From 0d7e8e94c0854145806e91e7ff82015bb1c30330 Mon Sep 17 00:00:00 2001 From: Marcello Coutinho Date: Fri, 22 Nov 2013 01:35:55 -0200 Subject: snort - add multi select combo option for sensitive data preprocessor --- config/snort/snort.inc | 12 +++++++++++- config/snort/snort_preprocessors.php | 24 ++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 1a6f1ac6..0573d5f4 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -3204,8 +3204,18 @@ EOD; if (is_dir("{$snortcfgdir}/preproc_rules")) { if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; - if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")) + if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; + #enable only selected sensitive data + if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){ + $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; + $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); + $sd_tmp_new_file=""; + foreach ($sd_tmp_file as $sd_tmp_line) + $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; + file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); + } + } } else $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 98a0b106..c6546b6f 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -100,6 +100,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; + $pconfig['sdf_alert_data_type'] = $a_nat[$id]['sdf_alert_data_type']; $pconfig['sdf_alert_threshold'] = $a_nat[$id]['sdf_alert_threshold']; $pconfig['sdf_mask_output'] = $a_nat[$id]['sdf_mask_output']; $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc']; @@ -410,6 +411,7 @@ if ($_POST['ResetAll']) { $pconfig['dce_rpc_2'] = "on"; $pconfig['dns_preprocessor'] = "on"; $pconfig['sensitive_data'] = "off"; + $pconfig['sdf_alert_data_type'] = ""; $pconfig['sdf_alert_threshold'] = "25"; $pconfig['sdf_mask_output'] = "off"; $pconfig['ssl_preproc'] = "on"; @@ -437,6 +439,8 @@ elseif ($_POST['Submit']) { if ($_POST['sensitive_data'] == 'on') { if ($_POST['sdf_alert_threshold'] < 1 || $_POST['sdf_alert_threshold'] > 4294067295) $input_errors[] = gettext("The value for Sensitive_Data_Alert_Threshold must be between 1 and 4,294,067,295."); + if (empty($_POST['sdf_alert_data_type'])) + $input_errors[] = gettext("You must select at least one item to Inspect for while Sensitive data Detections is enabled."); } /* if no errors write to conf */ @@ -480,6 +484,8 @@ elseif ($_POST['Submit']) { $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; $natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off'; + $natent['sdf_alert_data_type'] = implode(",",$_POST['sdf_alert_data_type']); + $natent['sdf_alert_threshold'] = $_POST['sdf_alert_threshold']; $natent['sdf_mask_output'] = $_POST['sdf_mask_output'] ? 'on' : 'off'; $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off'; $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off'; @@ -1247,6 +1253,7 @@ include_once("head.inc");   " . gettext("stateful") . "."; ?>
+ " . gettext("Global Settings") . "" . gettext(" tab."); ?> + + + +

+ + @@ -1789,10 +1810,13 @@ function sensitive_data_enable_change() { if (endis) { document.getElementById("sdf_alert_threshold_row").style.display="none"; document.getElementById("sdf_mask_output_row").style.display="none"; + document.getElementById("sdf_alert_data_type").style.display="none"; + } else { document.getElementById("sdf_alert_threshold_row").style.display="table-row"; document.getElementById("sdf_mask_output_row").style.display="table-row"; + document.getElementById("sdf_alert_data_type").style.display="table-row"; } } -- cgit v1.2.3