Diffstat (limited to 'packages/snort')
-rw-r--r--packages/snort/snort.inc219
1 files changed, 218 insertions, 1 deletions
diff --git a/packages/snort/snort.inc b/packages/snort/snort.inc
index 1debde6a..22227345 100644
--- a/packages/snort/snort.inc
+++ b/packages/snort/snort.inc
@@ -1,7 +1,9 @@
<?php
function sync_package_snort() {
+ global $config, $g;
exec("mkdir -p /usr/local/etc/snort");
+ exec("mkdir -p /var/log/snort");
$first = 0;
/* if list */
$iflist = array("lan" => "LAN");
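Review bot: The new `exec("mkdir -p /var/log/snort")` line, like the existing one above it, discards the command's exit status, so a failure to create the log directory goes unnoticed and snort is started later without it. PHP's `mkdir("/var/log/snort", 0755, true)` returns false on failure and avoids the shell round-trip; e.g. `if (!is_dir("/var/log/snort") && !mkdir("/var/log/snort", 0755, true)) { log_error("Could not create /var/log/snort"); return; }`. The `global $config, $g;` declaration is not used by any line visible here; sync_package_snort continues outside the hunk, so it may be needed further down.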
@@ -31,8 +33,223 @@ function sync_package_snort() {
"stop" => "/usr/bin/killall snort; killall snort2c"
)
);
- exec("cp /usr/local/etc/snort/snort.conf-sample /usr/local/etc/snort.conf");
+ /* write out snort.conf */
+ $snort_conf = generate_snort_conf();
+ $conf = fopen("/usr/local/etc/snort/snort.conf","w");
+ if(!$conf) {
+ log_error("Could not open /usr/local/etc/snort/snort.conf for writing.");
+ exit;
+ }
+ fwrite($conf, $snort_conf);
+ fclose($conf);
start_service("snort");
}
+function generate_snort_conf() {
+ global $config, $g;
+
+ $ssh_port = "";
+ $home_net = "";
+
+ /* XXX: generate rule section */
+ $selected_rules_sections = "";
+
+ $snort_conf = <<<EOD
+
+var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
+var HTTP_PORTS 80
+var SHELLCODE_PORTS !$HTTP_PORTS
+var ORACLE_PORTS 1521
+var HOME_NET {$home_net}
+var TELNET_SERVERS $HOME_NET
+var SQL_SERVERS $HOME_NET
+var HTTP_SERVERS $HOME_NET
+var SMTP_SERVERS $HOME_NET
+var DNS_SERVERS $HOME_NET
+var RULE_PATH .
+var EXTERNAL_NET !$HOME_NET
+var SSH_PORTS {$ssh_port}
+
+#Output plugins
+output database: alert
+output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
+
+#Flow and stream
+preprocessor flow: stats_interval 0 hash 2
+preprocessor frag2
+preprocessor stream4: disable_evasion_alerts,detect_scans
+
+preprocessor stream4_reassemble: both, ports all
+
+#XLink2State mini proc
+preprocessor xlink2state: ports { 25 691 }
+
+#HTTP Inspect
+preprocessor http_inspect: global iis_unicode_map unicode.map 1252
+
+preprocessor http_inspect_server: server default \
+ ports { 80 8080 3128 } \
+ no_alerts \
+ non_strict \
+ non_rfc_char { 0x00 } \
+ flow_depth 0 \
+ apache_whitespace yes \
+ directory no \
+ iis_backslash no \
+ u_encode yes \
+ ascii no \
+ chunk_length 500000 \
+ bare_byte yes \
+ double_decode yes \
+ iis_unicode yes \
+ iis_delimiter yes \
+ multi_slash no
+
+#Other preprocs
+preprocessor rpc_decode: 111 32771
+preprocessor bo
+preprocessor telnet_decode
+
+#Flow Portscan
+preprocessor flow-portscan: \
+ talker-sliding-scale-factor 0.50 \
+ talker-fixed-threshold 30 \
+ talker-sliding-threshold 30 \
+ talker-sliding-window 20 \
+ talker-fixed-window 30 \
+ scoreboard-rows-talker 30000 \
+ server-watchnet $HOME_NET \
+ server-ignore-limit 200 \
+ server-rows 65535 \
+ server-learning-time 14400 \
+ server-scanner-limit 4 \
+ scanner-sliding-window 20 \
+ scanner-sliding-scale-factor 0.50 \
+ scanner-fixed-threshold 15 \
+ scanner-sliding-threshold 40 \
+ scanner-fixed-window 15 \
+ scoreboard-rows-scanner 30000 \
+ alert-mode once \
+ output-mode msg \
+ tcp-penalties on
+
+
+#Required files
+include classification.config
+include reference.config
+
+#Rulesets, all optional
+
+{$selected_rules_sections}
+
+# XXX: axe below, use $selected_rules_sections
+
+#General
+include $RULE_PATH/bleeding.rules
+include $RULE_PATH/ftp.rules
+include $RULE_PATH/telnet.rules
+include $RULE_PATH/dns.rules
+include $RULE_PATH/tftp.rules
+include $RULE_PATH/x11.rules
+include $RULE_PATH/misc.rules
+include $RULE_PATH/nntp.rules
+include $RULE_PATH/other-ids.rules
+# include $RULE_PATH/shellcode.rules
+include $RULE_PATH/community-ftp.rules
+include $RULE_PATH/community-misc.rules
+
+#Mostly Spyware
+include $RULE_PATH/bleeding-malware.rules
+
+#Network issues
+include $RULE_PATH/bad-traffic.rules
+include $RULE_PATH/snmp.rules
+
+#Exploits and direct attacks
+include $RULE_PATH/exploit.rules
+include $RULE_PATH/bleeding-exploit.rules
+include $RULE_PATH/community-exploit.rules
+
+#Scans and recon
+include $RULE_PATH/scan.rules
+include $RULE_PATH/bleeding-scan.rules
+
+#Unusual stuff
+include $RULE_PATH/finger.rules
+
+#R-services, etc
+include $RULE_PATH/rpc.rules
+include $RULE_PATH/rservices.rules
+
+#DOS
+include $RULE_PATH/dos.rules
+include $RULE_PATH/ddos.rules
+include $RULE_PATH/bleeding-dos.rules
+
+#Web issues
+include $RULE_PATH/web-cgi.rules
+include $RULE_PATH/web-coldfusion.rules
+include $RULE_PATH/web-iis.rules
+include $RULE_PATH/web-frontpage.rules
+include $RULE_PATH/web-misc.rules
+include $RULE_PATH/web-client.rules
+include $RULE_PATH/web-php.rules
+include $RULE_PATH/web-attacks.rules
+include $RULE_PATH/bleeding-web.rules
+include $RULE_PATH/community-web-cgi.rules
+include $RULE_PATH/community-web-client.rules
+include $RULE_PATH/community-web-dos.rules
+include $RULE_PATH/community-web-misc.rules
+
+#SQL and DB sigs
+include $RULE_PATH/sql.rules
+include $RULE_PATH/oracle.rules
+include $RULE_PATH/mysql.rules
+include $RULE_PATH/community-sql-injection.rules
+
+#Informational stuff
+#include $RULE_PATH/icmp.rules
+include $RULE_PATH/info.rules
+# include $RULE_PATH/icmp-info.rules
+
+#Windows stuff
+include $RULE_PATH/netbios.rules
+
+#Compromise responses
+include $RULE_PATH/attack-responses.rules
+include $RULE_PATH/bleeding-attack_response.rules
+
+#Mail sigs
+include $RULE_PATH/smtp.rules
+include $RULE_PATH/imap.rules
+include $RULE_PATH/pop2.rules
+include $RULE_PATH/pop3.rules
+include $RULE_PATH/community-mail-client.rules
+
+#Trojans, Viruses, and spyware
+include $RULE_PATH/backdoor.rules
+include $RULE_PATH/virus.rules
+include $RULE_PATH/bleeding-virus.rules
+include $RULE_PATH/community-virus.rules
+
+#Policy Sigs
+include $RULE_PATH/policy.rules
+include $RULE_PATH/porn.rules
+include $RULE_PATH/chat.rules
+include $RULE_PATH/p2p.rules
+include $RULE_PATH/multimedia.rules
+include $RULE_PATH/bleeding-policy.rules
+include $RULE_PATH/bleeding-p2p.rules
+include $RULE_PATH/bleeding-inappropriate.rules
+include $RULE_PATH/community-game.rules
+include $RULE_PATH/community-inappropriate.rules
+
+#Experimental
+include $RULE_PATH/experimental.rules
+
+EOD;
+
+ return $snort_conf;
+}
+
?> \ No newline at end of file
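Review bot: The template in generate_snort_conf is an interpolating `<<<EOD` heredoc, so every bare `$HOME_NET`, `$HTTP_PORTS` and `$RULE_PATH` inside it (e.g. `var TELNET_SERVERS $HOME_NET`, `var SHELLCODE_PORTS !$HTTP_PORTS`, `include $RULE_PATH/ftp.rules`) is read as an undefined PHP variable and written out as an empty string, yielding a snort.conf with blank server lists and includes such as `include /ftp.rules`; only `{$home_net}`, `{$ssh_port}` and `{$selected_rules_sections}` look like intended substitutions. Escape the snort-side variables as `\$HOME_NET`, `\$HTTP_PORTS` and `\$RULE_PATH` throughout the heredoc, or keep the static body in a non-interpolating string and concatenate the three PHP values. Separately, `$home_net` and `$ssh_port` are initialised to `""` and never assigned in this function, so `var HOME_NET {$home_net}` and `var SSH_PORTS {$ssh_port}` are emitted without a value, which leaves HOME_NET (and therefore EXTERNAL_NET and the server lists derived from it) undefined when snort parses the file. In sync_package_snort, the `fopen` failure path calls `exit`, which ends the whole calling request rather than just this package sync; `return;` after the `log_error` call would be less disruptive. I would also add a short docblock to generate_snort_conf stating that it returns the full snort.conf text as a string and that the rule-section and HOME_NET substitutions are still placeholders, matching the XXX markers already in the body.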