent['stream5_tcp_timeout'] = $_POST['stream5_tcp_timeout']; }else{ $natent['stream5_tcp_timeout'] = "30"; }
+ if ($_POST['stream5_prune_log_max'] != "") { $natent['stream5_prune_log_max'] = $_POST['stream5_prune_log_max']; }else{ $natent['stream5_prune_log_max'] = "1048576"; }
if ($_POST['stream5_udp_timeout'] != "") { $natent['stream5_udp_timeout'] = $_POST['stream5_udp_timeout']; }else{ $natent['stream5_udp_timeout'] = "30"; }
if ($_POST['stream5_icmp_timeout'] != "") { $natent['stream5_icmp_timeout'] = $_POST['stream5_icmp_timeout']; }else{ $natent['stream5_icmp_timeout'] = "30"; }
- if ($_POST['max_queued_bytes'] != "") { $natent['max_queued_bytes'] = $_POST['max_queued_bytes']; }else{ $natent['max_queued_bytes'] = "1048576"; }
- if ($_POST['max_queued_segs'] != "") { $natent['max_queued_segs'] = $_POST['max_queued_segs']; }else{ $natent['max_queued_segs'] = "2621"; }
+ if ($_POST['stream5_max_tcp'] != "") { $natent['stream5_max_tcp'] = $_POST['stream5_max_tcp']; }else{ $natent['stream5_max_tcp'] = "262144"; }
+ if ($_POST['stream5_max_udp'] != "") { $natent['stream5_max_udp'] = $_POST['stream5_max_udp']; }else{ $natent['stream5_max_udp'] = "131072"; }
+ if ($_POST['stream5_max_icmp'] != "") { $natent['stream5_max_icmp'] = $_POST['stream5_max_icmp']; }else{ $natent['stream5_max_icmp'] = "65536"; }
if ($_POST['pscan_protocol'] != "") { $natent['pscan_protocol'] = $_POST['pscan_protocol']; }else{ $natent['pscan_protocol'] = "all"; }
if ($_POST['pscan_type'] != "") { $natent['pscan_type'] = $_POST['pscan_type']; }else{ $natent['pscan_type'] = "all"; }
if ($_POST['pscan_memcap'] != "") { $natent['pscan_memcap'] = $_POST['pscan_memcap']; }else{ $natent['pscan_memcap'] = "10000000"; }
if ($_POST['pscan_sense_level'] != "") { $natent['pscan_sense_level'] = $_POST['pscan_sense_level']; }else{ $natent['pscan_sense_level'] = "medium"; }
- if ($_POST['frag3_overlap_limit'] != "") { $natent['frag3_overlap_limit'] = $_POST['frag3_overlap_limit']; }else{ $natent['frag3_overlap_limit'] = "0"; }
- if ($_POST['frag3_min_frag_len'] != "") { $natent['frag3_min_frag_len'] = $_POST['frag3_min_frag_len']; }else{ $natent['frag3_min_frag_len'] = "0"; }
- if ($_POST['frag3_policy'] != "") { $natent['frag3_policy'] = $_POST['frag3_policy']; }else{ $natent['frag3_policy'] = "bsd"; }
+ if ($_POST['pscan_ignore_scanners'] != "") { $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners']; }else{ $natent['pscan_ignore_scanners'] = ""; }
if ($_POST['frag3_max_frags'] != "") { $natent['frag3_max_frags'] = $_POST['frag3_max_frags']; }else{ $natent['frag3_max_frags'] = "8192"; }
if ($_POST['frag3_memcap'] != "") { $natent['frag3_memcap'] = $_POST['frag3_memcap']; }else{ $natent['frag3_memcap'] = "4194304"; }
- if ($_POST['frag3_timeout'] != "") { $natent['frag3_timeout'] = $_POST['frag3_timeout']; }else{ $natent['frag3_timeout'] = "60"; }
+ if ($_POST['ftp_telnet_inspection_type'] != "") { $natent['ftp_telnet_inspection_type'] = $_POST['ftp_telnet_inspection_type']; }else{ $natent['ftp_telnet_inspection_type'] = "stateful"; }
+ if ($_POST['ftp_telnet_ayt_attack_threshold'] != "") { $natent['ftp_telnet_ayt_attack_threshold'] = $_POST['ftp_telnet_ayt_attack_threshold']; }else{ $natent['ftp_telnet_ayt_attack_threshold'] = "20"; }
+ if ($_POST['sdf_alert_threshold'] != "") { $natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold']; }else{ $natent['sdf_alert_threshold'] = "25"; }
- if ($_POST['pscan_ignore_scanners'])
- $natent['pscan_ignore_scanners'] = $_POST['pscan_ignore_scanners'];
- else
- unset($natent['pscan_ignore_scanners']);
+ // Set SDF inspection types
+ $natent['sdf_alert_data_type'] = implode(",",$_POST['sdf_alert_data_type']);
$natent['perform_stat'] = $_POST['perform_stat'] ? 'on' : 'off';
$natent['host_attribute_table'] = $_POST['host_attribute_table'] ? 'on' : 'off';
$natent['http_inspect'] = $_POST['http_inspect'] ? 'on' : 'off';
- $natent['http_inspect_enable_xff'] = $_POST['http_inspect_enable_xff'] ? 'on' : 'off';
- $natent['http_inspect_log_uri'] = $_POST['http_inspect_log_uri'] ? 'on' : 'off';
- $natent['http_inspect_log_hostname'] = $_POST['http_inspect_log_hostname'] ? 'on' : 'off';
- $natent['noalert_http_inspect'] = $_POST['noalert_http_inspect'] ? 'on' : 'off';
+ $natent['http_inspect_proxy_alert'] = $_POST['http_inspect_proxy_alert'] ? 'on' : 'off';
$natent['other_preprocs'] = $_POST['other_preprocs'] ? 'on' : 'off';
$natent['ftp_preprocessor'] = $_POST['ftp_preprocessor'] ? 'on' : 'off';
+ $natent['ftp_telnet_alert_encrypted'] = $_POST['ftp_telnet_alert_encrypted'] ? 'on' : 'off';
+ $natent['ftp_telnet_check_encrypted'] = $_POST['ftp_telnet_check_encrypted'] ? 'on' : 'off';
+ $natent['ftp_telnet_normalize'] = $_POST['ftp_telnet_normalize'] ? 'on' : 'off';
+ $natent['ftp_telnet_detect_anomalies'] = $_POST['ftp_telnet_detect_anomalies'] ? 'on' : 'off';
$natent['smtp_preprocessor'] = $_POST['smtp_preprocessor'] ? 'on' : 'off';
$natent['sf_portscan'] = $_POST['sf_portscan'] ? 'on' : 'off';
$natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off';
$natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off';
$natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off';
+ $natent['sdf_mask_output'] = $_POST['sdf_mask_output'] ? 'on' : 'off';
$natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off';
$natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off';
$natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off';
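Review bot: `implode(",", $_POST['sdf_alert_data_type'])` assumes the field is always an array, but when no checkbox is selected the key is absent from `$_POST`, and with Sensitive Data switched off the emptiness check in the validation block never runs, so `implode()` receives null (a warning on older PHP, a TypeError on PHP 8). Guard it: `$natent['sdf_alert_data_type'] = (isset($_POST['sdf_alert_data_type']) && is_array($_POST['sdf_alert_data_type'])) ? implode(",", $_POST['sdf_alert_data_type']) : "";`. The newly added numeric fields (`stream5_max_tcp`, `stream5_max_udp`, `stream5_max_icmp`, `http_inspect_max_gzip_mem`, `ftp_telnet_ayt_attack_threshold`, `stream5_prune_log_max`) are stored with only a `!= ""` test; if the generator writes them into snort.conf verbatim, an `is_numeric()` check before storing would keep a malformed value from breaking Snort at start-up.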
@@ -343,28 +504,20 @@ elseif ($_POST['Submit']) {
$natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off';
$natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off';
$natent['stream5_reassembly'] = $_POST['stream5_reassembly'] ? 'on' : 'off';
+ $natent['stream5_flush_on_alert'] = $_POST['stream5_flush_on_alert'] ? 'on' : 'off';
$natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off';
$natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off';
$natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off';
- $natent['stream5_require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off';
- $natent['stream5_no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off';
- $natent['stream5_dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off';
/* If 'preproc_auto_rule_disable' is off, then clear log file */
if ($natent['preproc_auto_rule_disable'] == 'off')
@unlink("{$disabled_rules_log}");
- if (isset($id) && $a_nat[$id])
+ if (isset($id) && $a_nat[$id]) {
$a_nat[$id] = $natent;
- else {
- if (is_numeric($after))
- array_splice($a_nat, $after+1, 0, array($natent));
- else
- $a_nat[] = $natent;
+ write_config();
}
- write_config();
-
/* Set flag to rebuild rules for this interface */
$rebuild_rules = true;
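Review bot: With the `else` branch removed, a submit whose `$id` does not match an existing `$a_nat` entry is now silently discarded — nothing is written and no `$input_errors` entry is added — yet `$rebuild_rules` is still set and the page proceeds as if the save succeeded. Report the condition and skip the rebuild in that case, e.g. `} else { $input_errors[] = gettext("Invalid interface id - settings were not saved."); }` and move `$rebuild_rules = true;` inside the `if` that performs the write. The enclosing `elseif ($_POST['Submit'])` block starts outside this hunk.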
@@ -436,7 +589,7 @@ if ($pconfig['host_attribute_table'] == 'on' && empty($pconfig['host_attribute_d
$input_errors[] = gettext("The Host Attribute Table option is enabled, but no Host Attribute data has been loaded. Data may be entered manually or imported from a suitable file.");
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface {$if_friendly}: Preprocessors and Flow";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Preprocessors and Flow");
include_once("head.inc");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="enable_change_all()">
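Review bot: `gettext("Snort: Interface {$if_friendly} - Preprocessors and Flow")` interpolates the interface name into the msgid, so the string can never match a catalog entry and the translation is silently lost for every interface. Use a placeholder and format afterwards: `$pgtitle = sprintf(gettext("Snort: Interface %s - Preprocessors and Flow"), $if_friendly);`. The same pattern appears later in this file's Server Configuration table, where `gettext($v['name'])` and `gettext($v['bind_to'])` pass stored config values as msgids; those should be plain (escaped) output rather than gettext calls.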
@@ -546,7 +699,7 @@ include_once("head.inc");
<?php if (file_exists($disabled_rules_log) && filesize($disabled_rules_log) > 0): ?>
<tr>
<td width="3%">&nbsp;</td>
- <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600)"/>
+ <td class="vexpl"><input type="button" class="formbtn" value="View" onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$disabled_rules_log;?>','FileViewer',800,600);">
&nbsp;&nbsp;&nbsp;<?php echo gettext("Click to view the list of currently auto-disabled rules"); ?></td>
</tr>
<?php endif; ?>
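Review bot: `$id` and `$disabled_rules_log` are echoed unescaped into a JavaScript string literal inside an HTML attribute on the `onclick` line, so a quote, `&` or `'` in either value breaks out of the `wopen()` argument. `$disabled_rules_log` is built from the friendly interface name and `$id`'s origin is outside this hunk, so real exposure is probably limited, but the values should still be encoded for the URL context they land in: `onclick="wopen('snort_rules_edit.php?id=<?=urlencode($id);?>&amp;openruleset=<?=urlencode($disabled_rules_log);?>','FileViewer',800,600);">`.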
@@ -554,7 +707,7 @@ include_once("head.inc");
</td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Host Attribute Table Settings"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Host Attribute Table"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
@@ -564,13 +717,11 @@ include_once("head.inc");
<?php echo gettext("Use a Host Attribute Table file to auto-configure applicable preprocessors. " .
"Default is "); ?><strong><?php echo gettext("Not Checked"); ?></strong>.</td>
</tr>
- <tr>
+ <tr id="host_attrib_table_data_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Host Attribute Data"); ?></td>
<td width="78%" class="vtable"><strong><?php echo gettext("Import From File"); ?></strong><br/>
- <input name="host_attribute_file" type="file" class="formfld unknown" value="on" id="host_attribute_file" size="40"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>>&nbsp;&nbsp;
- <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>><br/>
+ <input name="host_attribute_file" type="file" class="formfld file" value="on" id="host_attribute_file" size="40">&nbsp;&nbsp;
+ <input type="submit" name="btn_import" id="btn_import" value="Import" class="formbtn"><br/>
<?php echo gettext("Choose the Host Attributes file to use for auto-configuration."); ?><br/><br/>
<span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span>
<?php echo gettext("The Host Attributes file has a required format. See the "); ?><a href="http://manual.snort.org/" target="_blank">
@@ -580,9 +731,8 @@ include_once("head.inc");
<a href="http://code.google.com/p/hogger/" target="_blank"><?php echo gettext("Hogger"); ?></a><?php echo gettext(" or "); ?>
<a href="http://gamelinux.github.io/prads/" target="_blank"><?php echo gettext("PRADS"); ?></a><?php echo gettext(" can be used to " .
"scan networks and automatically generate a suitable Host Attribute Table file for import."); ?><br/><br/>
- <input type="submit" id="btn_edit_hat" name="btn_edit_hat" value="<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext(" Edit ");} else {echo gettext("Create");} ?>"
- class="formbtn"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>>&nbsp;&nbsp;
+ <input type="submit" id="btn_edit_hat" name="btn_edit_hat" value="<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext(" Edit ");}
+ else {echo gettext("Create");} ?>" class="formbtn">&nbsp;&nbsp;
<?php if (!empty($pconfig['host_attribute_data'])) {echo gettext("Click to View or Edit the Host Attribute data.");}
else {echo gettext("Click to Create Host Attribute data manually.");}
if ($pconfig['host_attribute_table']=="on" && empty($pconfig['host_attribute_data'])){
@@ -590,14 +740,13 @@ include_once("head.inc");
gettext("No Host Attribute Data loaded - import from a file or enter it manually.");
} ?></td>
</tr>
- <tr>
+ <tr id="host_attrib_table_maxhosts_row">
<td valign="top" class="vncell"><?php echo gettext("Maximum Hosts"); ?></td>
<td class="vtable">
<table cellpadding="0" cellspacing="0">
<tr>
- <td><input name="max_attribute_hosts" type="text" class="formfld" id="max_attribute_hosts" size="6"
- value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>>&nbsp;&nbsp;
+ <td><input name="max_attribute_hosts" type="text" class="formfld unknown" id="max_attribute_hosts" size="9"
+ value="<?=htmlspecialchars($pconfig['max_attribute_hosts']);?>">&nbsp;&nbsp;
<?php echo gettext("Max number of hosts to read from the Attribute Table. Min is ") .
"<strong>" . gettext("32") . "</strong>" . gettext(" and Max is ") . "<strong>" .
gettext("524288") . "</strong>"; ?>.</td>
@@ -608,14 +757,13 @@ include_once("head.inc");
"Default is ") . "<strong>" . gettext("10000") . "</strong>"; ?>.<br/>
</td>
</tr>
- <tr>
+ <tr id="host_attrib_table_maxsvcs_row">
<td valign="top" class="vncell"><?php echo gettext("Maximum Services Per Host"); ?></td>
<td class="vtable">
<table cellpadding="0" cellspacing="0">
<tr>
- <td><input name="max_attribute_services_per_host" type="text" class="formfld" id="max_attribute_services_per_host" size="6"
- value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>"
- <?php if ($pconfig['host_attribute_table']<>"on") echo "disabled"; ?>>&nbsp;&nbsp;
+ <td><input name="max_attribute_services_per_host" type="text" class="formfld unknown" id="max_attribute_services_per_host" size="9"
+ value="<?=htmlspecialchars($pconfig['max_attribute_services_per_host']);?>">&nbsp;&nbsp;
<?php echo gettext("Max number of per host services to read from the Attribute Table. Min is ") .
"<strong>" . gettext("1") . "</strong>" . gettext(" and Max is ") . "<strong>" .
gettext("65535") . "</strong>"; ?>.</td>
@@ -627,250 +775,185 @@ include_once("head.inc");
</td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Protocol Aware Flushing Setting"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Protocol Aware Flushing"); ?></td>
</tr>
<tr>
<td valign="top" class="vncell"><?php echo gettext("Protocol Aware Flushing Maximum PDU"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="max_paf" type="text" class="formfld" id="max_paf" size="6"
- value="<?=htmlspecialchars($pconfig['max_paf']);?>">&nbsp;&nbsp;
- <?php echo gettext("Max number of PDUs to be reassembled into a single PDU. Min is ") .
- "<strong>" . gettext("0") . "</strong>" . gettext(" (off) and Max is ") . "<strong>" .
- gettext("63780") . "</strong>"; ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be " .
- "reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets. " .
- "Default is ") . "<strong>" . gettext("16000") . "</strong>. " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.<br/>
+ <input name="max_paf" type="text" class="formfld unknown" id="max_paf" size="9"
+ value="<?=htmlspecialchars($pconfig['max_paf']);?>">&nbsp;
+ <?php echo gettext("Max number of PDUs to be reassembled into a single PDU. Min is ") .
+ "<strong>" . gettext("0") . "</strong>" . gettext(" (off) and Max is ") . "<strong>" .
+ gettext("63780") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("Multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments, will be " .
+ "reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets. " .
+ "Default is ") . "<strong>" . gettext("16000") . "</strong>. " . gettext("A value of 0 disables Protocol Aware Flushing."); ?>.<br/>
</td>
</tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect Settings"); ?></td>
+ <tr id="httpinspect_row">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="http_inspect"
type="checkbox" value="on" id="http_inspect" onclick="http_inspect_enable_change();"
- <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?>>
- <?php echo gettext("Use HTTP Inspect to " .
- "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?>
+ <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked";?>>
+ <?php echo gettext("Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is ");?>
<strong><?php echo gettext("Checked"); ?></strong>.</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable XFF/True-Client-IP"); ?></td>
- <td width="78%" class="vtable"><input name="http_inspect_enable_xff"
- type="checkbox" value="on" id="http_inspect_enable_xff"
- <?php if ($pconfig['http_inspect_enable_xff']=="on") echo "checked"; ?>>
- <?php echo gettext("Log original client IP present in X-Forwarded-For or True-Client-IP " .
- "HTTP headers. Default is "); ?>
- <strong><?php echo gettext("Not Checked"); ?></strong>.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable URI Logging"); ?></td>
- <td width="78%" class="vtable"><input name="http_inspect_log_uri"
- type="checkbox" value="on" id="http_inspect_log_uri"
- <?php if ($pconfig['http_inspect_log_uri']=="on") echo "checked"; ?>>
- <?php echo gettext("Parse URI data from the HTTP request and log it with other session data." .
- " Default is "); ?>
- <strong><?php echo gettext("Not Checked"); ?></strong>.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Hostname Logging"); ?></td>
- <td width="78%" class="vtable"><input name="http_inspect_log_hostname"
- type="checkbox" value="on" id="http_inspect_log_hostname"
- <?php if ($pconfig['http_inspect_log_hostname']=="on") echo "checked"; ?>>
- <?php echo gettext("Parse Hostname data from the HTTP request and log it with other session data." .
- " Default is "); ?>
- <strong><?php echo gettext("Not Checked"); ?></strong>.</td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("HTTP Inspect Memory Cap"); ?></td>
+ <tr id="httpinspect_proxyalert_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Proxy Alert"); ?></td>
+ <td width="78%" class="vtable"><input name="http_inspect_proxy_alert"
+ type="checkbox" value="on" id="http_inspect_proxy_alert"
+ <?php if ($pconfig['http_inspect_proxy_alert']=="on") echo "checked";?>>
+ <?php echo gettext("Enable global alerting on HTTP server proxy usage. Default is ");?>
+ <strong><?php echo gettext("Not Checked"); ?></strong>.<br/><br/><span class="red"><strong>
+ <?php echo gettext("Note: ") . "</strong></span>" . gettext("By adding Server Configurations below and enabling " .
+ "the 'allow_proxy_use' parameter within them, alerts will be generated for web users that aren't using the configured " .
+ "proxies or are using a rogue proxy server.") . "<br/><br/><span class=\"red\"><strong>" . gettext("Warning: ") .
+ "</strong></span>" . gettext("If users are not required to configure web proxy use, you may get a lot " .
+ "of proxy alerts. Only use this feature with traditional proxy environments. Blind firewall proxies don't count!");?>
+ </td>
+ </tr>
+ <tr id="httpinspect_memcap_row">
+ <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="http_inspect_memcap" type="text" class="formfld"
- id="http_inspect_memcap" size="6"
- value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>">&nbsp;&nbsp;
- <?php echo gettext("Max memory in bytes to use for URI and Hostname logging. Min is ") .
- "<strong>" . gettext("2304") . "</strong>" . gettext(" and Max is ") . "<strong>" .
- gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Maximum amount of memory the preprocessor will use for logging the URI and Hostname data. The default " .
- "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . gettext(" (144 MB)."); ?>
- <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") .
- gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>.<br/>
+ <input name="http_inspect_memcap" type="text" class="formfld unknown"
+ id="http_inspect_memcap" size="9"
+ value="<?=htmlspecialchars($pconfig['http_inspect_memcap']);?>">&nbsp;
+ <?php echo gettext("Maximum memory in bytes to use for URI and Hostname logging. The Minimum value is ") .
+ "<strong>" . gettext("2304") . "</strong>" . gettext(" and the Maximum is ") . "<strong>" .
+ gettext("603979776") . "</strong>" . gettext(" (576 MB)"); ?>.<br/><br/>
+ <?php echo gettext("Sets the maximum amount of memory the preprocessor will use for logging the URI and Hostname data. The default " .
+ "value is ") . "<strong>" . gettext("150,994,944") . "</strong>" . gettext(" (144 MB)."); ?>
+ <?php echo gettext(" This option determines the maximum HTTP sessions that will log URI and Hostname data at any given instant. ") .
+ gettext(" Max Logged Sessions = MEMCAP / 2304"); ?>.
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td>
+ <tr id="httpinspect_maxgzipmem_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum gzip Memory"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="server_flow_depth" type="text" class="formfld"
- id="server_flow_depth" size="6"
- value="<?=htmlspecialchars($pconfig['server_flow_depth']);?>">&nbsp;&nbsp;<?php echo gettext("<strong>-1</strong> " .
- "to <strong>65535</strong> (<strong>-1</strong> disables HTTP " .
- "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td>
- </tr>
- </table>
- <?php echo gettext("Amount of HTTP server response payload to inspect. Snort's " .
- "performance may increase by adjusting this value."); ?><br/>
- <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " .
- "are specified in bytes. Recommended setting is maximum (65535). Default value is <strong>300</strong>"); ?><br/>
+ <input name="http_inspect_max_gzip_mem" type="text" class="formfld unknown"
+ id="http_inspect_memcap" size="9"
+ value="<?=htmlspecialchars($pconfig['http_inspect_max_gzip_mem']);?>">&nbsp;
+ <?php echo gettext("Maximum memory in bytes to use for decompression. The Minimum value is ") .
+ "<strong>" . gettext("3276") . "</strong>";?>.<br/><br/>
+ <?php echo gettext("The default value is ") . "<strong>" . gettext("838860") . "</strong>" . gettext(" bytes.");?>
+ <?php echo gettext(" This option determines the number of concurrent sessions that can be decompressed at any given instant.");?>
</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("HTTP server profile"); ?> </td>
- <td width="78%" class="vtable">
- <select name="http_server_profile" class="formselect" id="http_server_profile">
- <?php
- $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0');
- foreach ($profile as $val): ?>
- <option value="<?=strtolower($val);?>"
- <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>>
- <?=gettext($val);?></option>
- <?php endforeach; ?>
- </select>&nbsp;&nbsp;<?php echo gettext("Choose the profile type of the protected web server. The default is ") .
- "<strong>" . gettext("All") . "</strong>"; ?><br/>
- <?php echo gettext("IIS_4.0 and IIS_5.0 are identical to IIS except they alert on the ") .
- gettext("double decoding vulnerability present in those versions."); ?><br/>
- </td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("HTTP client flow depth"); ?></td>
+ <tr id="httpinspect_engconf_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Configuration"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="client_flow_depth" type="text" class="formfld"
- id="client_flow_depth" size="6"
- value="<?=htmlspecialchars($pconfig['client_flow_depth']);?>"> <?php echo gettext("<strong>-1</strong> " .
- "to <strong>1460</strong> (<strong>-1</strong> disables HTTP " .
- "inspect, <strong>0</strong> enables all HTTP inspect)"); ?></td>
- </tr>
- </table>
- <?php echo gettext("Amount of raw HTTP client request payload to inspect. Snort's " .
- "performance may increase by adjusting this value."); ?><br/>
- <?php echo gettext("Setting this value too low may cause false negatives. Values above 0 " .
- "are specified in bytes. Recommended setting is maximum (1460). Default value is <strong>300</strong>"); ?><br/>
+ <table width="95%" align="left" id="httpinspectEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Server Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=http_inspect_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"></a>
+ <a href="snort_httpinspect_engine.php?id=<?=$id?>&eng_id=<?=$http_inspect_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new server configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['http_inspect_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_httpinspect_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this server configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_http_inspect" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this server configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default server configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td>
- <td width="78%" class="vtable"><input name="noalert_http_inspect"
- type="checkbox" value="on" id="noalert_http_inspect"
- <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?>
- onClick="enable_change(false);"> <?php echo gettext("Turn off alerts from HTTP Inspect " .
- "preprocessor. This has no effect on HTTP rules. Default is "); ?>
- <strong><?php echo gettext("Checked"); ?></strong>.</td>
- </tr>
-
- <tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Settings"); ?></td>
+ <tr id="frag3_row">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Frag3 Target-Based IP Defragmentation"); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable");?></td>
<td width="78%" class="vtable"><input name="frag3_detection" type="checkbox" value="on" onclick="frag3_enable_change();"
- <?php if ($pconfig['frag3_detection']=="on") echo "checked "; ?>
- onClick="enable_change(false)">
+ <?php if ($pconfig['frag3_detection']=="on") echo "checked";?>>
<?php echo gettext("Use Frag3 Engine to detect IDS evasion attempts via target-based IP packet fragmentation. Default is ") .
- "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ "<strong>" . gettext("Checked") . "</strong>.";?></td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
- <td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_memcap" type="text" class="formfld"
- id="frag3_memcap" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>">
- <?php echo gettext("Memory cap (in bytes) for self preservation."); ?>.</td>
- </tr>
- </table>
+ <tr id="frag3_memcap_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Memory Cap");?></td>
+ <td width="78%" class="vtable"><input name="frag3_memcap" type="text" class="formfld unknown" id="frag3_memcap" size="9" value="<?=htmlspecialchars($pconfig['frag3_memcap']);?>">
+ <?php echo gettext("Memory cap (in bytes) for self preservation.");?><br/>
<?php echo gettext("The maximum amount of memory allocated for Frag3 fragment reassembly. Default value is ") .
- "<strong>" . gettext("4MB") . "</strong>"; ?>.<br/>
+ "<strong>" . gettext("4MB") . "</strong>."; ?>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td>
- <td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_max_frags" type="text" class="formfld"
- id="frag3_max_frags" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>">
- <?php echo gettext("Maximum simultaneous fragments to track."); ?></td>
- </tr>
- </table>
+ <tr id="frag3_maxfrags_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Maximum Fragments"); ?></td>
+ <td width="78%" class="vtable"><input name="frag3_max_frags" type="text" class="formfld unknown" id="frag3_max_frags" size="9" value="<?=htmlspecialchars($pconfig['frag3_max_frags']);?>">
+ <?php echo gettext("Maximum simultaneous fragments to track.");?>.<br/>
<?php echo gettext("The maximum number of simultaneous fragments to track. Default value is ") .
- "<strong>8192</strong>."; ?><br/>
- </td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td>
- <td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_overlap_limit" type="text" class="formfld"
- id="frag3_overlap_limit" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_overlap_limit']);?>">
- <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), values greater than zero set the overlapped fragments per packet limit."); ?></td>
- </tr>
- </table>
- <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") .
- "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/>
- </td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Minimum Fragment Length"); ?></td>
- <td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_min_frag_len" type="text" class="formfld"
- id="frag3_min_frag_len" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_min_frag_len']);?>">
- <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (check is disabled). Fragments smaller than or equal to this limit are considered malicious."); ?></td>
- </tr>
- </table>
- <?php echo gettext("Defines smallest fragment size (payload size) that should be considered valid. Default value is ") .
- "<strong>0</strong>" . gettext(" (check is disabled)."); ?><br/>
+ "<strong>8192</strong>.";?>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Timeout"); ?></td>
+ <tr id="frag3_engconf_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Engine Configuration"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="frag3_timeout" type="text" class="formfld"
- id="frag3_timeout" size="6"
- value="<?=htmlspecialchars($pconfig['frag3_timeout']);?>">
- <?php echo gettext("Timeout period in seconds for fragments in the engine."); ?></td>
- </tr>
- </table>
- <?php echo gettext("Fragments in the engine for longer than this period will be automatically dropped. Default value is ") .
- "<strong>" . gettext("60 ") . "</strong>" . gettext("seconds."); ?><br/>
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Target Policy"); ?> </td>
- <td width="78%" class="vtable">
- <select name="frag3_policy" class="formselect" id="frag3_policy">
- <?php
- $profile = array( 'BSD', 'BSD-Right', 'First', 'Last', 'Linux', 'Solaris', 'Windows' );
- foreach ($profile as $val): ?>
- <option value="<?=strtolower($val);?>"
- <?php if (strtolower($val) == $pconfig['frag3_policy']) echo "selected"; ?>>
- <?=gettext($val);?></option>
- <?php endforeach; ?>
- </select>&nbsp;&nbsp;<?php echo gettext("Choose the IP fragmentation target policy appropriate for the protected hosts. The default is ") .
- "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/>
- <?php echo gettext("Available OS targets are BSD, BSD-Right, First, Last, Linux, Solaris and Windows."); ?><br/>
+ <table width="95%" align="left" id="frag3EnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=frag3_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import engine configuration from existing Aliases");?>"></a>
+ <a href="snort_frag3_engine.php?id=<?=$id?>&eng_id=<?=$frag3_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new engine configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['frag3_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_frag3_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this engine configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_frag3" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this engine configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default engine configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
</td>
</tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td>
+ <tr id="stream5_row">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Target-Based Stream Reassembly"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
@@ -879,182 +962,155 @@ include_once("head.inc");
<?php echo gettext("Use Stream5 session reassembly for TCP, UDP and/or ICMP traffic. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
- <tr>
+ <tr id="stream5_flushonalert_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Flush On Alert"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_flush_on_alert" type="checkbox" value="on"
+ <?php if ($pconfig['stream5_flush_on_alert']=="on") echo "checked"; ?>>
+ <?php echo gettext("Flush a TCP stream when an alert is generated on that stream. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong><br/><span class=\"red\"><strong>" .
+ gettext("Note: ") . "</strong></span>" . gettext("This parameter is for backwards compatibility.");?></td>
+ </tr>
+ <tr id="stream5_prunelogmax_row">
+ <td valign="top" class="vncell"><?php echo gettext("Prune Log Max"); ?></td>
+ <td class="vtable">
+ <input name="stream5_prune_log_max" type="text" class="formfld unknown" id="stream5_prune_log_max" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_prune_log_max']);?>">
+ <?php echo gettext("Prune Log Max Bytes. Minimum can be either ") . "<strong>0</strong>" . gettext(" (disabled), or if not disabled, ") .
+ "<strong>1024</strong>" . gettext(". Maximum is ") . "<strong>" . gettext("1073741824") . "</strong>";?>.
+ <?php echo gettext("Logs a message when a session terminates that was using more than the specified number of bytes. Default value is ") .
+ "<strong>1048576</strong>" . gettext(" bytes."); ?><br/>
+ </td>
+ </tr>
+ <tr id="stream5_proto_tracking_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol Tracking"); ?></td>
<td width="78%" class="vtable">
<input name="stream5_track_tcp" type="checkbox" value="on" id="stream5_track_tcp"
- <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_track_tcp']=="on") echo "checked"; ?> onclick="stream5_track_tcp_enable_change();">
<?php echo gettext("Track and reassemble TCP sessions. Default is ") .
"<strong>" . gettext("Checked") . "</strong>."; ?>
<br/>
<input name="stream5_track_udp" type="checkbox" value="on" id="stream5_track_udp"
- <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_track_udp']=="on") echo "checked"; ?> onclick="stream5_track_udp_enable_change();">
<?php echo gettext("Track and reassemble UDP sessions. Default is ") .
"<strong>" . gettext("Checked") . "</strong>."; ?>
<br/>
<input name="stream5_track_icmp" type="checkbox" value="on" id="stream5_track_icmp"
- <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_track_icmp']=="on") echo "checked"; ?> onclick="stream5_track_icmp_enable_change();">
<?php echo gettext("Track and reassemble ICMP sessions. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong>."; ?>
</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td>
- <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on"
- <?php if ($pconfig['stream5_require_3whs']=="on") echo "checked "; ?>>
- <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") .
- "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td>
- <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on"
- <?php if ($pconfig['stream5_no_reassemble_async']=="on") echo "checked "; ?>>
- <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") .
- "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td>
- <td width="78%" class="vtable">
- <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on"
- <?php if ($pconfig['stream5_dont_store_lg_pkts']=="on") echo "checked"; ?>>
- <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") .
- "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
- <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" .
- gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?></td>
- </tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Max Queued Bytes"); ?></td>
+ <tr id="stream5_maxudp_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum UDP Sessions"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="max_queued_bytes" type="text" class="formfld"
- id="max_queued_bytes" size="6"
- value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>">
- <?php echo gettext("Minimum is <strong>1024</strong>, Maximum is <strong>1073741824</strong> " .
- "( default value is <strong>1048576</strong>, <strong>0</strong> " .
- "means Maximum )"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("The number of bytes to be queued for reassembly for TCP sessions in " .
- "memory. Default value is <strong>1048576</strong>"); ?>.<br/>
+ <input name="stream5_max_udp" type="text" class="formfld unknown" id="stream5_max_udp" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_max_udp']);?>">
+ <?php echo gettext("Maximum concurrent UDP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>" . gettext("1048576") . "</strong>.";?><br/>
+ <?php echo gettext("Sets the maximum number of concurrent UDP sessions that will be tracked. Default value is ") .
+ "<strong>" . gettext("131072") . "</strong>."; ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Max Queued Segs"); ?></td>
+ <tr id="stream5_udp_sess_timeout_row">
+ <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="max_queued_segs" type="text" class="formfld"
- id="max_queued_segs" size="6"
- value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>">
- <?php echo gettext("Minimum is <strong>2</strong>, Maximum is <strong>1073741824</strong> " .
- "( default value is <strong>2621</strong>, <strong>0</strong> means " .
- "Maximum )"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("The number of segments to be queued for reassembly for TCP sessions " .
- "in memory. Default value is <strong>2621</strong>"); ?>.<br/>
+ <input name="stream5_udp_timeout" type="text" class="formfld unknown" id="stream5_udp_timeout" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>">
+ <?php echo gettext("UDP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>" . gettext("86400") . "</strong>" . gettext(" (1 day).");?><br/>
+ <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") .
+ "<strong>" . gettext("30") . "</strong>" . gettext(" seconds."); ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
+ <tr id="stream5_maxicmp_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum ICMP Sessions"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_mem_cap" type="text" class="formfld"
- id="stream5_mem_cap" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>">
- <?php echo gettext("Minimum is <strong>32768</strong>, Maximum is <strong>1073741824</strong> " .
- "( default value is <strong>8388608</strong>) "); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("The memory cap in bytes for TCP packet storage " .
- "in RAM. Default value is <strong>8388608</strong> (8 MB)"); ?>.<br/>
+ <input name="stream5_max_icmp" type="text" class="formfld unknown" id="stream5_max_icmp" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_max_icmp']);?>">
+ <?php echo gettext("Maximum concurrent ICMP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>" . gettext("1048576") . "</strong>.";?><br/>
+ <?php echo gettext("Sets the maximum number of concurrent ICMP sessions that will be tracked. Default value is ") .
+ "<strong>" . gettext("65536") . "</strong>."; ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("Overlap Limit"); ?></td>
+ <tr id="stream5_icmp_sess_timeout_row">
+ <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_overlap_limit" type="text" class="formfld"
- id="stream5_overlap_limit" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_overlap_limit']);?>">
- <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited), and the maximum is ") .
- "<strong>255</strong>."; ?></td>
- </tr>
- </table>
- <?php echo gettext("Sets the limit for the number of overlapping fragments allowed per packet. Default value is ") .
- "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/>
+ <input name="stream5_icmp_timeout" type="text" class="formfld unknown" id="stream5_icmp_timeout" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>">
+ <?php echo gettext("ICMP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>86400</strong>" . gettext(" (1 day).");?><br/>
+ <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") .
+ "<strong>" . gettext("30") . "</strong>" . gettext(" seconds."); ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("TCP Session Timeout"); ?></td>
+ <tr id="stream5_maxtcp_row">
+ <td valign="top" class="vncell"><?php echo gettext("Maximum TCP Sessions"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_tcp_timeout" type="text" class="formfld"
- id="stream5_tcp_timeout" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_tcp_timeout']);?>">
- <?php echo gettext("TCP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") .
- "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") .
- "<strong>30</strong>" . gettext(" seconds."); ?><br/>
+ <input name="stream5_max_tcp" type="text" class="formfld unknown" id="stream5_max_tcp" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_max_tcp']);?>">
+ <?php echo gettext("Maximum concurrent TCP sessions. Min is ") . "<strong>1</strong>" . gettext(" and Max is ") .
+ "<strong>" . gettext("1048576") . "</strong>.";?><br/>
+ <?php echo gettext("Sets the maximum number of concurrent TCP sessions that will be tracked. Default value is ") .
+ "<strong>" . gettext("262144") . "</strong>."; ?><br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("UDP Session Timeout"); ?></td>
+ <tr id="stream5_tcp_memcap_row">
+ <td valign="top" class="vncell"><?php echo gettext("TCP Memory Cap"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_udp_timeout" type="text" class="formfld"
- id="stream5_udp_timeout" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_udp_timeout']);?>">
- <?php echo gettext("UDP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") .
- "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Sets the session reassembly timeout period for UDP packets. Default value is ") .
- "<strong>30</strong>" . gettext(" seconds."); ?><br/>
+ <input name="stream5_mem_cap" type="text" class="formfld unknown" id="stream5_mem_cap" size="9"
+ value="<?=htmlspecialchars($pconfig['stream5_mem_cap']);?>">
+ <?php echo gettext("Memory for TCP packet storage. Min is ") . "<strong>" . gettext("32768") . "</strong>" .
+ gettext(" and Max is ") . "<strong>" . gettext("1073741824") . "</strong>" .
+ gettext(" bytes.");?><br/>
+ <?php echo gettext("The memory cap in bytes for TCP packet storage " .
+ "in RAM. Default value is ") . "<strong>" . gettext("8388608") . "</strong>" . gettext(" (8 MB)"); ?>.<br/>
</td>
</tr>
- <tr>
- <td valign="top" class="vncell"><?php echo gettext("ICMP Session Timeout"); ?></td>
+ <tr id="stream5_tcp_engconf_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Engine Configuration"); ?></td>
<td class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td><input name="stream5_icmp_timeout" type="text" class="formfld"
- id="stream5_icmp_timeout" size="6"
- value="<?=htmlspecialchars($pconfig['stream5_icmp_timeout']);?>">
- <?php echo gettext("ICMP Session timeout in seconds. Minimum is ") . "<strong>1</strong>" . gettext(" and the maximum is ") .
- "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.</td>
- </tr>
- </table>
- <?php echo gettext("Sets the session reassembly timeout period for ICMP packets. Default value is ") .
- "<strong>30</strong>" . gettext(" seconds."); ?><br/>
- </td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("IP Target Policy"); ?></td>
- <td width="78%" class="vtable">
- <select name="stream5_policy" class="formselect" id="stream5_policy">
- <?php
- $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux',
- 'Solaris', 'Vista', 'Windows', 'Win2003' );
- foreach ($profile as $val): ?>
- <option value="<?=strtolower($val);?>"
- <?php if (strtolower($val) == $pconfig['stream5_policy']) echo "selected"; ?>>
- <?=gettext($val);?></option>
- <?php endforeach; ?>
- </select>&nbsp;&nbsp;<?php echo gettext("Choose the TCP reassembly target policy appropriate for the protected hosts. The default is ") .
- "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/>
- <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/>
+ <table width="95%" align="left" id="stream5EnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=stream5_tcp_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import TCP engine configuration from existing Aliases");?>"></a>
+ <a href="snort_stream5_engine.php?id=<?=$id?>&eng_id=<?=$stream5_tcp_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new TCP engine configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['stream5_tcp_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_stream5_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this TCP engine configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_stream5_tcp" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this TCP engine configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default engine configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
</td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Settings"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Detection"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
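Review bot: The new engine table echoes stored configuration straight into HTML without escaping — `<?=gettext($v['name']);?>` and `<?=gettext($v['bind_to']);?>` in the stream5 engine loop — so an engine name or alias containing `<` or `"` breaks the markup and, since these values originate from form input saved elsewhere, this is a stored-XSS sink even if only admin-supplied; the same two lines recur in the httpinspect and frag3 tables earlier in this file. Passing a runtime value through `gettext()` also cannot be translated (no catalog entry exists for it), so it only hides the missing escape; the rest of the page already uses `htmlspecialchars()` for `$pconfig` values and these cells should match: `<td class="listlr" align="left"><?=htmlspecialchars($v['name']);?></td>` and `<td class="listbg" align="center"><?=htmlspecialchars($v['bind_to']);?></td>`. `$id` is likewise interpolated unescaped into every `href` here; its validation is outside this hunk, so if it is not already cast to an integer before this point it should be, or escaped at output. Separately, the delete action is a state-changing GET link (`act=del_stream5_tcp`) guarded only by a JavaScript `confirm()`, which bypasses whatever POST-based CSRF protection the page's form has — worth converting to a POST submission or at least noting as a known limitation. Minor style: the same table mixes `../themes/` and `/themes/` image paths, and `<>` on `$v['bind_to']` is a loose comparison where `!==` is the idiomatic choice.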
@@ -1064,7 +1120,7 @@ include_once("head.inc");
<?php echo gettext("Use Portscan Detection to detect various types of port scans and sweeps. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
</tr>
- <tr>
+ <tr id="portscan_protocol_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Protocol"); ?> </td>
<td width="78%" class="vtable">
<select name="pscan_protocol" class="formselect" id="pscan_protocol">
@@ -1079,7 +1135,7 @@ include_once("head.inc");
"<strong>" . gettext("all") . "</strong>."; ?><br/>
</td>
</tr>
- <tr>
+ <tr id="portscan_type_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Scan Type"); ?> </td>
<td width="78%" class="vtable">
<select name="pscan_type" class="formselect" id="pscan_type">
@@ -1111,7 +1167,7 @@ include_once("head.inc");
</table>
</td>
</tr>
- <tr>
+ <tr id="portscan_sensitivity_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Sensitivity"); ?> </td>
<td width="78%" class="vtable">
<select name="pscan_sense_level" class="formselect" id="pscan_sense_level">
@@ -1140,13 +1196,13 @@ include_once("head.inc");
</table>
</td>
</tr>
- <tr>
+ <tr id="portscan_memcap_row">
<td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
<td class="vtable">
<table cellpadding="0" cellspacing="0">
<tr>
- <td><input name="pscan_memcap" type="text" class="formfld"
- id="pscan_memcap" size="6"
+ <td class="vexpl"><input name="pscan_memcap" type="text" class="formfld unknown"
+ id="pscan_memcap" size="9"
value="<?=htmlspecialchars($pconfig['pscan_memcap']);?>">
<?php echo gettext("Maximum memory in bytes to allocate for portscan detection. ") .
gettext("Default is ") . "<strong>" . gettext("10000000") . "</strong>" .
@@ -1158,17 +1214,231 @@ include_once("head.inc");
"<strong>10,000,000</strong>" . gettext(" bytes. (10 MB)"); ?><br/>
</td>
</tr>
- <tr>
+ <tr id="portscan_ignorescanners_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?></td>
<td width="78%" class="vtable">
- <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners"
- value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>">&nbsp;&nbsp;<?php echo gettext("Leave blank for default. ") .
- gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.<br/>
- <?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?><br/>
+ <table width="95%" cellspacing="0" cellpadding="0" border="0">
+ <tr>
+ <td class="vexpl">
+ <input name="pscan_ignore_scanners" type="text" size="25" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners"
+ value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>">&nbsp;&nbsp;<?php echo gettext("Leave blank for default. ") .
+ gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.</td>
+ <td class="vexpl" align="right">
+ <input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&type=host|network&varname=pscan_ignore_scanners&act=import&multi_ip=yes&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?></td>
+ </tr>
+ </table>
</td>
</tr>
+ <tr id="ftp_telnet_row">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("FTP and Telnet Global Options"); ?></td>
+ </tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessor Settings"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> onclick="ftp_telnet_enable_change();">
+ <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_type">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspection Type"); ?> </td>
+ <td width="78%" class="vtable">
+ <select name="ftp_telnet_inspection_type" class="formselect" id="ftp_telnet_inspection_type">
+ <?php
+ $values = array('stateful', 'stateless');
+ foreach ($values as $val): ?>
+ <option value="<?=$val;?>"
+ <?php if ($val == $pconfig['ftp_telnet_inspection_type']) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;&nbsp;<?php echo gettext("Choose to operate in stateful or stateless mode. Default is ") .
+ "<strong>" . gettext("stateful") . "</strong>."; ?><br/>
+ </td>
+ </tr>
+ <tr id="ftp_telnet_row_encrypted_check">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Check Encrypted Traffic"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_check_encrypted" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_telnet_check_encrypted']=="on") echo "checked"; ?>>
+ <?php echo gettext("Continue to check an encrypted session for subsequent command to cease encryption. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_encrypted_alert">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert on Encrypted Commands"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_alert_encrypted" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_telnet_alert_encrypted']=="on") echo "checked"; ?>>
+ <?php echo gettext("Alert on encrypted FTP and Telnet command channels. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_telnet_proto_opts">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Telnet Protocol Options"); ?></td>
+ </tr>
+ <tr id="ftp_telnet_row_normalize">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Normalization"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_normalize" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_telnet_normalize']=="on") echo "checked"; ?>>
+ <?php echo gettext("Normalize Telnet traffic by eliminating Telnet escape sequences. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_detect_anomalies">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td>
+ <td width="78%" class="vtable"><input name="ftp_telnet_detect_anomalies" type="checkbox" value="on"
+ <?php if ($pconfig['ftp_telnet_detect_anomalies']=="on") echo "checked"; ?>>
+ <?php echo gettext("Alert on Telnet subnegotiation begin without corresponding subnegotiation end. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tr id="ftp_telnet_row_ayt_threshold">
+ <td valign="top" class="vncell"><?php echo gettext("AYT Attack Threshold"); ?></td>
+ <td class="vtable">
+ <input name="ftp_telnet_ayt_attack_threshold" type="text" class="formfld unknown" id="ftp_telnet_ayt_attack_threshold" size="9"
+ value="<?=htmlspecialchars($pconfig['ftp_telnet_ayt_attack_threshold']);?>">
+ <?php echo gettext("Are-You-There (AYT) command alert threshold. Enter ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" to disable. Default is ") . "<strong>" . gettext("20.") . "</strong>";?><br/>
+ <?php echo gettext("Alert when the number of consecutive Telnet AYT commands reaches the number specified.");?><br/>
+ </td>
+ </tr>
+ <tr id="ftp_telnet_row_ftp_proto_opts">
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("FTP Protocol Options"); ?></td>
+ </tr>
+ <tr id="ftp_telnet_ftp_client_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Client Configuration"); ?></td>
+ <td class="vtable">
+ <table width="95%" align="left" id="FTPclientEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=ftp_client_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import client configuration from existing Aliases");?>"></a>
+ <a href="snort_ftp_client_engine.php?id=<?=$id?>&eng_id=<?=$ftp_client_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new FTP client configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['ftp_client_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_ftp_client_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this FTP client configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this FTP client configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default client configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
+ </td>
+ </tr>
+ <tr id="ftp_telnet_ftp_server_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Server Configuration"); ?></td>
+ <td class="vtable">
+ <table width="95%" align="left" id="FTPserverEnginesTable" style="table-layout: fixed;" border="0" cellspacing="0" cellpadding="0">
+ <colgroup>
+ <col width="45%" align="left">
+ <col width="45%" align="center">
+ <col width="10%" align="right">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr" axis="string"><?php echo gettext("Engine Name");?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Bind-To Address Alias");?></th>
+ <th class="list" align="right"><a href="snort_import_aliases.php?id=<?=$id?>&eng=ftp_server_engine">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"></a>
+ <a href="snort_ftp_server_engine.php?id=<?=$id?>&eng_id=<?=$ftp_server_engine_next_id?>">
+ <img src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext("Add a new FTP Server configuration");?>"></a></th>
+ </tr>
+ </thead>
+ <?php foreach ($pconfig['ftp_server_engine']['item'] as $f => $v): ?>
+ <tr>
+ <td class="listlr" align="left"><?=gettext($v['name']);?></td>
+ <td class="listbg" align="center"><?=gettext($v['bind_to']);?></td>
+ <td class="listt" align="right"><a href="snort_ftp_server_engine.php?id=<?=$id;?>&eng_id=<?=$f;?>">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_e.gif"
+ width="17" height="17" border="0" title="<?=gettext("Edit this FTP server configuration");?>"></a>
+ <?php if ($v['bind_to'] <> "all") : ?>
+ <a href="snort_preprocessors.php?id=<?=$id;?>&eng_id=<?=$f;?>&act=del_ftp_server" onclick="return confirm('Are you sure you want to delete this entry?');">
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
+ title="<?=gettext("Delete this FTP server configuration");?>"></a>
+ <?php else : ?>
+ <img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
+ title="<?=gettext("Default server configuration cannot be deleted");?>">
+ <?php endif ?>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Sensitive Data Detection"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="sensitive_data" type="checkbox" value="on" onclick="sensitive_data_enable_change();"
+ <?php if ($pconfig['sensitive_data'] == "on")
+ echo "checked";
+ elseif ($vrt_enabled == "off")
+ echo "disabled";
+ ?>>
+ <?php echo gettext("Sensitive data searches for credit card numbers, Social Security numbers and e-mail addresses in data."); ?>
+ <br/>
+ <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the ") .
+ "<a href=\"/snort/snort_interfaces_global.php\" title=\"" . gettext("Modify Snort global settings") . "\"/>" . gettext("Global Settings") . "</a>" . gettext(" tab."); ?>
+ </td>
+ </tr>
+ <tr id="sdf_alert_data_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Inspect for"); ?> </td>
+ <td width="78%" class="vtable">
+ <select name="sdf_alert_data_type[]" class="formselect" id="sdf_alert_data_type" size="4" multiple="multiple">
+ <?php
+ $values = array('Credit Card', 'Email Addresses', 'U.S. Phone Numbers', 'U.S. Social Security Numbers');
+ foreach ($values as $val): ?>
+ <option value="<?=$val;?>"
+ <?php if (preg_match("/$val/",$pconfig['sdf_alert_data_type'])) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach; ?>
+ </select><br/><?php echo gettext("Choose which types of sensitive data to detect. Use CTRL + Click for multiple selections."); ?><br/>
+ </td>
+ </tr>
+ <tr id="sdf_alert_threshold_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Alert Threshold"); ?></td>
+ <td width="78%" class="vtable"><input name="sdf_alert_threshold" type="text" class="formfld unknown" id="sdf_alert_threshold" size="9" value="<?=htmlspecialchars($pconfig['sdf_alert_threshold']);?>">
+ <?php echo gettext("Personally Identifiable Information (PII) combination alert threshold.");?><br/>
+ <?php echo gettext("This value sets the number of PII combinations required to trigger an alert. This should be set higher than the highest individual count in your \"sd_pattern\" rules. Default value is ") .
+ "<strong>" . gettext("25") . "</strong>.";?>
+ </td>
+ </tr>
+ <tr id="sdf_mask_output_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Mask Output"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="sdf_mask_output" type="checkbox" value="on"
+ <?php if ($pconfig['sdf_mask_output'] == "on")
+ echo "checked";
+ ?>>
+ <?php echo gettext("Replace all but last 4 digits of PII with \"X\"s on credit card and Social Security Numbers. ") .
+ gettext("Default is ") . "<strong>" . gettext("Not Checked") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Preprocessors"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable RPC Decode and Back Orifice detector"); ?></td>
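Review bot: The delete link in the FTP client table passes `act=del_ftp_server`, the same action as the server table below it, so if the handler keys on `act` a delete from the client list would remove the server engine with that `eng_id`; it should read `&act=del_ftp_client`, and since the handler that consumes `act` is outside this hunk, confirm the name it expects. Separately, `$id`, `$f` and `$ftp_client_engine_next_id` go into `href`/`onclick` attributes unescaped, and the `pscan_ignore_scanners` value is still emitted raw while the neighbouring inputs use `htmlspecialchars()`; `value="<?=htmlspecialchars($pconfig['pscan_ignore_scanners']);?>"` plus `urlencode()` on the query values would make these consistent. The `preg_match("/$val/", ...)` selection test treats the dots in `U.S. Phone Numbers` as wildcards; a literal test such as `strpos($pconfig['sdf_alert_data_type'], $val) !== false` states the intent. The `<a href=\"/snort/snort_interfaces_global.php\" ... \"/>` in the Sensitive Data note is self-closed and then closed again with `</a>`, so it should end with `\">`. The enclosing form and table begin and end outside this hunk.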
@@ -1178,13 +1448,6 @@ include_once("head.inc");
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable FTP and Telnet Normalizer"); ?></td>
- <td width="78%" class="vtable"><input name="ftp_preprocessor" type="checkbox" value="on"
- <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?>>
- <?php echo gettext("Normalize/Decode FTP and Telnet traffic and protocol anomalies. Default is ") .
- "<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
- </tr>
- <tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable POP Normalizer"); ?></td>
<td width="78%" class="vtable"><input name="pop_preproc" type="checkbox" value="on"
<?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?>>
@@ -1216,7 +1479,7 @@ include_once("head.inc");
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SIP Detection"); ?></td>
<td width="78%" class="vtable"><input name="sip_preproc" type="checkbox" value="on"
<?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>>
- <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects some vulnerabilities. Default is ") .
+ <?php echo gettext("The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
@@ -1235,7 +1498,7 @@ include_once("head.inc");
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNS Detection"); ?></td>
<td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on"
<?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>>
- <?php echo gettext("The DNS preprocessor decodes DNS Response traffic and detects vulnerabilities. Default is ") .
+ <?php echo gettext("The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
@@ -1247,21 +1510,7 @@ include_once("head.inc");
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Sensitive Data"); ?></td>
- <td width="78%" class="vtable">
- <input name="sensitive_data" type="checkbox" value="on"
- <?php if ($pconfig['sensitive_data'] == "on")
- echo "checked";
- elseif ($vrt_enabled == "off")
- echo "disabled";
- ?>>
- <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?>
- <br/>
- <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?>
- </td>
- </tr>
- <tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SCADA Preprocessor Settings"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SCADA Preprocessors"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Modbus Detection"); ?></td>
@@ -1315,6 +1564,7 @@ include_once("head.inc");
if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
foreach($config['aliases']['alias'] as $alias_name) {
if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ // Skip any Aliases that resolve to an empty string
if (trim(filter_expand_alias($alias_name['name'])) == "")
continue;
if($addrisfirst == 1) $aliasesaddr .= ",";
@@ -1334,6 +1584,8 @@ include_once("head.inc");
function createAutoSuggest() {
<?php
echo "objAlias = new AutoSuggestControl(document.getElementById('pscan_ignore_scanners'), new StateSuggestions(addressarray));\n";
+ echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_net'), new StateSuggestions(addressarray));\n";
+ echo "objAlias = new AutoSuggestControl(document.getElementById('ftp_telnet_bounce_to_port'), new StateSuggestions(portsarray));\n";
?>
}
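Review bot: The two added `AutoSuggestControl` lines target `ftp_telnet_bounce_to_net` and `ftp_telnet_bounce_to_port`, but no inputs with those ids appear in the FTP/Telnet markup this commit adds, so `document.getElementById` would return null and the constructor call would throw, aborting the rest of `createAutoSuggest()`. If those fields now live on the per-engine pages, drop the two lines; otherwise guard them, e.g. `if (document.getElementById('ftp_telnet_bounce_to_net'))`. The surrounding script block continues outside the hunk.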
@@ -1350,41 +1602,125 @@ function frag3_enable_change() {
}
}
var endis = !(document.iform.frag3_detection.checked);
- document.iform.frag3_overlap_limit.disabled=endis;
- document.iform.frag3_min_frag_len.disabled=endis;
- document.iform.frag3_policy.disabled=endis;
- document.iform.frag3_max_frags.disabled=endis;
- document.iform.frag3_memcap.disabled=endis;
- document.iform.frag3_timeout.disabled=endis;
+
+ // Hide the "config engines" table if Frag3 disabled
+ if (endis) {
+ document.getElementById("frag3_engconf_row").style.display="none";
+ document.getElementById("frag3_memcap_row").style.display="none";
+ document.getElementById("frag3_maxfrags_row").style.display="none";
+ }
+ else {
+ document.getElementById("frag3_engconf_row").style.display="table-row";
+ document.getElementById("frag3_memcap_row").style.display="table-row";
+ document.getElementById("frag3_maxfrags_row").style.display="table-row";
+ }
}
function host_attribute_table_enable_change() {
var endis = !(document.iform.host_attribute_table.checked);
- document.iform.host_attribute_file.disabled=endis;
- document.iform.btn_import.disabled=endis;
- document.iform.btn_edit_hat.disabled=endis;
- document.iform.max_attribute_hosts.disabled=endis;
- document.iform.max_attribute_services_per_host.disabled=endis;
+
+ // Hide "Host Attribute Table" config rows if HAT disabled
+ if (endis) {
+ document.getElementById("host_attrib_table_data_row").style.display="none";
+ document.getElementById("host_attrib_table_maxhosts_row").style.display="none";
+ document.getElementById("host_attrib_table_maxsvcs_row").style.display="none";
+ }
+ else {
+ document.getElementById("host_attrib_table_data_row").style.display="table-row";
+ document.getElementById("host_attrib_table_maxhosts_row").style.display="table-row";
+ document.getElementById("host_attrib_table_maxsvcs_row").style.display="table-row";
+ }
+}
+
+function stream5_track_tcp_enable_change() {
+ var endis = !(document.iform.stream5_track_tcp.checked);
+
+ // Hide the "tcp_memcap and tcp_engconf" rows if stream5_track_tcp disabled
+ if (endis) {
+ document.getElementById("stream5_maxtcp_row").style.display="none";
+ document.getElementById("stream5_tcp_memcap_row").style.display="none";
+ document.getElementById("stream5_tcp_engconf_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_maxtcp_row").style.display="table-row";
+ document.getElementById("stream5_tcp_memcap_row").style.display="table-row";
+ document.getElementById("stream5_tcp_engconf_row").style.display="table-row";
+ }
+}
+
+function stream5_track_udp_enable_change() {
+ var endis = !(document.iform.stream5_track_udp.checked);
+
+ // Hide the "udp session timeout " row if stream5_track_udp disabled
+ if (endis) {
+ var msg = "WARNING: Stream5 UDP tracking is required by the Session Initiation Protocol (SIP) preprocessor! ";
+ msg = msg + "The SIP preprocessor will be automatically disabled if Stream5 UDP tracking is disabled.\n\n";
+ msg = msg + "Snort may fail to start because of rule options dependent on the SIP preprocessor. ";
+ msg = msg + "Are you sure you want to disable Stream5 UDP tracking?\n\n";
+ msg = msg + "Click OK to disable Stream5 UDP tracking, or CANCEL to quit.";
+ if (!confirm(msg))
+ return;
+ document.iform.sip_preproc.checked=false;
+ document.getElementById("stream5_maxudp_row").style.display="none";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_maxudp_row").style.display="table-row";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row";
+ }
+}
+
+function stream5_track_icmp_enable_change() {
+ var endis = !(document.iform.stream5_track_icmp.checked);
+
+ // Hide the "icmp session timeout " row if stream5_track_icmp disabled
+ if (endis) {
+ document.getElementById("stream5_maxicmp_row").style.display="none";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_maxicmp_row").style.display="table-row";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row";
+ }
}
function http_inspect_enable_change() {
var endis = !(document.iform.http_inspect.checked);
- document.iform.http_inspect_enable_xff.disabled=endis;
- document.iform.server_flow_depth.disabled=endis;
- document.iform.client_flow_depth.disabled=endis;
- document.iform.http_server_profile.disabled=endis;
document.iform.http_inspect_memcap.disabled=endis;
- document.iform.http_inspect_log_uri.disabled=endis;
- document.iform.http_inspect_log_hostname.disabled=endis;
+
+ // Hide the "icmp session timeout " row if stream5_track_icmp disabled
+ if (endis) {
+ document.getElementById("httpinspect_memcap_row").style.display="none";
+ document.getElementById("httpinspect_maxgzipmem_row").style.display="none";
+ document.getElementById("httpinspect_proxyalert_row").style.display="none";
+ document.getElementById("httpinspect_engconf_row").style.display="none";
+ }
+ else {
+ document.getElementById("httpinspect_memcap_row").style.display="table-row";
+ document.getElementById("httpinspect_maxgzipmem_row").style.display="table-row";
+ document.getElementById("httpinspect_proxyalert_row").style.display="table-row";
+ document.getElementById("httpinspect_engconf_row").style.display="table-row";
+ }
}
function sf_portscan_enable_change() {
var endis = !(document.iform.sf_portscan.checked);
- document.iform.pscan_protocol.disabled=endis;
- document.iform.pscan_type.disabled=endis;
- document.iform.pscan_memcap.disabled=endis;
- document.iform.pscan_sense_level.disabled=endis;
- document.iform.pscan_ignore_scanners.disabled=endis;
+
+ // Hide the portscan configuration rows if sf_portscan disabled
+ if (endis) {
+ document.getElementById("portscan_protocol_row").style.display="none";
+ document.getElementById("portscan_type_row").style.display="none";
+ document.getElementById("portscan_sensitivity_row").style.display="none";
+ document.getElementById("portscan_memcap_row").style.display="none";
+ document.getElementById("portscan_ignorescanners_row").style.display="none";
+ }
+ else {
+ document.getElementById("portscan_protocol_row").style.display="table-row";
+ document.getElementById("portscan_type_row").style.display="table-row";
+ document.getElementById("portscan_sensitivity_row").style.display="table-row";
+ document.getElementById("portscan_memcap_row").style.display="table-row";
+ document.getElementById("portscan_ignorescanners_row").style.display="table-row";
+ }
}
function stream5_enable_change() {
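Review bot: `stream5_track_udp_enable_change()` returns early when the user cancels the confirm, but by then the click has already unchecked the box (assuming it is wired via `onclick` like the other handlers), so the form submits with UDP tracking off while its rows stay visible; restore it first, `if (!confirm(msg)) { document.iform.stream5_track_udp.checked = true; return; }`. The same function is also called from `enable_change_all()` in the next hunk at page load, so a saved configuration with UDP tracking off raises the prompt on every load and silently unchecks `sip_preproc`; the confirm should only run on user interaction. The comment in `http_inspect_enable_change()`, `// Hide the "icmp session timeout " row if stream5_track_icmp disabled`, is copied from the ICMP handler and should read `// Hide the HTTP Inspect configuration rows if http_inspect disabled`. `stream5_enable_change()` begins on the last line here and its body continues in the next hunk.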
@@ -1419,43 +1755,129 @@ function stream5_enable_change() {
}
var endis = !(document.iform.stream5_reassembly.checked);
- document.iform.max_queued_bytes.disabled=endis;
- document.iform.max_queued_segs.disabled=endis;
- document.iform.stream5_mem_cap.disabled=endis;
- document.iform.stream5_policy.disabled=endis;
- document.iform.stream5_overlap_limit.disabled=endis;
- document.iform.stream5_no_reassemble_async.disabled=endis;
- document.iform.stream5_dont_store_lg_pkts.disabled=endis;
- document.iform.stream5_tcp_timeout.disabled=endis;
- document.iform.stream5_udp_timeout.disabled=endis;
- document.iform.stream5_icmp_timeout.disabled=endis;
+
+ // Hide the "stream5 conf" rows if stream5 disabled
+ if (endis) {
+ document.getElementById("stream5_tcp_memcap_row").style.display="none";
+ document.getElementById("stream5_tcp_engconf_row").style.display="none";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="none";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="none";
+ document.getElementById("stream5_proto_tracking_row").style.display="none";
+ document.getElementById("stream5_flushonalert_row").style.display="none";
+ document.getElementById("stream5_prunelogmax_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_tcp_memcap_row").style.display="table-row";
+ document.getElementById("stream5_tcp_engconf_row").style.display="table-row";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row";
+ document.getElementById("stream5_proto_tracking_row").style.display="table-row";
+ document.getElementById("stream5_flushonalert_row").style.display="table-row";
+ document.getElementById("stream5_prunelogmax_row").style.display="table-row";
+ }
+}
+
+function ftp_telnet_enable_change() {
+ var endis = !(document.iform.ftp_preprocessor.checked);
+
+ // Hide the ftp_telnet configuration rows if ftp_telnet disabled
+ if (endis) {
+ document.getElementById("ftp_telnet_row_type").style.display="none";
+ document.getElementById("ftp_telnet_row_encrypted_alert").style.display="none";
+ document.getElementById("ftp_telnet_row_encrypted_check").style.display="none";
+ document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="none";
+ document.getElementById("ftp_telnet_row_normalize").style.display="none";
+ document.getElementById("ftp_telnet_row_detect_anomalies").style.display="none";
+ document.getElementById("ftp_telnet_row_ayt_threshold").style.display="none";
+ document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="none";
+ document.getElementById("ftp_telnet_ftp_client_row").style.display="none";
+ document.getElementById("ftp_telnet_ftp_server_row").style.display="none";
+ }
+ else {
+ document.getElementById("ftp_telnet_row_type").style.display="table-row";
+ document.getElementById("ftp_telnet_row_encrypted_alert").style.display="table-row";
+ document.getElementById("ftp_telnet_row_encrypted_check").style.display="table-row";
+ document.getElementById("ftp_telnet_row_telnet_proto_opts").style.display="table-row";
+ document.getElementById("ftp_telnet_row_normalize").style.display="table-row";
+ document.getElementById("ftp_telnet_row_detect_anomalies").style.display="table-row";
+ document.getElementById("ftp_telnet_row_ayt_threshold").style.display="table-row";
+ document.getElementById("ftp_telnet_row_ftp_proto_opts").style.display="table-row";
+ document.getElementById("ftp_telnet_ftp_client_row").style.display="table-row";
+ document.getElementById("ftp_telnet_ftp_server_row").style.display="table-row";
+ }
+}
+
+function sensitive_data_enable_change() {
+ var endis = !(document.iform.sensitive_data.checked);
+
+ // Hide the sensitive_data configuration rows if sensitive_data disabled
+ if (endis) {
+ document.getElementById("sdf_alert_threshold_row").style.display="none";
+ document.getElementById("sdf_mask_output_row").style.display="none";
+ document.getElementById("sdf_alert_data_row").style.display="none";
+
+ }
+ else {
+ document.getElementById("sdf_alert_threshold_row").style.display="table-row";
+ document.getElementById("sdf_mask_output_row").style.display="table-row";
+ document.getElementById("sdf_alert_data_row").style.display="table-row";
+ }
}
function enable_change_all() {
http_inspect_enable_change();
sf_portscan_enable_change();
- // Enable/Disable Frag3 settings
+ // -- Enable/Disable Host Attribute Table settings --
+ host_attribute_table_enable_change();
+
+ // -- Enable/Disable Frag3 settings --
var endis = !(document.iform.frag3_detection.checked);
- document.iform.frag3_overlap_limit.disabled=endis;
- document.iform.frag3_min_frag_len.disabled=endis;
- document.iform.frag3_policy.disabled=endis;
- document.iform.frag3_max_frags.disabled=endis;
- document.iform.frag3_memcap.disabled=endis;
- document.iform.frag3_timeout.disabled=endis;
-
- // Enable/Disable Stream5 settings
+ // Hide the "config engines" table if Frag3 disabled
+ if (endis) {
+ document.getElementById("frag3_engconf_row").style.display="none";
+ document.getElementById("frag3_memcap_row").style.display="none";
+ document.getElementById("frag3_maxfrags_row").style.display="none";
+ }
+ else {
+ document.getElementById("frag3_engconf_row").style.display="table-row";
+ document.getElementById("frag3_memcap_row").style.display="table-row";
+ document.getElementById("frag3_maxfrags_row").style.display="table-row";
+ }
+
+ // -- Enable/Disable Stream5 settings --
endis = !(document.iform.stream5_reassembly.checked);
- document.iform.max_queued_bytes.disabled=endis;
- document.iform.max_queued_segs.disabled=endis;
- document.iform.stream5_mem_cap.disabled=endis;
- document.iform.stream5_policy.disabled=endis;
- document.iform.stream5_overlap_limit.disabled=endis;
- document.iform.stream5_no_reassemble_async.disabled=endis;
- document.iform.stream5_dont_store_lg_pkts.disabled=endis;
- document.iform.stream5_tcp_timeout.disabled=endis;
- document.iform.stream5_udp_timeout.disabled=endis;
- document.iform.stream5_icmp_timeout.disabled=endis;
+ // Hide the "stream5 conf" rows if stream5 disabled
+ if (endis) {
+ document.getElementById("stream5_tcp_memcap_row").style.display="none";
+ document.getElementById("stream5_tcp_engconf_row").style.display="none";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="none";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="none";
+ document.getElementById("stream5_proto_tracking_row").style.display="none";
+ document.getElementById("stream5_flushonalert_row").style.display="none";
+ document.getElementById("stream5_prunelogmax_row").style.display="none";
+ document.getElementById("stream5_maxtcp_row").style.display="none";
+ document.getElementById("stream5_maxudp_row").style.display="none";
+ document.getElementById("stream5_maxicmp_row").style.display="none";
+ }
+ else {
+ document.getElementById("stream5_tcp_memcap_row").style.display="table-row";
+ document.getElementById("stream5_tcp_engconf_row").style.display="table-row";
+ document.getElementById("stream5_udp_sess_timeout_row").style.display="table-row";
+ document.getElementById("stream5_icmp_sess_timeout_row").style.display="table-row";
+ document.getElementById("stream5_proto_tracking_row").style.display="table-row";
+ document.getElementById("stream5_flushonalert_row").style.display="table-row";
+ document.getElementById("stream5_prunelogmax_row").style.display="table-row";
+ document.getElementById("stream5_maxtcp_row").style.display="table-row";
+ document.getElementById("stream5_maxudp_row").style.display="table-row";
+ document.getElementById("stream5_maxicmp_row").style.display="table-row";
+ }
+ // Set other stream5 initial conditions
+ stream5_track_tcp_enable_change();
+ stream5_track_udp_enable_change();
+ stream5_track_icmp_enable_change();
+ ftp_telnet_enable_change();
+ sensitive_data_enable_change();
}
function wopen(url, name, w, h)
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index c9852597..0434f88f 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -379,7 +379,7 @@ require_once("guiconfig.inc");
include_once("head.inc");
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: {$if_friendly} Category: $currentruleset";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Rules: {$currentruleset}");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
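Review bot: The new title interpolates `{$if_friendly}` and `{$currentruleset}` inside the `gettext()` argument, so the lookup key changes per interface and ruleset and can never match a catalog entry; translation is silently skipped. Keep the placeholders in the translatable string and format afterwards: `$pgtitle = sprintf(gettext("Snort: Interface %s - Rules: %s"), $if_friendly, $currentruleset);`. The same pattern is introduced in snort_rules_flowbits.php (`Flowbit Rules` title), snort_rulesets.php (`Categories` title and the `{$et_type} rules not {$msg_emerging}` header cell) and snort_select_alias.php (`Select {$title} Alias`), and the pre-existing `gettext("{$msg_community}")` calls in snort_rulesets.php have the same problem.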
@@ -528,7 +528,7 @@ if ($savemsg) {
<tr>
<td colspan="3" class="vexpl" align="center"><?php echo "<span class=\"red\"><b>" . gettext("WARNING: ") . "</b></span>" .
gettext("You should not disable flowbit rules! Add Suppress List entries for them instead by ") .
- "<a href='snort_rules_flowbits.php?id={$id}' title=\"" . gettext("Add Suppress List entry for Flowbit Rule") . "\">" .
+ "<a href='snort_rules_flowbits.php?id={$id}&openruleset={$currentruleset}&returl=" . urlencode($_SERVER['PHP_SELF']) . "' title=\"" . gettext("Add Suppress List entry for Flowbit Rule") . "\">" .
gettext("clicking here") . ".</a>";?></td>
</tr>
<?php endif;?>
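Review bot: The rewritten anchor puts `{$id}` and `{$currentruleset}` into the `href` raw while only `$_SERVER['PHP_SELF']` gets `urlencode()`; both variables appear to originate from the request (their assignment is outside this hunk), so an `&`, quote or `<` in either one breaks out of the query string or the attribute. Encode every request-derived piece the same way: `"<a href='snort_rules_flowbits.php?id=" . urlencode($id) . "&openruleset=" . urlencode($currentruleset) . "&returl=" . urlencode($_SERVER['PHP_SELF']) . "' title=\"" . ...`. Note that `PHP_SELF` can carry extra path segments supplied by the client, so the receiving page still has to validate `returl` before redirecting to it.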
diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php
index 92330ebf..325276ee 100644
--- a/config/snort/snort_rules_flowbits.php
+++ b/config/snort/snort_rules_flowbits.php
@@ -1,16 +1,7 @@
<?php
/*
* snort_rules_flowbits.php
- * Copyright (C) 2004 Scott Ullrich
- * Copyright (C) 2011-2012 Ermal Luci
- * All rights reserved.
- *
- * originially part of m0n0wall (http://m0n0.ch/wall)
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
- * All rights reserved.
- *
- * modified for the pfsense snort package
- * Copyright (C) 2009-2010 Robert Zelaya.
+ * Copyright (C) 2013 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -51,17 +42,23 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
$a_nat = &$config['installedpackages']['snortglobal']['rule'];
// Set who called us so we can return to the correct page with
-// the RETURN button. We will just trust this User-Agent supplied
-// string for now.
+// the RETURN button. Save the original referrer and the query
+// string in session variables.
session_start();
-if(!isset($_SESSION['org_referer']))
- $_SESSION['org_referer'] = $_SERVER['HTTP_REFERER'];
-$referrer = $_SESSION['org_referer'];
+if (!isset($_SESSION['org_referrer']) || isset($_GET['returl'])) {
+ $_SESSION['org_referrer'] = urldecode($_GET['returl']);
+ $_SESSION['org_querystr'] = $_SERVER['QUERY_STRING'];
+}
+$referrer = $_SESSION['org_referrer'];
+$querystr = $_SESSION['org_querystr'];
+session_write_close();
if ($_POST['cancel']) {
- unset($_SESSION['org_referer']);
+ session_start();
+ unset($_SESSION['org_referrer']);
+ unset($_SESSION['org_querystr']);
session_write_close();
- header("Location: {$referrer}");
+ header("Location: {$referrer}?{$querystr}");
exit;
}
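Review bot: `$_SESSION['org_referrer']` is now taken straight from `urldecode($_GET['returl'])` and later echoed into `header("Location: {$referrer}?{$querystr}")`, so any URL placed in `returl` becomes the post-cancel redirect target (an open redirect); the old comment admitted the value was trusted, and the rewrite removes the admission but not the trust. There is also a smaller edge: when the session has no referrer and `returl` is absent, `urldecode(null)` stores an empty string and the redirect becomes `Location: ?…`. Restrict the target to the pages that actually link here (snort_rules.php and snort_rulesets.php, both under `/snort/` like the existing `snort_interfaces.php` redirect below) and fall back to the interfaces page otherwise.
```php
// … unchanged: session_start() …
$returl = urldecode($_GET['returl']);
// Accept only our own pages as a return target; anything else falls back to the interface list.
if (!in_array($returl, array('/snort/snort_rules.php', '/snort/snort_rulesets.php'), true))
    $returl = '/snort/snort_interfaces.php';
if (!isset($_SESSION['org_referrer']) || isset($_GET['returl'])) {
    $_SESSION['org_referrer'] = $returl;
// … unchanged: org_querystr save, session_write_close(), cancel handling …
```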
@@ -69,6 +66,10 @@ $id = $_GET['id'];
if (isset($_POST['id']))
$id = $_POST['id'];
if (is_null($id)) {
+ session_start();
+ unset($_SESSION['org_referrer']);
+ unset($_SESSION['org_querystr']);
+ session_write_close();
header("Location: /snort/snort_interfaces.php");
exit;
}
@@ -158,7 +159,7 @@ function truncate($string, $length) {
$supplist = snort_load_suppress_sigs($a_nat[$id]);
$if_friendly = snort_get_friendly_interface($a_nat[$id]['interface']);
-$pgtitle = "Services: Snort: {$if_friendly} Flowbit Rules";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Flowbit Rules");
include_once("head.inc");
?>
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php
index 3c613f84..62b68a1b 100755
--- a/config/snort/snort_rulesets.php
+++ b/config/snort/snort_rulesets.php
@@ -71,16 +71,20 @@ $no_snort_files = false;
$no_community_files = false;
/* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */
-if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on')
- $test = glob("{$snortdir}/rules/emerging-*.rules");
-elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload)))
- $test = glob("{$snortdir}/rules/etpro-*.rules");
+if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') {
+ $test = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules");
+ $et_type = "ET Open";
+}
+elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) {
+ $test = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules");
+ $et_type = "ET Pro";
+}
if (empty($test))
$no_emerging_files = true;
-$test = glob("{$snortdir}/rules/snort*.rules");
+$test = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules");
if (empty($test))
$no_snort_files = true;
-if (!file_exists("{$snortdir}/rules/GPLv2_community.rules"))
+if (!file_exists("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules"))
$no_community_files = true;
if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on'))
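Review bot: `$et_type` is only assigned inside the two new branches, so when neither condition holds (both `$etpro` and `$emergingdownload` on, or both off) the variable is undefined, and the later header cell `gettext("{$et_type} rules not {$msg_emerging}")` in this same file renders as " rules not …" with an undefined-variable notice. Initialise it before the `if`, e.g. `$et_type = "Emerging Threats";`, which also keeps the original wording for the fallback case.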
@@ -188,25 +192,25 @@ if ($_POST['selectall']) {
}
if ($emergingdownload == 'on') {
- $files = glob("{$snortdir}/rules/emerging-*.rules");
+ $files = glob("{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "*.rules");
foreach ($files as $file)
$rulesets[] = basename($file);
}
elseif ($etpro == 'on') {
- $files = glob("{$snortdir}/rules/etpro-*.rules");
+ $files = glob("{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "*.rules");
foreach ($files as $file)
$rulesets[] = basename($file);
}
if ($snortcommunitydownload == 'on') {
- $files = glob("{$snortdir}/rules/*_community.rules");
+ $files = glob("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules");
foreach ($files as $file)
$rulesets[] = basename($file);
}
/* Include the Snort VRT rules only if enabled and no IPS policy is set */
if ($snortdownload == 'on' && $a_nat[$id]['ips_policy_enable'] == 'off') {
- $files = glob("{$snortdir}/rules/snort*.rules");
+ $files = glob("{$snortdir}/rules/" . VRT_FILE_PREFIX . "*.rules");
foreach ($files as $file)
$rulesets[] = basename($file);
}
@@ -223,7 +227,7 @@ if ($_POST['selectall']) {
$enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']);
$if_friendly = snort_get_friendly_interface($pconfig['interface']);
-$pgtitle = "Snort: Interface {$if_friendly} Categories";
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Categories");
include_once("head.inc");
?>
@@ -309,7 +313,7 @@ if ($savemsg) {
</tr>
<tr>
<td colspan="6" valign="center" class="listn">
- <table width="100%" border="0" cellpadding="2" cellspacing="2">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td>
<td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on"
@@ -326,13 +330,13 @@ if ($savemsg) {
</tr>
<tr>
<td width="15%" class="listn"><?php echo gettext("Auto Flowbit Rules"); ?></td>
- <td width="85%"><input type="button" class="formbtns" value="View" onclick="parent.location='snort_rules_flowbits.php?id=<?=$id;?>'" <?php echo $btn_view_flowb_rules; ?>/>
+ <td width="85%"><input type="button" class="formbtns" value="View" onclick="parent.location='snort_rules_flowbits.php?id=<?=$id;?>&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'" <?php echo $btn_view_flowb_rules; ?>/>
&nbsp;&nbsp;<span class="vexpl"><?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit dependencies"); ?></span></td>
</tr>
<tr>
<td width="15%">&nbsp;</td>
<td width="85%">
- <?php printf(gettext("%sNote: %sAuto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."), '<span class="red"><strong>', '</strong></span>'); ?>
+ <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("Auto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."); ?>
<br/></td>
</tr>
</table>
@@ -343,23 +347,23 @@ if ($savemsg) {
</tr>
<tr>
<td colspan="6" valign="center" class="listn">
- <table width="100%" border="0" cellpadding="2" cellspacing="2">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td>
<td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?>
<?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/>&nbsp;&nbsp;<span class="vexpl">
- <?php echo gettext("If checked, Snort will use rules from the pre-defined IPS policy selected below."); ?></span></td>
+ <?php echo gettext("If checked, Snort will use rules from one of three pre-defined IPS policies."); ?></span></td>
</tr>
<tr>
- <td width="15%" class="vncell">&nbsp;</td>
- <td width="85%" class="vtable">
- <?php printf(gettext("%sNote:%s You must be using the Snort VRT rules to use this option."),'<span class="red"><strong>','</strong></span>'); ?>
+ <td width="15%" class="vncell" id="ips_col1">&nbsp;</td>
+ <td width="85%" class="vtable" id="ips_col2">
+ <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("You must be using the Snort VRT rules to use this option."); ?>
<?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " .
"although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " .
"These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br/></td>
</tr>
- <tr>
- <td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td>
+ <tr id="ips_row1">
+ <td width="15%" class="listn"><?php echo gettext("IPS Policy Selection"); ?></td>
<td width="85%"><select name="ips_policy" class="formselect" <?=$policy_select_disable?> >
<option value="connectivity" <?php if ($pconfig['ips_policy'] == "connected") echo "selected"; ?>><?php echo gettext("Connectivity"); ?></option>
<option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option>
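Review bot: The first `<option>` in the IPS Policy select has `value="connectivity"` but the `selected` test compares `$pconfig['ips_policy'] == "connected"`, so a saved "Connectivity" policy never shows as selected when the form is redisplayed; this line is context here, so the mismatch predates the commit, but the hunk is rewriting this row. Change the comparison to `<?php if ($pconfig['ips_policy'] == "connectivity") echo "selected"; ?>` unless the stored value is deliberately different from the submitted one (the save path is outside this hunk).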
@@ -367,7 +371,7 @@ if ($savemsg) {
</select>
&nbsp;&nbsp;<span class="vexpl"><?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security."); ?></span></td>
</tr>
- <tr>
+ <tr id="ips_row2">
<td width="15%">&nbsp;</td>
<td width="85%">
<?php echo gettext("Connectivity blocks most major threats with few or no false positives. " .
@@ -397,22 +401,23 @@ if ($savemsg) {
$msg_community = "NOTE: Snort Community Rules have not been downloaded. Perform a Rules Update to enable them.";
else
$msg_community = "Snort GPLv2 Community Rules (VRT certified)";
+ $community_rules_file = GPL_FILE_PREFIX . "community.rules";
?>
<?php if ($snortcommunitydownload == 'on'): ?>
<tr id="frheader">
<td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td>
<td colspan="5" class="listhdrr"><?php echo gettext('Ruleset: Snort GPLv2 Community Rules');?></td>
</tr>
- <?php if (in_array("GPLv2_community.rules", $enabled_rulesets_array)): ?>
+ <?php if (in_array($community_rules_file, $enabled_rulesets_array)): ?>
<tr>
<td width="5" class="listr" align="center" valign="top">
- <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" checked="checked"/></td>
- <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=GPLv2_community.rules'><?php echo gettext("{$msg_community}"); ?></a></td>
+ <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" checked="checked"/></td>
+ <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a></td>
</tr>
<?php else: ?>
<tr>
<td width="5" class="listr" align="center" valign="top">
- <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td>
+ <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td>
<td colspan="5" class="listr"><?php echo gettext("{$msg_community}"); ?></td>
</tr>
@@ -436,7 +441,7 @@ if ($savemsg) {
<td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td>
<td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Pro Rules');?></td>
<?php else: ?>
- <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td>
+ <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("{$et_type} rules not {$msg_emerging}"); ?></td>
<?php endif; ?>
<?php if ($snortdownload == 'on' && !$no_snort_files): ?>
<td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td>
@@ -459,11 +464,11 @@ if ($savemsg) {
$filename = basename($filename);
if (substr($filename, -5) != "rules")
continue;
- if (strstr($filename, "emerging-") && $emergingdownload == 'on')
+ if (strstr($filename, ET_OPEN_FILE_PREFIX) && $emergingdownload == 'on')
$emergingrules[] = $filename;
- else if (strstr($filename, "etpro-") && $etpro == 'on')
+ else if (strstr($filename, ET_PRO_FILE_PREFIX) && $etpro == 'on')
$emergingrules[] = $filename;
- else if (strstr($filename, "snort") && $snortdownload == 'on') {
+ else if (strstr($filename, VRT_FILE_PREFIX) && $snortdownload == 'on') {
if (strstr($filename, ".so.rules"))
$snortsorules[] = $filename;
else
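Review bot: The classification now uses `strstr($filename, ET_OPEN_FILE_PREFIX)` and friends, which match the prefix anywhere in the name, while the constants' names and the `glob("…/" . PREFIX . "*.rules")` calls earlier in the file treat them as leading prefixes; a file whose name merely contains the VRT prefix would be filed as a VRT rule. Anchoring the test keeps the two code paths consistent: `if (strpos($filename, ET_OPEN_FILE_PREFIX) === 0 && $emergingdownload == 'on')`, and likewise for the ET Pro and VRT branches. The enclosing loop starts before this hunk.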
@@ -589,6 +594,18 @@ function enable_change()
var endis = !(document.iform.ips_policy_enable.checked);
document.iform.ips_policy.disabled=endis;
+ if (endis) {
+ document.getElementById("ips_row1").style.display="none";
+ document.getElementById("ips_row2").style.display="none";
+ document.getElementById("ips_col1").className="vexpl";
+ document.getElementById("ips_col2").className="vexpl";
+ }
+ else {
+ document.getElementById("ips_row1").style.display="table-row";
+ document.getElementById("ips_row2").style.display="table-row";
+ document.getElementById("ips_col1").className="vncell";
+ document.getElementById("ips_col2").className="vtable";
+ }
for (var i = 0; i < document.iform.elements.length; i++) {
if (document.iform.elements[i].type == 'checkbox') {
var str = document.iform.elements[i].value;
@@ -597,6 +614,10 @@ function enable_change()
}
}
}
+
+// Set initial state of dynamic HTML form controls
+enable_change();
+
</script>
</body>
diff --git a/config/snort/snort_select_alias.php b/config/snort/snort_select_alias.php
new file mode 100644
index 00000000..c5c6347e
--- /dev/null
+++ b/config/snort/snort_select_alias.php
@@ -0,0 +1,234 @@
+<?php
+/* $Id$ */
+/*
+ snort_select_alias.php
+ Copyright (C) 2013 Bill Meeks
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+require_once("functions.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+// Need to keep track of who called us so we can return to the correct page
+// when the SAVE button is clicked. On initial entry, a GET variable is
+// passed with the referrer's URL encoded within. That value is saved and
+// used when SAVE or CANCEL is clicked to return to the referring page.
+//
+
+// Retrieve the QUERY STRING of the original referrer so we can return it.
+// On the initial pass, we will save it in a hidden POST field so we won't
+// overwrite it on subsequent POST-BACKs to this page.
+if (!isset($_POST['org_querystr']))
+ $querystr = $_SERVER['QUERY_STRING'];
+
+// Retrieve any passed QUERY STRING or POST variables
+$type = $_GET['type'];
+$varname = $_GET['varname'];
+$multi_ip = $_GET['multi_ip'];
+$referrer = urldecode($_GET['returl']);
+if (isset($_POST['type']))
+ $type = $_POST['type'];
+if (isset($_POST['varname']))
+ $varname = $_POST['varname'];
+if (isset($_POST['multi_ip']))
+ $multi_ip = $_POST['multi_ip'];
+if (isset($_POST['returl']))
+ $referrer = urldecode($_POST['returl']);
+if (isset($_POST['org_querystr']))
+ $querystr = $_POST['org_querystr'];
+
+// Make sure we have a valid VARIABLE name
+// and ALIAS TYPE, or else bail out.
+if (is_null($type) || is_null($varname)) {
+ header("Location: http://{$referrer}?{$querystr}");
+ exit;
+}
+
+// Used to track if any selectable Aliases are found
+$selectablealias = false;
+
+// Initialize required array variables as necessary
+if (!is_array($config['aliases']['alias']))
+ $config['aliases']['alias'] = array();
+$a_aliases = $config['aliases']['alias'];
+
+// Create an array consisting of the Alias types the
+// caller wants to select from.
+$a_types = array();
+$a_types = explode('|', strtolower($type));
+
+// Create a proper title based on the Alias types
+$title = "a";
+switch (count($a_types)) {
+ case 1:
+ $title .= " " . ucfirst($a_types[0]);
+ break;
+
+ case 2:
+ $title .= " " . ucfirst($a_types[0]) . " or " . ucfirst($a_types[1]);
+ break;
+
+ case 3:
+ $title .= " " . ucfirst($a_types[0]) . ", " . ucfirst($a_types[1]) . " or " . ucfirst($a_types[2]);
+
+ default:
+ $title = "n";
+}
+
+if ($_POST['cancel']) {
+ header("Location: {$referrer}?{$querystr}");
+ exit;
+}
+
+if ($_POST['save']) {
+ if(empty($_POST['alias']))
+ $input_errors[] = gettext("No alias is selected. Please select an alias before saving.");
+
+ // if no errors, write new entry to conf
+ if (!$input_errors) {
+ $selection = $_POST['alias'];
+ header("Location: {$referrer}?{$querystr}&varvalue={$selection}");
+ exit;
+ }
+}
+
+$pgtitle = gettext("Snort: Select {$title} Alias");
+include("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<form action="snort_select_alias.php" method="post">
+<input type="hidden" name="varname" value="<?=$varname;?>">
+<input type="hidden" name="type" value="<?=$type;?>">
+<input type="hidden" name="multi_ip" value="<?=$multi_ip;?>">
+<input type="hidden" name="returl" value="<?=$referrer;?>">
+<input type="hidden" name="org_querystr" value="<?=$querystr;?>">
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+ <td class="tabcont"><strong><?=gettext("Select an Alias to use from the list below.");?></strong><br/>
+ </td>
+</tr>
+<tr>
+ <td class="tabcont">
+ <table id="sortabletable1" style="table-layout: fixed;" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <colgroup>
+ <col width="5%" align="center">
+ <col width="25%" align="left" axis="string">
+ <col width="35%" align="left" axis="string">
+ <col width="35%" align="left" axis="string">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"></th>
+ <th class="listhdrr" axis="string"><?=gettext("Alias Name"); ?></th>
+ <th class="listhdrr" axis="string"><?=gettext("Values"); ?></th>
+ <th class="listhdrr" axis="string"><?=gettext("Description"); ?></th>
+ </tr>
+ </thead>
+ <tbody>
+ <?php $i = 0; foreach ($a_aliases as $alias): ?>
+ <?php if (!in_array($alias['type'], $a_types))
+ continue;
+ if ( ($alias['type'] == "network" || $alias['type'] == "host") &&
+ $multi_ip != "yes" &&
+ !snort_is_single_addr_alias($alias['name'])) {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $disable = true;
+ $tooltip = gettext("Aliases resolving to multiple address entries cannot be used with the destination target.");
+ }
+ elseif (($alias['type'] == "network" || $alias['type'] == "host") &&
+ trim(filter_expand_alias($alias['name'])) == "") {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $disable = true;
+ $tooltip = gettext("Aliases representing a FQDN host cannot be used in Snort preprocessor configurations.");
+ }
+ else {
+ $textss = "";
+ $textse = "";
+ $disable = "";
+ $selectablealias = true;
+ $tooltip = gettext("Selected entry will be imported. Click to toggle selection.");
+ }
+ ?>
+ <?php if ($disable): ?>
+ <tr title="<?=$tooltip;?>">
+ <td class="listlr" align="center"><img src="../themes/<?=$g['theme'];?>/images/icons/icon_block_d.gif" width="11" height"11" border="0"/>
+ <?php else: ?>
+ <tr>
+ <td class="listlr" align="center"><input type="radio" name="alias" value="<?=htmlspecialchars($alias['name']);?>" title="<?=$tooltip;?>"/></td>
+ <?php endif; ?>
+ <td class="listr" align="left"><?=$textss . htmlspecialchars($alias['name']) . $textse;?></td>
+ <td class="listr" align="left">
+ <?php
+ $tmpaddr = explode(" ", $alias['address']);
+ $addresses = implode(", ", array_slice($tmpaddr, 0, 10));
+ echo "{$textss}{$addresses}{$textse}";
+ if(count($tmpaddr) > 10) {
+ echo "...";
+ }
+ ?>
+ </td>
+ <td class="listbg" align="left">
+ <?=$textss . htmlspecialchars($alias['descr']) . $textse;?>&nbsp;
+ </td>
+ </tr>
+ <?php $i++; endforeach; ?>
+ </table>
+ </td>
+</tr>
+<?php if (!$selectablealias): ?>
+<tr>
+ <td class="tabcont" align="center"><b><?php echo gettext("There are currently no defined Aliases eligible for selection.");?></b></td>
+</tr>
+<tr>
+ <td class="tabcont" align="center">
+ <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/>
+ </td>
+</tr>
+<?php else: ?>
+<tr>
+ <td class="tabcont" align="center">
+ <input type="Submit" name="save" value="Save" id="save" class="formbtn" title="<?=gettext("Import selected item and return");?>"/>&nbsp;&nbsp;&nbsp;
+ <input type="Submit" name="cancel" value="Cancel" id="cancel" class="formbtn" title="<?=gettext("Cancel import operation and return");?>"/>
+ </td>
+</tr>
+<?php endif; ?>
+<tr>
+ <td class="tabcont">
+ <span class="vexpl"><span class="red"><strong><?=gettext("Note:"); ?><br></strong></span><?=gettext("Fully-Qualified Domain Name (FQDN) host Aliases cannot be used as Snort configuration parameters. Aliases resolving to a single FQDN value are disabled in the list above. In the case of nested Aliases where one or more of the nested values is a FQDN host, the FQDN host will not be included in the {$title} configuration.");?></span>
+ </td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+</html>
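Review bot: The hidden inputs echo `$varname`, `$type`, `$multi_ip`, `$referrer` and `$querystr` without escaping, and every one of them comes from `$_GET` or `$_SERVER['QUERY_STRING']`, so a crafted link to this page reflects attacker-controlled markup into the form (the alias name and description further down are correctly passed through `htmlspecialchars()`, so the file already has the right idiom). Separately, `case 3:` in the title `switch` has no `break`, so a three-type request falls into `default` and the title becomes "n" instead of the three names. The redirect handling also needs attention: the early bail-out prefixes `http://{$referrer}`, the save and cancel paths do not, and in all three `$referrer` is whatever `returl` said, which is the same unvalidated return target as in snort_rules_flowbits.php; `$selection` should also be `urlencode()`d before it is appended to the `Location` query.
```php
// … unchanged: $title switch, cases 1 and 2 …
    case 3:
        $title .= " " . ucfirst($a_types[0]) . ", " . ucfirst($a_types[1]) . " or " . ucfirst($a_types[2]);
        break;
// … unchanged: default branch, cancel/save handling, head.inc …
<input type="hidden" name="varname" value="<?=htmlspecialchars($varname);?>">
<input type="hidden" name="type" value="<?=htmlspecialchars($type);?>">
<input type="hidden" name="multi_ip" value="<?=htmlspecialchars($multi_ip);?>">
<input type="hidden" name="returl" value="<?=htmlspecialchars($referrer);?>">
<input type="hidden" name="org_querystr" value="<?=htmlspecialchars($querystr);?>">
// … unchanged: alias table and buttons …
```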
diff --git a/config/snort/snort_stream5_engine.php b/config/snort/snort_stream5_engine.php
new file mode 100644
index 00000000..b3d81f37
--- /dev/null
+++ b/config/snort/snort_stream5_engine.php
@@ -0,0 +1,661 @@
+<?php
+/*
+ * snort_stream5_engine.php
+ * Copyright (C) 2013 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+/* Retrieve required array index values from QUERY string if available. */
+/* 'id' is the [rule] array index, and 'eng_id' is the index for the */
+/* stream5_tcp_engine's [item] array. */
+$id = $_GET['id'];
+$eng_id = $_GET['eng_id'];
+
+/* See if values are in our form's POST content */
+if (isset($_POST['id']))
+ $id = $_POST['id'];
+if (isset($_POST['eng_id']))
+ $eng_id = $_POST['eng_id'];
+
+/* If we don't have a [rule] index specified, exit */
+if (is_null($id)) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['stream5_client_import']);
+ session_write_close();
+ header("Location: /snort/snort_interfaces.php");
+ exit;
+}
+
+/* Initialize pointer into requisite section of [config] array */
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item']))
+ $config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'][$id]['stream5_tcp_engine']['item'];
+
+$pconfig = array();
+
+// If this is a new entry, intialize it with default values
+if (empty($a_nat[$eng_id])) {
+ $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd", "timeout" => 30,
+ "max_queued_bytes" => 1048576, "detect_anomalies" => "off", "overlap_limit" => 0,
+ "max_queued_segs" => 2621, "require_3whs" => "off", "startup_3whs_timeout" => 0,
+ "no_reassemble_async" => "off", "dont_store_lg_pkts" => "off", "max_window" => 0,
+ "use_static_footprint_sizes" => "off", "check_session_hijacking" => "off", "ports_client" => "default",
+ "ports_both" => "default", "ports_server" => "none" );
+ // See if this is initial entry and set to "default" if true
+ if ($eng_id < 1) {
+ $def['name'] = "default";
+ $def['bind_to'] = "all";
+ }
+ $pconfig = $def;
+}
+else {
+ $pconfig = $a_nat[$eng_id];
+
+ // Check for empty values and set sensible defaults
+ if (empty($pconfig['policy']))
+ $pconfig['policy'] = "bsd";
+ if (empty($pconfig['timeout']))
+ $pconfig['timeout'] = 30;
+ if (empty($pconfig['max_queued_bytes']) && $pconfig['max_queued_bytes'] <> 0)
+ $pconfig['max_queued_bytes'] = 1048576;
+ if (empty($pconfig['detect_anomalies']))
+ $pconfig['detect_anomalies'] = "off";
+ if (empty($pconfig['overlap_limit']))
+ $pconfig['overlap_limit'] = 0;
+ if (empty($pconfig['max_queued_segs']) && $pconfig['max_queued_segs'] <> 0)
+ $pconfig['max_queued_segs'] = 2621;
+ if (empty($pconfig['require_3whs']))
+ $pconfig['require_3whs'] = "off";
+ if (empty($pconfig['startup_3whs_timeout']))
+ $pconfig['startup_3whs_timeout'] = 0;
+ if (empty($pconfig['no_reassemble_async']))
+ $pconfig['no_reassemble_async'] = "off";
+ if (empty($pconfig['dont_store_lg_pkts']))
+ $pconfig['dont_store_lg_pkts'] = "off";
+ if (empty($pconfig['max_window']))
+ $pconfig['max_window'] = 0;
+ if (empty($pconfig['use_static_footprint_sizes']))
+ $pconfig['use_static_footprint_sizes'] = "off";
+ if (empty($pconfig['check_session_hijacking']))
+ $pconfig['check_session_hijacking'] = "off";
+ if (empty($pconfig['ports_client']))
+ $pconfig['ports_client'] = "default";
+ if (empty($pconfig['ports_both']))
+ $pconfig['ports_both'] = "default";
+ if (empty($pconfig['ports_server']))
+ $pconfig['ports_server'] = "none";
+}
+
+if ($_POST['Cancel']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['stream5_client_import']);
+ session_write_close();
+ header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row");
+ exit;
+}
+
+// Check for returned "selected alias" if action is import
+if ($_GET['act'] == "import") {
+ session_start();
+ if (($_GET['varname'] == "bind_to" || $_GET['varname'] == "ports_client" || $_GET['varname'] == "ports_both" || $_GET['varname'] == "ports_server")
+ && !empty($_GET['varvalue'])) {
+ $pconfig[$_GET['varname']] = $_GET['varvalue'];
+ if(!isset($_SESSION['stream5_client_import']))
+ $_SESSION['stream5_client_import'] = array();
+
+ $_SESSION['stream5_client_import'][$_GET['varname']] = $_GET['varvalue'];
+ if (isset($_SESSION['stream5_client_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to'];
+ if (isset($_SESSION['stream5_client_import']['ports_client']))
+ $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client'];
+ if (isset($_SESSION['stream5_client_import']['ports_both']))
+ $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both'];
+ if (isset($_SESSION['stream5_client_import']['ports_server']))
+ $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server'];
+ }
+ // If "varvalue" is empty, user likely hit CANCEL in Select Dialog,
+ // so restore any saved values.
+ elseif (empty($_GET['varvalue'])) {
+ if (isset($_SESSION['stream5_client_import']['bind_to']))
+ $pconfig['bind_to'] = $_SESSION['stream5_client_import']['bind_to'];
+ if (isset($_SESSION['stream5_client_import']['ports_client']))
+ $pconfig['ports_client'] = $_SESSION['stream5_client_import']['ports_client'];
+ if (isset($_SESSION['stream5_client_import']['ports_both']))
+ $pconfig['ports_both'] = $_SESSION['stream5_client_import']['ports_both'];
+ if (isset($_SESSION['stream5_client_import']['ports_server']))
+ $pconfig['ports_server'] = $_SESSION['stream5_client_import']['ports_server'];
+ }
+ else {
+ unset($_SESSION['stream5_client_import']);
+ unset($_SESSION['org_referer']);
+ unset($_SESSION['org_querystr']);
+ session_write_close();
+ }
+}
+
+if ($_POST['Submit']) {
+ // Clear and close out any session variable we created
+ session_start();
+ unset($_SESSION['org_referer']);
+ unset($_SESSION['org_querystr']);
+ unset($_SESSION['stream5_client_import']);
+ session_write_close();
+
+ /* Grab all the POST values and save in new temp array */
+ $engine = array();
+ if ($_POST['stream5_name']) { $engine['name'] = trim($_POST['stream5_name']); } else { $engine['name'] = "default"; }
+
+ /* Validate input values before saving */
+ if ($_POST['stream5_bind_to']) {
+ if (is_alias($_POST['stream5_bind_to'])) {
+ $engine['bind_to'] = $_POST['stream5_bind_to'];
+ if (!snort_is_single_addr_alias($_POST['stream5_bind_to']))
+ $input_errors[] = gettext("An Alias that evaluates to a single IP address or CIDR network is required for the 'Bind-To IP Address' value.");
+ }
+ elseif (strtolower(trim($_POST['stream5_bind_to'])) == "all")
+ $engine['bind_to'] = "all";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value.");
+ }
+ else {
+ $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'.");
+ }
+ if ($_POST['stream5_ports_client']) {
+ if (is_alias($_POST['stream5_ports_client']))
+ $engine['ports_client'] = $_POST['stream5_ports_client'];
+ elseif (strtolower(trim($_POST['stream5_ports_client'])) == "default")
+ $engine['ports_client'] = "default";
+ elseif (strtolower(trim($_POST['stream5_ports_client'])) == "all")
+ $engine['ports_client'] = "all";
+ elseif (strtolower(trim($_POST['stream5_ports_client'])) == "none")
+ $engine['ports_client'] = "none";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_client' value.");
+ }
+ if ($_POST['stream5_ports_both']) {
+ if (is_alias($_POST['stream5_ports_both']))
+ $engine['ports_both'] = $_POST['stream5_ports_both'];
+ elseif (strtolower(trim($_POST['stream5_ports_both'])) == "default")
+ $engine['ports_both'] = "default";
+ elseif (strtolower(trim($_POST['stream5_ports_both'])) == "all")
+ $engine['ports_both'] = "all";
+ elseif (strtolower(trim($_POST['stream5_ports_both'])) == "none")
+ $engine['ports_both'] = "none";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_both' value.");
+ }
+ if ($_POST['stream5_ports_server']) {
+ if (is_alias($_POST['stream5_ports_server']))
+ $engine['ports_server'] = $_POST['stream5_ports_server'];
+ elseif (strtolower(trim($_POST['stream5_ports_server'])) == "default")
+ $engine['ports_server'] = "default";
+ elseif (strtolower(trim($_POST['stream5_ports_server'])) == "all")
+ $engine['ports_server'] = "all";
+ elseif (strtolower(trim($_POST['stream5_ports_server'])) == "none")
+ $engine['ports_server'] = "none";
+ else
+ $input_errors[] = gettext("You must provide a valid Alias or one of the reserved keywords 'default', 'all' or 'none' for the TCP Target Ports 'ports_server' value.");
+ }
+
+ if (!empty($_POST['stream5_timeout']) || $_POST['stream5_timeout'] == 0) {
+ $engine['timeout'] = $_POST['stream5_timeout'];
+ if ($engine['timeout'] < 1 || $engine['timeout'] > 86400)
+ $input_errors[] = gettext("The value for Timeout must be between 1 and 86400.");
+ }
+ else
+ $engine['timeout'] = 60;
+
+ if (!empty($_POST['stream5_max_queued_bytes']) || $_POST['stream5_max_queued_bytes'] == 0) {
+ $engine['max_queued_bytes'] = $_POST['stream5_max_queued_bytes'];
+ if ($engine['max_queued_bytes'] <> 0) {
+ if ($engine['max_queued_bytes'] < 1024 || $engine['max_queued_bytes'] > 1073741824)
+ $input_errors[] = gettext("The value for Max_Queued_Bytes must either be 0, or between 1024 and 1073741824.");
+ }
+ }
+ else
+ $engine['max_queued_bytes'] = 1048576;
+
+ if (!empty($_POST['stream5_max_queued_segs']) || $_POST['stream5_max_queued_segs'] == 0) {
+ $engine['max_queued_segs'] = $_POST['stream5_max_queued_segs'];
+ if ($engine['max_queued_segs'] <> 0) {
+ if ($engine['max_queued_segs'] < 2 || $engine['max_queued_segs'] > 1073741824)
+ $input_errors[] = gettext("The value for Max_Queued_Segs must either be 0, or between 2 and 1073741824.");
+ }
+ }
+ else
+ $engine['max_queued_segs'] = 2621;
+
+ if (!empty($_POST['stream5_overlap_limit']) || $_POST['stream5_overlap_limit'] == 0) {
+ $engine['overlap_limit'] = $_POST['stream5_overlap_limit'];
+ if ($engine['overlap_limit'] < 0 || $engine['overlap_limit'] > 255)
+ $input_errors[] = gettext("The value for Overlap_Limit must be between 0 and 255.");
+ }
+ else
+ $engine['overlap_limit'] = 0;
+
+ if (!empty($_POST['stream5_max_window']) || $_POST['stream5_max_window'] == 0) {
+ $engine['max_window'] = $_POST['stream5_max_window'];
+ if ($engine['max_window'] < 0 || $engine['max_window'] > 1073725440)
+ $input_errors[] = gettext("The value for Max_Window must be between 0 and 1073725440.");
+ }
+ else
+ $engine['max_window'] = 0;
+
+ if (!empty($_POST['stream5_3whs_startup_timeout']) || $_POST['stream5_3whs_startup_timeout'] == 0) {
+ $engine['startup_3whs_timeout'] = $_POST['stream5_3whs_startup_timeout'];
+ if ($engine['startup_3whs_timeout'] < 0 || $engine['startup_3whs_timeout'] > 86400)
+ $input_errors[] = gettext("The value for 3whs_Startup_Timeout must be between 0 and 86400.");
+ }
+ else
+ $engine['startup_3whs_timeout'] = 0;
+
+ if ($_POST['stream5_policy']) { $engine['policy'] = $_POST['stream5_policy']; } else { $engine['policy'] = "bsd"; }
+ if ($_POST['stream5_ports']) { $engine['ports'] = $_POST['stream5_ports']; } else { $engine['ports'] = "both"; }
+
+ $engine['detect_anomalies'] = $_POST['stream5_detect_anomalies'] ? 'on' : 'off';
+ $engine['require_3whs'] = $_POST['stream5_require_3whs'] ? 'on' : 'off';
+ $engine['no_reassemble_async'] = $_POST['stream5_no_reassemble_async'] ? 'on' : 'off';
+ $engine['dont_store_lg_pkts'] = $_POST['stream5_dont_store_lg_pkts'] ? 'on' : 'off';
+ $engine['use_static_footprint_sizes'] = $_POST['stream5_use_static_footprint_sizes'] ? 'on' : 'off';
+ $engine['check_session_hijacking'] = $_POST['stream5_check_session_hijacking'] ? 'on' : 'off';
+
+ /* Can only have one "all" Bind_To address */
+ if ($engine['bind_to'] == "all" && $engine['name'] <> "default")
+ $input_errors[] = gettext("Only one default Stream5 Engine can be bound to all addresses.");
+ $pconfig = $engine;
+
+ /* if no errors, write new entry to conf */
+ if (!$input_errors) {
+ if (isset($eng_id) && $a_nat[$eng_id]) {
+ $a_nat[$eng_id] = $engine;
+ }
+ else
+ $a_nat[] = $engine;
+
+ /* Reorder the engine array to ensure the */
+ /* 'bind_to=all' entry is at the bottom */
+ /* if it contains more than one entry. */
+ if (count($a_nat) > 1) {
+ $i = -1;
+ foreach ($a_nat as $f => $v) {
+ if ($v['bind_to'] == "all") {
+ $i = $f;
+ break;
+ }
+ }
+ /* Only relocate the entry if we */
+ /* found it, and it's not already */
+ /* at the end. */
+ if ($i > -1 && ($i < (count($a_nat) - 1))) {
+ $tmp = $a_nat[$i];
+ unset($a_nat[$i]);
+ $a_nat[] = $tmp;
+ }
+ }
+
+ /* Now write the new engine array to conf */
+ write_config();
+
+ header("Location: /snort/snort_preprocessors.php?id={$id}#stream5_row");
+ exit;
+ }
+}
+
+$if_friendly = snort_get_friendly_interface($config['installedpackages']['snortglobal']['rule'][$id]['interface']);
+$pgtitle = gettext("Snort: Interface {$if_friendly} - Stream5 Preprocessor TCP Engine");
+include_once("head.inc");
+
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC" >
+
+<?php
+include("fbegin.inc");
+if ($input_errors) print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="snort_stream5_engine.php" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id?>">
+<input name="eng_id" type="hidden" value="<?=$eng_id?>">
+<div id="boxarea">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+<td class="tabcont">
+<table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tr>
+ <td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Stream5 Target-Based TCP Stream Reassembly Engine Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Engine Name"); ?></td>
+ <td class="vtable">
+ <input name="stream5_name" type="text" class="formfld unknown" id="stream5_name" size="25" maxlength="25"
+ value="<?=htmlspecialchars($pconfig['name']);?>"<?php if (htmlspecialchars($pconfig['name']) == "default") echo "readonly";?>>&nbsp;
+ <?php if (htmlspecialchars($pconfig['name']) <> "default")
+ echo gettext("Name or description for this engine. (Max 25 characters)");
+ else
+ echo "<span class=\"red\">" . gettext("The name for the 'default' engine is read-only.") . "</span>";?><br/>
+ <?php echo gettext("Unique name or description for this engine configuration. Default value is ") .
+ "<strong>" . gettext("default") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Bind-To IP Address"); ?></td>
+ <td class="vtable">
+ <?php if ($pconfig['name'] <> "default") : ?>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><input name="stream5_bind_to" type="text" class="formfldalias" id="stream5_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" title="<?=trim(filter_expand_alias($pconfig['bind_to']));?>" autocomplete="off">&nbsp;
+ <?php echo gettext("IP address or network to bind this engine to."); ?></td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=host|network&varname=bind_to&act=import&multi_ip=no&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing IP alias");?>"/></td>
+ </tr>
+ <tr>
+ <td class="vexpl" colspan="2"><?php echo gettext("This engine will only run for packets with the destination IP address specified. Default value is ") .
+ "<strong>" . gettext("all") . "</strong>" . gettext(". Only a single IP address or single network in CIDR form may be specified. ") .
+ gettext("IP Lists are not allowed.");?></td>
+ </tr>
+ </table><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'. ");?>
+ <?php else : ?>
+ <input name="stream5_bind_to" type="text" class="formfldalias" id="stream5_bind_to" size="32"
+ value="<?=htmlspecialchars($pconfig['bind_to']);?>" autocomplete="off" readonly>&nbsp;
+ <?php echo "<span class=\"red\">" . gettext("IP List for the default engine is read-only and must be 'all'.") . "</span>";?><br/>
+ <?php echo gettext("The default engine is required and only runs for packets with destination addresses not matching other engine IP Lists.");?><br/>
+ <?php endif ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Target Policy"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="stream5_policy" class="formselect" id="stream5_policy">
+ <?php
+ $profile = array( 'BSD', 'First', 'HPUX', 'HPUX10', 'Irix', 'Last', 'Linux', 'MacOS', 'Old-Linux',
+ 'Solaris', 'Vista', 'Windows', 'Win2003' );
+ foreach ($profile as $val): ?>
+ <option value="<?=strtolower($val);?>"
+ <?php if (strtolower($val) == $pconfig['policy']) echo "selected"; ?>>
+ <?=gettext($val);?></option>
+ <?php endforeach; ?>
+ </select>&nbsp;&nbsp;<?php echo gettext("Choose the TCP target policy appropriate for the protected hosts. The default is ") .
+ "<strong>" . gettext("BSD") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("Available OS targets are BSD, First, HPUX, HPUX10, Irix, Last, Linux, MacOS, Old Linux, Solaris, Vista, Windows, and Win2003 Server."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("TCP Target Ports"); ?></td>
+ <td width="78%" class="vtable">
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Client:"); ?></strong></td>
+ <td class="vexpl"><input name="stream5_ports_client" type="text" class="formfldalias" id="stream5_ports_client" size="32"
+ value="<?=htmlspecialchars($pconfig['ports_client']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_client']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("default") . "</strong>.";?></span>
+ </td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_client&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing port alias");?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Server:"); ?></strong></td>
+ <td class="vexpl"><input name="stream5_ports_server" type="text" class="formfldalias" id="stream5_ports_server" size="32"
+ value="<?=htmlspecialchars($pconfig['ports_server']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_server']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("none") . "</strong>.";?></span>
+ </td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_server&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing port alias");?>"/>
+ </td>
+ </tr>
+ <tr>
+ <td class="vexpl"><strong><?php echo gettext("Both:"); ?></strong></td>
+ <td class="vexpl"><input name="stream5_ports_both" type="text" class="formfldalias" id="stream5_ports_both" size="32"
+ value="<?=htmlspecialchars($pconfig['ports_both']);?>" title="<?=trim(filter_expand_alias($pconfig['ports_both']));?>" autocomplete="off"><span class="vexpl">&nbsp;
+ <?php echo gettext("Default value is the keyword ") . "<strong>" . gettext("default") . "</strong>.";?></span>
+ </td>
+ <td align="right"><input type="button" class="formbtns" value="Aliases" onclick="parent.location='snort_select_alias.php?id=<?=$id;?>&eng_id=<?=$eng_id;?>&type=port&varname=ports_both&act=import&returl=<?=urlencode($_SERVER['PHP_SELF']);?>'"
+ title="<?php echo gettext("Select an existing port alias");?>"/>
+ </td>
+ </tr>
+ </table>
+ <br/><?php echo gettext("Configures which side of the connection packets should be reassembled for based on the configured destination ports. See ");?>
+ <a href="http://www.snort.org/vrt/snort-conf-configurations/" target="_blank"><?php echo gettext("www.snort.org/vrt/snort-conf-configurations");?></a>
+ <?php echo gettext(" for the default configuration port values.");?><br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("Supplied value must be a pre-configured Alias or the keyword 'default', 'all' or 'none'.");?><br/>
+ <span class="red"><?php echo gettext("Hint: ") . "</span>" . gettext("Most users should leave these settings at their default values.");?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Max Window"); ?></td>
+ <td class="vtable">
+ <input name="stream5_max_window" type="text" class="formfld unknown" id="stream5_max_window" size="9"
+ value="<?=htmlspecialchars($pconfig['max_window']);?>" maxlength="10">
+ <?php echo gettext("Maximum allowed TCP window. Min is ") . "<strong>0</strong>" . gettext(" and max is ") .
+ "<strong>1073725440</strong>" . gettext(" (65535 left shift 14)"); ?>.<br/><br/>
+ <?php echo gettext("Sets the TCP max window size. Default value is ") .
+ "<strong>0</strong>" . gettext(" (unlimited). This option is intended to prevent a DoS against Stream5 by " .
+ "attacker using an abnormally large window, so using a value near the maximum is discouraged."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Timeout"); ?></td>
+ <td class="vtable">
+ <input name="stream5_timeout" type="text" class="formfld unknown" id="stream5_timeout" size="9"
+ value="<?=htmlspecialchars($pconfig['timeout']);?>" maxlength="5">
+ <?php echo gettext("TCP Session timeout in seconds. Min is ") . "<strong>1</strong>" . gettext(" and max is ") .
+ "<strong>86400</strong>" . gettext(" (approximately 1 day)"); ?>.<br/><br/>
+ <?php echo gettext("Sets the session reassembly timeout period for TCP packets. Default value is ") .
+ "<strong>30</strong>" . gettext(" seconds."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Max Queued Bytes"); ?></td>
+ <td class="vtable">
+ <input name="stream5_max_queued_bytes" type="text" class="formfld unknown" id="stream5_max_queued_bytes" size="9"
+ value="<?=htmlspecialchars($pconfig['max_queued_bytes']);?>" maxlength="10">
+ <?php echo gettext("Minimum is ") . "<strong>" . gettext("1024") . "</strong>" . gettext(" and Maximum is ") .
+ "<strong>" . gettext("1073741824") . "</strong>" . gettext(" (") .
+ "<strong>" . gettext("0") . "</strong>" . gettext(" means Maximum)."); ?><br/><br/>
+
+ <?php echo gettext("The number of bytes to be queued for reassembly of TCP sessions in " .
+ "memory. Default value is <strong>1048576</strong>"); ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Max Queued Segs"); ?></td>
+ <td class="vtable">
+ <input name="stream5_max_queued_segs" type="text" class="formfld unknown" id="stream5_max_queued_segs" size="9"
+ value="<?=htmlspecialchars($pconfig['max_queued_segs']);?>" maxlength="10">
+ <?php echo gettext("Minimum is ") . "<strong>" . gettext("2") . "</strong>" . gettext(" and Maximum is ") .
+ "<strong>" . gettext("1073741824") . "</strong>" . gettext(" (") .
+ "<strong>" . gettext("0") . "</strong>" . gettext(" means Maximum)");?>.<br/><br/>
+ <?php echo gettext("The number of segments to be queued for reassembly of TCP sessions " .
+ "in memory. Default value is <strong>2621</strong>"); ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("TCP Overlap Limit"); ?></td>
+ <td class="vtable">
+ <input name="stream5_overlap_limit" type="text" class="formfld unknown" id="stream5_overlap_limit" size="9"
+ value="<?=htmlspecialchars($pconfig['overlap_limit']);?>" maxlength="3">
+ <?php echo gettext("Minimum is ") . "<strong>0</strong>" . gettext(" (unlimited) and Maximum is ") . "<strong>" .
+ gettext("255") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("Sets the limit for the number of overlapping packets. Default value is ") .
+ "<strong>0</strong>" . gettext(" (unlimited)."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Detect TCP Anomalies"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_detect_anomalies" id="stream5_detect_anomalies" type="checkbox" value="on"
+ <?php if ($pconfig['detect_anomalies']=="on") echo "checked"; ?>>
+ <?php echo gettext("Detect TCP protocol anomalies. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Check Session Hijacking"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_check_session_hijacking" id="stream5_check_session_hijacking" type="checkbox" value="on"
+ <?php if ($pconfig['check_session_hijacking']=="on") echo "checked"; ?>>
+ <?php echo gettext("Check for TCP session hijacking. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/>
+ <?php echo gettext("This check validates the hardware (MAC) address from both sides of the connection -- " .
+ "as established on the 3-way handshake -- against subsequent packets received on the session.");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Require 3-Way Handshake"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_require_3whs" type="checkbox" value="on"
+ <?php if ($pconfig['require_3whs']=="on") echo "checked"; ?> onclick="stream5_3whs_enable_change();">
+ <?php echo gettext("Establish sessions only on completion of SYN/SYN-ACK/ACK handshake. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr id="stream5_3whs_startuptimeout_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("3-Way Handshake Startup Timeout"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="stream5_3whs_startup_timeout" type="text" class="formfld unknown" id="stream5_3whs_startup_timeout" size="9"
+ value="<?=htmlspecialchars($pconfig['startup_3whs_timeout']);?>" maxlength="5">
+ <?php echo gettext("3-Way Handshake Startup Timeout in seconds. Min is ") . "<strong>" . gettext("0") . "</strong>" .
+ gettext(" and Max is ") . "<strong>" . gettext("86400") . "</strong>" . gettext(" (1 day).");?><br/><br/>
+ <?php echo gettext("This allows a grace period for existing sessions to be considered established during that " .
+ "interval immediately after Snort is started. The default is ") . "<strong>" . gettext("0") .
+ "</strong>" . gettext(", (don't consider existing sessions established).");?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Reassemble Async"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_no_reassemble_async" type="checkbox" value="on"
+ <?php if ($pconfig['no_reassemble_async']=="on") echo "checked "; ?>>
+ <?php echo gettext("Do not queue packets for reassembly if traffic has not been seen in both directions. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Use Static Footprint Sizes"); ?></td>
+ <td width="78%" class="vtable"><input name="stream5_use_static_footprint_sizes" id="stream5_use_static_footprint_sizes" type="checkbox" value="on"
+ <?php if ($pconfig['use_static_footprint_sizes']=="on") echo "checked "; ?>>
+ <?php echo gettext("Emulate Stream4 behavior for flushing reassembled packets. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Do Not Store Large TCP Packets"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="stream5_dont_store_lg_pkts" type="checkbox" value="on"
+ <?php if ($pconfig['dont_store_lg_pkts']=="on") echo "checked"; ?>>
+ <?php echo gettext("Do not queue large packets in reassembly buffer to increase performance. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.<br/><br/>
+ <?php echo "<span class=\"red\"><strong>" . gettext("Warning: ") . "</strong></span>" .
+ gettext("Enabling this option could result in missed packets. Recommended setting is not checked."); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="bottom">&nbsp;</td>
+ <td width="78%" valign="bottom">
+ <input name="Submit" id="submit" type="submit" class="formbtn" value=" Save " title="<?php echo
+ gettext("Save Stream5 engine settings and return to Preprocessors tab"); ?>">
+ &nbsp;&nbsp;&nbsp;&nbsp;
+ <input name="Cancel" id="cancel" type="submit" class="formbtn" value="Cancel" title="<?php echo
+ gettext("Cancel changes and return to Preprocessors tab"); ?>"></td>
+ </tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</form>
+<?php include("fend.inc"); ?>
+</body>
+<script type="text/javascript" src="/javascript/autosuggest.js">
+</script>
+<script type="text/javascript" src="/javascript/suggestions.js">
+</script>
+<script type="text/javascript">
+
+function stream5_3whs_enable_change() {
+ var endis = !(document.iform.stream5_require_3whs.checked);
+
+ // Hide the "3whs_startup_timeout" row if stream5_require_3whs disabled
+ if (endis)
+ document.getElementById("stream5_3whs_startuptimeout_row").style.display="none";
+ else
+ document.getElementById("stream5_3whs_startuptimeout_row").style.display="table-row";
+}
+
+<?php
+ $isfirst = 0;
+ $aliases = "";
+ $addrisfirst = 0;
+ $portisfirst = 0;
+ $aliasesaddr = "";
+ $aliasesport = "";
+ if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias']))
+ foreach($config['aliases']['alias'] as $alias_name) {
+ // Skip any Aliases that resolve to an empty string
+ if (trim(filter_expand_alias($alias_name['name'])) == "")
+ continue;
+ if ($alias_name['type'] == "host" || $alias_name['type'] == "network") {
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ }
+ elseif ($alias_name['type'] == "port") {
+ if($portisfirst == 1) $aliasesport .= ",";
+ $aliasesport .= "'" . $alias_name['name'] . "'";
+ $portisfirst = 1;
+ }
+ }
+
+?>
+ var addressarray=new Array(<?php echo $aliasesaddr; ?>);
+ var portarray=new Array(<?php echo $aliasesport; ?>);
+
+function createAutoSuggest() {
+<?php
+ echo "objAlias = new AutoSuggestControl(document.getElementById('stream5_bind_to'), new StateSuggestions(addressarray));\n";
+ echo "objAliasPortsClient = new AutoSuggestControl(document.getElementById('stream5_ports_client'), new StateSuggestions(portarray));\n";
+ echo "objAliasPortsServer = new AutoSuggestControl(document.getElementById('stream5_ports_server'), new StateSuggestions(portarray));\n";
+ echo "objAliasPortsBoth = new AutoSuggestControl(document.getElementById('stream5_ports_both'), new StateSuggestions(portarray));\n";
+?>
+}
+
+setTimeout("createAutoSuggest();", 500);
+stream5_3whs_enable_change();
+
+</script>
+
+</html>
diff --git a/config/varnish3/varnish.inc b/config/varnish3/varnish.inc
index 983804c9..1895d214 100644
--- a/config/varnish3/varnish.inc
+++ b/config/varnish3/varnish.inc
@@ -65,8 +65,13 @@ function varnish_settings_post_validate($post, $input_errors) {
}
function varnish_lb_directors_post_validate($post, $input_errors) {
- if (preg_match("/[^a-zA-Z0-9]/", $post['directorname']))
+ if (preg_match("/[^a-zA-Z0-9]/", $post['directorname'])){
$input_errors[] = "The directorname name must only contain the characters a-Z or 0-9";
+ }
+ else{
+ if(empty($post['failover']))
+ $_POST['failover'] = $post['directorname'];
+ }
if(stristr($post['directorurl'], 'http'))
$input_errors[] = "You do not need to include the http:// string in the director URL";
if($post['grace'] && ! preg_match("/^\d+(h|m|s)$/",$post['grace']))
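Review bot: The new else branch writes the defaulted failover value into the `$_POST` superglobal while the function receives its input through the `$post` parameter, so whether the caller ever sees that default depends on `$post` being the live `$_POST` array, which the hunk does not show. If `$post` is passed by reference, assigning `$post['failover'] = $post['directorname'];` keeps the function self-contained; otherwise the reason for touching the superglobal should be recorded on that line, e.g. `// NOTE(review): written to $_POST because the package framework saves the request array, not $post — confirm`. The inner `if(empty($post['failover']))` is also left without braces while the outer branches gained them in the same hunk. varnish_lb_directors_post_validate continues past the hunk.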
diff --git a/config/varnish3/varnish_backends.xml b/config/varnish3/varnish_backends.xml
index 28e7caca..58216279 100644
--- a/config/varnish3/varnish_backends.xml
+++ b/config/varnish3/varnish_backends.xml
@@ -155,7 +155,6 @@
<fields>
<field>
<fielddescr>BackendSettings</fielddescr>
- <fieldname>BackendSettings</fieldname>
<type>listtopic</type>
<name>Backend settings</name>
</field>
@@ -189,7 +188,6 @@
</field>
<field>
<fielddescr>PerformanceMetrics</fielddescr>
- <fieldname>PerformanceMetrics</fieldname>
<type>listtopic</type>
<name>Performance metrics</name>
</field>
@@ -207,7 +205,6 @@
</field>
<field>
<fielddescr>ProbeInfo</fielddescr>
- <fieldname>ProbeInfo</fieldname>
<type>listtopic</type>
<name>Probe settings</name>
</field>
@@ -250,7 +247,6 @@
</field>
<field>
<fielddescr>Mappings</fielddescr>
- <fieldname>Mappings</fieldname>
<type>listtopic</type>
<name>Backend Mappings</name>
</field>
diff --git a/config/varnish3/varnish_lb_directors.xml b/config/varnish3/varnish_lb_directors.xml
index b9d8cc24..99a945d5 100644
--- a/config/varnish3/varnish_lb_directors.xml
+++ b/config/varnish3/varnish_lb_directors.xml
@@ -137,7 +137,6 @@
<fields>
<field>
<fielddescr>DirectorSettings</fielddescr>
- <fieldname>Director Settings</fieldname>
<type>listtopic</type>
<name>Director settings</name>
</field>
@@ -209,7 +208,6 @@
</field>
<field>
<fielddescr>Backendlist</fielddescr>
- <fieldname>Backendlist</fieldname>
<type>listtopic</type>
<name>Backend Settings</name>
</field>
@@ -249,7 +247,6 @@
</field>
<field>
<fielddescr>FailoverSettings</fielddescr>
- <fieldname>FailoverSettings</fieldname>
<type>listtopic</type>
<name>Failover Settings</name>
</field>
diff --git a/config/varnish3/varnish_settings.xml b/config/varnish3/varnish_settings.xml
index 38c68a03..bbb8d321 100644
--- a/config/varnish3/varnish_settings.xml
+++ b/config/varnish3/varnish_settings.xml
@@ -80,7 +80,6 @@
<fields>
<field>
<fielddescr>Listening</fielddescr>
- <fieldname>Listening</fieldname>
<type>listtopic</type>
<name>Daemon options</name>
</field>
@@ -112,7 +111,6 @@
</field>
<field>
<fielddescr>StorageTypeLT</fielddescr>
- <fieldname>StorageTypeLT</fieldname>
<type>listtopic</type>
<name>Storage type</name>
</field>
@@ -135,7 +133,6 @@
<field>
<fielddescr>WorkerThreadLT</fielddescr>
- <fieldname>WorkerThreadLT</fieldname>
<type>listtopic</type>
<name>Worker thread configuration</name>
</field>
@@ -159,7 +156,6 @@
</field>
<field>
<fielddescr>BasicVCLLT</fielddescr>
- <fieldname>BasicVCLLT</fieldname>
<type>listtopic</type>
<name>General VCL Settings</name>
</field>
@@ -245,7 +241,6 @@
</field>
<field>
<fielddescr>ErrorVCLLT</fielddescr>
- <fieldname>ErrorVCLLT</fieldname>
<type>listtopic</type>
<name>Error Settings</name>
</field>
diff --git a/config/varnish3/varnish_sync.xml b/config/varnish3/varnish_sync.xml
index fd387fdb..d81851b1 100644
--- a/config/varnish3/varnish_sync.xml
+++ b/config/varnish3/varnish_sync.xml
@@ -80,7 +80,6 @@
<fields>
<field>
<type>listtopic</type>
- <fieldname>temp</fieldname>
<name>Enable Varnish configuration sync</name>
</field>
<field>
diff --git a/config/widget-snort/snort_alerts.js b/config/widget-snort/snort_alerts.js
index 0c2d9ca6..c5c743df 100644
--- a/config/widget-snort/snort_alerts.js
+++ b/config/widget-snort/snort_alerts.js
@@ -1,7 +1,7 @@
var snortlines = Array();
var snorttimer;
-var snortupdateDelay = 25500;
+var snortupdateDelay = 22000;
var snortisBusy = false;
var snortisPaused = false;
diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php
index f4eaa140..691b03a3 100644
--- a/config/widget-snort/snort_alerts.widget.php
+++ b/config/widget-snort/snort_alerts.widget.php
@@ -26,6 +26,7 @@
POSSIBILITY OF SUCH DAMAGE.
*/
+require_once("guiconfig.inc");
require_once("/usr/local/www/widgets/include/widget-snort.inc");
global $config, $g;
@@ -61,7 +62,14 @@ function sksort(&$array, $subkey="id", $sort_ascending=false) {
};
/* check if firewall widget variable is set */
-if (!isset($nentries)) $nentries = 5;
+$nentries = $config['widgets']['widget_snort_display_lines'];
+if (!isset($nentries) || $nentries < 0) $nentries = 5;
+
+if(isset($_POST['widget_snort_display_lines'])) {
+ $config['widgets']['widget_snort_display_lines'] = $_POST['widget_snort_display_lines'];
+ write_config("Saved Snort Alerts Widget Displayed Lines Parameter via Dashboard");
+ header("Location: ../../index.php");
+}
/* check if Snort include file exists before we use it */
if (file_exists("/usr/local/pkg/snort/snort.inc")) {
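Review bot: The handler at `$config['widgets']['widget_snort_display_lines'] = $_POST['widget_snort_display_lines'];` stores the request value unvalidated, and the only check (`$nentries < 0`) runs on the previously saved value before the new one is written, so a non-numeric or negative string is persisted to the config and later echoed back into the settings form. Cast and range-check before saving, e.g. `$lines = (int)$_POST['widget_snort_display_lines']; if ($lines >= 0) $config['widgets']['widget_snort_display_lines'] = $lines;`. The `header("Location: ../../index.php");` is also not followed by `exit;`, so the rest of the widget still renders into the response after the redirect header. Whether guiconfig.inc's request handling already applies CSRF protection to this POST form cannot be confirmed from the hunk.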
@@ -121,6 +129,16 @@ if (file_exists("/usr/local/pkg/snort/snort.inc")) {
/* display the result */
?>
+
+<input type="hidden" id="snort_alerts-config" name="snort_alerts-config" value="" />
+<div id="snort_alerts-settings" class="widgetconfigdiv" style="display:none;">
+ <form action="/widgets/widgets/snort_alerts.widget.php" method="post" name="iformd">
+ Enter number of recent alerts to display (default is 5)<br/>
+ <input type="text" size="5" name="widget_snort_display_lines" class="formfld unknown" id="widget_snort_display_lines" value="<?= $config['widgets']['widget_snort_display_lines'] ?>" />
+ &nbsp;&nbsp;<input id="submitd" name="submitd" type="submit" class="formbtn" value="Save" />
+ </form>
+</div>
+
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr class="snort-alert-header">
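Review bot: The `value="<?= $config['widgets']['widget_snort_display_lines'] ?>"` attribute in the new settings form echoes the stored value without escaping, and since the handler earlier in the file saves it straight from `$_POST`, a stored value containing a quote or angle bracket breaks out of the attribute. Wrap it as `value="<?=htmlspecialchars($config['widgets']['widget_snort_display_lines']);?>"`, the same way the Stream5 engine page in this commit renders its form values. Even once the value is guaranteed to be an integer at save time, output escaping should not depend on that.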
@@ -150,3 +168,13 @@ if (is_array($snort_alerts)) {
?>
</tbody>
</table>
+
+<!-- needed to display the widget settings menu -->
+<script type="text/javascript">
+//<![CDATA[
+ selectIntLink = "snort_alerts-configure";
+ textlink = document.getElementById(selectIntLink);
+ textlink.style.display = "inline";
+//]]>
+</script>
+
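Review bot: `selectIntLink` and `textlink` in the added script are assigned without `var`, so they become implicit globals on the dashboard page, and `textlink.style.display` will throw if no element with id `snort_alerts-configure` exists, which nothing in this hunk creates (the hidden input is `snort_alerts-config`). Declaring them locally and guarding the lookup keeps the snippet self-contained: `var textlink = document.getElementById("snort_alerts-configure"); if (textlink) textlink.style.display = "inline";`.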
diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml
index 29edcc3f..1a371ca5 100644
--- a/config/widget-snort/widget-snort.xml
+++ b/config/widget-snort/widget-snort.xml
@@ -46,7 +46,7 @@
<requirements>Dashboard package and Snort</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>widget-snort</name>
- <version>0.3.5</version>
+ <version>0.3.6</version>
<title>Widget - Snort</title>
<include_file>/usr/local/www/widgets/include/widget-snort.inc</include_file>
<additional_files_needed>
diff --git a/config/zabbix2/zabbix2-agent.xml b/config/zabbix2/zabbix2-agent.xml
index 0169e11f..3f8e84db 100644
--- a/config/zabbix2/zabbix2-agent.xml
+++ b/config/zabbix2/zabbix2-agent.xml
@@ -41,7 +41,7 @@
<name>zabbixagent</name>
<title>Services: Zabbix-2 Agent</title>
<category>Monitoring</category>
- <version>0.7_1</version>
+ <version>0.8_0</version>
<include_file>/usr/local/pkg/zabbix2.inc</include_file>
<addedit_string>Zabbix Agent has been created/modified.</addedit_string>
<delete_string>Zabbix Agent has been deleted.</delete_string>
diff --git a/config/zabbix2/zabbix2-proxy.xml b/config/zabbix2/zabbix2-proxy.xml
index c687c5ba..c857bec1 100644
--- a/config/zabbix2/zabbix2-proxy.xml
+++ b/config/zabbix2/zabbix2-proxy.xml
@@ -41,7 +41,7 @@
<name>zabbixproxy</name>
<title>Services: Zabbix-2 Proxy</title>
<category>Monitoring</category>
- <version>0.7_1</version>
+ <version>0.8_0</version>
<include_file>/usr/local/pkg/zabbix2.inc</include_file>
<addedit_string>Zabbix Proxy has been created/modified.</addedit_string>
<delete_string>Zabbix Proxy has been deleted.</delete_string>
diff --git a/config/zabbix2/zabbix2.inc b/config/zabbix2/zabbix2.inc
index 0a1c12be..92aad309 100644
--- a/config/zabbix2/zabbix2.inc
+++ b/config/zabbix2/zabbix2.inc
@@ -48,14 +48,14 @@ function php_deinstall_zabbix2_agent(){
conf_mount_rw();
$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
if ($pfs_version > 2.0){
- define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m"));
+ define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix22-agent-' . php_uname("m"));
} else {
define('ZABBIX_AGENT_BASE', '/usr/local');
}
exec("/usr/bin/killall zabbix_agentd");
unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix2_agentd.sh");
- unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf");
+ unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf");
unlink_if_exists("/var/log/zabbix2/zabbix2_agentd.log");
unlink_if_exists("/var/run/zabbix2/zabbix2_agentd.pid");
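Review bot: The new directory name `zabbix22` is now spelled out as a string literal in every function of this file — here, the proxy deinstall at the hunk at L12405, the sync function at L12420, the two config writes at L12431 and L12439, and the mkdir at L12447 — so the next PBI version bump has to touch all six places and a single missed one silently leaves a stale path in use. A single `define('ZABBIX_CONF_DIR', '/etc/zabbix22');` (or a small helper that derives the directory alongside the `ZABBIX_*_BASE` definitions) would keep the deinstall, sync and mkdir paths consistent. php_deinstall_zabbix2_agent continues outside the hunk.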
@@ -75,14 +75,14 @@ function php_deinstall_zabbix2_proxy(){
conf_mount_rw();
$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
if ($pfs_version > 2.0){
- define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m"));
+ define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix22-proxy-' . php_uname("m"));
} else {
define('ZABBIX_PROXY_BASE', '/usr/local');
}
exec("/usr/bin/killall zabbix_proxy");
unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix2_proxy.sh");
- unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf");
+ unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf");
unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log");
unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid");
@@ -180,8 +180,8 @@ function sync_package_zabbix2(){
#check pfsense version
$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
if ($pfs_version > 2.0){
- define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m"));
- define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m"));
+ define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix22-agent-' . php_uname("m"));
+ define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix22-proxy-' . php_uname("m"));
}
else {
define('ZABBIX_AGENT_BASE', '/usr/local');
@@ -208,7 +208,7 @@ Fping6Location=/usr/local/sbin/fping6
ProxyMode={$Mode}
EOF;
- file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
+ file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => "")));
}
}
/* check zabbix agent settings*/
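Review bot: The return value of `file_put_contents` on the renamed `/etc/zabbix22/zabbix_proxy.conf` path is not checked, so a failed write (for example when the directory does not yet exist — the `mkdir` for it sits later in the same function, in the hunk at L12447) only emits a PHP warning while the function carries on and the daemon is later started against a missing or stale configuration; the agent write in the hunk at L12439 has the same shape. Capture the result, e.g. `if (file_put_contents(ZABBIX_PROXY_BASE . "/etc/zabbix22/zabbix_proxy.conf", strtr($zbproxy_conf_file, array("\r" => ""))) === false)` and log the failure rather than continuing. sync_package_zabbix2 starts and ends outside the hunk.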
@@ -242,7 +242,7 @@ StartAgents={$StartAgents}
{$UserParams}
EOF;
- file_put_contents(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => "")));
+ file_put_contents(ZABBIX_AGENT_BASE . "/etc/zabbix22/zabbix_agentd.conf", strtr($zbagent_conf_file, array("\r" => "")));
}
}
$want_sysctls = array(
@@ -291,8 +291,8 @@ EOF;
/*check startup script files*/
/* create a few directories and ensure the sample files are in place */
- if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix2"))
- exec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix2");
+ if (!is_dir(ZABBIX_PROXY_BASE . "/etc/zabbix22"))
+ exec("/bin/mkdir -p " . ZABBIX_PROXY_BASE . "/etc/zabbix22");
$dir_checks = <<< EOF
if [ ! -d /var/log/zabbix2 ]